integration
XML section name
<integration>
</integration>
This configures the manager to connect Wazuh to external APIs and alerting tools such as Slack, PagerDuty and VirusTotal.
Options
name
This indicates the service to integrate with.
Default value | n/a
Allowed values | slack, pagerduty, virustotal
Optional filters
level
This filters alerts by rule level so that only alerts with the specified level or above are pushed.
Default value | n/a
Allowed values | Any alert level from 0 to 16
group
This filters alerts by rule group. For the VirusTotal integration, only rules from the syscheck group are available.
Default value | n/a
Allowed values | Any rule group, or several rule groups separated by a vertical bar
event_location
This filters alerts by where the event originated. The value follows the OS_Regex syntax.
Default value | n/a
Allowed values | Any single agent name, hostname, IP address, or log file
Configuration example
<!-- Integration with Slack -->
<integration>
  <name>slack</name>
  <hook_url>https://hooks.slack.com/services/T000/B000/XXXXX</hook_url>
  <level>10</level>
  <group>multiple_drops|authentication_failures</group>
  <alert_format>json</alert_format>
</integration>

<!-- Integration with VirusTotal -->
<integration>
  <name>virustotal</name>
  <api_key>VirusTotal_API_Key</api_key>
  <group>syscheck</group>
  <alert_format>json</alert_format>
</integration>
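To make the filter semantics concrete, here is an added Python example (not Wazuh's own integratord code) that parses the two blocks from the example above and decides which integration a given alert would be pushed to. It assumes an alert dict carrying rule.level, rule.groups and location fields, and uses a Python regex as a stand-in for OS_Regex on event_location.

```python
import re
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment mirroring the two blocks in the example above.
CONFIG = """<ossec_config>
  <integration>
    <name>slack</name>
    <hook_url>https://hooks.slack.com/services/T000/B000/XXXXX</hook_url>
    <level>10</level>
    <group>multiple_drops|authentication_failures</group>
    <alert_format>json</alert_format>
  </integration>
  <integration>
    <name>virustotal</name>
    <api_key>VirusTotal_API_Key</api_key>
    <group>syscheck</group>
    <alert_format>json</alert_format>
  </integration>
</ossec_config>"""

def load_integrations(xml_text):
    """Return one dict per <integration> block with its optional filters parsed."""
    blocks = []
    for node in ET.fromstring(xml_text).findall("integration"):
        level, group = node.findtext("level"), node.findtext("group")
        blocks.append({
            "name": node.findtext("name"),
            "level": int(level) if level else None,         # minimum rule level
            "groups": group.split("|") if group else None,  # any one must match
            "event_location": node.findtext("event_location"),
        })
    return blocks

def alert_matches(block, alert):
    """True if the alert passes every filter the block sets (unset filters pass)."""
    if block["level"] is not None and alert["rule"]["level"] < block["level"]:
        return False
    if block["groups"] is not None and not set(block["groups"]) & set(alert["rule"]["groups"]):
        return False
    # Assumption: a Python regex stands in for OS_Regex when matching the location.
    if block["event_location"] and not re.search(block["event_location"], alert.get("location", "")):
        return False
    return True

# Constructed sample alerts with the rule/location fields that the filters read.
SSH_FAILURES = {"rule": {"level": 10, "groups": ["syslog", "authentication_failures"]},
                "location": "(web01) 10.0.0.5->/var/log/auth.log"}
FILE_ADDED = {"rule": {"level": 5, "groups": ["ossec", "syscheck"]},
              "location": "(web01) 10.0.0.5->syscheck"}
```

With this config the SSH failure alert reaches only Slack (level 10 and a matching group), and the syscheck alert reaches only VirusTotal.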