integration
XML section name
<integration>
</integration>
This configures the manager to connect Wazuh to external APIs and alerting tools such as Slack, PagerDuty and VirusTotal.
Options
name
This indicates the service to integrate with.
Default value |
n/a |
Allowed values |
slack, pagerduty, virustotal |
Optional filters
level
This filters alerts by rule level so that only alerts with the specified level or above are pushed.
Default value |
n/a |
Allowed values |
Any alert level from 0 to 16 |
group
This filters alerts by rule group. For the VirusTotal integration, only rules from the syscheck group are available.
Default value |
n/a |
Allowed values |
Any rule group or vertical bar-separated rule groups. |
event_location
This filters alerts by where the event originated. Follows the OS_Regex Syntax.
Default value |
n/a |
Allowed values |
Any single log file. |
Configuration example
<!-- Integration with Slack -->
<integration>
<name>slack</name>
<hook_url>https://hooks.slack.com/services/...</hook_url> <!-- Replace with your Slack hook URL -->
<level>10</level>
<group>multiple_drops|authentication_failures</group>
<alert_format>json</alert_format>
</integration>
<!-- Integration with PagerDuty -->
<integration>
<name>pagerduty</name>
<api_key>API_KEY</api_key> <!-- Replace with your PagerDuty API key -->
</integration>
<!-- Integration with VirusTotal -->
<integration>
<name>virustotal</name>
<api_key>API_KEY</api_key> <!-- Replace with your VirusTotal API key -->
<group>syscheck</group>
<alert_format>json</alert_format>
</integration>