Integration with external APIs

The Integrator is a new daemon that allows Wazuh to connect to external APIs and alerting tools such as Slack and PagerDuty.

New in version 3.0.0.

A new integration has been developed in Wazuh 3.0 that allows for the inspection of malicious files using the VirusTotal database.

The complete documentation of this new feature can be found at the VirusTotal integration section.

Configuration

The Integrator is not enabled by default; it can be enabled and started with the following commands:

# /var/ossec/bin/ossec-control enable integrator
# /var/ossec/bin/ossec-control restart

Integrations are configured in the etc/ossec.conf file, which is located inside your Wazuh installation directory. Add the following block inside <ossec_config> </ossec_config> to configure an integration:

<integration>
  <name> </name>
  <hook_url> </hook_url>
  <api_key> </api_key>

  <!-- Optional filters -->

  <rule_id> </rule_id>
  <level> </level>
  <group> </group>
  <event_location> </event_location>
</integration>

Integration with Slack

In order to make the Slack integration work, we need to install the python-requests package:

  1. For RPM systems:
# yum install python-requests
  2. For Debian systems:
# apt-get install python-requests
  3. Using the Python pip tool:
# pip install requests

Then add an integration block like the following to ossec.conf:

<integration>
  <name>slack</name>
  <hook_url>https://hooks.slack.com/services/...</hook_url>
  <alert_format>json</alert_format>
</integration>

Integration with PagerDuty

<integration>
  <name>pagerduty</name>
  <api_key>MYKEY</api_key>
</integration>

Integration with VirusTotal

<integration>
  <name>virustotal</name>
  <api_key>VirusTotal_API_Key</api_key>
  <group>syscheck,</group>
</integration>
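As an added example (not part of the Wazuh documentation or code base), the following script sanity-checks the <integration> blocks described in the Configuration section and the three sample blocks above before the Integrator is restarted. It assumes, based only on the samples shown here, that Slack needs hook_url while PagerDuty and VirusTotal need api_key, and that the only alert_format value in use is json; the configuration it parses is constructed for the example.

```python
# Added example: validate <integration> blocks in an ossec.conf fragment.
import xml.etree.ElementTree as ET

# Credential each integration needs (assumption drawn from the sample blocks:
# Slack uses hook_url, PagerDuty and VirusTotal use api_key).
REQUIRED = {"slack": "hook_url", "pagerduty": "api_key", "virustotal": "api_key"}
# Optional filters listed in the configuration template.
FILTERS = ("rule_id", "level", "group", "event_location")


def check_integrations(xml_text):
    """Return a list of (integration name, problem) tuples; empty means OK."""
    root = ET.fromstring(xml_text)
    problems = []
    for block in root.iter("integration"):
        name = (block.findtext("name") or "").strip()
        if name not in REQUIRED:
            problems.append((name or "<missing>", "unknown integration name"))
            continue
        cred = (block.findtext(REQUIRED[name]) or "").strip()
        if not cred:
            # A template left unfilled, e.g. <api_key> </api_key>
            problems.append((name, "missing %s" % REQUIRED[name]))
        elif REQUIRED[name] == "hook_url" and not cred.startswith("https://"):
            problems.append((name, "hook_url must use https"))
        fmt = block.findtext("alert_format")
        if fmt is not None and fmt.strip() != "json":  # assumption: json only
            problems.append((name, "unsupported alert_format %r" % fmt.strip()))
        for f in FILTERS:
            el = block.find(f)
            if el is not None and not (el.text or "").strip():
                problems.append((name, "empty <%s> filter" % f))
    return problems


# Constructed sample: one correct block, one with an unfilled key, one with
# an empty filter that would have been copied straight from the template.
SAMPLE_CONF = """<ossec_config>
  <integration><name>slack</name>
    <hook_url>https://hooks.slack.com/services/EXAMPLE</hook_url>
    <alert_format>json</alert_format></integration>
  <integration><name>pagerduty</name><api_key> </api_key></integration>
  <integration><name>virustotal</name><api_key>VirusTotal_API_Key</api_key>
    <group>syscheck,</group><level> </level></integration>
</ossec_config>"""

if __name__ == "__main__":
    for name, problem in check_integrations(SAMPLE_CONF):
        print("%s: %s" % (name, problem))
```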