Integration with external APIs

The Integrator daemon allows Wazuh to connect to external APIs and alerting tools such as Slack, PagerDuty and VirusTotal.

Configuration

The integrations are configured on the ossec.conf file which is located inside the Wazuh installation folder (/var/ossec/etc/). To configure an integration, add the following configuration inside the <ossec_config> section:

<integration>
  <name> </name>
  <hook_url> </hook_url> <!-- Required for Slack -->
  <api_key> </api_key> <!-- Required for PagerDuty and VirusTotal -->

  <!-- Optional filters -->
  <rule_id> </rule_id>
  <level> </level>
  <group> </group>
  <event_location> </event_location>
</integration>

After enabling the daemon and configure the integrations, restart the Wazuh manager to apply the changes:

  1. For Systemd:
# systemctl restart wazuh-manager
  1. For SysV Init:
# service wazuh-manager restart

The full configuration reference for the Integrator daemon can be found here.

Slack

This integration allows to receive alerts into a Slack channel thanks to the Incoming Webhooks, a simple way to post messages from 3rd-party apps (in this case, Wazuh).

This is an example configuration for the Slack integration:

<integration>
  <name>slack</name>
  <hook_url>https://hooks.slack.com/services/...</hook_url> <!-- Replace with your Slack hook URL -->
  <alert_format>json</alert_format>
</integration>

PagerDuty

PagerDuty is a SaaS incident response platform suitable for IT departments. This integration allows to create a service using its official API in order to receive Wazuh alerts on the Incidents Dashboard.

This is an example configuration for the PagerDuty integration:

<integration>
  <name>pagerduty</name>
  <api_key>API_KEY</api_key> <!-- Replace with your PagerDuty API key -->
</integration>

As seen on the screenshot below, alerts start coming into the dashboard:

VirusTotal

New in version 3.0.0.

This integration allows the inspection of malicious files using the VirusTotal database. Find more information about this at the VirusTotal integration page.

This is an example configuration for the VirusTotal integration:

<integration>
  <name>virustotal</name>
  <api_key>API_KEY</api_key> <!-- Replace with your VirusTotal API key -->
  <group>syscheck</group>
  <alert_format>json</alert_format>
</integration>