Slack Alert Integration - Adding @mention to better target the alerts


Raghav

Feb 12, 2020, 6:02:59 AM
to Wazuh mailing list
Hi, 
Describing the use case:

We have a Slack alert channel for several security events (vulnerability, AWS events, Suricata events, etc.). We have different people handling different areas of security and would like them to be mentioned by Slack tag @<username> for their relevant rules, thus increasing the effectiveness of the response. As of now the Slack integration seems to not provide this option, so checking if that can be done in some way.

Would this make sense:

The quick look at the slack integration py file (line 89)
msg['pretext'] = "WAZUH Alert"

If this could be an input so one can add @names and a different title like NIDS Alert via rule just like description.

regards

Sergio Peral

Feb 14, 2020, 3:51:55 PM
to Raghav, Wazuh mailing list
Hello Raghav,
Sorry for the late reply.

I will try to provide some insight here. You should be able to achieve the desired behavior by making some modifications to the script, as you pointed out:
 • First, you should identify the member ID of your Slack users. You can do that by clicking on your username on the top-left corner of the Slack client and selecting Profile & account:


 • Then, in the window that appears on the right side, click on the triple colon and copy your member ID:


• Now let's say that the member ID is UTTLAUQL8. If this user wants to be pinged in messages for the vulnerability-detector rule group, this is the code that would achieve that:

    for group in alert['rule']['groups']:
        if group == "vulnerability-detector":
            msg['pretext'] = "<@UTTLAUQL8>WAZUH Alert"

Let me know if that works for you.

Best regards,
Sergio.

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/e1e8feea-5641-409b-928c-66ebb687d832%40googlegroups.com.
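
The reply above hardcodes one member ID for one rule group. As an added example (not part of the original thread and not Wazuh's own code), the same idea generalized to a routing table that covers the per-team mentions and per-rule titles asked for in the first post. The names `ROUTES`, `build_pretext`, the `suricata` and `amazon` entries, the titles and the ID `U0EXAMPLE1` are constructed for illustration, and the member ID pattern is an assumption about Slack's ID format.

```python
import re

# Constructed routing table: rule group -> (Slack member IDs, alert title).
# UTTLAUQL8 is the member ID from the reply above; U0EXAMPLE1 is a placeholder.
ROUTES = {
    "vulnerability-detector": (["UTTLAUQL8"], "Vulnerability Alert"),
    "suricata": (["U0EXAMPLE1"], "NIDS Alert"),
    "amazon": (["UTTLAUQL8", "U0EXAMPLE1"], "AWS Alert"),
}
DEFAULT_TITLE = "WAZUH Alert"

# Assumption: member IDs start with U or W, then uppercase letters and digits.
MEMBER_ID = re.compile(r"^[UW][A-Z0-9]{2,}$")


def build_pretext(alert, routes=ROUTES):
    """Return the Slack 'pretext' for an alert, mentioning each owner once."""
    # Some alerts may lack rule.groups; fall back to the default title.
    groups = alert.get("rule", {}).get("groups", [])
    mentions = []
    title = None
    for group in groups:
        if group not in routes:
            continue
        member_ids, group_title = routes[group]
        # The first matching group decides the title.
        title = title or group_title
        for member_id in member_ids:
            # Only plain member IDs are accepted, so a bad table entry
            # cannot become <!channel> or other Slack markup.
            if not MEMBER_ID.match(member_id):
                raise ValueError("not a Slack member ID: %r" % member_id)
            mention = "<@%s>" % member_id
            if mention not in mentions:
                mentions.append(mention)
    return " ".join(mentions + [title or DEFAULT_TITLE])
```

In the integration script this would replace the fixed assignment with `msg['pretext'] = build_pretext(alert)`.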

Raghav

Feb 18, 2020, 6:11:46 AM
to Wazuh mailing list
Thank you Sergio. This worked for me.

regards