Wazuh alerts to thehive


TheSOC

Jun 12, 2023, 5:54:14 PM6/12/23
to Wazuh mailing list

Hello,

I have a custom script for integration with TheHive. We want to send an alert if level >= 12.

But from integration.log, I only see level = 3 being generated. I did not see any other level. I understand that it sets a level filter so that the script will not receive alerts below a certain level. So alerts must be generated with level >= 12 (up to 15). Is this correct?

https://wazuh.com/blog/using-wazuh-and-thehive-for-threat-protection-and-incident-response/

Christian Borla

Jun 12, 2023, 6:24:43 PM6/12/23
to Wazuh mailing list
Hi TheSoc,
I hope you are doing fine!

Yes, the idea is to filter the alerts by level; if the alert level is not specified in the integration configuration, it will send all the alerts that trigger the other conditions. This filters alerts by rule level so that only alerts with the specified level or above are pushed.
Here is the level configuration section for the integration.

An example

<!-- Integration with Slack -->
<integration>
  <name>slack</name>
  <hook_url>https://hooks.slack.com/services/...</hook_url>
  <level>10</level> <!-- level filter: only alerts at this level or above are sent -->
  <group>multiple_drops,authentication_failures</group>
  <alert_format>json</alert_format>
</integration>

Also, there is an alert generation condition in the ossec.conf file on the manager: any rule whose level is equal to or higher than this value will generate an alert. If it is less than this number, no alert is generated, so the integration will not receive events of that type. I understand that it is not your case, but it is good to know.

  <alerts>
    <log_alert_level>3</log_alert_level> <!-- this is the filter to generate an alert -->
    <email_alert_level>12</email_alert_level>
  </alerts>

Do you have a level 12 or higher alert in your environment? Or do you have any custom event or alert to test it?
Let me know if this information helps.
Regards.
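The level gate discussed in both messages, shown from the script side as an added example (not code from the thread, the linked blog post, or the Wazuh project). It assumes the usual custom-integration calling convention, in which Wazuh runs the script with the alert file path, an API key and a hook URL as arguments and writes one alert as JSON to that file; the TheHive field names and the level-to-severity mapping are assumptions for illustration, and the sample alerts are constructed:

```python
# Added example, not code from the thread or from the Wazuh project: a minimal
# custom integration script that applies the same "level >= 12" gate in code
# before forwarding a Wazuh alert to TheHive. Wazuh invokes custom integration
# scripts (assumed convention) as: <script> <alert_file> <api_key> <hook_url>,
# where <alert_file> holds one alert as JSON. The TheHive field names used in
# build_thehive_alert() are assumed for illustration.
import json
import sys

MIN_LEVEL = 12  # forward only alerts at this rule level or above (threshold from the question)

# Constructed sample alerts in the Wazuh JSON alert layout (not real events).
SAMPLE_LEVEL_3 = {
    "id": "1686584054.1001",
    "agent": {"id": "001", "name": "web-01"},
    "rule": {"id": "5501", "level": 3, "description": "PAM: Login session opened.",
             "groups": ["pam", "syslog", "authentication_success"]},
}
SAMPLE_LEVEL_12 = {
    "id": "1686584060.1002",
    "agent": {"id": "001", "name": "web-01"},
    "rule": {"id": "100200", "level": 12, "description": "Custom: web shell dropped.",
             "groups": ["custom", "attack"]},
}


def alert_level(alert):
    """Return the rule level as an int, or None when the alert has no usable level."""
    try:
        return int(alert["rule"]["level"])
    except (KeyError, TypeError, ValueError):
        return None


def should_forward(alert, min_level=MIN_LEVEL):
    """True when the alert meets the configured minimum rule level."""
    level = alert_level(alert)
    return level is not None and level >= min_level


def level_to_severity(level):
    """Collapse Wazuh's 0-15 rule level into TheHive's 1-4 severity (assumed mapping)."""
    if level >= 13:
        return 4  # critical
    if level >= 10:
        return 3  # high
    if level >= 7:
        return 2  # medium
    return 1      # low


def build_thehive_alert(alert):
    """Map a Wazuh alert to a TheHive-style alert body (field names are assumptions)."""
    rule = alert.get("rule", {})
    agent = alert.get("agent", {})
    return {
        "title": rule.get("description", "Wazuh alert"),
        "type": "wazuh",
        "source": agent.get("name", "unknown-agent"),
        "sourceRef": alert.get("id", ""),
        "severity": level_to_severity(alert_level(alert) or 0),
        "tags": ["wazuh", "rule:" + str(rule.get("id", ""))] + list(rule.get("groups", [])),
        "description": json.dumps(alert, indent=2),
    }


def process_alert_file(path, min_level=MIN_LEVEL):
    """Read the alert file Wazuh hands to the script; return the payload to send, or None."""
    with open(path, encoding="utf-8") as fh:
        alert = json.load(fh)
    return build_thehive_alert(alert) if should_forward(alert, min_level) else None


if __name__ == "__main__":
    # Argument order assumed: alert file, API key, hook URL (TheHive base URL).
    alert_file, api_key, hook_url = sys.argv[1:4]
    payload = process_alert_file(alert_file)
    if payload is None:
        print("alert below level %d, not forwarded" % MIN_LEVEL)
    else:
        # Sending is left out; a real script would POST payload to hook_url using api_key.
        print(json.dumps(payload, indent=2))
```

The `<level>` element in the `<integration>` block is applied by the manager before the script is ever invoked, so with `<level>12</level>` configured the script would only see level 12 to 15 alerts; the in-script check is a second guard that keeps the threshold visible in the code and makes the script safe to run with a looser or missing `<level>` setting. Note that `<log_alert_level>` governs whether an alert exists at all, so nothing below it can reach the integration regardless of the script's own threshold.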