Email Template Alert


TUKARAM GAONKAR

Sep 28, 2021, 3:32:14 AM
to Wazuh mailing list
Hi Team,

I want an email alert for a particular rule only. How can I achieve that?
I found the link below for custom template modification. I want to add some messages to the alerts template, like the IP to be blocked. What changes do I have to make in the script mentioned in the link below?


Warm Regards,
Tukaram


Juan Carlos

Sep 28, 2021, 7:04:37 AM
to Wazuh mailing list
Hi Tukaram,

E-mail alerts and integrations such as the one mentioned in that thread can be granularly configured to be triggered by events of a given rule level, by rule groups, or by specific rule IDs.

For example, if you wish to use the custom-email-alerts integration for rule 651 you may include this configuration on your Wazuh Managers:

    <integration>
      <name>custom-email-alerts</name>
      <hook_url>em...@example.com</hook_url>
      <rule_id>651</rule_id>
      <alert_format>json</alert_format>
    </integration>

You can see the various options for this configuration stanza here: https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/integration.html
Note that given the flexibility of the integrator daemon you may create specific scripts for different types of alerts and add in several coexisting integrations to the configuration.

As for editing the message's template, if you wish for the IP to be in a specific part of the message, then you must adapt the script to use the fields that are specific to your rule. For example, for Wazuh 4.2.0 or greater, alert 651 (Host Blocked by firewall-drop Active Response) provides the IP to be blocked in the data.parameters.alert.data.srcip field.

So the generate_msg function can be modified to be:

import json
import time

def generate_msg(alert):
    """
    Function that will provide the custom subject and body for the email.
    It takes as input a dictionary object generated from the json alert
    """
    description = alert['rule']['description']
    level = alert['rule']['level']
    agentname = alert['agent']['name']
    # Rule 651 carries the blocked IP in data.parameters.alert.data.srcip
    blockedip = alert['data']['parameters']['alert']['data']['srcip']
    # Drop the fractional seconds and timezone suffix before parsing
    t = time.strptime(alert['timestamp'].split('.')[0], '%Y-%m-%dT%H:%M:%S')
    timestamp = time.strftime('%c', t)
    subject = 'Wazuh Alert: {0} {1}, {2}'.format(blockedip, description, agentname)
    msg = """
    This is an automatic message from your Wazuh Instance.

    On {} an event from agent "{}" triggered the rule "{}" of level {}.
    The IP being blocked is {}
    The full contents of the alert are:
    {}
    """.format(timestamp, agentname, description, level, blockedip, json.dumps(alert, indent=4))

    return subject, msg


Let us know if you have any more questions,
I hope you're having a great day,
Juan Carlos Tello
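A more defensive version of the same generate_msg idea, added here as an example that is not code from the thread or from Wazuh: it resolves the rule-651 field path without raising KeyError when a level is missing, validates the IP before it is placed in the subject line, and runs against a constructed sample alert (all values made up; only the field paths follow the answer above).

```python
import ipaddress
import json
import time

# Constructed sample alert in the shape an integrator script receives for
# rule 651. Values are invented for this example.
SAMPLE_ALERT = json.loads("""
{
  "timestamp": "2021-09-28T03:32:14.517+0000",
  "rule": {"level": 3, "id": "651",
           "description": "Host Blocked by firewall-drop Active Response"},
  "agent": {"id": "001", "name": "web-01"},
  "data": {"parameters": {"alert": {"data": {"srcip": "203.0.113.45"}}}}
}
""")

def get_path(obj, path, default=None):
    """Walk a dotted path such as 'data.parameters.alert.data.srcip' and
    return default instead of raising when a level is absent."""
    for key in path.split('.'):
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj

def blocked_ip(alert):
    """Return the blocked IP for rule 651, or None when the field is missing
    or is not a syntactically valid IPv4/IPv6 address, so arbitrary text from
    the alert never reaches the subject line unchecked."""
    raw = get_path(alert, 'data.parameters.alert.data.srcip')
    try:
        return str(ipaddress.ip_address(raw))
    except (ValueError, TypeError):
        return None

def generate_msg(alert):
    """Build (subject, body). The first 19 characters of the Wazuh timestamp
    are the seconds-precision part, whether or not fractional seconds exist."""
    description = get_path(alert, 'rule.description', 'unknown rule')
    level = get_path(alert, 'rule.level', '?')
    agentname = get_path(alert, 'agent.name', 'unknown agent')
    ip = blocked_ip(alert) or 'unknown'
    t = time.strptime(alert['timestamp'][:19], '%Y-%m-%dT%H:%M:%S')
    timestamp = time.strftime('%Y-%m-%d %H:%M:%S', t)  # fixed, locale-free format
    subject = 'Wazuh Alert: {0} {1}, {2}'.format(ip, description, agentname)
    body = ('On {} an event from agent "{}" triggered the rule "{}" of level {}.\n'
            'The IP being blocked is {}\n\nFull alert:\n{}').format(
                timestamp, agentname, description, level, ip,
                json.dumps(alert, indent=4))
    return subject, body
```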

Mario Esteves

Dec 9, 2022, 10:03:31 PM
to Wazuh mailing list
Sorry for my bad English

To customize the notification emails so they are less technical, use the .py file that you can download from this message: https://groups.google.com/g/wazuh/c/ysoU5gPs_mM

I made some corrections and modifications, since it sends the email in JSON format (unpleasant to look at), and I formatted it as HTML with the help of a Python library. To do this, you must use the Python installed by Wazuh (not the one installed in the operating system) and execute /var/ossec/framework/python/bin/python3 -m pip install json2html

You should also comment out (or delete) the e-mail alert configuration lines in the Wazuh configuration and add those of the integrator mentioned above.

    <!--
    <email_notification>yes</email_notification>
    <smtp_server>ip_mail_server</smtp_server>
    <email_from>fr...@domain.com</email_from>
    <email_to>recip...@domain.com</email_to>
    <email_maxperhour>30</email_maxperhour>
    <email_log_source>alerts.log</email_log_source>
    -->

That, plus a bit of CSS and HTML, and you can have a more user-friendly view for your SOC staff.
custom-email-alert.py