Webhook

Romain Hennebois

Feb 24, 2025, 10:33:50 AM
to Wazuh | Mailing List
Hello everyone,

I would like some help resolving my webhook.

A few months ago, I had configured my webhook integration and with recent updates, the configuration is deprecated.

Here is my configuration in the /var/ossec/etc/ossec.conf file:

  <integration>
    <name>slack</name>
    <hook_url>WEBHOOK_URL</hook_url>
    <alert_format>json</alert_format>
    <group>vulnerability-detector</group>
    <event_location>vulnerability-detector</event_location>
    <level>3</level>
  </integration>

But for some reason, in my vulnerability detector inventory the group tag is gone and some blank alerts are being sent.

Can I have some help changing this configuration in order to send my critical vulnerabilities to my channel?

Thanks in advance for any help.

Isaiah Daboh

Feb 24, 2025, 11:07:21 AM
to Wazuh | Mailing List
Hello,

I am taking a look at this and will revert shortly.

Regards

Romain Hennebois

Feb 25, 2025, 4:40:59 AM
to Wazuh | Mailing List
It may be due to the fact that I don't have any events from Vulnerability Detector.

I tried to sample data and I see events in vulnerability-detector, and the 'locator' tag and group are here.

Romain Hennebois

Feb 25, 2025, 8:24:03 AM
to Wazuh | Mailing List
But if this is done for fixed CVEs, how can I configure the webhook in order to send a notification in my channel for high severity vulnerabilities?

Isaiah Daboh

Feb 25, 2025, 1:02:21 PM
to Wazuh | Mailing List
Hello Romain,

High severity vulnerabilities should have a high alert level.

The <level></level> option in the config filters alerts by rule level, so only alerts with the specified level or above are pushed. The allowed value is any alert level from 0 to 16.

Changing the alert level in the ossec.conf should help filter correctly.

  <integration>
    <name>slack</name>
    <hook_url>WEBHOOK_URL</hook_url>
    <alert_format>json</alert_format>
    <group>vulnerability-detector</group>
    <event_location>vulnerability-detector</event_location>
    <level>10</level>
  </integration>

Please let me know if this works.
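
Added example, not part of the thread and not Wazuh's own code: a small model of the <level>, <group> and <event_location> filters in the block above, run over constructed sample alerts to show which filter drops each one. Assumptions: the function names are hypothetical, a comma-separated <group> list matches when any listed group is on the alert, and <event_location> is treated as a literal substring rather than OS_Regex.

```python
import xml.etree.ElementTree as ET

# Integration block from the reply above (WEBHOOK_URL is the thread's placeholder).
INTEGRATION_XML = """<integration>
  <name>slack</name>
  <hook_url>WEBHOOK_URL</hook_url>
  <alert_format>json</alert_format>
  <group>vulnerability-detector</group>
  <event_location>vulnerability-detector</event_location>
  <level>10</level>
</integration>"""

# Constructed sample alerts (not real data): rule.level, rule.groups, location.
SAMPLE_ALERTS = [
    {"id": "a1", "rule": {"level": 13, "groups": ["vulnerability-detector"]}, "location": "vulnerability-detector"},
    {"id": "a2", "rule": {"level": 7, "groups": ["vulnerability-detector"]}, "location": "vulnerability-detector"},
    {"id": "a3", "rule": {"level": 12, "groups": ["syscheck"]}, "location": "syscheck"},
    {"id": "a4", "rule": {"level": 10, "groups": []}, "location": "vulnerability-detector"},
]

def load_filters(xml_text):
    """Read the three filter options; a missing option means 'no filter'."""
    node = ET.fromstring(xml_text)
    group = node.findtext("group")
    return {
        "level": int(node.findtext("level") or 0),
        "groups": [g.strip() for g in group.split(",")] if group else [],
        "location": node.findtext("event_location"),
    }

def rejected_by(alert, filters):
    """Return the names of the filters this alert fails (empty list = forwarded)."""
    failed = []
    rule = alert.get("rule", {})
    if rule.get("level", 0) < filters["level"]:
        failed.append("level")  # only alerts at the specified level or above pass
    if filters["groups"] and not set(filters["groups"]) & set(rule.get("groups", [])):
        failed.append("group")  # an alert with no group tag fails this filter
    # Simplification (assumption): literal substring match stands in for OS_Regex.
    if filters["location"] and filters["location"] not in alert.get("location", ""):
        failed.append("event_location")
    return failed

def explain(alerts=SAMPLE_ALERTS, xml_text=INTEGRATION_XML):
    filters = load_filters(xml_text)
    return {a["id"]: rejected_by(a, filters) for a in alerts}

if __name__ == "__main__":
    for alert_id, failed in explain().items():
        print(alert_id, "forwarded" if not failed else "dropped by: " + ", ".join(failed))
```
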

Romain Hennebois

Feb 26, 2025, 4:54:52 AM
to Wazuh | Mailing List
I have changed my configuration from the one you gave me. It might work, I can't tell you because I don't have any events in my vulnerability detection, but I think it's normal.