Slack notifications with custom variables


Pavel Marikin

Mar 25, 2024, 6:16:55 AM
to Wazuh | Mailing List
Hi all, I am trying to get some 'fancy' notifications in Slack from Wazuh.
I have set an alert that fires when there is authentication success via ssh, and wish to receive notification in slack with the IP address initiating the connection. Unfortunately I have no luck in defining the "data.srcip" variable, so that it can be sent in the notification.
Could you please suggest some 'How to', as I've read the documentation but obviously I have not found what I was looking for.
Thanks in advance!

Pablo D

Mar 25, 2024, 8:32:14 AM
to Wazuh | Mailing List
Hi Pavel

To achieve this, you have to modify the Slack integration script and add custom variables in the message block.

To set this to a custom integration, follow these steps at Wazuh Manager:

- Modify the /var/ossec/integrations/slack.py script and set your custom fields. You could use the following example, adding the line in blue:

    msg['pretext']  = "WAZUH Alert"
    msg['title']    = alert['rule']['description'] if 'description' in alert['rule'] else "N/A"
    msg['text']     = alert.get('full_log')

    msg['fields']   = []
    if 'agent' in alert:
        msg['fields'].append({
            "title": "Agent",
            "value": "({0}) - {1}".format(
                alert['agent']['id'],
                alert['agent']['name']
            ),
        })
    if 'agentless' in alert:
        msg['fields'].append({
            "title": "Agentless Host",
            "value": alert['agentless']['host'],
        })
    msg['fields'].append({"title": "Location", "value": alert['location']})
    # Custom field (the line added in this post): the decoded source address.
    # Guarded with .get() so alerts that carry no data.srcip (FIM, agent status, ...)
    # do not raise KeyError and silently lose the notification.
    srcip = alert.get('data', {}).get('srcip')
    if srcip:
        msg['fields'].append({"title": "Source IP", "value": srcip})
    msg['fields'].append({
        "title": "Rule ID",
        # 'level' is set earlier in slack.py from alert['rule']['level']
        "value": "{0} _(Level {1})_".format(alert['rule']['id'], level),
    })
    msg['ts']       = alert['id']



- Save it as a custom-slack script in /var/ossec/integrations/custom-slack. This is only to prevent issues during upgrades.

- Change the permissions and ownership:

    chown root:wazuh /var/ossec/integrations/custom-slack
    chmod 750 /var/ossec/integrations/custom-slack

- In /var/ossec/etc/ossec.conf configure your custom Slack integration in the following way to receive messages for the alert level you require and above:

    <integration>
      <name>custom-slack</name>
      <level><value from 1 to 15></level>
      <alert_format>json</alert_format>
    </integration>

- Restart your manager so changes can take effect:

    systemctl restart wazuh-manager

Hope you find this useful; let us know if you have any questions.

[Wazuh] PabloD
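The following is an added, self-contained example of the message-building step described in the reply above; it is not code from the thread or from the Wazuh project. It builds the Slack attachment from a Wazuh JSON alert with the extra "Source IP" field, and shows what happens for an alert that has no data.srcip at all (the case where an unguarded alert['data']['srcip'] would raise KeyError and the notification would never reach Slack). Assumptions: the two sample alerts are constructed, the colour thresholds in level_colour() follow what I recall of the stock slack.py, and argv[1] being the alert file path mirrors how the manager invokes integration scripts; the webhook POST itself is left out and the payload is printed instead.

```python
import json
import sys
from typing import Any, Dict, List, Optional

# Constructed sample alerts (not taken from the thread). The first is an sshd
# authentication-success alert that carries data.srcip; the second is an alert
# with no "data" block at all, which alert['data']['srcip'] would turn into a
# KeyError and a lost notification.
SAMPLE_ALERT_SSH: Dict[str, Any] = {
    "id": "1711349815.123456",
    "rule": {"id": "5715", "level": 3,
             "description": "sshd: authentication success."},
    "agent": {"id": "001", "name": "web-01"},
    "location": "/var/log/auth.log",
    "full_log": ("Mar 25 06:16:55 web-01 sshd[1234]: Accepted publickey "
                 "for deploy from 198.51.100.7 port 50022 ssh2"),
    "data": {"srcip": "198.51.100.7", "srcuser": "deploy"},
}

SAMPLE_ALERT_NO_DATA: Dict[str, Any] = {
    "id": "1711349900.654321",
    "rule": {"id": "503", "level": 3, "description": "Wazuh agent started."},
    "agent": {"id": "001", "name": "web-01"},
    "location": "wazuh-agent",
    "full_log": "ossec: Agent started: 'web-01->any'.",
}


def level_colour(level: int) -> str:
    """Attachment colour by alert level (thresholds assumed from the stock script)."""
    if level <= 4:
        return "good"
    if level <= 7:
        return "warning"
    return "danger"


def build_slack_message(alert: Dict[str, Any]) -> Dict[str, Any]:
    """Build one Slack attachment from a Wazuh JSON alert, with the custom Source IP field."""
    rule = alert.get("rule", {})
    level = int(rule.get("level", 0))
    msg: Dict[str, Any] = {
        "color": level_colour(level),
        "pretext": "WAZUH Alert",
        "title": rule.get("description", "N/A"),
        "text": alert.get("full_log"),
        "fields": [],
        "ts": alert.get("id"),
    }
    fields: List[Dict[str, str]] = msg["fields"]
    if "agent" in alert:
        fields.append({"title": "Agent",
                       "value": "({0}) - {1}".format(alert["agent"].get("id"),
                                                     alert["agent"].get("name"))})
    if "agentless" in alert:
        fields.append({"title": "Agentless Host", "value": alert["agentless"].get("host")})
    fields.append({"title": "Location", "value": alert.get("location", "N/A")})
    # Custom field: the decoded source address. Guarded with .get() so alerts
    # without data.srcip still produce a notification instead of a crash.
    srcip = alert.get("data", {}).get("srcip")
    if srcip:
        fields.append({"title": "Source IP", "value": srcip})
    fields.append({"title": "Rule ID",
                   "value": "{0} _(Level {1})_".format(rule.get("id"), level)})
    return msg


def field_value(msg: Dict[str, Any], title: str) -> Optional[str]:
    """Return the value of the named field, or None if the attachment has no such field."""
    for field in msg["fields"]:
        if field["title"] == title:
            return field["value"]
    return None


def build_payload(alert: Dict[str, Any]) -> Dict[str, Any]:
    """Wrap the attachment in the JSON body a Slack incoming webhook expects."""
    return {"attachments": [build_slack_message(alert)]}


def load_alert(path: str) -> Dict[str, Any]:
    """Read the alert file (one JSON object) the manager hands to an integration script."""
    with open(path, encoding="utf-8") as fh:
        return json.loads(fh.read())


if __name__ == "__main__":
    # Assumption: as in the stock slack.py, argv[1] is the alert file written by
    # the manager. Without an argument the constructed ssh sample is used.
    source = load_alert(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ALERT_SSH
    print(json.dumps(build_payload(source), indent=2))
```

Run it with no arguments to see the payload for the ssh sample, or pass the path of an alert file to inspect what a real alert would produce before wiring the script into ossec.conf. Because the level filter in the integration block fires for every rule at that level and above, the guard on data.srcip is what keeps non-ssh alerts (FIM, agent status) from breaking the script.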