Wazuh integrations with Microsoft Teams


sekhar reddy

Jun 27, 2022, 4:31:38 PM
to Wazuh mailing list
Hi Team,

I have integrated Wazuh with Microsoft Teams, but I observed that alerts are not getting generated. It works perfectly with Slack.
Do we need to do any tweaks to make it work for Microsoft Teams? Here is my configuration for Teams.

  <integration>
    <name>teams</name>
    <hook_url>https://msazureabcd/webhook.office.com/webhookb2/8c72221f-4116-4969-ab14-3d3e9e64335c@84fe6f40-1cbc-4730-8328-8018b2af88dc/IncomingWebhook/d24a3d09d39541f096a2f7204f8283ad/332c7338-fad2-4e2d-a5a4-26d605a5e255</hook_url>
    <level>3</level>
    <alert_format>json</alert_format>
  </integration>


I thank you in advance for the replies. 

Sekhar

Pablo Ariel Gonzalez

Jun 27, 2022, 5:20:36 PM
to Wazuh mailing list
Hi Sekhar, It will be a pleasure to discuss this topic with you.

You can use the information in this blog post we posted some time ago to create a custom integration: https://wazuh.com/blog/how-to-integrate-external-software-using-integrator/

You have information on how to get the Microsoft Teams webhook here: https://docs.microsoft.com/en-us/microsoftteams/platform/webhooks-and-connectors/how-to/connectors-using

You could also refer to this article to get a general idea of the process: https://www.infopercept.com/sending-alerts-to-microsoft-teams-from-wazuh/


If you have any other doubt or query, do not hesitate to write again and we will analyze it together.


Thanks

sekhar reddy

Jun 27, 2022, 8:09:07 PM
to Wazuh mailing list
Hi Pablo,

I tried the same as presented in the link but still do not see the alerts in Teams.


Is there any way to debug the issue?

Thanks & Regards,
A.Sekhar

Adam Pielak

Jun 28, 2022, 6:59:02 AM
to Wazuh mailing list
```python
#!/usr/bin/env python
import json
import sys
import time
import os

try:
    import requests
except Exception as e:
    print("No module 'requests' found. Install: pip install requests")
    sys.exit(1)

# ossec.conf configuration:
# <integration>
#   <name>custom-teams</name>
#   <hook_url>https://outlook.office.com/webhook/XXXXXXXXXXXX</hook_url>
#   <level>10</level> <!-- Optional -->
#   <alert_format>json</alert_format>
# </integration>

# Global vars

debug_enabled = False
pwd = os.path.dirname(os.path.dirname(os.path.realpath(__file__)))
json_alert = {}
now = time.strftime("%a %b %d %H:%M:%S %Z %Y")

# Set paths
log_file = '{0}/logs/integrations.log'.format(pwd)


def main(args):
    debug("# Starting")

    # Read args: wazuh-integratord passes <alert file> <api key> <hook url> [debug]
    alert_file_location = args[1]
    webhook = args[3]

    debug("# Webhook")
    debug(webhook)

    debug("# File location")
    debug(alert_file_location)

    # Load alert. Parse JSON object.
    with open(alert_file_location) as alert_file:
        json_alert = json.load(alert_file)
    debug("# Processing alert")
    debug(json_alert)

    debug("# Generating message")
    msg = generate_msg(json_alert)
    debug(msg)

    debug("# Sending message")
    send_msg(msg, webhook)


def debug(msg):
    # Only writes when the 4th argument is 'debug'; output goes to stdout and logs/integrations.log
    if debug_enabled:
        msg = "{0}: {1}\n".format(now, msg)
        print(msg)
        f = open(log_file, "a")
        f.write(msg)
        f.close()


def generate_msg(alert):

    level = alert['rule']['level']

    # Card colour by alert level: green (<= 4), yellow (5-7), red (>= 8)
    if (level <= 4):
        color = "008000"
    elif (level >= 5 and level <= 7):
        color = "FFFF00"
    else:
        color = "CD5C5C"

    facts = {"facts": []}

    # Teams "MessageCard" payload; each fact is a name/value row in the card
    msg = {}
    msg['@context'] = "https://schema.org/extensions"
    msg['@type'] = "MessageCard"
    msg['sections'] = []

    facts["facts"].extend([
        {
            'name': "Agent" if 'agent' in alert else "Agentless Host",
            'value': "({0}) - {1}".format(alert['agent']['id'], alert['agent']['name']) if 'agent' in alert else alert['agentless']['host']
        },

        {
            'name': "Rule",
            'value': "{0} _(Level {1})_".format(alert['rule']['id'], level)
        },

        {
            'name': "Location",
            'value': alert['location']
        },

        {
            'name': "Path",
            'value': alert["syscheck"]["path"] if "syscheck" in alert else "N/A"
        },

        {
            'name': "Description",
            'value': alert['rule']['description'] if 'description' in alert['rule'] else "N/A"
        },

        {
            'name': "Full Log",
            'value': alert.get('full_log')
        }
    ])
    msg['sections'].append(facts)

    msg['summary'] = alert['rule']['description'] if 'description' in alert['rule'] else "N/A"
    msg['themeColor'] = color
    msg['title'] = alert['rule']['description'] if 'description' in alert['rule'] else "N/A"

    return json.dumps(msg)


def send_msg(msg, url):
    headers = {'content-type': 'application/json', 'Accept-Charset': 'UTF-8'}
    res = requests.post(url, data=msg, headers=headers)
    debug(res)


if __name__ == "__main__":
    try:
        # Read arguments
        bad_arguments = False
        if len(sys.argv) >= 4:
            msg = '{0} {1} {2} {3} {4}'.format(
                now,
                sys.argv[1],
                sys.argv[2],
                sys.argv[3],
                sys.argv[4] if len(sys.argv) > 4 else '',
            )
            debug_enabled = (len(sys.argv) > 4 and sys.argv[4] == 'debug')
        else:
            msg = '{0} Wrong arguments'.format(now)
            bad_arguments = True

        # Logging the call
        f = open(log_file, 'a')
        f.write(msg + '\n')
        f.close()

        if bad_arguments:
            debug("# Exiting: Bad arguments.")
            sys.exit(1)

        # Main function
        main(sys.argv)

    except Exception as e:
        debug(str(e))
        raise
```

sekhar reddy

Jun 28, 2022, 2:15:49 PM
to Wazuh mailing list
It worked. There were some indentation errors, and the path needed to be updated in the shell script; after modifying that, it worked.

I have a few questions regarding alerts. 
-> Is there a way to remove duplicate alerts?
-> Is there a way to ignore the alerts, and how do I acknowledge an alert?
-> Let's say I integrate Jira, and a Jira ticket is created when an alert is generated; will a duplicate alert create a new Jira ticket?

Thanks & Regards,
A.sekhar

Pablo Ariel Gonzalez

Jun 29, 2022, 6:43:07 PM
to Wazuh mailing list
Hi Sekhar,

It's great news that the integration worked. With regard to alert management queries, by creating your own alert rules and settings you have the ability to tailor it to your needs. 

In any case, so that the queries can later serve as a reference to other users, I would ask you to open a new query in Google Groups so that it can be treated properly.


Thanks,

sang thanh

Aug 29, 2022, 3:20:18 AM
to Wazuh mailing list
Hi Pablo, Sekhar,

Can you guys tell me how you fixed your permission problems? I got the same issue as you; I did many things but nothing worked.

I'm working on Wazuh 4.3.6, doing the Wazuh integration with Microsoft Teams to send my alerts from Wazuh to Teams. Everything is good except the error messages about file permissions when I run chmod 750 /var/ossec/integrations/custom-teams* and chown root:wazuh /var/ossec/integrations/custom-teams*:

Aug 29, 2022 @ 11:34:43.000 wazuh-integratord ERROR At wpopenv(): file 'integrations/custom-teams' has write permissions.
Aug 29, 2022 @ 11:34:43.000 wazuh-integratord ERROR Couldn't execute command (integrations /tmp/custom-teams-1661747683--1633932925.alert https://intmaster.webhook.office.com/webhookb2/e3c74e8c-2ee9-45bf-bbd7-408498641d09@264fd170-4e9c-46aa-9faa-8895acff195e/IncomingWebhook/2cb2b716007946aeacc010604c07c059/167bb640-6cda-4a4f-b3dd-a795e951e23c > /dev/null 2>&1). Check file and permissions.

So I searched around Google and removed the write permission for the file with this command: chmod 550 /var/ossec/integrations/custom-teams* => the first error was resolved, but the second error is still there.

I verified my Teams Incoming Webhook by using a PowerShell post and can confirm it works.
So my friends, can you tell me what I have to do about the error wazuh-integratord ERROR Couldn't execute command(...) Check file and permissions?

Here are the permissions of my folders & files:

/var/ossec/:
total 4
drwxrwxrwx  2 root  wazuh  160 Aug 29 04:07 integrations
drwxrwxrwt  2 root  wazuh   23 Aug 29 06:26 tmp

/var/ossec/integrations/:
total 48
-r-xr-xr-x 1 root wazuh 1034 Aug 26 08:35 custom-teams
-rwxrwxrwx 1 root wazuh 4826 Aug 29 02:48 custom-teams.py
-rwxrwxrwx 1 root root  4839 Aug 29 02:45 custom-teams.py.bk
-rwxr-x--- 1 root wazuh 4325 Jul 15 12:18 pagerduty

Thank you so much.


On Thursday, June 30, 2022 at 05:43:07 UTC+7, pablo.g...@wazuh.com wrote:

sekhar reddy

Aug 29, 2022, 1:50:11 PM
to sang thanh, Wazuh mailing list
Hi Sang,

Looks like there is a permission issue with your custom-teams. Basically, we need to provide execute permission for both the .py and .sh scripts.

Thanks & Regards,
A.Sekhar



sang thanh

Aug 29, 2022, 9:33:50 PM
to Wazuh mailing list

Thanks for your reply. Below are my file permissions, the same as yours, but I still get the error:
ERROR Couldn't execute command (...) Check file and permissions.

Too weird.

On Tuesday, August 30, 2022 at 00:50:11 UTC+7, sekhar...@gmail.com wrote:

sang thanh

Aug 29, 2022, 11:33:05 PM
to Wazuh mailing list
Here are my configuration files for the Teams integration.

Maybe the error is in here, because the error says "check the file and permissions".
On Tuesday, August 30, 2022 at 08:33:50 UTC+7, sang thanh wrote:
custom-teams
custom-teams.py

Michaël PES

Aug 31, 2022, 10:50:56 AM
to Wazuh mailing list
Hi,

Same problem here with Wazuh 4.3.5. There is an issue on GitHub with some changes to the files mentioned above:


But even after modifying the custom-teams and custom-teams.py files I still have the same error:

2022/08/31 16:49:57 wazuh-integratord: ERROR: Couldn't execute command (integrations /tmp/custom-teams-1661957397-669370212.alert  https://[REDACTED].webhook.office.com/[REDACTED]  > /dev/null 2>&1). Check file and permissions.

M.

Michaël PES

Sep 7, 2022, 10:28:30 AM
to Wazuh mailing list
Okay, problem solved thanks to Victor in this Slack conversation:

1°) I used his custom-teams.py (enclosed)
2°) I made a copy of the slack bash script as he suggested (cp slack ./custom-teams)
3°) I adjusted owner, group and permissions
4°) I restarted the wazuh-manager

And voilà ! It is now working perfectly \o/

M.
custom-teams.py
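The checks this sub-thread converged on (no group/world write bits, since wazuh-integratord's wpopenv() refuses such a file; execute bits for owner and group; a wrapper named after the integration sitting next to its .py), as an added Python example that is not code from the thread or from Wazuh. The root-ownership check, the wrapper content and the temporary directory used by demo() are assumptions.

```python
import os
import stat
import tempfile


def mode_problems(mode):
    """Problems with a permission-bit value such as 0o777 or 0o750."""
    problems = []
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        # wazuh-integratord's wpopenv() refuses such a file outright:
        # "file 'integrations/custom-teams' has write permissions."
        problems.append("group/world writable")
    if not (mode & stat.S_IXUSR and mode & stat.S_IXGRP):
        problems.append("not executable by owner and group")
    return problems


def audit_integration(name, directory="/var/ossec/integrations"):
    """Check the '<name>' wrapper and the '<name>.py' it calls; returns {file: [problems]}."""
    report = {}
    for filename in (name, name + ".py"):
        path = os.path.join(directory, filename)
        if not os.path.isfile(path):
            # The daemon executes integrations/<name>; a missing or unrunnable wrapper
            # shows up as "Couldn't execute command ... Check file and permissions."
            report[filename] = ["missing"]
            continue
        st = os.stat(path)
        problems = mode_problems(stat.S_IMODE(st.st_mode))
        if st.st_uid != 0:
            problems.append("owner is not root")  # assumption: root:wazuh, as advised above
        report[filename] = problems
    return report


def demo():
    """Constructed case: a world-writable wrapper with no .py next to it."""
    directory = tempfile.mkdtemp()
    wrapper = os.path.join(directory, "custom-teams")
    with open(wrapper, "w") as f:
        f.write("#!/bin/sh\n")  # placeholder wrapper body, not Wazuh's slack script
    os.chmod(wrapper, 0o777)
    return audit_integration("custom-teams", directory)


if __name__ == "__main__":
    for path, problems in audit_integration("custom-teams").items():
        print(path, problems or "ok")
```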

Michael Reiner

Apr 26, 2023, 12:19:48 PM
to Wazuh mailing list
Hey.

I just integrated your script for teams alerts.
I wanted to add a weblink to the alert in the teams message. 

    facts.append({
        'name': 'Link',
        'value': "<a href = 'https://my.localwazuh.com/app/discover#/doc/wazuh-alerts-*/{0}?id={1}'>Show Event</a>".format(
            alert['_index'],
            alert['_id']
        )})

But when it runs I get 
While running custom-teams -> integrations. Output: KeyError: '_index'

Is there any way I can access the "_index" and "_id" values to generate a web link?

Federico Gustavo Galland

May 4, 2023, 7:22:40 AM
to Wazuh mailing list
Hi Michael,

The _index and _id fields are actually added to the Indexer document and are not present at the time the integration scripts are run.

The analysis engine does add an "id" field (without the underscore) which will still uniquely identify your alert.

You can still use a query to find the alert by its "id" field and get a link to that query.

Something akin to the following:


Here I'm looking for "id": "1683198842.14835608" which is tied to a single alert.

Let me know if this worked.

Regards,
Fede
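Putting Fede's point into code: an added example (not from the thread or from Wazuh) that builds the MessageCard from the alert the integrator hands to the script, tolerating missing keys such as "agent" or "syscheck" instead of raising KeyError, and links the alert by its engine-assigned "id" rather than the "_id" that only exists in the indexer. The sample alert, the dashboard host and the Discover URL shape are assumptions.

```python
import json

# Constructed sample alert, shaped like the JSON wazuh-integratord writes to the
# .alert file: the engine's "id" is present, "_index"/"_id" are not (indexer-only).
SAMPLE_ALERT = {
    "id": "1683198842.14835608",
    "rule": {"id": "550", "level": 7, "description": "Integrity checksum changed."},
    "agent": {"id": "001", "name": "web01"},
    "location": "syscheck",
    "syscheck": {"path": "/etc/passwd"},
    "full_log": "File '/etc/passwd' checksum changed.",
}


def theme_color(level):
    # Same thresholds as the script posted earlier in the thread.
    return "008000" if level <= 4 else "FFFF00" if level <= 7 else "CD5C5C"


def build_card(alert, dashboard_url="https://wazuh.example.test"):
    """Build the Teams MessageCard as a dict; every lookup tolerates a missing key."""
    rule = alert.get("rule", {})
    level = int(rule.get("level", 0))
    description = rule.get("description", "N/A")
    agent = alert.get("agent")
    if agent:
        host = ("Agent", "({0}) - {1}".format(agent.get("id", "?"), agent.get("name", "?")))
    else:
        host = ("Agentless Host", alert.get("agentless", {}).get("host", "N/A"))
    facts = [
        {"name": host[0], "value": host[1]},
        {"name": "Rule", "value": "{0} _(Level {1})_".format(rule.get("id", "?"), level)},
        {"name": "Location", "value": alert.get("location", "N/A")},
        {"name": "Path", "value": alert.get("syscheck", {}).get("path", "N/A")},
        {"name": "Description", "value": description},
        {"name": "Full Log", "value": alert.get("full_log", "N/A")},
    ]
    if "id" in alert:
        # Link by the engine's "id" field, since "_id" does not exist yet. The
        # dashboard host and the Discover URL shape are assumptions; adapt them.
        query = "{0}/app/discover#/?_a=(query:(language:kuery,query:'id:\"{1}\"'))"
        link = query.format(dashboard_url, alert["id"])
        facts.append({"name": "Link", "value": "<a href='{0}'>Show Event</a>".format(link)})
    return {"@context": "https://schema.org/extensions", "@type": "MessageCard",
            "themeColor": theme_color(level), "summary": description,
            "title": description, "sections": [{"facts": facts}]}


def payload(alert):
    # Body for requests.post(hook_url, data=payload(alert), headers={...}).
    return json.dumps(build_card(alert))
```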

Kamran arshad

Nov 17, 2023, 11:05:00 PM
to Wazuh | Mailing List
Hi all
https://www.infopercept.com/sending-alerts-to-microsoft-teams-from-wazuh/
As this is not working, does anyone have detailed steps and files?