How to send daily slack alert summaries

[Dawid Motak]

I would like to send alerts grouped by agents every day at 9 am to a slack channel.

For example I would like to receive a message like:
```
Agent: (003) Server1

Location: vulnerability-detector

Vulnerabilites:

- xxx

- yyy

...
``` 

Is there any way to achieve that?

[malena...@wazuh.com]

Hi Dawid, I'm searching, but I can't find any solution similar to what you want to do. To do the integration with Slack you can read the documentation for the general solution or for the custom integration.

But then, to filter by agent and group the alerts, the only way I find to do it is by a modification of the python script for the Slack integration.

I have found different examples, In our documentation:

• example in our blog: https://wazuh.com/blog/how-to-integrate-external-software-using-integrator/ 
• example to edit ossec-conf to custom the integration: https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/integration.html#integration-options-tag 
  
  and others examples when users modify this script:
• Thread about Slack custom integration: https://groups.google.com/g/wazuh/c/pTu_UknTl7o 
• https://gist.github.com/redsfyre/8f4887ba9440a008661cbdfef1b3d8eb
• https://www.reddit.com/r/Wazuh/comments/1bh5q69/comment/lkbgzup/?utm_source=share&ut[…]m=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button
• https://medium.com/@sathish95/slack-integration-with-wazuh-alerts-in-critical-high-and-medium-slack-channels-4f067e20f8b0 

I have not tested the examples of the users, and from Wazuh we cannot take responsibility for them, but I consider that they could still help you to get closer to the desired solution.

I don't know how many agents you have, but maybe you can think of a workaround if you create a channel for each agent and then send the alerts to the corresponding channel.

Likewise, I hope I have been helpful!

Malena Casas

[Dawid Motak]

Thanks for the response. 

Custom integrations seems like a good solution but how often the custom integration script will be triggered?

For example let's say I want to send alerts to the alertmanager. Alertmanager expects its clients to continuously re-send alerts as long as they are still active. My idea is to have active alerts managed by alertmanager and then grouped and distributed to slack, pagerduty or other platform. 

Is it achievable with custom integration? 

[malena...@wazuh.com]

Sorry for the delay, I was looking for possible solutions.

You can use the alerting plugging and set the monitor to run every day at 9am.

In the alerting plugging you can determine what things will generate alerts and what actions will be triggered in that case.

The process can be long and complex to configure, I'm trying to put together an example guide for your case, but I wanted to let you know that I'm still working on this.

As soon as I have progress on the configuration needed to make this work I will get back to you.

[malena...@wazuh.com]

With the Alerting Plugin, you can configure the monitor to run a script every day at 9 AM. This script can count the number of alerts generated for each agent in the last 24 hours across all the indices you choose and then send you a message via Slack with that count. However, it is impossible to return data about each specific alert found in that message.

Alternatively, you can use the Reporting Plugin, which can create a complete report for you every day and provide the information as a CSV or even a dashboard, but you won’t be able to send it to Slack.

So, if the above doesn’t work for you, to unify all the actions you want to take, you will have to return to the idea of the initial solution. You will need to set up the script for the Slack integration to run automatically at specific times using Python.

Unfortunately, there is no simpler solution with the existing plugins.

Best wishes.