Re: Wazuh + Slack Channel Agent


Diego Ariel Balbuena

Mar 13, 2023, 11:40:03 AM
to Wazuh mailing list
Hi Valton!! Thank you for sharing!

Please let me share our documentation for the integration with the Slack third-party API:

The full configuration reference for the Integrator daemon can be found here.

One of the Optional filters is event_location. This filters alerts by where the event originated.

I hope this helps!
Kind regards,

Diego Ariel Balbuena

On Monday, March 13, 2023 at 12:09:53 PM UTC-3 Valton T. wrote:
Hi

Is there a way to separate channels, for example alerts from AGENT 001 to be sent into another Slack channel, since we wanna separate the main alert channel of the default configuration, for example AGENT 001 to be alerted in a different channel which is only for this agent.

Thanks, I'll wait for a reply.

Diego Ariel Balbuena

Mar 13, 2023, 2:05:20 PM
to Wazuh mailing list
Hi Valton, 

I think I misunderstood your request.

Based on the optional filters you will not be able to send alerts to Slack by filtering the agent directly.
Optional filters depend on the ruleset due to how the integratord works.

In my opinion, you could accomplish this by configuring Agent labels and grouping the relevant agents as you want. This feature allows the user to customize the alert information from agents to include specific information related to the agent generating the alert. This can prove useful when addressing or reviewing alerts.

In case you want to use the Wazuh integrator, you need to create a new group of rules.
On the other hand, you can use the Alerting module of OpenSearch. It allows Slack as a destination and you can create a monitor based on the agent labels search.

I hope this helps!
Diego
On Monday, March 13, 2023 at 12:53:11 PM UTC-3 Valton T. wrote:
I tried all this but it isn't working.

Rajesh Kumar

Aug 14, 2024, 2:32:54 AM
to Wazuh | Mailing List
Rule for AGENT 001 (goes in a rules file, e.g. /var/ossec/etc/rules/local_rules.xml):

<group name="custom_agent_rules">
  <rule id="100001" level="10">
    <field name="agent.name">AGENT 001</field>
    <description>Alerts from AGENT 001</description>
    <mitre>
      <id>T1078</id>
    </mitre>
    <group>agent_001_alerts</group> <!-- The group the integration below filters on -->
  </rule>
</group>

Integration for Agent001 (goes in /var/ossec/etc/ossec.conf, inside <ossec_config>):

<integration>
  <name>slack_agent_001</name>
  <group>agent_001_alerts</group> <!-- The group from the custom rule -->
  <hook_url>https://hooks.slack.com/services/YOUR/AGENT001/WEBHOOKURL</hook_url>
  <alert_format>json</alert_format>
  <only_new_alerts>true</only_new_alerts>
</integration>

Default Integration for all other Alerts (same ossec.conf):

<integration>
  <name>slack_default</name>
  <group>default</group> <!-- Ensure this does not include agent_001_alerts -->
  <hook_url>https://hooks.slack.com/services/YOUR/DEFAULT/WEBHOOKURL</hook_url>
  <alert_format>json</alert_format>
  <only_new_alerts>true</only_new_alerts>
</integration>
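Another route the thread touches on (Diego's agent-label suggestion and Rajesh's per-agent integration) is to let a single custom integration script choose the Slack webhook per agent instead of maintaining one rule group per agent. The script below is an added example, not code from the thread or from Wazuh; it assumes Wazuh's usual custom-integration calling convention (`custom-<name> <alert_file> <api_key> <hook_url>`), a hypothetical `slack_hook` agent label, and placeholder webhook URLs.

```python
#!/usr/bin/env python3
# Hypothetical Wazuh custom integration, added as an example (not from the thread).
# Assumed invocation, as for any /var/ossec/integrations/custom-* script:
#   custom-slack-by-agent <alert_file> <api_key> <hook_url>
# hook_url from ossec.conf is the default channel; an alert whose agent carries a
# "slack_hook" label, or whose agent name is listed in AGENT_WEBHOOKS, goes elsewhere.
import json
import sys
import urllib.request

# Constructed routing table (placeholder webhook URLs): agent name -> webhook.
AGENT_WEBHOOKS = {
    "AGENT 001": "https://hooks.slack.com/services/PLACEHOLDER/AGENT001/HOOK",
}

# Constructed sample alert in the shape Wazuh writes to alerts.json.
SAMPLE_ALERT = {
    "rule": {"id": "100001", "level": 10, "description": "Alerts from AGENT 001",
             "groups": ["custom_agent_rules", "agent_001_alerts"]},
    "agent": {"id": "001", "name": "AGENT 001", "labels": {}},
    "full_log": "constructed sample event",
}


def select_webhook(alert, default_hook, routing=AGENT_WEBHOOKS):
    """Label wins, then the per-agent table, then the integration's own hook_url."""
    agent = alert.get("agent", {})
    label_hook = agent.get("labels", {}).get("slack_hook")
    return label_hook or routing.get(agent.get("name"), default_hook)


def build_payload(alert):
    """Small Slack message; the full event stays in Wazuh, not in the channel."""
    rule, agent = alert.get("rule", {}), alert.get("agent", {})
    return {"text": f"[{agent.get('name', 'unknown')}] rule {rule.get('id')} "
                    f"level {rule.get('level')}: {rule.get('description', '')}"}


def post(hook_url, payload):
    """Deliver one message; only called from the command-line entry point."""
    req = urllib.request.Request(hook_url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    alert_file, _api_key, default_hook = sys.argv[1:4]
    with open(alert_file, encoding="utf-8") as fh:
        alert = json.load(fh)
    post(select_webhook(alert, default_hook), build_payload(alert))
```

Wired up with an `<integration>` block whose `<name>` is `custom-slack-by-agent`, one `<hook_url>` (the default channel) and `<alert_format>json</alert_format>`, the per-agent routing lives in the script or in agent labels rather than in the ruleset.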