Email Notifications for Vulnerabilities in wazuh agents


rihab benabdelaziz

Sep 24, 2024, 10:06:55 AM
to Wazuh | Mailing List

Hello,

Can we receive email notifications for vulnerabilities found in installed packages on agents, for example? Currently, I only receive email alerts for events that have rules (ID) and a severity level.


Capture d'écran 2024-09-24 160053.png

Federico Damian Lo Iacono

Sep 24, 2024, 10:26:41 AM
to Wazuh | Mailing List
Hi Rihab,

You can also configure alerts for rules that belong to certain groups. For example, found vulnerabilities belong to the vulnerability-detector group. As such, you can configure your <email_alerts> section in `ossec.conf` with something like the following:

```
<email_alerts>
  <email_to>reci...@example.com</email_to>
  <level>10</level>
  <group>vulnerability-detector,</group>
</email_alerts>
```

Customize the above block to your specifications. Note: do not place this XML leaf under the <global> leaf.


Hope this helps!

rihab benabdelaziz

Sep 24, 2024, 11:02:24 AM
to Wazuh | Mailing List

Thank you Federico,

I made this configuration, but I didn’t receive anything. Could it be because the vulnerable package was detected 2 hours ago?

Capture d'écran 2024-09-24 165943.png
Capture d'écran 2024-09-24 165724.png

Federico Damian Lo Iacono

Sep 24, 2024, 2:38:29 PM
to Wazuh | Mailing List
Hi again Rihab,

Yes, it is possible that since the alert already passed, it did not trigger email. Could you possibly trigger a vulnerability in a test system to check that an email is sent?

Thanks in advance.

rihab benabdelaziz

Sep 25, 2024, 4:29:33 AM
to Wazuh | Mailing List
Hello,

A vulnerability in a Django package was detected today (September 25, 2024 at 09:48), but I did not receive any email alert.

Could there be an issue with the email alert configuration for package vulnerabilities?

Thank you for your help.

Capture d'écran 2024-09-25 101808.png

Federico Damian Lo Iacono

Sep 30, 2024, 9:43:11 AM
to Wazuh | Mailing List
Hi Rihab,

I don't think there is an issue with the email alerts for vulnerabilities, but there could be something we are missing here. What is the minimum level configured for alerts to trigger emails? It's possible that the vulnerability does not have a high enough level for an email to be sent.

It could also be that the alerts do not belong to the `vulnerability-detector` group in the `wazuh-alerts*` indices. Could you please share the `<level>` you set up, and the alert's groups and level, please?

Thanks in advance.

rihab benabdelaziz

Oct 2, 2024, 11:45:11 AM
to Wazuh | Mailing List

Hi Federico,

I see that nothing appears when I select the "vulnerability-detector" group in wazuh-alerts*. Could it be that it's not properly configured? However, in the Vulnerability Detection section, there are vulnerabilities with critical, high, medium, and low levels, but I'm not receiving any emails.


Thanks in advance.

email_alerts_not_receive.png
rule_not_found.png

rihab benabdelaziz

Oct 2, 2024, 11:50:03 AM
to Wazuh | Mailing List


I changed the time range, and now I see alerts for the "vulnerability-detector" group being displayed. However, I still do not receive these alerts by email. I do receive other alerts, such as authentication failures, but not these. Could you help me understand why?

rule_found.png

Federico Damian Lo Iacono

Oct 3, 2024, 9:24:28 AM
to Wazuh | Mailing List
Hi again Rihab.

Once again, I'd recommend checking the alert level of the vulnerabilities found. If they are below the level you defined for email alerts, this might indicate why you are not receiving emails from this group. In the meantime, I'll test this out locally.

Thanks in advance.

rihab benabdelaziz

Oct 6, 2024, 2:58:43 PM
to Wazuh | Mailing List

The alert level for these vulnerabilities is 10, while in my ossec.conf configuration, as you can see, I have set the level to 5 to receive email alerts. However, I am still not receiving any emails for these vulnerabilities.

Thanks in advance.

Federico Damian Lo Iacono

Oct 10, 2024, 12:12:17 PM
to Wazuh | Mailing List
Rihab, sorry for the delayed response.

I got clarification that, as of Wazuh 4.8, vulnerabilities are handled by the Wazuh Manager directly. They are stored in the `wazuh-states-vulnerabilities*` index, and are not handled in the same way as before by the daemons. You can possibly schedule a command to run periodically and check (via the Indexer's API) the vulnerability data of each agent, and send a formatted mail accordingly.

To get the vulnerabilities for agent 00X, you can use this call:

```
GET wazuh-states-vulnerabilities-*/_search?size=5000&_source_includes=package.name,package.version,vulnerability.severity,vulnerability.score.base,vulnerability.description,vulnerability.id,vulnerability.published_at
{
  "query": {
    "bool": {
      "must": [
        {
          "match": {
            "agent.id": "00X"
          }
        }
      ]
    }
  }
}
```

This will give you this information about each vulnerability:

  • agent
    • name
    • IP
  • group
  • package
    • name
    • version
  • vulnerability
    • severity
    • score
      • base
    • description
    • id
    • published_at

Sorry about the previous confusion, and hope this helps.
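The scheduled job described in the reply above, written out as an added example (this is not Wazuh's own tooling and not code from the thread). It builds the same `bool`/`must`/`match` query against `wazuh-states-vulnerabilities-*`, flattens the hits, keeps findings at or above a chosen severity and formats a plain-text mail. Everything about the environment is an assumption: the Indexer URL and basic-auth credentials are read from `INDEXER_URL`, `INDEXER_USER` and `INDEXER_PASSWORD`, mail goes through `SMTP_HOST` from `MAIL_FROM` to `MAIL_TO`, and the sample response at the bottom is constructed with placeholder CVE ids so the parsing and formatting can be exercised without an Indexer.

```python
"""Added example: periodic job that pulls one agent's vulnerability state from
the Wazuh Indexer and mails a summary. Environment variables below are assumed
names, not Wazuh settings."""
import base64
import json
import os
import smtplib
import ssl
import sys
import urllib.request
from email.message import EmailMessage

INDEX = "wazuh-states-vulnerabilities-*"
# Same fields as the _source_includes in the post (description spelled correctly).
FIELDS = ["package.name", "package.version", "vulnerability.severity",
          "vulnerability.score.base", "vulnerability.description",
          "vulnerability.id", "vulnerability.published_at"]
SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


def build_query(agent_id, size=5000):
    """Request body equivalent to the bool/must/match query in the post."""
    return {"size": size, "_source": FIELDS,
            "query": {"bool": {"must": [{"match": {"agent.id": agent_id}}]}}}


def parse_hits(response):
    """Flatten each hit's nested _source into one flat row per vulnerability."""
    rows = []
    for hit in response.get("hits", {}).get("hits", []):
        src = hit.get("_source", {})
        pkg, vul = src.get("package", {}), src.get("vulnerability", {})
        rows.append({
            "id": vul.get("id", "?"),
            "severity": str(vul.get("severity", "")).capitalize(),
            "score": vul.get("score", {}).get("base"),
            "package": f"{pkg.get('name', '')} {pkg.get('version', '')}".strip(),
            "published": vul.get("published_at", ""),
        })
    return rows


def filter_min_severity(rows, minimum="High"):
    """Keep rows at or above `minimum`, most severe first. Unknown severity
    strings rank as -1 so they are kept rather than silently dropped."""
    cutoff = SEVERITY_ORDER[minimum]
    kept = [r for r in rows if SEVERITY_ORDER.get(r["severity"], -1) <= cutoff]
    return sorted(kept, key=lambda r: (SEVERITY_ORDER.get(r["severity"], -1), r["id"]))


def format_mail(agent_id, rows):
    """Plain-text body: a count line, then one aligned line per vulnerability."""
    lines = [f"{len(rows)} vulnerabilities for agent {agent_id}", ""]
    for r in rows:
        score = "-" if r["score"] is None else r["score"]
        lines.append(f"{r['severity']:<8} {score:>5} {r['id']:<16} "
                     f"{r['package']}  (published {r['published']})")
    return "\n".join(lines)


def fetch_vulnerabilities(agent_id):
    """POST the query to the Indexer over TLS with basic auth. The default CA
    bundle is used; for a self-signed Indexer cert pass cafile= to the context."""
    url = os.environ["INDEXER_URL"].rstrip("/") + f"/{INDEX}/_search"
    creds = f"{os.environ['INDEXER_USER']}:{os.environ['INDEXER_PASSWORD']}".encode()
    req = urllib.request.Request(
        url, data=json.dumps(build_query(agent_id)).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": "Basic " + base64.b64encode(creds).decode()})
    with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
        return json.load(resp)


def send_mail(subject, body):
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = os.environ["MAIL_FROM"], os.environ["MAIL_TO"], subject
    msg.set_content(body)
    with smtplib.SMTP(os.environ["SMTP_HOST"]) as smtp:
        smtp.send_message(msg)


# Constructed sample response (placeholder CVE ids, not real findings) so the
# parsing and formatting can be exercised without an Indexer.
SAMPLE_RESPONSE = {"hits": {"hits": [
    {"_source": {"package": {"name": "django", "version": "3.2.0"},
                 "vulnerability": {"id": "CVE-0000-0001", "severity": "High",
                                   "score": {"base": 7.5}, "published_at": "2024-01-01T00:00:00Z"}}},
    {"_source": {"package": {"name": "openssl", "version": "1.1.1"},
                 "vulnerability": {"id": "CVE-0000-0002", "severity": "Critical",
                                   "score": {"base": 9.8}, "published_at": "2024-02-01T00:00:00Z"}}},
    {"_source": {"package": {"name": "curl", "version": "7.0"},
                 "vulnerability": {"id": "CVE-0000-0003", "severity": "Low",
                                   "score": {"base": 3.1}, "published_at": "2024-03-01T00:00:00Z"}}},
]}}

if __name__ == "__main__":
    agent = sys.argv[1] if len(sys.argv) > 1 else "001"
    rows = filter_min_severity(parse_hits(fetch_vulnerabilities(agent)), "High")
    if rows:  # send nothing when no finding reaches the threshold
        send_mail(f"[wazuh] {len(rows)} High/Critical vulnerabilities on agent {agent}",
                  format_mail(agent, rows))
```

Run it from cron (for example once a day per agent id) with the environment variables set. The severity threshold plays the role `<level>` plays for rule-based email alerts; `filter_min_severity` deliberately keeps rows whose severity string it does not recognise, so a new or unexpected value shows up in the mail instead of disappearing. The TLS context verifies the Indexer's certificate, so an Indexer with a self-signed certificate needs its CA passed in rather than verification turned off.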