configuring Elastalert with wazuh


Flori Llapi

Dec 3, 2022, 6:12:13 AM12/3/22
to Wazuh mailing list
Hi all, I am new to Wazuh. I need to configure ElastAlert with the OpenSearch of Wazuh.
I am using the latest version of Wazuh. I don't know how to configure at all the ElastAlert config.yaml file so that it is compatible with OpenSearch: how to find the SSL settings, usernames and passwords, etc. The tutorials on the internet are not accurate. Please help.
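As an added illustration of what the question above is asking for (not from any participant in this thread, nor Wazuh's or ElastAlert's own documentation), here is the shape of an ElastAlert 2 config.yaml pointed at a Wazuh indexer (OpenSearch) over TLS, followed by one rule file that forwards high-level Wazuh alerts to an MS Teams webhook. The hostname, user, certificate path and webhook URL are placeholders; the option names are the ones documented for ElastAlert 2, and the `wazuh-alerts-*` index pattern and `rule.level` / `agent.name` / `rule.description` fields are the standard Wazuh alert fields.

```yaml
# /etc/elastalert/config.yaml  (added example; values are placeholders)
es_host: wazuh-indexer.example.internal   # placeholder: your Wazuh indexer host
es_port: 9200
es_username: elastalert                   # assumption: a dedicated read-only indexer user, not admin
es_password: "CHANGE_ME"                  # prefer ES_USERNAME/ES_PASSWORD env vars over a secret on disk
use_ssl: true
verify_certs: true                        # keep true: false disables certificate checking of the indexer
ca_certs: /etc/elastalert/root-ca.pem     # placeholder: the root CA used by your Wazuh indexer certificates
rules_folder: /etc/elastalert/rules
run_every:
  minutes: 1                              # how often queries run against the indexer
buffer_time:
  minutes: 15                             # lookback window per query
writeback_index: elastalert_status        # ElastAlert keeps its own state in this index
alert_time_limit:
  days: 2

# /etc/elastalert/rules/wazuh-high-level.yaml  (added example, separate file)
# Match every Wazuh alert with rule.level >= 12 and post it to Teams.
name: Wazuh high level alert to Teams
type: any
index: wazuh-alerts-*
filter:
  - range:
      rule.level:
        gte: 12
alert:
  - ms_teams
ms_teams_webhook_url: "https://example.webhook.office.com/REPLACE_ME"   # placeholder webhook
alert_subject: "Wazuh level {0} on agent {1}"
alert_subject_args:
  - rule.level
  - agent.name
alert_text: "{0}"
alert_text_args:
  - rule.description
```

The two documents are separate files; they are shown together only so the `rules_folder` reference in the first can be read against the rule in the second. The points that usually go wrong in this setup are the three TLS lines (`use_ssl`, `verify_certs`, `ca_certs`): `verify_certs` should stay `true` and `ca_certs` should point at the CA that signed the indexer's certificate, rather than turning verification off to make the connection succeed.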

Mauricio Ruben Santillan

Dec 5, 2022, 1:46:52 PM12/5/22
to Wazuh mailing list
Hello!

Is there any specific reason you're attempting to use Elastalert?
You see, Wazuh Dashboard (which is a fork of Opensearch Dashboard) includes Opensearch's Alerting module that is fully compatible with Wazuh alerts.
Also, Wazuh includes its own integration module that allows you to send alerts to external APIs, defining criteria to filter them. In case you're new to Elastalert, I do recommend that you check any of these mentioned methods.

Now, if you still want to proceed using Elastalert, then are you getting any specific error? Can you provide some screenshot of it? Any additional information will be useful.
Also, there is the Elastalert official documentation here: https://elastalert2.readthedocs.io/en/latest/elastalert.html

Looking forward to your comments.

flor

Dec 6, 2022, 9:00:18 AM12/6/22
to Mauricio Ruben Santillan, Wazuh mailing list
Hi Mauricio, I just want to monitor through MS Teams in real time and in a better view, that's all.
One more question: do you know any tool to convert Sigma rules to Wazuh rules? There are many of them, and doing it manually needs a lot of human resources.

Regards 


Mauricio Ruben Santillan

Dec 6, 2022, 12:46:10 PM12/6/22
to Wazuh mailing list
Hello!
If you want to receive alerts in your MS Teams, then you should have no problem using the Wazuh Dashboard's Alerting feature I mentioned. Check this out.

Now, about converting Sigma rules to Wazuh rules, I haven't heard of nor used any such tool, but I found the following ones:
And there's some related information here:

I hope this helps! Let me know how it goes.