Ignore slack alerts for vulnerability-detector


Kostiantyn

Apr 14, 2022, 10:18:53 AM
to Wazuh mailing list
Hi All,
I need to configure Slack notifications based on the following conditions:
  1. rule.level: 12-16
  2. do not send Slack notifications if the alert has location = vulnerability-detector
  3. I still need to save all alerts from vulnerability-detector to /var/ossec/logs/alerts/alerts.json
I did not find a way to exclude Slack notifications for alerts based on a location.
Any help is appreciated.
Thank you!

Sandra Ocando

Apr 17, 2022, 11:11:29 AM
to Kostiantyn, Wazuh mailing list
Hello Kostiantyn:
You can use a custom Slack integration that does not send messages for the "Vulnerability Detector" alerts.
I've modified the default Slack integration script by adding the following condition on line 64 (see the custom script attached).
    debug("# Sending message")
    # rule.groups is the list of groups of the rule that fired; only notify
    # when the alert does not come from the vulnerability detector
    groups = json_alert['rule']['groups']
    if ('vulnerability-detector' not in groups):
        send_msg(msg, webhook)
By adding this condition, the script will only send the message if 'vulnerability-detector' is not in the rule.groups.
To use this custom script, add it in /var/ossec/integrations/custom-slack and give it the right ownership and permissions:
chown root:ossec /var/ossec/integrations/custom-slack
chmod 750 /var/ossec/integrations/custom-slack
Configure your custom Slack integration the following way to receive messages for alerts level 12 and above:
<integration>
    <name>custom-slack</name>
    <hook_url>YOUR_SLACK_WEBHOOK</hook_url> <!-- Replace with your Slack Webhook -->
    <level>12</level>
    <alert_format>json</alert_format>
</integration>
Restart your manager so changes can take effect:
systemctl restart wazuh-manager
Best regards,
Sandra
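As an added example (not the custom-slack script attached to the thread), the filter logic Sandra describes, applied in Python to a few constructed alerts; rule.level, rule.groups, location and agent.name are the standard Wazuh alert fields, and checking location in addition to rule.groups is an assumption added to match the wording of the original question. The real integration is invoked once per alert with the JSON in a temp file; a list of lines is used here only for demonstration.

```python
import json

# Constructed sample alerts in the JSON shape the integration receives;
# all values are made up for this example.
SAMPLE_ALERTS = [
    '{"rule": {"level": 13, "groups": ["vulnerability-detector"], "description": "CVE affects package"}, "location": "vulnerability-detector", "agent": {"name": "web-01"}}',
    '{"rule": {"level": 14, "groups": ["syslog", "sshd", "authentication_failures"], "description": "sshd: brute force"}, "location": "/var/log/auth.log", "agent": {"name": "web-01"}}',
    '{"rule": {"level": 5, "groups": ["syslog"], "description": "low level"}, "location": "/var/log/syslog", "agent": {"name": "web-02"}}',
    '{"rule": {"level": 12, "description": "rule without groups"}, "location": "rootcheck", "agent": {"name": "web-03"}}',
]


def should_notify(alert, min_level=12, excluded=("vulnerability-detector",)):
    """Return True if the alert should be forwarded to Slack.

    The <level> option in ossec.conf already drops alerts below min_level;
    re-checking here keeps the script safe under a different configuration.
    An alert is suppressed when an excluded name is in rule.groups or equals
    location. Missing keys count as empty so a malformed alert never crashes.
    Nothing here touches alerts.json: the integration only decides whether
    to notify, the manager still writes every alert to the log.
    """
    rule = alert.get("rule", {})
    level = int(rule.get("level", 0))
    groups = set(rule.get("groups", []))
    location = alert.get("location", "")
    if level < min_level:
        return False
    if groups.intersection(excluded) or location in excluded:
        return False
    return True


def slack_payload(alert):
    """Minimal incoming-webhook body; 'text' is all the webhook requires."""
    rule = alert.get("rule", {})
    agent = alert.get("agent", {}).get("name", "unknown")
    return {"text": f"[{agent}] level {rule.get('level')}: {rule.get('description', '')}"}


def filter_alerts(lines, **kwargs):
    """Parse raw alert lines and return the payloads that would be sent."""
    sent = []
    for line in lines:
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip unparsable lines instead of aborting the run
        if should_notify(alert, **kwargs):
            sent.append(slack_payload(alert))
    return sent


if __name__ == "__main__":
    for payload in filter_alerts(SAMPLE_ALERTS):
        print(json.dumps(payload))
```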
