Question on Wazuh Alerts, Notification, Colour coding

109 views

Skip to first unread message

Julius Czar Ravara

unread,

Feb 2, 2023, 7:20:46 PM2/2/23

to Wazuh mailing list

Good Day Everyone,

I am just new to the new the team and the company I am working is young as well which I wanted to help - I am also new using Wazuh.

Is there any way to or even possible to:

1. Send all valid/known alerts to Viber? valid/known alerts would be like:

(I don't think email would do just to avoid it being swamped)

agent disconnection
log sources that are down or aren't sending logs after x number of minutes
RDP/SSH connection has an accept data action outside of business hours and over the weekends
successful sudo to root and sshd
successful login outside of the country on 0365
and the like

2. Set a color coding script to all valid/known alerts on wazuh for easy alert detection say:

Low severity is Green
Medium severity is Orange
High severity is Light Red
Critical is Red

Any links, references, suggestions are welcome team :)

José Fernández

unread,

Feb 6, 2023, 10:27:33 AM2/6/23

to Wazuh mailing list

Hello man.juliu...@gmail.com,

As we talked in slack community https://wazuh.slack.com/archives/C0A933R8E/p1675397032183459 (Linked for users in search of the same answer).

To achieve that matter you will need to develop an integration script with Viber.

Firstly, ensure you can send requests and information to Viber API or another method. After that you only need to know each rule ID of each case, e.g.:

- Agent disconnection -> ID 500 https://github.com/wazuh/wazuh/blob/v4.3.10/ruleset/rules/0015-ossec_rules.xml#L40

- Log sources -> You will need to include some logic in the script.

- Connection outside hours -> ID 5700 https://github.com/wazuh/wazuh/blob/v4.3.10/ruleset/rules/0095-sshd_rules.xml#L139 and time logic.

- Root login -> Same with SSHD and `sudo` ID 5500 https://github.com/wazuh/wazuh/blob/v4.3.10/ruleset/rules/0085-pam_rules.xml#L17

- Login in O365 -> It will require extra development https://github.com/wazuh/wazuh/blob/v4.3.10/ruleset/rules/0755-office365_rules.xml

For the color generation, you need to review the Viber features, which maybe you find useful https://developers.viber.com/docs/api/rest-bot-api/#send-message

Additional links may be helpful:

- https://wazuh.com/blog/how-to-integrate-external-software-using-integrator/

- https://documentation.wazuh.com/current/user-manual/manager/manual-integration.html

- https://wazuh.com/blog/monitor-office-365-with-wazuh/

I hope it helps, don't hesitate to ask us if you have any doubts.

Reply all

Reply to author

Forward

0 new messages