Sending alerts to third party apps


IT Linguaserve

Feb 26, 2026, 11:04:06 AM
to Wazuh | Mailing List
Hello,
I'm just getting started with configuring a Wazuh service. I have a pretty good idea of how it works, but I'm not able to get the system to send alerts to external applications (Teams and JSM Ops). I already have the scripts ready to send events to both systems, but I can't see them running.
In "/var/ossec/etc/ossec.conf" I have the following configuration block for the integrations:
 <integration>
  <name>jsm-ops</name>
  <level>12</level>
  <alert_format>json</alert_format>
 </integration>
 <integration>
  <name>teams-alert</name>
  <alert_format>json</alert_format>
  <level>7</level>
 </integration>

This configuration refers to two scripts that should send alerts to one service or another. The scripts have been tested manually and run correctly.

Do you have any idea what might be missing for these integrations to work?




Olamilekan Abdullateef Ajani

Feb 26, 2026, 12:17:04 PM
to Wazuh | Mailing List
Hello Sistemas,

When integrating with external applications like Teams, you need more than the integration block. I will just run through the requirements, and please let me know what you have done so far.

Prep the integration script and place it in the directory: /var/ossec/integrations/
Ensure you map the appropriate permissions to the script:

sudo chown root:wazuh /var/ossec/integrations/custom-teams.py 
sudo chmod 750 /var/ossec/integrations/custom-teams.py

Add the integration block to the /var/ossec/etc/ossec.conf

<integration>
  <name>custom-teams</name>
  <hook_url>YOUR_TEAMS_WEBHOOK_URL_HERE</hook_url>
  <level>10</level>
  <alert_format>json</alert_format>
</integration>


This has the hook URL from Teams and also the alert level.
You can find more information regarding external connector integration in the documentation here, which expands the scope on custom configuration. Other configurations would be done on Teams.

That being said, you can check out the URL below for a Teams integration reference:
https://www.cylenth.blog/posts/wazuh-microsoft-teams-integration-workflows

If you encounter any challenges, you can check the integration logs: tail -f /var/ossec/logs/integrations.log

IT Linguaserve

Mar 3, 2026, 10:38:44 AM
to Wazuh | Mailing List
Is the "hook_url" block needed for the integration to work?
I have the webhook url added to my script for security.

Olamilekan Abdullateef Ajani

Mar 3, 2026, 11:21:25 AM
to Wazuh | Mailing List
Hello Sistemas,

I am not sure how you have programmed this into your script, but the hook_url is required for communication with the software being integrated (in this case, Teams). 

You can check some references below on this integration:

IT Linguaserve

Mar 5, 2026, 12:22:39 PM
to Wazuh | Mailing List
The script I've prepared to send alerts to Teams is as follows:


#!/bin/bash

WEBHOOK="<YOUR_TEAMS_WEBHOOK_URL>"

read INPUT

TITLE=$(echo "$INPUT" | jq -r '.rule.description')
AGENT=$(echo "$INPUT" | jq -r '.agent.name')
EVENTID=$(echo "$INPUT" | jq -r '.data.win.system.eventID')
MESSAGE=$(echo "$INPUT" | jq -r '.data.win.system.message')

JSON=$(cat <<EOF
{
  "@type": "MessageCard",
  "themeColor": "ff0000",
  "summary": "Wazuh Critical Alert",
  "title": "$TITLE",
  "text": "**Agente:** $AGENT\n\n**EventID:** $EVENTID\n\n**Mensaje:**\n$MESSAGE"
}
EOF
)

curl -H "Content-Type: application/json" -d "$JSON" "$WEBHOOK"

If I execute it by hand, it works, but when I test it from Wazuh it doesn't.

Olamilekan Abdullateef Ajani

Mar 5, 2026, 3:58:26 PM
to Wazuh | Mailing List
Hello Sistemas,

We may need to check the integration log to properly understand why the integration did not trigger as it should: /var/ossec/logs/integrations.log

Then also share the integration block in your ossec.conf file for review. And also the permissions for the script: ls -l /var/ossec/integrations/

I shared an improved script; there is an issue with your script's input method, which explains why it worked locally and not via Wazuh.

Save the script to /var/ossec/integrations/custom-teams-script and ensure it has the right permissions as described earlier.

Add the integration block, restart the Wazuh manager, and test. If you encounter any issues, please check the logs and share: /var/ossec/logs/integrations.log

<integration>
  <name>custom-teams</name>
  <level>7</level>
  <alert_format>json</alert_format>
</integration>

Regards,

custom-teams-script.sh
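
The input-method issue raised in the reply above, as an added example (not the attached script, which is not reproduced on this page, and not Wazuh's own code): integratord hands an integration the alert as a file path in the first argument, the api_key in the second and the hook_url in the third, so the script opens that file and serializes the card with a JSON library. Assumptions: the file is installed as /var/ossec/integrations/custom-teams to match the reply's `<name>custom-teams</name>` (Wazuh requires custom integration names to begin with `custom-`), the webhook is supplied through `<hook_url>`, and the `n/a` fallback and https check are choices made here.

```python
#!/usr/bin/env python3
import json
import sys
import urllib.request


def load_alert(path):
    # integratord passes the alert as a file path in argv[1], so the script
    # opens that file rather than reading the alert from stdin.
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def field(alert, dotted, default="n/a"):
    # Walk a dotted path; non-Windows alerts have no data.win subtree.
    node = alert
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return str(node)


def build_card(alert):
    # Returned as a dict and serialized with json.dumps in main(), so quotes,
    # backslashes and newlines inside the log message are escaped correctly.
    text = "**Agent:** {}\n\n**EventID:** {}\n\n**Message:**\n{}".format(
        field(alert, "agent.name"),
        field(alert, "data.win.system.eventID"),
        field(alert, "data.win.system.message"),
    )
    return {"@type": "MessageCard", "themeColor": "ff0000",
            "summary": "Wazuh Critical Alert",
            "title": field(alert, "rule.description"), "text": text}


def main(argv):
    # argv[1] = alert file, argv[2] = api_key (unused here), argv[3] = hook_url
    if len(argv) < 4 or not argv[3].startswith("https://"):
        sys.exit("usage: custom-teams <alert_file> <api_key> <https hook_url>")
    body = json.dumps(build_card(load_alert(argv[1]))).encode("utf-8")
    req = urllib.request.Request(
        argv[3], data=body, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return 0 if resp.status == 200 else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```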

IT Linguaserve

Mar 9, 2026, 7:55:30 AM
to Wazuh | Mailing List
So, I've just updated the script and after some tweaking it works when executing it manually.
Is there any way to test it from the alert flow?
This is the integration declaration in ossec.conf:

 <integration>
  <name>teams-alert</name>
  <alert_format>json</alert_format>
  <level>7</level>
 </integration>


In the integration.log, after executing the script, it shows these messages:

2026-03-09 12:30:03 - Teams Integration: Script called with args: test-data/test-teams.json
2026-03-09 12:30:03 - Teams Integration: Using alert file: test-data/test-teams.json
2026-03-09 12:30:03 - Teams Integration: Sending alert: Rule 100001, Level 1, Agent Servidor-Test
2026-03-09 12:30:09 - Teams Integration: SUCCESS: Alert sent to Teams (HTTP 200)


These are the permissions for the integrations located in ‘/var/ossec/integrations/’.


-rwxr-x--- 1 root wazuh  3506 mar  9 11:40 jsm-ops
-rwxr-xr-- 1 root wazuh  1045 ene  8 20:06 maltiverse
-rwxr-xr-- 1 root wazuh 20926 ene  8 20:06 maltiverse.py
-rwxr-xr-- 1 root wazuh  1045 ene  8 20:06 pagerduty
-rwxr-xr-- 1 root wazuh  6449 ene  8 20:06 pagerduty.py
-rwxr-xr-- 1 root wazuh  1045 ene  8 20:06 shuffle
-rwxr-xr-- 1 root wazuh  7249 ene  8 20:06 shuffle.py
-rwxr-xr-- 1 root wazuh  1045 ene  8 20:06 slack
-rwxr-xr-- 1 root wazuh  6835 ene  8 20:06 slack.py
-rwxr-x--- 1 root wazuh  3637 mar  9 10:09 teams-alert
drwxr-xr-x 2 root root   4096 mar  9 10:51 test-data
-rwxr-xr-- 1 root wazuh  1045 ene  8 20:06 virustotal
-rwxr-xr-- 1 root wazuh 10691 ene  8 20:06 virustotal.py

