Sending alerts to third party apps
28 views
Skip to first unread message
IT Linguaserve
Feb 26, 2026, 11:04:06 AM (6 days ago) Feb 26
to Wazuh | Mailing List
Hello,
I'm just getting started with configuring a Wazuh service. I have a pretty good idea of how it works, but I'm not able to get the system to send alerts to external applications (Teams and JSM Ops). I already have the scripts ready to send events to both systems, but I can't see them running.
On "/var/ossec/etc/ossec.conf" I have the following configuration block for the integrations:
<integration>
<name>jsm-ops</name>
<level>12</level>
<alert_format>json</alert_format>
</integration>
<integration>
<name>teams-alert</name>
<alert_format>json</alert_format>
<level>7</level>
</integration>
<name>jsm-ops</name>
<level>12</level>
<alert_format>json</alert_format>
</integration>
<integration>
<name>teams-alert</name>
<alert_format>json</alert_format>
<level>7</level>
</integration>
This configuration refers to two scripts that should send alerts to one service or another. The scripts have been tested manually and run correctly.
Do you have any idea what might be missing for these integrations to work?
Do you have any idea what might be missing for these integrations to work?
Olamilekan Abdullateef Ajani
Feb 26, 2026, 12:17:04 PM (6 days ago) Feb 26
to Wazuh | Mailing List
Hello Sistemas,
Prep the integration script and place it in the directory: /var/ossec/integrations/
sudo chown root:wazuh /var/ossec/integrations/custom-teams.py
When integrating with external applications like Teams, you need more than the integration block. I will just run through the requirements, and please let me know what you have done so far.
Ensure you map the appropriate permissions to the script:
sudo chmod 750 /var/ossec/integrations/custom-teams.py
<integration>
<name>custom-teams</name>
<hook_url>YOUR_TEAMS_WEBHOOK_URL_HERE</hook_url>
<level>10</level>
<alert_format>json</alert_format>
</integration>
If you encounter any challenges, you can check the integration logs: tail -f /var/ossec/logs/integrations.log
Add the integration block to the /var/ossec/etc/ossec.conf
<integration>
<name>custom-teams</name>
<hook_url>YOUR_TEAMS_WEBHOOK_URL_HERE</hook_url>
<level>10</level>
<alert_format>json</alert_format>
</integration>
This has the hook URL from Teams and also the alert level.
You can find more information regarding external connector integration in the documentation here, which expands the scope on custom configuration. Other configurations would be done on Teams.
That being said, you can check out the URL before for team integration reference:
https://www.cylenth.blog/posts/wazuh-microsoft-teams-integration-workflows
https://www.cylenth.blog/posts/wazuh-microsoft-teams-integration-workflows
IT Linguaserve
Mar 3, 2026, 10:38:44 AM (yesterday) Mar 3
to Wazuh | Mailing List
Is the "hook_url" block needed for the integration to work?
I have the webhook url added to my script for security.
Olamilekan Abdullateef Ajani
Mar 3, 2026, 11:21:25 AM (yesterday) Mar 3
to Wazuh | Mailing List
Hello Sistemas,
I am not sure how you have programmed this into your script, but the hook_url is required for communication with the software being integrated (in this case, Teams).
You can check some references below on this integration:
https://github.com/wazuh/wazuh/discussions/14753#discussioncomment-14322447
https://www.cylenth.blog/posts/wazuh-microsoft-teams-integration-workflows
https://www.cylenth.blog/posts/wazuh-microsoft-teams-integration-workflows
Reply all
Reply to author
Forward
0 new messages