Alerts by emails

[Jordan Empresas]

Hello Wazuh teams,

Please anyone help me in this case:

I am trying to configure one alert of level 6 by email and my default configuration is that all alerts over level 12 are sent by email and I need the alerts of level 6 ID number 92657 sent by email too.

the configuration that I crew is:

But never come to the email

Best regards.

[Kris Deugau]

I'm currently struggling with a similar problem (see
https://groups.google.com/g/wazuh/c/X_hKOE0JX1Y/m/XaTuvuieAgAJ).

As per
https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/email-alerts.html,
https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/alerts.html,
and
https://documentation.wazuh.com/current/user-manual/manager/manual-email-report/index.html
you MUST either:

- set the global <email_alert_level> equal or lower than the level of
any event you want to generate an email (and probably remove the global
<email_to>, so that address doesn't get flooded with email)

or

- override the rule definition and either set the level higher, or add
"<options>alert_by_email</options>" to the new definition

For your case, sending email for a specific rule (or list of rules)
should work fine by lowering the <email_alert_level> to 6 in the
<alerts> section. You will probably also want to remove the <email_to>
in the <global> section as well, so that address doesn't get flooded.
However, removing that global <email_to> seems like it might have some
unwanted side effects around how email gets sent, so it's not clear if
that's correct or not.

-kgd

Jordan Empresas wrote:
> Hello Wazuh teams,
>
> Please anyone help me in this case:
>
> I am trying to configure one alert of level 6 by email and my default
> configuration is that all alerts over level 12 are sent by email and I
> need the alerts of level 6 ID number 92657 sent by email too.
>
> the configuration that I crew is:

> image.png
>
> But never come to the email
>
> Best regards.
>
>
>

> --
> You received this message because you are subscribed to the Google
> Groups "Wazuh | Mailing List" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to wazuh+un...@googlegroups.com
> <mailto:wazuh+un...@googlegroups.com>.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/wazuh/CAB9Qty6ywuf1_D7qkRBD3sYihfrpmTs1RtwU0nwts1wiQ6rQ_Q%40mail.gmail.com
> <https://groups.google.com/d/msgid/wazuh/CAB9Qty6ywuf1_D7qkRBD3sYihfrpmTs1RtwU0nwts1wiQ6rQ_Q%40mail.gmail.com?utm_medium=email&utm_source=footer>.

[Julián Morales]

Hi,

In Wazuh, the `email_alert_level` setting in your manager configuration specifies the minimum level an alert must have to trigger an email notification. By default, if set to 12, only alerts of level 12 and above will trigger an email. However, you can override this setting for specific rules using the `alert_by_email` option within the rule configuration.

**Option 1:**
Create a child rule derived from the original rule with ID 92657, specifying that an email should be sent when this rule is triggered, as follows:

```xml
<rule id="100010" level="6">
  <if_sid>92657</if_sid>
  <description>sshd: Attempt to login using a non-existent user</description>
  <options>alert_by_email</options>
  <description>Successful Remote Logon Detected - User:$(win.eventdata.subjectDomainName)\$(win.eventdata.targetUserName) - NTLM authentication, possible pass-the-hash attack - Possible RDP connection. Verify that $(win.eventdata.workstationName) is allowed to perform RDP connections</description>
    <mitre>
      <id>T1550.002</id>
      <id>T1078.002</id>
      <id>T1021.001</id>
    </mitre>
    <group>
```

**Option 2:**
Modify the original rule to include the `alert_by_email` option. However, be cautious as updates to Wazuh overwrite your changes in the `/var/ossec/ruleset/` directory. Here's how you can do it:

1. Navigate to your rules configuration directory, typically located at `/var/ossec/ruleset/rules/0840-win_event_channel.xml`.
2. Locate the rule with ID 92657.
3. Add the `<options>alert_by_email</options>` option to the rule configuration, like so:

```xml
<rule id="92657" level="6">
   ...
   <options>alert_by_email</options>
   ...
</rule>
```

After making the changes, save the file and restart Wazuh Manager to apply the changes:

```bash
systemctl restart wazuh-manager
```

Now, despite the global `email_alert_level` setting, rule 92657 will trigger an email alert whenever it's activated.

For more detailed instructions, you can refer to the [Wazuh documentation on configuring email alerts](https://documentation.wazuh.com/current/user-manual/ruleset/custom.html#email-alerts).

I trust this resolves your issue. Please feel free to reach out if you have any further questions

Best regards,
Julián Morales

--
You received this message because you are subscribed to the Google Groups "Wazuh | Mailing List" group.

To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/CAB9Qty6ywuf1_D7qkRBD3sYihfrpmTs1RtwU0nwts1wiQ6rQ_Q%40mail.gmail.com.

[Julián Morales]

Hello!

I have seen the rule, you have an extra space in the closing of the </options> tag, which makes the XML no longer valid. Eliminate that space and tell me how it went.

On Fri, Oct 20, 2023 at 5:17 PM Jordan Empresas <jordanem...@gmail.com> wrote:

Thank you Julian for your response,

when I try to place the modification in:

/var/ossec/ruleset/rules/0840-win_event_channel.xml

and then:

systemctl restart wazuh-manager

and I go to the panel

It doesn't allow me to save the changes and I am a full administrator user

[Jordan Empresas]

Hello Julián,

I corrected the line:

I saved the changes and now I get this error:

Error: 3013 - Wazuh Internal Error
    at createError (https://wazuh.jordan.cl/45301/bundles/plugin/wazuh/wazuh.plugin.js:2:28658)
    at settle (https://wazuh.jordan.cl/45301/bundles/plugin/wazuh/wazuh.plugin.js:8:19613)
    at XMLHttpRequest.onloadend (https://wazuh.jordan.cl/45301/bundles/plugin/wazuh/wazuh.plugin.js:2:26451)

TypeError: Cannot read properties of undefined (reading 'items')
    at _callee$ (https://wazuh.jordan.cl/45301/bundles/plugin/wazuh/wazuh.chunk.10.js:5:2188358)
    at tryCatch (https://wazuh.jordan.cl/45301/bundles/plugin/customImportMapDashboards/customImportMapDashboards.plugin.js:13:760622)
    at Generator.invoke [as _invoke] (https://wazuh.jordan.cl/45301/bundles/plugin/customImportMapDashboards/customImportMapDashboards.plugin.js:13:764638)
    at Generator.next (https://wazuh.jordan.cl/45301/bundles/plugin/customImportMapDashboards/customImportMapDashboards.plugin.js:13:761817)
    at table_with_search_bar_asyncGeneratorStep (https://wazuh.jordan.cl/45301/bundles/plugin/wazuh/wazuh.chunk.10.js:5:2182115)
    at _next (https://wazuh.jordan.cl/45301/bundles/plugin/wazuh/wazuh.chunk.10.js:5:2182447)

This is my first time trying to make this type of configuration, maybe there is something I'm doing wrong?

when I make changes to the file location "cd /var/ossec/ruleset/rules/"  "nano 0840-win_event_channel.xml"  It gives me the error and does not display anything on the wazuh-rules dashboard

when I put it back as it was

and save the changes, the error is removed and all the rules appear again

My question is this file "0840-win_event_channel.xml" in this path "/var/ossec/ruleset/rules/" Can be modified? or am I doing something wrong? I have all administrator privileges

[Jordan Empresas]

Hello Julián

I already solved the problem, thanks for your support