Wazuh and Shuffle

[Tom Powers]

Does anyone have experience sending Wazuh alerts through integration to Shuffle?

All insight is appreciated

[Matias Pereyra]

Hello Thomas!

You can integrate Wazuh with many external applications.

What you have to do is to configure an integration that will send through a python script all the alerts you have filtered for that purpose.

The configuration block looks like this, you need to add it in ossec.conf and replace all the corresponding values, like the hook_url or the name of the script. You can change the minimum level for the alert to be sent to a value lower than 9. See the documentation section for more information

<!--Custom external Integration -->
<integration>
  <name>custom-shuffle</name>
  <hook_url>WEBHOOK</hook_url>
  <level>9</level>
  <alert_format>json</alert_format>
</integration>

Then you need the scripts, you can write your own using this case as an example: How to integrate external software using Integrator. See https://github.com/wazuh/wazuh/tree/4.3/integrations for examples with Pagerduty, Slack, and VirusTotal. All of them are really similar because they take the alerts and make a POST request.

Also, the Shuffle repository has an integration in their repository you can use as starting point: https://github.com/Shuffle/Shuffle/tree/master/functions/extensions/wazuh (you have examples on the web also, like this Shuffle + Wazuh + TheHIVE + Cortex = Automation Bliss).

I hope you find this information useful.
Regards.