Windows +10 Level alerts wont send slack


Valton T.

Mar 23, 2023, 6:02:12 AM
to Wazuh mailing list
Hi,

I do not know what the problem could be. For example, this specified rule ID should send an alert to Slack, since it works with Linux machines, but it won't work with Windows machines and I do not know why. I want to send an alert to Slack from the rule alert below, but it doesn't alert in Slack. The Slack hook is configured in wazuh-manager and I also specified the rule ID in the Slack integration.

Thanks
Screenshot from 2023-03-23 10-58-11.png

Abdullah Al Noman

Mar 23, 2023, 6:51:17 AM
to Wazuh mailing list

Hello Valton,

Hope you are good today.
I am working on your issue. I will get back to you once I gather more information on this.

Regards,

Abdullah Al Noman

Mar 23, 2023, 7:35:47 AM
to Wazuh mailing list

Valton,

Generally there is no such Slack integration based on Linux or Windows machines. If you configure the Wazuh server correctly, it should show the intended alerts to your Slack. 

To verify your Slack configuration, share your configuration details here with me. Remember to mask any sensitive information before sharing.

Additionally, check if the integrations.log file has any output using cat /var/ossec/logs/integrations.log.

Looking forward to your response.

Valton T.

Mar 23, 2023, 7:46:42 AM
to Wazuh mailing list
Hi,
Below you will find the logs and also the integrations conf in the manager.
Screenshot from 2023-03-23 12-46-05.png
Screenshot from 2023-03-23 12-43-44.png

Valton T.

Mar 23, 2023, 7:56:41 AM
to Wazuh mailing list

Alerts are working for Linux agents but not Windows!

Abdullah Al Noman

Mar 23, 2023, 9:02:38 AM
to Wazuh mailing list
Thank you for your reply. 
Let me know your current Wazuh server version. If possible, please share any Windows log that you want to generate an alert from.
I am going to simulate your issue from my end. I will give you an update as soon as possible.

Regards,

Valton T.

Mar 23, 2023, 9:07:39 AM
to Wazuh mailing list
I'm running the last version of Wazuh,
and the alerts are from the Windows Defender event log: rule_id 62123

Abdullah Al Noman

Mar 23, 2023, 12:56:24 PM
to Wazuh mailing list
Hi Valton,

From my end, I was able to receive alerts in Slack. I could not trigger the same rule ID 62123; however, I did generate alerts with rule ID 60106. Both rule IDs belong to Windows events. I used the same configuration as shown below.
  <integration>
    <name>slack</name>
    <hook_url>SLACK_WEB_HOOK</hook_url> <!-- Replace with your Slack hook URL -->
    <alert_format>json</alert_format>
    <level>3</level>
    <rule_id>60106</rule_id>
  </integration>
Find an image attached of alerts generated due to a Windows 10 activity.

I would recommend that you regenerate a new Slack webhook URL, place it in the Wazuh server, and restart the server using systemctl restart wazuh-manager.

Hope this resolves your problem.

Kind regards,
slack-alerts.jpeg
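An added example, not from this thread and not Wazuh's own code: a small Python checker that reads alerts.json-style lines and applies the level, rule_id and group filters of an integration block, so you can see which alerts the manager would hand to the Slack script before touching the webhook. The sample alerts and their rule levels are constructed, and the AND semantics of the filters (every configured filter must hold) is an assumption.

```python
import json
import xml.etree.ElementTree as ET

# Constructed alerts.json lines (not real Wazuh output); rule levels are invented.
SAMPLE_ALERTS = "\n".join(json.dumps(a) for a in [
    {"agent": {"name": "linux01"}, "rule": {"id": "5710", "level": 5, "groups": ["sshd"]}},
    {"agent": {"name": "win10-01"}, "rule": {"id": "62123", "level": 12, "groups": ["windows", "windows_defender"]}},
    {"agent": {"name": "win10-01"}, "rule": {"id": "60106", "level": 3, "groups": ["windows"]}},
    {"agent": {"name": "win10-02"}, "rule": {"id": "60106", "level": 2, "groups": ["windows"]}},
])

# Same integration block as in the reply above (hook URL left as a placeholder).
INTEGRATION_XML = """<integration>
  <name>slack</name>
  <hook_url>SLACK_WEB_HOOK</hook_url>
  <alert_format>json</alert_format>
  <level>3</level>
  <rule_id>60106</rule_id>
</integration>"""

def parse_integration(xml_text):
    """Extract the three alert filters from one <integration> block (None = not set)."""
    root = ET.fromstring(xml_text)
    def text(tag):
        el = root.find(tag)
        return el.text.strip() if el is not None and el.text else None
    split = lambda s: {x.strip() for x in s.split(",") if x.strip()}
    return {
        "level": int(text("level")) if text("level") else None,
        "rule_ids": split(text("rule_id")) if text("rule_id") else None,
        "groups": split(text("group")) if text("group") else None,
    }

def matches(alert, filt):
    """Assumed semantics: every configured filter must hold (AND); unset filters pass."""
    rule = alert["rule"]
    if filt["level"] is not None and int(rule["level"]) < filt["level"]:
        return False
    if filt["rule_ids"] is not None and str(rule["id"]) not in filt["rule_ids"]:
        return False
    if filt["groups"] is not None and not filt["groups"] & set(rule.get("groups", [])):
        return False
    return True

def forwarded(alerts_text, xml_text):
    """Return (agent, rule_id) for each alert line the integration would forward."""
    filt = parse_integration(xml_text)
    return [(a["agent"]["name"], a["rule"]["id"])
            for a in (json.loads(l) for l in alerts_text.splitlines() if l.strip())
            if matches(a, filt)]
```

With rule_id restricted to 60106, the Defender alert 62123 is dropped even though its level is far above 3, which is the first thing to check when a Windows rule never reaches Slack; listing it in rule_id (for example `60106,62123`) lets it through, and the level-2 alert is still dropped by the level filter.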