Alerts based on agents_group

[Alejandro Olmos Sánchez]

In my environment we have different departaments that are responsible of certains servers/computers.

Those servers / computers are separated in agents group.

We have to configure alerts of certain computers / agent group to different emails based on the agent group

Is there any way?

[Leonardo Daniel Sancho]

Hello Alejandro Olmos Sánchez, I'll run some tests in a lab environment and let you know about the results.

[Alejandro Olmos Sánchez]

All right thanks, I'll keep an eye on this thread

[Leonardo Daniel Sancho]

Hello Alejandro Olmos Sanchez, after some research we may have some options available that could potentially allow you to achieve this functionality.

Wazuh can be configured to send email alerts to one or more email addresses when certain rules are triggered or for daily event reports. You can read more about it here: https://documentation.wazuh.com/current/user-manual/manager/manual-email-report/index.html

Among the available options you may use Email alert based on level and agent, which could allow you to point emails to relevant people based on the agent for example.

With SNS, Wazuh can send real-time alert notifications securely to users via SMS to their mobile devices. This enables responding promptly to critical security events detected by Wazuh agents across an environment. Using SNS topics decouples Wazuh from the underlying notification endpoints, allowing more flexibility in managing notifications.

Alternatively to this you can leverage the integration with SNS. You can read more about it here: https://wazuh.com/blog/wazuh-integration-with-aws-sns/

Should you have further questions let us know!

Have a great day!

[Alejandro Olmos Sánchez]

Hello,

I have seen that there are <eventlocation> tag where we can specify the agent name, that good. But isn't there any way to specify an agent group?, imagine editing this value every time we add an agent.

The aim of this is just alert the specified email address about agents they are reponsible of, and not sending them alerts about agents they aren't

alert...@domain.com > alerts about webs servers

alert...@domain.com > alerts about workstations

Something like this example

Regards

[Leonardo Daniel Sancho]

Hello  Alejandro Olmos Sánchez, another alternative to the ones that were already provided relates to the alerting features which are part of the Wazuh dashboard, with this you may create a monitor, which is a job that runs on a defined schedule and queries Wazuh indexes, then create one or more triggers, which define the conditions that generate events and finally you can create actions, which is what happens after an alert is triggered.

This will require some level of customization on your part, you may find the relevant documentation to achieve said functionality with the end result being email alerts to the relevant recipients here: https://opensearch.org/docs/latest/observing-your-data/alerting/index/

To be able to access this section of your Wazuh Dashboard, in versions previous to 4.8 can be done on the Hamburger menu located at the top left corner of your dashboard and by selecting Alerting. In version 4.8 head to the Hamburger menu located at the top left corner of your dashboard and select Alerting on the Explore section.

Have a great day!