Remove wazuh-slack active response script from next Wazuh version #16645

Open
TheMuntu opened this issue Apr 6, 2023 · 0 comments

Comments

TheMuntu commented Apr 6, 2023

| Wazuh version | Component | Install type | Install method | Platform |
|---|---|---|---|---|
| 4.4.x | Wazuh agent (active response) | Manager/Agent | Packages/Sources | Linux/Unix |

Description

The Integrator daemon allows Wazuh to connect to external APIs and alerting tools such as Slack, PagerDuty, VirusTotal, and Shuffle.
The integration with Slack uses Incoming Webhooks and allows posting Wazuh alerts into a Slack channel using the following sample configuration in /var/ossec/etc/ossec.conf:

<integration>
  <name>slack</name>
  <hook_url>WEBHOOK_URL</hook_url> <!-- Replace with your Slack hook URL -->
  <alert_format>json</alert_format>
</integration>

This integration uses the optional filter fields to determine which alerts should be sent to the external platforms. Only the alerts that meet the filter conditions are sent. If no filters are specified, all alerts are sent.

At the same time, there is also a wazuh-slack active response, which is available only for Linux/Unix endpoints and requires additional parameters or specific use cases when forwarding alerts to a Slack channel.

This issue aims to remove the limited wazuh-slack active response script from the next Wazuh versions and ensure that users rely on the Slack Integration to forward Wazuh alerts into a Slack channel.

Current usage of wazuh-slack

To use the current wazuh-slack active response, follow the steps below:

  1. Generate a webhook_url for the Slack workspace where alerts would be sent by using the steps here.
  2. Prepare an Ubuntu 22.04 endpoint with the Wazuh agent installed and enrolled.
  3. Add the configuration below to your Wazuh manager configuration file /var/ossec/etc/ossec.conf:

     <command>
       <name>wazuh-slack</name>
       <executable>wazuh-slack</executable>
       <extra_args><WEBHOOK_URL></extra_args>
     </command>

     <active-response>
       <command>wazuh-slack</command>
       <location>local</location>
       <rules_id>554</rules_id>
     </active-response>

     This configuration limits the execution of the active response to when a file creation alert is triggered. <WEBHOOK_URL> is the webhook URL for the Slack workspace.
  4. Restart the Wazuh manager to apply the configuration changes:

     systemctl restart wazuh-manager
  5. Add a directory to be monitored in the Ubuntu 22.04 agent configuration file /var/ossec/etc/ossec.conf:

     <directories realtime="yes" check_all="yes">/home/vagrant</directories>
  6. Restart the Wazuh agent:

     systemctl restart wazuh-agent
  7. To generate the alerts, create a new file in the monitored directory:

     echo test >> /home/vagrant/test.txt
     echo test >> /home/vagrant/test2.txt
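The following is an added example, not the wazuh-slack script shipped with Wazuh and not code from the issue author. It shows the two pieces the issue contrasts: the filter step that the Slack integration performs with its optional filter fields (here mirrored for rule id and alert level), and the active-response flow of the steps above (webhook URL arriving through `<extra_args>`, file-creation alert from rule 554, POST to a Slack Incoming Webhook). The layout of the JSON document the manager writes to the active response's stdin (`parameters.alert`, `parameters.extra_args`) is an assumption about Wazuh 4.x, as are the sample alert and the `hooks.slack.example` URL, which are constructed for the test.

```python
"""Minimal Slack forwarder for Wazuh alerts (added example; not Wazuh's own wazuh-slack)."""
import json
import sys
import urllib.request

# Constructed sample alert in the shape of a Wazuh syscheck "file added" alert (rule 554).
SAMPLE_ALERT = {
    "timestamp": "2023-04-06T10:15:00.000+0000",
    "rule": {"id": "554", "level": 5, "description": "File added to the system.",
             "groups": ["ossec", "syscheck"]},
    "agent": {"id": "001", "name": "ubuntu-2204"},
    "syscheck": {"path": "/home/vagrant/test.txt", "event": "added"},
    "location": "syscheck",
}


def make_manager_message(alert, webhook_url):
    """Build the stdin document a Wazuh 4.x manager hands to an active response.

    Assumption (not stated on the issue page): the document is JSON whose
    "parameters" object carries the triggering "alert" and the <extra_args>
    list from the <command> block, here the webhook URL.
    """
    params = {"alert": alert, "program": "wazuh-slack"}
    if webhook_url is not None:
        params["extra_args"] = [webhook_url]
    return json.dumps({"version": 1, "origin": {"name": "wazuh-manager", "module": "wazuh-execd"},
                       "command": "add", "parameters": params})


def alert_matches(alert, rule_ids=None, min_level=0):
    """Forward only alerts that pass the filters (rule id allow-list, minimum level)."""
    rule = alert.get("rule", {})
    if rule_ids and str(rule.get("id")) not in {str(r) for r in rule_ids}:
        return False
    return int(rule.get("level", 0)) >= min_level


def build_slack_payload(alert):
    """Turn a Wazuh alert into a Slack Incoming Webhook body (top-level text plus one attachment)."""
    rule = alert.get("rule", {})
    agent = alert.get("agent", {})
    level = int(rule.get("level", 0))
    # Colour by severity so high-level alerts stand out in the channel.
    color = "danger" if level >= 12 else "warning" if level >= 7 else "good"
    fields = [
        {"title": "Agent", "value": f"{agent.get('name', '?')} ({agent.get('id', '?')})", "short": True},
        {"title": "Rule", "value": f"{rule.get('id', '?')} (level {level})", "short": True},
    ]
    path = alert.get("syscheck", {}).get("path")
    if path:
        fields.append({"title": "File", "value": path, "short": False})
    return {
        "text": f"Wazuh alert: {rule.get('description', 'no description')}",
        "attachments": [{"color": color, "fields": fields,
                         "footer": alert.get("timestamp", "")}],
    }


def post_to_slack(webhook_url, payload):
    """POST the JSON body to the webhook over HTTPS; Slack answers 200 with body 'ok' on success."""
    req = urllib.request.Request(
        webhook_url, data=json.dumps(payload).encode("utf-8"),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status == 200


def handle_active_response(stdin_text, rule_ids=("554",), sender=post_to_slack):
    """Active-response entry point: parse the manager's JSON, filter, forward.

    Returns True when the alert was sent, False when the filters dropped it.
    `sender` is injectable so the flow can be exercised offline.
    """
    params = json.loads(stdin_text).get("parameters", {})
    extra = params.get("extra_args", [])
    # Refuse to run without an HTTPS webhook: the URL is the only secret in this flow.
    if not extra or not str(extra[0]).startswith("https://"):
        raise ValueError("extra_args must carry an https:// Slack webhook URL")
    alert = params.get("alert", {})
    if not alert_matches(alert, rule_ids=rule_ids):
        return False
    return sender(extra[0], build_slack_payload(alert))


if __name__ == "__main__":
    # Dry run: print the payload that would be posted instead of calling Slack.
    sent = handle_active_response(sys.stdin.read(),
                                  sender=lambda url, body: print(json.dumps(body, indent=2)) or True)
    print("sent" if sent else "filtered")
```

Run it as a dry run with `python3 forwarder.py <<< "$(python3 -c 'import forwarder; print(forwarder.make_manager_message(forwarder.SAMPLE_ALERT, "https://hooks.slack.example/services/T000/B000/XXXX"))')"` (file name assumed) to see the Slack body without any network call; swapping `sender` back to `post_to_slack` is the only change needed to post for real. Keeping the filter in one function makes the point of the issue visible: the same rule-id/level check is what the `<integration>` block's filter fields already do on the manager, without a per-endpoint script.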

Result of the active response

[image: result of the active response]

Slack alerts

[image: Slack alerts]

General notes

  • Any suggestions for a more descriptive name of this active response can be added as a comment below.
  • Any comments and use cases that need to be accounted for in this issue should be added as a comment below.