Enrich Opensearch/Wazuh Alerting module notification using Painless Scripts (Mustache templates)


Use Case:

Enrich slack notifications with Wazuh FIM & Vulnerability alerts details.

Painless scripts (Mustache templates):

  • Wazuh File Integrity Monitoring alerts information:
Wazuh File Integrity Monitoring

{{#ctx.results.0.hits.hits}}
- Index: {{_index}}
- Document: {{_id}} 
- Alert Description : {{_source.rule.description}} 
- Alert id : {{_source.rule.id}}
- FIM path : {{_source.syscheck.path}}
- FIM event: {{_source.syscheck.event}}
- Alert Timestamp : {{_source.@timestamp}}
{{/ctx.results.0.hits.hits}}
  • Wazuh Vulnerability alerts information:
Wazuh Vulnerability

{{#ctx.results.0.hits.hits}}
- Index: {{_index}}
- Document: {{_id}} 
- Alert Description : {{_source.rule.description}} 
- Alert id : {{_source.rule.id}}
- Vulnerability Severity: {{_source.data.vulnerability.severity}}
- Vulnerability CVE: {{_source.data.vulnerability.cve}}
- Alert Timestamp : {{_source.@timestamp}}
{{/ctx.results.0.hits.hits}}

Opensearch/Wazuh Monitor Queries:

  • FIM:
{
    "query": {
    "bool": {
      "must": [],
      "filter": [
        {
          "match_all": {}
        },
        {
          "match_phrase": {
            "rule.groups": "syscheck"
          }
        },
        {
          "range": {
            "timestamp": {
              "gt": "now-5m",
              "lte": "now",
              "format": "strict_date_optional_time"
            }
          }
        }
      ]
    }
    }
}
  • Vulnerability:
{
    "query": {
    "bool": {
      "must": [],
      "filter": [
        {
          "match_all": {}
        },
        {
          "match_phrase": {
            "rule.groups": "vulnerability-detector"
          }
        },
        {
          "range": {
            "timestamp": {
              "gt": "now-5m",
              "lte": "now",
              "format": "strict_date_optional_time"
            }
          }
        }
      ]
    }
    }
}

Alerting Module Configuration:

The monitor must be configured using Extraction query editor. Then add & test the query:

Define a simple trigger whenever the query return values higher than 0:

Add your painless script, then send a test message:

Slack notification result:

DEMO:

Hope you find it useful 🙂

,

Leave a Reply

Your email address will not be published. Required fields are marked *