wazuh-notify/wazuh-notify-config.yaml

---
# Start of wazuh notifier configuration yaml.

# This is the yaml config file for wazuh-active-response (for both the Python and Go version)

targets: "slack, ntfy, discord"  # Platforms in this string with comma seperated values are triggered.
full_message: ""                 # Platforms in this string will enable sending the full event information.
full_alert: ""                   # Platforms in this string will enable sending the full event information.

# Exclude rule events that are enabled in the ossec.conf active response definition.
# These settings provide an easier way to disable events from firing the notifiers.

excluded_rules: "99999, 00000"        # Enter as a string with comma seperated values
excluded_agents: "99999"              # Enter as a string with comma seperated values

# Priority mapping from 0-15 (Wazuh threat levels) to 1-5 (in notifications) and their respective colors (Discord)
# https://documentation.wazuh.com/current/user-manual/ruleset/rules-classification.html
# Enter threat_map as lists of integers, mention_threshold as integer and color as Hex integer

priority_map:
  - threat_map: [ 15,14,13,12 ]
    mention_threshold: 1
    color: 0xec3e40 # Red, SEVERE
  - threat_map: [ 11,10,9 ]
    mention_threshold: 1
    color: 0xff9b2b # Orange, HIGH
  - threat_map: [ 8,7,6 ]
    mention_threshold: 5
    color: 0xf5d800 # Yellow, ELEVATED
  - threat_map: [ 5,4 ]
    mention_threshold: 20
    color: 0x377fc7 # Blue, GUARDED
  - threat_map: [ 3,2,1,0 ]
    mention_threshold: 20
    color: 0x01a465 # Green, LOW

# The next 2 settings are used to add information to the messages.
sender: "Wazuh (IDS)"
click: "https://documentation.wazuh.com/"

###########################################################################################
# From here on the settings are ONLY used by the Python version of wazuh-active-response. #
###########################################################################################

# Below settings provide for a window that enable/disables events from firing the notifiers.
excluded_days: ""                   # Enter as a string with comma seperated values. Be aware of your regional settings.
excluded_hours: [ "23:59", "00:00" ]  # Enter as a tuple of string values. Be aware of your regional settings.

# Following parameter defines the markdown characters to emphasise the parameter names in the notification messages
markdown_emphasis:
  slack: "*"
  ntfy: "**"
  discord: "**"

# The next settings are used for testing. Test mode will add the example event in wazuh-notify-test-event.json instead of the
# message received through wazuh. This enables testing for particular events when the test event is customized.
test_mode: False

# Enabling this parameter provides more logging to the wazuh-notifier log.
extended_logging: 2

# Enabling this parameter provides extended logging to the console.
extended_print: 0

# End of wazuh notifier configuration yaml
...
yaml added 2024-05-18 21:35:12 +02:00			`---`
			`# Start of wazuh notifier configuration yaml.`

			`# This is the yaml config file for wazuh-active-response (for both the Python and Go version)`

all is working 2024-05-22 21:05:27 +02:00			`targets: "slack, ntfy, discord" # Platforms in this string with comma seperated values are triggered.`
Small changes and cosmetic changes 2024-05-24 13:06:46 +02:00			`full_message: "" # Platforms in this string will enable sending the full event information.`
			`full_alert: "" # Platforms in this string will enable sending the full event information.`
yaml added 2024-05-18 21:35:12 +02:00
			`# Exclude rule events that are enabled in the ossec.conf active response definition.`
			`# These settings provide an easier way to disable events from firing the notifiers.`

			`excluded_rules: "99999, 00000" # Enter as a string with comma seperated values`
			`excluded_agents: "99999" # Enter as a string with comma seperated values`

			`# Priority mapping from 0-15 (Wazuh threat levels) to 1-5 (in notifications) and their respective colors (Discord)`
			`# https://documentation.wazuh.com/current/user-manual/ruleset/rules-classification.html`
all is working 2024-05-22 21:05:27 +02:00			`# Enter threat_map as lists of integers, mention_threshold as integer and color as Hex integer`
yaml added 2024-05-18 21:35:12 +02:00
			`priority_map:`
			`- threat_map: [ 15,14,13,12 ]`
			`mention_threshold: 1`
Small changes and cosmetic changes 2024-05-24 13:06:46 +02:00			`color: 0xec3e40 # Red, SEVERE`
yaml added 2024-05-18 21:35:12 +02:00			`- threat_map: [ 11,10,9 ]`
			`mention_threshold: 1`
Small changes and cosmetic changes 2024-05-24 13:06:46 +02:00			`color: 0xff9b2b # Orange, HIGH`
yaml added 2024-05-18 21:35:12 +02:00			`- threat_map: [ 8,7,6 ]`
			`mention_threshold: 5`
Small changes and cosmetic changes 2024-05-24 13:06:46 +02:00			`color: 0xf5d800 # Yellow, ELEVATED`
yaml added 2024-05-18 21:35:12 +02:00			`- threat_map: [ 5,4 ]`
			`mention_threshold: 20`
Small changes and cosmetic changes 2024-05-24 13:06:46 +02:00			`color: 0x377fc7 # Blue, GUARDED`
yaml added 2024-05-18 21:35:12 +02:00			`- threat_map: [ 3,2,1,0 ]`
			`mention_threshold: 20`
Small changes and cosmetic changes 2024-05-24 13:06:46 +02:00			`color: 0x01a465 # Green, LOW`
yaml added 2024-05-18 21:35:12 +02:00
			`# The next 2 settings are used to add information to the messages.`
			`sender: "Wazuh (IDS)"`
			`click: "https://documentation.wazuh.com/"`

all is working 2024-05-22 21:05:27 +02:00			`###########################################################################################`
			`# From here on the settings are ONLY used by the Python version of wazuh-active-response. #`
			`###########################################################################################`
yaml added 2024-05-18 21:35:12 +02:00
			`# Below settings provide for a window that enable/disables events from firing the notifiers.`
			`excluded_days: "" # Enter as a string with comma seperated values. Be aware of your regional settings.`
			`excluded_hours: [ "23:59", "00:00" ] # Enter as a tuple of string values. Be aware of your regional settings.`

all is working 2024-05-22 21:05:27 +02:00			`# Following parameter defines the markdown characters to emphasise the parameter names in the notification messages`
			`markdown_emphasis:`
			`slack: "*"`
			`ntfy: "**"`
			`discord: "**"`

yaml added 2024-05-18 21:35:12 +02:00			`# The next settings are used for testing. Test mode will add the example event in wazuh-notify-test-event.json instead of the`
			`# message received through wazuh. This enables testing for particular events when the test event is customized.`
all is working 2024-05-22 21:05:27 +02:00			`test_mode: False`
yaml added 2024-05-18 21:35:12 +02:00
			`# Enabling this parameter provides more logging to the wazuh-notifier log.`
all is working 2024-05-22 21:05:27 +02:00			`extended_logging: 2`
yaml added 2024-05-18 21:35:12 +02:00
			`# Enabling this parameter provides extended logging to the console.`
all is working 2024-05-22 21:05:27 +02:00			`extended_print: 0`
yaml added 2024-05-18 21:35:12 +02:00
			`# End of wazuh notifier configuration yaml`
			`...`