Merge remote-tracking branch 'origin/master'

README.md

@@ -0,0 +1,335 @@
+# Wazuh notify
+*version 1.0* 
+
+## Table of Contents
+
+- [Introduction](#introduction)
+- [Installation](#installation)
+    - [Step 1: download](#step-1-download)
+    - [Step 2: copy files](#step-2-copy-files)
+        - [Python](#python_1)
+        - [Golang](#golang_1)
+    - [Step 3: copy the TOML file](#step-3-copy-the-toml-configuration-file)
+    - [Step 4: create .env file](#step-4-create-env-file)
+- [Wazuh configuration](#wazuh-configuration)
+    - [Golang](#golang_2)
+    - [Python](#python_2)
+    - [Note](#note)
+- [The TOML configuration file](#the-toml-configuration)
+- [Setting up the platforms](#setting-up-the-platforms-receiving-the-notifications)
+
+## Introduction
+
+Wazuh notifier enables the Wazuh manager to be notified when Wazuh selected events occur, using 3 messaging platforms:
+[ntfy.sh](https://ntfy.sh), [Discord](https://discord.com) and [Slack](https://slack.com).
+
+There are 2 implementations of Wazuh notify. One written in Golang, the other in Python. Both implementations have
+similar functionality, but the Python version is slightly more configurable for testing purposes.
+
+Wazuh notify is a stateless implementation and only notifies: triggered by specific rules, agents, or threat levels.
+
+Wazuh notify is executed by configuring the **ossec.conf** and adding an **active response configuration**.
+
+## Installation
+
+### Step 1: download
+
+Download the files from https://github.com/kleinprojects/wazuh-notify to your server.
+
+### Step 2: copy files
+
+#### _Python_ {id="python_1"}
+
+Copy the 2 Python scripts to the /var/ossec/active-response/bin/ folder
+
+``` 
+$ sudo cp <download folder>/wazuh-*.py /var/ossec/active-response/bin/
+```
+
+Set the correct ownership {id="set-the-correct-ownership_1"}
+
+```
+$ sudo chown root:wazuh /var/ossec/active-response/bin/wazuh-notify.py
+$ sudo chown root:wazuh /var/ossec/active-response/bin/wazuh_notify_module.py
+```
+
+Set the correct permissions {id="set-the-correct-permissions_1"}
+
+```
+$ sudo chmod uog+rx /var/ossec/active-response/bin/wazuh-notify.py
+$ sudo chmod uog+rx /var/ossec/active-response/bin/wazuh_notify_module.py
+```
+
+#### _Golang_ {id="golang_1"}
+
+Copy the Go executable to the /var/ossec/active-response/bin/ folder
+
+``` 
+$ sudo cp <download folder>/wazuh-notify /var/ossec/active-response/bin/
+```
+
+Set the correct ownership {id="set-the-correct-ownership_2"}
+
+```
+$ sudo chown root:wazuh /var/ossec/active-response/bin/wazuh-notify
+```
+
+Set the correct permissions {id="set-the-correct-permissions_2"}
+
+```
+$ sudo chmod uog+rx /var/ossec/active-response/bin/wazuh-notify
+```
+
+### Step 3: copy the TOML configuration file
+
+Copy the TOML file to /var/ossec/etc/
+
+```
+$ sudo cp <download folder>/wazuh-notify-config.toml /var/ossec/etc/
+```
+
+Set the correct ownership {id="set-the-correct-ownership_3"}
+
+```
+$ sudo chown root:wazuh /var/ossec/etc/wazuh-notify-config.toml
+```
+
+Set the correct permissions {id="set-the-correct-permissions_3"}
+
+```
+$ sudo chmod uog+r /var/ossec/etc/wazuh-notify-config.toml
+```
+
+### Step 4: create .env file
+
+Create an .env file in /var/ossec/etc/
+
+```
+$ sudo touch /var/ossec/etc/.env
+```
+
+Set the correct ownership {id="set-the-correct-ownership_4"}
+
+```
+$ sudo chown root:wazuh /var/ossec/etc/wazuh-notify-config.toml
+```
+
+Set the correct permissions {id="set-the-correct-permissions_4"}
+
+```
+$ sudo chmod uog+r /var/ossec/etc/wazuh-notify-config.toml
+```
+
+## Wazuh configuration
+
+#### _Golang_ {id="golang_2"}
+
+Modify the /var/ossec/etc/ossec.conf configuration file and add the following:<br/>
+
+*Command section*
+
+```
+<command>
+<name>wazuh-notify-go</name>
+<executable>wazuh-notify</executable>
+<timeout_allowed>yes</timeout_allowed>
+</command>
+```
+
+*Active response section*
+
+```
+<active-response>
+<command>wazuh-notify-go</command>
+<location>server</location>
+<level></level>
+<rules_id></rules_id>
+</active-response>
+```
+
+#### _Python_ {id="python_2"}
+
+*Command section*
+
+```
+<command>
+<name>wazuh-notify-py</name>
+<executable>wazuh-notify.py</executable>
+<timeout_allowed>yes</timeout_allowed>
+</command>
+```
+
+*Active response section*
+
+```
+<active-response>
+<command>wazuh-notify-py</command>
+<location>server</location>
+<level></level>
+<rules_id></rules_id>
+</active-response>
+```
+
+#### NOTE: <format color="OrangeRed">!</format>
+The ```<name>``` in the ```<command>``` section needs to be the same as the ```<command>``` in
+the ```<active-response>``` section.
+The ```<command>``` section describes the program that is executed. The ```<active-response>``` section describes the
+trigger that runs the ```<command>```.
+
+Add the rules you want to be informed about between the ```<rules_id></rules_id>```, with the rules id's separated by
+comma's.  
+Example: ```<rules_id>5402, 3461, 8777</rules_id>```.
+
+Please refer to
+the [Wazuh online documentation](https://documentation.wazuh.com/current/user-manual/capabilities/active-response/index.html)
+for more information.
+
+## The TOML configuration
+
+This is the toml configuration file for wazuh-notify (for both the Python and Golang version).
+
+The targets setting defines the platforms where notifications will be sent to.
+Platforms in this comma-separated string will receive notifications, if and when they are set up. 
+Refer to [setting up the platforms](#setting-up-the-platforms-receiving-the-notifications).
+
+```
+targets: "slack, ntfy, discord"
+```
+
+Platforms in this comma-separated string will receive the full event information.
+
+```
+full_alert: "" 
+```
+
+Exclude_rules and excluded_agents will disable notification for these particular events or agents that are enabled in
+the ossec.conf active response definition.
+These settings provide an easier way to disable event notifications from firing. No need to restart Wazuh-manager.
+
+Enter rule numbers as a string with comma-separated values.
+Enter numeric agent id's as a string with comma-separated values.
+
+```
+excluded_rules: "99999, 00000"
+excluded_agents: "99999"
+```
+
+[The threat levels used in Wazuh](https://documentation.wazuh.com/current/user-manual/ruleset/rules-classification.html) 
+(0-15) are mapped to notification priority levels (1-5), and their respective colors (Discord only).
+The Wazuh threat level scale runs from 0-15, where 15 is the most severe threat. It corresponds to the 
+[HSAS](https://en.wikipedia.org/wiki/Homeland_Security_Advisory_System) threat scale that runs from 5-1, whereby 1 is 
+the highest threat level. The configuration allows for customized mapping: in some use cases the mapping could be different.
+
+The mention threshold defines when Discord users receive a DM, next to the common messages they receive in their channel.
+Often these common channels are muted and DM's will draw more attention. 1 means that for every notification a DM will be sent.
+A mention threshold of 5 means that for every 5th occurrence of this specific event, a DM will be sent also.
+
+The notify threshold is somewhat similar to the mention threshold. A notify threshold of 1 will send each notification, 
+a notify threshold of 4 will only send each 4th notification triggered by a specific event. This will reduce high amounts
+of notifications for the same event. The fired_times value in the message will show the actual number of the times this 
+specific event was generated.
+
+Enter a threat_map as a list of integers,  
+color as a hex RGB color values,
+mention/notify_threshold as integers.
+```
+[[priority_map]]                # Priority 1 on the HSAS scale
+threat_map = [15, 14, 13, 12]   # Wazuh threat levels -> priority 2
+color = 0xec3e40                # Red, SEVERE on the HSAS scale
+mention_threshold = 1           
+notify_threshold = 1
+
+[[priority_map]]                # Priority 2 on the HSAS scale
+threat_map = [11, 10, 9]        # Wazuh threat levels -> priority 2
+color = 0xff9b2b                # Orange, HIGH on the HSAS scale
+mention_threshold = 1
+notify_threshold = 1
+
+[[priority_map]]                # Priority 3 on the HSAS scale
+threat_map = [8, 7, 6]          # Wazuh threat levels -> priority 3
+color = 0xf5d800                # Yellow, ELEVATED on the HSAS scale
+mention_threshold = 5
+notify_threshold = 5
+
+[[priority_map]]                # Priority 4 on the HSAS scale
+threat_map = [5, 4]             # Wazuh threat levels -> priority 4
+color = 0x377fc7                # Blue, GUARDED on the HSAS scale
+mention_threshold = 20
+notify_threshold = 5
+
+[[priority_map]]                # Priority 5 on the HSAS scale
+threat_map = [3, 2, 1, 0]       # Wazuh threat levels -> priority 5
+color = 0x01a465                # Green, LOW on the HSAS scale
+mention_threshold = 20
+notify_threshold = 1
+```
+
+The next settings are used to add information to the messages.
+```Sender``` translate to the ``` username ``` field in Discord and Slack and to the ```title``` field in ntfy.sh. 
+The ```click``` parameter adds an arbitrary URL to the message.
+
+```
+sender: "Wazuh (IDS)"
+click: "https://documentation.wazuh.com/"
+```
+
+### From here on the settings are ONLY used by the Python version of wazuh-notify.
+
+Below settings provide for a window that enable/disables events from firing the notifiers.
+
+Enter ```excluded_days``` as a string with comma separated values. Be aware of your regional settings.
+
+```
+excluded_days: "" 
+```
+
+Enter ```excluded_hours``` as a tuple of string values.
+
+```
+excluded_hours: [ "23:59", "00:00" ]
+```
+
+The following parameters define the markdown characters used to emphasise the parameter names in the notification
+messages (Markdown style). This is a dictionary notation.
+
+```
+markdown_emphasis:
+slack: "*"
+ntfy: "**"
+discord: "**"
+```
+
+The next settings are used for testing purposes.
+
+```Test mode``` will add an example event (```wazuh-notify-test-event.json```) instead of the message received through Wazuh.
+This enables customization for testing of a particular event.
+
+```
+test_mode: False
+```
+
+Setting the ```extended_logging``` and ```extended_print``` parameters provides more logging to the wazuh-notifier log
+and console. The possible values are:
+
+0-> limited logging   
+1-> basic logging   
+2-> verbose logging
+
+```
+extended_logging: 2
+extended_print: 0
+```
+
+### Setting up the platforms receiving the notifications
+
+Each of the 3 platforms make use of webhooks or similar API's. In order to have the right information in the ```.env```
+file, please refer to the platform's documentation.
+
+[Slack](https://api.slack.com/) API documentation
+
+[ntfy.sh](https://docs.ntfy.sh/subscribe/api/) API documentation
+
+[ntfy.sh](https://docs.ntfy.sh/examples/) examples
+
+[Discord](https://discord.com/developers/docs/intro) developers documentation
+

Writerside/images/Darius-logo-wit.svg

@@ -0,0 +1 @@
+<?xml version="1.0" encoding="UTF-8"?><svg id="Layer_1" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 917.15 284.56"><defs><style>.cls-1{font-family:LucidaSans-TypewriterBoldOblique, 'Lucida Sans Typewriter';font-size:100px;font-weight:700;letter-spacing:-.35em;}.cls-1,.cls-2,.cls-3{fill:#000;}.cls-1,.cls-3{font-style:italic;}.cls-2,.cls-4{stroke-width:0px;}.cls-4{fill:#c1272d;}.cls-3{font-family:LucidaSans-Typewriter, 'Lucida Sans Typewriter';font-size:48px;letter-spacing:0em;}</style></defs><g id="Black_on_white"><path class="cls-2" d="M77.52,219.48c-5.21-4.1-8.9-9.38-11.11-15.84-7.45-1.07-11.52-4.16-11.52-9.06,0-1.86.63-4.51,1.88-7.93l2.59-6.53,5.06-12.82c4.16-10.41,6.24-17.99,6.24-22.73,0-12.98-6.9-21.99-20.71-27.04,7.02-2.18,13.13-5.35,18.36-9.51,5.22-4.16,9.22-9.1,11.98-14.82,2.77-5.72,4.15-14.18,4.15-25.39l.12-12.84v-6.54c0-4.12.72-7.41,2.16-9.86,1.44-2.45,3.46-4.3,6.06-5.54,2.6-1.24,7.44-1.87,14.51-1.87h13.29l4.5-23.13h-15.63c-13.45,0-24.1,1.4-31.95,4.2-7.85,2.8-14.03,7.24-18.54,13.32-2.41,3.27-4.2,6.76-5.37,10.45-1.17,3.7-1.75,10.45-1.75,20.26l.58,17.29c0,9.34-1.23,16.14-3.69,20.38-2.46,4.24-6.05,7.32-10.77,9.23-4.72,1.91-11.26,2.86-19.61,2.86H4.68l-4.68,23.13h13.82c9.84,0,16.59,1.3,20.27,3.91,3.67,2.61,5.51,6.24,5.51,10.91s-1.57,10.38-4.7,17.62l-7.64,17.27c-4.23,9.72-6.35,17.19-6.35,22.4,0,8.48,3.31,14.89,9.93,19.25,6.62,4.35,18.22,6.53,34.81,6.53l30.59,1.05-1.11-.67c-7.26-1.78-13.13-4.42-17.6-7.94Z"/><path class="cls-2" d="M419.63,107.95c-9.88,0-16.67-1.31-20.35-3.93-3.69-2.62-5.53-6.28-5.53-10.97s1.57-10.44,4.72-17.71l7.67-17.36c4.25-9.69,6.37-17.2,6.37-22.52,0-8.52-3.32-14.97-9.97-19.35-6.65-4.38-18.3-6.57-34.96-6.57h-15.72l-4.77,23.22h13.4c11.91,0,17.87,3.09,17.87,9.26,0,1.95-.67,4.65-2.01,8.09l-2.48,6.56-5.2,12.89c-4.1,10.39-6.15,18.01-6.15,22.86,0,13.05,6.89,22.08,20.68,27.08-7.05,2.34-13.19,5.6-18.43,9.77-5.25,4.17-9.24,9.11-11.98,14.81-2.74,5.7-4.11,14.16-4.11,25.4l-.12,12.88-.12,6.56c0,4.14-.7,7.43-2.11,9.89-1.41,2.46-3.42,4.31-6.03,5.56-2.62,1.25-7.47,1.87-14.58,1.87h-.08c3.09,7.48,7.35,14.43,10.56,21.85,0,0,.96-.39,0,0,9.57-.58,14.74-.96,20.61-3.31,7.81-3.13,13.86-7.81,18.15-14.06,4.29-6.25,6.44-16.13,6.44-29.64l-.59-17.34c0-9.37,1.23-16.21,3.7-20.5,2.47-4.3,6.09-7.38,10.87-9.26,4.78-1.87,11.32-2.81,19.63-2.81h13.75l4.59-23.22h-13.76Z"/><path class="cls-4" d="M284.81,9.12c14.71,0,29.41-.02,44.12.04.92,0,1.84.61,2.76.93-.73,1.38-1.57,2.7-2.16,4.14-13.69,33.35-27.31,66.74-41.07,100.06-1.27,3.08-1.27,5.59,0,8.66,11.28,27.24,22.37,54.56,33.6,81.82,3.09,7.51,7.96,15.86,11.18,23.32-1,0-3.38-.01-4.3-.01-14.71.06-29.41.04-44.12.04-8.56-20.86-17.09-41.73-25.69-62.57-6.4-15.5-12.89-30.97-19.34-46.45,0-.32,0-.65,0-.97.69-1.43,1.45-2.83,2.05-4.3,14.34-34.9,28.66-69.8,42.99-104.71Z"/><path class="cls-4" d="M253.48,9.29l-43.8,219h-84.79c-20.42,0-35.14-3.55-44.17-10.65-9.03-7.1-13.54-17.76-13.54-31.96,0-15.88,4.08-30.83,12.22-44.84,8.15-14.01,19.73-24.93,34.75-32.78,15.01-7.84,35.51-11.76,61.49-11.76h16.74l17.33-87.01h43.76ZM186.58,125.45h-10.82c-10.38,0-20.14,1.68-29.28,5.03-9.14,3.35-16.65,9.69-22.53,19.01-5.88,9.32-8.82,18.37-8.82,27.15,0,4.83.92,8.88,2.74,12.13,1.83,3.26,4.89,5.79,9.19,7.62,4.3,1.82,13.76,2.74,28.39,2.74h16.46l14.67-73.69Z"/><text class="cls-1" transform="translate(97.23 86.19)"><tspan x="0" y="0">```</tspan></text><text class="cls-3" transform="translate(18.16 272.78)"><tspan x="0" y="0">Klein Projects</tspan></text></g></svg>

Writerside/topics/Wazuh-notifier.md

@@ -1,33 +1,37 @@
 # Wazuh notify
+*version 1.0*
+
+<img align="left" alt="Darius-logo-black.svg" height="200" src="Darius-logo-black.svg" width="300"/>
+
 
 ## Table of Contents
 
 - [Introduction](#introduction)
 - [Installation](#installation)
-    - [Step 1](#step-1-download)
+    - [Step 1: download](#step-1-download)
-    - [Step 2](#step-2-copy-files)
+    - [Step 2: copy files](#step-2-copy-files)
         - [Python](#python_1)
         - [Golang](#golang_1)
-    - [Step 3](#step-3)
+    - [Step 3: copy the TOML file](#step-3-copy-the-toml-configuration-file)
-    - [Step 4](#step-4)
+    - [Step 4: create .env file](#step-4-create-env-file)
-- [Configuration](#configuration)
+- [Wazuh configuration](#wazuh-configuration)
     - [Golang](#golang_2)
     - [Python](#python_2)
     - [Note](#note)
-- [The YAML configuration](#the-yaml-configuration)
+- [The TOML configuration file](#the-toml-configuration)
 - [Setting up the platforms](#setting-up-the-platforms-receiving-the-notifications)
 
 ## Introduction
 
-Wazuh notifier enables the Wazuh manager to be notified when selected events occur, using 3 messaging platforms:
+Wazuh notifier enables the Wazuh manager to be notified when Wazuh selected events occur, using 3 messaging platforms:
 [ntfy.sh](https://ntfy.sh), [Discord](https://discord.com) and [Slack](https://slack.com).
 
-There are 2 implementations of Wazuh notify. One written in Golang and the other in Python. Both implementations have
+There are 2 implementations of Wazuh notify. One written in Golang, the other in Python. Both implementations have
-similar functionality, but the Python version is slightly more configurable.
+similar functionality, but the Python version is slightly more configurable for testing purposes.
 
-Wazuh notify is a stateless implementation and only notifies, triggered by selected rules, agents, or threat levels.
+Wazuh notify is a stateless implementation and only notifies: triggered by specific rules, agents, or threat levels.
 
-Wazuh notify is triggered by configuring the **ossec.conf** and adding an **active response configuration.**
+Wazuh notify is executed by configuring the **ossec.conf** and adding an **active response configuration**.
 
 ## Installation
 
@@ -79,27 +83,27 @@ Set the correct permissions {id="set-the-correct-permissions_2"}
 $ sudo chmod uog+rx /var/ossec/active-response/bin/wazuh-notify
 ```
 
-### Step 3
+### Step 3: copy the TOML configuration file
 
-Copy the YAML file to /var/ossec/etc/
+Copy the TOML file to /var/ossec/etc/
 
 ```
-$ sudo cp <download folder>/wazuh-notify-config.yaml /var/ossec/etc/
+$ sudo cp <download folder>/wazuh-notify-config.toml /var/ossec/etc/
 ```
 
 Set the correct ownership {id="set-the-correct-ownership_3"}
 
 ```
-$ sudo chown root:wazuh /var/ossec/etc/wazuh-notify-config.yaml
+$ sudo chown root:wazuh /var/ossec/etc/wazuh-notify-config.toml
 ```
 
 Set the correct permissions {id="set-the-correct-permissions_3"}
 
 ```
-$ sudo chmod uog+r /var/ossec/etc/wazuh-notify-config.yaml
+$ sudo chmod uog+r /var/ossec/etc/wazuh-notify-config.toml
 ```
 
-### Step 4
+### Step 4: create .env file
 
 Create an .env file in /var/ossec/etc/
 
@@ -110,16 +114,16 @@ $ sudo touch /var/ossec/etc/.env
 Set the correct ownership {id="set-the-correct-ownership_4"}
 
 ```
-$ sudo chown root:wazuh /var/ossec/etc/wazuh-notify-config.yaml
+$ sudo chown root:wazuh /var/ossec/etc/wazuh-notify-config.toml
 ```
 
 Set the correct permissions {id="set-the-correct-permissions_4"}
 
 ```
-$ sudo chmod uog+r /var/ossec/etc/wazuh-notify-config.yaml
+$ sudo chmod uog+r /var/ossec/etc/wazuh-notify-config.toml
 ```
 
-## Configuration
+## Wazuh configuration
 
 #### _Golang_ {id="golang_2"}
 
@@ -169,8 +173,7 @@ Modify the /var/ossec/etc/ossec.conf configuration file and add the following:<b
 </active-response>
 ```
 
-#### NOTE:
+#### NOTE: <format color="OrangeRed">!</format>
-
 The ```<name>``` in the ```<command>``` section needs to be the same as the ```<command>``` in
 the ```<active-response>``` section.
 The ```<command>``` section describes the program that is executed. The ```<active-response>``` section describes the
@@ -178,17 +181,19 @@ trigger that runs the ```<command>```.
 
 Add the rules you want to be informed about between the ```<rules_id></rules_id>```, with the rules id's separated by
 comma's.  
-Example: ```<rules_id>5402, 3461, 8777</rules_id><br/>```
+Example: ```<rules_id>5402, 3461, 8777</rules_id>```.
+
 Please refer to
 the [Wazuh online documentation](https://documentation.wazuh.com/current/user-manual/capabilities/active-response/index.html)
 for more information.
 
-## The YAML configuration
+## The TOML configuration
 
-This is the yaml config file for wazuh-active-response (for both the Python and Go version)
+This is the toml configuration file for wazuh-notify (for both the Python and Golang version).
 
 The targets setting defines the platforms where notifications will be sent to.
-Platforms in this comma-separated string will receive notifications.
+Platforms in this comma-separated string will receive notifications, if and when they are set up. 
+Refer to [setting up the platforms](#setting-up-the-platforms-receiving-the-notifications).
 
 ```
 targets: "slack, ntfy, discord"
@@ -197,7 +202,7 @@ targets: "slack, ntfy, discord"
 Platforms in this comma-separated string will receive the full event information.
 
 ```
-full_message: "" 
+full_alert: "" 
 ```
 
 Exclude_rules and excluded_agents will disable notification for these particular events or agents that are enabled in
@@ -212,42 +217,59 @@ excluded_rules: "99999, 00000"
 excluded_agents: "99999"
 ```
 
-There is a mapping
+[The threat levels used in Wazuh](https://documentation.wazuh.com/current/user-manual/ruleset/rules-classification.html) 
-from [Wazuh threat levels](https://documentation.wazuh.com/current/user-manual/ruleset/rules-classification.html) (0-15)
+(0-15) are mapped to notification priority levels (1-5), and their respective colors (Discord only).
-to priorities (1-5) in notifications.
+The Wazuh threat level scale runs from 0-15, where 15 is the most severe threat. It corresponds to the 
-The colors are derived from
+[HSAS](https://en.wikipedia.org/wiki/Homeland_Security_Advisory_System) threat scale that runs from 5-1, whereby 1 is 
-the [Homeland Security Advisory System](https://en.wikipedia.org/wiki/Homeland_Security_Advisory_System).
+the highest threat level. The configuration allows for customized mapping: in some use cases the mapping could be different.
 
-Enter the values for the threat_map as lists of integers, mention_thresholds as integers and colors as Hex integers.
+The mention threshold defines when Discord users receive a DM, next to the common messages they receive in their channel.
+Often these common channels are muted and DM's will draw more attention. 1 means that for every notification a DM will be sent.
+A mention threshold of 5 means that for every 5th occurrence of this specific event, a DM will be sent also.
 
-The mention_threshold, relates to the number of times a rule has been fired. When the times fired is equal to or greater
+The notify threshold is somewhat similar to the mention threshold. A notify threshold of 1 will send each notification, 
-than the mention_threshold, the recipient will receive a Discord mention in addition to the normal message.
+a notify threshold of 4 will only send each 4th notification triggered by a specific event. This will reduce high amounts
-
+of notifications for the same event. The fired_times value in the message will show the actual number of the times this 
-This setting is a list notation.
+specific event was generated.
 
+Enter a threat_map as a list of integers,  
+color as a hex RGB color values,
+mention/notify_threshold as integers.
 ```
-priority_map:
+[[priority_map]]                # Priority 1 on the HSAS scale
-  - threat_map: [ 15,14,13,12 ]
+threat_map = [15, 14, 13, 12]   # Wazuh threat levels -> priority 2
-    mention_threshold: 1
+color = 0xec3e40                # Red, SEVERE on the HSAS scale
-    color: 0xec3e40 # Red, SEVERE
+mention_threshold = 1           
-  - threat_map: [ 11,10,9 ]
+notify_threshold = 1
-    mention_threshold: 1
+
-    color: 0xff9b2b # Orange, HIGH
+[[priority_map]]                # Priority 2 on the HSAS scale
-  - threat_map: [ 8,7,6 ]
+threat_map = [11, 10, 9]        # Wazuh threat levels -> priority 2
-    mention_threshold: 5
+color = 0xff9b2b                # Orange, HIGH on the HSAS scale
-    color: 0xf5d800 # Yellow, ELEVATED
+mention_threshold = 1
-  - threat_map: [ 5,4 ]
+notify_threshold = 1
-    mention_threshold: 20
+
-    color: 0x377fc7 # Blue, GUARDED
+[[priority_map]]                # Priority 3 on the HSAS scale
-  - threat_map: [ 3,2,1,0 ]
+threat_map = [8, 7, 6]          # Wazuh threat levels -> priority 3
-    mention_threshold: 20
+color = 0xf5d800                # Yellow, ELEVATED on the HSAS scale
-    color: 0x01a465 # Green, LOW
+mention_threshold = 5
+notify_threshold = 5
+
+[[priority_map]]                # Priority 4 on the HSAS scale
+threat_map = [5, 4]             # Wazuh threat levels -> priority 4
+color = 0x377fc7                # Blue, GUARDED on the HSAS scale
+mention_threshold = 20
+notify_threshold = 5
+
+[[priority_map]]                # Priority 5 on the HSAS scale
+threat_map = [3, 2, 1, 0]       # Wazuh threat levels -> priority 5
+color = 0x01a465                # Green, LOW on the HSAS scale
+mention_threshold = 20
+notify_threshold = 1
 ```
 
-The next 2 settings are used to add information to the messages.
+The next settings are used to add information to the messages.
-Sender translate to the ``` username ``` field in Discord and to the ```title``` field in ntfy.sh. It is not used for
+```Sender``` translate to the ``` username ``` field in Discord and Slack and to the ```title``` field in ntfy.sh. 
-Slack.
+The ```click``` parameter adds an arbitrary URL to the message.
-Click adds an arbitrary URL to the message.
 
 ```
 sender: "Wazuh (IDS)"
@@ -264,15 +286,14 @@ Enter ```excluded_days``` as a string with comma separated values. Be aware of y
 excluded_days: "" 
 ```
 
-Enter ```excluded_hours``` as a tuple of string values. Be aware of your regional settings.
+Enter ```excluded_hours``` as a tuple of string values.
 
 ```
 excluded_hours: [ "23:59", "00:00" ]
 ```
 
 The following parameters define the markdown characters used to emphasise the parameter names in the notification
-messages (Markdown style)
+messages (Markdown style). This is a dictionary notation.
-This is a dictionary (object) notation.
 
 ```
 markdown_emphasis:
@@ -283,29 +304,26 @@ discord: "**"
 
 The next settings are used for testing purposes.
 
-Test mode will add an example event (wazuh-notify-test-event.json) instead of the message received through Wazuh.
+```Test mode``` will add an example event (```wazuh-notify-test-event.json```) instead of the message received through Wazuh.
-This enables testing for particular events when the test event is customized.
+This enables customization for testing of a particular event.
 
 ```
 test_mode: False
 ```
 
-Setting this parameter provides more logging to the wazuh-notifier log. Possible values are
+Setting the ```extended_logging``` and ```extended_print``` parameters provides more logging to the wazuh-notifier log
-0 (almost no logging),
+and console. The possible values are:
-1 (basic logging) and
+
-2 (verbose logging)
+0-> limited logging   
+1-> basic logging   
+2-> verbose logging
 
 ```
 extended_logging: 2
-```
-
-Enabling this parameter provides extended logging to the console (see extended logging).
-
-```
 extended_print: 0
 ```
 
-## Setting up the platforms receiving the notifications
+### Setting up the platforms receiving the notifications
 
 Each of the 3 platforms make use of webhooks or similar API's. In order to have the right information in the ```.env```
 file, please refer to the platform's documentation.
@@ -317,3 +335,4 @@ file, please refer to the platform's documentation.
 [ntfy.sh](https://docs.ntfy.sh/examples/) examples
 
 [Discord](https://discord.com/developers/docs/intro) developers documentation
+