How to Push Wazuh Alerts to Your Discord Server
In this episode we will cover how to push Wazuh Alerts to your Discord server! I think this integration is super useful because 99% of us probably already use Discord. Why monitor a Wazuh Dashboard when you can monitor your network through Discord?
Example of Discord Alerts
Here is an example of what we are going to do in this episode:
Create a Discord Webhook
- Open Discord.
- Go to the server you want to use to monitor Wazuh.
- Create a text channel.
- Right click on your server.
- Go to Server Settings.
- Select the Integrations page.
- Click on Webhooks / Create Webhook.
- Click New Webhook.
- Name your webhook something like WazuhAlerts.
- Select the text channel for Wazuh alerts that we created a second ago.
- Copy the webhook URL to a notepad; we will paste it into a configuration file in a minute.
Configure Wazuh's Dashboard Integration settings
Login to your Wazuh dashboard and go to the following location:
(Server Management / Settings)
On the top right, click (Edit configuration).
We are going to paste the following block after the <global> </global> section:
<integration>
  <name>custom-discord</name>
  <hook_url>https://discord.com/api/webhooks/XXXXXXXXXXX</hook_url>
  <alert_format>json</alert_format>
</integration>
Replace the placeholder URL between the <hook_url> </hook_url> tags with the webhook URL you copied earlier.
- Click Save.
- Restart Manager.
SSH into your Wazuh Dashboard Machine
Next we need to SSH into the Wazuh machine/VM (the host running the Wazuh manager, where /var/ossec lives) to configure the following settings.
After you log in, change into the integrations directory, /var/ossec/integrations.
List the files that are already there so you can compare later.
We need to grab the custom Discord integration scripts for these notifications from the maikroservice wazuh-integrations repository; the Python script is fetched with:
wget https://raw.githubusercontent.com/maikroservice/wazuh-integrations/main/discord/custom-discord.py
We can then verify they are downloaded. They show up white in the directory listing because they are not executable yet.
Then we need to ensure they have the proper ownership and permissions to execute:
sudo chmod 750 /var/ossec/integrations/custom-*
sudo chown root:wazuh /var/ossec/integrations/custom-*
Now we can verify them one more time (they have turned green instead of white because they have the right permissions now).
Because this is a Python script, we also need to install its Python dependency (the requests library) with pip. (You may get a "Running pip as the root user..." warning, but it's fine, do not worry about it.)
Lastly, we need to restart Wazuh with wazuh-control so the new integration is loaded:
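As an added example (not the maikroservice script the page downloads, and not Wazuh's own code), here is a minimal custom integration in the shape Wazuh expects for a custom-* script: it reads the JSON alert file, builds a Discord embed coloured by rule level, and posts it to the webhook. It assumes the argument order Wazuh's integratord uses (alert file, API key, hook URL); the sample alert and its values are constructed.

```python
#!/usr/bin/env python3
# Added example, not the script the page downloads: a minimal Wazuh -> Discord custom integration.
# Wazuh's integratord runs /var/ossec/integrations/<name> as  <name> <alert_file> <api_key> <hook_url>
# and, with <alert_format>json</alert_format>, writes the alert as one JSON object to <alert_file>.
import json
import sys
import urllib.request

DISCORD_WEBHOOK_PREFIX = "https://discord.com/api/webhooks/"
# Constructed sample alert (shape follows Wazuh's JSON alerts; the values are made up).
SAMPLE_ALERT = {
    "timestamp": "2024-01-01T12:00:00.000+0000",
    "rule": {"id": "5760", "level": 5, "description": "sshd: authentication failed."},
    "agent": {"id": "001", "name": "web-01"},
    "data": {"srcip": "203.0.113.7", "dstuser": "root"},
    "full_log": "Jan  1 12:00:00 web-01 sshd[4242]: Failed password for root from 203.0.113.7 port 51234 ssh2",
}

def level_colour(level: int) -> int:  # rule level -> embed colour (red / orange / green)
    return 0xE01E5A if level >= 12 else 0xF59E0B if level >= 7 else 0x2ECC71

def build_payload(alert: dict) -> dict:
    """Turn one Wazuh JSON alert into a Discord webhook body with a single embed."""
    rule, agent = alert.get("rule", {}), alert.get("agent", {})
    level = int(rule.get("level", 0))
    fields = [{"name": "Agent", "value": f"{agent.get('name', '?')} ({agent.get('id', '?')})", "inline": True},
              {"name": "Level", "value": str(level), "inline": True},
              {"name": "Rule", "value": str(rule.get("id", "?")), "inline": True}]
    srcip = alert.get("data", {}).get("srcip")
    if srcip:
        fields.append({"name": "Source IP", "value": srcip, "inline": True})
    return {"embeds": [{"title": rule.get("description", "Wazuh alert"),
                        "description": alert.get("full_log", "")[:1000],  # keep under Discord's embed limits
                        "color": level_colour(level),
                        "fields": fields,
                        "footer": {"text": alert.get("timestamp", "")}}]}

def send(hook_url: str, payload: dict) -> int:
    """POST the payload; refuse non-Discord URLs so a typo in ossec.conf cannot ship alerts elsewhere."""
    if not hook_url.startswith(DISCORD_WEBHOOK_PREFIX):
        raise ValueError("hook_url is not a Discord webhook URL")
    req = urllib.request.Request(hook_url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status  # Discord answers 204 No Content on success

if __name__ == "__main__":  # argv layout as described above; the API key is unused for Discord
    alert_file, _api_key, hook_url = sys.argv[1:4]
    with open(alert_file) as fh:
        send(hook_url, build_payload(json.load(fh)))
```

Save it under the same name as the <name> in ossec.conf and apply the chmod/chown from above. The webhook URL is a secret, so keep ossec.conf and the integrations directory out of world-readable locations.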
Verify Discord Alerts
Next we can go to our Discord channel and see a confirmation alert that the Wazuh service restarted:
I am going to attempt to SSH into one of our machines with the Wazuh agent installed and type the wrong password to mimic failed login attempts from a malicious actor.
We will see that we get notified in Discord for these failed attempts within just a few seconds.
Conclusion
That is it! I hope you guys enjoyed, if you would like to learn more please see the links down below.