Overview

The Wazuh provider enables seamless integration between Keep and Wazuh. It allows you to get alerts from Wazuh to Keep via custom integration making it easier to track security-related activities in one place.

Please refer to the Wazuh Docs if you want to learn more about Wazuh Custom Integrations.

In workflows

This provider can’t be used as a “step” or “action” in workflows. If you want to use it, please let us know by creating an issue in the GitHub repository.

Connecting Wazuh to Keep

To connect Wazuh to Keep, you need to configure it as a custom integration in Wazuh. Follow the steps below to set up the integration:

  1. Keep webhook scripts need to installed on the Wazuh server.

  2. You can download the Keep webhook scripts using the following command:

wget -O custom-keep.py https://github.com/keephq/keep/blob/main/keep/providers/wazuh_provider/custom-keep.py?raw=true
wget -O custom-keep https://github.com/keephq/keep/blob/main/keep/providers/wazuh_provider/custom-keep?raw=true
  1. Copy the downloaded script to the following path on the Wazuh server: /var/ossec/integrations/ and set correct permissions
cp custom-keep.py /var/ossec/integrations/custom-keep.py
cp custom-keep /var/ossec/integrations/custom-keep
chown root:wazuh custom-keep*
chmod 750 /var/ossec/integrations/custom-keep*

  1. Get the Webhook URL of Keep which is https://api.keephq.dev/alerts/event/wazuh.

  2. Get the API Key of Keep which you can generate in the Keep settings.

  3. In the config /var/ossec/etc/ossec.conf set new integration block

<integration>
    <name>custom-keep</name>
    <level>10</level>
    <hook_url>PLACE_YOUR_KEEP_WEBHOOK_URL_HERE</hook_url>
    <api_key>PLACE_HERE_YOUR_API_KEY</api_key>
    <alert_format>json</alert_format>
</integration>

Please refer to the Wazuh Documentation for more information and set the level you are interested in. 7. Restart the wazuh-manager

$ systemctl restart wazuh-manager