Wazuh integration to send alerts to Keep (open-source alert management and AIOps platform) with custom environment field, as described in seamless integration between Keep and Wazuh
- Clone the Repository or just download custom scripts:
cd /var/ossec/integrations
wget -O custom-keep.py https://raw.githubusercontent.com/adampielak/wazuh-keep-integration/refs/heads/main/custom-wazuh-keep.py
wget -O custom-keep https://raw.githubusercontent.com/adampielak/wazuh-keep-integration/refs/heads/main/custom-wazuh-keep
- After cloning navigate to the integration script's directory and open it:
cd /var/ossec/integrations
vi custom-keep.py
- Modify the Script
- Adding Custom Environment Fields:
# Hardcode your environment value here
environment = "ENV"
url = "https://wazuh.siem.local"
ticket_url = "https://jira.prod.local"
- Give it the right ownership and permissions:
chmod 750 /var/ossec/integrations/custom-keep.py /var/ossec/integrations/custom-keep
chown root:wazuh /var/ossec/integrations/custom-keep.py /var/ossec/integrations/custom-keep
- Update the
ossec.confFile. Append the following configuration to the/var/ossec/etc/ossec.conffile to enable the integration with Keep:
<ossec_config>
<!-- Keep integration -->
<integration>
<name>custom-keep</name>
<hook_url>http://<KEEP_IP_ADDRESS>:8080/alerts/event</hook_url>
<api_key><KEEP_API_KEY></api_key> <!-- Replace with your Keep API key -->
<level>11</level>
<alert_format>json</alert_format>
</integration>
</ossec_config>
- Replace <KEEP_IP_ADDRESS> with the IP address of the Keep server. Ensure to include the port number if Keep is not listening on the default port 8080.
- Make sure to use the /alerts/event endpoint (not /alerts/event/wazuh), as only /alerts/event supports custom labels and full payload customization.
- Restart Wazuh Manager:
systemctl restart wazuh-manager