This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Lansweeper Community
- Welcome Center
- Contests and Giveaways
- Lansweeper Integration Challenge
- Lansweeper on-prem (ticketing) with SIEM Wazuh
Options
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
ruisage
Scout Sweeper II
Options
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
08-28-2024
12:28 PM
Lansweeper on-prem (ticketing) integration with SIEM Wazuh.
Labels:
0
Kudos
Comments
Knytmar3
Scout Sweeper
- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Inappropriate Content
3 weeks ago
Hi Ruisage,
A work around you could consider until a fully integration is implemented is setting up email alerts on your Wazuh server.
Prerequisites:
Wazuh Dashboard: Administrator rights
Lansweeper: Edit Configuration rights or higher
Wazuh Server (Low level trouble shooting): SUDO Administrator access
Open Lansweeper configuration, Ticket Content.
Add a Security Team or any relevant teams required to be notified, then under ticket type, Add Ticket Type, Name the ticket type (Wazuh SIEM/Security Alert) Complete the rest of the categories as seen fit for your environment.
Once Ticket type has been created set the Agent team to the designated Team which was initially created.
Further customization can be done as needed for your environment.
While within the Lansweeper configuration navigate to Email Settings, section Ticket Dispatching Add a Rule.
Name the rule accordingly, change the conditions field for From Email leave the Equal field, then insert the email address intended to be used for Wazuh Email Alert configuration.
Under the actions select Set Ticket Type: Then select the Ticket type category created for Wazuh/Security alerts
Now move to the Wazuh Dashboard, Open the menu list, go to Server Management and click on the drop down list, select settings. From the Settings configuration, select Alerts under Alerts and output management.
Go to Email Alerts tab and configure Email alert settings.
Under the General tab Define your minimum level of severity you would like the alerts to fire.
References:
Perform actions on new tickets using dispatching rules: https://community.lansweeper.com/t5/configuring-using-the-helpdesk/perform-actions-on-new-tickets-us...
Configure ticket types, states and priorities: https://community.lansweeper.com/t5/configuring-using-the-helpdesk/configure-ticket-types-states-and...
Create and add custom fields to ticket types: https://community.lansweeper.com/t5/configuring-using-the-helpdesk/create-and-add-custom-fields-to-t...
Alert management server configuration: https://documentation.wazuh.com/current/user-manual/manager/alert-management.html#generic-email-opti...
Notes:
From my experience upgrading your Wazuh environment the ossec configuration file created a new configuration file no longer allowing email alerts to be configured within the Dashboard but still able to configure from (wazuh server)/var/ossec/etc/ file ossec.conf.new
At the time of your post you would have had version 4.8/4.9 if current installed at the time of the post. Current version available 4.10
ps, version 4.10 now allows for agent upgrades within the Dashboard rather than having to update via RESTful API and PUT /agents/upgrade command
Regards,
Knytmar3
New to Lansweeper?
Try Lansweeper For Free
Experience Lansweeper with your own data. Sign up now for a 14-day free trial.
Try Now