Wazuh Integration¶
Wazuh has native webhook support through its integration module. This guide covers Wazuh 4.x configuration.
Prerequisites¶
- Wazuh Manager 4.0 or later
- Root/sudo access to the Wazuh manager server
- Your Parapet Security webhook URL and token
Quick Setup¶
Step 1: Get Your Credentials¶
- Log in to app.parapetsecurity.com
- Go to Settings → Service Tokens
- Click Generate New Token
- Save both:
  - Webhook URL: `https://webhook-{region}.parapetsecurity.com/webhook/{tenant-id}`
  - Service Token: `pst_...` (shown only once)
Step 2: Create Integration Script¶
Create the custom integration script:
Paste the following script:
```python
#!/usr/bin/env python3
# Parapet Security Integration for Wazuh
# /var/ossec/integrations/parapet-security
import sys
import json
from datetime import datetime, timezone

import requests

# Wazuh's integrator daemon invokes custom scripts as:
#   <script> <alert_file> <api_key> <hook_url> [<alert_format>]
if len(sys.argv) < 4:
    sys.stderr.write("usage: alert_file api_key hook_url\n")
    sys.exit(1)

# Read the alert Wazuh wrote to a temporary file
with open(sys.argv[1]) as alert_file:
    alert_json = json.load(alert_file)

# Read configuration (api_key is passed before hook_url)
api_token = sys.argv[2]
webhook_url = sys.argv[3]

# Prepare payload
payload = {
    "source": "wazuh",
    "timestamp": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
    "alert": alert_json,
}

# Send to Parapet Security
headers = {
    "Authorization": f"Bearer {api_token}",
    "Content-Type": "application/json",
}
try:
    response = requests.post(webhook_url, headers=headers, json=payload, timeout=10)
    response.raise_for_status()
except requests.RequestException as e:
    # Report the failure without echoing the token
    sys.stderr.write(f"parapet-security: delivery failed: {e}\n")
    sys.exit(1)
sys.exit(0)
```
Set permissions:
```bash
sudo chmod 750 /var/ossec/integrations/parapet-security
sudo chown root:wazuh /var/ossec/integrations/parapet-security
```
Step 3: Configure Wazuh Manager¶
Edit the Wazuh manager configuration:
Add the integration block inside <ossec_config>:
```xml
<integration>
  <name>custom-parapet-security</name>
  <hook_url>https://webhook-us.parapetsecurity.com/webhook/YOUR-TENANT-ID</hook_url>
  <api_key>pst_YOUR_TOKEN_HERE</api_key>
  <level>7</level>
  <alert_format>json</alert_format>
</integration>
```
Replace Placeholders
- Replace `YOUR-TENANT-ID` with your actual tenant ID
- Replace `pst_YOUR_TOKEN_HERE` with your service token
- Change `webhook-us` to `webhook-eu` if you're in Europe
Step 4: Restart Wazuh Manager¶
Step 5: Verify Integration¶
Check the integration logs:
You should see successful webhook deliveries when alerts trigger.
Configuration Options¶
Alert Level Filtering¶
The <level> setting controls which alerts are forwarded:
| Level | Meaning | Recommendation |
|---|---|---|
| 3-5 | Low severity | Not recommended (too noisy) |
| 6-7 | Medium severity | Good for most environments |
| 8-10 | High severity | Conservative, may miss threats |
| 11+ | Critical only | Too restrictive |
Recommended Starting Point
Start with <level>7</level> to balance coverage with noise. Adjust based on your alert volume.
Rule-Based Filtering¶
Send only specific rule groups:
```xml
<integration>
  <name>custom-parapet-security</name>
  <hook_url>YOUR_WEBHOOK_URL</hook_url>
  <api_key>YOUR_TOKEN</api_key>
  <level>5</level>
  <group>authentication_failed,syslog,sshd</group>
  <alert_format>json</alert_format>
</integration>
```
Multiple Integrations¶
You can have different integrations for different alert types:
```xml
<!-- High-priority alerts -->
<integration>
  <name>custom-parapet-security</name>
  <hook_url>YOUR_WEBHOOK_URL</hook_url>
  <api_key>YOUR_TOKEN</api_key>
  <level>10</level>
  <alert_format>json</alert_format>
</integration>

<!-- Authentication alerts (any level) -->
<integration>
  <name>custom-parapet-security</name>
  <hook_url>YOUR_WEBHOOK_URL</hook_url>
  <api_key>YOUR_TOKEN</api_key>
  <level>3</level>
  <group>authentication_failed,authentication_success</group>
  <alert_format>json</alert_format>
</integration>
```
Testing the Integration¶
Trigger a Test Alert¶
Generate a failed SSH login to trigger an alert:
Verify in Wazuh¶
Check that Wazuh generated the alert:
Verify in Parapet Security¶
- Go to your Parapet Dashboard
- Navigate to Alerts
- You should see the SSH authentication alert
Sample Alert Payload¶
Here's what Wazuh sends to Parapet Security:
```json
{
  "source": "wazuh",
  "timestamp": "2026-01-28T15:30:00Z",
  "alert": {
    "timestamp": "2026-01-28T15:30:00.123+0000",
    "rule": {
      "level": 10,
      "description": "Multiple authentication failures.",
      "id": "5710",
      "firedtimes": 5,
      "groups": ["authentication_failed", "syslog", "sshd"]
    },
    "agent": {
      "id": "001",
      "name": "web-server-01",
      "ip": "192.168.1.100"
    },
    "manager": {
      "name": "wazuh-manager"
    },
    "data": {
      "srcip": "45.227.253.98",
      "srcport": "52341",
      "dstuser": "root"
    },
    "location": "/var/log/auth.log"
  }
}
```
Parapet Security's AI normalizes this to extract:
- Severity: High (based on rule level 10)
- Category: Authentication
- Source IP: 45.227.253.98
- Target User: root
- Affected Host: web-server-01
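The following is an added example, not part of Parapet's integration script or Wazuh itself. It mirrors the `<level>`/`<group>` filtering from the Rule-Based and Multiple Integrations sections, builds the same envelope the Step 2 script posts, and normalizes the sample payload into the fields listed above. Assumptions: the severity bands come from the Alert Level Filtering table, group matching is by exact group name, and the `Other` category is a placeholder for non-authentication alerts.

```python
from datetime import datetime, timezone

# Constructed sample, modelled on the page's example alert (values illustrative)
SAMPLE_ALERT = {
    "rule": {"level": 10, "description": "Multiple authentication failures.",
             "id": "5710", "firedtimes": 5,
             "groups": ["authentication_failed", "syslog", "sshd"]},
    "agent": {"id": "001", "name": "web-server-01", "ip": "192.168.1.100"},
    "data": {"srcip": "45.227.253.98", "srcport": "52341", "dstuser": "root"},
    "location": "/var/log/auth.log",
}

def should_forward(alert, level, groups=None):
    """Mirror an <integration> block's filter: the rule level must reach the
    <level> threshold and, if <group> is set, at least one listed group must
    appear in the alert's rule groups (exact-name matching assumed here)."""
    rule = alert.get("rule", {})
    if int(rule.get("level", 0)) < level:
        return False
    if groups:
        wanted = {g.strip() for g in groups.split(",")}
        return bool(wanted & set(rule.get("groups", [])))
    return True

def build_payload(alert):
    """Same envelope the Step 2 integration script sends to the webhook."""
    return {"source": "wazuh",
            "timestamp": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "alert": alert}

def severity_from_level(level):
    """Severity bands taken from the Alert Level Filtering table."""
    return ("Critical" if level >= 11 else "High" if level >= 8
            else "Medium" if level >= 6 else "Low")

def normalize(payload):
    """Extract the fields the page lists; missing keys degrade to None/Low."""
    alert = payload["alert"]
    rule, data, agent = alert.get("rule", {}), alert.get("data", {}), alert.get("agent", {})
    is_auth = any(g.startswith("authentication") for g in rule.get("groups", []))
    return {"severity": severity_from_level(int(rule.get("level", 0))),
            "category": "Authentication" if is_auth else "Other",  # assumed label
            "source_ip": data.get("srcip"),
            "target_user": data.get("dstuser"),
            "affected_host": agent.get("name")}
```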
Troubleshooting¶
Alerts Not Sending¶
- Check integration logs:
- Verify connectivity:
- Check Wazuh manager status:
Script Permission Errors¶
Ensure correct ownership and permissions:
```bash
sudo chown root:wazuh /var/ossec/integrations/parapet-security
sudo chmod 750 /var/ossec/integrations/parapet-security
```
Python Dependency Issues¶
Install requests library if missing:
High Volume Concerns¶
If you have high alert volumes:
- Increase the `<level>` threshold
- Use `<group>` filtering for specific alert types
- Consider upgrading to Professional or Team plan
Advanced: Native HTTP Integration (Wazuh 4.3+)¶
Wazuh 4.3+ supports native HTTP integrations without custom scripts:
```xml
<integration>
  <name>custom-http</name>
  <hook_url>https://webhook-us.parapetsecurity.com/webhook/YOUR-TENANT-ID</hook_url>
  <level>7</level>
  <alert_format>json</alert_format>
  <options>
    <header>Authorization: Bearer YOUR_TOKEN</header>
    <header>Content-Type: application/json</header>
  </options>
</integration>
```
Wazuh Version
The native HTTP integration requires Wazuh 4.3 or later. For earlier versions, use the Python script method above.
Next Steps¶
- Configure Slack notifications for real-time alerts
- Set up alert filters to focus on what matters
- Understand AI triage results