Wazuh Correlation Rule Alerts via Webhook

Send Wazuh correlation rule alerts to Radiant Security via HTTPS webhook.

In this guide, you will configure Wazuh Manager to forward correlation rule alerts to Radiant Security using webhook integration. This enables automated detection and response for multi-stage security events identified by Wazuh's correlation engine.

Prerequisites

Add the data connector in Radiant Security

  1. From the navigation menu, click Settings > Data Connectors and click + Add Connector.

  2. Search for and select the Custom Alerts Webhook option and then click Data Feeds, then click Credentials.

  3. Under Credential Name, give the credential an identifiable name (e.g. Wazuh Correlation Alerts).

  4. In the Connector tag field, enter a random value. This value will act as the salt to randomize the unique Token you'll see in the next step.

  5. Click Add Connector.

  6. Back on the Data Connectors page, click View Details on the connector that was just created.

  7. Under Vendor Configuration, copy and save the Webhook URL and Token. You'll use these values in the upcoming section.

Configure Wazuh Manager to forward correlation alerts

  1. SSH into your Wazuh Manager server.

  2. Create a custom integration script:

  3. Paste the following script, replacing the placeholder values with your Radiant Webhook URL and Token:

  4. Save the file and set the appropriate permissions:

  5. Edit the Wazuh configuration file:

  6. Add the following integration block within the <ossec_config> section, replacing 10013 with your specific correlation rule ID(s):

Optional configurations:

  • To send multiple correlation rules, use comma-separated IDs: <rule_id>10013,10014,10015</rule_id>

  • To send all correlation rules from a specific group: <group>correlation_rules</group>

  • To filter by severity level: <level>10</level>

  7. Save the file and restart Wazuh Manager:

Important Technical Details

  • timestamp: Wazuh natively emits timestamps in ISO 8601 format, but the integration script converts them to Unix Epoch in milliseconds (e.g., 1707168000000), which is the format Radiant Security requires.

  • raw_alert: The full JSON object of the Wazuh alert is included in this field. This allows Radiant to parse any field it needs (IPs, usernames, process paths, rule details, etc.) without further configuration in Wazuh. The raw alert includes the rule description (rule.description), which states what the correlation rule is designed to detect and so improves the ability of Radiant's agent to provide accurate triage.

  • rule_name: Wazuh does not have a dedicated "rule name" field in its alert structure. Instead, this maps to Wazuh's rule.description field, which represents the specific detection logic that triggered the correlation alert (e.g., "Successful login after multiple failures", "Multiple authentication failures followed by success").
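The script step above and the three field notes in this section describe the same transformation, so here is one worked example of an integration script. It is an added illustration, not the script from the Radiant documentation: it uses only the Python standard library (urllib rather than the requests package the documentation installs), the WEBHOOK_URL and TOKEN values are placeholders to be replaced with the values copied from the connector's Vendor Configuration, and the Authorization header format (rs_token followed by the token) is taken from the curl test in the Troubleshooting section. It assumes Wazuh's integratord invokes it as /var/ossec/integrations/custom-radiant with the alert file path as the first argument, followed by the api_key and hook_url from the integration block, which is the standard contract for custom-* integration scripts.

```python
#!/usr/bin/env python3
"""Forward one Wazuh correlation alert to a Radiant Security webhook.

Added example, not Radiant's documented script. Wazuh integratord runs
custom-* scripts as:  <script> <alert_file> <api_key> <hook_url>
where <alert_file> holds a single alert as JSON (alert_format json).
"""
import json
import sys
import urllib.error
import urllib.request
from datetime import datetime, timedelta, timezone

WEBHOOK_URL = "https://<YOUR_WEBHOOK_URL>"  # placeholder, replace before use
TOKEN = "<YOUR_TOKEN>"                       # placeholder, replace before use
TIMEOUT_SECONDS = 10
_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def iso8601_to_epoch_ms(ts):
    """Convert a Wazuh ISO 8601 timestamp to Unix epoch milliseconds.

    Wazuh writes e.g. 2024-02-05T21:20:00.000+0000; offsets spelled
    +00:00 or Z are accepted too, and the offset is honoured so the
    result is always UTC-based. Integer arithmetic avoids float rounding.
    """
    for fmt in ("%Y-%m-%dT%H:%M:%S.%f%z", "%Y-%m-%dT%H:%M:%S%z"):
        try:
            parsed = datetime.strptime(ts, fmt)
            break
        except ValueError:
            continue
    else:
        raise ValueError("unrecognised Wazuh timestamp: %r" % (ts,))
    return (parsed - _EPOCH) // timedelta(milliseconds=1)


def build_payload(alert):
    """Shape the alert as described on this page: epoch-ms timestamp,
    rule_name taken from rule.description, and the whole alert as raw_alert."""
    rule = alert.get("rule", {})
    return {
        "timestamp": iso8601_to_epoch_ms(alert["timestamp"]),
        "rule_name": rule.get("description", "unknown correlation rule"),
        "raw_alert": alert,
    }


def send_alert(payload, url=WEBHOOK_URL, token=TOKEN,
               opener=urllib.request.urlopen):
    """POST the payload and return the HTTP status code.

    `opener` is injectable so the function can be exercised offline;
    in production it is urllib.request.urlopen, which raises URLError
    (or its HTTPError subclass) on connection failures and 4xx/5xx replies.
    """
    body = json.dumps(payload).encode("utf-8")
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": "rs_token " + token},
    )
    with opener(req, timeout=TIMEOUT_SECONDS) as resp:
        return resp.status


# Constructed sample shaped like a record from /var/ossec/logs/alerts/alerts.json
SAMPLE_ALERT = {
    "timestamp": "2024-02-05T21:20:00.000+0000",
    "rule": {"id": "10013", "level": 10,
             "description": "Successful login after multiple failures",
             "groups": ["correlation_rules"]},
    "agent": {"id": "001", "name": "web-01"},
    "data": {"srcip": "203.0.113.7", "dstuser": "alice"},
}


def main(argv):
    alert_file = argv[1]
    # Prefer the api_key / hook_url Wazuh passes from the <integration>
    # block; fall back to the constants at the top of this file.
    token = argv[2] if len(argv) > 2 and argv[2] else TOKEN
    url = argv[3] if len(argv) > 3 and argv[3] else WEBHOOK_URL
    with open(alert_file) as fh:
        alert = json.loads(fh.read())
    try:
        status = send_alert(build_payload(alert), url, token)
    except urllib.error.URLError as exc:
        # stderr is captured by integratord and surfaces in ossec.log
        print("radiant webhook delivery failed: %s" % exc, file=sys.stderr)
        return 1
    print("radiant webhook accepted alert, HTTP %d" % status)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

To test it by hand on the manager, write SAMPLE_ALERT to a file with json.dump and run the script with that path as its only argument; a non-zero exit and a message on stderr indicate the webhook or token is wrong, which is the same failure the Troubleshooting section's curl check exposes.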

Verify the integration

  1. Monitor Wazuh logs for integration errors:

  1. Trigger your correlation rule conditions to generate a test alert.

  3. Log in to Radiant Security and verify that the alerts appear in Log Management by entering this query in the search bar:

Troubleshooting

Integration not loading:

  • Check /var/ossec/logs/ossec.log for configuration errors

  • Verify XML syntax in ossec.conf

  • Ensure the webhook URL is accessible from Wazuh Manager

Alerts not reaching Radiant:

  • Verify the Token is correct

  • Test network connectivity: curl -X POST <YOUR_WEBHOOK_URL> -H "Authorization: rs_token <YOUR_TOKEN>"

  • Confirm correlation rules are triggering by checking /var/ossec/logs/alerts/alerts.json

Custom script failing:

  • Verify Python dependencies are installed: sudo pip3 install requests

  • Check script permissions are set to 750

  • Test the script manually with a sample alert file
