# Wazuh Correlation Rule Alerts via Webhook

In this guide, you will configure Wazuh Manager to forward correlation rule alerts to Radiant Security using webhook integration. This enables automated detection and response for multi-stage security events identified by Wazuh's correlation engine.

### **Prerequisites**

* [ ] Admin access to Wazuh Manager server
* [ ] Correlation rules already defined in Wazuh
* [ ] SSH access to the Wazuh Manager

### Add the data connector in Radiant Security

1. Log in to [Radiant Security](https://app.radiantsecurity.ai/).
2. From the navigation menu, click **Settings** > **Data Connectors** and click **+ Add Connector**. 
3. Search for and select the **Custom Alerts Webhook** option and then click **Data Feeds**, then click **Credentials**.
4. Under **Credential** **Name**, give the credential an identifiable name (e.g. `Wazuh Correlation Alerts`). 
5. In the **Connector** **tag** field, enter a random value. This value will act as the salt to randomize the unique **Token** you'll see in the next step.
6. Click **Add** **Connector**.
7. Back on the **Data Connectors** page, click **View Details** on the connector that was just created.
8. Under **Vendor Configuration**, copy and save the **Webhook URL** and **Token**. You'll use these values in the upcoming section.

### Configure Wazuh Manager to forward correlation alerts

1. SSH into your Wazuh Manager server.
2. Create a custom integration script:

```bash
sudo nano /var/ossec/integrations/custom-radiant
```

3. Paste the following script, replacing the placeholder values with your Radiant **Webhook URL** and **Token**:

```python
#!/usr/bin/env python3
 
import sys
import json
import requests
from requests.exceptions import RequestException
from datetime import datetime
 
try:
    # Read and parse alert
    with open(sys.argv[1]) as alert_file:
        alert_json = json.loads(alert_file.read().strip())
    
    # Convert ISO 8601 timestamp to Unix epoch SECONDS (not milliseconds)
    def convert_to_epoch_seconds(timestamp_str):
        try:
            dt = datetime.strptime(timestamp_str.replace('Z', '+00:00').split('+')[0], "%Y-%m-%dT%H:%M:%S.%f")
            return str(int(dt.timestamp()))  # Convert to string
        except:
            return str(int(datetime.now().timestamp()))
    
    original_timestamp = alert_json.get("timestamp", alert_json.get("@timestamp", ""))
    epoch_timestamp = convert_to_epoch_seconds(original_timestamp)
    
    # Build payload
    payload = {
        "alert_id": alert_json.get("id", "unknown"),
        "rule_name": alert_json.get("rule", {}).get("description", "unknown"),
        "rule_type": "correlation",
        "rule_id": str(alert_json.get("rule", {}).get("id", "unknown")),
        "timestamp": epoch_timestamp,
        "raw_alert": alert_json # Full original Wazuh alert JSON
    }
    
    # Radiant webhook configuration
    WEBHOOK_URL = "<YOUR_RADIANT_WEBHOOK_URL>"
    TOKEN = "<YOUR_RADIANT_TOKEN>"
    
    headers = {
        "Content-Type": "application/json",
        "rs_token": TOKEN  
    }
    
    response = requests.post(WEBHOOK_URL, json=payload, headers=headers, timeout=10)
    response.raise_for_status()
    sys.exit(0)
    
except Exception as e:
    sys.stderr.write(f"ERROR: {str(e)}\n")
    sys.exit(1)
```

4. Save the file and set the appropriate permissions:

```bash
sudo chmod 750 /var/ossec/integrations/custom-radiant
sudo chown root:wazuh /var/ossec/integrations/custom-radiant
```

5. Edit the Wazuh configuration file:

```bash
sudo nano /var/ossec/etc/ossec.conf
```

6. Add the following integration block within the `<ossec_config>` section, replacing `10013` with your specific correlation rule ID(s):

```xml
<integration>
  <name>custom-radiant</name>
  <hook_url>YOUR_RADIANT_WEBHOOK_URL</hook_url>
  <rule_id>10013</rule_id>
  <alert_format>json</alert_format>
</integration>
```

**Optional configurations:**

* To send multiple correlation rules, use comma-separated IDs: `<rule_id>10013,10014,10015</rule_id>`
* To send all correlation rules from a specific group: `<group>correlation_rules</group>`
* To filter by severity level: `<level>10</level>`

7. Save the file and restart Wazuh Manager:

```bash
sudo systemctl restart wazuh-manager
```

### **Important Technical Details**

* **timestamp**: Wazuh natively uses ISO 8601 format, but the integration script automatically converts it to **Unix Epoch (milliseconds)** (e.g., 1707168000000) as required by Radiant Security.
* **raw\_alert**: The full JSON object of the Wazuh alert is included in this field. This allows Radiant to parse any field it needs (IPs, usernames, process paths, rule details, etc.) without further configuration in Wazuh. The raw alert includes the rule description (`rule.description`) which provides detailed information about what the correlation rule is trying to detect, improving Radiant's agent ability to provide accurate triage.
* **rule\_name**: Wazuh does not have a dedicated "rule name" field in its alert structure. Instead, this maps to Wazuh's `rule.description` field, which represents the specific detection logic that triggered the correlation alert (e.g., "Successful login after multiple failures", "Multiple authentication failures followed by success").&#x20;

### **Verify the integration**

1. Monitor Wazuh logs for integration errors:

```bash
sudo tail -f /var/ossec/logs/ossec.log
```

2. Trigger your correlation rule conditions to generate a test alert.
3. Log in to Radiant Security and verify that alerts are appearing in the Log Management, by writing this query in the search bar:&#x20;

```powerquery
rs_connectorType:"elastic_siem_webhook"
```

### **Troubleshooting**

**Integration not loading:**

* Check `/var/ossec/logs/ossec.log` for configuration errors
* Verify XML syntax in `ossec.conf`
* Ensure the webhook URL is accessible from Wazuh Manager

**Alerts not reaching Radiant:**

* Verify the Token is correct
* Test network connectivity: `curl -X POST <YOUR_WEBHOOK_URL> -H "Authorization: rs_token <YOUR_TOKEN>"`
* Confirm correlation rules are triggering by checking `/var/ossec/logs/alerts/alerts.json`

**Custom script failing:**

* Verify Python dependencies are installed: `sudo pip3 install requests`
* Check script permissions are set to 750
* Test the script manually with a sample alert file


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://help.radiantsecurity.ai/radiant-connectors/data-connectors/wazuh-correlation-rule-alerts-via-webhook.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.