Mobile Alerting for Wazuh

Respond faster and from anywhere to critical incidents


Mobile Alerts

Adds real-time alert notifications by push, text and voice calls to your Wazuh

Scheduling

Integrated on-call duty and shift scheduling allows for automated routing of ticket alerts to the right people at the right time

Mobile App

User-friendly mobile app for Android and iPhone provides incident management on-the-go

Easy Integration

Integrates with a few mouse-clicks into Wazuh


Why SIGNL4

Wazuh is an open-source security platform offering unified XDR and SIEM protection for endpoints and cloud workloads. It is used to collect, aggregate, index and analyze security data, helping organizations detect intrusions, threats and behavioral anomalies.

SIGNL4 adds app-based alerting and incident response. This includes alerts by app push, text and voice call, and staged escalations when needed. The integration of Wazuh and SIGNL4 introduces an advanced duty scheduling system, ensuring that on-call responsibilities are efficiently allocated and allowing you to see who is on duty at any given time.

How it Works

Wazuh uses webhooks to submit alert information to SIGNL4. You configure it by entering your SIGNL4 webhook URL, which includes your team secret or integration secret. Specifically, the integration helps you with the following.

Benefits and Value-Add

  • Forwards Wazuh events to SIGNL4 for mobile alerting
  • Reliable and persistent alerting via mobile push, text and voice calls
  • Uses Webhook to connect to your SIGNL4 team
  • Targeted mobile notifications with response tracking and automated escalations
  • Communicate within an alert to address a particular problem
  • Real-time cross-team transparency on alert status and ownership on mobile devices
  • Mobile app for Android and iPhone to conveniently manage alerts from anywhere
  • Enrich alerts by adding documents, images, videos etc.
  • Categories with customizable colors, text and icons for rapid and effortless context comprehension
  • On-call scheduling to alert the right people at the right time

Scenarios

  • 24×7 SecOps with on-call staff
  • Critical SecOps Alerting
  • Customer service hotline
  • Anywhere critical incident response
  • On-call scheduling of IT / network teams

Integration Type

  • Alerts in Wazuh are sent to SIGNL4 via HTTP request
  • Event categorization, routing and automated delivery based on availability, duty schedules, etc.
  • Persistent notifications by push, text and voice call with tracking, escalation and confirmation to staff on duty
  • Close alerts in SIGNL4 automatically when the issue is marked as OK again in Wazuh

Ready for a free 30-day trial?

Integration with Wazuh

In the Wazuh web portal, log in as an admin to configure SIGNL4 alerting.


Under Notifications, create a new channel of the type Custom webhook. The Webhook URL is your SIGNL4 webhook URL, including your team or integration secret:

https://connect.signl4.com/webhook/{team-secret}

Here, {team-secret} is your SIGNL4 team secret.

Set the Content-Type header to application/json.

You can also send a test alert here.


Under Alerting -> Monitors, create a new monitor that fires when you would like to send an alert, and configure its Trigger accordingly.

The Action triggers the SIGNL4 alert. Select the SIGNL4 notification channel that you created in the previous step. The message is in JSON format and might look as follows.

{
  "AlertMonitor": "{{ctx.monitor.name}} just entered alert status. Please investigate the issue.",
  "Trigger": "{{ctx.trigger.name}}",
  "Severity": "{{ctx.trigger.severity}}",
  "PeriodStart": "{{ctx.periodStart}}",
  "PeriodEnd": "{{ctx.periodEnd}}",
  "X-S4-SourceSystem": "Wazuh",
  "X-S4-ExternalID": "Wazuh: {{ctx.trigger.name}}",
  "X-S4-Status": "new"
}

You can also close alerts automatically when the status in Wazuh is OK again. In this case you specify a Trigger for the OK condition, and the message in the SIGNL4 action might look like this.

{
  "X-S4-ExternalID": "Wazuh: {{ctx.trigger.name}}",
  "X-S4-Status": "resolved"
}

The value of X-S4-ExternalID must be the same as for the previously opened alert; SIGNL4 uses it to match the "resolved" message to the open alert.
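The open/resolve pairing described above, as an added example that is not part of the original page or of the SIGNL4 or Wazuh products: it renders the two action templates from a constructed monitor context, checks that the X-S4-ExternalID values line up, and posts the result with the Content-Type header the channel requires. The placeholder renderer is a simplified stand-in for the Mustache templating the Alerting plugin actually uses, the SAMPLE_CTX values are constructed, and the redaction helper is an assumption about how you would log the webhook URL without exposing the embedded team secret.

```python
import json
import re
import urllib.request

# Constructed sample of the monitor context (ctx) that the Action template sees.
# Field names follow the page's template variables; the values are made up.
SAMPLE_CTX = {
    "monitor": {"name": "SSH brute force"},
    "trigger": {"name": "ssh-bruteforce-high", "severity": "1"},
    "periodStart": "2024-01-01T00:00:00Z",
    "periodEnd": "2024-01-01T00:01:00Z",
}

# The two action messages from the page, kept as templates.
OPEN_TEMPLATE = {
    "AlertMonitor": "{{ctx.monitor.name}} just entered alert status. Please investigate the issue.",
    "Trigger": "{{ctx.trigger.name}}",
    "Severity": "{{ctx.trigger.severity}}",
    "PeriodStart": "{{ctx.periodStart}}",
    "PeriodEnd": "{{ctx.periodEnd}}",
    "X-S4-SourceSystem": "Wazuh",
    "X-S4-ExternalID": "Wazuh: {{ctx.trigger.name}}",
    "X-S4-Status": "new",
}
RESOLVE_TEMPLATE = {
    "X-S4-ExternalID": "Wazuh: {{ctx.trigger.name}}",
    "X-S4-Status": "resolved",
}

_PLACEHOLDER = re.compile(r"\{\{\s*ctx\.([A-Za-z0-9_.]+)\s*\}\}")


def render(template: str, ctx: dict) -> str:
    """Substitute {{ctx.a.b}} placeholders by walking the ctx dict.

    Simplified stand-in (assumption) for the plugin's Mustache rendering.
    """
    def lookup(match: re.Match) -> str:
        value = ctx
        for part in match.group(1).split("."):
            value = value[part]
        return str(value)
    return _PLACEHOLDER.sub(lookup, template)


def build_payload(template: dict, ctx: dict) -> dict:
    """Render every field of an action template into the JSON body to send."""
    return {key: render(value, ctx) for key, value in template.items()}


def pair_is_consistent(open_payload: dict, resolve_payload: dict) -> bool:
    """A resolve message only closes the alert if its ExternalID matches the open one."""
    return (
        open_payload["X-S4-ExternalID"] == resolve_payload["X-S4-ExternalID"]
        and open_payload["X-S4-Status"] == "new"
        and resolve_payload["X-S4-Status"] == "resolved"
    )


def redact_webhook_url(url: str) -> str:
    """Mask the last path segment so the team secret never lands in logs (assumed helper)."""
    base, _, _secret = url.rpartition("/")
    return base + "/***"


def send(webhook_url: str, payload: dict, opener=urllib.request.urlopen) -> int:
    """POST the rendered payload as application/json; returns the HTTP status."""
    request = urllib.request.Request(
        webhook_url,
        data=json.dumps(payload).encode("utf-8"),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with opener(request, timeout=10) as response:
        return response.status


if __name__ == "__main__":
    # Placeholder URL: replace {team-secret} with your own SIGNL4 secret.
    webhook = "https://connect.signl4.com/webhook/{team-secret}"
    opened = build_payload(OPEN_TEMPLATE, SAMPLE_CTX)
    resolved = build_payload(RESOLVE_TEMPLATE, SAMPLE_CTX)
    print("posting to", redact_webhook_url(webhook))
    print(json.dumps(opened, indent=2))
    print("pair consistent:", pair_is_consistent(opened, resolved))
```

Note that the ExternalID is derived from the trigger name only, so one trigger maps to one open alert at a time; if you need separate SIGNL4 alerts per host or per rule, include that field in X-S4-ExternalID in both templates.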


An incoming alert will look like this.

Tips & Tricks


Alert Optimization

SIGNL4 can further increase the visibility of alerts through its Signals and Services categories. Augmenting the color and icon of alerts provides more relevant information at a glance without having to open the alert. You can also augment alerts with maps, or change the subject or message to more comprehensible content.

Alert categories in SIGNL4 also allow you to group alerts and even to route those ticket notifications to your staff based on skills or other criteria. The screenshots show how overrides of text, colors and titles are triggered by keywords set within the mobile app.


Duty Scheduling

SIGNL4’s duty scheduling feature streamlines Wazuh alert management by directing notifications to on-call staff. By pre-defining shifts and on-call schedules, Wazuh alerts are routed to available and relevant team members, reducing response times. This eliminates the chaos of alert floods during off-hours and ensures that critical incidents get immediate attention.

With SIGNL4, on-call scheduling is done with just a few mouse clicks and in no time at all. Instead of Excel spreadsheets, planning is done conveniently and transparently in the web browser. It offers a "Who is on duty" dashboard with real-time, digital information. It facilitates shift handovers with mobile reminders, automated punch-ins/outs and handover assistants. Additionally, it provides post-shift email reports, audit trails and downloadable duty records. Read more about On-call Management here.

Related Integrations

  • FortiMonitor (formerly Panopta): SecOps
  • Kaseya BMS: IT Ops / SecOps
  • LogRhythm: SecOps
  • Microsoft Sentinel: SecOps
  • N-able: IT Ops / SecOps
  • NetApp Cloud Insights: IT Ops / SecOps
  • Netwrix: SecOps
  • NinjaOne: IT Ops / SecOps
  • Shuffle: SecOps
  • SolarWinds NPM: IT Ops / SecOps
  • Sophos: SecOps
  • Splunk: SecOps
  • Sumo Logic: IT Ops / SecOps
  • TheHive: SecOps
  • Wazuh: SecOps