
How to create an alerting in Open Distro that warns about the event increase in Wazuh?

For example, over 4000 events per day should have an email notification.

If you are using Open Distro, where no CCS is being used, and want to create an email notification for over 4000 events in a day, find below the high-level steps:

  1. Click on Alerting in the left menu.
  2. Click on the Destinations tab and Add destination; this will be an Email destination. Enter a valid email and the SMTP configuration under Manage Senders, then select it under Sender and add a recipient email under Recipients.
  3. Create a Monitor: under Method of definition select Define using visual graph; under Index enter wazuh-alerts* (this selects all events that you visualize under Wazuh > Modules > Security Events); under Time field select @timestamp. Leave WHEN Count(), OVER all documents and WHERE all fields are included at their defaults, and in the option FOR THE LAST … select the last 24 hours. Finally, under Monitor Schedule select the frequency Daily and the time when you want this to run; alternatively, select By interval and run it Every 1 Days. Click on Create.
  4. With the Monitor created you will have to create a trigger; in Trigger condition enter IS ABOVE 4,000. Under Configure actions select the Destination created in step 2, then the Message subject you would like the recipient to receive; you can leave the Message at its default (it uses Mustache if you would like to edit it). You can send a test message to check that the Destination and SMTP are configured correctly. Click on Create.
  5. The last step is to enable your monitor in case it was not enabled when created: select it from the Monitors tab and click on Actions > Enable.

I hope you are able to configure it, let me know!
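The same monitor, as an added example that is not part of the original answer, expressed as the JSON body the Open Distro Alerting REST API accepts in place of the visual-graph settings, together with a check of the trigger logic on constructed search responses. The destination id, monitor and action names are placeholders, and `track_total_hits` is an addition so the count stays exact above the 10,000-hit ceiling.

```python
import json

# Constructed equivalent of the answer's visual-graph monitor: index wazuh-alerts*,
# Count() over all documents for the last 24 hours, trigger above 4000, run daily.
THRESHOLD = 4000

def build_monitor(destination_id: str, threshold: int = THRESHOLD) -> dict:
    """Body for POST _opendistro/_alerting/monitors (destination_id is a placeholder)."""
    return {
        "type": "monitor",
        "name": "wazuh-daily-event-volume",
        "enabled": True,
        # once a day; a "cron" schedule can pin it to a fixed time instead
        "schedule": {"period": {"interval": 1, "unit": "DAYS"}},
        "inputs": [{"search": {
            "indices": ["wazuh-alerts*"],
            "query": {
                "size": 0,
                "track_total_hits": True,  # exact count even above the 10,000 hit ceiling
                "query": {"range": {"@timestamp": {"gte": "now-24h", "lte": "now"}}},
            },
        }}],
        "triggers": [{
            "name": f"more-than-{threshold}-events",
            "severity": "1",
            # Painless comparison equivalent to the UI's IS ABOVE 4,000 condition
            "condition": {"script": {"source": f"ctx.results[0].hits.total.value > {threshold}",
                                     "lang": "painless"}},
            "actions": [{
                "name": "email-soc",
                "destination_id": destination_id,
                "subject_template": {"source": "Wazuh: event volume above threshold", "lang": "mustache"},
                "message_template": {"source": "Monitor {{ctx.monitor.name}} counted "
                                               "{{ctx.results.0.hits.total.value}} events in 24h.",
                                     "lang": "mustache"},
            }],
        }],
    }

def trigger_fires(search_response: dict, threshold: int = THRESHOLD) -> bool:
    """Evaluate the trigger the way the Painless condition does (strictly above)."""
    return search_response["hits"]["total"]["value"] > threshold

# Constructed search responses standing in for ctx.results[0]
BUSY_DAY = {"hits": {"total": {"value": 4321, "relation": "eq"}, "hits": []}}
QUIET_DAY = {"hits": {"total": {"value": 987, "relation": "eq"}, "hits": []}}

if __name__ == "__main__":
    print(json.dumps(build_monitor("DESTINATION_ID_PLACEHOLDER"), indent=2))
    print(trigger_fires(BUSY_DAY), trigger_fires(QUIET_DAY))
```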
