Alerting

The Wazuh Indexer Alerting plugin monitors data stored in the Wazuh Indexer, evaluates user-defined trigger conditions on a schedule, and executes actions when those conditions are met. Actions typically deliver notifications through the Notifications plugin (Slack, email, webhooks, etc.) but can also drive Wazuh-specific workflows such as Active Response.

The plugin is a fork of the OpenSearch Alerting plugin adapted for Wazuh.

Key Capabilities

  • Multiple monitor types: Query-level, bucket-level, document-level, and the Wazuh-specific Active Response monitor. See Architecture for details.
  • Flexible triggers: Define conditions using the full OpenSearch query DSL, aggregation results, or per-document matching with percolate queries.
  • Notification actions: When a trigger fires, send alerts through any channel configured in the Notifications plugin — Slack, Microsoft Teams, email, custom webhooks, PagerDuty, and more.
  • Workflows: Chain multiple monitors into composite workflows for complex detection scenarios.
  • Alert lifecycle management: Track alerts through Active, Acknowledged, Completed, and Error states. Add comments to alerts for collaboration.
  • RBAC integration: Access to monitors, alerts, and destinations is governed by the Security plugin with backend-role–based filtering.
  • Cross-cluster monitoring: Monitor indices on remote clusters connected via cross-cluster search.
  • REST API: Full programmatic control over monitors, workflows, alerts, findings, and comments. See API Reference.
  • Dashboard UI: Create, manage, and monitor alerts through the Wazuh Dashboard interface.

Limits

  • Maximum monitors: Users can create up to 10 custom monitors. This limit applies to all monitor types.

Wazuh Integration Points

Security Analytics

The Security Analytics plugin uses alerting monitors to evaluate incoming events against Sigma detection rules. When an event matches a rule, Security Analytics creates a finding and can trigger an alert. The alerting monitor drives the detection loop — periodically querying new events and running them through the configured detectors.

Notifications

Alerting actions route through the Notifications plugin for message delivery. When a trigger fires, the alerting plugin calls the Notifications plugin via its internal transport interface to send messages to configured channels. This means any destination supported by Notifications (Slack, Teams, email, webhooks, SNS) is available as an alerting action target.

Active Response

The Alerting plugin includes a Wazuh-specific Active Response monitor type that extends document-level monitoring for automated response workflows. This monitor type has specific constraints:

  • Indices: Must target indices matching the wazuh-findings-v5-* prefix.
  • Schedule: Maximum interval of 1 minute (60,000 ms).
  • Triggers: Only DocumentLevelTrigger is supported.

When an Active Response monitor triggers, it writes execution requests to the wazuh-active-responses data stream. The Wazuh Manager retrieves documents from this data stream to distribute and execute Active Response actions on agents. Each document references the source event that triggered the response.
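As an added example (not code from the Wazuh Indexer Alerting plugin itself), the following Python pre-flight validator checks a candidate monitor body against the three Active Response constraints listed above and against the 10-monitor limit from the Limits section, so a malformed definition is caught before it is submitted to the REST API. The JSON field names it reads (`schedule.period`, `inputs[].doc_level_input.indices`, `triggers[].document_level_trigger`) are assumed from the OpenSearch document-level monitor layout; the Wazuh-specific `monitor_type` value is not given on this page and is therefore not checked. The two sample monitor bodies are constructed for the example.

```python
"""Pre-flight validation of an Active Response monitor definition.

Added example, not part of the Wazuh Indexer Alerting plugin. Field names
follow the OpenSearch document-level monitor JSON layout (assumption); the
constraints checked are the ones documented for the Active Response monitor
type: index prefix, schedule interval, trigger type, plus the monitor limit.
"""
from typing import Optional

REQUIRED_INDEX_PREFIX = "wazuh-findings-v5-"   # indices must match wazuh-findings-v5-*
MAX_INTERVAL_MS = 60_000                       # schedule interval of at most 1 minute
MAX_CUSTOM_MONITORS = 10                       # per-user monitor limit

# OpenSearch period-schedule units mapped to milliseconds
_UNIT_MS = {
    "MILLIS": 1,
    "SECONDS": 1_000,
    "MINUTES": 60_000,
    "HOURS": 3_600_000,
    "DAYS": 86_400_000,
}


def schedule_interval_ms(schedule: dict) -> Optional[int]:
    """Return the period interval in ms, or None for cron or unknown schedules."""
    period = schedule.get("period")
    if not period:
        return None
    unit = str(period.get("unit", "")).upper()
    if unit not in _UNIT_MS:
        return None
    return int(period["interval"]) * _UNIT_MS[unit]


def validate_active_response_monitor(monitor: dict, existing_custom_monitors: int = 0) -> list:
    """Return a list of constraint violations; an empty list means the body passes."""
    problems = []

    # Limit: a user may hold at most 10 custom monitors of any type.
    if existing_custom_monitors >= MAX_CUSTOM_MONITORS:
        problems.append(
            f"monitor limit reached ({existing_custom_monitors}/{MAX_CUSTOM_MONITORS})"
        )

    # Indices: every targeted index must match the wazuh-findings-v5-* prefix.
    indices = []
    for inp in monitor.get("inputs", []):
        indices.extend(inp.get("doc_level_input", {}).get("indices", []))
    if not indices:
        problems.append("no indices configured")
    for idx in indices:
        if not idx.startswith(REQUIRED_INDEX_PREFIX):
            problems.append(f"index {idx!r} does not match {REQUIRED_INDEX_PREFIX}*")

    # Schedule: the period must resolve to at most 60,000 ms.
    ms = schedule_interval_ms(monitor.get("schedule", {}))
    if ms is None:
        problems.append("schedule must be a period schedule with a known unit")
    elif ms > MAX_INTERVAL_MS:
        problems.append(f"schedule interval {ms} ms exceeds {MAX_INTERVAL_MS} ms")

    # Triggers: only DocumentLevelTrigger is supported.
    triggers = monitor.get("triggers", [])
    if not triggers:
        problems.append("no triggers configured")
    for trig in triggers:
        if "document_level_trigger" not in trig:
            problems.append(f"unsupported trigger type(s): {sorted(trig)}")

    return problems


# Constructed sample bodies (not taken from a real deployment).
SAMPLE_GOOD = {
    "name": "ar-block-brute-force",
    "schedule": {"period": {"interval": 1, "unit": "MINUTES"}},
    "inputs": [{"doc_level_input": {"indices": ["wazuh-findings-v5-*"], "queries": []}}],
    "triggers": [{"document_level_trigger": {"name": "any-finding", "severity": "1"}}],
}

SAMPLE_BAD = {
    "name": "ar-misconfigured",
    "schedule": {"period": {"interval": 5, "unit": "MINUTES"}},
    "inputs": [{"doc_level_input": {"indices": ["wazuh-alerts-*"], "queries": []}}],
    "triggers": [{"query_level_trigger": {"name": "wrong-kind", "severity": "1"}}],
}


if __name__ == "__main__":
    for body in (SAMPLE_GOOD, SAMPLE_BAD):
        issues = validate_active_response_monitor(body, existing_custom_monitors=10)
        print(body["name"], "->", issues or "OK")
```

Run the validator against a monitor body before calling the create-monitor endpoint; the returned list is empty for a conforming definition and otherwise names each violated constraint, which is more useful than a generic rejection from the API.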

Default Monitors

On first startup, a sample alerting monitor is created alongside the default notification channels. This monitor serves as a template that users can customize and enable. Review it under Alerting > Monitors in the Wazuh Dashboard before enabling alerts.

Dependencies

Dependency                    Purpose
----------------------------  -----------------------------------------------------------
Notifications plugin          Delivers alert notifications to configured channels
Security plugin               Enforces RBAC on monitors, alerts, and destinations
Job Scheduler plugin          Schedules and executes monitors at configured intervals
wazuh-indexer-common-utils    Shared utility functions and common components

Further Reading

For the full upstream API reference, advanced configuration, and Dashboard usage guides, see the OpenSearch Alerting documentation.