Wazuh - Open Source XDR. Observed Responded

Start handling and tagging Wazuh alerts with an Observed or Responded status to enable centralized monitoring and threat response.

"status": "Observed" and "status": "Responded"

XDR collects and correlates telemetry from endpoints, networks and cloud workloads so that detection and response happen in one place. This handler builds on Wazuh's alert stream and tags each high-severity alert as “Observed” (the alert was recorded and nothing acted on it) or “Responded” (an Active Response such as firewall-drop was triggered by it).

  • If rule level ≥ 12 → "status": "Observed"
  • If an Active Response alert arrives and the alert that triggered it has rule level ≥ 12 → "status": "Responded"
  • Otherwise (rule level < 12) → Ignored

Only alerts at level 12 or above reach Discord (on Wazuh's 0 to 15 scale, 12 and up are the high-severity levels), which keeps the channel free of low-level noise. The Active Response alert itself carries a low level of its own, which is why the handler inspects the nested triggering alert rather than the response alert's level.

Requirements (xdr-handler):

  • Wazuh manager installed (the handler reads the manager's alerts.json, so it runs on the manager host)
  • Active Response (firewall-drop) enabled
  • Discord account with permission to create a webhook on the target server
  • Linux server (Ubuntu/Debian)
  • Non-root user (1337rokudenashi throughout) that can read the log source; alerts.json is owned by wazuh:wazuh and is not world-readable by default, so the user needs membership in the wazuh group
  • jq installed
  • notify (ProjectDiscovery) installed (under /home/1337rokudenashi/go/bin in the commands below)
  • Log source: /var/ossec/logs/alerts/alerts.json

Discord account:

Navigate to your Discord server settings, open Integrations, then Webhooks, and create a dedicated webhook for security monitoring. Copy the generated Webhook URL; notify will use it to post the "status": "Observed" and "status": "Responded" events to the channel. Treat the URL as a credential: anyone who obtains it can post arbitrary messages to that channel, so it should live only in the provider configuration file and nowhere else.

Workspace directory (Notify):

mkdir -p /home/1337rokudenashi/.config/notify

Provider configuration (notify's Discord provider reads the URL from the discord_webhook_url key; the file holds a credential, so keep it readable only by its owner):

cat << 'EOF' > /home/1337rokudenashi/.config/notify/provider-config.yaml
discord:
  - id: xdr-handler
    discord_webhook_url: https://discord.com/api/webhooks/XXXX/YYYY
EOF

Notify test message:

echo "Wazuh - Open Source XDR test message." | /home/1337rokudenashi/go/bin/notify -provider discord -id xdr-handler

If the message appears in Discord, the integration is functioning correctly.

Workspace directory (xdr-handler):

mkdir -p /home/1337rokudenashi/xdr

Processing logic:

cat << 'EOF' > /home/1337rokudenashi/xdr/xdr-handler
#!/usr/bin/env bash
# xdr-handler: follow alerts.json, keep only level >= 12 events, tag them as
# Observed (alert only) or Responded (Active Response fired) and push them to Discord.
set -euo pipefail

tail=/usr/bin/tail
jq=/usr/bin/jq
notify=/home/1337rokudenashi/go/bin/notify
alerts=/var/ossec/logs/alerts/alerts.json

# Wait until the manager has created the file and this user is allowed to read it.
while [ ! -r "$alerts" ]; do
  sleep 2
done

# -n 0: start at the end of the file so a service restart does not replay (and
# re-send) the last ten alerts. -F keeps following across log rotation.
"$tail" -n 0 -F "$alerts" | while IFS= read -r line; do
  payload="$(
    "$jq" -c '
      if (.rule.level | tonumber) >= 12 then
        {
          status: "Observed",
          time: .timestamp,
          level: (.rule.level | tonumber),
          rule: .rule.id,
          desc: .rule.description,
          agent: .agent.name,
          srcip: .data.srcip
        }
      elif (
        any(.rule.groups[]?; . == "active_response")
        and ((.data.parameters.alert.rule.level | tonumber) >= 12)
      ) then
        {
          status: "Responded",
          time: .timestamp,
          level: (.data.parameters.alert.rule.level | tonumber),
          rule: .data.parameters.alert.rule.id,
          desc: .data.parameters.alert.rule.description,
          agent: .agent.name,
          srcip: .data.parameters.alert.data.srcip,
          action: .rule.description
        }
      else empty end
    ' <<<"$line" || true   # a partial or non-JSON line simply yields no payload
  )"

  if [[ -n "$payload" ]]; then
    # A transient Discord failure must not kill the service (set -e); log it instead.
    echo "$payload" | "$notify" -provider discord -id xdr-handler -silent \
      || echo "xdr-handler: notify failed for payload: $payload" >&2
  fi
done
EOF
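The same three-way decision, as an added example in Python rather than the post's own jq filter, so the rules can be checked offline without a running manager. The field layout (rule.level, rule.groups, and the triggering alert nested under data.parameters.alert) is taken from the jq filter above; the sample lines are constructed for this example and are not real Wazuh output. It also covers two cases the jq version handles implicitly: a partial line handed over during log rotation, and an active_response alert whose nested alert is below the threshold.

```python
import json

LEVEL_THRESHOLD = 12  # the same cut-off the jq filter uses


def _level(value):
    """Return a rule level as int, or None when it is absent or not numeric."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def classify(line):
    """Map one alerts.json line to an Observed/Responded payload, or None to drop it.

    Branch order mirrors the jq filter: a plain alert at level >= 12 is Observed;
    an active_response alert whose nested triggering alert is level >= 12 is
    Responded; anything else, including a partial or non-JSON line, is ignored.
    """
    try:
        alert = json.loads(line)
    except json.JSONDecodeError:
        return None  # tail can hand over a half-written line during rotation
    if not isinstance(alert, dict):
        return None

    rule = alert.get("rule") or {}
    data = alert.get("data") or {}
    agent = (alert.get("agent") or {}).get("name")

    level = _level(rule.get("level"))
    if level is not None and level >= LEVEL_THRESHOLD:
        return {
            "status": "Observed",
            "time": alert.get("timestamp"),
            "level": level,
            "rule": rule.get("id"),
            "desc": rule.get("description"),
            "agent": agent,
            "srcip": data.get("srcip"),
        }

    # The Active Response alert has a low level of its own; the alert that
    # triggered the response is nested under data.parameters.alert.
    if "active_response" in (rule.get("groups") or []):
        inner = (data.get("parameters") or {}).get("alert") or {}
        inner_rule = inner.get("rule") or {}
        inner_level = _level(inner_rule.get("level"))
        if inner_level is not None and inner_level >= LEVEL_THRESHOLD:
            return {
                "status": "Responded",
                "time": alert.get("timestamp"),
                "level": inner_level,
                "rule": inner_rule.get("id"),
                "desc": inner_rule.get("description"),
                "agent": agent,
                "srcip": (inner.get("data") or {}).get("srcip"),
                "action": rule.get("description"),
            }
    return None


def process(lines):
    """Classify every line and keep only the payloads that would be sent."""
    return [p for p in (classify(l) for l in lines) if p is not None]


# Constructed sample lines, not real manager output: a level-12 alert, the
# firewall-drop Active Response alert it triggered, a level-5 alert, and a
# line cut off mid-write.
SAMPLE_LINES = [
    json.dumps({
        "timestamp": "2025-10-31T10:00:00.000+0000",
        "rule": {"level": 12, "id": "100100", "description": "Constructed: SSH brute force", "groups": ["custom"]},
        "agent": {"name": "web-01"},
        "data": {"srcip": "203.0.113.7"},
    }),
    json.dumps({
        "timestamp": "2025-10-31T10:00:01.000+0000",
        "rule": {"level": 3, "id": "651", "description": "Host Blocked by firewall-drop Active Response",
                 "groups": ["ossec", "active_response"]},
        "agent": {"name": "web-01"},
        "data": {"parameters": {"alert": {
            "rule": {"level": 12, "id": "100100", "description": "Constructed: SSH brute force"},
            "data": {"srcip": "203.0.113.7"},
        }}},
    }),
    json.dumps({
        "timestamp": "2025-10-31T10:00:02.000+0000",
        "rule": {"level": 5, "id": "5710", "description": "Constructed: login attempt for non-existent user", "groups": ["sshd"]},
        "agent": {"name": "web-01"},
        "data": {"srcip": "198.51.100.9"},
    }),
    '{"timestamp": "2025-10-31T10:00:03.000+0000", "rule": {"level": 14',
]

if __name__ == "__main__":
    for payload in process(SAMPLE_LINES):
        print(json.dumps(payload))
```

Running it prints two payloads, one Observed and one Responded, for the same source address; the level-5 alert and the truncated line produce nothing, which is exactly what the shell handler should do with them.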

Ownership and permissions:

sudo chown 1337rokudenashi:1337rokudenashi /home/1337rokudenashi/xdr/xdr-handler
sudo chmod +x /home/1337rokudenashi/xdr/xdr-handler

The script is now owned by the service user, but that user must also be able to read /var/ossec/logs/alerts/alerts.json. Wazuh creates it owned by wazuh:wazuh and not world-readable, so without the wazuh group the handler sits in its wait loop forever and nothing reaches Discord. Grant the group either by adding the user to it or through the service unit.

Configure systemd (SupplementaryGroups gives the handler read access to alerts.json without running it as root; the remaining added directives are basic hardening for a process that only reads one log and makes outbound HTTPS calls):

sudo tee /etc/systemd/system/xdr-handler.service > /dev/null << 'EOF'
[Unit]
Description=Wazuh - Open Source XDR. Observed Responded
After=network.target wazuh-manager.service

[Service]
Type=simple
User=1337rokudenashi
# alerts.json is wazuh:wazuh and not world-readable; the group grants read access.
SupplementaryGroups=wazuh
ExecStart=/home/1337rokudenashi/xdr/xdr-handler
Restart=always
RestartSec=5
# Hardening: no privilege escalation, private /tmp, read-only /usr /boot /etc.
NoNewPrivileges=yes
PrivateTmp=yes
ProtectSystem=full

[Install]
WantedBy=multi-user.target
EOF

Enable and start the service:

sudo systemctl daemon-reload
sudo systemctl enable xdr-handler
sudo systemctl start xdr-handler

Review service status:

systemctl status xdr-handler

The unit's stderr (jq parse errors, notify failures) goes to the journal, so that is the place to look when Discord stays quiet. Once the service is active, every alert at level 12 or above is delivered as a JSON payload whose "status" field distinguishes “Observed” events from “Responded” ones.


https://1337rokudenashi.github.io/9b8c7d6e-5f4a-4b3c-9d2e-1f0a2b3c4d5e/
Author: 1337rokudenashi
Posted on: October 31, 2025