XDR Executed via Wazuh Status Observed or Responded

XDR collects and correlates telemetry from endpoints, networks, and cloud to deliver continuous threat response, tagging alerts as “Observed” for passive monitoring and “Responded” when active defense is triggered.

If rule level ≥ 12 → "status": "Observed"

If rule level ≥ 12 and Active Response triggered → "status": "Responded"

If rule level < 12 → Ignored

This configuration processes only high-impact security events to reduce noise and improve response focus.

Requirements

  • Wazuh XDR/SIEM installed
  • Active Response (firewall-drop) enabled
  • Linux server (Ubuntu/Debian)
  • Non-root user: 1337rokudenashi
  • jq installed
  • notify (ProjectDiscovery) installed
  • Log source: /var/ossec/logs/alerts/alerts.json

Discord Webhook Setup

Navigate to your Discord server settings, open Integrations, then Webhooks, and create a dedicated webhook for security monitoring. After creating it, copy the generated Webhook URL. This URL will be used by Notify to send "status": "Observed" and "status": "Responded" events directly to your Discord channel.

Configure Notify

Create configuration directory:

mkdir -p /home/1337rokudenashi/.config/notify

Create provider configuration:

cat << 'EOF' > /home/1337rokudenashi/.config/notify/provider-config.yaml
discord:
  - id: xdr
    # notify reads the Discord webhook from the discord_webhook_url key
    discord_webhook_url: https://discord.com/api/webhooks/XXXX/YYYY
EOF

Test notification:

echo "XDR test message." | /home/1337rokudenashi/go/bin/notify -provider discord -id xdr

If the message appears in Discord, the integration is functioning correctly.

Create XDR Directory

mkdir -p /home/1337rokudenashi/xdr

Create XDR Processing Script

cat << 'EOF' > /home/1337rokudenashi/xdr/xdr
#!/usr/bin/env bash
set -euo pipefail

tail=/usr/bin/tail
jq=/usr/bin/jq
notify=/home/1337rokudenashi/go/bin/notify

# Wait until the Wazuh manager has created the alert log.
while [ ! -f /var/ossec/logs/alerts/alerts.json ]; do
  sleep 2
done

# Follow the alert log across rotations and classify every JSON alert line.
"$tail" -F /var/ossec/logs/alerts/alerts.json | while IFS= read -r line; do
  payload="$(
    "$jq" -c '
      # Observed: any alert at or above rule level 12.
      if (.rule.level | tonumber) >= 12 then
        {
          status: "Observed",
          time: .timestamp,
          level: (.rule.level | tonumber),
          rule: .rule.id,
          desc: .rule.description,
          agent: .agent.name,
          srcip: .data.srcip
        }
      # Responded: an Active Response alert whose triggering alert was level 12 or higher.
      elif (
        any(.rule.groups[]?; . == "active_response")
        and ((.data.parameters.alert.rule.level | tonumber) >= 12)
      ) then
        {
          status: "Responded",
          time: .timestamp,
          level: (.data.parameters.alert.rule.level | tonumber),
          rule: .data.parameters.alert.rule.id,
          desc: .data.parameters.alert.rule.description,
          agent: .agent.name,
          srcip: .data.parameters.alert.data.srcip,
          action: .rule.description
        }
      else empty end
    ' <<<"$line" || true
  )"

  # Anything below level 12 (or a line jq could not parse) produces no payload and is ignored.
  if [[ -n "$payload" ]]; then
    echo "$payload" | "$notify" -provider discord -id xdr -silent
  fi
done
EOF
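To check the Observed / Responded / Ignored rules against alert lines offline before enabling the service, here is an added Python replay of the same classification the jq filter performs (example code, not part of the original post); the sample alerts, rule ids, agent name and source IP are constructed.

```python
import json

THRESHOLD = 12  # same rule-level cutoff as the jq filter in the xdr script

def classify(alert):
    """Return the notify payload for one decoded alert, or None when it is ignored."""
    rule, data = alert.get("rule", {}), alert.get("data", {})
    base = {"time": alert.get("timestamp"), "agent": alert.get("agent", {}).get("name")}
    level = int(rule.get("level", 0))
    if level >= THRESHOLD:
        return dict(base, status="Observed", level=level, rule=rule.get("id"),
                    desc=rule.get("description"), srcip=data.get("srcip"))
    if "active_response" in rule.get("groups", []):
        # Active Response alerts embed the triggering alert under data.parameters.alert
        orig = data.get("parameters", {}).get("alert", {})
        orig_rule = orig.get("rule", {})
        orig_level = int(orig_rule.get("level", 0))
        if orig_level >= THRESHOLD:
            return dict(base, status="Responded", level=orig_level, rule=orig_rule.get("id"),
                        desc=orig_rule.get("description"), srcip=orig.get("data", {}).get("srcip"),
                        action=rule.get("description"))
    return None

def replay(lines):
    """Classify alerts.json lines in order; unparsable lines are skipped, as `jq ... || true` does."""
    payloads = []
    for line in lines:
        try:
            payload = classify(json.loads(line))
        except (ValueError, TypeError, AttributeError):
            continue
        if payload is not None:
            payloads.append(payload)
    return payloads

# Constructed sample lines, not real Wazuh output: a level-12 alert, the Active Response
# alert it triggered (rule id/description are placeholders), a low-level alert, a corrupt line.
HIGH = {"level": 12, "id": "100100", "description": "Constructed high-severity alert"}
SAMPLE_LINES = [
    json.dumps({"timestamp": "2025-10-31T10:00:00.000+0000", "rule": dict(HIGH, groups=["syslog"]),
                "agent": {"name": "web01"}, "data": {"srcip": "203.0.113.7"}}),
    json.dumps({"timestamp": "2025-10-31T10:00:01.000+0000", "agent": {"name": "web01"},
                "rule": {"level": 3, "id": "651", "description": "Host Blocked by firewall-drop",
                         "groups": ["active_response"]},
                "data": {"parameters": {"alert": {"rule": HIGH, "data": {"srcip": "203.0.113.7"}}}}}),
    json.dumps({"timestamp": "2025-10-31T10:00:02.000+0000", "agent": {"name": "web01"},
                "rule": {"level": 5, "id": "100101", "description": "Constructed low alert", "groups": []}}),
    "{not valid json",
]
```

Feeding a copy of a real alerts.json through replay() shows how many notifications the threshold would have produced, which is the quickest way to tune the level cutoff before pointing the service at Discord.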

Set permissions:

sudo chown 1337rokudenashi:1337rokudenashi /home/1337rokudenashi/xdr/xdr
sudo chmod +x /home/1337rokudenashi/xdr/xdr

Create systemd Service

sudo tee /etc/systemd/system/xdr.service > /dev/null << 'EOF'
[Unit]
Description=XDR Service
After=network.target wazuh-manager.service

[Service]
Type=simple
User=1337rokudenashi
ExecStart=/home/1337rokudenashi/xdr/xdr
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target
EOF

Reload and start service:

sudo systemctl daemon-reload
sudo systemctl enable xdr
sudo systemctl start xdr

Check service status:

systemctl status xdr

High-severity events are continuously tracked and sent as JSON, giving a clear distinction between “Observed” and “Responded” activity.


https://1337rokudenashi.github.io/9b8c7d6e-5f4a-4b3c-9d2e-1f0a2b3c4d5e/
Author
1337rokudenashi
Posted on
October 31, 2025