YAML configuration

If you are not running the connector in Docker, you may also load the configuration from a YAML (or JSON) file. The YAML/JSON layout follows pydantic’s serialisation rules. See the example YAML configuration below for a complete illustration.

The following shows how to configure the connector using a YAML file; see the configuration reference for the meaning of each setting.

  1agents_as_systems: true
  2app_url: https://wazuh.example.org/
  3author_name: Wazuh
  4bundle_abort_limit: 500
  5connector:
  6  auto: true
  7  id: foo
  8  log_level: warning
  9  name: Wazuh
 10  scope:
 11    - Email-Addr
 12    - Mac-Addr
 13    - Vulnerability
 14    - WindowsRegistryValueType
 15    - Url
 16    - User-Agent
 17    - User-Account
 18    - Domain-Name
 19    - Artifact
 20    - StixFile
 21    - IPv4-Addr
 22    - WindowsRegistryKey
 23    - Indicator
 24    - Process
 25    - IPv6-Addr
 26    - Hostname
 27    - Network-Traffic
 28    - Directory
 29  type: internal_enrichment
 30create_agent_hostname_observable: true
 31create_agent_ip_observable: true
 32create_incident: per-sighting
 33create_incident_response: true
 34create_incident_summary: true
 35create_incident_threshold: 1
 36create_obs_sightings: true
 37create_sighting_summary: true
 38enrich:
 39  enrich_urls_without_host: false
 40  filename_behaviour:
 41    - remove-path
 42    - create-dir
 43  types:
 44    - email-addr
 45    - tool
 46    - windows-registry-key
 47    - process
 48    - url
 49    - ipv6-addr
 50    - user-account
 51    - ipv4-addr
 52    - mac-addr
 53    - user-agent
 54    - software
 55    - domain-name
 56    - file
 57    - vulnerability
 58    - attack-pattern
 59    - network-traffic
 60    - directory
 61enrich_labels:
 62  - wazuh_ignore
 63hits_abort_limit: 1000
 64ignore_own_entities: false
 65ignore_revoked_indicators: true
 66incident_rule_exclude_list: []
 67indicator_score_threshold: null
 68label_ignore_list:
 69  - hygiene
 70  - wazuh_ignore
 71max_extrefs: 10
 72max_extrefs_per_alert_rule: 2
 73max_notes: 10
 74max_notes_per_alert_rule: 2
 75max_tlp: TLP:RED
 76opencti:
 77  ssl_verify: false
 78  token: token
 79  url: https://openti.example.org/
 80opensearch:
 81  exclude_match:
 82    - field: data.integration
 83      query: opencti
 84  filter: []
 85  include_match: []
 86  index: wazuh-alerts-*
 87  limit: 50
 88  order_by:
 89    - field: timestamp
 90      order: desc
 91  password: opensearchpass
 92  search_after: null
 93  timeout: "20 seconds"
 94  url: https://wazuh.example.org:9200/
 95  username: opensearchname
 96  verify_tls: true
 97require_indicator_detection: false
 98require_indicator_for_incidents: true
 99rule_exclude_list: []
100search:
101  dirsearch_options:
102    - allow-regexp
103    - match-subdirs
104    - case-insensitive
105    - ignore-trailing-slash
106    - search-filenames
107  filesearch_options:
108    - allow-regexp
109    - case-insensitive
110    - search-size
111    - search-filename-only
112    - search-additional-filenames
113    - include-parent-dir-ref
114    - include-reg-values
115  ignore_private_addrs: true
116  lookup_agent_ip: false
117  lookup_agent_name: false
118  lookup_hostnames_in_cmd_line: false
119  lookup_mac_variants: true
120  lookup_url_ignore_trailing_slash: false
121  lookup_url_without_host: false
122  procsearch_options:
123    - case-insensitive
124system_name: Wazuh SIEM
125tlps:
126  - TLP:AMBER+STRICT
127vulnerability_incident_cvss3_score_threshold: null
128vulnerability_incident_active_only: true