# Set up Wazuh & TheHive for threat detection & case management

Wazuh is a free and open-source security platform that integrates Extended Detection and Response (XDR) and Security Information and Event Management (SIEM) capabilities. It offers comprehensive protection for endpoints and cloud workloads, enabling organizations to detect and respond to threats effectively.

**Key Features of Wazuh:**

* **Intrusion Detection:** Monitors systems for signs of unauthorized access or malicious activity.
* **Log Data Analysis:** Collects and analyzes logs from various sources to identify potential security incidents.
* **File Integrity Monitoring:** Tracks changes to critical files and directories, alerting administrators to unauthorized modifications.
* **Vulnerability Detection:** Identifies known vulnerabilities in software and hardware components within the network.
* **Configuration Assessment:** Evaluates system configurations to ensure compliance with security policies and standards.
* **Incident Response:** Provides tools and capabilities to respond to and mitigate security incidents promptly.
* **Regulatory Compliance:** Assists organizations in meeting compliance requirements by providing necessary security controls and reporting tools.
* **Cloud Security:** Offers monitoring and protection for cloud-based infrastructures, ensuring security across various environments.

Wazuh's architecture consists of lightweight agents deployed on monitored systems and a centralized management server that processes and analyzes data received from these agents.

Let's start by installing Wazuh. The `-a` flag runs the all-in-one installer (manager, indexer and dashboard on a single host):

```bash
curl -sO https://packages.wazuh.com/4.10/wazuh-install.sh && sudo bash ./wazuh-install.sh -a
```

<figure><img src="/files/11Sjw7DvXCeXOK2HImIl" alt=""><figcaption></figcaption></figure>

Once the installer finishes, we can open the Wazuh dashboard.

<figure><img src="/files/4dtKFT43iUzTfxdSCDqR" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/48XYIGrfTSuu3ZOqyWUp" alt=""><figcaption></figcaption></figure>

Next, we deploy a new agent from the Wazuh dashboard.

<figure><img src="/files/nyCFmQxrDA4GjjdHhIUM" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/gjaHNqwHssTcTZ80mtCM" alt=""><figcaption></figcaption></figure>

Enter the IP address of the machine where the Wazuh manager is installed.

<figure><img src="/files/6FynD0QRTBVT6Ef8soTZ" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/5s43wjDjzJFqZg1l33bq" alt=""><figcaption></figcaption></figure>

Next, execute the following command on the Windows machine where you intend to install the Wazuh agent.

```powershell
Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.10.1-1.msi -OutFile $env:tmp\wazuh-agent; msiexec.exe /i $env:tmp\wazuh-agent /q WAZUH_MANAGER='192.168.204.147' WAZUH_AGENT_NAME='faresmorcy' 
```

Next, start the **WazuhSvc** service.

```powershell
net.exe start WazuhSvc
```

<figure><img src="/files/cRh8T7uxT4kTEvZb94qs" alt=""><figcaption></figcaption></figure>

Next, we need to modify the agent's `ossec.conf` file so that it forwards Sysmon logs to the Wazuh manager.

<figure><img src="/files/bngtpINoAsofOfdjlcz9" alt=""><figcaption></figcaption></figure>

I only need to forward the Sysmon logs, nothing else.
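As an added example (not from this page or from Wazuh's own files), here is the `<localfile>` entry that restricts forwarding to the Sysmon channel, wrapped in a small shell helper that inserts it into an `ossec.conf` exactly once. The XML is the standard Wazuh `eventchannel` entry; on the Windows agent it belongs inside `<ossec_config>` in `C:\Program Files (x86)\ossec-agent\ossec.conf`. The helper, its function names and the sample config it runs on are assumptions for illustration, meant for staging or checking a copy of the file from a Linux host.

```shell
#!/usr/bin/env bash
# Added example: the <localfile> block that forwards only the Sysmon event
# channel, plus an idempotent helper that inserts it into an ossec.conf.
# The helper and the sample config below are constructed for this demo.
set -eu

# Standard Wazuh agent entry for the Sysmon channel (eventchannel format).
SYSMON_LOCALFILE='  <localfile>
    <location>Microsoft-Windows-Sysmon/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>'

# Insert the Sysmon <localfile> block just before </ossec_config>, unless the
# file already forwards that channel (running it twice adds nothing).
add_sysmon_localfile() {
  conf="$1"
  if grep -q 'Microsoft-Windows-Sysmon/Operational' "$conf"; then
    return 0
  fi
  # ENVIRON keeps the embedded newlines of the block intact.
  BLOCK="$SYSMON_LOCALFILE" awk '
    /<\/ossec_config>/ { print ENVIRON["BLOCK"] }
    { print }
  ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Number of <localfile> blocks in a config (sanity check after editing).
count_localfiles() {
  grep -c '<localfile>' "$1" || true
}

# Demo on a constructed minimal agent config pointing at the lab manager.
DEMO_CONF=$(mktemp)
cat > "$DEMO_CONF" <<'EOF'
<ossec_config>
  <client>
    <server>
      <address>192.168.204.147</address>
    </server>
  </client>
</ossec_config>
EOF
add_sysmon_localfile "$DEMO_CONF"
echo "localfile entries: $(count_localfiles "$DEMO_CONF")"
cat "$DEMO_CONF"
```

The helper checks for the channel name rather than for `<localfile>` itself, so a config that already forwards other channels still gets the Sysmon entry while a second run leaves the file unchanged.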

Next, restart the Wazuh service.

```powershell
Restart-Service WazuhSvc
```

Now, let's verify on the Wazuh dashboard whether the Wazuh agent is successfully sending Sysmon events.

<figure><img src="/files/UJ6Zk9w5Ae63CqsVdSAr" alt=""><figcaption></figcaption></figure>
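If you would rather confirm the same thing from the manager's command line, the following added example (not part of the page and not Wazuh tooling) counts Sysmon alerts per agent in `/var/ossec/logs/alerts/alerts.json` and lists which Sysmon event IDs have been seen. The field names `agent.name`, `data.win.system.channel` and `data.win.system.eventID` are what Wazuh's Windows eventchannel decoder emits; the sample lines are constructed in that shape, and the function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example: manager-side check that Sysmon events from an agent are
# reaching Wazuh, run against alerts.json instead of the dashboard.
# Sample lines are constructed to resemble /var/ossec/logs/alerts/alerts.json.
set -eu

ALERTS_FILE="${ALERTS_FILE:-/var/ossec/logs/alerts/alerts.json}"
SYSMON_CHANNEL='Microsoft-Windows-Sysmon/Operational'

# Constructed sample: two Sysmon alerts and one Security-log alert from the
# lab agent, plus one Sysmon alert from a different agent.
SAMPLE_ALERTS=$(cat <<'EOF'
{"timestamp":"2025-01-20T10:00:01.000+0000","rule":{"level":3,"description":"Sysmon - Event 1: Process creation","id":"61603"},"agent":{"id":"001","name":"faresmorcy"},"manager":{"name":"wazuh"},"decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","eventID":"1","channel":"Microsoft-Windows-Sysmon/Operational"}}},"location":"EventChannel"}
{"timestamp":"2025-01-20T10:00:02.000+0000","rule":{"level":3,"description":"Sysmon - Event 3: Network connection","id":"61605"},"agent":{"id":"001","name":"faresmorcy"},"manager":{"name":"wazuh"},"decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","eventID":"3","channel":"Microsoft-Windows-Sysmon/Operational"}}},"location":"EventChannel"}
{"timestamp":"2025-01-20T10:00:03.000+0000","rule":{"level":3,"description":"Windows logon success","id":"60106"},"agent":{"id":"001","name":"faresmorcy"},"manager":{"name":"wazuh"},"decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","eventID":"4624","channel":"Security"}}},"location":"EventChannel"}
{"timestamp":"2025-01-20T10:00:04.000+0000","rule":{"level":3,"description":"Sysmon - Event 1: Process creation","id":"61603"},"agent":{"id":"002","name":"other-host"},"manager":{"name":"wazuh"},"decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","eventID":"1","channel":"Microsoft-Windows-Sysmon/Operational"}}},"location":"EventChannel"}
EOF
)

# ERE matching the "agent":{...,"name":"<agent>"} object, so that manager.name
# or decoder.name with the same value cannot produce a false match.
agent_pattern() { printf '"agent":\\{[^}]*"name":"%s"' "$1"; }

# Number of alerts in $1 that came from agent $2 via the Sysmon channel.
count_sysmon_alerts() {
  grep -E "$(agent_pattern "$2")" "$1" \
    | grep -Fc "\"channel\":\"$SYSMON_CHANNEL\"" || true
}

# Sysmon event IDs seen for agent $2 in $1, most frequent first
# (1 = process creation, 3 = network connection, ...).
sysmon_event_ids() {
  grep -E "$(agent_pattern "$2")" "$1" \
    | grep -F "\"channel\":\"$SYSMON_CHANNEL\"" \
    | sed -n 's/.*"eventID":"\([0-9]*\)".*/\1/p' \
    | sort | uniq -c | sort -rn || true
}

# Demo: use the real alerts file on a manager, otherwise the sample above.
main_demo() {
  file="$ALERTS_FILE"
  if [ ! -r "$file" ]; then
    file=$(mktemp)
    printf '%s\n' "$SAMPLE_ALERTS" > "$file"
  fi
  agent="${1:-faresmorcy}"
  echo "Sysmon alerts from $agent: $(count_sysmon_alerts "$file" "$agent")"
  sysmon_event_ids "$file" "$agent"
}
main_demo "$@"
```

A zero count with the agent otherwise reporting (for example, Security-channel alerts present) points at the `ossec.conf` edit or the agent restart rather than at connectivity.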

TheHive is an open-source Security Incident Response Platform (SIRP) designed to assist Security Operations Centers (SOCs), Computer Security Incident Response Teams (CSIRTs), and Computer Emergency Response Teams (CERTs) in efficiently managing and responding to security incidents. It offers a collaborative environment where security professionals can analyze, track, and resolve incidents effectively.

**Key Features of TheHive:**

* **Case Management:** Create and manage cases with detailed information, including tasks, observables, and logs.
* **Collaboration:** Multiple users can work on the same case simultaneously, promoting teamwork and efficient incident handling.
* **Integration:** Seamlessly integrates with other security tools like MISP (Malware Information Sharing Platform) and Cortex for automated analysis.
* **Alert Management:** Ingest alerts from various sources, enabling quick triage and prioritization.
* **Customizable Dashboards:** Visualize incident data and track performance metrics through user-defined dashboards.

TheHive is built to be scalable and can be deployed as a standalone node or in a clustered environment, depending on organizational needs.

**`Installation Guide`**: <https://docs.strangebee.com/thehive/installation/step-by-step-installation-guide/#installation>

Now, let's install **TheHive**.

First, we need to install the required dependencies.

```bash
apt install wget gnupg apt-transport-https git ca-certificates ca-certificates-java curl software-properties-common python3-pip lsb-release
```

TheHive requires Java 11, so let's install Amazon Corretto 11 with the following commands:

```bash
wget -qO- https://apt.corretto.aws/corretto.key | sudo gpg --dearmor -o /usr/share/keyrings/corretto.gpg
echo "deb [signed-by=/usr/share/keyrings/corretto.gpg] https://apt.corretto.aws stable main" | sudo tee /etc/apt/sources.list.d/corretto.list
sudo apt update
sudo apt install -y java-11-amazon-corretto-jdk
echo 'JAVA_HOME="/usr/lib/jvm/java-11-amazon-corretto"' | sudo tee -a /etc/environment
source /etc/environment
```

TheHive uses Apache Cassandra as its database. Let's install it as follows:

```bash
wget -qO - https://downloads.apache.org/cassandra/KEYS | sudo gpg --dearmor -o /usr/share/keyrings/cassandra-archive.gpg
echo "deb [signed-by=/usr/share/keyrings/cassandra-archive.gpg] https://debian.cassandra.apache.org 40x main" | sudo tee /etc/apt/sources.list.d/cassandra.sources.list
sudo apt update
sudo apt install -y cassandra
```

TheHive requires Elasticsearch for data indexing. Let's install Elasticsearch 7.x with the following commands:

```bash
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elasticsearch-7.x.list
sudo apt update
sudo apt install -y elasticsearch
```

Next, add TheHive's repository and install the package.

```bash
wget -O- https://archives.strangebee.com/keys/strangebee.gpg | sudo gpg --dearmor -o /usr/share/keyrings/strangebee-archive-keyring.gpg
echo 'deb [signed-by=/usr/share/keyrings/strangebee-archive-keyring.gpg] https://deb.strangebee.com thehive-5.2 main' | sudo tee -a /etc/apt/sources.list.d/strangebee.list
sudo apt update
sudo apt install -y thehive
```

Next, we need to start TheHive and enable it to run on system boot:

```bash
sudo systemctl start thehive
sudo systemctl enable thehive
```

Now, let's edit the Cassandra configuration file:

```bash
nano /etc/cassandra/cassandra.yaml
```

<figure><img src="/files/hiDPaEXVafkC32i5SyaV" alt=""><figcaption></figcaption></figure>

Enter the IP address of the machine where TheHive is installed.

<figure><img src="/files/qSallW9lDLEm3xOJ24Rb" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/qbWtQXGVi44xKvvm2oVZ" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/7zGv7FFw09pZ4AHZemBD" alt=""><figcaption></figcaption></figure>

After installation, let's start and enable Cassandra:

```bash
sudo systemctl start cassandra
sudo systemctl enable cassandra
```

We also need to edit the configuration for Elasticsearch.

```bash
nano /etc/elasticsearch/elasticsearch.yml
```

<figure><img src="/files/zKzi1b8ARD7mcE5Rn0Yq" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/aVFZ4GRuoukuAqwJFeu3" alt=""><figcaption></figcaption></figure>

Next, let's start and enable Elasticsearch:

```bash
sudo systemctl start elasticsearch
sudo systemctl enable elasticsearch
```

Next, we need to modify TheHive's configuration. However, before proceeding, we must update the ownership of the `/opt/thp` directory, assigning it to the `thehive` user and group.

```bash
chown -R thehive:thehive /opt/thp
```

<figure><img src="/files/PpyZSel6GOwIrtK85OhX" alt=""><figcaption></figcaption></figure>

```bash
nano /etc/thehive/application.conf
```

<figure><img src="/files/mxhsyxq9tykYYS0D552n" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/c3uZDh5O3FOi8Yzl1z8h" alt=""><figcaption></figcaption></figure>
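The three configuration files edited above carry settings that must agree with one another: Cassandra's `cluster_name` and `rpc_address`, Elasticsearch's bind address, and the `db.janusgraph` section of `application.conf` that points TheHive at both. The added example below (not from the page, TheHive, Cassandra or Elasticsearch) renders those fragments for a single-node lab from one IP variable and then cross-checks them. The function names, the staging directory and the values are assumptions; only the connection-related keys are shown, and the packaged `application.conf` keeps its own `play.http.secret.key`, which is not reproduced here.

```shell
#!/usr/bin/env bash
# Added example: the settings that have to agree across cassandra.yaml,
# elasticsearch.yml and TheHive's application.conf for a single-node lab,
# rendered from one IP and then cross-checked. Values are constructed;
# the default IP is this page's TheHive host.
set -eu

THEHIVE_IP="${THEHIVE_IP:-192.168.204.149}"

# Write the three fragments into directory $1 using IP $2.
render_stack_config() {
  out="$1"; ip="$2"
  mkdir -p "$out"
  cat > "$out/cassandra.yaml" <<EOF
cluster_name: 'thp'
listen_address: $ip
rpc_address: $ip
seed_provider:
  - class_name: org.apache.cassandra.locator.SimpleSeedProvider
    parameters:
      - seeds: "$ip:7000"
EOF
  cat > "$out/elasticsearch.yml" <<EOF
cluster.name: hive
http.host: 127.0.0.1
transport.host: 127.0.0.1
xpack.security.enabled: false
script.allowed_types: "inline,stored"
EOF
  cat > "$out/application.conf" <<EOF
db.janusgraph {
  storage {
    backend = cql
    hostname = ["$ip"]
    cql {
      cluster-name = thp
      keyspace = thehive
    }
  }
  index.search {
    backend = elasticsearch
    hostname = ["127.0.0.1"]
    index-name = thehive
  }
}
storage {
  provider = localfs
  localfs.location = /opt/thp/thehive/files
}
application.baseUrl = "http://$ip:9000"
EOF
}

# First flat "key: value" in YAML file $2, quotes stripped.
yaml_value() { sed -n "s/^$1:[[:space:]]*//p" "$2" | sed -n '1p' | tr -d "'\""; }
# $2-th "key = value" for key $1 in HOCON file $3, quotes and brackets stripped.
hocon_value() { sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$3" | sed -n "${2}p" | sed 's/[]["]//g'; }

# Verify the cross-references TheHive needs; prints mismatches, returns count.
check_stack_config() {
  dir="$1"; errors=0
  cass_cluster=$(yaml_value cluster_name "$dir/cassandra.yaml")
  cass_rpc=$(yaml_value rpc_address "$dir/cassandra.yaml")
  hive_cluster=$(hocon_value cluster-name 1 "$dir/application.conf")
  hive_cql_host=$(hocon_value hostname 1 "$dir/application.conf")  # storage block
  hive_es_host=$(hocon_value hostname 2 "$dir/application.conf")   # index.search block
  es_host=$(yaml_value http.host "$dir/elasticsearch.yml")
  [ "$cass_cluster" = "$hive_cluster" ] || { echo "cluster name: cassandra '$cass_cluster' vs thehive '$hive_cluster'"; errors=$((errors+1)); }
  [ "$cass_rpc" = "$hive_cql_host" ] || { echo "cql host: cassandra serves '$cass_rpc', thehive connects to '$hive_cql_host'"; errors=$((errors+1)); }
  [ "$es_host" = "$hive_es_host" ] || { echo "es host: elasticsearch binds '$es_host', thehive connects to '$hive_es_host'"; errors=$((errors+1)); }
  return "$errors"
}

# Demo: render into a temporary directory and check it.
DEMO_DIR=$(mktemp -d)
render_stack_config "$DEMO_DIR" "$THEHIVE_IP"
check_stack_config "$DEMO_DIR" && echo "stack config consistent in $DEMO_DIR"
```

Running the checker against copies of the real files (`/etc/cassandra/cassandra.yaml`, `/etc/elasticsearch/elasticsearch.yml`, `/etc/thehive/application.conf`) placed in one directory catches the mismatched cluster name or host that otherwise only shows up as TheHive failing to start.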

Now, let's access TheHive by navigating to **`http://192.168.204.149:9000`**.

<figure><img src="/files/WIC8cByW8ANTU7j3dLHG" alt=""><figcaption></figcaption></figure>

The default admin user credentials are as follows:

* Username: <admin@thehive.local>
* Password: secret

<figure><img src="/files/gW6wzLyLQAIAL0ANXzTG" alt=""><figcaption></figcaption></figure>

I encountered an authentication failure when attempting to access it. Let's work on resolving this issue.

```bash
nano /etc/elasticsearch/jvm.options.d/jvm.option
```

```text
-Dlog4j2.formatMsgNoLookups=true
-Xms2g
-Xmx2g
```

<figure><img src="/files/aWGIqjHlZpBJMfQozj2p" alt=""><figcaption></figcaption></figure>

Then restart Elasticsearch.

```bash
systemctl restart elasticsearch
```

Now, let's access TheHive again.

<figure><img src="/files/XVsFSkm3qipam2C5yAv9" alt=""><figcaption></figcaption></figure>

