Set up Wazuh & TheHive for threat detection & case management

Wazuh is a free and open-source security platform that integrates Extended Detection and Response (XDR) and Security Information and Event Management (SIEM) capabilities. It offers comprehensive protection for endpoints and cloud workloads, enabling organizations to detect and respond to threats effectively.

Key Features of Wazuh:

  • Intrusion Detection: Monitors systems for signs of unauthorized access or malicious activity.

  • Log Data Analysis: Collects and analyzes logs from various sources to identify potential security incidents.

  • File Integrity Monitoring: Tracks changes to critical files and directories, alerting administrators to unauthorized modifications.

  • Vulnerability Detection: Identifies known vulnerabilities in software and hardware components within the network.

  • Configuration Assessment: Evaluates system configurations to ensure compliance with security policies and standards.

  • Incident Response: Provides tools and capabilities to respond to and mitigate security incidents promptly.

  • Regulatory Compliance: Assists organizations in meeting compliance requirements by providing necessary security controls and reporting tools.

  • Cloud Security: Offers monitoring and protection for cloud-based infrastructures, ensuring security across various environments.

Wazuh's architecture consists of lightweight agents deployed on monitored systems and a centralized management server that processes and analyzes data received from these agents.

Let's start by installing Wazuh with its quickstart script (the -a flag performs an all-in-one installation of manager, indexer and dashboard on the same host):

curl -sO https://packages.wazuh.com/4.10/wazuh-install.sh && sudo bash ./wazuh-install.sh -a

Once the installer finishes, we can access the Wazuh dashboard with the admin password the installer prints at the end of its output.

Next, we configure Wazuh by adding a new agent from the dashboard.

Here we enter the IP address of the machine where the Wazuh server is installed; this is the address the agent will report to.

Next, execute the following command in an elevated PowerShell session on the Windows machine where you intend to install the Wazuh agent.

Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.10.1-1.msi -OutFile $env:tmp\wazuh-agent; msiexec.exe /i $env:tmp\wazuh-agent /q WAZUH_MANAGER='192.168.204.147' WAZUH_AGENT_NAME='faresmorcy'

Next, we need to start the WazuhSvc service.

net.exe start WazuhSvc

Next, we modify the agent's ossec.conf file so that it forwards Sysmon logs to the Wazuh manager.

I only need to forward the Sysmon logs, nothing else.
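Added example, not the author's configuration: the <localfile> entry that makes the agent collect the Sysmon event channel, here wrapped in <agent_config> so the same block can also be pushed from the manager to every Windows agent through Wazuh's centralized configuration (the shared agent.conf), an alternative to editing each host's ossec.conf by hand. It assumes Wazuh's default paths; the agent's default Application, Security and System entries stay in place unless they are removed from the local ossec.conf.

```shell
# Added example (not from the original post). The inner <localfile> element is what goes
# into the agent's ossec.conf; wrapped in <agent_config>, the same block can be pushed
# from the manager to every Windows agent in the "default" group through Wazuh's
# centralized configuration (shared agent.conf). Paths are Wazuh's defaults.
set -eu

SYSMON_CHANNEL="Microsoft-Windows-Sysmon/Operational"

# Print the block: eventchannel is the log format for Windows event channels.
render_sysmon_agent_config() {
cat <<EOF
<agent_config os="Windows">
  <localfile>
    <location>${SYSMON_CHANNEL}</location>
    <log_format>eventchannel</log_format>
  </localfile>
</agent_config>
EOF
}

# Append the block to a shared agent.conf unless the channel is already present, so the
# script can be re-run safely. $1 = path to agent.conf; succeeds when the channel is in it.
add_sysmon_to_agent_conf() {
    local conf="$1"
    if [ -f "$conf" ] && grep -q "<location>${SYSMON_CHANNEL}</location>" "$conf"; then
        echo "Sysmon channel already configured in $conf" >&2
        return 0
    fi
    render_sysmon_agent_config >> "$conf"
    grep -q "<location>${SYSMON_CHANNEL}</location>" "$conf"
}

# On the manager, run with `apply`: verify-agent-conf is Wazuh's own syntax check for the
# shared configuration, and agents fetch the updated file automatically afterwards.
if [ "${1:-}" = "apply" ]; then
    add_sysmon_to_agent_conf /var/ossec/etc/shared/default/agent.conf
    /var/ossec/bin/verify-agent-conf
fi
```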

Next, restart the Wazuh service.

Restart-Service WazuhSvc

Now, let's verify on the Wazuh dashboard whether the Wazuh agent is successfully sending Sysmon events.

TheHive is an open-source Security Incident Response Platform (SIRP) designed to assist Security Operations Centers (SOCs), Computer Security Incident Response Teams (CSIRTs), and Computer Emergency Response Teams (CERTs) in efficiently managing and responding to security incidents. It offers a collaborative environment where security professionals can analyze, track, and resolve incidents effectively.

Key Features of TheHive:

  • Case Management: Create and manage cases with detailed information, including tasks, observables, and logs.

  • Collaboration: Multiple users can work on the same case simultaneously, promoting teamwork and efficient incident handling.

  • Integration: Seamlessly integrates with other security tools like MISP (Malware Information Sharing Platform) and Cortex for automated analysis.

  • Alert Management: Ingest alerts from various sources, enabling quick triage and prioritization.

  • Customizable Dashboards: Visualize incident data and track performance metrics through user-defined dashboards.

TheHive is built to be scalable and can be deployed as a standalone node or in a clustered environment, depending on organizational needs.

Installation guide: https://docs.strangebee.com/thehive/installation/step-by-step-installation-guide/#installation

Now, let's install TheHive.

First, we need to install the required dependencies.

sudo apt install wget gnupg apt-transport-https git ca-certificates ca-certificates-java curl software-properties-common python3-pip lsb-release

TheHive requires Java 11, so let's install Amazon Corretto 11 with the following commands:

wget -qO- https://apt.corretto.aws/corretto.key | sudo gpg --dearmor -o /usr/share/keyrings/corretto.gpg
echo "deb [signed-by=/usr/share/keyrings/corretto.gpg] https://apt.corretto.aws stable main" | sudo tee /etc/apt/sources.list.d/corretto.list
sudo apt update
sudo apt install -y java-11-amazon-corretto-jdk
echo 'JAVA_HOME="/usr/lib/jvm/java-11-amazon-corretto"' | sudo tee -a /etc/environment
source /etc/environment

TheHive uses Apache Cassandra as its database. Let's install it as follows:

wget -qO - https://downloads.apache.org/cassandra/KEYS | sudo gpg --dearmor -o /usr/share/keyrings/cassandra-archive.gpg
echo "deb [signed-by=/usr/share/keyrings/cassandra-archive.gpg] https://debian.cassandra.apache.org 40x main" | sudo tee /etc/apt/sources.list.d/cassandra.sources.list
sudo apt update
sudo apt install -y cassandra

TheHive requires Elasticsearch for data indexing. Let's install Elasticsearch 7.x with the following commands:

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elasticsearch-7.x.list
sudo apt update
sudo apt install -y elasticsearch

Now, let's add TheHive's repository and install the package.

wget -O- https://archives.strangebee.com/keys/strangebee.gpg | sudo gpg --dearmor -o /usr/share/keyrings/strangebee-archive-keyring.gpg
echo 'deb [signed-by=/usr/share/keyrings/strangebee-archive-keyring.gpg] https://deb.strangebee.com thehive-5.2 main' | sudo tee -a /etc/apt/sources.list.d/strangebee.list
sudo apt update
sudo apt install -y thehive

Next, we need to start TheHive and enable it to run on system boot:

sudo systemctl start thehive
sudo systemctl enable thehive

Now, let's edit the Cassandra configuration file:

sudo nano /etc/cassandra/cassandra.yaml

Enter the IP address of the machine where TheHive is installed in the address settings (listen_address, rpc_address and the seed list).

After editing the configuration, let's start and enable Cassandra:

sudo systemctl start cassandra
sudo systemctl enable cassandra

We also need to edit the Elasticsearch configuration file.

sudo nano /etc/elasticsearch/elasticsearch.yml

Next, let's start and enable Elasticsearch:

sudo systemctl start elasticsearch
sudo systemctl enable elasticsearch

Next, we modify TheHive's configuration. Before doing so, we must change the ownership of the /opt/thp directory (where TheHive stores its files) to the thehive user and group.

sudo chown -R thehive:thehive /opt/thp
sudo nano /etc/thehive/application.conf
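The three "enter the IP address" edits above, as an added example rather than the author's own files: functions that apply the Cassandra, Elasticsearch and TheHive settings for a single host. It assumes TheHive 5.2 package defaults and the host's address in THEHIVE_IP (the page uses 192.168.204.149); run with `apply` to write the files under /etc.

```shell
# Added example (not from the original post): the three "enter the IP address" edits as
# functions. Assumes one host, TheHive 5.2 package defaults, and THEHIVE_IP set to that
# host's address (the page uses 192.168.204.149). Run with `apply` to write under /etc.
set -eu

# cassandra.yaml: bind to the host IP and make the node its own seed. $1 = file, $2 = IP
configure_cassandra() {
    sed -i -e "s/^cluster_name:.*/cluster_name: 'thp'/" \
           -e "s/^listen_address:.*/listen_address: $2/" \
           -e "s/^rpc_address:.*/rpc_address: $2/" \
           -e "s/- seeds:.*/- seeds: \"$2:7000\"/" "$1"
}

# elasticsearch.yml: loopback only, since X-Pack security is disabled on this node.
render_elasticsearch_yml() {
cat <<EOF
http.host: 127.0.0.1
transport.host: 127.0.0.1
cluster.name: hive
path.logs: /var/log/elasticsearch
path.data: /var/lib/elasticsearch
xpack.security.enabled: false
EOF
}

# application.conf: Cassandra on the host IP, Elasticsearch on loopback, attachments on
# disk. The include keeps the package-generated secret key (assumed to exist). $1 = IP
render_thehive_conf() {
cat <<EOF
include "/etc/thehive/secret.conf"
db.janusgraph {
  storage {
    backend = cql
    hostname = ["$1"]
    cql { cluster-name = thp, keyspace = thehive }
  }
  index.search { backend = elasticsearch, hostname = ["127.0.0.1"], index-name = thehive }
}
storage { provider = localfs, localfs.location = /opt/thp/thehive/files }
EOF
}

if [ "${1:-}" = "apply" ]; then
    configure_cassandra /etc/cassandra/cassandra.yaml "${THEHIVE_IP:?}"
    render_elasticsearch_yml > /etc/elasticsearch/elasticsearch.yml
    render_thehive_conf "$THEHIVE_IP" > /etc/thehive/application.conf
fi
```

Restart Cassandra, Elasticsearch and TheHive after applying so the new addresses take effect.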

Now, let's access TheHive by navigating to http://192.168.204.149:9000.

The default admin user credentials are as follows (change this password after the first login):

  • Username: admin@thehive.local

  • Password: secret

I encountered an authentication failure when attempting to access it. Let's work on resolving this issue.

sudo nano /etc/elasticsearch/jvm.options.d/jvm.option

Add the following JVM options (the first disables Log4j message lookups, the other two fix the heap at 2 GB):

-Dlog4j2.formatMsgNoLookups=true
-Xms2g
-Xmx2g

Then restart Elasticsearch.

sudo systemctl restart elasticsearch

Now, let's access TheHive again.
