Incident Management | Wazuh | Hive

[Daniel]

Hello All and Team,

I am planning to integrate Hive and Wazuh in order to have Incident management and ticketing capabilities, While referring to the Hive installations steps on its official documentation I want to confirm the configuration step as mentioned below:

Refer to attached screenshot and confirm what will going to be placed inside of cassandra.yaml file in place of listen_address, rpc_address and seeds ?

Network information in my environment:

Wazuh single node IP: 192.168.0.105

System IP ( Machine Hosting Hypervisor) = Dynamic DHCP provided

You are requested to confirm the configuration step.

Hive Documentation:

https://docs.thehive-project.org/thehive/installation-and-configuration/installation/step-by-step-guide/

[Daniel]

Hello Wazuh Team,

Any update?

[Aditya Sharma]

Hi Daniel, Sorry for the late response!

We have official documentation here https://groups.google.com/g/wazuh/c/Hh9qOHe-_NA in order to integrate Wazuh with Hive. So please look into this documentation and let us know if you face any issues/concerns.

Regards
Aditya Sharma

[Johny Novent]

What is the best way to integrate wazuh and Thehive. I want to receive in real time alerts from wazuh in Thehive. I tried this method 

https://github.com/crow1011/wazuh2thehive

But I think that its obsolete because it was edited 3 years ago and the alerts are slow in load in the alerts page. do you know any differents methods to receive alerts in real time or any idea to fix this problem with the alerts coming  from wazuh to get them in real time???

[Tomas Turina]

Hi Johny Novent,

Have you tried to follow this blog from our website?

As for the real-time request, this is possible using our integrator module, which runs a script every time an alert is generated. It is configured like this:

<integration>

<name>custom-w2thive</name>

<hook_url>http://TheHive_Server_IP:9000</hook_url>

<api_key>RWw/Ii0yE6l+Nnd3nv3o3Uz+5UuHQYTM</api_key>

<alert_format>json</alert_format>

</integration>

Let me know how it goes.

Tomás Turina

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/CAK1EzX3A4tp3sDKVPxF%2Be0SFPJMjzL6Ayyj0-zLKbrS-UTCnvg%40mail.gmail.com.

[Johny Novent]

Hi Tomas

Yes, i've tried to integrate Wazuh with Thehive following the blog but I have this problems:

1.- when I add the scripts like the blog the alerts are coming from good when meanwhile the time passing by the alerts start to coming slow or the alerts showing in alerts tab or page hours later or even a day later. 

like this example below: 

This is the last alert coming from Wazuh

at 17:23 today january 04 2023

but in Wazuh this alert was generated at 11:44 today

So the alerts are coming from Wazuh too late and Thehive show in alerts tab hours later or even a day later

even if I see the alert counter I have 9868 alerts in the alerts page or tab 

but here below in this part show a different number 

or if a check the platform status 

I have  9879 alerts 

So with this I can confirm that I have alerts delayed or coming from Wazuh but they are coming too slow 

Only when I restart wazuh the alerts start to coming from fast again but when the time goes by, the alerts are delayed again

In fact here you can see my files with the scripts 

and I have my block in /var/ossec/etc/ossec.conf. with my api key and my url to Thehive like this 

<integration>
    <name>custom-w2thive</name>
    <hook_url>http://url:9000</hook_url>
    <api_key>21udajdaoiX3qghdadylJ8q27UR</api_key>
    <alert_format>json</alert_format>
  </integration>

I don't know what happened or what the problem is here. Maybe the resources because I'm using a test machine to try Thehive. 

maybe another solution to receive the alerts from Wazuh in Thehive??

or how I can fix or try to fix this problem ???

Thanks in advanced for your answer Tomas.