Build a SOC


Hatem

Apr 18, 2024, 12:51:55 PM
to Wazuh | Mailing List
Hi Team

Did anyone try Docker with Wazuh, TheHive 5, Cortex and MISP on one server?


Himanshu Sharma

Apr 22, 2024, 6:33:59 AM
to Wazuh | Mailing List
Hi Team,

You can follow the steps below to integrate TheHive with Wazuh.
  1. I deployed an empty Linux VM, installed Docker, and got the official TheHive Docker image this way: docker pull strangebee/thehive:5.2.11-1 (you will get the container ID printed on the screen).
  2. Started the TheHive Docker instance with: docker run -p 9000:9000 your-container-id
  3. Leave it running; TheHive will be listening on your-vm-ip:9000
  4. At this point you can access and log in to TheHive. The admin user is ad...@thehive.local and the password is secret
  5. Create a test organization and its users following the guide: https://wazuh.com/blog/using-wazuh-and-thehive-for-threat-protection-and-incident-response/
  6. In the previous step, make sure you have created the new user test...@wazuh.com and also thehi...@wazuh.com (this last one with "analyst" permissions and "Create API key", which we will need later).
  7. Now, on your fully functional Wazuh Manager, install the Python module: sudo /var/ossec/framework/python/bin/pip3 install thehive4py==1.8.1
  8. We now create two files: /var/ossec/integrations/custom-w2thive.py and /var/ossec/integrations/custom-w2thive
  9. You can get the contents of each file from here: https://wazuh.com/blog/using-wazuh-and-thehive-for-threat-protection-and-incident-response/
  10. Set up the file permissions as instructed in the GitHub article.
  11. Edit your Wazuh Manager's /var/ossec/etc/ossec.conf in order to add the "integration" section (as detailed in the GitHub article).
  12. The final step is to restart the Wazuh Manager to apply the changes: sudo systemctl restart wazuh-manager
  13. Log in to TheHive as test...@wazuh.com
  14. Attached is a file showing the alerts I got on TheHive.

You can follow the below link to learn more:


[Attachment: image (18).png]

Please let us know if you still face issues, we are happy to help.
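The procedure above wires a custom integration script into the Wazuh integrator, which hands each matching alert to that script as a JSON file together with the API key and hook URL from ossec.conf. The script below is an added example, not the custom-w2thive.py from the Wazuh blog post: it builds the same kind of TheHive alert (title, severity, tags, observables) from a Wazuh alert using only the Python standard library, so the field mapping can be read and tested without thehive4py installed. It assumes the integrator's argument order (alert file, API key, hook URL), TheHive's v0-style /api/alert endpoint with Bearer authentication, and the level-to-severity thresholds chosen here; the ossec.conf block in the docstring uses placeholder values, and the sample alert is constructed, not captured.

```python
#!/usr/bin/env python3
"""Wazuh -> TheHive alert forwarder, standard library only (added example).

The Wazuh integrator runs a custom integration as
    /var/ossec/integrations/custom-w2thive <alert_file> <api_key> <hook_url>
once ossec.conf carries a block like this (placeholder hook_url/api_key):
    <integration>
      <name>custom-w2thive</name>
      <hook_url>http://thehive.example:9000</hook_url>
      <api_key>REPLACE_WITH_THEHIVE_API_KEY</api_key>
      <alert_format>json</alert_format>
    </integration>
"""
import json
import re
import sys
import urllib.request

IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
HEX_HASH = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")
USER_KEYS = ("user", "srcuser", "dstuser")


def severity_from_level(level: int) -> int:
    """Map Wazuh rule.level (0-15) to TheHive severity 1..4; thresholds are this example's."""
    if level >= 12:
        return 4
    if level >= 9:
        return 3
    return 2 if level >= 5 else 1


def flatten(obj, prefix=""):
    """Yield (dotted.key, scalar) pairs for every leaf of a nested alert."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from flatten(value, f"{prefix}{key}.")
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from flatten(value, f"{prefix}{index}.")
    else:
        yield prefix.rstrip("."), obj


def extract_artifacts(alert: dict) -> list:
    """Turn alert fields into TheHive observables, deduplicated by (type, value)."""
    artifacts, seen = [], set()
    for key, value in flatten(alert):
        if not isinstance(value, str) or not value:
            continue
        leaf = key.rsplit(".", 1)[-1]
        if IPV4.match(value):
            data_type = "ip"
        elif HEX_HASH.match(value):
            data_type = "hash"
        elif leaf in ("path", "file"):
            data_type = "filename"
        elif leaf in USER_KEYS:
            data_type = "other"
        else:
            continue
        if (data_type, value) not in seen:
            seen.add((data_type, value))
            artifacts.append({"dataType": data_type, "data": value,
                              "message": f"from Wazuh field {key}"})
    return artifacts


def build_alert(alert: dict, level_threshold: int = 0):
    """Build the JSON body for TheHive's /api/alert; None if below the level threshold."""
    rule, agent = alert.get("rule", {}), alert.get("agent", {})
    level = int(rule.get("level", 0))
    if level < level_threshold:
        return None
    return {
        "title": f"{rule.get('description', 'Wazuh alert')} (rule {rule.get('id')}, level {level})",
        "description": "\n".join(f"**{k}**: {v}" for k, v in flatten(alert)),
        "type": "wazuh_alert",
        "source": "wazuh",
        "sourceRef": alert["id"],  # source+sourceRef must be unique, or TheHive rejects the duplicate
        "severity": severity_from_level(level),
        "tlp": 2,
        "tags": ["wazuh", f"rule:{rule.get('id')}", f"agent:{agent.get('name', 'manager')}"]
                + list(rule.get("groups", [])),
        "artifacts": extract_artifacts(alert),
    }


def post_alert(payload: dict, hook_url: str, api_key: str) -> int:
    """POST the alert to TheHive (assumed v0-style endpoint, Bearer auth); makes a network call."""
    request = urllib.request.Request(
        hook_url.rstrip("/") + "/api/alert", data=json.dumps(payload).encode(),
        headers={"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(request, timeout=10) as response:
        return response.status


# Constructed sample in the shape of Wazuh's alerts.json; not a real captured alert.
SAMPLE_ALERT = {
    "timestamp": "2024-04-18T12:51:55.000+0000", "id": "1713444715.12345",
    "rule": {"level": 10, "id": "5712", "groups": ["syslog", "sshd", "authentication_failures"],
             "description": "sshd: brute force trying to get access to the system."},
    "agent": {"id": "001", "name": "web-01", "ip": "10.0.1.15"},
    "data": {"srcip": "203.0.113.45", "srcuser": "root", "dstuser": "root"},
    "full_log": "Apr 18 12:51:55 web-01 sshd[2231]: Failed password for root from 203.0.113.45 port 51122 ssh2",
}


def main(argv):
    alert_file, api_key, hook_url = argv[1:4]
    with open(alert_file) as handle:
        payload = build_alert(json.load(handle), level_threshold=7)
    if payload is None:  # below threshold: nothing to raise, exit cleanly
        return 0
    return 0 if post_alert(payload, hook_url, api_key) in (200, 201) else 1


if __name__ == "__main__":
    if len(sys.argv) >= 4:
        sys.exit(main(sys.argv))
    print(json.dumps(build_alert(SAMPLE_ALERT), indent=2))  # dry run, no network
```

Run without arguments to see the payload the sample alert produces; installed as /var/ossec/integrations/custom-w2thive.py behind the wrapper from step 8, it receives the real alert file from the integrator. The level threshold in main is the knob to tune if low-level rules flood TheHive, and the sourceRef tied to the Wazuh alert id is what keeps a retried delivery from creating a second alert.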

Himanshu Sharma

Apr 28, 2024, 11:40:37 PM
to Wazuh | Mailing List
Hi Team,
Please let me know if you are still facing the issue or have any doubts.