Send Wazuh data to TheHive


Cyprien Chapelle

Jan 27, 2022, 5:42:59 AM
to Wazuh mailing list
Good morning!

I use Wazuh to generate alerts related to the logs of my machines and the NIDS Suricata.

I would like these alerts to be sent to TheHive, in order to analyze the data and compare the IP addresses with the detected IOCs (via MISP).

I looked on the internet, I saw that there is Elastalert, but I can't use this one, by project specification.

I also saw sigma, but I didn't understand how it could work with Wazuh.

If someone has an idea

Federico Pacher

Jan 27, 2022, 6:43:05 AM
to Wazuh mailing list
Hi Cyprien,

Thank you for using Wazuh.

There's currently an open issue to develop an integration with TheHive (https://github.com/wazuh/wazuh/issues/3680).

In the meantime, it is possible for the Wazuh Manager to send its events to ElasticSearch, and TheHive can get its information from ElasticSearch thanks to open-source software called ElastAlert. ElastAlert will watch for events of interest and generate alerts inside TheHive. Here you can find a very thorough explanation on how to integrate Wazuh, ElasticSearch, and TheHive.
Also, here you have a video tutorial that may help you.
The integration with Sigma is still in an early stage.
Here you have an unofficial repository that explains more about Sigma and Wazuh.
Regards
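As an added example (not code from this thread, nor Wazuh's own integration tracked in the issue above), here is a minimal Wazuh custom integration script that pushes each alert straight to TheHive's alert API, an alternative when ElastAlert is off the table. The ossec.conf wiring, the alert-file/api-key/hook-url argument order, the TheHive 4 `/api/alert` payload fields, the level-to-severity mapping, and the sample Suricata alert are all assumptions.

```python
#!/usr/bin/env python3
"""Wazuh custom integration forwarding one alert to TheHive (added example; wiring assumed).
Assumed: saved as /var/ossec/integrations/custom-thehive and enabled by an <integration> block in
ossec.conf with <alert_format>json</alert_format>; Wazuh then runs: custom-thehive <alert_file> <api_key> <hook_url>."""
import json
import sys
import urllib.request

def level_to_severity(level: int) -> int:
    """Wazuh rule levels run 0-15; TheHive severities 1 (low) to 3 (high) are assumed."""
    return 3 if level >= 12 else 2 if level >= 7 else 1

def build_thehive_alert(alert: dict) -> dict:
    """Map a decoded Wazuh alert to the assumed TheHive 4 POST /api/alert payload."""
    rule, data = alert.get("rule", {}), alert.get("data", {})
    # Suricata EVE addresses as decoded by Wazuh become IP observables; missing keys are skipped.
    artifacts = [{"dataType": "ip", "data": data[k], "message": k}
                 for k in ("src_ip", "dest_ip") if k in data]
    return {
        "title": f"[Wazuh] {rule.get('description', 'alert')}",
        "description": json.dumps(alert, indent=2),  # full alert kept for the analyst
        "type": "wazuh",
        "source": alert.get("agent", {}).get("name", "wazuh"),
        "sourceRef": alert["id"],                    # unique per alert, lets TheHive dedupe
        "severity": level_to_severity(int(rule.get("level", 0))),
        "tlp": 2,
        "tags": ["wazuh", f"rule:{rule.get('id', '?')}"] + list(rule.get("groups", [])),
        "artifacts": artifacts,
    }

def post_alert(payload: dict, api_key: str, hook_url: str) -> int:
    """POST the payload with TheHive's bearer-token auth; returns the HTTP status code."""
    req = urllib.request.Request(hook_url, data=json.dumps(payload).encode(),
                                 headers={"Authorization": f"Bearer {api_key}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status

# Constructed sample: a Suricata alert as Wazuh would emit it (all values made up).
SAMPLE_ALERT = {"id": "1643280000.12345", "agent": {"id": "001", "name": "web01"},
                "rule": {"id": "86601", "level": 12, "groups": ["ids", "suricata"],
                         "description": "Suricata: Alert - ET SCAN"},
                "data": {"src_ip": "203.0.113.9", "dest_ip": "10.0.0.5", "event_type": "alert"}}

if __name__ == "__main__":                           # argv layout is Wazuh's custom-* convention
    alert = json.load(open(sys.argv[1])) if len(sys.argv) == 4 else SAMPLE_ALERT
    payload = build_thehive_alert(alert)
    if len(sys.argv) == 4:
        sys.exit(0 if post_alert(payload, sys.argv[2], sys.argv[3]) in (200, 201) else 1)
    print(json.dumps(payload, indent=2))             # dry run on the constructed sample
```

Run with no arguments to see the payload built from the sample; the IP observables it carries are what TheHive can then match against MISP-sourced IOCs.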