Compatibility between TheHive 4.1 and Wazuh 4.7

Johny Novent

Apr 16, 2024, 3:10:41 PM
to Wazuh | Mailing List
Hello everyone 

I have a doubt about the compatibility between TheHive 4.1.24 and the new version of Wazuh 4.7.

Does anyone have these components or tools together with these versions?

best regards 

Diego Gustavo Oliva

Apr 17, 2024, 9:36:35 AM
to Wazuh | Mailing List
Hello Johny,

I have recently configured the Wazuh-TheHive integration in my lab for another query I received.
I was running Wazuh v4.7.2 at that moment, but let me confirm on TheHive version.

Will reply soon.

Regards,
[Wazuh] Diego.-

Diego Gustavo Oliva

Apr 17, 2024, 9:53:28 AM
to Wazuh | Mailing List
Johny,

These are the steps I have followed to integrate TheHive with Wazuh.
  1. I have deployed an empty Linux VM, installed Docker, and got the official TheHive Docker image this way: docker pull strangebee/thehive:5.2.11-1 (you will get the container ID printed on the screen).
  2. Started TheHive Docker instance with: docker run -p 9000:9000 your-container-id
  3. Leave it running; TheHive will be listening on your-vm-ip:9000
  4. At this point you can access and log in to TheHive. Admin user is: ad...@thehive.local and password: secret
  5. Create a Test Organization and its users following the guide: https://wazuh.com/blog/using-wazuh-and-thehive-for-threat-protection-and-incident-response/
  6. In the previous steps, make sure you have created the new user test...@wazuh.com and also thehi...@wazuh.com (this last one with "analyst" permissions and "Create API key", which we will need to use later).
  7. Now, on your fully functional Wazuh Manager, install the Python module: sudo /var/ossec/framework/python/bin/pip3 install thehive4py==1.8.1
  8. We now create two files: /var/ossec/integrations/custom-w2thive.py & /var/ossec/integrations/custom-w2thive
  9. You can get the contents for each file from here: https://github.com/ls111-cybersec/wazuh-thehive-integration-ep13
  10. Set up file permissions as instructed in the GitHub repository.
  11. We edit your Wazuh Manager's /var/ossec/etc/ossec.conf in order to add the "integration" section (as detailed in the GitHub article).
  12. The final step is to restart Wazuh Manager to apply changes: sudo systemctl restart wazuh-manager
  13. Log in to TheHive as test...@wazuh.com

Since I had issues with TheHive dependencies, I decided to work with the Docker version which in my case was 5.2.11-1.

I hope you find the guide useful.

Regards,
[Wazuh] Diego.-
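
Added example, not part of the message above and not the code from the linked repository: a Python sketch of the mapping a script such as custom-w2thive.py has to perform, turning the alert JSON that Wazuh hands to an integration into a TheHive alert body. The sample alert, the severity thresholds and the function names are assumptions made for illustration; nothing is sent over the network.

```python
import json
import sys

# Constructed sample alert (not from the thread), shaped like the JSON Wazuh writes for an integration.
SAMPLE_ALERT = {
    "id": "1713361234.56789",
    "rule": {"id": "5710", "level": 5,
             "description": "sshd: Attempt to login using a non-existent user",
             "groups": ["syslog", "sshd"]},
    "agent": {"id": "001", "name": "web01", "ip": "10.0.0.5"},
    "data": {"srcip": "203.0.113.7", "srcuser": "admin"},
}

def severity_from_level(level):
    """Map Wazuh rule.level (0-15) to TheHive severity 1-3. Thresholds are an assumption."""
    if level >= 12:
        return 3
    return 2 if level >= 7 else 1

def flatten(node, prefix=""):
    """Yield (dotted.key, value) pairs so nested alert fields survive in the description."""
    for key, value in node.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            yield from flatten(value, path)
        else:
            yield path, value

def build_thehive_alert(alert):
    """Build the alert body an integration script would pass on to thehive4py (hypothetical helper)."""
    rule, agent = alert.get("rule", {}), alert.get("agent", {})
    artifacts = [{"dataType": "ip", "data": ip}
                 for ip in (alert.get("data", {}).get("srcip"), agent.get("ip")) if ip]
    return {
        "title": rule.get("description", "Wazuh alert"),
        "description": "\n".join(f"{k}: {v}" for k, v in flatten(alert)),
        "type": "wazuh_alert",
        "source": "wazuh",
        "sourceRef": f"{agent.get('id', '000')}-{alert.get('id', 'unknown')}",
        "severity": severity_from_level(int(rule.get("level", 0))),
        "tags": ["wazuh", f"rule={rule.get('id')}", f"agent={agent.get('name')}"],
        "artifacts": artifacts,
    }

if __name__ == "__main__":
    # wazuh-integratord runs an integration as: <script> <alert_file> <api_key> <hook_url>
    alert = SAMPLE_ALERT
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            alert = json.load(fh)
    print(json.dumps(build_thehive_alert(alert), indent=2))
```

Run without arguments it prints the body for the constructed sample; given the path of a saved alert JSON file as the first argument it prints the body for that alert instead.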

Johny Novent

Apr 17, 2024, 2:24:30 PM
to Diego Gustavo Oliva, Wazuh | Mailing List
Hello Diego

I really appreciate your answer.

We are working with TheHive 4.1 at this moment.

I see in your answer that you deployed TheHive 5.2.

I think that maybe TheHive versions 4.1 and 5 don't have problems integrating with Wazuh 4.7?

thanks Diego for your answer 

Best Regards 


Diego Gustavo Oliva

Apr 18, 2024, 9:37:43 AM
to Wazuh | Mailing List
Hello Johny,

I'm testing the integration with TheHive 4.1.24.
I will share my results in a few minutes.

Regards,
[Wazuh] Diego.-

Diego Gustavo Oliva

Apr 18, 2024, 10:22:27 AM
to Wazuh | Mailing List
Johny,

The integration seems to be working just fine with the version you required.
Please check my attached screenshots.
I have followed the same steps as before, with the only difference being TheHive version:

docker pull thehiveproject/thehive4:4.1.24-1

I hope you can also make it work.

Best regards,
[Wazuh] Diego.-
Screenshot 2024-04-18 111934.png
Screenshot 2024-04-18 111852.png
Screenshot 2024-04-18 111753.png

Johny Novent

Apr 25, 2024, 2:39:11 PM
to Wazuh | Mailing List
Thank you so much for your answer Diego 

Best Regards 
