Integrating TheHive v.5 with Wazuh v.4.4.1


mauro....@cmcc.it

Jun 19, 2023, 11:48:03 AM
to Wazuh mailing list
Hello everyone,

Have any of you been able to integrate TheHive 5 with Wazuh v.4.4.1?
I just installed TheHive 5 and I tried to integrate it with Wazuh following the instructions contained in this link:


But I can't see any alert in the TH GUI...

Could you please help me?
Thanks,
Mauro

Mauricio Aguilar

Jun 19, 2023, 5:30:07 PM
to Wazuh mailing list
Hello Mauro, thank you for reaching out to us. We apologize for the inconvenience you are experiencing with the integration of The Hive 5 and Wazuh v.4.4.1.

Let me analyze your inconvenience. I will be in touch soon.

As a first step, it should be checked:
* Have you followed all the steps in the guide?
* Verify that the Wazuh alerts are being generated.
* Have you taken into account this note from the guide? The correct ownership for Wazuh 4.3.0 is root:wazuh.
* Make sure that the TheHive server is running and accessible.

Best regards,

The Wazuh Team

Mauro Tridici

Jun 19, 2023, 5:57:49 PM
to Mauricio Aguilar, Wazuh mailing list
Hello Mauricio,

thank you very much for taking care of my case.

You can find below my answers to your questions:

* yes, I followed all the steps;
* yes, the alerts have been generated by Wazuh (this is the last line captured with debug enabled)

** Alert 1687210891.4535526: - pam,syslog,pci_dss_10.2.5,gpg13_7.8,gpg13_7.9,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,
2023 Jun 19 21:41:31 curiosity->/var/log/secure
Rule: 5502 (level 3) -> 'PAM: Login session closed.'
User: root
Jun 19 23:41:29 curiosity sudo: pam_unix(sudo:session): session closed for user root

tail /var/ossec/logs/integrations.log
2023-06-19 23:41:32,766 - __main__ - DEBUG - #get alert file location
2023-06-19 23:41:32,766 - __main__ - DEBUG - #get TheHive url
2023-06-19 23:41:32,766 - __main__ - DEBUG - #get TheHive api key
2023-06-19 23:41:32,766 - __main__ - DEBUG - #open alert file
2023-06-19 23:41:32,766 - __main__ - DEBUG - #alert data
2023-06-19 23:41:32,766 - __main__ - DEBUG - {'timestamp': '2023-06-19T21:41:31.631+0000', 'rule': {'level': 3, 'description': 'PAM: Login session closed.', 'id': '5502', 'firedtimes': 1, 'mail': False, 'groups': ['pam', 'syslog'], 'pci_dss': ['10.2.5'], 'gpg13': ['7.8', '7.9'], 'gdpr': ['IV_32.2'], 'hipaa': ['164.312.b'], 'nist_800_53': ['AU.14', 'AC.7'], 'tsc': ['CC6.8', 'CC7.2', 'CC7.3']}, 'agent': {'id': '000', 'name': 'curiosity.cmcc.scc'}, 'manager': {'name': 'curiosity.cmcc.scc'}, 'id': '1687210891.4535526', 'full_log': 'Jun 19 23:41:29 curiosity sudo: pam_unix(sudo:session): session closed for user root', 'predecoder': {'program_name': 'sudo', 'timestamp': 'Jun 19 23:41:29', 'hostname': 'curiosity'}, 'decoder': {'parent': 'pam', 'name': 'pam'}, 'data': {'dstuser': 'root'}, 'location': '/var/log/secure'}
2023-06-19 23:41:32,766 - __main__ - DEBUG - #gen json to dot-key-text
2023-06-19 23:41:32,766 - __main__ - DEBUG - #formatting description
2023-06-19 23:41:32,766 - __main__ - DEBUG - #search artifacts
2023-06-19 23:41:32,767 - __main__ - DEBUG - #threshold filtering

* yes, although my Wazuh version is 4.4.1 (and my TheHive version is 5), I took into account that note:

ll /var/ossec/integrations/custom-w2thive*
-rwxr-xr-x. 1 root wazuh  997 Jun 19 14:37 /var/ossec/integrations/custom-w2thive
-rwxr-xr-x. 1 root wazuh 5295 Jun 19 23:43 /var/ossec/integrations/custom-w2thive.py

* The Hive server and GUI are up & accessible from Wazuh Manager:

[root@wazuh]# nc -zv thehive 9000
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Connected to thehive:9000.
Ncat: 0 bytes sent, 0 bytes received in 0.01 seconds.

And this is what I see on the TheHive v.5 web UI (a very poor page) with only the users and organisations:



Thank you for your help and patience.
Mauro


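The integrations.log excerpt above names the steps the integration script walks through for every alert (dot-key text generation, artifact search, threshold filtering). The following is an added Python example, not the custom-w2thive.py script or any Wazuh/TheHive code, showing what those three steps amount to on a trimmed, constructed copy of the alert shown above; the TheHive alert field names and the level-to-severity mapping are assumptions.

```python
import re

# Constructed sample: a trimmed copy of the alert JSON from the integrations.log excerpt above.
SAMPLE_ALERT = {
    "timestamp": "2023-06-19T21:41:31.631+0000", "id": "1687210891.4535526",
    "rule": {"level": 3, "description": "PAM: Login session closed.", "id": "5502",
             "groups": ["pam", "syslog"], "pci_dss": ["10.2.5"]},
    "agent": {"id": "000", "name": "curiosity.cmcc.scc"}, "location": "/var/log/secure",
    "full_log": "Jun 19 23:41:29 curiosity sudo: pam_unix(sudo:session): session closed for user root",
    "data": {"dstuser": "root"},
}
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def to_dot_keys(obj, prefix=""):
    """Flatten nested alert JSON into 'a.b.c: value' lines (the '#gen json to dot-key-text' step)."""
    if isinstance(obj, dict):
        items = [(k, v) for k, v in obj.items()]
    elif isinstance(obj, list):
        items = [(str(i), v) for i, v in enumerate(obj)]
    else:
        return [f"{prefix.rstrip('.')}: {obj}"]
    return [line for k, v in items for line in to_dot_keys(v, f"{prefix}{k}.")]

def find_observables(alert):
    """Collect unique IPv4 addresses from full_log as TheHive observables ('#search artifacts')."""
    seen = list(dict.fromkeys(IPV4.findall(alert.get("full_log", ""))))
    return [{"dataType": "ip", "data": ip} for ip in seen]

def build_thehive_alert(alert, level_threshold=3):
    """'#threshold filtering', then mapping to a TheHive alert payload; None when below threshold.
    Field names follow TheHive's alert API; the level-to-severity mapping is an assumption."""
    level = alert["rule"]["level"]
    if level < level_threshold:
        return None
    severity = 1 if level < 5 else 2 if level < 10 else 3 if level < 13 else 4
    return {
        "title": alert["rule"]["description"],
        "description": "\n".join(to_dot_keys(alert)),
        "type": "wazuh_alert", "source": "wazuh", "sourceRef": alert["id"],
        "severity": severity,
        "tags": alert["rule"].get("groups", []) + [f"rule:{alert['rule']['id']}"],
        "observables": find_observables(alert),
    }
```

With the threshold set above the alert's level (3), build_thehive_alert returns None, which is one reason an alert can be generated by Wazuh yet never appear in TheHive.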


mauro....@cmcc.it

Jun 20, 2023, 4:57:26 AM
to Wazuh mailing list
Hello Mauricio,

I have been able to fix my issue.
It was generated by a typo in the configuration file.

Many thanks for your help.
Mauro

Mauricio Aguilar

Jun 20, 2023, 9:30:28 AM
to Wazuh mailing list
Hi Mauro,

I am very glad that you were able to solve the problem.

We remain at your disposal.

Best regards!

The Wazuh Team.
