how to integrate threat intelligence in wazuh or elk


Milan Patel

Mar 22, 2023, 2:24:13 AM3/22/23
to Wazuh mailing list
Hello,

I would like to integrate threat intelligence with Wazuh. How can I do that?

What are the ways to achieve this?

I have deployed TheHive, Cortex and MISP for threat intelligence but do not know how to integrate them with Wazuh. Can someone please help if they know how to do this?

I have an all-in-one deployment of ELK with Wazuh.

Thanks,

elw...@wazuh.com

Mar 22, 2023, 4:11:39 AM3/22/23
to Wazuh mailing list
Hello Milan,

You can integrate Wazuh with TheHive following the instructions in this blog post: https://wazuh.com/blog/using-wazuh-and-thehive-for-threat-protection-and-incident-response/

I hope it helps.

Regards,
Wali

HA

Mar 22, 2023, 7:21:26 AM3/22/23
to Wazuh mailing list
Hi,

To be honest, I would not go for a direct integration between Wazuh and TheHive.
It will create too many alerts/cases in TheHive.
I integrate Wazuh with MISP. MISP is querying/caching various feed sources (like MalwareBazaar, etc.).
Once we have a hit (DNS query hitting a bad domain name, bad URL, etc.), Wazuh sends an API call to the SOAR (in my case N8N, but you can also use Shuffle). N8N is integrated with TheHive (and Cortex).
So the traffic flow is Wazuh -> N8N -> TheHive + Cortex (Cortex itself is configured to check MISP).
Don't forget you need Sysmon installed on each agent (+ Wazuh agent) to capture DNS queries, process starts, etc.

Hope it can help you.

Regards,

HA

Milan Patel

Mar 22, 2023, 12:04:47 PM3/22/23
to Wazuh mailing list
Thanks for the suggestion. For the process that you shared, do you have any reference link or documentation which I can follow to implement it?

Thank you,
Milan Patel

HA

Mar 22, 2023, 12:15:16 PM3/22/23
to Wazuh mailing list
Hi,

This is the first part:
https://opensecure.medium.com/wazuh-and-misp-integration-242dfa2f2e19

Set up N8N and integrate it with TheHive.

Next, send Wazuh alerts to N8N (it's the same as with Shuffle).

Regards,

HA
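The Wazuh-to-MISP step of the flow HA describes (Sysmon DNS query or network connection alert -> lookup in MISP -> enriched alert back to Wazuh) as an added example, not code from this thread or from the linked blog post. It assumes the Wazuh alert field paths `data.win.system.eventID` / `data.win.eventdata.*`, MISP's `POST /attributes/restSearch` API with the key in the `Authorization` header, and the `1:<location>:<json>` line format of the Wazuh analysisd queue socket; verify all three against your own deployment.

```python
import json
import urllib.request

# Where Wazuh puts Sysmon fields in an alert (assumed; verify against your own alerts):
# Sysmon event ID -> (eventdata field, MISP attribute type)
SYSMON_INDICATORS = {"22": ("queryName", "domain"), "3": ("destinationIp", "ip-dst")}

def extract_indicator(alert):
    """Return (value, misp_type) for a Sysmon alert this script enriches, else None."""
    win = alert.get("data", {}).get("win", {})
    event_id = str(win.get("system", {}).get("eventID", ""))
    if event_id not in SYSMON_INDICATORS:
        return None
    field, misp_type = SYSMON_INDICATORS[event_id]
    value = win.get("eventdata", {}).get(field)
    return (value, misp_type) if value else None

def build_misp_query(value, misp_type):
    """Body for POST <misp_url>/attributes/restSearch; warninglists drop known-benign values."""
    return {"returnFormat": "json", "value": value, "type": misp_type, "enforceWarninglist": True}

def misp_http_search(misp_url, api_key):
    """Return a search callable for a live MISP instance (the offline test uses a stub instead)."""
    def search(body):
        req = urllib.request.Request(misp_url.rstrip("/") + "/attributes/restSearch",
                                     data=json.dumps(body).encode(), method="POST",
                                     headers={"Authorization": api_key, "Accept": "application/json",
                                              "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    return search

def enrich(alert, misp_search):
    """Look the alert's indicator up in MISP; on a hit return a new alert for Wazuh, else None."""
    indicator = extract_indicator(alert)
    if indicator is None:
        return None
    value, misp_type = indicator
    attrs = misp_search(build_misp_query(value, misp_type)).get("response", {}).get("Attribute", [])
    if not attrs:
        return None  # no intel on this indicator: nothing to send back to Wazuh
    hit = attrs[0]
    return {"integration": "misp",
            "misp": {"value": value, "type": misp_type, "event_id": hit.get("event_id"),
                     "category": hit.get("category"), "source_alert_id": alert.get("id")}}

def queue_message(enriched):
    """Line for the analysisd socket /var/ossec/queue/sockets/queue ('1:<location>:<json>', assumed)."""
    return "1:misp:" + json.dumps(enriched)
```

A Wazuh rule matching `integration: misp` on the injected alert is what then triggers the call out to N8N; only confirmed hits leave the box, which is the point of not wiring Wazuh straight into TheHive.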