Wazuh & TheHive: Installation, Configuration, and Optimization

What is Wazuh?

Wazuh is an open-source Security Information and Event Management (SIEM) solution. It helps monitor systems, detect threats, and respond to security incidents.

Why Use Wazuh?

✅ Threat Detection – Identifies malware, intrusions, and suspicious activity. ✅ Log Analysis – Collects and analyzes logs from servers, networks, and applications. ✅ Compliance Monitoring – Helps meet security standards (HIPAA, PCI-DSS, GDPR, etc.). ✅ Incident Response – Detects and alerts on security events in real time. ✅ File Integrity Monitoring (FIM) – Tracks changes in critical system files. ✅ Vulnerability Detection – Scans for security weaknesses in systems and software. ✅ Free & Open-Source – No licensing costs, highly customizable.

🔹 Wazuh Setup Guide

Step 1: Connect to Your Linux Server via SSH

Open PowerShell or Command Prompt on Windows and run:

ssh username@server-ip

Replace:

• username → Your Ubuntu username (e.g., root or ubuntu).

• server-ip → The IP address of your Linux machine.

Step 2: Install Wazuh SIEM

1️⃣ Install Wazuh on Ubuntu

Run the following command to download and install Wazuh:

curl -sO https://packages.wazuh.com/4.11/wazuh-install.sh && sudo bash ./wazuh-install.sh -a

• This installs Wazuh Indexers, Server, and Dashboard.

• Once installed, the dashboard URL and login credentials will be displayed.

2️⃣ Access Wazuh Dashboard

• Open a web browser and enter:

  https://<your_wazuh_server_ip>

• Use the default username: admin

• The password is randomly generated during installation.

• Now we can access the Wazuh dashboard.

  

👉Setting Up TheHive

What is TheHive?

TheHive is an open-source Security Incident Response Platform (SIRP) that helps cybersecurity teams detect, investigate, and respond to security threats efficiently. It acts as a central hub for managing incidents, automating workflows, and enhancing collaboration.

Key Features:

🔹 Incident & Case Management – Organize, track, and resolve security incidents effectively. 🔹 Alert Ingestion – Collect alerts from Wazuh, SIEMs, IDS, and emails for centralized analysis. 🔹 Collaboration – Multiple analysts can work together on cases in real time. 🔹 Threat Intelligence (Cortex Integration) – Enrich investigations with automated intelligence gathering. 🔹 Automation & API Support – Automate repetitive tasks to speed up response times. 🔹 Dashboards & Reporting – Gain insights and track security incidents with visual reports.

Why Use TheHive?

✅ Centralized management of security incidents. ✅ Faster response through automation. ✅ Improved teamwork and case tracking.

Now that we know TheHive is a powerful tool for security incident response, let's install and configure it for efficient case management and alert handling 👇

👉 Installation Guide

Follow these steps to install TheHive on your system.

1. Install Dependencies

These are required to ensure system compatibility and allow package installation.

sudo apt install wget gnupg apt-transport-https git ca-certificates ca-certificates-java curl software-properties-common python3-pip lsb-release

2. Install Java 11 (Amazon Corretto)

TheHive requires Java 11 to run properly.

wget -qO- https://apt.corretto.aws/corretto.key | sudo gpg --dearmor -o /usr/share/keyrings/corretto.gpg
echo "deb [signed-by=/usr/share/keyrings/corretto.gpg] https://apt.corretto.aws stable main" | sudo tee /etc/apt/sources.list.d/corretto.list
sudo apt update
sudo apt install -y java-11-amazon-corretto-jdk
echo 'JAVA_HOME="/usr/lib/jvm/java-11-amazon-corretto"' | sudo tee -a /etc/environment
source /etc/environment

3. Install Apache Cassandra (Database)

Cassandra is used to store case data and observables.

wget -qO - https://downloads.apache.org/cassandra/KEYS | sudo gpg --dearmor -o /usr/share/keyrings/cassandra-archive.gpg
echo "deb [signed-by=/usr/share/keyrings/cassandra-archive.gpg] https://debian.cassandra.apache.org 40x main" | sudo tee /etc/apt/sources.list.d/cassandra.sources.list
sudo apt update
sudo apt install -y cassandra

4. Install Elasticsearch (For Data Indexing)

Elasticsearch indexes and searches case data efficiently.

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elasticsearch-7.x.list
sudo apt update
sudo apt install -y elasticsearch

5. Install TheHive

This installs TheHive from the official repository.

wget -O- https://archives.strangebee.com/keys/strangebee.gpg | sudo gpg --dearmor -o /usr/share/keyrings/strangebee-archive-keyring.gpg
echo 'deb [signed-by=/usr/share/keyrings/strangebee-archive-keyring.gpg] https://deb.strangebee.com thehive-5.2 main' | sudo tee -a /etc/apt/sources.list.d/strangebee.list
sudo apt update
sudo apt install -y thehive

👉 Cassandra Configuration

We need to edit Cassandra’s config file so TheHive can connect properly. Open the file in Nano:

sudo nano /etc/cassandra/cassandra.yaml

• Cluster Name – Must match across nodes.

  
• Seed Nodes – Helps nodes discover each other.

  
• Listen Address – Defines the IP address of the machine where TheHive is installed, ensuring proper communication.

  
• RPC Address – Allows client connections.

  

🔔Without these steps, TheHive won’t store or retrieve data correctly.

Now, we should restart Cassandra service:

sudo systemctl stop cassandra 
sudo systemctl start cassandra  
sudo systemctl enable cassandra  

👉We need to edit Elasticsearch’s configuration to:

open the config file:

nano /etc/elasticsearch/elasticsearch.yml

We need to edit these in Elasticsearch to ensure proper setup and stability:

1. Cluster Name – Identifies your Elasticsearch cluster. All nodes must have the same name to communicate.

   
2. Node Name – Gives each node a unique identity for tracking and troubleshooting.

   
3. Network Host – Defines the IP address Elasticsearch binds to, allowing remote access if needed.

   
4. Cluster Initial Master Node – Specifies the first master node in the cluster, ensuring proper election and stability.

   

Now, start and enable Elasticsearch:

sudo systemctl stop elasticsearch
sudo systemctl start elasticsearch  
sudo systemctl enable elasticsearch  

Setting Up TheHive

Update Ownership of TheHive Directory

Before modifying TheHive's configuration, update the ownership of the /opt/thpdirectory by assigning it to the thehive user and group:

chown -R thehive:thehive /opt/thp

Modify TheHive Configuration

Edit TheHive configuration file:

nano /etc/thehive/application.conf

Now, start and enable TheHive:

sudo systemctl start thehive
sudo systemctl enable thehive

Now, access TheHive by visiting🔗 http://192.168.64.20:9000

Log in to TheHive with the default credentials:

• Username: admin@thehive.local

• Password: secret

  

👉 Troubleshooting Hive Login Issues

• If login fails, check Elasticsearch status: systemctl status elasticsearch

• If Elasticsearch is down, create a custom JVM options file:

  • nano /etc/elasticsearch/jvm.options.d/jvm.options

  • Set Java memory allocation to 2GB:

    -Dlog4j2.formatMsgNoLookups=true
    -Xms2g
    -Xmx2g

  • Restart Elasticsearch:

    systemctl restart elasticsearch

  • Check Status:

    systemctl status elasticsearch

Setting Java memory to 2GB (-Xms2g -Xmx2g) prevents crashes, improves performance, and avoids excessive RAM usage. It ensures Elasticsearch runs smoothly without overloading the system

👉 Now, we should install Wazuh Agent on Windows 10

• Select the package to download and install on your system:

  
• Assign the Wazuh server IP or FQDN:

  
• Assign Agent Name (This cannot be changed later):

  
• Run the following commands to download and install the agent:

  1. Open PowerShell as admin.

  2. Run this command:

     Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.11.1-1.msi -OutFile $env:tmp\wazuh-agent; msiexec.exe /i $env:tmp\wazuh-agent /q WAZUH_MANAGER='192.168.64.10' WAZUH_AGENT_NAME='osamaagent' 

  3. Start the agent:

     NET START WazuhSvc

Replace <your_wazuh_server_ip> with your Wazuh server IP and <agent_name> with the name of your Windows machine.

• To check if the Wazuh agent is running on Windows: