# Wazuh & TheHive: Installation, Configuration, and Optimization

## **What is Wazuh?**

Wazuh is an **open-source Security Information and Event Management (SIEM) solution**. It helps monitor systems, detect threats, and respond to security incidents.

#### **Why Use Wazuh?**

✅ **Threat Detection** – Identifies malware, intrusions, and suspicious activity.\
✅ **Log Analysis** – Collects and analyzes logs from servers, networks, and applications.\
✅ **Compliance Monitoring** – Helps meet security standards (HIPAA, PCI-DSS, GDPR, etc.).\
✅ **Incident Response** – Detects and alerts on security events in real time.\
✅ **File Integrity Monitoring (FIM)** – Tracks changes in critical system files.\
✅ **Vulnerability Detection** – Scans for security weaknesses in systems and software.\
✅ **Free & Open-Source** – No licensing costs, highly customizable.

## **🔹 Wazuh Setup Guide**

#### Step 1: Connect to Your Linux Server via SSH

Open PowerShell or Command Prompt on Windows and run:

```
ssh username@server-ip
```

Replace:

* `username` → Your Ubuntu username (e.g., root or ubuntu).
* `server-ip` → The IP address of your Linux machine.

### **Step 2: Install Wazuh SIEM**

#### **1️⃣ Install Wazuh on Ubuntu**

Run the following command to download and install Wazuh:

```bash
curl -sO https://packages.wazuh.com/4.11/wazuh-install.sh && sudo bash ./wazuh-install.sh -a
```

* This installs the Wazuh **indexer, server, and dashboard** together (the `-a` all-in-one deployment).
* Once installed, the dashboard URL and login credentials will be displayed.


#### **2️⃣ Access Wazuh Dashboard**

* Open a web browser and enter:

  ```
  https://<your_wazuh_server_ip>
  ```
* Use the **default username:** `admin`
* The password is **randomly generated** during installation.
* Now we can access the Wazuh dashboard.


## 👉 Setting Up TheHive

## **What is TheHive?**

TheHive is an **open-source Security Incident Response Platform (SIRP)** that helps cybersecurity teams **detect, investigate, and respond** to security threats efficiently. It acts as a **central hub** for managing incidents, automating workflows, and enhancing collaboration.

### **Key Features:**

🔹 **Incident & Case Management** – Organize, track, and resolve security incidents effectively.\
🔹 **Alert Ingestion** – Collect alerts from Wazuh, SIEMs, IDS, and emails for centralized analysis.\
🔹 **Collaboration** – Multiple analysts can work together on cases in real time.\
🔹 **Threat Intelligence (Cortex Integration)** – Enrich investigations with automated intelligence gathering.\
🔹 **Automation & API Support** – Automate repetitive tasks to speed up response times.\
🔹 **Dashboards & Reporting** – Gain insights and track security incidents with visual reports.

### **Why Use TheHive?**

✅ Centralized management of security incidents.\
✅ Faster response through automation.\
✅ Improved teamwork and case tracking.

**Now that we know TheHive is a powerful tool for security incident response, let's install and configure it for efficient case management and alert handling 👇**

### 👉 Installation Guide

Follow these steps to install TheHive on your system.

#### 1. Install Dependencies

These are required to ensure system compatibility and allow package installation.

```bash
sudo apt install wget gnupg apt-transport-https git ca-certificates ca-certificates-java curl software-properties-common python3-pip lsb-release
```

#### 2. Install Java 11 (Amazon Corretto)

TheHive requires Java 11 to run properly.

```bash
wget -qO- https://apt.corretto.aws/corretto.key | sudo gpg --dearmor -o /usr/share/keyrings/corretto.gpg
echo "deb [signed-by=/usr/share/keyrings/corretto.gpg] https://apt.corretto.aws stable main" | sudo tee /etc/apt/sources.list.d/corretto.list
sudo apt update
sudo apt install -y java-11-amazon-corretto-jdk
echo 'JAVA_HOME="/usr/lib/jvm/java-11-amazon-corretto"' | sudo tee -a /etc/environment
source /etc/environment
```

#### 3. Install Apache Cassandra (Database)

Cassandra is used to store case data and observables.

```bash
wget -qO - https://downloads.apache.org/cassandra/KEYS | sudo gpg --dearmor -o /usr/share/keyrings/cassandra-archive.gpg
echo "deb [signed-by=/usr/share/keyrings/cassandra-archive.gpg] https://debian.cassandra.apache.org 40x main" | sudo tee /etc/apt/sources.list.d/cassandra.sources.list
sudo apt update
sudo apt install -y cassandra
```

#### 4. Install Elasticsearch (For Data Indexing)

Elasticsearch indexes and searches case data efficiently.

```bash
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elasticsearch-7.x.list
sudo apt update
sudo apt install -y elasticsearch
```

#### 5. Install TheHive

This installs TheHive from the official repository.

```bash
wget -O- https://archives.strangebee.com/keys/strangebee.gpg | sudo gpg --dearmor -o /usr/share/keyrings/strangebee-archive-keyring.gpg
echo 'deb [signed-by=/usr/share/keyrings/strangebee-archive-keyring.gpg] https://deb.strangebee.com thehive-5.2 main' | sudo tee -a /etc/apt/sources.list.d/strangebee.list
sudo apt update
sudo apt install -y thehive
```

### 👉 Cassandra Configuration

We need to edit **Cassandra’s config file** so TheHive can connect properly.

**Open the file in Nano:**

```bash
sudo nano /etc/cassandra/cassandra.yaml
```

* **Cluster Name** (`cluster_name`) – Must match across nodes.
* **Seed Nodes** (`seeds`, under `seed_provider`) – Help nodes discover each other.
* **Listen Address** (`listen_address`) – The IP address Cassandra binds to; here, the address of the machine where TheHive is installed, so the two can communicate.
* **RPC Address** (`rpc_address`) – The address on which Cassandra accepts client connections, which is what TheHive uses.

**🔔 Without these steps, TheHive won’t store or retrieve data correctly.**

### Now, restart the Cassandra service:

```bash
sudo systemctl stop cassandra
sudo systemctl start cassandra
sudo systemctl enable cassandra
```

### 👉 Elasticsearch Configuration

Open the config file:

```bash
sudo nano /etc/elasticsearch/elasticsearch.yml
```

We need to edit these in **Elasticsearch** to ensure proper setup and stability:

1. **Cluster Name** (`cluster.name`) – Identifies your Elasticsearch cluster. All nodes must have the same name to communicate.
2. **Node Name** (`node.name`) – Gives each node a unique identity for tracking and troubleshooting.
3. **Network Host** (`network.host`) – Defines the IP address Elasticsearch binds to, allowing remote access if needed.
4. **Cluster Initial Master Nodes** (`cluster.initial_master_nodes`) – Specifies the master-eligible node(s) for the first cluster election, ensuring the cluster forms and stays stable; for a single node, this is the node name set above.
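As an added example (not code from the original guide or from the Wazuh/TheHive projects), the bash script below checks the Cassandra settings above and these Elasticsearch settings before the services are restarted. It assumes the stock single-line `key: value` layout of both files; the file contents and the `192.168.64.20` address used in the demo are constructed.

```bash
#!/usr/bin/env bash
# Added example, not part of the original guide: check the edited cassandra.yaml
# and elasticsearch.yml before restarting the services. Assumes each setting is
# a single "key: value" line as in the stock files. Nothing is modified.
# Print the value of "key: value" (quotes and brackets stripped), or nothing.
yaml_value() {  # $1=file $2=key
  sed -n -E "s/^[[:space:]-]*${2}:[[:space:]]*//p" "$1" | head -n1 | tr -d "'\"[]"
}

# Fail when a key is unset, still a loopback/wildcard address, or a <placeholder>.
require_host() {  # $1=file $2=key
  local v; v="$(yaml_value "$1" "$2")"
  case "$v" in
    ""|localhost|127.0.0.1*|0.0.0.0|"<"*) echo "$1: $2 is '$v'"; return 1 ;;
  esac
}

check_cassandra_yaml() {  # $1=path to cassandra.yaml
  local rc=0
  [ -n "$(yaml_value "$1" cluster_name)" ] || { echo "$1: cluster_name is empty"; rc=1; }
  require_host "$1" listen_address || rc=1
  require_host "$1" rpc_address    || rc=1
  require_host "$1" seeds          || rc=1   # the "- seeds:" entry under seed_provider
  return "$rc"
}

check_elasticsearch_yml() {  # $1=path to elasticsearch.yml
  local rc=0 node
  [ -n "$(yaml_value "$1" cluster.name)" ] || { echo "$1: cluster.name is empty"; rc=1; }
  node="$(yaml_value "$1" node.name)"
  [ -n "$node" ] || { echo "$1: node.name is empty"; rc=1; }
  require_host "$1" network.host || rc=1
  # initial_master_nodes must name this node, or a single-node cluster never forms.
  [ "$(yaml_value "$1" cluster.initial_master_nodes)" = "$node" ] \
    || { echo "$1: cluster.initial_master_nodes must be [$node]"; rc=1; }
  return "$rc"
}
# Demo on constructed files: stock Cassandra defaults fail, the edited copy passes.
demo() {
  local d; d="$(mktemp -d)"
  printf "cluster_name: 'Test Cluster'\nlisten_address: localhost\nrpc_address: localhost\n" > "$d/default.yaml"
  printf "seed_provider:\n    - parameters:\n          - seeds: \"127.0.0.1:7000\"\n" >> "$d/default.yaml"
  sed 's/Test Cluster/thp/; s/localhost/192.168.64.20/; s/127\.0\.0\.1/192.168.64.20/' \
    "$d/default.yaml" > "$d/edited.yaml"
  check_cassandra_yaml "$d/default.yaml" || echo "default.yaml rejected, as expected"
  check_cassandra_yaml "$d/edited.yaml" && echo "edited.yaml: OK"
  rm -rf "$d"
}
demo
```

`network.host: 0.0.0.0` is rejected on purpose: Elasticsearch 7.x does not enable authentication by default, so the index should listen only on the host address TheHive connects to.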

**Now, start and enable Elasticsearch:**

```bash
sudo systemctl stop elasticsearch
sudo systemctl start elasticsearch
sudo systemctl enable elasticsearch
```

## Setting Up TheHive

### Update Ownership of TheHive Directory

Before modifying TheHive's configuration, update the ownership of the `/opt/thp` directory by assigning it to the `thehive` user and group:

```bash
sudo chown -R thehive:thehive /opt/thp
```


### Modify TheHive Configuration

Edit TheHive's configuration file:

```bash
sudo nano /etc/thehive/application.conf
```

**Now, start and enable TheHive:**

```bash
sudo systemctl start thehive
sudo systemctl enable thehive
```

Now, access TheHive by visiting 🔗 <http://192.168.64.20:9000>

**Log in to TheHive with the default credentials:**

* **Username**: `admin@thehive.local`
* **Password**: `secret`

**👉 Troubleshooting TheHive Login Issues**

* If login fails, check Elasticsearch status: `sudo systemctl status elasticsearch`
* If Elasticsearch is down, create a custom JVM options file:
  * `sudo nano /etc/elasticsearch/jvm.options.d/jvm.options`
  * Set Java memory allocation to **2GB**:

    ```
    -Dlog4j2.formatMsgNoLookups=true
    -Xms2g
    -Xmx2g
    ```
  * **Restart Elasticsearch**:

    ```bash
    sudo systemctl restart elasticsearch
    ```
  * **Check Status**:

    ```bash
    sudo systemctl status elasticsearch
    ```

> Setting Java memory to **2GB** (`-Xms2g -Xmx2g`) prevents crashes, improves performance, and avoids excessive RAM usage. It ensures Elasticsearch runs smoothly without overloading the system.

## **👉 Now, we should install Wazuh Agent on Windows 10**


* **Select the package to download and install on your system.**
* **Assign the Wazuh server IP or FQDN.**
* **Assign the agent name (this cannot be changed later).**
* **Run the following commands to download and install the agent:**
  1. Open PowerShell as admin.
  2. Run this command:

     ```powershell
     Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.11.1-1.msi -OutFile $env:tmp\wazuh-agent; msiexec.exe /i $env:tmp\wazuh-agent /q WAZUH_MANAGER='192.168.64.10' WAZUH_AGENT_NAME='osamaagent'
     ```
  3. **Start the agent:**

     ```powershell
     NET START WazuhSvc
     ```

Replace the `WAZUH_MANAGER` value (`192.168.64.10` above) with your Wazuh server IP and the `WAZUH_AGENT_NAME` value (`osamaagent`) with the name of your Windows machine.

* **To check if the Wazuh agent is running on Windows**, confirm that the `WazuhSvc` service started above is running; the agent should then appear as active in the Wazuh dashboard.
