Sending Wazuh alerts to TheHive with elastAlert

Psst, there is a new version of this post!
Check out my latest revision of this script in a later post that uses Python!

Introduction

Wazuh is a really neat host-based intrusion detection system (HIDS), originally forked from OSSEC and tailored to tie in more easily with Filebeat and Elasticsearch. More on Wazuh can be found at https://wazuh.com/.

Wazuh itself can send the alerts it generates out by email, but it is hard to track, manage and respond to alerts via plain old email.

[Image: wazuh-logo.png] Wazuh HIDS/NIDS

Enter TheHive (https://thehive-project.org/), an open-source incident response and case management platform. TheHive allows alerts to be ingested, viewed and categorised before being merged into cases for threat response. Observables such as attacking IPs, files and file hashes can also be passed to Cortex, TheHive's analysis and enrichment engine.

[Image: thehive-logo.png] TheHive

These two tools are made for each other, but getting them to work together nicely has been a bit cumbersome.

ElastAlert does have a built-in TheHive module that is supposed to create Hive alerts with observables by hitting TheHive's API. I could never get it to actually work, and I wanted a custom format for my Hive alerts anyway.

ElastAlert also has a neat ability to run any CLI script and pass data found by the Elasticsearch query in as command-line arguments. Perfect! So I created a bash script to do just that.

Feel free to download the script from: https://github.com/32bitbradley/TheHiveAlert

Using the script

The script has the below features

  • Creates alerts via TheHive API
  • Full logging and debugging capabilities
  • Alert whitelisting to suppress those pesky false positives that keep popping up for the one weird server
  • Easy to read, formatted alerts
  • Alerts include:
    • Agent information
    • Rule information
    • Important event data such as the source IP and the full log line
    • Elasticsearch document ID
    • Wazuh event ID
  • Creates observables for:
    • Agent IP
    • Source IP
    • File hashes
  • Rule groups are added as tags to the observables

The script takes in CLI arguments and uses them in the alert (obviously). One thing I wanted to make sure of was that the script ALWAYS exits with 0, even if something goes badly wrong. Previous experiences with ElastAlert and Wazuh integration scripts erroring out led to some very annoying issues, so this script should never exit with anything other than 0. The '--debug' parameter can be passed for verbose logging and debugging when it decides not to work.
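To show the shape of such a script, here is an added example written for this post; it is not the TheHiveAlert script from the repository above. It is a target for ElastAlert's command alerter (the rule snippet at the top of the script is an assumed configuration): ElastAlert replaces each %(field)s in the command array with the value from the matching document, the script reads those values as positional arguments, drops whitelisted agent/rule pairs, builds the TheHive alert body with observables, POSTs it, and always returns 0. Assumptions, beyond the configuration names: the TheHive 3 / TheHive 4 legacy alert request shape (/api/alert with artifacts and Bearer authentication), the level-to-severity mapping, the whitelist file format, and that ElastAlert substitutes <MISSING VALUE> for an absent field and formats a list field like a Python list.

```bash
#!/usr/bin/env bash
# Added example: an ElastAlert "command" alerter target that raises a TheHive alert
# from Wazuh fields.  Not the post's TheHiveAlert script; API shape and names assumed.
# ElastAlert replaces %(field)s with the document's value ("<MISSING VALUE>" if absent;
# list fields such as rule.groups arrive formatted like ['syslog', 'sshd']):
#   alert: command
#   command: ["/opt/wazuh-thehive-alert.sh", "--debug", "%(agent.name)s", "%(agent.ip)s",
#             "%(rule.id)s", "%(rule.level)s", "%(rule.description)s", "%(rule.groups)s",
#             "%(data.srcip)s", "%(_id)s", "%(full_log)s", "%(syscheck.sha256_after)s"]
THEHIVE_URL="${THEHIVE_URL:-}"   # e.g. https://hive.example.internal:9000/api (assumed)
THEHIVE_KEY="${THEHIVE_KEY:-}"   # API key of a TheHive user allowed to create alerts
LOGFILE="${LOGFILE:-/var/log/wazuh-thehive-alert.log}"
WHITELIST="${WHITELIST:-/etc/wazuh-thehive-whitelist}"
DEBUG=0

log() {   # append to LOGFILE (silently skipped if unwritable); echo to stderr with --debug
  { printf '%s %s\n' "$(date -u +%FT%TZ)" "$*" >> "$LOGFILE"; } 2>/dev/null || true
  if [ "$DEBUG" = 1 ]; then printf '%s\n' "$*" >&2; fi
}
clean() {   # ElastAlert's missing-field placeholder -> empty string
  case $1 in '<MISSING VALUE>') ;; *) printf '%s' "$1" ;; esac
}
json_str() {   # raw value -> JSON string literal: a quote or newline inside full_log
  local s=$1   # must not break the body or smuggle extra fields into the request
  s=${s//\\/\\\\}; s=${s//\"/\\\"}
  s=${s//$'\n'/\\n}; s=${s//$'\r'/\\r}; s=${s//$'\t'/\\t}
  printf '"%s"' "$(printf '%s' "$s" | tr -d '\000-\010\013\014\016-\037')"
}
json_tags() {   # "['syslog', 'sshd']" -> "syslog","sshd" (comma-separated JSON strings)
  local IFS=, out='' g
  for g in $(printf '%s' "$1" | sed "s/[][\"']//g"); do
    g=${g//[[:space:]]/}
    if [ -n "$g" ]; then out+="${out:+,}$(json_str "$g")"; fi
  done
  printf '%s' "$out"
}
severity_for_level() {   # Wazuh rule level 0-15 -> TheHive severity 1..3 (our own mapping)
  local level=$1
  case $level in ''|*[!0-9]*) level=0 ;; esac
  if [ "$level" -ge 12 ]; then echo 3; elif [ "$level" -ge 7 ]; then echo 2; else echo 1; fi
}
is_whitelisted() {   # WHITELIST lines: "<agent name> <rule id>", '*' = any, '#' = comment
  local wl_agent wl_rule
  [ -r "$WHITELIST" ] || return 1
  while read -r wl_agent wl_rule _; do
    case $wl_agent in ''|\#*) continue ;; esac
    if { [ "$wl_agent" = '*' ] || [ "$wl_agent" = "$1" ]; } &&
       { [ "$wl_rule" = '*' ] || [ "$wl_rule" = "$2" ]; }; then return 0; fi
  done < "$WHITELIST"
  return 1
}
artifact() {   # one observable object, or nothing when the value is empty
  [ -n "$2" ] || return 0
  printf '{"dataType":%s,"data":%s,"message":"From Wazuh","tags":[%s]}' \
    "$(json_str "$1")" "$(json_str "$2")" "$3"
}
build_alert_json() {   # arguments in the order of the ElastAlert command above
  local agent_name="$(clean "${1:-}")" agent_ip="$(clean "${2:-}")" rule_id="$(clean "${3:-}")"
  local rule_level="$(clean "${4:-}")" rule_desc="$(clean "${5:-}")" groups="$(clean "${6:-}")"
  local src_ip="$(clean "${7:-}")" doc_id="$(clean "${8:-}")" full_log="$(clean "${9:-}")"
  local sha256="$(clean "${10:-}")" tags sev ref desc arts='' a
  tags=$(json_tags "$groups"); sev=$(severity_for_level "$rule_level")
  # sourceRef is unique per source in TheHive: the ES document id de-duplicates a
  # re-fired alert; fall back to a timestamp so an alert is still raised with no input
  ref=${doc_id:-"noid-$(date +%s%N)"}
  # TheHive renders the description as Markdown, so the raw log goes in a fenced block
  desc=$(printf '**Agent:** %s (%s)\n**Rule:** %s, level %s: %s\n**Groups:** %s\n**Source IP:** %s\n**Elasticsearch document:** %s\n\n```\n%s\n```' \
    "$agent_name" "$agent_ip" "$rule_id" "$rule_level" "$rule_desc" "$groups" "$src_ip" "$doc_id" "$full_log")
  for a in "$(artifact ip "$agent_ip" "$tags")" "$(artifact ip "$src_ip" "$tags")" \
           "$(artifact hash "$sha256" "$tags")"; do
    if [ -n "$a" ]; then arts+="${arts:+,}$a"; fi
  done
  printf '{"title":%s,"description":%s,"type":"wazuh","source":"elastalert","sourceRef":%s,"severity":%s,"tlp":2,"tags":[%s],"artifacts":[%s]}' \
    "$(json_str "Wazuh rule ${rule_id:-?}: ${rule_desc:-no description} on ${agent_name:-unknown agent}")" \
    "$(json_str "$desc")" "$(json_str "$ref")" "$sev" "$tags" "$arts"
}
send_alert() {   # POST <THEHIVE_URL>/alert; TheHive 3 / TheHive 4 legacy API shape assumed
  local resp
  if [ -z "$THEHIVE_URL" ] || [ -z "$THEHIVE_KEY" ]; then log "THEHIVE_URL/KEY unset, not sending"; return 0; fi
  resp=$(curl -sS -o /dev/null -w '%{http_code}' -X POST "$THEHIVE_URL/alert" \
         -H "Authorization: Bearer $THEHIVE_KEY" -H 'Content-Type: application/json' \
         --data-binary "$1" 2>&1) || true
  log "TheHive responded: $resp"
}
main() {   # never returns non-zero, so a broken alert can't error out ElastAlert
  if [ "${1:-}" = --debug ]; then DEBUG=1; shift; fi
  log "invoked with $# arguments"
  local body
  if is_whitelisted "$(clean "${1:-}")" "$(clean "${3:-}")"; then
    log "whitelisted agent/rule pair, alert skipped"; return 0
  fi
  body=$(build_alert_json "$@"); log "alert body: $body"
  send_alert "$body"
  return 0
}
main "$@"   # manual test as in the post: ./wazuh-thehive-alert.sh --debug
```

Three details are worth keeping even if you write your own version. Every value is passed through json_str before it lands in the request body, because full_log is attacker-influenced text (a crafted log line containing a quote could otherwise terminate the description field and append its own JSON keys, or simply break the request so the alert is lost). The Elasticsearch document ID is used as sourceRef, which TheHive requires to be unique per source, so a rule that fires twice on the same document updates rather than duplicates the alert, while an empty argument list still produces an alert with a generated reference. And nothing in the script can make it exit non-zero: the logfile being unwritable, the whitelist missing, or curl failing are all logged and swallowed, exactly the behaviour described above.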

To use the script yourself, you will need to change a few things.

  • Line 8 - Your TheHive API key, for a user with the 'Alerts Creation' permission
  • Line 9 - Your TheHive API URI; make sure to include the /api part
  • Line 10 - Your logfile location, where the script's logs should be stored
  • Line 11 - Where the whitelist file lives

The script can then be tested via the CLI

chmod +x wazuh-thehive-alert.sh
./wazuh-thehive-alert.sh --debug

If everything goes well, you should have a Hive alert! If nothing is passed, all fields will be empty, obviously, but this ensures that even if ElastAlert breaks somewhere and doesn't pass things correctly, you are still notified of the event.