crow1011 / wazuh2thehive

Wazuh integration TheHive

API Key of TheHive #1

Open MidavSec opened 4 years ago

MidavSec commented 4 years ago

Hi Vadim,

thank you very much for your script. I followed your instructions and it seems to be accepted by Wazuh 3.12.3:

2020/05/16 22:00:36 ossec-integratord: INFO: Enabling integration for: 'custom-w2thive'.

But I receive errors from my TheHive test appliance (https://github.com/TheHive-Project/TheHiveDocs/blob/master/training-material.md). Do you know how to get the API Key to get it working:

2020-05-16 23:32:17,917 - main - WARNING - too many arguments
2020-05-16 23:32:17,924 - main - ERROR - Error create TheHive alert: 401/{"type":"AuthenticationError","message":"Authentication failure"}
2020-05-16 23:32:20,017 - main - WARNING - too many arguments
2020-05-16 23:32:20,023 - main - ERROR - Error create TheHive alert: 401/{"type":"AuthenticationError","message":"Authentication failure"}

.... endless loop.

Thank you very much for the script.

Vadim (Midav)

crow1011 commented 4 years ago

Hi @MidavSec, you have my name backwards dude (: You need to open TheHive web interface with admin rights and:

  1. click the admin button (right top corner) and then "users"

  2. click the "add user" button and fill in the fields (login: any, full name: any, roles: none, Allow alerts creation: TRUE)

  3. find the user in the list and click "create api key" and then "reveal"

Please tell me if it'll solve your problem.

MidavSec commented 4 years ago

Thank you very much the connection is working.

I found two interesting entries:

[root@manager ossec]# cat /var/ossec/logs/integrations.log | grep 'WARNING - too many arguments' | wc -l
154839

Logging started 5 days ago, is it possible to reduce the warnings? Additionally, I integrated https://documentation.wazuh.com/3.12/learning-wazuh/suricata.html now I receive every some minutes following MALWARE / Trojan activity alert: https://pastebin.com/FHXUZDQW

Maybe you have some ideas about how to fix both points? Thank you!

crow1011 commented 4 years ago

@MidavSec no problem (: Problem 1 ('WARNING - too many arguments') - it's a bug. I fixed it. You can clone the new version. Problem 2 (too many alerts) - added the possibility of setting a threshold on the severity level of events that should be sent to TheHive. You need:

  1. clone repository

  2. Open /opt/wazuh2thehive/custom-w2thive.py and change lvl_threshold=0 to the level that you need (https://documentation.wazuh.com/3.12/user-manual/ruleset/rules-classification.html)

  3. sudo cp /opt/wazuh2thehive/custom-w2thive.py /var/ossec/integrations/custom-w2thive.py

  4. sudo chmod 755 /var/ossec/integrations/custom-w2thive.py

  5. sudo chown root:ossec /var/ossec/integrations/custom-w2thive.py

tell me if you have questions

MidavSec commented 4 years ago

Great Vadim,

thank you very much for your quick feedback and solution, the warnings in integrations.log disappeared.

Suricata is not happy yet:


Added: lvl_threshold=5 but I have a honeypot and >5 events occur on seconds basis.

Maybe you have here as well an idea? Thanks.

crow1011 commented 4 years ago

@MidavSec you can also use the "ignore" parameter for rules that repeat too often. More details: https://documentation.wazuh.com/3.12/user-manual/ruleset/ruleset-xml-syntax/rules.html This solution is better. Please tell me if this solution does not solve your problem.
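The two noise controls discussed in this thread, a severity threshold (lvl_threshold) and suppressing a rule that keeps re-firing (what Wazuh's rule "ignore" option does on the manager side), can be illustrated in a single forwarding filter. The code below is an added example written for this page; it is not the wazuh2thehive script and does not reproduce its internals. It assumes the standard Wazuh alerts.json layout (rule.level, rule.id, rule.description, rule.groups, agent.name, id, timestamp, full_log) and the body shape of TheHive's POST /api/alert endpoint; the alert lines, rule ids, threshold and window values are constructed for the example.

```python
# Added example, not code from the wazuh2thehive repository.
# Filters Wazuh alerts by rule level, suppresses repeats of one rule id for a
# fixed window, and builds the TheHive alert body for the survivors.
import json
from datetime import datetime

LVL_THRESHOLD = 5      # forward alerts with rule.level >= 5 (constructed value)
IGNORE_SECONDS = 60    # suppress the same rule id for 60 s after forwarding (constructed)

# Constructed alerts.json lines: field layout follows Wazuh's alert format,
# rule ids, descriptions and timestamps are made up for this example.
SAMPLE_ALERTS = [
    '{"timestamp":"2020-05-17T10:00:00.000+0000","id":"1589709600.100","rule":{"level":3,"id":"5402","description":"Successful sudo to ROOT executed","groups":["syslog","sudo"]},"agent":{"id":"001","name":"honeypot-1"},"full_log":"sudo: pam_unix(sudo:session): session opened for user root"}',
    '{"timestamp":"2020-05-17T10:00:05.000+0000","id":"1589709605.200","rule":{"level":7,"id":"86601","description":"Suricata: Alert - ET MALWARE example signature","groups":["ids","suricata"]},"agent":{"id":"001","name":"honeypot-1"},"full_log":"{\\"event_type\\":\\"alert\\"}"}',
    '{"timestamp":"2020-05-17T10:00:30.000+0000","id":"1589709630.300","rule":{"level":7,"id":"86601","description":"Suricata: Alert - ET MALWARE example signature","groups":["ids","suricata"]},"agent":{"id":"001","name":"honeypot-1"},"full_log":"{\\"event_type\\":\\"alert\\"}"}',
    '{"timestamp":"2020-05-17T10:01:10.000+0000","id":"1589709670.400","rule":{"level":7,"id":"86601","description":"Suricata: Alert - ET MALWARE example signature","groups":["ids","suricata"]},"agent":{"id":"001","name":"honeypot-1"},"full_log":"{\\"event_type\\":\\"alert\\"}"}',
    '{"timestamp":"2020-05-17T10:01:12.000+0000","id":"1589709672.500","rule":{"level":12,"id":"87105","description":"Multiple authentication failures followed by a success","groups":["authentication_success"]},"agent":{"id":"002","name":"bastion"},"full_log":"sshd[2211]: Accepted password for admin"}',
    'this line is not JSON and must be skipped',
]


def parse_alert(line):
    """Parse one alerts.json line; return None for lines that are not JSON objects."""
    try:
        alert = json.loads(line)
    except json.JSONDecodeError:
        return None
    return alert if isinstance(alert, dict) and "rule" in alert else None


def rule_level(alert):
    """Wazuh rule level as int; unknown or malformed levels count as 0."""
    try:
        return int(alert.get("rule", {}).get("level", 0))
    except (TypeError, ValueError):
        return 0


def alert_epoch(alert):
    """Epoch seconds from the Wazuh timestamp string, e.g. 2020-05-17T10:00:00.000+0000."""
    return datetime.strptime(alert["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z").timestamp()


def level_to_severity(level):
    """Map a Wazuh rule level (0-15) onto TheHive's severity: 1 low, 2 medium, 3 high."""
    if level >= 12:
        return 3
    if level >= 7:
        return 2
    return 1


class AlertFilter:
    """Threshold plus per-rule suppression window, analogous to lvl_threshold and 'ignore'."""

    def __init__(self, threshold=LVL_THRESHOLD, ignore_seconds=IGNORE_SECONDS):
        self.threshold = threshold
        self.ignore_seconds = ignore_seconds
        self.last_forwarded = {}  # rule id -> epoch seconds of the last forwarded alert

    def decide(self, alert, now):
        """Return (forward, reason) for one alert observed at epoch time `now`."""
        if rule_level(alert) < self.threshold:
            return False, "below threshold"
        rule_id = str(alert["rule"].get("id", "unknown"))
        last = self.last_forwarded.get(rule_id)
        if last is not None and now - last < self.ignore_seconds:
            return False, "ignored: rule repeated within window"
        self.last_forwarded[rule_id] = now
        return True, "forward"


def to_thehive_alert(alert):
    """Body for TheHive's POST /api/alert; sourceRef must be unique per source."""
    rule = alert["rule"]
    return {
        "title": rule.get("description", "Wazuh alert"),
        "description": alert.get("full_log", ""),
        "severity": level_to_severity(rule_level(alert)),
        "type": "wazuh",
        "source": alert.get("agent", {}).get("name", "wazuh"),
        "sourceRef": alert["id"],
        "tags": ["wazuh", "rule:%s" % rule.get("id")] + list(rule.get("groups", [])),
    }


def process(lines, alert_filter):
    """Return TheHive alert bodies for the alerts that pass the filter, in order."""
    forwarded = []
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        ok, _reason = alert_filter.decide(alert, alert_epoch(alert))
        if ok:
            forwarded.append(to_thehive_alert(alert))
    return forwarded


def demo():
    """Run the constructed sample through the default filter."""
    return process(SAMPLE_ALERTS, AlertFilter())


if __name__ == "__main__":
    for body in demo():
        print(json.dumps(body))
```

Of the five constructed alerts, the level-3 sudo event falls below the threshold, the second Suricata hit 25 seconds after the first is suppressed by the window, and the third Suricata hit 65 seconds later goes through again, so three TheHive alert bodies are produced. The window is keyed on rule id only; a real deployment might key on rule id plus agent, which is why the manager-side "ignore" attribute on the rule itself is the cleaner place to do this.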