Added Phase 7,8,9 to Automates Threat Hunting and few edits in Phase … (#296)

Author: smahuzaifa

docs/cybersecurity/Blue Team/Research/Automated Threat Hunting/Phase 1 - Core Setup and Wazuh Deployment.md

@@ -3,7 +3,7 @@ sidebar_position: 2
 ---
 
 :::info
-**Document Creation:** 17 May 2025. **Last Edited:** 23 May 2025. **Authors:** Syed Mahmood Aleem Huzaifa.  
+**Document Creation:** 17 May 2025. **Last Edited:** 09 September 2025. **Authors:** Syed Mahmood Aleem Huzaifa.  
 **Effective Date:** 23 May 2025. **Expiry Date:** 23 May 2026.
 :::
 
@@ -12,7 +12,7 @@ sidebar_position: 2
 
 Phase 1 covers the foundational setup of the Wazuh security monitoring system by deploying a manager on an Ubuntu virtual machine and an agent on a Debian virtual machine. It includes preparing the network, updating system packages, setting hostnames, and installing the Wazuh Manager and Agent using official repositories. The phase ensures secure communication between the manager and agent through key-based registration and custom configuration using ossec.conf. It also addresses logging limitations by installing rsyslog on Debian to enable proper authentication event logging. The phase concludes with the installation of the Wazuh Indexer and Dashboard to complete the all-in-one platform. This provides a web interface for managing alerts and agent activity, ensuring a fully functional and integrated Wazuh environment ready for threat detection and analysis.
 
-### Step 1: Prepare your Virtual Machines
+### Step 1a: Prepare your Virtual Machines
 
 **Manager VM:** Ubuntu 22.04 or 20.04  
 **Agent VM:** Debian 11 or 12  
@@ -24,7 +24,7 @@ Phase 1 covers the foundational setup of the Wazuh security monitoring system by
 
  ![Network Configuration on Virtual Box](img\networkconfig.png)
 
- ### Step 2: Update and Set Hostnames
+ ### Step 1b: Update and Set Hostnames
 
 On both machines, first run the following command:
 ```

…SOAR Deployment – The Hive and Cortex.md …- SOAR Deployment-The Hive and Cortex.mddocs/cybersecurity/Blue Team/Research/Automated Threat Hunting/Phase 5 - SOAR Deployment – The Hive and Cortex.md renamed to docs/cybersecurity/Blue Team/Research/Automated Threat Hunting/Phase 5 - SOAR Deployment-The Hive and Cortex.md docs/cybersecurity/Blue Team/Research/Automated Threat Hunting/Phase 5 - SOAR Deployment – The Hive and Cortex.md renamed to docs/cybersecurity/Blue Team/Research/Automated Threat Hunting/Phase 5 - SOAR Deployment-The Hive and Cortex.md

@@ -3,7 +3,7 @@ sidebar_position: 6
 ---
 
 :::info
-**Document Creation:** 17 May 2025. **Last Edited:** 23 May 2025. **Authors:** Syed Mahmood Aleem Huzaifa.  
+**Document Creation:** 17 May 2025. **Last Edited:** 09 September 2025. **Authors:** Syed Mahmood Aleem Huzaifa.  
 **Effective Date:** 23 May 2025. **Expiry Date:** 23 May 2026.
 :::
 

docs/cybersecurity/Blue Team/Research/Automated Threat Hunting/Phase 7 - Wazuh & The Hive Integration.md

@@ -0,0 +1,304 @@
+---
+sidebar_position: 8
+---
+
+:::info
+**Document Creation:** 3 September 2025. **Last Edited:** 3 September 2025. **Authors:** Syed Mahmood Aleem Huzaifa.  
+**Effective Date:** 3 September 2025. **Expiry Date:** 3 September2026.
+:::
+
+### Overview 
+
+Phase 1 focuses on establishing the integration between Wazuh and TheHive so that security alerts generated by Wazuh are automatically pushed into TheHive as cases. The main goal here is to eliminate the manual step of copying alerts from Wazuh into TheHive, ensuring that analysts have a single central platform to investigate and manage incidents. This means that whenever Wazuh detects suspicious activity, it will trigger the creation of a case in TheHive, where the details of the alert can be examined and escalated. 
+
+**To make this possible, both systems must already be properly set up: the Wazuh Manager should be actively running on the Ubuntu server where it was installed, TheHive should be online and accessible via its web interface, and you should have administrative access to both servers to configure API connectivity and permissions. This setup ensures a seamless pipeline where Wazuh handles detection and TheHive manages investigation, streamlining the incident response workflow.**
+
+### Step 1: Preparing TheHive
+Before Wazuh can send alerts to TheHive, we need to set up an organisation and create a user who can receive alerts through TheHive’s API.
+1. Create an Organisation
+    1.	Log into TheHive web interface using the admin account.
+    2.	Go to Administration → Organisations.
+    3.	Create a new organisation: Example - Redback.
+2. Create a User for API Access
+    1.	Inside your organisation, create a new user.
+        o	Role: **Analyst** (can receive alerts and create cases, but not change system settings).
+    2.	Set a password for this user.
+3. Generate the API Key
+    1.	Edit the new user profile.
+    2.	Click **"Reveal"** under API Key.
+    3.	Copy the key somewhere safe — you’ll need it in the Wazuh configuration.
+
+### Step 2: Install TheHive Python Module on Wazuh
+TheHive integration uses a Python library called thehive4py to send alerts. We need to install it inside Wazuh’s built-in Python environment.
+Run this command on your Wazuh Manager: 
+```
+sudo /var/ossec/framework/python/bin/pip3 install thehive4py==1.8.1
+```
+### Step 3: Create the Custom Integration Script
+Wazuh needs a special script to format alerts and send them to TheHive.
+1. Creating the Python Script
+```
+sudo nano /var/ossec/integrations/custom-w2thive.py
+```
+Paste the below script into the python file
+```
+#!/var/ossec/framework/python/bin/python3
+import json
+import sys
+import os
+import re
+import logging
+import uuid
+from thehive4py.api import TheHiveApi
+from thehive4py.models import Alert, AlertArtifact
+
+#start user config
+
+# Global vars
+
+#threshold for wazuh rules level
+lvl_threshold=0
+#threshold for suricata rules level
+suricata_lvl_threshold=3
+
+debug_enabled = False
+#info about created alert
+info_enabled = True
+
+#end user config
+
+# Set paths
+pwd = os.path.dirname(os.path.dirname(os.path.realpath(__file__)))
+log_file = '{0}/logs/integrations.log'.format(pwd)
+logger = logging.getLogger(__name__)
+#set logging level
+logger.setLevel(logging.WARNING)
+if info_enabled:
+    logger.setLevel(logging.INFO)
+if debug_enabled:
+    logger.setLevel(logging.DEBUG)
+# create the logging file handler
+fh = logging.FileHandler(log_file)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+fh.setFormatter(formatter)
+logger.addHandler(fh)
+
+def main(args):
+    logger.debug('#start main')
+    logger.debug('#get alert file location')
+    alert_file_location = args[1]
+    logger.debug('#get TheHive url')
+    thive = args[3]
+    logger.debug('#get TheHive api key')
+    thive_api_key = args[2]
+    thive_api = TheHiveApi(thive, thive_api_key )
+    logger.debug('#open alert file')
+    w_alert = json.load(open(alert_file_location))
+    logger.debug('#alert data')
+    logger.debug(str(w_alert))
+    logger.debug('#gen json to dot-key-text')
+    alt = pr(w_alert,'',[])
+    logger.debug('#formatting description')
+    format_alt = md_format(alt)
+    logger.debug('#search artifacts')
+    artifacts_dict = artifact_detect(format_alt)
+    alert = generate_alert(format_alt, artifacts_dict, w_alert)
+    logger.debug('#threshold filtering')
+    if w_alert['rule']['groups']==['ids','suricata']:
+        #checking the existence of the data.alert.severity field
+        if 'data' in w_alert.keys():
+            if 'alert' in w_alert['data']:
+                #checking the level of the source event
+                if int(w_alert['data']['alert']['severity'])<=suricata_lvl_threshold:
+                    send_alert(alert, thive_api)
+    elif int(w_alert['rule']['level'])>=lvl_threshold:
+        #if the event is different from suricata AND suricata-event-type: alert check lvl_threshold
+        send_alert(alert, thive_api)
+
+def pr(data,prefix, alt):
+    for key,value in data.items():
+        if hasattr(value,'keys'):
+            pr(value,prefix+'.'+str(key),alt=alt)
+        else:
+            alt.append((prefix+'.'+str(key)+'|||'+str(value)))
+    return alt
+
+def md_format(alt,format_alt=''):
+    md_title_dict = {}
+    #sorted with first key
+    for now in alt:
+        now = now[1:]
+        #fix first key last symbol
+        dot = now.split('|||')[0].find('.')
+        if dot==-1:
+            md_title_dict[now.split('|||')[0]] =[now]
+        else:
+            if now[0:dot] in md_title_dict.keys():
+                (md_title_dict[now[0:dot]]).append(now)
+            else:
+                md_title_dict[now[0:dot]]=[now]
+    for now in md_title_dict.keys():
+        format_alt+='### '+now.capitalize()+'\n'+'| key | val |\n| ------ | ------ |\n'
+        for let in md_title_dict[now]:
+            key,val = let.split('|||')[0],let.split('|||')[1]
+            format_alt+='| **' + key + '** | ' + val + ' |\n'
+    return format_alt
+
+
+def artifact_detect(format_alt):
+    artifacts_dict = {}
+    artifacts_dict['ip'] = re.findall(r'\d+\.\d+\.\d+\.\d+',format_alt)
+    artifacts_dict['url'] =  re.findall(r'http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+',format_alt)
+    artifacts_dict['domain'] = []
+    for now in artifacts_dict['url']: artifacts_dict['domain'].append(now.split('//')[1].split('/')[0])
+    return artifacts_dict
+
+def generate_alert(format_alt, artifacts_dict,w_alert):
+    #generate alert sourceRef
+    sourceRef = str(uuid.uuid4())[0:6]
+    artifacts = []
+    if 'agent' in w_alert.keys():
+        if 'ip' not in w_alert['agent'].keys():
+            w_alert['agent']['ip']='no agent ip'
+    else:
+        w_alert['agent'] = {'id':'no agent id', 'name':'no agent name'}
+
+    for key,value in artifacts_dict.items():
+        for val in value:
+            artifacts.append(AlertArtifact(dataType=key, data=val))
+    alert = Alert(title=w_alert['rule']['description'],
+              tlp=2,
+              tags=['wazuh', 
+              'rule='+w_alert['rule']['id'], 
+              'agent_name='+w_alert['agent']['name'],
+              'agent_id='+w_alert['agent']['id'],
+              'agent_ip='+w_alert['agent']['ip'],],
+              description=format_alt ,
+              type='wazuh_alert',
+              source='wazuh',
+              sourceRef=sourceRef,
+              artifacts=artifacts,)
+    return alert
+
+def send_alert(alert, thive_api):
+    response = thive_api.create_alert(alert)
+    if response.status_code == 201:
+        logger.info('Create TheHive alert: '+ str(response.json()['id']))
+    else:
+        logger.error('Error create TheHive alert: {}/{}'.format(response.status_code, response.text))
+
+if __name__ == "__main__":
+
+    try:
+       logger.debug('debug mode') # if debug enabled       
+       # Main function
+       main(sys.argv)
+
+    except Exception:
+       logger.exception('EGOR')
+
+```
+This Python script acts as a connector between Wazuh and TheHive by automatically converting Wazuh alerts into TheHive alerts (cases) for investigation. When Wazuh generates an alert, the script parses the JSON alert file, extracts key information, and formats it into a readable description. It also detects potential observables like IPs, URLs, and domains, which are attached as artifacts. Based on severity thresholds, it decides whether the alert should be forwarded to TheHive. If it passes the filter, the script sends the alert to TheHive using its API, where it becomes available for analysts to investigate further. Logging is enabled to track each step and confirm whether alerts were successfully created.
+
+2. Create the Bash Wrapper Script
+Wazuh runs integration scripts through small shell wrappers.
+
+    Create a file:
+    ```
+    sudo nano /var/ossec/integrations/custom-w2thive
+    ```
+    The script that goes into this is below
+    ```
+    #!/bin/sh
+    WPYTHON_BIN="framework/python/bin/python3"
+    SCRIPT_PATH_NAME="$0"
+    DIR_NAME="$(cd $(dirname ${SCRIPT_PATH_NAME}); pwd -P)"
+    SCRIPT_NAME="$(basename ${SCRIPT_PATH_NAME})"
+
+    case ${DIR_NAME} in
+        */active-response/bin | */wodles*)
+            if [ -z "${WAZUH_PATH}" ]; then
+                WAZUH_PATH="$(cd ${DIR_NAME}/../..; pwd)"
+            fi
+        PYTHON_SCRIPT="${DIR_NAME}/${SCRIPT_NAME}.py"
+        ;;
+        */bin)
+            if [ -z "${WAZUH_PATH}" ]; then
+                WAZUH_PATH="$(cd ${DIR_NAME}/..; pwd)"
+            fi
+        PYTHON_SCRIPT="${WAZUH_PATH}/framework/scripts/${SCRIPT_NAME}.py"
+        ;;
+        */integrations)
+            if [ -z "${WAZUH_PATH}" ]; then
+                WAZUH_PATH="$(cd ${DIR_NAME}/..; pwd)"
+            fi
+        PYTHON_SCRIPT="${DIR_NAME}/${SCRIPT_NAME}.py"
+        ;;
+    esac
+
+    ${WAZUH_PATH}/${WPYTHON_BIN} ${PYTHON_SCRIPT} $@
+
+    ```
+This small shell wrapper is what allows Wazuh to execute your custom Python integration reliably. Since Wazuh can call integrations from different directories, the wrapper first checks its own location, then calculates the correct base path to Wazuh and to the Python script it needs to run. It then builds the path to your custom-w2thive.py script and finally uses Wazuh’s bundled Python interpreter (framework/python/bin/python3) to execute it, passing along any arguments that Wazuh supplies. In simple terms, the wrapper acts as a bridge: Wazuh calls the wrapper, the wrapper resolves the right paths, and then your Python script runs to forward alerts into TheHive. This ensures the integration works consistently regardless of where Wazuh launches it from.
+
+### Step 4: Set Permissions
+These scripts must be executable and owned by the correct group (ossec in Wazuh).
+
+```
+sudo chmod 755 /var/ossec/integrations/custom-w2thive.py
+sudo chmod 755 /var/ossec/integrations/custom-w2thive
+sudo chown root:ossec /var/ossec/integrations/custom-w2thive.py
+sudo chown root:ossec /var/ossec/integrations/custom-w2thive
+```
+These commands are making sure that both your wrapper (custom-w2thive) and the Python script (custom-w2thive.py) have the right permissions and ownership so Wazuh can execute them safely. By setting the mode to 755, you’re allowing the owner (root) to read, write, and execute, while members of the group and others can only read and execute. The ownership is set to root:ossec, which means the root user owns the files, but the ossec group also has access. This is important because Wazuh services run under the ossec group, so without this step, Wazuh would not be able to call your integration scripts.
+
+### Step 5: Configure Wazuh to Use the Integration
+Edit the Wazuh Manager config file:
+```
+sudo nano /var/ossec/etc/ossec.conf
+```
+Add this inside "ossec_config":
+```
+<integration>
+    <name>custom-w2thive</name>
+    <hook_url>http://THEHIVE_SERVER_IP:9000</hook_url>
+    <api_key>YOUR_API_KEY</api_key>
+    <alert_format>json</alert_format>
+</integration>
+```
+*THEHIVE_SERVER_IP = IP address of your TheHive server (e.g., 127.0.0.1 if on the same machine).
+YOUR_API_KEY = the key you copied earlier*
+
+### Step 6: Restart Wazuh
+```
+sudo systemctl restart wazuh-manager
+```
+### Step 7: Test the Integration
+
+We’ll create fake alerts to see if they appear in TheHive.
+Example: Trigger a Syscheck alert by creating a file in /etc: 
+```
+sudo touch /etc/wazuh_test.txt
+echo "test" | sudo tee -a /etc/wazuh_test.txt
+```
+
+Example: Trigger an authentication failure alert:
+```ssh nouser@localhost
+```
+(Type any password — it will fail and create an alert.)
+
+If everything works, you’ll see messages in: 
+```
+sudo tail -n 50 /var/ossec/logs/integrations.log
+```
+![Wazuh Hive Integration logs](img\wazuh-hiveintegration.png)
+
+Automatically, the cases are created as shown below
+![Wazuh Hive Alerts](img\wazuh-hivealerts.png)
+
+### Conclusion
+This phase represents a major milestone in building an automated security operations pipeline, as it bridges the gap between detection and investigation. With the Wazuh ↔ TheHive integration in place, alerts no longer remain siloed within Wazuh but are automatically forwarded into TheHive, where they are transformed into actionable cases. This ensures that analysts can immediately work on verified incidents within a centralized platform rather than wasting time manually transferring data. In practice, this reduces friction, accelerates the response process, and makes sure that no critical alerts are overlooked due to human error or delays.
+
+Beyond convenience, the integration adds structure and scalability to incident management. By feeding enriched alerts into TheHive, security teams can leverage case workflows, collaborative features, and task assignments that are built into TheHive’s design. This allows multiple analysts to coordinate effectively on the same incident, track progress, and document findings in one place. It also improves accountability, since every case in TheHive is linked to its originating Wazuh alert, creating an auditable chain of events.
+
+From a strategic perspective, this integration lays the groundwork for more advanced automation in later phases, such as linking with Cortex for automated analysis, enriching cases with external threat intelligence, or triggering response actions directly from TheHive. What begins here as a simple alert forwarding mechanism evolves into the foundation of a full Security Orchestration, Automation, and Response (SOAR) pipeline. In other words, Phase 7 does not just close the loop between detection and investigation — it transforms the security workflow into a proactive, scalable, and collaborative system that strengthens the organization’s overall security posture.

docs/cybersecurity/Blue Team/Research/Automated Threat Hunting/Phase 8 - Cortex Observables.md

@@ -0,0 +1,39 @@
+---
+sidebar_position: 9
+---
+
+:::info
+**Document Creation:** 3 September 2025. **Last Edited:** 3 September 2025. **Authors:** Syed Mahmood Aleem Huzaifa.  
+**Effective Date:** 3 September 2025. **Expiry Date:** 3 September2026.
+:::
+
+### Overview
+Running manual observables in TheHive is useful for on-demand data enrichment. Instead of waiting for automation or notifications to trigger analyzers, suspicious items can be checked quickly and supporting intelligence viewed immediately. This workflow ensures every piece of evidence is enriched, traceable, and stored within the case context for comprehensive investigation.
+
+### Step 1 – Log in to TheHive
+Open TheHive web interface in a browser and log in with an analyst account. Access to the dashboard where cases and observables are managed requires proper permissions; **usually, the Analyst role** is necessary to create observables and trigger Cortex analyzers.
+![Create case](img\Create_case.png)
+
+### Step 2 – Open a Case
+After logging in, create a new case or open an existing one. A case serves as a container for all investigation data, ensuring observables are associated with the correct incident context.
+
+### Step 3 – Add an Observable
+Within the case, navigate to the *“Observables”* tab and select *“Add Observable.”* Choose the observable type such as IP address, domain, file hash, or URL. Provide the observable value and optionally add descriptions or tags to assist later correlation or filtering.
+![Add Observable](img\Add_Observable.png)
+
+### Step 4 – Save the Observable
+Save the observable, which then appears in the case observables list. At this stage, the observable is stored but no analysis has yet been performed.
+![Adding An Observable](img\Adding_An_Observable.png)
+
+### Step 5 – Run Cortex Analyzer Manually
+Select the observable and click *“Run analyzers.” TheHive displays available Cortex analyzers compatible with the observable type, for example, AbuseIPDB or VirusTotal for IP addresses. Select desired analyzers and confirm to send the observable to the connected Cortex instance for analysis.
+![Run Analyzer Option](img\Run_Analyzer_Option.png)
+![Select The Analyzer to run](img\Select-Analyzer.png)
+
+**(Only the analyzers that are configured and enabled in Cortex would be visible here)**
+
+### Step 6 – Review the Reports
+After analyzer jobs complete, click the observable to view detailed reports. Reports reveal findings such as malicious IP status, malware hash matches, or URL blocklist presence. These results are attached to the observable in TheHive, enabling efficient investigation continuation.
+![Report View](img\Viewing_Report.png)
+Analysis_of_a_report.png
+![Report Analysis View](img\Analysis_of_a_report.png)