Installation

This installation documentation assumes that you already have Wazuh installed. If you do not already have OpenCTI installed, please follow the project’s installation instructions (docker). If you are running or planning to install OpenCTI manually, i.e. not in docker, note that all of the installation documentation for this connector is written for docker-compose.

Using the following as an example, add a connector-wazuh service to your OpenCTI docker-compose file:

services:
  connector-wazuh:
    image: ghcr.io/misje/opencti-wazuh-connector:0.3.0
    restart: always
    environment:
      # A timezone is needed for datetime tools to work as expected:
      - TZ=UTC
      - USE_TZ=true
      - OPENCTI_URL=https://mycti.example.org
      - OPENCTI_TOKEN=84387577-27ac-4751-b268-6893045aa73c # Replace with a token from the user you created
      - CONNECTOR_ID=81f9d582-2b4e-45f1-98b6-f33492d66b6e # Replace this with a unique ID
      - CONNECTOR_NAME=Wazuh
      - CONNECTOR_SCOPE=Artifact,Directory,Domain-Name,Email-Addr,Hostname,IPv4-Addr,IPv6-Addr,Mac-Addr,Network-Traffic,Process,StixFile,Url,User-Account,User-Agent,Windows-Registry-Key,Windows-Registry-Value-Type,Vulnerability,Indicator
      - CONNECTOR_AUTO=true
      - CONNECTOR_LOG_LEVEL=warning
      - CONNECTOR_EXPOSE_METRICS=true
      - WAZUH_APP_URL=https://mywazuh.example.org
      - "WAZUH_OPENSEARCH_PASSWORD=SecretPassword" # Write $ as $$ if the password contains $ (docker-compose interpolation)
      - WAZUH_OPENSEARCH_URL=https://mywazuh.example.org:9200
      - WAZUH_OPENSEARCH_USERNAME=cti_connector
      - WAZUH_OPENSEARCH_VERIFY_TLS=true
      - WAZUH_TLPS=TLP:AMBER+STRICT
    volumes:
      - /var/cache/wazuh
    links:
      - opencti:opencti
    # Set a limit on logs:
    logging:
      options:
        max-size: 50m

Warning

This is a bare-minimum example with several placeholder values. Look at the Configuration chapter for how to configure the connector.
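Before bringing the service up, it is worth checking the environment block against the pitfalls named above: placeholder token and connector ID left in place, TLS verification switched off, plain-http URLs, and a password whose `$` has not been doubled for docker-compose interpolation. The following preflight script is an added example, not part of the connector project; the checks it performs are my own assumptions about what a sane configuration looks like, and the sample environment is the one from this page, constructed inline.

```python
import re
from typing import Dict, List

# Placeholder values copied from the installation example on this page. If either
# survives into a deployment, the connector is either unauthenticated or not unique.
EXAMPLE_TOKEN = "84387577-27ac-4751-b268-6893045aa73c"
EXAMPLE_CONNECTOR_ID = "81f9d582-2b4e-45f1-98b6-f33492d66b6e"

UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)
# docker-compose interpolates a single "$"; a literal dollar must be written "$$".
UNESCAPED_DOLLAR_RE = re.compile(r"(?<!\$)\$(?!\$)")

# Constructed sample: the environment list from this page's compose example.
PAGE_EXAMPLE_ENV = [
    "TZ=UTC",
    "USE_TZ=true",
    "OPENCTI_URL=https://mycti.example.org",
    "OPENCTI_TOKEN=84387577-27ac-4751-b268-6893045aa73c # Replace with a token",
    "CONNECTOR_ID=81f9d582-2b4e-45f1-98b6-f33492d66b6e # Replace this with a unique ID",
    "CONNECTOR_NAME=Wazuh",
    "WAZUH_APP_URL=https://mywazuh.example.org",
    '"WAZUH_OPENSEARCH_PASSWORD=SecretPassword" # Remember double-$',
    "WAZUH_OPENSEARCH_URL=https://mywazuh.example.org:9200",
    "WAZUH_OPENSEARCH_USERNAME=cti_connector",
    "WAZUH_OPENSEARCH_VERIFY_TLS=true",
    "WAZUH_TLPS=TLP:AMBER+STRICT",
]


def parse_environment(entries: List[str]) -> Dict[str, str]:
    """Turn the list form of a compose `environment:` block into a dict.

    A trailing YAML comment (whitespace followed by '#') is dropped and quotes
    wrapping a whole entry, as on the password line above, are stripped.
    """
    env: Dict[str, str] = {}
    for raw in entries:
        line = raw.split(" #", 1)[0].strip()
        if len(line) >= 2 and line[0] in "'\"" and line.endswith(line[0]):
            line = line[1:-1]
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip()
    return env


def preflight(entries: List[str]) -> List[str]:
    """Return a list of findings; an empty list means the environment passed."""
    env = parse_environment(entries)
    findings: List[str] = []

    if env.get("OPENCTI_TOKEN", "") in ("", EXAMPLE_TOKEN):
        findings.append("OPENCTI_TOKEN is missing or still the documentation placeholder")

    cid = env.get("CONNECTOR_ID", "")
    if cid == EXAMPLE_CONNECTOR_ID:
        findings.append("CONNECTOR_ID is the documentation placeholder; generate a unique UUID")
    elif not UUID_RE.match(cid):
        findings.append("CONNECTOR_ID is not a UUID")

    # Both OpenCTI and the indexer carry credentials on every request: insist on TLS.
    for key in ("OPENCTI_URL", "WAZUH_APP_URL", "WAZUH_OPENSEARCH_URL"):
        if not env.get(key, "").lower().startswith("https://"):
            findings.append(f"{key} is not an https:// URL")

    if env.get("WAZUH_OPENSEARCH_VERIFY_TLS", "").lower() != "true":
        findings.append("WAZUH_OPENSEARCH_VERIFY_TLS is not true; certificate checks are disabled")

    pw = env.get("WAZUH_OPENSEARCH_PASSWORD", "")
    if not pw:
        findings.append("WAZUH_OPENSEARCH_PASSWORD is empty")
    elif UNESCAPED_DOLLAR_RE.search(pw):
        findings.append("WAZUH_OPENSEARCH_PASSWORD contains a single '$'; write it as '$$'")

    return findings


if __name__ == "__main__":
    for finding in preflight(PAGE_EXAMPLE_ENV):
        print("FAIL:", finding)
```

Run against the page's own example, the script reports exactly the two placeholders the text tells you to replace; feed it your real environment list and it should print nothing.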

After starting OpenCTI, look for any errors (get a continuous log with a little bit of history by running docker compose logs -f --tail=100 connector-wazuh).

Warning

opencti-wazuh-connector is in an early alpha stage. Although the connector does not make any changes to Wazuh, it may produce a lot of data in OpenCTI. Do not use the connector yet in production.

Versioning

The following tags are published to the docker registry:

Connector docker tags

Tag       Description
x.y.z     A connector (stable) release
dev       Latest development version (branch dev) of the connector
latest    The latest release (à la tag 0.1.0) of the connector

Use a version like 0.1.0 to reference a stable version of the connector, or latest if you want the latest stable version. There are no tags that reference the OpenCTI version, like connectors published by OpenCTI. See versions and compatibility for a connector–OpenCTI version compatibility list.

Creating users

Before running the connector, you need to create an OpenCTI user and generate a token, as well as create an OpenSearch read-only user:
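The connector only needs to search alerts, so the OpenSearch account it uses should be able to do nothing else. The script below is an added example, not part of the connector project or its documentation: it builds the three requests to the OpenSearch security plugin REST API (role, internal user, role mapping) for a read-only role, refuses to send a role that grants anything beyond read actions, and only then issues the PUTs with the indexer's admin credentials. The index pattern `wazuh-alerts-*`, the `cluster_composite_ops_ro` action group, the role name `cti_connector_ro` and the `_plugins/_security` path are my assumptions about a Wazuh indexer built on OpenSearch; the page itself names no specific permissions.

```python
import base64
import json
import ssl
import urllib.request
from typing import Any, Dict, List, Tuple

SECURITY_API = "/_plugins/_security/api"  # OpenSearch security plugin (assumed)

Request = Tuple[str, str, Dict[str, Any]]  # (method, url, JSON body)


def read_only_role(index_pattern: str = "wazuh-alerts-*") -> Dict[str, Any]:
    """Role granting only read actions on the alert indices (assumed pattern)."""
    return {
        "cluster_permissions": ["cluster_composite_ops_ro"],
        "index_permissions": [
            {"index_patterns": [index_pattern], "allowed_actions": ["read"]}
        ],
    }


def has_write_actions(role: Dict[str, Any]) -> bool:
    """Guard against a role definition that accidentally grants write or admin rights."""
    index_words = ("write", "delete", "manage", "crud", "all", "*")
    for perm in role.get("index_permissions", []):
        for action in perm.get("allowed_actions", []):
            if any(w in action.lower() for w in index_words):
                return True
    cluster_words = ("all", "manage", "*")
    return any(w in c.lower() for c in role.get("cluster_permissions", []) for w in cluster_words)


def security_requests(
    base_url: str,
    user_name: str,
    password: str,
    role_name: str = "cti_connector_ro",
    index_pattern: str = "wazuh-alerts-*",
) -> List[Request]:
    """Ordered requests: create role, create internal user, map user to role."""
    role = read_only_role(index_pattern)
    if has_write_actions(role):
        raise ValueError("refusing to create a connector role that is not read-only")
    base = base_url.rstrip("/") + SECURITY_API
    return [
        ("PUT", f"{base}/roles/{role_name}", role),
        ("PUT", f"{base}/internalusers/{user_name}", {"password": password}),
        ("PUT", f"{base}/rolesmapping/{role_name}", {"users": [user_name]}),
    ]


def send(requests: List[Request], admin_user: str, admin_password: str, ca_file: str = None) -> List[int]:
    """Issue the requests with HTTP basic auth over a verified TLS connection.

    Pass the indexer's CA bundle as ca_file when it is not in the system trust store;
    certificate verification is deliberately never disabled here.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    token = base64.b64encode(f"{admin_user}:{admin_password}".encode()).decode()
    statuses: List[int] = []
    for method, url, body in requests:
        req = urllib.request.Request(
            url,
            data=json.dumps(body).encode(),
            method=method,
            headers={"Content-Type": "application/json", "Authorization": f"Basic {token}"},
        )
        with urllib.request.urlopen(req, context=ctx) as resp:
            statuses.append(resp.status)
    return statuses


if __name__ == "__main__":
    # Build the requests for the user named in this page's compose example; the
    # password is a constructed placeholder and nothing is sent without send().
    for method, url, body in security_requests(
        "https://mywazuh.example.org:9200", "cti_connector", "REPLACE_WITH_A_STRONG_PASSWORD"
    ):
        print(method, url, json.dumps(body))
```

The same password then goes into `WAZUH_OPENSEARCH_PASSWORD` in the compose file (with any `$` doubled), and `WAZUH_OPENSEARCH_USERNAME` matches the user name passed here.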

Finishing touches

In order to get the most out of OpenCTI along with this connector, you may want to go through a few settings and customisation in OpenCTI: