Wazuh And MISP Integration - Quickly Detect IoCs Within Your Wazuh Alerts With MISP!

  • Published 14 Apr 2022
  • Join me as we integrate Wazuh with MISP. Enhance your SOC capabilities with Wazuh and MISP! Let's deploy a Host Intrusion Detection System and SIEM with free open source tools. Join me as we explore and learn together.
    Buy Me A Coffee: bit.ly/3woh21M
    Blog Post: / wazuh-and-misp-integra...
    Security Operations Center as a Service: www.socfortress.co/
    Your Own Server: bit.ly/3Eug9Wf
    Discord Channel: / discord
    Check us out: www.opensecure.co/
    Interact with our demo: bit.ly/3tzKJLz
    Hire us: www.opensecure.co/contact-us
  • Science & Technology

Comments • 37

  • @laanbarehamza1024
    @laanbarehamza1024 1 year ago +3

    Hi Taylor, could you please do a video about the integration of OpenCTI with Wazuh? I think OpenCTI is more comprehensive than MISP, and also we can integrate it with MISP. Thanks

  • @pleibling
    @pleibling 1 year ago

    Wow, this is an awesome video. It's unbelievable what is possible with open source products. Can you tell me which feeds you prefer in MISP? Thanks a lot for sharing your knowledge.

  • @justSamadhi
    @justSamadhi 1 year ago

    Thank you very much for your work!

  • @rewantasubba5180
    @rewantasubba5180 5 months ago

    awesome video and excellent content.

  • @numanmaavia8575
    @numanmaavia8575 2 years ago

    Great video

  • @RobertoMartinez-pm1vq
    @RobertoMartinez-pm1vq 24 days ago

    Good morning Taylor, I would like to know if it is possible for the endpoint itself to make the request to the dedicated MISP server and for the latter to respond to the manager, instead of an endpoint querying the Wazuh Manager, which then queries MISP to verify if the domain is in its threat sources. If the value exists within MISP, it should respond with the event ID and more metadata about the IoC to the Wazuh Manager, so it can be visualized on the dashboard. Sorry for the tongue twister, I hope I made myself clear. Thank you in advance, you're amazing.

  • @betajemz5781
    @betajemz5781 several months ago

    Does Wazuh automatically block traffic from the endpoint when MISP sends an alert to Wazuh?

  • @ankitkamble0390
    @ankitkamble0390 4 months ago

    Hello Walton,
    After completing the integration part, while testing the use case I am getting a MISP error "Connection error to misp API", and the rule ID is 100621

  • @SomnathDas-uw4bg
    @SomnathDas-uw4bg 3 months ago

    Please make a video of integrating Splunk with MISP. Splunk will be on a Windows machine and MISP will be on Ubuntu, and then generating alerts in Splunk by creating threat incidents in MISP. @TaylorWalton

  • @bakhtawar9599
    @bakhtawar9599 1 year ago +1

    Hi, can you make a video of OpenCTI integration with Wazuh? Thank you.

  • @user-yj5wn4lv3f
    @user-yj5wn4lv3f 3 months ago +1

    Did anyone succeed in setting this up? I have syslog and it doesn't work for me. I am not able to debug it either; where and how do I enable debug logs to troubleshoot the issue? I only see events in Wazuh but nothing shows from MISP. Any help would be appreciated.

    • @estephanierojas1413
      @estephanierojas1413 3 months ago

      He goes too fast when explaining, he doesn't know how to explain well what he is doing, he just turns up and does it...

    • @user-yj5wn4lv3f
      @user-yj5wn4lv3f 2 months ago

      @@estephanierojas1413 I succeeded in setting it up. If you need help, don't hesitate to contact me.

  • @foodie_nextdoor0
    @foodie_nextdoor0 1 year ago +2

    Hi Taylor, I did the exact steps but my Wazuh server is not displaying the MISP logs

    • @user-yj5wn4lv3f
      @user-yj5wn4lv3f 2 months ago

      @foodie_nextdoor0 If your MISP is empty it won't give you any result. MISP will return a result only when the related Wazuh event has corresponding IoCs in MISP; otherwise it will always be "no result" in Wazuh.

  • @jacobfogal5029
    @jacobfogal5029 2 years ago +1

    I'm digging the content you're putting out. Keep it up!
    We are attempting to use this integration in our lab. We are seeing the following error in the /var/ossec/logs/ossec.log when we try to use the integration:
    2022/04/18 22:28:54 wazuh-integratord: ERROR: Unable to run integration for custom-misp.py -> integrations
    2022/04/18 22:28:54 wazuh-integratord: ERROR: While running custom-misp.py -> integrations. Output: IndexError: list index out of range
    2022/04/18 22:28:54 wazuh-integratord: ERROR: Exit status was: 1
    Other than the server and API key, the custom-misp.py file is left unchanged.
    It lives in /var/ossec/integrations
    chmod 750
    chown root:ossec
    Are there any other troubleshooting steps we can attempt or log files we can reference to get a better insight as to what is going on?
    Thank you!

    • @jacobfogal5029
      @jacobfogal5029 2 years ago +3

      For anybody following behind, at the 10-minute mark of the video there is a reference to the array being correct.
      In our instance of Wazuh, we were not natively grabbing Event 22, and we did not have the correct format for the rule.groups when we built out our custom rule.
      We updated our local_rules.xml to include the correct array (as shown in the tutorial) to get this integration to work correctly.
      Here is our example rule. Note, on the first line, we did not include windows in the group name initially:
      <!-- The comment box stripped the XML tags; they are reconstructed here in Wazuh rule syntax.
           The rule id and level were not part of the comment, so they are left as placeholders. -->
      <group name="windows,sysmon,">
        <rule id="RULE_ID" level="LEVEL">
          <if_sid>61600</if_sid>
          <field name="win.system.eventID">^22$</field>
          <description>Sysmon - Event 22: DNS Query for $(win.eventdata.queryName) by $(win.eventdata.image)</description>
          <options>no_full_log</options>
          <group>sysmon_event_22,</group>
        </rule>
      </group>

    • @serversql9951
      @serversql9951 2 years ago

      Did you resolve it, sir? I have the same problem with the error "Output: IndexError: list index out of range". Could you help me, sir?

    • @taylorwalton_socfortress
      @taylorwalton_socfortress 2 years ago

      Was going to be my suggestion. Thank you for sharing and watching :)

    • @ghostwalker0050
      @ghostwalker0050 2 years ago

      @@serversql9951 Hi, I'm having the same problem. Did you ever get the fix for this error?

    • @serversql9951
      @serversql9951 2 years ago

      @@taylorwalton_socfortress @Fernando DeBonis and I get the problem "Output: IndexError: list index out of range". Could you help me, sir?

  • @mouleshgopal3936
    @mouleshgopal3936 10 months ago +2

    Hi Taylor, I integrated my Wazuh with MISP.
    I'm getting the Sysmon event 22, but MISP is not getting triggered by Wazuh after the ping test on my Windows box.
    Thanks in advance

    • @user-yj5wn4lv3f
      @user-yj5wn4lv3f 2 months ago

      @mouleshgopal3936 If your MISP is empty it won't give you any result. MISP will return a result only when the related Wazuh event has corresponding IoCs in MISP; otherwise it will always be "no result" in Wazuh.

    • @mouleshgopal3936
      @mouleshgopal3936 2 months ago

      @@user-yj5wn4lv3f Hi
      Thank you for the support

  • @juanpalacio7604
    @juanpalacio7604 1 year ago

    @taylorwalton_socfortress
    Mr. Taylor, good afternoon. Please help me with the Sysmon configuration file needed to create the rule on event 22 with which you applied the example in the video, as I am trying the same but I would like to know what the particular rule you used is. Thank you very much.

  • @bilaichacha8388
    @bilaichacha8388 1 year ago +2

    Hello,
    I tried to do some code troubleshooting on this custom-misp.py file, and I found that the response from this line "misp_api_response = misp_api_response.json()" (line number 109) returns this message: {'name': 'You do not have permission to use this functionality.', 'message': 'You do not have permission to use this functionality.', 'url': '/events/restSearchvalue:node-antivirus-v001'}
    Is that an error in the script, or what am I missing??
    Who else managed to do this integration?

  • @nhantieu2042
    @nhantieu2042 6 months ago

    Hi Taylor, I checked /var/ossec/logs/ossec.log and am seeing the error: "wazuh-integratord: ERROR: Couldn't execute command (integrations /tmp/custom-misp.py-1701595137--1443911367.alert > /dev/null 2>&1). Check file and permissions.". Please help me

    • @AbhishekPandey-2396
      @AbhishekPandey-2396 2 months ago

      I am facing the same issue. Did you manage to solve it somehow?

  • @pleibling
    @pleibling 1 year ago

    Another question: is it possible to check in MISP whether the API request was successful? I can see in Wazuh the event with group "windows, sysmon, sysmon_event_22"; some seconds later I check the usage of the API key in MISP, and it shows me that the last usage was some seconds ago. But I get no event in MISP.
    In the integrations.log there is
    2022/09/05 12:32:13 wazuh-integratord: ERROR: Unable to run integration for custom-misp.py -> integrations
    2022/09/05 12:32:13 wazuh-integratord: ERROR: While running custom-misp.py -> integrations. Output: KeyError: 'response'
    How can I check what is going wrong? In MISP I see that the API key was used at the same time as in the integrations.log, but there is no event in MISP.

    • @bilaichacha8388
      @bilaichacha8388 1 year ago

      I think we are on the same issue.. and I tried to check the response from the JSON.. did you check it on your side?

    • @pleibling
      @pleibling 1 year ago

      @@bilaichacha8388: I'm with other people in the Wazuh Slack chat searching on it. I see in the ossec.log (debug for integrations set to t2) that the JSON call is sent, but there it gets an error. This morning I configured a public certificate for MISP, because it gave a cert warning in debug. But it doesn't solve the problem. How far are you?

    • @bilaichacha8388
      @bilaichacha8388 1 year ago

      @@pleibling Did you deploy your internal MISP?
      I have an issue with the response, but I think the issue will be the user, because the role of the user is Org.Admin. I was thinking of having another user who has a syn role.

    • @bilaichacha8388
      @bilaichacha8388 1 year ago

      Now I am getting events for Connection Error to MISP API
      What about you?

    • @pleibling
      @pleibling 1 year ago

      @Bilai Chacha: Hi, I checked now with a fresh Wazuh and MISP installation, and now it works fine. Did you solve your problem?