Integrating MISP Threat Intelligence with Wazuh


Van Than Vu

Mar 12, 2021, 4:26:23 AM
to Wazuh mailing list
Hi Wazuh Experts,

Is it possible to integrate MISP Threat Intelligence with Wazuh? Has anyone worked on this project? Could you please suggest a way to go? It would be nice if I could have a guideline for this. I'm looking at this blog, but it's not clear to me.


Regards,

Javier Balmaceda

Mar 12, 2021, 9:15:17 AM
to Wazuh mailing list
Hello,
You can manage the integration by editing the Wazuh manager configuration file:

/var/ossec/etc/ossec.conf

and adding the following code block inside the <ossec_config> section:

<integration>
  <name> </name>
  <hook_url> </hook_url>
  <api_key> </api_key>
  <!-- Optional filters -->
  <rule_id> </rule_id>
  <level> </level>
  <group> </group>
  <event_location> </event_location>
</integration>

Then, you should include the MISP API key in the api_key field and, in case the API provides it, it's recommended to add the API's URL in the hook_url field.
Then, restart the wazuh-manager service:

systemctl restart wazuh-manager

Our documentation is our best support in these cases, but if it is not clear enough, you can also take a look at this blog:
https://wazuh.com/blog/how-to-integrate-external-software-using-integrator/

Hope this helps!
Regards,

Ibrahim

Mar 12, 2021, 5:28:37 PM
to Wazuh mailing list
Hello Javier,

I have a few questions, please.

According to this form, will we have the MISP events in Wazuh as generated events?
Or will it be something like VirusTotal, scanning the archives based on <group>?

I was trying to understand event_location; could you please explain what it is for here?

I am trying to have something like VirusTotal: I need to scan all src_ip in the syslog group and also the hashes in the syscheck group.

Best Regards.

Yana Zaeva

Nov 5, 2021, 10:12:39 AM
to Wazuh mailing list
Hi Ibrahim,

Sorry for the late response. In order to integrate with MISP (and have something similar to the VirusTotal integration), you will need to write a script. In some cases, it is possible to just edit the ossec.conf configuration with your credentials or API key, but this is only for integrations that we already have a script for. These integrations are Slack, VirusTotal and PagerDuty. In fact, if you go to this path: /var/ossec/integrations/, you should be able to see the corresponding scripts for each tool.

We also have an example of an integration with Jira in the following blog, where this integration is used to explain how to write a custom script. In order to integrate with MISP, you will have to follow the steps explained in the blog, but the script will have to be a little bit different. As in the Jira example, you will need to select the file to which all the alerts are arriving (by default, it will be alerts.json). Then, we will need to set the group condition. It will look something similar to if "syslog" in alerts["rules"]["groups"], taking into account that the alerts variable is the information from the alerts.json file. Then, making use of the MISP API, you can forward this alert to the MISP tool. I have found in their documentation the call I think you will have to perform in order to add an event, but you can check all their documentation here. Once the event is scanned, you can forward the result to Wazuh. I am not sure if you will need to write decoders and rules for these events, but in that case, I will leave here this link, in which it is explained how to create custom decoders and rules.

Hope this helps. Let me know if you need anything else.

Regards,
Yana.
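Pulling Javier's `<integration>` block and Yana's custom-script outline together, below is an added example of what such a script could look like. It is not code from this thread, from Wazuh or from MISP. Everything specific in it is an assumption to verify against the Wazuh integrator and MISP API documentation before deploying: the script name `custom-misp`, the argument order `<alert_file> <api_key> <hook_url>`, the `/attributes/restSearch` call and its response shape, the `1:misp:` message written to the analysisd socket, and the socket path. The two alerts at the bottom are constructed so the logic can be run offline with a fake lookup.

```python
#!/usr/bin/env python3
"""Custom Wazuh integrator script that looks alert indicators up in MISP.
Added example, not Wazuh's or MISP's code. Assumed (verify against the docs):
  - invoked as  custom-misp <alert_file> <api_key> <hook_url>  (hook_url = MISP base URL)
  - MISP POST /attributes/restSearch answers {"response": {"Attribute": [...]}}
  - results go back through the analysisd socket as "1:misp:<json>" (needs custom rules)
Matching ossec.conf block (values assumed, same shape as the one posted in the thread):
  <integration><name>custom-misp</name><hook_url>https://misp.example.org</hook_url>
  <api_key>REPLACE_ME</api_key><group>syslog,syscheck</group>
  <alert_format>json</alert_format></integration>
"""
import json
import socket
import sys
import urllib.request

QUEUE_SOCKET = "/var/ossec/queue/sockets/queue"  # assumed path; older managers differ

def extract_iocs(alert):
    """Pick indicators by rule group: srcip for syslog alerts, new hash for syscheck."""
    groups = alert.get("rule", {}).get("groups", [])
    iocs = []
    if "syslog" in groups and alert.get("data", {}).get("srcip"):
        iocs.append(("ip-src", alert["data"]["srcip"]))
    if "syscheck" in groups and alert.get("syscheck", {}).get("sha256_after"):
        iocs.append(("sha256", alert["syscheck"]["sha256_after"]))
    return iocs

def misp_search(base_url, api_key, value):
    """Live lookup: POST /attributes/restSearch; returns matching attributes (assumed shape)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/attributes/restSearch",
        data=json.dumps({"value": value, "returnFormat": "json"}).encode(),
        headers={"Authorization": api_key, "Accept": "application/json",
                 "Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp).get("response", {}).get("Attribute", [])

def enrich(alert, api_key, base_url, search=misp_search):
    """One result event per indicator. `search` is injectable for offline runs."""
    events = []
    for ioc_type, value in extract_iocs(alert):
        attrs = search(base_url, api_key, value)
        events.append({
            "integration": "misp",
            "source_rule_id": alert.get("rule", {}).get("id"),
            "misp": {
                "ioc_type": ioc_type,
                "value": value,
                "found": bool(attrs),
                "event_ids": sorted({str(a["event_id"]) for a in attrs if "event_id" in a}),
                "categories": sorted({a["category"] for a in attrs if "category" in a}),
            },
        })
    return events

def send_to_wazuh(event, sock_path=QUEUE_SOCKET):
    """Hand the result back to the manager so custom rules can alert on it."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as s:
        s.connect(sock_path)
        s.send(("1:misp:" + json.dumps(event)).encode())

# Constructed sample alerts (shape modelled on alerts.json; all values invented).
SAMPLE_ALERTS = [
    {"id": "1615545983.1001", "data": {"srcip": "198.51.100.23"},
     "rule": {"id": "5710", "groups": ["syslog", "sshd", "authentication_failed"]}},
    {"id": "1615545990.1002", "rule": {"id": "554", "groups": ["ossec", "syscheck"]},
     "syscheck": {"path": "/tmp/dropper",
                  "sha256_after": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}},
]

def fake_search(base_url, api_key, value):
    """Offline stand-in for misp_search: only the sample IP is 'known' to MISP."""
    if value == "198.51.100.23":
        return [{"event_id": 42, "category": "Network activity", "type": "ip-src"}]
    return []

def demo():
    """Run the enrichment over the constructed alerts without touching the network."""
    out = []
    for alert in SAMPLE_ALERTS:
        out.extend(enrich(alert, "dummy-key", "https://misp.example.org", search=fake_search))
    return out

if __name__ == "__main__":
    if len(sys.argv) >= 4:  # called by wazuh-integratord
        with open(sys.argv[1]) as fh:
            for ev in enrich(json.load(fh), sys.argv[2], sys.argv[3]):
                send_to_wazuh(ev)
    else:  # run by hand: offline demo on the constructed alerts
        print(json.dumps(demo(), indent=2))
```

Run with no arguments it only processes the two constructed alerts through the fake lookup; installed under /var/ossec/integrations/ as an executable with the ownership Wazuh's docs require, and referenced from the `<integration>` block, it is invoked once per matching alert. Two things a practitioner will want: give it a MISP auth key that can only search, and keep the `<group>` / `<rule_id>` filters narrow so the manager does not fire an HTTP request for every syslog line. The events it writes back are plain JSON on the `misp` location, so, as Yana notes, they still need custom decoders and rules before anything shows up as an alert.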