Wazuh + MISP (or OpenCTI) integration → Random/inconsistent IOC alerts: need help


Pyplex_

May 21, 2025, 8:41:03 AMMay 21
to Wazuh | Mailing List

Hi everyone, first time using GitHub, I'm sorry if I'm not using the right way to communicate in it.

For my 3rd year internship to validate my bachelor's degree, I'm currently working on an integration project between Wazuh and MISP, with the goal of automatically sending a Wazuh alert when a known IOC is detected on a machine (e.g., a ping from a malicious domain).

⚙️ Context:

  • A Windows VM with a Wazuh agent installed and Sysmon configured
  • Functional Wazuh and MISP machines
  • The sysmon logs are generated and visible in Wazuh
  • Example: I ping assso.net → I can see the entry in the logs (Event ID 22)
  • The domain is present in MISP (verified with curl, the response is positive)

Problem: Most of the time, no alerts like those found via MISP are returned.

But randomly, sometimes I'm getting an IOC alert based on the domain I pinged, without understanding why or where it's coming from. It's inconsistent and impossible to reproduce.

Here's my setup for the integration:

- The Python integration script: https://github.com/karelumair/MISP-Wazuh-Integration/blob/main/custom-misp.py

- Wazuh configuration (ossec.conf) :

<!-- MISP INTEGRATION -->

  <integration>
    <name>custom-misp.py</name>
    <hook_url>Misp IP server</hook_url>
    <api_key>Misp IP Key</api_key>
    <group>sysmon_event1,sysmon_event3,sysmon_event6,sysmon_event7,sysmon_event_15,sysmon_event_22,syscheck</group>
    <alert_format>json</alert_format>
  </integration>

- Alert rules for MISP:

  <group name="misp,">
    <rule id="100620" level="10">
      <field name="integration">misp</field>
      <match>misp</match>
      <description>MISP Events</description>
      <options>no_full_log</options>
    </rule>

    <rule id="100621" level="5">
      <field name="misp.error">\.+</field>
      <description>MISP - Error connecting to API</description>
      <options>no_full_log</options>
      <group>misp_error,</group>
    </rule>

    <rule id="100622" level="12">
      <field name="misp.category">\.+</field>
      <description>MISP - IoC found in Threat Intel - Category: $(misp.category), Attribute: $(misp.value)</description>
      <options>no_full_log</options>
      <group>misp_alert,</group>
    </rule>
  </group>

Strange symptoms:

  • I have a Sysmon log with the DNS query (Event ID 22) visible in Wazuh when I ping a known IOC (e.g. assso.net), but no alert is generated immediately in Wazuh
  • Sometimes IOC alerts appear hours later without me doing anything.
  • At first, everything worked fine: every ping triggered an IOC alert as expected.
  • Next, I wanted to integrate TheHive so that each IOC detected by Wazuh via MISP would trigger an alert in TheHive.
  • That's when the problems started. It's impossible to say if it's related, but the behavior has since deteriorated.

Then I tried to get around the problem by going through OpenCTI; for this I used this GitHub link: https://socfortress.medium.com/wazuh-siem-opencti-threat-intel-integration-4cb1a3810250

  • I configured a MISP → OpenCTI connector
  • Then I tried to integrate OpenCTI with Wazuh on the same principle

But again, it doesn't work. I'm getting this kind of error in the logs:

2025/05/21 10:15:15 wazuh-integratord: ERROR: While running custom-opencti.py -> integrations. Output: KeyError: 'queryName'

2025/05/21 10:15:15 wazuh-integratord: ERROR: Exit status was: 1

2025/05/21 10:15:15 wazuh-integratord: ERROR: While running custom-opencti.py -> integrations. Output: KeyError: 'data'

2025/05/21 10:15:15 wazuh-integratord: ERROR: Exit status was: 1

In summary, what I am looking for today:

  • Concrete feedback from users who have successfully integrated Wazuh with MISP or OpenCTI reliably and consistently, ideally with Wazuh version 4.11.2.
  • Find out if the custom-misp.py script used is still valid and up to date, or if there is a newer, maintained version.
  • To get a better understanding where the problem might come from: is it a conflict between integrations (TheHive, MISP, OpenCTI), a JSON structure problem, a poorly referenced field, or simply poor script execution?
  • And if you have any advice for debugging, good practices or techniques to understand the problem

Eli Josue Rodriguez

May 21, 2025, 5:49:32 PMMay 21
to Wazuh | Mailing List
Hello, since it is a custom script, I would recommend following the guide as defined here.

https://documentation.wazuh.com/current/user-manual/manager/integration-with-external-apis.html#custom-integration

Check the permissions:
chmod 750 /var/ossec/integrations/custom-script
chown root:wazuh /var/ossec/integrations/custom-script

Also, enable debug logs for the integratord by adding the integrator.debug=2 configuration in the /var/ossec/etc/local_internal_options.conf file. Then restart the Wazuh manager, try the execution of the integration script again and check the logs.

https://documentation.wazuh.com/current/user-manual/reference/internal-options.html#integrator

Regards,
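Putting the thread's pieces together, as an added example that is not the poster's custom-misp.py, the SOCFortress OpenCTI script, or Wazuh's own code: the script below implements the custom-integration contract the first post relies on (integratord calls the script with the alert file, the api_key and the hook_url as positional arguments; the script reports back by writing a `1:misp:<json>` message to the analysisd socket, from which the JSON decoder produces the `integration` and `misp.*` fields that rules 100620-100622 match). It also shows the failure mode behind the two log lines in the post: a Python KeyError names the dictionary key that was read, so `KeyError: 'data'` and `KeyError: 'queryName'` mean some alerts handed to the script had no `data` object, or an eventdata without `queryName` (every group listed in `<group>`, syscheck included, reaches the script). Reading every level with `.get()` skips such alerts instead of exiting 1. Assumptions: Wazuh 4.x field names (`data.win.system.eventID`, `data.win.eventdata.queryName` / `destinationIp` / `hashes`, `syscheck.sha256_after`), the socket path `/var/ossec/queue/sockets/queue`, MISP's `/attributes/restSearch/value:<ioc>` endpoint and its `{"response": {"Attribute": [...]}}` reply, and urllib instead of requests; `SAMPLE_ALERT`, `SAMPLE_MISP_RESPONSE` and `offline_lookup` are constructed so the example runs with no MISP server.

```python
# Added example (not the poster's custom-misp.py, the SOCFortress script or Wazuh code).
# Assumed Wazuh 4.x custom-integration contract: integratord runs
#     <script> <alert_file> <api_key> <hook_url>
# and the script answers by writing '1:misp:<json>' to the analysisd socket,
# which the JSON decoder turns into the integration / misp.* fields the rules use.
import json
import re
import socket
import sys
import urllib.parse
import urllib.request
from typing import Callable, Optional, Tuple

QUEUE_SOCKET = "/var/ossec/queue/sockets/queue"    # analysisd input socket (assumed path)
_SHA256 = re.compile(r"SHA256=([0-9A-Fa-f]{64})")   # fragment of Sysmon's "Hashes" field

def extract_indicator(alert: dict) -> Optional[Tuple[str, str]]:
    """(MISP attribute type, value) to look up, or None. Every level is read with .get(),
    so an alert lacking data.win.eventdata (e.g. a syscheck alert routed here by <group>)
    is skipped instead of aborting with the KeyError the integratord log shows."""
    sha_after = (alert.get("syscheck") or {}).get("sha256_after")
    if sha_after:
        return ("sha256", sha_after)
    win = (alert.get("data") or {}).get("win") or {}
    event_id = str((win.get("system") or {}).get("eventID", ""))
    ed = win.get("eventdata") or {}
    if event_id == "22" and ed.get("queryName"):            # DNS query
        return ("domain", ed["queryName"])
    if event_id == "3" and ed.get("destinationIp"):         # network connection
        return ("ip-dst", ed["destinationIp"])
    m = _SHA256.search(ed.get("hashes", ""))
    if event_id in ("1", "6", "7", "15") and m:             # image/driver/file hashes
        return ("sha256", m.group(1).lower())
    return None

def query_misp(value: str, api_key: str, base_url: str, timeout: int = 10) -> dict:
    """GET <misp>/attributes/restSearch/value:<ioc>; a self-signed MISP certificate
    needs an ssl context passed to urlopen. Returns the parsed JSON body."""
    url = base_url.rstrip("/") + "/attributes/restSearch/value:" + urllib.parse.quote(value, safe="")
    req = urllib.request.Request(url, headers={"Authorization": api_key, "Accept": "application/json",
                                               "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)

def build_event(alert: dict, misp_response: dict) -> Optional[dict]:
    """First matching attribute -> the JSON that rule 100622 keys on (misp.category)."""
    attrs = (misp_response.get("response") or {}).get("Attribute") or []
    if not attrs:
        return None                                         # unknown to MISP: stay silent
    a = attrs[0]
    return {"integration": "misp",
            "misp": {"event_id": a.get("event_id"), "category": a.get("category"),
                     "type": a.get("type"), "value": a.get("value"),
                     "source": {"description": (alert.get("rule") or {}).get("description")}}}

def process_alert(alert: dict, api_key: str, hook_url: str,
                  lookup: Callable[[str, str, str], dict] = query_misp) -> Optional[dict]:
    """One alert in; a hit event, an error event (rule 100621) or None out."""
    ind = extract_indicator(alert)
    if ind is None:
        return None
    try:
        return build_event(alert, lookup(ind[1], api_key, hook_url))
    except Exception as exc:                                # DNS/TLS/HTTP failure
        return {"integration": "misp", "misp": {"error": "Connection Error to MISP API: %s" % exc}}

def format_queue_message(event: dict, agent: Optional[dict]) -> str:
    """Queue framing '1:<location>:<payload>'; naming the agent in the location is
    what ties the resulting misp.* alert back to the endpoint."""
    if not agent or agent.get("id") == "000":
        return "1:misp:" + json.dumps(event)
    return "1:[%s] (%s) %s->misp:%s" % (agent["id"], agent["name"], agent.get("ip", "any"), json.dumps(event))

def send_event(message: str, path: str = QUEUE_SOCKET) -> None:
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as sock:   # must run as the wazuh user
        sock.connect(path)
        sock.send(message.encode())

def main(argv) -> None:
    """integratord's argument order; the same call works by hand for debugging:
    /var/ossec/framework/python/bin/python3 custom-misp.py /tmp/alert.json KEY URL"""
    alert = json.load(open(argv[1]))
    event = process_alert(alert, argv[2], argv[3])
    if event is not None:
        send_event(format_queue_message(event, alert.get("agent")))

# Constructed sample input (not a real capture): a Sysmon Event ID 22 alert shaped like
# Wazuh's eventchannel decoder output, for the domain pinged in the thread.
SAMPLE_ALERT = {"agent": {"id": "001", "name": "win10"},
                "rule": {"description": "Sysmon - Event 22: DNS Query", "groups": ["sysmon_event_22"]},
                "data": {"win": {"system": {"eventID": "22"}, "eventdata": {"queryName": "assso.net"}}}}
# Constructed restSearch body in MISP's {"response": {"Attribute": [...]}} shape.
SAMPLE_MISP_RESPONSE = {"response": {"Attribute": [{"event_id": "12", "category": "Network activity",
                                                    "type": "domain", "value": "assso.net"}]}}

def offline_lookup(value: str, _api_key: str, _base_url: str) -> dict:
    """Stand-in for query_misp so the example runs with no MISP server."""
    return SAMPLE_MISP_RESPONSE if value == "assso.net" else {"response": {"Attribute": []}}

if __name__ == "__main__":
    main(sys.argv)
```

Because `main` takes exactly the arguments integratord passes, the reply's advice can be followed literally: copy one Sysmon alert from /var/ossec/logs/alerts/alerts.json into a file, run the script by hand as the wazuh user with that file, the API key and the MISP URL, and watch for the resulting `misp.*` alert; with `integrator.debug=2` set, the same call and its exit status show up in ossec.log, which separates a script that crashes on the alert shape from a script that never gets called because the alert's rule groups do not match `<group>`.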