Hello! Thank you for reaching out to us!
I have been reviewing the script you shared and investigating a bit and, while I couldn't complete the customization you requested for you, it does seem you are on the right track!
I suspect you followed this article
https://opensecure.medium.com/wazuh-and-misp-integration-242dfa2f2e19 as the script seems to be the same. I think you would find it helpful to read
our article on custom integrators and
our documentation to gain a better understanding on how it works and how to modify it.
In summary, the script as described in Opensecure receives all alerts from sysmon groups, parses them, generates and executes queries in MISP, and sends the events back to the wazuh manager. Specifically:
- It generates the wazuh_event_param in line 49
- Constructs the search body in line 96
- Executes the search in line 109
- Builds and sends the event in the block starting in 124
This flow generates a single event in each execution of the integrator. If I understand correctly, in the case a URL is found in the commandLine parameter, you wish to generate 2 of them.
In that case, you could encapsulate the code section that executes the query and sends the event (lines 109 to 136) into a function that accepts the wazuh_event_param. That way you could discern between the case of your regex finding a match or not, and continue with either the default case, calling it once, or your desired case, calling it twice with both URL and hash as inputs.
I hope this helps you get started on your task! Please let us know if you need more help on this matter!
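The refactoring suggested in the reply above, as an added example that is not the script from the Opensecure article nor the poster's code: the query-and-send block becomes one function taking wazuh_event_param, and the dispatcher calls it once for the hash or twice when commandLine also carries a URL. The alert shape, the regexes and the MISP search body are assumptions, and MISP/Wazuh I/O is injected as callables so the logic runs offline.

```python
import re
from typing import Callable, Dict, List

# Constructed regexes (assumptions, not from the original script).
URL_RE = re.compile(r"https?://[^\s\"']+")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


def build_search_body(wazuh_event_param: str) -> Dict:
    """Build the MISP search body (assumed restSearch-style shape)."""
    return {"returnFormat": "json", "value": wazuh_event_param}


def query_and_send(wazuh_event_param: str,
                   misp_search: Callable[[Dict], Dict],
                   send_event: Callable[[Dict], None]) -> Dict:
    """The former inline block (run the MISP query, build the event,
    send it to the manager), now callable once per indicator."""
    result = misp_search(build_search_body(wazuh_event_param))
    attrs = result.get("response", {}).get("Attribute", [])
    event = {
        "integration": "misp",
        "misp": {
            "value": wazuh_event_param,
            "found": bool(attrs),
            "event_ids": sorted({a["event_id"] for a in attrs if a.get("event_id")}),
        },
    }
    send_event(event)
    return event


def handle_sysmon_alert(alert: Dict,
                        misp_search: Callable[[Dict], Dict],
                        send_event: Callable[[Dict], None]) -> List[Dict]:
    """Dispatch: always query the file hash; if the regex finds a URL in
    commandLine, call query_and_send a second time with the URL."""
    data = alert.get("data", {}).get("win", {}).get("eventdata", {})
    params = []
    hashes = SHA256_RE.findall(data.get("hashes", ""))  # e.g. "SHA256=<hex>"
    if hashes:
        params.append(hashes[0].lower())
    urls = URL_RE.findall(data.get("commandLine", ""))
    if urls:
        params.append(urls[0])
    return [query_and_send(p, misp_search, send_event) for p in params]
```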