Sysmon MISP integration to detect Phishing alert


HA

Aug 4, 2022, 2:44:11 AM
to Wazuh mailing list
Hi all,

I need some help to perform phishing email (URL) detection using Sysmon and MISP.
The idea is the following: a user clicks on a URL received by email (this triggers Sysmon event 1, process creation) in Wazuh.

Example
data.win.eventdata.commandLine (parameter)
C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --single-argument https://kb.fortinet.com/kb/viewAttachment.do?attachID=2.10%%20Asset 

What I need to catch here is the text (URL link) after the value --single-argument.

Then I will use the script provided in the video https://www.youtube.com/watch?v=-qRMDxZpnWg to send the link to MISP, which will detect whether the URL is suspicious or not...

I have already done the config for DNS queries (Sysmon event 22 and data.win.eventdata.queryName) but here, in the case of a URL, I don't know how to extract it (I'm not good at writing scripts at all)...

Any idea ??

Regards,

HA




Андрей Рыжков

Aug 4, 2022, 2:54:03 AM
to Wazuh mailing list

Greetings! I came across ThePhish which integrates well with the MISP stack, Cortex and TheHive. Try https://github.com/emalderson/ThePhish
Thursday, August 4, 2022 at 09:44:11 UTC+3, HA:

Christian Bassey

Aug 4, 2022, 3:11:40 AM
to Wazuh mailing list
Hi HA!

Thank you for using Wazuh!

It is not possible to send only the URL parameter to the phishing script. What I would recommend is that you send the whole field to the script, then use a regex in your script to extract just the URL. So, you can add the following code block between lines 96 and 97:


elif alert["data"]["win"]["eventdata"]["commandLine"] != None:
      try:
            wazuh_event_param = re.search("(?P<url>https?://[^\s]+)", alert["data"]["win"]["eventdata"]["commandLine"]).group("url")
      except IndexError:
            sys.exit()


Please be careful with the code indentation. Best!


HA

Aug 4, 2022, 4:31:23 AM
to Wazuh mailing list
Hi all,

First, thanks a lot for your help !
I followed your advice and changed the script to parse the URL but now I can see the following error message...

Aug 4, 2022 @ 08:49:27.000 wazuh-integratord ERROR Unable to run integration for custom-misp.py -> integrations
Aug 4, 2022 @ 08:49:27.000 wazuh-integratord ERROR While running custom-misp.py -> integrations. Output: json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)
Aug 4, 2022 @ 08:49:27.000 wazuh-integratord ERROR Exit status was: 1

.....
    elif event_type == 'sysmon_event_25':
        try:
            wazuh_event_param = regex_file_hash.search(alert["data"]["win"]["eventdata"]["hashes"]).group(0)
        except IndexError:
            sys.exit()

    elif alert["data"]["win"]["eventdata"]["commandLine"] != None:
      try:
            wazuh_event_param = re.search("(?P<url>https?://[^\s]+)", alert["data"]["win"]["eventdata"]["commandLine"]).group("url")
      except IndexError:
            sys.exit()
    else:
        sys.exit()
    misp_search_value = "value:"f"{wazuh_event_param}"
...

Regards,

HA

Christian Bassey

Aug 4, 2022, 4:48:05 AM
to Wazuh mailing list
Hi HA,

Please confirm that the indentation on the newly added code block is correct. Send a screenshot of that section for me to review.

HA

Aug 5, 2022, 2:56:21 AM
to Wazuh mailing list
Hi,

Sorry, forget my last post.
The script doesn't produce an error...
But I have a question about it...
If I understand correctly (maybe I don't), your code is checking any alert for a matching string (starting with http or https).
In my case, I would like to trigger the script only when Sysmon event 1 (process creation) appears in the log.
So below line 46 (if event_type == 'sysmon_event1':), in my point of view...

#!/var/ossec/framework/python/bin/python3
## MISP API Integration
#
import sys
import os
from socket import socket, AF_UNIX, SOCK_DGRAM
from datetime import date, datetime, timedelta
import time
import requests
from requests.exceptions import ConnectionError
import json
import ipaddress
import hashlib
import re
pwd = os.path.dirname(os.path.dirname(os.path.realpath(__file__)))
socket_addr = '{0}/queue/sockets/queue'.format(pwd)
def send_event(msg, agent = None):
    if not agent or agent["id"] == "000":
        string = '1:misp:{0}'.format(json.dumps(msg))
    else:
        string = '1:[{0}] ({1}) {2}->misp:{3}'.format(agent["id"], agent["name"], agent["ip"] if "ip" in agent else "any", json.dumps(msg))
    sock = socket(AF_UNIX, SOCK_DGRAM)
    sock.connect(socket_addr)
    sock.send(string.encode())
    sock.close()
false = False
# Read configuration parameters
alert_file = open(sys.argv[1])
# Read the alert file
alert = json.loads(alert_file.read())
alert_file.close()
# New Alert Output if MISP Alert or Error calling the API
alert_output = {}
# MISP Server Base URL
misp_base_url = "https://misp.simacpsf.cloud/attributes/restSearch/"
# MISP Server API AUTH KEY
misp_api_auth_key = "q5WCGFvBnXTUwBZbBSwGYgyUud3c0nHJJ3t4L8Xu"
# API - HTTP Headers
misp_apicall_headers = {"Content-Type":"application/json", "Authorization":f"{misp_api_auth_key}", "Accept":"application/json"}
## Extract Sysmon for Windows/Sysmon for Linux and Sysmon Event ID
event_source = alert["rule"]["groups"][0]
event_type = alert["rule"]["groups"][2]
## Regex Pattern used based on SHA256 lenght (64 characters)
regex_file_hash = re.compile('\w{64}')
if event_source == 'windows':
    if event_type == 'sysmon_event1':

        try:
            wazuh_event_param = regex_file_hash.search(alert["data"]["win"]["eventdata"]["hashes"]).group(0)
        except IndexError:
            sys.exit()
    elif event_type == 'sysmon_event3' and alert["data"]["win"]["eventdata"]["destinationIsIpv6"] == 'false':
        try:
            dst_ip = alert["data"]["win"]["eventdata"]["destinationIp"]
            if ipaddress.ip_address(dst_ip).is_global:
                wazuh_event_param = dst_ip
            else:
                sys.exit()
        except IndexError:
            sys.exit()
    elif event_type == 'sysmon_event3' and alert["data"]["win"]["eventdata"]["destinationIsIpv6"] == 'true':
        sys.exit()
    elif event_type == 'sysmon_event6':

        try:
            wazuh_event_param = regex_file_hash.search(alert["data"]["win"]["eventdata"]["hashes"]).group(0)
        except IndexError:
            sys.exit()
    elif event_type == 'sysmon_event7':

        try:
            wazuh_event_param = regex_file_hash.search(alert["data"]["win"]["eventdata"]["hashes"]).group(0)
        except IndexError:
            sys.exit()
    elif event_type == 'sysmon_event_15':

        try:
            wazuh_event_param = regex_file_hash.search(alert["data"]["win"]["eventdata"]["hashes"]).group(0)
        except IndexError:
            sys.exit()
    elif event_type == 'sysmon_event_22':
        try:
            wazuh_event_param = alert["data"]["win"]["eventdata"]["queryName"]
        except IndexError:
            sys.exit()
    elif event_type == 'sysmon_event_23':

        try:
            wazuh_event_param = regex_file_hash.search(alert["data"]["win"]["eventdata"]["hashes"]).group(0)
        except IndexError:
            sys.exit()
    elif event_type == 'sysmon_event_24':

        try:
            wazuh_event_param = regex_file_hash.search(alert["data"]["win"]["eventdata"]["hashes"]).group(0)
        except IndexError:
            sys.exit()
    elif event_type == 'sysmon_event_25':
        try:
            wazuh_event_param = regex_file_hash.search(alert["data"]["win"]["eventdata"]["hashes"]).group(0)
        except IndexError:
            sys.exit()
    else:
        sys.exit()
    misp_search_value = "value:"f"{wazuh_event_param}"
    misp_search_url = ''.join([misp_base_url, misp_search_value])
    try:
        misp_api_response = requests.get(misp_search_url, headers=misp_apicall_headers, verify=False)
    except ConnectionError:
        alert_output["misp"] = {}
        alert_output["integration"] = "misp"
        alert_output["misp"]["error"] = 'Connection Error to MISP API'
        send_event(alert_output, alert["agent"])
    else:
        misp_api_response = misp_api_response.json()
    # Check if response includes Attributes (IoCs)
        if (misp_api_response["response"]["Attribute"]):
    # Generate Alert Output from MISP Response
            alert_output["misp"] = {}
            alert_output["misp"]["source"] = {}
            alert_output["misp"]["event_id"] = misp_api_response["response"]["Attribute"][0]["event_id"]
            alert_output["misp"]["category"] = misp_api_response["response"]["Attribute"][0]["category"]
            alert_output["misp"]["value"] = misp_api_response["response"]["Attribute"][0]["value"]
            alert_output["misp"]["type"] = misp_api_response["response"]["Attribute"][0]["type"]
            alert_output["misp"]["source"]["description"] = alert["rule"]["description"]
            send_event(alert_output, alert["agent"])
elif event_source == 'linux':
    if event_type == 'sysmon_event3' and alert["data"]["eventdata"]["destinationIsIpv6"] == 'false':
        try:
            dst_ip = alert["data"]["eventdata"]["DestinationIp"]
            if ipaddress.ip_address(dst_ip).is_global:
                wazuh_event_param = dst_ip

                misp_search_value = "value:"f"{wazuh_event_param}"
                misp_search_url = ''.join([misp_base_url, misp_search_value])
                try:
                    misp_api_response = requests.get(misp_search_url, headers=misp_apicall_headers, verify=False)
                except ConnectionError:
                    alert_output["misp"] = {}
                    alert_output["integration"] = "misp"
                    alert_output["misp"]["error"] = 'Connection Error to MISP API'
                    send_event(alert_output, alert["agent"])
                else:
                    misp_api_response = misp_api_response.json()
        # Check if response includes Attributes (IoCs)
                    if (misp_api_response["response"]["Attribute"]):
                # Generate Alert Output from MISP Response
                        alert_output["misp"] = {}
                        alert_output["misp"]["event_id"] = misp_api_response["response"]["Attribute"][0]["event_id"]
                        alert_output["misp"]["category"] = misp_api_response["response"]["Attribute"][0]["category"]
                        alert_output["misp"]["value"] = misp_api_response["response"]["Attribute"][0]["value"]
                        alert_output["misp"]["type"] = misp_api_response["response"]["Attribute"][0]["type"]
                        send_event(alert_output, alert["agent"])
            else:
                sys.exit()

        except IndexError:
            sys.exit()
    else:
        sys.exit()
elif event_source == 'ossec' and event_type == "syscheck_entry_added":
    try:
        wazuh_event_param = alert["syscheck"]["sha256_after"]
    except IndexError:

        sys.exit()
    misp_search_value = "value:"f"{wazuh_event_param}"
    misp_search_url = ''.join([misp_base_url, misp_search_value])
    try:
        misp_api_response = requests.get(misp_search_url, headers=misp_apicall_headers, verify=false)
    except ConnectionError:
        alert_output["misp"] = {}
        alert_output["integration"] = "misp"
        alert_output["misp"]["error"] = 'Connection Error to MISP API'
        send_event(alert_output, alert["agent"])
    else:
        misp_api_response = misp_api_response.json()
    # Check if response includes Attributes (IoCs)
        if (misp_api_response["response"]["Attribute"]):
    # Generate Alert Output from MISP Response
            alert_output["misp"] = {}
            alert_output["misp"]["event_id"] = misp_api_response["response"]["Attribute"][0]["event_id"]
            alert_output["misp"]["category"] = misp_api_response["response"]["Attribute"][0]["category"]
            alert_output["misp"]["value"] = misp_api_response["response"]["Attribute"][0]["value"]
            alert_output["misp"]["type"] = misp_api_response["response"]["Attribute"][0]["type"]
            send_event(alert_output, alert["agent"])
else:
    sys.exit()

Christian Bassey

Aug 5, 2022, 3:22:33 AM
to Wazuh mailing list
Hi HA,


If I understand correctly (maybe I don't), your code is checking any alert for a matching string (starting with http or https).

Yes, you are right, the code block I gave you checks if the field  alert["data"]["win"]["eventdata"]["commandLine"] is not empty, then it checks if there is a http or https in the field and extracts it as a URL.

So below line 46 (if event_type == 'sysmon_event1':), in my point of view...

Please can you explain this better? I do not understand it.

HA

Aug 5, 2022, 6:57:23 AM
to Wazuh mailing list
Hi,

First, thanks for your help !
I would like to send the URL to MISP only when a sysmon_event1 (process creation) alert is triggered...
So in my point of view (maybe I'm wrong), your code should be inserted somewhere after the line 'if event_type == 'sysmon_event1':'

Regards,

HA

Christian Bassey

Aug 8, 2022, 9:43:30 AM
to Wazuh mailing list
Hi HA,


It is clear now.


Replace in the sysmon_event_1 block:

wazuh_event_param = regex_file_hash.search(alert["data"]["win"]["eventdata"]["hashes"]).group(0)

With:


wazuh_event_param = re.search("(?P<url>https?://[^\s]+)", alert["data"]["win"]["eventdata"]["commandLine"]).group("url")


HA

Aug 10, 2022, 4:53:39 AM
to Wazuh mailing list
Hi,

The script has been changed to...
if event_source == 'windows':
    if event_type == 'sysmon_event1':
        try:
            wazuh_event_param = re.search("(?P<url>https?://[^\s]+)", alert["data"]["win"]["eventdata"]["commandLine"]).group("url")
#            wazuh_event_param = regex_file_hash.search(alert["data"]["win"]["eventdata"]["hashes"]).group(0)

        except IndexError:
            sys.exit()
    elif event_type == 'sysmon_event3' and alert["data"]["win"]["eventdata"]["destinationIsIpv6"] == 'false':

Now I get the following info in the logs
2022/08/10 08:44:48 wazuh-integratord: ERROR: Unable to run integration for custom-misp.py -> integrations
2022/08/10 08:44:48 wazuh-integratord: ERROR: While running custom-misp.py -> integrations. Output: AttributeError: 'NoneType' object has no attribute 'group'

2022/08/10 08:44:48 wazuh-integratord: ERROR: Exit status was: 1
2022/08/10 08:45:25 wazuh-integratord: ERROR: Unable to run integration for custom-misp.py -> integrations
2022/08/10 08:45:25 wazuh-integratord: ERROR: While running custom-misp.py -> integrations. Output: AttributeError: 'NoneType' object has no attribute 'group'

The following info is sent to MISP using the API call...

GET /attributes/restSearch/value:http://outlook.office.com
Host: misp.xxx.xxx
User-Agent: python-requests/2.25.1
Accept-Encoding: gzip, deflate
Accept: application/json
Connection: keep-alive
Content-Type: application/json
Authorization: XXXXXXXXXXXXXXXXXXXXXXXXX

Many thanks for your help !!

Regards,

HA

Christian Bassey

Aug 10, 2022, 7:29:28 AM
to Wazuh mailing list
Hi HA, please provide me with the sysmon_event_1 json. From the error message, it looks like the regex is not matching anything from that particular sysmon event.
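A safer version of the extraction step, added here as an example and not code from the thread or from the Wazuh MISP integration script: re.search returns None when the command line carries no URL, which is where the 'NoneType' object has no attribute 'group' error comes from, so this function returns None (or, going beyond the thread's change, falls back to the SHA256 hash) instead of raising. The alert dicts and the make_alert helper are constructed for the example, shaped like the Sysmon event 1 alert quoted later in the thread.

```python
import re

# First http(s) URL in the Sysmon CommandLine field (the thread's pattern, with
# quote characters excluded so a quoted URL does not drag its closing quote along).
URL_RE = re.compile(r"(?P<url>https?://[^\s\"']+)")
# Sysmon writes "MD5=...,SHA256=...,IMPHASH=..."; anchor on the SHA256 label
# instead of matching any 64 word characters.
SHA256_RE = re.compile(r"SHA256=([0-9A-Fa-f]{64})")

HASH_EVENTS = {"sysmon_event6", "sysmon_event7", "sysmon_event_15",
               "sysmon_event_23", "sysmon_event_24", "sysmon_event_25"}


def _sha256_from(eventdata):
    m = SHA256_RE.search(eventdata.get("hashes") or "")
    return m.group(1) if m else None


def extract_search_value(alert):
    """Return the value to look up in MISP for one Wazuh alert, or None.

    Dispatches on rule.groups like the integration script (groups[0] is the
    source, groups[2] the Sysmon event type). A missing field or a regex that
    does not match yields None instead of the AttributeError/KeyError that the
    script's 'except IndexError' never catches.
    """
    groups = alert.get("rule", {}).get("groups", [])
    if len(groups) < 3 or groups[0] != "windows":
        return None
    eventdata = alert.get("data", {}).get("win", {}).get("eventdata", {})
    event_type = groups[2]
    if event_type == "sysmon_event1":
        # URL first (the phishing click); a process creation without a URL
        # still gets its image hash checked instead of crashing the script.
        m = URL_RE.search(eventdata.get("commandLine") or "")
        return m.group("url") if m else _sha256_from(eventdata)
    if event_type == "sysmon_event_22":
        return eventdata.get("queryName") or None
    if event_type in HASH_EVENTS:
        return _sha256_from(eventdata)
    return None


# Constructed samples (hypothetical helper and trimmed alerts); the command line
# and hashes are the ones from the Sysmon event 1 alert quoted in the thread.
CHROME_CMD = (r'\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" '
              r'--single-argument http://twoparrot.com/wp-includes/s7agv/')
HASHES = ("MD5=0BB1766795AB719DF477CB2AFA446749,"
          "SHA256=9F314794880AE5635C634C385C94A252328AAD242EB1193DD70345AAABAF00BE,"
          "IMPHASH=6B4443349D1BF3B7F64F196B03E28222")


def make_alert(event_type, **eventdata):
    return {"rule": {"groups": ["windows", "sysmon", event_type]},
            "data": {"win": {"eventdata": eventdata}}}


SAMPLE_URL_CLICK = make_alert("sysmon_event1", commandLine=CHROME_CMD, hashes=HASHES)
SAMPLE_NO_URL = make_alert("sysmon_event1", commandLine=r'\"C:\\Windows\\notepad.exe\"', hashes=HASHES)
SAMPLE_NO_DATA = make_alert("sysmon_event1", commandLine=r'\"C:\\Windows\\notepad.exe\"')
SAMPLE_DNS = make_alert("sysmon_event_22", queryName="www.wazuh.com")

if __name__ == "__main__":
    for name, sample in [("url click", SAMPLE_URL_CLICK), ("no url", SAMPLE_NO_URL),
                         ("no data", SAMPLE_NO_DATA), ("dns", SAMPLE_DNS)]:
        print(name, "->", extract_search_value(sample))
```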

HA

Aug 10, 2022, 7:53:54 AM
to Wazuh mailing list
Hi Christian, 

I think it matches because we can see the API call to MISP following the process creation with the specified URL (example http://twoparrot.com/wp-includes/s7agv/ here)....
The issue seems to be with the API call (maybe bad format??)...


{"timestamp":"2022-08-10T11:43:48.735+0000","rule":{"level":2,"description":"Sysmon - Event 1: Process creation.","id":"101101","firedtimes":59,"mail":false,"groups":["windows","sysmon","sysmon_event1"]},"agent":{"id":"011","name":"WS00126","ip":"192.168.145.1","labels":{"group":"SIM"}},"manager":{"name":"wazuh-server"},"id":"1660131828.2923003667","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"1","version":"5","level":"4","task":"1","opcode":"0","keywords":"0x8000000000000000","systemTime":"2022-08-10T11:43:47.7173197Z","eventRecordID":"1274487","processID":"6520","threadID":"7980","channel":"Microsoft-Windows-Sysmon/Operational","computer":"WS00126.sim.prod","severityValue":"INFORMATION","message":"\"Process Create:\r\nRuleName: -\r\nUtcTime: 2022-08-10 11:43:47.715\r\nProcessGuid: {08506e83-99f3-62f3-78ee-000000003d00}\r\nProcessId: 18272\r\nImage: C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\r\nFileVersion: 104.0.5112.79\r\nDescription: Google Chrome\r\nProduct: Google Chrome\r\nCompany: Google LLC\r\nOriginalFileName: chrome.exe\r\nCommandLine: \"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --single-argument http://twoparrot.com/wp-includes/s7agv/\r\nCurrentDirectory: C:\\Users\\HA\\OneDrive - sim.prod\\Documents\\\r\nUser: SIM\\HA\r\nLogonGuid: {08506e83-ed59-62e0-952b-aa0000000000}\r\nLogonId: 0xAA2B95\r\nTerminalSessionId: 1\r\nIntegrityLevel: Medium\r\nHashes: MD5=0BB1766795AB719DF477CB2AFA446749,SHA256=9F314794880AE5635C634C385C94A252328AAD242EB1193DD70345AAABAF00BE,IMPHASH=6B4443349D1BF3B7F64F196B03E28222\r\nParentProcessGuid: {08506e83-5577-62f3-f4e5-000000003d00}\r\nParentProcessId: 34072\r\nParentImage: C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE\r\nParentCommandLine: \"C:\\Program Files\\Microsoft Office\\Root\\Office16\\WINWORD.EXE\" /n \"C:\\Users\\ha\\OneDrive - 
sim\\Desktop\\New Microsoft Word Document.docx\" /o \"\"\r\nParentUser: SIM\\HA\""},"eventdata":{"utcTime":"2022-08-10 11:43:47.715","processGuid":"{08506e83-99f3-62f3-78ee-000000003d00}","processId":"18272","image":"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe","fileVersion":"104.0.5112.79","description":"Google Chrome","product":"Google Chrome","company":"Google LLC","originalFileName":"chrome.exe","commandLine":"\\\"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\\\" --single-argument http://twoparrot.com/wp-includes/s7agv/","currentDirectory":"C:\\\\Users\\\\ha\\\\OneDrive - sim.prod\\\\Documents\\\\","user":"SIM\\\\HA","logonGuid":"{08506e83-ed59-62e0-952b-aa0000000000}","logonId":"0xaa2b95","terminalSessionId":"1","integrityLevel":"Medium","hashes":"MD5=0BB1766795AB719DF477CB2AFA446749,SHA256=9F314794880AE5635C634C385C94A252328AAD242EB1193DD70345AAABAF00BE,IMPHASH=6B4443349D1BF3B7F64F196B03E28222","parentProcessGuid":"{08506e83-5577-62f3-f4e5-000000003d00}","parentProcessId":"34072","parentImage":"C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office16\\\\WINWORD.EXE","parentCommandLine":"\\\"C:\\\\Program Files\\\\Microsoft Office\\\\Root\\\\Office16\\\\WINWORD.EXE\\\" /n \\\"C:\\\\Users\\\\ha\\\\OneDrive - sim\\\\Desktop\\\\New Microsoft Word Document.docx\\\" /o \\\"\\\"","parentUser":"SIM\\\\HA"}}},"location":"EventChannel"}

Christian Bassey

Aug 10, 2022, 12:50:54 PM
to Wazuh mailing list
Hi HA,

You are right. The Sysmon event 1 is fine and the URL extraction works. The problem might be with the API response.

You can enable logging by including these lines before line 110 of the initial code (the line that says # Check if response includes Attributes (IoCs)):
misp_api_response = misp_api_response.json()

LOG_FILE = "/var/ossec/logs/integrations.log"
with open(LOG_FILE, mode="a") as log_file:
       log_file.write(str(misp_api_response +"\n"))

# Check if response includes Attributes (IoCs)
if (misp_api_response["response"]["Attribute"]):


Check the integrations.log file and let me know what the misp_api_response is.


HA

Aug 11, 2022, 2:34:18 AM
to Wazuh mailing list
Hi,

I put the following code...
    else:

        misp_api_response = misp_api_response.json()
        LOG_FILE = "/var/ossec/logs/integrations.log"
        with open(LOG_FILE, mode="a") as log_file:
         log_file.write(str(misp_api_response +"\n"))
    # Check if response includes Attributes (IoCs)

The file is created...
[root@wazuh-server logs]# pwd
/var/ossec/logs
[root@wazuh-server logs]# ls -ali integrations.log
8820925 -rw-r----- 1 wazuh wazuh 0 Aug 11 06:20 integrations.log

But in the ossec.log...
2022/08/11 06:32:19 wazuh-integratord: ERROR: Unable to run integration for custom-misp.py -> integrations
2022/08/11 06:32:19 wazuh-integratord: ERROR: While running custom-misp.py -> integrations. Output: TypeError: unsupported operand type(s) for +: 'dict' and 'str'
2022/08/11 06:32:19 wazuh-integratord: ERROR: Exit status was: 1

Script error but no idea why....

Many thanks for your help !!

HA 

Christian Bassey

Aug 11, 2022, 3:21:14 AM
to Wazuh mailing list
Hi, please change 

 log_file.write(str(misp_api_response +"\n"))

to 

 log_file.write(misp_api_response)

Reason:
misp_api_response is an array and the initial code was treating it as a string.

Once that's done, please provide me the contents of integrations.log and ossec.log

HA

Aug 11, 2022, 4:18:13 AM
to Wazuh mailing list
Hi,

If I change to 
log_file.write(misp_api_response)

I get the following error message in ossec.log
2022/08/11 08:10:30 wazuh-integratord: ERROR: Exit status was: 1
2022/08/11 08:10:31 wazuh-integratord: ERROR: Unable to run integration for custom-misp.py -> integrations
2022/08/11 08:10:31 wazuh-integratord: ERROR: While running custom-misp.py -> integrations. Output: TypeError: write() argument must be str, not dict
2022/08/11 08:10:31 wazuh-integratord: ERROR: Exit status was: 1 

I tried with 
log_file.write(str(misp_api_response))
I still have error in ossec.log like
2022/08/11 08:13:19 wazuh-integratord: ERROR: Unable to run integration for custom-misp.py -> integrations
2022/08/11 08:13:19 wazuh-integratord: ERROR: While running custom-misp.py -> integrations. Output: KeyError: 'response'
2022/08/11 08:13:19 wazuh-integratord: ERROR: Exit status was: 1

BUT integration.log is now filled with entries like the following..
{'response': {'Attribute': []}}{'name': 'Not Found', 'message': 'Not Found', 'url': '/e:http://ieee-acts.com/mainpage/vg/?%2Fattributes%2FrestSearch%2Fvalue%3Ahttp%3A%2Fieee-acts_com%2Fmainpage%2Fvg%2F='}

So we get a reply from MISP...
I think the remaining issue is the /e: before the URL (maybe I'm wrong)...
'url': '/e:http://ie...

HA

Christian Bassey

Aug 11, 2022, 6:16:28 AM
to Wazuh mailing list
Hi, 

I have tested the URL extraction line with a sysmon 1 event and it extracts the URL correctly. If you see, the regex says it should search for a url in the commandLine value and extract it.

The problem I can see is that the response from your API is empty.

Can you try with another URL and let me know the response?

Also, you can change 

 log_file.write(misp_api_response)

To:

log_file.write(wazuh_event_param)

In order to get the details of the URL extracted in the integrations.log file.

HA

Aug 11, 2022, 8:02:33 AM
to Wazuh mailing list
Hi,

Changed to

log_file.write(str(wazuh_event_param))

tail -f intergration.log

It's the correct value for  wazuh_event_param....

Christian Bassey

Aug 11, 2022, 9:16:20 AM
to Wazuh mailing list
Yes, the URL is being extracted correctly. 

You would have to do some troubleshooting on the MISP side because, from the response you sent earlier, Attribute is empty; that's why you were getting that error.


{'response': {'Attribute': []}}{'name': 'Not Found', 'message': 'Not Found', 'url': '/e:http://ieee-acts.com/mainpage/vg/?%2Fattributes%2FrestSearch%2Fvalue%3Ahttp%3A%2Fieee-acts_com%2Fmainpage%2Fvg%2F='}

Are the other sysmon events working as expected with the integration?
What I mean is are you getting the same kind of error when you try to do a ping to twoparrot.com for example?
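Added example (not the thread's script nor the attached one) of the MISP request and reply handling discussed in this exchange: the reply can be a match, an empty Attribute list, or the Not Found error that has no 'response' key at all (the KeyError above), and the integrations.log line is serialised with json.dumps so neither the dict + str TypeError nor the write() TypeError occurs. MISP_BASE_URL is a placeholder, and the POST body keys are MISP's documented restSearch parameters, assumed here rather than taken from the thread.

```python
import json

# Placeholder instance, not the one in the thread
MISP_BASE_URL = "https://misp.example.invalid"


def build_misp_request(search_value, event_type):
    """Return (method, url, json_body) for MISP's attribute restSearch.

    Hashes and domains keep the GET form the integration script uses
    (/attributes/restSearch/value:<ioc>). A URL from sysmon_event1 carries
    '/' and ':' that do not survive in the request path (the Not Found reply in
    the thread echoes a mangled '/e:http://...' path), so it is sent as a POST
    to /attributes/restSearch with the search criteria in a JSON body.
    """
    if event_type == "sysmon_event1":
        body = {"returnFormat": "json", "type": "url", "value": search_value}
        return "POST", MISP_BASE_URL + "/attributes/restSearch", body
    return "GET", MISP_BASE_URL + "/attributes/restSearch/value:" + search_value, None


def summarize_misp_response(resp, rule_description):
    """Turn a decoded restSearch reply into the alert_output dict sent to Wazuh.

    Handles the three reply shapes that appear in integrations.log:
      {'response': {'Attribute': [...]}}  -> match: alert_output with the IoC
      {'response': {'Attribute': []}}     -> no match: None, nothing to send
      {'name': 'Not Found', ...}           -> API error reported, not a KeyError
    """
    if not isinstance(resp, dict) or "response" not in resp:
        message = resp.get("message") if isinstance(resp, dict) else None
        return {"integration": "misp",
                "misp": {"error": message or "unexpected MISP reply"}}
    attributes = resp["response"].get("Attribute") or []
    if not attributes:
        return None
    first = attributes[0]
    return {
        "integration": "misp",
        "misp": {
            "event_id": first.get("event_id"),
            "category": first.get("category"),
            "value": first.get("value"),
            "type": first.get("type"),
            "source": {"description": rule_description},
        },
    }


def format_log_line(obj):
    """Serialize one reply for integrations.log as a single JSON line."""
    return json.dumps(obj) + "\n"


# Replies copied from the thread (the match is trimmed to the fields read above)
EMPTY_REPLY = {"response": {"Attribute": []}}
NOT_FOUND_REPLY = {"name": "Not Found", "message": "Not Found",
                   "url": "/e:http://ieee-acts.com/mainpage/vg/?%2Fattributes%2FrestSearch%2Fvalue%3Ahttp%3A%2Fieee-acts_com%2Fmainpage%2Fvg%2F="}
MATCH_REPLY = {"response": {"Attribute": [{"id": "276059", "event_id": "1243",
                                           "category": "Network activity", "type": "domain",
                                           "to_ids": True, "value": "dafnefonseca.com"}]}}

if __name__ == "__main__":
    print(build_misp_request("http://twoparrot.com/wp-includes/s7agv/", "sysmon_event1"))
    for reply in (EMPTY_REPLY, NOT_FOUND_REPLY, MATCH_REPLY):
        print(format_log_line(reply), end="")
        print(summarize_misp_response(reply, "Sysmon - Event 22: DNS query."))
```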

HA

Aug 11, 2022, 9:41:30 AM
to Wazuh mailing list
Hi,

Yes, the sysmon_event_22 (DNS queries) is working correctly.
Example:
ping www.wazuh.com (which is NOT reported as a compromised domain in MISP) 

tail -f integration.log 
{'response': {'Attribute': []}}

ping dafnefonseca.com (which is reported as a compromised domain in MISP) 

tail -f integration.log 
{'response': {'Attribute': [{'id': '276059', 'event_id': '1243', 'object_id': '19748', 'object_relation': 'domain', 'category': 'Network activity', 'type': 'domain', 'to_ids': True, 'uuid': '92f61960-d374-475b-b471-b65311fd673d', 'timestamp': '1650873794', 'distribution': '5', 'sharing_group_id': '0', 'comment': '', 'deleted': False, 'disable_correlation': False, 'first_seen': None, 'last_seen': None, 'value': 'dafnefonseca.com', 'Event': {'org_id': '1', 'distribution': '3', 'id': '1243', 'info': 'TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies', 'orgc_id': '3', 'uuid': 'c65578dd-3d7d-4a1a-bc30-7d12af38a59a'}, 'Object': {'id': '19748', 'distribution': '5', 'sharing_group_id': '0'}}, {'id': '276174', 'event_id': '1244', 'object_id': '0', 'object_relation': None, 'category': 'Network activity', 'type': 'domain', 'to_ids': True, 'uuid': 'bc022016-fb5d-45f9-9372-b3c43a9330f7', 'timestamp': '1650870667', 'distribution': '5', 'sharing_group_id': '0', 'comment': '', 'deleted': False, 'disable_correlation': False, 'first_seen': None, 'last_seen': None, 'value': 'dafnefonseca.com', 'Event': {'org_id': '1', 'distribution': '3', 'id': '1244', 'info': 'A22-108A TraderTraitor North Korean State-Sponsored APT Targets Blockchain Companies', 'orgc_id': '3', 'uuid': '2ec1f538-1915-4636-8b38-101cb1efce5e'}}]}}

HA

Christian Bassey

Aug 11, 2022, 11:48:52 AM
to Wazuh mailing list
Hi HA, 

Thank you for this information. I am deploying a MISP instance in my lab and will provide you with some feedback once I finish my tests.

Christian Bassey

Aug 12, 2022, 3:51:54 AM
to Wazuh mailing list
Hi HA,

I performed some tests in my environment with the script modified for the URL. Below were my findings:

- I opened the URL http://twoparrot.com/wp-includes/s7agv/ from the command line to generate a custom alert to trigger the integration script. The sample log contained the line below:

data.win.eventdata.commandLine \"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --single-argument http://twoparrot.com/wp-includes/s7agv/

- When the integration script ran, the following was extracted from it as the URL (the wazuh_event_param variable): http://twoparrot.com/wp-includes/s7agv/

- The result of the MISP integration logged to my integration.log file was:
{"response": {"Attribute": []}}
Meaning it was not found in my MISP instance. There were no errors in ossec.log.

I believe the block we modified is working as expected and that error was from the formatting of the URL like you mentioned earlier.

You can proceed to perform more tests with different sysmon 1 events and URLs and let me know if you encounter any other errors.

HA

Aug 12, 2022, 5:38:44 AM
to Wazuh mailing list
Hi Christian,

First, thanks a lot for your help.
I found a domain name and URL that should trigger an alert (for both)...
DNS query to aideck.net

for DNS query in the integration.log
{'response': {'Attribute': [{'id': '276088', 'event_id': '1243', 'object_id': '19754', 'object_relation': 'domain', 'category': 'Network activity', 'type': 'domain', 'to_ids': True, 'uuid': 'f1dda6f9-c665-4431-bc3f-0b1b66808f7a', 'timestamp': '1650634870', 'distribution': '5', 'sharing_group_id': '0', 'comment': '', 'deleted': False, 'disable_correlation': False, 'first_seen': None, 'last_seen': None, 'value': 'aideck.net', 'Event': {'org_id': '1', 'distribution': '3', 'id': '1243', 'info': 'TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies', 'orgc_id': '3', 'uuid': 'c65578dd-3d7d-4a1a-bc30-7d12af38a59a'}, 'Object': {'id': '19754', 'distribution': '5', 'sharing_group_id': '0'}}, {'id': '276166', 'event_id': '1244', 'object_id': '0', 'object_relation': None, 'category': 'Network activity', 'type': 'domain', 'to_ids': True, 'uuid': 'f7a2638d-221b-41d8-beb9-626694e88b11', 'timestamp': '1650870667', 'distribution': '5', 'sharing_group_id': '0', 'comment': '', 'deleted': False, 'disable_correlation': False, 'first_seen': None, 'last_seen': None, 'value': 'aideck.net', 'Event': {'org_id': '1', 'distribution': '3', 'id': '1244', 'info': 'A22-108A TraderTraitor North Korean State-Sponsored APT Targets Blockchain Companies', 'orgc_id': '3', 'uuid': '2ec1f538-1915-4636-8b38-101cb1efce5e'}}]}}

for HTTP query in the integration.log

Regards,

HA

Christian Bassey

Aug 12, 2022, 7:56:47 AM
to Wazuh mailing list
Hi Ha, thank you for the feedback.

Please what version of MISP are you running? I seem to be getting a different behavior. I want to confirm that the version of MISP is not the reason for the different responses.

I am running MISP 2.4.161.

Additionally, I have attached my MISP integration script here. The following changes were made.

- An if-else block was added from line 110 to 113 to check if the event is a sysmon 1 event or not. If it is a sysmon 1 event, the request is sent as a post request. Otherwise it is sent as a get request.

Please modify the MISP instance and API keys accordingly, comment out your present code and try mine. Kindly let me know what you see in the integration log. Thanks!
misp-integration.py

HA

Aug 12, 2022, 11:43:27 AM
to Wazuh mailing list
Hi,

I upgraded to the same MISP version as yours and I used your script...
It almost works now!!
The only issue I have is with the URL displayed in the Wazuh GUI...
It always displays http://java-se.com/o.js...
Even if the bad URLs I called were
etc

DNS query are displayed with the correct value...

Again many thanks for your help !!

HA
IOC.PNG

Christian Bassey

Aug 15, 2022, 2:21:32 AM
to Wazuh mailing list
Hi HA,

Glad to hear we are making progress!

Please change line 131 in my script:

alert_output["misp"]["value"] = misp_api_response["response"]["Attribute"][0]["value"]

To:

if event_type == 'sysmon_event1':
    alert_output["misp"]["value"] = misp_api_response["response"]["Attribute"][0]["url"]
else:
    alert_output["misp"]["value"] = misp_api_response["response"]["Attribute"][0]["value"]


Also, comment out lines 43 and 44 and uncomment lines 41 and 42. I added lines 43 and 44 to test specifically for Windows Sysmon event 1.

Please let me know if this helps. Best.

HA

Aug 16, 2022, 3:08:30 AM
to Wazuh mailing list
Hi,

I changed the script as requested... But now there are no more URL-type alerts at all...

That's what I see in ossec.log:
2022/08/16 05:53:59 wazuh-integratord: ERROR: Unable to run integration for custom-misp.py -> integrations
2022/08/16 05:53:59 wazuh-integratord: ERROR: While running custom-misp.py -> integrations. Output: AttributeError: 'NoneType' object has no attribute 'group'
2022/08/16 05:53:59 wazuh-integratord: ERROR: Exit status was: 1
2022/08/16 05:54:01 wazuh-integratord: ERROR: Unable to run integration for custom-misp.py -> integrations
2022/08/16 05:54:01 wazuh-integratord: ERROR: While running custom-misp.py -> integrations. Output: KeyError: 'url'
2022/08/16 05:54:01 wazuh-integratord: ERROR: Exit status was: 1

Regards,

HA

Christian Bassey

Aug 16, 2022, 5:13:52 AM
to Wazuh mailing list
Hi, please, what is the entry in the integrations.log file?

HA

Aug 16, 2022, 9:46:58 AM
to Wazuh mailing list
Hi,

This is partial content of the integration.log.
It seems that every time a URL query is sent to MISP and hits a match, the system returns the full MISP database (the log file reached 14M after querying 2 or 3 URLs)!!
Moreover, we can see the first entry is http://java-se.com/o.js.
This is the entry we always see in the Wazuh alert (see previous screenshot)...

Hedi



Christian Bassey

Aug 17, 2022, 6:43:34 AM8/17/22
to Wazuh mailing list
Hi Heidi, 

Please share your own integration script. For some reason, the response you are getting is for all the MISP values.

HA

Aug 17, 2022, 8:08:36 AM8/17/22
to Wazuh mailing list
Hi,

Please find the attached script...

Regards,

HA

custom-misp-with-url-wazuh.py.txt

Christian Bassey

Aug 17, 2022, 10:05:05 AM8/17/22
to Wazuh mailing list
Hi Heidi,

Please use the attached script. Ensure you specify your own API keys and MISP instance.
misp-integration.py

HA

Aug 17, 2022, 11:11:57 AM8/17/22
to Wazuh mailing list
Hi Christian,

I uploaded the script and IT WORKS !!
I have now the correct URL displayed in Wazuh !
Many thanks for your support and your help !! Without you it wouldn't be possible...

Regards,

HA

Christian Bassey

Aug 17, 2022, 11:14:40 AM8/17/22
to Wazuh mailing list
Glad to hear it works! Have fun with your Wazuh and MISP installation!

HA

Aug 19, 2022, 7:58:03 AM8/19/22
to Wazuh mailing list
Hi Christian,

I probably need your help again....
I discovered that MISP stores events (in the case of URLs) in 2 different formats: one prefixed with http(s) and one without http(s).

Example:

When the script is triggered (sysmon event 1), I need to send two queries:
 
If not I could miss some bad activity...

Any idea ??

Regards,

HA

Christian Bassey

Aug 23, 2022, 4:14:27 AM8/23/22
to Wazuh mailing list
Hi Hedi!

Apologies for my late reply.

The approach I can think of is to send the URL without the http(s) prefix always. Will MISP detect it properly?
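As an added example (not the script exchanged in this thread, nor Wazuh's or MISP's own code), the following Python helpers cover the three failure points the thread runs into: a Sysmon event 1 command line that contains no URL (the `'NoneType' object has no attribute 'group'` error), reading a non-existent `url` key from a MISP attribute (the `KeyError: 'url'`), and indicators stored with or without the http(s) prefix, handled here by querying both forms plus the bare hostname. The command lines and the MISP reply are constructed sample data; the function names are assumptions for this example.

```python
import re
from urllib.parse import urlsplit

# Constructed Sysmon event 1 command lines (not real telemetry).
SAMPLE_CMDLINES = [
    '"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" '
    '--single-argument https://kb.fortinet.com/kb/viewAttachment.do?attachID=2.10%20Asset',
    '"C:\\Windows\\System32\\notepad.exe" C:\\Users\\hedi\\notes.txt',
]

# Same pattern as the thread's regex, but also stops at quote characters.
URL_RE = re.compile(r'''(?P<url>https?://[^\s"']+)''')


def extract_url(command_line):
    """Return the first http(s) URL in a command line, or None.

    Checking the match object before calling .group() is what avoids the
    'NoneType' object has no attribute 'group' crash for event 1 records
    (most process creations) whose command line carries no URL.
    """
    if not command_line:
        return None
    match = URL_RE.search(command_line)
    return match.group("url") if match else None


def misp_lookup_values(url):
    """Values to query MISP for one observed URL.

    MISP may hold the indicator with the scheme, without it, or as a
    hostname, so all three forms are returned for the lookup.
    """
    parts = urlsplit(url)
    no_scheme = url.split("://", 1)[-1]
    values = [url, no_scheme]
    if parts.hostname and parts.hostname not in values:
        values.append(parts.hostname)
    return values


def first_attribute_value(misp_api_response):
    """Matched indicator from a MISP attributes/restSearch reply, or None.

    A MISP attribute stores the indicator under 'value' (for url-type
    attributes too); there is no 'url' key, hence the KeyError seen in the
    thread. An empty 'Attribute' list means no match.
    """
    attrs = misp_api_response.get("response", {}).get("Attribute", [])
    if not attrs:
        return None
    return attrs[0].get("value")
```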