Integrating MISP Threat Intelligence with Wazuh


R swan

May 4, 2022, 4:47:23 AM
to Wazuh mailing list
Hello community,

We have installed Wazuh on a cloud VPS and MISP on a local server.
How can we integrate the two?

Regards

Jonathan José Levy Gil

May 5, 2022, 6:25:59 AM
to Wazuh mailing list
Hi r9swan!

Any threat intelligence source can be used with Wazuh as part of an external integration: you can download information directly from the external source, use CDB lists, or make real-time queries using APIs. For the last option, Wazuh uses the integrator daemon, which allows it to connect to an external API and generate alerts.

Reviewing the MISP documentation, it looks like it supports API interactions with external entities, so as long as it can be queried using this method, Wazuh should be able to query these feeds. However, in any case, it will be necessary to develop custom rules in order to alert on the API interaction events and also on customized security issues based on the information received.

A good example of how Wazuh can fetch information from external feeds using API requests is the VirusTotal integration; this example could help you understand this approach.

Hope this helps,

Regards
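The reply above describes the integrator-daemon approach in the abstract. The following is an added example, not code from the thread or from the Wazuh or MISP projects, of what a custom integrator script for MISP could look like. It assumes the script is saved under a hypothetical name `custom-misp` in `/var/ossec/integrations/`, that wazuh-integratord invokes it as `custom-misp <alert_file> <api_key> <hook_url>`, that `hook_url` points at a MISP instance (placeholder `https://misp.example.internal`), and that MISP's `POST /attributes/restSearch` endpoint is used for lookups. The alert fields it inspects (`data.srcip`, `data.dstip`, `data.url`, `syscheck.sha256_after`) and the sample alert and MISP response are constructed for illustration.

```python
#!/usr/bin/env python3
"""Added example: a custom Wazuh integrator script that enriches alerts with MISP.

Assumed deployment (not from the original thread):
  * saved as /var/ossec/integrations/custom-misp (hypothetical name),
  * invoked by wazuh-integratord as: custom-misp <alert_file> <api_key> <hook_url>,
  * hook_url is the MISP base URL, e.g. https://misp.example.internal (placeholder).
Network access is confined to query_misp() and send_event(); the remaining
functions are pure and are exercised below on constructed sample data.
"""
import json
import socket
import sys
import urllib.request

WAZUH_SOCKET = "/var/ossec/queue/sockets/queue"   # analysisd's local datagram socket
INTEGRATION_NAME = "custom-misp"                  # used as the event "location"

# Alert fields to look up in MISP: (path inside the alert JSON) -> MISP attribute type.
# These paths are assumptions chosen for the example.
IOC_FIELDS = {
    ("data", "srcip"): "ip-src",
    ("data", "dstip"): "ip-dst",
    ("data", "url"): "url",
    ("syscheck", "sha256_after"): "sha256",
}


def extract_iocs(alert):
    """Return {indicator_value: misp_type} for every indicator present in the alert."""
    found = {}
    for path, misp_type in IOC_FIELDS.items():
        node = alert
        for key in path:
            node = node.get(key) if isinstance(node, dict) else None
            if node is None:
                break
        if isinstance(node, str) and node:
            found[node] = misp_type
    return found


def build_misp_query(values):
    """Request body for POST /attributes/restSearch (MISP REST API; assumed endpoint)."""
    return {"returnFormat": "json", "value": sorted(values), "enforceWarninglist": True}


def parse_misp_response(body):
    """Reduce a restSearch response to {value: {event_id, category, type}}."""
    matches = {}
    for attr in body.get("response", {}).get("Attribute", []):
        matches[attr["value"]] = {
            "event_id": attr.get("event_id"),
            "category": attr.get("category"),
            "type": attr.get("type"),
        }
    return matches


def build_wazuh_event(alert, matches):
    """Event handed back to analysisd; a custom rule can match on integration == custom-misp."""
    return {
        "integration": INTEGRATION_NAME,
        "misp": {
            "source_rule_id": alert.get("rule", {}).get("id"),
            "agent": alert.get("agent", {}).get("name"),
            "matched": [dict(value=v, **info) for v, info in sorted(matches.items())],
        },
    }


def query_misp(hook_url, api_key, values):
    """Live lookup. MISP expects the raw API key in the Authorization header."""
    req = urllib.request.Request(
        hook_url.rstrip("/") + "/attributes/restSearch",
        data=json.dumps(build_misp_query(values)).encode(),
        headers={"Authorization": api_key, "Accept": "application/json",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_misp_response(json.load(resp))


def send_event(event, sock_path=WAZUH_SOCKET):
    """Deliver '1:<location>:<json>' to analysisd so rules can fire on it."""
    msg = "1:%s:%s" % (INTEGRATION_NAME, json.dumps(event))
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as s:
        s.connect(sock_path)
        s.send(msg.encode())


# Constructed sample data (not real alerts or MISP content).
SAMPLE_ALERT = {
    "rule": {"id": "5710", "level": 5},
    "agent": {"name": "web01"},
    "data": {"srcip": "203.0.113.9"},
    "syscheck": {"sha256_after": "0123456789abcdef" * 4},
}
SAMPLE_MISP_RESPONSE = {"response": {"Attribute": [
    {"value": "203.0.113.9", "event_id": "42",
     "category": "Network activity", "type": "ip-src"},
]}}


def main(argv):
    alert_file, api_key, hook_url = argv[1:4]
    with open(alert_file) as f:
        alert = json.load(f)
    iocs = extract_iocs(alert)
    if not iocs:
        return 0                      # nothing worth asking MISP about
    matches = query_misp(hook_url, api_key, iocs)
    if matches:
        send_event(build_wazuh_event(alert, matches))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In this design the script only emits an event when MISP returns at least one matching attribute, so the custom rule on the Wazuh side can be a straightforward match on the `integration` field rather than having to distinguish hits from misses. The manager-side wiring (an `<integration>` block in `ossec.conf` naming `custom-misp`, the `hook_url`, the `api_key`, the rule IDs to forward and `alert_format` json) follows the same shape as the VirusTotal integration mentioned above; the exact keys should be taken from the Wazuh documentation for the version in use.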

Sri

Mar 1, 2024, 7:52:09 AM
to Wazuh | Mailing List
Is there a way to enable API integration via the Wazuh dashboard? From the documentation, what I understand is that the /var/ossec/integrations file needs to be edited with the required config to enable the API. However, I don't have SSH access; I can only access the Wazuh dashboard. In the settings on the dashboard I couldn't find any way to do this.