MISP Integration with Wazuh


Blason R

May 5, 2020, 4:44:11 AM
to Wazuh mailing list
Hi Folks,

Any use case if Wazuh can be integrated with MISP or threat intel can be pulled from Wazuh and have a look at it?

Franco Giovanolli

May 5, 2020, 1:36:01 PM
to Wazuh mailing list
Hi Blason, regarding the MISP integration into Wazuh, please take a look at our documentation related to the Wazuh Integrator.

Since MISP has a "Flexible API to integrate MISP with your own solutions", the section related to the VirusTotal Integration could be helpful for you.

In essence, it consists of editing the Wazuh Manager config file:
/var/ossec/etc/ossec.conf

by adding the following code block:
<integration>
  <name>virustotal</name>
  <api_key>API_KEY</api_key> <!-- Replace with your VirusTotal API key -->
  <group>syscheck</group>
  <alert_format>json</alert_format>
</integration>


You can change the name <name> and use the correct MISP API_KEY


Then, restart the wazuh-manager service:
systemctl restart wazuh-manager



Please, let us know if this helps you.

Regards,
Franco

Mike Harness

May 11, 2020, 8:40:52 AM
to Wazuh mailing list
I am curious about this as well.
How do we point to our install of MISP as the server to use for this integration?

Mike Harness

May 11, 2020, 8:41:52 AM
to Wazuh mailing list
Ah, I guess that would be the Hook URL. Thanks for the info Franco!
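
An added example, not part of the thread and not Wazuh's or MISP's own code: a sketch of a custom integration script that looks up syscheck file hashes in a MISP instance through its REST API. It assumes the Integrator's custom-script convention (a script whose name starts with `custom-`, here the hypothetical `custom-misp`, called with the alert file, `api_key` and `hook_url` as arguments), that `hook_url` holds the MISP base URL, and MISP's `/attributes/restSearch` endpoint.

```python
#!/usr/bin/env python3
import json
import sys
import urllib.request

HASH_FIELDS = ("md5_after", "sha1_after", "sha256_after")  # syscheck alert fields
# Constructed sample alert (not from the thread), trimmed to the fields used here.
SAMPLE_ALERT = {"id": "constructed-1", "syscheck": {"path": "/tmp/sample.bin",
                "md5_after": "d41d8cd98f00b204e9800998ecf8427e"}}


def extract_hashes(alert):
    """Return the file hashes present in a syscheck alert (empty for other alerts)."""
    syscheck = alert.get("syscheck") or {}
    return [syscheck[f] for f in HASH_FIELDS if syscheck.get(f)]


def build_misp_request(hook_url, api_key, value):
    """Build a POST to MISP's attributes/restSearch for a single indicator value."""
    body = json.dumps({"returnFormat": "json", "value": value}).encode()
    return urllib.request.Request(
        hook_url.rstrip("/") + "/attributes/restSearch",
        data=body, method="POST",
        headers={"Authorization": api_key, "Accept": "application/json",
                 "Content-Type": "application/json"})


def parse_hits(misp_json):
    """Reduce a restSearch response to (event_id, type, value) tuples."""
    attrs = (misp_json.get("response") or {}).get("Attribute") or []
    return [(a.get("event_id"), a.get("type"), a.get("value")) for a in attrs]


def main(argv):
    # Assumed calling convention: argv[1]=alert file, argv[2]=api_key, argv[3]=hook_url
    alert_path, api_key, hook_url = argv[1], argv[2], argv[3]
    with open(alert_path) as fh:
        alert = json.load(fh)
    for value in extract_hashes(alert):
        req = build_misp_request(hook_url, api_key, value)
        with urllib.request.urlopen(req, timeout=10) as resp:  # TLS verified by default
            for hit in parse_hits(json.load(resp)):
                print(json.dumps({"misp_hit": hit, "alert_id": alert.get("id")}))


if __name__ == "__main__":
    main(sys.argv)
```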