MISP Integration


Nathan D.

Oct 8, 2025, 9:26:46 AM
to Wazuh | Mailing List
Hi everyone,

I installed a MISP instance so that I could integrate it with Wazuh. I installed Sysmon on the Windows endpoint and used the SwiftOnSecurity configuration.

I inserted the script, and I took the rules from this file too:
https://github.com/wazuh/integrations/tree/main/integrations/misp
in the /var/ossec/integration folder.

I modified the ossec.conf configuration file as follows:

```xml
<integration>
    <name>custom-email.py</name>
    <rule_id>60204,100002,100003,100004,100005,100006,100007,100008,100009,100010,100011,100012,100013,100015,100016</rule_id>
    <alert_format>json</alert_format>
    <options>JSON</options>
</integration>
<integration>
    <name>custom-misp</name>
    <group>sysmon_event1,sysmon_event3,sysmon_event6,sysmon_event7,sysmon_event_15,sysmon_event_22,syscheck</group>
    <alert_format>json</alert_format>
</integration>
```

My integration is correctly recorded in the logs (ossec.log).
I also modified the script to put in the IP address of my instance and add the Auth_key (read-only user).
However, I don't yet see any correlation of MISP alerts in Wazuh.
Has anyone already set up this integration and could guide me through the verification or debugging steps?
Thank you in advance.

I used these to help me:
https://medium.com/@AdonayT/1-misp-overview-a0b79d683234
https://github.com/socfortress/Wazuh-Rules/tree/main/MISP

jesusd...@wazuh.com

Oct 8, 2025, 2:00:44 PM
to Wazuh | Mailing List
It seems your configuration is set up correctly, but can you please share these details so I can troubleshoot your issue further?

- What version of Wazuh are you currently using?
- Are Sysmon alerts being generated?
- Check the permissions of the integration script using `ls -la /var/ossec/integrations`. Additionally, verify whether the script is saved with or without the `.py` extension. If you are using the Wazuh custom MISP script (https://github.com/wazuh/integrations/blob/main/integrations/misp/custom-misp.py), either remove the `.py` extension or include it in your integration name, like this: `<name>custom-misp.py</name>`
- Have you placed the `custom_misp_rules.xml` rules file in your Wazuh Manager `/var/ossec/etc/rules/` directory?
- Check for integratord logs with `cat /var/ossec/logs/ossec.log | grep wazuh-integratord` on your manager

Nathan D.

Oct 9, 2025, 7:05:51 AM
to Wazuh | Mailing List
I am using version 4.13.1 for the manager, and the agents are on 4.13.
For Sysmon, I am sending you a screenshot, but I imagine it is fine, and I can see the events on the Windows machine.

As for the permissions on the script, I have this:

```
-rwxr-x---  1 wazuh wazuh 17778 Oct  8 11:32 custom-misp
```

I have placed the rules in the directory:

```
ndriss@wazuhprog:/$ ls /var/ossec/etc/rules/
custom_misp_rules.xml  eset_local_rules.xml  local_rules.xml  local_rules.xml.save
```

When I run the command to view the integratord logs (`cat /var/ossec/logs/ossec.log | grep wazuh-integratord`), nothing appears.

Thank you
Capture d'écran 2025-10-09 091336.png

jesusd...@wazuh.com

Oct 9, 2025, 1:27:05 PM
to Wazuh | Mailing List
The image shows a Windows Sysmon alert, which confirms that the integration with your Windows events is working correctly.

Ensure that you are executing the command on your server or manager instance. Even if no integration is configured, it should output something like this:

```
[root@wazuh-manager-master-0 bin]# cat /var/ossec/logs/ossec.log | grep wazuh-integratord  
2025/10/09 01:13:09 wazuh-integratord: INFO: Remote integrations not configured. Clean exit.  
```

Also please share the following details:

- /var/ossec/logs/integrations.log
- /var/ossec/custom-misp-integration/logs/integrations.log
- How are you configuring the credentials and base URL?

Nathan D.

Oct 10, 2025, 4:47:25 AM
to Wazuh | Mailing List
Thank you for your reply.

I run all my commands on the server that hosts the manager.

For the command `cat /var/ossec/logs/ossec.log | grep wazuh-integratord`, I enabled debugging and got this:

```
2025/10/10 05:03:59 wazuh-integratord[162763] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2025/10/10 05:04:00 wazuh-integratord[162763] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2025/10/10 05:04:01 wazuh-integratord[162763] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2025/10/10 07:34:11 wazuh-integratord[162763] integrator.c:161 at OS_IntegratorD(): DEBUG: Sending new alert.
2025/10/10 07:34:11 wazuh-integratord[162763] integrator.c:272 at OS_IntegratorD(): DEBUG: Skipping: Rule doesn't match.
2025/10/10 07:34:11 wazuh-integratord[162763] integrator.c:240 at OS_IntegratorD(): DEBUG: Skipping: Group doesn't match.
2025/10/10 07:34:11 wazuh-integratord[162763] integrator.c:154 at OS_IntegratorD(): DEBUG: jqueue_next()
2025/10/10 07:34:10 wazuh-integratord[162763] json-queue.c:162 at jqueue_parse_json(): DEBUG: Can't read from 'logs/alerts/alerts.json'. Trying again
```

For the manager's integrations log, nothing appeared:

```
ndriss@wazuhprog:/$ sudo cat /var/ossec/logs/integrations.log
```

The script's own log shows this:

```
ndriss@wazuhprog:/var/ossec/integrations/custom-misp-integration/logs$ cat integrations.log
2025-10-08 13:21:09,138 [ERROR] wazuh-misp-integration: Failed to parse Wazuh integration arguments: list index out of range
2025-10-08 13:49:41,511 [ERROR] wazuh-misp-integration: Failed to parse Wazuh integration arguments: list index out of range
2025-10-08 14:41:05,818 [ERROR] wazuh-misp-integration: Failed to parse Wazuh integration arguments: list index out of range
2025-10-08 14:43:21,240 [ERROR] wazuh-misp-integration: Failed to parse Wazuh integration arguments: list index out of range
2025-10-08 14:44:24,983 [ERROR] wazuh-misp-integration: Failed to parse Wazuh integration arguments: list index out of range
2025-10-08 14:44:42,333 [ERROR] wazuh-misp-integration: Failed to parse alert input: Expecting property name enclosed in double quotes: line 1 column 2 (char 1)
2025-10-08 14:46:33,825 [ERROR] wazuh-misp-integration: Failed to parse alert input: Expecting property name enclosed in double quotes: line 1 column 2 (char 1)
2025-10-08 16:56:31,827 [ERROR] wazuh-misp-integration: Failed to parse Wazuh integration arguments: list index out of range
```

For the credentials, I use the auth_key, and for the base URL, I use the IP address of my instance, like this:

```python
MISP_BASE_URL = "https://<IP>"
MISP_API_KEY = "<My_auth_key>"
VERIFY_SSL = False
```

jesusd...@wazuh.com

Oct 21, 2025, 12:10:01 PM
to Wazuh | Mailing List

Hi Nathan,
Apologies for the delayed response.

I’ve been replicating your issue locally and consulting the team for further troubleshooting and assistance.

It appears that the new script version still lacks documentation and detailed configuration steps. When I attempted to set it up, the alerts were not generated as expected. However, you can continue using the previous script version, which I have tested and which is fully functional and successfully delivers MISP alerts.

You can refer to the README file containing a comprehensive step-by-step guide for configuring each component at the following link:
https://github.com/wazuh/integrations/blob/3cca29fc153913300a3ccbc4251dab2f59cb0a79/integrations/misp/README.md

Additionally, the previous script file you need to use is available here:
https://github.com/wazuh/integrations/blob/3cca29fc153913300a3ccbc4251dab2f59cb0a79/integrations/misp/custom-misp.py

If you’ve already completed the integration steps and published MISP test events, you may only need to replace the current script with the previous version and include some additional configurations in the <integration> block within your manager’s /var/ossec/etc/ossec.conf configuration file.

It should look something like this:

```xml
<integration>
  <name>custom-misp.py</name>
  <group>sysmon_event1,sysmon_event3,sysmon_event6,sysmon_event7,sysmon_event_15,sysmon_event_22,syscheck</group>
  <hook_url>https://YOUR_MISP_IP/attributes/restSearch/</hook_url>
  <api_key>YOUR_API_KEY</api_key>
  <alert_format>json</alert_format>
</integration>
```
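Added example for this thread, not the Wazuh project's own custom-misp.py: a skeleton that takes the three positional arguments Wazuh's integratord passes to a custom script (alert file path, api_key, hook_url, which is why the `<api_key>` and `<hook_url>` elements in the block above matter) and reports which one is missing instead of dying with the `list index out of range` seen in the earlier log, then selects the attribute to search in MISP from the Sysmon and syscheck groups used in this configuration. Assumptions: the alert field names (`data.win.eventdata.hashes`, `destinationIp`, `queryName`, `syscheck.sha256_after`) follow Wazuh's Sysmon and FIM decoders as I know them, the sample alert is constructed, and the request body uses MISP's documented `restSearch` format.

```python
"""Wazuh -> MISP lookup skeleton: strict argv parsing and IOC selection.
Added example for this thread; not the Wazuh project's own custom-misp.py."""
import json
import sys

USAGE = "usage: custom-misp.py <alert_file> <api_key> <hook_url>"
ARG_NAMES = ["alert_file", "api_key", "hook_url"]

def parse_args(argv):
    """Return (alert_file, api_key, hook_url), naming what is missing instead of raising IndexError."""
    if len(argv) < 4:  # argv[0] is the script itself
        missing = ARG_NAMES[max(len(argv) - 1, 0):]
        raise ValueError("missing integration argument(s): %s; %s" % (", ".join(missing), USAGE))
    return argv[1], argv[2], argv[3]

def extract_ioc(alert):
    """Pick (misp_type, value) to search for from a Sysmon or syscheck alert, or None."""
    groups = alert.get("rule", {}).get("groups", [])
    ev = alert.get("data", {}).get("win", {}).get("eventdata", {})
    if "sysmon_event1" in groups:  # process creation: hashes arrive as "SHA1=..,MD5=..,SHA256=..,IMPHASH=.."
        for part in ev.get("hashes", "").split(","):
            if part.startswith("SHA256="):
                return "sha256", part[len("SHA256="):]
    if "sysmon_event3" in groups and ev.get("destinationIp"):  # network connection
        return "ip-dst", ev["destinationIp"]
    if "sysmon_event_22" in groups and ev.get("queryName"):  # DNS query
        return "domain", ev["queryName"]
    if "syscheck" in groups and alert.get("syscheck", {}).get("sha256_after"):  # FIM change
        return "sha256", alert["syscheck"]["sha256_after"]
    return None

def build_request(hook_url, api_key, ioc):
    """Headers and JSON body for a MISP /attributes/restSearch POST on the chosen IOC."""
    headers = {"Authorization": api_key, "Accept": "application/json", "Content-Type": "application/json"}
    return hook_url, headers, {"returnFormat": "json", "type": ioc[0], "value": ioc[1]}

# Constructed Sysmon event 1 alert trimmed to the fields used above; not a real capture.
SAMPLE_ALERT = {"rule": {"groups": ["windows", "sysmon", "sysmon_event1"]},
                "data": {"win": {"eventdata": {"image": "C:\\Users\\demo\\tool.exe",
                                               "hashes": "SHA1=" + "11" * 20 + ",MD5=" + "22" * 16
                                               + ",SHA256=" + "ab" * 32 + ",IMPHASH=" + "33" * 16}}}}

if __name__ == "__main__":
    try:
        alert_path, key, url = parse_args(sys.argv)
    except ValueError as err:
        sys.exit(str(err))  # exits non-zero and prints the reason to stderr
    with open(alert_path) as fh:
        ioc = extract_ioc(json.load(fh))
    print(json.dumps(build_request(url, key, ioc)[2]) if ioc else "no IOC in alert")
```

Running it by hand with only the alert file argument reproduces the missing-argument case with a readable message, which is a quicker check than waiting for integratord to invoke it.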

Nathan D.

Oct 22, 2025, 11:13:22 AM
to Wazuh | Mailing List
Hi Jesus,

No worries about the delay in responding; it's very kind of you to help me.

Everything is working perfectly, thank you for the information provided. I followed all your instructions and, indeed, with this script the alerts are being generated correctly.

Have a nice evening.