Wazuh And MISP Integration - Quickly Detect IoCs Within Your Wazuh Alerts With MISP!

Join me as we integrate Wazuh with MISP. Enhance your SOC capabilities with Wazuh and MISP! Let's deploy a Host Intrusion Detection System and SIEM with free open source tools. Join me as we explore and learn together.

Comments

Did anyone succeed in setting this up? I have syslog and it doesn't work for me. I am not able to debug either: where and how do I enable debug logs to troubleshoot the issue? I only see events in Wazuh but nothing shows from MISP. Any help would be appreciated.

SrinivasaRaoPalatheerdham

Hi Taylor, could you please do a video about the integration of OpenCTI with Wazuh? I think OpenCTI is more comprehensive than MISP, and we can also integrate it with MISP. Thanks.

laanbarehamza

Hello sir, could you help make a video on how to integrate Wazuh v4.9.2 with MISP, please?

.lykungmeng

Hello,

I tried troubleshooting the code in this custom-misp.py file and I find that the response from this line, "misp_api_response = misp_api_response.json()" (line number 109), is this message: {'name': 'You do not have permission to use this functionality.', 'message': 'You do not have permission to use this functionality.', 'url':

Is that an error in the script, or what am I missing?

Who else managed to do this integration?

bilaichacha

Good morning Taylor, I would like to know if it is possible for the endpoint itself to make the request to the dedicated MISP server and for the latter to respond to the manager, instead of an endpoint querying the Wazuh Manager, which then queries MISP to verify if the domain is in its threat sources. If the value exists within MISP, it should respond with the event ID and more metadata about the IoC to the Wazuh Manager, so it can be visualized on the dashboard. Sorry for the tongue twister, I hope I made myself clear. Thank you in advance, you're amazing.

RobertoMartinez-pmvq

I can't see on the wazuh manager the logs that show that the agent sent the ping request to the domain. Am I missing something? Do I have to set this?

lorenzo-bd

I'm digging the content you're putting out. Keep it up!
We are attempting to use this integration in our lab. We are seeing the following error in the /var/ossec/logs/ossec.log when we try to use the integration:

2022/04/18 22:28:54 wazuh-integratord: ERROR: Unable to run integration for custom-misp.py -> integrations
2022/04/18 22:28:54 wazuh-integratord: ERROR: While running custom-misp.py -> integrations. Output: IndexError: list index out of range
2022/04/18 22:28:54 wazuh-integratord: ERROR: Exit status was: 1

Other than the server and API key, the custom-misp.py file is left unchanged.
It lives in /var/ossec/integrations
chmod 750
chown root:ossec

Are there any other troubleshooting steps we can attempt or log files we can reference to get a better insight as to what is going on?

Thank you!

jacobfogal

Can we get the Sysmon Wazuh rules used for this to work? I found the Sysmon rules you used in another video to integrate Sysmon into Wazuh, but those custom rules don't monitor Sysmon Event 22, for example.

SatoshiSky

Hello Walton,
After completing the integration part, while testing the use case I am getting a MISP error "Connection error to misp API", and the rule ID is 100621.

ankitkamble

Does Wazuh automatically block traffic from the endpoint when MISP sends an alert to Wazuh?

betajemz

Hi Taylor, I checked /var/ossec/logs/ossec.log and see this error: "wazuh-integratord: ERROR: Couldn't execute command (integrations > /dev/null 2>&1). Check file and permissions." Please help me.

nhantieu

Wow, this is an awesome video. It's unbelievable what is possible with open source products. Can you tell me which feeds you prefer in MISP? Thanks a lot for sharing your knowledge.

pleibling

Hi Taylor, I did the exact steps but my Wazuh server is not displaying the MISP logs.

foodie_nextdoor

Hi Taylor, I integrated my Wazuh with MISP. I am getting the Sysmon event 22, but MISP is not getting triggered by Wazuh after the ping test on my Windows box.
Thanks in advance.

mouleshgopal

Please make a video on integrating Splunk with MISP. Splunk will be on a Windows machine and MISP on Ubuntu, and then generate alerts in Splunk by creating threat incidents in MISP. @TaylorWalton

SomnathDas-uwbg

Hi, can you make a video on OpenCTI integration with Wazuh? Thank you.

bakhtawar

@taylorwalton_socfortress
Mr. Taylor, good afternoon. Please help me with the Sysmon configuration file needed to create the rule on event 22 that you used for the example in the video, as I am trying the same but would like to know the particular rule you used. Thank you very much.

juanpalacio

Another question: is it possible to check in MISP whether the API request was successful? I can see the event in Wazuh with the groups "windows, sysmon, sysmon_event_22". Some seconds later I check the usage of the API key in MISP, and it shows me that the last usage was some seconds ago. But I get no event in MISP.
In the integrations.log there is:
2022/09/05 12:32:13 wazuh-integratord: ERROR: Unable to run integration for custom-misp.py -> integrations
2022/09/05 12:32:13 wazuh-integratord: ERROR: While running custom-misp.py -> integrations. Output: KeyError: 'response'

How can I check what is going wrong? In MISP I see that the API key was used at the same time as in the integrations.log, but there is no event in MISP.

pleibling
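The three failures reported in this thread (the "You do not have permission" body returned by .json(), "IndexError: list index out of range", and "KeyError: 'response'") all come from indexing a MISP restSearch reply without first checking its shape. The script below is an added example written for this page, not the custom-misp.py from the video: it keeps the shape of a Wazuh custom integration but swaps the live HTTP call for constructed sample bodies so each path can be run offline. It assumes Wazuh's Sysmon decoder exposes the event 22 query as data.win.eventdata.queryName and that MISP's restSearch reply is {"response": {"Attribute": [...]}}; every sample body and value is constructed.

```python
#!/usr/bin/env python3
"""Defensive handling of a MISP restSearch reply in a Wazuh custom integration.

Added example, not the custom-misp.py from the video. The live HTTP call is
replaced by constructed sample bodies so each response shape runs offline.
"""
import json
import sys

# Constructed sample: the body MISP returns when the API key's role lacks the
# needed permission (the name/message pair one commenter saw from .json()).
PERMISSION_DENIED = {
    "name": "You do not have permission to use this functionality.",
    "message": "You do not have permission to use this functionality.",
    "url": "/attributes/restSearch",  # assumed endpoint path
}

# Constructed sample: a successful search that matched nothing.
NO_MATCH = {"response": {"Attribute": []}}

# Constructed sample: a successful search with one hit (all values made up).
ONE_HIT = {"response": {"Attribute": [{
    "id": "12345", "event_id": "42", "type": "domain",
    "value": "example-ioc.test", "category": "Network activity",
}]}}

# Constructed sample: the slice of a Wazuh Sysmon event 22 (DNS query) alert
# the integration reads; field names follow Wazuh's Sysmon decoder (assumed).
SAMPLE_ALERT = {
    "rule": {"groups": ["windows", "sysmon", "sysmon_event_22"]},
    "data": {"win": {"eventdata": {"queryName": "example-ioc.test"}}},
}


def extract_ioc(alert):
    """Return the queried domain from a Sysmon event 22 alert, else None."""
    if "sysmon_event_22" not in alert.get("rule", {}).get("groups", []):
        return None
    return alert.get("data", {}).get("win", {}).get("eventdata", {}).get("queryName")


def naive_first_value(body):
    """The unguarded pattern: KeyError on an error body, IndexError on no match."""
    return body["response"]["Attribute"][0]["value"]


def naive_failure_name(body):
    """Name of the exception the unguarded pattern raises for this body, or None."""
    try:
        naive_first_value(body)
    except (KeyError, IndexError) as exc:
        return type(exc).__name__
    return None


def summarise_misp_reply(body):
    """Map a restSearch body to a result dict without raising on its shape."""
    if "response" not in body:
        # MISP reports API-level failures (bad key, missing permission) in a
        # JSON body with name/message instead of the 'response' envelope.
        return {"status": "error", "reason": body.get("message", "unexpected MISP body")}
    attributes = body["response"].get("Attribute") or []
    if not attributes:
        return {"status": "no_match"}
    first = attributes[0]
    return {
        "status": "match",
        "event_id": first.get("event_id"),
        "attribute_id": first.get("id"),
        "type": first.get("type"),
        "value": first.get("value"),
        "category": first.get("category"),
    }


def build_wazuh_event(alert, body):
    """Compose the document the integration would hand back to the manager."""
    ioc = extract_ioc(alert)
    if ioc is None:
        return None  # not a DNS-query alert: nothing to look up
    return {"integration": "misp", "ioc": ioc, "misp": summarise_misp_reply(body)}


if __name__ == "__main__":
    # Wazuh runs a custom integration as: script <alert_file> <api_key> <hook_url>.
    # Without arguments, use the constructed alert and walk all three bodies.
    alert = SAMPLE_ALERT
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            alert = json.load(fh)
    for body in (PERMISSION_DENIED, NO_MATCH, ONE_HIT):
        print(json.dumps(build_wazuh_event(alert, body)))
```

Run it with no arguments to see all three outcomes printed as JSON. The "error" result is the one to log rather than swallow: when the manager shows the API key as used but MISP records no hit, the key's permission or role on the MISP side is the first thing to check, and emitting the MISP message into the integration event makes that visible in the Wazuh dashboard instead of only in integrations.log.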