Hi Taylor, Could you please do a video about the integration of OpenCTI with Wazuh? I think OpenCTI is more comprehensive than MISP. and also we can integrate it with MISP. Thanks

Good morning Taylor, I would like to know if it is possible for the endpoint itself to make the request to the dedicated MISP server and for the latter to respond to the manager, instead of an endpoint querying the Wazuh Manager, which then queries MISP to verify if the domain is in its threat sources. If the value exists within MISP, it should respond with the event ID and more metadata about the IoC to the Wazuh Manager, so it can be visualized on the dashboard. Sorry for the tongue twister, I hope I made myself clear. Thank you in advance, you're amazing.

did anyone succeed in setting this up. I have syslog and it doesn't work for me. I am not able to debug as well, where and how to enable debug logs to troubleshoot the issue. I only see events in Wazuh but nothing shows from MISP. any help would be appreciated.

Can we get the Sysmon Wazuh rules used for this to work? I found Sysmon rules you used for another video to integrate Sysmon into Wazuh - but those custom rules don't monitor Sysmon Event 22 for example.

awesome video and excellent content.

Wow, this is an awesome Video. It's unbeliveable what is possible with Opensource Produtcs. Can you tell me, which Feeds do youprefer in MISP? Thanks a lot for sharing your knowledge.

Hello walton, After completing the integration part while testing the usecase I am getting a misp error "Connection error to misp API" And rule I'd is 100621

I can't see on the wazuh manager the logs that show that the agent sent the ping request to the domain. Am I missing something? Do I have to set this?

Hello, I tried to do a code troubleshooting on this custom-misp.py file and I find the response from this line "misp_api_response = misp_api_response.json()" Line number 109 it return this message {'name': 'You do not have permission to use this functionality.', 'message': 'You do not have permission to use this functionality.', 'url': '/events/restSearchvalue:node-antivirus-v001' Is that an error of the script or what am missing?? Who else win to do this integration?

is wazuh otomatis block trafic from endpoint when misp send alert to wazuh?

I'm digging the content you're putting out. Keep it up! We are attempting to use this integration in our lab. We are seeing the following error in the /var/ossec/logs/ossec.log when we try to use the integration: 2022/04/18 22:28:54 wazuh-integratord: ERROR: Unable to run integration for custom-misp.py -> integrations 2022/04/18 22:28:54 wazuh-integratord: ERROR: While running custom-misp.py -> integrations. Output: IndexError: list index out of range 2022/04/18 22:28:54 wazuh-integratord: ERROR: Exit status was: 1 Other than the server and API key, the custom-misp.py file is left unchanged. It lives in /var/ossec/integrations chmod 750 chown root:ossec Are there any other troubleshooting steps we can attempt or log files we can reference to get a better insight as to what is going on? Thank you!

Thank you very much for your work!

Hi, can you make a video of opencti integration with wazuh? Thankyou.

Hi Taylor, I did the exact steps but my Wazuh server is not displaying the MISP logs

Hi Taylor I integrated my wazuh with MISP, getting the sysmon event 22 but the MISP is not getting triggered by wazuh after the ping test in my windows box Thanks in advance

Please make a video of integrating splunk with MISP. Splunk will be in a windows machine and MISP will be Ubuntu. And then generating alerts in Splunk by creating threat incidents in MISP. @TaylorWalton

Great video

@taylorwalton_socfortress Mr. taylor good afternoon, please help me with the sysmon configuration file needed to create the rule on the event-22 with which you applied the example in the video as I am trying the same but I would like to know what is the particular rule you used. Thank you very much.

Hi Taylor, I checked /var/ossec/logs/ossec.log and looking error : "wazuh-integratord: ERROR: Couldn't execute command (integrations /tmp/custom-misp.py-1701595137--1443911367.alert > /dev/null 2>&1). Check file and permissions.". Please help me

An other question - is it possible to check in MISP if the API Request was successfull? I can see in Wazuh the Event with Group "windows, sysmon, sysmon_event_22", after some seconds i check in MISP the ussage of the API Key, they shown me, thats last usage is some seconds ago. But i get no event in MISP. In the integrations.log there is 2022/09/05 12:32:13 wazuh-integratord: ERROR: Unable to run integration for custom-misp.py -> integrations 2022/09/05 12:32:13 wazuh-integratord: ERROR: While running custom-misp.py -> integrations. Output: KeyError: 'response' How i can check, what is going wrong? In MISP see that the API Key was used to the same time, like in the ingrations.log - but there is no Event in MISP.