Wazuh And MISP Integration - Quickly Detect IoCs Within Your Wazuh Alerts With MISP!

Science & Technology

Join me as we integrate Wazuh with MISP. Enhance your SOC capabilities with Wazuh and MISP! Let's deploy a Host Intrusion Detection System and SIEM with free open source tools. Join me as we explore and learn together.
Buy Me A Coffee: bit.ly/3woh21M
Blog Post: / wazuh-and-misp-integra...
Security Operations Center as a Service: www.socfortress.co/
Your Own Server: bit.ly/3Eug9Wf
Discord Channel: / discord
Check us out: www.opensecure.co/
Interact with our demo: bit.ly/3tzKJLz
Hire us: www.opensecure.co/contact-us

Comments: 38

  • @justSamadhi · 2 years ago

    Thank you very much for your work!

  • @rewantasubba5180 · 6 months ago

    awesome video and excellent content.

  • @numanmaavia8575 · 2 years ago

    Great video

  • @laanbarehamza1024 · 1 year ago

    Hi Taylor, could you please do a video about the integration of OpenCTI with Wazuh? I think OpenCTI is more comprehensive than MISP, and we can also integrate it with MISP. Thanks

  • @pleibling · 1 year ago

    Wow, this is an awesome video. It's unbelievable what is possible with open-source products. Can you tell me which feeds you prefer in MISP? Thanks a lot for sharing your knowledge.

  • @RobertoMartinez-pm1vq · 2 months ago

    Good morning Taylor, I would like to know if it is possible for the endpoint itself to make the request to the dedicated MISP server and for the latter to respond to the manager, instead of an endpoint querying the Wazuh Manager, which then queries MISP to verify if the domain is in its threat sources. If the value exists within MISP, it should respond with the event ID and more metadata about the IoC to the Wazuh Manager, so it can be visualized on the dashboard. Sorry for the tongue twister, I hope I made myself clear. Thank you in advance, you're amazing.

  • @betajemz5781 · 2 months ago

    Does Wazuh automatically block traffic from the endpoint when MISP sends an alert to Wazuh?

  • @lorenzo-b3d · 24 days ago

    I can't see on the Wazuh manager the logs that show that the agent sent the ping request to the domain. Am I missing something? Do I have to set this?

  • @ankitkamble0390 · 5 months ago

    Hello Walton, after completing the integration part, while testing the use case I am getting a MISP error "Connection error to misp API", and the rule ID is 100621.

  • @user-yj5wn4lv3f · 4 months ago

    Did anyone succeed in setting this up? I have syslog and it doesn't work for me. I am not able to debug either; where and how do I enable debug logs to troubleshoot the issue? I only see events in Wazuh but nothing shows from MISP. Any help would be appreciated.

  • @estephanierojas1413 · 4 months ago

    He goes far too fast when explaining; he doesn't explain well what he is doing, he just comes in and does it...

  • @user-yj5wn4lv3f · 4 months ago

    @estephanierojas1413 I succeeded in setting it up. If you need help, don't hesitate to contact me.

  • @SomnathDas-uw4bg · 4 months ago

    Please make a video of integrating Splunk with MISP. Splunk will be on a Windows machine and MISP on Ubuntu, and then generate alerts in Splunk by creating threat incidents in MISP. @TaylorWalton

  • @bakhtawar9599 · 2 years ago

    Hi, can you make a video of OpenCTI integration with Wazuh? Thank you.

  • @foodie_nextdoor0 · 1 year ago

    Hi Taylor, I did the exact steps but my Wazuh server is not displaying the MISP logs.

  • @user-yj5wn4lv3f · 4 months ago

    @foodie_nextdoor0 If your MISP is empty, it won't give you any result. MISP will return a result only when the related Wazuh event has a corresponding IoC in MISP; otherwise it will always be "no result" in Wazuh.

  • @mouleshgopal3936 · 11 months ago

    Hi Taylor, I integrated my Wazuh with MISP and I'm getting the Sysmon event 22, but MISP is not getting triggered by Wazuh after the ping test on my Windows box. Thanks in advance

  • @user-yj5wn4lv3f · 4 months ago

    @mouleshgopal3936 If your MISP is empty, it won't give you any result. MISP will return a result only when the related Wazuh event has a corresponding IoC in MISP; otherwise it will always be "no result" in Wazuh.

  • @mouleshgopal3936 · 4 months ago

    @user-yj5wn4lv3f Hi, thank you for the support.

  • @juanpalacio7604 · 1 year ago

    @taylorwalton_socfortress Mr. Taylor, good afternoon. Please help me with the Sysmon configuration file needed to create the rule on event 22 with which you applied the example in the video, as I am trying the same but I would like to know what particular rule you used. Thank you very much.

  • @jacobfogal5029 · 2 years ago

    I'm digging the content you're putting out. Keep it up! We are attempting to use this integration in our lab. We are seeing the following error in /var/ossec/logs/ossec.log when we try to use the integration:

        2022/04/18 22:28:54 wazuh-integratord: ERROR: Unable to run integration for custom-misp.py -> integrations
        2022/04/18 22:28:54 wazuh-integratord: ERROR: While running custom-misp.py -> integrations. Output: IndexError: list index out of range
        2022/04/18 22:28:54 wazuh-integratord: ERROR: Exit status was: 1

    Other than the server and API key, the custom-misp.py file is left unchanged. It lives in /var/ossec/integrations (chmod 750, chown root:ossec). Are there any other troubleshooting steps we can attempt or log files we can reference to get a better insight as to what is going on? Thank you!

  • @jacobfogal5029 · 2 years ago

    For anybody following behind, at the 10 minute mark of the video there is a reference to the array being correct. In our instance of Wazuh we were not natively grabbing Event 22, and we did not have the correct format for rule.groups when we built out our custom rule. We updated our local_rules.xml to include the correct array (as shown in the tutorial) to get this integration to work correctly. Here is our example rule (the rule id and level are not shown here). Note, on the first line, we did not include windows in the group name initially:

        <group name="windows,sysmon,">
          <rule id="..." level="...">
            <if_sid>61600</if_sid>
            <field name="win.system.eventID">^22$</field>
            <description>Sysmon - Event 22: DNS Query for $(win.eventdata.queryName) by $(win.eventdata.image)</description>
            <options>no_full_log</options>
            <group>sysmon_event_22,</group>
          </rule>
        </group>

  • @serversql9951 · 2 years ago

    Did you resolve it, sir? I have the same problem with the error "Output: IndexError: list index out of range". Could you help me, sir?

  • @taylorwalton_socfortress · 2 years ago

    Was going to be my suggestion. Thank you for sharing and watching :)

  • @ghostwalker0050 · 2 years ago

    @serversql9951 Hi, I'm having the same problem. Did you ever get the fix for this error?

  • @serversql9951 · 2 years ago

    @taylorwalton_socfortress @Fernando DeBonis and I get the problem "Output: IndexError: list index out of range". Could you help me, sir?

  • @bilaichacha8388 · 1 year ago

    Hello, I tried to do some code troubleshooting on this custom-misp.py file and I found that the response from the line "misp_api_response = misp_api_response.json()" (line number 109) returns this message: {'name': 'You do not have permission to use this functionality.', 'message': 'You do not have permission to use this functionality.', 'url': '/events/restSearchvalue:node-antivirus-v001'}. Is that an error in the script, or what am I missing? Who else managed to do this integration?

  • @NguyenCuong-rw9zr · 1 year ago

    I have this error too.

  • @nhantieu2042 · 7 months ago

    Hi Taylor, I checked /var/ossec/logs/ossec.log and I'm seeing the error: "wazuh-integratord: ERROR: Couldn't execute command (integrations /tmp/custom-misp.py-1701595137--1443911367.alert > /dev/null 2>&1). Check file and permissions.". Please help me.

  • @AbhishekPandey-2396 · 4 months ago

    I am facing the same issue. Did you manage to solve it somehow?

  • @pleibling · 1 year ago

    Another question: is it possible to check in MISP whether the API request was successful? I can see in Wazuh the event with group "windows, sysmon, sysmon_event_22"; a few seconds later I check the usage of the API key in MISP, and it shows me that the last usage was a few seconds ago. But I get no event in MISP. In integrations.log there is:

        2022/09/05 12:32:13 wazuh-integratord: ERROR: Unable to run integration for custom-misp.py -> integrations
        2022/09/05 12:32:13 wazuh-integratord: ERROR: While running custom-misp.py -> integrations. Output: KeyError: 'response'

    How can I check what is going wrong? In MISP I see that the API key was used at the same time as in integrations.log, but there is no event in MISP.

  • @bilaichacha8388 · 1 year ago

    I think we are on the same issue. I tried to check the response from the JSON; did you check it on your side?

  • @pleibling · 1 year ago

    @bilaichacha8388: I'm with other people in the Wazuh Slack chat, searching on it. I see in the ossec.log (debug for integrations set to 2) that the JSON call is sent, but then I get an error. This morning I configured a public certificate for MISP, because it gave a cert warning in debug. But it doesn't solve the problem. How far are you?

  • @bilaichacha8388 · 1 year ago

    @pleibling Did you deploy your internal MISP? I have an issue with the response, but I think the issue is the user, because the role of the user is Org Admin. I was thinking of having another user who has a sync role.

  • @bilaichacha8388 · 1 year ago

    Now I'm getting events for "Connection Error to MISP API". What about you?

  • @pleibling · 1 year ago

    @Bilai Chacha: Hi, I checked now with a fresh Wazuh and MISP installation, and now it works fine. Did you solve your problem?
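
The two script failures reported across these threads, "IndexError: list index out of range" (the integration indexing into a rule.groups array that does not have the expected shape) and "KeyError: 'response'" (MISP answering a permission or connection problem with a flat error object instead of a search result), both come from trusting the alert and the MISP reply without checking them. The following is an added example, not the custom-misp.py from the video or any project's code, showing how that handling can be made defensive; it assumes the Wazuh alert layout the comments mention (rule.groups, data.win.eventdata.queryName) and MISP's restSearch reply layout (response.Attribute[]), and all sample inputs are constructed.

```python
import json

# Constructed sample inputs (not captured from a real deployment).
ALERT_DNS = {
    "rule": {"groups": ["windows", "sysmon", "sysmon_event_22"]},
    "data": {"win": {"eventdata": {"queryName": "lookup.example.test"}}},
}
ALERT_OTHER = {"rule": {"groups": ["syslog"]}, "data": {}}

MISP_MATCH = json.dumps({"response": {"Attribute": [
    {"event_id": "7", "category": "Network activity", "type": "domain",
     "value": "lookup.example.test"}]}})
MISP_EMPTY = json.dumps({"response": {"Attribute": []}})
# Flat error object, as quoted in the comments: no "response" key at all.
MISP_DENIED = json.dumps({
    "name": "You do not have permission to use this functionality.",
    "message": "You do not have permission to use this functionality.",
    "url": "/events/restSearchvalue:node-antivirus-v001"})


def extract_ioc(alert):
    """Pick the value to look up. Test rule.groups by membership, not by
    position, so an unexpected array shape yields None instead of IndexError."""
    groups = alert.get("rule", {}).get("groups") or []
    if "sysmon_event_22" in groups:
        value = alert.get("data", {}).get("win", {}).get("eventdata", {}).get("queryName")
        return ("domain", value) if value else None
    return None  # not a DNS-query alert: nothing to send to MISP


def classify_misp_reply(body):
    """Turn a MISP restSearch reply into a status dict. A permission/auth error
    is a flat object without "response", which is the KeyError case."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return {"status": "error", "reason": "non-JSON reply from MISP"}
    if not isinstance(data, dict) or "response" not in data:
        reason = data.get("message") if isinstance(data, dict) else None
        return {"status": "error", "reason": reason or "unexpected reply"}
    attrs = data["response"].get("Attribute") or []
    if not attrs:
        return {"status": "no_match"}  # MISP has no IoC for this value
    hit = attrs[0]
    return {"status": "match", "event_id": hit.get("event_id"),
            "category": hit.get("category"), "type": hit.get("type"),
            "value": hit.get("value")}


def build_wazuh_event(alert, misp_body):
    """Combine both steps into the record that would be written back to the manager."""
    ioc = extract_ioc(alert)
    if ioc is None:
        return {"integration": "misp", "misp": {"status": "skipped"}}
    result = classify_misp_reply(misp_body)
    result["queried_value"] = ioc[1]
    return {"integration": "misp", "misp": result}
```

Each outcome (match, no match, error, skipped) becomes a distinct status the manager can match a rule on, which is what makes a "Connection error to misp API" style alert possible instead of a crashed integration and nothing in the dashboard.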
