Wazuh‐MISP Integration - socarium/makarasoc GitHub Wiki

This guide provides step-by-step instructions to integrate Wazuh, an open-source security monitoring platform, with MISP, an open-source threat intelligence sharing platform. With the integration in place, indicators from the alert groups configured below (Sysmon process, network and DNS events, and file integrity changes) are looked up in MISP, so that alert triage, log analysis and incident response can draw on shared threat intelligence.


  1. Open MISP in the browser at https://<IP Address>:10443 to get the API key.

  2. Go to Administration >> List Auth Keys.

  3. Select Add authentication key to generate a new API key. The key inherits the permissions of the user it is created for; since the integration only needs to read attributes, prefer a dedicated read-only MISP user over an admin account.

  4. Fill in the form with your information and submit it.

  5. Copy the API key into a password manager or another safe place (MISP shows it only once), then select I have noted down my key, take me back now.

  6. A notification shows that the AuthKey was added.

Return to the terminal to edit the configuration the integration script needs.

  7. Edit the integration script with your editor:

```sh
nano modules/wazuh/custom-misp.py
```

  Find this configuration in the script:

```python
misp_base_url = "https://**your misp instance and port**/attributes/restSearch/"
misp_api_auth_key = "*Your API Key"
```

  8. Replace `your misp instance and port` and `Your API Key` with your real MISP ip:port and MISP API key. The key is stored in plain text in this file, so keep the file readable only by the account that runs it and do not commit the edited copy to a shared repository.

  • Press ctrl + o and Enter to save the file.

  • Press ctrl + x to exit the editor.

  9. Edit wazuh_manager.conf with your editor:

```sh
sudo nano wazuh-docker/single-node/config/wazuh_cluster/wazuh_manager.conf
```

  10. Add this block inside the `<ossec_config>` element of wazuh_manager.conf. The `custom-` prefix in the script name is required by Wazuh for user-supplied integration scripts, and the `<group>` list limits lookups to Sysmon process creation (1), network connections (3), driver and image loads (6, 7), file stream hashes (15) and DNS queries (22), plus syscheck file integrity changes, so only those alerts trigger a MISP query.

```xml
 <!-- MISP integration -->
 <integration>
    <name>custom-misp.py</name>
    <group>sysmon_event1,sysmon_event3,sysmon_event6,sysmon_event7,sysmon_event_15,sysmon_event_22,syscheck</group>
    <alert_format>json</alert_format>
 </integration>
```

  • Press ctrl + o and Enter to save the file.

  • Press ctrl + x to exit the editor.

  11. Finally, run main.sh:

```sh
./main.sh
```

  12. Select I'm New to This or I Know What I'm Doing (the example screenshots use I'm New to This).

  13. Select Tools Configurations.

  14. Select Integration Wazuh - MISP.

  15. Once the process has finished, verify that the Wazuh services are running and the configuration was accepted:

```sh
sudo docker-compose -f wazuh-docker/single-node/docker-compose.yml ps -a
```

  All containers should be in the Up state. If the manager container keeps restarting, the most likely cause is a malformed wazuh_manager.conf (for example an `<integration>` block pasted outside `<ossec_config>`); check its log with `sudo docker-compose -f wazuh-docker/single-node/docker-compose.yml logs wazuh.manager` (wazuh.manager is the manager service name in the upstream single-node compose file).
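What custom-misp.py has to do between the alert Wazuh hands it and the enrichment it sends back is easier to review as code than as screenshots. The following is an added example written for this page, not the script from socarium/makarasoc or from Wazuh: it maps each alert group in the `<integration>` block to one MISP attribute type, queries `/attributes/restSearch`, and pushes any hit back to the manager socket. MISP_BASE_URL, MISP_API_KEY, the rule ids, agent name, hostnames and hashes are assumptions or constructed sample data; the alert field names (rule.groups, data.win.eventdata.*, syscheck.sha256_after) are the Wazuh decoder fields for Sysmon and FIM events. The stub transport lets the whole pipeline run without a MISP instance.

```python
"""Skeleton of a Wazuh -> MISP integration script (added example, not the repo's custom-misp.py)."""
import ipaddress
import json
import re
import socket
import ssl
import urllib.request
# Assumed deployment values (substitute your own); never commit a real key.
MISP_BASE_URL = "https://misp.example.internal:10443"   # assumption: MISP host, port 10443 as on the page
MISP_API_KEY = "REPLACE_WITH_YOUR_MISP_API_KEY"         # assumption: the auth key generated in MISP
WAZUH_SOCKET = "/var/ossec/queue/sockets/queue"         # Wazuh 4.x analysisd input socket
SHA256_RE = re.compile(r"SHA256=([0-9A-Fa-f]{64})")     # Sysmon Hashes field: "SHA1=..,MD5=..,SHA256=.."

def extract_ioc(alert):
    """Return (misp_attribute_type, value) for one decoded Wazuh alert, or None. Mapping follows the groups
    in the <integration> block: 3 -> destination IP, 22 -> DNS query, 1/6/7/15 -> SHA256, syscheck -> sha256_after."""
    groups = alert.get("rule", {}).get("groups", [])
    eventdata = alert.get("data", {}).get("win", {}).get("eventdata", {})
    if "sysmon_event3" in groups:
        try:
            addr = ipaddress.ip_address(eventdata.get("destinationIp", ""))
        except ValueError:
            return None
        # Skip RFC1918/loopback/link-local: useless to query and it would leak internal topology to MISP.
        return ("ip-dst", str(addr)) if addr.is_global else None
    if "sysmon_event_22" in groups:
        name = eventdata.get("queryName")
        return ("hostname", name.lower()) if name else None
    if any(g in groups for g in ("sysmon_event1", "sysmon_event6", "sysmon_event7", "sysmon_event_15")):
        match = SHA256_RE.search(eventdata.get("hashes", ""))
        return ("sha256", match.group(1).lower()) if match else None
    if "syscheck" in groups:
        digest = alert.get("syscheck", {}).get("sha256_after")
        return ("sha256", digest.lower()) if digest else None
    return None

def build_restsearch(ioc_type, value):
    """Body for POST /attributes/restSearch: exact value match, IDS-flagged attributes only,
    warninglists enforced so known-benign infrastructure (CDNs, public resolvers) is dropped."""
    return {"returnFormat": "json", "type": ioc_type, "value": value, "to_ids": 1, "enforceWarninglist": True}

def _urllib_transport(req, ctx):
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)

def query_misp(body, transport=None, ca_bundle=None):
    """POST the search to MISP. transport(request, ssl_context) is injectable for offline runs.
    TLS verification stays on: pass the CA that signed the MISP cert rather than disabling checks."""
    req = urllib.request.Request(
        f"{MISP_BASE_URL}/attributes/restSearch", data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": MISP_API_KEY, "Accept": "application/json", "Content-Type": "application/json"})
    ctx = ssl.create_default_context(cafile=ca_bundle)
    return (transport or _urllib_transport)(req, ctx)

def enrich(alert, misp_response):
    """Event handed back to Wazuh, or None when MISP has no matching attribute."""
    attrs = misp_response.get("response", {}).get("Attribute", [])
    if not attrs:
        return None
    hit = attrs[0]
    return {"integration": "misp",
            "misp": {"event_id": hit.get("event_id"), "category": hit.get("category"), "type": hit.get("type"),
                     "value": hit.get("value"), "comment": hit.get("comment", ""),
                     "source": {"agent": alert.get("agent", {}).get("name"), "rule_id": alert.get("rule", {}).get("id")}}}

def send_to_wazuh(event, path=WAZUH_SOCKET):
    """Write "1:misp:<json>" to analysisd so a custom rule on the misp.* fields can fire."""
    msg = "1:misp:" + json.dumps(event)
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as sock:
        sock.connect(path)
        sock.send(msg.encode())
    return msg

def process(alert, transport=None):
    """One alert end to end; returns the enriched event or None (nothing to look up / no MISP hit)."""
    ioc = extract_ioc(alert)
    return None if ioc is None else enrich(alert, query_misp(build_restsearch(*ioc), transport=transport))

# --- Constructed sample data (not real telemetry or intelligence) and a stub MISP for offline runs ---
def _alert(group, eventdata, rule_id="100000"):
    return {"rule": {"id": rule_id, "groups": ["windows", "sysmon", group]}, "agent": {"name": "WIN-SRV01"},
            "data": {"win": {"eventdata": eventdata}}}

SAMPLE_DNS_ALERT = _alert("sysmon_event_22", {"queryName": "Update.Example.NET"}, "100022")
SAMPLE_PRIVATE_IP_ALERT = _alert("sysmon_event3", {"destinationIp": "10.0.0.5"}, "100003")
SAMPLE_PROC_ALERT = _alert("sysmon_event1", {"hashes": "SHA1=DA39A3EE5E6B4B0D3255BFEF95601890AFD80709,"
                                             "SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"})

def stub_transport(req, ctx):
    body = json.loads(req.data)
    if body["value"] == "update.example.net":   # the only indicator the stub "knows"
        return {"response": {"Attribute": [{"event_id": "42", "category": "Network activity", "type": body["type"],
                                            "value": body["value"], "comment": "constructed C2 indicator"}]}}
    return {"response": {"Attribute": []}}

if __name__ == "__main__":   # offline demo; a deployed script reads the alert file Wazuh passes as argv[1]
    for a in (SAMPLE_DNS_ALERT, SAMPLE_PRIVATE_IP_ALERT, SAMPLE_PROC_ALERT):
        print(json.dumps(process(a, transport=stub_transport)))
```

Two points worth carrying into the real script: keep TLS verification on by pointing ca_bundle at the CA that issued the MISP certificate instead of disabling certificate checks to cope with a self-signed one, and never send private destination IPs to MISP, since every lookup is logged on the MISP side and would otherwise expose internal addressing to everyone with access to that instance.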
