Wazuh‐MISP Integration - wahyusutejo1986/socarium GitHub Wiki

  • Open MISP in the browser to get the API key.

  • Go to Administration >> List Auth Keys.

  • Select Add authentication key to generate a new API key.

  • Fill in the form with your information and submit it.

  • Here is the example:

  • Copy the API key into your notes app or somewhere else (MISP shows it only once), then select I have noted down my key, take me back now.

  • A notification shows that the AuthKey was added.

Back in the terminal, add and edit the configuration needed for the integration.

  • Edit the integration script with your text editor:

```shell
nano modules/wazuh/integration-misp.py
```

  • Find this configuration in the script:

```python
misp_base_url = "https://**your misp instance and port**/attributes/restSearch/"
misp_api_auth_key = "*Your API Key"
```

  • Replace **your misp instance and port** and *Your API Key* with your real MISP ip:port and MISP API key.

  • Here is the example:

  • Press Ctrl + O, then Enter, to save the file.

  • Press Ctrl + x to exit the text editor.

  • Add this integration block to the Wazuh manager configuration:

```xml
 <!-- MISP integration -->
 <integration>
    <name>integration-misp.py</name>
    <group>sysmon_event1,sysmon_event3,sysmon_event6,sysmon_event7,sysmon_event_15,sysmon_event_22,syscheck</group>
    <alert_format>json</alert_format>
 </integration>
```
  • Edit wazuh_manager.conf with a text editor:

```shell
sudo nano wazuh-docker/single-node/config/wazuh_cluster/wazuh_manager.conf
```
  • Here is the example:

  • Press Ctrl + O, then Enter, to save the file.

  • Press Ctrl + x to exit the text editor.

  • As the last step, execute main.sh:

```shell
./main.sh
```
  • Select Socarium Configurations.

  • Select Integration Wazuh - MISP.

  • Wait until the process is finished.
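The steps above wire the script to the Sysmon rule groups in the `<group>` tag and point it at MISP's restSearch endpoint. The following is an added example (not the socarium integration-misp.py) that shows the pieces such a script has to do: pull the IoC out of the alert JSON Wazuh hands to it, build the authenticated restSearch request, reduce MISP's reply to matching event ids, and format the enrichment for Wazuh's queue. The group-to-field mapping, the sample alert, and the queue message layout are assumptions made here; no network call is made.

```python
import json

# Assumptions (not from the wiki): which Wazuh alert field carries the IoC for each
# Sysmon rule group listed in the <group> tag, and the MISP attribute type to query.
IOC_BY_GROUP = {
    "sysmon_event1": ("hashes", "sha256"),         # process creation: image hash
    "sysmon_event3": ("destinationIp", "ip-dst"),  # network connection
    "sysmon_event_22": ("queryName", "domain"),    # DNS query
}

# Constructed sample alert (not real traffic) in the JSON shape Wazuh hands to integrations.
SAMPLE_ALERT = {
    "rule": {"groups": ["windows", "sysmon", "sysmon_event3"]},
    "data": {"win": {"eventdata": {"destinationIp": "203.0.113.7"}}},
}

def extract_ioc(alert):
    """Pick the IoC value and MISP type from the alert's first supported rule group."""
    eventdata = alert.get("data", {}).get("win", {}).get("eventdata", {})
    for group in alert.get("rule", {}).get("groups", []):
        if group not in IOC_BY_GROUP:
            continue
        field, misp_type = IOC_BY_GROUP[group]
        value = eventdata.get(field)
        if field == "hashes" and value:
            # Sysmon packs "SHA1=..,MD5=..,SHA256=..,IMPHASH=.."; keep only SHA256
            parts = dict(p.split("=", 1) for p in value.split(",") if "=" in p)
            value = parts.get("SHA256")
        return {"value": value, "type": misp_type} if value else None
    return None

def build_restsearch(ioc, misp_base_url, misp_api_auth_key):
    """Build the POST the script sends to /attributes/restSearch/ (key goes in a header)."""
    headers = {"Authorization": misp_api_auth_key, "Accept": "application/json",
               "Content-Type": "application/json"}
    body = {"returnFormat": "json", "value": ioc["value"], "type": ioc["type"]}
    return misp_base_url, headers, body

def misp_event_ids(misp_json):
    """Reduce a restSearch reply to the MISP event ids that contain the IoC."""
    attrs = misp_json.get("response", {}).get("Attribute", [])
    return sorted({a["event_id"] for a in attrs})

def wazuh_queue_line(ioc, event_ids):
    """Format the enrichment a script writes to Wazuh's analysis queue socket ("1:misp:<json>")."""
    msg = {"integration": "misp", "misp": {"ioc": ioc["value"], "type": ioc["type"], "event_ids": event_ids}}
    return "1:misp:" + json.dumps(msg)
```

An alert whose groups contain none of the mapped Sysmon events (for example a plain syscheck alert) yields no IoC, so the script should skip the MISP lookup instead of sending an empty query.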
