aymenmarjan/MISP-Wazuh-Integration
A comprehensive integration solution connecting MISP threat intelligence with Wazuh security monitoring for real-time threat detection. This project provides step-by-step instructions for deploying, configuring, and integrating MISP and Wazuh with Sysmon to automatically detect indicators of compromise (IoCs) in your environment.
MISP-Wazuh Integration
Introduction
This project provides a detailed guide and necessary scripts to integrate MISP (Malware Information Sharing Platform) with Wazuh, a security monitoring solution. By combining these tools, security teams can automatically check Sysmon events against MISP's threat intelligence database, enabling real-time detection of known threats and indicators of compromise (IoCs).
Prerequisites
Before starting the integration, ensure you have the following:
- A machine with Ubuntu Server installed (for MISP and Wazuh installation)
- VMware or another virtualization platform (if using a VM)
- Docker installed (We'll show how to install it if it's not already installed)
- Basic knowledge of Linux command line, Docker, and network configuration
- Python 3 and pip3 installed (for the integration script)
Installation and Configuration
Installing MISP
- MISP can be installed using three methods: automatic script, manual installation, or Docker. Choose the method that best suits your needs.
- In this guide, we will configure and run MISP using Docker for a faster and isolated deployment on an Ubuntu Server (virtual machine on VMware).
Installing Docker
First, uninstall any old versions of Docker:
```bash
for pkg in docker.io docker-doc docker-compose podman-docker containerd runc; do sudo apt-get remove $pkg; done
```
Add Docker's official GPG key:
```bash
sudo apt-get update
sudo apt-get install ca-certificates curl gnupg
sudo install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
sudo chmod a+r /etc/apt/keyrings/docker.gpg
```
Add the Docker repository:
```bash
echo \
  "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \
  "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update
```
Install the Docker packages:
```bash
sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
```
Finally, verify Docker was installed successfully by executing:
```bash
sudo docker run hello-world
```
Installing the MISP Docker Image
Clone the MISP Docker repository
git clone https://github.com/MISP/misp-dockerConfigure files
cd misp-docker
cp template.env .env
vim .envModify the MISP_BASEURL variable in .env to reflect the machine's IP address.
Next, build the Docker containers
sudo docker compose buildRunning MISP Using Docker
Edit the docker-compose.yml file
This file holds the configuration settings for the Docker environment running MISP. In particular, you need to update the MISP_BASEURL variable to match the IP address of the machine hosting MISP.
Launch the MISP containers:
```bash
sudo docker compose up
```
To stop the Docker environment:
```bash
sudo docker compose down
```
Initial MISP Configuration
Logging into MISP
You can access your MISP instance through ports 80 and 443 on the machine hosting MISP. Accept the security certificate, then log in as the default Administrator using the credentials:
- Username: admin@admin.test
- Password: admin
Adding feeds
A MISP feed is a structured data source that automatically provides up-to-date information on cyber threats.
Paste this script here:
IMPORTANT: DON'T FORGET TO ACTIVATE AND COLLECT THE FEEDS
Generate an API key
- Click on administration >> list auth keys >> Add authentication key
- We generate an authentication key to allow the API to recognize and authorize the user. Fields such as user, comment, and authorized IPs must be configured as needed before submitting.
- Please make sure to write down the authentication key
Set up a Cronjob to update feeds daily
```bash
0 1 * * * /usr/bin/curl -XPOST --insecure --header "Authorization: **YOUR_API_KEY**" --header "Accept: application/json" --header "Content-Type: application/json" https://**YOUR_MISP_ADDRESS**/feeds/fetchFromAllFeeds
```
Installing Wazuh
- Wazuh offers an installation method called Quick Start.
- Download and run the Wazuh installation assistant:
```bash
curl -sO https://packages.wazuh.com/4.11/wazuh-install.sh && sudo bash ./wazuh-install.sh -a
```
- Once the installation is complete, the assistant will give us a username and password to connect to the indexer.
Initial Wazuh Configuration
- Log in with the credentials given previously
- Home page:
Adding agents
- Click on Deploy new agent
- Select your agent's operating system
- Enter the server IP address, then name your agent and add it to an existing group
- Open PowerShell as an administrator and run the displayed installation command to download the agent. Then start the agent with the command:
```powershell
NET START WazuhSvc
```
- This creates a directory under C:\Program Files (x86)\ossec-agent, which we can use later to manage the events sent to the Wazuh manager
- And there you have it! The agent is deployed.
Wazuh-Sysmon Integration
Step 1: Installing and Configuring Sysmon
- Download Sysmon from the Microsoft Sysinternals page.
- Download the Sysmon configuration file from this link.
- Extract the Sysmon zip file and place the downloaded configuration file in the extracted folder.
- Install Sysmon with the configuration file using PowerShell (as administrator):
```powershell
.\sysmon64.exe -accepteula -i .\sysmonconfig-export.xml
```
Step 2: Configure the Wazuh agent
- Edit the Wazuh agent's ossec.conf file: C:\Program Files (x86)\ossec-agent\ossec.conf
- Add the following configuration to collect Sysmon logs:
```xml
<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>
```
- Restart the Wazuh agent with the command:
```powershell
Restart-Service -Name wazuh
```
Step 3: Configure the Wazuh server
- Add the following rules to the file /var/ossec/etc/rules/local_rules.xml:
```xml
<group name="win-sysmon">
  <rule id="100502" level="2">
    <if_sid>921101</if_sid>
    <field name="win.system.eventID" type="pcre2">^3$</field>
    <field name="win.eventdata.image" type="pcre2">^C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe$</field>
    <description>Network connection initiated by PowerShell</description>
    <mitre>
      <id>T1059.001</id>
    </mitre>
  </rule>
  <rule id="100503" level="13" frequency="5" timeframe="60">
    <if_matched_sid>100502</if_matched_sid>
    <description>Multiple network connections initiated by PowerShell to "$(win.eventdata.destinationIp)" on port "$(win.eventdata.destinationPort)"</description>
    <mitre>
      <id>T1059.001</id>
    </mitre>
  </rule>
</group>
```
- Restart the Wazuh manager:
```bash
systemctl restart wazuh-manager
```
MISP-Wazuh Integration
Integration Steps
Step 1: Add the Python script
- Place this Python script at /var/ossec/integrations/custom-misp
  Note: Ensure that you didn't add the .py extension
- Change the URL and the API key in the script.
- Make sure to set the permissions:
```bash
cd /var/ossec/integrations/
sudo chown root:wazuh custom-misp && sudo chmod 750 custom-misp
```
- Make sure Wazuh is already alerting for the desired Sysmon events. You will likely need to create a custom rule if it isn't already alerting.
- For example, in our test we will need DNS queries from Sysmon event 22
- We will change the rule level from 0 to 4 in the file /var/ossec/ruleset/rules/0595-win-sysmon_rules.xml:
```xml
<rule id="61650" level="4">
  <if_sid>61600</if_sid>
  <field name="win.system.eventID">^22$</field>
  <description>Sysmon - Event 22: DNS Query event</description>
  <options>no_full_log</options>
  <group>sysmon_event_22,</group>
</rule>
```
Note: We found the rule for event 22 in 0595-win-sysmon_rules.xml because it falls between 05-95. Follow the same approach to find the desired event.
Note: There are 16 rule levels, 0-15. Check this page to recognize each one.
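An illustrative version of the custom-misp script described in Step 1 (an added example, not the project's own script): it reads the alert file that Wazuh passes as the first argument, picks the lookup value by Sysmon event ID (hashes, destination IP or DNS query name) or from syscheck, queries MISP's /attributes/restSearch endpoint, and writes a `misp` event back to the analysisd queue so rules 100620-100622 can match it. MISP_URL, MISP_KEY, the queue socket path and SAMPLE_ALERT are placeholder or constructed values you replace with your own.

```python
"""Illustrative custom-misp integration (added example): Wazuh alert -> MISP lookup -> Wazuh event."""
import json, socket, sys, urllib.error, urllib.request
MISP_URL = "https://MISP_ADDRESS_PLACEHOLDER"   # placeholder: your MISP base URL
MISP_KEY = "API_KEY_PLACEHOLDER"                # placeholder: the auth key generated above
QUEUE = "/var/ossec/queue/sockets/queue"        # assumed Wazuh 4.x analysisd socket path
SAMPLE_ALERT = {"rule": {"groups": ["sysmon_event_22"]}, "data": {"win": {"system": {"eventID": "22"},
                "eventdata": {"queryName": "lolo.koko.co"}}}}  # constructed event-22 alert for a dry run

def extract_ioc(alert):
    """Return the value to search for, chosen by Sysmon event ID, or None."""
    if "syscheck" in alert.get("rule", {}).get("groups", []):
        return alert.get("syscheck", {}).get("sha256_after")
    win = alert.get("data", {}).get("win", {})
    event_id, data = win.get("system", {}).get("eventID"), win.get("eventdata", {})
    if event_id in ("1", "6", "7", "15"):          # hash-bearing events: pick the SHA256
        pairs = (h.split("=", 1) for h in data.get("hashes", "").split(",") if "=" in h)
        return dict(pairs).get("SHA256")
    if event_id == "3":                             # network connection
        return data.get("destinationIp")
    if event_id == "22":                            # DNS query
        return data.get("queryName")
    return None

def build_verdict(misp_json):
    """Map a restSearch response onto the misp.* fields rule 100622 matches."""
    attrs = misp_json.get("response", {}).get("Attribute", [])
    if not attrs:
        return None                                 # no hit: nothing is sent
    a = attrs[0]
    return {"integration": "misp", "misp": {"event_id": a.get("event_id"),
            "category": a.get("category"), "type": a.get("type"), "value": a.get("value")}}

def send_event(payload):                            # hand the result to analysisd
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as s:
        s.connect(QUEUE)
        s.send(("1:misp:" + json.dumps(payload)).encode())

if __name__ == "__main__":
    alert = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_ALERT
    ioc = extract_ioc(alert)
    if ioc:
        req = urllib.request.Request(MISP_URL + "/attributes/restSearch",
            data=json.dumps({"returnFormat": "json", "value": ioc}).encode(),
            headers={"Authorization": MISP_KEY, "Content-Type": "application/json"})
        try:
            with urllib.request.urlopen(req, timeout=10) as r:
                verdict = build_verdict(json.load(r))
        except (urllib.error.URLError, ValueError) as exc:   # rule 100621 matches misp.error
            verdict = {"integration": "misp", "misp": {"error": str(exc)}}
        if verdict:
            send_event(verdict)
```

Only the first matching MISP attribute is reported; a connection or parsing failure is sent as a misp.error event instead so the failure itself becomes visible in the dashboard.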
Step 2: Configure the integration in Wazuh
- Edit the Wazuh manager's /var/ossec/etc/ossec.conf file to add the integration block:
```xml
<integration>
  <name>custom-misp</name>
  <group>sysmon_event1,sysmon_event3,sysmon_event6,sysmon_event7,sysmon_event_15,sysmon_event_22,syscheck</group>
  <alert_format>json</alert_format>
</integration>
```
Note: The manager will only run the script when an alert belongs to one of the listed groups.
- Restart the Wazuh manager:
```bash
systemctl restart wazuh-manager
```
Step 3: Also add the following rule to the Wazuh manager
- Go to Server Management > Rules > Add New Rule file. Name it misp.xml, add the following and save.
```xml
<group name="misp,">
  <rule id="100620" level="10">
    <field name="integration">misp</field>
    <match>misp</match>
    <description>MISP Events</description>
    <options>no_full_log</options>
  </rule>
  <rule id="100621" level="5">
    <if_sid>100620</if_sid>
    <field name="misp.error">\.+</field>
    <description>MISP - Error connecting to API</description>
    <options>no_full_log</options>
    <group>misp_error,</group>
  </rule>
  <rule id="100622" level="12">
    <field name="misp.category">\.+</field>
    <description>MISP - IoC found in Threat Intel - Category: $(misp.category), Attribute: $(misp.value)</description>
    <options>no_full_log</options>
    <group>misp_alert,</group>
  </rule>
</group>
```
Step 4: Restart Wazuh services
```bash
systemctl restart wazuh-manager
systemctl restart wazuh-indexer
systemctl restart wazuh-dashboard
```
Integration Testing
In the integration test, you can use any attribute from the feeds. However, we'll create our own event and add a domain attribute to it, allowing us to test with that domain later.
Create our own event
- Access the MISP interface via its URL (e.g. http://<MISP_IP_address>).
- Create a new event with a title, distribution, and threat level, then submit.
- Add a domain attribute with a fictitious name, like lolo.koko.co, and save it.
- Publish the event by clicking on Publish Event
- On a Windows machine with the Wazuh agent installed, use PowerShell to interact with the added domain:
- Check if the malicious domain is detected and marked as a critical alert in the Sysmon logs transmitted to Wazuh.
Sources
Workflow Diagram
```mermaid
graph TD
    A[Windows Client] -->|Sysmon Events| B[Wazuh Agent]
    B -->|Forward Events| C[Wazuh Manager]
    C -->|Check IoCs| D[MISP Integration]
    D -->|Query| E[MISP Server]
    E -->|Return Matches| D
    D -->|Alert on Matches| C
    C -->|Display Alerts| F[Wazuh Dashboard]
```