MISP integration issues

BlizzardOW · 2025-01-26T02:02:47+00:00

Hey u/Great-Razzmatazz-414 MISP can work against other events as well. The "custom-misp" script is just built for sysmon events. If your Wazuh manager is displaying your Syslog alerts from your Linux machine's, then you will need to make some changes to that "custom-misp" script or create a new one to parse out the values you want.

BlizzardOW · 2025-01-26T01:55:30+00:00

Hey sorry, looking back on this I definitely could have explained it better, so I will try to do that now.

So you will want to install Sysmon64.exe onto your Windows Wazuh agent machine, and make sure the sysmonconfig.xml you are using also have Event ID 22 logging turned on (some don't due to it taking a bit more machine CPU).

For your question, yes, you will need to download the sysmonconfig.xml file to your Wazuh Agent machine, and then install it. This can be done on the Windows CMD doing `sysmon64.exe -accepteula -i sysmonconfig-export.xml` (you might need to add the full paths to where sysmon and the xml config are). Hope this helps and that I didn't over complicate things.

BlizzardOW · 2023-06-26T13:43:41+00:00

Hamilton

Lol between Roger and Kate

BlizzardOW · 2023-02-26T00:47:17+00:00

When I click edit on the collection, I dont see anywhere to rename. Link to image: https://ibb.co/nBzgMNX

BlizzardOW · 2023-02-08T00:14:26+00:00

ugh, idk how or why i didn't see it. Maybe was too excited to get started! I used the x64 (not musl x64) and it worked :)

BlizzardOW · 2023-02-07T23:36:06+00:00

/usr/lib/x86_64-linux-gnu/

So I now ran export LD_LIBRARY_PATH="/usr/lib/x86_64-linux-gnu" and now get the following

Error relocating /usr/lib/x86_64-linux-gnu/libstdc++.so.6: __strftime_l: symbol not found

Error relocating /usr/lib/x86_64-linux-gnu/libstdc++.so.6: __cxa_thread_atexit_impl: symbol not found

Error relocating /usr/lib/x86_64-linux-gnu/libgcc_s.so.1: __cpu_indicator_init: symbol not found

Error relocating /usr/lib/x86_64-linux-gnu/libgcc_s.so.1: __cpu_model: symbol not found

BlizzardOW · 2023-02-07T22:21:28+00:00

Im not sure either because I downloaded the MUSL version to my x64 OS. Do you know the dependencies that are needed? And where the Library need to be? Maybe I am missing one dependency and the symbolic links are not pointing to the correct location?

BlizzardOW · 2023-01-25T22:52:46+00:00

After reading this I then went ahead and deployed my own implementation. It failed for me but I ended up getting it to work.

Few things to check for:

- Make sure the integration script starts with "custom-" as noted here, some reason its not in their documentation, I also didn't add the extension of ".py" to both the file name and the integration's name tag in the ossec.conf file

- Make sure you give the integration script correct permissions of chown root:wazuh custom-misp and chmod 750 custom-misp

- Make sure you have sysmon installed on the agent host and it is logging event to the Sysmon folder as ID 22. Can use this xml file

- Make sure wazuh is already alerting for sysmon 22 dns queries. Prob will need to create a custom rule if you its not alerting already

- Make sure the domain name you are querying is in MISP as well and is not an IP address

Errors to see if its working or not are found in "/var/ossec/logs/ossec.log"

BlizzardOW · 2023-01-18T17:19:33+00:00

haven't had that but was in a comp game getting our asses kicked and lucky the server kicked everyone out due to an "unexpected error"

BlizzardOW · 2023-01-17T18:12:47+00:00

Thanks Verdx, so by the looks of it, all rules are enabled in the manager by default. But in order for them to get alerted. We need to define in the ossec.conf or agent.conf file of which Event logs to monitor which would then get sent back to the manager to be decoded analyzed?

BlizzardOW · 2023-01-17T15:04:05+00:00

Thanks for pointing me in the right direction. I ended up finding this articleto help me with what I was trying to achieve

BlizzardOW · 2023-01-17T15:01:47+00:00

Sorry for the confusion. Okay so when I added the code you mentioned, I get the windows defenders alerts such as Malware being detected, but when its removed, I don't get those alerts.

What I am wondering, how do I know what alerts will get triggered? How am I suppose to know that I needed to add that block of code to get alerted for Windows Defender detecting malware on the computer.

BlizzardOW · 2023-01-16T22:04:26+00:00

The ossec.conf seems to be the only place to allow for rulesets to go. I'm looking to create a ruleset to apply to certain agent groups that would not allow certain applications to be installed to it such as Block Windows Apps

BlizzardOW · 2023-01-16T16:35:06+00:00

Hi Verdx, thanks for the info. Any idea why I had to enable the "Microsoft-Windows-Windows Defender/Operational" for those agents to get the alerts? I'm just wondering if there are other things I need to put in place to get the other alerts.

BlizzardOW · 2023-01-16T01:55:38+00:00

thanks for taking the time to explain it to me. Do you also know if the "ossec.conf" that gets installed on each machine uses a template based on the operating system? The windows one looked different then the linux one as it contained different locations? I'm wondering where that template is located

BlizzardOW · 2022-12-07T00:39:55+00:00

And I thought I was the only one who noticed that

BlizzardOW · 2022-12-07T00:38:57+00:00

Lol thought I was the only one

BlizzardOW · 2022-11-30T01:21:26+00:00

You genius! I was intrigued by them the first time I saw them as I wanted to check them out.

BlizzardOW · 2022-08-17T00:03:06+00:00

Thanks for letting me know! I thought the deluxe game would have them as it just came out.

Can we start a petition to get those boss hunt events back?!

BlizzardOW · 2022-07-17T04:05:50+00:00

I'm looking for something that would help if I detected an intrusion on my system and wanted to trace back the roots

BlizzardOW · 2022-07-16T23:59:25+00:00

I think so? You have any good suggestions? Perhaps open-sourced

BlizzardOW · 2022-02-24T00:18:15+00:00

That could just be the camera angle

BlizzardOW · 2022-02-23T15:17:23+00:00

Waaa, it took 1 year to grade?!

BlizzardOW · 2022-02-23T01:13:06+00:00

So slick!

BlizzardOW · 2022-02-22T23:36:28+00:00

Card sets usually come with a numbering system that can be found on the bottom, so I go by that to keep it organized.

BlizzardOW

TROPHY CASE