socfortress / Wazuh-Rules

Advanced Wazuh Rules for more accurate threat detection. Feel free to implement within your own Wazuh environment, contribute, or fork!
https://www.socfortress.co

MISP Python script - creating error Wazuh #13

Closed Braedach closed 1 year ago

Braedach commented 1 year ago

Taylor,

Sorry to bother you again, but I have an issue with the Python script here.

https://github.com/socfortress/Wazuh-Rules/blob/main/MISP/custom-misp.py

Wazuh logs are reporting an error as below.

Jun 21, 2023 @ 20:35:17.000 wazuh-integratord ERROR Unable to run integration for custom-misp.py -> integrations
Jun 21, 2023 @ 20:35:17.000 wazuh-integratord ERROR While running custom-misp.py -> integrations. Output: KeyError: 'data'

MISP integration is limited to type 3 and 22 at this time.

Attempts to rectify the issue:

  1. Check MISP application logs for API access - correct
  2. Script is correct in relation to URL and API key
  3. Check Sysmon installation on all Windows endpoints - configuration file not iaw with this repository
  4. Change configuration file to the one SOCFortress uses and restart endpoints (miles out of date - yours no changes in 2 years)
  5. Rewatch your YouTube video and confirm that Rule.Groups is correct iaw the Python script - yes
  6. Access local MISP server - search for malicious domains and ping them. No alerts
  7. Replace the entire custom-misp.py file with the raw copy, changing URL and API key and issuing the reboot command

Wazuh version: v4.4.3
MISP version: latest via MISP WebUI
Current API calls since implementation = 110500
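The `KeyError: 'data'` in the log above is what a Wazuh integration script produces when it indexes `alert["data"]` on an alert that has no `data` object (for example, a non-Sysmon alert routed to the integration, or an integration block whose `rule_id`/`group` filter is wider than intended). The snippet below is an added example, not the repository's `custom-misp.py` and not code from the issue author; it assumes the standard Wazuh Windows event decoding layout (`data.win.system.eventID`, `data.win.eventdata.queryName`, `data.win.eventdata.destinationIp`), restricts itself to the Sysmon event IDs 3 and 22 the post says the integration supports, and returns `None` instead of raising on malformed input so the integratord wrapper does not log a traceback. Sample alerts are constructed inline.

```python
import json
import sys
from typing import Optional, Tuple

# Sysmon event IDs the MISP lookup is limited to (per the issue text):
# 3 = network connection, 22 = DNS query.
SUPPORTED_EVENT_IDS = {"3", "22"}

# Constructed sample alerts in the Wazuh JSON layout (assumed field names).
SAMPLE_ALERTS = [
    {   # Sysmon event 22: DNS query -> indicator is the queried name
        "rule": {"groups": ["windows", "sysmon", "sysmon_event_22"]},
        "data": {"win": {"system": {"eventID": "22"},
                         "eventdata": {"queryName": "example-lookup.test"}}},
    },
    {   # Sysmon event 3: network connection -> indicator is the destination IP
        "rule": {"groups": ["windows", "sysmon", "sysmon_event3"]},
        "data": {"win": {"system": {"eventID": "3"},
                         "eventdata": {"destinationIp": "203.0.113.10"}}},
    },
    {   # Sysmon event 1 (process create): supported layout, unsupported ID
        "rule": {"groups": ["windows", "sysmon", "sysmon_event1"]},
        "data": {"win": {"system": {"eventID": "1"},
                         "eventdata": {"image": "C:\\Windows\\notepad.exe"}}},
    },
    {   # Alert with no "data" object at all: alert["data"] would raise KeyError
        "rule": {"groups": ["syscheck"]},
        "full_log": "Integrity checksum changed.",
    },
]


def extract_ioc(alert: dict) -> Optional[Tuple[str, str]]:
    """Return (event_id, indicator) for a supported Sysmon alert, else None.

    Every level is read with .get() so an alert that lacks "data", "win",
    "system" or "eventdata" is skipped instead of crashing the integration.
    """
    data = alert.get("data")
    if not isinstance(data, dict):
        return None
    win = data.get("win")
    if not isinstance(win, dict):
        return None
    event_id = str(win.get("system", {}).get("eventID", ""))
    if event_id not in SUPPORTED_EVENT_IDS:
        return None
    eventdata = win.get("eventdata", {})
    # Event 22 carries the DNS name; event 3 carries the destination address.
    field = "queryName" if event_id == "22" else "destinationIp"
    indicator = eventdata.get(field)
    if not indicator:
        return None
    return event_id, indicator


def collect_iocs(alerts) -> list:
    """Run extract_ioc over a batch and keep only the usable (id, ioc) pairs."""
    return [ioc for ioc in (extract_ioc(a) for a in alerts) if ioc is not None]


def load_alert_file(path: str) -> list:
    """Wazuh passes the alert file path as argv[1]; tolerate a bad file too."""
    try:
        with open(path, "r", encoding="utf-8") as fh:
            doc = json.load(fh)
    except (OSError, ValueError):
        return []
    # integratord hands over one alert object; accept a list as well.
    return doc if isinstance(doc, list) else [doc]


if __name__ == "__main__":
    alerts = load_alert_file(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ALERTS
    for event_id, ioc in collect_iocs(alerts):
        print(f"event {event_id}: would look up {ioc} in MISP")
```

Run it with no arguments to see the constructed alerts processed; with the Wazuh alert file path as the first argument it reads the real alert instead. The point of the structure is that the unsupported-ID and missing-`data` cases fall through to `None` rather than surfacing as the `KeyError` shown in the issue, so a mis-scoped integration block shows up as silent no-ops in the output instead of integratord errors.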

Braedach commented 1 year ago

Found the error. Closed. Apologies