MISP integration with SecurityOnion 2.4

[Harbhr]

Hello
we want to integrate SecurityOnion 2.4 with MISP, we followed the tutorial bellow:
https://github.com/weslambert/securityonion-misp
but we got the attached error:
Are those instructions still valid for securityonion 2.4 ?
Regards.

[cm-ops]

Have you tried using the MISP threat intel integration? https://docs.elastic.co/en/integrations/ti_misp

[InfosecGoon]

How do you want to "integrate" MISP into Security Onion?

The Github project that you linked to is using MISP's ability to generate Zeek and Suricata rules to take threat intel from MISP and make detection rules for it. That should still work, although the scripts may need a little tweaking to accommodate changes from 2.3 to 2.4.

The threat intel integration that cm-ops suggested would ingest the threat intel directly into Elasticsearch, where you could review it in SOC but it wouldn't generate any alerts or anything unless you set up an enrichment pipeline on the back end in Elastic.

So, what's your ultimate goal here?

[Harbhr]

Hello
We can't get the events from MISP on Hunt using MISP Integration
please see the configuration we made:

However the commande

curl -- insecure --header "Authorization: Our API Key"
--header "Accept: application/json"
--header "Content-Type: application/json" -kinsecure https://192.168.33.153/events

works properly and we can see the events and the attributes

Also
-We want to use MISP Iocs to generate Zeek alerts, we've tried to use the script from https://github.com/weslambert/securityonion-misp, but we get the following error.
Regards.

[InfosecGoon]

If you manually generate Zeek Intel rules in MISP and put them in /opt/so/saltstack/local/salt/zeek/policy/intel/intel.dat on the Manager, do they function as expected?

Documentation: https://docs.securityonion.net/en/2.4/zeek.html#intel

[camdg12]

Hello
We can't get the events from MISP on Hunt using MISP Integration in securityonion2.4

please see the configuration we made:
Can someone help
Thanks.