custom-misp.py - Returned raw log line from MISP cannot be decoded #29

Open
pandel opened this issue Jun 20, 2024 · 0 comments
pandel commented Jun 20, 2024

Hi!

I am using Wazuh 4.8.0 via Docker. I integrated the scripts and rules for MISP, and in general everything seems to work - at least as far as MISP returning some information; only Wazuh isn't able to interpret the incoming alert, a.k.a. the log line. So I tried to analyze manually what is happening.

What I did:
I installed a fresh wazuh-docker setup with only the defaults and integrated the three MISP rules (100620-100622). Then I sent the following line (which is identical to the returned information from MISP on a successful search) via the Ruleset Test page to see what happens:

1:[001] (machine) 10.90.206.32->misp:{"misp": {"event_id": "179", "category": "Network activity", "value": "zu4f.top", "type": "domain"}}

The result is as follows:

**Phase 1: Completed pre-decoding.
	full event: '1:[001] (machine) 10.90.206.32->misp:{"misp": {"event_id": "179", "category": "Network activity", "value": "zu4f.top", "type": "domain"}}'

**Phase 2: Completed decoding.
	No decoder matched.

If I change the log line to:

{"misp": {"event_id": "179", "category": "Network activity", "value": "zu4f.top", "type": "domain"}}

the result is like this:

**Phase 1: Completed pre-decoding.

**Phase 2: Completed decoding.
	name: 'json'
	misp.category: 'Network activity'
	misp.event_id: '179'
	misp.type: 'domain'
	misp.value: 'zu4f.top'

**Phase 3: Completed filtering (rules).
	id: '100622'
	level: '12'
	description: 'MISP - IoC found in Threat Intel - Category: Network activity, Attribute: zu4f.top'
	groups: '["misp","misp_alert"]'
	firedtimes: '2'
	mail: 'true'
**Alert to be generated.

I wonder if there is any kind of MISP-related decoder missing here, but every single tutorial and video I found did not mention any special decoders at all.

So, what is happening here, or what am I missing? It would be really nice if someone had an idea...

Regards,
Holger
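
The two test inputs in the post differ only by the `1:[001] (machine) 10.90.206.32->misp:` prefix. The following script is an added example, not code from this repository or from Wazuh, that models what the post shows: the prefix is treated here as a queue-message header of the form `<queue>:[<agent_id>] (<agent_name>) <agent_ip>-><location>:<payload>` (an assumption inferred from the line in the post), and a JSON decoder is modelled as "parse the line as a JSON object and flatten its keys". Run on the two lines from the post, it shows that the prefixed line is not valid JSON as a whole, while the payload left after stripping the header decodes to exactly the same `misp.*` fields as the raw line. The sample lines are copied from the post; the function names are my own.

```python
"""Split a Wazuh-style queue message into header and payload, then decode the payload as JSON."""
import json
import re

# Assumed header layout, inferred from the line in the post:
#   <queue>:[<agent_id>] (<agent_name>) <agent_ip>-><location>:<payload>
QUEUE_HEADER = re.compile(
    r"^(?P<queue>\d+):\[(?P<agent_id>[^\]]+)\] \((?P<agent_name>[^)]+)\) "
    r"(?P<agent_ip>.+?)->(?P<location>[^:]+):(?P<payload>.*)$",
    re.DOTALL,
)

# Constructed samples: the prefixed line and the raw JSON line quoted in the post.
PREFIXED_LINE = (
    '1:[001] (machine) 10.90.206.32->misp:'
    '{"misp": {"event_id": "179", "category": "Network activity", '
    '"value": "zu4f.top", "type": "domain"}}'
)
RAW_LINE = (
    '{"misp": {"event_id": "179", "category": "Network activity", '
    '"value": "zu4f.top", "type": "domain"}}'
)


def split_queue_message(line):
    """Return (header_dict, payload). Lines without a header come back as (None, line)."""
    match = QUEUE_HEADER.match(line)
    if match is None:
        return None, line
    header = {key: match.group(key)
              for key in ("queue", "agent_id", "agent_name", "agent_ip", "location")}
    return header, match.group("payload")


def flatten_json(obj, prefix=""):
    """Flatten nested dicts into dotted keys, e.g. {"misp": {"value": "x"}} -> {"misp.value": "x"}."""
    fields = {}
    for key, value in obj.items():
        name = f"{prefix}{key}"
        if isinstance(value, dict):
            fields.update(flatten_json(value, name + "."))
        else:
            fields[name] = value
    return fields


def decode_as_json(line):
    """Model of a JSON decoder: the whole line must be a JSON object, else no match (None)."""
    try:
        obj = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(obj, dict):
        return None
    return flatten_json(obj)


if __name__ == "__main__":
    for label, line in (("prefixed", PREFIXED_LINE), ("raw", RAW_LINE)):
        header, payload = split_queue_message(line)
        print(label, "decoded as a whole:", decode_as_json(line))
        print(label, "header:", header)
        print(label, "payload decoded:", decode_as_json(payload))
```

The whole prefixed line fails to parse because `1:` is not the start of a JSON object, so a decoder that expects raw JSON sees nothing to match; once the header is split off, the remaining payload yields the same `misp.category`, `misp.event_id`, `misp.type` and `misp.value` fields that the post shows for the raw line.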
