Help Integrating Wazuh, MISP, and Logstash into a Preventive Security Analysis Module

Hi everyone,

I'm currently working on a preventive security analysis module as part of a project, and I'm integrating the following components:

  • Wazuh for SIEM and endpoint monitoring (running via Docker)
  • MISP for threat intelligence feeds (also Dockerized)
  • Logstash for parsing and enriching log data

My objective is to:

  1. Collect endpoint logs via Wazuh.
  2. Forward relevant events to Logstash for processing.
  3. Enrich or correlate this data using threat intel from MISP.
  4. Optionally forward enriched logs to OpenSearch or Elasticsearch for visualization in Kibana or Dashboards.

I’ve already got each service up and running in Docker containers. My questions are:

  • What is the recommended way to pull MISP data into Logstash? Is it best to use the MISP JSON API with the http_poller plugin?
  • How can I ensure Logstash and Wazuh are efficiently integrated while keeping performance optimized in Docker?
  • Should enrichment happen directly in Logstash, or is it more efficient to do correlation in Wazuh before shipping logs?
  • Any sample pipelines or community plugins that could help with this kind of setup?

Any guidance, examples, or links to similar use cases would be really appreciated!

Thanks in advance!
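For the MISP-to-Logstash question above, here is a single Logstash pipeline as an added example (not from the original post or any of the projects named): it polls MISP's `/attributes/restSearch` with `http_poller`, writes the returned IP indicators to a CSV dictionary, and uses the `translate` filter to tag Wazuh alerts whose destination IP appears in that dictionary. Assumed (not on the page): MISP is reachable from the Logstash container as `https://misp` with its certificate trusted by the Logstash JVM, the API key is in the `MISP_KEY` environment variable, and the Wazuh manager's `alerts.json` is volume-mounted at `/wazuh/alerts.json`.

```conf
# Added example pipeline; hostnames, paths and the field [data][dstip] are assumptions.
input {
  http_poller {
    urls => {
      misp => {
        method  => post
        url     => "https://misp/attributes/restSearch"
        headers => {
          "Authorization" => "${MISP_KEY}"         # MISP auth key from the environment
          "Accept"        => "application/json"
          "Content-Type"  => "application/json"
        }
        # Only published, to_ids IP indicators touched in the last day
        body => '{"returnFormat":"json","type":["ip-dst","ip-src"],"to_ids":true,"published":true,"timestamp":"1d"}'
      }
    }
    schedule => { every => "1h" }
    codec    => "json"        # response body becomes [response][Attribute][...]
    tags     => ["misp"]
  }
  file {
    path  => "/wazuh/alerts.json"   # Wazuh manager alerts, mounted into Logstash
    codec => "json"
    tags  => ["wazuh"]
  }
}
filter {
  if "misp" in [tags] {
    split { field => "[response][Attribute]" }   # one event per MISP attribute
    mutate {
      rename => {
        "[response][Attribute][value]"    => "ioc_value"
        "[response][Attribute][event_id]" => "ioc_event"
      }
    }
  } else if "wazuh" in [tags] and [data][dstip] {
    translate {
      source           => "[data][dstip]"
      target           => "misp_event_id"
      dictionary_path  => "/etc/logstash/misp_iocs.csv"
      refresh_interval => 3600
      add_tag          => ["misp_match"]   # only applied when the lookup hits
    }
  }
}
output {
  if "misp" in [tags] {
    file {
      path  => "/etc/logstash/misp_iocs.csv"
      codec => line { format => "%{ioc_value},%{ioc_event}" }
    }
  } else if "misp_match" in [tags] {
    elasticsearch { hosts => ["https://elasticsearch:9200"] index => "wazuh-enriched-%{+YYYY.MM.dd}" }
  }
}
```

The CSV is append-only, so duplicate indicators accumulate and revoked ones never disappear; rotate the file between polls (or swap the file output for a memcached/Redis-backed lookup) before relying on it for alerting. The `elasticsearch` output ships with Logstash; for OpenSearch, install the `logstash-output-opensearch` plugin and use its `opensearch { ... }` block in its place.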