Cyware Threat Intelligence eXchange

MISP

Connector Category: API Feed Source

About Integration

MISP is an open-source threat intelligence platform that facilitates sharing, storing, and correlating information on Indicators of Compromise. It also provides comprehensive information about targeted attacks, threat intelligence, financial fraud, vulnerability, or counter-terrorism.

You can integrate the MISP threat intelligence platform with CTIX and use the MISP events data available in the CTIX application.

Using this integration, CTIX can continuously receive real-time threat intelligence feeds. You can use the features of CTIX to enhance, share, or define relationships for the IOCs received from the MISP events.

You can ingest MISP events data into CTIX in the following ways:

Import MISP file in CTIX

If you have a MISP file format, you can import it directly into CTIX as threat intel.

To import the MISP file, do the following:

  1. In CTIX, click +New on the top right corner.

  2. Select Import Intel.

  3. Select MISP as the format from the drop-down list.

  4. Select a collection to post the threat data from the MISP file.

  5. Click Upload File and browse the MISP JSON file to import. Ensure that the file is less than 10 MB.

  6. Click Import.

Configure MISP as an Integration Tool

MISP is available as an out-of-the-box integration in the CTIX application.

To configure MISP as an integration tool, do the following:

Configure MISP App in CTIX

Configure the MISP API feed source to receive events from MISP into Intel Exchange.

Before you Start

  • You must have the View API Feed, View Feed Source, Create Feed Source, and Update Feed Source permissions in Intel Exchange.

  • You must have the base URL and authentication key of the MISP instance.

Steps

To configure MISP as an API feed source in Intel Exchange, follow these steps:

  1. Go to Administration > Integration Management and select APIs under FEED SOURCES.

  2. Click Add API Source.

  3. Search and select the MISP app.

  4. Click Add Instance and enter the following details:

    • Instance Name: Enter a unique name to identify the instance. For example, MISP-Events.

    • Base URL: Enter the base URL of the MISP instance.

    • API Key: Enter the API key to authenticate communication between the Intel Exchange and MISP servers.

    • Proxy URL: To ingest feeds from MISP using a proxy, enter the URL of the proxy server. For example, https://www.sampledomain.com.

    • Verify SSL: Select this option to verify the SSL certificate and secure the connection between the Intel Exchange and MISP servers. By default, Verify SSL is selected.

      Note

      We recommend that you select Verify SSL. If you disable this option, Intel Exchange may configure an instance against an expired SSL certificate; the connection may then not be established properly, and Intel Exchange will not be able to notify you of a broken or improper connection.

  5. Click Save.

After the MISP instance is configured successfully, you can configure and enable the feed channels to receive feeds.

Configure Feed Channels for the MISP Integration

After configuring your MISP app, you have to configure and enable the feed available for this integration. For MISP integration, you can configure the Retrieve MISP Events feed channel.

Steps

To configure the Retrieve MISP Events feed channel, follow these steps:

  1. Go to Administration > Integration Management and select APIs under FEED SOURCES.

  2. Search and select the MISP app.

  3. Click the vertical ellipsis on the top right corner and select Manage.

  4. Click Manage Feed Channels and select the Retrieve MISP Events feed channel.

  5. Enable the feed channel and enter the following details:

    • Start Date and Time: Enter the date and time to start polling feeds. Select a date within 15 days from the current date.

    • Collection Name: Enter the name of the collection to store the feed data. For example, MISP Feeds. A collection is created with the specified name to store all the feeds from the feed channel.

    • Published: Select this option to receive only published events from MISP. If you do not select this option, then Intel Exchange polls all events including unpublished events.

    • Filters: To filter events based on specific parameters, follow these steps:

      1. Filter: Select a parameter to filter events on. The supported parameters are Sharing Group and Organization. The values of the selected parameter that exist in the configured MISP instance are listed under Value.

      2. Value: Select the values to retrieve specific events. For example, Internal Sharing Group. Events associated with the selected values will be ingested.

    • Polling Cron Schedule: Select from one of the following polling types to define the polling schedule:

      • Manual: Allows you to manually poll from the source collection.

      • Auto: Allows you to automatically poll for threat intel from sources at specific time intervals. The default polling cron schedule is Auto. Enter a frequency in minutes between 60 and 10080 minutes in Polling Time. The default polling time is 240 minutes.

    • Default TLP: Set a default TLP to assign to the feeds that do not have a TLP already assigned by the source. By default, the default TLP is set to Amber.

    • Default Source Confidence: Set a default Confidence Score to assign to the feeds that do not have a score already assigned by the source. By default, the default Confidence Score is set to 100.

    • Tags: Select the tags to identify and categorize the feeds.

  6. Click Save.

The feed channel is configured and you can poll feeds from the channel.
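As an added example (not Cyware's or MISP's code), the following Python checks a Retrieve MISP Events channel configuration against the limits stated above and then applies the Published filter, the Start Date cut-off, and the Default TLP and Default Source Confidence rules to a constructed batch of MISP-style events. It assumes that MISP's tlp:* tags carry the source-assigned TLP, that a source-assigned confidence (if any) sits in a constructed confidence key, and that events older than the Start Date are not polled; the channel settings and events are constructed samples.

```python
from datetime import datetime, timedelta, timezone

POLL_MIN, POLL_MAX = 60, 10080      # Polling Time limits in minutes, per the page
START_WINDOW = timedelta(days=15)   # Start Date must lie within 15 days of now
TLP_TAG = "tlp:"                    # MISP tlp taxonomy tag prefix, e.g. "tlp:red"


def validate_channel(cfg, now):
    """Return violations of the page's stated limits (empty list = acceptable)."""
    problems = []
    if cfg["polling"] == "Auto" and not POLL_MIN <= cfg["polling_minutes"] <= POLL_MAX:
        problems.append(f"Polling Time must be between {POLL_MIN} and {POLL_MAX} minutes")
    if not now - START_WINDOW <= cfg["start"] <= now:
        problems.append("Start Date and Time must be within 15 days of the current date")
    return problems


def event_tlp(event):
    """TLP from the event's tlp:* tag, or None when the source assigned none."""
    for tag in event.get("Tag", []):
        name = tag.get("name", "").lower()
        if name.startswith(TLP_TAG):
            return name[len(TLP_TAG):].capitalize()
    return None


def select_events(events, cfg):
    """Apply the Published filter and Start Date cut-off, then fill in defaults."""
    selected = []
    for ev in events:
        if cfg["published_only"] and not ev.get("published", False):
            continue                      # Published selected: skip unpublished events
        changed = datetime.fromtimestamp(int(ev["timestamp"]), tz=timezone.utc)
        if changed < cfg["start"]:
            continue                      # assumed: events older than Start Date are not polled
        selected.append({"id": ev["id"],
                         "tlp": event_tlp(ev) or cfg["default_tlp"],
                         "confidence": ev.get("confidence", cfg["default_confidence"])})
    return selected


NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)   # constructed "now" for a repeatable run
CHANNEL = {"start": NOW - timedelta(days=7), "polling": "Auto", "polling_minutes": 240,
           "published_only": True, "default_tlp": "Amber", "default_confidence": 100}
def _ts(days_ago):                        # MISP stores timestamp as an epoch-seconds string
    return str(int((NOW - timedelta(days=days_ago)).timestamp()))
EVENTS = [                                # constructed MISP-style events, real field names
    {"id": "1", "published": True,  "timestamp": _ts(1),  "Tag": [{"name": "tlp:red"}]},
    {"id": "2", "published": False, "timestamp": _ts(1),  "Tag": [{"name": "tlp:green"}]},
    {"id": "3", "published": True,  "timestamp": _ts(3),  "Tag": [{"name": "type:OSINT"}]},
    {"id": "4", "published": True,  "timestamp": _ts(20), "Tag": []},  # before Start Date
]
```

Running select_events(EVENTS, CHANNEL) keeps events 1 and 3 only; event 1 retains its source TLP Red, while event 3 receives the channel default Amber, and both get the default confidence of 100.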

Poll for MISP Feeds Manually

If you enable Auto Polling while configuring feed channels, the polling will be done automatically. However, if you want to poll for information manually, use the following process.

Steps

  1. From Administration, open Integration Management and select APIs under FEED SOURCES.

  2. Select MISP.

  3. Select the feed channel.

  4. Click the feed channel ellipsis and choose Poll Now.

View MISP Feeds on CTIX

After configuring the MISP integration on the CTIX application, you can view intel received on the CTIX application. The CTIX application mainly receives Indicator STIX Objects through this integration.

  1. On the MISP integration configuration page, select View Intel.

  2. View the indicators received from MISP in Threat Data.

MISP Objects Ingested in CTIX

MISP objects are used in the MISP system and can also be used by other information sharing tools. These objects and their associated attributes are created based on real-world cyber security use cases. For more information about MISP objects, see MISP Objects.

In CTIX, all intel that is received is converted into STIX objects. The following MISP objects and attribute types received in CTIX are converted to the corresponding STIX objects. All other MISP objects are converted to custom objects.

  • ASN

  • CIDR

  • Domain

  • Email

  • IP

  • MAC address

  • MD5

  • Mutex

  • Port

  • Registry Key

  • SHA1

  • SHA224

  • SHA256

  • SHA384

  • SHA512

  • SSDEEP

  • URL

  • Malware

  • Threat Actor

  • Attack Pattern

  • Course of Action

  • DDoS

  • DNS Record

  • Domain crawled

  • Domain IP

  • Geo location

  • HTTP request

  • Phishing kit

  • Registry key

  • Report

  • Shortened link

  • STIX2 pattern

  • Tor-node

  • Victim

Publish MISP Feed to Collections

CTIX enables you to publish malicious objects with context and metadata received from MISP to subscribers so that they can take action and share with others.

To publish MISP feed to the collections, do the following:

  1. From Administration, select Integration Management, and select Rules under Actions.

  2. Click New Rule.

  3. Enter the rule name and description to identify the rule.

  4. Select Tags to categorize and identify the rule.

  5. Click Submit.

  6. In the Source box, select MISP and its collections from the Source and Collection drop-down menu to poll threat intel.

  7. Define a condition to apply to the rule.

    For more information on defining rules and conditions, see Automation Rules.

  8. To define an action after a condition has been met, add an action by hovering below the condition box or expand Actions under Component on the left side of the screen and select Publish to Collection.

  9. Select CTIX as the application to implement the rule.

  10. Select the default account for the application.

  11. Select Fast & Light as the Analyser to publish the information in non-editable mode.

  12. Select server collections to post the intel about malicious objects and metadata.

  13. Click Save.

Add MISP as a STIX Subscriber in CTIX

In CTIX, configure MISP as a STIX subscriber to send threat intel from CTIX. Keep the MISP credentials, that is, the MISP URL and the MISP Authkey, handy to configure CTIX in the MISP platform. For more information on adding a STIX subscriber in CTIX, see Add Subscribers Manually in CTIX.