
Cyware Threat Intelligence eXchange

Integrate CTIX with MISP

MISP is an open-source threat intelligence platform (TIP) that facilitates sharing, storing, and correlating information on Indicators of Compromise (IOCs). It also provides comprehensive information about targeted attacks, threat intelligence, financial fraud, vulnerabilities, and counter-terrorism. By integrating CTIX with MISP, you can pull threat intel from the CTIX application into MISP events and view this data on the MISP platform.

Before you Start

  • Ensure that you have access to the CTIX and MISP platforms.

  • In CTIX, enable the MISP STIX type in Administration > Configuration > TAXII Server > STIX Type to share threat data in MISP format.

Refer to the following illustration to understand the process for successfully integrating CTIX with MISP:

[Illustration: process for integrating CTIX with MISP]


Add MISP as a Subscriber in CTIX

In CTIX, add MISP as a STIX subscriber to pull threat intel from CTIX.

Before you Start

  • Ensure that you have a STIX collection with threat intel to share with MISP. In case you don't have a collection, refer to Create STIX Collection for more information about creating STIX collections.

  • Ensure that you have Update Subscribers, Create Subscribers, and View Subscribers permissions.

Steps

  1. Sign in to CTIX.

  2. Follow the steps mentioned in Add Subscribers Manually in CTIX to add MISP as a subscriber in CTIX.

  3. Download the MISP credentials, that is, the MISP URL and the MISP Auth Key, which you need to integrate CTIX in the MISP platform.

Poll Threat Data for MISP

In CTIX, while adding a subscriber, you select one or more STIX collections to share threat data from CTIX to MISP. To ensure that the selected collections have threat data to share with MISP, you can publish data to the collections in the following ways:

  • Submit Detailed Intel to publish threat data to the collections.

  • Write a rule that automatically publishes threat data matching a condition to the selected collections, using the following procedure.

Before you Start

Ensure that you have the Create Rule, View Rule, and View & Update Rule permissions in CTIX.

Steps

  1. Navigate to Main Menu and select Rules under Actions.

  2. Click New Rule.

  3. Enter a title and click Add.

    To add key details about the rule, such as description and tags, click Edit Details.

  4. Define the source and collections for the rule to poll threat data for MISP.

  5. Define the condition to trigger the rule.

    For more information about defining sources, collections, and conditions, see Automation Rules.

  6. Enter the following to define the action:

    1. Select Publish To Collection as the action from the drop-down menu.

    2. Select CTIX as the application.

    3. Select an account to specify the application instance to run the rule.

    4. Set Analyser to Fast & Light to publish the information to the selected server collection.

    5. Select server collections associated with the MISP subscriber to post intel about malicious objects and their metadata.

  7. Click Save.

Note

For more information about configuring CTIX as a server, see Configure CTIX as a Server.

Pull CTIX Data in MISP

In MISP, pull the associated STIX collections' data into MISP.

Steps

  1. Navigate to Sync Actions and select List Servers.

  2. From the list of servers, select the instance you added, and click Pull all on the right side of the server record.

    The pulled data is stored in the MISP queue and you can view the pulled data in the events list after it is picked from the queue.

[Screenshot: Pull CTIX data in MISP]

View CTIX Data in MISP

View the details of the CTIX threat data received in MISP.

Steps

  1. Navigate to Event Actions and select List Events.

  2. From the Events panel, look for the latest data received from CYWARE as the Org, and the instance name in Info.

    If you see a cross (X) in Published, it means MISP is still pulling threat intel from CTIX. Wait for the cross to change to a tick mark to view the threat intel received from CTIX.

  3. Click the Id of the data to view its details, such as event ID, UUID, objects received from CTIX, tags, and more.

    A MISP event can contain multiple objects received from CTIX. Each object has its own TLP attached to it, and MISP interprets these values as tags. Hence, if you observe multiple TLP values attached to an event as tags, it implies that the event comprises multiple objects. For example, if a MISP event receives an indicator, an observable, and a threat actor with TLP values of AMBER, GREEN, and RED respectively, MISP attaches all three TLP values to the event as tags.

[Animation: View CTIX data in MISP]
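The manual checks in the steps above (Org is CYWARE, the Published flag is set, and which TLP tags the event carries) can be scripted against the event JSON that MISP's REST API returns for an event. This is an added example, not code from Cyware's documentation or from MISP; the sample event is constructed, and the object names and the most-restrictive-TLP ranking are assumptions, while the JSON layout (Event.published, Event.Orgc.name, Event.Tag, Event.Object[].Attribute[].Tag) follows the standard MISP event format.

```python
import json

# TLP levels from least to most restrictive (TLP 2.0 names plus the legacy
# "white" still used by older MISP taxonomies). Assumed ordering, not from the page.
TLP_ORDER = ["tlp:white", "tlp:clear", "tlp:green", "tlp:amber",
             "tlp:amber+strict", "tlp:red"]

def _tlp_tags(tags):
    """Return the lower-cased TLP tag names from a MISP Tag list (None-safe)."""
    return [t["name"].lower() for t in tags or []
            if t.get("name", "").lower().startswith("tlp:")]

def summarize_ctix_event(event_json):
    """Summarize one MISP event dict as returned by /events/view/<id>."""
    ev = event_json["Event"]
    # Both the owner org and the creator org are checked for the CYWARE name.
    orgs = {ev.get("Org", {}).get("name"), ev.get("Orgc", {}).get("name")}
    all_tlps = set(_tlp_tags(ev.get("Tag")))
    # Each CTIX object arrives with its own TLP; MISP stores it as a tag on the
    # event and/or on the object's attributes, so both places are collected.
    for obj in ev.get("Object", []):
        for attr in obj.get("Attribute", []):
            all_tlps.update(_tlp_tags(attr.get("Tag")))
    ranked = sorted(all_tlps,
                    key=lambda t: TLP_ORDER.index(t) if t in TLP_ORDER else -1)
    return {
        "from_cyware": "CYWARE" in orgs,
        "published": bool(ev.get("published")),   # tick mark in the Events list
        "info": ev.get("info"),
        "tlp_tags": sorted(all_tlps),
        "most_restrictive_tlp": ranked[-1] if ranked else None,
        "object_count": len(ev.get("Object", [])),
    }

# Constructed sample event mirroring the example in the text: three objects
# (indicator, observable, threat actor) tagged AMBER, GREEN and RED.
SAMPLE_EVENT = {"Event": {
    "id": "42", "info": "ctix-subscriber-01", "published": True,
    "Org": {"name": "CYWARE"}, "Orgc": {"name": "CYWARE"},
    "Tag": [{"name": "tlp:amber"}, {"name": "tlp:green"}, {"name": "tlp:red"}],
    "Object": [
        {"name": "indicator", "Attribute": [
            {"type": "ip-dst", "value": "203.0.113.7", "Tag": [{"name": "tlp:amber"}]}]},
        {"name": "observable", "Attribute": [
            {"type": "domain", "value": "example.invalid", "Tag": [{"name": "tlp:green"}]}]},
        {"name": "threat-actor", "Attribute": [
            {"type": "text", "value": "constructed-actor", "Tag": [{"name": "tlp:red"}]}]},
    ],
}}

if __name__ == "__main__":
    print(json.dumps(summarize_ctix_event(SAMPLE_EVENT), indent=2))
```

If the summary reports `published` as False, the event is still being pulled and its objects should not yet be relied on; the most restrictive TLP is the level to honour if the event is re-shared downstream.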