
Cyware Threat Intelligence eXchange

Integrate CTIX with MISP

MISP is an open-source Threat Intelligence Platform (TIP) for sharing, storing, and correlating Indicators of Compromise (IOCs). It also holds information about targeted attacks, threat intelligence, financial fraud, vulnerabilities, and counter-terrorism. By integrating Intel Exchange with MISP, MISP can pull threat intel from the Intel Exchange application as MISP events, and you can view that data on the MISP platform.

Before you Start

  • Ensure that you have access to the Intel Exchange and MISP platforms.

  • In Intel Exchange, enable the MISP STIX type in Administration > Configuration > TAXII Server > STIX Type to share threat data in MISP format.

Refer to the following illustration to understand the process for successfully integrating Intel Exchange with MISP:

[Illustration: CTIX_in_MISP_2x__4_.png, the Intel Exchange to MISP integration process]


Add MISP as a Subscriber in Intel Exchange

In Intel Exchange, add MISP as a STIX subscriber so that MISP can pull threat intel from Intel Exchange.

Before you Start

  • Ensure that you have a STIX collection with threat intel to share with MISP. If you do not have one, refer to Create STIX Collection for more information about creating STIX collections.

  • Ensure that you have Update Subscribers, Create Subscribers, and View Subscribers permissions.

Steps

  1. Sign in to Intel Exchange.

  2. Follow the steps mentioned in Add Subscribers Manually in CTIX to add MISP as a subscriber in Intel Exchange.

  3. Download the MISP credentials, that is, the MISP URL and the MISP Auth Key, which you enter in the MISP platform to add Intel Exchange as a server. The Auth Key authenticates every pull that MISP makes against Intel Exchange, so handle it as you would any other API secret.

Poll Threat Data for MISP

When you add a subscriber in Intel Exchange, you select one or more STIX collections whose threat data is shared from Intel Exchange with MISP. To ensure that the selected collections contain threat data to share with MISP, publish data to them in one of the following ways:

  • Use Detailed Submission to publish threat data to the collections manually.

  • Write a rule that automatically publishes threat data matching a condition to the selected collections, using the following procedure.

Before you Start

Ensure that you have the Create Rule, View Rule, and View & Update Rule permissions in Intel Exchange.

Steps

  1. Navigate to Main Menu and select Rules under Actions.

  2. Click New Rule.

  3. Enter a title and click Add.

    To add key details about the rule, such as description and tags, click Edit Details.

  4. Define the source and the collections from which the rule polls threat data for MISP.

  5. Define the condition to trigger the rule.

    For more information about defining sources, collections, and conditions, see Automation Rules.

  6. Enter the following to define the action:

    1. Select Publish To Collection as the action from the drop-down menu.

    2. Select CTIX as the application.

    3. Select an account to specify the application instance to run the rule.

    4. Set Analyser to Fast & Light to publish the information to the selected server collection.

    5. Select the server collections associated with the MISP subscriber. The rule posts intel about malicious objects and their metadata to these collections.

  7. Click Save.

Note

For more information about configuring Intel Exchange as a server, see Configure CTIX as a Server.

Pull Intel Exchange Data in MISP

In MISP, pull the data from the STIX collections associated with the MISP subscriber into MISP.

Steps

  1. Navigate to Sync Actions and select List Servers.

  2. From the list of servers, select the Intel Exchange server you added, and click Pull all on the right side of the server record.

    The pull runs as a job in the MISP queue. The pulled data appears in the events list once the job has been processed.

[Screenshot: PullCTIXDatainMISP.png, Pull all on the Intel Exchange server record]

View Intel Exchange Data in MISP

View the details of the Intel Exchange threat data received in MISP.

Steps

  1. Navigate to Event Actions and select List Events.

  2. From the Events panel, look for the latest events that have CYWARE as the Org and the instance name in Info.

    A cross (X) in the Published column means that MISP is still pulling threat intel from Intel Exchange. Wait for the cross to change to a tick mark before viewing the threat intel received from Intel Exchange.

  3. Click the Id of the data to view its details, such as event ID, UUID, objects received from Intel Exchange, tags, and more.

    A MISP event can contain multiple objects received from Intel Exchange, and each object has its own metadata, such as TLP. MISP interprets certain metadata values as tags. Hence, if you see multiple TLP values attached to an event as tags, the event comprises multiple objects, each with its own TLP. For example, if a MISP event includes an indicator, an observable, and a threat actor with TLP values AMBER, GREEN, and RED respectively, MISP shows these TLPs as three separate tags on that event. When you act on or share such an event, apply the most restrictive TLP to the event as a whole, or handle each object according to its own TLP tag.

    Note

    Intel Exchange adds the following fields as tags during a MISP export: TLP, Killchain, Types.

[Animation: ViewCTIXDatainMISP.gif, viewing an Intel Exchange event and its tags in MISP]
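The two MISP-side procedures above (pulling from the Intel Exchange server, then finding the received events and reading their TLP tags) can also be driven from a script. The following is an added example, not Cyware's or MISP's own code. The MISP URL, the API key, the server ID and the sample event are constructed; the REST paths /servers/pull/{id} and /events/index are used as MISP documents them, and the org filter on /events/index is assumed to behave like the UI's Org column. The TLP part is the check a consumer of mixed-TLP events needs: it collects every tlp: tag at event, attribute and object level, reports whether the levels are mixed, and returns the most restrictive level as the one to apply to the whole event.

```python
"""Added example (not from Cyware or MISP): pull from the Intel Exchange server
in MISP, find the resulting events, and derive the effective TLP of an event
whose Intel Exchange objects carry different TLPs."""
import json
import urllib.request

MISP_URL = "https://misp.example.internal"   # constructed; your MISP instance
MISP_API_KEY = "REPLACE_WITH_MISP_API_KEY"   # constructed; treat as a secret

# Less restrictive first. tlp:clear is the TLP 2.0 name for tlp:white.
TLP_RANK = {"white": 0, "clear": 0, "green": 1, "amber": 2, "amber+strict": 3, "red": 4}


def misp_request(path, method="GET", body=None):
    """Authenticated MISP REST call; returns the decoded JSON response."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        f"{MISP_URL.rstrip('/')}/{path.lstrip('/')}",
        data=data,
        method=method,
        headers={"Authorization": MISP_API_KEY,
                 "Accept": "application/json",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


def pull_from_server(server_id):
    """Same as Sync Actions > List Servers > Pull all; MISP queues the job."""
    return misp_request(f"/servers/pull/{server_id}")


def list_events(org="CYWARE"):
    """Events index filtered to the organisation Intel Exchange events arrive under
    (assumed filter body; adjust if your MISP version expects different keys)."""
    return misp_request("/events/index", "POST", {"org": org})


def intel_exchange_events(index, instance_name, org="CYWARE"):
    """Keep published events from Intel Exchange for the given subscriber instance.
    Accepts either {'Event': {...}} items or bare event dicts."""
    out = []
    for item in index:
        ev = item.get("Event", item)
        creator = (ev.get("Orgc") or ev.get("Org") or {}).get("name", "")
        if creator == org and instance_name in ev.get("info", "") and ev.get("published"):
            out.append(ev)
    return out


def _tlps(tags):
    """TLP levels named by a MISP tag list, e.g. [{'name': 'tlp:amber'}] -> {'amber'}."""
    levels = set()
    for tag in tags or []:
        name = tag.get("name", "").lower()
        if name.startswith("tlp:") and name[4:] in TLP_RANK:
            levels.add(name[4:])
    return levels


def event_tlp_summary(event):
    """Collect TLP tags from the event, its attributes and its objects' attributes.
    Returns the levels present, whether they are mixed, the per-attribute level,
    and the effective (most restrictive) level to apply to the whole event."""
    ev = event.get("Event", event)
    present = _tlps(ev.get("Tag"))
    attrs = list(ev.get("Attribute", []))
    for obj in ev.get("Object", []):
        attrs.extend(obj.get("Attribute", []))
    per_attribute = {}
    for attr in attrs:
        levels = _tlps(attr.get("Tag"))
        present |= levels
        key = attr.get("uuid") or attr.get("value")
        per_attribute[key] = max(levels, key=TLP_RANK.get) if levels else None
    effective = max(present, key=TLP_RANK.get) if present else None
    return {
        "tlps_present": present,
        "mixed": len({TLP_RANK[level] for level in present}) > 1,
        "effective_tlp": effective,
        "per_attribute": per_attribute,
    }


# Constructed sample: one event holding three Intel Exchange objects (an IP
# indicator, a domain observable, a threat actor) with different TLPs, which
# MISP surfaces as three tlp: tags on the event itself.
SAMPLE_EVENT = {"Event": {
    "id": "12", "uuid": "00000000-0000-4000-8000-000000000012",
    "info": "ctix-prod", "published": True, "Orgc": {"name": "CYWARE"},
    "Tag": [{"name": "tlp:amber"}, {"name": "tlp:green"}, {"name": "tlp:red"}],
    "Attribute": [
        {"uuid": "a1", "type": "ip-dst", "value": "198.51.100.7", "Tag": [{"name": "tlp:amber"}]},
        {"uuid": "a2", "type": "domain", "value": "example.invalid", "Tag": [{"name": "tlp:green"}]},
    ],
    "Object": [{"name": "threat-actor", "Attribute": [
        {"uuid": "a3", "type": "text", "value": "ActorX", "Tag": [{"name": "tlp:red"}]},
    ]}],
}}

if __name__ == "__main__":
    # Offline demonstration; pull_from_server(<server id>) and list_events()
    # would be called here against a live MISP.
    print(json.dumps(event_tlp_summary(SAMPLE_EVENT), default=sorted, indent=2))
```

For the sample event the summary reports the levels amber, green and red as present, flags the event as mixed, and returns red as the effective TLP, with the per-attribute map preserving each object's own level for consumers that can act at attribute granularity.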