Outgoing feed - MISP#

Note

This article describes how to configure outgoing feeds for a particular feed source. To see how to configure outgoing feeds in general, see Create and configure outgoing feeds.

Specifications

  Transport type:  MISP upload

  Content type:    MISP JSON model

  Published data:  Events, attributes, and objects.

  Description:     Publish events, attributes, and objects to the MISP Platform.

Introduction#

By configuring an outgoing feed you can push data from EclecticIQ Platform to the MISP Platform.

There are some differences between the EclecticIQ and the MISP data models. Therefore, certain constraints are applied to the outgoing feed.

The MISP model is tree-like at its core and only supports MISP attributes that are directly linked to, or are part of, an entity.

This means that the outgoing feed pushed to the MISP Platform can only include an entity if it is linked to an indicator through relationships that can be mapped to a MISP structure.

In EclecticIQ Intelligence Center, entities can be connected in ways that the MISP Platform does not support. To produce valid mappings, the outgoing feed first fetches all incidents in the dataset, then fetches every other entity in the dataset that is linked to one of those incidents and is covered by the MISP-to-EclecticIQ Platform mappings.

The outgoing feed builds a MISP-like data model from these entities and pushes it to the MISP Platform. Entities that do not meet the conditions above are not included.

For example, an indicator that is part of a MISP outgoing feed dataset but is not linked to any incident is not pushed. Similarly, an indicator that is part of a MISP outgoing feed dataset and is linked only to an incident that is not part of that dataset is not pushed to MISP.

Requirements#

  • URL used to access your MISP instance.

  • MISP Authkey.

To get a MISP Authkey:

  1. In your MISP instance, click My profile.

  2. Copy the Authkey, and store it for later.

Dataset guidelines#

When configuring a dataset, to allow granular control over the data that is synced to the MISP Platform, make sure of the following:

  • All incidents that represent events that should be pushed to MISP must be made part of the MISP outgoing feed dataset.

  • All related entities that represent data to be pushed to MISP in the form of attributes, and that are connected to the appropriate incident, must be made part of the MISP outgoing feed dataset.

IDS flags#

This extension sets the IDS flag (to_ids) to true on packaged event attributes if the corresponding entities on the platform have a tag named “IDS”.

Configure the outgoing feed#

  1. Create or edit an outgoing feed.

  2. Under Transport and content, fill out these fields:

    Note

    Required fields are marked with an asterisk (*).

    Transport type*: Select MISP upload from the drop-down menu.

    Content type*: Select MISP JSON model from the drop-down menu.

    Datasets*: Select an existing dataset from the drop-down menu. The menu only displays datasets that are compatible with the Transport type you’ve selected. See Dataset guidelines.

    Update strategy*: Select an update strategy. Supported update strategies: APPEND, REPLACE.

    MISP server URL*: Enter the URL you use to reach your MISP instance.

    MISP server API key*: Enter the API key (the MISP Authkey) used to authenticate with your MISP instance.

  3. Store your changes by selecting Save.

Execution schedule#

We recommend that the execution schedule is set to the length of time taken to update and ingest the feed plus 2 hours.

View and retrieve outgoing feed content#

  1. In the top navigation bar click Data configuration > Outgoing feeds.

  2. In the Outgoing feeds view, click anywhere in the row corresponding to the outgoing feed whose content you want to view or retrieve.

  3. In the selected outgoing feed detail pane, click the Created packages tab.

  4. In the Created packages tab, under the Download column header, click the name of a package to download it, and to save it to a target location.

Supported attributes and mapping#

The following table displays all attributes that are supported by this integration and also describes how attributes are mapped in the EclecticIQ Platform during an incoming or outgoing feed.

MISP                            EIQ Observable                                     EIQ Entity
------------------------------  -------------------------------------------------  ---------------------------
ip-src                          ipv4 / ipv6 (source)                               Multiple
ip-dst                          ipv4 / ipv6 (destination)                          Multiple
domain                          domain                                             Multiple
hostname                        host                                               Multiple
url / uri                       uri                                                Multiple
md5 / sha1 / sha256 / sha512    hash-md5 / hash-sha1 / hash-sha256 / hash-sha512   Multiple
filename                        file                                               Multiple
threat-actor                    (multiple within ThreatActor entity)               ThreatActor
campaign-name                   (name within Campaign entity)                      Campaign
link                            uri                                                Multiple
email-src                       email                                              Multiple
email-dst / target-email        email                                              Multiple
email-subject                   Indicator title                                    Indicator title
email-attachment                file                                               Multiple
attachment                      file                                               Multiple
mutex                           mutex                                              Multiple
vulnerability                   cve                                                ExploitTarget
snort                           snort                                              Test Mechanism on Indicator
yara                            yara                                               Test Mechanism on Indicator

Limitations#

  • In this integration, outgoing feeds can generate and update MISP events with simple attributes only.

    It is not possible to generate or update MISP events that contain objects, galaxies, or composite attributes.

  • Threat level metadata from a MISP event is not preserved in the Intelligence Center during MISP to Intelligence Center communication.

  • Attribute update or deletion is not supported in an EclecticIQ Platform to MISP communication.

    If an attribute is updated in EclecticIQ Intelligence Center, a new attribute is created in MISP with the updated value; the attribute holding the old value is neither updated nor deleted on the MISP Platform.

Debugging#

Caution

This is only used for debugging the MISP extension.

To test if you can connect to your MISP instance from the EclecticIQ Intelligence Center host:

  1. Start a terminal session on the EclecticIQ Intelligence Center host.

  2. Switch to the eclecticiq user:

    sudo -i -u eclecticiq
    
  3. Activate the Python virtual environment for EclecticIQ Intelligence Center:

    source /opt/eclecticiq-platform-backend/bin/activate
    
  4. Create a text file named misp_integration_test.py, and add to it the following:

    import pymisp
    
    # Replace '${misp_instance_url}' with the URL of the MISP instance connected to the platform.
    # Replace '${misp_instance_authkey}' with the Authkey of the MISP instance connected to the platform.
    MISP_URL = 'https://${misp_instance_url}'
    MISP_KEY = '${misp_instance_authkey}'
    
    # If necessary, you can also pass server and client certificates here.
    misp = pymisp.PyMISP(url=MISP_URL, key=MISP_KEY)
    
    res = misp.galaxies()
    print(res)
    
  5. Run the script:

    python misp_integration_test.py
    

Known issues#

For this feed to successfully pack MISP event objects from the indicator and incident entities in the dataset:

  • Indicators must be related to at least one incident

  • Indicator entities must have this specific relationship with incident entities:

    Incident B -- related-to --> Indicator A
    

    Example: [Figure: required relationship direction, Incident -- related-to --> Indicator]

    Other relationship types between indicator and incidents will cause this feed to not pack them as events.
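The selection rules spread over the Introduction, Dataset guidelines, IDS flags, the mapping table and this Known issues section can be read together as one packaging algorithm. The following is an added example written for this page, not EclecticIQ or MISP code: the `Entity` and `Relationship` shapes, the `OBSERVABLE_TO_MISP` subset (an inversion of a few rows of the mapping table, chosen for illustration) and the sample dataset are all constructed assumptions; only the output keys `Event`, `info`, `Attribute`, `type`, `value` and `to_ids` are the MISP JSON names the page refers to.

```python
"""Model of how a MISP outgoing feed selects and packages dataset entities.

Hypothetical re-implementation for illustration only (not EclecticIQ or
MISP code). Entity/Relationship shapes and the mapping subset are assumed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# (observable type, role) -> MISP attribute type. Illustrative subset
# inverted from the mapping table; the role separates ip-src from ip-dst.
OBSERVABLE_TO_MISP: Dict[Tuple[str, Optional[str]], str] = {
    ("ipv4", "source"): "ip-src",
    ("ipv4", "destination"): "ip-dst",
    ("domain", None): "domain",
    ("host", None): "hostname",
    ("uri", None): "url",
    ("hash-md5", None): "md5",
    ("file", None): "filename",
    ("mutex", None): "mutex",
}


@dataclass
class Entity:
    """Assumed dataset entity: incidents become events, indicators give attributes."""
    id: str
    kind: str                      # "incident" or "indicator"
    title: str
    tags: Set[str] = field(default_factory=set)
    # (observable type, value, role or None)
    observables: List[Tuple[str, str, Optional[str]]] = field(default_factory=list)


@dataclass
class Relationship:
    source: str                    # entity id the relationship starts from
    target: str                    # entity id it points to
    rel_type: str                  # e.g. "related-to"


def build_misp_events(entities: List[Entity], relationships: List[Relationship],
                      dataset: Set[str]) -> List[dict]:
    """Package the incidents in `dataset` as MISP-like events.

    Rules taken from the page: only incidents in the dataset become events;
    an indicator is attached only if it is also in the dataset and is reached
    by an Incident --related-to--> Indicator relationship (other types or the
    reverse direction are ignored); to_ids is True for the "IDS" tag;
    observables with no supported mapping are skipped.
    """
    by_id = {e.id: e for e in entities}
    events = []
    for inc_id in sorted(dataset):
        inc = by_id.get(inc_id)
        if inc is None or inc.kind != "incident":
            continue
        attributes = []
        for rel in relationships:
            if rel.source != inc.id or rel.rel_type != "related-to":
                continue
            ind = by_id.get(rel.target)
            if ind is None or ind.kind != "indicator" or ind.id not in dataset:
                continue
            for obs_type, value, role in ind.observables:
                misp_type = OBSERVABLE_TO_MISP.get((obs_type, role))
                if misp_type is None:
                    continue            # no MISP structure to map to
                attributes.append({"type": misp_type, "value": value,
                                   "to_ids": "IDS" in ind.tags, "comment": ind.title})
        events.append({"Event": {"info": inc.title, "Attribute": attributes}})
    return events


def sample_dataset():
    """Constructed sample (not real intelligence) covering each exclusion case."""
    entities = [
        Entity("inc-1", "incident", "Phishing wave"),
        Entity("inc-2", "incident", "Incident outside the dataset"),
        Entity("ind-a", "indicator", "C2 address", tags={"IDS"},
               observables=[("ipv4", "198.51.100.7", "source"),
                            ("domain", "c2.example.net", None)]),
        Entity("ind-b", "indicator", "Orphan indicator",          # MD5 of "" as filler
               observables=[("hash-md5", "d41d8cd98f00b204e9800998ecf8427e", None)]),
        Entity("ind-c", "indicator", "Linked only to inc-2",
               observables=[("uri", "http://example.org/landing", None)]),
        Entity("ind-d", "indicator", "Relationship in the wrong direction",
               observables=[("mutex", "Global\\sample-mutex", None)]),
        Entity("ind-e", "indicator", "Unsupported relationship type",
               observables=[("host", "mail.example.net", None)]),
        Entity("ind-f", "indicator", "Dropper, not tagged IDS",
               observables=[("file", "dropper.exe", None)]),
    ]
    relationships = [
        Relationship("inc-1", "ind-a", "related-to"),
        Relationship("inc-2", "ind-c", "related-to"),   # incident not in dataset
        Relationship("ind-d", "inc-1", "related-to"),   # Indicator --> Incident: wrong direction
        Relationship("inc-1", "ind-e", "indicates"),    # wrong relationship type
        Relationship("inc-1", "ind-f", "related-to"),
    ]
    dataset = {"inc-1", "ind-a", "ind-b", "ind-c", "ind-d", "ind-e", "ind-f"}
    return entities, relationships, dataset


def package_sample() -> List[dict]:
    """Build events from the constructed sample."""
    return build_misp_events(*sample_dataset())


if __name__ == "__main__":
    import json
    print(json.dumps(package_sample(), indent=2))
```

Running the block prints a single event for inc-1 carrying three attributes (ip-src and domain with to_ids true, filename with to_ids false); ind-b, ind-c, ind-d and ind-e each trip one of the exclusion rules and never reach MISP, which is the behaviour to expect when a dataset is assembled without following the Dataset guidelines.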