MISP | Version 2 | Default Incoming feed
With Default Incoming feeds for MISP v2 you can ingest feeds offered in MISP format.
Either v2 or v1
Running any MISP v1 feeds at the same time as MISP v2 feeds is discouraged as it might lead to data corruption.
Specifications
| Transport type | MISP API V2 |
|---|---|
| Content type | MISP API V2 |
| Ingested data | MISP Events, related Objects, and Attributes related to those Objects. |
| Processed data | |
Configure the Incoming feed
Note
This article describes how to configure incoming feeds for a particular feed source. To see how to configure incoming feeds in general, see Create and configure incoming feeds.
Create an Incoming feed.
From the Transport type drop-down menu, select MISP API v2.
From the Content type drop-down menu, select MISP API V2.
Under Transport configuration, enter the MISP URL of the feed you want to ingest.
This can be either the base URL of the feed or the URL of the feed’s manifest.json.
If required for the feed, enter your HTTP username and HTTP password.
(Optional) With the checkboxes, you can choose whether to:
only ingest published MISP events.
prioritize TLP tags.
Read more about TLP versus Distribution below.
add tags to ingested intelligence objects that have IDS flags to convey those flags.
From the Default malicious level for IDS flag drop-down menu, select the maliciousness level you’d like to have applied to ingested intelligence objects that have an IDS flag.
(Optional) In the Filter by tags field, enter a list of comma-separated MISP tags. Events that do not have at least one of the tags you include here will not be ingested (nor will the Objects and Attributes related to them).
Under Ingest only the events created after this date select the earliest event creation date you are interested in.
(Optional) In the Filter by MISP event info field, enter a regular expression search query. MISP events whose Event info field contents match the query will NOT be ingested into EclecticIQ Intelligence Center (nor will the Objects and Attributes related to them).
(Optional) In the Filter by the creating organization’s name field, enter a regular expression search query.
MISP events whose Creator org field contents match the query will NOT be ingested into EclecticIQ Intelligence Center (nor will the Objects and Attributes related to them).
(Optional) Check the Use SSL cert keys box.
Read more about SSL cert keys.
(Optional) Check the Use client cert and key box.
If you do, enter the Client cert location and Client key location.
(Optional) Check the SSL verification box.
If you do, enter the Path to SSL certificate.
Pick a date to Start ingesting from.
To store your changes, click Save. To discard them, click Cancel.
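The filters above pull in opposite directions: Filter by tags keeps only events carrying a listed tag, while the two regular expression filters drop events that match. The sketch below is an added example, not EclecticIQ code, that previews how those settings combine over constructed events in MISP JSON layout. The function names, the use of `re.search`, exact tag comparison and the order of the checks are assumptions.

```python
import re

# Constructed sample events in MISP JSON layout (info, published, Orgc, Tag).
SAMPLE_EVENTS = [
    {"info": "Phishing campaign against banks", "published": True,
     "Orgc": {"name": "CERT-Example"}, "Tag": [{"name": "tlp:amber"}]},
    {"info": "TEST event - ignore", "published": True,
     "Orgc": {"name": "CERT-Example"}, "Tag": [{"name": "tlp:amber"}]},
    {"info": "Ransomware infrastructure", "published": False,
     "Orgc": {"name": "CERT-Example"}, "Tag": [{"name": "tlp:green"}]},
    {"info": "Botnet C2 list", "published": True,
     "Orgc": {"name": "Sandbox Lab"}, "Tag": [{"name": "tlp:green"}]},
    {"info": "Untagged report", "published": True,
     "Orgc": {"name": "CERT-Example"}, "Tag": []},
]


def would_ingest(event, only_published=False, tags="", info_regex="", org_regex=""):
    """Return (decision, reason) for one event under the feed's filter settings."""
    if only_published and not event.get("published"):
        return False, "not published"
    wanted = {t.strip() for t in tags.split(",") if t.strip()}
    have = {t["name"] for t in event.get("Tag", [])}
    # Filter by tags is an allow-list: at least one listed tag must be present.
    if wanted and not wanted & have:
        return False, "no matching tag"
    # The two regex filters are deny-lists: a match drops the event.
    # Assumption: unanchored search semantics, as in re.search.
    if info_regex and re.search(info_regex, event.get("info", "")):
        return False, "event info matched"
    if org_regex and re.search(org_regex, event.get("Orgc", {}).get("name", "")):
        return False, "creator org matched"
    return True, "ingested"


def preview(events, **settings):
    """Map each event's info string to the reason for its decision."""
    return {e["info"]: would_ingest(e, **settings)[1] for e in events}


if __name__ == "__main__":
    for info, reason in preview(SAMPLE_EVENTS, only_published=True,
                                tags="tlp:amber, tlp:green",
                                info_regex=r"(?i)^test\b",
                                org_regex=r"Sandbox").items():
        print(f"{reason:22} {info}")
```

Running a candidate regular expression through a preview like this before saving the feed shows whether an overly broad pattern would silently exclude events you expect to receive.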
Distribution or TLP
MISP records “distribution” instead of TLP, but intelligence objects in the default feeds may carry a TLP tag.
If you check the Prioritize TLP tag box during the creation of an Incoming feed,
the intelligence objects will be assigned the TLP corresponding to their TLP tag
(if they have one).
If you don’t check this box, the ingested intelligence objects will be assigned the
TLP color corresponding to their distribution.
Objects without TLP tags will always be assigned the TLP color corresponding to their distribution.
SSL cert keys
To use an SSL certificate, it must be:
Accessible on the EclecticIQ Intelligence Center host.
Placed in a location that can be accessed by the eclecticiq user.
Owned by eclecticiq:eclecticiq.
To make sure that EclecticIQ Intelligence Center can access the SSL certificate:
Upload the SSL certificate to a location on the EclecticIQ Intelligence Center host.
On the EclecticIQ Intelligence Center host, open the terminal.
Change ownership of the SSL certificate by running as root in the terminal:
chown eclecticiq:eclecticiq /path/to/cert.pem
Where /path/to/cert.pem is the location of the SSL certificate EclecticIQ Intelligence Center needs to access.