MISP | Version 2 | Outgoing feed

Specifications

Transport type

MISP v2 Upload

Content type

MISP v2 Upload

Exported data

  • Incident entities that have the MISP event hub entity tag are exported as MISP Events.
    These Incident entities are referred to as Hub entities.

  • Observables directly related to the Hub entity are exported as Attributes of the Event in MISP.

  • Entities directly related to the Hub entity are exported as Event Objects in MISP, with any Observables related to those Entities exported as Object Attributes.

  • The Hub entity’s analysis is exported as Event reports in MISP.

  • Entities in the dataset not directly related to Hub entities will NOT be exported (nor will Observables only related to these Entities).

  • Entities in the Dataset without Observables will NOT be exported.

Self-contained Hub entity

The Hub entity does not require any related Entities for it to be exported.
If all required information is captured in the Hub entity and its Observables, it can be exported without having Entities related to it.

Either v2 or v1

Running any MISP v1 feeds at the same time as MISP v2 feeds is discouraged as it might lead to data corruption.

Requirements

The MISP v2 Outgoing feed requires EclecticIQ Intelligence Center version 3.4.4 or later.

MISP Sightings

You can export sightings (thumbs up) and false positive sightings (thumbs down) to MISP. To do so, add Sighting entities to the Observables that have been sighted.

  • For each Sighting entity related to an Observable, that Observable’s correlated Attribute will have a thumb up added.

  • For each Sighting entity with the false-positive tag related to an Observable, a thumb down will be added to that Observable’s correlated Attribute.

The Sighting entities do not need to be related to the Hub entity.
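The export rules from the Exported data list and the sighting rules above, traced in code. This is an added illustration written for this page, not EclecticIQ's exporter: the dataset is constructed, and the hub tag string, the observable-to-attribute type mapping, the way the Automatic Event option fills its event, and the use of MISP's sighting type codes ("0" for a sighting, "1" for a false positive) are assumptions made for the example.

```python
"""Model of the MISP v2 export rules described on this page.

Added illustration only: this is not EclecticIQ's own exporter. The dataset,
the HUB_TAG/FALSE_POSITIVE_TAG strings, the observable-to-attribute type map
and the automatic-event behaviour are assumptions chosen for the example.
"""
from typing import Dict, List, Tuple

Observable = Tuple[str, str]          # (kind, value)

HUB_TAG = "MISP event hub"            # assumed spelling of the hub entity tag
FALSE_POSITIVE_TAG = "false-positive"

# Assumed mapping from observable kinds to MISP attribute types.
ATTR_TYPE = {"ipv4": "ip-dst", "domain": "domain", "hash-md5": "md5", "uri": "url"}

# Constructed sample dataset: one Hub incident, two indicators, one TTP.
ENTITIES: Dict[str, dict] = {
    "inc-1": {"type": "incident", "tags": [HUB_TAG],
              "analysis": "Phishing wave targeting finance staff.",
              "observables": [("domain", "login-example.invalid")]},
    "ind-1": {"type": "indicator", "tags": [],
              "observables": [("ipv4", "203.0.113.10"),
                              ("hash-md5", "d41d8cd98f00b204e9800998ecf8427e")]},
    "ttp-1": {"type": "ttp", "tags": [], "observables": []},             # no Observables
    "ind-2": {"type": "indicator", "tags": [],
              "observables": [("uri", "http://unrelated.invalid/x")]},   # not related to the Hub
}
RELATIONS: List[Tuple[str, str]] = [("inc-1", "ind-1"), ("inc-1", "ttp-1")]
# Sighting entities attached to Observables (they need no relation to the Hub).
SIGHTINGS = [
    {"observable": ("ipv4", "203.0.113.10"), "tags": []},                              # thumbs up
    {"observable": ("domain", "login-example.invalid"), "tags": [FALSE_POSITIVE_TAG]},  # thumbs down
]


def related_ids(hub_id: str, relations: List[Tuple[str, str]]) -> List[str]:
    """Entities directly related to the Hub, in either direction."""
    return [b if a == hub_id else a for a, b in relations if hub_id in (a, b)]


def sighting_index(sightings: List[dict]) -> Dict[Observable, List[str]]:
    """MISP sighting type per Observable: "0" = sighting, "1" = false positive."""
    index: Dict[Observable, List[str]] = {}
    for s in sightings:
        kind = "1" if FALSE_POSITIVE_TAG in s["tags"] else "0"
        index.setdefault(s["observable"], []).append(kind)
    return index


def to_attribute(obs: Observable, sight_idx: Dict[Observable, List[str]]) -> dict:
    """An Observable becomes a MISP Attribute, carrying any sightings recorded for it."""
    kind, value = obs
    attr = {"type": ATTR_TYPE[kind], "value": value}
    if obs in sight_idx:
        attr["Sighting"] = [{"type": t} for t in sight_idx[obs]]
    return attr


def to_object(entity_id: str, entity: dict, sight_idx: Dict[Observable, List[str]]) -> dict:
    """A related entity becomes a MISP Object whose Attributes are its Observables."""
    return {"name": entity["type"], "comment": entity_id,
            "Attribute": [to_attribute(o, sight_idx) for o in entity["observables"]]}


def build_events(entities: Dict[str, dict], relations: List[Tuple[str, str]],
                 sightings: List[dict], automatic_event: bool = False) -> List[dict]:
    """Apply the export rules: one MISP Event per Hub entity."""
    sight_idx = sighting_index(sightings)
    hubs = [eid for eid, e in entities.items()
            if e["type"] == "incident" and HUB_TAG in e["tags"]]
    events = []
    for hub_id in hubs:
        hub = entities[hub_id]
        event = {"info": hub_id,
                 "Attribute": [to_attribute(o, sight_idx) for o in hub["observables"]],
                 "Object": [], "EventReport": []}
        if hub.get("analysis"):                        # Hub analysis -> Event report
            event["EventReport"].append({"name": f"{hub_id} analysis", "content": hub["analysis"]})
        for rid in related_ids(hub_id, relations):
            if entities[rid]["observables"]:           # entities without Observables are skipped
                event["Object"].append(to_object(rid, entities[rid], sight_idx))
        events.append(event)
    if not hubs and automatic_event:
        # Assumed behaviour of "Automatic Event": one event holding every entity that has Observables.
        objs = [to_object(eid, e, sight_idx) for eid, e in entities.items() if e["observables"]]
        if objs:
            events.append({"info": "Automatic event", "Attribute": [], "Object": objs, "EventReport": []})
    return events


if __name__ == "__main__":
    import json
    print(json.dumps(build_events(ENTITIES, RELATIONS, SIGHTINGS), indent=2))
```

Running the block prints one Event for `inc-1`: its domain Observable is an Attribute with a false-positive sighting, `ind-1` becomes an Object whose IP Attribute carries a thumbs up, `ttp-1` is dropped for having no Observables, and `ind-2` is dropped for not being related to the Hub.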

Configure the Outgoing feed

Note

This article describes how to configure outgoing feeds for a particular feed target. To see how to configure outgoing feeds in general, see Create and configure outgoing feeds.

MISP v1 to v2

If you are currently using a MISP v1 Outgoing feed, we recommend creating a new Outgoing feed to start using v2. Simply changing the Transport type and Content type of an existing feed is not advised.

  1. Create or edit an Outgoing feed.

  2. Under Update strategy, select Append.

  3. From the Transport type drop-down menu, select MISP v2 upload.

  4. From the Content type drop-down menu, select MISP v2 upload.

  5. Under Transport configuration, enter the MISP server URL and MISP server API key.

  6. From the Content distribution drop-down menu, select how MISP distribution should be assigned to the intelligence objects being exported.

  7. From the Threat Level drop-down menu, select the MISP threat level you’d like to export the intelligence with.

  8. From the Analysis Level drop-down menu, select the MISP analysis level you’d like to export the intelligence with.

  9. (Optional) With the checkboxes, you can choose whether to:

    • Publish event after upload : have MISP publish the exported Incident entities (as Events).

    • SSL verification : use SSL verification.
      If you do, enter the Path to SSL certificate.

    • Use SSL cert keys : use SSL certification keys.
      Read more about SSL cert keys.

    • Use client cert and key : use a client certificate and key.
      If you do, enter the Client cert location and Client key location.

    • Automatic Event : have an event automatically created in MISP if the dataset contains no Hub entity.
      E.g., if you have a Dataset filled with Indicator entities and none of those have the MISP event hub entity tag.

  10. To store your changes, select Save.
    If you want the Outgoing feed to run right away, select the dropdown arrow next to Save and then select Save and run.

SSL cert keys

To use an SSL certificate, it must be:

  • Accessible on the EclecticIQ Intelligence Center host.

  • Placed in a location that can be accessed by the eclecticiq user.

  • Owned by eclecticiq:eclecticiq.

To make sure that EclecticIQ Intelligence Center can access the SSL certificate:

  1. Upload the SSL certificate to a location on the EclecticIQ Intelligence Center host.

  2. On the EclecticIQ Intelligence Center host, open the terminal.

  3. Change ownership of the SSL certificate by running as root in the terminal:

    chown eclecticiq:eclecticiq /path/to/cert.pem

    Where /path/to/cert.pem is the location of the SSL certificate EclecticIQ Intelligence Center needs to access.
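A check for the three requirements above (present on the host, readable, owned by eclecticiq:eclecticiq), as an added helper that is not part of EclecticIQ Intelligence Center. It assumes a Linux host with standard passwd and group lookups; the placeholder PEM content written by `self_check` is constructed for the demonstration.

```python
"""Check that a certificate file is in the state the SSL cert keys section requires.

Added helper, not part of EclecticIQ Intelligence Center. Run it on the
Intelligence Center host; the default user and group follow the page.
"""
import grp
import os
import pwd
import stat
import tempfile
from typing import Callable, List, Optional


def _name(numeric_id: int, lookup: Callable[[int], str]) -> str:
    """Resolve a uid/gid to a name, falling back to the number if no entry exists."""
    try:
        return lookup(numeric_id)
    except KeyError:
        return str(numeric_id)


def check_cert_access(path: str, user: str = "eclecticiq", group: str = "eclecticiq") -> List[str]:
    """Return the list of problems found; an empty list means the file passes every check."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: does not exist on this host"]
    problems: List[str] = []
    if not stat.S_ISREG(st.st_mode):
        problems.append(f"{path}: not a regular file")
    owner = _name(st.st_uid, lambda u: pwd.getpwuid(u).pw_name)
    grp_name = _name(st.st_gid, lambda g: grp.getgrgid(g).gr_name)
    if (owner, grp_name) != (user, group):
        problems.append(f"{path}: owned by {owner}:{grp_name}, expected {user}:{group} "
                        f"(as root: chown {user}:{group} {path})")
    if not st.st_mode & stat.S_IRUSR:
        problems.append(f"{path}: owner has no read permission")
    try:
        with open(path, "rb") as fh:
            head = fh.read(64)
    except PermissionError:
        return problems + [f"{path}: not readable by the current user"]
    if b"-----BEGIN" not in head:
        problems.append(f"{path}: does not start with a PEM header")
    return problems


def self_check(user: Optional[str] = None, group: Optional[str] = None) -> List[str]:
    """Run the checks on a constructed placeholder PEM file owned by the current process."""
    me = _name(os.getuid(), lambda u: pwd.getpwuid(u).pw_name)
    my_group = _name(os.getgid(), lambda g: grp.getgrgid(g).gr_name)
    with tempfile.NamedTemporaryFile("wb", suffix=".pem", delete=False) as fh:
        # Constructed placeholder, not a real certificate.
        fh.write(b"-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n")
        tmp = fh.name
    try:
        return check_cert_access(tmp, user or me, group or my_group)
    finally:
        os.unlink(tmp)


if __name__ == "__main__":
    import sys
    # Usage: python check_cert.py /path/to/cert.pem   (no argument runs the self-check)
    issues = check_cert_access(sys.argv[1]) if len(sys.argv) > 1 else self_check()
    print("\n".join(issues) or "OK")
```

The ownership message repeats the chown command from the step above so the fix is at hand; the PEM header check catches the common mistake of pointing the feed at a DER-encoded or PKCS#12 file.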