MISP | Version 2 | Outgoing feed#
Specifications | |
---|---|
Transport type | MISP v2 Upload |
Content type | MISP v2 Upload |
Exported data | Self-contained Hub entity. The Hub entity does not require any related Entities for it to be exported. |
Either v2 or v1
Running any MISP v1 feeds at the same time as MISP v2 feeds is discouraged as it might lead to data corruption.
Requirements#
The MISP v2 Outgoing feed requires EclecticIQ Intelligence Center version 3.4.4 or later.
MISP Sightings#
You can export sightings (thumbs up) and false positive sightings (thumbs down) to MISP. To do so, add Sighting entities to the Observables that have been sighted.
For each Sighting entity related to an Observable, that Observable’s correlated Attribute will have a thumb up added.
For each Sighting entity with the false-positive tag related to an Observable, a thumb down will be added to that Observable’s correlated Attribute.
The Sighting entities do not need to be related to the Hub entity.
Configure the Outgoing feed#
Note
This article describes how to configure incoming feeds for a particular feed source. To see how to configure incoming feeds in general, see Create and configure incoming feeds.
MISP v1 to v2
If you are currently using a MISP v1 Outgoing feed, we recommend creating a new Outgoing feed to start using v2. Simply changing the Transport type and Content type of an existing feed is not advised.
Create or edit an Outgoing feed.
Under Update strategy, select Append.
From the Transport type drop-down menu, select MISP v2 upload.
From the Content type drop-down menu, select MISP v2 upload.
Under Transport configuration, enter the MISP server URL and MISP server API key.
From the Content distribution drop-down menu, select how MISP distribution should be assigned to the intelligence objects being exported.
From the Threat Level drop-down menu, select the MISP threat level you’d like to export the intelligence with.
From the Analysis Level drop-down menu, select the MISP analysis level you’d like to export the intelligence with.
(Optional) With the checkboxes, you can choose whether to:
Publish event after upload: have MISP publish the exported Incident entities (as Events).
SSL verification: use SSL verification. If you do, enter the Path to SSL certificate.
Use SSL cert keys: use SSL certification keys. Read more about SSL cert keys.
Use client cert and key: use client certification and key. If you do, enter the Client cert location and Client key location.
Automatic Event: have an event automatically created in MISP if the dataset contains no Hub entity. E.g., if you have a Dataset filled with Indicator entities and none of those have the MISP event hub entity tag.
To store your changes, select Save.
If you want the Outgoing feed to run right away, select the dropdown arrow next to Save and then select Save and run.
SSL cert keys#
To use an SSL certificate, it must be:
Accessible on the EclecticIQ Intelligence Center host.
Placed in a location that can be accessed by the eclecticiq user.
Owned by eclecticiq:eclecticiq.
To make sure that EclecticIQ Intelligence Center can access the SSL certificate:
Upload the SSL certificate to a location on the EclecticIQ Intelligence Center host.
On the EclecticIQ Intelligence Center host, open the terminal.
Change ownership of the SSL certificate by running as root in the terminal:
chown eclecticiq:eclecticiq /path/to/cert.pem
Where /path/to/cert.pem is the location of the SSL certificate EclecticIQ Intelligence Center needs to access.
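A pre-flight check for the certificate requirements listed above, as an added example that is not part of the EclecticIQ documentation or product. `check_cert` is a hypothetical helper; the owner-read, not-writable-by-group-or-others and PEM-header checks are hardening assumptions that go beyond what this page requires.

```shell
#!/bin/sh
# Added example, not EclecticIQ code. The default owner comes from the page;
# the permission and PEM-header checks are assumptions, not documented rules.

check_cert() {
    cert=$1
    owner=${2:-eclecticiq:eclecticiq}   # same owner:group form chown takes
    user=${owner%%:*}
    group=${owner#*:}
    rc=0

    if [ ! -f "$cert" ]; then
        echo "FAIL: $cert is not a regular file" >&2
        return 1
    fi
    # find prints the path only when every test matches.
    if [ -z "$(find "$cert" -prune -user "$user" -group "$group" 2>/dev/null)" ]; then
        echo "FAIL: not owned by $owner; run as root: chown $owner $cert" >&2
        rc=1
    fi
    if [ -z "$(find "$cert" -prune -perm -400 2>/dev/null)" ]; then
        echo "FAIL: owner has no read permission" >&2
        rc=1
    fi
    # Assumption: this file is what the feed trusts when verifying the MISP
    # server, so nobody but its owner should be able to rewrite it.
    if [ -n "$(find "$cert" -prune \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]; then
        echo "FAIL: writable by group or others; run: chmod go-w $cert" >&2
        rc=1
    fi
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" 2>/dev/null; then
        echo "FAIL: no PEM certificate header found" >&2
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: $cert"; fi
    return "$rc"
}

# Run as a script: ./check_cert.sh /path/to/cert.pem
if [ "$#" -gt 0 ]; then check_cert "$@"; fi
```

The check covers ownership and file mode only; whether the eclecticiq user can traverse the parent directories still has to be confirmed on the host itself.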