About MISP Integration

The EclecticIQ Platform MISP integration combines an incoming and an outgoing feed, along with an enricher, to provide full bi-directional connectivity with MISP instances. Two distinct configurations are enabled by the extension:

  • Incoming MISP feed
    This integration enables you to connect to a single MISP instance and ingest available MISP events, attributes, and more into the EclecticIQ Platform. You can then supplement or modify the ingested entities within the EclecticIQ Platform.
    The integration will also keep track of updates to the connected MISP instance and update the local EclecticIQ Platform state accordingly.

  • Outgoing EclecticIQ Platform feed
    This integration enables the EclecticIQ Platform to act as an MISP API client and to connect to MISP instances and to publish data, together with any updates created on the EclecticIQ Platform, back to the connected MISP instance.

  • Enrichers enable you to enrich all EIQ observable types and pull all relating MISP events and attributes into the EclecticIQ Platform.

Supported attributes and attribute mapping

The following table displays all attributes that are supported by this integration and also describes how attributes are mapped in the EclecticIQ Platform during an incoming or outgoing feed.

MISP

EIQ Observable

EIQ Entity

ip-src

ipv4 / ipv6

source

Multiple

ip-dst

ipv4 / ipv6

destination

Multiple

domain

domain

Multiple

hostname

host

Multiple

url / uri

uri

Multiple

md5 / sha1 / sha256 / sha512

hash-md5 / hash-sha1 / hash-sha256 / hash-sha512

Multiple

filename

file

Multiple

threat-actor

(multiple within ThreatActor entity)

ThreatActor

campaign-name

(name within Campaign entity)

Campaign

link

uri

Multiple

email-src

email

Multiple

email-dst / target-email

email

Multiple

email-subject

Indicator title

Indicator title

email-attachment

file

Multiple

attachment

file

Multiple

mutex

mutex

Multiple

vulnerability

cve

ExploitTarget

snort

snort

Test Mechanism on Indicator

yara

yara

Test Mechanism on Indicator