This topic describes how to configure an incoming MISP feed in the EclecticIQ Platform.
A configured MISP Platform instance
A configured EclecticIQ Platform instance
Step 1 - Get your MISP key
In the MISP platform, click My profile.
Copy the Authkey , and store it for later.
Step 2 - Configure your EclecticIQ instance
Create an incoming feed.
In the Feed name field, enter a name for the feed.
In the Organization field, enter an organization name. This will be used to identify the feed producer.
In the Transport type field, select MISP API.
In the MISP URL field, enter the URL or your MISP instance.
In the MISP Key field, enter your MISP key.
Optional — select the Include tags, SSL validation, and Use cert keys check boxes.
Optional — in the Client cert location field, enter the client cert for your MISP instance. Ensure that the EclecticIQ Platform has permission to access this location.
Adjusting the request interval determines the batch size of data that is fetched from MISP.
A lower interval value will result in less data being pulled in one API query. This is useful if the target MISP system has large amounts of data. Note that data is pulled by the date or time that it was published on MISP.
For example, if you set the interval to 24, each API call issued to MISP will be filtered with a time span of 24 hours. A lower interval will result in more calls being made to the MISP API, the MISP responses will contain less data, and each individual call will place less stress on the MISP API.
Click the Start ingesting from field and select a start date to start ingesting data.
Optional — click the End ingestion field and select a date to end the ingestion of data. If an end date is not selected, the integration will fetch the most recent data.
Step 3 - Check that the feed is working
Open the feed that you created in Step 2 - Configure your EclecticIQ instance.
In the Overview view, click Download now.
Click Ingested entities and check that entities have been ingested into the EclecticIQ Platform.