About MISP Integration#
The EclecticIQ Platform MISP integration combines an incoming feed and an outgoing feed, along with an enricher, to provide full bi-directional connectivity with MISP instances. The extension provides two distinct configurations:
Incoming MISP feed
This integration enables you to connect to a single MISP instance and ingest available MISP events, attributes, and more into the EclecticIQ Platform. You can then supplement or modify the ingested entities within the EclecticIQ Platform.
The integration will also keep track of updates to the connected MISP instance and update the local EclecticIQ Platform state accordingly.
Outgoing EclecticIQ Platform feed
This integration enables the EclecticIQ Platform to act as a MISP API client: it connects to a MISP instance and publishes data, together with any updates made on the EclecticIQ Platform, back to that connected MISP instance.
Supported attributes and attribute mapping#
The following table displays all attributes that are supported by this integration and also describes how attributes are mapped in the EclecticIQ Platform during an incoming or outgoing feed.
| MISP attribute | EIQ observable | EIQ entity |
|---|---|---|
| ip-src | | Multiple |
| ip-dst | | Multiple |
| domain | domain | Multiple |
| hostname | host | Multiple |
| url / uri | uri | Multiple |
| md5 / sha1 / sha256 / sha512 | hash-md5 / hash-sha1 / hash-sha256 / hash-sha512 | Multiple |
| filename | file | Multiple |
| threat-actor | (multiple within ThreatActor entity) | ThreatActor |
| campaign-name | (name within Campaign entity) | Campaign |
| link | uri | Multiple |
| email-src | Multiple | |
| email-dst / target-email | Multiple | |
| email-subject | Indicator title | Indicator title |
| email-attachment | file | Multiple |
| attachment | file | Multiple |
| mutex | mutex | Multiple |
| vulnerability | cve | ExploitTarget |
| snort | snort | Test Mechanism on Indicator |
| yara | yara | Test Mechanism on Indicator |
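Before pointing an incoming feed at a MISP instance it is worth knowing which of its attributes fall outside the table above, because anything not listed will not arrive as an observable or entity. The following is an added example, not EclecticIQ's or MISP's own code: it transcribes the table into a dictionary, walks a constructed MISP event in the standard export layout (`{"Event": {"Attribute": [...]}}`), and reports what is covered. The treatment of composite MISP types such as `filename|sha256` (split on `|` and checked part by part) is this check's own assumption; the page does not say how the integration handles them.

```python
"""Coverage check of a MISP event against the EclecticIQ attribute mapping table.

Added example; not EclecticIQ's or MISP's own code. SUPPORTED is transcribed
from the table on this page, SAMPLE_EVENT is constructed, and the splitting of
composite types is an assumption of this check, not documented behaviour.
"""
import json
from collections import Counter

# MISP attribute type -> (EIQ observable, EIQ entity), as listed in the table.
# An empty string means the corresponding column is empty on the page.
SUPPORTED = {
    "ip-src": ("", "Multiple"),
    "ip-dst": ("", "Multiple"),
    "domain": ("domain", "Multiple"),
    "hostname": ("host", "Multiple"),
    "url": ("uri", "Multiple"),
    "uri": ("uri", "Multiple"),
    "md5": ("hash-md5", "Multiple"),
    "sha1": ("hash-sha1", "Multiple"),
    "sha256": ("hash-sha256", "Multiple"),
    "sha512": ("hash-sha512", "Multiple"),
    "filename": ("file", "Multiple"),
    "threat-actor": ("(multiple within ThreatActor entity)", "ThreatActor"),
    "campaign-name": ("(name within Campaign entity)", "Campaign"),
    "link": ("uri", "Multiple"),
    "email-src": ("Multiple", ""),
    "email-dst": ("Multiple", ""),
    "target-email": ("Multiple", ""),
    "email-subject": ("Indicator title", "Indicator title"),
    "email-attachment": ("file", "Multiple"),
    "attachment": ("file", "Multiple"),
    "mutex": ("mutex", "Multiple"),
    "vulnerability": ("cve", "ExploitTarget"),
    "snort": ("snort", "Test Mechanism on Indicator"),
    "yara": ("yara", "Test Mechanism on Indicator"),
}


def classify(attr):
    """Classify one MISP attribute dict ({"type": ..., "value": ...}).

    Returns {"type", "status", "mapped"} where status is "supported",
    "composite" (assumption: every "|"-separated part is in the table) or
    "unsupported", and mapped is a list of (observable, entity, value).
    """
    mtype, value = attr["type"], attr["value"]
    types = mtype.split("|")
    if len(types) == 1:
        if mtype in SUPPORTED:
            obs, ent = SUPPORTED[mtype]
            return {"type": mtype, "status": "supported", "mapped": [(obs, ent, value)]}
        return {"type": mtype, "status": "unsupported", "mapped": []}
    # Composite type: split the value into as many parts as there are types.
    values = value.split("|", len(types) - 1)
    if len(values) == len(types) and all(t in SUPPORTED for t in types):
        mapped = [(SUPPORTED[t][0], SUPPORTED[t][1], v) for t, v in zip(types, values)]
        return {"type": mtype, "status": "composite", "mapped": mapped}
    return {"type": mtype, "status": "unsupported", "mapped": []}


def coverage_report(event_json):
    """Summarise how the attributes of a MISP event JSON map onto the table."""
    attrs = json.loads(event_json)["Event"].get("Attribute", [])
    results = [classify(a) for a in attrs]
    status = Counter(r["status"] for r in results)
    unsupported = sorted({r["type"] for r in results if r["status"] == "unsupported"})
    return {
        "total": len(results),
        "supported": status["supported"],
        "composite": status["composite"],
        "unsupported": status["unsupported"],
        "unsupported_types": unsupported,
        "results": results,
    }


# Constructed sample event (documentation addresses, empty-input SHA-256).
SAMPLE_EVENT = json.dumps({"Event": {"info": "constructed sample", "Attribute": [
    {"type": "ip-src", "value": "203.0.113.10"},
    {"type": "domain", "value": "example.org"},
    {"type": "sha256", "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    {"type": "filename|sha256",
     "value": "dropper.exe|e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    {"type": "ja3-fingerprint-md5", "value": "771,4865-4866,0-23,29-23,0"},
    {"type": "email-subject", "value": "Invoice overdue"},
    {"type": "yara", "value": "rule r { strings: $a = \"x\" condition: $a }"},
]}})

if __name__ == "__main__":
    report = coverage_report(SAMPLE_EVENT)
    print({k: v for k, v in report.items() if k != "results"})
    for r in report["results"]:
        print(r["type"], r["status"], r["mapped"])
```

Run against a real export (for example the JSON returned for one event by the MISP REST API) the `unsupported_types` list tells you what will be silently absent after ingestion, so you can decide whether to remodel those attributes in MISP before enabling the feed.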