MISP

by Elvis Hovor

Introduction

MISP is a threat intelligence platform for gathering, sharing, storing and correlating Indicators of

Compromise of targeted attacks, threat intelligence, financial fraud information, vulnerability

information or even counter-terrorism information.

Prerequisites

This integration requires TruSTAR users to have already set up their MISP servers. To complete the integration you will need your MISP Server URL and Authentication Key.

Configure Integration

After you have retrieved your MISP URL and Auth Keys follow these steps:

  1. Log into TruSTAR Station and select Explore->Marketplace (https://station.trustar.co/browse/marketplace).
  2. Select MISP by clicking on the logo and fill in the URL and Auth Keys.
  3. Select save credentials and request integration.
TruSTAR will validate and enable the MISP integration within 48 hours. You will receive an email from a TruSTAR team member informing you as soon as it is enabled.


After the integration is enabled, you should see the latest events from MISP being submitted into an enclave you control on TruSTAR.

    FAQ

    • What data do we currently pull from MISP?
      • Our integration currently only pulls newly created events in MISP, the whole event body is pulled down and submitted as the body of the report in TruSTAR
      • Please contact us if you would like to discuss how other reports can be pulled from Digital Shadows.
    • How often is the data pulled?
      • Our integration retrieves data from MISP every 15 minutes. The initial pull will query events for the last 24h and checkpoint the timestamp to use as a basis to ingest the latest events every 15 mins.
    • What about Historical Data?
      • We can use the MISP sync feature to download all historical data from the MISP server and upload that data into the user's enclave in TruSTAR.

    Data Mapping

    TruSTARMISP

    Report External Id

    Event UUID

    Report BodyEntire Event Content
    Report TagsEvent Tags
    Report UpdateIf an event with the same UUID is observed, the existing report is updated by replacing it with the updated content.
    Please reach out to support@trustar.co for any additional questions.

    How Did We Do?