MISP
Introduction
MISP is a threat intelligence platform for gathering, sharing, storing and correlating IOCs from targeted attacks, threat intelligence, financial fraud information, vulnerability information or even counter-terrorism information.
Requirements
This integration requires TruSTAR users to have already set up their MISP servers. To complete the integration you will need your MISP Server URL and Authentication Key.
Configure Integration
After you have retrieved your MISP URL and Auth Keys follow these steps:
- Log into TruSTAR Station and select Explore->Marketplace (https://station.trustar.co/browse/marketplace).
- Select MISP by clicking on the logo and fill in the URL and Auth Keys.
- Select save credentials and request integration.
After the integration is enabled, you should see the latest events from MISP being submitted into an enclave you control on TruSTAR.
Data Mapping
Please see our API documentation for more information about data elements for TruSTAR Reports.
TruSTAR | MISP |
Report External Id | Event UUID |
Report Body | Entire Event Content |
Report Tags | Event Tags |
Report Update | If an event with the same UUID is observed, the existing report is updated by replacing it with the updated content. |
Troubleshooting & FAQ's
Q: What data do we currently pull from MISP?
- Our integration currently only pulls newly created events in MISP, the whole event body is pulled down and submitted as the body of the report in TruSTAR
Q: How often is the data pulled?
- Our integration retrieves data from MISP every 15 minutes. The initial pull will query events for the last 24h and checkpoint the timestamp to use as a basis to ingest the latest events every 15 mins.
Q: What about Historical Data?
- We can use the MISP sync feature to download all historical data from the MISP server and upload that data into the user's enclave in TruSTAR.
