MISP

Updated 3 months ago by Elvis Hovor

Introduction

MISP is a threat intelligence platform for gathering, sharing, storing and correlating IOCs from targeted attacks, threat intelligence, financial fraud information, vulnerability information or even counter-terrorism information.

Requirements

This integration requires TruSTAR users to have already set up their MISP servers. To complete the integration you will need your MISP Server URL and Authentication Key.

Configure Integration

After you have retrieved your MISP URL and Auth Keys, follow these steps:

  1. Log into TruSTAR Station and select Explore->Marketplace (https://station.trustar.co/browse/marketplace).
  2. Select MISP by clicking on the logo and fill in the URL and Auth Keys.
  3. Select save credentials and request integration.
TruSTAR will validate and enable the MISP integration within 48 hours. You will receive an email from a TruSTAR team member informing you as soon as it is enabled.


After the integration is enabled, you should see the latest events from MISP being submitted into an enclave you control on TruSTAR.

Data Mapping

Please see our API documentation for more information about data elements for TruSTAR Reports.

| TruSTAR | MISP |
|---|---|
| Report External Id | Event UUID |
| Report Body | Entire Event Content |
| Report Tags | Event Tags |
| Report Update | If an event with the same UUID is observed, the existing report is updated by replacing it with the updated content. |

Troubleshooting & FAQs

Q: What data do we currently pull from MISP?

  • Our integration currently pulls only newly created events in MISP. The whole event body is pulled down and submitted as the body of the report in TruSTAR.
  • Please contact us if you would like to discuss how other reports can be pulled from Digital Shadows.

Q: How often is the data pulled?

  • Our integration retrieves data from MISP every 15 minutes. The initial pull queries events from the last 24 hours and checkpoints the timestamp, which is then used as the basis for ingesting the latest events every 15 minutes.

Q: What about Historical Data?

  • We can use the MISP sync feature to download all historical data from the MISP server and upload that data into the user's enclave in TruSTAR.
Please reach out to support@trustar.co for any additional questions.
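
The following is an added example, not TruSTAR's integration code. It simulates offline the behavior described in the Data Mapping and FAQ sections: a 24-hour initial pull, a checkpoint advanced on each 15-minute poll, and replacement of a report when the same event UUID is seen again. The report key names, the `Poller` class, and the choice of MISP's event `timestamp` field as the filter are assumptions; the events are constructed samples.

```python
import json
from datetime import datetime, timedelta, timezone

POLL_INTERVAL = timedelta(minutes=15)    # polling interval stated on the page
INITIAL_LOOKBACK = timedelta(hours=24)   # window of the first pull, per the page

def map_event(event):
    """Map a MISP event to a report dict (key names are hypothetical)."""
    ev = event["Event"]
    return {
        "external_id": ev["uuid"],                       # Event UUID
        "body": json.dumps(event, sort_keys=True),       # entire event content
        "tags": [t["name"] for t in ev.get("Tag", [])],  # event tags
    }

class Poller:
    def __init__(self, start):
        self.checkpoint = start - INITIAL_LOOKBACK
        self.enclave = {}                                # external_id -> report

    def poll(self, events, now):
        """Ingest events stamped after the checkpoint, then advance it."""
        actions = []
        for event in events:
            # Assumption: filter on MISP's epoch-seconds event `timestamp`.
            ts = datetime.fromtimestamp(int(event["Event"]["timestamp"]), timezone.utc)
            if not self.checkpoint < ts <= now:
                continue
            report = map_event(event)
            seen = report["external_id"] in self.enclave
            self.enclave[report["external_id"]] = report  # same UUID: replace
            actions.append(("updated" if seen else "created", report["external_id"]))
        self.checkpoint = now
        return actions

def sample_event(uuid, ts, info, tags):
    """Constructed MISP-style event, trimmed to the fields used here."""
    return {"Event": {"uuid": uuid, "info": info, "timestamp": str(int(ts.timestamp())),
                      "Tag": [{"name": n} for n in tags]}}

def demo():
    t0 = datetime(2024, 1, 2, 12, 0, tzinfo=timezone.utc)  # constructed clock
    poller = Poller(t0)
    stale = sample_event("uuid-stale", t0 - timedelta(hours=30), "Old campaign", [])
    fresh = sample_event("uuid-a", t0 - timedelta(hours=2), "Phishing", ["tlp:amber"])
    first = poller.poll([stale, fresh], t0)              # initial 24-hour pull
    revised = sample_event("uuid-a", t0 + timedelta(minutes=5),
                           "Phishing (revised)", ["tlp:amber", "phishing"])
    second = poller.poll([stale, revised], t0 + POLL_INTERVAL)
    return first, second, poller.enclave
```
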

