FAQ: TruSTAR for MISP (v2)

Updated 2 weeks ago by Jeffrey Chen

This document answers questions about the TruSTAR App for MISP (v2).

Q. What data does TruSTAR pull from MISP?

A. The integration currently only pulls newly created events in MISP. The whole event body is pulled down and submitted as the body of the report to TruSTAR.

Please contact us if you would like to discuss how other reports can be pulled from MISP.

Q. How often is data pulled?

A. The integration retrieves data from MISP every 15 minutes. The initial pull queries events from the last 24 hours and checkpoints the timestamp, which then serves as the basis for ingesting the latest events every 15 minutes.

Q. What about historical data?

A. TruSTAR can use the MISP sync feature to download all historical data from the MISP server and upload that data into the user's enclave in TruSTAR.

Q. How is data mapped between TruSTAR and MISP?

A. Here is how the data is mapped between the two platforms:

| TruSTAR            | MISP                |
|--------------------|---------------------|
| Report External ID | Event UUID          |
| Report Title       | Event ID            |
| Report Body        | Entire Event (JSON) |
| Report Tag         | Event Tag           |
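
An added example (not TruSTAR's or MISP's own code) of the polling window and field mapping described in the answers above. The report dictionary keys, the function names, the use of the event's "timestamp" field to decide what is new, advancing the checkpoint to the poll time, and the sample events are all assumptions constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

INITIAL_LOOKBACK = timedelta(hours=24)  # first pull covers the last 24 hours
POLL_INTERVAL = timedelta(minutes=15)   # later pulls run every 15 minutes
NOW = datetime(2024, 1, 2, 12, 0, tzinfo=timezone.utc)  # constructed "current time"


def event_to_report(misp_event):
    """Apply the FAQ's mapping table to one MISP event ({"Event": {...}})."""
    ev = misp_event["Event"]
    return {  # key names are hypothetical, not the TruSTAR API's
        "external_id": ev["uuid"],                       # Report External ID <- Event UUID
        "title": str(ev["id"]),                          # Report Title <- Event ID
        "body": json.dumps(misp_event, sort_keys=True),  # Report Body <- entire event (JSON)
        "tags": [t["name"] for t in ev.get("Tag", [])],  # Report Tag <- Event Tag
    }


def event_time(misp_event):
    """MISP stores event timestamps as strings of epoch seconds."""
    return datetime.fromtimestamp(int(misp_event["Event"]["timestamp"]), timezone.utc)


def poll_once(events, checkpoint, now):
    """Return (reports, new_checkpoint); checkpoint is None on the first run."""
    since = checkpoint if checkpoint is not None else now - INITIAL_LOOKBACK
    fresh = sorted((e for e in events if since < event_time(e) <= now), key=event_time)
    # Assumption: the checkpoint advances to this poll's upper bound, so an
    # event is ingested exactly once across consecutive polls.
    return [event_to_report(e) for e in fresh], now


def make_event(event_id, uuid, age, tags=()):
    """Build a constructed sample event that is `age` older than NOW."""
    ts = int((NOW - age).timestamp())
    return {"Event": {"id": str(event_id), "uuid": uuid, "info": "constructed sample",
                      "timestamp": str(ts), "Tag": [{"name": n} for n in tags]}}


SAMPLE_EVENTS = [  # constructed data, not real MISP events
    make_event(101, "11111111-1111-4111-8111-111111111111", timedelta(hours=30)),
    make_event(102, "22222222-2222-4222-8222-222222222222", timedelta(hours=2), ["tlp:amber"]),
]

if __name__ == "__main__":
    reports, checkpoint = poll_once(SAMPLE_EVENTS, None, NOW)
    for report in reports:
        print(report["external_id"], report["title"], report["tags"])
    print("next checkpoint:", checkpoint.isoformat())
```

Event 101 falls outside the initial 24-hour window and is skipped; it would only reach TruSTAR through the historical sync described in the previous answer.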

 

Q. How Do I Edit MISP User Permissions?

A. You must have MISP Administrator level access to change user role permissions.

To and enrich events in MISP, users must have these permissions:

  • Create Events
  • Create Tags
  • Create Attributes

In MISP, go to Administration, then click on List Roles.

Make sure that the user role is set to Publisher, and double-check that this role has “Manage & Publish Organization Events” under the Permissions column and a checkmark under the Tag Editor column.

Please reach out to support@trustar.co for any additional questions.

