FAQ: TruSTAR for MISP (v2)
This document answers questions about the TruSTAR App for MISP (v2).
Q. What data does TruSTAR pull from MISP?
A. The integration currently only pulls newly created events in MISP. The whole event body is pulled down and submitted as the body of the report to TruSTAR.
Please contact us if you would like to discuss how other reports can be pulled from MISP.
Q. How often is data pulled?
A. The integration retrieves data from MISP every 15 minutes. The initial pull queries events from the last 24 hours and checkpoints the timestamp, which is then used as the basis for ingesting the latest events every 15 minutes.
Q. What about historical data?
A. TruSTAR can use the MISP sync feature to download all historical data from the MISP server and upload that data into the user's enclave in TruSTAR.
Q. How is data mapped between TruSTAR and MISP?
A. Here is how the data is mapped between the two platforms:
Report External ID
Entire Event (JSON)
Q. How Do I Edit MISP User Permissions?
To and enrich events in MISP, users must have these permissions:
- Create Events
- Create Tags
- Create Attributes
In MISP, go to Administration, then click on List Roles.
Make sure that the user role is set to Publisher, and double-check that this role has “Manage & Publish Organization Events” under the Permissions column and a checkmark under the Tag Editor column.
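The role check described above can also be run over exported role records. The script below is an added example, not code from TruSTAR or MISP. It assumes the records use MISP's role flag names (`perm_add`, `perm_modify`, `perm_modify_org`, `perm_publish`, `perm_tag_editor`), and the sample records are constructed.

```python
# Added example: audit MISP role records against the requirements in this FAQ.
# Assumption: field names follow MISP's role JSON (perm_add, perm_modify,
# perm_modify_org, perm_publish, perm_tag_editor).

# Flags behind "Manage & Publish Organization Events" plus the Tag Editor column.
REQUIRED_FLAGS = {
    "perm_add": "create events and attributes",
    "perm_modify": "edit own events",
    "perm_modify_org": "manage organization events",
    "perm_publish": "publish events",
    "perm_tag_editor": "create tags (Tag Editor column)",
}


def as_bool(value):
    """MISP exports may carry flags as booleans, 0/1, or "0"/"1" strings."""
    if isinstance(value, str):
        return value.strip().lower() in ("1", "true")
    return bool(value)


def missing_permissions(role):
    """Return the required flags that a role record does not grant."""
    return [flag for flag in REQUIRED_FLAGS if not as_bool(role.get(flag))]


def audit_roles(records):
    """Map role name -> missing flags, accepting {"Role": {...}} wrappers."""
    report = {}
    for record in records:
        role = record.get("Role", record)
        report[role.get("name", "<unnamed>")] = missing_permissions(role)
    return report


# Constructed sample records, not taken from a real MISP server.
SAMPLE_ROLES = [
    {"Role": {"name": "Publisher", "perm_add": True, "perm_modify": True,
              "perm_modify_org": True, "perm_publish": True,
              "perm_tag_editor": True}},
    {"Role": {"name": "User", "perm_add": "1", "perm_modify": "1",
              "perm_modify_org": "0", "perm_publish": "0",
              "perm_tag_editor": "0"}},
    {"Role": {"name": "Read Only"}},
]

if __name__ == "__main__":
    for name, missing in audit_roles(SAMPLE_ROLES).items():
        print(f"{name}: {'OK' if not missing else 'missing ' + ', '.join(missing)}")
```

An empty list for the integration account's role means every flag this FAQ asks for is granted; any listed flag is one to enable on that role before the integration runs.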