MISP: Import Reports or Indicators from TruSTAR
You can use this script to import TruSTAR data to MISP as Events or Objects.
This script pulls Intel Reports from specific TRUSTAR Enclaves from a specified time period and submits the items into your MISP installation as MISP Events or Objects. The original Report tags are included in the Event, while the original Report Indicators are generated as MISP objects and then added to the Event.
- You can create a 1:1 relationship of TruSTAR Intel Reports to MISP Events or you can create a recurring MISP Event for each Enclave ID that you want to get reports from.
- The script can be hosted by TruSTAR or on your organization's infrastructure.
Activating This Script
Contact your TruSTAR account manager and provide the following information:
- Source Enclave ID(s)
- MISP URL
- MISP Auth Key
- Frequency of script execution. The default is every 24 hours but you can request a different time interval to meet your organization's needs.
After you have provided the information, your account manager will configure the feature and then email you with confirmation that the summary email has been enabled.
How It Works
- Fetches data from the specified TruSTAR Enclave.
- If the Enclave includes only indicators, the script creates MISP Objects for those indicators.
- If the Enclave contains Intel Reports, the script creates MISP Events for each report. Indicators in the Intel Report are added to the MISP Event as MISP Objects.
- Adds TruSTAR Intel Report tags to the MISP Event as tags.
- Submits the MISP Event or Object, depending on the source Enclave.
Q. Is TruSTAR working on a full integration with MISP?
A. Yes. Until the bilateral MISP integration is available, you can use this script to send reports from TruSTAR to MISP.
Any issues or questions about this script, contact firstname.lastname@example.org.