Install: TruSTAR for MISP (v2)
This document explains how to install and configure the TruSTAR Workflow App for the MISP Threat Intelligence platform.
You can use this TruSTAR Workflow App to:
- Deep Enrichment: Automatically enrich and sync MISP reports with TruSTAR’s intelligence sources or look up individual indicators for time-critical investigations.
- Targeted Sharing: Use tags and attributes in TruSTAR to direct MISP distribution of intelligence to SIEM, Case Management and SOAR applications.
- Faster Event Handling: Automatic intelligence syncing between TruSTAR and MISP speeds investigations and reduces response time.
You can use the TruSTAR App for MISP in two ways:
The TruSTAR App sends new MISP Reports to TruSTAR every 15 minutes, enriches them with TruSTAR's intelligence sources, and then returns the enriched intelligence back to MISP as updated reports. This keeps MISP and TruSTAR intelligence in sync.
This automated process can take up to 90 minutes to fully enrich the report, depending on how many intelligences sources you specify during installation. The TruSTAR App is easily installed, and after back-end configuration by TruSTAR, works without any further action.
This feature sends a one or more indicators from a single MISP report to TruSTAR and returns the enrichment in real time. This is useful for high-priority investigations where you cannot wait for the automatic enrichment process to enrich and sync a MISP report.
The Quick Indicator Lookup feature requires additional configuration in MISP.
Before installing the TruSTAR App for MISP, make sure you meet these requirements.
MISP 2.4.132 or higher installed
You must have your MISP key information to install the TruSTAR App.
The MISP user must be able to view these items in MISP:
- Create Events
- Create Tags
- Create Attributes
You can use the MISP User Permissions section to grant access to these items to MISP users. See the FAQ: TruSTAR for MISP document for more information
Installing the TruSTAR App
This part of the installation process sets up the Automatic Enrichment between MISP and TruSTAR.
- Log in to the TruSTAR Web App.
- Click the Marketplace icon on the Navigation Bar.
- Choose Sources
- Click the MISP <-> TruSTAR Icon to open the Subscription window.
- Enter the following information into the Subscription Window
- MISP URL
- MISP Key
- Enclaves: The comma-separated list of intelligence enclaves you wish to use with MISP. (Finding Enclave IDs). **Configure for TruSTAR Reports -> MISP Events
- MISP Enclave: The name of the TruSTAR enclave where your MISP reports will be stored. This enclave will be created by TruSTAR as part of the subscription process. ** Configure for MISP -> TruSTAR Reports. Leave blank if no MISP Events are required to be sent to TruSTAR
- Click Save Credentials and Request Subscription to complete the installation process.
TruSTAR will validate the integration within 48 hours and send an email when the integration has been enabled.
Configuring the Indicator Lookup Feature
To be able to send individual indicators in a MISP report to TruSTAR for enrichment, you must configure MISP using the instructions in this section.
Download and install the misp-modules on your MISP instance. You can find instructions for how to do that here: https://misp.github.io/misp-modules/install/
You must have access to this information in the TruSTAR Web App:
- TruSTAR API key and API Secret - Finding your API Keys
- Enclave IDs you wish to use when enriching MISP reports - Finding Enclave IDs
- Log into your MISP instance (Administrator level access is required)
- In the top menu, click Administration -> Server Settings & Maintenance to open that page.
- Click the Plugin Settings tab.
- Click the Enrichment tab at the top of the list.
- Set Plugin.Enrichment_services_enable to true and then click the checkmark to activate the setting. After the Enrichment_services plug-in is started, you will see a list of plug-in settings.
- Locate the TruSTAR plug-in configuration tabs and then make these edits:
- Set Plugin.Enrichment_trustar_enrich_enabled to true.
- In the Plugin.Enrichment_trustar_enrich_user_api_key row, click the empty space in the middle of the row and enter your TruSTAR API key.
- In the Plugin.Enrichment_trustar_enrich_user_api_secret row, click the empty space in the middle of the row and enter your TruSTAR API secret.
- In the Plugin.Enrichment_trustar_enrich_enclave_ids row, click the empty space in the middle of the row and enter a comma separated list of the TruSTAR enclave IDs from which you wish to use to enrich MISP reports.
- While in Administration, navigate to List Roles to configure the user role permissions
- Update the permissions for the user used to submit and enrich events in MISP to include Create Events, Create Tags and Create Attributes permissions.
- Confirm that the user role is set to Publisher and double check that this role has “Manage & Publish Organization Events“ under the Permissions column and has a checkmark under Tag Editor column
- Once everything is set up, you may need to refresh in order to start using the Quick Indicator Lookup feature.
For information on using this feature, see the User Guide: TruSTAR for MISP document.