MISP Analyzer Tag and Sightings pull #175

Closed
syloktools opened this issue Jan 30, 2018 · 5 comments
Labels
scope:analyzer Issue is analyzer related scope:question

Comments

@syloktools (Contributor)

Are there any thoughts on adding to the MISP analyzer to pull all tags and the number of sightings from the MISP events that match?

@3c7 (Contributor)

3c7 commented Jan 30, 2018 via email

@syloktools (Contributor, Author)

No tags are coming through on my install. Also when you export to MISP (share), shouldn't the sightings in TheHive be sent with the observables to MISP?

MISP Event: (screenshot)

Cortex Report inside TheHive: (screenshot)

```json
{
  "artifacts": [
    {
      "data": "http://xxx.xxx.xxx.xxx",
      "attributes": {
        "dataType": "url"
      }
    }
  ],
  "full": {
    "results": [
      {
        "url": "http://xxx.xxx.xxx.xxx",
        "name": "Unnamed",
        "result": [
          {
            "orgc_id": "2",
            "id": "4",
            "threat_level_id": "3",
            "uuid": "xxx",
            "Object": [],
            "Orgc": {
              "uuid": "xxx",
              "id": "2",
              "name": "PhishMe Intelligence Feed"
            },
            "RelatedEvent": [
              {
                "info": "Inquiry - CVE-2017-11882, Loki Bot",
                "id": "1"
              },
              {
                "info": "firehol_level1 feed",
                "id": "827"
              },
              {
                "info": " - Buying Order Quote - FormGrabber",
                "id": "828"
              },
              {
                "info": " - Inquiry Order - FormGrabber",
                "id": "5"
              },
              {
                "info": " - Payment Credited - FormGrabber",
                "id": "6"
              },
              {
                "info": " - See Attached Purchase Order - FormGrabber",
                "id": "683"
              },
              {
                "info": " - Provisional BC - FormGrabber",
                "id": "205"
              },
              {
                "info": " - Order - FormGrabber",
                "id": "671"
              },
              {
                "info": " - Payment - FormGrabber",
                "id": "131"
              },
              {
                "info": " - FedEx Office Delivery - FormGrabber",
                "id": "782"
              }
            ],
            "timestamp": "1517256532",
            "date": "2018-01-29",
            "info": " - New Inquiry - CVE-2017-11882, FormGrabber",
            "org_id": "1",
            "Galaxy": []
          },
          {
            "orgc_id": "2",
            "id": "1",
            "threat_level_id": "3",
            "uuid": "xxx",
            "Object": [],
            "Orgc": {
              "uuid": "x",
              "id": "2",
              "name": "xxx Feed"
            },
            "RelatedEvent": [
              {
                "info": " - New Inquiry - CVE-2017-11882, FormGrabber",
                "id": "4"
              }
            ],
            "timestamp": "1517326976",
            "date": "2018-01-30",
            "info": " - Inquiry - CVE-2017-11882, Loki Bot",
            "org_id": "1",
            "Galaxy": []
          }
        ]
      }
    ]
  },
  "summary": {
    "taxonomies": [
      {
        "predicate": "Search",
        "namespace": "MISP",
        "value": "\"2 event(s)\"",
        "level": "info"
      }
    ]
  },
  "success": true
}
```
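As an added example (not code from this issue or from the Cortex-Analyzers project), the script below walks the report structure pasted above (`full.results[].result[]` holding MISP event dicts) and shows what pulling tags and a per-event sighting count into Cortex-style taxonomies could look like. The `Tag` and `Attribute[].Sighting` fields it reads are the shape MISP's event JSON uses when the server exports them; they are absent from the pasted report, so the sample below constructs them, and the `MISP:Tag` and `MISP:Sightings` taxonomy predicates are assumptions, not analyzer output.

```python
"""Summarise a Cortex MISP analyzer report: matched events, tags, sightings.

Added example, not part of the Cortex-Analyzers project. The report shape
(full.results[].result[]) follows the issue; the "Tag" (list of {"name"})
and "Attribute[].Sighting" fields are assumed MISP event fields that only
appear when the MISP server exports them.
"""
import json
from collections import Counter

# Constructed sample report mirroring the structure posted in the issue,
# with hypothetical Tag and Attribute/Sighting fields added for illustration.
SAMPLE_REPORT = json.loads(r'''
{
  "full": {
    "results": [
      {
        "url": "http://xxx.xxx.xxx.xxx",
        "result": [
          {
            "id": "4",
            "info": " - New Inquiry - CVE-2017-11882, FormGrabber",
            "date": "2018-01-29",
            "Tag": [{"name": "tlp:amber"}, {"name": "misp-galaxy:tool=\"Loki Bot\""}],
            "Attribute": [
              {"value": "http://xxx.xxx.xxx.xxx", "type": "url",
               "Sighting": [{"type": "0"}, {"type": "0"}]}
            ]
          },
          {
            "id": "1",
            "info": " - Inquiry - CVE-2017-11882, Loki Bot",
            "date": "2018-01-30",
            "Tag": [{"name": "tlp:amber"}],
            "Attribute": []
          }
        ]
      }
    ]
  },
  "summary": {"taxonomies": []},
  "success": true
}
''')


def iter_events(report):
    """Yield (searched_value, event_dict) for every MISP event in the report."""
    for hit in report.get("full", {}).get("results", []):
        for event in hit.get("result", []):
            yield hit.get("url"), event


def event_tags(event):
    """Return sorted tag names on an event; empty when the server did not
    export tags (the situation described in the issue)."""
    return sorted(tag["name"] for tag in event.get("Tag", []) if "name" in tag)


def event_sightings(event, value=None):
    """Count sightings on the event's attributes. If value is given, only the
    attribute matching the searched observable is counted. MISP sighting
    type "0" is a true sighting; "1" marks a false positive and is skipped."""
    count = 0
    for attr in event.get("Attribute", []):
        if value is not None and attr.get("value") != value:
            continue
        count += sum(1 for s in attr.get("Sighting", []) if s.get("type", "0") == "0")
    return count


def summarise(report):
    """Build per-event rows plus Cortex-style taxonomies for tags and sightings."""
    rows, all_tags, total_sightings = [], Counter(), 0
    for value, event in iter_events(report):
        tags = event_tags(event)
        sightings = event_sightings(event, value)
        all_tags.update(tags)
        total_sightings += sightings
        rows.append({"id": event.get("id"),
                     "info": event.get("info", "").strip(" -"),
                     "tags": tags, "sightings": sightings})
    taxonomies = [
        {"namespace": "MISP", "predicate": "Search", "level": "info",
         "value": f"{len(rows)} event(s)"},
        {"namespace": "MISP", "predicate": "Sightings", "level": "info",
         "value": str(total_sightings)},
    ]
    for name, n in sorted(all_tags.items()):
        taxonomies.append({"namespace": "MISP", "predicate": "Tag", "level": "info",
                           "value": f"{name} ({n})"})
    return {"events": rows, "taxonomies": taxonomies}


if __name__ == "__main__":
    print(json.dumps(summarise(SAMPLE_REPORT), indent=2))
```

Run it against a real report by replacing `SAMPLE_REPORT` with `json.load()` of the analyzer's output file; if `MISP:Tag` entries come back empty, the MISP server is not exporting tags for those events, which is the check that resolved this issue.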

@3c7 (Contributor)

3c7 commented Jan 31, 2018

This is how it should look: (screenshot)

Are your tags exportable? Seems like they don't show up using the MISP api either.

@syloktools (Contributor, Author)

You were right. I had to set this to false: `MISP.incoming_tags_disabled_by_default`, for those events, since they came from another org.

What do you think about the sightings? If it is marked as sighted in TheHive should that carry over to MISP?

@saadkadhi (Contributor)

Hi @robertnixon2003. Re 'What do you think about the sightings? If it is marked as sighted in TheHive should that carry over to MISP?', this has been planned for quite some time. It should be available with TheHive 3.1. We track it under #366 in TheHive's repository.

If you have no other question/suggestion, please close this issue.

@saadkadhi saadkadhi added scope:analyzer Issue is analyzer related scope:question labels Feb 6, 2018