Is there an easy way to get threat intel from MISP into IDR? I’m very new to MISP so still trying to work my way around it and figure out the best way to use the data it provides.
ICON has a Plugin that can do this for you.
We are currently implementing MISP and we are using ICON to manage it across multiple applications that do not have a native integration.
Thank you for the response, I am an ICON customer. Can this be set up to, say, once a day download the latest IPs, hashes, domains and create a community threat in IDR? That way I’ll be alerted on any activity. I typically don’t add threat intel directly to block lists.
Yes, that is what we do because IOCs don’t change that frequently. You would use a timer trigger set to once a day at the ## hour.
I am not an IDR customer, but I have read that IDR does have ICON use (there was a recent thread about this)
Hey Brandon, can you give me some more information on how you are doing this? I was having a hard time getting the MISP connection to successfully connect. I worked with support and we were able to get it to successfully connect. After that support said they can’t help me. They said there is no way to have ICON download the data and create a community threat in IDR.
I have created this a long time ago, and I already see some changes that I could make.
In the past I had some issues with the MISP plugin so I am using the Python plugin (this allows me to have more control over the data).
The snippet at the end is a simple check with the ICON API around the job. So if the job fails we receive an alert in our Slack/Teams; from here we can decide what we want to do with it, rerun the workflow etc.
Hope it helps guiding you along your ICON way.
Do you have your own MISP instance or are you trying to connect to someone else’s?
Originally someone tried to just connect to someone else’s, and I found you need to have your own MISP instance that pulls from them and you connect to yours.
I’m trying to connect to someone else’s.
From what I’ve read, this is not how MISP works. You need to set up your own MISP server (they have an OVA to POC it); you then have that server pull from different sources. Then you would have ICON pull from your instance and update IDR. I am still in the implementation phase so if I’m wrong, someone please speak up.
Hi.
We are a new ICON customer and I am also interested in this. I guess if MISP is not used can I use ICON to sync IOCs with other OSINT like VT?
Yes, you can collect IOCs from different sources (GitHub etc.) and load them, however I would suggest MISP as it combines the data and ensures that you are not loading duplicates.
Keeping it clean is important in Threat Intel.
Hi there,
We’ve implemented MISP on our side with IDR and we skipped ICON because the plugin didn’t work properly, but that may have changed…anyway.
So @brandon_mcclure is correct, you need to set up your own MISP server; after that you can configure it from where you would want to pull IoCs and schedule that either with a scheduled job from the UI or through a cronjob.
After that you can use the PyMISP library to interact with the platform and download IoCs from MISP in a CSV file and then push the file to the Threat Community List in IDR via the API.
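The pull, normalise and push path the post above describes (and the "no duplicates" point made earlier in the thread), as an added example that is not the poster's code and not from the thread. It assumes the attribute list comes back in the shape MISP's attribute restSearch returns (here a constructed sample so it runs offline; in a real job it would come from PyMISP's search or a direct REST call), and it assumes the InsightIDR endpoint `/idr/v1/customthreats/key/{threat_key}/indicators/add` with a JSON body of `ips`, `hashes`, `domain_names` and `urls` lists, as I recall it from the Rapid7 Threats API docs; check both against current documentation before relying on them. The request is built but only sent if you call `push()` yourself.

```python
# Added example (not from the thread). Normalise MISP attributes into the
# indicator buckets InsightIDR's threat API accepts, write the CSV the post
# mentions, and build the API request without sending it.
import csv
import io
import json
import urllib.request

# MISP attribute type -> IDR bucket (bucket names are an assumption from the Rapid7 docs).
TYPE_TO_BUCKET = {
    "ip-src": "ips", "ip-dst": "ips",
    "md5": "hashes", "sha1": "hashes", "sha256": "hashes",
    "domain": "domain_names", "hostname": "domain_names",
    "url": "urls",
}
# Composite MISP types carry two values joined by '|'; (bucket, index of the part we keep).
COMPOSITE = {
    "ip-dst|port": ("ips", 0), "ip-src|port": ("ips", 0),
    "domain|ip": ("domain_names", 0), "hostname|port": ("domain_names", 0),
    "filename|md5": ("hashes", 1), "filename|sha1": ("hashes", 1),
    "filename|sha256": ("hashes", 1),
}

def normalise(attributes, require_to_ids=True):
    """Return {bucket: sorted unique values}. Skips attributes not flagged to_ids
    (when required) and unmapped types, lower-cases hashes and domains, strips a
    trailing dot on domains, and collapses duplicates across events."""
    buckets = {"ips": set(), "hashes": set(), "domain_names": set(), "urls": set()}
    for attr in attributes:
        if require_to_ids and not attr.get("to_ids", False):
            continue
        atype, value = attr.get("type", ""), attr.get("value", "").strip()
        if atype in TYPE_TO_BUCKET:
            bucket = TYPE_TO_BUCKET[atype]
        elif atype in COMPOSITE:
            bucket, idx = COMPOSITE[atype]
            parts = value.split("|")
            if len(parts) != 2:
                continue
            value = parts[idx].strip()
        else:
            continue
        if bucket == "hashes":
            value = value.lower()
        elif bucket == "domain_names":
            value = value.lower().rstrip(".")
        if value:
            buckets[bucket].add(value)
    return {k: sorted(v) for k, v in buckets.items()}

def to_csv(buckets):
    """Two-column CSV (indicator_type,value), the file form the post mentions."""
    out = io.StringIO()
    w = csv.writer(out)
    w.writerow(["indicator_type", "value"])
    for bucket, values in buckets.items():
        for v in values:
            w.writerow([bucket, v])
    return out.getvalue()

def build_request(region, api_key, threat_key, buckets):
    """Build (do not send) the 'add indicators' request. Endpoint path and header
    are assumptions from the Rapid7 Threats API docs; verify before use."""
    url = (f"https://{region}.api.insight.rapid7.com/idr/v1/customthreats/key/"
           f"{threat_key}/indicators/add")
    headers = {"X-Api-Key": api_key, "Content-Type": "application/json",
               "Accept": "application/json"}
    return urllib.request.Request(url, data=json.dumps(buckets).encode(),
                                  headers=headers, method="POST")

def push(req, timeout=30):
    """Send the request; only call this from the real job."""
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status

# Constructed sample in the shape of a MISP /attributes/restSearch response.
MISP_RESPONSE = {"response": {"Attribute": [
    {"type": "ip-dst", "value": "198.51.100.23", "to_ids": True},
    {"type": "ip-dst", "value": "198.51.100.23", "to_ids": True},      # same IOC, second event
    {"type": "ip-dst|port", "value": "203.0.113.9|443", "to_ids": True},
    {"type": "domain", "value": "Malicious.Example.", "to_ids": True},
    {"type": "hostname", "value": "malicious.example", "to_ids": True},  # collapses with the domain
    {"type": "sha256", "value": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855", "to_ids": True},
    {"type": "filename|md5", "value": "invoice.exe|d41d8cd98f00b204e9800998ecf8427e", "to_ids": True},
    {"type": "url", "value": "http://malicious.example/payload.bin", "to_ids": True},
    {"type": "comment", "value": "analyst note, not an indicator", "to_ids": False},
    {"type": "ip-src", "value": "192.0.2.1", "to_ids": False},         # not for IDS, skipped
]}}

if __name__ == "__main__":
    b = normalise(MISP_RESPONSE["response"]["Attribute"])
    print(to_csv(b))
    print(build_request("us", "<api-key>", "<threat-key>", b).full_url)
```

In an ICON workflow this is what the Python plugin step would run under the once-a-day timer trigger mentioned earlier in the thread; the `to_ids` filter matters, because MISP feeds carry plenty of context attributes that should never become alert-generating indicators.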
So, with ICON I would import IOCs from different threats/families and add them to Community Threats?
Has anyone imported all or just certain IOCs?
Just trying to get a feel for what is best before I reach out to our CTI platform support.