Configure custom MISP API feed
The Malware Information Sharing Platform (MISP) API feed enables you to import events from the MISP server, along with their associated attributes and objects, into the TISC library.
Before you begin
Role required: sn_sec_tisc.admin
Procedure
- Navigate to Workspaces > Threat Intelligence Security Center > Integrations.
- Select Custom.
Note: By default, the MISP feed is disabled. You must edit the configuration to enable the feed.
- Select the Edit button on the MISP Feed card.
- Drill down to the Configuration Details section.
- Update the REST endpoint URL field.
- Add the required authentication details for the MISP server (if any).
- Navigate to Additional Settings to configure the filters to fetch the data from MISP.
The Additional Settings tab is used to set up filters that determine which MISP events are ingested.
- Select Edit Settings.
- Select the required filters.
Note: The following section provides a detailed explanation of each available option. Review each option in the following table to understand how the filters can be applied to optimize which MISP events are ingested into the TISC library. All configured filters are applied in conjunction when events are ingested.
- Select the required values from the following available filters.
Table 1. Edit Additional Settings

| Field | Description |
| --- | --- |
| Filters on events | |
| Include unpublished events | Select this check box if you want to include unpublished events. |
| Creator org name or ID | Enter a comma-separated list of organization names and/or IDs associated with the event. Note: If the organization name contains leading or trailing spaces, enclose the name in double quotes to ensure proper processing. |
| Tag name or ID | Enter a comma-separated list of tag names and/or tag IDs associated with the event. |
| Threat level | Select a threat level to filter incoming events. Leaving this field empty includes events of all threat levels. |
| Distribution level | Select a distribution level to limit events. Leaving this field empty includes events of all distribution levels. |

Note: Once you've defined the Additional Settings following the instructions above, you can duplicate the feed when creating another. For more information, see Step 13.
- Select Update on the Additional Settings dialog box to save the modified additional settings.
- Select Enable to enable the MISP feed for including the MISP events.
The TISC application uses the date configured in the Fetch data from field as the baseline for retrieving events and associated attributes.
The Fetch data from date determines which events and associated attributes are retrieved. TISC compares this date with specific timestamps based on the event status:
- Published events: Compared against the Published timestamp.
- Unpublished events: Compared against the Last updated timestamp.
An event is retrieved only if its relevant timestamp is later than the configured Fetch data from date.
Using the appropriate timestamp for each event status ensures accurate retrieval of both newly published events and recently updated unpublished events.
- Optional: Select Duplicate to duplicate the feed.
For more information, see Duplicate threat intelligence feeds.
Note:
- Each MISP event imported into the TISC library, whether as a Threat Report or Threat Event, includes an associated External Reference record.
- This record is accessible via the Related Records tab and provides a direct URL link to the corresponding MISP event on the MISP server. This also enables quick access to the original event data.
- For details on how MISP events, along with their associated attributes and objects, are mapped to TISC entities, refer to KB2197697.
- Entity types that aren’t included in the mapping described in the KB article aren't ingested into the TISC Library.
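
The selection rules described in the procedure (the Fetch data from comparison per event status, and the Additional Settings filters applied in conjunction), modeled as an added Python example; this is not ServiceNow or MISP code. The field names follow MISP event JSON, while the sample events, the function names, and the treatment of a comma-separated list as "any entry matches" are assumptions.

```python
from datetime import datetime, timezone

def relevant_time(event):
    # Published events: publish_timestamp. Unpublished events: timestamp (last updated).
    key = "publish_timestamp" if event["published"] else "timestamp"
    return datetime.fromtimestamp(int(event[key]), tz=timezone.utc)

def would_ingest(event, fetch_from, include_unpublished=False,
                 orgs=(), tags=(), threat_level=None, distribution=None):
    """True only if the event passes every configured filter (conjunction)."""
    if not event["published"] and not include_unpublished:
        return False
    if relevant_time(event) <= fetch_from:  # must be later than the baseline
        return False
    # Assumption: one matching name or ID from a list is enough for that filter.
    orgc = event["Orgc"]
    if orgs and not {orgc["name"], orgc["id"]} & set(orgs):
        return False
    event_tags = {v for t in event.get("Tag", []) for v in (t["name"], t["id"])}
    if tags and not event_tags & set(tags):
        return False
    if threat_level is not None and event["threat_level_id"] != threat_level:
        return False
    if distribution is not None and event["distribution"] != distribution:
        return False
    return True

def selected_ids(events, fetch_from, **filters):
    return [e["id"] for e in events if would_ingest(e, fetch_from, **filters)]

def _ts(year, month, day):
    return str(int(datetime(year, month, day, tzinfo=timezone.utc).timestamp()))

def _event(eid, published, pub, updated, level, org_id, org, tags):
    return {"id": eid, "published": published, "publish_timestamp": pub, "timestamp": updated,
            "threat_level_id": level, "distribution": "3", "Orgc": {"id": org_id, "name": org},
            "Tag": [{"id": i, "name": n} for i, n in tags]}

# Constructed sample events (not real MISP data), keyed like MISP event JSON.
EVENTS = [
    _event("101", True, _ts(2024, 2, 1), _ts(2023, 12, 1), "1", "2", "ExampleCERT", [("7", "tlp:green")]),
    _event("102", True, _ts(2023, 11, 1), _ts(2023, 11, 1), "1", "2", "ExampleCERT", []),
    _event("103", False, "0", _ts(2024, 3, 1), "2", "5", "ExampleISAC", []),
    _event("104", True, _ts(2024, 2, 15), _ts(2024, 2, 15), "3", "5", "ExampleISAC", [("7", "tlp:green")]),
]
FETCH_FROM = datetime(2024, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(selected_ids(EVENTS, FETCH_FROM), selected_ids(EVENTS, FETCH_FROM, include_unpublished=True))
```

Event 101 is selected on its publish timestamp even though its last update predates the baseline, and event 103 only appears once unpublished events are included, because its last-updated timestamp is then the one compared.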