MISP

The ThreatConnect integration with the Malware Information Sharing Platform (MISP) enables you to import MISP Events and Attributes into ThreatConnect as Incidents and Indicators [Address, Host, Email Address, Email Subject, URL, CIDR, File, ASN, and User Agent], respectively. Improvements to this app include:

• Supports retrieving attributes nested inside MISP Objects
• Supports additional Attribute categories / mappings

This app can be found in the ThreatConnect App Catalog under the names: MISP Import (v2.0.1)

The Polarity MISP integration enables analysts to get the most out of their open-source MISP threat intelligence platform. Analysts can quickly understand the scope of an indicator, knowing what the indicator is related to and how it could be effecting their company. Analysts can also add or remove tags enriching the indicators for other analysts.

Examples

MISP Data Overview

• Summary Tags: When running a search analysts can quickly see associated tags for the indicator and its categories. Enabling them to know if it is something worth further investigation.
• Attributes: When drilling into the details of an indicator with MISP analysts can quickly understand additional information on the indicator such as the type, category and when it was added into MISP.
• Events: If there were any events associated with the indicator, analysts can quickly know the dates, number of organization(s) it may effect, its threat level and when the event occurred.
• Add/Remove Tags: If enabled, analysts will have the ability to add or remove tags from indicators. Enabling them to enrich the indicator as deemed necessary.

The Polarity - MISP IOC Submission integration enables analysts to quickly enrich their MISP TIP by bulk adding in indicators to the system. Enabling teams to have a full enriched platform.

Examples

MISP IOC Submission Data Overview

• Indicators in MISP: When using the MISP IOC Submission integration, analysts can quickly add and enrich their MISP platform. When looking at the integration analysts will first be presented with a list of indicators that are currently in MISP.
• Indicators Not in MISP: In the next section there is a list of indicators that are not currently in the analysts MISP instance. Analysts can hit the plus button next to the indicator to prep the indicators to add to MISP.
• To Be Submitted: Any indicators that are staged to be submitted to MISP will be shown in this section.
• Submission Options: Before submitting all the indicators to MISP analysts will be able to enrich the information with event information, organization, category and indicator types. Analysts can also add in any tags necessary.

The Polarity - MISP Warning Lists integration enables analysts to quickly know if the indicator is well known and could be potentially associated with a false positive.

Examples

MISP Warning Lists Data Overview

• Summary Tags: When using MISP Warning Lists, analysts quickly understand if the domain or IP is a common indicator, instantly knowing that it is not malicious. The summary tags quickly let analysts know what lists the indicator is associated with.
• List Information: When clicking into the details analysts can get more context on lists the indicator is in.