Tags in Export to MISP?

InQuest / ThreatIngestor

Extract and aggregate threat intelligence.

https://inquest.readthedocs.io/projects/threatingestor/

GNU General Public License v2.0

821 stars 135 forks source link

Tags in Export to MISP? #74

Closed mathurin68 closed 5 years ago

mathurin68 commented 5 years ago

I saw this in the manual...

ssl: Verify SSL certificate? (default: true)
tags: List of tags to attach to events (default: [type:OSINT])

But is there a way to add a different tag for each source pushed to MISP? I.E. Twitter or RSS

Thank you so much for releasing this tool too!

rshipp commented 5 years ago

Hi! This is possible, but you'd have to split them out manually, with one MISP operator for each grouping. Each operator can define its own tags, and only process from the sources you allow. Eg:

- name: mymisp-twitter
  module: misp
  credentials: misp-auth
  tags: [type:OSINT, my-misp-twitter-tag-1]
  allowed_sources: [my-twitter-source-*]

- name: mymisp-rss
  module: misp
  credentials: misp-auth
  tags: [type:OSINT, my-misp-rss-tag-1]
  allowed_sources: [my-rss-source-*]

Hope that makes sense. :)

mathurin68 commented 5 years ago

Sorry this took me so long to respond, this is awesome thank you!