OpenCTI-Platform / connectors

OpenCTI Connectors
https://www.opencti.io
Apache License 2.0

OpenCTI can't get MISP Events #221

Closed khalidrehan closed 3 years ago

khalidrehan commented 3 years ago

Description

The MISP Connector is working and connecting to MISP - as I see it - but no events are returned.

Environment

  1. OS (where OpenCTI server runs): Ubuntu 20.04 / VM Temp.
  2. OpenCTI version: 4.0.3
  3. MISP version: v2.4.136
  4. PyMISP Status: OK

MISP Connector Config:

  connector-misp:
    image: opencti/connector-misp:4.0.3
    environment:
      - OPENCTI_URL=http://opencti:8080
      - OPENCTI_TOKEN=${OPENCTI_ADMIN_TOKEN}
      - CONNECTOR_ID=${CONNECTOR_MISP_ID}
      - CONNECTOR_TYPE=EXTERNAL_IMPORT
      - CONNECTOR_NAME=MISP
      - CONNECTOR_SCOPE=misp
      - CONNECTOR_CONFIDENCE_LEVEL=3
      - CONNECTOR_UPDATE_EXISTING_DATA=false
      - CONNECTOR_LOG_LEVEL=info
      - MISP_URL=${CONNECTOR_MISP_URL} # Required
      - MISP_KEY=${CONNECTOR_MISP_API} # Required
      - MISP_SSL_VERIFY=False # Required
      - MISP_CREATE_REPORTS=True # Required, create report for MISP event
      - MISP_REPORT_CLASS=MISP Event # Optional, report_class if creating report for event
      - MISP_IMPORT_FROM_DATE=2000-01-01 # Optional, import all event from this date
      - MISP_IMPORT_TAGS=opencti:import,type:osint,C2,osint:source-type*,ecsirt:intrusions* # Optional, list of tags used for import events
      - MISP_INTERVAL=1 # Required, in minutes
    restart: always

Environment variables:

image

Service Log:

2021-01-07T13:50:03.831874258Z INFO:root:Reporting work update_received opencti-work--56a45273-c45b-4523-8775-77b92d1415ee,
2021-01-07T13:49:03.482065217Z INFO:root:MISP returned 0 events.,
2021-01-07T13:49:03.482150701Z INFO:root:Connector successfully run (0 events have been processed), storing last_run as 1610027343,
2021-01-07T13:49:03.482195225Z INFO:root:Reporting work update_received opencti-work--821668f9-5f26-4e64-bc83-22d3b8175f99,
2021-01-07T13:51:03.941814882Z INFO:root:Initiate work for 48e257b7-1c80-4cb9-9ea1-433eff4057eb,
2021-01-07T13:51:04.190585525Z INFO:root:Reporting work update_received opencti-work--d9267337-d719-41fb-8969-abdaa95b1f6a,
2021-01-07T13:51:04.190441257Z INFO:root:MISP returned 0 events.,
2021-01-07T13:51:04.190462892Z INFO:root:Connector successfully run (0 events have been processed), storing last_run as 1610027463,
2021-01-07T13:51:04.118686033Z INFO:root:Connector last run: 2021-01-07 13:50:03,
2021-01-07T13:51:04.118771497Z INFO:root:Fetching MISP events with args: {"tags": {"OR": ["opencti:import", "type:osint", "C2", "osint:source-type*", "ecsirt:intrusions*"]}, "timestamp": 1610027403, "limit": 50, "page": 1},
2021-01-07T13:50:03.831770059Z INFO:root:Connector successfully run (0 events have been processed), storing last_run as 1610027403,
2021-01-07T13:50:03.831739666Z INFO:root:MISP returned 0 events.

OpenCTI:

image

MISP Events:

image

Regards. Khalid Rehan
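The service log in the report above can be read mechanically. The following is an added example, not code from the connector or from the original post: it sorts the shuffled log lines and shows which tag filter and which lookback window each fetch sent to MISP. The function names are hypothetical, and reading `timestamp` as a "changed since" filter is an assumption about MISP's search API.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample: five lines copied from the service log in the report above,
# left in the shuffled order in which they were posted.
SAMPLE_LOG = """\
2021-01-07T13:51:04.190441257Z INFO:root:MISP returned 0 events.,
2021-01-07T13:51:04.190462892Z INFO:root:Connector successfully run (0 events have been processed), storing last_run as 1610027463,
2021-01-07T13:51:04.118686033Z INFO:root:Connector last run: 2021-01-07 13:50:03,
2021-01-07T13:51:04.118771497Z INFO:root:Fetching MISP events with args: {"tags": {"OR": ["opencti:import", "type:osint", "C2", "osint:source-type*", "ecsirt:intrusions*"]}, "timestamp": 1610027403, "limit": 50, "page": 1},
2021-01-07T13:50:03.831770059Z INFO:root:Connector successfully run (0 events have been processed), storing last_run as 1610027403,
"""

LINE = re.compile(r"^(\S+Z) INFO:root:(.*?),?$")

def epoch(stamp):
    """Docker timestamp (nanosecond precision, UTC) -> whole epoch seconds."""
    dt = datetime.strptime(stamp[:19], "%Y-%m-%dT%H:%M:%S")
    return int(dt.replace(tzinfo=timezone.utc).timestamp())

def summarize(log):
    """Return one dict per fetch: tag filter, lookback window, events returned."""
    # ISO timestamps of equal width sort correctly as plain strings.
    rows = sorted(m.groups() for m in map(LINE.match, log.splitlines()) if m)
    runs, stored = [], None
    for stamp, msg in rows:
        if m := re.search(r"storing last_run as (\d+)", msg):
            stored = int(m.group(1))
        elif msg.startswith("Fetching MISP events with args: "):
            args = json.loads(msg.split("args: ", 1)[1])
            runs.append({
                "tags": args["tags"]["OR"],
                "since": args["timestamp"],
                # Seconds between the "timestamp" filter and the fetch itself.
                "window_s": epoch(stamp) - args["timestamp"],
                # True when the filter is the last_run stored by the previous run.
                "since_is_last_run": args["timestamp"] == stored,
                "returned": None,
            })
        elif runs and (m := re.match(r"MISP returned (\d+) events", msg)):
            runs[-1]["returned"] = int(m.group(1))
    return runs

if __name__ == "__main__":
    for run in summarize(SAMPLE_LOG):
        print(run)
```

On the sample, the single fetch looks back 61 seconds from the stored `last_run`, so the summary describes only what was requested in that minute, not whether older matching events exist in MISP.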

khalidrehan commented 3 years ago

Testing curl from the OpenCTI server:

  curl -k \
    -d '{"returnFormat":"csv","tags":"type:osint"}' \
    -H "Authorization: LFKL3J3ITHOPGtKzoeWW3P8GCcZ0GnXt8iBq7TiP" \
    -H "Accept: application/json" \
    -H "Content-type: application/json" \
    -X POST https://<MISP-Server>/

Returned events.

But it did not work from inside opencti_connector-misp.* console.

khalidrehan commented 3 years ago

I fixed it! The problem was the MISP-ID, I used a wrong UUID from the MISP Settings, and I should have used the Organization UUID instead. I unified them to be the Organization UUID - which I'm not sure if it was a correct step - then I used it, and it worked.

Regards, Khalid.

Ken-Abruzzi commented 3 years ago

@khalidrehan Hello, bro! What is the Organization UUID? How can I get it? Thank you.

khalidrehan commented 3 years ago

> @khalidrehan Hello, bro! What is the Organization UUID? How can I get it? Thank you.

  1. Create a Sync account in MISP, then log in to it.
  2. Go to "Create Sync", and you will find it.

Ken-Abruzzi commented 3 years ago

@khalidrehan Thank you!