OpenCTI-Platform / connectors

OpenCTI Connectors
https://www.opencti.io
Apache License 2.0

[MISP] Multiple enhancements requests #674

Closed SamuelHassine closed 2 weeks ago

SamuelHassine commented 2 years ago

Use case

Here is a list of requirements for the new MISP connector:

Filtering engine

Ideally we should be able to define some filtering rules when importing events:

based on creator_org: opt-in and/or opt-out

based on owner_org: opt-in and/or opt-out

import some observable types only for some organization (example: import all observables but hashes for events created by org_XXX)

filter events with (or without) a specific tag (example: do not import events with tag: Cuckoo)

filter events based on keywords in the description (example: Cuckoo Sandbox analysis)

Enhanced contextualization

The MISP connector should be able to read the Galaxy information indicated on the MISP attributes level and create, in OpenCTI, a relationship between the indicators (which are created based on MISP attributes) and the relevant OpenCTI threat entities (intrusion set, malware or attack pattern).

The MISP connector should detect if tags attached to a MISP event correspond to malware or intrusion sets in OpenCTI, and make the association with the relevant entities during the import.

Optimization

A better catch-retry mechanism when the urllib3 or requests module throws an exception. At the moment it requires manual intervention to get the MISP connector going again.

Improve the performance and resilience of the connector when an updated MISP event is imported. As of today our understanding is that a small update on a MISP event triggers lots of work on the OpenCTI DB.

An additional request, if possible, would be a configuration option/env var to automatically set the status of reports (New/In Progress/Analyzed/Closed) created for MISP events, like there is for the AlienVault and CrowdStrike connectors (ALIENVAULT_REPORT_STATUS/CROWDSTRIKE_REPORT_STATUS).

It seems that when importing a MISP event with attributes of type filename|hash, only the filename is imported.
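A sketch of the filtering engine requested above, written here as an added example and not code from the OpenCTI connectors repository. It evaluates the rules from the list (creator/owner org opt-in and opt-out, per-org observable type restrictions, tag and keyword filters) against MISP-style event dicts. The event layout used (`Event.Orgc.name` for the creator, `Event.Org.name` for the owner, `Event.Tag[].name`, `Event.info`, `Event.Attribute[].type`) follows the MISP JSON export; the sample events, the `HASH_TYPES` list and all rule names are constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Attribute types treated as "hashes" for the per-org restriction (assumed list).
HASH_TYPES = {"md5", "sha1", "sha256", "sha512", "ssdeep", "imphash",
              "filename|md5", "filename|sha1", "filename|sha256"}


@dataclass
class ImportFilter:
    """Rules evaluated against a MISP event before it is turned into OpenCTI objects."""
    creator_orgs_allow: Optional[Set[str]] = None            # opt-in on Orgc (creator)
    creator_orgs_deny: Set[str] = field(default_factory=set)  # opt-out on Orgc
    owner_orgs_allow: Optional[Set[str]] = None              # opt-in on Org (owner)
    owner_orgs_deny: Set[str] = field(default_factory=set)    # opt-out on Org
    required_tags: Set[str] = field(default_factory=set)      # event must carry at least one
    excluded_tags: Set[str] = field(default_factory=set)      # event must carry none
    excluded_keywords: Set[str] = field(default_factory=set)  # case-insensitive match on "info"
    # creator org -> attribute types dropped from that org's events
    dropped_types_by_creator: Dict[str, Set[str]] = field(default_factory=dict)


def _org_ok(name: str, allow: Optional[Set[str]], deny: Set[str]) -> bool:
    """Deny list wins; an allow list, when present, is an opt-in whitelist."""
    if name in deny:
        return False
    return allow is None or name in allow


def event_accepted(event: dict, rules: ImportFilter) -> tuple[bool, str]:
    """Return (accepted, reason) for the whole event; the reason is meant for the connector log."""
    ev = event["Event"]
    creator = ev.get("Orgc", {}).get("name", "")
    owner = ev.get("Org", {}).get("name", "")
    tags = {t["name"] for t in ev.get("Tag", [])}
    info = ev.get("info", "").lower()

    if not _org_ok(creator, rules.creator_orgs_allow, rules.creator_orgs_deny):
        return False, f"creator org {creator!r} filtered"
    if not _org_ok(owner, rules.owner_orgs_allow, rules.owner_orgs_deny):
        return False, f"owner org {owner!r} filtered"
    if tags & rules.excluded_tags:
        return False, f"excluded tag(s) {sorted(tags & rules.excluded_tags)}"
    if rules.required_tags and not (tags & rules.required_tags):
        return False, "required tag missing"
    for kw in rules.excluded_keywords:
        if kw.lower() in info:
            return False, f"keyword {kw!r} in event info"
    return True, "accepted"


def filter_attributes(event: dict, rules: ImportFilter) -> list[dict]:
    """Drop attribute types the rules exclude for this event's creator org."""
    ev = event["Event"]
    creator = ev.get("Orgc", {}).get("name", "")
    dropped = rules.dropped_types_by_creator.get(creator, set())
    return [a for a in ev.get("Attribute", []) if a["type"] not in dropped]


def apply_filter(event: dict, rules: ImportFilter) -> Optional[dict]:
    """None when the event is rejected, otherwise a copy with only the kept attributes."""
    ok, _reason = event_accepted(event, rules)
    if not ok:
        return None
    return {"Event": {**event["Event"], "Attribute": filter_attributes(event, rules)}}


# Constructed sample events (not real MISP data).
EVENTS = [
    {"Event": {"id": "1", "info": "Campaign infrastructure", "Orgc": {"name": "org_XXX"},
               "Org": {"name": "CIRCL"}, "Tag": [{"name": "tlp:amber"}],
               "Attribute": [{"type": "ip-dst", "value": "198.51.100.7"},
                             {"type": "sha256", "value": "a" * 64}]}},
    {"Event": {"id": "2", "info": "Cuckoo Sandbox analysis of sample.exe", "Orgc": {"name": "org_YYY"},
               "Org": {"name": "CIRCL"}, "Tag": [{"name": "Cuckoo"}],
               "Attribute": [{"type": "md5", "value": "b" * 32}]}},
    {"Event": {"id": "3", "info": "Phishing kit", "Orgc": {"name": "org_ZZZ"},
               "Org": {"name": "CIRCL"}, "Tag": [],
               "Attribute": [{"type": "domain", "value": "phish.example"}]}},
    {"Event": {"id": "4", "info": "cuckoo sandbox analysis results", "Orgc": {"name": "org_YYY"},
               "Org": {"name": "CIRCL"}, "Tag": [],
               "Attribute": [{"type": "url", "value": "http://c2.example/x"}]}},
]

# Rules mirroring the examples in the issue: skip org_ZZZ, skip Cuckoo-tagged events and
# sandbox write-ups, and import everything but hashes from org_XXX.
RULES = ImportFilter(
    creator_orgs_deny={"org_ZZZ"},
    excluded_tags={"Cuckoo"},
    excluded_keywords={"Cuckoo Sandbox analysis"},
    dropped_types_by_creator={"org_XXX": HASH_TYPES},
)


def run(events: list = EVENTS, rules: ImportFilter = RULES) -> dict:
    """Map event id -> filtered event (or None when the event is skipped)."""
    return {ev["Event"]["id"]: apply_filter(ev, rules) for ev in events}


if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["Event"]["id"], event_accepted(ev, RULES))
```

The deny lists are checked before the allow lists so that an explicit opt-out always wins, and every rejection returns a reason string so the connector can log why an event was skipped instead of silently dropping it.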

debelyoo commented 2 years ago

If I'm not mistaken, the MISP connector only supports importing events from MISP to OpenCTI. Is there any plan to support handling deletion (i.e. deleting reports in OpenCTI for events that have been deleted in MISP)?

SamuelHassine commented 2 years ago

Status: