TheHive-Project / TheHive

TheHive: a Scalable, Open Source and Free Security Incident Response Platform
https://thehive-project.org
GNU Affero General Public License v3.0

MISP update event when exporting an event #2209

Open dewiestr opened 3 years ago

dewiestr commented 3 years ago

Request Type

Feature request - to avoid MISP duplicate entries set a configurable MISP event ID for each case in TheHive.

Feature Description

Currently, when exporting a case towards MISP on multiple occasions, TheHive will create a NEW case. This is probably due to the fact that the case does not have a fixed MISP event ID assigned.

If it would be configurable through the GUI to set a MISP Event ID for each case in TheHive, this would stop generating duplicates and hopefully update an existing event with new indicators.

Possible Solutions

Set a configurable MISP event ID for each case in TheHive.

Complementary information

Way to reproduce:

1) Create a new case in TheHive
2) Add indicators
3) Export to the configured MISP event
4) Add more indicators
5) Export again to MISP
6) See duplicate events in MISP
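The reproduction steps above, replayed in code as an added illustration (this is not TheHive's or MISP's code). It contrasts the reported behaviour (a fresh MISP event on every export) with the find-or-create export the request asks for. Assumptions not in the issue: the link between a case and its MISP event is carried by an event tag of the form `thehive:case=<caseId>`, the observable-to-attribute type map is a small constructed subset, and MISP is replaced by an in-memory stand-in so the script runs offline.

```python
"""Idempotent TheHive -> MISP export, as an illustration of issue #2209.

Added example, not project code. MISP is replaced by an in-memory stand-in;
the case<->event link is an assumed tag ``thehive:case=<caseId>``.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

# A TheHive observable as (dataType, data), e.g. ("ip", "203.0.113.7").
Observable = Tuple[str, str]

# Assumed mapping from TheHive dataTypes to MISP attribute types (subset).
TYPE_MAP = {"ip": "ip-dst", "domain": "domain", "hash": "sha256", "url": "url"}


@dataclass
class MispEvent:
    id: int
    info: str
    tags: Set[str] = field(default_factory=set)
    attributes: Set[Tuple[str, str]] = field(default_factory=set)  # (type, value)


class FakeMisp:
    """Minimal stand-in for the three MISP operations the exporter needs."""

    def __init__(self) -> None:
        self.events: Dict[int, MispEvent] = {}
        self._next_id = 1

    def add_event(self, info: str, tags: Set[str]) -> MispEvent:
        ev = MispEvent(self._next_id, info, set(tags))
        self.events[ev.id] = ev
        self._next_id += 1
        return ev

    def search_by_tag(self, tag: str) -> List[MispEvent]:
        return [e for e in self.events.values() if tag in e.tags]

    def add_attribute(self, event_id: int, attr_type: str, value: str) -> bool:
        """Return True if the attribute was new, False if it was already present."""
        ev = self.events[event_id]
        if (attr_type, value) in ev.attributes:
            return False
        ev.attributes.add((attr_type, value))
        return True


def naive_export(misp: FakeMisp, case_id: str, title: str,
                 observables: List[Observable]) -> Tuple[int, int]:
    """The behaviour reported in the issue: every export creates a fresh event."""
    ev = misp.add_event(info=title, tags={f"thehive:case={case_id}"})
    added = sum(misp.add_attribute(ev.id, TYPE_MAP[t], v) for t, v in observables)
    return ev.id, added


def idempotent_export(misp: FakeMisp, case_id: str, title: str,
                      observables: List[Observable]) -> Tuple[int, int]:
    """Find the event already tagged with this case (or create it once),
    then add only the attributes it does not have yet.

    Returns (event_id, number_of_attributes_added).
    """
    tag = f"thehive:case={case_id}"
    existing = misp.search_by_tag(tag)
    if len(existing) > 1:
        # Two events claim the same case: refuse rather than guess which to update.
        raise RuntimeError(f"{len(existing)} MISP events carry {tag}; resolve manually")
    ev = existing[0] if existing else misp.add_event(info=title, tags={tag})
    added = sum(misp.add_attribute(ev.id, TYPE_MAP[t], v) for t, v in observables)
    return ev.id, added


def reproduce(exporter: Callable[..., Tuple[int, int]]) -> FakeMisp:
    """Steps 1-6 of the issue against a fresh stand-in; constructed sample data."""
    misp = FakeMisp()
    case_id, title = "case-1001", "Phishing campaign"  # constructed, not real IDs
    first = [("ip", "203.0.113.7"), ("domain", "bad.example")]
    exporter(misp, case_id, title, first)                       # steps 1-3
    later = first + [("url", "http://bad.example/payload")]     # step 4
    exporter(misp, case_id, title, later)                       # step 5
    return misp                                                 # step 6: inspect


if __name__ == "__main__":
    print("naive export events:", len(reproduce(naive_export).events))          # 2
    print("idempotent export events:", len(reproduce(idempotent_export).events))  # 1
```

Against a real MISP the same three operations map onto PyMISP's `search`, `add_event` and `add_attribute`; the dedup key on the MISP side is (attribute type, value), which is also what MISP itself rejects as a duplicate within one event. The refusal on more than one tagged event is deliberate: once duplicates already exist (as in the report), silently picking one would hide the problem instead of surfacing it.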

dewiestr commented 3 years ago

This is probably linked to this FR: https://github.com/TheHive-Project/TheHive/issues/2146

torsolaso commented 3 years ago

You can set up a MISP org name exclusion in application.conf; using it, you avoid having duplicate events.

dewiestr commented 3 years ago

Hey @torsolaso, I think we aren't talking about the same thing. In my scenario, any export will always result in a new MISP event being created, independent of which org name creates it. Just so you know the entire chain: in my case, it is triggered by a TheHive event; nothing comes in from MISP originally. Perhaps that makes more sense? I'm not importing anything from MISP, simply exporting the observables while working on the case so my SIEM and IDS can pick up the indicators on a daily basis.

realAnimoL commented 3 years ago

I can relate to @dewiestr; we have the exact same behaviour in our environment.

kiz1 commented 3 years ago

This is probably linked to #1949

kiz1 commented 3 years ago

On TH3 - MISP events updated

dewiestr commented 2 years ago

Hi @kiz1, it's actually not the same setup. I actually think an event in MISP should be updated based upon a new indicator being added in TheHive, for example. The way we use it is that IR only has access to TheHive and hits Export when they want to provide indicators to the Threat Intel group (aka to MISP). So the problem is actually that if you have an update on the TheHive event (let's say new IOCs get found during the IR), a new MISP event is created in MISP; I think the old MISP event should be updated instead.

hkelley commented 1 year ago

Does anyone know if this behavior was fixed in TheHive 5?