opensearch-project / security-analytics

Security Analytics enables users to detect security threats in their security event log data. It also allows them to modify or tailor the pre-packaged solution.
Apache License 2.0

[FEATURE] Implement use of MISP feeds for detection #702

Open sandervandegeijn opened 1 year ago

sandervandegeijn commented 1 year ago

Is your feature request related to a problem? Within the educational sector in The Netherlands we use MISP to exchange threat intel. MISP is widely used for this also outside our context. It can be very useful to detect threats based on the findings of other organisations.

https://www.misp-project.org/features/

What solution would you like? Use MISP-feeds for detection of threats.

What alternatives have you considered? Not really, this is an industry standard.

Do you have any additional context? N/A

eirsep commented 1 year ago

@ict-one-nl How do you intend to consume MISP feeds? Were you thinking of an integration with MISP's platform and providing a license key to pull in your MISP's latest events? Or were you thinking of a feature where we let users choose a list of open feeds that are used by MISP and keep the feeds updated?

sandervandegeijn commented 1 year ago

We have an internal MISP that's being fed by other institutions in the Netherlands. It would be helpful if we could consume this and other MISP feeds as a basis for detection. Suricata also does this, but only for NDR :)

praveensameneni commented 7 months ago

@sandervandegeijn, thank you for the feature request on MISP feeds. We are working on creating a Threat Intel Analytics Platform for integrating different feeds and providing enhanced correlation and threat investigation capabilities with the IOCs. We (@eirsep) will share a detailed proposal on the upcoming feature and the version it will be available in.

sandervandegeijn commented 7 months ago

Great, should I close this issue then? :)

praveensameneni commented 7 months ago

We can close it once we release the feature.

praveensameneni commented 6 months ago

@sandervandegeijn , can you please comment on the Meta issue - https://github.com/opensearch-project/security-analytics/issues/989

sandervandegeijn commented 6 months ago

Sure, how can I help you?

praveensameneni commented 6 months ago

> Sure, how can I help you?

  1. As a user, what would you like the user experience of using IOCs for threat investigations and threat hunting to be?
  2. As a user, would you like to integrate the IOCs to be part of the threat detection workflow?
  3. Would you like to see integrations with both open source and commercial feeds (login with subscription/API key)?
  4. What would be the top 3 or 5 things that you would like to see as part of the initial launch?

sandervandegeijn commented 5 months ago

  1. It's one of the possible sources for detection, just like others. Shouldn't be treated differently from the others?
  2. Yep, just like other sources, preferably with correlation
  3. Possible, but also private feeds from other institutions
  4. You need to be able to define one or more feeds (open and authenticated), maybe with some filtering applied and apply the usual workflow.

something like this? :)
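As an added illustration of the workflow described in the thread (define a feed, apply tag filtering, then match indicators against event logs), here is a small example that is not part of the security-analytics project and not code from any participant. It assumes a MISP feed event in MISP's JSON layout (`Event` with an `Attribute` list carrying `type`, `value`, `to_ids` and `Tag`); the feed event and the log lines are constructed samples with placeholder values.

```python
import json
import re

# Constructed sample shaped like a MISP feed event; values are placeholders, not real indicators.
SAMPLE_FEED_EVENT = json.dumps({
    "Event": {
        "info": "constructed example event",
        "Attribute": [
            {"type": "ip-dst", "value": "203.0.113.5", "to_ids": True, "Tag": [{"name": "tlp:green"}]},
            {"type": "domain", "value": "bad.example", "to_ids": True, "Tag": [{"name": "tlp:amber"}]},
            {"type": "comment", "value": "analyst note", "to_ids": False, "Tag": []},
            {"type": "ip-dst", "value": "198.51.100.9", "to_ids": False, "Tag": []},
        ],
    }
})

# Constructed log lines (proxy and firewall style) to run the indicators against.
SAMPLE_LOGS = [
    "2024-05-01T10:00:00Z proxy client=10.0.0.4 dst=bad.example status=200",
    "2024-05-01T10:00:05Z fw action=allow src=10.0.0.7 dst=203.0.113.5 dport=443",
    "2024-05-01T10:00:09Z fw action=allow src=10.0.0.7 dst=198.51.100.9 dport=80",
]

NETWORK_TYPES = ("ip-dst", "ip-src", "domain", "hostname")


def load_iocs(feed_json, allowed_tags=None, types=NETWORK_TYPES):
    """Return {value: type} for attributes the feed flags for detection (to_ids),
    restricted to network indicator types and, optionally, to a set of tags."""
    event = json.loads(feed_json)["Event"]
    iocs = {}
    for attr in event.get("Attribute", []):
        if not attr.get("to_ids") or attr.get("type") not in types:
            continue  # informational attributes are not meant for automated matching
        tags = {t["name"] for t in attr.get("Tag", [])}
        if allowed_tags and not tags & set(allowed_tags):
            continue  # feed-level filtering, e.g. only share-able TLP levels
        iocs[attr["value"]] = attr["type"]
    return iocs


TOKEN_RE = re.compile(r"[A-Za-z0-9.\-]+")


def match_logs(log_lines, iocs):
    """Return (line_no, indicator, type) for every log line containing a loaded IOC."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        tokens = sorted({tok.strip(".") for tok in TOKEN_RE.findall(line)})
        hits.extend((line_no, tok, iocs[tok]) for tok in tokens if tok in iocs)
    return hits
```

Only attributes with `to_ids` set are loaded, so the `198.51.100.9` line produces no hit even though the value appears in the feed.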