MISP Ingestion Integration

Hi Everyone,

I've set up the MISP Ingestion Integration but I'm having no luck getting events from MISP. Every time it downloads, there are 0 events. No errors, just no events.

Has anyone done this successfully? I'm pulling my hair out.

Thank you 

Sam



You can use the CSV Extended format with something like PyMISP, e.g., for each indicator type you want to bring in, run a scheduled job:

python3 /home/user/misp_api/get_csv.py -f /home/user/misp_logs/ip-dst.log -t "ip-dst" -l 1d -c

And then use a Chronicle Forwarder, NXLog, or other agent to ingest into Chronicle SIEM. This will work with the default MISP_IOC parser.

I wrote this enhanced version of the Ingestion Script (from the SIEM GitHub repo), which is a bit more involved to set up but is more flexible and extracts more fields:

https://github.com/goog-cmmartin/thatsiemguy/tree/main/misp

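As an added example (not the thread's get_csv.py and not code from the linked repo), here is what such a scheduled pull can look like with PyMISP: it builds the attribute search for one type and window, surfaces the two silent cases (a JSON error object, or a header-only export like the "0 events" above), and appends only not-yet-seen rows to the log the forwarder tails. It assumes the real pymisp package's PyMISP(url, key, ssl).search(return_format="csv", ...) call; SAMPLE_CSV is a constructed stand-in for MISP output.

```python
"""Scheduled MISP pull writing one CSV log per indicator type for a Chronicle
forwarder to tail. Added example, not the thread's get_csv.py; assumes the real
pymisp package's PyMISP(url, key, ssl).search(return_format="csv", ...).
SAMPLE_CSV is a constructed stand-in for MISP output, not real data."""
import csv, io, logging, os

log = logging.getLogger("misp_pull")
# Constructed sample of a MISP CSV attribute export (documentation addresses only).
SAMPLE_CSV = ("uuid,event_id,category,type,value,to_ids,date\n"
              "11111111-aaaa-4bbb-8ccc-000000000001,42,Network activity,ip-dst,198.51.100.7,1,2024-01-02\n"
              "11111111-aaaa-4bbb-8ccc-000000000002,42,Network activity,ip-dst,203.0.113.9,1,2024-01-02\n")

def build_search_params(attr_type: str, last: str) -> dict:
    """Attribute search for one type within a relative window such as '1d'."""
    return {"controller": "attributes", "type_attribute": attr_type,
            "publish_timestamp": last,   # mirrors -l 1d: published inside the window
            "to_ids": True,              # only indicators flagged for detection
            "return_format": "csv", "include_context": True}  # extended columns

def fetch_csv(client, attr_type: str, last: str) -> str:
    """Run the search; surface the two silent cases: an error object returned
    as JSON, and a well-formed but empty export (the thread's '0 events')."""
    body = client.search(**build_search_params(attr_type, last))
    if isinstance(body, dict):  # MISP reports errors as JSON even for CSV requests
        raise RuntimeError(f"MISP error: {body.get('errors', body)}")
    text = body if isinstance(body, str) else body.decode()
    if len(text.splitlines()) <= 1:  # header only: nothing published in the window
        log.warning("0 %s attributes in last %s; check API key, event "
                    "distribution and publish state", attr_type, last)
    return text

def append_new_rows(csv_text: str, log_path: str, seen: set) -> int:
    """Append rows whose uuid was not written earlier; returns the count. The
    header is written once so the forwarder never ingests it as an indicator."""
    reader = csv.DictReader(io.StringIO(csv_text))
    if not reader.fieldnames:
        return 0
    fresh = not os.path.exists(log_path) or os.path.getsize(log_path) == 0
    written = 0
    with open(log_path, "a", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=reader.fieldnames, lineterminator="\n")
        if fresh:
            writer.writeheader()
        for row in reader:
            uid = row.get("uuid") or row.get("value", "")
            if uid and uid not in seen:
                seen.add(uid)
                writer.writerow(row)
                written += 1
    return written
```

Run it from cron per indicator type with a persisted `seen` set (or an empty one if the job runs once per window), pointing the forwarder at the resulting log.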

Thank you @cmmartin_google, that was extremely helpful. It took a bit of hacking, but using your GitHub link I managed to get it working. Much appreciated 👍🏻

