Current state of the MISP playbooks

I published an overview of the current state of the MISP playbooks, covering the work that has been done in 2023 and the features you can expect in 2024.

Activity 4: MISP workflow integration, Elasticsearch, MDTI and support for curation Activity 5: Timesketch, conversions with CACAO and Microsoft Sentinel Activity 6: Scheduled playbooks, timelines,

Read the full details at the MISP project website at https://www.misp-project.org/2023/12/08/current-state-MISP-playbooks.html/

MISP playbook: Malware triage

I shared the MISP playbook for malware triage that I regularly use for a first assessment on new samples. It uses MISP, VirusTotal, MalwareBazaar, Hashlookupand pefile. It then uploads the samples to MWDB and alerts to Mattermost.

The MISP playbook on malware triage is one of many playbooks that address common use-cases encountered by SOCs, CSIRTs or CTI teams to detect, react and analyse specific intelligence received by MISP.

MISP to Microsoft Sentinel integration with Upload Indicators API

The MISP2Sentinel integration allows you to sync indicators from MISP to Microsoft Sentinel. The old integration relied on the Microsoft Graph API. Microsoft prefers new integrations to rely on the Upload Indicators API. The new MISP to Microsoft (previously Azure) Sentinel or misp2sentinel does just that, it

Supports integration with the old Graph API, but also It supports the new, and preferred, Upload Indicators API.

Read the installation and configuration documentation at https://github.com/cudeso/misp2sentinel forRead more.

MISP to Sentinel integration

I published a blog article on the MISP project website on how to do the MISP to Azure / Sentinel integration. This integration allows you to upload indicators from MISP to Microsoft Sentinel. It relies on PyMISP to get indicators from MISP and an Azure App and Threat Intelligence Data Connector in Azure.

Read the full article at MISP project website : MISP to Sentinel integration.

The integration is available via GitHub at https://github.com/cudeso/misp2sentinel

ThisRead more.

Include threat information from MISP in Zeek network visibility

Zeek (formerly Bro) is a free and open-source software network analysis framework. It gives insights on DNS queries, HTTP and TLS information and details on transmitted files. I find Zeek one of the best network monitoring tools available to provide detailed visibility on network traffic.

Zeek has a built-in intelligence framework. This framework allows you to add information received via MISP directly into the network visibility capabilities of Zeek. This includes

Visits to URLs orRead more.

CTI-Summit 2022 Luxembourg Presentations

The first edition of the Cyber Threat Intelligence Summit took place in Luxembourg in October 2022. I did two presentations:

One presentation on MISP web scraper, a tool to create MISP events and reports from scraped websites; and one presentation on building CTI Operational Procedures with Jupyter Notebooks and PyMISP.

The slides and recording are available on GitHub and Youtube.

Slides: https://github.com/cudeso/misp-tip-of-the-week/tree/main/CTIS-2022; Recording of CTI Operational Procedures with Jupyter Notebooks and PyMISP; Recording of MISPRead more.

MISP web scraper

I published an article on the MISP project website on the MISP web scraper.

There are a lot of websites that regularly publish reports on new threats, campaigns or actors with useful indicators, references and context information. Unfortunately only a few publish information in an easily accessible and structured format, such as a MISP-feed. As a result, we often find ourself manually scraping these sites, and then copy-pasting this information in new MISP events. TheseRead more.

Analysing Amazon AWS security groups and access control lists

Analysing firewall rules in AWS can be complex. There are Security Groups (SG) as well as Access Control Lists (ACL). Security groups are applied on instances and are the first layer of defense, whereas access control lists are applied on network components (subnets) and are a second layer of defense. A major difference is that SGs are stateful, whereas ACLs are stateless. From a filtering perspective there is also a difference. In security groups allRead more.

MISP sharing groups demonstration video

Sharing groups in MISP are a more granular way to create re-usable distribution lists for events/attributes that allow users to include organisations from their own instance (local organisations) as well as organisations from directly, or indirectly connected instances (external organisations).

For a possible future project I had to document if sharing groups are an answer for a sort of multi-tenancy for sharing threat events within MISP.

Sharing groups certainly provide an answer, as long asRead more.

Integrate DFIR-IRIS, MISP and TimeSketch

I published a set of scripts that I use to integrate

Threat events and indicators stored in MISP; CSIRT case handling data such as events, IOCs, timelines, assets and evidences in DFIR-IRIS; Analysis events on PCAP and EVTX files in TimeSketch.

The Python scripts tie everything together between MISP, IRIS and TimeSketch. The scripts and example usage, with screenshots, are published in a Github repository: https://github.com/cudeso/dfir-iris-misp-timesketch.

The scripts make it possible to document threatRead more.