Create and delete training alerts in TheHive

TheHive is a scalable, open source and free Security Incident Response Platform, which tightly integrates with MISP. It supports a feature that allows you to convert one or more alerts, for example alerts sent by security devices, to a security case (an investigation). The creation, and handling, of these alerts can be done via an API.

Creating, and then afterwards deleting, these alerts to showcase the features of TheHive during a training session can beRead more.

Report sightings from Kibana to MISP

A problem we all face when using threat intelligence data is getting rid of false positives in our data feeds. On the other hand, reporting of true positives is equally important as it allows to increase the level of trust in an indicator.

I published a post on the NVISO blog, “Report sightings from Kibana to MISP“, which provides a solution for this problem.

COVID-19 Blocklists

A lot of good initiatives popped up recently to combat malicious activity related to the Corona pandemic.

A MISP instance for tracking COVID-19 activity; A list of domains which provides legitimate COVID-19 services; The Slack channel of COVID19 Cyber Threat Coalition; The COVID-19 CTI League; Public MISP feed by DCSO; And a feed by 1984.sh; Threat reports by RiskIQ; A COVID-19 threat list by domaintools; The COVID-19 domain classifier by SANS; A MISP warning listRead more.

Integrating MISP and Cytomic Orion

Cytomic Orion is a solution for Threat Hunting & Incident Response, that speeds up the process of identification, investigation, containment, and remediation of cyber threats & insiders using Living-off-the-Land techniques to evade existing controls (Reduce the MTTD & MTTR). The Cytomic Orion API allows you to integrate it with other tools, one of those tools is MISP.

The integration with Cytomic Orion allows you to achieve two main goals :

Query the Cytomic Orion API,Read more.

Parse stored Windows Event logs with Security Onion

Security Onion is a free tool to monitor for suspicious activity in network events. I find it very easy to use, especially if you integrate the MISP threat data with the Bro -Zeek- intelligence framework. Besides investigating network events, you can also use it to analyze Windows Event logs, both from a live event stream and for analyzing stored Windows events.

Winlogbeat, part of Elastic, is the shipper that we will use to send theRead more.

Use Sysmon DNS data for incident response

Recent versions of Sysmon support the logging of DNS queries. This is done via event ID 22 in Applications and Services Log > Microsoft > Windows > Sysmon Operational.

To enable DNS logging, you need to include the section DnsQuery in your Sysmon configuration file. For example via

Note that enabling DNS queries can be noisy. It’s best to apply filtering as proposed by the SwiftOnSecurity sysmon config file and, additionally, filter out the commonlyRead more.

BelgoMISP Meeting 0x01 : Belgian MISP User Group Meeting

Interested in sharing your MISP usage experiences? How did you integrate MISP in your incident response workflow? Have anything to say about threat sharing in general?

There’s a BelgoMISP Meeting 0x01 for all Belgian MISP users. Submit your proposals via Github or contact us via Twitter.

Use PyMISP to track false positives and disable to_ids in MISP

Attributes in MISP have a boolean flag to_ids allowing you to indicate if an attribute should be used for detection or correlation actions. According to the MISP core format data standard, the to_ids flag represents whether the attribute is meant to be actionable. Actionable defined attributes that can be used in automated processes as a pattern for detection in Local or Network Intrusion Detection System, log analysis tools or even filtering mechanisms.

Unfortunately attributes markedRead more.

Docker image for PyMISP (and create MISP data statistical reports)

Installing PyMISP can sometimes be difficult because of a mixup between Python2 and Python3 libraries or problems with pip install. To solve this I created a PyMISP docker container that allows you to run the scripts in the example directory, without the need of installing PyMISP itself.

The Dockerfile is in the Github repository PyMISP-docker. The docker container is available via Docker Hub cudeso/pymisp.

In a previous post I covered how to create MISP dataRead more.

Feed honeypot data to MISP for blocklist and RPZ creation

I run a couple of honeypots which allow me to map some of the bad actors and scanners on the internet. The most popular honeypots are Dioanea, Cowrie (ssh, previously kippo) and Conpot (ICS). So far I’ve not really used this honeypot data that much for defensive purposes but a recent writeup on using ModSecurity and MISP gave me inspiration to transform this data into information that I can use as a defender.

The coreRead more.