topic Re: Using MineMeld with MISP in Automation/API Discussions

Using MineMeld with MISP

vhgambit — Thu, 13 Sep 2018 03:25:12 GMT

How can I pull the IOCs from MISP to MinMeld Plattform ?

Exist any extension to get the IOCs from MISP ?

Re: Using MineMeld with MISP

TiagoSantos84 — Thu, 24 Jan 2019 17:59:17 GMT

@vhgambit

Hi there,

try:

in SYSTEM > EXTENSIONS install the extension using git button (https://github.com/PaloAltoNetworks/minemeld-misp.git)

more details in: https://github.com/PaloAltoNetworks/minemeld-misp

Re: Using MineMeld with MISP

vhgambit — Fri, 22 Mar 2019 19:39:22 GMT

Excellent, Tks a Lot

@TiagoSantos84 wrote:
@vhgambit

Hi there,

try:
in SYSTEM > EXTENSIONS install the extension using git button (https://github.com/PaloAltoNetworks/minemeld-misp.git)

more details in: https://github.com/PaloAltoNetworks/minemeld-misp

Re: Using MineMeld with MISP

slp-security — Wed, 16 Oct 2019 14:14:48 GMT

Hello,

I'm trying to integrate Minemeld with MISP.

I followed https://github.com/PaloAltoNetworks/minemeld-misp

Which URL of MISP (public) do I need to provide on the Prototype parameter ?

Regards,

Re: Using MineMeld with MISP

TiagoSantos84 — Wed, 16 Oct 2019 14:34:13 GMT

Hi @slp-security ,

I don't know if I understand your question, but you need to use your MISP url.

Prototype parameters
# source name, to identify the origin of the indicators inside MineMeld
source_name: misp.test
# URL of MISP
url: https://misp.example.co

Please be more specific.

Kind regards,

Tiago

Re: Using MineMeld with MISP

slp-security — Thu, 17 Oct 2019 07:07:43 GMT

Hi,

First, thanks for your help.

OK I solved the issue.

The API key was not correct...

Regards,

Re: Using MineMeld with MISP

papham — Tue, 23 Jun 2020 19:44:21 GMT

Have you ever had this issue ?

- i clone this prototype as a new node : misp.anyEvent

- added the url and the API key from the GUI

Do i missed something ?

Re: Using MineMeld with MISP

TiagoSantos84 — Tue, 23 Jun 2020 20:25:13 GMT

Hi @papham,

Try to confirm your auth key..

Certificates installed on misp? Do you have a self signed certificate?

But it should be straight forward.

Kind Regards.

Re: Using MineMeld with MISP

Tony101 — Tue, 07 Jul 2020 09:15:18 GMT

My MISP miner seems to work OK, i'm using the IDS check box as the filter to block IoC's - How do I unblock an IoC, is it as simple as unchecking the IDS box in MISP, will that update the EDL?

Re: Using MineMeld with MISP

TiagoSantos84 — Tue, 07 Jul 2020 10:17:10 GMT

Hi @Tony101

It really depends on how the receiver deal with data. There is some platforms that will update the list of IoCs after some amount of time. On the other hand you can try to disable IDS flag on the MISP and delete the IoC on the destination that already receive the IoC as black list.

However, you just need to remove IDS flag if you don't have the enforcewarninglist flag active on the query and if you don't have any warninglist feed active.

Please take a look on this:

https://github.com/MISP/misp-warninglists

like this example (credits from Dev Team MISP):

https://your.misp/attributes/restSearch/returnFormat:suricata/publish_timestamp:15d/enforceWarninglist:1

Hope that you can manage it. It's really hard to deal with false positives!

Re: Using MineMeld with MISP

Tony101 — Fri, 23 Oct 2020 14:19:51 GMT

Hi thanks for the previous answer, it was really helpful.. I have another question re the output FEED BASE URL:

appending ?v=mwg&t=regex to the feed base url gives me the format i require e.g..

type=regex
"hxxp://badsite[.]biz/malware.html" "comment"

But what i really want to achieve is an * wildcard at the end of the string e.g.

"hxxp://badsite[.]biz/malware.html*" "comment"

Any ideas if this is do-able?

Re: Using MineMeld with MISP

Negin-Amou — Tue, 17 Nov 2020 17:51:30 GMT

we have recently installed MineMeld on our Linux server and after adding the MISP extension on MineMeld, I don't understand what it means by add your MISP URL. Is this URL found from MISP website or is it a URL we get after installing MISP. Between we haven't installed MISP as well. Is it required for the miner to work ?

Another question I have is regarding the dynamic lists on MISP website. Do we add them with MISP miner or regular miners can pull them too?

I'm very new to MineMeld and I don't quite understand how to configure nodes. So I would appreciate if you could provide me a sample of a configuration for MISP feeds.

Re: Using MineMeld with MISP

TiagoSantos84 — Tue, 17 Nov 2020 18:17:25 GMT

Hi,

MISP url is the address of you MISP instance. So you need to install it, create a sync user and put the key of that user in the miner.

Please follow the links provided in previous posts.

Kind regards,

Tiago

Re: Using MineMeld with MISP

MScoppettuolo — Fri, 20 Aug 2021 15:57:22 GMT

Hi guys, but

source name, to identify the origin of the indicators inside MineMeld

Source name is generic? Can i choose every name?