Using MineMeld with MISP
Using MineMeld with MISP

L1 Bithead

How can I pull the IOCs from MISP into the MineMeld platform?

Does any extension exist to get the IOCs from MISP?

12 REPLIES

L1 Bithead

@vhgambit

 

Hi there,

 

Try this:

In SYSTEM > EXTENSIONS, install the extension using the git button (https://github.com/PaloAltoNetworks/minemeld-misp.git).

More details at: https://github.com/PaloAltoNetworks/minemeld-misp

Excellent, thanks a lot.


@TiagoSantos84 wrote:

@vhgambit

 

Hi there,

 

Try this:

In SYSTEM > EXTENSIONS, install the extension using the git button (https://github.com/PaloAltoNetworks/minemeld-misp.git).

More details at: https://github.com/PaloAltoNetworks/minemeld-misp


 

Hello,

 

I'm trying to integrate MineMeld with MISP.

I followed https://github.com/PaloAltoNetworks/minemeld-misp

Which (public) MISP URL do I need to provide in the Prototype parameter?

 

Regards,

 

HA

Hi @slp-security ,

 

I don't know if I understand your question, but you need to use your MISP URL.

Prototype parameters:

    # source name, to identify the origin of the indicators inside MineMeld
    source_name: misp.test
    # URL of MISP
    url: https://misp.example.co

Please be more specific.

 

Kind regards,

Tiago

Hi,

 

First, thanks for your help.

OK I solved the issue.

The API key was not correct...

 

Regards,

 

HA

 

 

Have you ever had this issue?

- I cloned this prototype as a new node: misp.anyEvent

- added the URL and the API key from the GUI

Did I miss something?

 

[attached screenshot: papham_1-1592941077366.png]

 

[attached screenshot: papham_2-1592941210161.png]


Hi @papham,

 

Try to confirm your auth key.

Are certificates installed on MISP? Do you have a self-signed certificate?

But it should be straightforward.

 

Kind Regards.

L0 Member

My MISP miner seems to work OK. I'm using the IDS check box as the filter to block IoCs. How do I unblock an IoC? Is it as simple as unchecking the IDS box in MISP, and will that update the EDL?

Hi @Tony101 

 

It really depends on how the receiver deals with the data. Some platforms will update the list of IoCs after some amount of time. On the other hand, you can try to disable the IDS flag on the MISP and delete the IoC on the destination that has already received it as a blacklist entry.

However, you just need to remove the IDS flag if you don't have the enforceWarninglist flag active on the query and if you don't have any warninglist feed active.

Please take a look at this:

Hope that you can manage it. It's really hard to deal with false positives!
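To make the IDS-flag behaviour discussed above concrete, here is an added example that is not code from the minemeld-misp extension or from anyone in this thread. It shows the shape of a MISP `/attributes/restSearch` query that asks only for attributes flagged for IDS (with `enforceWarninglist` set, as Tiago mentions), and a parser that turns a response into per-type indicator lists, the way a miner feeding an EDL would. The mapping from MISP attribute types to MineMeld indicator types and the sample response are assumptions constructed for this example; an attribute whose IDS flag has been cleared drops out of the list on the next poll, which is why unchecking the box in MISP only takes effect after the consumer refreshes.

```python
import json
import urllib.request
from typing import Any, Dict, Iterable, List, Set

# Assumed mapping from MISP attribute types to indicator types as MineMeld
# names them; only the types this example needs are listed.
MISP_TO_MINEMELD_TYPE = {
    "ip-dst": "IPv4",
    "ip-src": "IPv4",
    "domain": "domain",
    "hostname": "domain",
    "url": "URL",
}


def build_restsearch_body(types: Iterable[str],
                          enforce_warninglist: bool = True,
                          last: str = "1d") -> Dict[str, Any]:
    """Request body for POST /attributes/restSearch.

    to_ids=1 restricts the result to attributes with the IDS box checked;
    enforceWarninglist drops values that match an enabled MISP warninglist
    (e.g. well-known benign infrastructure), which cuts false positives.
    """
    return {
        "returnFormat": "json",
        "to_ids": 1,
        "enforceWarninglist": enforce_warninglist,
        "type": list(types),
        "last": last,
    }


def fetch_attributes(misp_url: str, api_key: str,
                     body: Dict[str, Any], timeout: int = 30) -> Dict[str, Any]:
    """Query MISP. The auth key goes in the Authorization header; a wrong key
    yields HTTP 403 (the symptom reported earlier in this thread). TLS is
    verified with the default context, so a self-signed MISP certificate must
    be trusted by the host running the miner."""
    req = urllib.request.Request(
        misp_url.rstrip("/") + "/attributes/restSearch",
        data=json.dumps(body).encode("utf-8"),
        headers={"Authorization": api_key,
                 "Accept": "application/json",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def extract_indicators(response: Dict[str, Any],
                       type_map: Dict[str, str] = MISP_TO_MINEMELD_TYPE
                       ) -> Dict[str, Set[str]]:
    """Group attribute values by indicator type.

    The server already filters on to_ids when the query asks for it; the
    client-side check is a defensive re-check so a response that includes a
    cleared-flag attribute never reaches the block list.
    """
    out: Dict[str, Set[str]] = {}
    for attr in response.get("response", {}).get("Attribute", []):
        if not attr.get("to_ids"):
            continue  # IDS box unchecked in MISP: not for blocking
        mm_type = type_map.get(attr.get("type", ""))
        if mm_type is None:
            continue  # type not exportable to this EDL (e.g. file hashes)
        out.setdefault(mm_type, set()).add(attr["value"])
    return out


def render_edl(indicators: Dict[str, Set[str]], indicator_type: str) -> List[str]:
    """One indicator per line, sorted, as an EDL consumer expects."""
    return sorted(indicators.get(indicator_type, set()))


# Constructed sample response (not real MISP data): attribute 3 has had its
# IDS flag cleared, attribute 4 is a hash type the EDL does not carry.
SAMPLE_RESPONSE = {
    "response": {"Attribute": [
        {"id": "1", "event_id": "42", "type": "ip-dst",
         "value": "192.0.2.10", "to_ids": True},
        {"id": "2", "event_id": "42", "type": "domain",
         "value": "bad.example.invalid", "to_ids": True},
        {"id": "3", "event_id": "43", "type": "ip-dst",
         "value": "198.51.100.7", "to_ids": False},
        {"id": "4", "event_id": "43", "type": "md5",
         "value": "d41d8cd98f00b204e9800998ecf8427e", "to_ids": True},
    ]}
}

if __name__ == "__main__":
    print(json.dumps(build_restsearch_body(["ip-dst", "domain"]), indent=2))
    found = extract_indicators(SAMPLE_RESPONSE)
    for line in render_edl(found, "IPv4") + render_edl(found, "domain"):
        print(line)
```

Run against a live instance by calling `fetch_attributes(url, key, build_restsearch_body([...]))` in place of `SAMPLE_RESPONSE`; with the sample data only `192.0.2.10` and `bad.example.invalid` reach the list.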
