ciscosecurity/tr-05-misp

By ciscosecurity

Updated 9 months ago


V 1.0.6

Improvements

  • Enabled certificate verification
  • Updated dependencies

V 1.0.5

Improvements

  • Remove traceback from logs in case of 404 error

V 1.0.4

Improvements

  • Add traceback to log file

V 1.0.3

Improvements

  • Remove unused endpoints

V 1.0.2

Improvements

  • Update dependencies management

V 1.0.1

Improvements

  • Alpine version update to 3.14
  • Python version update to 3.9
  • Update module_type.json.sample
  • Add Jenkinsfile

V 1.0.0

Implementation Details

Implemented Relay Endpoints
  • POST /health

    • Verifies the Authorization Bearer JWT and decodes it to restore the original credentials.
    • Authenticates to the underlying external service to check that the provided credentials are valid and the service is available at the moment.
  • POST /observe/observables

    • Accepts a list of observables and filters out unsupported ones.
    • Verifies the Authorization Bearer JWT and decodes it to restore the original credentials.
    • Makes a series of requests to the underlying external service to query for some cyber threat intelligence data on each supported observable.
    • Maps the fetched data into appropriate CTIM entities.
    • Returns a list for each of the following CTIM entities (if any were extracted):
      • Verdict,
      • Judgment,
      • Indicator,
      • Sighting,
      • Relationship.
  • POST /refer/observables

    • Accepts a list of observables and filters out unsupported ones.
    • Builds a search link for each supported observable to pivot back to the underlying external service and look up events containing that observable there.
    • Returns a list of those links.
  • POST /version

    • Returns the current version of the application.

Supported Types of Observables
  • ip
  • domain
  • hostname
  • url
  • sha1
  • sha256
  • md5

CTIM Mapping Specifics

Each response from the MISP API for the supported observables generates the following CTIM entities:

  • Judgements are based on the .threat_level_id of each event in the response:

    CTIM Disposition Name | MISP threat_level_id
    ----------------------|---------------------
    Malicious             | 1 (High)
    Suspicious            | 2 (Medium)
    Common                | 3 (Low)
    Unknown               | 4 (Undefined)
  • The Verdict is chosen from all of the Judgements on that observable: the highest-priority Judgement becomes the active Verdict.

  • Indicators and Sightings are taken from each event in the response.

  • Sightings are based on .date.

  • Indicators are based on .info.

  • The Sighting to Indicator Relationship is sighting-of.

  • The Judgement to Indicator Relationship is element-of.
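To make the mapping above concrete, here is an added illustration (not the project's own code): it takes a constructed MISP search result for one observable and builds simplified CTIM-style Judgement, Indicator, Sighting, Relationship and Verdict records following the rules listed above. It assumes Malicious > Suspicious > Common > Unknown as the Verdict priority order (the page does not spell it out) and uses the standard CTIM disposition codes; the entity shapes are simplified, not the exact CTIM schema.

```python
from typing import Dict, List

# Constructed sample of MISP search results for one observable (not real data).
SAMPLE_EVENTS = [
    {"Event": {"id": "101", "info": "Phishing campaign infrastructure",
               "date": "2021-05-01", "threat_level_id": "2"}},
    {"Event": {"id": "102", "info": "Known C2 node",
               "date": "2021-06-15", "threat_level_id": "1"}},
    {"Event": {"id": "103", "info": "Shared hosting IP",
               "date": "2021-07-03", "threat_level_id": "4"}},
]

# MISP threat_level_id -> (CTIM disposition name, CTIM disposition code).
THREAT_LEVEL_TO_DISPOSITION = {
    "1": ("Malicious", 2),
    "2": ("Suspicious", 3),
    "3": ("Common", 4),
    "4": ("Unknown", 5),
}
# Assumed priority order used to pick the active Verdict (highest first).
VERDICT_PRIORITY = ["Malicious", "Suspicious", "Common", "Unknown"]


def map_events(observable: Dict[str, str], events: List[dict]) -> Dict[str, list]:
    """Map MISP events for one observable into simplified CTIM-style entities."""
    out = {"judgements": [], "indicators": [], "sightings": [], "relationships": [], "verdicts": []}
    for item in events:
        ev = item["Event"]
        # Any threat_level_id outside 1-4 (or missing) is treated as Unknown.
        name, code = THREAT_LEVEL_TO_DISPOSITION.get(str(ev.get("threat_level_id")), ("Unknown", 5))
        judgement_id, indicator_id, sighting_id = (
            f"transient:judgement-{ev['id']}", f"transient:indicator-{ev['id']}",
            f"transient:sighting-{ev['id']}")
        out["judgements"].append({"id": judgement_id, "observable": observable,
                                  "disposition": code, "disposition_name": name})
        out["indicators"].append({"id": indicator_id, "title": ev["info"]})   # from .info
        out["sightings"].append({"id": sighting_id, "observables": [observable],
                                 "observed_time": {"start_time": ev["date"]}})  # from .date
        out["relationships"].append({"source_ref": sighting_id, "target_ref": indicator_id,
                                     "relationship_type": "sighting-of"})
        out["relationships"].append({"source_ref": judgement_id, "target_ref": indicator_id,
                                     "relationship_type": "element-of"})
    if out["judgements"]:
        # The highest-priority Judgement becomes the active Verdict.
        best = min(out["judgements"], key=lambda j: VERDICT_PRIORITY.index(j["disposition_name"]))
        out["verdicts"].append({"observable": observable, "disposition": best["disposition"],
                                "disposition_name": best["disposition_name"], "judgement_id": best["id"]})
    return out


if __name__ == "__main__":
    print(map_events({"type": "ip", "value": "203.0.113.5"}, SAMPLE_EVENTS)["verdicts"])
```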

Docker Pull Command

docker pull ciscosecurity/tr-05-misp