ciscosecurity/tr-05-misp

•Updated 9 months ago

Image

3.9K

POST /health
- Verifies the Authorization Bearer JWT and decodes it to restore the original credentials.
- Authenticates to the underlying external service to check that the provided credentials are valid and the service is available at the moment.
POST /observe/observables
- Accepts a list of observables and filters out unsupported ones.
- Verifies the Authorization Bearer JWT and decodes it to restore the original credentials.
- Makes a series of requests to the underlying external service to query for some cyber threat intelligence data on each supported observable.
- Maps the fetched data into appropriate CTIM entities.
- Returns a list per each of the following CTIM entities (if any extracted):
  - Verdict,
  - Judgment,
  - Indicator,
  - Sighting,
  - Relationship.
POST /refer/observables
- Accepts a list of observables and filters out unsupported ones.
- Builds a search link per each supported observable to pivot back to the underlying external service and look up events with the observable there.
- Returns a list of those links.
POST /version
- Returns the current version of the application.

Each response from the MISP API for the supported observables generates the following CTIM entities:

Judgements are based on .threat_level_id of each event in response.
CTIM Disposition Name MISP threat_level_id
Malicious 1 (High)
Suspicious 2 (Medium)
Common 3 (Low)
Unknown 4 (Undefined)
Verdict is chosen from all of the Judgements on that observable. The highest priority Judgement becomes the active Verdict.
Indicators and Sightings are taken from each event in response.
Sightings are based on .date.
Indicators are based on .info.
The Sighting to Indicator Relationship is sighting-of.
The Judgement to Indicator Relationship is element-of.

docker pull ciscosecurity/tr-05-misp