apiosintDS MISP Module
apiosintDS is included as enrichment module in the official MISP-Modules repository. This guide assume you have your MISP instance up and running with MISP Modules correctly initializated.
The module has been specially designed for people and organizations don’t want to subscribe the DigitalSide Threat-Intel MISP Feed and prefer to query it as an on demand service.
Warning
If DigitalSide Threat-Intel MISP Feed is enabled and regulary fetched by your MISP instance, don’t use this plugin. All information retrivable by the plugin are just included in your MISP events dataset. The MISP correlation engine should be used instead.
Input / Output
- Module type
MISP module type.
- Module-type:
['hover', 'expansion']
- Input
The module runs against the following MISP attributes type.
- Input-attributes:
["domain", "domain|ip", "hostname", "ip-dst", "ip-src", "ip-dst|port", "ip-src|port"]["url", "md5", "sha1", "sha256", "filename|md5", "filename|sha1", "filename|sha256"]
- Output
The module returns the following MISP attributes type.
- Output-attributes:
["domain", "ip-dst", "url", "comment", "md5", "sha1", "sha256", "link", "text"]
Configuration
Go to your MISP web interface and login with a user account able to edit plugins configuration. Once logged in go to Administration >> Server Settings & Maintenance >> Plugin and select the Enrichment tab. Put in the search input filter apiosintds in order to show only the needed configuration settings.
- Plugin.Enrichment_apiosintds_enabled
MISP internal configuration to enable or disable the module.
- Type:
boolean
- Default:
false
Note
To enable the plugint configure the valute to
true.
- Plugin.Enrichment_apiosintds_restrict
Restrict the plugin use to a single organization.
- Type:
enum
- Default:
No organization selected- Allowed:
ORG in the given MISP instance
- Plugin.Enrichment_apiosintds_STIX2_details
Dowload and parse additional information from online STIX report.
- Type:
enum
- Default:
no- Allowed:
[yes|no]
Note
STIX2 reports may be not available due to data retention policy.
Parse and include in the results related items.
- Type:
enum
- Default:
no- Allowed:
[yes|no]
Note
Is strongly reccommended to configure it to
yesto obtain best results.
- Plugin.Enrichment_apiosintds_cache
Enable cache mode. Downloaded lists will be stored and won’t be downloaded untile the cache timeout is reached.
- Type:
enum
- Default:
no- Allowed:
[yes|no]
- Plugin.Enrichment_apiosintds_cache_directory
The cache directory where the script check for cached list files and where them will be stored on cache cache creation or update.
- Type:
string
- Default:
None- Example:
/path/to/cachedir
Note
Read and write permissions are required for the system user running the MISP instance (depends on your installation configuration, should be one between
www-data,misp,apache, others…)
- Plugin.Enrichment_apiosintds_cache_timeout_h
Define the cache timeout in hours.
- Type:
integer
- Default:
4
Note
0is allowed but means no timeout. Default value is4hours. This option needs to be used in combination withapiosintds_cacheoption configured to True.
- Plugin.Enrichment_apiosintds_local_directory
Absolute path to the ‘Threat-Intel’ directory related to a local project clone. Searches are performed against local data.
- Type:
string
- Default:
Empty- Example:
/path/to/git/clone/Threat-Intel/
Note
Before using this option, clone the GitHub project in a file system where the library has read permissions. Don’t forget to use –depth=1 and –branch=master options if you don’t want to download all project commits.
Make sure the system user running the MISP instance has read permissions on the directory.
$ cd /path/to/git/clone/ $ git clone --depth=1 --branch=master https://github.com/davidonzo/Threat-Intel.git $ chown -R $MISP_SYSTEM_USER:$MISP_SYSTEM_GROUP Threat-Intel
When this option is in use, all cache related options are ignored. To update data in your local repository destroy the existing data and clone it again.
$ cd /path/to/git/clone/ $ rm -rf Threat-Intel/ $ git clone --depth=1 --branch=master https://github.com/davidonzo/Threat-Intel.git $ chown -R $MISP_SYSTEM_USER:$MISP_SYSTEM_GROUP Threat-Intel
Usage: hover
Using the module as hover plugin retrived data will be displayed as follow.
Usage: enrichment
Using the module as enrichment plugin retrived data will be imported as follow.
