MISP Plugin for Threat Exchange

This document explains how to configure the MISP plugin with the Threat Exchange module of the Netskope Cloud Exchange platform. The integration shares URLs and file hashes identified by either MISP or Netskope between the two platforms.

MISP is a threat intelligence platform for sharing, storing and correlating Indicators of Compromise from targeted attacks, threat intelligence, financial fraud information, vulnerability information and even counter-terrorism information.

This plugin fetches event attributes from MISP (Malware Information Sharing Platform) and extracts indicators of type SHA256, MD5, URL, Domain and IP (IPv4 and IPv6) from them. It can also share indicators of type SHA256, MD5, URL, Domain (Domain, FQDN and Hostname) and IP (IPv4 and IPv6) as attributes of MISP custom events. To get the details required for creating a new configuration, go to https://<misp-url>/events/automation.

Prerequisites

To complete this configuration, you need:

  • A Netskope tenant (or multiple, for example, production and development/test instances) that is already configured in Cloud Exchange.
  • A Secure Web Gateway subscription for URL sharing and a URL List.
  • A Netskope Threat Prevention subscription for malicious file hash sharing and a File Profile.
  • A Netskope Cloud Exchange tenant with the Threat Exchange module already configured.
  • A MISP Instance.
  • Connectivity to the following host: the MISP platform (https://<misp-URL>).

CE Version Compatibility

Netskope CE: v4.2.0 and v5.0.1

MISP Plugin Support

This plugin is used to fetch event attributes from MISP and extract indicators from them.

Fetched indicator types    MD5, SHA256, URL, Domain, IP (IPv4 and IPv6)
Shared indicator types     MD5, SHA256, URL, Domain (Domain, FQDN and Hostname), IP (IPv4 and IPv6)

Mappings

Pull Mapping

Netskope CE Fields     MISP API Response Fields
value                  value
type                   type
first_seen             first_seen
comment                Comment | Decaying Score: <DecayingModel.score>, Decaying Model ID: <DecayingModel.id>, Decaying Model Name: <DecayingModel.name>
tags                   Tag + MISPCATEGORY-<category>
extendedInformation    <Base URL>/events/view/<event_id>

Push Mapping

Netskope CE Fields     MISP API Request Fields
value                  value
type                   type
comment                comment
firstSeen              first_seen
lastSeen               last_seen
Tag                    netskope-ce
Permissions

Admin permissions are required to generate an Authentication Key.

API Details
List of APIs used

API Endpoint                 Method   Use Case
/events/restSearch           POST     Check event existence
/attributes/restSearch       POST     Pull attributes
/tags/search/<Tag name>      POST     Check tag existence
/tags/add                    POST     Create tag
/events/edit/<Event ID>      POST     Share indicators to existing event
/events/add                  POST     Share indicators to new event
Check Event Existence

API Endpoint: /events/restSearch
Method: POST
Headers:

Key Value
User-Agent netskope-ce-5.0.1-cte-misp-v1.4.0
Authorization API Key
Accept application/json
Content-Type application/json

Payload

Key Value
returnFormat json
limit 1
page 1
eventinfo <Event Name>
metadata true

Sample API Response:

{
  "response": [
    {
      "Event": {
        "id": "1517",
        "orgc_id": "1",
        "org_id": "1",
        "date": "2024-06-25",
        "threat_level_id": "4",
        "info": "new",
        "published": false,
        "uuid": "09502561-a07f-41e9-8359-59394878e47d",
        "attribute_count": "11",
        "analysis": "0",
        "timestamp": "1719493608",
        "distribution": "1",
        "proposal_email_lock": false,
        "locked": false,
        "publish_timestamp": "0",
        "sharing_group_id": "0",
        "disable_correlation": false,
        "extends_uuid": "",
        "protected": null,
        "event_creator_email": "admin@admin.test",
        "Org": {
          "id": "1",
          "name": "ORGNAME",
          "uuid": "45d545a3-859f-4645-9139-0d8fb8730f18",
          "local": true
        },
        "Orgc": {
          "id": "1",
          "name": "ORGNAME",
          "uuid": "45d545a3-859f-4645-9139-0d8fb8730f18",
          "local": true
        },
        "RelatedEvent": [
          {
            "Event": {
              "id": "1325",
              "date": "2024-07-05",
              "threat_level_id": "4",
              "info": "new5",
              "published": false,
              "uuid": "3508388f-b6a6-4be2-9b99-de05825cc304",
              "analysis": "0",
              "timestamp": "1720177270",
              "distribution": "1",
              "org_id": "1",
              "orgc_id": "1",
              "Org": {
                "id": "1",
                "name": "ORGNAME",
                "uuid": "45d545a3-859f-4645-9139-0d8fb8730f18"
              },
              "Orgc": {
                "id": "1",
                "name": "ORGNAME",
                "uuid": "45d545a3-859f-4645-9139-0d8fb8730f18"
              }
            }
          },
          {
            "Event": {
              "id": "1324",
              "date": "2024-07-02",
              "threat_level_id": "4",
              "info": "new4",
              "published": false,
              "uuid": "e8d24ff9-2955-4eb6-80f1-5f276fae2e42",
              "analysis": "0",
              "timestamp": "1720424260",
              "distribution": "1",
              "org_id": "1",
              "orgc_id": "1",
              "Org": {
                "id": "1",
                "name": "ORGNAME",
                "uuid": "45d545a3-859f-4645-9139-0d8fb8730f18"
              },
              "Orgc": {
                "id": "1",
                "name": "ORGNAME",
                "uuid": "45d545a3-859f-4645-9139-0d8fb8730f18"
              }
            }
          },
          {
            "Event": {
              "id": "1319",
              "date": "2024-06-27",
              "threat_level_id": "4",
              "info": "420test",
              "published": false,
              "uuid": "1e1f4455-8d0e-43dd-95ba-0fd4f7eb6abf",
              "analysis": "0",
              "timestamp": "1720418522",
              "distribution": "1",
              "org_id": "1",
              "orgc_id": "1",
              "Org": {
                "id": "1",
                "name": "ORGNAME",
                "uuid": "45d545a3-859f-4645-9139-0d8fb8730f18"
              },
              "Orgc": {
                "id": "1",
                "name": "ORGNAME",
                "uuid": "45d545a3-859f-4645-9139-0d8fb8730f18"
              }
            }
          },
          {
            "Event": {
              "id": "1315",
              "date": "2024-03-12",
              "threat_level_id": "4",
              "info": "test",
              "published": false,
              "uuid": "dceaa84e-156f-4a31-b0b2-a3ae0778d72a",
              "analysis": "0",
              "timestamp": "1720175425",
              "distribution": "1",
              "org_id": "1",
              "orgc_id": "1",
              "Org": {
                "id": "1",
                "name": "ORGNAME",
                "uuid": "45d545a3-859f-4645-9139-0d8fb8730f18"
              },
              "Orgc": {
                "id": "1",
                "name": "ORGNAME",
                "uuid": "45d545a3-859f-4645-9139-0d8fb8730f18"
              }
            }
          },
          {
            "Event": {
              "id": "1308",
              "date": "2015-01-01",
              "threat_level_id": "1",
              "info": "testevent",
              "published": false,
              "uuid": "0c3d5017-8edf-483b-a829-426bb2c56c92",
              "analysis": "0",
              "timestamp": "1699523309",
              "distribution": "0",
              "org_id": "1",
              "orgc_id": "1",
              "Org": {
                "id": "1",
                "name": "ORGNAME",
                "uuid": "45d545a3-859f-4645-9139-0d8fb8730f18"
              },
              "Orgc": {
                "id": "1",
                "name": "ORGNAME",
                "uuid": "45d545a3-859f-4645-9139-0d8fb8730f18"
              }
            }
          }
        ],
        "Galaxy": [],
        "CryptographicKey": [],
        "Tag": [
          {
            "id": "251",
            "name": "workflow:todo=\"create-missing-misp-galaxy-cluster\"",
            "colour": "#770040",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "local": 0,
            "relationship_type": null
          }
        ]
      }
    }
  ]
}
Pull Attributes

API Endpoint: /attributes/restSearch
Method: POST
Headers

Key Value
User-Agent netskope-ce-5.0.1-cte-misp-v1.4.0
Authorization API Key
Accept application/json
Content-Type application/json

Payload:

Key                      Value                                    Comment
returnFormat             json                                     The format to return data in, e.g. json, csv
limit                    1                                        Maximum records to return
page                     1                                        Page number
eventid                  <Event ID>                               Event ID
timestamp                [<Start Time>, <End Time>]               Restrict the results by the timestamp (last edit)
category                 [<Category Names>]                       Categories of attributes to pull
type                     ["md5", "sha256", "ip-src", "domain"]    Types of indicators to pull
tags                     ["!netskope-ce"]                         Include or exclude attributes with certain tags
includeDecayScore        1                                        If set to 1, decay score information is included for attributes that are affected by decaying
decayingModel            [1,2]                                    The decaying model(s) to use to calculate the decay score
excludeDecayed           1                                        Filter out all expired IoCs
modelOverrides.threshold 30                                       JSON that can be used to modify model parameters on the fly
published                1                                        Whether published or unpublished events should be returned; accepted values are 0 or 1
to_ids                   1                                        By default (0) all attributes matching the other filter parameters are returned, regardless of their to_ids setting
enforceWarninglist       1                                        Remove any attributes from the result that would cause a hit on a warninglist entry

Sample API Response:

{
  "response": {
    "Attribute": [
      {
        "id": "347224",
        "event_id": "1315",
        "object_id": "0",
        "object_relation": null,
        "category": "Network activity",
        "type": "ip-src",
        "to_ids": true,
        "uuid": "567ac850-6337-4266-a646-9317661f8974",
        "timestamp": "1719987636",
        "distribution": "5",
        "sharing_group_id": "0",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "first_seen": null,
        "last_seen": null,
        "value": "efd:2dbe:3d3:b9ac:71e1:fd4f:5d2:2de7",
        "decay_score": [
          {
            "score": 30.478404654276954,
            "base_score": 90,
            "decayed": false,
            "DecayingModel": {
              "id": "2",
              "name": "NIDS Simple Decaying Model Updated"
            }
          }
        ],
        "Event": {
          "org_id": "1",
          "distribution": "1",
          "id": "1315",
          "info": "test",
          "orgc_id": "1",
          "uuid": "dceaa84e-156f-4a31-b0b2-a3ae0778d72a"
        }
      }
    ]
  }
}
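The Pull Mapping table above describes how a fetched attribute becomes a Cloud Exchange indicator. The following is an added example, not the plugin's own code, that applies that mapping to the sample response above; the CE type identifiers (sha256, md5, url, domain, ipv4, ipv6), the base URL and the IP-version split are assumptions of the example.

```python
import ipaddress
import json

# Constructed sample: the single attribute from the /attributes/restSearch
# response shown above, trimmed to the fields the mapping uses.
SAMPLE_RESPONSE = json.loads("""
{
  "response": {
    "Attribute": [
      {
        "id": "347224",
        "event_id": "1315",
        "category": "Network activity",
        "type": "ip-src",
        "to_ids": true,
        "timestamp": "1719987636",
        "comment": "",
        "first_seen": null,
        "last_seen": null,
        "value": "efd:2dbe:3d3:b9ac:71e1:fd4f:5d2:2de7",
        "decay_score": [
          {
            "score": 30.478404654276954,
            "base_score": 90,
            "decayed": false,
            "DecayingModel": {"id": "2", "name": "NIDS Simple Decaying Model Updated"}
          }
        ]
      }
    ]
  }
}
""")

# Assumed Cloud Exchange type identifiers; the page lists the supported kinds
# (SHA256, MD5, URL, Domain, IP) but not the exact names.
MISP_TO_CE_TYPE = {
    "sha256": "sha256",
    "md5": "md5",
    "url": "url",
    "domain": "domain",
    "hostname": "domain",
}


def ce_type_for(attr):
    """Map a MISP attribute type to a CE type; IP attributes are split by IP version."""
    misp_type = attr["type"]
    if misp_type.startswith("ip-"):
        raw = attr["value"].split("|", 1)[0]   # "ip-src|port" values carry "addr|port"
        try:
            return "ipv6" if ipaddress.ip_address(raw).version == 6 else "ipv4"
        except ValueError:
            return None                         # not a parseable address: skip it
    return MISP_TO_CE_TYPE.get(misp_type)


def build_comment(attr):
    """Pull Mapping: '<comment> | Decaying Score: s, Decaying Model ID: i, Decaying Model Name: n'."""
    parts = [attr.get("comment") or ""]
    for entry in attr.get("decay_score", []):
        model = entry["DecayingModel"]
        parts.append(
            f"Decaying Score: {entry['score']}, Decaying Model ID: {model['id']}, "
            f"Decaying Model Name: {model['name']}"
        )
    return " | ".join(p for p in parts if p)   # no leading separator when comment is empty


def map_attribute(attr, base_url):
    """Convert one MISP attribute into the CE fields listed in the Pull Mapping."""
    ce_type = ce_type_for(attr)
    if ce_type is None:
        return None                             # unsupported attribute type: skipped
    tags = [t["name"] for t in attr.get("Tag", [])]
    tags.append(f"MISPCATEGORY-{attr['category']}")
    return {
        "value": attr["value"],
        "type": ce_type,
        "first_seen": attr.get("first_seen"),
        "comment": build_comment(attr),
        "tags": tags,
        "extendedInformation": f"{base_url.rstrip('/')}/events/view/{attr['event_id']}",
    }


def map_response(response, base_url):
    """Map every attribute in a restSearch response, dropping unsupported ones."""
    mapped = (map_attribute(a, base_url) for a in response["response"]["Attribute"])
    return [m for m in mapped if m is not None]


if __name__ == "__main__":
    for ioc in map_response(SAMPLE_RESPONSE, "https://misp.example.test"):
        print(json.dumps(ioc, indent=2))
```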
Check a Tag’s Existence on MISP

API Endpoint: /tags/search/<Tag name>
Method: POST
Headers:

Key Value
User-Agent netskope-ce-5.0.1-cte-misp-v1.4.0
Authorization API Key
Accept application/json
Content-Type application/json

Payload:

[]

Sample API Response:

[
  {
    "Tag": {
      "id": "1399",
      "name": "netskope-ce",
      "colour": "#ff0000",
      "exportable": true,
      "org_id": "0",
      "user_id": "0",
      "hide_tag": false,
      "numerical_value": null,
      "is_galaxy": false,
      "is_custom_galaxy": false,
      "local_only": false
    }
  }
]
Create a Tag on MISP

API Endpoint: /tags/add
Method: POST
Headers

Key Value
User-Agent netskope-ce-5.0.1-cte-misp-v1.4.0
Authorization API Key
Accept application/json
Content-Type application/json

Payload:

Key Value
name <Tag Name>
colour #ff0000

Sample API Response:

{
  "Tag": {
    "id": "1400",
    "name": "netskope-ce",
    "colour": "#ff0000",
    "exportable": true,
    "org_id": "0",
    "user_id": "0",
    "hide_tag": false,
    "numerical_value": null,
    "is_galaxy": false,
    "is_custom_galaxy": false,
    "local_only": false
  }
}
Share Indicators to an Existing Event (Update Event)

API Endpoint: /events/edit/<Event ID>
Method: POST
Headers

Key Value
User-Agent netskope-ce-5.0.1-cte-misp-v1.4.0
Authorization API Key
Accept application/json
Content-Type application/json

Payload

Key          Value                                                              Comment
type         sha256                                                             Indicator type
value        56af10adb647b1e675f3f486c7941fbf637ebd0c6632e86e6dc9879d2214441a   SHA256 value
comment      Test IoC.                                                          Comment on the IoC
first_seen   2024-07-05T09:48:51.585000                                         First Seen of the IoC
last_seen    2024-07-05T09:48:51.585000                                         Last Seen of the IoC
Tag.name     netskope-ce                                                        Tag attached to shared indicators

Sample Payload:

{
  "Attribute": [
    {
      "type": "sha256",
      "value": "56af10adb647b1e675f3f486c7941fbf637ebd0c6632e86e6dc9879d2214441a",
      "comment": "Test IoC.",
      "first_seen": "2024-07-05T09:48:51.585000",
      "last_seen": "2024-07-05T09:48:51.585000",
      "Tag": [
        {
          "name": "netskope-ce"
        }
      ]
    }
  ]
}

Sample API Response:

{
  "Event": {
    "id": "1317",
    "orgc_id": "1",
    "org_id": "1",
    "date": "2024-06-25",
    "threat_level_id": "4",
    "info": "new",
    "published": false,
    "uuid": "09502561-a07f-41e9-8359-59394878e47d",
    "attribute_count": "12",
    "analysis": "0",
    "timestamp": "1720443083",
    "distribution": "1",
    "proposal_email_lock": false,
    "locked": false,
    "publish_timestamp": "0",
    "sharing_group_id": "0",
    "disable_correlation": false,
    "extends_uuid": "",
    "protected": null,
    "event_creator_email": "admin@admin.test",
    "Org": {
      "id": "1",
      "name": "ORGNAME",
      "uuid": "45d545a3-859f-4645-9139-0d8fb8730f18",
      "local": true
    },
    "Orgc": {
      "id": "1",
      "name": "ORGNAME",
      "uuid": "45d545a3-859f-4645-9139-0d8fb8730f18",
      "local": true
    },
    "Attribute": [
      {
        "id": "1488555",
        "type": "sha256",
        "category": "Payload delivery",
        "to_ids": true,
        "uuid": "343b7c36-beb7-4197-945e-4b35c8179426",
        "event_id": "1317",
        "distribution": "5",
        "timestamp": "1720443083",
        "comment": "Test IoC.",
        "sharing_group_id": "0",
        "deleted": false,
        "disable_correlation": false,
        "object_id": "0",
        "object_relation": null,
        "first_seen": "2024-07-05T09:48:51.585000+00:00",
        "last_seen": "2024-07-05T09:48:51.585000+00:00",
        "value": "56af10adb647b1e675f3f486c7941fbf637ebd0c6632e86e6dc9879d2214441a",
        "Galaxy": [
          
        ],
        "ShadowAttribute": [
          
        ],
        "Tag": [
          {
            "id": "1399",
            "name": "netskope-ce",
            "colour": "#ff0000",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "local": 0,
            "relationship_type": null
          }
        ]
      }
    ],
    "ShadowAttribute": [
      
    ],
    "RelatedEvent": [
      {
        "Event": {
          "id": "1325",
          "date": "2024-07-05",
          "threat_level_id": "4",
          "info": "new5",
          "published": false,
          "uuid": "3508388f-b6a6-4be2-9b99-de05825cc304",
          "analysis": "0",
          "timestamp": "1720177270",
          "distribution": "1",
          "org_id": "1",
          "orgc_id": "1",
          "Org": {
            "id": "1",
            "name": "ORGNAME",
            "uuid": "45d545a3-859f-4645-9139-0d8fb8730f18"
          },
          "Orgc": {
            "id": "1",
            "name": "ORGNAME",
            "uuid": "45d545a3-859f-4645-9139-0d8fb8730f18"
          }
        }
      },
      {
        "Event": {
          "id": "1324",
          "date": "2024-07-02",
          "threat_level_id": "4",
          "info": "new4",
          "published": false,
          "uuid": "e8d24ff9-2955-4eb6-80f1-5f276fae2e42",
          "analysis": "0",
          "timestamp": "1720424260",
          "distribution": "1",
          "org_id": "1",
          "orgc_id": "1",
          "Org": {
            "id": "1",
            "name": "ORGNAME",
            "uuid": "45d545a3-859f-4645-9139-0d8fb8730f18"
          },
          "Orgc": {
            "id": "1",
            "name": "ORGNAME",
            "uuid": "45d545a3-859f-4645-9139-0d8fb8730f18"
          }
        }
      },
      {
        "Event": {
          "id": "1319",
          "date": "2024-06-27",
          "threat_level_id": "4",
          "info": "420test",
          "published": false,
          "uuid": "1e1f4455-8d0e-43dd-95ba-0fd4f7eb6abf",
          "analysis": "0",
          "timestamp": "1720418522",
          "distribution": "1",
          "org_id": "1",
          "orgc_id": "1",
          "Org": {
            "id": "1",
            "name": "ORGNAME",
            "uuid": "45d545a3-859f-4645-9139-0d8fb8730f18"
          },
          "Orgc": {
            "id": "1",
            "name": "ORGNAME",
            "uuid": "45d545a3-859f-4645-9139-0d8fb8730f18"
          }
        }
      },
      {
        "Event": {
          "id": "1315",
          "date": "2024-03-12",
          "threat_level_id": "4",
          "info": "test",
          "published": false,
          "uuid": "dceaa84e-156f-4a31-b0b2-a3ae0778d72a",
          "analysis": "0",
          "timestamp": "1720175425",
          "distribution": "1",
          "org_id": "1",
          "orgc_id": "1",
          "Org": {
            "id": "1",
            "name": "ORGNAME",
            "uuid": "45d545a3-859f-4645-9139-0d8fb8730f18"
          },
          "Orgc": {
            "id": "1",
            "name": "ORGNAME",
            "uuid": "45d545a3-859f-4645-9139-0d8fb8730f18"
          }
        }
      },
      {
        "Event": {
          "id": "1308",
          "date": "2015-01-01",
          "threat_level_id": "1",
          "info": "testevent",
          "published": false,
          "uuid": "0c3d5017-8edf-483b-a829-426bb2c56c92",
          "analysis": "0",
          "timestamp": "1699523309",
          "distribution": "0",
          "org_id": "1",
          "orgc_id": "1",
          "Org": {
            "id": "1",
            "name": "ORGNAME",
            "uuid": "45d545a3-859f-4645-9139-0d8fb8730f18"
          },
          "Orgc": {
            "id": "1",
            "name": "ORGNAME",
            "uuid": "45d545a3-859f-4645-9139-0d8fb8730f18"
          }
        }
      }
    ],
    "Galaxy": [
      
    ],
    "Object": [
      
    ],
    "EventReport": [
      
    ],
    "CryptographicKey": [
      
    ],
    "Tag": [
      {
        "id": "251",
        "name": "workflow:todo=\"create-missing-misp-galaxy-cluster\"",
        "colour": "#770040",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false,
        "local": 0,
        "relationship_type": null
      }
    ]
  }
}
Share Indicators to a New Event (Create Event)

API Endpoint: /events/add
Method: POST
Headers

Key Value
User-Agent netskope-ce-5.0.1-cte-misp-v1.4.0
Authorization API Key
Accept application/json
Content-Type application/json

Payload:

Key          Value                                                              Comment
type         sha256                                                             Indicator type
value        56af10adb647b1e675f3f486c7941fbf637ebd0c6632e86e6dc9879d2214441a   SHA256 value
comment      Test IoC.                                                          Comment on the IoC
first_seen   2024-07-05T09:48:51.585000                                         First Seen of the IoC
last_seen    2024-07-05T09:48:51.585000                                         Last Seen of the IoC
Tag.name     netskope-ce                                                        Tag attached to shared indicators

Sample Payload:

{
  "info": "test",
  "Attribute": [
    {
      "type": "sha256",
      "value": "56af10adb647b1e675f3f486c7941fbf637ebd0c6632e86e6dc9879d2214441a",
      "comment": "Test IoC.",
      "first_seen": "2024-07-05T09:48:51.585000",
      "last_seen": "2024-07-05T09:48:51.585000",
      "Tag": [
        {
          "name": "netskope-ce"
        }
      ]
    }
  ]
}

Sample API Response:

{
  "Tag": {
    "id": "1400",
    "name": "netskope-ce",
    "colour": "#ff0000",
    "exportable": true,
    "org_id": "0",
    "user_id": "0",
    "hide_tag": false,
    "numerical_value": null,
    "is_galaxy": false,
    "is_custom_galaxy": false,
    "local_only": false
  }
}
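The push flow above first checks whether the target event exists (/events/restSearch with eventinfo) and then either updates it (/events/edit/<Event ID>) or creates it (/events/add). The following is an added example, not the plugin's own code, that builds those requests from Cloud Exchange indicators using the Push Mapping; the CE indicator field names, the CE-to-MISP type mapping for IPs (ip-src) and the exact-name check on the existence response are assumptions of the example.

```python
import json

# Constructed sample: trimmed /events/restSearch responses for the existence
# check shown earlier (eventinfo "new" returned event 1517), and an empty one.
EXISTENCE_RESPONSE = {"response": [{"Event": {"id": "1517", "info": "new"}}]}
NO_MATCH_RESPONSE = {"response": []}

SHARED_TAG = "netskope-ce"   # attached on push so the IoC is not pulled back later

# Assumed CE -> MISP attribute type mapping; the page shows sha256 explicitly,
# the choice of ip-src for IP indicators is an assumption of this example.
CE_TO_MISP_TYPE = {
    "sha256": "sha256",
    "md5": "md5",
    "url": "url",
    "domain": "domain",
    "ipv4": "ip-src",
    "ipv6": "ip-src",
}


def resolve_event_id(existence_response, event_name):
    """Return the id of the event named event_name, or None if it does not exist.

    eventinfo is a search term, so the returned info is compared exactly with the
    configured name before its id is trusted (a defensive check assumed here).
    """
    for item in existence_response.get("response", []):
        event = item.get("Event", {})
        if event.get("info") == event_name:
            return event["id"]
    return None


def to_misp_attribute(ioc):
    """Push Mapping: one CE indicator -> one MISP attribute tagged netskope-ce."""
    misp_type = CE_TO_MISP_TYPE.get(ioc["type"])
    if misp_type is None:
        raise ValueError(f"unsupported indicator type: {ioc['type']}")
    return {
        "type": misp_type,
        "value": ioc["value"],
        "comment": ioc.get("comment", ""),
        "first_seen": ioc["firstSeen"],
        "last_seen": ioc["lastSeen"],
        "Tag": [{"name": SHARED_TAG}],
    }


def build_share_request(iocs, event_name, existence_response):
    """Pick /events/edit/<id> or /events/add and build the JSON body for it."""
    attributes = [to_misp_attribute(i) for i in iocs]
    event_id = resolve_event_id(existence_response, event_name)
    if event_id is not None:
        return f"/events/edit/{event_id}", {"Attribute": attributes}
    # new event: the event name becomes its "info", as in the sample payload above
    return "/events/add", {"info": event_name, "Attribute": attributes}


if __name__ == "__main__":
    sample = [{"type": "sha256", "comment": "Test IoC.",
               "value": "56af10adb647b1e675f3f486c7941fbf637ebd0c6632e86e6dc9879d2214441a",
               "firstSeen": "2024-07-05T09:48:51.585000",
               "lastSeen": "2024-07-05T09:48:51.585000"}]
    for resp in (EXISTENCE_RESPONSE, NO_MATCH_RESPONSE):
        endpoint, body = build_share_request(sample, "new", resp)
        print(endpoint, json.dumps(body))
```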
Performance Matrix

Here is the performance reading taken by pulling and sharing 100K indicators from/to MISP on a Large CE Stack with these specifications.

Stack details                          Size: Large, RAM: 32 GB, CPU: 16 Cores
Indicators fetched from MISP Platform  ~8.3K per minute
Indicators shared with MISP Platform   ~3.3K per minute
User Agent

netskope-ce-5.0.1-cte-misp-v1.4.0

Workflow

  1. Get your MISP URL and API key.
  2. Configure the MISP Plugin.
  3. Configure a business rule.
  4. Configure sharing between Netskope and MISP.
  5. Validate the MISP Plugin.


Get your MISP URL and API Key

Your MISP Instance URL and API key are needed to later configure the MISP plugin in Threat Exchange.

  1. Log in to your MISP Instance.
  2. Copy your MISP Instance URL.
  3. In the Home page left nav panel, click Automation.
  4. Click here in the sentence "You can view and manage your API keys under your profile, found here."
  5. Click Auth keys.
  6. Click Add authentication key.
  7. Your MISP API key will be shown. Copy the API key to configure the MISP plugin.

Configure the MISP Plugin

  1. Log in to Cloud Exchange and go to Settings > Plugins.
  2. Search for and select the CTE MISP plugin and click on the plugin box.
  3. Enter these parameters:
    • Configuration Name: Plugin configuration name.
    • Sync Interval: Interval to fetch data from this plugin source.
    • Aging Criteria: Expire indicators after a specific time.
    • Override Reputation: Set value to override reputation of indicators received from this configuration. Leave empty to keep default.
    • Enable SSL Validation: Enable or disable SSL certificate validation for the MISP connection.
    • Use System Proxy: Use system proxy configured in Settings.

  4. Click Next.
  5. Enter these parameters:
    • MISP Base URL: Base URL of the MISP instance (https://<misp-url>).
    • Authentication Key: API key generated from the MISP platform. The API key can be generated from the Administration > List Auth Keys page.
    • MISP attribute type: Select the MISP attribute types (SHA256, MD5, URL, DOMAIN, IP (IPv4 and IPv6)). Only indicators of the specified attribute types will be fetched. Keep empty to fetch indicators of all types. Multiple types are accepted.
    • MISP attribute Category: Select the MISP attribute categories. Only indicators from the specified attribute categories will be fetched. Keep empty to fetch indicators of all categories. Multiple categories are accepted.
    • MISP Attribute Tags: Enter comma-separated MISP attribute tags. Only indicators with the specified tags will be fetched. Keep empty to fetch indicators regardless of tags. Dynamic values are accepted.
    • Event Names: Leave Event Names blank to fetch indicators from all events, or enter comma-separated event names to fetch only the indicators that belong to those events. For now, leave it blank.
    • Exclude IoCs from Event: Enter the name of the event whose IoCs you want to exclude from being fetched.
    • IoC Event Type: Indicators will be pulled based on the selected event type. Published, Unpublished or both types of events can be selected. Keep empty to fetch from all event types.
    • Decaying Score Threshold: Only indicators with a decaying score greater than the provided value will be pulled. The value must be in the range 0 to 100.
    • Decaying Model IDs: Decaying scores of only the specified comma-separated decaying models will be tracked. Keep blank to fetch scores for all enabled decaying models that apply to the attribute type. Decaying model IDs can be found under Global Actions > List Decaying Models.
    • Filter on IDS Flag: Pull IoCs based on the selected IDS option. Indicators with the IDS flag enabled, disabled, or both can be selected. Keep empty to fetch all indicators.
    • Enforce Warning List IoCs: Select "Yes" to remove any IoC from the events that would cause a hit on a warninglist entry. Warninglists can be found under Input Filters > Warninglists.
    • Pulling Mechanism: Select a pulling mechanism.
      1. Incremental (Default): The plugin fetches data from the stored checkpoint, i.e. the plugin's last_run_at.
      2. Look Back: On every sync the plugin subtracts the Look Back value from the plugin run time and fetches from that point. For example, if the provided value is 72 hours, every sync fetches the last 72 hours of IoCs.
    • Look Back (in hours): Enter the Look Back (in hours) used to pull historical indicators on every sync. The default value is empty, and it is only used when "Look Back" is selected as the Pulling Mechanism.
    • The rest of this form can remain at its defaults.
  6. Click Save.

IoCs stored in Cloud Exchange will have the current date and time as Last_Seen rather than the MISP’s last seen.
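The parameters above, together with the /attributes/restSearch payload table earlier on this page, determine the body the plugin sends on each sync. The following is an added example, not the plugin's own code, that derives the timestamp window for the Incremental and Look Back mechanisms and builds that body; the configuration key names, the epoch-seconds timestamp format and the nested form of modelOverrides.threshold are assumptions of the example.

```python
from datetime import datetime, timedelta, timezone

SHARED_TAG = "netskope-ce"   # attached on push, excluded on pull so IoCs do not loop back

# Hypothetical plugin configuration: keys are named after the parameters described
# above, values are constructed for this example.
CONFIG = {
    "attribute_types": ["md5", "sha256", "ip-src", "domain"],
    "categories": ["Network activity", "Payload delivery"],
    "attribute_tags": ["tlp:amber"],
    "event_ids": ["1315"],            # resolved from Event Names via /events/restSearch
    "ioc_event_type": 1,              # 1 = published, 0 = unpublished, None = both
    "decaying_threshold": 30,
    "decaying_model_ids": [1, 2],
    "only_ids_enabled": True,         # to_ids=0 returns all attributes, so only 1 is sent
    "enforce_warninglist": True,
    "pulling_mechanism": "Look Back",
    "look_back_hours": 72,
}


def pull_window(mechanism, now, last_run_at=None, look_back_hours=None):
    """Return the (start, end) datetimes of the timestamp filter for this sync.

    Incremental starts at the stored checkpoint; Look Back rewinds a fixed number of
    hours from the run time on every sync, so attributes whose timestamp never changed
    (e.g. only their decay score moved) are fetched again.
    """
    if mechanism == "Incremental":
        if last_run_at is None:
            raise ValueError("Incremental pulling needs a stored checkpoint (last_run_at)")
        return last_run_at, now
    if mechanism == "Look Back":
        if not look_back_hours or look_back_hours <= 0:
            raise ValueError("Look Back pulling needs a positive Look Back (in hours)")
        return now - timedelta(hours=look_back_hours), now
    raise ValueError(f"unknown pulling mechanism: {mechanism}")


def build_restsearch_payload(cfg, start, end, page=1, limit=1000):
    """Translate the configuration into an /attributes/restSearch body."""
    threshold = cfg["decaying_threshold"]
    if not 0 <= threshold <= 100:
        raise ValueError("Decaying Score Threshold must be between 0 and 100")
    payload = {
        "returnFormat": "json",
        "limit": limit,
        "page": page,
        # epoch seconds for the timestamp (last edit) filter (assumed format)
        "timestamp": [str(int(start.timestamp())), str(int(end.timestamp()))],
        # never pull back what this plugin itself pushed
        "tags": [f"!{SHARED_TAG}"] + list(cfg["attribute_tags"]),
        "includeDecayScore": 1,
        "excludeDecayed": 1,
        # the table's dotted key modelOverrides.threshold, expressed as a nested object
        "modelOverrides": {"threshold": threshold},
        "enforceWarninglist": 1 if cfg["enforce_warninglist"] else 0,
    }
    optional = {
        "type": cfg["attribute_types"],
        "category": cfg["categories"],
        "eventid": cfg["event_ids"],
        "decayingModel": cfg["decaying_model_ids"],
    }
    payload.update({k: v for k, v in optional.items() if v})   # empty means no filter
    if cfg["ioc_event_type"] is not None:
        payload["published"] = cfg["ioc_event_type"]
    if cfg["only_ids_enabled"]:
        payload["to_ids"] = 1
    return payload


if __name__ == "__main__":
    import json
    now = datetime.now(timezone.utc)
    start, end = pull_window(CONFIG["pulling_mechanism"], now,
                             look_back_hours=CONFIG["look_back_hours"])
    print(json.dumps(build_restsearch_payload(CONFIG, start, end), indent=2))
```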

Configure a Threat Exchange Business Rule for MISP

A Business Rule is used to filter out the indicators that are to be shared. In order to share IOCs with MISP, create a business rule using the following steps:

  1. Go to Threat Exchange > Business Rules and click Create New Rule.
  2. Add the Rule name and select the fields for which you want to filter the IoCs.
  3. Click Save.

Add Threat Exchange Sharing for MISP

  1. Go to Threat Exchange > Sharing and click Add Sharing Configuration.
  2. Select the Source configuration (Source from which you want to share data to MISP), select a Business Rule, and select the Destination (MISP Plugin).
  3. Select the Target value Add to Event.
  4. Enter the Event Name as it appears in the MISP platform.
  5. Click Save.

Validate the MISP Plugin

Validate the Pull

In MISP, go to Event Actions > List Attributes. The indicators pulled from MISP are the attributes listed on this page.

Indicators stored in Cloud Exchange can be verified on the Threat Exchange > Threat IoCs page. Search for the MISP IoCs by filtering indicators on the Threat IoCs page with source name as Configured MISP Plugin.

Example: Add a query on the Threat IoCs page like: sources.source Is equal "CTE MISP" && type IN ("<IOC_TYPE>")

You can also verify the indicators pulled in Cloud Exchange from the Logs available on the Logging page.

CTE MISP [CTE MISP]: Successfully fetched 10 indicator(s) in page 1 from MISP. Total indicator(s) fetched - 10.
CTE MISP [CTE MISP]: Successfully fetched 10 indicator(s) in page 50 from MISP. Total indicator(s) fetched - 499.

Validate the Push

Shared IoCs to MISP can be verified from logs available on the Logging page of Cloud Exchange.

CTE MISP [CTE MISP]: Successfully pushed/update 5 indicator(s) and failed to push/update 0 indicator(s) to CTE MISP event event.
CTE MISP [CTE MISP]: Successfully updated 5 indicator(s) to MISP. Total indicator(s) sent: 5

IoCs shared on MISP can be verified from Event Actions > List Attributes. Click on the Event ID to view all the events.

While sharing IoCs to the MISP platform, the "netskope-ce" tag gets attached to the shared indicators so that they do not get pulled back into the Netskope CE platform.

Troubleshooting

Error while upgrading the plugin repository

If you receive an error like this while trying to upgrade the plugin, follow these steps.

  1. Click Skip.
  2. Go to Home > Threat Exchange > Plugins.
  3. Edit the plugin as it will be disabled due to an error while upgrading the plugin.
  4. Click Next.
  5. Scroll down to newly added params (Pulling Mechanism & Look Back), and select the method of pulling and provide Look Back as per the Pulling Mechanism selected.
  6. Click Save and then enable the plugin.

Unable to pull/push data to MISP Plugin

If you are not able to share IoCs from Netskope to MISP, it may be for this reason:
The Authentication Key of MISP could have either expired or been deleted from the MISP platform.
What to do:
Make sure that the MISP Authentication Key has not expired and has not been deleted from MISP. The Authentication Key and its details can be found under Administration > List Auth Keys.

Limitations

Decaying Score is not in sync with MISP for Incremental Pulling Mechanism

  • If the user is using the Incremental pulling mechanism, after an IoC is pulled from MISP along with its decaying score, the IoC will only be pulled again into Cloud Exchange if the timestamp for that indicator gets updated on MISP. Otherwise, the decaying score will remain as it was when initially pulled.
  • This is a limitation of the MISP platform: when updating the decaying score, the timestamp associated with the attribute is not updated. Cloud Exchange uses the timestamp fields from MISP attributes to capture only the updated indicators. Therefore, if the timestamp value is not updated, the IoC will never be pulled again into Cloud Exchange.
  • To address this, you can use the Look Back pulling mechanism to pull all the indicators based on the Look Back period specified in the configuration parameters for each pull.

Known Behaviors

Difference in response displayed on the UI in case “Decaying Model IDs field” is left empty and when all Model IDs are added.

  • If no Model IDs are provided in the Decaying Model IDs field, the decaying scores associated with the attribute will be fetched in Cloud Exchange. For example, if there are three models in the MISP instance and only one model is attached to the attribute, only the decaying score for that specific model will be fetched in Cloud Exchange.
  • However, if specific Model IDs are provided, whether or not they are associated with the attribute, the scores for all available models will be returned via the API. In the MISP UI, only the associated models will be shown.