Edit the file /opt/thehive/conf/application.conf and enable the MISP section by uncommenting (deleting the #) the following lines and adding some configuration information.
If TheHive fails to start, recheck every change you made to the application.conf file; you may have mistyped something.
If everything is working fine, you will see this icon in the lower right corner of TheHive web console:
--- extract from /opt/thehive/conf/application.conf ---
# MISP
# TheHive can connect to one or multiple MISP instances. Give each MISP
# instance a name and specify the associated Authkey that must be used
# to poll events, the case template that should be used by default when
# importing events as well as the tags that must be added to cases upon
# import.
# Prior to configuring the integration with a MISP instance, you must
# enable the MISP connector. This will allow you to import events to
# and/or export cases to the MISP instance(s).
play.modules.enabled += connectors.misp.MispConnector
misp {
  # Interval between consecutive MISP event imports in hours (h) or
  # minutes (m).
  interval = 5m
  "MISP-SERVER-ID" {
    # # MISP connection configuration requires at least an url and a key. The key must
    # # be linked with a sync account on MISP.
    url = "https://your-misp-server-url/"
    key = "MISP-SYNC-USER-KEY"
    #
    # # Name of the case template in TheHive that shall be used to import
    # # MISP events as cases by default.
    # caseTemplate = "<Template_Name_goes_here>"
    #
    # # Optional tags to add to each observable imported from an event
    # # available on this instance.
    # tags = ["misp-server-id"]
    #
    # ## MISP event filters
    # # MISP filters is used to exclude events from the import.
    # # Filter criteria are:
    # # The number of attribute
    # max-attributes = 1000
    # # The size of its JSON representation
    # max-size = 1 MiB
    # # The age of the last publish date
    # max-age = 7 days
    # # Organization and tags
    # exclusion {
    #   organisation = ["bad organisation", "other organisations"]
    #   tags = ["tag1", "tag2"]
    # }
    #
    # ## HTTP client configuration (SSL and proxy)
    # # Truststore to use to validate the X.509 certificate of the MISP
    # # instance if the default truststore is not sufficient.
    # # Proxy can also be used
    # ws {
    #   ssl.trustManager.stores = [ {
    #     path = /path/to/truststore.jks
    #   } ]
    #   proxy {
    #     host = proxy.mydomain.org
    #     port = 3128
    #   }
    # }
    #
    # # MISP purpose defines if this instance can be used to import events (ImportOnly), export cases (ExportOnly) or both (ImportAndExport)
    # # Default is ImportAndExport
    # purpose = ImportAndExport
  } ## <-- Uncomment to complete the configuration
}
Now you can see MISP alerts in TheHive, and you can create cases from MISP events or merge MISP events into TheHive cases.
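To catch the typing mistakes mentioned above before restarting TheHive, the following script is an added example (not part of the original post or of TheHive itself). It checks the uncommented lines of application.conf for typographic quotes, unbalanced quotes or braces, a url that is not https, placeholder values left in place and a missing MispConnector line; the function names, the instance name MISP-PROD and the hostname in the sample are assumptions.

```python
import re
import sys

CURLY = "\u201c\u201d"      # typographic double quotes picked up when copying from a web page
PLACEHOLDERS = ("MISP-SERVER-ID", "MISP-SYNC-USER-KEY", "your-misp-server-url")
CONNECTOR = "play.modules.enabled += connectors.misp.MispConnector"

# Constructed sample: a misp block pasted with typographic quotes and a missing brace.
SAMPLE = """play.modules.enabled += connectors.misp.MispConnector
misp {
  interval = 5m
  \u201cMISP-PROD\u201d {
    url = "http://misp.example.org/"
    key = "MISP-SYNC-USER-KEY"
  }
"""

def active(line):
    """Drop a trailing # comment, ignoring any # inside a double-quoted string."""
    return re.sub(r'^((?:[^"#]|"[^"]*")*)#.*', r"\1", line).strip()

def lint_misp_conf(text):
    """Return 'line N: problem' strings for the uncommented lines of the config."""
    issues, depth, connector = [], 0, False
    for n, raw in enumerate(text.splitlines(), 1):
        line = active(raw)
        if any(c in line for c in CURLY):
            issues.append(f"line {n}: typographic quote, retype it as a straight quote")
            line = line.translate(str.maketrans(CURLY, '""'))
        if line.count('"') % 2:
            issues.append(f"line {n}: unbalanced double quote")
        connector = connector or " ".join(line.split()) == CONNECTOR
        m = re.match(r'url\s*=\s*"?([^"]*)', line)
        if m and not m.group(1).startswith("https://"):
            issues.append(f"line {n}: url is not https, the key would be sent unencrypted")
        issues += [f"line {n}: placeholder {p} left in place" for p in PLACEHOLDERS if p in line]
        bare = re.sub(r'"[^"]*"', "", line)   # braces inside strings do not count
        depth += bare.count("{") - bare.count("}")
    if depth:
        issues.append(f"whole file: braces unbalanced by {depth}")
    if not connector:
        issues.append("whole file: MispConnector line missing or still commented out")
    return issues

if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    print("\n".join(lint_misp_conf(text)) or "no problems found")
```

Run it with the path to application.conf as its only argument; without an argument it lints the constructed sample.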