MISP Question

Hi guys, I have a question while setting up Chronicle.

When checking the IOC matches log, I can see the feed information "MISP".

Is Chronicle already integrated with MISP?

If I want to write a rule with MISP data, do I not need to do any additional MISP integration work?


To the best of my knowledge it is not. While some things show up in Chronicle as values, they're not all fully integrated. There's a really detailed guide on Medium on integrating it into Chronicle yourself, though: https://medium.com/@thatsiemguy/how-to-integrate-misp-and-chronicle-siem-9e5fe5fde97c

While there are a number of threat intel feeds incorporated into Google SecOps, particularly with the updates we are making to Applied Threat Intelligence, a general MISP instance is not one of them. There may be MISP instances used as aggregation tools that are being used to ingest indicators, but if you want to use your own MISP instance and ingest data into it, the guidance in the above link is a good start. I've done a very basic CSV read-in of exported MISP data via a storage bucket as well, but I suspect Chris's method is probably more what you have in mind.