Current ThreatQ Version Filter

MIPS COVID-19 Warning List CDF

The web format of this guide reflects the most current release. Guides for older iterations are available in PDF format.

Integration Details

ThreatQuotient provides the following details for this integration:

Current Integration Version

1.0.1

Compatible with ThreatQ Versions

>= 4.32.0

Support Tier

ThreatQ Supported

Introduction

MISP provides a series of warning lists for the detection of known valid domains. This is selection of COVID-19 related whitelist feeds.

The integration provides the following feeds:

MISP Warning List - COVID-19 CTC Whitelist - ingests a list of valid COVID-19 related domains provided by the Cyber Threat Coalition.
MISP Warning List - COVID-19 Domains - ingests a list "maintained using different lists (such as Jaime Blasco's and Krassimir's lists)."

The integration ingests indicators and indicator attributes into the ThreatQ platform.

Installation

This integration can be installed in the My Integration section of your ThreatQ instance. See the Adding an Integration topic for more details.

Configuration

ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.

To configure the integration:

Navigate to your integrations management page in ThreatQ.
Select the OSINT option from the Category dropdown (optional).
If you are installing the integration for the first time, it will be located under the Disabled tab.
Click on the integration entry to open its details page.
Review any additional settings, make any changes if needed, and click on Save.
Click on the toggle switch, located above the Additional Information section, to enable it.

ThreatQ Mapping

MISP Warning List - COVID-19 CTC Whitelist

A MISP Warning list of valid COVID-19 related domains provided by the Cyber Threat Coalition.

GET https://raw.githubusercontent.com/MISP/misp-warninglists/main/lists/covid-19-cyber-threat-coalition-whitelist/list.json

Sample Response:

    {
        "description": "The Cyber Threat Coalition's whitelist of COVID-19 related websites.",
        "list": [
           "2019novelcoronavirusoracle.com",
           ...
        ]
    }

ThreatQuotient provides the following default mapping for this feed:

Feed Data Path	ThreatQ Entity	ThreatQ Object Type or Attribute Key	Published Date	Examples	Notes
.list[]	Indicator	FQDN	N/A	2019novelcoronavirusoracle.com	Status: Whitelisted
N/A	Indicator.Attribute	Warning List	N/A	Covid-19 CTC Whitelist	Hard-coded

MISP Warning List - COVID-19 Domains

A MISP Warning list "maintained using different lists (such as Jaime Blasco's and Krassimir's lists)."

GET https://raw.githubusercontent.com/MISP/misp-warninglists/main/lists/covid/list.json

Sample Response:

    {
        "description": "Maintained using different lists (such as Jaime Blasco's and Krassimir's lists).",
        "list": [
            "3d.nicovideo.jp",
            ...
        ]
    }

ThreatQuotient provides the following default mapping for this feed:

Feed Data Path	ThreatQ Entity	ThreatQ Object Type or Attribute Key	Published Date	Examples	Notes
.list[]	Indicator	FQDN	N/A	3d.nicovideo.jp	Status: Whitelisted
N/A	Indicator.Attribute	Warning List	N/A	Valid COVID-19 Related Domains	Hard-coded

Average Feed Run

Object counts and Feed runtime are supplied as generalities only - objects returned by a provider can differ based on credential configurations and Feed runtime may vary based on system resources and load.

MISP Warning List - COVID-19 CTC Whitelist

Metric	Result
Run Time	1 minute
Indicators	697
Indicator Attributes	697

MISP Warning List - COVID-19 Domains

Metric	Result
Run Time	< 1 minute
Indicators	318
Indicator Attributes	318

Change Log

Version 1.0.1
- Updated to account for URL change by the provider
Version 1.0.0
- Initial release

PDF Guides

Document	ThreatQ Version
MISP COVID-19 Warning List CDF Guide v1.0.1	4.32.0 or Greater
MISP COVID-19 Warning List CDF Guide v1.0.0	4.32.0 or Greater