
MISP Operation

The web format of this guide reflects the most current release.  Guides for older iterations are available in PDF format.  

Integration Details

ThreatQuotient provides the following details for this integration:

Introduction

The MISP Operation for ThreatQ enables analysts to export Events from ThreatQ into MISP, along with related context.

The operation provides the following actions:

  • Share - Exports a ThreatQ Event, and related content, to MISP.
  • Send Investigation - Exports a ThreatQ Investigation, and related content, to MISP.

The operation is compatible with the following system object types:

  • Event
  • Files
  • Indicators

Installation

This integration can be installed in the My Integration section of your ThreatQ instance. See the Adding an Integration topic for more details.

Configuration

ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.

To configure the integration:

  1. Navigate to your integrations management page in ThreatQ.
  2. Select the Operation option from the Type dropdown (optional).
  3. Click on the integration entry to open its details page.
  4. Enter the following parameters under the Configuration tab:
    Parameter | Description
    MISP Host | Your MISP hostname or IP.
    MISP API Key | Your MISP API key.
    Verify SSL Certificate | Select this checkbox to validate/verify the SSL certificate. Leave this parameter unchecked if you are using a self-signed certificate.

  5. Review any additional settings, make any changes if needed, and click on Save.
  6. Click on the toggle switch, located above the Additional Information section, to enable it.

Actions

The MISP operation provides the following actions:

Action | Description | Object Type
Share | Exports a ThreatQ event, and related content, to MISP. | Events
Send Investigation | Exports a ThreatQ Investigation, along with related content, to MISP. | Events, Files, Indicators

Share

The Share action allows you to share an event from ThreatQ to MISP, along with related context such as MISP Galaxies, indicators, attachments, and attributes.

There is no API response data or mappings for this action.

Parameters

ThreatQ provides the following parameters for this Action:

Parameter | Description
Publish Event | Use this checkbox to mark the event as Published in MISP. This parameter is selected by default.
Distribution Level | Select who will be able to see this event when it is published. Options include:
  • Connected communities (Default)
  • Your organization only
  • This community only
  • All communities
  • Sharing group
Default Analysis Level | Select the analysis maturity level for this event. If an Analysis Level attribute is found, the attribute will be used instead of this value. Options include:
  • Initial
  • Ongoing
  • Complete (Default)
Default Threat Level | Select the threat level for this event. If a Threat Level attribute is found, the attribute will be used instead of this value. Options include:
  • High
  • Medium (Default)
  • Low
  • Undefined
Send IOCs/Attachments to IDS | Send IOCs and attachments directly to the IDS (if applicable).
Default IP Type | Select the default type for the IP Addresses sent to MISP. Options include:
  • Source IP (Default)
  • Destination IP
Include Unmapped Attribution | Add attribution that doesn't have a mapped Category/Type.
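
As an added illustration (not ThreatQuotient's code), the example below shows how the Share options above correspond to the fields MISP itself stores on an event, so an exported event can be checked on the MISP side before it propagates. The numeric codes and attribute types are MISP's own; the function names, the spelling of the ThreatQ attribute values, and the unchecked default for the IDS option are assumptions.

```python
# Added illustration, not the integration's code. The numeric codes are MISP's
# own event fields; function and argument names here are hypothetical.
DISTRIBUTION = {"Your organization only": 0, "This community only": 1,
                "Connected communities": 2, "All communities": 3,
                "Sharing group": 4}
ANALYSIS = {"Initial": 0, "Ongoing": 1, "Complete": 2}
THREAT_LEVEL = {"High": 1, "Medium": 2, "Low": 3, "Undefined": 4}
IP_TYPE = {"Source IP": "ip-src", "Destination IP": "ip-dst"}


def build_misp_event(title, ips, event_attributes=None, *, publish=True,
                     distribution="Connected communities",
                     analysis="Complete", threat_level="Medium",
                     to_ids=False, ip_type="Source IP",
                     sharing_group_id=None):
    """Return a MISP event dict using the defaults documented for Share."""
    attrs = event_attributes or {}
    # Per the guide, an Analysis Level / Threat Level attribute on the
    # ThreatQ event takes precedence over the configured default.
    analysis = attrs.get("Analysis Level", analysis)
    threat_level = attrs.get("Threat Level", threat_level)
    event = {
        "info": title,
        "published": publish,
        "distribution": DISTRIBUTION[distribution],
        "analysis": ANALYSIS[analysis],
        "threat_level_id": THREAT_LEVEL[threat_level],
        "Attribute": [{"type": IP_TYPE[ip_type], "category": "Network activity",
                       "value": ip, "to_ids": to_ids} for ip in ips],
    }
    if distribution == "Sharing group":
        # MISP needs the target sharing group when distribution is 4.
        if sharing_group_id is None:
            raise ValueError("Sharing group distribution needs sharing_group_id")
        event["sharing_group_id"] = sharing_group_id
    return event


def review_before_share(event):
    """Flag settings worth a second look before the event leaves ThreatQ."""
    notes = []
    if event["published"] and event["distribution"] in (2, 3):
        notes.append("published beyond this community: syncs to connected MISP instances")
    if any(a["to_ids"] for a in event["Attribute"]) and event["analysis"] == 0:
        notes.append("IDS flag set on an event still at Initial analysis")
    return notes
```

With the documented defaults (Publish Event selected, Connected communities), `review_before_share` returns the first note, which is the setting to confirm before sharing sensitive events.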

Send Investigation

The Send Investigation action allows you to export an Investigation from ThreatQ to MISP, along with related content such as indicators, attachments, tasks, and events.

Parameters

ThreatQ provides the following parameter for this action:

Parameter | Description
Investigation to send to MISP | The name of the Investigation you want to send to MISP.

Change Log

  • Version 1.1.0
    • Added new action: Send Investigation - export an Investigation from ThreatQ to MISP, along with related content such as indicators, attachments, tasks, and events.
  • Version 1.0.2
    • Added functionality to upload attachments from ThreatQ to MISP.
  • Version 1.0.1
    • Optimized integration code to improve overall performance and upgraded support tier from Not Supported to ThreatQ Supported.  
  • Version 1.0.0
    • Initial Release

PDF Guides

Document | ThreatQ Version
MISP Operation Guide v1.1.0 | 4.35.0 or Greater
MISP Operation Guide v1.0.2 | 4.35.0 or Greater
MISP Operation Guide v1.0.1 | 4.35.0 or Greater
MISP Operation Guide v1.0.0 | 4.35.0 or Greater