Skip to content

Utilizing your Threat data from a MISP instance into CarbonBlack Response by exposing the data in the Threat Intelligence Feed.

License

Notifications You must be signed in to change notification settings

eCrimeLabs/MISP2CbR

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

MISP Threat Feed into CarbonBlack Response

Utilizing your Threat data from a MISP instance into CarbonBlack Response by exposing the data in the Threat Intelligence Feed.

Read more on eCrimeLabs Blog post: https://www.ecrimelabs.com/blog/2019/6/4/encriching-carbonblack-response-with-threat-data-from-misp

The following data types from MISP is exported into the feed

  • ip-src
  • ip-dst
  • domain
  • hostname
  • md5 checksum
  • sha256 checksum

The above MISP data types are converted into CarbonBlack's data types

  • IPv4
  • IPv6
  • DNS
  • MD5
  • SHA256

Remember to create the file "keys.py":

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

misp_url = 'https://misp_instance'
misp_key = 'auth_key_value'
misp_verifycert = True
misp_tag = 'CarbonBlackResponse'

flask_cert = ''
flask_key = ''
app_debug = False

proxies = {
    'https://127.0.0.1:8090',
    'http://127.0.0.1:8090',
}

###Installation:

pip3 install -r requirements.txt

You can choose to add your own certificates, alternate these will be autogenerated. To use ad hoc certificates with Flask, you need to install an additional dependency in your environment:

pip install pyopenssl

Sample Usage:

~# # python3 MISP2CBR.py -h

Expose MISP attributes to CarbonBlack Response
(c)2022 eCrimeLabs
https://www.ecrimelabs.com
----------------------------------------

usage: MISP2CBR.py [-h] [-i IP] [-p PORT]

Providing Threat Data from MISP to Cb Response EDR tool

optional arguments:
  -h, --help            show this help message and exit
  -i IP, --ip IP        Hostname or IP of the service (default 127.0.0.1)
  -p PORT, --port PORT  Portname the service will listen on (default 8443)

About

Utilizing your Threat data from a MISP instance into CarbonBlack Response by exposing the data in the Threat Intelligence Feed.

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages