Adding MISP to OpenCTI

By Adrian | April 24, 2020

While I'm still getting myself familiar with OpenCTI and building out an actor profile, I thought I'd link it up with my MISP instance. OpenCTI provides a connector to do this, which will require an update to the docker-compose.yml file and an update of the stack.

If you have been following along, this post is a continuation of Installing OpenCTI.

To add the MISP connector, log in to Portainer and select Stacks, then opencti. Select the Editor tab.

[Screenshot: portainer-opencti-editor]

Now, we need to add the MISP service in. The following configuration is added.

  connector-misp:
    image: opencti/connector-misp:3.1.0
    environment:
      - OPENCTI_URL=http://opencti:8080
      - OPENCTI_TOKEN=${OPENCTI_ADMIN_TOKEN}
      - CONNECTOR_ID=${CONNECTOR_MISP_ID}
      - CONNECTOR_TYPE=EXTERNAL_IMPORT
      - CONNECTOR_NAME=MISP
      - CONNECTOR_SCOPE=misp
      - CONNECTOR_CONFIDENCE_LEVEL=3
      - CONNECTOR_UPDATE_EXISTING_DATA=false
      - CONNECTOR_LOG_LEVEL=info
      - MISP_URL=${CONNECTOR_MISP_URL} # Required
      - MISP_KEY=${CONNECTOR_MISP_API} # Required
      - MISP_SSL_VERIFY=False # Required
      - MISP_CREATE_REPORTS=True # Required, create report for MISP event
      - MISP_REPORT_CLASS=MISP Event # Optional, report_class if creating report for event
      - MISP_IMPORT_FROM_DATE=2000-01-01 # Optional, import all event from this date
      - MISP_IMPORT_TAGS=opencti:import,type:osint # Optional, list of tags used for import events
      - MISP_INTERVAL=1 # Required, in minutes
    restart: always

Indenting is important when it comes to yml, so make sure it's correct. To help illustrate this point, this is where the updated configuration gets inserted.

[Screenshot: docker-compose-post-misp-config]

Notice that 3 new environment variables have been referenced (${CONNECTOR_MISP_ID}, ${CONNECTOR_MISP_URL} and ${CONNECTOR_MISP_API}). These need to be added into the Environment variables section of the stack within Portainer.

Variable Name        Notes
CONNECTOR_MISP_ID    a generated UUID
CONNECTOR_MISP_URL   your MISP instance's URL
CONNECTOR_MISP_API   the authKey taken from MISP

[Screenshot: portainer-misp-environment-variables]

Once you have updated the yml configuration and environment variables, press Update the stack.

Confirm syncing from MISP works

If there is one thing I'd like to see within the OpenCTI GUI, it's a quick way to see what connectors you have added. It could very well be somewhere, but I have not seen it under the settings.

In order for indicators to come across from MISP, the event needs to carry one of the import tags configured in MISP_IMPORT_TAGS. According to the docker-compose file above, these tags are either opencti:import OR type:osint, but change your config to whatever tag you see as appropriate. Whatever tags you pick need to already exist in MISP so they can be applied (check Event Actions, Add Tag in MISP).

[Screenshot: misp-add-tags]

Now, it's just a matter of tagging an indicator.

[Screenshot: tagged-ioc-in-misp]

Wait until a sync happens (the frequency is set in the docker-compose file by the MISP_INTERVAL variable, in minutes). The MISP event and its indicators will come across.

[Screenshot: opencti-with-ioc-from-misp]

Conclusion

I won't lie, there were a few little issues I had along the way. If syncing isn't working for you, check from your underlying OS that you are able to ping/curl your MISP instance! Also, use the Exec Console and View Log features of Docker/Portainer and see if there are any errors being thrown.
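The two things that bit me above (MISP not reachable from the host, and import tags that do not exist in MISP) can be checked before updating the stack. The script below is an added example, not part of OpenCTI or the MISP connector: it reads the same MISP_URL, MISP_KEY, MISP_SSL_VERIFY and MISP_IMPORT_TAGS values the connector uses, calls MISP's /tags/index endpoint (assumed to answer with {"Tag": [{"name": ...}, ...]}), and reports any configured tag MISP does not know. The fetch function is injectable so the logic can be exercised offline.

```python
import json
import ssl
import urllib.request

# Hypothetical preflight helper, not the connector's own code. It mirrors the
# connector's MISP_* settings and checks reachability, authKey and import tags.

def parse_import_tags(value):
    """Split the comma-separated MISP_IMPORT_TAGS value into a clean list."""
    return [t.strip() for t in value.split(",") if t.strip()]

def fetch_misp_tags(misp_url, misp_key, ssl_verify=True):
    """GET /tags/index from MISP; assumed to return {"Tag": [{"name": ...}, ...]}."""
    req = urllib.request.Request(
        misp_url.rstrip("/") + "/tags/index",
        headers={"Authorization": misp_key, "Accept": "application/json"},
    )
    ctx = ssl.create_default_context()
    if not ssl_verify:  # MISP_SSL_VERIFY=False in the post: only for self-signed lab instances
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)

def missing_import_tags(configured_tags, tags_response):
    """Configured tags MISP does not define; events tagged with them can never sync."""
    known = {t["name"] for t in tags_response.get("Tag", [])}
    return [t for t in configured_tags if t not in known]

def check_connector_config(env, fetch=fetch_misp_tags):
    """Preflight the connector environment; `fetch` is injectable for offline tests."""
    tags = parse_import_tags(env.get("MISP_IMPORT_TAGS", ""))
    if not tags:
        return {"ok": False, "problem": "MISP_IMPORT_TAGS is empty; nothing would be imported"}
    verify = env.get("MISP_SSL_VERIFY", "True").lower() != "false"
    try:
        response = fetch(env["MISP_URL"], env["MISP_KEY"], verify)
    except Exception as exc:  # DNS failure, connection refused, 403 from a bad authKey, ...
        return {"ok": False, "problem": f"MISP unreachable or rejected the key: {exc}"}
    missing = missing_import_tags(tags, response)
    if missing:
        return {"ok": False, "problem": "tags not defined in MISP: " + ", ".join(missing)}
    return {"ok": True, "problem": None}

if __name__ == "__main__":
    import os  # run with the connector's MISP_* variables exported in the shell
    print(check_connector_config(os.environ))
```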

I am hoping to tackle reverse proxy and SSL in the next post using Traefik/Let's Encrypt and Route53. It's semi-uncharted waters for me.