Skip to content
/ MISP-QRadar-Integration Public
forked from karthikkbala/MISP-QRadar-Integration

The Project can used to integrate QRadar with MISP Threat Sharing Platform

License

MIT license
0 stars 29 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

JamesCullum/MISP-QRadar-Integration

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

11 Commits
LICENSE
LICENSE
 
 
README.md
README.md
 
 
config.ini
config.ini
 
 
integration.py
integration.py
 
 
requirements.txt
requirements.txt
 
 

Repository files navigation

QRadar MISP Integration

Integrate QRadar with IOC (Attributes) from MISP - Open Source Threat Intelligence Platform

IBM QRadar:

alt text

IBM QRadar Security Information and Event Management (SIEM) centrally collects and analyzes log and network flow data throughout even the most highly distributed environments to provide actionable insights into threats.

Using advanced analytics, the solution automatically sorts through millions to billions of events per day to detect anomalous and malicious activities, identify and group related events, and generate prioritized alerts to only the most critical threats.

MISP:

alt text

The MISP threat sharing platform is a free and open source software helping information sharing of threat intelligence including cyber security indicators.

MISP is a threat intelligence platform for gathering, sharing, storing and correlating Indicators of Compromise of targeted attacks, threat intelligence, financial fraud information, vulnerability information or even counter-terrorism information.

Many organizations use MISP to maintain internal repository of IOCs involved in any security incident of the organization.

MISP has rich RESTful API support to integrate with any producers or consumers of threat intelligence information.

Requirements:

  • Python 3
  • Packages in requirements.txt

Installation:

git clone https://github.com/karthikkbala/MISP-QRadar-Integration.git
cd MISP-QRadar-Integration
pip3 install -r requirements.txt

Configuration:

Edit the config.ini file with favourite editor and provide the following information.

[general]
misp_auth_key = mxVt2yZWkS39XemrgtyhbfYts7ZeeheQ50dXKLHO # or as environment variable
misp_tag_filter = tlp:white,tlp:green
misp_tag_blacklist = automatic-collection,low-risk
misp_category_filter = Network activity,Payload delivery,Artifacts dropped,Payload installation,Persistence mechanism
misp_server = <FQDN or IP of MISP Server>

qradar_auth_key = 811aacf9-ef79-456h-98d4-5d27b7a94844 # or as environment variable
qradar_server = <FQDN or IP of QRadar Server>

# In minutes
frequency = 60
# Only load new attributes since the last interval
fetch_incremental = True

[refset_attributes]
# Map which MISP attributes (e.g. url, dst-ip, src-ip, domain) to copy into which reference set
MISP_IP_IOC = ip-dst,ip-src
MISP_Host_IOC = domain,hostname,domain
MISP_Url_IOC = url,uri
MISP_Filehash_IOC = md5,sha1,sha256

Usage:

python3 integration.py >> /var/log/misp-integration.log &

Error Handling - Use Cases

  • Validate if the reference sets exist
  • Identify the Element Type of the reference set
  • Socket connection validation for QRadar and MISP

Output - Success

14:55:04 -- Checking HTTPS Connectivity to QRadar
14:55:04 -- (Success) HTTPS Connectivity to QRadar
14:55:04 -- Checking HTTPS Connectivity to MISP
14:55:04 -- (Success) HTTPS Connectivity to MISP
14:55:05 -- Validating if reference set MISP_IP_IOC exists
14:55:05 -- Validating reference set MISP_IP_IOC - (Success)
14:55:05 -- Identifying Reference set MISP_IP_IOC element type
14:55:05 -- Reference set element type = IP (Success)
14:55:05 -- Initiating, GET data from MISP on <IP Address of MISP Server> since 2019-03-28
14:55:07 -- MISP API Query (Success)
14:55:07 -- 8 IOCs imported into MISP_IP_IOC
14:55:07 -- Initiating, IOC POST to QRadar
14:55:08 -- (Finished) Imported 8 IOCs to QRadar (Success)
14:55:08 -- Validating if reference set MISP_Domain_IOC exists
14:55:08 -- Validating reference set MISP_Domain_IOC - (Success)
14:55:08 -- Identifying Reference set MISP_Domain_IOC element type
14:55:08 -- Reference set element type = ALNIC (Success)
14:55:08 -- Initiating, GET data from MISP on <IP Address of MISP Server> since 2019-03-28
14:55:10 -- MISP API Query (Success)
14:55:10 -- 4 IOCs imported into MISP_Domain_IOC
14:55:10 -- Initiating, IOC POST to QRadar
14:55:10 -- (Finished) Imported 4 IOCs to QRadar (Success)
14:55:10 -- Validating if reference set MISP_URL_IOC exists
14:55:10 -- Validating reference set MISP_URL_IOC - (Success)
14:55:10 -- Identifying Reference set MISP_URL_IOC element type
14:55:10 -- Reference set element type = ALNIC (Success)
14:55:10 -- Initiating, GET data from MISP on <IP Address of MISP Server> since 2019-03-28
14:55:12 -- MISP API Query (Success)
14:55:12 -- 11 IOCs imported into MISP_URL_IOC
14:55:12 -- Initiating, IOC POST to QRadar
14:55:13 -- (Finished) Imported 11 IOCs to QRadar (Success)

About

The Project can used to integrate QRadar with MISP Threat Sharing Platform

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

1 watching

Forks

2 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • Python 100.0%