This directory contains the plugins one can use to bind WHIDS and MISP together.
Each plugin is a standalone executable and can be run as a service, using the service manager you prefer (systemd, initd ...).
Requirements:
- All the plugin requirements need to be fulfilled
- Have a MISP instance running
- Have the credentials needed to access both the WHIDS and MISP APIs set in the configuration file
One of the motivations behind WHIDS is to obtain "as close to the incident as possible" artifact collections (files, registry hives, memory dumps ...). Recently, WHIDS has been improved to also generate Incident Response ready reports, containing crucial information such as running processes, loaded modules/drivers, etc.
This plugin aims at pushing those reports (and related artifacts) to MISP so that they can be shared and analysed by other parties.
How it works: the WHIDS manager exposes an API to query artifacts uploaded by the endpoints. This plugin makes regular calls to this API in order to find new artifacts uploaded with IR reports. Whenever a new report is found, the plugin creates a new report object in MISP.
NB: one MISP event is created per day and the report objects are appended to that day's event.
Example:
```sh
# to push reports collected in the last 24h
./reporting.py -l 1
# to run the same command as a service
./reporting.py --service -l 1
```
This plugin takes advantage of the event streams exposed by an EDR manager to update MISP sightings.
How it works: streams are provided through websockets and stream in real time the events received by the EDR manager. Multiple clients may subscribe to a stream and will all receive the same events.
For performance reasons, especially in high event throughput scenarios, we decided not to update sightings for an IOC at every event. Instead, by default, an IOC can be sighted at most once every minute on a per source (i.e. endpoint) basis. For example, if a host resolves github.com 10 times in a minute, this counts as only one sighting. By extension, if 5 hosts each resolve github.com 10 times in a minute, this counts as 5 sightings. The refresh time of a sighting is configurable with the `--cache-ttl` command line option.
NB: only attributes with the IDS flag set will have their sightings updated.
Example:
```sh
./sightings.py
```
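The per-source sighting throttle described above, written out as an added Python example (it is not the plugin's own code): a cache keyed on (source, IOC) suppresses repeat sightings inside the `--cache-ttl` window, and only IOCs present in a constructed set of IDS-flagged attributes are counted. The `SightingThrottle` and `count_sightings` names, the sample hosts and `example.org` are assumptions made for the example.

```python
import time
from collections import defaultdict


class SightingThrottle:
    """At most one MISP sighting per (source, IOC) every ttl seconds (the --cache-ttl window)."""

    def __init__(self, ttl_seconds=60, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock
        self._last = {}  # (source, ioc) -> time of the last sighting we emitted

    def should_sight(self, source, ioc, now=None):
        """True if a sighting for this (source, ioc) should be pushed now; records it if so."""
        now = self.clock() if now is None else now
        last = self._last.get((source, ioc))
        if last is not None and now - last < self.ttl:
            return False  # still inside the refresh window: suppress the duplicate
        self._last[(source, ioc)] = now
        return True

    def purge(self, now=None):
        """Drop expired entries so the cache does not grow with every pair ever seen."""
        now = self.clock() if now is None else now
        self._last = {k: t for k, t in self._last.items() if now - t < self.ttl}


def count_sightings(events, ids_attributes, ttl_seconds=60):
    """Replay (timestamp, source, ioc) events in order; return sightings emitted per IOC.

    Only IOCs present in ids_attributes (MISP attributes carrying the IDS flag) count.
    """
    throttle = SightingThrottle(ttl_seconds)
    counts = defaultdict(int)
    for ts, source, ioc in sorted(events):
        if ioc in ids_attributes and throttle.should_sight(source, ioc, now=ts):
            counts[ioc] += 1
    return dict(counts)


# Constructed sample streams: ten resolutions of github.com per host within one minute,
# plus resolutions of example.org, which is assumed to carry no IDS flag in MISP.
IDS_ATTRIBUTES = {"github.com"}
ONE_HOST = [(t, "host-1", "github.com") for t in range(0, 60, 6)]
FIVE_HOSTS = [(t, f"host-{h}", "github.com") for h in range(1, 6) for t in range(0, 60, 6)]
NON_IDS = [(t, "host-1", "example.org") for t in range(0, 60, 6)]
```

Replaying `ONE_HOST` yields one sighting and `FIVE_HOSTS` yields five, matching the text; a resolution at second 60 by the same host opens a new window and produces a second sighting.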