Utilizing your Threat data from a MISP instance into CarbonBlack Response by exposing the data in the Threat Intelligence Feed.
Read more on eCrimeLabs Blog post: https://www.ecrimelabs.com/blog/2019/6/4/encriching-carbonblack-response-with-threat-data-from-misp
The following data types from MISP is exported into the feed
- ip-src
- ip-dst
- domain
- hostname
- md5 checksum
- sha256 checksum
The above MISP data types are converted into CarbonBlack's data types
- IPv4
- IPv6
- DNS
- MD5
- SHA256
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
misp_url = 'https://misp_instance'
misp_key = 'auth_key_value'
misp_verifycert = True
misp_tag = 'CarbonBlackResponse'
flask_cert = ''
flask_key = ''
app_debug = False
proxies = {
'https://127.0.0.1:8090',
'http://127.0.0.1:8090',
}
###Installation:
pip3 install -r requirements.txt
You can choose to add your own certificates, alternate these will be autogenerated. To use ad hoc certificates with Flask, you need to install an additional dependency in your environment:
pip install pyopenssl
~# # python3 MISP2CBR.py -h
Expose MISP attributes to CarbonBlack Response
(c)2022 eCrimeLabs
https://www.ecrimelabs.com
----------------------------------------
usage: MISP2CBR.py [-h] [-i IP] [-p PORT]
Providing Threat Data from MISP to Cb Response EDR tool
optional arguments:
-h, --help show this help message and exit
-i IP, --ip IP Hostname or IP of the service (default 127.0.0.1)
-p PORT, --port PORT Portname the service will listen on (default 8443)