diff --git a/crowdsec-docs/static/img/misp/config.png b/crowdsec-docs/static/img/misp/config.png new file mode 100644 index 000000000..c6bbc1ce6 Binary files /dev/null and b/crowdsec-docs/static/img/misp/config.png differ diff --git a/crowdsec-docs/static/img/misp/enrich-event-from-left-menu-popup.png b/crowdsec-docs/static/img/misp/enrich-event-from-left-menu-popup.png new file mode 100644 index 000000000..00e2dc23a Binary files /dev/null and b/crowdsec-docs/static/img/misp/enrich-event-from-left-menu-popup.png differ diff --git a/crowdsec-docs/static/img/misp/enriched-ip-event-2.png b/crowdsec-docs/static/img/misp/enriched-ip-event-2.png new file mode 100644 index 000000000..b6399586e Binary files /dev/null and b/crowdsec-docs/static/img/misp/enriched-ip-event-2.png differ diff --git a/crowdsec-docs/static/img/misp/enriched-ip-event.png b/crowdsec-docs/static/img/misp/enriched-ip-event.png new file mode 100644 index 000000000..a2c4488cd Binary files /dev/null and b/crowdsec-docs/static/img/misp/enriched-ip-event.png differ diff --git a/crowdsec-docs/static/img/misp_crowdsec_knowledge.png b/crowdsec-docs/static/img/misp_crowdsec_knowledge.png deleted file mode 100644 index 8b0202467..000000000 Binary files a/crowdsec-docs/static/img/misp_crowdsec_knowledge.png and /dev/null differ diff --git a/crowdsec-docs/static/img/misp_hover.png b/crowdsec-docs/static/img/misp_hover.png deleted file mode 100644 index e6b0dc896..000000000 Binary files a/crowdsec-docs/static/img/misp_hover.png and /dev/null differ diff --git a/crowdsec-docs/unversioned/cti_api/integration_misp.md b/crowdsec-docs/unversioned/cti_api/integration_misp.md index 845cfa1e1..d1412f080 100644 --- a/crowdsec-docs/unversioned/cti_api/integration_misp.md +++ b/crowdsec-docs/unversioned/cti_api/integration_misp.md 
@@ -4,41 +4,66 @@ title: MISP Plugin sidebar_position: 2 --- -MISP hover plugin allows you to get knowledge from CrowdSec's CTI API upon hovering an IP in your MISP instance. +MISP plugin lets you enrich the knowledge of IP attributes using CrowdSec's CTI API. ## Installation +### Requirements + +- A CrowdSec CTI API key. See [instructions to obtain it](https://docs.crowdsec.net/docs/next/cti_api/getting_started/#getting-an-api-key) + ### Setting up plugin server The plugin is included in MISP's [official plugin repo](https://github.com/MISP/misp-modules). -The development version can be found on [crowdsec's fork](https://github.com/crowdsecurity/misp-modules). - -Install the fork via by following instructions given [here](https://github.com/MISP/misp-modules#how-to-install-and-start-misp-modules-in-a-python-virtualenv-recommended) -. Make sure to subsitute repository address as required. ### Configure the plugin -1. Navigate to plugin settings page at `http:///servers/serverSettings/Plugin` +You can activate this module by accessing the “Plugins” tab of your MISP instance: -2. Click on Enrichment. +1. Navigate to plugin settings page at `http:///servers/serverSettings/Plugin` +2. Click on Enrichment +3. Set the value of `Plugin.Enrichment_crowdsec_enabled` to `true` +4. Set the value of `Plugin.Enrichment_crowdsec_api_key` to your CrowdSec CTI API key + +For more details on the settings available, please refer to the [Configurations](#configurations) part. -3. Set the value of Plugin.Enrichment_crowdsec_enabled to `true` -4. Set the value of Plugin.Enrichment_crowdsec_api_key to your CTI API key. See [instructions to obtain it](/cti_api/getting_started.mdx) +## Usage -5. Set the value of Plugin.Enrichment_crowdsec_api_version to "v2". +Thanks to the CrowdSec Threat Intelligence, you can enrich your IP attributes. -Done ! 
+![Enrich IP](/img/misp/enrich-event-from-left-menu-popup.png) +Once enriched, you will find a `crowdsec-ip-context` object with all attributes retrieved from CrowdSec. -## Usage +For more details about this object, please refer to the [Misp project documentation](https://www.misp-project.org/objects.html#_crowdsec_ip_context). + + +![Enriched IP part 1](/img/misp/enriched-ip-event.png) + +![Enriched IP part 2](/img/misp/enriched-ip-event-2.png) + + +## Configurations + +You will find the settings page at `http:///servers/serverSettings/Plugin` + +![Configurations](/img/misp/config.png) + +Configuration parameters are described below: -1. Simply click on hover button on any IP attribute. -![MISP hover](/img/misp_hover.png) +| Setting name | Mandatory | Type | Description | +|------------------------------------------------------|-----------|---------|--------------------------------------------------------------------------------------------------------------------------------------------| +| `Plugin.Enrichment_crowdsec_enabled` | Yes | Boolean | Enable or disable the crowdsec module | +| `Plugin.Enrichment_crowdsec_restrict` | No | String | Restrict the crowdsec module to the given organisation. | +| `Plugin.Enrichment_crowdsec_api_key` | Yes | String | CrowdSec CTI API key. See [instructions to obtain it](https://docs.crowdsec.net/docs/next/cti_api/getting_started/#getting-an-api-key) | +| `Plugin.Enrichment_crowdsec_add_reputation_tag` | No | String | Enable/disable the creation of a reputation tag for the IP attribute. You can use `True` or `False` as string value. Default: `True` | +| `Plugin.Enrichment_crowdsec_add_behavior_tag` | No | String | Enable/disable the creation of a behavior tag for the IP attribute. You can use `True` or `False` as string value. Default: `True` | +| `Plugin.Enrichment_crowdsec_add_classification_tag` | No | String | Enable/disable the creation of a classification tag for the IP attribute. 
You can use `True` or `False` as string value. Default: `True` | +| `Plugin.Enrichment_crowdsec_add_mitre_technique_tag` | No | String | Enable/disable the creation of a mitre technique tag for the IP attribute. You can use `True` or `False` as string value. Default: `True` | +| `Plugin.Enrichment_crowdsec_add_cve_tag` | No | String | Enable/disable the creation of a cve tag for the IP attribute. You can use `True` or `False` as string value. Default: `True` | -2. Upon clicking the hover icon, you will see the enrichements on this IP obtained from CrowdSec's CTI. -![MISP CrowdSec Hover](/img/misp_crowdsec_knowledge.png)
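Review bot: the configure procedure drops the step that set `Plugin.Enrichment_crowdsec_api_version` to "v2", but that setting does not reappear in the new Configurations table; if the module still reads it (with a default), add a row for it, and if it was removed from the module, one sentence saying so would stop upgraded instances from keeping a stale value. Two smaller points in the same hunk: the Requirements bullet and the `Plugin.Enrichment_crowdsec_api_key` row link to the absolute URL `https://docs.crowdsec.net/docs/next/cti_api/getting_started/#getting-an-api-key`, whereas the removed text used the site-relative `/cti_api/getting_started.mdx`; a `docs/next` link goes stale once that version is promoted, so prefer the relative form. The settings URL is written as `http:///servers/serverSettings/Plugin` in both the configure steps and the Configurations section, with nothing between the slashes to indicate the host; spell it as `http://<your-misp-host>/servers/serverSettings/Plugin` so readers know what to substitute, and since the page is telling admins to paste a CTI API key into this form, an `https://` example is the better default. Finally, the new intro line "MISP plugin lets you enrich the knowledge of IP attributes" reads better as "The MISP plugin lets you enrich IP attributes with knowledge from CrowdSec's CTI API".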