Skip to content
Utilizing your Threat data from a MISP instance into CarbonBlack Response by exposing the data in the Threat Intelligence Feed.
Branch: master
Clone or download
Latest commit 0516272 Jun 4, 2019
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
.gitignore Added Code Jun 4, 2019
LICENSE Initial commit Jun 4, 2019
MISP2CBR.py Added Code Jun 4, 2019
README.md Update README.md Jun 4, 2019

README.md

MISP Threat Feed into CarbonBlack Response

Utilizing your Threat data from a MISP instance into CarbonBlack Response by exposing the data in the Threat Intelligence Feed.

Read more on eCrimeLabs Blog post: https://www.ecrimelabs.com/blog/2019/6/4/encriching-carbonblack-response-with-threat-data-from-misp

The following data types from MISP is exported into the feed

  • ip-src
  • ip-dst
  • domain
  • hostname
  • md5 checksum
  • sha256 checksum

The above MISP data types are converted into CarbonBlack's data types

  • IPv4
  • IPv6
  • DNS
  • MD5
  • SHA256

Remember to create the file "keys.py":

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

misp_url = 'https://misp_instance'
misp_key = 'auth_key_value'
misp_verifycert = True
misp_tag = 'CarbonBlackResponse'

flask_cert = ''
flask_key = ''
app_debug = False

proxies = {
    'https://127.0.0.1:8090',
    'http://127.0.0.1:8090',
}

###Installation:

pip3 install flask
pip3 install pyopenssl

You can choose to add your own certificates, alternate these will be autogenerated. To use ad hoc certificates with Flask, you need to install an additional dependency in your environment:

pip install pyopenssl

Sample Usage:

~# # python3 MISP2CBR.py -h

Expose MISP attributes to CarbonBlack Response
(c)2019 eCrimeLabs
https://www.ecrimelabs.com
----------------------------------------

usage: MISP2CBR.py [-h] [-i IP] [-p PORT]

Providing Threat Data from MISP to Cb Response EDR tool

optional arguments:
  -h, --help            show this help message and exit
  -i IP, --ip IP        Hostname or IP of the service (default 127.0.0.1)
  -p PORT, --port PORT  Portname the service will listen on (default 8443)
You can’t perform that action at this time.