[Intelmq-users] MISP feed output bot usage

Sebastian Wagner wagner at cert.at
Fri Sep 4 14:24:37 CEST 2020


Dear all,

Marius is already in contact with Raphaël Vinot, the MISP Feed Output
author and MISP developer. Here is a short summary by Raphaël, which I
can share here on his behalf:

    If you have a lot of similarities across events, you have the
    following options to avoid a crazy amount of correlations:

      * Create fewer events (once a week, for example)
      * Disable correlation at event level
      * Keep the feed in memory only and do not create events out of it
        in the database. => In that case, you will still be able to see
        hits against indicators in the events from the feed, but they're
        in redis only instead of in MySQL, so it's not a problem.

best regards
Sebastian

On 9/3/20 11:21 AM, Marius Urkis wrote:
> Hello IntelMQ users,
>
> I am trying to figure out how to use the MISP feed output bot; could
> someone advise? MISP creates a new event once per period (per hour, or
> per day), and that makes MISP do correlation between these events
> created previously. And actually that results in the correlation table
> growing exponentially. Am I doing something wrong on the IntelMQ side or
> the MISP side?
>
> In IntelMQ I configure the bot to make one event per day (actually
> containing ~1500 events in the resulting JSON file). On the MISP side I
> have a feed in MISP feed format.
>
>
> Best regards
>
> --
>
> Marius Urkis
>
>
-- 
// Sebastian Wagner <wagner at cert.at> - T: +43 1 5056416 7201
// CERT Austria - https://www.cert.at/
// Eine Initiative der nic.at GmbH - https://www.nic.at/
// Firmenbuchnummer 172568b, LG Salzburg
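As an added illustration of the second option above (disabling correlation on the events the feed produces), here is a small post-processing script that is not part of IntelMQ or of the thread: it walks a MISP feed directory and sets the `disable_correlation` flag on every event and attribute before MISP ingests it. The directory layout it assumes (a `manifest.json` mapping event UUID to metadata, plus one `<uuid>.json` file per event) is the MISP feed format; the sample feed it writes is constructed for the demo.

```python
"""Set disable_correlation on every event and attribute of a MISP feed
directory, the layout the IntelMQ MISP feed output bot writes. Assumed (not
from the mail): manifest.json maps UUID -> metadata, events sit in <uuid>.json."""
import json
import tempfile
from pathlib import Path

# Constructed sample feed: one event, two attributes, correlation still on.
SAMPLE_UUID = "11111111-2222-3333-4444-555555555555"
SAMPLE_EVENT = {"Event": {
    "uuid": SAMPLE_UUID, "info": "IntelMQ feed 2020-09-03",
    "disable_correlation": False,
    "Attribute": [
        {"type": "ip-dst", "value": "203.0.113.10", "disable_correlation": False},
        {"type": "domain", "value": "example.invalid", "disable_correlation": False},
    ]}}
SAMPLE_MANIFEST = {SAMPLE_UUID: {"info": "IntelMQ feed 2020-09-03", "date": "2020-09-03"}}

def write_sample_feed(feed_dir: Path) -> None:
    feed_dir.mkdir(parents=True, exist_ok=True)
    (feed_dir / "manifest.json").write_text(json.dumps(SAMPLE_MANIFEST))
    (feed_dir / f"{SAMPLE_UUID}.json").write_text(json.dumps(SAMPLE_EVENT))

def disable_feed_correlation(feed_dir: Path) -> int:
    """Flag each manifest event and its attributes; return attributes touched."""
    manifest = json.loads((feed_dir / "manifest.json").read_text())
    touched = 0
    for event_uuid in manifest:
        path = feed_dir / f"{event_uuid}.json"
        doc = json.loads(path.read_text())
        event = doc["Event"]
        event["disable_correlation"] = True
        attrs = list(event.get("Attribute", []))  # copy: don't grow the event's list
        for obj in event.get("Object", []):  # attributes nested in MISP objects
            attrs += obj.get("Attribute", [])
        for attribute in attrs:
            attribute["disable_correlation"] = True
            touched += 1
        path.write_text(json.dumps(doc, indent=2))
    return touched

def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        feed_dir = Path(tmp) / "feed"
        write_sample_feed(feed_dir)
        touched = disable_feed_correlation(feed_dir)
        event = json.loads((feed_dir / f"{SAMPLE_UUID}.json").read_text())["Event"]
        return {"touched": touched, "event_flag": event["disable_correlation"],
                "attr_flags": [a["disable_correlation"] for a in event["Attribute"]]}
```

Run it against the bot's `output_dir` between the bot writing the feed and MISP fetching it; the per-attribute flag also stops attribute-level correlation, which the event-level flag alone does not control in older MISP versions.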
