<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{mso-style-priority:99;
mso-style-link:"Plain Text Char";
margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.PlainTextChar
{mso-style-name:"Plain Text Char";
mso-style-priority:99;
mso-style-link:"Plain Text";
font-family:"Calibri",sans-serif;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoPlainText">Hi Aaron,<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">So we cannot see feeds manually either? I am able to see the feeds as below, but I am unable to access them when I click on the view button.
<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"><img width="1365" height="494" style="width:14.2187in;height:5.1458in" id="Picture_x0020_1" src="cid:image001.png@01D741D5.FD50F620"><o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Regards,<o:p></o:p></p>
<p class="MsoPlainText">Drupad Soni<o:p></o:p></p>
<p class="MsoPlainText">KPMG – Cyber Security<o:p></o:p></p>
<p class="MsoPlainText">Embassy Golf Links Business Park, Pebble Beach, 'B' Block,
<o:p></o:p></p>
<p class="MsoPlainText">1st & 2nd Floor, Off Intermediate Ring Road <o:p></o:p></p>
<p class="MsoPlainText">Mobile : +91 8140283894<o:p></o:p></p>
<p class="MsoPlainText">Know more about our Cyber Security Services<o:p></o:p></p>
<p class="MsoPlainText">https://home.kpmg.com/in/en/home/services/advisory/risk-consulting/it-advisory-services/cyber-security.html<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">-----Original Message-----<br>
From: L. Aaron Kaplan <aaron@lo-res.org> <br>
Sent: Wednesday, May 5, 2021 4:40 PM<br>
To: Soni, Drupad <drupadsoni@kpmg.com><br>
Cc: intelmq-users@lists.cert.at; Shah, Kunal <kunalshah3@kpmg.com><br>
Subject: Re: [IntelMQ-users] MISP Expert bot</p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">The "expert bot of MISP" (I assume you mean the MISP expansion module?) is just there to enrich MISP events with data which are in the eventdb. That is probably not what you want.<o:p></o:p></p>
<p class="MsoPlainText">I assume what you want is to send IntelMQ data to MISP. However, ... MISP is not designed to process billions of records (IntelMQ can generate quite a lot and fast). So that's where we use a MISP "feed", which allows correlation of data with MISP data without really importing all of it.<o:p></o:p></p>
<p class="MsoPlainText">Is that what you want?<o:p></o:p></p>
<p class="MsoPlainText">In case it is, I recommend reading the MISP book section on MISP feeds [1]<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Best,<o:p></o:p></p>
<p class="MsoPlainText">Aaron.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">[1] <a href="https://www.circl.lu/doc/misp/managing-feeds/#caching-feeds">
<span style="color:windowtext;text-decoration:none">https://www.circl.lu/doc/misp/managing-feeds/#caching-feeds</span></a><o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">> On 05.05.2021, at 13:03, Soni, Drupad via IntelMQ-users <<a href="mailto:intelmq-users@lists.cert.at"><span style="color:windowtext;text-decoration:none">intelmq-users@lists.cert.at</span></a>> wrote:<o:p></o:p></p>
<p class="MsoPlainText">> <o:p></o:p></p>
<p class="MsoPlainText">> Hi Sebastian,<o:p></o:p></p>
<p class="MsoPlainText">> <o:p></o:p></p>
<p class="MsoPlainText">> Thanks,<o:p></o:p></p>
<p class="MsoPlainText">> <o:p></o:p></p>
<p class="MsoPlainText">> I am working on pushing all feeds of IntelMQ to MISP. I have been working on this for a long time and have been unable to crack it. If anyone has worked on this scenario, please help me out.<o:p></o:p></p>
<p class="MsoPlainText">> <o:p></o:p></p>
<p class="MsoPlainText">> Regards,<o:p></o:p></p>
<p class="MsoPlainText">> Drupad Soni<o:p></o:p></p>
<p class="MsoPlainText">> KPMG – Cyber Security<o:p></o:p></p>
<p class="MsoPlainText">> Embassy Golf Links Business Park, Pebble Beach, 'B' Block, 1st & 2nd Floor, Off Intermediate Ring Road<o:p></o:p></p>
<p class="MsoPlainText">> Mobile : +91 8140283894<o:p></o:p></p>
<p class="MsoPlainText">> Know more about our Cyber Security Services<o:p></o:p></p>
<p class="MsoPlainText">> <a href="https://home.kpmg.com/in/en/home/services/advisory/risk-consulting/it-advisory-services/cyber-security.html"><span style="color:windowtext;text-decoration:none">https://home.kpmg.com/in/en/home/services/advisory/risk-consulting/it-advisory-services/cyber-security.html</span></a><o:p></o:p></p>
<p class="MsoPlainText">> <o:p></o:p></p>
<p class="MsoPlainText">> From: Sebastian Wagner <<a href="mailto:wagner@cert.at"><span style="color:windowtext;text-decoration:none">wagner@cert.at</span></a>><o:p></o:p></p>
<p class="MsoPlainText">> Sent: Wednesday, May 5, 2021 3:53 PM<o:p></o:p></p>
<p class="MsoPlainText">> To: Soni, Drupad <<a href="mailto:drupadsoni@kpmg.com"><span style="color:windowtext;text-decoration:none">drupadsoni@kpmg.com</span></a>>;
<a href="mailto:intelmq-users@lists.cert.at"><span style="color:windowtext;text-decoration:none">intelmq-users@lists.cert.at</span></a><o:p></o:p></p>
<p class="MsoPlainText">> Subject: Re: [IntelMQ-users] MISP Expert bot<o:p></o:p></p>
<p class="MsoPlainText">> <o:p></o:p></p>
<p class="MsoPlainText">> Hi,<o:p></o:p></p>
<p class="MsoPlainText">> <o:p></o:p></p>
<p class="MsoPlainText">> On 5/5/21 10:33 AM, Soni, Drupad via IntelMQ-users wrote:<o:p></o:p></p>
<p class="MsoPlainText">> How does the MISP expert bot work?<o:p></o:p></p>
<p class="MsoPlainText">> <o:p></o:p></p>
<p class="MsoPlainText">> I want to know more on this.<o:p></o:p></p>
<p class="MsoPlainText">> <a href="https://intelmq.readthedocs.io/en/latest/user/bots.html#id13">
<span style="color:windowtext;text-decoration:none">https://intelmq.readthedocs.io/en/latest/user/bots.html#id13</span></a><o:p></o:p></p>
<p class="MsoPlainText">> <o:p></o:p></p>
<p class="MsoPlainText">> > Queries a MISP instance for the source.ip and adds the MISP Attribute UUID and MISP Event ID of the newest attribute found.<o:p></o:p></p>
<p class="MsoPlainText">> <o:p></o:p></p>
<p class="MsoPlainText">> Does that answer your question?<o:p></o:p></p>
<p class="MsoPlainText">> <o:p></o:p></p>
<p class="MsoPlainText">> I have used the mispfeed output bot as output to MISP, but I am not able to see feeds in MISP. Later I found an expert bot of MISP. Please guide me on how that can be used.<o:p></o:p></p>
<p class="MsoPlainText">> Add the bot to your configuration, set the parameters misp_key and misp_url according to your MISP setup.<o:p></o:p></p>
<p class="MsoPlainText">> <o:p></o:p></p>
<p class="MsoPlainText">> Btw: If you have a use-case and you don't know how to implement it, you may also ask here for input and ideas. Probably that saves you a few rounds of trial-and-error.<o:p></o:p></p>
<p class="MsoPlainText">> <o:p></o:p></p>
<p class="MsoPlainText">> Sebastian<o:p></o:p></p>
<p class="MsoPlainText">> <o:p></o:p></p>
<p class="MsoPlainText">> --<o:p></o:p></p>
<p class="MsoPlainText">> // Sebastian Wagner <<a href="mailto:wagner@cert.at"><span style="color:windowtext;text-decoration:none">wagner@cert.at</span></a>> - T: +43 676 898 298 7201<o:p></o:p></p>
<p class="MsoPlainText">> // CERT Austria - <a href="https://www.cert.at/"><span style="color:windowtext;text-decoration:none">https://www.cert.at/</span></a><o:p></o:p></p>
<p class="MsoPlainText">> // An initiative of nic.at GmbH - <a href="https://www.nic.at/"><span style="color:windowtext;text-decoration:none">https://www.nic.at/</span></a><o:p></o:p></p>
<p class="MsoPlainText">> // Company register number 172568b, LG Salzburg<o:p></o:p></p>
<p class="MsoPlainText">> KPMG (in India) allows reasonable personal use of the e-mail system. Views and opinions expressed in these communications do not necessarily represent those of KPMG (in India).<o:p></o:p></p>
<p class="MsoPlainText">> <o:p></o:p></p>
<p class="MsoPlainText">> **********************************************************************<o:p></o:p></p>
<p class="MsoPlainText">> *********************************<o:p></o:p></p>
<p class="MsoPlainText">> DISCLAIMER<o:p></o:p></p>
<p class="MsoPlainText">> The information in this e-mail is confidential and may be legally privileged. It is intended solely for the addressee. Access to this e-mail by anyone else is unauthorized. If you have received this communication in error, please address
with the subject heading "Received in error," send to <a href="mailto:postmaster1@kpmg.com">
<span style="color:windowtext;text-decoration:none">postmaster1@kpmg.com</span></a>, then delete the e-mail and destroy any copies of it. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken
in reliance on it, is prohibited and may be unlawful. Any opinions or advice contained in this e-mail are subject to the terms and conditions expressed in the governing KPMG client engagement letter. Opinions, conclusions and other information in this e-mail
and any attachments that do not relate to the official business of the firm are neither given nor endorsed by it.<o:p></o:p></p>
<p class="MsoPlainText">> <o:p></o:p></p>
<p class="MsoPlainText">> KPMG cannot guarantee that e-mail communications are secure or error-free, as information could be intercepted, corrupted, amended, lost, destroyed, arrive late or incomplete, or contain viruses.<o:p></o:p></p>
<p class="MsoPlainText">> <o:p></o:p></p>
<p class="MsoPlainText">> KPMG, an Indian partnership and a member firm of KPMG International Cooperative ("KPMG International"), a Swiss entity that serves as a coordinating entity for a network of independent firms operating under the KPMG name. KPMG International
Cooperative (“KPMG International”) provides no services to clients. Each member firm of KPMG International Cooperative (“KPMG International”) is a legally distinct and separate entity and each describes itself as such.<o:p></o:p></p>
<p class="MsoPlainText">> <o:p></o:p></p>
<p class="MsoPlainText">> “Notwithstanding anything inconsistent contained in the meeting invite to which this acceptance pertains, this acceptance is restricted solely to confirming my availability for the proposed call and should not be construed in any manner
as acceptance of any other terms or conditions. Specifically, nothing contained herein may be construed as an acceptance (or deemed acceptance) of any request or notification for recording of the call, which can be done only if it is based on my explicit and
written consent and subject to the terms and conditions on which such consent has been granted”<o:p></o:p></p>
<p class="MsoPlainText">> **********************************************************************<o:p></o:p></p>
<p class="MsoPlainText">> *********************************<o:p></o:p></p>
<p class="MsoPlainText">> --<o:p></o:p></p>
<p class="MsoPlainText">> List settings:<o:p></o:p></p>
<p class="MsoPlainText">> <a href="https://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-users">
<span style="color:windowtext;text-decoration:none">https://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-users</span></a><o:p></o:p></p>
<p class="MsoPlainText">> IntelMQ Documentation: <a href="https://intelmq.readthedocs.io/">
<span style="color:windowtext;text-decoration:none">https://intelmq.readthedocs.io/</span></a><o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
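<p class="MsoPlainText">A consistency check for a feed directory of the kind discussed in this thread, run before pointing MISP at it. This is an added example, not code from the thread, IntelMQ or MISP. It assumes the PyMISP feed layout (a manifest.json keyed by event UUID plus one &lt;uuid&gt;.json file per event); the function names and sample UUIDs are constructed.</p>

```python
import json
import tempfile
from pathlib import Path


def check_feed_dir(feed_dir):
    """Return a list of problems found in a MISP-format feed directory."""
    feed_dir = Path(feed_dir)
    try:
        manifest = json.loads((feed_dir / "manifest.json").read_text(encoding="utf-8"))
    except (OSError, json.JSONDecodeError) as exc:
        return [f"manifest.json unreadable: {exc}"]
    if not isinstance(manifest, dict):
        return ["manifest.json must be an object keyed by event UUID"]
    problems = []
    for uuid in sorted(manifest):
        event_path = feed_dir / f"{uuid}.json"
        if not event_path.is_file():
            problems.append(f"{uuid}: listed in manifest but {uuid}.json is missing")
            continue
        try:
            event_uuid = json.loads(event_path.read_text(encoding="utf-8"))["Event"]["uuid"]
        except (json.JSONDecodeError, KeyError, TypeError):
            problems.append(f"{uuid}: event file has no Event.uuid")
            continue
        if event_uuid != uuid:
            problems.append(f"{uuid}: Event.uuid does not match the file name")
    # Event files the manifest does not mention are invisible to a feed consumer.
    listed = {f"{u}.json" for u in manifest}
    for path in sorted(feed_dir.glob("*.json")):
        if path.name != "manifest.json" and path.name not in listed:
            problems.append(f"{path.name}: event file not listed in manifest")
    return problems


def demo():
    """Build a constructed feed with one good and one dangling manifest entry."""
    good = "11111111-1111-4111-8111-111111111111"      # constructed UUID
    dangling = "22222222-2222-4222-8222-222222222222"  # constructed UUID
    with tempfile.TemporaryDirectory() as tmp:
        feed = Path(tmp)
        meta = {"info": "constructed sample", "date": "2021-05-05"}
        (feed / "manifest.json").write_text(json.dumps({good: meta, dangling: meta}))
        (feed / f"{good}.json").write_text(json.dumps({"Event": {"uuid": good, **meta}}))
        return check_feed_dir(feed)


if __name__ == "__main__":
    print("\n".join(demo()))
```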
</div>
</body>
</html>