Dear all,
Marius is already in contact with Raphaël Vinot, the MISP Feed Output author and MISP developer. Here is a short summary by Raphaël, which I can share here on his behalf:
If you have a lot of similarities across events, you have the following options to avoid a crazy amount of correlations:
- Create fewer events (once a week for example)
- Disable correlation at event level
- Keep the feed in memory only and not create events out of it in the database. => in that case, you will still be able to see hits against indicators in the events from the feed, but they're in redis only instead of in MySQL so it's not a problem.
best regards
Sebastian
Hello IntelMQ users,

Trying to figure out how to use the MISP feed output bot, could someone advise?

MISP creates a new event once per period (per hour, or per day), and that makes MISP do correlation between these events created previously. And actually that results in the correlation table growing exponentially. Am I doing something wrong on the IntelMQ side or in MISP?

In IntelMQ I configure the bot to make one event per day (actually containing ~1500 events in the resulting JSON file). On the MISP side I have a MISP feed format feed.

Best regards
--
Marius Urkis

--
// Sebastian Wagner <wagner@cert.at> - T: +43 1 5056416 7201
// CERT Austria - https://www.cert.at/
// An initiative of nic.at GmbH - https://www.nic.at/
// Company register number 172568b, LG Salzburg