Hello Marius,
On Thursday, 03 September 2020 11:21:45, Marius Urkis wrote:
> Trying to figure out how to use MISP feed output bot, could someone advise.
It seems my MISP-fu is not strong enough to advise without doing lots of tests myself. Just to be sure, you are talking about using
https://github.com/certtools/intelmq/blob/develop/intelmq/bots/outputs/misp/... as documented here https://github.com/certtools/intelmq/blob/develop/docs/Bots.md#misp-feed, which runs into MISP as a "feed", via https://www.circl.lu/doc/misp/managing-feeds/
> MISP creates a new event once per period (per hour, or per day), and that makes MISP do correlation between these events and the ones created previously. And actually, as a result, the correlation table grows exponentially. Am I doing something wrong on the IntelMQ side or on the MISP side?
There are a number of options for MISP feeds, some are related to correlation and whether to keep old data in. Personally I'd play with these and ask in a MISP forum how they handle feeds in general. (We've developed the IntelMQ Output MISP API bot, and there you can set explicitly which fields you want to correlate, and you have to choose a few significant ones.)
> At IntelMQ I configure the bot to make one event per day (actually containing ~1500 events in the resulting JSON file). On the MISP side I have a MISP-feed-format feed.
If those are different events, they should not correlate much (in my simple understanding), but again I don't know how MISP handles other incoming "feeds".
Best Regards, Bernhard