|2 months ago|
|ansible||4 months ago|
|doc||4 months ago|
|src/MISP_maltego||2 months ago|
|.canari||1 year ago|
|.gitignore||5 months ago|
|.mrbob.ini||1 year ago|
|Dockerfile||8 months ago|
|LICENSE||1 year ago|
|MANIFEST.in||1 year ago|
|README.md||4 months ago|
|TRANSFORM_HUB_DISCLAIMER.md||8 months ago|
|k8s.yaml||6 months ago|
|publish_to_pip.sh||1 year ago|
|setup.py||2 months ago|
This user guide should help you through the installation of MISP-Maltego, and should guide you how to use it through a few use-cases. As this is a collaborative project, do not hesitate to propose changes, write other use-cases or raise feature requests for missing features.
Currently supported MISP elements are : Event, Attribute, Object (incl relations), Tag, Taxonomy, Galaxy (incl relations).
Once installed you can start by creating a
MISPEvent entity, then load the Machine
EventToAll or the transform
Alternatively initiate a transform on an existing Maltego entity.
The currently supported entities are:
For MITRE ATT&CK pivoting, feel free to start with an
Threat Actor, or
MISPGalaxy. Create your entity, enter a keyword such as
%gama% and use the
Search in MISP transform to get started.
Open the Transform Hub, locate ATT&CK - MISP and press the Install button.
Your transforms will go through Paterva's servers and ours. See the Transform Hub Disclaimer for more information.
If you trust nobody, or just want to connect to your local MISP server you can install everything as local transforms.
These instructions have been tested on Ubuntu 18.04 LTS, but should be similar on other systems.
sudo pip3 install MISP-maltego
canari create-profile MISP_maltego
MISP_maltego.mtzfile and follow the prompts.
$HOME/.canari/MISP_maltego.confand enter your
MISP-Maltego tries to use as much as possible the default Paterva entities, or the most popular from the community. It however comes with a few custom entities:
In this use case we will be using already existing entities and will initiate a transform using MISP. The currently supported entities are:
domainwith the value
While MISP already has a graphing capability we would like to use the power of Maltego to look at the data and expand the work.
event id, or
If you use MISP as central database it can be quite convenient to know which data is present in MISP, and which data is not; especially after using a number of other transforms. To permit this MISP-Maltego will always add a green bookmark to all the data that is present in MISP.
As with the MISP attribute search through the MISP Web UI you can use
% wildcards at the front and end to specify the substring. You might be tempted to always use
%keyword%, but bare in mind how databases indexes work; a search for
keyword% will always be much faster than
Galaxies are actually tags with much more contextual data. Examples are threat actors, malware families, but also the whole MITRE ATT&CK data is available as Galaxy. All this data comes from the MISP Galaxy repository. Today the integration is not done using a MISP server because of limitations in MISP. You might encounter Galaxies when transforming from MISP Events or Attributes. An alternative use-case is by starting immediately from a Galaxy. There are 3 ways to manually create a good Galaxy Entity.
To use the magical search feature:
Apply the same steps for MITRE ATT&CK browsing:
You might end up with such a graph:
Having access to a large amount of Threat information through MISP Threat Sharing communities gives you outstanding opportunities to aggregate this information and take the process of trying to understand how all this data fits together telling a broader story to the next level. We are transforming technical data or indicators of compromise (IOCs) into cyber threat intelligence. This is where the analytical challenge begins. [read more]
In some communities such as the COVID-19 MISP some events contain tens of thousands attributes. Loading all the attributes from these events might not be a good idea if you do not have Maltego XL. You can see the amount of attributes and objects in the Event properties, so you can think before you click:
This software is licensed under GNU Affero General Public License version 3
Note: Before being rewritten from scratch this project was maintained by Emmanuel Bouillon. The code is available in the
The logo is CC-BY-SA and was designed by Françoise Penninckx
The icons in the intelligence-icons folder are from intelligence-icons licensed CC-BY-SA - Françoise Penninckx, Brett Jordan