MISP
/
misp-website
mirror of https://github.com/MISP/misp-website
2
0
Fork 0
Code Issues Releases Wiki Activity

new: [blog] how to use the TAXII export in MISP

pull/80/head
Alexandre Dulaunoy 2023-04-29 17:48:14 +02:00
parent 445a275e00
commit 9c5767bef1
No known key found for this signature in database
GPG Key ID: 09E2CD4944E6CBCD
1 changed files with 114 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

114
content/blog/MISP.how.to.push.to.a.taxii.server.md Normal file
View File

@ -0,0 +1,114 @@
---
title: How to push to a TAXII server from MISP
date: 2023-04-29
layout: post
banner: /img/blog/taxii-1.png
---
If you want to push data from your MISP instance to a TAXII server, there are a few steps you need to follow. Firstly, you'll need to ensure that your MISP instance is configured to export data in a format that the TAXII server can accept. This typically involves converting the data to STIX 2.x format by using the builtin [misp-stix converter](https://github.com/MISP/misp-stix). Next, you'll need to establish a connection between your MISP instance and the TAXII server by configuring the appropriate API and collection endpoints in the MISP sync action. Once this is done, you can initiate the data transfer from your MISP instance to the TAXII server by pushing the searched data to the designated API and collection.
MISP has an automatic feature to support the automatic export from MISP to a TAXII 2.1 server. This article includes all the steps including the installation of TAXII 2.1 server for testing.
# TAXII 2.1 server configuration example
### Install medallion
- From git
```bash
git clone https://github.com/oasis-open/cti-taxii-server.git
cd cti-taxii-server
# optional but appreciated
virtualenv -p python3 venv
source ./venv/bin/activate
pip3 install -r requirements.txt
pip3 install .
```
- From pypi
```bash
pip3 install medallion
```
### Run medallion
Some important points:
- medallion runs on http only
- the default port is 5000
- look at the configuration file and check the options
- **set the host address with the `-h` option**
```bash
medallion -h <HOST> -c <config_file.json>
```
### Push data to TAXII
MISP has an integration for TAXII servers, which includes:
- TAXII servers configuration listing
- discovery end point on each TAXII server to list and choose:
- the API root
- the collections
- Filtering on the content to push
The list of TAXII servers is available via the `Sync Actions` tab -> `List Taxii Servers`
![](/img/blog/taxii-1.png)
#
#### Make your running TAXII server reachable from MISP
In order to add a new connection to a TAXII server, you need to provide:
- the server url
- an API key being the base64 encoded string of `<username>:<password>`
- the API root
- the collection name
![](static/img/blog/taxi-2.png)
#
#### Filter on the data to push
In the TAXII server connection config, you can define filter rules.
Those rules are basically the ones you would use as `HTTP body` of a `restSearch` request.
This means you can filter on a lot of different things, for example:
- data that is owned by your own organisation
```json
{
"org": "<YOUR_ORG>"
}
```
- content marked with certain tags
```json
{
"tags": [
"tlp:white",
"stix_push"
]
}
```
- a more specific example
```json
{
"org": "CIRCL",
"tags": "tlp:white",
"type": [
"ip-src",
"ip-dst"
]
}
```
#
The feature is converting your content to STIX 2.x format then it can be automatically exported and pushed to the designated API and collection on the TAXII server."