{"id":14628,"date":"2022-11-08T22:30:59","date_gmt":"2022-11-08T19:30:59","guid":{"rendered":"https:\/\/kifarunix.com\/?p=14628"},"modified":"2024-03-09T23:22:51","modified_gmt":"2024-03-09T20:22:51","slug":"how-to-integrate-thehive-with-misp","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/how-to-integrate-thehive-with-misp\/","title":{"rendered":"How to Integrate TheHive with MISP"},"content":{"rendered":"\n<p>Follow through this tutorial to learn how to integrate TheHive with MISP. TheHive, a Security Incident Response Platform (SIRP), can be integrated with <a href=\"https:\/\/www.misp-project.org\/\" target=\"_blank\" rel=\"noreferrer noopener\">MISP<\/a> (Malware Information Sharing Platform) to make the investigation of security incidents easier for SOC analysts, CSIRTs or CERTs.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Integrating TheHive with MISP<\/h2>\n\n\n\n<p>To integrate TheHive with MISP, you can deploy each of these components on separate nodes or all on a single node. 
We will be using a single node for demonstration purposes in this guide.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Install and Configure TheHive<\/h3>\n\n\n\n<p>In order to integrate TheHive with MISP, you first need to have TheHive running.<\/p>\n\n\n\n<p>Follow through this guide to learn how to install and configure TheHive;<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-thehive-on-ubuntu\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install TheHive on Ubuntu 22.04\/Ubuntu 20.04<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Install MISP<\/h3>\n\n\n\n<p>Follow through the guide below to learn how to install MISP on Ubuntu 22.04\/Ubuntu 20.04.<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-misp-on-ubuntu\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install MISP on Ubuntu 22.04\/Ubuntu 20.04<\/a><\/p>\n\n\n\n<p>You can simply download and execute the installation script on any supported system.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Integrating TheHive with MISP<\/h3>\n\n\n\n<p>Integrating TheHive with MISP lets both tools work hand in hand in incident analysis. 
MISP can be configured to send event alerts into TheHive, while TheHive can be configured to send event observables into MISP for analysis.<\/p>\n\n\n\n<p>To integrate TheHive with MISP;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Generate MISP Auth key<\/li>\n<\/ul>\n\n\n\n<p>Log in to the MISP web interface as an administrative user and navigate to <strong>Administration &gt; List Auth Keys &gt; Add authentication Key<\/strong>;<\/p>\n\n\n\n<p>Select the user to create an API key for, add a comment, define the IPs allowed to query MISP using the key (restricting this to TheHive's address limits where the key can be used from), set an expiration date or leave it blank so the key never expires, and choose whether the key should be read-only.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1327\" height=\"836\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/11\/MISP-auth-key.png\" alt=\"How to Integrate TheHive with MISP\" class=\"wp-image-14735\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/11\/MISP-auth-key.png?v=1667919354 1327w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/11\/MISP-auth-key-768x484.png?v=1667919354 768w\" sizes=\"(max-width: 1327px) 100vw, 1327px\" \/><\/figure><\/div>\n\n\n<p>Click Submit to create the MISP auth key;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1205\" height=\"515\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/11\/MISP-auth-key-created.png\" alt=\"\" class=\"wp-image-14737\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/11\/MISP-auth-key-created.png?v=1667919413 1205w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/11\/MISP-auth-key-created-768x328.png?v=1667919413 768w\" sizes=\"(max-width: 1205px) 100vw, 1205px\" \/><\/figure>\n\n\n\n<p>Next, copy and save the key somewhere you can retrieve it when needed. 
Once you click <strong>take me back now<\/strong>, you won't be able to see the rest of the key.<\/p>\n\n\n\n<p>Next, open TheHive's application configuration file, <code>\/etc\/thehive\/application.conf<\/code>, and uncomment the MISP configuration settings.<\/p>\n\n\n\n<p>Note that we are using TheHive 5 in this guide, so the path to the configuration file may vary for other versions.<\/p>\n\n\n\n<p>Open the application.conf file;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo vim \/etc\/thehive\/application.conf<\/code><\/pre>\n\n\n\n<p>Then append the following configuration, or update it if it already exists;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code># Integrate TheHive with MISP\n## MISP configuration\nmisp {\n  interval: 2m\n  servers: [\n    {\n      name = \"Kifarunix-demo MISP\"            \n      url = \"https:\/\/misp.kifarunix-demo.com\" \n      auth {\n        type = key\n        key = \"<strong>OVI6wc3eBSdpdTkrmWL7W1HnPsLzyQQLIzDVxeOZ<\/strong>\"\n       }\n#      wsConfig {}\n      wsConfig.ssl.loose.acceptAnyCertificate: true\n#      caseTemplate = \"&lt;Template_Name_goes_here&gt;\"      \n#      tags = [\"misp-server-id\"]\n#      max-age = 7 days\n#      exclusion {\n#        organisations = [\"bad organisation\", \"other orga\"]\n#        tags = [\"tag1\", \"tag2\"]\n#      }\n#      whitelist {\n#        tags = [\"tag1\", \"tag2\"]\n#      }\n#      includedTheHiveOrganisations = [\"*\"]\n#      excludedTheHiveOrganisations = []\n    }\n  ]\n}\n<\/code><\/pre>\n\n\n\n<p>Also, ensure TheHive's MISP module is enabled;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>scalligraph.modules += org.thp.thehive.connector.misp.MispModule<\/code><\/pre>\n\n\n\n<p>Note that the line<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>  wsConfig.ssl.loose.acceptAnyCertificate: true<\/code><\/pre>\n\n\n\n<p>disables TLS certificate verification for the MISP connection, which allows us to use either commercially signed or private self-signed certificates. 
We are using the private self-signed certificates generated by the MISP installer in this guide.<\/p>\n\n\n\n<p>Restart TheHive service;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo systemctl restart thehive<\/code><\/pre>\n\n\n\n<p>Next, log in to TheHive web UI and confirm the integration with MISP.<\/p>\n\n\n\n<p>You should see the MISP icon at the bottom left corner turn green.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1901\" height=\"931\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/11\/thehive-MISP-module.png\" alt=\"How to Integrate TheHive with MISP\" class=\"wp-image-14741\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/11\/thehive-MISP-module.png?v=1667924227 1901w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/11\/thehive-MISP-module-768x376.png?v=1667924227 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/11\/thehive-MISP-module-1536x752.png?v=1667924227 1536w\" sizes=\"(max-width: 1901px) 100vw, 1901px\" \/><\/figure>\n\n\n\n<p>Click on the icon to view the MISP server details;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1907\" height=\"869\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/11\/thehive-MISP-integration.png\" alt=\"How to Integrate TheHive with MISP\" class=\"wp-image-14742\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/11\/thehive-MISP-integration.png?v=1667924249 1907w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/11\/thehive-MISP-integration-768x350.png?v=1667924249 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/11\/thehive-MISP-integration-1536x700.png?v=1667924249 1536w\" sizes=\"(max-width: 1907px) 100vw, 1907px\" \/><\/figure>\n\n\n\n<p>TheHive should now be able to pull any events that are published on MISP.<\/p>\n\n\n\n<p>You can check how to <a 
href=\"https:\/\/kifarunix.com\/install-misp-on-ubuntu\/#the-misp-events\" target=\"_blank\" rel=\"noreferrer noopener\">enable the default open-source MISP feeds<\/a> to download events related to known malware, APTs, ransomware and their attributes, metadata, IOCs and so on.<\/p>\n\n\n\n<p>If events are already populated and published in MISP, TheHive will immediately start to pull those published events as alerts;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1899\" height=\"869\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/11\/thehive-misp-event-alerts.png\" alt=\"How to Integrate TheHive with MISP\" class=\"wp-image-14751\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/11\/thehive-misp-event-alerts.png?v=1667929129 1899w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/11\/thehive-misp-event-alerts-768x351.png?v=1667929129 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/11\/thehive-misp-event-alerts-1536x703.png?v=1667929129 1536w\" sizes=\"(max-width: 1899px) 100vw, 1899px\" \/><\/figure><\/div>\n\n\n<p>Open an alert's preview to see more details;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1905\" height=\"927\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/11\/thehive-misp-event-alert-details.png\" alt=\"\" class=\"wp-image-14753\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/11\/thehive-misp-event-alert-details.png?v=1667929651 1905w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/11\/thehive-misp-event-alert-details-768x374.png?v=1667929651 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/11\/thehive-misp-event-alert-details-1536x747.png?v=1667929651 1536w\" sizes=\"(max-width: 1905px) 100vw, 1905px\" \/><\/figure>\n\n\n\n<p>You can define the tags\/list of organizations 
for the events that you want to pull from MISP in the integration configuration file (the commented <code>tags<\/code>, <code>exclusion<\/code> and <code>whitelist<\/code> settings shown earlier).<\/p>\n\n\n\n<p>With that kind of integration, any event published on MISP will automatically be pulled into TheHive as an alert.<\/p>\n\n\n\n<p>And that is it on integrating TheHive with MISP.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Other Tutorials;<\/h3>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/how-to-integrate-elk-stack-with-thehive\/\" target=\"_blank\" rel=\"noreferrer noopener\">How to Integrate ELK Stack with TheHive<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/enroll-windows-systems-into-osquery-fleet-manager\/\" target=\"_blank\" rel=\"noreferrer noopener\">Enroll Windows Systems into Osquery Fleet Manager<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Follow through this tutorial to learn how to integrate TheHive with MISP. TheHive, a Security Incident Response Platform (SIRP) can be integrated with MISP, (Malware<\/p>\n","protected":false},"author":1,"featured_media":14755,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[34,121,72],"tags":[6069,6073,6068,6071,6072,6038,6070],"class_list":["post-14628","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","category-howtos","category-monitoring","tag-how-to-integrate-thehive-with-misp","tag-integrate-thehive-and-misp","tag-misp","tag-misp-events-on-thehive","tag-misp-self-signed","tag-thehive","tag-thehive-and-misp","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/14628"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/w
p\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=14628"}],"version-history":[{"count":15,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/14628\/revisions"}],"predecessor-version":[{"id":20659,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/14628\/revisions\/20659"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/14755"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=14628"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=14628"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=14628"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}