Query announces the Malware Information Sharing Platform (MISP) Connector!
The MISP Connector for Query Federated Search lets customers bring back normalized Open Source Intelligence (OSINT) and Cyber Threat Intelligence (CTI) data from MISP. MISP, originally the Malware Information Sharing Platform and now branded MISP Threat Sharing, is the most widely deployed open source Threat Intelligence Platform (TIP) today. As the original name suggests, it started life as a malware analysis and Digital Forensics/Incident Response (DFIR) project, but it has grown well beyond that and is used by organizations of all sizes to build intelligence products and analytics, or simply to store and disseminate Indicators of Compromise (IOCs).
The core concept of MISP is sharing information, and the way that information is structured is spelled out in the MISP data models. The basic unit is the Attribute: a single value (an IP address, a domain, a file hash, a campaign identifier) carrying a top-level Category and a Type. Categories are intelligence-specific groupings such as Network activity, Payload delivery and Persistence mechanism; Types are not programming-language data types but controlled-vocabulary identifiers such as boolean, campaign-id, cc-number and ip-dst. In that sense MISP Attributes line up with Open Cybersecurity Schema Framework (OCSF) Attributes. Attributes are grouped into Events, and MISP Objects are templates that bundle related Attributes into a noun (a file object carrying a filename alongside its md5 and sha256, for example), which is the rough counterpart of the Objects in the Query Data Model (QDM), itself based on OCSF.
The Query Connector for MISP connects to MISP servers and searches the Attributes within their Events. Events are created by analysts inside the company as well as by external parties who curate Feeds (collections of Events) describing IOCs, behaviors, threat groups, campaigns and more. MISP exposes this through its restSearch API (POST /attributes/restSearch, authenticated by passing the Auth Key in the Authorization header), which lets us retrieve the specific Attributes matching our Entities and surface the results normalized to the OSINT Inventory Info Event Class.
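To make the restSearch flow concrete, here is an added example written for this page; it is not Query's connector code or anything from the MISP project. It maps a raw IOC to the MISP attribute types worth searching, builds the JSON body for POST /attributes/restSearch, and flattens the Attribute records MISP returns (each carrying its parent Event's info) into plain dicts. The restSearch parameters (`returnFormat`, `value`, `type`, `to_ids`, `enforceWarninglist`, `includeEventTags`) and the response shape are MISP's; the IOC classification rules, the hostname `misp.example.internal`, the Auth Key value and the response payload are constructed for the example. The HTTP transport is injected so the code runs offline; a real deployment would pass a function built on `requests` or `urllib`.

```python
"""Added example: build a MISP restSearch query and normalize its results (offline)."""
import ipaddress
import json
import re
from typing import Callable

# Hex digest lengths map to MISP attribute types.
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)

# Constructed stand-in for what /attributes/restSearch returns; not real MISP data.
SAMPLE_RESPONSE = {
    "response": {
        "Attribute": [
            {
                "id": "101", "event_id": "7", "category": "Network activity",
                "type": "ip-dst", "value": "203.0.113.7", "to_ids": True,
                "comment": "C2 callback observed in sandbox run (constructed)",
                "Event": {"id": "7", "info": "Constructed example: C2 infrastructure"},
                "Tag": [{"name": "tlp:amber"}, {"name": "type:OSINT"}],
            }
        ]
    }
}


def misp_types_for(ioc: str) -> list[str]:
    """Guess which MISP attribute types a bare IOC string should be searched as.

    The type names are MISP's; the classification heuristic is this example's.
    """
    value = ioc.strip()
    try:
        ipaddress.ip_address(value)
        return ["ip-dst", "ip-src"]
    except ValueError:
        pass
    if len(value) in HASH_TYPES and re.fullmatch(r"[0-9a-fA-F]+", value):
        return [HASH_TYPES[len(value)]]
    if DOMAIN_RE.match(value):
        return ["domain", "hostname"]
    raise ValueError(f"unsupported IOC: {ioc!r}")


def build_restsearch(ioc: str, to_ids_only: bool = True) -> dict:
    """JSON body for POST /attributes/restSearch.

    to_ids=1 keeps only attributes the analyst marked as detection-grade, and
    enforceWarninglist drops values on MISP's known-benign warninglists
    (public DNS resolvers, RFC 1918 space, and so on), which cuts false positives.
    """
    body = {
        "returnFormat": "json",
        "value": ioc.strip(),
        "type": misp_types_for(ioc),
        "enforceWarninglist": True,
        "includeEventTags": True,
    }
    if to_ids_only:
        body["to_ids"] = 1
    return body


def normalize(resp: dict) -> list[dict]:
    """Flatten MISP Attribute records (with embedded Event and Tag) into plain dicts."""
    records = []
    for attr in resp.get("response", {}).get("Attribute", []):
        event = attr.get("Event", {})
        records.append({
            "value": attr["value"],
            "type": attr["type"],
            "category": attr["category"],
            "to_ids": bool(attr.get("to_ids")),
            "event_id": attr["event_id"],
            "event_info": event.get("info", ""),
            "tags": [t["name"] for t in attr.get("Tag", [])],
            "comment": attr.get("comment", ""),
        })
    return records


def search_misp(base_url: str, auth_key: str, ioc: str,
                post: Callable[[str, dict, str], dict]) -> list[dict]:
    """Run one restSearch for an IOC through an injected HTTP POST function."""
    if not base_url.lower().startswith("https://"):
        raise ValueError("refusing to send a MISP Auth Key over plaintext HTTP")
    url = base_url.rstrip("/") + "/attributes/restSearch"
    headers = {"Authorization": auth_key,
               "Accept": "application/json",
               "Content-Type": "application/json"}
    return normalize(post(url, headers, json.dumps(build_restsearch(ioc))))


def fake_post(url: str, headers: dict, body: str) -> dict:
    """Offline transport for the demo; returns the constructed response."""
    assert url.endswith("/attributes/restSearch") and headers["Authorization"]
    return SAMPLE_RESPONSE


if __name__ == "__main__":
    for hit in search_misp("https://misp.example.internal", "EXAMPLE-AUTH-KEY",
                           "203.0.113.7", fake_post):
        print(f"{hit['value']} [{hit['type']}] to_ids={hit['to_ids']} "
              f"event={hit['event_id']} '{hit['event_info']}' tags={hit['tags']}")
```

The `to_ids` and `enforceWarninglist` filters are the two knobs worth turning first when a MISP search returns noise: the former trusts the publishing analyst's judgement about whether a value is safe to alert on, the latter MISP's own list of values that are never useful as indicators.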
In practice, a customer searching for IP addresses, domains, hostnames, hashes or other IOCs as part of an investigation or threat hunt gets back every MISP Event containing a matching Attribute. The Event's name and commentary support decision making, especially when the MISP instance ties the IOC to a named threat group or a specific attack technique. A match is context rather than a verdict, though: before acting on it, check the Attribute's to_ids flag (whether the publishing analyst considered it detection-grade), the organization that published the Event, and its tags (TLP marking, confidence and the like), since stale or low-confidence feed data is common in shared instances.
All that is required is an API Key (Auth Key) and the URL of the MISP instance, either a publicly reachable instance or a proxy endpoint. Because federated search only reads from MISP, create a dedicated MISP user with a read-only role and issue the Auth Key to that user rather than reusing an administrator's key; IP allowlisting can then be enforced on the Auth Key itself and at the instance level. For information on the Query IP address range, reach out to the product team at product@query.ai.
For incident responders, investigators, threat hunters, security architects, IT audit, IT governance and other personas, Query Federated Search provides a quick and easy way to glean important information from MISP without setting up your own automation or connectivity, or adapting to the MISP APIs yourself.
For more information, refer to our documentation here.