MISP was originally conceived to share IoCs with other researchers. STIX 2 is a language and serialization format used to exchange cyber threat intelligence (CTI). STIX 1 (2012) is nearly as old as MISP (2011), but has been deprecated in favor of STIX 2.
Conversion between the two formats is often necessary, as one might want to ingest MISP data into a TAXII server, or have a MISP server that needs STIX data from a TAXII server. MISP uses its own data format for events, and there is no complete overlap between the STIX and MISP formats. As a consequence, conversion is lossy: information is lost.
I recently wanted to set up a pipeline to ingest data from a TAXII server into MISP. It is very straightforward if you do not want to modify your data before uploading it to MISP. However, if you need to enrich your MISP data before the upload, for example by adding tags or setting the threat level, things get interesting. Since I ran into some oddities and did not find much help, I’m writing down the steps needed to ingest STIX data into MISP with the intermediary step to enrich the converted data.
Overview of the Pipeline
Here are the steps for a successful conversion:
- Download STIX data from TAXII server
- Convert data to MISP format
- Create MISP event object
- Enrich event data
- Create event via API in MISP
The code snippets below are incomplete (no credentials and such) and unrefined (no error handling), to focus on the important steps. For the intermediary files you might want to use Python’s tempfile instead or clean them up via a cronjob.
Requirements
To successfully convert STIX data to MISP, you need an additional library. Note that there are several (unmaintained) converters out there, but I use the official one from the MISP project, called misp-stix. Also note that from January 1st 2024 onwards, pyMISP requires at least Python 3.10 to run, even though your MISP installation might still use an older Python version.
Here are the third-party requirements:
Directly Upload STIX Data to MISP
If you do not want to modify the STIX data in any way, the upload is a no-brainer:
Enrich MISP Data Before Upload
The library misp-stix is a CLI tool, but can also be used in a Python script. Oddly enough, the function stix_2_to_misp() can only save a MISP event as a serialized JSON object to disk and not directly create a MISPEvent object. I dug a bit through the code, but did not find any documentation: there seems to be no other way than to serialize first, then read the file in again to get a MISPEvent object. If you find another way, feel free to ping me on Mastodon, as I was not able to find another solution (and also wanted to get the job done).
Another pitfall lies in the arguments of stix_2_to_misp(): the code lists two arguments, output_dir and output_name. However, if you use both, it will save the file in the script’s working directory and not in output_dir. Since the code has no docstrings and not much documentation, I am unsure what the developers intended there. Maybe I missed something, but again, I wanted to get the job done. For the script to find the newly created file, use only output_name with a complete file path.
Here’s the sample code:
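As an added example (not the author's snippet, which is not reproduced on this page, and not code from the misp-stix or pyMISP projects), the script below implements the five steps listed above and also the direct-upload path from the earlier section. It assumes that misp-stix exposes misp_stix_converter.stix_2_to_misp(filename, output_name=...) as described in the post, that pymisp and taxii2-client are installed, and that the URLs, credentials and tag names are placeholders. Third-party imports are deferred into the functions that need them, so the JSON enrichment step can be run offline on the constructed sample event.

```python
"""
Added example, not the blog's own code: TAXII 2.1 collection -> STIX bundle on disk
-> misp-stix conversion (JSON on disk) -> enrichment -> MISPEvent -> MISP API.
Assumptions: misp_stix_converter.stix_2_to_misp(filename, output_name=...) behaves
as the post describes; pymisp and taxii2-client are installed; all URLs,
credentials and tag names are placeholders.
"""
import json
import tempfile
import uuid
from pathlib import Path

# MISP threat_level_id values as stored in the event JSON.
THREAT_LEVEL = {"high": 1, "medium": 2, "low": 3, "undefined": 4}


def envelope_to_bundle(envelope):
    """A TAXII 2.1 objects response is an envelope {"more": .., "objects": [..]};
    misp-stix converts a STIX bundle file, so wrap the objects in a bundle."""
    return {
        "type": "bundle",
        "id": f"bundle--{uuid.uuid4()}",
        "objects": list(envelope.get("objects", [])),
    }


def fetch_bundle(collection_url, user, password):
    """Step 1: download one TAXII 2.1 collection (first page only; paging not handled)."""
    from taxii2client.v21 import Collection  # deferred: needs taxii2-client
    collection = Collection(collection_url, user=user, password=password)
    return envelope_to_bundle(collection.get_objects())


def convert_to_misp_json(bundle, workdir):
    """Step 2: write the bundle and convert it with misp-stix. As the post notes, pass
    only output_name with a full path; output_dir is ignored when both are given."""
    from misp_stix_converter import stix_2_to_misp  # deferred: assumed API (see post)
    bundle_path = Path(workdir) / "stix_bundle.json"
    bundle_path.write_text(json.dumps(bundle))
    misp_path = Path(workdir) / "misp_event.json"
    stix_2_to_misp(str(bundle_path), output_name=str(misp_path))
    return json.loads(misp_path.read_text())  # the serialized event misp-stix wrote


def enrich_event(event_json, tags, threat_level):
    """Step 4, done on the JSON before it becomes a MISPEvent: add tags (deduplicated
    by name) and set threat_level_id. Accepts {"Event": {...}} or a bare event dict."""
    event = event_json["Event"] if "Event" in event_json else event_json
    event.setdefault("Tag", [])
    present = {t["name"] for t in event["Tag"]}
    for name in tags:
        if name not in present:
            event["Tag"].append({"name": name})
            present.add(name)
    event["threat_level_id"] = THREAT_LEVEL[threat_level]
    return event_json


def upload_event(event_json, misp_url, misp_key, verify_ssl=True):
    """Steps 3 and 5: load the enriched JSON into a MISPEvent and create it via the API.
    MISPEvent.load() accepts the {"Event": ...} wrapper with Tag and threat_level_id."""
    from pymisp import MISPEvent, PyMISP  # deferred: needs pymisp
    event = MISPEvent()
    event.load(event_json)
    misp = PyMISP(misp_url, misp_key, verify_ssl)
    return misp.add_event(event, pythonify=True)


def upload_stix_directly(bundle, misp_url, misp_key, verify_ssl=True):
    """The no-enrichment path from the post: hand the STIX 2 file to MISP as-is."""
    from pymisp import PyMISP  # deferred: needs pymisp
    with tempfile.TemporaryDirectory() as workdir:
        bundle_path = Path(workdir) / "stix_bundle.json"
        bundle_path.write_text(json.dumps(bundle))
        misp = PyMISP(misp_url, misp_key, verify_ssl)
        return misp.upload_stix(bundle_path, version="2")


def run_pipeline(collection_url, taxii_user, taxii_password, misp_url, misp_key,
                 tags=("tlp:amber", "source:taxii-feed"), threat_level="medium"):
    """All five steps; intermediary files live in a TemporaryDirectory, as the post suggests."""
    bundle = fetch_bundle(collection_url, taxii_user, taxii_password)
    with tempfile.TemporaryDirectory() as workdir:
        event_json = convert_to_misp_json(bundle, workdir)
    return upload_event(enrich_event(event_json, tags, threat_level), misp_url, misp_key)


# Constructed sample of what misp-stix writes to disk, trimmed to the keys used here.
SAMPLE_EVENT_JSON = {
    "Event": {
        "info": "constructed sample event",
        "threat_level_id": 4,
        "Tag": [{"name": "tlp:amber"}],
        "Attribute": [{"type": "domain", "value": "example.invalid"}],
    }
}

if __name__ == "__main__":
    # Offline demo of the enrichment step; the network steps need a TAXII server and a MISP.
    enriched = enrich_event(SAMPLE_EVENT_JSON, ["tlp:amber", "source:taxii-feed"], "medium")
    print(json.dumps(enriched, indent=2))
```

The enrichment is applied to the serialized JSON rather than to the MISPEvent object so that it can be exercised without a MISP instance; the same changes can be made after MISPEvent.load() with event.add_tag() and by assigning event.threat_level_id. The TAXII step reads a single page; a feed that sets "more": true needs the client's paging support before the objects are wrapped into a bundle.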
Someone gracefully provided the code to retrieve data from the TAXII server and allowed me to include it here to benefit the wider community. Thank you.
Image source: “one big server on a mounain. Another server on another mountain. Mountains connected by a bridge”, Nightcafe/Crystal Clear XL.
Last modified on 2024-02-08