hack.lu 2023

MISP42: connecting CTI and SOC teams
2023-10-17 , Salle Europe

In cybersecurity, CTI and SOC teams often seat next to each other. The CTI team accumulates impressive amount of threat intelligence including technical IOCs. On SOC side even more impressive amount of data is collected in data lakes even now data oceans (logs, telemetry, network flow or traffic, etc.).
MISP has been available for years as a Threat Intelligence platform and had highly facilitated sharing across the security community, mainly between CTI teams. In particular, MISP allows an organisation to have IOC data set ready to be used.
Still SOC teams rather often struggle to consume those IOCs into their monitoring and detection platforms and event more to feed back into MISP for new findings or sightings from the alerts or retro searches run on the SOC platforms.
MISP42 is an open-source app developed to help SOC teams using Splunk platform to make the use of IOCs in MISP an easy workflow that can be automated.


The presentation will present the challenges CTI and SOC team may have in using in an actionable way IOCs on the monitoring and detection platforms to introduce why MISP42 was developed for Splunk (it was the main platform of the SOC at the time).

Then the 2 main use cases will be detailed with practical examples
- use MISP IOC into Splunk for hunting, retrosearch, threat activity or detection enrichment.
- use findings/matches on Splunk to create new events or increment sightings factors
and finally illustrate the swiss-knife concept of MISP42 (one command designed to be a wrapper of MISP REST API)

I work in cybersecurity for more than 15 years mainly in Blue teams but I am interested to foster purple teaming. I fully support Libre software and try to contribute to the open source community.