This script downloads MISP events in STIX format. McAfee ESM is then configured to pull the STIX files from that folder location via SCP and run automated triage processes.
McAfee Enterprise Security Manager (ESM) is a security information and event management (SIEM) solution that delivers actionable intelligence and integrations to prioritize, investigate, and respond to threats. https://www.mcafee.com/enterprise/en-us/products/enterprise-security-manager.html
MISP threat sharing platform is free and open source software helping information sharing of threat and cyber security indicators. https://github.com/MISP/MISP
Download the Latest Release
- Extract the release .zip file
MISP platform installation (Link) (tested with MISP 2.4.121)
Requests (Link)
PyMISP library installation (Link)
```
git clone https://github.com/MISP/PyMISP.git
cd PyMISP/
python setup.py install
```
MISP receives intelligence feeds from multiple sources. The provided script will export tagged events as STIX files and McAfee ESM will pull these STIX files for automated investigations.
The misp_stix.py script will export tagged events as STIX files to a given location.
Enter the MISP IP/URL, the API key, the MISP tag to look for and the location where the STIX files should be stored (lines 12 - 15 of the script).
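As an added illustration (not the repository's misp_stix.py), the export loop such a script runs, written against PyMISP's `search()` signature: the real connection would be `PyMISP(url, api_key, ssl=True)` from the PyMISP library, and it is assumed that `return_format='stix-xml'` returns the raw STIX 1.x document as a string. Filenames come only from the event UUID, and each file is written atomically so the ESM SCP pull never reads a half-written document.

```python
"""Export MISP events carrying a given tag to a folder as STIX 1.x XML files."""
import os
import re
import tempfile

# Only characters we accept in an output filename.
_UNSAFE = re.compile(r"[^A-Za-z0-9._-]")


def stix_filename(event_uuid: str) -> str:
    """Name the file after the event UUID only: event 'info' strings arrive from
    remote feeds and must never be used to build a filesystem path."""
    cleaned = _UNSAFE.sub("_", event_uuid)
    if not cleaned or cleaned in (".", ".."):
        raise ValueError("unusable event uuid")
    return f"misp_{cleaned}.xml"


def write_atomically(directory: str, name: str, data: str) -> str:
    """Write to a temp file in the same directory, then rename it into place, so a
    puller that copies the folder over SCP never sees a partially written file."""
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".part-")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(data)
    final = os.path.join(directory, name)
    os.replace(tmp, final)
    return final


def export_tagged_events(client, tag: str, out_dir: str) -> list:
    """Store the STIX 1.x XML of every event tagged `tag` in out_dir.

    `client` is any object with PyMISP's search() signature (assumption: the
    'stix-xml' return format yields the raw XML string). Returns the paths
    written; events that were already exported are left untouched.
    """
    os.makedirs(out_dir, exist_ok=True)
    written = []
    for entry in client.search(controller="events", tags=[tag], return_format="json"):
        event = entry.get("Event", entry)
        name = stix_filename(event["uuid"])
        if os.path.exists(os.path.join(out_dir, name)):
            continue  # already handed to ESM; rewriting would only churn mtimes
        xml = client.search(controller="events", uuid=event["uuid"], return_format="stix-xml")
        written.append(write_atomically(out_dir, name, xml))
    return written
```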
Log into the McAfee ESM platform and open ESM properties. Go to the Cyber Threat Feeds and add a new feed. In the source, enter the IP, username, password and path to the folder that contains the STIX files that were previously downloaded through the misp_stix.py script.
Define the frequency, watchlist and backtrace options to automate triage steps.
McAfee ESM will pull the new STIX files and check whether any events related to the artifacts have been seen in the past.