Synapse-MISP User Guide

Synapse-MISP adds new Storm commands to allow you to ingest data from a MISP feed.

By default, Synapse-MISP connects to a MISP server hosted by The Vertex Project at https://misp.power-ups.vertex.link. Use misp.setup.server.add if you wish to connect to your own MISP instances.

Getting Started

Check with your Synapse admin to enable the permissions required to run the Synapse-MISP commands.

Examples

Adding a personal MISP server

To set up a personal MISP server configuration:

> misp.setup.server.add fooserver https://foo.com fookey
Adding server config fooserver to Synapse-MISP
MISP server configuration "fooserver" added

Syncing nodes from the MISP server

The first time you run the misp.sync command, you should use the --resync option to pull down the entire collection of events from the MISP server:

misp.sync --resync

Once the initial load completes, you can pull down changes since the last run with the --last option, which accepts either a timestamp or a short-hand time description as described under the publish_timestamp section of the MISP REST search documentation:

misp.sync --last 24h

Syncing nodes from a MISP feed

The misp.feed.sync command allows a user to ingest published events from an HTTP repository in the MISP standardized feed format.

The first time you run the misp.feed.sync command, it will sync all published events from the given feed URL. Subsequent executions of this command will only download events published since the last time the URL was synced (tracked via the meta:source:_misp:feed:updated extended property). To pull down the entire collection of events from the MISP feed again:

misp.feed.sync --resync <url>

To limit the number of events processed during any sync, the --since <timestamp> option can be used. Note that specifying --since <timestamp> causes a feed which has already been processed to be reprocessed.

Setting up a cron job to sync from MISP

The default --last value will automatically download any updates in the last 24 hours. To ensure no records are missed, you can easily add a cron job to check for updates every 8 hours:

cron.add --hour +8 { misp.sync }

Use of meta:source nodes

Synapse-MISP uses two different types of meta:source nodes with -(seen)> lightweight edges to track nodes observed from MISP servers and feeds.

meta:source nodes with :type=synapse.misp are used for configured MISP servers.

> meta:source:type=synapse.misp
meta:source=8af9677fd16d762a8a72822fa344b321
        .created = 2024/11/19 21:23:15.662
        :name = misp server: vertex default
        :type = synapse.misp

meta:source nodes with :type=synapse.misp.feed are used for MISP feeds. These nodes contain the URL of the feed in the :url property and have their _misp:feed:updated property updated every time the feed is synced using the misp.feed.sync command.

> meta:source:type=synapse.misp.feed
meta:source=d2c8b926635f1e3cf35c950434b34fab
        .created = 2024/11/19 21:23:15.722
        :name = misp feed: https://www.circl.lu/doc/misp/feed-osint
        :type = synapse.misp.feed
        :url = https://www.circl.lu/doc/misp/feed-osint

Storm can be used to filter query results to include or exclude nodes which have been observed by Synapse-MISP. The following example shows how to filter the results of a query to include only results observed by Synapse-MISP:

> #cool.tag.lift +{ <(seen)- meta:source:type=synapse.misp }
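The queries below are an added example, not part of the original guide, and go beyond the single include filter shown above: they show the negated (exclude) form of the subquery filter, narrowing to one specific feed via its :url property, and pivoting from result nodes back to the meta:source nodes that observed them so the provenance of a lift can be audited. They assume the #cool.tag tag and the CIRCL feed URL used elsewhere in this guide; the inet:ipv4 value is a constructed placeholder.

```storm
// Added example (not from the original guide): filtering and auditing MISP provenance.
// Assumes #cool.tag exists and the CIRCL OSINT feed has been synced with misp.feed.sync.

// 1. Keep only nodes seen from any configured MISP server (same as the guide's example).
#cool.tag.lift +{ <(seen)- meta:source:type=synapse.misp }

// 2. Exclude nodes seen from any MISP feed; -{ } is the negated subquery filter.
#cool.tag.lift -{ <(seen)- meta:source:type=synapse.misp.feed }

// 3. Keep only nodes seen from one specific feed by also matching the feed's :url property.
#cool.tag.lift +{ <(seen)- meta:source:type=synapse.misp.feed +:url="https://www.circl.lu/doc/misp/feed-osint" }

// 4. Audit provenance: walk from the tagged nodes to every MISP source that observed them,
//    deduplicating so each server or feed appears once.
#cool.tag.lift <(seen)- meta:source | uniq

// 5. Check a single indicator (constructed placeholder address) against both source types.
inet:ipv4=203.0.113.10 <(seen)- meta:source:type=synapse.misp
inet:ipv4=203.0.113.10 <(seen)- meta:source:type=synapse.misp.feed
```

Query 3 is the one to reach for when several feeds are configured and only one of them is trusted for a given decision; query 4 is useful after a misp.sync or misp.feed.sync run to confirm which sources actually contributed to a tagged set.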