Synapse-MISP User Guide

Synapse-MISP adds new Storm commands that let you ingest events from a MISP server into your Cortex.

By default, Synapse-MISP connects to a MISP server hosted by The Vertex Project at https://misp.power-ups.vertex.link. Use misp.setup.server.add if you wish to connect to your own MISP instances.

Getting Started

Check with your Admin that your user has been granted the permissions required to run the Synapse-MISP commands; without them the commands below will fail.

Examples

Adding a personal MISP server

To set up a personal MISP server configuration, give misp.setup.server.add a name for the configuration, the base URL of the MISP instance, and a MISP API key for that instance. Treat the API key like any other credential: anyone who can use this configuration can query MISP as that key.

> misp.setup.server.add fooserver https://foo.com fookey
Adding server config fooserver to Synapse-MISP
MISP server configuration "fooserver" added

Syncing nodes from the MISP server

The first time you run the misp.sync command, you should use the --resync option to pull down the entire collection of events from the MISP server:

misp.sync --resync

Once the initial load completes, you can pull down changes since the last run using the --last option using either a timestamp or a short-hand time description described under the publish_timestamp section of the MISP REST search documentation:

misp.sync --last 24h

Setting up a cron job to sync from MISP

The default --last value is 24h, so a plain misp.sync downloads any updates from the last 24 hours. To ensure no records are missed, you can add a cron job that checks for updates every 8 hours; because each run looks back 24 hours, consecutive runs overlap and a single missed run does not lose records:

cron.add --hour +8 { misp.sync }

Use of meta:source nodes

Synapse-MISP creates a meta:source node for each MISP server and records a -(seen)> lightweight edge from that meta:source node to every node observed from that server.

> meta:source
meta:source=4534bc94bdf85837c3398d528ce2cd07
        .created = 2024/04/17 17:12:08.442
        :name = misp server: v
        :type = synapse.misp

Storm can filter a set of nodes to include or exclude those observed by Synapse-MISP by checking for the incoming -(seen)> edge from a meta:source node of type synapse.misp. The following example filters the results of a tag lift down to only the nodes observed by Synapse-MISP:

> #cool.tag.lift +{ <(seen)- meta:source:type=synapse.misp }
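The queries below are added examples, not part of the Synapse-MISP documentation or the Power-Up's own code, and go a little beyond the include filter above: they list the MISP meta:source nodes, walk the -(seen)> edges in the forward direction to lift everything observed from MISP, apply the inverse (exclude) filter, and pivot from a single node back to the servers that reported it. Run each query separately; the inet:fqdn=example.com node is an assumed node of interest and #cool.tag.lift is the tag used on this page.

```storm
// Added example (not from the Synapse-MISP docs). Run each query on its own.

// 1. List every MISP server configuration that has contributed nodes
//    to this Cortex (one meta:source node per server).
meta:source:type=synapse.misp

// 2. Lift every node observed from any MISP server by walking the
//    meta:source -(seen)> node edges in the forward direction.
meta:source:type=synapse.misp -(seen)> *

// 3. Exclude MISP-observed nodes from a tag lift: the inverse of the
//    include filter shown above (-{ } instead of +{ }).
#cool.tag.lift -{ <(seen)- meta:source:type=synapse.misp }

// 4. From an assumed node of interest, pivot to the meta:source node(s)
//    that reported it, to see which MISP server(s) it came from.
inet:fqdn=example.com <(seen)- meta:source:type=synapse.misp
```

Query 2 is useful for auditing what a feed has put into the Cortex, and query 4 for checking provenance before acting on an indicator; both rely only on the meta:source node and -(seen)> edge described above.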