RTIR-Extension-MISP - Integrate RTIR with MISP
MISP is a platform for sharing threat intelligence among security teams. This extension integrates MISP with RTIR (https://bestpractical.com/rtir), Best Practical's incident response system, so that MISP events can be pulled into RTIR tickets and incidents can be pushed back to MISP.
Works with RTIR 5.0.

Build and install the module:

    perl Makefile.PL
    make
    make install

The install step may need root permissions.

Apply the included patch to RTIR itself. It adds the callbacks this extension hooks on the feed listing and display pages; adjust the path if RTIR is installed somewhere other than /opt/rt5:

    patch -p1 -d /opt/rt5/local/plugins/RT-IR < patches/Add-callbacks-to-the-feed-listing-and-display-pages.patch
Edit your RT_SiteConfig.pm and add this line:
Plugin('RTIR::Extension::MISP');
Initialize the database:

    make initdb

Only run this the first time you install this module. Running it twice leaves duplicate data in your database. If you are upgrading this module, check the upgrading instructions in case your database needs changes.

Clear the Mason cache so RT picks up the new templates. The path is /opt/rt5 for an RTIR 5.0 install (matching the plugin path used above); adjust it if RT lives elsewhere:

    rm -rf /opt/rt5/var/mason_data/obj
Set the following in your RT_SiteConfig.pm with details for the MISP instance you want RTIR to integrate with:

    Set(%ExternalFeeds,
        'MISP' => [
            {
                Name        => 'MISP',
                URI         => 'https://mymisp.example.com',  # Change to your MISP
                Description => 'My MISP Feed',
                DaysToFetch => 5,                 # For the feed page, how many days back to fetch
                ApiKeyAuth  => 'API SECRET KEY',  # Change to your real key
            },
        ],
    );

The API key is stored in plain text in RT_SiteConfig.pm, so keep that file readable only by the user RT runs as, and issue the key from a dedicated MISP user with no more permissions than the integration needs (reading events for the feed, plus adding events and objects if you use the incident actions described below). Keep the URI on https so the key is not sent in the clear.
If you want to display the MISP ID custom fields in a separate portlet on the incident page, you can customize your custom field portlets with something like this:

    Set(%CustomFieldGroupings,
        'RTIR::Ticket' => [
            'Networking' => ['IP', 'Domain'],
            'Details'    => ['How Reported', 'Reporter Type', 'Customer', 'Description',
                             'Resolution', 'Function', 'Classification', 'Netmask',
                             'Port', 'Where Blocked'],
            'MISP IDs'   => ['MISP Event ID', 'MISP Event UUID'],  # Add/remove CFs as needed
        ],
    );
This integration adds several ways to work between MISP and RTIR, described below.

After adding the MISP configuration described above, the Feeds page in RTIR at RTIR > Tools > External Feeds will list a new MISP option. This feed pulls in events from the past N days, where N is the DaysToFetch value in the configuration. From the feed display page, you can click the "Create new ticket" button to create a ticket populated with information from the MISP event.

On the Incident Display page, if the custom field MISP Event ID has a value, a MISP Event Details portlet is displayed, showing details pulled from that event via the MISP REST API.

On an incident with a MISP Event ID, the Actions menu has an "Update MISP Event" option. Selecting it makes RTIR update the existing MISP event with an RTIR object carrying data from the incident ticket.

If MISP Event ID has no value, the Actions menu on incidents instead shows a "Create MISP Event" option. Select it to create an event in MISP with details from the incident ticket.
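To make the data flow behind the feed and the two incident actions concrete, here is an added example in Python (not the extension's own code, which is Perl, and not an endorsement of how it is implemented internally). It builds the MISP REST API request for "events from the last DaysToFetch days", maps a MISP event onto the ticket fields named above (Subject, MISP Event ID, MISP Event UUID), builds the payload for creating an event from an incident, and includes a connectivity check for the configured URI and key. The MISP endpoints (/events/restSearch, /events/add, /servers/getVersion) and the Authorization header format are MISP's documented API; the sample response, the ticket field layout, the event defaults (distribution, threat level, analysis) and all function names are this example's assumptions.

```python
import json
import urllib.request
from datetime import datetime

MISP_URI = "https://mymisp.example.com"  # placeholder URI from the README config
API_KEY = "API SECRET KEY"               # placeholder; use a dedicated, least-privilege MISP user's key


def misp_headers(api_key):
    """MISP's REST API takes the raw key in Authorization (no 'Bearer' prefix)."""
    return {
        "Authorization": api_key,
        "Accept": "application/json",
        "Content-Type": "application/json",
    }


def feed_query(days_to_fetch):
    """Body for POST /events/restSearch covering the last N days, i.e. DaysToFetch."""
    if not isinstance(days_to_fetch, int) or days_to_fetch < 1:
        raise ValueError("DaysToFetch must be a positive integer")
    return {"returnFormat": "json", "last": f"{days_to_fetch}d"}


def event_to_ticket_fields(event_json):
    """Map one MISP event from a restSearch response onto the ticket fields the
    README names: Subject plus the 'MISP Event ID' and 'MISP Event UUID' custom
    fields. An event without id/uuid is rejected rather than turned into a ticket
    that could never be linked back to MISP."""
    ev = event_json["Event"]
    if not ev.get("id") or not ev.get("uuid"):
        raise ValueError("MISP event without id/uuid cannot be linked to a ticket")
    return {
        "Subject": (ev.get("info") or "").strip() or f"MISP event {ev['id']}",
        "MISP Event ID": str(ev["id"]),
        "MISP Event UUID": ev["uuid"],
    }


def tickets_from_feed(restsearch_json):
    """restSearch wraps events as {"response": [{"Event": {...}}, ...]}."""
    return [event_to_ticket_fields(e) for e in restsearch_json.get("response", [])]


def ticket_to_event(ticket_id, subject, created_date):
    """Body for POST /events/add, used when an incident has no MISP Event ID yet.
    distribution 0 (your organisation only), threat_level_id 4 (undefined) and
    analysis 0 (initial) are this example's conservative defaults, not the extension's."""
    datetime.strptime(created_date, "%Y-%m-%d")  # reject malformed dates early
    return {
        "Event": {
            "info": f"RTIR incident #{ticket_id}: {subject}",
            "date": created_date,
            "distribution": 0,
            "threat_level_id": 4,
            "analysis": 0,
        }
    }


def post_json(path, body, uri=MISP_URI, api_key=API_KEY):
    """Perform a POST. Needs network access, so it is not exercised offline.
    urllib verifies the MISP certificate by default; do not disable that."""
    req = urllib.request.Request(
        uri + path, data=json.dumps(body).encode(), headers=misp_headers(api_key), method="POST"
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def check_connection(uri=MISP_URI, api_key=API_KEY):
    """Sanity check for the URI and key before pointing RTIR at them:
    GET /servers/getVersion returns a small JSON document if the key is accepted."""
    req = urllib.request.Request(uri + "/servers/getVersion", headers=misp_headers(api_key))
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample: a trimmed restSearch response with one event (not real data).
SAMPLE_RESTSEARCH = {
    "response": [
        {
            "Event": {
                "id": "1234",
                "uuid": "5c0b1a2e-7a8d-4c0f-9d1b-0f8e2e5a1c11",
                "info": "Phishing campaign targeting finance",
                "date": "2021-03-02",
                "Attribute": [{"type": "domain", "value": "bad.example"}],
            }
        }
    ]
}

if __name__ == "__main__":
    # Offline walk-through: feed query -> ticket fields -> payload for "Create MISP Event".
    print(json.dumps(feed_query(5)))
    for fields in tickets_from_feed(SAMPLE_RESTSEARCH):
        print(fields)
    print(json.dumps(ticket_to_event(42, "Phishing campaign", "2021-03-02"), indent=2))
```

Run check_connection() once against your real MISP before restarting RT: if it raises an HTTP 403, the key or the user's permissions are wrong, and the feed page will fail in the same way.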
Best Practical Solutions, LLC <modules@bestpractical.com>
All bugs should be reported via email to bug-RTIR-Extension-MISP@rt.cpan.org or via the web at rt.cpan.org.
This software is Copyright (c) 2021 by Best Practical Solutions, LLC
This is free software, licensed under:
The GNU General Public License, Version 2, June 1991
To install RTIR::Extension::MISP from CPAN, run one of the following in your terminal.

With cpanm:

    cpanm RTIR::Extension::MISP

With the CPAN shell:

    perl -MCPAN -e shell
    install RTIR::Extension::MISP