Hey Folks,
Has anybody integrated Chronicle SIEM with MISP or a similar platform like OpenCTI? I'm pretty sure I have seen an option in Chronicle feeds in third-party API but I'm not able to find it anymore. Not sure if I was dreaming that it was there ahaha
Hi @rodneysamuel, we will be writing a dedicated post for this and will share in the community in the next few weeks. In the meantime, from a high level, all inputs, whether a stream of log data from Crowdstrike in AWS or a series of batch files from a Threat Intelligence source, all of these things are "feeds" to Chronicle.
The cycle goes Ingest - Parse - Normalize - Enrich
Thus MISP or OpenCTI first has to go through the ingestion pipeline. Cloud-to-Cloud, Forwarder, API: these are all ingest methods.
After that, we take the data (it's been decrypted, and converted from base64 if necessary) and we parse it. The parser is a Grok/Logstash-based system with our parsers part of the Google source code base. The Parsing process expects the data to be formatted a specific way, matches patterns, and writes results into our Unified Data Model fields.
These UDM fields then go through a further enrichment process -- matching fields with other ingested sources to provide a pivotable match. This leads to further parallelization of the data, which helps provide Chronicle's speed.
As a result, you will pull in an IOC like a domain name, over a feed. IOC is parsed out, normalized to UDM, and then enriched with matches such as internal hostnames that connected to that domain name.
This is the broad-based picture for any feed. Figure out how to send the data in, then make sure we have a parser for it to convert it to UDM.
I will share the post once it's published. I hope this is helpful.
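The Ingest - Parse - Normalize - Enrich cycle described in the reply above, as an added, self-contained illustration that is not part of the original post or of Chronicle's own code: a constructed MISP event is parsed into normalized IOCs and then joined against constructed SIEM events to find the internal hostnames that contacted each indicator. The UDM-like field names and the MISP type mapping are assumptions made for this example, not Chronicle's real schema.

```python
import json

# Constructed MISP event (not a real export): attributes carry "type"/"value".
MISP_EVENT = json.dumps({"Event": {"info": "constructed example", "Attribute": [
    {"type": "domain", "value": "Bad.Example.NET", "to_ids": True},
    {"type": "ip-dst", "value": "203.0.113.9", "to_ids": True},
    {"type": "comment", "value": "analyst note", "to_ids": False},
]}})

# Constructed SIEM events; field names are a simplified assumption, not Chronicle's real UDM schema.
UDM_EVENTS = [
    {"metadata": {"event_type": "NETWORK_DNS"}, "principal": {"hostname": "ws-042"},
     "network": {"dns": {"questions": [{"name": "bad.example.net"}]}}},
    {"metadata": {"event_type": "NETWORK_CONNECTION"}, "principal": {"hostname": "srv-db1"},
     "target": {"ip": "203.0.113.9"}},
    {"metadata": {"event_type": "NETWORK_DNS"}, "principal": {"hostname": "ws-007"},
     "network": {"dns": {"questions": [{"name": "good.example.org"}]}}},
]

# Parse: MISP attribute types collapse onto the IOC kinds we normalize to (assumed mapping).
MISP_TYPE_TO_IOC = {"domain": "domain", "hostname": "domain", "ip-dst": "ip", "ip-src": "ip"}

def parse_misp(raw: str) -> list[dict[str, str]]:
    """Ingest + parse + normalize: keep detection-grade (to_ids) attributes only."""
    iocs = []
    for attr in json.loads(raw)["Event"]["Attribute"]:
        kind = MISP_TYPE_TO_IOC.get(attr["type"])
        if kind and attr.get("to_ids"):
            value = attr["value"].lower() if kind == "domain" else attr["value"]  # normalize case
            iocs.append({"kind": kind, "value": value})
    return iocs

def observed(event: dict) -> list[tuple[str, str]]:
    """The (kind, value) pairs one UDM-like event exposes for matching."""
    seen = [("domain", q["name"].lower())
            for q in event.get("network", {}).get("dns", {}).get("questions", [])]
    if "ip" in event.get("target", {}):
        seen.append(("ip", event["target"]["ip"]))
    return seen

def enrich(iocs: list[dict[str, str]], events: list[dict]) -> dict[str, list[str]]:
    """Enrich: join IOCs against events -> {ioc value: [internal hostnames that touched it]}."""
    wanted = {(i["kind"], i["value"]) for i in iocs}
    hits: dict[str, list[str]] = {}
    for ev in events:
        for kind, value in observed(ev):
            if (kind, value) in wanted:
                hits.setdefault(value, []).append(ev["principal"]["hostname"])
    return hits
```

Running `enrich(parse_misp(MISP_EVENT), UDM_EVENTS)` yields the pivotable matches the reply describes: each indicator mapped to the internal hosts that resolved or connected to it, with the non-detection "comment" attribute dropped at the parse step.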
Hey @shakedtal, thanks for this. Really useful!
Here is a direct link to the MISP integration - https://cloud.google.com/chronicle/docs/ingestion/ingest-using-cloud-functions#before_you_begin I hope it helps.
The link for SOAR integrations has also changed to - https://cloud.google.com/chronicle/docs/soar/marketplace-integrations/misp
Hello @shakedtal, I was trying to look for the dedicated post you mention. Please could you share it here? Thank you!
Hi @keso - see Part 1: https://www.googlecloudcommunity.com/gc/Community-Blog/New-to-Google-SecOps-Building-Rules-with-Your-Own-Threat-Intel/ba-p/733835 and Part 2: https://www.googlecloudcommunity.com/gc/Community-Blog/New-to-Google-SecOps-Building-Rules-with-Your-Own-Threat-Intel/ba-p/733857
@apettet is there no direct feed based integration anymore for MISP??