Integration with SIEMs

Integration with Security Information and Event Management (SIEM) systems relies on the adoption of MISP. MISP ships with several built-in options for this task, so SIEM owners can choose the one that best suits their environment.

The MISP guide, available at https://www.circl.lu/doc/misp/book.pdf , suggests using the ZeroMQ publish-subscribe model to inject new Indicators of Compromise (IoCs) into SIEMs in an automated way. However, not all SIEMs support this communication model, so other approaches should be considered.

For instance, an ad-hoc Python library, called PyMISP, is available for communicating with MISP. In this case, a generic system or component, such as a SIEM, can rely on it to directly inject and receive new IoCs through the REST APIs provided by MISP itself (see the guide for a global overview of the available APIs). The MISP instance owner creates a specific authentication key for the SIEM user, who in turn sends it in the Authorization header of every HTTP request.
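The REST-based pull described above, as an added example that is not part of the original page and not PyMISP's own code: it uses only the Python standard library instead of PyMISP, assumes MISP's documented /attributes/restSearch endpoint and an authentication key issued by the MISP owner, and parses a constructed sample response so it runs offline. Only attributes flagged `to_ids` are forwarded, which is the check a SIEM owner wants before turning MISP data into alerts.

```python
"""Minimal MISP -> SIEM pull client using only the standard library.

Assumptions (not from the original page): the /attributes/restSearch
endpoint, its JSON filter keys, and the constructed SAMPLE_RESPONSE below.
"""
import json
import urllib.request

SAMPLE_RESPONSE = {  # constructed sample, shaped like a real restSearch reply
    "response": {
        "Attribute": [
            {"type": "ip-dst", "value": "203.0.113.7", "to_ids": True,
             "Event": {"id": "42", "info": "Constructed test event"}},
            {"type": "domain", "value": "example.invalid", "to_ids": True,
             "Event": {"id": "42", "info": "Constructed test event"}},
            {"type": "comment", "value": "analyst note, not an IoC", "to_ids": False,
             "Event": {"id": "42", "info": "Constructed test event"}},
        ]
    }
}


def build_request(base_url, api_key, body):
    """Build the authenticated POST that PyMISP would otherwise send for us."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/attributes/restSearch",
        data=json.dumps(body).encode(),
        method="POST",
    )
    # The key issued by the MISP owner goes in the Authorization header of every request.
    req.add_header("Authorization", api_key)
    req.add_header("Accept", "application/json")
    req.add_header("Content-Type", "application/json")
    return req


def extract_iocs(payload):
    """Keep only attributes flagged to_ids; return (type, value, event_id) tuples."""
    attrs = payload.get("response", {}).get("Attribute", [])
    return [(a["type"], a["value"], a["Event"]["id"]) for a in attrs if a.get("to_ids")]


def fetch_recent_iocs(base_url, api_key, since="1d"):
    """Pull attributes changed in the last `since` window and filter them locally too."""
    body = {"returnFormat": "json", "to_ids": 1, "timestamp": since}
    with urllib.request.urlopen(build_request(base_url, api_key, body)) as resp:
        return extract_iocs(json.load(resp))


if __name__ == "__main__":
    for ioc in extract_iocs(SAMPLE_RESPONSE):
        print(ioc)
```

`fetch_recent_iocs` is the call a SIEM connector would schedule; `extract_iocs` is exercised here against the constructed sample.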

Besides, for many well-known SIEMs, such as ArcSight, specific solutions have been built to make this integration task easier.

Finally, if none of the above options is satisfactory, MISP can be extended with one or more "MISP modules", which allow custom solutions tailored to the needs of the specific SIEM, for instance a RabbitMQ queue or plain TCP sockets.
