MISP: new misp_taxii_hook for MISP-TAXII-Server

I want to propose a new version of the “misp_taxii_hook” package included in the “MISP-TAXII-Server” available on the official MISP repository.

Preamble

The purpose is to improve the STIX import via TAXII on MISP. Currently, before importing an IoC, the import system checks whether it already exists in any event. If the item is found, it is discarded. So if MISP receives the same IoC, qualified for different reasons, in two or more STIX reports, or if it was imported earlier by some other means, it is imported only the first time the system checks for it and discarded from every later STIX report.

From a Security Analyst's point of view, I think it is better to add the attribute, even if it has already been imported by a previous import.

From a Data Analyst's point of view, I don't want to duplicate information, because relationship checks would result in degraded performance and false positives.

The proposed “misp_taxii_hook” package (go to GitHub)

The new hook tries to derive a title and a corresponding filename for the STIX report (def detect_title) from the title and description elements of the STIX header.
If this succeeds, it searches for evidence that the STIX file has been imported before: a MISP event whose info matches the “title” and which carries an attachment attribute named after the “filename”. The event must have both!

If nothing is found, a new event is created with the title defined above, the report as an attachment and the attributes included in the report.

New event for new STIX Report

But if both search conditions (title and attachment) hold, the hook tries to update the event it found: any new attributes are pushed to it and the STIX report is attached.

Updated event for updated STIX Report

If the STIX report has no title and description in its stix_header element, the hook imports the file using the old hook code.
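The create-or-update flow described above, as an added example written for this post; it is not the hook's own code, which lives in the GitHub repository linked above. It assumes an in-memory list of dict events standing in for the MISP instance the real hook reaches through PyMISP, a constructed STIX 1.x package built by make_stix, and a filename rule (title with unsafe characters replaced, plus .xml) chosen for illustration. detect_title shares its name with the function mentioned above, but its body, like find_event and import_report, is this example's own. Deduplication happens only inside the matched event, so the same IoC can legitimately appear in two events created from two differently titled reports, while re-sending the same report only adds what is new.

```python
import re
import xml.etree.ElementTree as ET

STIX_NS = {"stix": "http://stix.mitre.org/stix-1"}  # STIX 1.x core namespace


def make_stix(title, description=None):
    """Build a minimal STIX 1.x package with a STIX_Header (constructed sample, not a real feed).
    Titles are assumed XML-safe; no escaping is done here."""
    desc = f"<stix:Description>{description}</stix:Description>" if description else ""
    return (
        '<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1" version="1.2">'
        f"<stix:STIX_Header><stix:Title>{title}</stix:Title>{desc}</stix:STIX_Header>"
        "</stix:STIX_Package>"
    )


def detect_title(stix_xml):
    """Return (title, filename) from the header, or None when Title or Description is missing.

    The filename derivation (title with unsafe characters replaced, plus .xml) is an
    assumption of this example, not the hook's exact rule.
    """
    header = ET.fromstring(stix_xml).find("stix:STIX_Header", STIX_NS)
    if header is None:
        return None
    title = (header.findtext("stix:Title", default="", namespaces=STIX_NS) or "").strip()
    desc = (header.findtext("stix:Description", default="", namespaces=STIX_NS) or "").strip()
    if not title or not desc:
        return None
    filename = re.sub(r"[^A-Za-z0-9._-]+", "_", title).strip("_") + ".xml"
    return title, filename


def find_event(events, title, filename):
    """Match an event only if its info equals the title AND it carries an attachment named filename."""
    for event in events:
        if event["info"] != title:
            continue
        if any(a["type"] == "attachment" and a["value"] == filename for a in event["Attribute"]):
            return event
    return None


def import_report(events, stix_xml, iocs):
    """Create or update the event for this report.

    iocs is a list of (type, value) pairs already extracted from the report; the
    extraction itself is out of scope here. Returns (action, event, new_attribute_count).
    """
    detected = detect_title(stix_xml)
    if detected is None:
        return "legacy", None, 0  # no title/description: fall back to the old hook path
    title, filename = detected
    event = find_event(events, title, filename)
    if event is None:
        event = {"info": title, "Attribute": []}
        events.append(event)
        action = "created"
    else:
        action = "updated"
    # Deduplicate only inside this event, never against other events
    present = {(a["type"], a["value"]) for a in event["Attribute"]}
    added = 0
    for ioc_type, value in iocs:
        if (ioc_type, value) not in present:
            event["Attribute"].append({"type": ioc_type, "value": value})
            present.add((ioc_type, value))
            added += 1
    # Attach the report once per filename (MISP stores attachment data base64-encoded;
    # kept raw here for readability)
    if ("attachment", filename) not in present:
        event["Attribute"].append({"type": "attachment", "value": filename, "data": stix_xml})
    return action, event, added


if __name__ == "__main__":
    store = []
    first = make_stix("Campaign A", "constructed sample")
    print(import_report(store, first, [("ip-dst", "198.51.100.7")])[0])  # created
    print(import_report(store, first, [("ip-dst", "198.51.100.7"), ("domain", "bad.example")])[0])  # updated
    print(import_report(store, make_stix("Campaign B", "another sample"), [("ip-dst", "198.51.100.7")])[0])  # created
    print(import_report(store, make_stix("No description"), [])[0])  # legacy
```

Running the block shows the three outcomes the post describes: a fresh title creates an event, a repeated title with its attachment updates it, and a header without a description drops to the legacy path. The matching rule in find_event is deliberately strict: an event whose info equals the title but which lacks the attachment is not treated as a previous import.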

How to test it
