Migrating events from non-MISP tool into MISP #785
Replies: 10 comments 4 replies
-
Can you give us a sample? I'm not sure I understand what you mean.
-
Here is a subset of the columns of an event from my legacy:
Can I create an event via PyMISP, and pin these attributes to it?
-
So, the procedure for this is:
?
-
Much THANKS for that info, but I need further clarity. The five fields I mentioned before, all five go into a single object or there are five objects, one per field?
From: Raphaël Vinot
Sent: Wednesday, September 15, 2021 4:23 PM
Subject: Re: [MISP/PyMISP] Migrating events from non-MISP tool into MISP (Discussion #785)
Pretty much yes. You can also just create the template in the subdirectory where all the other templates are in PyMISP and use it directly from there.
The question you need to answer is how you want to add them into event(s): one event with all the data in objects? One event/month? One event/day? It will depend how many objects you end-up having, and what you want to do with the data.
-
FYI,
I've inherited this task (migration to MISP), so I might not have the vocabulary right about indicator types and more. But thanks for the feedback!
From: Raphaël Vinot
Sent: Wednesday, September 15, 2021 5:10 PM
An object contains attributes, so you will have N attributes in your object. One other thing you might want to do is to use the first_seen/last_seen field in the object itself to represent created and updated, if it makes sense.
The other thing I'm not clear about is where the actual indicator is? You're talking of indicator type, but not the indicator itself.
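The modelling advice in the replies above (one object per legacy record holding N attributes, first_seen/last_seen for created and updated, one event per day or per month), as an added example that is not from the thread or from PyMISP: it builds plain dictionaries in the MISP event JSON layout using only the standard library. The legacy column names, the type map and the `legacy-indicator` template name are assumptions, and the sample rows are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed legacy rows; the column names are assumptions (the thread never lists them).
LEGACY_ROWS = [
    {"indicator": "198.51.100.7", "indicator_type": "IP",
     "created": "2021-08-30T10:00:00", "updated": "2021-09-03T08:30:00"},
    {"indicator": "bad.example", "indicator_type": "Domain",
     "created": "2021-08-31T17:45:00", "updated": "2021-08-31T17:45:00"},
    {"indicator": "0123456789abcdef0123456789abcdef", "indicator_type": "MD5",
     "created": "2021-09-02T09:15:00", "updated": "2021-09-10T12:00:00"},
    {"indicator": "HKLM\\Software\\Example", "indicator_type": "Registry",
     "created": "2021-09-02T09:20:00", "updated": "2021-09-02T09:20:00"},
]
# Legacy type label -> MISP attribute type; unmapped labels are reported, not guessed.
TYPE_MAP = {"ip": "ip-dst", "domain": "domain", "md5": "md5"}
OBJECT_NAME = "legacy-indicator"  # hypothetical custom object template name

def row_to_object(row):
    """One legacy row becomes one object holding N attributes."""
    misp_type = TYPE_MAP[row["indicator_type"].lower()]  # KeyError if unmapped
    if datetime.fromisoformat(row["updated"]) < datetime.fromisoformat(row["created"]):
        raise ValueError("updated precedes created")
    return {
        "name": OBJECT_NAME, "meta-category": "misc",
        "first_seen": row["created"], "last_seen": row["updated"],
        "Attribute": [
            {"object_relation": "indicator", "type": misp_type, "value": row["indicator"]},
            {"object_relation": "legacy-type", "type": "text", "value": row["indicator_type"]},
        ],
    }

def build_events(rows, bucket="month"):
    """Group rows into one event per day or per month of their created date."""
    width = {"day": 10, "month": 7}[bucket]  # prefix length: YYYY-MM-DD or YYYY-MM
    grouped, skipped = defaultdict(list), []
    for row in rows:
        try:
            grouped[row["created"][:width]].append(row_to_object(row))
        except (KeyError, ValueError) as exc:
            skipped.append((row.get("indicator"), repr(exc)))  # keep for manual review
    events = []
    for key, objs in sorted(grouped.items()):
        date = min(o["first_seen"] for o in objs)[:10]
        events.append({"Event": {"info": f"Legacy import {key}", "date": date, "Object": objs}})
    return events, skipped

if __name__ == "__main__":
    events, skipped = build_events(LEGACY_ROWS, bucket="month")
    print(json.dumps({"events": events, "skipped": skipped}, indent=2))
```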
-
You're welcome! If you need further help, don't hesitate. And if you can share an actual sample, it might make things easier.
-
Raphaël,
OK, I created the Object template file, and located it in the MISP misp_object template directory. But how do I enforce that template during object creation?
-
There are a few moving parts, so it's a bit hard to answer. As you have a custom template, I'm assuming that you installed PyMISP from the repository. You can look at this tutorial: https://github.com/MISP/PyMISP/blob/main/docs/tutorial/FullOverview.ipynb (search for
-
I am new to MISP, am curious if I can migrate events from a legacy tool into MISP, and can the attributes from the legacy events become custom attributes on a MISP event?
Any help appreciated!