MISP integration for Security Operations

Release version:
Yokohama
Xanadu
Washington DC
Vancouver
UpdatedJan 30, 2025
4 minutes to read

Yokohama
Threat Integration

With MISP integration for Security Operations, you can investigate security incidents with sighting searches, observable enrichment, and create or update events in MISP. Using MISP, you can investigate targeted attacks faster, improve the detection ratio, and reduce the number of false positives in your environment.

Request apps on the Store

Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.

MISP Overview

MISP, which stands for Malware Information Sharing Platform, lets you exchange and share threat intelligence and Indicators of Compromise (IoCs) about the targeted malware and attacks within your community of trusted members. You can also share MISP information with private or open communities. By exchanging MISP information, you can investigate targeted attacks faster, improve the detection ratio, and reduce the number of false positives in your environment.

MISP and Security Operations

See the following example to learn how the MISP information flows with Security Operations applications.

How MISP integrates with the Security Operations applications. — Figure 1. MISP and Security Operations overview

Key features

This integration includes the things that you can do with the MISP key features:

Connect to private and public MISP instances.
Support manual and automatic sighting search of observables.
Run sighting search from case management.
Report or update sightings to an attribute:
- Report an observable as a sighting (global)
- Report an observable as a false positive (global)
- Report an observable as expired
Support manual and automatic observable enrichment. Results include the MISP attribute and event information that is associated with the observables.
Attribute enrichment in MISP which includes adding or updating tags, galaxies, or comments.
Event creation in MISP from SIR: Supports manual and the automatic creation of events in MISP from SIR.
Update a MISP event from SIR which includes adding or updating tags, galaxies, or attributes.
Add security incident associated observables as attributes to a MISP event.
Auto-extract MITRE-ATT&CK™ information from MISP attributes and associate the information to SIR security incidents.
Automatically add SIR MITRE-ATT&CK™ information as galaxies to a MISP event.

Key concepts

This integration includes the following key concepts that you must know:

MISP is a Threat intelligence platform (TIP). You use TIPs to collect, correlate, categorize, share, and integrate security threat data in real time to support the prioritization of actions and aid in attack prevention, detection, and response.
MISP is a Threat Intelligence Management (TIM). You use TIMs to turn threat data into threat intelligence through context and to automatically prioritize threats by user-defined scoring and relevance.
MISP Data layer
- Events are encapsulations for contextually linked information.
- Attributes are individual data points, which can be indicators or supporting data.
- Objects are custom template attribute compositions.
- Object references are the relationships between the other building blocks.
- Sightings are time-specific occurrences of a detected data-point.
MISP Context layer
- Tags are labels that are attached to events or attributes and may come from taxonomies.
- Galaxy-clusters are knowledge base items that you can use to label events or attributes that come from galaxies.
- Cluster relationships denote pre-defined relationships between clusters.
Indicators contain a pattern that you can use to detect suspicious or malicious cyber activity.
Attributes in MISP can be network indicators (IP address), system indicators (a string in memory), or even bank account details. The attributes in MISP are known as observables in other SIEMs or formats such as STIX.
- A type describes the attribute. For example, MD5 or a URL.
- The attribute category describes an attribute. For example, a payload delivery.
- An IDS tag determines if an attribute can be automatically used for detection.

Note: For more information about MISP concepts, see the MISP Documentation website

How your organization can benefit from MISP integration for Security Operations

Security analysts must gain and maintain situational awareness of the threat landscape, which means that they must manually consolidate and integrate an overwhelming amount of threat data. Gathering, consolidating, and integrating this data takes valuable time, which slows the detection and analysis of threats. MISP integration for Security Operations enables analysts to detect more threats and respond quicker by integrating the MISP security intelligence into an existing ServiceNow AI Platform instance.

By using the MISP integration for Security Operations, your organization can do the following actions:

Enable your security analysts to respond quickly and with the right context.
Improve your security team's efficiency by automating the incident flows for detecting and containing threats.
Reduce manual research time and enable security analysts to operationalize and curate indicators from within the ServiceNow AI Platform.

Learn about this integration


Document identifier	Document title
MISP documentation website	MISP Documentation website
ServiceNow product documentation website	ServiceNow Product Documentation website

Yokohama Security Management

Filters

Versions

Products