MISP is an open source solution for collecting, storing, distributing and sharing cyber security indicators. As this solution is still used by some of our customers, we provide a set of API endpoints to consume our CTI feed from MISP.
Unfortunately, this connector doesn’t fit all our customer needs.
For example, one customer raised performance issues while ingesting our feed into their MISP instance with the “event correlation” mechanism enabled. This is because SEKOIA.IO pushes every updated IoC in the MISP feed as a new event, so each update triggers correlation work on the consuming instance.
Currently, when a Content Proposal is merged, a MISP event is created with all contained information. This is a very simple – still efficient – mechanism.
In order to improve our MISP feed, we will completely change the way we organize and update data in the MISP feed.
The general idea is to keep a mapping between SEKOIA.IO IoCs and their location in the MISP feed (which events they are stored in). When a Content Proposal is merged, every contained object should be looked up in that mapping: created if it is not yet present in a MISP event, otherwise updated in place with the new expiration date and metadata. To do so, the organization of MISP events should be changed. One proposal is to organize data by source.
We should also implement an expiration mechanism that removes from the MISP feed all expired objects.
As our current MISP feed is widely used by our customers, we should implement the new MISP feed in dedicated endpoints. We should keep – at least during the new feed qualification – both feeds.