By Moacir Araújo Candido Bezerra

In the course of its daily work, Tempest’s SOC (Security Operations Center) Platform team identified a set of challenges in collecting and correlating information within the SIEM solution for its customers. These included controlling false positives, IoC (Indicators of Compromise) reliability, a high volume of requests to the MISP server, low performance when executing use cases in the SIEM solution, and so on.

Seeing this opportunity, researchers from Tempest’s SOC Platform team developed the MISP Broker tool as a solution to the challenges mentioned above, and as a contribution to the security community, whose members face the very same obstacles.

In brief, the tool's main contribution for security analysts is control over correlated events, such as outdated information, along with the ability to enrich the MISP with IoCs and remove false positives, with all of these actions reflected directly in the SIEM.

MISP Broker was developed in Python 3+, using SQLite as a database and ShellScript to manage the tool’s services. Among its main features, we can highlight:

  • IoC, MISP and SIEM database synchronization;
  • Control of false positives and sightings;
  • IoC lifetime control by type;
  • Reduction of correlated data in the SIEM;
  • Content generation and export to external tools;
  • Cross-platform compatibility (QRadar and Splunk);
  • Ability to create global block lists.

Security analysts interested in using MISP Broker can find the tool developed by Tempest’s research team, along with its user manual, in Tempest’s GitHub repository at the URL below:

https://github.com/tempestsecurity/MISP-Broker