-
Notifications
You must be signed in to change notification settings - Fork 10
/
misp_import.ini
111 lines (105 loc) · 4.36 KB
/
misp_import.ini
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
; ______ __ _______ __ __ __
; | |.----.-----.--.--.--.--| | __| |_.----.|__| |--.-----.
; | ---|| _| _ | | | | _ |__ | _| _|| | <| -__|
; |______||__| |_____|________|_____|_______|____|__| |__|__|__|_____|
; MISP Import configuration file.
[CrowdStrike]
; Crowdstrike API client ID and client secret.
client_id = CROWDSTRIKE API CLIENT ID
client_secret = CROWDSTRIKE API CLIENT SECRET
; Can pass the full URL, the URL strings, or just the shortname (US1, US2, EU1, USGOV1)
; Typically, this value only ever needs to be changed for GovCloud users.
; crowdstrike_url = https://api.crowdstrike.com
; crowdstrike_url = api.crowdstrike.com
; crowdstrike_url = us1
crowdstrike_url = auto
; 5000 = US1, 2500 = ALL OTHERS
api_request_max = 5000
; Should we use SSL to connect to the CrowdStrike Falcon API?
api_enable_ssl = True
; Tool configurations. The files in which to store the last updated timestamp and the max age of the
; reports/indicators/actors pulled in an initial run.
reports_timestamp_filename = lastReportsUpdate.dat
indicators_timestamp_filename = lastIndicatorsUpdate.dat
actors_timestamp_filename = lastActorsUpdate.dat
; Initial data segment size
; REPORTS - Up to 7300 days (20 years) can be imported (Report creation date)
; INDICATORS - Up to 15 days (20220 minutes) can be imported
; ADVERSARIES (Actors) - Up to 7300 days (20 years) can be imported (First activity date)
init_reports_days_before = 7300
; init_indicators_minutes_before = 480
init_indicators_minutes_before = 60
init_actors_days_before = 7300
; Unique local tags - Used to identify CrowdStrike imports **DEPRECATED**
; reports_unique_tag = CrowdStrike: REPORT
; indicators_unique_tag = CrowdStrike: INDICATOR
; actors_unique_tag = CrowdStrike: ADVERSARY
; Standard local tags
; You can add additional tags here, and they will be appended to each event created
; Example: reports_tags = ${CrowdStrike:reports_unique_tag},My_Custom_Tag_1,My_Custom_Tag_2
; reports_tags = ${CrowdStrike:reports_unique_tag}
; indicators_tags = ${CrowdStrike:indicators_unique_tag}
; actors_tags = ${CrowdStrike:actors_unique_tag}
reports_tags =
indicators_tags =
actors_tags =
; Used to locally tag unattributed indicators
unknown_mapping = CrowdStrike:indicator:galaxy: UNATTRIBUTED
unattributed_title = Unattributed indicators:
; INDICATOR EVENT TITLES
; Indicator type
indicator_type_title = Indicator Type:
; Indicator family
malware_family_title = Malware Family:
[MISP]
; The URL of your MISP instance.
misp_url = https://MISP_URL_GOES_HERE
; The authentification key of the user adding the events.
misp_auth_key = MISP AUTH KEY
; The UUID of the Crowdstrike organisation in your MISP instance.
crowdstrike_org_uuid = CROWDSTRIKE ORG UUID
; File to use to track malware that has no galaxy mapping.
miss_track_file = no_galaxy_mapping.log
; File that contains our known galaxy association mappings.
galaxies_map_file = galaxy.ini
; Do we require SSL to connect to the MISP instance?
misp_enable_ssl = False
; Limit initial Malware Family event lookups to a specified date range.
misp_malware_family_range = 30d
; ### PERFORMANCE TUNING ###
; These values allow you to adjust application behavior
; to better suit the requirements of your environment.
; Maximum number of potential attributes to include
; in a singular event update (Indicators only).
; Should not exceed the value of "api_request_max".
; Adjusting this value will also impact the amount of memory
; used during each iteration of the processing loop.
ind_attribute_batch_size = 2500
; How many seconds will we allow saves to take before discarding
; the MISP event object and requesting a new one (seconds)
event_save_memory_refresh_interval = 180
; Maximum number of threads to use for processing
; A null value allows the application to determine
max_threads =
; max_threads = 64
; max_threads = 32
; Ludicrous speed... *Warning*
; max_threads = 128
[TAGGING]
tag_unknown_galaxy_maps = True
taxonomic_KILL-CHAIN = True
taxonomic_INFORMATION-SECURITY-DATA-SOURCE = True
taxonomic_TYPE = True
taxonomic_IEP = False
taxonomic_IEP2 = True
taxonomic_IEP2_VERSION = False
taxonomic_TLP = True
taxonomic_WORKFLOW = True
[PROXY]
; http = http://my.http.proxy:8080
; https = https://my.https.proxy
[EXTRA_HEADERS]
; Headers will be provided as strings regardless of datatype
; ExampleHeader1 = StringExample
; ExampleHeader2 = False
; ExampleHeader3 = 40