MISP

Integrate Validin's extensive passive DNS, WHOIS/RDAP, Certificates, and HTTP/S data directly into the MISP Threat Sharing platform for deeper enrichment and context.

The Validin MISP Integration connects a MISP instance to the Validin API. It lets you query across Validin's data sources (DNS, WHOIS and RDAP records, TLS certificates, and HTTP/S web crawls) and directly enrich domain names and IP addresses in your MISP instance.

What is MISP?

MISP Threat Sharing (formerly the Malware Information Sharing Program) is an open source threat intelligence sharing platform used by teams around the world to share threat intelligence. This integration enriches the following MISP attributes: domain, hostname, ip-src and ip-dst with Validin's internet intelligence data.

1. Prerequisites

To use the Validin MISP Integration:

  1. Ensure that you have MISP 2.4 or higher running on your MISP instance
  2. Python >= 3.9
    1. Individual package versioning is directly handled by the misp-modules service using poetry based on your Python version
    2. The Validin MISP module has no additional requirements besides what misp-modules already requires

For more information:

  1. Visit the Validin MISP Integration on Github

2. Installation

  1. Download the Validin MISP module from here
  2. Move the Validin MISP module into your misp-modules working directory
  3. Restart the MISP Modules Service
    1. For more information about setting up and starting MISP Modules: visit the misp-modules documentation
  4. Set Environment Variables
    1. Under the Administration Tab, select "Server Settings & Maintenance"
    2. Select the "Plugins" Tab and search for Validin.
    3. Expand the Enrichment accordion to see all Validin module settings
    4. Enable the Validin enrichment, and set the following environment variables:
      1. Endpoint: Your Validin endpoint (e.g. app.validin.com)
      2. API Key: Your Validin API Key (found in your Profile, under Settings > API Keys)
      3. Result Limit: Defaults to 100, but can be overridden

Manage your Validin MISP settings using the Plugin administration in the MISP server settings

3. API Usage and Quota

The Validin MISP module enriches attributes across multiple data sources, using multiple queries per enrichment.

API Rate Limits

Every action (hover and enrichment) using the Validin MISP integration uses a minimum of 5 API queries, and as many as 8, depending on the attribute type and your tier of plan. Monitor your API usage carefully to avoid overages.

4. Features

The Validin MISP integration is structured as an expansion module for your MISP platform. The module supports two modes for enriching MISP attributes, Enrichment mode and Hover mode, described below.

Validin can only enrich the following attribute types:

  • domain
  • hostname
  • ip-src
  • ip-dst

4.1 Enrichment Mode

The Validin MISP module provides a mechanism for deep enrichment using the "Add enrichment" and "Propose enrichment" icons, represented by asterisks, under the "Actions" column, to the right side of an attribute row.

Proposing or adding an enrichment will populate the enrichment table with all the records and attributes from a Validin enrichment. This enhanced context can enable users to decide if there are other suspicious attributes (domains/IPs) that are related to this event and should be added.

Enrichment Results table for validin.com. This shows all the associations for validin.com across the various data sources with which Validin enriches.

4.2 Hover Mode

The Validin MISP module provides a quick way to enrich attributes through Hover mode, which gives immediate context about any observed infrastructure.

Next to any attribute in a MISP event, click on "Show Hover Enrichment", represented by the zoom-in icon directly next to the value of the attribute.

The Hover pop-up includes the same context as the "Enrichment Results" table, but shows it in a more compact popup for usability.

Example hover popup for validin.com that includes the same details as the "Enrichment Results" table above

Tip

Use Hover mode when you only want immediate context for a domain or IP. Use Enrichment mode when you want the ability to add additional, related attributes to your MISP event.

5. Data Model

Use the table below to understand the Validin MISP data model.

Data Source                          | Lookback | Attribute                         | MISP Object Format
DNS                                  | 14 days  | domain, hostname, ip-src, ip-dst  | dns-record
Host Responses                       | 21 days  | domain, hostname, ip-src, ip-dst  | http-request, http-response
Registration (enterprise users only) | 30 days  | domain, hostname                  | whois
Subdomains                           | ---      | domain, hostname                  | domain
Certificates                         | ---      | domain, hostname                  | x509

6. Troubleshooting

Use the table below to troubleshoot and resolve common errors when using the Validin MISP Integration.

Issue / Error                            | Cause                         | Resolution
Unexpected "Empty Results" in hover mode | Missing environment variables | Ensure that your Validin module environment variables are set correctly, and verify that you have the correct API Key. Try an enrichment to view more verbose error descriptions.
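When hover results come back empty, it helps to query the misp-modules service directly, outside the MISP UI, to see whether the module is reachable and whether the settings from section 2 actually arrive. The script below is an added example, not code from the Validin module or the misp-modules project: it validates the attribute type against the four types listed in section 4, refuses to send a query without an Endpoint and API Key (the cause named in the troubleshooting table), builds the JSON body that misp-modules accepts on POST /query, and classifies the reply. The listener address, the module name and the config key names are assumptions; take the real ones from GET /modules on your misp-modules service.

```python
import json
import urllib.error
import urllib.request

MISP_MODULES_URL = "http://127.0.0.1:6666"   # assumed: misp-modules default listener
MODULE_NAME = "validin"                      # placeholder: use the name reported by GET /modules
SUPPORTED_TYPES = {"domain", "hostname", "ip-src", "ip-dst"}   # the only types the module enriches
QUERIES_PER_ACTION = (5, 8)                  # min and max Validin API queries per hover/enrichment


def build_query(attr_type, value, endpoint, api_key, limit=100):
    """Build the JSON body misp-modules expects on POST /query for an expansion module."""
    if attr_type not in SUPPORTED_TYPES:
        raise ValueError(f"{attr_type!r} is not enrichable; use one of {sorted(SUPPORTED_TYPES)}")
    if not endpoint or not api_key:
        # Most common cause of empty hover results: the plugin settings never reached the module.
        raise ValueError("Endpoint and API Key must both be set in the Validin plugin settings")
    return {
        "module": MODULE_NAME,
        "attribute": {"type": attr_type, "value": value},
        # assumed config key names; misp-modules passes the plugin settings through this dict
        "config": {"endpoint": endpoint, "api_key": api_key, "limit": str(limit)},
    }


def classify_response(resp):
    """Return (ok, summary) for a misp-modules reply; module errors arrive as {"error": "..."}."""
    if "error" in resp:
        return False, f"module error: {resp['error']}"
    results = resp.get("results") or {}
    objects = results.get("Object", []) if isinstance(results, dict) else results
    attrs = results.get("Attribute", []) if isinstance(results, dict) else []
    if not objects and not attrs:
        return False, "empty results: check API key/endpoint, then retry as a full enrichment"
    kinds = sorted({o.get("name", "?") for o in objects})
    return True, f"{len(objects)} objects ({', '.join(kinds)}), {len(attrs)} attributes"


def query_budget(actions):
    """(min, max) Validin API queries consumed by a number of hover/enrichment actions."""
    lo, hi = QUERIES_PER_ACTION
    return actions * lo, actions * hi


def post_query(payload, base_url=MISP_MODULES_URL):
    """Send the payload to misp-modules and return the decoded reply (network call)."""
    req = urllib.request.Request(f"{base_url}/query", data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=30) as r:
            return json.load(r)
    except (urllib.error.URLError, OSError) as exc:
        return {"error": f"misp-modules unreachable at {base_url}: {exc}"}


if __name__ == "__main__":
    q = build_query("domain", "validin.com", "app.validin.com", "REPLACE_WITH_API_KEY")
    print(classify_response(post_query(q)))
```

Run it on the MISP host after changing the plugin settings; a "module error" line names the reason the UI hides behind "Empty Results".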