Request apps on the Store

Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.

MISP Overview

MISP, which stands for Malware Information Sharing Platform, lets you exchange and share threat intelligence and Indicators of Compromise (IoCs) about the targeted malware and attacks within your community of trusted members. You can also share MISP information with private or open communities. By exchanging MISP information, you can investigate targeted attacks faster, improve the detection ratio, and reduce the number of false positives in your environment.

MISP and Security Operations

See the following example to learn how the MISP information flows with Security Operations applications.

Key features

Key concepts

• MISP is a Threat intelligence platform (TIP). You use TIPs to collect, correlate, categorize, share, and integrate security threat data in real time to support the prioritization of actions and aid in attack prevention, detection, and response.
• MISP is a Threat Intelligence Management (TIM). You use TIMs to turn threat data into threat intelligence through context and to automatically prioritize threats by user-defined scoring and relevance.
• MISP Data layer
  • Events are encapsulations for contextually linked information.
  • Attributes are individual data points, which can be indicators or supporting data.
  • Objects are custom template attribute compositions.
  • Object references are the relationships between the other building blocks.
  • Sightings are time-specific occurrences of a detected data-point.
• MISP Context layer
  • Tags are labels that are attached to events or attributes and may come from taxonomies.
  • Galaxy-clusters are knowledge base items that you can use to label events or attributes that come from galaxies.
  • Cluster relationships denote pre-defined relationships between clusters.
• Indicators contain a pattern that you can use to detect suspicious or malicious cyber activity.
• Attributes in MISP can be network indicators (IP address), system indicators (a string in memory), or even bank account details. The attributes in MISP are known as observables in other SIEMs or formats such as STIX.
  • A type describes the attribute. For example, MD5 or a URL.
  • The attribute category describes an attribute. For example, a payload delivery.
  • An IDS tag determines if an attribute can be automatically used for detection.

How your organization can benefit from MISP integration for Security Operations

Security analysts must gain and maintain situational awareness of the threat landscape, which means that they must manually consolidate and integrate an overwhelming amount of threat data. Gathering, consolidating, and integrating this data takes valuable time, which slows the detection and analysis of threats. MISP integration for Security Operations enables analysts to detect more threats and respond quicker by integrating the MISP security intelligence into an existing ServiceNow AI Platform instance.

By using the MISP integration for Security Operations, your organization can do the following actions:

• Enable your security analysts to respond quickly and with the right context.
• Improve your security team's efficiency by automating the incident flows for detecting and containing threats.
• Reduce manual research time and enable security analysts to operationalize and curate indicators from within the ServiceNow AI Platform.

Learn about this integration