AIPITCH
Two days of specification writing, discussions, architecture designs, writing down use-cases for one topic: combining LLMs and MISP. Where does it make sense? Which types of NLP tasks (use-case categories) would make sense for interacting with MISP?
Architecture
We came up with an initial architecture, written up in a HedgeDoc note: AIPITCH Kaplan - HedgeDoc
The architecture was reviewed by 4 people and deemed suitable for an initial implementation. We called this “PoC_v2” (version 1 was already done some time ago and is in MISP as “CTI Info Extractor”).
The specifications and strong guardrails (AGENTS.md, testing loops) resulted in a very first implementation (vibe coded, beware: this is still unreviewed) at https://github.com/ctitools/aipitch-design.
We treat this as a sample implementation, suitable for discussion and for trying out.
The assumption is that there is a MISP_HOST (a MISP dev instance) and a DEVELOPMENT_HOST (a Linux box) that can reach each other. The DEVELOPMENT_HOST has misp-modules cloned and runs them with the custom-modules path pointed at the repo's module directory:
.venv/bin/python -m misp_modules -c ./generic-ai-misp-module -l 127.0.0.1 -p 6666
There are plenty of unit tests, plus a sample summarization test that can be run against MISP_HOST via the API.
The event report is sent to the MISP module, which summarizes it and returns the summary, metadata and the appropriate ai-assisted MISP taxonomy tags; these get attached to the event.
The reasoning behind the tags is provenance: anything produced by the model must be identifiable as such, so that AI-generated content can be filtered out later if it turns out to be garbage.
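As an added illustration (not code from aipitch-design or from misp-modules itself), here is a minimal offline stub of such an expansion module written in the misp-modules style, with the LLM call replaced by a deterministic first-sentences summarizer, plus the filtering step that the provenance tags make possible. The module contract (handler/introspection/version, mispattributes, moduleinfo, moduleconfig) follows the real misp-modules convention; the tag strings are placeholders for the actual predicates of the ai-assisted taxonomy in misp-taxonomies, and the 'tags' key on a result entry is an assumption about what your MISP version attaches to the created attribute, so check both before relying on them.

```python
"""Offline stub of an AI summarisation expansion module in misp-modules style.

Added example, not the aipitch-design code. The LLM is replaced by a
deterministic summariser so the module can be exercised without a model
or a MISP instance. Tag strings are placeholders for the real predicates
of the ai-assisted taxonomy (misp-taxonomies), and the 'tags' key on a
result entry is assumed to be what MISP attaches to the created attribute.
"""
import json

mispattributes = {'input': ['text'], 'output': ['text']}
moduleinfo = {
    'version': '0.1',
    'author': 'example',
    'description': 'Stub summariser that tags its output as AI-generated',
    'module-type': ['expansion'],
}
moduleconfig = ['model_name']

# Placeholder namespace: the real predicates are defined in the
# ai-assisted taxonomy shipped with misp-taxonomies.
AI_TAG_PREFIX = 'ai-assisted:'


def stub_summarize(report, max_sentences=2):
    """Deterministic stand-in for the LLM: keep the first sentences."""
    sentences = [s.strip() for s in report.replace('\n', ' ').split('.') if s.strip()]
    if not sentences:
        return ''
    return '. '.join(sentences[:max_sentences]) + '.'


def build_tags(model_name):
    """Provenance tags: mark the output as generated and record the model."""
    return [f'{AI_TAG_PREFIX}generated', f'{AI_TAG_PREFIX}model="{model_name}"']


def summarize_event_report(report, model_name='stub-summarizer'):
    """Build the module result: summary, metadata and provenance tags."""
    return {
        'results': [{
            'types': ['text'],
            'values': [stub_summarize(report)],
            'tags': build_tags(model_name),
            'comment': f'Summary generated by {model_name}',
        }]
    }


def handler(q=False):
    """misp-modules entry point: q is the JSON request body as a string."""
    if q is False:
        return False
    request = json.loads(q)
    if 'text' not in request:
        return {'error': 'Unsupported attribute type, expected "text"'}
    config = request.get('config') or {}
    return summarize_event_report(request['text'], config.get('model_name', 'stub-summarizer'))


def introspection():
    return mispattributes


def version():
    moduleinfo['config'] = moduleconfig
    return moduleinfo


def is_ai_generated(tags):
    """True if any tag comes from the AI provenance namespace."""
    return any(t.startswith(AI_TAG_PREFIX) for t in tags)


def drop_ai_generated(attributes):
    """The filtering step the tags enable: keep only human-sourced attributes."""
    return [a for a in attributes if not is_ai_generated(a.get('tags', []))]


if __name__ == '__main__':
    # Constructed sample event report (not real CTI).
    report = ('The actor phished the finance team with a macro document.\n'
              'The payload beaconed to an attacker-controlled VPS.\n'
              'No lateral movement was observed.')
    result = handler(json.dumps({'text': report, 'config': {'model_name': 'local-llm'}}))
    print(json.dumps(result, indent=2))
    mixed = [{'value': 'analyst note', 'tags': ['tlp:green']},
             {'value': result['results'][0]['values'][0], 'tags': result['results'][0]['tags']}]
    print('human-only:', drop_ai_generated(mixed))
```

The point of the stub is the shape of the exchange rather than the summariser: every result the module hands back carries tags that name both the fact that a model produced it and which model, and drop_ai_generated shows how cheaply a consumer can exclude such content once those tags are reliably present.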
You can try it out by cloning the repo. Please note that we currently still see this as a “brainstorming” implementation.
Next steps
- review the code, adapt it, make sure the test coverage is good
- review the documentation; it should be written for humans, not for coding agents
- review the data format between the generic AI module and MISP
- add tracing, logging
- add telemetry
- test test test
- implement the prompts (system, use-case and user prompts)
- make sure they are configurable per org/user
- have MISP folks review it properly
- test some more
- push upstream
User interface impressions
(subject to change!)
(screenshot: config for the plugin)
(screenshot: labels get added to the event)
Feedback welcome in the repo!