Supported Cortex XSOAR versions: 5.5.0 and later.
Indicators feed from MISP. This integration was integrated and tested with version 1.0 of MISP Feed.
Navigate to Settings > Integrations > Servers & Services.
Search for MISP Feed.
Click Add instance to create and configure a new integration instance.
| Parameter | Description | Required |
| --- | --- | --- |
| Your server URL | | True |
| API Key | The API Key to use for the connection. | True |
| Trust any certificate (not secure) | | False |
| Use system proxy settings | | False |
| Fetch indicators | | False |
| Incremental Feed | Incremental feeds pull only new or modified indicators that have been sent from the integration. The determination if the indicator is new or modified happens on the 3rd-party vendor's side, and only indicators that are new or modified are sent to Cortex XSOAR. Therefore, all indicators coming from these feeds are labeled new or modified. | False |
| Indicator Reputation | Indicators from this integration instance will be marked with this reputation. | False |
| Source Reliability | Reliability of the source providing the intelligence data. | True |
| | | False |
| | | False |
| Feed Fetch Interval | | False |
| Bypass exclusion list | When selected, the exclusion list is ignored for indicators from this feed. This means that if an indicator from this feed is on the exclusion list, the indicator might still be added to the system. | False |
| Attribute Tags | Attribute tags to get. You can enter a comma-separated list of tags, for example <tag1,tag2,tag3>. | False |
| Attribute Types | Attribute types to get. You can enter a comma-separated list of types, for example <type1,type2,type3>. | False |
| Query | JSON query to filter MISP attributes. When a query parameter is used, Attribute Types and Attribute Tags parameters are not used. You can check for the correct syntax at https://<Your MISP url>/servers/openapi#operation/restSearchAttributes | False |
| Traffic Light Protocol Color | The Traffic Light Protocol (TLP) designation to apply to indicators fetched from the feed, | False |
Click Test to validate the URLs, token, and connection.
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
Gets indicators from the feed.
| Argument Name | Description | Required |
| --- | --- | --- |
| limit | The maximum number of results to return. Default is 10. | Optional |
| tags | Tags of the attributes to search for. | Optional |
| attribute_type | Types of the attributes to search for. | Optional |
| query | JSON query to filter MISP attributes. When a query argument is used attribute_type and tags arguments are not used. You can check for the correct syntax at https://<Your MISP url>/servers/openapi#operation/restSearchAttributes. | Optional |
!misp-feed-get-indicators tags=tlp:% attribute_type=ip-src
Retrieved 7 indicators.
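The rule stated for the Query parameter and the `query` argument (a query replaces the tag and type filters rather than combining with them) is easy to miss when all three are set on one instance. The following is an added Python example, not the integration's own code: the function names and the mapping of the comma-separated filters onto `OR` lists are assumptions of this example, and the sample inputs are constructed.

```python
import json


def split_csv(value):
    """Split a comma-separated parameter such as 'tag1,tag2' into a clean list."""
    return [item.strip() for item in (value or "").split(",") if item.strip()]


def build_search_body(tags=None, attribute_type=None, query=None, limit=10):
    """Build a request body for MISP's attributes restSearch endpoint.

    Returns (body, ignored), where `ignored` names the filters that were set
    but have no effect because a query was supplied. Assumption: this mapping
    is the example's own; the page only states the precedence rule.
    """
    ignored = []
    if query:
        try:
            body = json.loads(query)
        except json.JSONDecodeError as exc:
            # Fail closed: a malformed query must not fall back to an unfiltered fetch.
            raise ValueError(f"query is not valid JSON: {exc}") from exc
        if not isinstance(body, dict):
            raise ValueError("query must be a JSON object")
        if split_csv(tags):
            ignored.append("tags")
        if split_csv(attribute_type):
            ignored.append("attribute_type")
    else:
        body = {}
        if split_csv(tags):
            body["tags"] = {"OR": split_csv(tags)}
        if split_csv(attribute_type):
            body["type"] = {"OR": split_csv(attribute_type)}
    body["returnFormat"] = "json"
    body.setdefault("limit", limit)
    return body, ignored


if __name__ == "__main__":
    # Same filters as the command example on this page.
    print(build_search_body(tags="tlp:%", attribute_type="ip-src"))
    # Constructed query: the tag and type filters above no longer apply.
    print(build_search_body(tags="tlp:%", attribute_type="ip-src",
                            query='{"type": "domain", "to_ids": 1}'))
```

A non-empty `ignored` list means the feed scope is defined by the query alone, so any TLP or type restriction the operator intended must be written into the query itself.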