
MISP Feed

This integration is part of the MISP Feed Pack.

Supported versions

Supported Cortex XSOAR versions: 5.5.0 and later.

Indicators feed from MISP. This integration was integrated and tested with version 1.0 of MISP Feed.

Configure MISP Feed on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for MISP Feed.

  3. Click Add instance to create and configure a new integration instance.

    | Parameter | Description | Required |
    | --- | --- | --- |
    | Your server URL | | True |
    | API Key | The API Key to use for the connection. | True |
    | Trust any certificate (not secure) | | False |
    | Use system proxy settings | | False |
    | Fetch indicators | | False |
    | Incremental Feed | Incremental feeds pull only new or modified indicators that have been sent from the integration. The determination if the indicator is new or modified happens on the 3rd-party vendor's side, and only indicators that are new or modified are sent to Cortex XSOAR. Therefore, all indicators coming from these feeds are labeled new or modified. | False |
    | Indicator Reputation | Indicators from this integration instance will be marked with this reputation. | False |
    | Source Reliability | Reliability of the source providing the intelligence data. | True |
    | | | False |
    | | | False |
    | Feed Fetch Interval | | False |
    | Bypass exclusion list | When selected, the exclusion list is ignored for indicators from this feed. This means that if an indicator from this feed is on the exclusion list, the indicator might still be added to the system. | False |
    | Attribute Tags | Attribute tags to get. You can enter a comma-separated list of tags, for example <tag1,tag2,tag3>. | False |
    | Attribute Types | Attribute types to get. You can enter a comma-separated list of types, for example <type1,type2,type3>. | False |
    | Query | JSON query to filter MISP attributes. When a query parameter is used, Attribute Types and Attribute Tags parameters are not used. You can check for the correct syntax at https://<Your MISP url>/servers/openapi#operation/restSearchAttributes | False |
    | Traffic Light Protocol Color | The Traffic Light Protocol (TLP) designation to apply to indicators fetched from the feed, | False |

  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

misp-feed-get-indicators


Gets indicators from the feed.

Base Command

misp-feed-get-indicators

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| limit | The maximum number of results to return. Default is 10. | Optional |
| tags | Tags of the attributes to search for. | Optional |
| attribute_type | Types of the attributes to search for. | Optional |
| query | JSON query to filter MISP attributes. When a query argument is used attribute_type and tags arguments are not used. You can check for the correct syntax at https://<Your MISP url>/servers/openapi#operation/restSearchAttributes. | Optional |
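
The precedence rule in the table above (a query replaces tags and attribute_type) is shown here as an added example; it is not the integration's own code. The function names are hypothetical, and the body shape (list values for `tags` and `type`, plus `returnFormat`) is an assumption to verify against the OpenAPI page of your MISP server.

```python
import json


def _split_csv(value):
    """Split a comma-separated argument, dropping empty entries."""
    return [part.strip() for part in value.split(",") if part.strip()]


def build_restsearch_body(tags="", attribute_type="", query="", limit=10):
    """Build a JSON body for an attribute restSearch request.

    Hypothetical helper that mirrors the documented behaviour: when a
    query is supplied, tags and attribute_type are not used.
    """
    if query:
        try:
            body = json.loads(query)
        except json.JSONDecodeError as exc:
            # Fail early instead of sending a malformed filter to the server.
            raise ValueError(f"query is not valid JSON: {exc}") from exc
        if not isinstance(body, dict):
            raise ValueError("query must be a JSON object")
    else:
        body = {}
        tag_list = _split_csv(tags)
        type_list = _split_csv(attribute_type)
        if tag_list:
            body["tags"] = tag_list      # assumed field name
        if type_list:
            body["type"] = type_list     # assumed field name
    # Keep values already present in a user-supplied query.
    body.setdefault("returnFormat", "json")
    body.setdefault("limit", limit)      # documented default is 10
    return body


if __name__ == "__main__":
    # Constructed inputs, matching the command example on this page.
    print(build_restsearch_body(tags="tlp:%", attribute_type="ip-src"))
    # A query wins over tags: "tags" does not appear in the result.
    print(build_restsearch_body(tags="tlp:%",
                                query='{"type": "sha256", "to_ids": true}'))
```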

Context Output

{
  "MISPFeed": {
    "Indicators": {
      "0": {
        "fields": {
          "Category": "Payload delivery",
          "Description": "desc",
          "SHA256": "somehash",
          "Updated Date": 1607517728,
          "trafficlightprotocol": "GREEN"
        },
        "rawJSON": {
          "FeedURL": "someurl",
          "type": "File",
          "value": {
            "Event": {
              "distribution": 1,
              "id": 123,
              "info": "some info",
              "org_id": 1,
              "orgc_id": 7,
              "uuid": "some uuid"
            },
            "category": "Payload delivery",
            "comment": "desc",
            "deleted": false,
            "disable_correlation": false,
            "distribution": 5,
            "event_id": 143,
            "first_seen": null,
            "id": 69548,
            "last_seen": null,
            "object_id": 0,
            "object_relation": null,
            "sharing_group_id": 0,
            "timestamp": 1607517728,
            "to_ids": true,
            "type": "sha256",
            "uuid": "some uuid",
            "value": "some hash"
          }
        },
        "service": "MISP",
        "type": "File",
        "value": "somehash"
      }
    }
  }
}

Command Example

!misp-feed-get-indicators tags=tlp:% attribute_type=ip-src

Human Readable Output

Retrieved 7 indicators.