MISP 1.0.0
App Vendor: MISP
App Category: Data Enrichment & Threat Intelligence
Connector Version: 1.0.0
API Version: 2.4.125
About App
The MISP threat sharing platform is an open-source threat intelligence platform to collect, share, sort, and correlate threat indicators, financial fraud information, vulnerability information, and indicators of compromise of targeted attacks.
The MISP app is configured with the Orchestrate application to perform the following actions:
Action Name | Description |
---|---|
Add Event | This action creates an event on the MISP platform. |
Search Events | This action searches for and retrieves events from the MISP platform. |
Get Event Details by ID | This action retrieves all details of the entered event ID together with its related events. |
Add Attribute to an Event | This action adds an attribute to the entered event ID. |
Search Attributes | This action searches for and retrieves details of an attribute from the MISP platform. |
Configuration Parameters
The following configuration parameters are required for the MISP app to communicate with the MISP enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
API Key | Enter the MISP API key. Example: "XXXXg6sgds-asdg-7sd7-sdg7s8-sd554sd" | Text | Required | |
Base URL | Enter the MISP base URL. Example: "https://misp.corp.tld" | Text | Required | |
Verify SSL | Whether to verify the MISP server's SSL/TLS certificate. Example: True | Boolean | Optional | Allowed values: True, False. Default value: False |
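The three configuration parameters above are all that the connector needs to build a MISP REST call. The following is an added illustration, not the Orchestrate MISP app's own code: the `Authorization`, `Accept` and `Content-Type` headers are MISP's REST API convention, while `validate_config`, `request_args` and `loggable` are names chosen for this example. It also shows the one caveat worth knowing about the table: with Verify SSL left at its default of False, any certificate is accepted, so the API key travels to whatever answers at the Base URL.

```python
"""Build the pieces of a MISP REST call from the app's configuration
parameters (API Key, Base URL, Verify SSL). Added example, not the
connector's code; header names follow MISP's REST API convention."""
import json
from urllib.parse import urljoin, urlsplit


def validate_config(api_key, base_url, verify_ssl=False):
    """Normalise an instance configuration and reject unusable values."""
    if not api_key or not api_key.strip():
        raise ValueError("API Key is required")
    parts = urlsplit(base_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("Base URL must be an https:// URL, e.g. https://misp.corp.tld")
    if isinstance(verify_ssl, str):  # playbooks sometimes pass the field as text
        verify_ssl = verify_ssl.strip().lower() == "true"
    return {
        "api_key": api_key.strip(),
        "base_url": base_url.rstrip("/") + "/",
        "verify_ssl": bool(verify_ssl),
    }


def request_args(config, path, body=None):
    """Return the keyword arguments a requests-style HTTP client would take.

    The Authorization header carries the API key in clear text, so the
    connection should be certificate-verified TLS before it is trusted."""
    if not config["verify_ssl"]:
        # Verify SSL defaults to False on this app; that accepts any
        # certificate, including one presented by an interposed proxy.
        print("warning: TLS certificate verification is disabled for", config["base_url"])
    return {
        "method": "GET" if body is None else "POST",
        "url": urljoin(config["base_url"], path.lstrip("/")),
        "headers": {
            "Authorization": config["api_key"],
            "Accept": "application/json",
            "Content-Type": "application/json",
        },
        "verify": config["verify_ssl"],
        "data": None if body is None else json.dumps(body),
    }


def loggable(args):
    """Copy of request_args output with the API key masked, for audit logs."""
    safe = {**args, "headers": dict(args["headers"])}
    key = safe["headers"]["Authorization"]
    safe["headers"]["Authorization"] = "****" + key[-4:]
    return safe


if __name__ == "__main__":
    cfg = validate_config("XXXXg6sgds-asdg-7sd7-sdg7s8-sd554sd",
                          "https://misp.corp.tld", verify_ssl=True)
    print(json.dumps(loggable(request_args(cfg, "/events/index")), indent=2))
```

`loggable` exists because the API key is a bearer credential: whatever the playbook writes to its run log should carry the masked copy, never the dictionary that goes to the HTTP client.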
Action: Add an Event
This action creates an event on the MISP platform.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Date | Enter the date in the yyyy-mm-dd format. Example: "2021-10-31" | Text | Required | |
Select Threat Level | Enter the threat level for the event. Example: "2" | Text | Required | Allowed values: |
Event Information | Enter a brief description of the event. Example: "osint - gallium: targeting global telecom" | Text | Required | |
Analysis Status | Enter the analysis status for the event. Example: "2" | Text | Required | Allowed values: |
Allowed Communities | Enter the allowed communities. This parameter controls who can view the information after it is published. Example: "2" | Text | Required | Allowed values: |
Attribute Type | Enter the attribute type for the event. Example: "domain" | Text | Required | |
Event Category | Enter the category for the event. Example: "network activity" | Text | Required | |
Attribute Value | Enter the attribute value for the event. The value must be of the type selected in the Attribute Type parameter; if Attribute Type is domain, Attribute Value must be a domain name. Example: "domain" | Text | Required | |
Comment | Enter a comment for the event. Example: "global telecom event" | Text | Optional | |
Published | Enter whether the event should be published. Example: True | Boolean | Required | Allowed values: True, False |
Example Request
```json
[
  {
    "date": "2021-10-31",
    "threat_level_id": "2",
    "event_info": "osint - gallium: targeting global telecom",
    "analysis": "2",
    "distribution": "2",
    "attribute_type": "domain",
    "event_category": "network activity",
    "attribute_value": "domain",
    "comment": "global telecom event",
    "published": true
  }
]
```
Action: Search Events
This action searches for and retrieves events from the MISP platform.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query Parameters | Enter the required search parameters. Example: {"limit": 10} | Key Value | Optional | Allowed keys: |
Example Request
```json
[
  {
    "post_query_params": {
      "page": 0,
      "limit": 1,
      "sort": "timestamp",
      "direction": "asc",
      "minimal": false,
      "attribute": "domain",
      "eventid": "12345",
      "datefrom": "2021-03-05",
      "dateuntil": "2021-03-05",
      "org": "cyware",
      "eventinfo": "Phishing campaign",
      "tag": "tlp:white",
      "tags": ["tlp:amber", "cycat:scope=\"exploit\""],
      "distribution": "0",
      "sharinggroup": "1",
      "analysis": "0",
      "threatlevel": "1",
      "email": "admin@example.com",
      "hasproposal": "1",
      "timestamp": "1",
      "publish_timestamp": "1",
      "searchDatefrom": "2020-01-20",
      "searchDateuntil": "2020-01-20"
    }
  }
]
```
Action: Get Event Details by ID
This action retrieves the details of the entered event ID together with its related events.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Event Id or UUID | Enter the event ID or UUID for which you want to fetch details. Example: "12345" | Text | Required | You can retrieve the event ID using the Search Events action. |
Example Request
```json
[
  {
    "event_id": "12345"
  }
]
```
Action: Add Attribute to an Event
This action adds an attribute to the entered event ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Event Id | Enter the event ID to which you want to add the attribute. Example: "12345" | Text | Required | You can retrieve the event ID using the Search Events action. |
Event Category | Enter the event category for the attribute. Example: "network activity" | Text | Optional | |
Attribute Type | Enter the attribute type. Example: "domain" | Text | Optional | |
Attribute Value | Enter the attribute value. The value must be of the type selected in the Attribute Type parameter; if Attribute Type is domain, Attribute Value must be a domain name. Example: "domain" | Text | Optional | |
Allowed Communities | Enter the allowed communities. This parameter controls who can view the information once it is published. Example: "2" | Text | Optional | Allowed values: |
Comment | Enter a comment for the attribute. Example: "global telecom event" | Text | Optional | |
Add Intrusion Detection System | Enter whether the attribute should be flagged for use by intrusion detection systems (the to_ids flag). Example: True | Boolean | Optional | Allowed values: True, False. Default value: False |
Example Request
```json
[
  {
    "event_id": "12345",
    "event_category": "network activity",
    "attribute_type": "domain",
    "attribute_value": "domain",
    "distribution": "2",
    "comment": "global telecom event",
    "to_ids": true
  }
]
```
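The Add Event and Add Attribute actions take the same kind of input: an enumeration code for threat level, analysis and distribution, plus a type/category/value triple whose value has to match its type. The code below is an added illustration of validating those inputs and mapping them to the bodies MISP expects for `/events/add` and `/attributes/add/{event_id}`; it is not the connector's code. Input key names follow the two example requests above, the enumerations are MISP's standard values (assumed, since this page does not list them), and `check_attribute`, `add_event_body` and `add_attribute_body` are this example's own names. It also makes the page's caveat concrete: the literal example value `"domain"` for a domain attribute is rejected, because a domain attribute's value must be a domain name.

```python
"""Validate Add Event / Add Attribute action inputs and map them to MISP
JSON bodies. Added example, not the Orchestrate MISP app's code."""
import re
from datetime import date
from ipaddress import ip_address

# MISP's standard enumerations (assumption: the page leaves them unlisted).
THREAT_LEVELS = {"1": "High", "2": "Medium", "3": "Low", "4": "Undefined"}
ANALYSIS = {"0": "Initial", "1": "Ongoing", "2": "Completed"}
DISTRIBUTION = {"0": "Your organisation only", "1": "This community only",
                "2": "Connected communities", "3": "All communities",
                "4": "Sharing group"}

DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$", re.I)
HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64}


def check_attribute(attr_type, value):
    """Ensure Attribute Value really is of the declared Attribute Type."""
    v = str(value).strip()
    if not v:
        raise ValueError("attribute_value is empty")
    if attr_type == "domain":
        if not DOMAIN_RE.match(v):  # rejects the page's literal example "domain"
            raise ValueError(f"{v!r} is not a domain name")
    elif attr_type in ("ip-src", "ip-dst"):
        ip_address(v)  # raises ValueError for anything that is not an IP address
    elif attr_type in HASH_LEN:
        if not re.fullmatch(r"[0-9a-f]{%d}" % HASH_LEN[attr_type], v, re.I):
            raise ValueError(f"{v!r} is not a {attr_type} hash")
    return v


def _enum(name, value, allowed):
    """Accept only a documented code for threat level, analysis or distribution."""
    if str(value) not in allowed:
        raise ValueError(f"{name}={value!r}; allowed: {sorted(allowed)}")
    return str(value)


def _as_bool(value):
    """Booleans may arrive as JSON true/false or as the text "True"/"False"."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"


def add_event_body(action):
    """Map one Add Event action input to the MISP event JSON body."""
    date.fromisoformat(action["date"])  # enforces the yyyy-mm-dd format
    attr_type = action["attribute_type"]
    return {"Event": {
        "date": action["date"],
        "threat_level_id": _enum("threat_level_id", action["threat_level_id"], THREAT_LEVELS),
        "info": action["event_info"],
        "analysis": _enum("analysis", action["analysis"], ANALYSIS),
        "distribution": _enum("distribution", action["distribution"], DISTRIBUTION),
        "published": _as_bool(action.get("published", False)),
        "Attribute": [{
            "type": attr_type,
            "category": action["event_category"],
            "value": check_attribute(attr_type, action["attribute_value"]),
            "comment": action.get("comment", ""),
        }],
    }}


def add_attribute_body(action):
    """Map one Add Attribute action input to the MISP attribute JSON body."""
    if not str(action["event_id"]).isdigit():
        raise ValueError("event_id must be a numeric MISP event id")
    attr_type = action["attribute_type"]
    body = {
        "type": attr_type,
        "category": action["event_category"],
        "value": check_attribute(attr_type, action["attribute_value"]),
        "comment": action.get("comment", ""),
        "to_ids": _as_bool(action.get("to_ids", False)),
    }
    if "distribution" in action:
        body["distribution"] = _enum("distribution", action["distribution"], DISTRIBUTION)
    return body
```

`check_attribute` covers only the types a playbook most often pushes (domain, ip-src, ip-dst, md5, sha1, sha256); other MISP types pass through unchecked apart from being non-empty, which is the place to extend it.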
Action: Search Attributes
This action searches for and retrieves details of an attribute from the MISP platform.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query Parameters | Enter the required search parameters. Example: {"limit": 10} | Key Value | Optional | Allowed keys: |
Example Request
```json
[
  {
    "post_query_params": {
      "page": 0,
      "limit": 1,
      "value": "127.0.0.1",
      "type": "md5",
      "category": "Internal reference",
      "org": "12345",
      "tags": ["tlp:amber"],
      "from": "string",
      "to": "string",
      "last": 0,
      "eventid": "12345",
      "withAttachments": false,
      "uuid": "c99506a6-1255-4b71-afa5-7b8ba48c3b1b",
      "publish_timestamp": "1617875568",
      "published": false,
      "timestamp": "1617875568",
      "attribute_timestamp": "1617875568",
      "enforceWarninglist": true,
      "to_ids": true,
      "deleted": false,
      "event_timestamp": "1617875568",
      "threat_level_id": "1",
      "eventinfo": "string",
      "decayingModel": "string",
      "score": "string",
      "first_seen": "string",
      "last_seen": "string",
      "includeEventUuid": false,
      "includeEventTags": false,
      "includeProposals": false,
      "requested_attributes": ["id"],
      "includeContext": true,
      "headerless": true,
      "includeWarninglistHits": true,
      "attackGalaxy": "mitre-attack",
      "object_relation": "filepath",
      "includeSightings": true,
      "includeCorrelations": true,
      "modelOverrides": {
        "lifetime": 3,
        "decay_speed": 2.3,
        "threshold": 30,
        "default_base_score": 80,
        "base_score_config": {
          "estimative-language:confidence-in-analytic-judgment": 0.25,
          "estimative-language:likelihood-probability": 0.25,
          "phishing:psychological-acceptability": 0.25,
          "phishing:state": 0.2
        }
      },
      "includeDecayScore": false,
      "includeFullModel": false,
      "excludeDecayed": false,
      "returnFormat": "json"
    }
  }
]
```
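The example request above lists every key the action accepts; a playbook normally sends a handful of them for one observed indicator and then has to decide what to do with the reply. The code below is an added illustration of both halves, not the connector's code. `search_body` uses only keys that appear in the example request (`value`, `type`, `to_ids`, `enforceWarninglist`, `includeEventTags`, `limit`, `page`, `returnFormat`); the reply shape it parses (`response.Attribute[]` with `Event` and `Tag` sub-objects) is MISP's restSearch JSON as assumed here, since the page shows only the request, and `SAMPLE_RESPONSE` is constructed for the example.

```python
"""Search Attributes in practice: build the request for one indicator and
reduce MISP's reply to what a playbook acts on. Added example, not the
Orchestrate MISP app's code; the reply shape is an assumption."""
import json


def search_body(value, attr_type, limit=10, page=1):
    """Restrict the search to actionable, non-warninglisted indicators."""
    if not value:
        raise ValueError("a value to search for is required")
    if limit < 1 or page < 1:
        raise ValueError("limit and page are positive integers")
    return {
        "returnFormat": "json",
        "value": value,
        "type": attr_type,
        "to_ids": True,               # only indicators flagged for detection
        "enforceWarninglist": True,   # drop hits on known-benign values
        "includeEventTags": True,     # carry tlp:* and other event tags
        "limit": limit,
        "page": page,
    }


# Constructed reply, in the shape assumed for MISP's restSearch JSON.
SAMPLE_RESPONSE = json.loads("""
{"response": {"Attribute": [
  {"id": "1", "event_id": "12345", "type": "domain", "category": "Network activity",
   "to_ids": true, "value": "bad.example.com", "timestamp": "1617875568",
   "Event": {"id": "12345", "info": "Phishing campaign"},
   "Tag": [{"name": "tlp:amber"}]},
  {"id": "2", "event_id": "12345", "type": "domain", "category": "Network activity",
   "to_ids": false, "value": "cdn.example.net", "timestamp": "1617875570",
   "Event": {"id": "12345", "info": "Phishing campaign"},
   "Tag": [{"name": "tlp:amber"}]},
  {"id": "3", "event_id": "777", "type": "ip-dst", "category": "Network activity",
   "to_ids": true, "value": "203.0.113.9", "timestamp": "1617875580",
   "Event": {"id": "777", "info": "Scanning infrastructure"},
   "Tag": [{"name": "tlp:white"}]}
]}}
""")


def summarize_hits(response):
    """Group returned attributes by event, keeping only to_ids ones."""
    events = {}
    for attr in response.get("response", {}).get("Attribute", []):
        if not attr.get("to_ids"):
            continue  # stored in MISP, but not meant to drive detection
        ev = events.setdefault(attr["event_id"], {
            "info": attr.get("Event", {}).get("info", ""),
            "values": [],
            "tags": set(),
        })
        ev["values"].append(f'{attr["type"]}:{attr["value"]}')
        ev["tags"].update(t["name"] for t in attr.get("Tag", []))
    return {k: {**v, "tags": sorted(v["tags"])} for k, v in events.items()}


def most_restrictive_tlp(summary):
    """Strictest TLP among the hits, so the playbook shares no wider than that."""
    order = ["tlp:white", "tlp:green", "tlp:amber", "tlp:red"]
    seen = [t for ev in summary.values() for t in ev["tags"] if t in order]
    return max(seen, key=order.index) if seen else None


if __name__ == "__main__":
    print(json.dumps(search_body("bad.example.com", "domain"), indent=2))
    hits = summarize_hits(SAMPLE_RESPONSE)
    print(json.dumps(hits, indent=2), most_restrictive_tlp(hits))
```

Filtering on `to_ids` client-side as well as in the request matters when the body is later widened (for instance to list context attributes): the summary then still only forwards indicators MISP marks as detection-worthy, and the TLP check keeps a ticket or block list from being shared more widely than the source event allows.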