MISP 2.0.0
App Vendor: MISP
App Category: Data Enrichment & Threat Intelligence
Connector Version: 2.0.0
API Version: 1.0.0
About App
The MISP threat sharing platform is an open-source threat intelligence platform to collect, share, sort, and correlate threat indicators, financial fraud information, vulnerability information, and indicators of compromise of targeted attacks.
The MISP app is configured with the Orchestrate application to perform the following actions:
Action Name | Description |
---|---|
Add Event | This action creates an event on the MISP platform. |
Search Events | This action searches for and retrieves events from the MISP platform. |
Get Event Information | This action retrieves all event details for the entered event ID and its related events. |
Add Attribute | This action adds an attribute to the entered event ID. |
Search Attributes | This action searches for and retrieves details of an attribute from the MISP platform. |
Add Tag to Event | This action adds a tag to an event. |
Download Malware Samples from Hash | This action retrieves malware sample files from an event. |
Get Attribute | This action retrieves details about an attribute. |
Get Tags | This action retrieves all available tags. |
Upload Malware File from Path | This action uploads a file using a file path as an attribute to an event. |
Upload Malware Sample Content | This action uploads a file sample content as an attribute to an event. |
Configuration Parameters
The following configuration parameters are required for the MISP app to communicate with the MISP enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
API Key | Enter the MISP API key. Example: "XXXXg6sgds-asdg-7sd7-sdg7s8-sd554sd" | Text | Required | |
Base URL | Enter the MISP base URL. Example: "https://misp.corp.tld" | Text | Required | |
Verify SSL | Optional parameter to verify the SSL certificate. Example: True | Boolean | Optional | Allowed values: True, False. Default value: False |
Action: Add an Event
This action creates an event on the MISP platform.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Date | Enter the date in the yyyy-mm-dd format. Example: "2022-04-31" | Text | Required | |
Threat Level ID | Enter the threat level for the event. Example: "2" | Text | Required | Allowed values: |
Event Info | Enter a brief description of the event. Example: "osint - gallium: targeting global telecom" | Text | Required | |
Analysis | Enter the analysis status for the event. Example: "2" | Text | Required | Allowed values: |
Distribution | Enter the allowed communities. This parameter controls who can view the information after it is published. Example: "2" | Text | Required | Allowed values: |
Attribute Type | Enter the attribute type for the event. Example: "domain" | Text | Required | |
Event Category | Enter the category for the event. Example: "network activity" | Text | Required | |
Attribute Value | Enter the attribute value for the event. The value must correspond to the type entered in the Attribute Type parameter: if Attribute Type is domain, Attribute Value must be a domain. Example: "domain" | Text | Required | |
Comment | Enter a comment for the event. Example: "global telecom event" | Text | Optional | |
Published | Enter whether the event should be published. Example: True | Boolean | Required | Allowed values: True, False |
To IDs | Enter your preference to restrict results to to_ids only. To restrict the returned data set to to_ids-only attributes, set this parameter to 1. By default (0), all attributes that match the other filter parameters are returned, regardless of their to_ids setting. Example: 0 | Integer | Optional | You can also use the special "exclude" setting to return only attributes that have the to_ids flag disabled. Default is 0. For more details, check the MISP documentation. |
Example Request
```json
[ { "date": "2021-10-31", "threat_level_id": "2", "event_info": "osint - gallium: targeting global telecom", "analysis": "2", "distribution": "2", "attribute_type": "domain", "event_category": "network activity", "attribute_value": "domain", "comment": "global telecom event", "published": true, "to_ids": "0" } ]
```
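An added example, not part of the MISP app or its documentation: a hypothetical Python helper that validates an Add Event payload against the parameter table above before it is handed to the action. It assumes the attribute value should be a real instance of the stated Attribute Type (a domain name when the type is domain), checks that the date is calendar-valid as well as yyyy-mm-dd shaped, and serializes with json.dumps so the body carries JSON true/false rather than Python literals.

```python
import json
import re
from datetime import date

# Hypothetical validator (not part of the MISP app or Orchestrate) for the
# Add Event payload documented above; to_ids accepts the page's "0"/0 forms.
REQUIRED_KEYS = ("date", "threat_level_id", "event_info", "analysis", "distribution",
                 "attribute_type", "event_category", "attribute_value", "published")
TO_IDS_VALUES = {"0", "1", 0, 1}
# Assumed shape check: a domain attribute should carry a real domain name.
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)

# Constructed sample mirroring the Add Event example request above.
SAMPLE_EVENT = {
    "date": "2021-10-31", "threat_level_id": "2", "analysis": "2", "distribution": "2",
    "event_info": "osint - gallium: targeting global telecom", "published": True,
    "attribute_type": "domain", "event_category": "network activity",
    "attribute_value": "example.com", "comment": "global telecom event", "to_ids": "0",
}

def parse_misp_date(text):
    """Accept only a calendar-valid yyyy-mm-dd string (so 2022-04-31 is rejected)."""
    if not re.fullmatch(r"\d{4}-\d{2}-\d{2}", text):
        raise ValueError(f"date must be yyyy-mm-dd, got {text!r}")
    try:
        return date(*(int(part) for part in text.split("-")))
    except ValueError:
        raise ValueError(f"impossible date {text!r}") from None

def build_add_event(**fields):
    """Return the JSON body for the Add Event action after validating the fields."""
    missing = [key for key in REQUIRED_KEYS if key not in fields]
    if missing:
        raise ValueError(f"missing required fields: {missing}")
    parse_misp_date(fields["date"])
    if not isinstance(fields["published"], bool):
        raise ValueError("published must be a boolean")
    if fields.get("to_ids", 0) not in TO_IDS_VALUES:
        raise ValueError("to_ids must be 0 or 1")
    if fields["attribute_type"] == "domain" and not DOMAIN_RE.match(fields["attribute_value"]):
        raise ValueError(f"{fields['attribute_value']!r} is not a valid domain")
    return json.dumps([fields])  # emits true/false, never Python's True/False

def validation_error(**fields):
    """None when the payload is valid, otherwise the validation message."""
    try:
        build_add_event(**fields)
    except ValueError as exc:
        return str(exc)
    return None
```

Running validation_error over the Date example given in the table ("2022-04-31") reports an impossible date, which is the kind of input a playbook should reject before the request reaches MISP.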
Action: Search Events
This action searches for and retrieves events from the MISP platform.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query Object | Enter the required search parameters. Example: $JSON[{"limit": 10}] | Key Value | Optional | Allowed keys: the keys shown in the example request below |
Example Request
```json
[ { "post_query_params": { "page": 0, "limit": 1, "sort": "timestamp", "direction": "asc", "minimal": false, "attribute": "domain", "eventid": "12345", "datefrom": "2021-03-05", "dateuntil": "2021-03-05", "org": "cyware", "eventinfo": "Phishing campaign", "tag": "tlp:white", "tags": [ "tlp:amber", "cycat:scope=\"exploit\"" ], "distribution": "0", "sharinggroup": "1", "analysis": "0", "threatlevel": "1", "email": "admin@example.com", "hasproposal": "1", "timestamp": "1", "publish_timestamp": "1", "searchDatefrom": "2020-01-20", "searchDateuntil": "2020-01-20" } } ]
```
Action: Get Event Information
This action retrieves event details for the entered event ID and related events.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Event ID or UUID | Enter the event ID or UUID for which you want to fetch details. Example: "12345" | Text | Required | You can retrieve the event ID using the Search Event API. |
Example Request
```json
[ { "event_id": "12345" } ]
```
Action: Add Attribute
This action adds an attribute to the entered event ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Event ID | Enter the event ID for which you want to add the attribute. Example: "12345" | Text | Required | You can retrieve the event ID using the Search Event API. |
Event Category | Enter the event category for the event. Example: "network activity" | Text | Optional | |
Value Type | Enter the attribute type for the event. Example: "domain" | Text | Optional | |
Value | Enter the attribute value for the event. The value must correspond to the type entered in the Value Type parameter: if Value Type is domain, Value must be a domain. Example: "domain" | Text | Optional | |
Distribution | Enter the allowed communities. This parameter controls who can view the information once it is published. Example: "2" | Text | Optional | Allowed values: |
Comment | Enter a comment for the event. Example: "global telecom event" | Text | Optional | |
To IDs | Enter your preference to restrict results to to_ids only. To restrict the returned data set to to_ids-only attributes, set this parameter to 1. By default (0), all attributes that match the other filter parameters are returned, regardless of their to_ids setting. Example: 0 | Integer | Optional | |
Example Request
```json
[ { "event_id": "12345", "event_category": "network activity", "attribute_type": "domain", "attribute_value": "domain", "distribution": "2", "comment": "global telecom event", "to_ids": 0 } ]
```
Action: Search Attributes
This action searches for and retrieves details of an attribute from the MISP platform.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query Parameters | Enter the required search parameters. Example: $JSON[{"limit": 10}] | Key Value | Optional | Allowed keys: the keys shown in the example request below |
Example Request
```json
[ { "post_query_params": { "page": 0, "limit": 1, "value": "127.0.0.1", "type": "md5", "category": "Internal reference", "org": "12345", "tags": [ "tlp:amber" ], "from": "string", "to": "string", "last": 0, "eventid": "12345", "withAttachments": false, "uuid": "c99506a6-1255-4b71-afa5-7b8ba48c3b1b", "publish_timestamp": "1617875568", "published": false, "timestamp": "1617875568", "attribute_timestamp": "1617875568", "enforceWarninglist": true, "to_ids": true, "deleted": false, "event_timestamp": "1617875568", "threat_level_id": "1", "eventinfo": "string", "decayingModel": "string", "score": "string", "first_seen": "string", "last_seen": "string", "includeEventUuid": false, "includeEventTags": false, "includeProposals": false, "requested_attributes": [ "id" ], "includeContext": true, "headerless": true, "includeWarninglistHits": true, "attackGalaxy": "mitre-attack", "object_relation": "filepath", "includeSightings": true, "includeCorrelations": true, "modelOverrides": { "lifetime": 3, "decay_speed": 2.3, "threshold": 30, "default_base_score": 80, "base_score_config": { "estimative-language:confidence-in-analytic-judgment": 0.25, "estimative-language:likelihood-probability": 0.25, "phishing:psychological-acceptability": 0.25, "phishing:state": 0.2 } }, "includeDecayScore": false, "includeFullModel": false, "excludeDecayed": false, "returnFormat": "json" } } ]
```
Action: Add Tag to Event
This action adds a tag to an event.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Event ID | Enter the ID of the event to add a tag. Example: "27719" | Text | Required | |
Tag ID | Enter the tag to add to the event. Example: "2" | Text | Required | |
Example Request
```json
[ { "tag_id": "2", "event_id": "4" } ]
```
Action: Download Malware Samples From Hash
This action retrieves malware sample files from an event.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
MD5 hash | Enter the hash for which you want to download malware samples. Example: "098f6bcd4621d373cade4e832627b4f6" | Text | Required | |
Example Request
```json
[ { "md5_hash": "098f6bcd4621d373cade4e832627b4f6" } ]
```
Action: Get Attribute
This action retrieves details about an attribute.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Attribute ID | Enter the ID or UUID of the attribute to get details about. Example: "62698a46-f550-478f-9768-0153ac110002" | Text | Required | |
Example Request
```json
[ { "attribute_id": "1" } ]
```
Action: Get Tags
This action retrieves all available tags.
Action Input Parameters
This action does not require any input parameter.
Action: Upload Malware File From Path
This action uploads a file using a file path as an attribute to an event.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Event ID | Enter the event ID of the event to add this file. Example: "27719" | Text | Required | |
Filename | Enter the path of the file to upload. Example: "/tmp/17034f1a-1586-4db4-be4b-c2f70aa5b0ed/samplefile.txt" | Text | Required | |
Threat level ID | Enter the threat level ID of this file. 0 = high, 1 = medium, 2 = low, 3 = undefined | Integer | Required | Allowed values: 0, 1, 2, 3 |
Comment | Enter any comments about this file or its contents. Example: "Sample Comment" | Text | Optional | |
Example Request
```json
[ { "comment": "Sample Comment", "event_id": "27719", "filename": "/tmp/17034f1a-1586-4db4-be4b-c2f70aa5b0ed/samplefile.txt", "threat_level_id": "3" } ]
```
Action: Upload Malware Sample Content
This action uploads file sample content as an attribute to an event.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Event ID | Enter the event ID of the event to add this file. Example: "27719" | Text | Required | |
Filename | Enter the file name of this file. Example: "samplefile.txt" | Text | Required | |
Base64 encoded data | Enter the base64 encoded data of the file to upload. Example: "dgvzda==" | Text | Required | |
Threat level ID | Enter the threat level ID of this file. Example: 3 | Integer | Required | Allowed values: |
Comment | Enter any comments about this file or its contents. Example: "Sample Comment" | Text | Optional | |
Example Request
```json
[ { "comment": "Sample Comment", "event_id": "4", "filename": "samplefile.txt", "threat_level_id": 3, "base64_encoded_data": "dGVzdA==" } ]
```