MISP¶
The MISP operator will send extracted artifacts to your MISP instance, as objects attached to events.
When this plugin is configured, events should show up on your MISP instance with the name “ThreatIngestor Event: {SOURCE}”, where “{SOURCE}” is the name of the source plugin that extracted the attached objects. Artifact context (reference link and text, if any) will also be attached to the event, as “internal” objects.
The following artifacts are supported by the MISP plugin:
- Domains
- Hashes (MD5, SHA1, SHA256)
- IP Addresses
- URLs
- YARA Signatures
If other artifact types are sent through this plugin, the artifacts will be ignored.
Configuration Options¶
module
(required):misp
url
(required): Base URL for your MISP instance.secret_key
(required): Your MISP authentication key.ssl
: Verify SSL certificate? (default: true)tags
: List of tags to attach to events (default:[type:OSINT]
)
Example Configuration¶
The following example assumes MISP credentials have already been
configured in the credentials
section of the config, like this:
credentials:
- name: misp-auth
url: http://mymisp
key: MYKEY
ssl: false
Inside the operators
section of your configuration file:
- name: mymisp
module: misp
credentials: misp-auth