The MISP operator will send extracted artifacts to your MISP instance, as objects attached to events.

When this plugin is configured, events should show up on your MISP instance with the name “ThreatIngestor Event: {SOURCE}”, where “{SOURCE}” is the name of the source plugin that extracted the attached objects. Artifact context (reference link and text, if any) will also be attached to the event, as “internal” objects.

The following artifacts are supported by the MISP plugin:

  • Domains
  • Hashes (MD5, SHA1, SHA256)
  • IP Addresses
  • URLs
  • YARA Signatures

If other artifact types are sent through this plugin, the artifacts will be ignored.

Configuration Options

  • module (required): misp
  • url (required): Base URL for your MISP instance.
  • secret_key (required): Your MISP authentication key.
  • ssl: Verify SSL certificate? (default: true)
  • tags: List of tags to attach to events (default: [type:OSINT])

Example Configuration

The following example assumes MISP credentials have already been configured in the credentials section of the config, like this:

  - name: misp-auth
    url: http://mymisp
    key: MYKEY
    ssl: false

Inside the operators section of your configuration file:

- name: mymisp
  module: misp
  credentials: misp-auth