The Malware Information Sharing Platform (MISP) tool facilitates the exchange of Indicators of Compromise (IOCs) about targeted malware and attacks, within your community of trusted members. MISP is a distributed IOC database containing technical and nontechnical information. Exchanging such information should result in faster detection of targeted attacks and improve the detection ratio, and also reduce the number of false positives.
This document provides information about the MISP connector, which facilitates automated interactions, with a MISP server using FortiSOAR™ playbooks. Add the MISP connector as a step in FortiSOAR™ playbooks and perform automated operations, such as creating an event in MISP and adding attributes in MISP.
Connector Version: 1.0.0
Compatibility with FortiSOAR™ Versions: 4.10.1-109 and later
Compatibility with MISP Versions: 2.4 and later
For the procedure to install a connector, click here.
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, select the MISP connector and click Configure to configure the following parameters:
| Parameter | Description |
|---|---|
| Server Name | Hostname or IP address of the MISP server to which you will connect and perform automated operations. |
| API Key | API key that is configured for your account for using the MISP server. |
| Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:
| Function | Description | Annotation and Category |
|---|---|---|
| Add Event | Creates an event and adds the new event in MISP. | add_event Investigation |
| Add Attributes to Event | Adds attributes that you specify to a MISP event. | update_record Investigation |
| Get Event | Retrieves information about an event based on the event ID that you specify. | get_event Investigation |
| Run Search | Searches for events or attributes in MISP based on the parameters you specify. | run_search Investigation |
| Delete Event | Deletes an event from MISP based on the event ID that you specify. | delete_event Miscellaneous |
| Delete Attribute from Event | Deletes an attribute from MISP based on the attribute ID that you specify. | update_event Miscellaneous |
| Parameter | Description |
|---|---|
| Distribution | Setting controls on who can view this event once it is published and eventually when it gets pulled. Apart from being able to set which users on this server are allowed to see the event, this also controls whether or not the event will be synchronized to other servers. You can choose between Your organization only, This community only, Connected communities, or All communities. |
| Threat Level | Indicates the risk level of the event. You can categorize events into different threat categories, which are Low, Medium, or High. You can also alternatively leave this field as Undefined. |
| Analysis Status | Indicates the current stage of analysis of the event. You can choose between Initial, Ongoing, or Completed. |
| Event Information | Brief description of the malware or event you are creating, including the internal reference for the event. You can add a detailed description of the event by adding attributes to the event after the event is created. |
| Source IP | Source IP that will be added as an attribute while creating the event. |
| Destination IP | Destination IP that will be added as an attribute while creating the event. |
| Domain | Domain that will be added as an attribute while creating the event. |
| Source Email | Source email address that will be added as an attribute while creating the event. |
| Destination Email | Destination email address that will be added as an attribute while creating the event. |
| URL | URL that will be added as an attribute while creating the event. |
| Attribute Distribution | Setting controls on who can view this attribute once it is published. This field inherits the distribution that is set on its parent event. |
| Other Attributes | Other attributes that you can add to the MISP event This parameter takes the input in the dict format, containing a key and value pair.For example, {“port”: 80, “md5”: “0042cacc71934ec8560ea9876801d5a7”} |
| Use Attribute as an IDS Signature | Select this checkbox if you want to add attributes for Intrusion Detection System (IDS) and this sets the to_IDS flag to True in MISP. |
| Comment | Comments can be added for attributes that will be used for informational purposes only and not for correlations. |
The JSON output contains the details of the newly added event.
Following image displays a sample output:
| Parameter | Description |
|---|---|
| Event ID | ID of the MISP event to which you want to add attributes. |
| Source IP | Source IP to be added as an attribute. |
| Destination IP | Destination IP to be added as an attribute. |
| Domain | Domain to be added as an attribute. |
| Source Email | Source email address to be added as an attribute. |
| Destination Email | Destination email address to be added as an attribute. |
| URL | URL to be added as an attribute. |
| Attribute Distribution | Setting controls on who can view this attribute once it is published. This field inherits the distribution that is set on its parent event. |
| Other Attributes | Other attributes that you can add to the MISP event This parameter takes the input in the dict format, containing a key and value pair.For example, {“port”: 80, “md5”: “0042cacc71934ec8560ea9876801d5a7”} |
| Use Attribute as an IDS Signature | Select this checkbox if you want to add attributes for Intrusion Detection System (IDS) and this sets the to_IDS flag to True in MISP. |
| Comment | Comments can be added for attributes that will be used for informational purposes only and not for correlations. |
The JSON output contains the details of the attributes added to the event based on the Event ID you have specified.
Following image displays a sample output:
| Parameter | Description |
|---|---|
| Event ID | ID of the MISP event for which you want to retrieve information. |
The JSON output contains the details of the event based on the Event ID you have specified.
Following image displays a sample output:
| Parameter | Description |
|---|---|
| Controller | Specifies whether you want to search Attributes or Events. |
| Maximum Results | (Optional) Maximum number of results that you want to return. By default, this is set to 10. |
| Event IDs (CSV Format) | (Optional) IDs of events based on which you want to run the search. |
| Tags | (Optional) Tags based on which you want to run the search. |
| Attribute Type | (Optional) Attribute type based on which you want to run the search. |
| Category | (Optional) Category based on which you want to run the search. |
| By UUID | (Optional) UUID based on which you want to run the search. |
| Tags | (Optional) Tags based on which you want to run the search. |
| Only Published Events(Applicable when controller is Events) | Select this check box if you want to return only published events. Note: This is only applicable when you have selected the Controlleras Event. |
| Other Filters | (Optional) Other filters based on which you want to run the search. This parameter takes the input in the dict format, containing a key and value pair.For example, {“values”:”8.8.8.8”, “not_values”:”google.com” } |
The JSON output contains details of the event(s) or attribute(s) that matches the query you have specified.
Following image displays a sample output, when you have specified Events as the controller:
Following image displays a sample output, when you have specified Attributes as the controller:
| Parameter | Description |
|---|---|
| Event ID | ID of the MISP event that you want to delete. |
The JSON output contains a status message specifying whether or not the event you have specified is deleted.
Following image displays a sample output:
| Parameter | Description |
|---|---|
| Attribute ID | ID of the MISP attribute that you want to delete. |
The JSON output contains a status message specifying whether or not the attribute you have specified is deleted.
Following image displays a sample output:
The Sample-MISP-1.0.0 playbook collection comes bundled with the MISP connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the MISP connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.
The Malware Information Sharing Platform (MISP) tool facilitates the exchange of Indicators of Compromise (IOCs) about targeted malware and attacks, within your community of trusted members. MISP is a distributed IOC database containing technical and nontechnical information. Exchanging such information should result in faster detection of targeted attacks and improve the detection ratio, and also reduce the number of false positives.
This document provides information about the MISP connector, which facilitates automated interactions, with a MISP server using FortiSOAR™ playbooks. Add the MISP connector as a step in FortiSOAR™ playbooks and perform automated operations, such as creating an event in MISP and adding attributes in MISP.
Connector Version: 1.0.0
Compatibility with FortiSOAR™ Versions: 4.10.1-109 and later
Compatibility with MISP Versions: 2.4 and later
For the procedure to install a connector, click here.
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, select the MISP connector and click Configure to configure the following parameters:
| Parameter | Description |
|---|---|
| Server Name | Hostname or IP address of the MISP server to which you will connect and perform automated operations. |
| API Key | API key that is configured for your account for using the MISP server. |
| Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:
| Function | Description | Annotation and Category |
|---|---|---|
| Add Event | Creates an event and adds the new event in MISP. | add_event Investigation |
| Add Attributes to Event | Adds attributes that you specify to a MISP event. | update_record Investigation |
| Get Event | Retrieves information about an event based on the event ID that you specify. | get_event Investigation |
| Run Search | Searches for events or attributes in MISP based on the parameters you specify. | run_search Investigation |
| Delete Event | Deletes an event from MISP based on the event ID that you specify. | delete_event Miscellaneous |
| Delete Attribute from Event | Deletes an attribute from MISP based on the attribute ID that you specify. | update_event Miscellaneous |
| Parameter | Description |
|---|---|
| Distribution | Setting controls on who can view this event once it is published and eventually when it gets pulled. Apart from being able to set which users on this server are allowed to see the event, this also controls whether or not the event will be synchronized to other servers. You can choose between Your organization only, This community only, Connected communities, or All communities. |
| Threat Level | Indicates the risk level of the event. You can categorize events into different threat categories, which are Low, Medium, or High. You can also alternatively leave this field as Undefined. |
| Analysis Status | Indicates the current stage of analysis of the event. You can choose between Initial, Ongoing, or Completed. |
| Event Information | Brief description of the malware or event you are creating, including the internal reference for the event. You can add a detailed description of the event by adding attributes to the event after the event is created. |
| Source IP | Source IP that will be added as an attribute while creating the event. |
| Destination IP | Destination IP that will be added as an attribute while creating the event. |
| Domain | Domain that will be added as an attribute while creating the event. |
| Source Email | Source email address that will be added as an attribute while creating the event. |
| Destination Email | Destination email address that will be added as an attribute while creating the event. |
| URL | URL that will be added as an attribute while creating the event. |
| Attribute Distribution | Setting controls on who can view this attribute once it is published. This field inherits the distribution that is set on its parent event. |
| Other Attributes | Other attributes that you can add to the MISP event This parameter takes the input in the dict format, containing a key and value pair.For example, {“port”: 80, “md5”: “0042cacc71934ec8560ea9876801d5a7”} |
| Use Attribute as an IDS Signature | Select this checkbox if you want to add attributes for Intrusion Detection System (IDS) and this sets the to_IDS flag to True in MISP. |
| Comment | Comments can be added for attributes that will be used for informational purposes only and not for correlations. |
The JSON output contains the details of the newly added event.
Following image displays a sample output:
| Parameter | Description |
|---|---|
| Event ID | ID of the MISP event to which you want to add attributes. |
| Source IP | Source IP to be added as an attribute. |
| Destination IP | Destination IP to be added as an attribute. |
| Domain | Domain to be added as an attribute. |
| Source Email | Source email address to be added as an attribute. |
| Destination Email | Destination email address to be added as an attribute. |
| URL | URL to be added as an attribute. |
| Attribute Distribution | Setting controls on who can view this attribute once it is published. This field inherits the distribution that is set on its parent event. |
| Other Attributes | Other attributes that you can add to the MISP event This parameter takes the input in the dict format, containing a key and value pair.For example, {“port”: 80, “md5”: “0042cacc71934ec8560ea9876801d5a7”} |
| Use Attribute as an IDS Signature | Select this checkbox if you want to add attributes for Intrusion Detection System (IDS) and this sets the to_IDS flag to True in MISP. |
| Comment | Comments can be added for attributes that will be used for informational purposes only and not for correlations. |
The JSON output contains the details of the attributes added to the event based on the Event ID you have specified.
Following image displays a sample output:
| Parameter | Description |
|---|---|
| Event ID | ID of the MISP event for which you want to retrieve information. |
The JSON output contains the details of the event based on the Event ID you have specified.
Following image displays a sample output:
| Parameter | Description |
|---|---|
| Controller | Specifies whether you want to search Attributes or Events. |
| Maximum Results | (Optional) Maximum number of results that you want to return. By default, this is set to 10. |
| Event IDs (CSV Format) | (Optional) IDs of events based on which you want to run the search. |
| Tags | (Optional) Tags based on which you want to run the search. |
| Attribute Type | (Optional) Attribute type based on which you want to run the search. |
| Category | (Optional) Category based on which you want to run the search. |
| By UUID | (Optional) UUID based on which you want to run the search. |
| Tags | (Optional) Tags based on which you want to run the search. |
| Only Published Events(Applicable when controller is Events) | Select this check box if you want to return only published events. Note: This is only applicable when you have selected the Controlleras Event. |
| Other Filters | (Optional) Other filters based on which you want to run the search. This parameter takes the input in the dict format, containing a key and value pair.For example, {“values”:”8.8.8.8”, “not_values”:”google.com” } |
The JSON output contains details of the event(s) or attribute(s) that matches the query you have specified.
Following image displays a sample output, when you have specified Events as the controller:
Following image displays a sample output, when you have specified Attributes as the controller:
| Parameter | Description |
|---|---|
| Event ID | ID of the MISP event that you want to delete. |
The JSON output contains a status message specifying whether or not the event you have specified is deleted.
Following image displays a sample output:
| Parameter | Description |
|---|---|
| Attribute ID | ID of the MISP attribute that you want to delete. |
The JSON output contains a status message specifying whether or not the attribute you have specified is deleted.
Following image displays a sample output:
The Sample-MISP-1.0.0 playbook collection comes bundled with the MISP connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the MISP connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.
