The Malware Information Sharing Platform (MISP) tool facilitates the exchange of Indicators of Compromise (IOCs) about targeted malware and attacks, within your community of trusted members. MISP is a distributed IOC database containing technical and non-technical information. Exchanging such information should result in faster detection of targeted attacks and improve the detection ratio, and also reduce the number of false positives.
This document provides information about the MISP connector, which facilitates automated interactions with a MISP server using FortiSOAR™ playbooks. Add the MISP connector as a step in FortiSOAR™ playbooks and perform automated operations, such as creating an event in MISP and adding attributes to an event in MISP.
Connector Version: 2.0.0
FortiSOAR™ Version Tested on: 6.4.1-2133 and 6.4.3-2885
Authored By: Fortinet
Certified: Yes
The following enhancements have been made to the MISP connector in version 2.0.0:
From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:
```shell
yum install cyops-connector-misp
```
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the MISP connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
| Parameter | Description |
|---|---|
| Server Name | Hostname or IP address of the MISP server to which you will connect and perform automated operations. |
| API Key | API key that is configured for your account for using the MISP server. |
| Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations from version 4.10.0 onwards:
| Function | Description | Annotation and Category |
|---|---|---|
| Add Event | Creates an event and adds the new event in MISP based on the event information and other input parameters you have specified. | add_event Investigation |
| Add Attributes to Event | Adds specified attributes to an existing MISP event based on the event ID, attribute type and value, and other input parameters you have specified. | update_record Investigation |
| Get Event | Retrieves information about an event from MISP based on the event ID that you have specified. | get_event Investigation |
| Run Search | Searches for events or attributes in MISP based on the input parameters that you have specified. | run_search Investigation |
| Delete Event | Deletes an event from MISP based on the event ID that you have specified. | delete_event Miscellaneous |
| Delete Attribute from Event | Deletes an attribute from a MISP event based on the attribute ID that you have specified. | update_event Miscellaneous |
| List All Tags | Retrieves a list of all existing tags from MISP. | get_tags Investigation |
| Add Tag | Adds a tag in MISP based on the tag name and other input parameters that you have specified. | add_tag Investigation |
| Add Tag to Event | Adds a tag to an existing event in MISP based on the tag and event ID that you have specified. | add_tag_to_event Investigation |
| Remove Tag from Event | Deletes the specified tag from an existing event in MISP based on the tag and event ID that you have specified. | remove_tag_from_event Investigation |
Input parameters for the Add Event operation:
| Parameter | Description |
|---|---|
| Event Information | Brief description of the malware or event you are creating, including the internal reference for the event. You can add a detailed description of the event by adding attributes to the event after the event is created. |
| Date | (Optional) Date on which you want to create the event in MISP. The date must be in the yyyy/mm/dd format. |
| Distribution | (Optional) Setting that controls who can view this event once it is published and, eventually, when it gets pulled. Apart from setting which users on this server are allowed to see the event, this also controls whether or not the event will be synchronized to other servers. You can choose between Your organization only, This community only, Connected communities, or All communities. |
| Threat Level | (Optional) Indicates the risk level of the event. You can categorize events into different threat categories: Low, Medium, or High. Alternatively, you can leave this field as Undefined. |
| Analysis Status | (Optional) Indicates the current stage of analysis of the event. You can choose between Initial, Ongoing, or Completed. |
| Published | Select this checkbox to publish the event in MISP. |
The JSON output contains the details of the newly added event.
The output contains the following populated JSON schema:
```json
{
  "Event": {
    "id": "",
    "orgc_id": "",
    "org_id": "",
    "date": "",
    "threat_level_id": "",
    "info": "",
    "published": "",
    "uuid": "",
    "attribute_count": "",
    "analysis": "",
    "timestamp": "",
    "distribution": "",
    "proposal_email_lock": "",
    "locked": "",
    "publish_timestamp": "",
    "sharing_group_id": "",
    "disable_correlation": "",
    "extends_uuid": "",
    "event_creator_email": "",
    "Org": {
      "id": "",
      "name": "",
      "uuid": "",
      "local": ""
    },
    "Orgc": {
      "id": "",
      "name": "",
      "uuid": "",
      "local": ""
    },
    "Attribute": [],
    "ShadowAttribute": [],
    "RelatedEvent": [],
    "Galaxy": [],
    "Object": []
  }
}
```
Input parameters for the Add Attributes to Event operation:
| Parameter | Description |
|---|---|
| Event ID | ID of the MISP event to which you want to add attributes. |
| Category | Category of the attribute that you want to add to the specific event in MISP. You can choose from options such as Internal reference, Network activity, Financial fraud, etc. |
| Attribute Type | Type of attribute that you want to add to the specific event in MISP. |
| Attribute Value | Value of the attribute that you want to add to the specific event in MISP. |
| Attribute Distribution | (Optional) Setting that controls who can view this attribute once it is published. By default, "Inherit Event" is set, which means that this field inherits the distribution that is set on its parent event. You can choose between Your organization only, This community only, Connected communities, All communities, or Inherit Event. |
| Use Attribute as an IDS Signature | Select this checkbox if you want to add attributes for an Intrusion Detection System (IDS); this sets the to_ids flag to True in MISP. |
| Comment | (Optional) Comments that you want to add for the attributes. Comments are used for informational purposes only and not for correlation. |
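The Add Event and Add Attributes to Event inputs above map onto MISP's numeric distribution, threat level and analysis codes. The following is an added example (not the connector's own code) that assembles and validates both request bodies from those inputs; the function names, the yyyy/mm/dd date check and the rejection of "Inherit Event" at event level are this example's assumptions, while the numeric codes are MISP's standard API values.

```python
from datetime import date, datetime

# MISP's numeric codes for the choices the connector exposes (standard MISP API
# values; the mapping tables themselves are this example's, not the connector's).
DISTRIBUTION = {
    "Your organization only": 0,
    "This community only": 1,
    "Connected communities": 2,
    "All communities": 3,
    "Inherit Event": 5,  # attributes only: inherit the parent event's distribution
}
THREAT_LEVEL = {"High": 1, "Medium": 2, "Low": 3, "Undefined": 4}
ANALYSIS = {"Initial": 0, "Ongoing": 1, "Completed": 2}


def _code(table, choice, field):
    """Map a UI choice to its MISP code, rejecting anything outside the allowed set."""
    try:
        return table[choice]
    except KeyError:
        raise ValueError(f"{field}: unknown choice {choice!r}") from None


def build_event(info, event_date=None, distribution="Your organization only",
                threat_level="Undefined", analysis="Initial", published=False):
    """Assemble an Add Event body from the connector's input parameters."""
    if not info or not info.strip():
        raise ValueError("Event Information is required")
    if event_date is None:
        event_date = date.today().strftime("%Y/%m/%d")
    try:
        datetime.strptime(event_date, "%Y/%m/%d")  # page requires yyyy/mm/dd
    except (TypeError, ValueError):
        raise ValueError("Date must be a valid date in yyyy/mm/dd format") from None
    if distribution == "Inherit Event":
        raise ValueError("Inherit Event is an attribute-level choice, not an event one")
    return {
        "info": info.strip(),
        "date": event_date,
        "distribution": _code(DISTRIBUTION, distribution, "Distribution"),
        "threat_level_id": _code(THREAT_LEVEL, threat_level, "Threat Level"),
        "analysis": _code(ANALYSIS, analysis, "Analysis Status"),
        "published": bool(published),
    }


def build_attribute(event_id, category, attr_type, value,
                    distribution="Inherit Event", to_ids=False, comment=""):
    """Assemble an Add Attributes to Event body; to_ids marks the value for IDS export."""
    if not str(event_id).strip():
        raise ValueError("Event ID is required")
    if not value or not str(value).strip():
        raise ValueError("Attribute Value is required")
    return {
        "event_id": str(event_id),
        "category": category,
        "type": attr_type,
        "value": str(value).strip(),
        "distribution": _code(DISTRIBUTION, distribution, "Attribute Distribution"),
        "to_ids": bool(to_ids),
        "comment": comment,  # informational only; MISP does not correlate on it
    }
```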
The JSON output contains the details of the attributes added to the event based on the Event ID you have specified.
The output contains the following populated JSON schema:
```json
{
  "Attribute": {
    "id": "",
    "event_id": "",
    "object_id": "",
    "object_relation": "",
    "category": "",
    "type": "",
    "value1": "",
    "value2": "",
    "to_ids": "",
    "uuid": "",
    "timestamp": "",
    "distribution": "",
    "sharing_group_id": "",
    "comment": "",
    "deleted": "",
    "disable_correlation": "",
    "first_seen": "",
    "last_seen": "",
    "value": ""
  },
  "AttributeTag": []
}
```
Input parameters for the Get Event operation:
| Parameter | Description |
|---|---|
| Event ID | ID of the event whose information you want to retrieve from MISP. |
The JSON output contains the details of the event based on the Event ID you have specified.
The output contains the following populated JSON schema:
```json
{
  "Event": {
    "id": "",
    "orgc_id": "",
    "org_id": "",
    "date": "",
    "threat_level_id": "",
    "info": "",
    "published": "",
    "uuid": "",
    "attribute_count": "",
    "analysis": "",
    "timestamp": "",
    "distribution": "",
    "proposal_email_lock": "",
    "locked": "",
    "publish_timestamp": "",
    "sharing_group_id": "",
    "disable_correlation": "",
    "extends_uuid": "",
    "event_creator_email": "",
    "Org": {
      "id": "",
      "name": "",
      "uuid": "",
      "local": ""
    },
    "Orgc": {
      "id": "",
      "name": "",
      "uuid": "",
      "local": ""
    },
    "Attribute": [
      {
        "id": "",
        "type": "",
        "category": "",
        "to_ids": "",
        "uuid": "",
        "event_id": "",
        "distribution": "",
        "timestamp": "",
        "comment": "",
        "sharing_group_id": "",
        "deleted": "",
        "disable_correlation": "",
        "object_id": "",
        "object_relation": "",
        "first_seen": "",
        "last_seen": "",
        "value": "",
        "Galaxy": [],
        "ShadowAttribute": []
      }
    ],
    "ShadowAttribute": [],
    "RelatedEvent": [],
    "Galaxy": [],
    "Object": []
  }
}
```
Input parameters for the Run Search operation:
| Parameter | Description |
|---|---|
| Controller | Specifies whether you want to search for Attributes or Events in MISP. |
| Filters | (Optional) Filters based on which you want to search for attributes or events in MISP. This parameter takes its input in dict format, as key and value pairs. For example, `{"values": "8.8.8.8", "not_values": "google.com"}` |
The JSON output contains details of the event(s) or attribute(s) that match the query you have specified.
The output contains the following populated JSON schema:
When Controller is set to Events:
```json
{
  "response": [
    {
      "Event": {
        "id": "",
        "orgc_id": "",
        "org_id": "",
        "date": "",
        "threat_level_id": "",
        "info": "",
        "published": "",
        "uuid": "",
        "attribute_count": "",
        "analysis": "",
        "timestamp": "",
        "distribution": "",
        "proposal_email_lock": "",
        "locked": "",
        "publish_timestamp": "",
        "sharing_group_id": "",
        "disable_correlation": "",
        "extends_uuid": "",
        "event_creator_email": "",
        "Org": {
          "id": "",
          "name": "",
          "uuid": "",
          "local": ""
        },
        "Orgc": {
          "id": "",
          "name": "",
          "uuid": "",
          "local": ""
        },
        "Attribute": [],
        "ShadowAttribute": [],
        "RelatedEvent": [],
        "Galaxy": [],
        "Object": []
      }
    }
  ]
}
```
When Controller is set to Attributes:
```json
{
  "response": {
    "Attribute": [
      {
        "id": "",
        "event_id": "",
        "object_id": "",
        "object_relation": "",
        "category": "",
        "type": "",
        "to_ids": "",
        "uuid": "",
        "timestamp": "",
        "distribution": "",
        "sharing_group_id": "",
        "comment": "",
        "deleted": "",
        "disable_correlation": "",
        "first_seen": "",
        "last_seen": "",
        "value": "",
        "Event": {
          "org_id": "",
          "distribution": "",
          "id": "",
          "info": "",
          "orgc_id": "",
          "uuid": ""
        }
      }
    ]
  }
}
```
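The Run Search output has two shapes, depending on the Controller, and a playbook that feeds results to a detection tool has to handle both and honour the to_ids and deleted flags. The following is an added example (not the connector's code) that builds the Filters dict from the page's example keys and then extracts IDS-ready indicators from either output shape; the sample outputs are constructed and the function names are this example's.

```python
import json

# Constructed samples of the two Run Search output shapes (not real MISP data).
EVENT_SEARCH_OUTPUT = json.loads("""
{"response": [{"Event": {"id": "42", "info": "Constructed sample event",
   "published": "1", "threat_level_id": "2", "distribution": "1",
   "Attribute": [
     {"id": "7", "type": "ip-dst", "category": "Network activity", "to_ids": true,
      "value": "203.0.113.10", "event_id": "42", "deleted": false},
     {"id": "8", "type": "comment", "category": "Other", "to_ids": false,
      "value": "analyst note", "event_id": "42", "deleted": false}
   ]}}]}
""")
ATTRIBUTE_SEARCH_OUTPUT = json.loads("""
{"response": {"Attribute": [
   {"id": "9", "type": "domain", "category": "Network activity", "to_ids": "1",
    "value": "example.invalid", "event_id": "43", "deleted": "0",
    "Event": {"id": "43", "info": "Constructed sample", "distribution": "0"}},
   {"id": "10", "type": "domain", "category": "Network activity", "to_ids": "1",
    "value": "old.example.invalid", "event_id": "43", "deleted": "1",
    "Event": {"id": "43", "info": "Constructed sample", "distribution": "0"}}
 ]}}
""")


def search_filters(values=None, not_values=None):
    """Build the Filters dict using the keys shown in the page's example."""
    filters = {}
    if values:
        filters["values"] = values
    if not_values:
        filters["not_values"] = not_values
    return filters


def _truthy(flag):
    """MISP emits flags as booleans or as "0"/"1" strings; treat both alike."""
    return str(flag).lower() in ("1", "true")


def iter_attributes(output):
    """Yield (attribute, event_id) pairs from either Run Search output shape."""
    resp = output.get("response")
    if isinstance(resp, list):          # Controller = Events: list of {"Event": ...}
        for item in resp:
            event = item.get("Event", {})
            for attr in event.get("Attribute", []):
                yield attr, event.get("id")
    elif isinstance(resp, dict):        # Controller = Attributes: {"Attribute": [...]}
        for attr in resp.get("Attribute", []):
            yield attr, attr.get("event_id") or attr.get("Event", {}).get("id")


def detection_indicators(output):
    """Return (type, value, event_id) for attributes flagged to_ids and not deleted."""
    return [
        (attr["type"], attr["value"], event_id)
        for attr, event_id in iter_attributes(output)
        if _truthy(attr.get("to_ids")) and not _truthy(attr.get("deleted"))
    ]
```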
Input parameters for the Delete Event operation:
| Parameter | Description |
|---|---|
| Event ID | ID of the event that you want to delete from MISP. |
The JSON output contains a status message specifying whether or not the event you have specified is deleted.
The output contains the following populated JSON schema:
```json
{
  "saved": "",
  "success": "",
  "name": "",
  "message": "",
  "url": ""
}
```
Input parameters for the Delete Attribute from Event operation:
| Parameter | Description |
|---|---|
| Attribute ID | ID of the attribute that you want to delete from MISP. |
The JSON output contains a status message specifying whether or not the attribute you have specified is deleted.
The output contains the following populated JSON schema:
```json
{
  "message": ""
}
```
Input parameters for the List All Tags operation: None.
The output contains the following populated JSON schema:
```json
{
  "Tag": [
    {
      "id": "",
      "name": "",
      "colour": "",
      "exportable": "",
      "org_id": "",
      "user_id": "",
      "hide_tag": "",
      "numerical_value": "",
      "count": "",
      "attribute_count": "",
      "favourite": ""
    }
  ]
}
```
Input parameters for the Add Tag operation:
| Parameter | Description |
|---|---|
| Tag Name | Name of the tag you want to create in MISP. |
| Exportable | Select this checkbox if you want to create an exportable tag in MISP. |
| Hide Tag | Select this checkbox if you want to hide the created tag in MISP. |
| Organisation ID | ID of the organization that you want to associate with the tag you are creating in MISP. |
| User ID | ID of the user that you want to associate with the tag you are creating in MISP. |
The output contains the following populated JSON schema:
```json
{
  "Tag": {
    "id": "",
    "name": "",
    "colour": "",
    "exportable": "",
    "org_id": "",
    "user_id": "",
    "hide_tag": "",
    "numerical_value": ""
  }
}
```
Input parameters for the Add Tag to Event operation:
| Parameter | Description |
|---|---|
| Event ID | ID of the MISP event to which you want to add the specified tag. |
| Tag | Tag that you want to add to the specified event in MISP. |
The output contains the following populated JSON schema:
```json
{
  "saved": "",
  "success": "",
  "check_publish": ""
}
```
Input parameters for the Remove Tag from Event operation:
| Parameter | Description |
|---|---|
| Event ID | ID of the MISP event from which you want to remove the specified tag. |
| Tag | Tag that you want to remove from the specified event in MISP. |
The output contains the following populated JSON schema:
```json
{
  "saved": "",
  "success": "",
  "check_publish": ""
}
```
The Sample-MISP-2.0.0 playbook collection comes bundled with the MISP connector. This collection contains playbooks with steps that perform every supported action. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the MISP connector.
Note: If you are planning to use any of the sample playbooks in your environment, clone those playbooks and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.