The Malware Information Sharing Platform (MISP) tool facilitates the exchange of Indicators of Compromise (IOCs) about targeted malware and attacks, within your community of trusted members. MISP is a distributed IOC database containing technical and non-technical information. Exchanging such information results in faster detection of targeted attacks, improve the detection ratio, and reduce the number of false positives.
This document provides information about the MISP connector, which facilitates automated interactions, with a MISP server using FortiSOAR™ playbooks. Add the MISP connector as a step in FortiSOAR™ playbooks and perform automated operations, such as creating an event in MISP and adding attributes in MISP.
Connector Version: 2.2.0
FortiSOAR™ Version Tested on: 7.6.0-5012
MISP Version Tested On: v2.4.158
Authored By: Fortinet
Certified: Yes
The following enhancements have been made to the MISP Connector in version 2.2.0:
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command as a root user to install the connector:
yum install cyops-connector-misp
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the MISP connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
| Parameter | Description |
|---|---|
| Server Name | Hostname or IP address of the MISP server to connect and perform automated operations. |
| API Key | API key that is configured for your account for using the MISP server. |
| Verify SSL | Specifies whether the SSL certificate for the server is to be verified. By default, this option is set to True. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations:
| Function | Description | Annotation and Category |
|---|---|---|
| Add Event | Creates an event and adds the new event in MISP based on the event information and other input parameters you have specified. | create_event Investigation |
| Add Attributes to Event | Adds specified attributes to an existing MISP event based on the event ID, attribute type and value, and other input parameters you have specified. . | add_attributes_to_event Investigation |
| Get Event | Retrieves information about an event from MISP based on the event ID that you have specified. | get_event Investigation |
| Run Search | Searches for events or attributes in MISP based on the input parameters that you have specified. | run_search Investigation |
| Delete Event | Deletes an event from MISP based on the event ID that you have specified. | delete_event Investigation |
| Delete Attribute from Event | Deletes an attribute from a MISP event based on the attribute ID that you have specified. | update_event Investigation |
| List All Tags | Retrieves a list of all existing tags from MISP. | get_tags Investigation |
| Add Tag | Adds a tag in MISP based on the tag name and other input parameters that you have specified. | add_tag Investigation |
| Add Tag to Event | Adds a tag to an existing event in MISP based on the tag and event ID that you have specified. | add_tag_to_event Investigation |
| Remove Tag from Event | Deletes the specified tag from an existing event in MISP based on the tag and event ID that you have specified. | remove_tag_from_event Investigation |
| Get Organizations | Retrieves a list of all available organizations from MISP. | get_organisations Investigation |
| Get Users | Retrieves a list of all available users from MISP. | get_users Investigation |
| Search Events | Retrieves information about events from MISP based on the filter you have specified. | get_events Investigation |
| Execute an API Request | Execute any MISP REST API using the specified API method, endpoint, and payload as input parameters. | generic_rest_api_call Investigation |
| Parameter | Description |
|---|---|
| Event Information | Brief description of the malware or event you are creating, including the internal reference for the event. You can add a detailed description of the event by adding attributes to the event after the event is created. |
| Date | (Optional) Date on which you want to create the event in MISP. The date must be in the yyyy/mm/dd format. |
| Distribution | (Optional) Setting that controls on who can view this event once it is published and eventually when it gets pulled. Apart from being able to set which users on this server are allowed to see the event, this also controls whether or not the event will be synchronized to other servers. You can choose between Your organization only, This community only, Connected communities, or All communities. |
| Threat Level | (Optional) Indicates the risk level of the event. You can categorize events into different threat categories, which are Low, Medium, or High. You can also alternatively leave this field as Undefined. |
| Analysis Status | (Optional) Indicates the current stage of analysis of the event. You can choose between Initial, Ongoing, or Completed. |
| Published | Select this checkbox to publish the event in MISP. |
| Extends Event | Specify the ID or UUID of the event that is being extended by the event being added. |
| Additional Attributes | Specify additional attributes, in JSON format, to associate with the event being added. |
The output contains the following populated JSON schema:
{
"Event": {
"id": "",
"orgc_id": "",
"org_id": "",
"date": "",
"threat_level_id": "",
"CryptographicKey": [],
"info": "",
"published": "",
"uuid": "",
"attribute_count": "",
"analysis": "",
"protected": "",
"timestamp": "",
"EventReport": [],
"distribution": "",
"proposal_email_lock": "",
"locked": "",
"publish_timestamp": "",
"sharing_group_id": "",
"disable_correlation": "",
"extends_uuid": "",
"event_creator_email": "",
"Org": {
"id": "",
"name": "",
"uuid": "",
"local": ""
},
"Orgc": {
"id": "",
"name": "",
"uuid": "",
"local": ""
},
"Attribute": [],
"ShadowAttribute": [],
"RelatedEvent": [],
"Galaxy": [],
"Object": []
}
}
| Parameter | Description |
|---|---|
| Event ID | ID of the event whose information you want to retrieve from MISP. |
The JSON output contains the details of the event based on the Event ID you have specified.
The output contains the following populated JSON schema:
{
"Event": {
"id": "",
"orgc_id": "",
"org_id": "",
"date": "",
"threat_level_id": "",
"info": "",
"published": "",
"uuid": "",
"attribute_count": "",
"analysis": "",
"timestamp": "",
"distribution": "",
"proposal_email_lock": "",
"locked": "",
"publish_timestamp": "",
"sharing_group_id": "",
"disable_correlation": "",
"extends_uuid": "",
"CryptographicKey": [],
"EventReport": [],
"protected": "",
"RelatedEvent": [
{
"Event": {
"id": "",
"date": "",
"threat_level_id": "3",
"info": "",
"published": "",
"uuid": "",
"analysis": "",
"timestamp": "",
"distribution": "",
"org_id": "",
"orgc_id": "",
"Org": {
"id": "",
"name": "",
"uuid": ""
},
"Orgc": {
"id": "",
"name": "",
"uuid": ""
}
}
}
],
"Tag": [
{
"colour": "",
"exportable": "",
"hide_tag": "",
"id": "",
"is_custom_galaxy": "",
"is_galaxy": "",
"local": "",
"local_only": "",
"name": "",
"numerical_value": "",
"user_id": ""
}
],
"Org": {
"id": "",
"name": "",
"uuid": "",
"local": ""
},
"Orgc": {
"id": "",
"name": "",
"uuid": "",
"local": ""
},
"Attribute": [
{
"id": "",
"type": "",
"category": "",
"to_ids": "",
"uuid": "",
"event_id": "",
"distribution": "",
"timestamp": "",
"comment": "",
"sharing_group_id": "",
"deleted": "",
"disable_correlation": "",
"object_id": "",
"object_relation": "",
"first_seen": "",
"last_seen": "",
"value": "",
"Galaxy": [],
"ShadowAttribute": []
}
],
"ShadowAttribute": [],
"Galaxy": [],
"Object": []
}
}
| Parameter | Description |
|---|---|
| Event ID | ID of the MISP event to which you want to add attributes. |
| Category | Category of the attribute that you want to add to the specific event in MISP. You can choose from options such as Internal reference, Network activity, Financial fraud, etc. |
| Attribute Type | Type of attribute that you want to add to the specific event in MISP. |
| Attribute Value | Value of the attribute that you want to add to the specific event in MISP. |
| Attribute Distribution | (Optional)Setting controls on who can view this attribute once it is published. By default, "Inherit Event" is set, which means that this field inherits the distribution that is set on its parent event. You can choose between Your organization only, This community only, Connected communities, or All communities or Inherit Event. |
| Use Attribute as an IDS Signature | Select this checkbox if you want to add attributes for the Intrusion Detection System (IDS) and this sets the to_IDS flag to True in MISP. |
| Comment | (Optional) Comments that you want to add for the attributes. Comments are used for informational purposes only and not for correlations. |
The JSON output contains the details of the attributes added to the event based on the Event ID you have specified.
The output contains the following populated JSON schema:
{
"Attribute": {
"id": "",
"event_id": "",
"object_id": "",
"object_relation": "",
"category": "",
"type": "",
"value1": "",
"value2": "",
"to_ids": "",
"uuid": "",
"timestamp": "",
"distribution": "",
"sharing_group_id": "",
"comment": "",
"deleted": "",
"disable_correlation": "",
"first_seen": "",
"last_seen": "",
"value": ""
},
"AttributeTag": []
}
| Parameter | Description |
|---|---|
| Event ID | ID of the event that you want to delete from MISP. |
The output contains the following populated JSON schema:
{
"saved": "",
"success": "",
"name": "",
"message": "",
"url": ""
}
| Parameter | Description |
|---|---|
| Attribute ID | ID of the attribute that you want to delete from MISP. |
The output contains the following populated JSON schema:
{
"message": ""
}
| Parameter | Description |
|---|---|
| Controller | Specifies whether you want to search for Attributes or Events in MISP. |
| Search Type | Select the type of search to perform. You can select from the following options:
|
The output contains the following populated JSON schema:
Output schema when you choose Controller as Events:
{
"response": [
{
"Event": {
"id": "",
"orgc_id": "",
"org_id": "",
"date": "",
"threat_level_id": "",
"info": "",
"published": "",
"uuid": "",
"attribute_count": "",
"analysis": "",
"timestamp": "",
"distribution": "",
"proposal_email_lock": "",
"locked": "",
"publish_timestamp": "",
"sharing_group_id": "",
"disable_correlation": "",
"extends_uuid": "",
"CryptographicKey": [],
"EventReport": [],
"protected": "",
"RelatedEvent": [
{
"Event": {
"id": "",
"date": "",
"threat_level_id": "3",
"info": "",
"published": "",
"uuid": "",
"analysis": "",
"timestamp": "",
"distribution": "",
"org_id": "",
"orgc_id": "",
"Org": {
"id": "",
"name": "",
"uuid": ""
},
"Orgc": {
"id": "",
"name": "",
"uuid": ""
}
}
}
],
"Tag": [
{
"colour": "",
"exportable": "",
"hide_tag": "",
"id": "",
"is_custom_galaxy": "",
"is_galaxy": "",
"local": "",
"local_only": "",
"name": "",
"numerical_value": "",
"user_id": ""
}
],
"Org": {
"id": "",
"name": "",
"uuid": "",
"local": ""
},
"Orgc": {
"id": "",
"name": "",
"uuid": "",
"local": ""
},
"Attribute": [
{
"id": "",
"type": "",
"category": "",
"to_ids": "",
"uuid": "",
"event_id": "",
"distribution": "",
"timestamp": "",
"comment": "",
"sharing_group_id": "",
"deleted": "",
"disable_correlation": "",
"object_id": "",
"object_relation": "",
"first_seen": "",
"last_seen": "",
"value": "",
"Galaxy": [],
"ShadowAttribute": []
}
],
"ShadowAttribute": [],
"Galaxy": [],
"Object": []
}
}
]
}
Output schema when you choose Controller as Attributes:
{
"response": {
"Attribute": [
{
"id": "",
"event_id": "",
"object_id": "",
"object_relation": "",
"category": "",
"type": "",
"to_ids": "",
"uuid": "",
"timestamp": "",
"distribution": "",
"sharing_group_id": "",
"comment": "",
"deleted": "",
"disable_correlation": "",
"first_seen": "",
"last_seen": "",
"value": "",
"Event": {
"org_id": "",
"distribution": "",
"id": "",
"info": "",
"orgc_id": "",
"uuid": ""
}
}
]
}
}
| Parameter | Description |
|---|---|
| Tag Name | Name of the tag you want to create in MISP. |
| Color | Specify the hex color code (with a #) to associate with the tag being added. For example: #ff5733. |
| Exportable | Select this checkbox if you want to create an exportable tag in MISP. |
| Hide Tag | Select this checkbox if you want to hide the created tag in MISP. |
| Organization ID | ID of the organization that you want to add to the tag that you are creating in MISP. |
| User ID | ID of the user that you want to add to the tag that you are creating in MISP. |
The output contains the following populated JSON schema:
{
"Tag": {
"colour": "",
"exportable": "",
"hide_tag": "",
"id": "",
"is_custom_galaxy": "",
"is_galaxy": "",
"local_only": "",
"name": "",
"numerical_value": "",
"org_id": "",
"user_id": ""
}
}
None.
The output contains the following populated JSON schema:
{
"Tag": [
{
"attribute_count": "",
"colour": "",
"count": "",
"exportable": "",
"favourite": "",
"hide_tag": "",
"id": "",
"is_custom_galaxy": "",
"is_galaxy": "",
"local_only": "",
"name": "",
"numerical_value": "",
"org_id": "",
"user_id": ""
}
]
}
| Parameter | Description |
|---|---|
| Event ID | ID of the MISP event to which you want to add the specified tag. |
| Tag | Tag that you want to add to the specified event in MISP. |
The output contains the following populated JSON schema:
{
"saved": "",
"success": "",
"check_publish": ""
}
| Parameter | Description |
|---|---|
| Event ID | ID of the MISP event from which you want to remove the specified tag. |
| Tag | Tag that you want to remove from the specified event in MISP. |
The output contains the following populated JSON schema:
{
"saved": "",
"success": "",
"check_publish": ""
}
None.
The output contains the following populated JSON schema:
[
{
"Organisation": {
"id": "",
"name": "",
"date_created": "",
"date_modified": "",
"description": "",
"type": "",
"nationality": "",
"sector": "",
"created_by": "",
"uuid": "",
"contacts": "",
"local": "",
"restricted_to_domain": [],
"landingpage": "",
"user_count": "",
"created_by_email": ""
}
}
]
None.
The output contains the following populated JSON schema:
[
{
"User": {
"id": "",
"org_id": "",
"server_id": "",
"email": "",
"autoalert": "",
"authkey": "",
"invited_by": "",
"gpgkey": "",
"certif_public": "",
"nids_sid": "",
"termsaccepted": "",
"newsread": "",
"role_id": "",
"change_pw": "",
"contactalert": "",
"disabled": "",
"expiration": "",
"current_login": "",
"last_login": "",
"force_logout": "",
"date_created": "",
"date_modified": ""
},
"Role": {
"id": "",
"name": "",
"perm_add": "",
"perm_modify": "",
"perm_modify_org": "",
"perm_publish": "",
"perm_delegate": "",
"perm_sync": "",
"perm_admin": "",
"perm_audit": "",
"perm_auth": "",
"perm_site_admin": "",
"perm_regexp_access": "",
"perm_tagger": "",
"perm_template": "",
"perm_sharing_group": "",
"perm_tag_editor": "",
"perm_sighting": "",
"perm_object_template": "",
"perm_publish_zmq": "",
"perm_publish_kafka": "",
"perm_decaying": "",
"perm_galaxy_editor": "",
"default_role": "",
"memory_limit": "",
"max_execution_time": "",
"restricted_to_site_admin": "",
"enforce_rate_limit": "",
"rate_limit_count": "",
"permission": "",
"permission_description": ""
},
"Organisation": {
"id": "",
"name": ""
}
}
]
| Parameter | Description |
|---|---|
| Search JSON Body | Specify a JSON body for searching the event index. Refer to MISP API Documentation available at https://www.misp-project.org/openapi/#tag/Events/operation/searchEvents. |
The output contains the following populated JSON schema:
[
{
"id": "",
"Org": {
"id": "",
"name": "",
"uuid": ""
},
"Orgc": {
"id": "",
"name": "",
"uuid": ""
},
"date": "",
"info": "",
"uuid": "",
"locked": "",
"org_id": "",
"orgc_id": "",
"EventTag": [
{
"id": "",
"Tag": {
"id": "",
"name": "",
"colour": "",
"is_galaxy": ""
},
"local": "",
"tag_id": "",
"event_id": ""
}
],
"analysis": "",
"protected": "",
"published": "",
"timestamp": "",
"distribution": "",
"extends_uuid": "",
"attribute_count": "",
"threat_level_id": "",
"sharing_group_id": "",
"publish_timestamp": "",
"sighting_timestamp": "",
"disable_correlation": "",
"proposal_email_lock": ""
}
]
| Parameter | Description |
|---|---|
| HTTP Method | Select an HTTP action for the request. You can select from the following options:
|
| Endpoint | Specify the REST API endpoint for the action to perform. |
| query_params | (Optional) Specify any optional parameters query parameters in JSON format. |
| Payload | (Optional) Specify the payload to be passed in JSON format. |
The output contains a non-dictionary value.
The Sample - MISP - 2.2.0 playbook collection comes bundled with the MISP connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the MISP connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during the connector upgrade and delete.
The Sample - MISP - 2.2.0 playbook collection contains pluggable enrichment playbooks that are used to provide verdicts for indicator types IP Address, File Hash, URL, and Domain. The pluggable enrichment playbooks are in the format: indicatorType > MISP > Enrichment. For example, File Hash / Domain / IP / URL > MISP > Enrichment.
The Configuration step in all the pluggable enrichment playbooks contains variables that have default values for calculating the Verdict for various indicator types.
The MISP integration API response returns the verdict, cti_score, enrichment_summary, and other variables as listed in the following table:
| Variable Name | Description | Return Value |
|---|---|---|
verdict |
This connector returns a high-reliability value called verdict. Use this verdict to find the reputation of the various types of indicators. |
if the value in if the value in if the value in For any other value, return the verdict as No Reputation Available |
cti_name |
The name of the connector is called the CTI (Cyber Threat Intelligence) name | MISP |
cti_score |
The verdict value returned by the integration API. |
Returns the value in |
source_data |
The source_data response returned by the integration API. |
A JSON response object containing the source data of the threat intelligence integration. |
field_mapping |
The mapping of the FortiSOAR Indicator module fields with the MISP Intelligence response fields. | A JSON response object containing the field mapping of the threat intelligence integration. |
enrichment_summary |
The contents that are added, in the HTML format, in the Description field of the specified FortiSOAR indicator record. |
The following values are returned in the HTML format:
The following image displays a sample of the populated Description field in a FortiSOAR indicator record:  |
The Malware Information Sharing Platform (MISP) tool facilitates the exchange of Indicators of Compromise (IOCs) about targeted malware and attacks, within your community of trusted members. MISP is a distributed IOC database containing technical and non-technical information. Exchanging such information results in faster detection of targeted attacks, improve the detection ratio, and reduce the number of false positives.
This document provides information about the MISP connector, which facilitates automated interactions, with a MISP server using FortiSOAR™ playbooks. Add the MISP connector as a step in FortiSOAR™ playbooks and perform automated operations, such as creating an event in MISP and adding attributes in MISP.
Connector Version: 2.2.0
FortiSOAR™ Version Tested on: 7.6.0-5012
MISP Version Tested On: v2.4.158
Authored By: Fortinet
Certified: Yes
The following enhancements have been made to the MISP Connector in version 2.2.0:
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command as a root user to install the connector:
yum install cyops-connector-misp
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the MISP connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
| Parameter | Description |
|---|---|
| Server Name | Hostname or IP address of the MISP server to connect and perform automated operations. |
| API Key | API key that is configured for your account for using the MISP server. |
| Verify SSL | Specifies whether the SSL certificate for the server is to be verified. By default, this option is set to True. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations:
| Function | Description | Annotation and Category |
|---|---|---|
| Add Event | Creates an event and adds the new event in MISP based on the event information and other input parameters you have specified. | create_event Investigation |
| Add Attributes to Event | Adds specified attributes to an existing MISP event based on the event ID, attribute type and value, and other input parameters you have specified. . | add_attributes_to_event Investigation |
| Get Event | Retrieves information about an event from MISP based on the event ID that you have specified. | get_event Investigation |
| Run Search | Searches for events or attributes in MISP based on the input parameters that you have specified. | run_search Investigation |
| Delete Event | Deletes an event from MISP based on the event ID that you have specified. | delete_event Investigation |
| Delete Attribute from Event | Deletes an attribute from a MISP event based on the attribute ID that you have specified. | update_event Investigation |
| List All Tags | Retrieves a list of all existing tags from MISP. | get_tags Investigation |
| Add Tag | Adds a tag in MISP based on the tag name and other input parameters that you have specified. | add_tag Investigation |
| Add Tag to Event | Adds a tag to an existing event in MISP based on the tag and event ID that you have specified. | add_tag_to_event Investigation |
| Remove Tag from Event | Deletes the specified tag from an existing event in MISP based on the tag and event ID that you have specified. | remove_tag_from_event Investigation |
| Get Organizations | Retrieves a list of all available organizations from MISP. | get_organisations Investigation |
| Get Users | Retrieves a list of all available users from MISP. | get_users Investigation |
| Search Events | Retrieves information about events from MISP based on the filter you have specified. | get_events Investigation |
| Execute an API Request | Execute any MISP REST API using the specified API method, endpoint, and payload as input parameters. | generic_rest_api_call Investigation |
| Parameter | Description |
|---|---|
| Event Information | Brief description of the malware or event you are creating, including the internal reference for the event. You can add a detailed description of the event by adding attributes to the event after the event is created. |
| Date | (Optional) Date on which you want to create the event in MISP. The date must be in the yyyy/mm/dd format. |
| Distribution | (Optional) Setting that controls on who can view this event once it is published and eventually when it gets pulled. Apart from being able to set which users on this server are allowed to see the event, this also controls whether or not the event will be synchronized to other servers. You can choose between Your organization only, This community only, Connected communities, or All communities. |
| Threat Level | (Optional) Indicates the risk level of the event. You can categorize events into different threat categories, which are Low, Medium, or High. You can also alternatively leave this field as Undefined. |
| Analysis Status | (Optional) Indicates the current stage of analysis of the event. You can choose between Initial, Ongoing, or Completed. |
| Published | Select this checkbox to publish the event in MISP. |
| Extends Event | Specify the ID or UUID of the event that is being extended by the event being added. |
| Additional Attributes | Specify additional attributes, in JSON format, to associate with the event being added. |
The output contains the following populated JSON schema:
{
"Event": {
"id": "",
"orgc_id": "",
"org_id": "",
"date": "",
"threat_level_id": "",
"CryptographicKey": [],
"info": "",
"published": "",
"uuid": "",
"attribute_count": "",
"analysis": "",
"protected": "",
"timestamp": "",
"EventReport": [],
"distribution": "",
"proposal_email_lock": "",
"locked": "",
"publish_timestamp": "",
"sharing_group_id": "",
"disable_correlation": "",
"extends_uuid": "",
"event_creator_email": "",
"Org": {
"id": "",
"name": "",
"uuid": "",
"local": ""
},
"Orgc": {
"id": "",
"name": "",
"uuid": "",
"local": ""
},
"Attribute": [],
"ShadowAttribute": [],
"RelatedEvent": [],
"Galaxy": [],
"Object": []
}
}
| Parameter | Description |
|---|---|
| Event ID | ID of the event whose information you want to retrieve from MISP. |
The JSON output contains the details of the event based on the Event ID you have specified.
The output contains the following populated JSON schema:
{
"Event": {
"id": "",
"orgc_id": "",
"org_id": "",
"date": "",
"threat_level_id": "",
"info": "",
"published": "",
"uuid": "",
"attribute_count": "",
"analysis": "",
"timestamp": "",
"distribution": "",
"proposal_email_lock": "",
"locked": "",
"publish_timestamp": "",
"sharing_group_id": "",
"disable_correlation": "",
"extends_uuid": "",
"CryptographicKey": [],
"EventReport": [],
"protected": "",
"RelatedEvent": [
{
"Event": {
"id": "",
"date": "",
"threat_level_id": "3",
"info": "",
"published": "",
"uuid": "",
"analysis": "",
"timestamp": "",
"distribution": "",
"org_id": "",
"orgc_id": "",
"Org": {
"id": "",
"name": "",
"uuid": ""
},
"Orgc": {
"id": "",
"name": "",
"uuid": ""
}
}
}
],
"Tag": [
{
"colour": "",
"exportable": "",
"hide_tag": "",
"id": "",
"is_custom_galaxy": "",
"is_galaxy": "",
"local": "",
"local_only": "",
"name": "",
"numerical_value": "",
"user_id": ""
}
],
"Org": {
"id": "",
"name": "",
"uuid": "",
"local": ""
},
"Orgc": {
"id": "",
"name": "",
"uuid": "",
"local": ""
},
"Attribute": [
{
"id": "",
"type": "",
"category": "",
"to_ids": "",
"uuid": "",
"event_id": "",
"distribution": "",
"timestamp": "",
"comment": "",
"sharing_group_id": "",
"deleted": "",
"disable_correlation": "",
"object_id": "",
"object_relation": "",
"first_seen": "",
"last_seen": "",
"value": "",
"Galaxy": [],
"ShadowAttribute": []
}
],
"ShadowAttribute": [],
"Galaxy": [],
"Object": []
}
}
| Parameter | Description |
|---|---|
| Event ID | ID of the MISP event to which you want to add attributes. |
| Category | Category of the attribute that you want to add to the specific event in MISP. You can choose from options such as Internal reference, Network activity, Financial fraud, etc. |
| Attribute Type | Type of attribute that you want to add to the specific event in MISP. |
| Attribute Value | Value of the attribute that you want to add to the specific event in MISP. |
| Attribute Distribution | (Optional)Setting controls on who can view this attribute once it is published. By default, "Inherit Event" is set, which means that this field inherits the distribution that is set on its parent event. You can choose between Your organization only, This community only, Connected communities, or All communities or Inherit Event. |
| Use Attribute as an IDS Signature | Select this checkbox if you want to add attributes for the Intrusion Detection System (IDS) and this sets the to_IDS flag to True in MISP. |
| Comment | (Optional) Comments that you want to add for the attributes. Comments are used for informational purposes only and not for correlations. |
The JSON output contains the details of the attributes added to the event based on the Event ID you have specified.
The output contains the following populated JSON schema:
{
"Attribute": {
"id": "",
"event_id": "",
"object_id": "",
"object_relation": "",
"category": "",
"type": "",
"value1": "",
"value2": "",
"to_ids": "",
"uuid": "",
"timestamp": "",
"distribution": "",
"sharing_group_id": "",
"comment": "",
"deleted": "",
"disable_correlation": "",
"first_seen": "",
"last_seen": "",
"value": ""
},
"AttributeTag": []
}
| Parameter | Description |
|---|---|
| Event ID | ID of the event that you want to delete from MISP. |
The output contains the following populated JSON schema:
{
"saved": "",
"success": "",
"name": "",
"message": "",
"url": ""
}
| Parameter | Description |
|---|---|
| Attribute ID | ID of the attribute that you want to delete from MISP. |
The output contains the following populated JSON schema:
{
"message": ""
}
| Parameter | Description |
|---|---|
| Controller | Specifies whether you want to search for Attributes or Events in MISP. |
| Search Type | Select the type of search to perform. You can select from the following options:
|
The output contains the following populated JSON schema:
Output schema when you choose Controller as Events:
{
"response": [
{
"Event": {
"id": "",
"orgc_id": "",
"org_id": "",
"date": "",
"threat_level_id": "",
"info": "",
"published": "",
"uuid": "",
"attribute_count": "",
"analysis": "",
"timestamp": "",
"distribution": "",
"proposal_email_lock": "",
"locked": "",
"publish_timestamp": "",
"sharing_group_id": "",
"disable_correlation": "",
"extends_uuid": "",
"CryptographicKey": [],
"EventReport": [],
"protected": "",
"RelatedEvent": [
{
"Event": {
"id": "",
"date": "",
"threat_level_id": "3",
"info": "",
"published": "",
"uuid": "",
"analysis": "",
"timestamp": "",
"distribution": "",
"org_id": "",
"orgc_id": "",
"Org": {
"id": "",
"name": "",
"uuid": ""
},
"Orgc": {
"id": "",
"name": "",
"uuid": ""
}
}
}
],
"Tag": [
{
"colour": "",
"exportable": "",
"hide_tag": "",
"id": "",
"is_custom_galaxy": "",
"is_galaxy": "",
"local": "",
"local_only": "",
"name": "",
"numerical_value": "",
"user_id": ""
}
],
"Org": {
"id": "",
"name": "",
"uuid": "",
"local": ""
},
"Orgc": {
"id": "",
"name": "",
"uuid": "",
"local": ""
},
"Attribute": [
{
"id": "",
"type": "",
"category": "",
"to_ids": "",
"uuid": "",
"event_id": "",
"distribution": "",
"timestamp": "",
"comment": "",
"sharing_group_id": "",
"deleted": "",
"disable_correlation": "",
"object_id": "",
"object_relation": "",
"first_seen": "",
"last_seen": "",
"value": "",
"Galaxy": [],
"ShadowAttribute": []
}
],
"ShadowAttribute": [],
"Galaxy": [],
"Object": []
}
}
]
}
Output schema when you choose Controller as Attributes:
{
"response": {
"Attribute": [
{
"id": "",
"event_id": "",
"object_id": "",
"object_relation": "",
"category": "",
"type": "",
"to_ids": "",
"uuid": "",
"timestamp": "",
"distribution": "",
"sharing_group_id": "",
"comment": "",
"deleted": "",
"disable_correlation": "",
"first_seen": "",
"last_seen": "",
"value": "",
"Event": {
"org_id": "",
"distribution": "",
"id": "",
"info": "",
"orgc_id": "",
"uuid": ""
}
}
]
}
}
| Parameter | Description |
|---|---|
| Tag Name | Name of the tag you want to create in MISP. |
| Color | Specify the hex color code (with a #) to associate with the tag being added. For example: #ff5733. |
| Exportable | Select this checkbox if you want to create an exportable tag in MISP. |
| Hide Tag | Select this checkbox if you want to hide the created tag in MISP. |
| Organization ID | ID of the organization that you want to add to the tag that you are creating in MISP. |
| User ID | ID of the user that you want to add to the tag that you are creating in MISP. |
The output contains the following populated JSON schema:
{
"Tag": {
"colour": "",
"exportable": "",
"hide_tag": "",
"id": "",
"is_custom_galaxy": "",
"is_galaxy": "",
"local_only": "",
"name": "",
"numerical_value": "",
"org_id": "",
"user_id": ""
}
}
None.
The output contains the following populated JSON schema:
{
"Tag": [
{
"attribute_count": "",
"colour": "",
"count": "",
"exportable": "",
"favourite": "",
"hide_tag": "",
"id": "",
"is_custom_galaxy": "",
"is_galaxy": "",
"local_only": "",
"name": "",
"numerical_value": "",
"org_id": "",
"user_id": ""
}
]
}
| Parameter | Description |
|---|---|
| Event ID | ID of the MISP event to which you want to add the specified tag. |
| Tag | Tag that you want to add to the specified event in MISP. |
The output contains the following populated JSON schema:
{
"saved": "",
"success": "",
"check_publish": ""
}
| Parameter | Description |
|---|---|
| Event ID | ID of the MISP event from which you want to remove the specified tag. |
| Tag | Tag that you want to remove from the specified event in MISP. |
The output contains the following populated JSON schema:
{
"saved": "",
"success": "",
"check_publish": ""
}
None.
The output contains the following populated JSON schema:
[
{
"Organisation": {
"id": "",
"name": "",
"date_created": "",
"date_modified": "",
"description": "",
"type": "",
"nationality": "",
"sector": "",
"created_by": "",
"uuid": "",
"contacts": "",
"local": "",
"restricted_to_domain": [],
"landingpage": "",
"user_count": "",
"created_by_email": ""
}
}
]
None.
The output contains the following populated JSON schema:
[
{
"User": {
"id": "",
"org_id": "",
"server_id": "",
"email": "",
"autoalert": "",
"authkey": "",
"invited_by": "",
"gpgkey": "",
"certif_public": "",
"nids_sid": "",
"termsaccepted": "",
"newsread": "",
"role_id": "",
"change_pw": "",
"contactalert": "",
"disabled": "",
"expiration": "",
"current_login": "",
"last_login": "",
"force_logout": "",
"date_created": "",
"date_modified": ""
},
"Role": {
"id": "",
"name": "",
"perm_add": "",
"perm_modify": "",
"perm_modify_org": "",
"perm_publish": "",
"perm_delegate": "",
"perm_sync": "",
"perm_admin": "",
"perm_audit": "",
"perm_auth": "",
"perm_site_admin": "",
"perm_regexp_access": "",
"perm_tagger": "",
"perm_template": "",
"perm_sharing_group": "",
"perm_tag_editor": "",
"perm_sighting": "",
"perm_object_template": "",
"perm_publish_zmq": "",
"perm_publish_kafka": "",
"perm_decaying": "",
"perm_galaxy_editor": "",
"default_role": "",
"memory_limit": "",
"max_execution_time": "",
"restricted_to_site_admin": "",
"enforce_rate_limit": "",
"rate_limit_count": "",
"permission": "",
"permission_description": ""
},
"Organisation": {
"id": "",
"name": ""
}
}
]
| Parameter | Description |
|---|---|
| Search JSON Body | Specify a JSON body for searching the event index. Refer to MISP API Documentation available at https://www.misp-project.org/openapi/#tag/Events/operation/searchEvents. |
The output contains the following populated JSON schema:
[
{
"id": "",
"Org": {
"id": "",
"name": "",
"uuid": ""
},
"Orgc": {
"id": "",
"name": "",
"uuid": ""
},
"date": "",
"info": "",
"uuid": "",
"locked": "",
"org_id": "",
"orgc_id": "",
"EventTag": [
{
"id": "",
"Tag": {
"id": "",
"name": "",
"colour": "",
"is_galaxy": ""
},
"local": "",
"tag_id": "",
"event_id": ""
}
],
"analysis": "",
"protected": "",
"published": "",
"timestamp": "",
"distribution": "",
"extends_uuid": "",
"attribute_count": "",
"threat_level_id": "",
"sharing_group_id": "",
"publish_timestamp": "",
"sighting_timestamp": "",
"disable_correlation": "",
"proposal_email_lock": ""
}
]
| Parameter | Description |
|---|---|
| HTTP Method | Select an HTTP action for the request. You can select from the following options:
|
| Endpoint | Specify the REST API endpoint for the action to perform. |
| query_params | (Optional) Specify any optional parameters query parameters in JSON format. |
| Payload | (Optional) Specify the payload to be passed in JSON format. |
The output contains a non-dictionary value.
The Sample - MISP - 2.2.0 playbook collection comes bundled with the MISP connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the MISP connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during the connector upgrade and delete.
The Sample - MISP - 2.2.0 playbook collection contains pluggable enrichment playbooks that are used to provide verdicts for indicator types IP Address, File Hash, URL, and Domain. The pluggable enrichment playbooks are in the format: indicatorType > MISP > Enrichment. For example, File Hash / Domain / IP / URL > MISP > Enrichment.
The Configuration step in all the pluggable enrichment playbooks contains variables that have default values for calculating the Verdict for various indicator types.
The MISP integration API response returns the verdict, cti_score, enrichment_summary, and other variables as listed in the following table:
| Variable Name | Description | Return Value |
|---|---|---|
verdict |
This connector returns a high-reliability value called verdict. Use this verdict to find the reputation of the various types of indicators. |
if the value in if the value in if the value in For any other value, return the verdict as No Reputation Available |
cti_name |
The name of the connector is called the CTI (Cyber Threat Intelligence) name | MISP |
cti_score |
The verdict value returned by the integration API. |
Returns the value in |
source_data |
The source_data response returned by the integration API. |
A JSON response object containing the source data of the threat intelligence integration. |
field_mapping |
The mapping of the FortiSOAR Indicator module fields with the MISP Intelligence response fields. | A JSON response object containing the field mapping of the threat intelligence integration. |
enrichment_summary |
The contents that are added, in the HTML format, in the Description field of the specified FortiSOAR indicator record. |
The following values are returned in the HTML format:
The following image displays a sample of the populated Description field in a FortiSOAR indicator record: |