Configure custom MISP API feed
The Malware Information Sharing Platform (MISP) API feed enables you to import events from the MISP server, along with their associated attributes and objects, into the TISC library.
Before you begin
Role required: sn_sec_tisc.admin
Procedure
- Navigate to Workspaces > Threat Intelligence Security Center > Integrations.
- Select Custom.
Note: By default, the MISP feed is inactive. You must edit the configuration to enable the feed.
- Select the Edit button on the MISP Feed card.
- Navigate to the Configuration Details section.
- Update the REST endpoint URL field.
- Add the required authentication details for the MISP server (if any).
- Navigate to Additional Settings to configure the filters to fetch the data from MISP.
The Additional Settings tab is used to set up filters that determine which MISP events are ingested.
- Select Edit Settings.
- Select the required filters.
Note: Review each option in the table to understand how the filters can be applied to optimize which MISP events are ingested into the TISC library. All the filters configured will be applied in conjunction while ingesting the events.
- Select the required values from the following available filters.
Table 1. Edit Additional Settings

| Field | Description |
| --- | --- |
| Filters on events | |
| Include unpublished events | Select this check box if you want to include unpublished events. |
| Creator org name or ID | Enter a comma-separated list of organization names and/or IDs associated with the event. Note: If the organization name contains leading or trailing spaces, enclose the name in double quotes to ensure proper processing. |
| Tag name or ID | Enter a comma-separated list of tag names and/or tag IDs associated with the event. |
| Threat level | Select a threat level to filter incoming events. Leaving this field empty includes events of all threat levels. |
| Distribution level | Select a distribution level to limit events. Leaving this field empty includes events of all distribution levels. |

Note: After you have defined the Additional Settings as explained in the previous step, you can duplicate the feed when creating another. For more information, see Step 13.
- Select Update on the Additional Settings dialog box to save the modified additional settings.
- Select Enable to enable the MISP feed for including the MISP events.
The TISC application uses the date configured in the Fetch data from field as the baseline for retrieving events and associated attributes.
The Fetch data from date determines which events and associated attributes are retrieved. TISC compares this date with specific timestamps based on the event status:
- Published events: Compared against the Published timestamp.
- Unpublished events: Compared against the Last updated timestamp.
An event is retrieved only if its relevant timestamp is later than the configured Fetch data from date.
The system uses the appropriate timestamp for each event status to retrieve newly published events and recently updated unpublished events.
- Optional: Select Duplicate to duplicate the feed.
For more information, see Duplicate threat intelligence feeds.
Note:
- Each MISP event imported into the TISC library, whether as a Threat Report or Threat Event, includes an associated External Reference record.
- This record is accessible via the Related Records tab and provides a direct URL link to the corresponding MISP event on the MISP server. This also enables quick access to the original event data.
- For details on how MISP events, along with their associated attributes and objects, are mapped to TISC entities, refer to KB2197697.
- Entity types that aren't included in the mapping described in the KB article aren't ingested into the TISC Library.
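The selection rules from the procedure (the Fetch data from comparison per event status, and the Additional Settings filters applied in conjunction), modeled as an added Python example that is not ServiceNow code. It assumes MISP event JSON field names (`published`, `publish_timestamp`, `timestamp`, `threat_level_id`, `distribution`, `Orgc`, `Tag`), that a comma-separated list passes when any entry matches, that threat and distribution levels are compared by MISP ID, and a hypothetical `cfg` layout; the sample events are constructed.

```python
import re
from datetime import datetime, timezone

def parse_list(raw):
    """Split a comma-separated filter value; double-quoted entries keep their spaces."""
    pairs = re.findall(r'"([^"]*)"|([^,"]+)', raw or "")
    return {q or b.strip() for q, b in pairs if q or b.strip()}

def relevant_ts(event):
    """Published events use publish_timestamp; unpublished use timestamp (last updated)."""
    return int(event["publish_timestamp" if event["published"] else "timestamp"])

def would_ingest(event, cfg):
    """Model of the documented rules; every configured filter must pass (AND)."""
    if not event["published"] and not cfg["include_unpublished"]:
        return False
    if relevant_ts(event) <= cfg["fetch_data_from"].timestamp():
        return False  # only events later than the Fetch data from date
    orgs, tags = parse_list(cfg["creator_orgs"]), parse_list(cfg["tags"])
    if orgs and not orgs & {event["Orgc"]["name"], event["Orgc"]["id"]}:
        return False  # assumption: any listed name or ID may match
    event_tags = {v for t in event.get("Tag", []) for v in (t["name"], t["id"])}
    if tags and not tags & event_tags:
        return False
    # Empty threat/distribution level means all levels (assumed equality match on MISP ID).
    return all(not cfg[k] or event[k] == cfg[k] for k in ("threat_level_id", "distribution"))

def _event(eid, published, pub_ts, ts, org_id, org_name, level):
    """Build a constructed sample event with MISP-style string fields."""
    return {"id": eid, "published": published, "publish_timestamp": pub_ts, "timestamp": ts,
            "threat_level_id": level, "distribution": "3",
            "Orgc": {"id": org_id, "name": org_name}, "Tag": [{"id": "12", "name": "tlp:green"}]}

EVENTS = [  # constructed samples, not real MISP data
    _event("101", True, "1704153600", "1704150000", "7", " Acme CERT ", "1"),
    _event("102", True, "1703980800", "1703970000", "7", " Acme CERT ", "1"),   # published before cutoff
    _event("103", False, "1701388800", "1704240000", "8", "Example ISAC", "2"),  # edited after cutoff
    _event("104", True, "1704240000", "1704230000", "9", "Other Org", "1"),
]
CFG = {"include_unpublished": True, "creator_orgs": '" Acme CERT ", 8', "tags": "",
       "threat_level_id": "", "distribution": "",
       "fetch_data_from": datetime(2024, 1, 1, tzinfo=timezone.utc)}

def select(cfg):
    return [e["id"] for e in EVENTS if would_ingest(e, cfg)]

if __name__ == "__main__":
    print(select(CFG))
```

Running a model like this against an export of your MISP events before enabling the feed shows which events a given filter set would exclude, including an unquoted org name that no longer matches once its surrounding spaces are stripped.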