MISP Plugin
MISP plugin lets you enrich the knowledge of IP attributes using CrowdSec's CTI API.
Installation
Requirements
- A CrowdSec CTI API key. See instructions to obtain it
Setting up plugin server
The plugin is included in MISP's official plugin repo.
Configure the plugin
You can activate this module by accessing the “Plugins” tab of your MISP instance:
- Navigate to plugin settings page at
http://<your-misp-address>/servers/serverSettings/Plugin - Click on Enrichment
- Set the value of
Plugin.Enrichment_crowdsec_enabledtotrue - Set the value of
Plugin.Enrichment_crowdsec_api_keyto your CrowdSec CTI API key
For more details on the settings available, please refer to the Configurations part.
Usage
Thanks to the CrowdSec Threat Intelligence, you can enrich your IP attributes.
Once enriched, you will find a crowdsec-ip-context object with all attributes retrieved from CrowdSec.
For more details about this object, please refer to the Misp project documentation.
Configurations
You will find the settings page at http://<your-misp-address>/servers/serverSettings/Plugin
Configuration parameters are described below:
| Setting name | Mandatory | Type | Description |
|---|---|---|---|
Plugin.Enrichment_crowdsec_enabled | Yes | Boolean | Enable or disable the crowdsec module |
Plugin.Enrichment_crowdsec_restrict | No | String | Restrict the crowdsec module to the given organisation. |
Plugin.Enrichment_crowdsec_api_key | Yes | String | CrowdSec CTI API key. See instructions to obtain it |
Plugin.Enrichment_crowdsec_add_reputation_tag | No | String | Enable/disable the creation of a reputation tag for the IP attribute. You can use True or False as string value. Default: True |
Plugin.Enrichment_crowdsec_add_behavior_tag | No | String | Enable/disable the creation of a behavior tag for the IP attribute. You can use True or False as string value. Default: True |
Plugin.Enrichment_crowdsec_add_classification_tag | No | String | Enable/disable the creation of a classification tag for the IP attribute. You can use True or False as string value. Default: True |
Plugin.Enrichment_crowdsec_add_mitre_technique_tag | No | String | Enable/disable the creation of a mitre technique tag for the IP attribute. You can use True or False as string value. Default: True |
Plugin.Enrichment_crowdsec_add_cve_tag | No | String | Enable/disable the creation of a cve tag for the IP attribute. You can use True or False as string value. Default: True |
