
MISP Plugin

The MISP plugin lets you enrich the knowledge of IP attributes using CrowdSec's CTI API.

Installation

Requirements

Setting up plugin server

The plugin is included in MISP's official plugin repo.

Configure the plugin

You can activate this module by accessing the “Plugins” tab of your MISP instance:

  1. Navigate to the plugin settings page at http://<your-misp-address>/servers/serverSettings/Plugin
  2. Click on Enrichment
  3. Set the value of Plugin.Enrichment_crowdsec_enabled to true
  4. Set the value of Plugin.Enrichment_crowdsec_api_key to your CrowdSec CTI API key

For more details on the settings available, please refer to the Configurations part.

Usage

Thanks to CrowdSec Threat Intelligence, you can enrich your IP attributes.

Enrich IP

Once enriched, you will find a crowdsec-ip-context object with all attributes retrieved from CrowdSec.

For more details about this object, please refer to the MISP project documentation.


Configurations

You will find the settings page at http://<your-misp-address>/servers/serverSettings/Plugin


Configuration parameters are described below:

| Setting name | Mandatory | Type | Description |
| --- | --- | --- | --- |
| Plugin.Enrichment_crowdsec_enabled | Yes | Boolean | Enable or disable the crowdsec module |
| Plugin.Enrichment_crowdsec_restrict | No | String | Restrict the crowdsec module to the given organisation. |
| Plugin.Enrichment_crowdsec_api_key | Yes | String | CrowdSec CTI API key. See instructions to obtain it |
| Plugin.Enrichment_crowdsec_add_reputation_tag | No | String | Enable/disable the creation of a reputation tag for the IP attribute. You can use True or False as string value. Default: True |
| Plugin.Enrichment_crowdsec_add_behavior_tag | No | String | Enable/disable the creation of a behavior tag for the IP attribute. You can use True or False as string value. Default: True |
| Plugin.Enrichment_crowdsec_add_classification_tag | No | String | Enable/disable the creation of a classification tag for the IP attribute. You can use True or False as string value. Default: True |
| Plugin.Enrichment_crowdsec_add_mitre_technique_tag | No | String | Enable/disable the creation of a mitre technique tag for the IP attribute. You can use True or False as string value. Default: True |
| Plugin.Enrichment_crowdsec_add_cve_tag | No | String | Enable/disable the creation of a cve tag for the IP attribute. You can use True or False as string value. Default: True |
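
The configuration steps and the settings table above can also be applied from a script. The following is an added example, not code from the plugin or from this documentation: it validates the values against the documented types, sends the tag toggles as the strings "True"/"False", and enables the module only after the API key is set. The helper names are hypothetical, and `client` is assumed to be a PyMISP instance (its `set_server_setting` method) authenticated as a site admin.

```python
# Added example: build and apply the CrowdSec enrichment settings listed in the table.
PREFIX = "Plugin.Enrichment_crowdsec_"
TAG_TOGGLES = (
    "add_reputation_tag", "add_behavior_tag", "add_classification_tag",
    "add_mitre_technique_tag", "add_cve_tag",
)


def build_settings(api_key, restrict=None, **toggles):
    """Return ordered (name, value) pairs, validated against the documented types."""
    if not isinstance(api_key, str) or not api_key.strip():
        raise ValueError("api_key is mandatory and must be a non-empty string")
    unknown = set(toggles) - set(TAG_TOGGLES)
    if unknown:
        raise ValueError(f"unknown setting(s): {sorted(unknown)}")
    settings = [(PREFIX + "api_key", api_key.strip())]
    if restrict is not None:
        settings.append((PREFIX + "restrict", str(restrict)))
    for name in TAG_TOGGLES:
        if name not in toggles:
            continue  # left unset: the documented default is True
        value = toggles[name]
        if not isinstance(value, bool):
            # Rejects e.g. the string "False", which is truthy in Python.
            raise ValueError(f"{name} must be a Python bool, got {value!r}")
        # Tag toggles are typed String in the table: send "True"/"False".
        settings.append((PREFIX + name, "True" if value else "False"))
    # Enable last, so the module is never active without its API key.
    settings.append((PREFIX + "enabled", True))
    return settings


def redact(settings):
    """Copy of the settings that is safe to log: the API key value is masked."""
    return [(n, "***" if n.endswith("api_key") else v) for n, v in settings]


def apply_settings(client, settings):
    """Push each pair through client.set_server_setting(name, value)."""
    for name, value in settings:
        client.set_server_setting(name, value)
    return len(settings)
```

Read the API key from an environment variable or a secrets store rather than hard-coding it, and log only the output of `redact()`.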