Skip to content

External Integrations: MISP Feed

The default feed is available as a MISP feed.

It can be added to an existing MISP instance by following MISP's documentation.

To fetch Sekoia.io’s MISP feed, you’ll have to generate an API key with the INTHREAT_READ_OBJECTS permission. Please read the “Generate API keys“ page to understand how to create a new API key with the proper permissions.

The following field values are required for the feed to work properly:

  • Input Source: Network
  • URL: https://api.sekoia.io/v1/misp-gateway/misp
  • Source Format: MISP Feed
  • Headers: Authorization: Bearer <APIKEY> (please replace <APIKEY> with the secret API key)
  • Enabled: True

Configuring Sekoia.io’s MISP feed in MISP

You then need to make sure you have a scheduled task in place to regularly fetch the feed's content.

Note

MISP adds automatically the suffix /manifest.json to the feed URL. If you want to try the connection to the feed outside MISP or make a custom script, you need to use the following URL: https://api.sekoia.io/v1/misp-gateway/misp/manifest.json

The new MISP feed contains all non-expired Sekoia.io intelligence material and is constantly kept in sync with SEKOIA.IO’s intelligence feed. This way, when an indicator is updated in SEKOIA.IO, that latter will be also updated in the MISP feed. This will ensure that the indicator is not duplicated each time an indicator is updated.

The MISP feed is organized by data “source” per creation date of the indicator. Hence, if an indicator has several sources, it will be included in several MISP events.