How to Connect a MISP Server

This topic provides step-by-step instructions for connecting a MISP server to TheHive.

This is useful if you want to automatically retrieve filtered MISP events as alerts in TheHive or manually export observables marked as IOCs from cases to MISP.

You can configure multiple MISP servers in TheHive.

To manually import a MISP event as a case in TheHive, refer to How to Create a New Case.

Requirements

Before proceeding with these instructions, ensure you have a MISP API key. You can find the API key under the My Profile page (/users/view/me) on your MISP instance.

Upgrading MISP from 2.4.x to 2.5.x

If you have upgraded MISP from version 2.4.x to 2.5.x, ensure that you update the database configuration in MISP to avoid potential issues.

Required permissions for managing MISP server connections

Only users with an admin-type profile that has the managePlatform permission can manage MISP server connections in TheHive.

Procedure

1. Go to the Platform management view from the sidebar menu.

   

   ---

2. Select the Connectors tab.

   

   ---

3. Select the MISP tab.

   

   ---

4. Enter the time interval between each event polling from TheHive to MISP.

   Configuration for all MISP servers

   This time interval applies to all MISP servers connected to TheHive.

   ---

5. Select .

   ---

6. In the Set up the new server drawer, enter the following information in the General settings section:

   - Server name

   A name for the connection. Use explicit, precise names for each connection if you have multiple servers configured in TheHive.

   - Server URL

   The URL of the MISP server to connect with. For example: https://misp.mycompany.com.

   - API key

   The API key for the dedicated MISP account. You can find the API key under the My Profile page (/users/view/me) on your MISP instance.

   - Purpose

   The purpose of this connection indicates what actions you are allowed to perform with the server:

   • Import only: Automatically import events from MISP to TheHive as alerts
   • Export only: Manually export observables marked as IOCs from TheHive cases to MISP
   • Import and export: Allows both automatically importing events from MISP to TheHive and manually exporting observables marked as IOCs from TheHive cases to MISP

   ---

7. In the Proxy settings section, select the proxy settings you want to apply:

   • Default configuration
   • Disabled
   • Enabled:
     • Enter the type of protocol, either HTTP or HTTPS.
     • Enter the IP address or domain name of the proxy server.
     • Enter the port number used by the proxy server.
     • Turn on the Authentication toggle if you want to require a username and password to authenticate with the proxy server.

   ---

8. Add a certificate authority.

   For more information about configuring SSL, refer to the Configure SSL topic.

   Only use certificates from trusted, predefined authorities for secure connections; you can't use custom certificate authorities.

   You can turn off the Don't check certificate authority toggle to bypass certificate validation, but this isn't recommended as it may compromise connection security.

   ---

9. Turn on the Disable host name verification toggle if you want to bypass the verification of the server's host name against the certificate.

   ---

10. In the Advanced settings section, enter the following information:

    - Choose the filter on TheHive organizations

    By default, all your organizations in TheHive benefit from this connection.

    The following options are available:

    • Include all organizations
    • Include selected organizations
    • Exclude selected organizations

    - Tags

    The tags to be appended to alerts when importing MISP events.

    - Export case tags

    Exports the case tags to the MISP event.

    - Export observables tags

    Exports the tags from the observables to the MISP event.

    - Export TheHive URL

    Exports the TheHive case link to the MISP event.

    ---

11. In the Filter settings section, enter the following information:

    - Maximum age

    The maximum age, based on the creation date, for an event to be imported into TheHive.

    - Organizations to include

    Only events created by the MISP organizations defined in this field are imported.

    - Organizations to exclude

    Only events not created by the MISP organizations defined in this field are imported.

    - Maximum number of attributes

    The maximum number of MISP attributes, corresponding to observables in TheHive, per event to import.

    - List of allowed tags

    Only events containing the tags defined in this field are imported.

    - Prohibited tags list

    Only events that don't contain the tags defined in this field are imported.

    ---

12. Select Test server connection to verify your connection.

    ---

13. Select Add.

Next steps

• Edit a MISP Server Connection
• Delete a MISP Server Connection