MISP Integration
Energy SOAR Base can synchronise with one or more MISP instances to import events as alerts and export IOC-flagged observables. The MISP connector is disabled by default.
Enabling the MISP connector
Uncomment the following line in /etc/energysoar/application.conf.d/misp.conf:
play.modules.enabled += org.emca.energysoar.connector.misp.MispModule
Restart Energy SOAR Base after any change to this file:
systemctl restart energysoar
Configuring MISP servers
Add a misp block to /etc/energysoar/application.conf.d/misp.conf:
misp {
  interval: 1 hour
  servers: [
    {
      name = "local"            # MISP instance name
      url = "http://localhost/" # MISP server URL
      auth {
        type = key
        key = "***"             # MISP API key
      }
      max-age = 7 days          # import events no older than this
      wsConfig {}               # HTTP client configuration (SSL, proxy)
    }
  ]
}
To connect to multiple MISP instances, add additional objects to the servers list.
Configuration fields
| Key | Description |
|---|---|
| interval | How often Energy SOAR polls each MISP server for new events. Default: |
| name | Friendly name for the MISP instance, used in the UI. |
| url | Base URL of the MISP server. |
| auth.type | Authentication type. Only |
| auth.key | MISP API key. Generate it in MISP under My Profile > Auth key. |
| max-age | Maximum age of MISP events to import. Events older than this value are skipped. Default: |
| wsConfig | Optional HTTP client settings (TLS certificates, proxy). Leave empty |
TLS and proxy
Pass TLS or proxy settings inside wsConfig:
wsConfig {
  ssl {
    trustManager {
      stores = [{ type: "PEM", path: "/etc/energysoar/misp-ca.crt" }]
    }
  }
}
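A pre-flight check for the servers list, added here as an illustration (not Energy SOAR code): with key authentication the MISP API key accompanies every request, so a url that is plain HTTP to a non-loopback host exposes it on the wire, and misp.conf itself should not be readable by other accounts. The sample config, host names and function names are constructed for this example, and the scan is a brace-depth pass over the text, not a full HOCON parser.

```python
import os, re, stat
from urllib.parse import urlparse
# Constructed sample in the shape of the misp block above; names and hosts are placeholders.
SAMPLE = '''
misp {
  servers: [
    { name = "local",   url = "http://localhost/",         auth { type = key, key = "***" } }
    { name = "partner", url = "http://misp.example.org/",  auth { type = key, key = "***" } }
    { name = "sector",  url = "https://misp.example.net/", auth { type = key, key = "***" } }  # TLS
  ]
}
'''
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def server_blocks(conf):
    """Yield each top-level {...} object inside the servers list (braces in strings not handled)."""
    conf = re.sub(r'#[^"\n]*$', "", conf, flags=re.M)  # strip trailing comments
    m = re.search(r'\bservers\s*[:=]\s*\[', conf)
    depth, start = 0, 0
    for i in range(m.end() if m else len(conf), len(conf)):
        c = conf[i]
        if c == "{":
            start = i if depth == 0 else start
            depth += 1
        elif c == "}":
            depth -= 1
            if depth == 0:
                yield conf[start:i + 1]
        elif c == "]" and depth == 0:
            return  # end of the servers list

def cleartext_servers(conf):
    """Names of servers whose API key would travel over plain HTTP to a non-loopback host."""
    flagged = []
    for block in server_blocks(conf):
        name = re.search(r'\bname\s*[:=]\s*"([^"]*)"', block)
        url = re.search(r'\burl\s*[:=]\s*"([^"]*)"', block)
        if not url:
            continue
        parsed = urlparse(url.group(1))
        if parsed.scheme != "https" and parsed.hostname not in LOOPBACK:
            flagged.append(name.group(1) if name else url.group(1))
    return flagged

def readable_by_others(path):
    """True if group or other can read the file that holds the API keys."""
    return bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))

if __name__ == "__main__":
    print("cleartext MISP servers:", cleartext_servers(SAMPLE))
```

Run cleartext_servers on the contents of /etc/energysoar/application.conf.d/misp.conf and readable_by_others on its path before restarting the service.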
Observable export
Only observables with the Is IOC flag set are exported to MISP. The export is triggered manually from the observable row in a case or automatically by the MISP connector on its next synchronisation cycle.
Exporting to a specific MISP connection can be restricted per organisation in /etc/energysoar/application.conf.d/misp.conf. If export is not permitted for the organisation, the platform logs:
Export on MISP connection <id> is denied by configuration.