Views:
The Malware Information Sharing Platform (MISP) can receive events and indicators from the Threat Intelligence Feed.
Prerequisites:

Add the feed in MISP Parent topic

Access the Threat Intelligence Feed through the built-in feeds functionality in MISP.

Procedure

  1. In the MISP web interface, select Sync ActionsFeeds.
  2. Click Add Feed to display the configuration page.
  3. Select Enabled.
  4. Enter the Name and Provider for the feed.
  5. Enter the regional feed URL from the table below.

    Feed URLs

    Region
    MISP feed URL
    Australia
    https://api.au.xdr.trendmicro.com/v3.0/threatintel/misp/feed
    European Union
    https://api.eu.xdr.trendmicro.com/v3.0/threatintel/misp/feed
    India
    https://api.in.xdr.trendmicro.com/v3.0/threatintel/misp/feed
    Japan
    https://api.xdr.trendmicro.co.jp/v3.0/threatintel/misp/feed
    Singapore
    https://api.sg.xdr.trendmicro.com/v3.0/threatintel/misp/feed
    United Arab Emirates
    https://api.mea.xdr.trendmicro.com/v3.0/threatintel/misp/feed
    United States
    https://api.xdr.trendmicro.com/v3.0/threatintel/misp/feed
  6. Enter the API token as follows: Authorization: Bearer <your_token>
  7. Click Submit to save the configuration.

Add custom galaxies Parent topic

After adding the Threat Intelligence Feed in MISP, you can add or update TrendAI™ galaxies using the Python script available here.
Alternatively, you can manually add custom galaxies by following the steps below.

Procedure

  1. Download the relevant galaxy JavaScript Object Notation (JSON) files from the URL for your region shown in the table below.
    Available TrendAI™ galaxy types:
    • trendmicro-campaign-galaxy
    • trendmicro-intrusion-set-galaxy
    • trendmicro-malware-galaxy
    • trendmicro-tool-galaxy
    • trendmicro-vulnerability-galaxy

    Galaxy URLs

    Region
    Galaxy URL template
    Australia
    https://api.au.xdr.trendmicro.com/v3.0/threatintel/misp/galaxies/%7Bgalaxy
    European Union
    https://api.eu.xdr.trendmicro.com/v3.0/threatintel/misp/galaxies/%7Bgalaxy
    India
    https://api.in.xdr.trendmicro.com/v3.0/threatintel/misp/galaxies/%7Bgalaxy
    Japan
    https://api.xdr.trendmicro.co.jp/v3.0/threatintel/misp/galaxies/%7Bgalaxy
    Singapore
    https://api.sg.xdr.trendmicro.com/v3.0/threatintel/misp/galaxies/%7Bgalaxy
    United Arab Emirates
    https://api.mea.xdr.trendmicro.com/v3.0/threatintel/misp/galaxies/%7Bgalaxy
    United States
    https://api.xdr.trendmicro.com/v3.0/threatintel/misp/galaxies/%7Bgalaxy
  2. Copy the files to the galaxies folder (location may vary): /var/www/MISP/app/files/misp-galaxy/galaxies/
  3. Click Force Update Galaxies to save changes.

Add custom clusters Parent topic

After adding the Threat Intelligence Feed in MISP, you can add or update TrendAI™ clusters using the Python script available here.
Alternatively, you can manually add custom galaxies by following the steps below.

Procedure

  1. Download the relevant cluster JSON files from the URL for your region shown in the table below.

    Cluster URLs

    Region
    Cluster URL template
    Australia
    https://api.au.xdr.trendmicro.com/v3.0/threatintel/misp/clusters/%7Bcluster
    European Union
    https://api.eu.xdr.trendmicro.com/v3.0/threatintel/misp/clusters/%7Bcluster
    India
    https://api.in.xdr.trendmicro.com/v3.0/threatintel/misp/clusters/%7Bcluster
    Japan
    https://api.xdr.trendmicro.co.jp/v3.0/threatintel/misp/clusters/%7Bcluster
    Singapore
    https://api.sg.xdr.trendmicro.com/v3.0/threatintel/misp/clusters/%7Bcluster
    United Arab Emirates
    https://api.mea.xdr.trendmicro.com/v3.0/threatintel/misp/clusters/%7Bcluster
    United States
    https://api.xdr.trendmicro.com/v3.0/threatintel/misp/clusters/%7Bcluster
  2. Copy the files to the clusters folder (location may vary): /var/www/MISP/app/files/misp-galaxy/clusters/
  3. Click Force Update Galaxies to save changes.