Integrating MISP

Trend Micro Vision One can transfer suspicious object data to the MISP threat sharing platform, and retrieve threat intelligence data from it, through a Service Gateway.

Configure transfer and retrieval of threat intelligence data with this integration through a Service Gateway.


At least one Service Gateway must be configured to enable integration.

For more information, see Service Gateway Inventory.

  1. Configure settings on Trend Micro Vision One.
    1. Go to Administration > Third-Party Integration.
    2. In the Integration column, click MISP.
    3. Click the toggle to enable or disable the integration.
    4. Review the Legal Statement and click Accept or Close to continue.
    5. Configure settings to allow Trend Micro Vision One to transfer suspicious object data to MISP.
      1. Select Transfer data to MISP.

      2. Event tag: Specify the tag of the MISP event to which the suspicious object data is transferred.

        • The event tag must be created in the MISP system before data can be transferred.

        • If the event tag is added to multiple events, the data will only be transferred to the event with the lowest ID.

      3. Select the risk level of the suspicious object data to include in the transferred data.

      4. Select the frequency at which suspicious object data is transferred.

    6. Configure settings to allow Trend Micro Vision One to retrieve threat intelligence data from MISP.
      1. Select Retrieve data from MISP.

      2. Frequency: Select the frequency at which threat intelligence data is retrieved.

      3. Retrieve from: Select how far back in time to begin retrieving threat intelligence data.

      4. Subscribe event tags: Specify the threat intelligence data to retrieve by subscribing to tags.

        1. Event tag: Specify a tag. Trend Micro Vision One only retrieves threat intelligence data that contains the specified tag.

        2. Extract and block suspicious objects: If enabled, the following objects are extracted and added to the Suspicious Object List as high-risk objects with Block/Quarantine action applied:

          • Domain

          • File SHA-1

          • File SHA-256

          • IP address

          • Sender address

          • URL


          Only "indicator" type objects that are not revoked and that are not labeled as "anomalous-activity", "anonymization", "benign", "compromised", or "unknown" are added to the Suspicious Object List.

        3. Run an auto sweep: If enabled, an automatic sweeping task runs right after successful retrieval to search your historical data for objects extracted from the threat intelligence data.

      5. (Optional) Click Add Event Tag and repeat the previous step to retrieve threat intelligence data from additional tags.

    7. Under Service Gateway Connection, configure the connection between the Service Gateway and the integration.
      1. Click Connect.

        The Service Gateway Connection panel appears.

      2. Select a Service Gateway.

      3. Configure the integration server settings.

      4. (Optional) Click Test Connection to verify that the settings are valid.

      5. Click Connect.

        The connection configuration is added to the list.

    8. Repeat the previous step to add multiple connection configurations for this integration.
    9. Click Save.
  2. Configure settings on your integration. For more information, see the documentation for the integration.
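
Because "Extract and block suspicious objects" applies the Block/Quarantine action automatically, it helps to preview which objects under a tag would pass the filter described in that step before enabling it. The following is an added example, not Trend Micro or MISP code. It assumes the retrieved data is available as a STIX 2.x bundle (the page does not state the format), and the mapping from pattern paths to object types and the function name `preview_blocked` are illustrative assumptions.

```python
import re

# Labels the page excludes from the Suspicious Object List.
EXCLUDED_LABELS = {"anomalous-activity", "anonymization", "benign",
                   "compromised", "unknown"}
# Assumed mapping of STIX pattern paths to the object types listed on the page.
PATTERN_TYPES = {
    "domain-name:value": "Domain",
    "file:hashes.'SHA-1'": "File SHA-1",
    "file:hashes.'SHA-256'": "File SHA-256",
    "ipv4-addr:value": "IP address",
    "ipv6-addr:value": "IP address",
    "email-message:from_ref.value": "Sender address",
    "url:value": "URL",
}
COMPARISON = re.compile(r"([a-z0-9-]+:[\w.'-]+)\s*=\s*'([^']*)'")

def preview_blocked(bundle):
    """Return (type, value) pairs that pass the filter stated on the page."""
    selected = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked", False):
            continue  # not an indicator, or revoked
        # STIX 2.0 uses "labels", STIX 2.1 uses "indicator_types".
        labels = set(obj.get("labels", [])) | set(obj.get("indicator_types", []))
        if labels & EXCLUDED_LABELS:
            continue  # any excluded label disqualifies the object
        for path, value in COMPARISON.findall(obj.get("pattern", "")):
            if path in PATTERN_TYPES:
                selected.append((PATTERN_TYPES[path], value))
    return selected

# Constructed sample data using reserved example domains and addresses.
SAMPLE_BUNDLE = {"type": "bundle", "objects": [
    {"type": "indicator", "labels": ["malicious-activity"],
     "pattern": "[domain-name:value = 'bad.example']"},
    {"type": "indicator", "labels": ["benign"],
     "pattern": "[ipv4-addr:value = '198.51.100.1']"},
    {"type": "indicator", "labels": ["malicious-activity"], "revoked": True,
     "pattern": "[url:value = 'http://bad.example/a']"},
    {"type": "malware", "name": "constructed-sample"},
    {"type": "indicator", "indicator_types": ["malicious-activity"],
     "pattern": "[ipv4-addr:value = '203.0.113.7'] OR "
                "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']"},
]}

if __name__ == "__main__":
    for kind, value in preview_blocked(SAMPLE_BUNDLE):
        print(f"{kind}: {value}")
```

Review the output for shared infrastructure or internal addresses that should not be blocked before turning the option on for a tag.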