MISP Feeds

Trend Vision One enables transfer of suspicious object data to and retrieval of threat intelligence data from the MISP threat sharing platform through a Service Gateway.

Configure transfer and retrieval of threat intelligence data with this integration through a Service Gateway.


At least one Service Gateway must be configured to enable integration.

  1. Configure settings on Trend Vision One.
    1. Go to Threat Intelligence > Third-Party Intelligence > MISP.
    2. Click the toggle to enable or disable the integration.
    3. Review the Legal Statement and click Accept or Close to continue.
    4. Configure settings to allow Trend Vision One to transfer suspicious object data to MISP.
      1. Select Transfer data to MISP.

      2. Event tag: Specify the tag to transfer the suspicious object data to.

        • The event tag must be created in the MISP system before data can be transferred.

        • If the event tag is added to multiple events, the data will only be transferred to the event with the lowest ID.

      3. Select the risk level of the suspicious object data to include in the transferred data.

      4. Select the frequency at which suspicious object data is transferred.

    5. Configure settings to allow Trend Vision One to retrieve threat intelligence data from MISP.
      1. Select Retrieve data from MISP.

      2. Frequency: Select the frequency at which threat intelligence data is retrieved.

      3. Retrieve from: Select how far in the past to begin retrieving threat intelligence data from.

      4. Subscribe event tags: Specify the threat intelligence data to retrieve by subscribing to tags.

        1. Event tag: Specify a tag. Trend Vision One only retrieves threat intelligence data that contains the specified tag.

        2. Extract and block suspicious objects: If enabled, click and select one or more of the following suspicious object types to extract and add to the Suspicious Object List:

          • Domain

          • File SHA-1

          • File SHA-256

          • IP address

          • Sender address

          • URL

          By default, these suspicious objects are considered as high-risk objects with Block/Quarantine action applied.


          Only "indicator" type STIX objects that are not labeled as "anomalous-activity", "anonymization", "benign", "compromised", or "unknown", and that are not revoked will be added to the Suspicious Objects List.

        3. Run an auto sweep: If enabled, a one-time sweeping task runs right after successful retrieval to search your historical data for objects extracted from the threat intelligence data. Only "report" type STIX objects are supported for sweeping.

      5. (Optional) Click Add Event Tag and repeat the previous step to retrieve threat intelligence data from additional tags.

    6. Under Service Gateway Connection, configure the connection between the Service Gateway and the integration.
      1. Click Connect.

        The Service Gateway Connection panel appears.

      2. Select a Service Gateway.

      3. Configure the integration server settings.

      4. (Optional) Click Test Connection to verify if the settings are valid.

      5. Click Connect.

        The connection configuration is added to the list.

    7. Repeat the previous step to add multiple connection configurations for this integration.
    8. Click Save.
  2. Configure settings on your integration. For more information, see the documentation for the integration.