MISP Ingestion

Maltiverse, powered by Lumu Technologies, revolutionizes threat intelligence management by providing a cloud-based platform that simplifies the ingestion, analysis, and dissemination of Indicators of Compromise (IoCs). If you're using MISP (Malware Information Sharing Platform) for threat sharing, you may encounter common challenges such as ongoing maintenance of on-premise servers, unreliable intelligence leading to false positives, lack of automatic IoC expiration, and limited integrations with commercial cybersecurity tools. Maltiverse addresses these pain points head-on: as a fully cloud-based Threat Intelligence Platform (TIP), it eliminates maintenance overhead, employs advanced methods to prevent false positives through rule-based patterns, whitelists, and third-party validations, enables configurable automatic IoC expiration and downgrading, and offers over 30 seamless integrations with leading commercial technologies.

By integrating your MISP instance with Maltiverse via the MISP Ingest Plugin, you can effortlessly synchronize IoCs, enhancing your cybersecurity stack with curated, actionable intelligence that supports Continuous Compromise Assessment and empowers your SOC team to respond faster to emerging threats. This integration not only streamlines IoC synchronization but also serves as a cornerstone for optimizing threat intelligence workflows. Whether you're a security analyst managing private IoCs or an MSP integrating with client ecosystems, Maltiverse's MISP ingest feature ensures reliable data flow, reducing operational friction and boosting your organization's threat detection capabilities.

In this article, you'll learn how to configure the plugin, understand data mapping, and leverage it for real-world use cases.

Overview

This integration is designed to seamlessly pull attributes from a MISP instance and convert them into Indicators of Compromise (IOCs) within Maltiverse.

  • Pulls all MISP attributes visible to your API key (no organization or organization-context filter is applied).
  • Converts supported MISP attributes into Maltiverse IOCs.
  • Runs every hour and fetches only the attributes that are new or updated since the previous run.

Prerequisites

Before starting the configuration, ensure you have the following:

  • A reachable MISP server URL.
  • A MISP API key with permission to search attributes and view event context.
  • Network access from the Maltiverse platform to your MISP instance.

Note: Only Maltiverse Platform teams are authorized to upload IOCs to Maltiverse instances.

Plugin Configuration

Follow these instructions to integrate your MISP instance.

1. Access the Maltiverse Portal.

2. Go to Platform > Connectors.

3. Filter the list by INGEST. Then, select MISP Ingestion.

4. Click + Add MISP to create a new plugin.

5. Fill in the configuration form as follows:

    • MISP Name: A descriptive, unique name for this plugin.
    • MISP Instance URL: The base URL of your MISP server. Example: https://misp.example.com
    • MISP API Key: Your authentication key for the MISP API.
    • (Optional) Description: Add useful information about the data source or the type of data being pulled from the remote MISP instance.

6. Once you have filled in the form, click Test Connection to verify connectivity.

Note: The integration will attempt to connect to the MISP instance hourly, so you may save the configuration even if the test is currently failing.

7. Click Save to confirm the configuration. The plugin will be scheduled to start pulling attributes. Note that it may take some time before the new indicators appear online.

Plugin Status

Once a plugin is configured, the status will show you how it is behaving with these four options:

Status       Description
Pending      Yet to be executed
Online       The plugin is working as expected
Unreachable  Cannot connect to the remote MISP instance
Disabled     The plugin is not enabled by the user

View Results

On the Ingest Plugin table, use the 🔍 button to search for the IOCs fetched by the plugin.

How data is ingested and mapped

The following sections describe how data is ingested and mapped into Maltiverse Threat Intelligence.

Attribute Mappings

MISP attributes are mapped to Maltiverse IOC types as follows:

  • ip-src, ip-src|port, ip-dst, ip-dst|port are saved as ip.
  • domain, hostname are saved as hostname.
  • url is saved as url. The urlchecksum is also computed as the SHA-256 of the raw URL string.
  • sha256, filename|sha256 are saved as sha256. Only the hash part is used for filename|sha256.
  • email-src is saved as email_address.

Classification Rules

Incoming attributes are classified based on the to_ids flag. In MISP, the to_ids field indicates whether an indicator is suitable for use as an Indicator of Compromise (IoC) for detection by security tools. The field is mapped as:

  • malicious: when to_ids is true.
  • suspicious: when to_ids is false.

Tag Handling

  • Attribute tags and event tags are merged.
  • Duplicates are removed, and the resulting tag list is sorted.

Blacklist Metadata

The following metadata fields are populated:

  • description: The attribute comment if present; otherwise, the event info.
  • source: The event Org name, then Orgc name, or MISP <hostname> as a fallback.
  • first_seen: The event publish_timestamp in YYYY-MM-DD HH:MM:SS UTC.
  • last_seen: The event timestamp in YYYY-MM-DD HH:MM:SS UTC.
  • tags: The merged and sorted tag list.
  • external_references: If the description contains a URL, it is moved to this field with source_name: "MISP" and removed from the description.
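As an added worked example (not the plugin's own code), the following Python function applies the attribute mapping, classification, tag handling and blacklist metadata rules described above to a single MISP attribute. It assumes the attribute JSON shape returned by MISP's attribute search (a nested Event carrying Org, Orgc and Tag objects, and epoch-string timestamps) and assumes that for the ip|port types the IP part is kept; the sample attribute is constructed.

```python
import hashlib
import re
from datetime import datetime, timezone
from urllib.parse import urlparse

# MISP attribute type -> Maltiverse IOC type, as listed in this article
TYPE_MAP = {"ip-src": "ip", "ip-src|port": "ip", "ip-dst": "ip", "ip-dst|port": "ip",
            "domain": "hostname", "hostname": "hostname", "url": "url", "sha256": "sha256",
            "filename|sha256": "sha256", "email-src": "email_address"}
URL_RE = re.compile(r"https?://\S+")

def utc(epoch):  # MISP event timestamps are epoch strings; render as YYYY-MM-DD HH:MM:SS UTC
    return datetime.fromtimestamp(int(epoch), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")

def map_attribute(attr, misp_url):
    """Convert one MISP attribute (with its nested Event) into a Maltiverse-style IOC dict."""
    ioc_type = TYPE_MAP.get(attr["type"])
    if ioc_type is None:
        return None  # unsupported MISP type: not ingested
    value = attr["value"]
    if attr["type"] == "filename|sha256":
        value = value.split("|", 1)[1]  # only the hash part is used
    elif attr["type"].endswith("|port"):
        value = value.split("|", 1)[0]  # assumption: the port is dropped and the IP kept
    event = attr["Event"]
    tags = sorted({t["name"] for t in attr.get("Tag", []) + event.get("Tag", [])})  # merge, dedupe, sort
    description = attr.get("comment") or event.get("info", "")  # comment first, event info as fallback
    refs = [{"source_name": "MISP", "url": u} for u in URL_RE.findall(description)]
    for ref in refs:  # a URL in the description moves to external_references
        description = description.replace(ref["url"], "").strip()
    org = event.get("Org", {}).get("name") or event.get("Orgc", {}).get("name")
    ioc = {"type": ioc_type, "value": value,
           "classification": "malicious" if attr.get("to_ids") else "suspicious",
           "blacklist": {"description": description,
                         "source": org or f"MISP {urlparse(misp_url).hostname}",
                         "first_seen": utc(event["publish_timestamp"]),
                         "last_seen": utc(event["timestamp"]),
                         "tags": tags, "external_references": refs}}
    if ioc_type == "url":  # urlchecksum is the SHA-256 of the raw URL string
        ioc["urlchecksum"] = hashlib.sha256(value.encode()).hexdigest()
    return ioc

# Constructed sample: one attribute as returned by MISP's attribute search, with Event context.
SAMPLE = {"type": "url", "value": "http://bad.example/payload.exe", "to_ids": True,
          "comment": "Dropper seen in campaign, see https://blog.example/report",
          "Tag": [{"name": "tlp:amber"}],
          "Event": {"info": "Campaign X", "timestamp": "1700000000", "publish_timestamp": "1699990000",
                    "Org": {"name": "Example CERT"}, "Orgc": {"name": "Partner"},
                    "Tag": [{"name": "malware"}, {"name": "tlp:amber"}]}}
if __name__ == "__main__":
    print(map_attribute(SAMPLE, "https://misp.example.com"))
```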

Troubleshooting

If you encounter issues with the plugin (such as an Unreachable status), please verify the following configurations:

  • Check API Key Permissions: Ensure that the API key you have provided has the specific privileges required to search attributes and read event context within your MISP instance.
  • Verify Network Connectivity: Confirm that your MISP URL is reachable from the Maltiverse platform. You may need to check firewall rules or allowlist Maltiverse IPs to ensure the connection is not being blocked.
