Updated 5 days ago by Elvis Hovor

This document explains to set up and use the MISP intel feed with TruSTAR Station.

MISP is a threat intelligence platform for gathering, sharing, storing and correlating IOCs from targeted attacks, threat intelligence, financial fraud information, vulnerability information or even counter-terrorism information.

  • Time to Install: 10 minutes
  • Type of Feed: Automatic updates
  • Update Frequency: 15 minutes
  • Source Type: Open Feed


  • Your MISP Server URL
  • MISP Authentication Key
TruSTAR Admin rights are required to activate this closed source feed.

Getting Started

After you have retrieved your MISP URL and Auth Keys follow these steps:

  1. Sign into TruSTAR.
  2. Click the Marketplace tab.
  1. Choose Closed Sources.
  2. Click Subscribe on the MISP box.
  1. Enter your MISP API key and click Save Credentials & Request Subscription.

TruSTAR will validate the integration within 48 hours and send an email when the integration has been enabled.

How It Works

The TruSTAR integration retrieves data from MISP every 15 minutes. The initial pull will query events for the last 24 hours and checkpoint the timestamp to use as a basis to ingest the latest events every 15 minutes.

Report Mapping

Please see our API documentation for more information about data elements for TruSTAR Reports.



Report External Id

Event UUID

Report Body

Entire Event Content

Report Tags

Event Tags

Report Update

If an event with the same UUID is observed, the existing report is updated by replacing it with the updated content.


Q: What data does TruSTAR pull from MISP?

The TruSTAR integration currently only pulls newly created events in MISP. The whole event body is pulled down and submitted as the body of the report in TruSTAR.

Q: What about Historical Data?

TruSTAR can use the MISP sync feature to download all historical data from the MISP server and upload that data into the user's enclave in TruSTAR.

Known Issues

No reported issues.

Please reach out to support@trustar.co if you have issues with this integration.

How Did We Do?