Usage
To use OTX to MISP from the command line:
$ otx-misp --help
otx-misp
Downloads OTX pulses and adds them to MISP.
usage: otx-misp [-h] [-o OTX] [-s SERVER] [-m MISP] [-t TIMESTAMP] [-c CONFIG]
                [-w] [-a] [-u] [-n] [-d] [-v] [--no-tlp] [--discover-tags]
                [--to-ids] [--distribution DISTRIBUTION]
                [--threat-level THREAT_LEVEL] [--analysis ANALYSIS]
                [--author-tag] [--bulk-tag BULK_TAG] [--dedup-titles]
                [--stop-on-error]
-h, --help
    show this help message and exit
-o <otx>, --otx <otx>
    Alienvault OTX API key
-s <server>, --server <server>
    MISP server URL
-m <misp>, --misp <misp>
    MISP API key
-t <timestamp>, --timestamp <timestamp>
    Last import as Date/Time ISO format or UNIX timestamp
-c <config>, --config-file <config>
-w, --write-config
    Write the configuration file
-a, --author
    Add the Pulse author name in the MISP Info field
-u, --update-timestamp
    Updates the timestamp in the configuration file
-n, --no-publish
    Don’t publish the MISP event
-d, --dry-run
    Fetch the pulses but don’t create MISP events. Use -v[v] to see details.
-v, --verbose
    Verbosity, repeat to increase the verbosity level.
--no-tlp
    No Traffic Light Protocol tag
--discover-tags
    Discover tags to add to MISP events
--to-ids
    Mark IOCs as exportable to IDS
--distribution <distribution>
    MISP distribution of events (organisation, community, connected, all), default: organisation
--threat-level <threat_level>
    MISP threat level of events (high, medium, low, undefined), default: undefined
--analysis <analysis>
    MISP analysis state of events (initial, ongoing, completed), default: completed
--author-tag
    Add the pulse author as an event tag
--bulk-tag <bulk_tag>
    Add a custom tag that will be added to all events (e.g. OTX)
--dedup-titles
    Search MISP for an existing event title and update it, rather than create a new one
--stop-on-error
    Stop import when an exception is raised
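A staged import built only from the flags listed above, as an added example that is not part of the otx-misp project: a dry run first, then an import that leaves events unpublished for review. The environment variable names OTX_API_KEY, MISP_URL and MISP_API_KEY and the function names import_flags and staged_import are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the otx-misp project.
# OTX_API_KEY, MISP_URL and MISP_API_KEY are environment variable names
# assumed for this example; otx-misp does not define them.

# Print the event-policy flags used by both stages, one per line, after
# checking each value against the choices listed in the help text.
import_flags() {
    distribution=${1:-organisation}
    threat_level=${2:-undefined}
    analysis=${3:-completed}
    case $distribution in
        organisation|community|connected|all) ;;
        *) echo "invalid distribution: $distribution" >&2; return 2 ;;
    esac
    case $threat_level in
        high|medium|low|undefined) ;;
        *) echo "invalid threat level: $threat_level" >&2; return 2 ;;
    esac
    case $analysis in
        initial|ongoing|completed) ;;
        *) echo "invalid analysis state: $analysis" >&2; return 2 ;;
    esac
    printf '%s\n' --no-publish --dedup-titles --stop-on-error \
        --bulk-tag OTX --distribution "$distribution" \
        --threat-level "$threat_level" --analysis "$analysis"
}

# Stage 1 fetches the pulses without creating events (-d) and prints
# details (-vv). Stage 2 runs only if stage 1 succeeded, and creates
# unpublished events so they can be reviewed in MISP before release.
staged_import() {
    flags=$(import_flags "$@") || return
    # $flags is left unquoted on purpose: every value was validated above
    # and contains no whitespace, so word splitting is safe here.
    otx-misp -o "$OTX_API_KEY" -s "$MISP_URL" -m "$MISP_API_KEY" \
        -d -vv $flags || return
    otx-misp -o "$OTX_API_KEY" -s "$MISP_URL" -m "$MISP_API_KEY" $flags
}

# Run only when asked to, e.g.: sh staged_import.sh run community low initial
if [ "${1:-}" = run ]; then
    shift
    staged_import "$@"
fi
```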
To use OTX to MISP in a project:
import otx_misp