To use OTX to MISP from the command line:

$ otx-misp --help


Downloads OTX pulses and add them to MISP.

usage: otx-misp [-h] [-o OTX] [-s SERVER] [-m MISP] [-t TIMESTAMP] [-c CONFIG]
                [-w] [-a] [-u] [-n] [-d] [-v] [--no-tlp] [--discover-tags]
                [--to-ids] [--distribution DISTRIBUTION]
                [--threat-level THREAT_LEVEL] [--analysis ANALYSIS]
                [--author-tag] [--bulk-tag BULK_TAG] [--dedup-titles]
-h, --help

show this help message and exit

-o <otx>, --otx <otx>

Alienvault OTX API key

-s <server>, --server <server>

MISP server URL

-m <misp>, --misp <misp>


-t <timestamp>, --timestamp <timestamp>

Last import as Date/Time ISO format or UNIX timestamp

-c <config>, --config-file <config>
-w, --write-config

Write the configuration file

-a, --author

Add the Pulse author name in the MISP Info field

-u, --update-timestamp

Updates the timestamp in the configuaration file

-n, --no-publish

Don’t publish the MISP event

-d, --dry-run

Fetch the pulses but don’t create MISP events. Use -v[v] to see details.

-v, --verbose

Verbosity, repeat to increase the verbosity level.


No Traffic Light Protocol tag


Discover tags to add to MISP events


Mark IOCs as exportable to IDS

--distribution <distribution>

MISP distribution of events (organisation,community,connected,all), default: organisation

--threat-level <threat_level>

MISP threat level of events (high,medium,low,undefined), default: undefined

--analysis <analysis>

MISP analysis state of events (initial,ongoing,completed), default: completed


Add the pulse author as an event tag

--bulk-tag <bulk_tag>

Add a custom tag that will be added to all events (e.g. OTX)


Search MISP for an existing event title and update it, rather than create a new one


Stop import when an exception is raised

To use OTX to MISP in a project:

import otx_misp