User Guide
Real-time Scenario Integration
You can configure real-time detection of threat indicators received from MISP by selecting a rule such as "IP address is in a specific reputation DB" or "IP address is in a reputation DB", as shown below:
Batch Scenario Integration
To return only the firewall log records from the past 10 minutes whose source IP (src_ip) or destination IP (dst_ip) matches an IP threat indicator from MISP, using the `local` MISP profile, use the following query:
Note
Feed names follow the format: `misp_<type>_<profile name>`.
For example, the domain feed name for the `local` connection profile is `misp_domain_local`.
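The batch match and the feed naming rule described above, sketched in Python as an added example; it is not the product's query language or code from this guide. The `ip` type token (giving `misp_ip_local`), the record field `time`, the function names, and all sample data are assumptions constructed for illustration.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

def feed_name(ioc_type: str, profile: str) -> str:
    """Build a feed name in the guide's misp_<type>_<profile name> format."""
    if not ioc_type or not profile:
        raise ValueError("type and profile name are both required")
    return f"misp_{ioc_type}_{profile}"

def _norm(value):
    """Canonical IP string, or None when the field is empty or malformed."""
    try:
        return str(ipaddress.ip_address(str(value).strip()))
    except ValueError:
        return None

def match_recent(records, feeds, profile, now, window=timedelta(minutes=10)):
    """Return records inside the window whose src_ip or dst_ip is in the feed."""
    name = feed_name("ip", profile)  # "ip" as the type token is an assumption
    indicators = {ip for ip in map(_norm, feeds[name]) if ip}
    hits = []
    for rec in records:
        if not (now - window <= rec["time"] <= now):
            continue  # older than the 10-minute window (or in the future)
        matched = [f for f in ("src_ip", "dst_ip")
                   if _norm(rec.get(f)) in indicators]
        if matched:
            hits.append({**rec, "matched_fields": matched})
    return hits

# Constructed sample data (documentation address ranges, not real indicators).
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
FEEDS = {"misp_ip_local": ["203.0.113.7", "198.51.100.23 "]}
LOGS = [
    {"time": NOW - timedelta(minutes=2), "src_ip": "10.0.0.5", "dst_ip": "203.0.113.7"},
    {"time": NOW - timedelta(minutes=3), "src_ip": "198.51.100.23", "dst_ip": "10.0.0.9"},
    {"time": NOW - timedelta(minutes=5), "src_ip": "10.0.0.5", "dst_ip": "192.0.2.10"},
    {"time": NOW - timedelta(minutes=30), "src_ip": "203.0.113.7", "dst_ip": "10.0.0.5"},
    {"time": NOW - timedelta(minutes=1), "src_ip": "not-an-ip", "dst_ip": None},
]

if __name__ == "__main__":
    for hit in match_recent(LOGS, FEEDS, "local", NOW):
        print(hit["time"].isoformat(), hit["src_ip"], hit["dst_ip"], hit["matched_fields"])
```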
Checking MISP Feed Data
To view MISP feed data synchronized on the analysis server, run:
To check feed data synchronized to each cluster node from the MISP platform, use:
