<p>MISP modules support is included in MISP starting from version <code>2.4.28</code>.</p>
<p>For more information: <ahref="https://www.circl.lu/assets/files/misp-training/switch2016/2-misp-modules.pdf">Extending MISP with Python modules</a> slides from MISP training.</p>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/backscatter_io.py">Backscatter.io</a> - a hover and expansion module to expand an IP address with mass-scanning observations.</li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/bgpranking.py">BGP Ranking</a> - a hover and expansion module to expand an AS number with the ASN description, its history, and position in BGP Ranking.</li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/btc_scam_check.py">BTC scam check</a> - An expansion hover module to instantly check if a BTC address has been abused.</li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/btc_steroids.py">BTC transactions</a> - An expansion hover module to get a blockchain balance and the transactions from a BTC address in MISP.</li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/circl_passivedns.py">CIRCL Passive DNS</a> - a hover and expansion module to expand hostname and IP addresses with passive DNS information.</li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/circl_passivessl.py">CIRCL Passive SSL</a> - a hover and expansion module to expand IP addresses with the X.509 certificate seen.</li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/countrycode.py">countrycode</a> - a hover module to tell you what country a URL belongs to.</li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/crowdstrike_falcon.py">CrowdStrike Falcon</a> - an expansion module to expand using CrowdStrike Falcon Intel Indicator API.</li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/cve.py">CVE</a> - a hover module to give more information about a vulnerability (CVE).</li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/cve_advanced.py">CVE advanced</a> - An expansion module to query the CIRCL CVE search API for more information about a vulnerability (CVE).</li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/cuckoo_submit.py">Cuckoo submit</a> - A hover module to submit malware sample, url, attachment, domain to Cuckoo Sandbox.</li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/dbl_spamhaus.py">DBL Spamhaus</a> - a hover module to check Spamhaus DBL for a domain name.</li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/dns.py">DNS</a> - a simple module to resolve MISP attributes like hostname and domain to expand IP addresses attributes.</li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/docx-enrich.py">docx-enrich</a> - an enrichment module to get text out of Word document into MISP (using free-text parser).</li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/domaintools.py">DomainTools</a> - a hover and expansion module to get information from <ahref="http://www.domaintools.com/">DomainTools</a> whois.</li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/eupi.py">EUPI</a> - a hover and expansion module to get information about an URL from the <ahref="https://phishing-initiative.eu/?lang=en">Phishing Initiative project</a>.</li>
<li><ahref="misp_modules/modules/expansion/eql.py">EQL</a> - an expansion module to generate event query language (EQL) from an attribute. <ahref="https://eql.readthedocs.io/en/latest/">Event Query Language</a></li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/farsight_passivedns.py">Farsight DNSDB Passive DNS</a> - a hover and expansion module to expand hostname and IP addresses with passive DNS information.</li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/geoip_country.py">GeoIP</a> - a hover and expansion module to get GeoIP information from geolite/maxmind.</li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/greynoise.py">Greynoise</a> - a hover to get information from greynoise.</li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/hashdd.py">hashdd</a> - a hover module to check file hashes against <ahref="http://www.hashdd.com">hashdd.com</a> including NSLR dataset.</li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/hibp.py">hibp</a> - a hover module to lookup against Have I Been Pwned?</li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/intel471.py">intel471</a> - an expansion module to get info from <ahref="https://intel471.com">Intel471</a>.</li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/ipasn.py">IPASN</a> - a hover and expansion to get the BGP ASN of an IP address.</li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/iprep.py">iprep</a> - an expansion module to get IP reputation from packetmail.net.</li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/joesandbox_submit.py">Joe Sandbox submit</a> - Submit files and URLs to Joe Sandbox.</li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/joesandbox_query.py">Joe Sandbox query</a> - Query Joe Sandbox with the link of an analysis and get the parsed data.</li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/macaddress_io.py">macaddress.io</a> - a hover module to retrieve vendor details and other information regarding a given MAC address or an OUI from <ahref="https://macaddress.io">MAC address Vendor Lookup</a>. See <ahref="https://macaddress.io/integrations/MISP-module">integration tutorial here</a>.</li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/macvendors.py">macvendors</a> - a hover module to retrieve mac vendor information.</li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/ocr-enrich.py">ocr-enrich</a> - an enrichment module to get OCRized data from images into MISP.</li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/ods-enrich.py">ods-enrich</a> - an enrichment module to get text out of OpenOffice spreadsheet document into MISP (using free-text parser).</li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/odt-enrich.py">odt-enrich</a> - an enrichment module to get text out of OpenOffice document into MISP (using free-text parser).</li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/onyphe.py">onyphe</a> - a modules to process queries on Onyphe.</li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/onyphe_full.py">onyphe_full</a> - a modules to process full queries on Onyphe.</li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/otx.py">OTX</a> - an expansion module for <ahref="https://otx.alienvault.com/">OTX</a>.</li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/passivetotal.py">passivetotal</a> - a <ahref="https://www.passivetotal.org/">passivetotal</a> module that queries a number of different PassiveTotal datasets.</li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/pdf-enrich.py">pdf-enrich</a> - an enrichment module to extract text from PDF into MISP (using free-text parser).</li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/pptx-enrich.py">pptx-enrich</a> - an enrichment module to get text out of PowerPoint document into MISP (using free-text parser).</li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/qrcode.py">qrcode</a> - a module decode QR code, barcode and similar codes from an image and enrich with the decoded values.</li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/rbl.py">rbl</a> - a module to get RBL (Real-Time Blackhost List) values from an attribute.</li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/reversedns.py">reversedns</a> - Simple Reverse DNS expansion service to resolve reverse DNS from MISP attributes.</li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/securitytrails.py">securitytrails</a> - an expansion module for <ahref="https://securitytrails.com/">securitytrails</a>.</li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/shodan.py">shodan</a> - a minimal <ahref="https://www.shodan.io/">shodan</a> expansion module.</li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/sigma_queries.py">Sigma queries</a> - Experimental expansion module querying a sigma rule to convert it into all the available SIEM signatures.</li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/sourcecache.py">sourcecache</a> - a module to cache a specific link from a MISP instance.</li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/stix2_pattern_syntax_validator.py">STIX2 pattern syntax validator</a> - a module to check a STIX2 pattern syntax.</li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/threatcrowd.py">ThreatCrowd</a> - an expansion module for <ahref="https://www.threatcrowd.org/">ThreatCrowd</a>.</li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/threatminer.py">threatminer</a> - an expansion module to expand from <ahref="https://www.threatminer.org/">ThreatMiner</a>.</li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/urlhaus.py">urlhaus</a> - Query urlhaus to get additional data about a domain, hash, hostname, ip or url.</li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/urlscan.py">urlscan</a> - an expansion module to query <ahref="https://urlscan.io">urlscan.io</a>.</li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/virustotal.py">virustotal</a> - an expansion module to query the <ahref="https://www.virustotal.com/gui/home">VirusTotal</a> API with a high request rate limit required. (More details about the API: <ahref="https://developers.virustotal.com/reference">here</a>)</li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/virustotal_public.py">virustotal_public</a> - an expansion module to query the <ahref="https://www.virustotal.com/gui/home">VirusTotal</a> API with a public key and a low request rate limit. (More details about the API: <ahref="https://developers.virustotal.com/reference">here</a>)</li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/vmray_submit.py">VMray</a> - a module to submit a sample to VMray.</li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/vulndb.py">VulnDB</a> - a module to query <ahref="https://www.riskbasedsecurity.com/">VulnDB</a>.</li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/vulners.py">Vulners</a> - an expansion module to expand information about CVEs using Vulners API.</li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/whois.py">whois</a> - a module to query a local instance of <ahref="https://github.com/rafiot/uwhoisd">uwhois</a>.</li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/wiki.py">wikidata</a> - a <ahref="https://www.wikidata.org">wikidata</a> expansion module.</li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/xforceexchange.py">xforce</a> - an IBM X-Force Exchange expansion module.</li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/xlsx-enrich.py">xlsx-enrich</a> - an enrichment module to get text out of an Excel document into MISP (using free-text parser).</li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/yara_query.py">YARA query</a> - a module to create YARA rules from single hash attributes.</li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/export_mod/cef_export.py">CEF</a> module to export Common Event Format (CEF).</li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/export_mod/cisco_firesight_manager_ACL_rule_export.py">Cisco FireSight Manager ACL rule</a> module to export as rule for the Cisco FireSight manager ACL.</li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/export_mod/goamlexport.py">GoAML export</a> module to export in <ahref="http://goaml.unodc.org/goaml/en/index.html">GoAML format</a>.</li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/export_mod/liteexport.py">Lite Export</a> module to export a lite event.</li>
<li><ahref="misp_modules/modules/export_mod/mass_eql_export.py">Mass EQL Export</a> module to export applicable attributes from an event to a mass EQL query.</li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/export_mod/pdfexport.py">PDF export</a> module to export an event in PDF.</li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/export_mod/nexthinkexport.py">Nexthink query format</a> module to export in Nexthink query format.</li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/export_mod/osqueryexport.py">osquery</a> module to export in <ahref="https://osquery.io/">osquery</a> query format.</li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/export_mod/threat_connect_export.py">ThreatConnect</a> module to export in ThreatConnect CSV format.</li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/export_mod/threatStream_misp_export.py">ThreatStream</a> module to export in ThreatStream format.</li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/import_mod/email_import.py">Email Import</a> Email import module for MISP to import basic metadata.</li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/import_mod/goamlimport.py">GoAML import</a> Module to import <ahref="http://goaml.unodc.org/goaml/en/index.html">GoAML</a> XML format.</li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/import_mod/joe_import.py">Joe Sandbox import</a> Parse data from a Joe Sandbox json report.</li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/import_mod/ocr.py">OCR</a> Optical Character Recognition (OCR) module for MISP to import attributes from images, scan or faxes.</li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/import_mod/openiocimport.py">OpenIOC</a> OpenIOC import based on PyMISP library.</li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/import_mod/threatanalyzer_import.py">ThreatAnalyzer</a> - An import module to process ThreatAnalyzer archive.zip/analysis.json sandbox exports.</li>
<li><ahref="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/import_mod/vmray_import.py">VMRay</a> - An import module to process VMRay export.</li>
<h2id="how-to-contribute-your-own-module">How to contribute your own module?<aclass="headerlink"href="#how-to-contribute-your-own-module"title="Permanent link">¶</a></h2>
<p>Fork the project, add your module, test it and make a pull-request. Modules can be also private as you can add a module in your own MISP installation.
For further information please see <ahref="contribute/">Contribute</a>.</p>
<scriptid="__config"type="application/json">{"base":".","features":[],"translations":{"clipboard.copy":"Copy to clipboard","clipboard.copied":"Copied to clipboard","search.config.lang":"en","search.config.pipeline":"trimmer, stopWordFilter","search.config.separator":"[\\s\\-]+","search.placeholder":"Search","search.result.placeholder":"Type to start searching","search.result.none":"No matching documents","search.result.one":"1 matching document","search.result.other":"# matching documents","search.result.more.one":"1 more on this page","search.result.more.other":"# more on this page","search.result.term.missing":"Missing","select.version.title":"Select version"},"search":"assets/javascripts/workers/search.8397ff9e.min.js","version":null}</script>
