API of the month: MISP

MISP is a very well known tool in the infosec community that enables individuals and teams to work and share indicators and other case relevant information.

The MISP API comes for free with every MISP installation of the free and open source software, so if you want to try it out, go for it. There are various install guides for MISP.

Once your MISP instance is up and running, you can head over to the MISP API documentation.


Among all endpoints I did use the Search endpoint the most. This endpoint can be used to search all your MISP data. You can either just pass a string and search everything, or you filter by dedicates types. The query can be as complicated as you want it to be. Be careful with just value searches, depending on your data size, the requests might take a while to complete.

Get events

Another very useful thing after your searched is then pull the events that matched your search. This can be helpful to provide more context to analysts who started the search.


When writing about the MISP API, it is important to mention pyMISP, the Python library to access the MISP REST API. It is maintained by the same people behind MISP, so it is kind of a reference implementation of the API and is very easy to use.

Target audience

The target audience for the MISP API is researchers, students, DFIR professionals and everyone who has a need to store and query structured data around events.


Want to find more Security APIs? Go and visit my repository: https://github.com/jaegeral/security-apis

Security API collection

While working on different stuff I was searching for a collection of APIs that are related of useful for security researchers, incident response people or threat intel.

Unable to find a good list of REST APIs decided to start it. The collection is hosted on a Security API list, and pull requests or issues mentioning missing APIs are highly welcome.

Why did I produce such a list? More and more people want to automate their workflows, Security Orchestration is the new Buzzword after last years Threat Intelligence, but basically containing the same, they both have in common to facilitate already available data, with Orchestration not storing that much data but enriching dots collected.

However the challenge is, what to integrate, everyone has their „go to“ tools they use on a daily base risking to miss some golden nuggets that are handy.

The list is divided (at the moment) in tools that are mostly on prem., online tools, SIEMs and various. With an increasing number of APIs that ordering might change of course.

So I really hope the list is useful and people can use it and that it can grow.

MISP Issues with certificates

Recently I came a across some MISP issues with Certificates with remote servers. Even it is okay with Test connection, if you try to push or pull events it will not do anything. Also logs will not tell you anything. If you run tcpdump to debug and watch in Wireshark you will see something like the screen shot.

Before adding it to the documentation of MISP, here is a brain dump what I did:

Server 1 – running MISP
Server 2 – running MISP

Server 1 wants to push events to Server 2

Server 2 has a TLS / SSL certificate signed by an internal CA. Because cakephp is not respecting the OS CA store. This needs to be done manually.

Looking up the certificate with full chain in Firefox will not reveal the FULL cert patch because it is not showing the ROOT CA.

What you need to do is create a new text file and add all public certificates to that file and save it as a .pem file (including the sign of the Root CA)
This pem file then needs to be added as certificate to the MISP Server config.

Within gitter we had a discussion why it is not okay to simply mark the „self signed“ box. It appears that certificates that are signed by a CA (and not signed locally) have several indications for such signatures:

#2: ObjectId: Criticality=true


ObjectId: Criticality=false
KeyUsage [


keytool -printcert -file certificate.pem


openssl s_client -showcerts -connect server2:443