Plugin MISP to Pandora SIEM

This plugin retrieves the 500 most frequent IPs from the last 30 days of MISP events and generates a SIEM rule to detect traffic from those IPs.

Introduction

Ver. 06/03/2026

Type: Server Plugin

Compatibility Matrix

Systems where it has been tested

Rocky Linux 9

Systems where it should work

Any Linux System

Prerequisites

For the correct operation of the plugin, Python 3.10 or higher and the PyMISP library must be installed.

The requirements can be installed with the following commands:

On Rocky Linux 8 and 9:

# Install Python and the required compilation dependencies

sudo dnf install -y python3.11 python3.11-devel python3.11-pip gcc libffi-devel openssl-devel

# Install PyMISP and dependencies

sudo pip3.11 install pymisp requests urllib3

On Ubuntu 22.04:

# Install Python and the required compilation dependencies

sudo apt update && sudo apt install -y python3 python3-dev python3-pip libffi-dev libssl-dev build-essential

# Install PyMISP and dependencies

sudo pip3 install pymisp requests urllib3 --break-system-packages

Once all dependencies are installed, proceed with the plugin configuration.

Plugin Configuration

Before running the plugin, you need to locate the script on the server, set execution permissions, and collect connection details for both Pandora FMS and MISP.


1. Script Location and Permissions

Upload the file to the server and run the following command to make it executable:

chmod +x /usr/share/pandora_server/util/plugin/misp_to_pandora.py

2. Pandora FMS API Configuration (ACL)

For the script to inject rules via the API, the IP executing the script must be authorized.

  1. Log in to the Pandora FMS web console as an administrator.

  2. Navigate to: Management → Settings → System Settings → General Setup → Security tab.

  3. Locate the IP list with API access field.

    • Ensure the IP of the server running the script (or 127.0.0.1 if running locally) is included, separated by commas.

    • You can also use * to allow any IP.

  4. Generate a V2 API authorization token following the official documentation.


3. Parameters Collection

The script requires 5 mandatory parameters that must be passed, in this order, during execution:

  1. PANDORA_API_URL: URL of the Pandora FMS V2 API (e.g., http://<console-host>/pandora_console/api/v2).

  2. PANDORA_TOKEN: the V2 API authorization token generated in the previous step.

  3. MISP_URL: URL of the MISP instance.

  4. MISP_KEY: MISP API authentication key.

  5. RULE_ID: numeric ID of the SIEM rule the script will create. Recommended: use a high number to avoid conflicts with native or previously created custom rules.

Once all the required data is collected, you can proceed to run the plugin.

Manual Execution

Once permissions are set and access data collected, it is highly recommended to perform an initial manual execution from the Pandora FMS server terminal. This confirms bidirectional connectivity (with MISP and the Pandora FMS API) and verifies that the SIEM rule is correctly injected.


1. Command Structure

Run the script with python3, passing the 5 parameters in quotes to avoid issues with special characters:

python3 /usr/share/pandora_server/util/plugin/misp_to_pandora.py "<PANDORA_API_URL>" "<PANDORA_TOKEN>" "<MISP_URL>" "<MISP_KEY>" "<RULE_ID>"

Example:

python3 /usr/share/pandora_server/util/plugin/misp_to_pandora.py \
"http://192.168.1.142/pandora_console/api/v2" \
"ff94a1fa-5cc4-4636-..." \
"https://misp.midominio.com" \
"lpY9q5yy72SC..." \
"200200"


2. Verifying Results

If execution is successful, the script will:

  1. Connect to MISP

  2. Download malicious IPs from the last 30 days

  3. Generate the regular expression

  4. Reload the SIEM engine

You can verify success in two ways:

1. Plugin Log

Check the detailed log at:

tail -f /var/log/pandora/misp_api_sync.log

A successful log shows:

[Screenshot of a successful run in misp_api_sync.log; image not reproduced on this page]

2. Pandora FMS Console

  1. Go to Operations → SIEM → Rules

  2. Search for the RULE_ID used (e.g., 200200)

  3. Verify that the rule:

    • Was created with severity 14 (Critical)

    • Contains the full list of IPs for intrusion detection in your logs
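The pipeline the execution steps describe (collect IP attributes from the last 30 days of MISP events, keep the most frequent ones, build one regular expression for the SIEM rule) together with the check from the verification section that the rule actually fires on your logs, as an added Python illustration. This is not the plugin's own code: the page does not show how misp_to_pandora.py queries MISP or formats its rule, so the PyMISP query mentioned in the comments, the attribute-dict shape, the regex boundary syntax and every sample value below are assumptions or constructed data.

```python
import re
import ipaddress
from collections import Counter
from datetime import datetime, timedelta, timezone

TOP_N = 500          # the plugin keeps the 500 most frequent IPs
LOOKBACK_DAYS = 30   # ...from the last 30 days of MISP events
IP_TYPES = ("ip-src", "ip-dst")


def select_top_ips(attributes, now, days=LOOKBACK_DAYS, top_n=TOP_N):
    """Count plain IP attributes newer than the cutoff and return the
    top_n most frequent values, most frequent first.

    `attributes` is an iterable of MISP attribute dicts with "type", "value"
    and epoch-seconds "timestamp" keys, the shape you get after decoding
    PyMISP.search(controller="attributes", type_attribute=list(IP_TYPES), ...)
    (assumption: the page does not show the plugin's actual query)."""
    cutoff = now - timedelta(days=days)
    counts = Counter()
    for attr in attributes:
        if attr.get("type") not in IP_TYPES:
            continue  # domains, hashes, ip|port composites etc. are ignored
        seen = datetime.fromtimestamp(int(attr.get("timestamp", 0)), tz=timezone.utc)
        if seen < cutoff:
            continue  # older than the 30-day window
        value = str(attr.get("value", "")).strip()
        try:
            ip = ipaddress.ip_address(value)  # rejects CIDRs, ranges and junk
        except ValueError:
            continue
        counts[str(ip)] += 1
    return [ip for ip, _ in counts.most_common(top_n)]


def build_ip_regex(ips):
    """Join the IPs into one alternation. Dots are escaped so '.' cannot match
    any character, and the boundary assertions stop 10.0.0.1 from matching
    inside 10.0.0.10 or 110.0.0.1. Whether Pandora's SIEM engine accepts
    lookaround is an assumption; the real rule format is not on the page."""
    if not ips:
        raise ValueError("no IPs to build a rule from")
    alternation = "|".join(re.escape(ip) for ip in ips)
    return r"(?<![\d.])(?:" + alternation + r")(?![\d.])"


def scan_log_lines(pattern, lines):
    """Return (line_index, matched_ip) for every line the rule would fire on."""
    rx = re.compile(pattern)
    hits = []
    for i, line in enumerate(lines):
        m = rx.search(line)
        if m:
            hits.append((i, m.group(0)))
    return hits


# Constructed sample data: a fixed reference "now", MISP-style attributes using
# documentation IP ranges only, and firewall-style log lines.
NOW = datetime(2026, 3, 6, tzinfo=timezone.utc)


def _days_ago(n):
    return str(int((NOW - timedelta(days=n)).timestamp()))


SAMPLE_ATTRIBUTES = (
    [{"type": "ip-dst", "value": "203.0.113.10", "timestamp": _days_ago(5)}] * 3
    + [{"type": "ip-src", "value": "198.51.100.7", "timestamp": _days_ago(10)}] * 2
    + [{"type": "ip-dst", "value": "192.0.2.44", "timestamp": _days_ago(40)}] * 4   # too old
    + [{"type": "ip-src", "value": "192.0.2.99", "timestamp": _days_ago(1)}]        # rarest
    + [{"type": "domain", "value": "bad.example", "timestamp": _days_ago(1)}]       # wrong type
    + [{"type": "ip-src", "value": "203.0.113.0/24", "timestamp": _days_ago(1)}]    # not a host IP
)

SAMPLE_LOG = [
    "Mar 06 02:01:10 fw kernel: DROP SRC=203.0.113.10 DST=10.0.0.5",
    "Mar 06 02:01:11 fw kernel: ACCEPT SRC=10.0.0.8 DST=198.51.100.7",
    "Mar 06 02:01:12 fw kernel: ACCEPT SRC=203.0.113.100 DST=10.0.0.5",  # must NOT fire
    "Mar 06 02:01:13 fw kernel: ACCEPT SRC=10.0.0.9 DST=10.0.0.5",
]

if __name__ == "__main__":
    ips = select_top_ips(SAMPLE_ATTRIBUTES, NOW, top_n=2)
    pattern = build_ip_regex(ips)
    print("top IPs:", ips)
    print("rule regex:", pattern)
    for lineno, ip in scan_log_lines(pattern, SAMPLE_LOG):
        print(f"line {lineno} matched {ip}")
```

Running the block with the constructed data keeps only the two most frequent in-window IPs, drops the stale, malformed and non-IP attributes, and fires on the first two log lines while leaving 203.0.113.100 alone. Running scan_log_lines over a sample of your own firewall or web-server logs before scheduling the cron job is a cheap way to confirm the rule will match the address format your log sources produce.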

Once the rule is confirmed in the SIEM Rules section, you can proceed to configure periodic execution via crontab.

Automation (Crontab)

Since MISP threat intelligence continuously receives new Indicators of Compromise (IoCs), it is essential to automate the script execution. This ensures that Pandora FMS updates its Mega-Regex automatically, keeping the SIEM engine protected against the latest threats without manual intervention.


1. Edit the Crontab File

On the server where the script is located, edit the global crontab file /etc/crontab with administrative privileges using your preferred editor (e.g., vim, nano):

sudo vim /etc/crontab

2. Add the Scheduled Task

Add the following line at the end of the file to run the synchronization daily at 2:00 AM:

0 2 * * * root /usr/bin/python3 /usr/share/pandora_server/util/plugin/misp_to_pandora.py "<PANDORA_API_URL>" "<PANDORA_TOKEN>" "<MISP_URL>" "<MISP_KEY>" "200200" > /dev/null 2>&1

Replace <...> with your actual credentials and URLs, exactly as used in the manual test.


Important Details about the configuration:

Save the changes and exit the editor. Cron automatically detects the update and applies the new scheduled task.