# Manual Execution

Once permissions are set and access data collected, it is highly recommended to perform an initial **manual execution** from the Pandora FMS server terminal. This confirms **bidirectional connectivity** (with MISP and the Pandora FMS API) and verifies that the SIEM rule is correctly injected.

---

#### 1. Command Structure

Run the script with `python3`, passing the **5 parameters in quotes** to avoid issues with special characters:

```bash
python3 /usr/share/pandora_server/util/plugin/misp_to_pandora.py "<PANDORA_API_URL>" "<PANDORA_TOKEN>" "<MISP_URL>" "<MISP_KEY>" "<RULE_ID>"
```

**Example:**

```bash
python3 /usr/share/pandora_server/util/plugin/misp_to_pandora.py \
"http://192.168.1.142/pandora_console/api/v2" \
"ff94a1fa-5cc4-4636-..." \
"https://misp.midominio.com" \
"lpY9q5yy72SC..." \
"200200"
```

---

#### 2. Verifying Results

If execution is successful, the script will:

1. Connect to **MISP**
2. Download malicious IPs from the last **30 days**
3. Generate the **regular expression**
4. Reload the **SIEM engine**

You can verify success in **two ways**:

##### 1. Plugin Log

Check the detailed log at:

```bash
tail -f /var/log/pandora/misp_api_sync.log
```

A successful log shows:

- Number of attackers found
- Rule creation or update
- Final message: `Hot-Reload SUCCESSFUL.`

[![image.png](https://pandorafms.com/guides/public/uploads/images/gallery/2026-03/scaled-1680-/OxDimage.png)](https://pandorafms.com/guides/public/uploads/images/gallery/2026-03/OxDimage.png)

##### 2. Pandora FMS Console

1. Go to **Operations **→** SIEM → Rules**
2. Search for the **RULE\_ID** used (e.g., `200200`)
3. Verify that the rule:
    
    
    - Was created with **severity 14 (Critical)**
    - Contains the full list of IPs for intrusion detection in your logs

Once the rule is confirmed in the **SIEM Rules** section, you can proceed to configure **periodic execution via crontab**.