Plugin Configuration

Before running the plugin to export SIEM alerts to MISP, you need to locate the script, set permissions, and configure API credentials for both platforms.

1. Script Location and Permissions

Upload the file to the server and run the following command to make it executable:

chmod +x /usr/share/pandora_server/util/plugin/pandora_to_misp.py


2. Script Parameters

The script works via command-line arguments. It includes an auto-classification engine (Triage) that reads alert content and automatically assigns threat level, MITRE ATT&CK tags, and category. You can override these values using optional parameters.

Mandatory Parameters (supplied by the alert command in section 3 from Pandora FMS macros):

Parameter   Description
-u          MISP URL
-k          MISP API key
-a          Agent name (macro _agent_)
-n          Alert name (macro _alert_name_)
-d          Alert description (macro _data_)

Optional Parameters:

Parameter           Description                                                                   Default Value
-t, --tlp           TLP (Traffic Light Protocol) level. Example: tlp:red, tlp:amber.              tlp:green
-s, --sharing       Event sharing level in MISP (0=Your Org, 1=Community, 2=Connected, 3=All).    0
-l, --threat-level  Force the threat level, ignoring auto-triage (1=High, 2=Medium, 3=Low).       Auto-assigned
-c, --category      Force the IP attribute category in MISP.                                      Auto-assigned
-g, --tags          Add extra tags to the event (comma-separated).                                Auto-assigned

3. Configuring Triggers in Pandora FMS

To enable automatic export, you must configure Command, Action, and Template in Pandora FMS alerts to pass environment variables directly to the script using macros.

Step 1: Create the Alert Command
  1. Navigate to: Management → Alerts → Commands
  2. Click Create +.
  3. Fill the Command form with:
/usr/bin/python3 /usr/share/pandora_server/util/plugin/pandora_to_misp.py -u "_field1_" -k "_field2_" -a "_field3_" -n "_field4_" -d "_field5_" _field6_

Note: Each macro must be enclosed in double quotes so that values containing spaces (for example the alert description) are passed as a single argument. The exception is _field6_, which is left unquoted because, when used, it carries all the optional parameters and the shell must split them into separate arguments.

Field Description      Field Value
MISP URL               (your MISP instance URL)
MISP API Key           (your MISP API key)
Agent Name             _agent_
Alert Name             _alert_name_
Alert Description      _data_
Optional Parameters    (optional flags, see section 2; may be left empty)

Example: [screenshot of the completed Command form]

Step 2: Create the Alert Action
  1. Navigate to: Management → Alerts → Actions
  2. Click Create +
  3. Fill the Action form with:

Example: [screenshots of the completed Action form]

Step 3: Create the Alert Template
  1. Navigate to: Management → Alerts → Templates
  2. Click Create +
  3. Fill the Template form with:

Example of all optional parameters for field6:

-t "tlp:red" -s 1 -l 1 -c "Network activity" -g "SOC-Team, Critical-Alert"

  1. -t "tlp:red": labels the event with TLP Red.
  2. -s 1: shares the event with the MISP Community.
  3. -l 1: forces the threat level to High.
  4. -c "Network activity": classifies the extracted IP attribute in this MISP category.
  5. -g "SOC-Team, Critical-Alert": adds these custom tags.

Recommended: Create multiple templates with different optional parameters for different alert types.

Finalize the wizard, save changes, and ensure the template is enabled.

Example: [screenshots of the completed Template form]
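To make the quoting rule from step 1 and the field6 overrides from step 3 concrete, here is an added Python example (not the plugin's code and not part of this page) that renders the alert command with constructed sample values, splits it as a POSIX shell would, and parses the documented flags. It assumes only the short forms of the mandatory flags (their long names are not documented here) and assumes that -s and -l map onto MISP's distribution and threat_level_id fields.

```python
import argparse
import shlex

# Command template from step 1 of this page, with Pandora's _fieldN_ macros.
TEMPLATE = ('/usr/bin/python3 /usr/share/pandora_server/util/plugin/pandora_to_misp.py '
            '-u "_field1_" -k "_field2_" -a "_field3_" -n "_field4_" -d "_field5_" _field6_')

def render_command(fields, quote_field6=False):
    """Substitute _field1_.._field6_ by plain text replacement, as the alert command does.
    quote_field6=True reproduces the mistake the note in step 1 warns about."""
    cmd = TEMPLATE.replace("_field6_", '"_field6_"') if quote_field6 else TEMPLATE
    for i, value in enumerate(fields, start=1):
        cmd = cmd.replace(f"_field{i}_", value)
    return cmd

def build_parser():
    # Flags and defaults follow the tables on this page; the long names of the
    # mandatory flags are not documented here (assumption), so only short forms are used.
    p = argparse.ArgumentParser(prog="pandora_to_misp.py")
    for flag, desc in (("-u", "MISP URL"), ("-k", "MISP API key"), ("-a", "agent name"),
                       ("-n", "alert name"), ("-d", "alert description")):
        p.add_argument(flag, required=True, help=desc)
    p.add_argument("-t", "--tlp", default="tlp:green")
    p.add_argument("-s", "--sharing", type=int, choices=range(4), default=0)
    p.add_argument("-l", "--threat-level", type=int, choices=(1, 2, 3), default=None)
    p.add_argument("-c", "--category", default=None)
    p.add_argument("-g", "--tags", default="")
    return p

def parse_command(cmdline):
    """Split the rendered command like a POSIX shell, drop the interpreter and script
    path, and map the flags onto the MISP event fields they control (assumed mapping).
    Returns (event_dict, leftover_tokens); leftovers or untouched defaults mean the
    optional parameters were mis-quoted and silently did not take effect."""
    tokens = shlex.split(cmdline)[2:]
    ns, leftover = build_parser().parse_known_args(tokens)
    extra_tags = [t.strip() for t in ns.tags.split(",") if t.strip()]
    event = {
        "info": f"{ns.n} on {ns.a}",
        "distribution": ns.sharing,          # MISP distribution 0..3, as in the -s row
        "threat_level_id": ns.threat_level,  # None: left to the auto-triage engine
        "tags": [ns.tlp] + extra_tags,
        "ip_category": ns.category,          # None: left to the auto-triage engine
    }
    return event, leftover

if __name__ == "__main__":
    # Constructed sample values standing in for what Pandora FMS would substitute.
    fields = ["https://misp.example.org", "API_KEY_PLACEHOLDER", "web-01", "SSH brute force",
              "12 failed logins from 203.0.113.7",
              '-t "tlp:red" -s 1 -l 1 -c "Network activity" -g "SOC-Team, Critical-Alert"']
    print(parse_command(render_command(fields)))
```

Running it with field6 quoted (quote_field6=True) shows the failure mode: the whole override string arrives as one token, so the event keeps the default sharing level and TLP instead of the intended ones.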


Revision #5
Created 6 March 2026 12:42:04 by Sergio Berruetta
Updated 6 March 2026 13:29:24 by Sergio Berruetta