Important Disclaimer: This integration sends data from the Axur Platform to an external platform (MISP), which may be hosted on third-party infrastructure.
It is your responsibility to:
Verify that sending data to external platforms complies with your organization’s policies, regulations, and data protection requirements
Ensure that the MISP instance and any downstream services meet your security and compliance standards
Review data handling, storage, and processing practices of all external platforms used in your workflows - Obtain necessary approvals and authorizations before implementing this integration
Axur is not responsible for data handling, security, or compliance practices of external platforms. Use this integration at your own risk and ensure it aligns with your legal and regulatory obligations.
Axur Platform continuously monitors and detects threats to your digital assets. With Pull Feeds, you can automatically import these detections as IOCs (Indicators of Compromise) into MISP, enabling you to leverage Axur’s threat intelligence within your security operations.
By connecting Axur detections to MISP, you can maximize the value of Axur’s intelligence by integrating it with your existing threat intelligence workflows and security tools.
1) Create the Axur Platform Feed
Create an API Key and an IOC Feed with Pull delivery mode directly on the Axur Platform. Keep both values at hand for later steps.
Generate an API Key
In the Axur Platform, go to API Keys configuration.
Create a new API key and copy the API Key value securely.
Note: The feed only returns data that the API key user has permission to access.
Screenshots:
Create the IOC Feed with Pull delivery mode
In the Axur Platform, go to API & Integrations → Feeds.
Click Add Feed to create a new feed.
You’ll see a list of feed templates. For IOC feeds, you can select “All IOC detections” or skip the templates to configure manually.
Selecting feed template in Axur Platform
Choose the delivery mode. Select Pull Feeds (you request data by calling the feed URL). This is perfect for scheduled integrations like MISP.
Selecting Pull delivery mode
Configure the feed settings:
Feed Type: Ensure it’s set to IOC (Indicators of Compromise)
Parameters (optional): You can add filters here, for example: type=file&confidence=high to filter by IOC type and confidence level
Feed title (optional): Give it a descriptive name (e.g., “Example to integrate MISP only the IOCs of type file and high confidence”)
Start date: Set the date range if you want to import historical IOCs
Configure any other filters you need (type, confidence, date range, etc.)
Configuring IOC feed parameters
After saving, the feed will generate a Feed URL. This URL is what MISP will use to fetch IOCs.
Important: Configure CSV format for MISP
To get the CSV format that MISP requires, you need to append the
format=csvquery parameter to the feed URL. The complete URL should look like:https://your-axur-instance.com/api/feeds/your-feed-id?format=csvYou can see the URL with the
format=csvparameter already added in the feed details page. Copy this complete URL (including theformat=csvparameter) - you’ll need it when configuring MISP in the next step.
Feed URL with CSV format parameter
From this point onward (Step 2+), all configuration is performed in MISP.
Step 2: Configure MISP Feed
Now configure MISP to fetch IOCs from the Axur Pull Feed.
In MISP, navigate to Feeds (usually under “Sync Actions” or “Feeds” in the navigation menu)
Click Add Feed or New Feed
Configure the feed with the following settings:
Name: Give it a descriptive name (e.g., “Axur IOC Integration”)
Provider: Enter “Axur” or your preferred provider name
Input Source: Select Network
URL: Paste the complete Axur Feed URL (including format=csv parameter) from the previous step
Source Format: Select Simple CSV Parsed Feed
Value field(s) in the CSV: Set this to 3 (the third column in the CSV contains the IOC value)
Delimiter: Set to ,
Any headers to be passed with requests: Add the Authorization header:
Authorization: Bearer YOUR_AXUR_API_KEYReplace
YOUR_AXUR_API_KEYwith your actual Axur API Key.
Important: The header value must include the word “Bearer” followed by a space, then your API key. For example: Bearer axur_api_key_12345
i. Enabled: Check this box to enable the feed
j. Configure any other settings as needed (Creator organisation, Target Event, etc.)
Configuring MISP feed with all settings
After configuring all settings and enabling the feed, MISP will now periodically fetch IOCs from the Axur feed.
Part 2: Configuring Feed Scheduling
By default, MISP fetches feeds once per day. For more timely IOC updates from Axur, you can configure a more frequent schedule.
Step 3: Configure Scheduled Tasks for Faster Updates
To accelerate IOC import and get more frequent updates from Axur:
In MISP, navigate to Scheduled Tasks (usually under “Administration” or “Server Settings”)
Click Add scheduled task to create a new scheduled task
Configure the task as follows:
Type: Select Feed
Action: Select Fetch
Feed: Select your Axur feed (e.g., “Axur IOC Integration”)
User: Select the user account that will run the task
Runs every: Set the frequency (e.g., 10 minute(s))
Enabled: Check this box to enable the scheduled task
Leave Next Execution Date and Next Execution Time blank for immediate execution, or set them for a specific time
Configuring scheduled task for feed fetching
This ensures that new IOCs from Axur are imported into MISP more quickly (every 10 minutes in this example), rather than waiting for the default daily fetch.
Understanding Feed Pagination and Import Behavior
How Axur Feed Pagination Works
The Axur Feed provides up to 5,000 IOCs per fetch. Importantly, the feed automatically handles pagination:
First Fetch: Returns the first 5,000 IOCs
Second Fetch: Returns the next 5,000 IOCs (starting from where the previous fetch ended)
Subsequent Fetches: Continue paginating through all available IOCs
The feed does not return the same IOCs on each fetch. Instead, it automatically advances through your IOC collection, ensuring that over time, all IOCs are eventually imported into MISP.
Feed Configuration Options
When configuring the feed in Axur Platform, you can set:
Type: Filter IOCs by type (e.g., domain, IP, URL)
Confidence: Filter by confidence level
Date Range: Select IOCs from a specific date range
Impact of Date Range Selection
If you configure the feed with a date range that goes far into the past, the feed will provide thousands of IOCs for import. However, because the feed only delivers 5,000 IOCs per fetch:
With Default Schedule (once per day): If you have 50,000 IOCs to import, it will take 10 days to import everything (5,000 per day)
With Faster Schedule (every 10 minutes): The import process accelerates significantly, importing 5,000 IOCs every 10 minutes instead of once per day
Recommendation: If you’re importing a large historical dataset, configure a more frequent schedule (as described in Part 2) to accelerate the import process. Once the historical import is complete, you can adjust the schedule to a more reasonable frequency for ongoing updates.
Testing and Verification
Verify Feed Connection
In MISP, go to your feed configuration
Use the Test Connection or Preview Feed feature to verify that MISP can successfully connect to the Axur feed
Check that IOCs are visible in the preview
Verify IOC Import
After the feed runs (either manually triggered or via scheduled task), check your MISP events
Verify that IOCs from Axur are appearing in MISP
Remember: The number of IOCs in MISP may be less than the number returned by the API due to filtering (as explained in the “Understanding IOC Import Behavior” section)
Monitor Feed Status
Check the feed status in MISP to see when the last fetch occurred
Review any error messages if the feed fails to fetch
Verify that the Authorization header is correctly configured if you encounter authentication errors
Important: Understanding IOC Import Behavior
Before configuring the integration, it’s crucial to understand that not all IOCs returned by the Axur Feed API will necessarily appear in MISP after import. This is expected behavior and not a configuration issue.
Why Some IOCs May Not Appear in MISP
When you query the Axur Feed API, you may see a certain number of IOCs (e.g., 5,000). However, after MISP fetches and imports the feed, you might see fewer IOCs (e.g., 4,800) in your MISP instance. This difference occurs because MISP applies its own validation and filtering rules during the import process.
MISP performs several types of filtering and validation based on its own criteria and configuration:
Duplicate Detection: MISP automatically detects and filters duplicate IOCs.
Format Validation: MISP validates IOC formats according to its own rules and standards. IOCs that don’t conform to MISP’s expected format specifications may be rejected during import.
Value Validation: MISP applies validation rules. IOCs that don’t meet MISP’s validation criteria for their respective types will be filtered out.
Warning Lists: If warning lists are configured in your MISP instance, IOCs matching those lists may be automatically filtered out.
Other MISP Filters: Depending on your MISP configuration, additional filters may be applied (e.g., organization-specific rules, tag-based filtering, etc.).
How to Verify This Behavior
You can validate this behavior by:
Remote Feed Query: When you query the feed remotely via MISP’s feed preview, MISP will show IOCs from the API that pass its initial validation checks.
Feed Fetch and Import: When MISP performs a fetch and downloads IOCs for import, it applies all validation and filtering rules according to its configuration, which may exclude some IOCs based on the criteria above.
Why this matters: If you see that your Axur Feed API returns N IOCs but MISP only imports a smaller number, this is expected behavior. The difference represents IOCs that MISP filtered out based on its own validation rules, duplicate detection, warning lists, or other configured filters. This is a normal part of MISP’s data quality and deduplication process, ensuring that only validated and relevant IOCs are imported into your threat intelligence platform according to MISP’s standards.
Troubleshooting
Feed Not Fetching
Check URL: Verify the feed URL includes the format=csv parameter
Check Authentication: Ensure the Authorization header is correctly formatted: Bearer YOUR_API_KEY
Check Network: Verify that MISP can reach the Axur Platform URL
Check API Key: Verify your Axur API Key is valid and has the necessary permissions
IOCs Not Appearing
Review Filtering: Remember that MISP filters duplicates, invalid formats, and IOCs that don’t pass validation
Check Feed Status: Verify the feed is enabled and has successfully fetched
Check Date Range: If you set a date range, ensure it includes the IOCs you expect
Review MISP Logs: Check MISP logs for any import errors or warnings
Import Taking Too Long
Check Schedule: If importing historical data, consider increasing the fetch frequency (e.g., every 10 minutes instead of daily)
Check Volume: Large historical imports will take time due to the 5,000 IOC per fetch limit
Monitor Progress: Check feed status to see how many fetches have completed
Appendix: Tips and best practices
Security: Always protect your API keys. Store them securely and rotate them periodically.
Feed Filtering: Configure appropriate filters in the Axur feed to import only the IOCs relevant to your use case (e.g., specific types, confidence levels, date ranges).
Schedule Optimization: Balance fetch frequency with system resources. More frequent fetches provide faster updates but consume more resources.
Monitoring: Regularly monitor feed status and import success rates to ensure the integration is working correctly.
Validation: Understand that MISP’s validation and filtering is normal behavior. Not all IOCs from the API will appear in MISP.
Historical Imports: For large historical imports, use a more frequent schedule initially, then adjust to a maintenance frequency once caught up.
If you have any questions, feel free to reach out at [email protected] 😊