
MISP n8n INTEGRATION: AUTOMATE MISP WITH N8N
Looking to automate your threat intelligence workflows with MISP and n8n? The MISP n8n integration opens up powerful possibilities for security teams who want to streamline their malware information sharing processes without writing complex scripts.
This integration gives you access to 44 actions covering the full spectrum of MISP resources—from events and attributes to organisations, tags, feeds, and galaxies. Whether you need to automatically create threat events, manage user permissions, search through indicators of compromise, or synchronize data with other security tools, our n8n automation agency can help you implement it through a visual, no-code interface.
In this comprehensive guide, you'll discover exactly how to connect MISP to n8n, explore every available action in detail, and learn practical automation scenarios that can transform your security operations.
Why automate MISP with n8n?
MISP (Malware Information Sharing Platform) is a cornerstone tool for security teams worldwide, but manual threat intelligence management can quickly become overwhelming. The n8n MISP integration provides 44 distinct actions spanning 10 different resource types: Attributes, Events, Event Tags, Feeds, Galaxies, Noticelists, Objects, Organisations, Tags, Users, and Warninglists.
Significant time savings: No more logging into MISP to manually create events, add attributes, or update tags. Set up intelligent workflows that automatically ingest threat data from multiple sources, create properly formatted MISP events, and distribute intelligence to relevant parties—all without human intervention. What used to take analysts 30 minutes can happen in seconds.
Improved responsiveness: In threat intelligence, timing is everything. With n8n automation, you can instantly create MISP events when your SIEM detects anomalies, automatically add indicators to existing events when new IOCs are discovered, or immediately publish critical threat data to partner organisations. Your security posture stays current without manual bottlenecks.
Zero oversight on critical processes: Configure automated workflows that run 24/7—searching for new attributes matching specific criteria, enabling or disabling feeds based on conditions, or synchronizing user permissions across your security infrastructure. Every important action is captured and executed consistently.
Seamless integration with your security stack: Connect MISP to more than 400 applications available in n8n. Automatically pull threat feeds from external APIs into MISP, push alerts to Discord or Slack when high-severity events are published, sync IOCs with your firewall or EDR solution, or create tickets in Jira when investigation is required.
How to connect MISP to n8n?
Add the node
Connecting MISP to n8n requires API authentication using your MISP instance credentials. Here's how to establish the connection:
1. Generate your MISP API key: Log into your MISP instance, navigate to your user profile, and locate the "Auth Keys" section. Generate a new authentication key with appropriate permissions for your automation needs.
2. Access n8n credentials: In your n8n workflow editor, click on "Credentials" in the left sidebar, then select "Add Credential" and search for "MISP".
3. Configure the MISP credential: Enter your MISP instance URL (e.g., https://your-misp-instance.com) and paste your API key into the designated field.
4. Test the connection: n8n will validate your credentials against the MISP server. Ensure your MISP instance is accessible from your n8n environment and that any firewalls allow the connection.
5. Save and use: Once validated, your MISP credential is ready to use across all MISP actions in your workflows.
💡 TIP: Create dedicated API keys for n8n automation rather than using your personal admin key. This allows you to set specific permission levels for automated actions and makes it easier to revoke access if needed without affecting your manual MISP access. For more automation best practices, check out our n8n training resources.
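One way to check the dedicated-key advice before a key goes into an n8n credential, as an added example rather than code from n8n or MISP: it compares the permission flags on a MISP role with what a workflow's operations need. The operation labels, the operation-to-flag mapping and both sample roles are assumptions constructed for illustration.

```javascript
// Added example (not the integration's own code): least-privilege review of
// the MISP role behind the API key that an n8n credential uses.

// ASSUMPTION: mapping from workflow operations to MISP role permission flags.
// The operation labels are hypothetical; confirm the flags on your instance.
const REQUIRED_PERMS = new Map([
  ['event:create', ['perm_add']],
  ['event:update', ['perm_modify']],
  ['event:publish', ['perm_publish']],
  ['attribute:create', ['perm_add']],
  ['attribute:update', ['perm_modify']],
  ['eventTag:add', ['perm_tagger']],
  ['tag:create', ['perm_tag_editor']],
  ['user:delete', ['perm_admin']],
  ['organisation:delete', ['perm_site_admin']],
  ['feed:enable', ['perm_site_admin']],
]);

// Flags that give an automation key far more reach than ingestion needs.
const HIGH_RISK = ['perm_admin', 'perm_site_admin', 'perm_sync'];

// Read-style operations only need API access (perm_auth).
const isReadOnly = (op) => /:(get|getAll|search)$/.test(op);

// Accept true, 1 and "1" as "granted" so differently serialised roles work.
const isGranted = (v) => v === true || v === 1 || v === '1';

function reviewRole(role, operations) {
  const needed = new Set(['perm_auth']);
  const unknown = [];
  for (const op of operations) {
    if (isReadOnly(op)) continue;
    const perms = REQUIRED_PERMS.get(op);
    if (!perms) {
      unknown.push(op); // unmapped operation: a human has to decide
      continue;
    }
    perms.forEach((p) => needed.add(p));
  }
  const granted = Object.keys(role)
    .filter((k) => k.startsWith('perm_') && isGranted(role[k]));
  // A site admin can do everything, so nothing is "missing" for that role.
  const missing = granted.includes('perm_site_admin')
    ? []
    : [...needed].filter((p) => !granted.includes(p)).sort();
  const excess = granted.filter((p) => !needed.has(p)).sort();
  const highRisk = excess.filter((p) => HIGH_RISK.includes(p));
  const ok = missing.length === 0 && highRisk.length === 0 && unknown.length === 0;
  return { missing, excess, highRisk, unknown, ok };
}

// Constructed sample roles (not taken from a real instance).
const ADMIN_ROLE = {
  name: 'personal-admin', perm_auth: true, perm_add: true, perm_modify: true,
  perm_publish: true, perm_tagger: true, perm_tag_editor: true,
  perm_admin: true, perm_site_admin: true, perm_sync: true,
};
const DEDICATED_ROLE = {
  name: 'n8n-ingest', perm_auth: true, perm_add: true, perm_tagger: true,
  perm_modify: false, perm_publish: false, perm_tag_editor: false,
  perm_admin: false, perm_site_admin: false, perm_sync: false,
};

// Operations used by a constructed "SIEM alert to MISP event" workflow.
const INGEST_OPS = ['event:search', 'event:create', 'attribute:create', 'eventTag:add'];

for (const role of [ADMIN_ROLE, DEDICATED_ROLE]) {
  const r = reviewRole(role, INGEST_OPS);
  console.log(`${role.name}: ok=${r.ok} highRisk=[${r.highRisk}] excess=[${r.excess}] missing=[${r.missing}]`);
}
```

Rerun the review whenever an operation is added to the workflow, so the role grows only by the flag the new step needs.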
MISP actions available in n8n
Action 01: Get Many Warninglists
The Get Many Warninglists action allows you to retrieve multiple warning lists from your MISP instance in a single operation. Warninglists in MISP help identify potential false positives by flagging known benign indicators such as common DNS servers, CDN IP ranges, or legitimate software hashes.
Key parameters: Credential to connect with (required dropdown), Resource set to "Warninglist", Operation set to "Get Many", Return All toggle, and Limit numeric field (default 50) for maximum warninglists to retrieve.
Use cases: Audit your MISP instance by fetching all active warninglists and comparing against a baseline, synchronize warninglist data with external documentation systems, build dashboards showing which warninglists are deployed, or feed warninglist information into attribute validation workflows.
When to use it: This action is ideal when you need to review or export multiple warninglists at once, rather than fetching individual entries.

Action 02: Get Warninglist
The Get Warninglist action retrieves detailed information about a specific warning list by its ID. This is useful when you need complete data about a particular warninglist for processing or validation purposes.
Key parameters: Credential to connect with (required), Resource set to "Warninglist", Operation set to "Get", and Warninglist ID text field (required) supporting fixed values or expressions for dynamic input.
Use cases: Fetch specific warninglist content to validate attributes before creating events, retrieve warninglist details for logging or documentation purposes, or check if a particular warninglist has been updated before running correlation workflows.
When to use it: Use this action when you know exactly which warninglist you need and want its complete details, rather than scanning through multiple lists.

Action 03: User Update
The User Update action modifies existing user accounts in your MISP instance. This is essential for maintaining proper access control and user management in automated security operations.
Key parameters: Credential to connect with (required), Resource set to "User", Operation set to "Update", User ID text field (required), and Update Fields expandable section where you add specific fields and values to modify.
Use cases: Automatically update user roles based on HR system changes, sync user organization assignments when team structures change, batch update user permissions as part of security policy enforcement, or disable/modify accounts based on activity monitoring results.
When to use it: Ideal for maintaining user data consistency across systems or implementing automated access management based on external triggers.

Action 04: Get Many Users
The Get Many Users action retrieves multiple user accounts from your MISP instance, providing visibility into who has access to your threat intelligence platform.
Key parameters: Credential to connect with (required), Resource set to "User", Operation set to "Get Many", Return All toggle, and Limit numeric field (default 50) for maximum users to retrieve.
Use cases: Generate regular user access reports for compliance audits, sync MISP user data with identity management systems, monitor for unauthorized or inactive accounts, or build user activity dashboards combining MISP data with other sources.
When to use it: Use this action for bulk user data retrieval in audit, reporting, or synchronization workflows.

Action 05: User - Get
The User - Get action retrieves information about a specific user by their ID. This provides detailed data about individual accounts for targeted operations.
Key parameters: Credential to connect with (required), Resource set to "User", Operation set to "Get", and User ID text input field (required).
Use cases: Verify user details before granting additional permissions, fetch user information for personalized notification workflows, or check user status as part of event attribution processes.
When to use it: When you need complete details about a single, specific user rather than bulk data retrieval.

Action 06: Delete User
The Delete User action removes a user account from your MISP instance. This is a destructive operation that should be used carefully in automated workflows.
Key parameters: Credential to connect with (required), Resource set to "User", Operation set to "Delete", and User ID text field (required).
Use cases: Automate user offboarding when employees leave the organization, clean up test accounts after quality assurance processes, or implement automatic account removal for inactive users after a defined period.
When to use it: Use in carefully controlled workflows where user removal has been validated through appropriate approval processes.

Action 07: User Create
The User Create action adds new user accounts to your MISP instance, enabling automated user provisioning as part of your identity management workflows.
Key parameters: Credential to connect with (required), Resource set to "User", Operation set to "Create", Email text field (required), Role ID text field (optional), and Additional Fields expandable section for extra user properties.
Use cases: Automatically provision MISP accounts when new analysts join the security team, create service accounts for automated integrations, set up temporary accounts for external partners or incident responders, or sync user creation with HR onboarding systems.
When to use it: Ideal for implementing automated user provisioning that maintains consistency with your organization's identity management policies.

Action 08: Update Tag
The Update Tag action modifies existing tags in your MISP instance. Tags are crucial for categorizing and filtering threat intelligence, making this action valuable for taxonomy management.
Key parameters: Credential to connect with (required), Resource set to "Tag", Operation set to "Update", Tag ID text field (required), and Update Fields section where you add fields to update such as name, colour, or exportable status.
Use cases: Standardize tag naming conventions across your MISP deployment, update tag colors to match organizational taxonomy guidelines, modify tag export settings based on sharing policy changes, or batch update tags as part of taxonomy migration projects.
When to use it: When you need to modify tag properties while maintaining the tag's relationships with existing events and attributes.

Action 09: MISP: Get Many Tags
The Get Many Tags action retrieves multiple tags from your MISP instance, essential for understanding your current taxonomy and maintaining tag consistency.
Key parameters: Credential to connect with (required), Resource set to "Tag", Operation set to "Get Many", Return All toggle for fetching all tags or limiting results, and Limit numeric field (default 50) for maximum tags to retrieve.
Use cases: Audit your complete tag taxonomy for compliance documentation, sync MISP tags with external taxonomy management systems, build tag selection interfaces for other automation tools, or generate reports on tag usage patterns.
When to use it: Use when you need visibility into your complete tag landscape or need to export tag data for external processing.

Action 10: MISP - Delete Tag
The Delete Tag action removes a tag from your MISP instance. This operation should be used carefully as it affects all events and attributes using that tag.
Key parameters: Credential to connect with (required), Resource set to "Tag", Operation set to "Delete", and Tag ID text field (required).
Use cases: Clean up deprecated tags as part of taxonomy maintenance, remove duplicate or incorrectly created tags, or implement controlled tag lifecycle management.
When to use it: Use in taxonomy cleanup workflows where tag removal has been properly validated.

Action 11: Create Tag
The Create Tag action adds new tags to your MISP instance, enabling programmatic taxonomy expansion based on threat intelligence requirements.
Key parameters: Credential to connect with (required), Resource set to "Tag", Operation set to "Create", Name text field (required), and Additional Fields section allowing users to add more fields like colour, exportable status, or organization restrictions.
Use cases: Automatically create campaign-specific tags when new threat actors emerge, sync external taxonomy sources with your MISP tag database, generate tags dynamically based on threat feed classifications, or implement standardized tag creation following naming conventions.
When to use it: Ideal for workflows that need to extend your taxonomy programmatically while maintaining consistency.

Action 12: Update Organisation
The Update Organisation action modifies organisation records in MISP, essential for maintaining accurate partner information in your threat sharing community.
Key parameters: Credential to connect with (required), Resource set to "Organisation", Operation set to "Update", Organisation ID text field (required), and Update Fields section for specifying which organisation properties to change.
Use cases: Keep organisation contact information synchronized with CRM data, update organisation metadata when partnership terms change, or modify organisation types or sectors based on updated classifications.
When to use it: When organisation details need updating while preserving the organisation's existing relationships with events and users.

Action 13: Get Many Organisation
The Get Many Organisation action retrieves multiple organisation records from MISP, providing visibility into your threat sharing community membership.
Key parameters: Credential to connect with (required), Resource set to "Organisation", Operation set to "Get Many", Return All toggle for complete or limited results, and Limit numeric field (default 50) for maximum organisations to fetch.
Use cases: Generate reports on community membership for governance purposes, sync MISP organisation data with partner management systems, build organisation selection interfaces for event distribution workflows, or audit organisation configurations for security compliance.
When to use it: Use for bulk organisation data retrieval in reporting, synchronization, or audit workflows.

Action 14: MISP - Organisation Get
The Organisation Get action retrieves details about a specific organisation by ID, providing complete information for targeted operations.
Key parameters: Credential to connect with (required), Resource set to "Organisation", Operation set to "Get", and Organisation ID text field (optional but necessary for specific lookups).
Use cases: Verify organisation details before sharing sensitive threat intelligence, fetch organisation metadata for event attribution workflows, or retrieve contact information for automated notification processes.
When to use it: When you need complete details about a single organisation rather than bulk retrieval.

Action 15: Delete Organisation
The Delete Organisation action removes an organisation from your MISP instance. This is a significant operation affecting event ownership and sharing relationships.
Key parameters: Credential to connect with (required), Resource set to "Organisation", Operation set to "Delete", and Organisation ID text field (required).
Use cases: Clean up test organisations after quality assurance processes, remove defunct partner organisations from your community, or implement controlled organisation lifecycle management.
When to use it: Use with extreme caution in well-validated workflows where organisation removal has been properly approved.

Action 16: Create Organisation
The Create Organisation action adds new organisations to your MISP instance, enabling automated community management.
Key parameters: Credential to connect with (required), Resource set to "Organisation", Operation set to "Create", Name text field (required), and Additional Fields section for extra properties like description, sector, nationality, or contact information.
Use cases: Automatically onboard new threat sharing partners, create organisations based on external community management systems, set up organisations for new departments or subsidiaries, or sync with partner registration workflows.
When to use it: Ideal for automating community expansion while maintaining data quality standards.

Action 17: MISP - Object Search
The Object Search action searches for MISP objects matching specific criteria. Objects in MISP represent complex entities like email messages, files, or network connections with multiple related attributes.
Key parameters: Credential to connect with (required), Resource set to "Object", Operation set to "Search", Use JSON to Specify Fields toggle, Value text field for search value, and Additional Fields section for more search parameters.
Use cases: Search for all objects containing a specific indicator across your event database, find related network connection objects when investigating infrastructure, locate file objects matching malware samples for attribution analysis, or build investigation workflows that pivot between related objects.
When to use it: Use when searching for complex, multi-attribute entities rather than individual indicators.

Action 18: Get Many Noticelist
The Get Many Noticelist action retrieves multiple noticelists from MISP. Noticelists contain informational notices about specific types of data, helping analysts understand context and potential issues.
Key parameters: Credential to connect with (required), Resource set to "Noticelist", Operation set to "Get Many", Return All toggle, and Limit numeric field (default 50) for maximum noticelists.
Use cases: Audit deployed noticelists for configuration management, export noticelist data for documentation purposes, or build validation workflows that reference noticelist information.
When to use it: When you need to retrieve multiple noticelists for audit, documentation, or validation purposes.

Action 19: MISP - Noticelist Get
The Noticelist Get action retrieves details about a specific noticelist by ID.
Key parameters: Credential to connect with (required), Resource set to "Noticelist", Operation set to "Get", and Noticelist ID text field (optional).
Use cases: Fetch specific noticelist content for validation workflows or retrieve noticelist details for documentation.
When to use it: When you need complete details about a specific noticelist.

Action 20: Galaxy - Get Many
The Get Many Galaxies action retrieves multiple galaxies from MISP. Galaxies provide threat intelligence context like threat actors, attack patterns, and malware classifications.
Key parameters: Credential to connect with (required), Resource set to "Galaxy", Operation set to "Get Many", Return All toggle, and Limit numeric field (default 50) for maximum galaxies.
Use cases: Sync MISP galaxies with external threat intelligence platforms, build galaxy selection interfaces for event enrichment workflows, generate reports on available threat classifications, or audit galaxy configurations across MISP instances.
When to use it: Use for bulk galaxy retrieval in synchronization, reporting, or integration workflows.

Action 21: MISP - Get Galaxy
The Get Galaxy action retrieves details about a specific galaxy by ID.
Key parameters: Credential to connect with (required), Resource set to "Galaxy", Operation set to "Get", and Galaxy ID text field (required).
Use cases: Fetch specific galaxy clusters for event enrichment or retrieve galaxy details for threat actor attribution workflows.
When to use it: When you need complete details about a specific galaxy.

Action 22: Delete Galaxy
The Delete Galaxy action removes a galaxy from your MISP instance.
Key parameters: Credential to connect with (required), Resource set to "Galaxy", Operation set to "Delete", and Galaxy ID text field (required).
Use cases: Clean up custom galaxies that are no longer needed or remove deprecated threat classifications.
When to use it: Use carefully in controlled cleanup workflows.

Action 23: Feed Update
The Feed Update action modifies existing feed configurations in MISP. Feeds provide automated ingestion of external threat intelligence.
Key parameters: Credential to connect with (required), Resource set to "Feed", Operation set to "Update", Feed ID text field (required), and Update Fields section for specifying which feed properties to change.
Use cases: Update feed URLs when sources change, modify feed authentication credentials, adjust feed caching or pulling intervals, or change feed distribution settings.
When to use it: When feed configurations need updating without recreating the feed entirely.

Action 24: MISP - Feed: Get Many
The Get Many Feeds action retrieves multiple feed configurations from MISP.
Key parameters: Credential to connect with (required), Resource set to "Feed", Operation set to "Get Many", Return All toggle, and Limit numeric field (default 50) for maximum feeds.
Use cases: Audit all configured threat feeds for documentation, monitor feed status across your MISP infrastructure, generate reports on feed sources and configurations, or sync feed configurations between MISP instances.
When to use it: Use for feed inventory, audit, or synchronization workflows.

Action 25: MISP Feed - Get
The Feed Get action retrieves details about a specific feed by ID.
Key parameters: Credential to connect with (required), Resource set to "Feed", Operation set to "Get", and Feed ID text field (required).
Use cases: Check specific feed configuration before triggering pulls or verify feed status for health monitoring workflows.
When to use it: When you need complete details about a specific feed.

Action 26: Feed Enable
The Feed Enable action activates a disabled feed in MISP, allowing it to resume pulling data.
Key parameters: Credential to connect with (required), Resource set to "Feed", Operation set to "Enable", and Feed ID text field (required).
Use cases: Automatically enable feeds during business hours and disable overnight, reactivate feeds after maintenance periods, or implement conditional feed activation based on threat levels.
When to use it: When you need to programmatically activate feeds as part of feed management workflows.

Action 27: Disable Feed
The Disable Feed action deactivates an active feed in MISP, pausing data ingestion.
Key parameters: Credential to connect with (required), Resource set to "Feed", Operation set to "Disable", and Feed ID text field (required).
Use cases: Temporarily disable feeds during maintenance windows, stop noisy or problematic feeds pending investigation, or implement scheduled feed management based on operational requirements.
When to use it: When you need to programmatically pause feeds without deleting them.

Action 28: Create Feed
The Create Feed action adds new feed configurations to MISP, enabling automated threat intelligence ingestion from new sources.
Key parameters: Credential to connect with (required), Resource set to "Feed", Operation set to "Create", Name text field (required), Provider text field (optional), URL text field (required for most feed types), and Additional Fields section for extra properties.
Use cases: Automatically add new threat feed sources based on recommendations, implement self-service feed provisioning for security teams, sync feed configurations from centralized management systems, or set up feeds for new threat intelligence partnerships.
When to use it: Ideal for automating feed provisioning while maintaining configuration standards.

Action 29: Remove Event Tag
The Remove Event Tag action removes a specific tag from an event in MISP.
Key parameters: Credential to connect with (required), Resource set to "Event Tag", Operation set to "Remove", Event ID text field (required), and Tag Name or ID field to specify which tag to remove.
Use cases: Clean up incorrect tags added during initial event triage, remove temporary workflow tags after processing is complete, or implement tag lifecycle management based on event states.
When to use it: When specific tags need removal from events as part of tagging workflows.

Action 30: MISP - Event Tag Add
The Event Tag Add action attaches a tag to an existing event in MISP.
Key parameters: Credential to connect with (required), Resource set to "Event Tag", Operation set to "Add", Event ID text field (required), and Tag Name or ID text field specifying which tag to add.
Use cases: Automatically tag events based on attribute content or patterns, add workflow status tags as events progress through analysis, apply classification tags based on external intelligence sources, or implement consistent tagging based on organizational policies.
When to use it: Essential for automated event categorization and workflow management.

Action 31: Update Event
The Update Event action modifies existing events in MISP, enabling automated event management and enrichment.
Key parameters: Credential to connect with (required), Resource set to "Event", Operation set to "Update", Event ID text field (required), and Update Fields section for specifying which event properties to change.
Use cases: Automatically update event threat levels based on new intelligence, modify event distribution as sharing requirements change, update event analysis status through automated triage workflows, or enrich event information with data from external sources.
When to use it: Critical for automated event lifecycle management and enrichment workflows.

Action 32: Unpublish Event
The Unpublish Event action removes the published status from an event, preventing further distribution until republished.
Key parameters: Credential to connect with (required), Resource set to "Event", Operation set to "Unpublish", and Event ID text field (required).
Use cases: Temporarily unpublish events when corrections are needed, remove events from distribution pending additional validation, or implement controlled event withdrawal workflows.
When to use it: When events need to be temporarily removed from distribution without deletion.

Action 33: MISP - Event Search
The Event Search action finds events matching specific criteria, essential for threat intelligence investigation and correlation.
Key parameters: Credential to connect with (required), Resource set to "Event", Operation set to "Search", Use JSON to Specify Fields toggle, Value text field for the search value, and Additional Fields section for adding search parameters.
Use cases: Find all events related to a specific threat actor or campaign, search for events containing particular indicators of compromise, build investigation workflows that locate relevant threat context, or implement correlation between new indicators and existing intelligence.
When to use it: Fundamental for any investigation or correlation workflow in MISP.

Action 34: Publish Event
The Publish Event action marks an event as published, triggering distribution to connected instances and users based on sharing rules.
Key parameters: Credential to connect with (required), Resource set to "Event", Operation set to "Publish", and Event ID text field (required).
Use cases: Automatically publish events after validation workflows complete, trigger immediate distribution of high-priority threat intelligence, implement scheduled publishing based on operational requirements, or build approval workflows that publish after review.
When to use it: Essential for controlling when threat intelligence is shared with your community.

Action 35: Get Many Event
The Get Many Event action retrieves multiple events from MISP, providing bulk access to threat intelligence data.
Key parameters: Credential to connect with (required), Resource set to "Event", Operation set to "Get Many", Return All toggle, and Limit numeric field (default 50) for maximum events.
Use cases: Export recent events for external analysis platforms, generate regular threat intelligence reports, sync event data with SIEM or SOAR platforms, or build dashboards showing current threat landscape.
When to use it: Use for bulk event retrieval in reporting, export, or synchronization workflows.

Action 36: MISP Event - Get
The Event Get action retrieves complete details about a specific event by ID.
Key parameters: Credential to connect with (required), Resource set to "Event", Operation set to "Get", and Event ID text field (required).
Use cases: Fetch complete event data for investigation workflows, retrieve event details for enrichment processes, or access event metadata for reporting.
When to use it: When you need complete details about a specific event for processing or analysis.

Action 37: Delete Event
The Delete Event action removes an event from MISP. This is a destructive operation that should be used carefully.
Key parameters: Credential to connect with (required), Resource set to "Event", Operation set to "Delete", and Event ID text field (required).
Use cases: Clean up false positive or duplicate events, remove test events after quality assurance, or implement controlled event deletion workflows with proper approvals.
When to use it: Use carefully in validated workflows where event deletion is appropriate.

Action 38: MISP - Event Create
The Event Create action creates new events in MISP, the foundation for automated threat intelligence ingestion.
Key parameters: Credential to connect with (required), Resource set to "Event", Operation set to "Create", Organization Name or ID field (dynamically fetched), Information text field for the event's main description, and Additional Fields section for extra properties.
Use cases: Automatically create events from threat feed ingestion, generate events based on SIEM alerts or security tool detections, build event templates that standardize threat documentation, or implement automated incident response that creates MISP events.
When to use it: Fundamental for any automated threat intelligence ingestion workflow.

Action 39: MISP Attribute Update
The Attribute Update action modifies existing attributes in MISP events.
Key parameters: Credential to connect with (required), Resource set to "Attribute", Operation set to "Update", Attribute ID text field (required), and Update Fields section for specifying which attribute properties to change.
Use cases: Update attribute comments with analysis findings, modify attribute distribution or sharing settings, change attribute categories or types based on validation, or enrich attributes with correlation results.
When to use it: When attribute properties need modification without deletion and recreation.

Action 40: MISP Attribute Search
The Attribute Search action finds attributes matching specific criteria across your MISP event database.
Key parameters: Credential to connect with (required), Resource set to "Attribute", Operation set to "Search", Use JSON to Specify Fields toggle, Value text field for the search value, and Additional Fields section for additional search parameters.
Use cases: Search for specific IOCs across all events, find attributes matching patterns for correlation, locate duplicate indicators across events, or build investigation workflows that pivot on indicator values.
When to use it: Essential for indicator lookup and correlation workflows.

Action 41: Get Many Attribute
The Get Many Attribute action retrieves multiple attributes from MISP.
Key parameters: Credential to connect with (required), Resource set to "Attribute", Operation set to "Get Many", Return All toggle, and Limit numeric field (default 50) for maximum attributes.
Use cases: Export IOCs for integration with defensive tools, generate indicator feeds for firewalls or proxies, build reports on attribute types and volumes, or sync indicators with external platforms.
When to use it: Use for bulk indicator export and synchronization workflows.

Action 42: Get Attribute
The Get Attribute action retrieves details about a specific attribute by ID.
Key parameters: Credential to connect with (required), Resource set to "Attribute", Operation set to "Get", and Attribute ID text field (required).
Use cases: Fetch complete attribute details for analysis or retrieve attribute metadata for processing workflows.
When to use it: When you need complete details about a specific attribute.

Action 43: Delete Attribute
The Delete Attribute action removes an attribute from MISP.
Key parameters: Credential to connect with (required), Resource set to "Attribute", Operation set to "Delete", and Attribute ID text field (required).
Use cases: Remove false positive indicators, clean up duplicate attributes, or delete attributes that fail validation.
When to use it: Use in controlled cleanup workflows where attribute removal is validated.

Action 44: MISP Attribute - Create
The Attribute Create action adds new indicators to MISP events, fundamental for building threat intelligence.
Key parameters: Credential to connect with (required), Resource set to "Attribute", Operation set to "Create", Event UUID text field (optional but necessary for proper attachment), Type dropdown for attribute type, Value text field for the actual indicator value (required), and Additional Fields section for extra properties.
Use cases: Automatically ingest IOCs from threat feeds into events, add indicators discovered during investigations, build automated attribute creation from security tool alerts, or implement standardized indicator formatting and categorization.
When to use it: Fundamental for any automated indicator ingestion workflow.
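The "standardized indicator formatting and categorization" step can be done in plain JavaScript before values reach the Attribute Create action. The following is an added example, not code from n8n or MISP: the function names and sample values are constructed, and placing it in a Code node ahead of Attribute Create is an assumption. The type and category strings are standard MISP attribute names.

```javascript
// Added example: map raw indicator strings to MISP attribute fields (names are illustrative).
const HASH_TYPES = { 32: 'md5', 40: 'sha1', 64: 'sha256' };
const DOMAIN_RE = /^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/i;

// Undo common defanging (hxxp://, [.] and (.)) so stored values match on later searches.
function refang(raw) {
  return raw.trim()
    .replace(/^hxxp(s?):\/\//i, 'http$1://')
    .replace(/\[\.\]|\(\.\)/g, '.');
}

function isIPv4(v) {
  const parts = v.split('.');
  return parts.length === 4 && parts.every(p => /^\d{1,3}$/.test(p) && Number(p) <= 255);
}

// Private, loopback and link-local addresses make poor shared network indicators.
function isNonRoutable(v) {
  const [a, b] = v.split('.').map(Number);
  return a === 0 || a === 10 || a === 127 || (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) || (a === 169 && b === 254);
}

// Returns { type, category, value, to_ids } or { rejected, reason }.
function toMispAttribute(raw) {
  const value = refang(String(raw));
  const net = (type, v) => ({ type, category: 'Network activity', value: v, to_ids: true });
  if (/^[0-9a-f]+$/i.test(value) && HASH_TYPES[value.length]) {
    return { type: HASH_TYPES[value.length], category: 'Payload delivery', value: value.toLowerCase(), to_ids: true };
  }
  if (isIPv4(value)) {
    return isNonRoutable(value) ? { rejected: value, reason: 'non-routable address' } : net('ip-dst', value);
  }
  if (/^https?:\/\/[^\s/]+/i.test(value)) return net('url', value);
  if (DOMAIN_RE.test(value)) return net('domain', value.toLowerCase());
  return { rejected: value, reason: 'unrecognised indicator format' };
}

// Split a batch into attributes to create and values held back for analyst review.
function prepareBatch(rawValues) {
  const seen = new Set(), create = [], review = [];
  for (const raw of rawValues) {
    const attr = toMispAttribute(raw);
    if (attr.rejected !== undefined) { review.push(attr); continue; }
    const key = attr.type + '|' + attr.value;
    if (!seen.has(key)) { seen.add(key); create.push(attr); }
  }
  return { create, review };
}
```

Only the `create` list should feed Attribute Create; routing `review` to a human keeps malformed or internal values out of shared events.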

Frequently asked questions
Is the MISP n8n integration free?
The MISP integration itself is free and included in n8n's core node library—you don't need to pay extra to access it. However, your overall costs depend on how you run n8n. Self-hosting n8n is free (you only pay for your server infrastructure), while n8n Cloud offers various pricing tiers based on workflow executions and features. On the MISP side, the platform is open-source and free, though you'll need infrastructure to host your MISP instance. The API access required for the n8n integration is included in standard MISP deployments with no additional licensing costs.
What data can I sync between MISP and n8n?
The n8n MISP integration provides comprehensive access to MISP's data model through 44 actions covering 10 resource types. You can manage Events (create, read, update, delete, search, publish/unpublish), Attributes (IOCs like IP addresses, domains, hashes), Event Tags, Feeds (external threat intelligence sources), Galaxies (threat actor and malware classifications), Organisations, Users, Objects (complex multi-attribute entities), Noticelists, and Warninglists. This enables complete workflows from threat feed ingestion through event creation, attribute management, and intelligence distribution to your sharing community. For more complex integrations, explore our Make automation services as an alternative.
How long does it take to set up the MISP n8n integration?
Initial setup typically takes 10-15 minutes if you already have a working MISP instance. The process involves generating an API key in MISP (2 minutes), creating the credential in n8n (2 minutes), and testing with a simple workflow (5 minutes). The main prerequisite is ensuring network connectivity between your n8n instance and MISP server—if they're on different networks, firewall rules may need configuration. Once connected, you can immediately start building workflows using any of the 44 available actions. More complex production workflows may take additional time to design and test, but the integration itself is quick to establish. If you encounter issues, our n8n troubleshooting guide can help resolve common problems.


