This project automates the process of pulling Threat Intelligence from Google Threat Intelligence and importing it into your MISP instance. It can be configured to run as a one-time import or on a periodic schedule to keep your MISP instance updated with the latest GTI data.
Attention: Configure the connector in the Google Threat Intelligence interface prior to starting ingestion.
-
Clone the repository:
git clone <repository_url> cd gti-misp-connector
-
Configure Environment Variables: Create a
.envfile in the root of the project and add the following variables:GTI_APIKEY=YOUR_GTI_API_KEY LIMIT=10 MISP_URL=YOUR_MISP_URL MISP_APIKEY=YOUR_MISP_API_KEY MISP_SSL=False
Replace the placeholder values with your actual API keys and URLs.
LIMIT: Controls the number of messages fetched from GTI in a single API call. The recommended value is 10 and it can't be greater than 40.MISP_SSL: Controls whether to use SSL verification when connecting to MISP (defaults to False).
-
Create and activate a virtual environment:
python3 -m venv venv source venv/bin/activateTo deactivate, simply run:
deactivate -
Install dependencies:
pip install -r requirements.txt
-
Run the connector:
- Run once:
python src/main.py
- Run periodically (e.g., every 60 seconds):
python src/main.py --schedule 60
- Run once:
-
Build the Docker image:
docker build --no-cache -t misp-connector . -
Run the Docker container:
- Run once:
docker run --env-file .env misp-connector
- Run periodically (e.g., every 60 seconds):
docker run --env-file .env misp-connector --schedule 60
- Run once: