MISP connector guide for VirusTotal

This guide provides instructions on how to activate the MISP connector within VirusTotal. Once activated, VirusTotal reports will display threat intelligence information about IoCs (Indicators of Compromise) sourced from the events found in your configured MISP instance.


Before you can begin the connector set up, ensure that you have the following prerequisites in place:

  1. Access to MISP: You must have access to a running instance of MISP, either self-hosted or via a trusted organization.

  2. API Key: Obtain an API key from your MISP instance. This key will be required for authentication during the integration setup.

Getting the MISP API key

Follow these steps to get the MISP API key:

  1. Access to the MISP instance: Log in to the MISP instance.

  2. Navigate to your user profile: If you don't find it navigate directly to the url /users/view/me.

  3. Add a new auth key: Under Auth keys click on the + Add authentication key.

  4. Configure it: Leave the Allowed IPs empty and mark the Read only checkbox.

Adding the connector

Before you can view MISP events information in VirusTotal reports, you must set up the MISP connector and provide your API key. Follow these steps:

  1. Access the Technology Integrations page via the left menu and then click on the Connectors (Third party to VT). This page serves as the hub for all your configured connectors.

Here you can perform different actions described in details in the Manage the connector section.

  1. Click on Add a connector". A dialog will guide you through configuring the connector in two straightforward steps.

  2. Select the MISP connector.

  1. Provide a name, the API key and the url of your MISP instance.
  1. Save the connector.

Once completed, all members of your group will have access to the MISP information in the IoC reports.

Managing the connector

The user who adds the connector and the admins of the group to which it belongs, has the authority to edit or delete the connector.

Additionally, all users within your group can enable or disable the connector, this action affects individually to the user.

Viewing Mandiant Information

Once the MISP connector is configured, all members of your group will start seeing additional context in the reports.

For each IoC, you will receive, the MISP events ids and descriptions that contains the IoC, and the tags and the severity of each event.


This connector is officially suported by VirusTotal, please contact us if you have any question.