
Symptoms

  1. A MISP direct connection integration is configured in Trend Vision One.
  2. The connection test to the MISP server completes successfully.
  3. The "last pulled" timestamp updates on schedule as expected.
  4. No IOC data appears under Threat Intelligence > Intelligence Reports > Custom.
  5. All standard prerequisites appear to be met: event tags match (case-sensitive), events are published, and the IDS flag is enabled on attributes.

Root Cause

The MISP server is unable to generate STIX2-formatted output. Trend Vision One's MISP integration retrieves IOC data by calling POST /events/restSearch with returnFormat=stix2 on the MISP server. If the MISP server lacks the required libraries or dependencies to produce STIX2 output, the integration silently fails to ingest any data.

Important: The connection test in Vision One only validates network reachability and authentication to the MISP server. It does not validate whether the MISP server can generate STIX2-formatted output. A passing connection test does not guarantee that IOC ingestion will succeed.

Resolution

Step 1: Verify STIX2 export capability on the MISP server

Before contacting your MISP server administrator, manually test whether the MISP server can produce STIX2 output. Run the following curl command from a machine that has access to the MISP server:

curl -k -d '{"returnFormat": "stix2", "eventid": ["<EVENT_ID>"], "deleted": 0}' -v \
--header "Authorization: <YOUR_API_KEY>" \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
-X POST https://<MISP_URL>/events/restSearch

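Replace <EVENT_ID> with a known published event ID from your MISP instance, <YOUR_API_KEY> with your MISP API key, and <MISP_URL> with your MISP server address. The -k option disables TLS certificate verification; omit it if the MISP server presents a certificate that the client machine trusts.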

Alternatively, use the MISP REST client UI:

  1. Set the method to POST and the path to https://localhost/events/restSearch.
  2. Enable Skip SSL validation if required.
  3. Add the following headers: Authorization: <YOUR_API_KEY>, Accept: application/json, Content-Type: application/json.
  4. Set the request body to: {"returnFormat": "stix2", "eventid": ["<EVENT_ID>"], "deleted": 0}.
  5. Submit the request and review the response.

If the response does not return valid STIX2 JSON, or returns an error, the MISP server cannot produce STIX2 output.
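The following is an added example, not part of the original article or of any Trend Micro or MISP tooling: a Python check that classifies a response body saved from the test above (for example with curl's -o option) as a STIX2 bundle, an error object, or non-JSON output. The function name and the sample bodies are constructed for illustration, and the indicator count assumes that attributes with the IDS flag are exported as STIX2 indicator objects.

```python
import json
import sys

# Constructed sample bodies (not captured from a real MISP server).
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--11111111-2222-4333-8444-555555555555",
    "objects": [
        {"type": "identity", "id": "identity--aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee"},
        {"type": "indicator", "id": "indicator--99999999-8888-4777-8666-555555555555",
         "pattern": "[domain-name:value = 'bad.example']"},
    ],
})
SAMPLE_ERROR = json.dumps({"name": "Constructed error", "message": "export failed"})
SAMPLE_HTML = "<html><body>Internal error</body></html>"


def check_stix2_response(body):
    """Return (ok, reason, indicator_count) for a saved restSearch response body."""
    if not body.strip():
        return (False, "empty response body", 0)
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return (False, "response is not JSON", 0)
    # A STIX2 export is a single bundle object; anything else is an error or another format.
    if not isinstance(doc, dict) or doc.get("type") != "bundle":
        return (False, "JSON but not a STIX2 bundle", 0)
    if not str(doc.get("id", "")).startswith("bundle--"):
        return (False, "bundle id missing or malformed", 0)
    objects = doc.get("objects")
    if not isinstance(objects, list) or not objects:
        return (False, "bundle contains no objects", 0)
    # Assumption: attributes with the IDS flag export as 'indicator' objects with a pattern.
    count = sum(1 for o in objects
                if isinstance(o, dict) and o.get("type") == "indicator" and o.get("pattern"))
    if count == 0:
        return (True, "valid bundle but no indicators; recheck the IDS flag", 0)
    return (True, "valid STIX2 bundle", count)


if __name__ == "__main__":
    # Usage: python check_stix2.py response.json  (no argument runs the constructed samples)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            print(check_stix2_response(fh.read()))
    else:
        for sample in (SAMPLE_BUNDLE, SAMPLE_ERROR, SAMPLE_HTML):
            print(check_stix2_response(sample))
```

A result of ok=False reproduces the failure described under Root Cause; ok=True with zero indicators points back to the event prerequisites rather than to the STIX2 export itself.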

Step 2: Contact your MISP server administrator

If the STIX2 export test fails, contact the administrator of your MISP server and request that they install or enable the required libraries and dependencies to support STIX2 format export. Once the MISP server is updated to support STIX2 output, Trend Vision One will begin ingesting IOCs on the next scheduled pull.

Step 3: Verify IOC ingestion in Vision One

After the MISP server administrator confirms the fix has been applied, wait for the next scheduled pull (based on your configured retrieval frequency) and then check Threat Intelligence > Intelligence Reports > Custom to confirm that IOC data is now appearing.