
feat: add SOCRadar TAXII Feed Import & IoC Enrichment modules#770

Merged
adulau merged 5 commits into MISP:main from Radargoger:feature/socradar-modules
Apr 13, 2026

Conversation

@Radargoger
Contributor

Add SOCRadar TAXII Feed Import & IoC Enrichment Expansion Modules

Summary

This PR adds two new modules for SOCRadar threat intelligence integration:

  1. SOCRadar TAXII Feed Import (import_mod/socradar_taxii_feed.py) — Import enriched threat indicators from SOCRadar's TAXII 2.1 server into MISP events
  2. SOCRadar IoC Enrichment (expansion/socradar_lookup.py) — Enrich MISP attributes by querying SOCRadar's IoC Enrichment REST API

What is SOCRadar?

SOCRadar is an Extended Threat Intelligence (XTI) platform that aggregates indicators from 100+ sources. It provides:

  • A TAXII 2.1 compliant server serving STIX 2.1 indicators (used by the import module)
  • An IoC Enrichment REST API for real-time indicator lookups (used by the expansion module)

Import Module — socradar_taxii_feed.py

Connects to SOCRadar's TAXII 2.1 endpoint and imports STIX 2.1 indicators into MISP with rich metadata:

  • IoC types supported: IP (v4/v6), domain, URL, file hash (MD5/SHA1/SHA256/SHA512), email
  • MITRE ATT&CK tagging: Extracted from STIX labels and SOCRadar's extra-info-ext extension tags (type: MITRE_ATTCK)
  • Malware family detection: 60+ known families (Redline, Emotet, Cobalt Strike, LockBit, Prometei, etc.) detected from labels, tags, and indicator metadata
  • Confidence mapping: STIX confidence (0–100 float) → MISP confidence-level taxonomy
  • SOCRadar threat score: Numeric score from extra-info-ext.score preserved as tag
  • Feed source attribution: Original feed sources (e.g., Abuse.ch-Urlhaus-C&Cs, SOCRadar Research Team) tagged per attribute
  • Country/geo tags: Geographic attribution from COUNTRY-type extension tags
  • TLP marking: Configurable default
  • Pagination: Handles SOCRadar's more + next JSON cursor pagination
  • Deduplication: Skips duplicate indicator values

Import Module — Configuration

In MISP: Administration → Server Settings → Plugin Settings → Import

| Parameter | Description | Default |
|---|---|---|
| socradar_taxii_url | TAXII 2.1 base URL | https://taxii2.socradar.com |
| socradar_api_root | API root path | radar_alpha |
| socradar_username | TAXII username | |
| socradar_password | TAXII password | |

Note: Customers need an IoC Enrichment API key from SOCRadar, available at https://platform.socradar.com → API Management. The import module (TAXII) uses separate TAXII credentials and does not require this API key.


SOCRadar STIX 2.1 Data Format

SOCRadar's TAXII response uses standard STIX 2.1 with a custom extra-info-ext extension:

```json
{
  "type": "indicator",
  "pattern": "[file:hashes.sha1 = 'abc123...']",
  "confidence": 28.0,
  "labels": ["malware", "t1055", "t1486", "prometei", "botnet"],
  "extensions": {
    "extra-info-ext": {
      "score": 28.5,
      "tags": [
        {"tag": "malware", "type": "TAG", "priority": 1},
        {"tag": "t1055", "type": "MITRE_ATTCK", "priority": 10, "description": "Process Injection"},
        {"tag": "hong kong", "type": "COUNTRY", "priority": 10}
      ],
      "feed_source_list": [
        {"source_name": "SOCRadar Research Team-Hash", "seen_count": 1, "first_seen_date": "2025-05-29 13:23:42"}
      ]
    }
  },
  "threat_feed_source_name": "Abuse.ch-Hash",
  "indicator_types": ["malicious-activity"]
}
```

Testing

Tested against live SOCRadar TAXII 2.1 production data. Example dry-run output from import module:

```text
Collection 'file-import' → 3 groups: Screenconnect(1), Prometei(1), Malicious IPs(1)

Event: SOCRadar: Screenconnect
Tags: source:SOCRadar, type:OSINT, tlp:amber, mitre-attack:T1055, mitre-attack:T1071.001,
      mitre-attack:T1486, mitre-attack:T1496, malware:screenconnect
  → [url] https://object.brovanti.com/bin/support.client.exe...

Event: SOCRadar: Prometei
Tags: source:SOCRadar, type:OSINT, tlp:amber, mitre-attack:T1055, mitre-attack:T1486,
      malware:prometei, feed-source:Abuse.ch-Hash, feed-source:MalwareBazaar Feeds
  → [sha1] bc558a64f7667ca11e60c21e4a3d25ee0032eaca

Event: SOCRadar: Malicious IPs
Tags: source:SOCRadar, type:OSINT, tlp:amber, mitre-attack:T1595.001, mitre-attack:T1595.002,
      country:hong kong, feed-source:SOCRadar Research Team
  → [ip-dst] 47.76.121.170
```

Dependencies

  • requests (already included in misp-modules dependencies)

Files Changed

  • misp_modules/modules/import_mod/socradar_taxii_feed.py (new file)
  • misp_modules/modules/expansion/socradar_lookup.py (new file)

About the Author

SOCRadar — Enterprise API & Integration Team

  • Website: https://socradar.io
  • Contact: burak.goger@socradar.io
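An added example, not code from the PR: a Python sketch of the STIX-to-MISP mapping described above, turning a single-comparison STIX pattern into a MISP attribute type and value and deriving the tag set (MITRE technique, malware family, country, feed source, confidence) from the labels and the extra-info-ext extension. The sample indicator is constructed, MALWARE_FAMILIES is a small stand-in for the module's 60+ entries, and the bands onto MISP's confidence-level taxonomy are my assumption because the PR does not show the module's.

```python
import re

# Constructed sample in the shape the PR quotes (placeholder hash, not a real IoC).
SAMPLE_INDICATOR = {
    "pattern": "[file:hashes.sha1 = '0123456789abcdef0123456789abcdef01234567']",
    "confidence": 28.0,
    "labels": ["malware", "t1055", "t1486", "prometei", "botnet"],
    "extensions": {"extra-info-ext": {"score": 28.5, "tags": [
        {"tag": "malware", "type": "TAG"}, {"tag": "t1055", "type": "MITRE_ATTCK"},
        {"tag": "hong kong", "type": "COUNTRY"}],
        "feed_source_list": [{"source_name": "Abuse.ch-Hash", "seen_count": 1}]}},
}

PATTERN_RE = re.compile(r"^\[\s*([a-z0-9-]+:[\w.'-]+)\s*=\s*'([^']+)'\s*\]$")
PATH_TO_MISP = {"ipv4-addr:value": "ip-dst", "ipv6-addr:value": "ip-dst", "domain-name:value": "domain",
                "url:value": "url", "email-addr:value": "email", "file:hashes.md5": "md5",
                "file:hashes.sha1": "sha1", "file:hashes.sha256": "sha256", "file:hashes.sha512": "sha512"}
TECHNIQUE_RE = re.compile(r"^t\d{4}(\.\d{3})?$", re.I)
MALWARE_FAMILIES = {"prometei", "emotet", "redline", "lockbit", "screenconnect"}  # subset (assumption)

def confidence_tag(conf):
    """Assumed bands following the STIX 2.1 None/Low/Med/High scale; the PR does not show the module's."""
    if conf is None:
        return "confidence-level:confidence-cannot-be-evaluated"
    level = ("unconfident" if conf == 0 else "rarely-confident" if conf < 30
             else "fairly-confident" if conf < 70 else "usually-confident")
    return "confidence-level:" + level

def indicator_to_misp(ind, tlp="tlp:amber"):
    """Map one indicator to {'type', 'value', 'tags'}; compound (AND/OR) patterns return None."""
    m = PATTERN_RE.match(ind.get("pattern", ""))
    if not m:
        return None
    path, value = m.group(1).lower().replace("'", ""), m.group(2)
    if path.startswith("file:hashes."):  # accept both hashes.sha1 and hashes.'SHA-1'
        path = "file:hashes." + path[12:].replace("-", "")
    if path not in PATH_TO_MISP:
        return None
    ext = ind.get("extensions", {}).get("extra-info-ext", {})
    tags = ["source:SOCRadar", "type:OSINT", tlp]
    for tok in ind.get("labels", []) + [t["tag"] for t in ext.get("tags", []) if t.get("type") == "MITRE_ATTCK"]:
        if TECHNIQUE_RE.match(tok):
            tags.append("mitre-attack:" + tok.upper())
        elif tok.lower() in MALWARE_FAMILIES:
            tags.append("malware:" + tok.lower())
    tags += ["country:" + t["tag"] for t in ext.get("tags", []) if t.get("type") == "COUNTRY"]
    tags += ["feed-source:" + s["source_name"] for s in ext.get("feed_source_list", [])]
    tags.append(confidence_tag(ind.get("confidence")))
    # labels and extension tags overlap (t1055 above), so dedupe while keeping order
    return {"type": PATH_TO_MISP[path], "value": value, "tags": list(dict.fromkeys(tags))}
```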
# Add SOCRadar TAXII Feed Import & IoC Enrichment Expansion Modules

Summary

This PR adds two new modules for SOCRadar threat intelligence integration:

  1. SOCRadar TAXII Feed Import (import_mod/socradar_taxii_feed.py) — Import enriched threat indicators from SOCRadar's TAXII 2.1 server into MISP events
  2. SOCRadar IoC Enrichment (expansion/socradar_lookup.py) — Enrich MISP attributes by querying SOCRadar's IoC Enrichment REST API

What is SOCRadar?

SOCRadar is an Extended Threat Intelligence (XTI) platform that aggregates indicators from 120+ sources. It provides:

  • A TAXII 2.1 compliant server serving STIX 2.1 indicators (used by the import module)
  • An IoC Enrichment REST API for real-time indicator lookups (used by the expansion module)

Import Module — socradar_taxii_feed.py

Connects to SOCRadar's TAXII 2.1 endpoint and imports STIX 2.1 indicators into MISP with rich metadata:

  • IoC types supported: IP (v4/v6), domain, URL, file hash (MD5/SHA1/SHA256/SHA512), email
  • MITRE ATT&CK tagging: Extracted from STIX labels and SOCRadar's extra-info-ext extension tags (type: MITRE_ATTCK)
  • Malware family detection: 60+ known families (Redline, Emotet, Cobalt Strike, LockBit, Prometei, etc.) detected from labels, tags, and indicator metadata
  • Confidence mapping: STIX confidence (0–100 float) → MISP confidence-level taxonomy
  • SOCRadar threat score: Numeric score from extra-info-ext.score preserved as tag
  • Feed source attribution: Original feed sources (e.g., C&Cs) tagged per attribute
  • Country/geo tags: Geographic attribution from COUNTRY-type extension tags
  • TLP marking: Configurable default
  • Pagination: Handles SOCRadar's more + next JSON cursor pagination
  • Deduplication: Skips duplicate indicator values

Import Module — Configuration

In MISP: Administration → Server Settings → Plugin Settings → Import

| Parameter | Description | Default |
|---|---|---|
| socradar_taxii_url | TAXII 2.1 base URL | https://taxii2.socradar.com |
| socradar_api_root | API root path | radar_alpha |
| socradar_username | TAXII username | |
| socradar_password | TAXII password | |

Expansion Module — socradar_lookup.py

Hover and enrichment module that queries SOCRadar's IoC Enrichment REST API (/ioc_enrichment/get/) for real-time threat intelligence on MISP attributes:

  • Input types: ip-src, ip-dst, domain, hostname, url, md5, sha1, sha256, email-src, email-dst
  • Two enrichment modes:
    • Full mode (default) — calls /ioc_enrichment/get/indicator_details returning: categorization (malware, scanner, tor, proxy, honeypot, CDN, VPN, etc.), malware families, threat actors, targeted industries, cross-source confidence (Very High / High / Medium / Low), IoC signal strength, feed history with timestamps, ASN and geographic info, and optionally AI-generated threat insight
    • STIX mode — calls /ioc_enrichment/get/indicator_details_stix for fast structured STIX 2.1 output with MITRE ATT&CK technique mappings, tags, and feed sources
  • Authentication: Requires a SOCRadar IoC Enrichment API key (stored securely in MISP server settings, encrypted at rest)
  • Performance: AI insight is disabled by default as it adds ~10-15s processing time; can be enabled via config when deeper analysis is needed
  • Error handling: Clear error messages for authentication failures, timeouts, and bad requests with guidance on obtaining API keys
  • Module types: expansion, hover

Expansion Module — Configuration

In MISP: Administration → Server Settings → Plugin Settings → Enrichment

| Parameter | Description | Default |
|---|---|---|
| socradar_api_key | SOCRadar IoC Enrichment API key (required) | |
| socradar_api_url | API base URL | https://platform.socradar.com/api |
| socradar_mode | full (detailed JSON) or stix (fast STIX 2.1) | full |
| socradar_ai_insight | Include AI-generated insight in full mode (slower) | false |

Note: Customers need an IoC Enrichment API key from SOCRadar, available at https://platform.socradar.com → API Management. The import module (TAXII) uses separate TAXII credentials and does not require this API key.


SOCRadar STIX 2.1 Data Format

SOCRadar's TAXII response uses standard STIX 2.1 with a custom extra-info-ext extension:

```json
{
  "type": "indicator",
  "pattern": "[file:hashes.sha1 = 'abc123...']",
  "confidence": 28.0,
  "labels": ["malware", "t1055", "t1486", "prometei", "botnet"],
  "extensions": {
    "extra-info-ext": {
      "score": 28.5,
      "tags": [
        {"tag": "malware", "type": "TAG", "priority": 1},
        {"tag": "t1055", "type": "MITRE_ATTCK", "priority": 10, "description": "Process Injection"},
        {"tag": "hong kong", "type": "COUNTRY", "priority": 10}
      ],
      "feed_source_list": [
        {"source_name": "SOCRadar Research Team-Hash", "seen_count": 1, "first_seen_date": "2025-05-29 13:23:42"}
      ]
    }
  },
  "threat_feed_source_name": "SOCRadar Research Team-Hash",
  "indicator_types": ["malicious-activity"]
}
```

Testing

Tested against live SOCRadar TAXII 2.1 production data. Example dry-run output from import module:

```text
Collection 'file-import' → 3 groups: Screenconnect(1), Prometei(1), Malicious IPs(1)

  Event: SOCRadar: Screenconnect
  Tags: source:SOCRadar, type:OSINT, tlp:amber, mitre-attack:T1055, mitre-attack:T1071.001,
        mitre-attack:T1486, mitre-attack:T1496, malware:screenconnect
    → [url] https://object.brovanti.com/bin/support.client.exe...

  Event: SOCRadar: Prometei
  Tags: source:SOCRadar, type:OSINT, tlp:amber, mitre-attack:T1055, mitre-attack:T1486,
        malware:prometei, feed-source:Abuse.ch-Hash, feed-source:MalwareBazaar Feeds
    → [sha1] bc558a64f7667ca11e60c21e4a3d25ee0032eaca

  Event: SOCRadar: Malicious IPs
  Tags: source:SOCRadar, type:OSINT, tlp:amber, mitre-attack:T1595.001, mitre-attack:T1595.002,
        country:hong kong, feed-source:SOCRadar Internal Soruces
    → [ip-dst] 47.76.121.170
```

Dependencies

  • requests (already included in misp-modules dependencies)

Files Changed

  • misp_modules/modules/import_mod/socradar_taxii_feed.py (new file)
  • misp_modules/modules/expansion/socradar_lookup.py (new file)

About the Author

SOCRadar — Enterprise API & Integration Team

- Import module (socradar_taxii_feed.py):
  Fetches STIX 2.1 indicators from SOCRadar TAXII 2.1 server with
  MITRE ATT&CK, malware family, confidence, geo, and feed source tagging.
  Handles pagination via more+next cursor. 60+ malware family detection.

- Expansion module (socradar_lookup.py):
  Enriches MISP attributes via SOCRadar IoC Enrichment API.
  Two modes: full (categorization, classifications, history, optional AI)
  and stix (fast STIX output). Supports IP, domain, URL, hash, email.

Signed-off-by: Burak Goger <burak.goger@socradar.io>
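An added example, not the module's own code, of the two import-side behaviours the commit message lists: following TAXII 2.1 more/next cursor pagination with a cap that plays the role of the max_indicators setting, and skipping indicators whose value was already imported. It runs against a constructed in-memory stand-in for the collection objects endpoint (fake_fetch, _PAGES and the cursor strings are assumptions, not SOCRadar's server).

```python
import re

# Constructed stand-in for a TAXII 2.1 objects endpoint (three pages, one value repeated
# across pages). This is not SOCRadar's server and not the module's own code.
_PAGES = {
    None: {"more": True, "next": "c1", "objects": [
        {"id": "indicator--1", "pattern": "[domain-name:value = 'bad.example']"},
        {"id": "indicator--2", "pattern": "[ipv4-addr:value = '203.0.113.5']"}]},
    "c1": {"more": True, "next": "c2", "objects": [
        {"id": "indicator--3", "pattern": "[ipv4-addr:value = '203.0.113.5']"}]},  # same value again
    "c2": {"more": False, "objects": [
        {"id": "indicator--4", "pattern": "[url:value = 'http://bad.example/x']"}]},
}

def fake_fetch(params):
    """Stand-in for requests.get(objects_url, params=params, auth=(user, pw)).json()."""
    return _PAGES[params.get("next")]

def fetch_all_objects(fetch, max_objects=500):
    """Follow TAXII 2.1 'more'/'next' cursors until the server reports no more pages.

    max_objects plays the role of the PR's max_indicators setting: it stops a large
    collection from running the import past MISP's request timeout."""
    params, objects, seen_cursors = {"limit": 100}, [], set()
    while True:
        page = fetch(params)
        objects.extend(page.get("objects", []))
        cursor = page.get("next")
        if not page.get("more") or not cursor or len(objects) >= max_objects:
            return objects[:max_objects]
        if cursor in seen_cursors:  # a server that repeats a cursor would otherwise loop forever
            return objects[:max_objects]
        seen_cursors.add(cursor)
        params = dict(params, next=cursor)

def dedupe_by_value(objects):
    """Skip indicators whose pattern value was already imported, keeping the first occurrence."""
    seen, unique = set(), []
    for obj in objects:
        m = re.search(r"=\s*'([^']+)'", obj.get("pattern", ""))
        key = m.group(1) if m else obj["id"]
        if key not in seen:
            seen.add(key)
            unique.append(obj)
    return unique
```

Deduplicating on the pattern value rather than the STIX id is what makes the import robust to the same indicator being served under different ids across pages or collections.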
@Radargoger
Contributor Author

Radargoger commented Apr 12, 2026

Hi MISP team,
We're from SOCRadar — an Extended Threat Intelligence platform. This PR adds two modules:

  1. Import module — pulls STIX 2.1 indicators from our TAXII 2.1 server with rich tagging (MITRE ATT&CK, malware families, confidence mapping, geo tags, feed sources)
  2. Expansion module — enriches attributes via our IoC Enrichment REST API (categorization, threat actors, signal strength, optional AI insight)

We're aware of the existing generic TAXII 2.1 import module. Our import module adds SOCRadar-specific value by parsing the extra-info-ext STIX extension which includes MITRE technique mappings, malware family classifications, SOCRadar threat scores, and multi-source attribution that the generic module doesn't handle.

The expansion module uses a separate REST API (/ioc_enrichment/get/indicator_details) — not TAXII — so lookups are ~2-10s.

Both modules have been tested against production data. Happy to address any feedback!

Best,
Burak Goger — SOCRadar Enterprise API & Integration Team
cc @adulau

@adulau
Member

adulau commented Apr 12, 2026

Thanks a lot. This looks great.

Can you lint the files to be sure that the tests are passing?

- Collection UUID empty → lists all available collections with names and UUIDs
- max_indicators config (default 500) prevents timeout on large collections
- Better user guidance in field descriptions
- Import summary shows count and limit info
@Radargoger
Contributor Author

Radargoger commented Apr 12, 2026

Hi @adulau, thanks for the quick review and support!

Both files are now linted with black, isort, and flake8.

We tested both modules on a live MISP instance:

Import module — Successfully fetches indicators from SOCRadar TAXII 2.1 server via http://127.0.0.1:6666/query. Tested with 14 collections, indicators are returned with full tagging:

  • MITRE ATT&CK techniques (T1055, T1071.001, T1486, etc.)
  • Malware family detection (Prometei, Connectwise, etc.)
  • Confidence level mapping (STIX 0-100 → MISP taxonomy)
  • SOCRadar threat score
  • Feed source attribution (Abuse.ch, MalwareBazaar, AbuseIPDB, etc.)
  • Country/geo tags and TLP marking

The module also supports collection auto-discovery — when no collection UUID is provided, it returns a list of all available collections with their UUIDs and feed names.

Expansion module — Successfully enriches attributes via SOCRadar IoC Enrichment REST API (/ioc_enrichment/get/indicator_details). Tested with IP and hash lookups — returns categorization (honeypot, scanner, threat_actor), SOCRadar score, first/last seen dates, and feed source details. Tags are correctly added to enriched attributes.

Let us know if you need any changes!
Burak

@adulau adulau merged commit 99a6ab2 into MISP:main Apr 13, 2026
5 checks passed
@adulau
Member

adulau commented Apr 13, 2026

Great stuff. I merged it but I have some open questions about the TAXII->MISP connectors:

  • How do you deal with duplicates? If I recall the TAXII protocol properly, the collection UUID is not unique across connections, or SOCRadar has a very custom implementation to support that.
  • Do you plan to add additional objects/support in the future?

Thanks a lot.
