MISP

A comprehensive guide to MISP (Malware Information Sharing Platform) for SOC analysts — threat intel sharing, STIX import/export, feed management, correlation, and integrating MISP with SIEM and EDR.

What MISP Is and Why Analysts Use It

  • MISP (Malware Information Sharing Platform) is an open-source threat intelligence platform designed to store, correlate, and share indicators of compromise, malware analysis reports, and threat actor information.
  • MITRE ATT&CK maps threat intelligence sharing as a key enabler of T1598 (Threat Intel Gathering) defense — structured intelligence lets analysts pivot from individual IOCs to the broader threat landscape.
  • Unlike a simple CSV of hashes, MISP stores fully structured threat data: each event can contain multiple attributes (IOCs) with relationships, tags, and context. An event for “Emotet campaign” might include the file hash, delivery URL, C2 IP, email subject line, and MITRE ATT&CK technique — all linked together.
  • MISP also handles correlation — if two analyst teams submit a report about the same IP address, MISP links those events together, revealing that both teams are tracking the same campaign.

Core MISP Concepts

Events and Attributes

| Concept | What It Is | Example |
|---|---|---|
| Event | A collection of related intelligence | "Suspicious Emotet Activity — May 2026" |
| Attribute | A single indicator within an event | IP 5.5.5.5, SHA256 e3b0c44..., domain evil.com |
| Object | A structured set of attributes linked together | A file object containing hash, filename, size, and MIME type |
| Tag | A label applied to an event or attribute | tlp:red, PAP:AMBER, osint:source="virustotal" |
| Galaxy | A knowledge base linked to attributes | MITRE ATT&CK, Threat Actor, CVE, country |
| Correlation | Automatic linking of matching attributes across events | Two events mentioning IP 5.5.5.5 are correlated |

Attribute Types

| Type | Example |
|---|---|
| ip-src (source IP) | 185.220.101.45 |
| ip-dst (destination IP) | 203.0.113.5 |
| domain | evil-c2.example.com |
| hostname | cdn.evil-c2.example.com |
| url | https://evil.com/payload.exe |
| md5 | d41d8cd98f00b204e9800998ecf8427e |
| sha1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| sha256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| filename | invoice.docm |
| email-src | phisher@evil.com |
| email-subject | RE: Invoice #12345 — Please Process |
| mutex | Global\MSCTF.Asm.System |
| regkey | HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Malware |
| yara | rule Emotet { meta: ... } |

Installing and Configuring MISP

Quick Install (Ubuntu/Debian)

# Official MISP installation script
wget -O /tmp/install.sh https://raw.githubusercontent.com/MISP/MISP/2.5/INSTALL/INSTALL.sh
sudo bash /tmp/install.sh

# Or use Docker for evaluation:
docker run -d -p 443:443 -p 80:80 harvarditsecurity/misp

Initial Configuration

After installation, the admin must:

  1. Create organization: Define your organization profile
  2. Create user accounts: Grant roles (admin, org admin, publisher, sync user, user)
  3. Configure sharing groups: Control who can see what (Your Organization, Connected Communities, All)
  4. Set up feeds: Subscribe to external threat feeds
  5. Enable correlation: Turn on attribute correlation
  6. Configure sync: Link to other MISP instances if sharing with peers

User Roles

| Role | Permissions | Use Case |
|---|---|---|
| Admin | Full system control | MISP administrator |
| Org Admin | Manage org users and events | SOC manager |
| Publisher | Create, edit, publish events | Senior analyst creating intel reports |
| User | Create and edit own events, view published events | SOC analyst |
| Sync User | Automated sync with other MISP instances | Machine-to-machine sharing |
| Read Only | View published events only | Read-only consumers |

STIX Import and Export

MISP natively supports STIX 1.x and 2.x import and export. This is critical for interoperability: threat intel feeds in STIX format can be ingested into MISP, and MISP events can be exported as STIX, YARA rules, Sigma rules, or other formats for use in detection tools.

Importing STIX

# Via CLI
./app/Console/cake stix2 import /path/to/stix2-bundle.json

# Via API
curl -X POST -H "Authorization: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"Feed":{"url":"https://example.com/feed.json","format":"stix2"}}' \
  https://misp.internal.example.com/feeds/add

Exporting STIX

# Via MISP UI:
# Event Actions → Export → Download as STIX2

# Via API:
GET /events/stix/download/<event_id>

Mapping Between MISP and STIX

| STIX 2.1 Object | MISP Equivalent |
|---|---|
| Indicator | Attribute with IDS flag set to true |
| Attack Pattern | Galaxy Cluster (MITRE ATT&CK) |
| Threat Actor | Galaxy Cluster (Threat Actor) |
| Malware | Galaxy Cluster (Malware) |
| Campaign | Event tag or galaxy |
| Report | Event with distribution level |
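The first row of the mapping, worked as an added example (not MISP's own exporter): only attributes whose IDS flag (`to_ids`) is set become STIX 2.1 Indicators, with the attribute value wrapped in a STIX pattern and MISP tags carried as labels. The pattern templates cover an assumed subset of attribute types, and the sample event is constructed.

```python
import uuid
from datetime import datetime, timezone

# STIX 2.1 pattern template per MISP attribute type (assumed subset of the mapping)
PATTERNS = {
    "ip-src": "[ipv4-addr:value = '{v}']",
    "ip-dst": "[ipv4-addr:value = '{v}']",
    "domain": "[domain-name:value = '{v}']",
    "url": "[url:value = '{v}']",
    "md5": "[file:hashes.MD5 = '{v}']",
    "sha256": "[file:hashes.'SHA-256' = '{v}']",
}

def attribute_to_indicator(attr, now=None):
    """Map one MISP attribute to a STIX 2.1 Indicator dict; return None when the
    attribute is not IDS-flagged (to_ids) or its type has no pattern mapping."""
    if not attr.get("to_ids") or attr["type"] not in PATTERNS:
        return None
    # Escape backslashes and single quotes so the value is safe inside a STIX pattern
    value = attr["value"].replace("\\", "\\\\").replace("'", "\\'")
    ts = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{attr.get('uuid') or uuid.uuid4()}",  # reuse MISP's attribute UUID
        "created": ts, "modified": ts, "valid_from": ts,
        "name": f"{attr['type']}: {attr['value']}",
        "pattern": PATTERNS[attr["type"]].format(v=value),
        "pattern_type": "stix",
        "labels": [t["name"] for t in attr.get("Tag", [])],  # MISP tags carried as labels
    }

def event_to_bundle(event):
    """Wrap every IDS-flagged attribute of a MISP event in a STIX 2.1 bundle."""
    objects = [i for i in (attribute_to_indicator(a) for a in event["Attribute"]) if i]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}

# Constructed sample event in MISP's JSON shape (not real intelligence)
SAMPLE_EVENT = {"Attribute": [
    {"uuid": "1c9a4f0e-5b2d-4e8a-9c11-000000000001", "type": "ip-dst", "value": "5.5.5.5",
     "to_ids": True, "Tag": [{"name": "tlp:amber"}]},
    {"uuid": "1c9a4f0e-5b2d-4e8a-9c11-000000000002", "type": "sha256", "to_ids": True,
     "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    {"uuid": "1c9a4f0e-5b2d-4e8a-9c11-000000000003", "type": "email-subject",
     "value": "RE: Invoice #12345", "to_ids": False},  # context only, never an Indicator
]}
```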

Feed Management

MISP can ingest indicators from external feeds, automatically creating events and attributes. These feeds can also be exported as Snort and Suricata IDS rules for network-level detection.

Adding a Feed

Navigate to Sync Actions → List Feeds and enable available feeds, or add a custom feed:

| Feed Source | Type | Update Frequency | Quality |
|---|---|---|---|
| CIRCL | MISP feed | Daily | High quality, curated by CIRCL |
| Botvrij.eu | MISP feed | Daily | Open source, verified |
| AlienVault OTX (via import) | Custom | Variable | Moderate — community-dependent |
| Abuse.ch URLhaus | CSV | Every 5 minutes | High — real-time malware URLs |
| Abuse.ch MalwareBazaar | CSV | Every 5 minutes | High — hashes + metadata |
| Custom CSV feed | CSV | Configurable | As configured |

API — List Feeds

curl -H "Authorization: YOUR_API_KEY" \
  https://misp.internal.example.com/feeds/index

Integrating MISP with SIEM and EDR

The value of MISP is realized when indicators make it into your detection tools.

Push to SIEM (Splunk Example)

#!/usr/bin/env python3
# misp-to-splunk.py — Export attributes with IDS flag to Splunk lookup file
import requests

MISP_URL = "https://misp.internal.example.com"
API_KEY = "YOUR_API_KEY"
LOOKUP_FILE = "/opt/splunk/etc/apps/threat-intel/lookups/misp_iocs.csv"

headers = {"Authorization": API_KEY, "Accept": "application/json",
           "Content-Type": "application/json"}
# restSearch takes its filters as a JSON body; ask for CSV back and restrict
# the result to IDS-flagged (to_ids) attributes from published events
body = {
    "returnFormat": "csv",
    "type": ["ip-src", "ip-dst", "domain", "url", "sha256"],
    "to_ids": 1,
    "published": 1,
}

response = requests.post(f"{MISP_URL}/attributes/restSearch", headers=headers, json=body)
response.raise_for_status()  # fail loudly instead of writing an error page into the lookup

with open(LOOKUP_FILE, "w") as f:
    f.write(response.text)

Push to EDR via API

#!/usr/bin/env python3
# misp-to-edr.py — Push IOCs to EDR blocklist
# This script fetches new MISP attributes and pushes them to the EDR API
import requests

MISP_API = "https://misp.internal.example.com/attributes/restSearch"
EDR_API = "https://edr.internal.example.com/api/v1/ioc/import"
API_KEY_MISP = "MISP_KEY"
API_KEY_EDR = "EDR_KEY"

headers_misp = {"Authorization": API_KEY_MISP, "Accept": "application/json",
                "Content-Type": "application/json"}
# Attributes of the given types added in the last day and flagged for IDS use
body = {"last": "1d", "type": ["ip-src", "ip-dst", "domain", "sha256"], "to_ids": 1}

# Fetch recent indicators (restSearch filters go in the JSON body)
response = requests.post(MISP_API, headers=headers_misp, json=body)
response.raise_for_status()
indicators = response.json()["response"]["Attribute"]

# Push to EDR (the payload shape here is whatever the EDR vendor's import API expects)
edr_payload = {"indicators": indicators}
edr_response = requests.post(EDR_API, json=edr_payload, headers={"Authorization": API_KEY_EDR})
edr_response.raise_for_status()

Correlation — Finding Relationships

MISP’s correlation engine automatically links attributes across events. If two different events both contain the same IP address, MISP creates a correlation entry.

What Gets Correlated

| Attribute Type | Correlation Behaviour |
|---|---|
| IP addresses | Matched on exact value |
| Domains | Matched on exact value |
| Hashes | Matched on exact value |
| URLs | Matched on exact value |
| Email addresses | Matched on exact value |
| Mutex names | Matched on exact value |
| Registry keys | Matched on exact value |

Using Correlation in Investigations

  1. Find an IOC in your SIEM (e.g., IP 5.5.5.5)
  2. Search MISP for that attribute
  3. View correlated events — see which other analysts or feeds have reported that IP
  4. Pivot to other attributes in those correlated events (other IPs, hashes, domains)
  5. Feed those pivots back to SIEM — repeat
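The exact-value correlation described above and the pivot in steps 2 to 4 of the workflow, as an added example that models MISP's behaviour over constructed event JSON (this is not MISP's own correlation engine). It assumes the list of correlating types shown and MISP's `{"Event": {...}}` JSON shape; free-text types such as `comment` are deliberately never matched.

```python
from collections import defaultdict

# Attribute types MISP correlates on exact value (the table above, plus hostname and url)
CORRELATING_TYPES = {"ip-src", "ip-dst", "domain", "hostname", "url", "md5", "sha1",
                     "sha256", "email-src", "email-dst", "mutex", "regkey"}

# Constructed sample events in MISP's JSON shape (not real intelligence)
EVENTS = [
    {"Event": {"id": "101", "info": "Emotet campaign - CIRCL feed", "Attribute": [
        {"type": "ip-dst", "value": "5.5.5.5"},
        {"type": "sha256", "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    ]}},
    {"Event": {"id": "102", "info": "Phishing wave - SOC team", "Attribute": [
        {"type": "ip-src", "value": "5.5.5.5"},           # same value, different type: still matches
        {"type": "domain", "value": "evil-c2.example.com"},
        {"type": "comment", "value": "5.5.5.5"},          # free-text type: never correlated
    ]}},
    {"Event": {"id": "103", "info": "Unrelated scan", "Attribute": [
        {"type": "ip-src", "value": "203.0.113.5"},
    ]}},
]

def build_index(events):
    """Map each correlating attribute value to the set of event ids carrying it."""
    index = defaultdict(set)
    for ev in events:
        e = ev["Event"]
        for attr in e.get("Attribute", []):
            if attr["type"] in CORRELATING_TYPES:
                index[attr["value"]].add(e["id"])
    return index

def correlations(events):
    """Values seen in two or more events, i.e. what MISP would record as correlations."""
    return {v: sorted(ids) for v, ids in build_index(events).items() if len(ids) > 1}

def pivot(events, ioc):
    """Steps 2-4 of the workflow: for one IOC found in the SIEM, return the other
    correlating indicators from every event that mentions it."""
    hits = build_index(events).get(ioc, set())
    related = set()
    for ev in events:
        e = ev["Event"]
        if e["id"] in hits:
            related.update((a["type"], a["value"]) for a in e["Attribute"]
                           if a["type"] in CORRELATING_TYPES and a["value"] != ioc)
    return sorted(related)
```

The tuples returned by `pivot` are exactly what step 5 feeds back into the SIEM lookup before the loop repeats.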

Workflows for SOC Analysts

Daily Intel Review

| Step | Action | MISP Feature |
|---|---|---|
| 1 | Check for new events from trusted feeds | Feed dashboard |
| 2 | Review new events for relevance to your sector | Filter by tags, galaxy |
| 3 | Publish relevant events to your organization | Event publishing |
| 4 | Export indicators to SIEM lookup | API export |
| 5 | Create detection rules based on new TTPs | MITRE ATT&CK galaxy mapping |

Incident Response Workflow

| Phase | MISP Action |
|---|---|
| Detection | Search MISP for IOCs found during triage |
| Analysis | Pivot to correlated events — find related IOCs and TTPs |
| Containment | Export relevant IOCs to firewall, SIEM, EDR |
| Eradication | Check MISP for kill-chain information — ensure complete removal |
| Post-incident | Publish a new MISP event detailing the incident IOCs |