How to Deploy an Open Source Threat Intelligence Platform with MISP

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Threat intelligence without a platform is a collection of flat files and email threads. MISP gives structure to IOCs, enables correlation (finding which of your SIEM alerts match known threat actors), and automates distribution to blocking systems. It ingests from CIRCL, AbuseIPDB, MalwareBazaar, and dozens of community feeds: and exports enriched indicators to Sentinel watchlists, Palo Alto EDL, and Cisco Firepower blocked IP lists.
MISP is maintained by CIRCL (Computer Incident Response Center Luxembourg) and used by NATO, EU CERTs, and thousands of private organizations. It is the default choice for organizations that want structured TIP capabilities without a $100K commercial license.
MISP Deployment on Ubuntu
# Requirements: Ubuntu 22.04 LTS, 8GB RAM, 4 CPU cores, 100GB storage
# MISP uses ~4GB RAM under normal load; 8GB provides headroom for feeds
# Official automated installer (recommended):
curl -fsSL https://raw.githubusercontent.com/MISP/MISP/2.4/INSTALL/INSTALL.sh -o /tmp/INSTALL.sh
bash /tmp/INSTALL.sh
# The installer:
# - Installs MISP and all dependencies (PHP, MariaDB, Redis, Apache)
# - Configures the database
# - Creates the admin user (admin@admin.test / password shown at end)
# - Sets up background workers for feed pulling
# - Takes 15-30 minutes on a clean Ubuntu 22.04 server
# After install: access MISP at https://[server-ip]
# First login:
# Username: admin@admin.test
# Password: (shown in installer output)
# Change password immediately after first login
Initial configuration:
In MISP web interface:
Admin > Server Settings > MISP settings:
MISP.baseurl: https://[your-server-fqdn]
MISP.email: security@yourdomain.com
MISP.org: [Your Organization Name]
# Generate GnuPG key (for event signing and sharing):
Admin > Server Settings > MISP settings > GnuPG:
MISP.gpg.onlyencrypted: false
MISP.gpg.homedir: /var/www/MISP/.gnupg
Generate key from the interface or:
cd /var/www/MISP && sudo -u www-data gpg --gen-key
# Configure Redis (background jobs):
Admin > Server Settings > Workers > Start all workers
# Workers process feed pulls, export generation, and correlations
Configure Threat Intelligence Feeds
MISP includes built-in feed configurations for the most commonly used threat intelligence sources.
In MISP: Sync Actions > Feeds > List Feeds
Enable the following feeds (all free, no API key required):
1. CIRCL OSINT Feed
URL: https://www.circl.lu/doc/misp/feed-osint/
Format: MISP Feed
Pull all: Yes
Description: CIRCL's primary OSINT feed: high-quality IOCs from European CERTs
2. Botvrij.eu (Domain IOCs)
URL: https://www.botvrij.eu/data/feed-osint/
Format: MISP Feed
Description: Malicious domain indicators
3. ESET COVID Threat Feed (covers general malware)
URL: https://github.com/eset/malware-ioc
Format: Various
4. Abuse.ch feeds:
- MalwareBazaar: https://bazaar.abuse.ch/export/
- FeodoTracker: https://feodotracker.abuse.ch/downloads/
- URLhaus: https://urlhaus.abuse.ch/downloads/
These require free API registration at abuse.ch
# Via PyMISP: add a feed programmatically:
from pymisp import PyMISP
misp = PyMISP('https://your-misp-server', 'YOUR-API-KEY', ssl=True)
# Add a new feed:
feed = {
'name': 'MalwareBazaar',
'provider': 'Abuse.ch',
'url': 'https://bazaar.abuse.ch/export/csv/recent/',
'enabled': True,
'pull': True,
'source_format': 'csv',
'input_source': 'network',
'distribution': '0', # Your organization only
'tag_id': '0',
'caching_enabled': True,
}
result = misp.add_feed(feed)
# Schedule automatic feed pulls:
# Admin > Server Settings > Jobs > Schedule Tasks:
# "fetch_feeds": every 1 hour
# "cache_feeds": every 6 hours
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Microsoft Sentinel Integration (TAXII)
Method 1: Sentinel TAXII connector (Microsoft TAXII feed support):
MISP serves as a TAXII server that Sentinel can poll directly.
In MISP: Admin > List Auth Keys > Add Authentication Key
Create a key with read-only permissions for Sentinel integration
Save the API key
MISP TAXII server URL (built-in):
https://[misp-server]/taxii2/collections/
In Microsoft Sentinel:
Content Hub > Search "MISP" > Install the MISP2Sentinel connector
Or:
Data Connectors > Threat Intelligence Platforms > TAXII
TAXII server: https://[misp-server]/taxii2/
Collection ID: [collection UUID from MISP]
Username: [blank]
Password: [MISP API key]
Lookback: 3 months
Method 2: MISP to Sentinel watchlist export (for custom IOC types):
# Export MISP IOCs to a Sentinel watchlist via the Sentinel API
import requests
from pymisp import PyMISP
misp = PyMISP('https://your-misp-server', 'MISP-API-KEY')
# Get recent IOCs (last 24h, high confidence):
events = misp.search(
type_attribute=['ip-dst', 'domain', 'url', 'md5', 'sha256'],
to_ids=True, # Only export IDS-flagged attributes
timestamp='1d', # Last 24 hours
published=True
)
# Format for Sentinel watchlist:
iocs = []
for event in events:
for attr in event.get('Attribute', []):
iocs.append({
'type': attr['type'],
'value': attr['value'],
'comment': attr.get('comment', ''),
'threat_level': event.get('threat_level_id', '2')
})
# Upload to Sentinel watchlist via Sentinel REST API
# (requires Log Analytics workspace ID + key)
Use MISP IOCs in Sentinel detection rules:
// Alert when a network connection matches a MISP threat intel indicator
let MISPIndicators = ThreatIntelligenceIndicator
| where TimeGenerated > ago(24h)
| where SourceSystem == "MISP"
| where Active == true
| where NetworkIP != ""
| project MaliciousIP = NetworkIP, IndicatorId, Description;
CommonSecurityLog
| join kind=inner MISPIndicators on $left.DestinationIP == $right.MaliciousIP
| project TimeGenerated, DeviceVendor, SourceIP, DestinationIP = MaliciousIP,
Description, IndicatorId
Automated IOC Export for Blocking
# Export MISP IOCs to a format suitable for firewall/EDR blocking
# Uses the MISP REST export and PyMISP library
from pymisp import PyMISP
import json
from datetime import datetime
misp = PyMISP('https://your-misp-server', 'MISP-API-KEY', ssl=True)
# Export malicious IPs for Palo Alto External Dynamic List (EDL):
result = misp.search(
type_attribute='ip-dst',
to_ids=True, # Only IDS-flagged (actionable) indicators
timestamp='7d', # Last 7 days
threat_level_id='1', # High threat level only
)
ip_list = []
for event in result:
for attr in event.get('Attribute', []):
if attr['type'] == 'ip-dst':
ip_list.append(attr['value'])
# Write Palo Alto EDL format (one IP per line):
with open('/var/www/misp-exports/blocked-ips.txt', 'w') as f:
f.write('\n'.join(set(ip_list)))
# Palo Alto EDL configuration:
# Objects > External Dynamic Lists > New
# Type: IP List
# Source: https://your-misp-server/misp-exports/blocked-ips.txt
# Repeat: Every 5 minutes
MISP API key management:
In MISP: Admin > List Auth Keys
Create separate keys per integration:
- Sentinel-ReadOnly: GET only, no POST/DELETE
- EDL-Export: GET only, specific endpoint permissions
- SIEM-Push: POST for event creation from alert pipeline
Rotate keys quarterly or when personnel change
Log key usage: Admin > Server Settings > Audit Logs
The bottom line
MISP deployment uses the official installer script on Ubuntu 22.04 (curl + bash INSTALL.sh: 15-30 min). Enable CIRCL OSINT feed, abuse.ch feeds (MalwareBazaar, URLhaus, FeodoTracker), and botvrij.eu as minimum starting feeds. Integrate with Microsoft Sentinel via the TAXII connector pointing to https://[misp-server]/taxii2/ with an API key for polling. Use the ThreatIntelligenceIndicator table in Sentinel to join MISP indicators against network logs. Export actionable high-confidence IPs to Palo Alto or Cisco firewall External Dynamic Lists for automated blocking: filter to to_ids=True and threat_level_id=1 (high) to avoid blocking false positives.
Frequently asked questions
What is MISP and how does it differ from commercial threat intelligence platforms?
MISP (Malware Information Sharing Platform) is a free, open-source threat intelligence platform that stores, correlates, and shares IOCs in structured STIX/TAXII format. Unlike commercial platforms (Recorded Future, ThreatConnect, Anomali), MISP does not include premium intelligence feeds or automated analyst workflows: it provides the platform and community feeds, and organizations build their own feed subscriptions and integrations. MISP is used by NATO, European government CERTs, and thousands of private organizations as either a primary TIP or as an on-premises aggregator for commercial intelligence.
How do you get high-quality free threat intelligence feeds for MISP?
Start with the feeds included in MISP's default feed list: CIRCL OSINT (European CERT intelligence, no registration required), botvrij.eu (domain indicators), and the abuse.ch family: MalwareBazaar (malware samples and hashes), URLhaus (malicious URLs), and FeodoTracker (botnet C2 IPs): all free with registration at abuse.ch. Enable feeds in Sync Actions > Feeds > List Feeds. Schedule hourly fetch_feeds jobs in Admin > Server Settings > Jobs. The CIRCL and abuse.ch feeds collectively cover a large portion of current commodity malware infrastructure.
How do I integrate MISP with Microsoft Sentinel for automated threat detection?
Two integration methods: (1) TAXII connector: MISP serves as a TAXII 2.1 server at https://[misp-server]/taxii2/. In Sentinel, install the MISP2Sentinel connector from Content Hub, configure the TAXII data connector with your MISP server URL, collection ID, and API key. Indicators flow into the ThreatIntelligenceIndicator table and automatically match against ingested logs via built-in Sentinel analytics rules. (2) Direct export via PyMISP: use a scheduled script to query MISP for recent high-confidence IOCs and push them to a Sentinel watchlist via the Log Analytics REST API. The TAXII approach is simpler to maintain; the PyMISP approach allows more filtering (threat level, feed source, attribute type) before indicators reach Sentinel.
How do I use MISP to automatically block malicious IPs at the firewall?
Export MISP indicators to an External Dynamic List (EDL) for supported firewalls (Palo Alto, Fortinet, Check Point). Use PyMISP to query for IP attributes with to_ids=True (IDS-flagged, actionable) and threat_level_id=1 (high confidence only) from the last 7 days, write them to a text file (one IP per line), and serve that file over HTTPS from the MISP server or a web server. Configure the firewall's EDL to pull from that URL every 5-15 minutes. Critical filter: never export unverified indicators to blocking infrastructure; limit exports to high-threat-level, to_ids-flagged attributes from curated feeds. False positives in blocklists cause availability incidents.
What hardware or cloud resources does MISP require to run reliably?
MISP minimum production requirements: 8GB RAM (4GB for MISP, 4GB for MariaDB and feed processing), 4 CPU cores, 100GB SSD storage (threat intelligence data grows: plan for 200-500GB over 1-2 years with feeds enabled). Recommended cloud instance: AWS t3.xlarge (4 vCPU, 16GB RAM) or GCP e2-standard-4. Ubuntu 22.04 LTS is the officially supported OS. For high-availability deployments: run MISP behind an HTTPS load balancer, use a managed database (RDS or Cloud SQL) for MariaDB, and separate the Redis cache. Single-instance MISP serves most teams of up to 50 analysts without performance issues; feed workers running every hour add CPU spikes during pull cycles.
How do you measure whether MISP is actually improving your detection, and what metrics indicate a healthy threat intelligence operation?
Measure MISP ROI through four operational metrics: (1) IOC hit rate -- query Sentinel for ThreatIntelligenceIndicator matches against network and endpoint logs per month; even a 1-2% hit rate on high-fidelity indicators represents meaningful automated detection enrichment; (2) indicator freshness -- run 'ThreatIntelligenceIndicator | where SourceSystem == "MISP" and ExpirationDateTime < now()' in Sentinel to identify stale indicators still in the watchlist; high stale counts mean feed pulls are failing or indicators are not being retired; (3) false positive rate on MISP-sourced blocks -- track how often IPs or domains exported to firewall blocklists generate user complaints about blocked legitimate traffic; false positive rates above 0.5% indicate filtering is too permissive (relax to_ids=True and threat_level_id=1 requirements); (4) analyst enrichment value -- measure how often analysts click through to MISP event context from a SIEM alert versus ignoring it. Beyond metrics, verify feed freshness by checking the 'Last import' timestamp for each enabled feed in MISP's feed management page: feeds not updating for more than 48 hours indicate connectivity or parsing failures requiring investigation.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
