MISP
Malware Information Sharing Platform: the de facto open-source TIP; used by NATOs NCIRC, European government CERTs, and thousands of organizations worldwide for structured threat intelligence sharing
STIX/TAXII
Structured Threat Intelligence eXpression / Trusted Automated eXchange of Intelligence Information: the standard formats for sharing threat intelligence; MISP can import and export both, enabling integration with any compliant platform
CIRCL
Computer Incident Response Center Luxembourg: operates the primary public MISP feeds and community instance; the CIRCL feeds are the most widely used free threat intelligence source for MISP deployments
PyMISP
The Python library for MISP API access: used to automate IOC import, export to blocklists, and SIEM integration; most community MISP integrations are built with PyMISP

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Threat intelligence without a platform is a collection of flat files and email threads. MISP gives structure to IOCs, enables correlation (finding which of your SIEM alerts match known threat actors), and automates distribution to blocking systems. It ingests from CIRCL, AbuseIPDB, MalwareBazaar, and dozens of community feeds: and exports enriched indicators to Sentinel watchlists, Palo Alto EDL, and Cisco Firepower blocked IP lists.

MISP is maintained by CIRCL (Computer Incident Response Center Luxembourg) and used by NATO, EU CERTs, and thousands of private organizations. It is the default choice for organizations that want structured TIP capabilities without a $100K commercial license.

MISP Deployment on Ubuntu

# Requirements: Ubuntu 22.04 LTS, 8GB RAM, 4 CPU cores, 100GB storage
# MISP uses ~4GB RAM under normal load; 8GB provides headroom for feeds

# Official automated installer (recommended):
curl -fsSL https://raw.githubusercontent.com/MISP/MISP/2.4/INSTALL/INSTALL.sh -o /tmp/INSTALL.sh
bash /tmp/INSTALL.sh

# The installer:
# - Installs MISP and all dependencies (PHP, MariaDB, Redis, Apache)
# - Configures the database
# - Creates the admin user (admin@admin.test / password shown at end)
# - Sets up background workers for feed pulling
# - Takes 15-30 minutes on a clean Ubuntu 22.04 server

# After install: access MISP at https://[server-ip]
# First login:
# Username: admin@admin.test
# Password: (shown in installer output)
# Change password immediately after first login

Initial configuration:

In MISP web interface:

Admin > Server Settings > MISP settings:
  MISP.baseurl: https://[your-server-fqdn]
  MISP.email: security@yourdomain.com
  MISP.org: [Your Organization Name]

# Generate GnuPG key (for event signing and sharing):
Admin > Server Settings > MISP settings > GnuPG:
  MISP.gpg.onlyencrypted: false
  MISP.gpg.homedir: /var/www/MISP/.gnupg
  Generate key from the interface or:
cd /var/www/MISP && sudo -u www-data gpg --gen-key

# Configure Redis (background jobs):
Admin > Server Settings > Workers > Start all workers
# Workers process feed pulls, export generation, and correlations

Configure Threat Intelligence Feeds

MISP includes built-in feed configurations for the most commonly used threat intelligence sources.

In MISP: Sync Actions > Feeds > List Feeds

Enable the following feeds (all free, no API key required):

1. CIRCL OSINT Feed
   URL: https://www.circl.lu/doc/misp/feed-osint/
   Format: MISP Feed
   Pull all: Yes
   Description: CIRCL's primary OSINT feed: high-quality IOCs from European CERTs

2. Botvrij.eu (Domain IOCs)
   URL: https://www.botvrij.eu/data/feed-osint/
   Format: MISP Feed
   Description: Malicious domain indicators

3. ESET COVID Threat Feed (covers general malware)
   URL: https://github.com/eset/malware-ioc
   Format: Various

4. Abuse.ch feeds:
   - MalwareBazaar: https://bazaar.abuse.ch/export/
   - FeodoTracker: https://feodotracker.abuse.ch/downloads/
   - URLhaus: https://urlhaus.abuse.ch/downloads/
   These require free API registration at abuse.ch
# Via PyMISP: add a feed programmatically:
from pymisp import PyMISP

misp = PyMISP('https://your-misp-server', 'YOUR-API-KEY', ssl=True)

# Add a new feed:
feed = {
    'name': 'MalwareBazaar',
    'provider': 'Abuse.ch',
    'url': 'https://bazaar.abuse.ch/export/csv/recent/',
    'enabled': True,
    'pull': True,
    'source_format': 'csv',
    'input_source': 'network',
    'distribution': '0',  # Your organization only
    'tag_id': '0',
    'caching_enabled': True,
}
result = misp.add_feed(feed)

# Schedule automatic feed pulls:
# Admin > Server Settings > Jobs > Schedule Tasks:
# "fetch_feeds": every 1 hour
# "cache_feeds": every 6 hours
Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Microsoft Sentinel Integration (TAXII)

Method 1: Sentinel TAXII connector (Microsoft TAXII feed support):

MISP serves as a TAXII server that Sentinel can poll directly.

In MISP: Admin > List Auth Keys > Add Authentication Key
Create a key with read-only permissions for Sentinel integration
Save the API key

MISP TAXII server URL (built-in):
https://[misp-server]/taxii2/collections/

In Microsoft Sentinel:
Content Hub > Search "MISP" > Install the MISP2Sentinel connector
Or:
Data Connectors > Threat Intelligence Platforms > TAXII

TAXII server: https://[misp-server]/taxii2/
Collection ID: [collection UUID from MISP]
Username: [blank]
Password: [MISP API key]
Lookback: 3 months

Method 2: MISP to Sentinel watchlist export (for custom IOC types):

# Export MISP IOCs to a Sentinel watchlist via the Sentinel API
import requests
from pymisp import PyMISP

misp = PyMISP('https://your-misp-server', 'MISP-API-KEY')

# Get recent IOCs (last 24h, high confidence):
events = misp.search(
    type_attribute=['ip-dst', 'domain', 'url', 'md5', 'sha256'],
    to_ids=True,  # Only export IDS-flagged attributes
    timestamp='1d',  # Last 24 hours
    published=True
)

# Format for Sentinel watchlist:
iocs = []
for event in events:
    for attr in event.get('Attribute', []):
        iocs.append({
            'type': attr['type'],
            'value': attr['value'],
            'comment': attr.get('comment', ''),
            'threat_level': event.get('threat_level_id', '2')
        })

# Upload to Sentinel watchlist via Sentinel REST API
# (requires Log Analytics workspace ID + key)

Use MISP IOCs in Sentinel detection rules:

// Alert when a network connection matches a MISP threat intel indicator
let MISPIndicators = ThreatIntelligenceIndicator
| where TimeGenerated > ago(24h)
| where SourceSystem == "MISP"
| where Active == true
| where NetworkIP != ""
| project MaliciousIP = NetworkIP, IndicatorId, Description;

CommonSecurityLog
| join kind=inner MISPIndicators on $left.DestinationIP == $right.MaliciousIP
| project TimeGenerated, DeviceVendor, SourceIP, DestinationIP = MaliciousIP,
    Description, IndicatorId

Automated IOC Export for Blocking

# Export MISP IOCs to a format suitable for firewall/EDR blocking
# Uses the MISP REST export and PyMISP library

from pymisp import PyMISP
import json
from datetime import datetime

misp = PyMISP('https://your-misp-server', 'MISP-API-KEY', ssl=True)

# Export malicious IPs for Palo Alto External Dynamic List (EDL):
result = misp.search(
    type_attribute='ip-dst',
    to_ids=True,  # Only IDS-flagged (actionable) indicators
    timestamp='7d',  # Last 7 days
    threat_level_id='1',  # High threat level only
)

ip_list = []
for event in result:
    for attr in event.get('Attribute', []):
        if attr['type'] == 'ip-dst':
            ip_list.append(attr['value'])

# Write Palo Alto EDL format (one IP per line):
with open('/var/www/misp-exports/blocked-ips.txt', 'w') as f:
    f.write('\n'.join(set(ip_list)))

# Palo Alto EDL configuration:
# Objects > External Dynamic Lists > New
# Type: IP List
# Source: https://your-misp-server/misp-exports/blocked-ips.txt
# Repeat: Every 5 minutes

MISP API key management:

In MISP: Admin > List Auth Keys

Create separate keys per integration:
- Sentinel-ReadOnly: GET only, no POST/DELETE
- EDL-Export: GET only, specific endpoint permissions
- SIEM-Push: POST for event creation from alert pipeline

Rotate keys quarterly or when personnel change
Log key usage: Admin > Server Settings > Audit Logs

The bottom line

MISP deployment uses the official installer script on Ubuntu 22.04 (curl + bash INSTALL.sh: 15-30 min). Enable CIRCL OSINT feed, abuse.ch feeds (MalwareBazaar, URLhaus, FeodoTracker), and botvrij.eu as minimum starting feeds. Integrate with Microsoft Sentinel via the TAXII connector pointing to https://[misp-server]/taxii2/ with an API key for polling. Use the ThreatIntelligenceIndicator table in Sentinel to join MISP indicators against network logs. Export actionable high-confidence IPs to Palo Alto or Cisco firewall External Dynamic Lists for automated blocking: filter to to_ids=True and threat_level_id=1 (high) to avoid blocking false positives.

Frequently asked questions

What is MISP and how does it differ from commercial threat intelligence platforms?

MISP (Malware Information Sharing Platform) is a free, open-source threat intelligence platform that stores, correlates, and shares IOCs in structured STIX/TAXII format. Unlike commercial platforms (Recorded Future, ThreatConnect, Anomali), MISP does not include premium intelligence feeds or automated analyst workflows: it provides the platform and community feeds, and organizations build their own feed subscriptions and integrations. MISP is used by NATO, European government CERTs, and thousands of private organizations as either a primary TIP or as an on-premises aggregator for commercial intelligence.

How do you get high-quality free threat intelligence feeds for MISP?

Start with the feeds included in MISP's default feed list: CIRCL OSINT (European CERT intelligence, no registration required), botvrij.eu (domain indicators), and the abuse.ch family: MalwareBazaar (malware samples and hashes), URLhaus (malicious URLs), and FeodoTracker (botnet C2 IPs): all free with registration at abuse.ch. Enable feeds in Sync Actions > Feeds > List Feeds. Schedule hourly fetch_feeds jobs in Admin > Server Settings > Jobs. The CIRCL and abuse.ch feeds collectively cover a large portion of current commodity malware infrastructure.

How do I integrate MISP with Microsoft Sentinel for automated threat detection?

Two integration methods: (1) TAXII connector: MISP serves as a TAXII 2.1 server at https://[misp-server]/taxii2/. In Sentinel, install the MISP2Sentinel connector from Content Hub, configure the TAXII data connector with your MISP server URL, collection ID, and API key. Indicators flow into the ThreatIntelligenceIndicator table and automatically match against ingested logs via built-in Sentinel analytics rules. (2) Direct export via PyMISP: use a scheduled script to query MISP for recent high-confidence IOCs and push them to a Sentinel watchlist via the Log Analytics REST API. The TAXII approach is simpler to maintain; the PyMISP approach allows more filtering (threat level, feed source, attribute type) before indicators reach Sentinel.

How do I use MISP to automatically block malicious IPs at the firewall?

Export MISP indicators to an External Dynamic List (EDL) for supported firewalls (Palo Alto, Fortinet, Check Point). Use PyMISP to query for IP attributes with to_ids=True (IDS-flagged, actionable) and threat_level_id=1 (high confidence only) from the last 7 days, write them to a text file (one IP per line), and serve that file over HTTPS from the MISP server or a web server. Configure the firewall's EDL to pull from that URL every 5-15 minutes. Critical filter: never export unverified indicators to blocking infrastructure; limit exports to high-threat-level, to_ids-flagged attributes from curated feeds. False positives in blocklists cause availability incidents.

What hardware or cloud resources does MISP require to run reliably?

MISP minimum production requirements: 8GB RAM (4GB for MISP, 4GB for MariaDB and feed processing), 4 CPU cores, 100GB SSD storage (threat intelligence data grows: plan for 200-500GB over 1-2 years with feeds enabled). Recommended cloud instance: AWS t3.xlarge (4 vCPU, 16GB RAM) or GCP e2-standard-4. Ubuntu 22.04 LTS is the officially supported OS. For high-availability deployments: run MISP behind an HTTPS load balancer, use a managed database (RDS or Cloud SQL) for MariaDB, and separate the Redis cache. Single-instance MISP serves most teams of up to 50 analysts without performance issues; feed workers running every hour add CPU spikes during pull cycles.

How do you measure whether MISP is actually improving your detection, and what metrics indicate a healthy threat intelligence operation?

Measure MISP ROI through four operational metrics: (1) IOC hit rate -- query Sentinel for ThreatIntelligenceIndicator matches against network and endpoint logs per month; even a 1-2% hit rate on high-fidelity indicators represents meaningful automated detection enrichment; (2) indicator freshness -- run 'ThreatIntelligenceIndicator | where SourceSystem == "MISP" and ExpirationDateTime < now()' in Sentinel to identify stale indicators still in the watchlist; high stale counts mean feed pulls are failing or indicators are not being retired; (3) false positive rate on MISP-sourced blocks -- track how often IPs or domains exported to firewall blocklists generate user complaints about blocked legitimate traffic; false positive rates above 0.5% indicate filtering is too permissive (relax to_ids=True and threat_level_id=1 requirements); (4) analyst enrichment value -- measure how often analysts click through to MISP event context from a SIEM alert versus ignoring it. Beyond metrics, verify feed freshness by checking the 'Last import' timestamp for each enabled feed in MISP's feed management page: feeds not updating for more than 48 hours indicate connectivity or parsing failures requiring investigation.

Sources & references

  1. MISP Project: Official Documentation
  2. CIRCL: MISP Default Feeds
  3. Microsoft Sentinel: MISP to Sentinel Integration

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.