Threat Intelligence Platform Series
    Part 5 of 6

    MISP: Threat Intelligence Management & Sharing

    Central IOC store, feed ingester, and distribution hub — pulls from the deception layer, pushes to the detection layer, sets up Wazuh CDB consumption in Part 6.

    80 minutes
    Standard 8 GB / 100 GB
    Prerequisites

    Parts 1–4; MISP VPS in the mesh

    Time

    ~80 minutes

    Outcome

    MISP ingesting feeds + honeypot data, exporting to Suricata/Zeek

    MISP Overview

    MISP organises threat intelligence as events (incidents or campaigns) containing attributes (IPs, hashes, URLs) and objects (structured groupings such as a file with its hashes and PE metadata). Galaxies tag events against frameworks like MITRE ATT&CK; taxonomies apply controlled-vocabulary labels.

    Deployment Options

    The series uses the official Docker Compose deployment — repeatable, snapshottable, and well-supported. Bare-metal INSTALL.sh is fine if you want to colocate other services; misp-airgap is for offline labs.

    git clone https://github.com/MISP/misp-docker /opt/misp
    cd /opt/misp
    cp template.env .env
    # Edit .env: BASE_URL, MYSQL_PASSWORD, ADMIN_*, OIDC if used
    docker compose pull
    docker compose up -d

    Initial Configuration

    Log in as the bootstrap admin and immediately:

    • Create your real organisation under Administration → Add Organisation.
    • Create a sharing group TIP-Internal with just your org for now.
    • Define a least-privilege automation user for the Suricata, Zeek and Wazuh exporters. They only pull downloads, so a custom role with Auth key access and nothing else is enough; Sync Actions grants server-to-server push and pull and belongs only to the sync user you create later for community sharing.

    Feed Configuration

    Enable the high-signal community feeds first; everything else can wait:

    • CIRCL OSINT — curated indicators from CIRCL's analysts.
    • abuse.ch URLhaus, ThreatFox, MalwareBazaar — malware URLs, IOCs, and samples.
    • AlienVault OTX — broad community feed; needs an API key.
    • Emerging Threats compromised IPs — pairs with the Suricata ET ruleset.
    # The cake console lives in the misp-core container (not misp-modules) and
    # must run as www-data. Feeds are disabled by default: enable the ones you
    # want under Sync Actions → List Feeds first, or fetchFeed skips them.
    docker compose exec -u www-data misp-core \
      /var/www/MISP/app/Console/cake Server fetchFeed 1 all
    # Cache feed data so it correlates against your own events without import
    docker compose exec -u www-data misp-core \
      /var/www/MISP/app/Console/cake Server cacheFeed 1 all

    Recommended Starter Taxonomies and Galaxies

    • tlp — every event must be tagged with a TLP colour.
    • admiralty-scale — source reliability and information credibility.
    • malware-classification — coarse family labels.
    • mitre-attack-pattern galaxy — attach ATT&CK techniques.
    • threat-actor galaxy — link events to known actors.

    PyMISP Basics

    pip install pymisp
    python3 - <<'PY'
    from pymisp import PyMISP, MISPEvent

    # Third positional argument is `ssl`: a CA bundle path (the mesh CA here is an
    # assumed path) or True for a publicly trusted cert. Passing False disables
    # certificate verification and sends the API key to whoever answers the name.
    m = PyMISP("https://misp.tip.internal", "<api-key>", "/etc/ssl/tip-ca.pem")

    e = MISPEvent()
    e.info = "Cowrie SSH brute-force from 1.2.3.4"
    e.distribution = 0        # 0 = your organisation only; widen via a sharing group later
    # to_ids=True is what makes the attribute eligible for the Suricata/Zeek exports
    e.add_attribute("ip-src", "1.2.3.4", to_ids=True)
    e.add_tag("tlp:amber")
    print(m.add_event(e))     # returns the created event as a dict (or an error dict)
    PY

    Webhooks Replacing Email

    MISP's notification model is email-first: publish alerts and contact-reporter messages go out over SMTP. Disable that path (MISP.disable_emailing under Server Settings) and write a small webhook adapter that polls MISP for newly published events and posts them to the shared tip-notify wrapper from Part 1; the audit log, a restSearch on publish_timestamp, or the ZeroMQ publisher all work as the source. A 50-line Python service is sufficient; keep it on the management VPS and give it its own read-only API key.
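    The adapter below is an added example, not code from the series; it polls /events/restSearch on publish_timestamp rather than the audit log, keeps a watermark so a restart never re-notifies or skips an event, and refuses to forward tlp:red events to a shared channel. TIP_NOTIFY_URL, CA_BUNDLE and STATE_FILE are assumed paths for this lab, and SAMPLE_RESPONSE is a constructed stand-in for what MISP returns.

```python
import json
import ssl
import urllib.request

BASE_URL = "https://misp.tip.internal"
TIP_NOTIFY_URL = "http://127.0.0.1:8088/notify"   # assumed: the tip-notify wrapper from Part 1
CA_BUNDLE = "/etc/ssl/tip-ca.pem"                  # assumed: mesh CA that signed the MISP cert
STATE_FILE = "/var/lib/tip-notify/misp.watermark"  # assumed: where the last notified timestamp lives

# Only these labels go to a shared channel; tlp:red still advances the watermark but is never posted.
FORWARD_TLP = {"tlp:clear", "tlp:white", "tlp:green", "tlp:amber", "tlp:amber+strict"}


def select_new_events(events, watermark):
    """Turn a restSearch "response" list into notifications newer than `watermark`.

    Returns (notifications, new_watermark). Re-running with new_watermark yields
    nothing, so a crash between fetch and state write costs a duplicate, never a loss.
    """
    new_wm, notes = watermark, []
    for item in sorted(events, key=lambda i: int(i["Event"].get("publish_timestamp", 0))):
        ev = item["Event"]
        ts = int(ev.get("publish_timestamp", 0))
        if ts <= watermark or not ev.get("published"):
            continue
        new_wm = max(new_wm, ts)
        tags = sorted(t["name"] for t in ev.get("Tag", []))
        tlp = next((t for t in tags if t.startswith("tlp:")), "tlp:unset")
        if tlp != "tlp:unset" and tlp not in FORWARD_TLP:
            continue                      # tlp:red (or an unknown label) stays inside MISP
        notes.append({
            "source": "misp",
            "event_id": int(ev["id"]),
            "title": ev["info"],
            "tlp": tlp,                   # "tlp:unset" is forwarded so analysts fix the missing tag
            "tags": tags,
            "attribute_count": int(ev.get("attribute_count", 0)),
            "url": f"{BASE_URL}/events/view/{ev['id']}",
            "published_at": ts,
        })
    return notes, new_wm


def fetch_published_since(watermark, api_key):
    """Ask MISP for events published at or after `watermark`, metadata only (no attributes)."""
    body = {"returnFormat": "json", "published": True, "metadata": True,
            "publish_timestamp": str(watermark)}
    req = urllib.request.Request(
        f"{BASE_URL}/events/restSearch", data=json.dumps(body).encode(),
        headers={"Authorization": api_key, "Accept": "application/json",
                 "Content-Type": "application/json"})
    ctx = ssl.create_default_context(cafile=CA_BUNDLE)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)["response"]


def post_notification(note):
    req = urllib.request.Request(TIP_NOTIFY_URL, data=json.dumps(note).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


def run_once(api_key):
    """One poll cycle: read watermark, fetch, post, persist. Seed STATE_FILE with the
    current epoch before the first run unless you want every published event replayed."""
    try:
        with open(STATE_FILE) as f:
            watermark = int(f.read().strip() or 0)
    except FileNotFoundError:
        watermark = 0
    notes, new_wm = select_new_events(fetch_published_since(watermark, api_key), watermark)
    for note in notes:
        post_notification(note)
    if new_wm != watermark:
        with open(STATE_FILE, "w") as f:
            f.write(str(new_wm))
    return len(notes)


# Constructed sample of a restSearch "response" list (not real MISP output).
SAMPLE_RESPONSE = [
    {"Event": {"id": "41", "info": "older event", "published": True,
               "publish_timestamp": "1699999999", "attribute_count": "3",
               "Tag": [{"name": "tlp:green"}]}},
    {"Event": {"id": "43", "info": "Cowrie: payload delivery from 203.0.113.10",
               "published": True, "publish_timestamp": "1700000600", "attribute_count": "4",
               "Tag": [{"name": "tlp:amber"},
                       {"name": 'misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105"'}]}},
    {"Event": {"id": "42", "info": "untagged event", "published": True,
               "publish_timestamp": "1700000300", "attribute_count": "1"}},
    {"Event": {"id": "45", "info": "internal incident", "published": True,
               "publish_timestamp": "1700000700", "attribute_count": "9",
               "Tag": [{"name": "tlp:red"}]}},
    {"Event": {"id": "44", "info": "draft", "published": False,
               "publish_timestamp": "0", "attribute_count": "0"}},
]

if __name__ == "__main__":
    import os, time
    while True:
        run_once(os.environ["MISP_KEY"])
        time.sleep(60)
```

    Run it as a systemd service with MISP_KEY in an EnvironmentFile; the watermark file is the only state, so it can be restarted at will.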

    IOC Ingestion Pipelines

    Three pipelines feed MISP from the rest of the stack:

    • Cowrie sessions — parse cowrie.json and emit one MISP event per unique source IP that uploads or downloads a payload, with the file hash (Cowrie's shasum field, a SHA-256) as an attribute.
    • Beelzebub captures — emit events tagged against MITRE ATLAS rather than ATT&CK, which has no LLM techniques: the cluster is misp-galaxy:mitre-atlas-attack-pattern="LLM Prompt Injection" (confirm the exact cluster value in your instance's galaxy list).
    • Suricata + Zeek alerts — emit pivot attributes (JA4 hash, TLS SNI, HTTP host) so analysts can branch from a single hit into related events.
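    The Cowrie pipeline, as an added example rather than the series' own code: it walks cowrie.json, groups payload deliveries per source IP, skips failed downloads (no hash) and torn trailing lines, and builds the JSON that POST /events/add accepts. CA_BUNDLE is an assumed path and SAMPLE_COWRIE_LOG is a constructed log, not a real capture.

```python
import json
import re
import ssl
import urllib.request

BASE_URL = "https://misp.tip.internal"
CA_BUNDLE = "/etc/ssl/tip-ca.pem"       # assumed: mesh CA that signed the MISP cert
HEX64 = re.compile(r"^[0-9a-f]{64}$")    # Cowrie's "shasum" field is a SHA-256 hex digest
PAYLOAD_EVENTS = {"cowrie.session.file_download", "cowrie.session.file_upload"}


def group_payloads_by_source(lines):
    """Per source IP, collect every payload hash/URL it delivered and the sessions involved.
    Non-payload events, records without a valid hash (failed download) and torn
    lines (Cowrie appends; the last line may be partial) are skipped, not fatal."""
    by_ip = {}
    for raw in lines:
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if rec.get("eventid") not in PAYLOAD_EVENTS:
            continue
        shasum, src = (rec.get("shasum") or "").lower(), rec.get("src_ip")
        if not src or not HEX64.match(shasum):
            continue
        b = by_ip.setdefault(src, {"hashes": {}, "urls": set(), "sessions": set(),
                                   "first_seen": rec.get("timestamp", "")})
        b["hashes"].setdefault(shasum, rec.get("url") or rec.get("filename") or "unnamed")
        if rec.get("url"):
            b["urls"].add(rec["url"])
        b["sessions"].add(rec.get("session", "?"))
    return by_ip


def to_misp_event(src, bucket, tlp="tlp:amber"):
    """One MISP event in the REST shape POST /events/add accepts."""
    attrs = [{"type": "ip-src", "category": "Network activity", "value": src, "to_ids": True,
              "comment": f"Cowrie: {len(bucket['sessions'])} session(s) delivering payloads"}]
    for sha, label in sorted(bucket["hashes"].items()):
        attrs.append({"type": "sha256", "category": "Payload delivery", "value": sha,
                      "to_ids": True, "comment": label})
    for url in sorted(bucket["urls"]):
        attrs.append({"type": "url", "category": "Payload delivery", "value": url,
                      "to_ids": True, "comment": "download URL fetched inside a Cowrie session"})
    return {"Event": {
        "info": f"Cowrie: payload delivery from {src}",
        "date": bucket["first_seen"][:10],
        "distribution": 0,       # 0 = your organisation only; widen via a sharing group later
        "threat_level_id": 3,    # 3 = low: honeypot noise until an analyst raises it
        "analysis": 0,           # 0 = initial
        "Attribute": attrs,
        "Tag": [{"name": tlp},
                {"name": 'misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105"'}],
    }}


def build_events(lines):
    grouped = group_payloads_by_source(lines)
    return [to_misp_event(src, grouped[src]) for src in sorted(grouped)]


def push_event(event, api_key):
    """POST one event to MISP and return the id it was given."""
    req = urllib.request.Request(
        f"{BASE_URL}/events/add", data=json.dumps(event).encode(),
        headers={"Authorization": api_key, "Accept": "application/json",
                 "Content-Type": "application/json"})
    ctx = ssl.create_default_context(cafile=CA_BUNDLE)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)["Event"]["id"]


# Constructed sample in Cowrie's JSON log format (not a real capture).
H_DOWNLOAD = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
H_UPLOAD = "0123456789abcdef" * 4
SAMPLE_COWRIE_LOG = [json.dumps(r) for r in [
    {"eventid": "cowrie.login.success", "username": "root", "password": "123456",
     "src_ip": "203.0.113.10", "session": "a1", "timestamp": "2024-05-01T10:00:02.000000Z"},
    {"eventid": "cowrie.session.file_download", "url": "http://198.51.100.7/x86",
     "shasum": H_DOWNLOAD, "src_ip": "203.0.113.10", "session": "a1",
     "timestamp": "2024-05-01T10:00:05.000000Z"},
    {"eventid": "cowrie.session.file_download", "url": "http://198.51.100.7/x86",  # same payload again
     "shasum": H_DOWNLOAD, "src_ip": "203.0.113.10", "session": "a2",
     "timestamp": "2024-05-01T11:00:05.000000Z"},
    {"eventid": "cowrie.session.file_upload", "filename": "payload.sh",
     "shasum": H_UPLOAD, "src_ip": "203.0.113.10", "session": "a3",
     "timestamp": "2024-05-01T12:00:05.000000Z"},
    {"eventid": "cowrie.session.file_download", "url": "http://198.51.100.9/bad",  # failed: no hash
     "shasum": "", "src_ip": "203.0.113.55", "session": "b1",
     "timestamp": "2024-05-01T13:00:00.000000Z"},
    {"eventid": "cowrie.login.failed", "username": "admin", "password": "admin",
     "src_ip": "203.0.113.55", "session": "b1", "timestamp": "2024-05-01T13:00:01.000000Z"},
]] + ['{"eventid":"cowrie.session.file_down']   # torn trailing line

if __name__ == "__main__":
    import os, sys
    with open(sys.argv[1]) as f:            # e.g. a rotated cowrie.json slice
        for ev in build_events(f):
            print(push_event(ev, os.environ["MISP_KEY"]))
```

    Run it over each rotated log slice; repeat offenders across runs produce separate events that MISP's correlation engine links on the shared ip-src and sha256 values.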

    IOC Distribution Pipelines

    # Suricata rules export. --fail keeps an HTTP error body (expired key, 503)
    # from being written over the live rule file; write to a temp file and move
    # it into place so Suricata never reloads a half-written file.
    curl --fail --silent --show-error -H "Authorization: $MISP_KEY" \
      "https://misp.tip.internal/events/nids/suricata/download" \
      -o /etc/suricata/rules/misp.rules.tmp \
      && mv /etc/suricata/rules/misp.rules.tmp /etc/suricata/rules/misp.rules

    # Zeek intel framework export
    curl --fail --silent --show-error -H "Authorization: $MISP_KEY" \
      "https://misp.tip.internal/attributes/bro/download/all" \
      -o /opt/zeek/intel/misp.intel.tmp \
      && mv /opt/zeek/intel/misp.intel.tmp /opt/zeek/intel/misp.intel

    # Wazuh CDB list (for Part 6). This is one IP per line; Wazuh CDB lists are
    # key:value, so the file is reformatted before it is compiled.
    curl --fail --silent --show-error -H "Authorization: $MISP_KEY" \
      "https://misp.tip.internal/attributes/text/download/ip-dst" \
      -o /var/ossec/etc/lists/misp-ip.tmp \
      && mv /var/ossec/etc/lists/misp-ip.tmp /var/ossec/etc/lists/misp-ip

    Schedule each export every 15 minutes; reload Suricata rules and Zeek as covered in Part 4.
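    Before an exported IP list reaches Suricata, Zeek or Wazuh it should be checked: a raw export can contain an HTML error body, duplicates, RFC1918 or loopback addresses, or your own sensor addresses, any of which turns the detection layer against your own mesh. The filter below is an added example, not part of the series; it validates the one-value-per-line export, renders the IPv4 hosts in Wazuh's key:value CDB form, and replaces the target file atomically only when the content changed, so the caller knows whether a reload is needed. SAMPLE_EXPORT is constructed, not real MISP output.

```python
import hashlib
import ipaddress
import os
import tempfile

# Address space that must never reach a blocklist. An explicit list is used instead of
# ipaddress.is_global, because is_global also rejects the RFC 5737 documentation
# ranges the constructed sample below is written with.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10", "ff00::/8")]


def parse_ip_export(text, own_addresses=()):
    """Validate MISP's one-value-per-line IP export.

    Returns (addresses, networks, dropped): deduplicated host addresses, CIDR entries,
    and the raw lines rejected because they were not an IP at all (an HTML error page
    saved by a curl without --fail looks like this), fell in non-routable space, or
    belong to your own sensors and honeypots."""
    own = {ipaddress.ip_address(a) for a in own_addresses}
    addrs, nets, dropped = set(), set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            dropped.append(line)
            continue
        if any(net.subnet_of(blk) for blk in NON_ROUTABLE if blk.version == net.version):
            dropped.append(line)
            continue
        if net.num_addresses == 1:
            if net.network_address in own:
                dropped.append(line)
            else:
                addrs.add(net.network_address)
        else:
            nets.add(net)
    return (sorted(addrs, key=lambda a: (a.version, int(a))),
            sorted(nets, key=lambda n: (n.version, int(n.network_address), n.prefixlen)),
            dropped)


def to_wazuh_cdb(addresses):
    """Render host addresses as Wazuh CDB lines ("key:value" with an empty value).
    IPv6 is left out: the colon is the CDB key/value separator, so an IPv6 key
    cannot be expressed; those indicators still reach Suricata and Zeek."""
    return "".join(f"{a}:\n" for a in addresses if a.version == 4)


def write_if_changed(path, content):
    """Atomically replace `path` only when the content differs; True means reload."""
    digest = hashlib.sha256(content.encode()).hexdigest()
    try:
        with open(path, "rb") as f:
            if hashlib.sha256(f.read()).hexdigest() == digest:
                return False
    except FileNotFoundError:
        pass
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".misp-")
    with os.fdopen(fd, "w") as f:
        f.write(content)
    os.replace(tmp, path)      # readers see the old file or the new one, never a partial write
    return True


# Constructed sample of a /attributes/text/download/ip-dst body (not real MISP output),
# including the junk a careless export can pick up.
SAMPLE_EXPORT = """203.0.113.10
203.0.113.10
198.51.100.7
10.0.0.5
127.0.0.1
192.0.2.0/24
not-an-ip
<html><body>Unauthorized</body></html>
2001:db8::1
203.0.113.77
"""

if __name__ == "__main__":
    import sys   # usage: curl ... | python3 misp_ip_filter.py /var/ossec/etc/lists/misp-ip <own ip>...
    addrs, nets, dropped = parse_ip_export(sys.stdin.read(), own_addresses=sys.argv[2:])
    if write_if_changed(sys.argv[1], to_wazuh_cdb(addrs)):
        print(f"updated {sys.argv[1]}: {len(addrs)} hosts, {len(dropped)} lines dropped")
```

    Pipe the curl output for the Wazuh list through it instead of writing the file directly, passing the honeypot and sensor addresses as the own-address arguments; the same parse step can feed the Suricata and Zeek exports, where the CIDR entries are still usable.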

    Synchronisation with External Communities

    Once your local content is healthy, request access to a community such as the CIRCL Private Sector or a sector-specific ISAC, then add a Sync Server entry pointing at their MISP. Sharing groups control which of your events are pushed.

    API Hardening, Rate Limits, Access Control

    • Restrict the API to the WireGuard interface; expose the UI through Caddy + Authelia only.
    • One API key per user and per automation job. With Security.advanced_authkeys enabled, each key can carry an expiry date and an allowed-IP list, so an exporter's key only works from its own sensor. Rotate quarterly.
    • Enable Security.rest_client_enable_arbitrary_urls only if you really need it: it lets the built-in REST client reach any URL from the MISP server itself.

    Capacity Planning

    The MariaDB instance backing MISP is the first thing that hurts. Watch for: the attributes table passing 50M rows, the correlation engine taking minutes after a bulk import, and feed pulls timing out. Mitigations: prune low-signal feeds, raise innodb_buffer_pool_size so the attributes and correlations tables stay in memory, and take correlation off the write path for bulk imports (tick "disable correlation" on those events, or set MISP.completely_disable_correlation for the duration of the import, then rebuild with cake Admin jobGenerateCorrelation from a scheduled job).