Adding Threat Intelligence Feeds to Your MISP Instance

Adding threat intelligence feeds to your MISP instance allows you to rapidly populate your SIEM and other tools with indicators of compromise (IOCs). These IOCs can then be used to generate detections and alerts to help you defend against known bad actors.

You can add a threat intelligence feed to MISP by clicking the Add Feed option on the left menu. This opens the Add MISP Feed dynamic web form, where you enter information about your new CTI feed. You will need to provide a name, a provider, an input source, how data will be delivered (MISP, free text, or CSV), what formats you can accept (MISP or JSON), and how to distribute the events created by this feed to your organization. You can also set filter rules, a default tag, and configuration details about how to use this feed.

Exploring MISP Threat Intelligence Feeds for Enhanced Security

Once you’ve added a feed, you will see the new events start to appear in your MISP instance. Click on an event to view the full selection of attributes available for that IOC. As you work with your colleagues on these IOCs, you will be able to find and share the relationships between them that will enable better understanding of campaign structures, TTPs, and other observables.

Note that IOCs have a limited shelf life as adversaries change hash values, domains, and other aspects of malicious artifacts. You can reflect this in your MISP by using decaying models to reduce the weight of old IOCs over time.
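
The weighting described above, as an added example (not code from the original page or from MISP itself): it applies a polynomial decay curve, score = base_score * (1 - (t / lifetime) ^ (1 / decay_speed)), modelled on MISP's polynomial decaying model. The per-type lifetimes, the threshold, the use of a last-seen timestamp as t = 0, and the sample IOCs are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed per-type parameters (assumptions, not MISP defaults):
# lifetime is in days; decay_speed shapes the curve (1.0 = linear).
MODELS = {
    "ip-dst": {"lifetime": 32, "decay_speed": 2.0},
    "domain": {"lifetime": 90, "decay_speed": 1.0},
    "sha256": {"lifetime": 365, "decay_speed": 1.0},
}
THRESHOLD = 20  # assumed cut-off: below this score the IOC counts as expired


def decay_score(base_score, age_days, lifetime, decay_speed):
    """Polynomial decay of base_score over age_days, clamped to [0, base_score]."""
    if age_days <= 0:
        return float(base_score)
    if age_days >= lifetime:
        return 0.0
    return base_score * (1 - (age_days / lifetime) ** (1 / decay_speed))


def triage(iocs, now, models=MODELS, threshold=THRESHOLD):
    """Score each IOC by the time since it was last seen and flag expired ones."""
    results = []
    for ioc in iocs:
        base = ioc.get("base_score", 100)
        model = models.get(ioc["type"])
        if model is None:
            score = float(base)  # no model for this type: leave it undecayed
        else:
            age = (now - ioc["last_seen"]).total_seconds() / 86400
            score = round(decay_score(base, age, **model), 2)
        results.append({"value": ioc["value"], "score": score,
                        "expired": score < threshold})
    return results


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed for reproducible output
SAMPLE_IOCS = [  # constructed sample data using documentation-reserved values
    {"type": "ip-dst", "value": "198.51.100.23", "last_seen": NOW - timedelta(days=8)},
    {"type": "domain", "value": "bad.example.com", "last_seen": NOW - timedelta(days=81)},
    {"type": "sha256", "value": "a" * 64, "last_seen": NOW - timedelta(days=400)},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_IOCS, NOW):
        state = "expired" if row["expired"] else "active"
        print(f"{row['value'][:20]:<20} score={row['score']:>6} {state}")
```

Detections built on the feed can then filter on the `expired` flag instead of alerting on every indicator ever ingested.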
