
MISP is an open-source threat intelligence platform designed to facilitate the collection, analysis, and sharing of Indicators of Compromise (IOCs) and threat data across trusted communities. Built by and for security analysts, it supports structured collaboration across SOCs, CERTs, and CTI teams.
Primary Use Cases:
| Function | Description |
|---|---|
| Event Management | Analysts can create and manage events tied to incidents or campaigns. Events are containers for attributes and context. |
| Attribute Handling | Stores technical and contextual data: IPs, hashes, domains, YARA rules, malware family tags, etc. |
| Correlation Engine | Detects relationships across attributes and events (e.g., same IP seen across multiple events). Supports fuzzy matching, CIDR range correlation, etc. |
| Event Graphs | Visualizes object and attribute relationships using node-link graphs. |
| Sharing Controls | Flexible distribution levels: private, community, connected networks, or public. |
| Tagging & Taxonomy | Tags and classifications (e.g., TLP, threat actor, confidence level) organize and label threat data. |
| Import & Export | Supports STIX (v1/v2), OpenIOC, CSV, JSON, Suricata, Zeek, Snort, and many more. |
| API Access | Enables automation, feed ingestion, and integration with SIEMs, SOARs, and other tooling. |
Events are containers for threat intelligence related to a security incident.
Analysts define event metadata: title, timestamp, threat level, and distribution scope.
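To make the event, attribute, sharing and correlation concepts above concrete, here is an added Python example (not MISP or PyMISP code) that builds MISP-shaped event payloads, serialises one as the JSON body a client would POST to a MISP instance, and runs a small correlation pass over several events: exact-value matches across events plus CIDR containment for IP attributes. The distribution and threat-level numbering follows MISP's documented values; the event names, IP addresses (RFC 5737 documentation ranges) and hash are constructed sample data, and the `correlate` function is a simplified stand-in for the platform's own engine.

```python
import ipaddress
import json

# MISP distribution levels: 0 = your organisation only, 1 = this community,
# 2 = connected communities, 3 = all communities (the page's private /
# community / connected networks / public).
DISTRIBUTION = {"org_only": 0, "community": 1, "connected": 2, "all": 3}
# MISP threat_level_id: 1 = high, 2 = medium, 3 = low, 4 = undefined.
THREAT_LEVEL = {"high": 1, "medium": 2, "low": 3, "undefined": 4}
IP_TYPES = ("ip-src", "ip-dst")


def build_event(info, attributes, distribution="community",
                threat_level="medium", tags=()):
    """Return an event in the JSON shape MISP's REST API accepts.

    attributes: iterable of (type, value, to_ids) tuples; to_ids marks the
    attribute as suitable for pushing into detection tooling.
    """
    return {"Event": {
        "info": info,
        "distribution": DISTRIBUTION[distribution],
        "threat_level_id": THREAT_LEVEL[threat_level],
        "analysis": 0,  # 0 = initial, 1 = ongoing, 2 = complete
        "Tag": [{"name": t} for t in tags],
        "Attribute": [{"type": t, "value": v, "to_ids": ids}
                      for t, v, ids in attributes],
    }}


def serialize_for_api(event):
    """JSON body for POST /events/add (sent with an 'Authorization: <api key>'
    header and 'Accept: application/json'); no network call is made here."""
    return json.dumps(event, indent=2)


def correlate(events):
    """Simplified correlation across events.

    Returns (exact, cidr):
      exact: {value: [event infos]} for values seen in more than one event
      cidr:  [(ip, network, [event infos])] where an IP attribute in one
             event falls inside a CIDR attribute of a different event
    """
    seen = {}      # attribute value -> set of event infos
    networks = []  # (ip_network, event info) for CIDR-valued IP attributes
    for ev in events:
        info = ev["Event"]["info"]
        for attr in ev["Event"]["Attribute"]:
            val = attr["value"]
            if attr["type"] in IP_TYPES and "/" in val:
                networks.append((ipaddress.ip_network(val, strict=False), info))
            seen.setdefault(val, set()).add(info)
    exact = {v: sorted(infos) for v, infos in seen.items() if len(infos) > 1}

    cidr = []
    for ev in events:
        info = ev["Event"]["info"]
        for attr in ev["Event"]["Attribute"]:
            if attr["type"] in IP_TYPES and "/" not in attr["value"]:
                ip = ipaddress.ip_address(attr["value"])
                for net, net_info in networks:
                    if net_info != info and ip in net:
                        cidr.append((attr["value"], str(net),
                                     sorted([info, net_info])))
    return exact, cidr


# Constructed sample events (documentation IP ranges; the hash is SHA-256 of
# the empty string, used only as a well-formed placeholder).
SAMPLE_EVENTS = [
    build_event("Phishing campaign", [
        ("ip-dst", "203.0.113.10", True),
        ("domain", "lure.example", True),
        ("sha256", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", True),
    ], tags=("tlp:amber",)),
    build_event("C2 infra observed", [
        ("ip-dst", "203.0.113.10", True),
        ("ip-dst", "198.51.100.0/24", False),  # whole range, not for blocking
    ], distribution="connected", threat_level="high"),
    build_event("Scan of partner network", [
        ("ip-src", "198.51.100.77", True),
    ], distribution="org_only", threat_level="low"),
]

EXACT, CIDR = correlate(SAMPLE_EVENTS)

if __name__ == "__main__":
    print(serialize_for_api(SAMPLE_EVENTS[0]))
    print("exact matches:", EXACT)
    print("CIDR matches:", CIDR)
```

The CIDR attribute is deliberately marked `to_ids=False`: a /24 is useful for correlation but would cause broad false positives if exported straight into an IDS rule set, which is exactly the distinction the `to_ids` flag exists to capture.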
Distribution Options:

IP: 192.168.1.1, sha256:...)