🧠 Threat intelligence
MISP
Threat intelligence platform for sharing IoCs and structured intel.
Why use it
MISP is the de facto open-source platform for threat intelligence sharing — used by CERTs, CSIRTs, and ISACs worldwide. Pull free community feeds, store your own observables, and push IoCs into your detection stack automatically.
What you get
- Structured storage of IoCs (hashes, IPs, domains, URLs, files)
- Sharing groups and event taxonomies
- Built-in feeds (CIRCL, Abuse.ch, OTX) — free
- API to push/pull observables
- Galaxies (MITRE ATT&CK, threat actors, malware families)
System requirements
| Requirement | Value |
|---|---|
| CPU | 2 cores |
| RAM | 4 GB minimum |
| Disk | 50 GB |
| OS | Linux |
| Docker | Yes |
Installation
The official Docker setup at github.com/MISP/misp-docker is the path of least resistance: `docker compose up -d` brings up MISP, MariaDB, and Redis. The first run takes roughly 15 minutes. Default credentials are admin@admin.test / admin; change them on first login.
Suggested configuration
Enable the CIRCL OSINT, Abuse.ch URLhaus, and Feodo Tracker feeds out of the box. Configure pull schedules (hourly for high-velocity feeds, daily for slower ones). Tag events with kill-chain phases so downstream tools can prioritise.
Integration ideas
- Push IoCs to Wazuh as custom rules
- Feed Suricata rules from MISP events
- Cortex analyser for enrichment from TheHive
- Pull from OpenCTI for STIX 2 interoperability
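To make the Wazuh and Suricata items above concrete, here is an added example (not code from MISP, Suricata or Wazuh themselves) that takes a MISP attribute export and turns it into Suricata rules and a Wazuh CDB list. It assumes the JSON shape returned by MISP's `/attributes/restSearch` endpoint, Suricata 5+ rule syntax (`dns.query` sticky buffer), and the `key:value` line format Wazuh compiles into CDB lists; the sample response and all IoC values in it are constructed for the demonstration. Only attributes the analyst flagged `to_ids` are exported, and every value is validated per type before it is spliced into a rule, so a malformed or hostile value in the intel store cannot alter rule semantics downstream.

```python
"""Convert MISP attributes (to_ids=True only) into Suricata rules and a Wazuh CDB list."""
import ipaddress
import json
import re

# Constructed sample in the shape of a MISP /attributes/restSearch JSON response.
# All values are invented (RFC 5737 addresses, .example domains) for this example.
SAMPLE_MISP_RESPONSE = json.dumps({"response": {"Attribute": [
    {"id": "1", "event_id": "42", "type": "ip-dst", "value": "203.0.113.10", "to_ids": True},
    {"id": "2", "event_id": "42", "type": "domain", "value": "malicious.example", "to_ids": True},
    {"id": "3", "event_id": "43", "type": "ip-dst", "value": "198.51.100.7", "to_ids": False},
    {"id": "4", "event_id": "43", "type": "md5",
     "value": "d41d8cd98f00b204e9800998ecf8427e", "to_ids": True},
    # A value that is not a clean domain: it must be dropped, never emitted into a rule.
    {"id": "5", "event_id": "44", "type": "domain", "value": 'evil.example"; drop', "to_ids": True},
]}})

_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
_HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64}


def is_well_formed(attr_type, value):
    """Strict per-type validation. Anything that is not a clean IoC of a supported type
    is rejected so that quotes, semicolons or whitespace never reach a rule file."""
    if attr_type in ("ip-src", "ip-dst"):
        try:
            ipaddress.ip_address(value)
            return True
        except ValueError:
            return False
    if attr_type in ("domain", "hostname"):
        return bool(_DOMAIN_RE.match(value))
    if attr_type in _HASH_LEN:
        return bool(re.fullmatch(r"[0-9a-f]{%d}" % _HASH_LEN[attr_type], value))
    return False


def parse_attributes(raw_json):
    """Return the attributes an analyst marked for IDS use (to_ids), values normalised."""
    data = json.loads(raw_json)
    keep = []
    for a in data.get("response", {}).get("Attribute", []):
        if not a.get("to_ids"):
            continue
        attr_id, event_id = str(a.get("id", "")), str(a.get("event_id", ""))
        if not (attr_id.isdigit() and event_id.isdigit()):
            continue  # ids are used inside rule messages; only accept plain integers
        keep.append({"id": attr_id, "event_id": event_id,
                     "type": a["type"], "value": str(a["value"]).strip().lower()})
    return keep


def to_suricata_rules(attrs, base_sid=9000000):
    """Emit one Suricata rule per network IoC; hashes have no rule form here and are skipped."""
    rules = []
    for a in attrs:
        if not is_well_formed(a["type"], a["value"]):
            continue
        sid = base_sid + len(rules)  # sids stay unique and stable per export run
        msg = f'MISP event {a["event_id"]} {a["type"]} attribute {a["id"]}'
        v = a["value"]
        if a["type"] == "ip-dst":
            rule = f'alert ip $HOME_NET any -> {v} any (msg:"{msg}"; sid:{sid}; rev:1;)'
        elif a["type"] == "ip-src":
            rule = f'alert ip {v} any -> $HOME_NET any (msg:"{msg}"; sid:{sid}; rev:1;)'
        elif a["type"] in ("domain", "hostname"):
            rule = (f'alert dns any any -> any any (msg:"{msg}"; dns.query; '
                    f'content:"{v}"; nocase; sid:{sid}; rev:1;)')
        else:
            continue
        rules.append(rule)
    return rules


def to_wazuh_cdb(attrs):
    """Emit Wazuh CDB list lines ("key:value"). The key ends at the first colon, so
    IPv6 addresses cannot be keys in this format and are skipped."""
    lines = []
    for a in attrs:
        if not is_well_formed(a["type"], a["value"]) or ":" in a["value"]:
            continue
        lines.append(f'{a["value"]}:{a["type"]}')
    return lines


if __name__ == "__main__":
    attrs = parse_attributes(SAMPLE_MISP_RESPONSE)
    print("\n".join(to_suricata_rules(attrs)))
    print("\n".join(to_wazuh_cdb(attrs)))
```

In a real pipeline the JSON would come from an authenticated `POST /attributes/restSearch` against your MISP instance (API key in the `Authorization` header) and the output would be written to a rules file Suricata includes and a list file Wazuh compiles; the conversion and validation logic stays the same.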
Alternatives
- OpenCTI — STIX-native, more polished UI, heavier infra.
- Yeti — Lighter, less ecosystem.
Cyentrix verdict
The standard for community TI. The free feed integrations make it useful from day one without writing any custom intel.