MISP

MISP is an open-source threat intelligence sharing platform designed for collecting, storing, and distributing structured threat indicators and intelligence. At its core, it provides a distributed synchronization protocol for transferring events between instances, an attribute-based correlation engine that links matching indicators across events, and a REST API with an OpenAPI specification for programmatic access to threat data. The platform uses formal data formats for JSON, taxonomy, galaxy, and object templates to enable compatibility across tools and communities.

The platform distinguishes itself through granular sharing group models that allow per-attribute visibility controls, a workflow automation pipeline for qualifying and publishing threat data, and support for multiple deployment methods including Ansible, Docker, Puppet, and RPM packages. It offers bidirectional TAXII exchange, scheduled push capabilities, and a reverse proxy compatibility layer for large event synchronization. The platform also includes background worker queues for asynchronous processing and plugin-based data format support.

Beyond its core sharing and correlation functions, MISP provides capabilities for importing indicators from PDF reports, managing feed duplication and correlation bloat, and navigating threat data graphically through event graph visualizations. It includes administrative tools for resetting credentials and wiping all data, as well as security hardening measures such as authentication bypass configuration and certificate trust store management. The platform ships with comprehensive documentation in multiple formats and training materials for learning its capabilities.

Features

Threat Intelligence Platforms - An open-source platform for collecting, storing, and sharing structured threat intelligence and indicators of compromise.

Distribution Controls - Ships granular sharing group models with per-attribute visibility controls for distributing structured threat data.

Programmatic Threat Intelligence Interfaces - Ships a documented REST API for programmatic query, creation, update, and deletion of threat data.

REST APIs - Provides a documented REST API with OpenAPI specification for programmatic threat intelligence access.

Threat Intelligence - Provides a REST API for programmatic querying, creation, and updating of threat intelligence data.

Correlation Engines - Provides an attribute-based correlation engine that automatically links matching indicators across events to reveal hidden attack patterns.

Threat Object Models - Provides a flexible object model for structuring and linking detailed threat intelligence data.

Granular Content Sharing - Distributes events and attributes with per-attribute visibility settings and community controls across instances.

Distributed Event Synchronization - Transfers published events to configured remote instances subject to distribution rules and push settings.

Threat Data Stores - Persists structured threat data in a flexible object model with cross-referencing capabilities.

REST APIs - Provides a full REST API with OpenAPI specification for programmatic interaction with the threat intelligence platform.

Threat Intelligence - Provides a documented OpenAPI REST interface for automated threat data retrieval and submission.

OpenAPI Specifications - Ships an OpenAPI specification that documents the entire REST API for programmatic threat intelligence access.

Security Event Correlation - Ships an attribute-based correlation engine that links matching indicators across events to reveal hidden relationships.

Threat Event Pushes - Ships a distributed synchronization protocol for pushing events to remote MISP instances.

Threat Intelligence Synchronizers - Implements a distributed synchronization protocol for exchanging events and attributes between instances with advanced filtering.

Threat Indicator Correlators - Links matching indicators across events using exact matches, fuzzy hashing, and CIDR blocks to reveal hidden relationships.

Distributed Synchronization Protocols - Implements a distributed synchronization protocol for transferring published events between configured remote instances.

Threat Intelligence REST APIs - Provides a programmatic OpenAPI interface to query, create, update, and delete threat data using standard HTTP methods.

Workflow Automation Pipelines - Runs customizable workflows to qualify, analyze, and publish threat data without manual intervention.

Threat Data Workflow Pipelines - Runs customizable pipelines that qualify, analyze, modify, and control publication of threat data automatically.

TAXII Exchanges - Implements bidirectional TAXII exchange for receiving and pushing threat intelligence data.

Threat - Runs customizable workflows that qualify, analyze, modify, and control publication of threat data automatically.

Threat Data Pushes - Ships a scheduled push mechanism for distributing threat intelligence to TAXII servers.

Threat Intelligence Format Integrations - Ships formal specifications for JSON, taxonomy, galaxy, and object template formats to enable tool compatibility.

Security Tool Integration APIs - Exchanges threat data with NIDS, SIEMs, and other systems via STIX and REST API formats.

Message Queue Workers - Processes scheduled tasks and data operations asynchronously through a dedicated background worker queue system.

Threat Relationship Visualizations - Provides event graph visualizations for exploring events, correlations, and object relationships.

Threat Intelligence Format Specifications - Publishes formal specifications for JSON, taxonomy, galaxy, and object template formats for tool interoperability.

Threat Intelligence - Defines formal specifications for JSON, taxonomy, galaxy, and object template formats for threat intelligence exchange.

File Format Plugin Support - Uses plugin-based architecture to support JSON, taxonomy, galaxy, and object template data formats.

Threat Intelligence - Platform for sharing and collaborating on malware intelligence.

Security Lab Environments - Platform for sharing indicators of compromise and threat intelligence.

Development And Analysis Tools - Threat intelligence platform with YARA support.

MISPMISP

Features

Star history