Rendered Documentation
This page renders the module's Markdown and Mermaid directly from the public documentation source.
Overview
MISP Modules is the expansion framework for the MISP threat intelligence ecosystem, providing over 200 enrichment, import, and export modules that run as a microservice alongside a MISP instance. Modules span abuse.ch lookups, VirusTotal submissions, passive DNS queries, geolocation lookups, BGP routing queries, Joe Sandbox analysis submission, CVE lookups, and dozens more. Argus integrates MISP Modules to run targeted enrichment queries against individual IOCs directly from investigation and alert workflows, with results persisted as structured enrichment records.
Key Features
On-Demand Indicator Enrichment
Trigger execution of a MISP module against a specific indicator (IP, domain, hash, email, URL) via syncMispModules. The fetch_misp_modules_data client calls the MISP Modules REST API on the configured endpoint, asks it to run the named module against the indicator, and returns the structured enrichment results. Results are persisted to PostgreSQL, scoped to the organisation.
Multi-Module Result Management
Each enrichment result record captures the module name, input value, output data (structured JSON), execution status, and timestamp. The mispModulesItems query retrieves all enrichment results for an organisation, optionally filtered by module name or input value, which supports workflows where several modules are run against the same indicator and their results are reviewed together.
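To make the two steps above concrete (querying a module, then shaping its answer into a per-module result record), here is an added example that is not Argus or misp-modules code. It is a small Python client for the REST API that the misp-modules service exposes: GET /modules to discover what each module accepts, and POST /query to run one. The endpoint http://127.0.0.1:6666 is the package's default and is assumed here; the record field names and the numeric secrecy_level scale are illustrative, not Argus' schema. The module catalogue and responses embedded at the end are constructed so the example runs offline; the real HTTP helpers are used when no fakes are passed in.

```python
import json
import urllib.request
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Any, Callable, Optional

MISP_MODULES_URL = "http://127.0.0.1:6666"  # assumed: misp-modules' default bind address


@dataclass
class EnrichmentRecord:
    """Illustrative record shape; Argus' real columns are not documented on this page."""
    module: str
    input_value: str
    output: dict            # structured JSON from the module (one hit, or the error)
    status: str             # "ok" or "error"
    timestamp: str          # ISO-8601 UTC
    secrecy_level: int = 0  # clearance tag, 0 = unrestricted (assumed scale)


def _get_json(url: str) -> Any:
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.loads(resp.read())


def _post_json(url: str, body: dict) -> Any:
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())


def build_query(module_info: dict, attr_type: str, value: str,
                config: Optional[dict] = None) -> dict:
    """Build the POST /query body for one module.

    GET /modules describes each module: `mispattributes.input` lists the attribute
    types it accepts, and `format: misp_standard` means it wants the
    {"attribute": {...}} form rather than the flat {"<type>": value} form."""
    attrs = module_info["mispattributes"]
    if attr_type not in attrs.get("input", []):
        raise ValueError(f"{module_info['name']} does not accept {attr_type}")
    body: dict = {"module": module_info["name"]}
    if attrs.get("format") == "misp_standard":
        body["attribute"] = {"type": attr_type, "value": value}
    else:
        body[attr_type] = value
    if config:  # per-module secrets such as {"apikey": "..."} travel in "config"
        body["config"] = config
    return body


def normalize(module: str, value: str, response: dict, secrecy_level: int = 0,
              now: Optional[datetime] = None) -> list:
    """One record per returned attribute, covering the three shapes misp-modules
    returns: {"error": ...}, legacy {"results": [{"types": [...], "values": [...]}]},
    and misp_standard {"results": {"Attribute": [...], "Object": [...]}}."""
    ts = (now or datetime.now(timezone.utc)).isoformat()
    mk = lambda out, status: EnrichmentRecord(module, value, out, status, ts, secrecy_level)
    if "error" in response:
        return [mk({"error": response["error"]}, "error")]
    results = response.get("results", [])
    records = []
    if isinstance(results, dict):
        for a in results.get("Attribute", []):
            records.append(mk({"type": a["type"], "value": a["value"]}, "ok"))
        for obj in results.get("Object", []):
            for a in obj.get("Attribute", []):
                records.append(mk({"type": a["type"], "value": a["value"],
                                   "object": obj.get("name")}, "ok"))
    else:
        for item in results:
            for v in item.get("values", []):
                records.append(mk({"types": item.get("types", []), "value": v}, "ok"))
    return records


def enrich(module: str, attr_type: str, value: str, config: Optional[dict] = None,
           endpoint: str = MISP_MODULES_URL, secrecy_level: int = 0,
           get: Callable = _get_json, post: Callable = _post_json) -> list:
    """Discover the module, validate the input type, query it, normalise the answer."""
    catalogue = {m["name"]: m for m in get(f"{endpoint}/modules")}
    if module not in catalogue:
        raise KeyError(f"module {module!r} is not loaded on {endpoint}")
    body = build_query(catalogue[module], attr_type, value, config)
    return normalize(module, value, post(f"{endpoint}/query", body), secrecy_level)


def visible_to(records: list, clearance: int) -> list:
    """Clearance gate: keep only records whose tag does not exceed the caller's level."""
    return [r for r in records if r.secrecy_level <= clearance]


# Constructed stand-ins for a live service (made-up data, not real lookups): a
# legacy-format "dns" module and a misp_standard-format hash-lookup module.
FAKE_MODULES = [
    {"name": "dns", "type": "expansion",
     "mispattributes": {"input": ["hostname", "domain"], "output": ["ip-src", "ip-dst"]}},
    {"name": "hashlookup_like", "type": "expansion",
     "mispattributes": {"input": ["sha256"], "output": ["ip-dst"], "format": "misp_standard"}},
]
FAKE_RESPONSES = {
    "dns": {"results": [{"types": ["ip-src", "ip-dst"], "values": ["198.51.100.7"]}]},
    "hashlookup_like": {"results": {
        "Attribute": [{"type": "ip-dst", "value": "203.0.113.9"}],
        "Object": [{"name": "domain-ip",
                    "Attribute": [{"type": "domain", "value": "c2.example"}]}]}},
}


def demo(module: str, attr_type: str, value: str) -> list:
    """Run enrich() against the constructed catalogue and responses (offline)."""
    return enrich(module, attr_type, value, get=lambda url: FAKE_MODULES,
                  post=lambda url, body: FAKE_RESPONSES[body["module"]])


if __name__ == "__main__":
    for rec in demo("dns", "hostname", "www.example.com"):
        print(json.dumps(asdict(rec)))
```

The type check in build_query is the one worth keeping even if nothing else is reused: a module that does not list the attribute type in its input set answers with an error object, and a client that persists that as a result with a blank output quietly pollutes the audit trail.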
Result Persistence for Audit
Unlike ad-hoc external lookups, all MISP module enrichment results are persisted and audited. This satisfies EDF Golden Rule 15 requirements for data lineage and supports compliance workflows where enrichment sources must be documented alongside investigation artefacts.
Clearance-Filtered Access
Enrichment results carry secrecy_level tags, so results from higher-classification sources (for example a classified VirusTotal enterprise account or a restricted threat-intelligence API) can be limited to personnel holding the corresponding clearance.
Use Cases
- One-Click IOC Enrichment: From an alert detail view, trigger MISP module lookups for the alert's source IP and retrieve passive DNS history, BGP ownership, abuse.ch blocklist status, and VirusTotal hits in a single workflow step.
- Email Header Analysis: Use MISP's email analysis modules to extract indicators (IPs, domains, hashes) from phishing email headers and automatically enrich each extracted indicator.
- Malware Hash Lookups: Submit file hashes from CAPE Sandbox or MWDB into MISP modules running Joe Sandbox or MalwareBazaar lookups to retrieve additional analysis results without manual portal access.
- Intelligence Report Enrichment: Before publishing a threat intelligence report, run MISP enrichment modules against all referenced IOCs to add corroborating data from external sources.
Integration
Available via GraphQL: mispModulesItems, mispModulesStats (queries); syncMispModules (mutation). All operations require authentication and organisation scoping.
Requires a running MISP Modules service (the misp-modules Python package). Works alongside the MISP domain (for full MISP event management), MWDB (malware hash enrichment), and TheHive (case observable enrichment).
Last Reviewed: 2026-03-18