Overview#
Enrich any indicator of compromise in seconds by running targeted MISP module queries directly from your investigation workflow, without switching tools or losing context.
A SOC analyst investigating an alert copies the source IP into a case. Without leaving the Argus interface, she triggers a sequence of enrichment queries: passive DNS reveals the IP has hosted twelve domains in the past 90 days, several of which appear in abuse.ch blocklists; BGP routing data points to a VPS provider frequently used by cybercriminal infrastructure; a VirusTotal lookup returns two prior detections associated with a known banking trojan campaign. In under sixty seconds, a raw IP address has become an attributed threat indicator with corroborating evidence from four independent sources.
MISP Modules is the expansion framework for the MISP threat intelligence ecosystem, providing over 200 enrichment, import, and export modules that run as a microservice alongside a MISP instance. Modules span abuse.ch lookups, VirusTotal submissions, passive DNS queries, geolocation lookups, BGP routing queries, Joe Sandbox analysis submission, CVE lookups, and dozens more. Argus integrates MISP Modules to run targeted enrichment queries against individual indicators directly from investigation and alert workflows, with results persisted as structured enrichment records for audit and downstream analysis.
Key Features#
- On-Demand Indicator Enrichment: Trigger a MISP module enrichment run directly from an alert or case view. The platform invokes the MISP Modules REST service and persists the structured result scoped to your organisation. Analysts receive enrichment at the moment they need it during an active investigation, rather than waiting for a batch processing cycle to complete.
- Multi-Module Result Management: Each enrichment result records the module name, input value, input type, execution outcome, and timestamp. Persisted results can be retrieved for any indicator, so multiple modules run against the same indicator over time build a progressively richer evidence picture across an investigation's lifespan.
- Full Audit Trail: Unlike ad-hoc external lookups that leave no trace, all MISP module enrichment results are persisted and auditable. This satisfies data-lineage requirements and supports compliance workflows where enrichment sources must be documented alongside investigation artefacts, providing a defensible record of the analytical basis for attribution or escalation decisions.
- Clearance-Filtered Access: Enrichment results carry access-classification tags, so higher-sensitivity results (for example, from a restricted threat intelligence feed) are visible only to appropriately authorised personnel.
Use Cases#
- One-Click IOC Enrichment: From an alert detail view, trigger MISP module lookups for the alert's source IP to get passive DNS history, BGP ownership, abuse.ch blocklist status, and VirusTotal hits in a single workflow step, giving analysts the context they need to triage confidently.
- Email Header Analysis: Use MISP's email analysis modules to extract indicators including IPs, domains, and file hashes from phishing email headers and automatically enrich each extracted indicator, turning a reported phishing email into a structured set of attributed indicators.
- Malware Hash Lookups: Submit file hashes from sandbox analysis platforms into MISP modules running MalwareBazaar or similar lookups to retrieve additional analysis results without requiring manual portal access across multiple platforms.
- Intelligence Report Enrichment: Before publishing a threat intelligence report, run MISP enrichment modules against all referenced indicators to add corroborating data from external sources, strengthening the evidentiary basis of the report.
Integration#
The MISP Modules capability is accessible via GraphQL. Queries allow retrieval of enrichment results and aggregate statistics for your organisation; mutations allow triggering a new module run against a nominated indicator. All operations require authentication and are automatically scoped to your organisation.
Argus connects to a self-hosted or customer-managed MISP Modules service over its REST API using Bearer token authentication. Note that misp-modules itself has no built-in authentication; its REST listener is meant to be bound to localhost or placed behind an authenticating reverse proxy, which is where the Bearer token is enforced. Results are normalised and stored in the platform's enrichment record model, making them available to case management, alerting, and reporting workflows. The capability works alongside the MISP platform feed connector (for full MISP event synchronisation), malware repository connectors (for hash enrichment), and case management integrations.
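The client-side shape of a single enrichment run, as an added example rather than Argus's own code: build the `/query` request misp-modules accepts, then normalise the reply into a record carrying the fields listed under Multi-Module Result Management (module name, input type, input value, outcome, timestamp). The service URL, the `EnrichmentRecord` type and the sample replies are assumptions for illustration; the sample replies are constructed in the two reply shapes misp-modules uses (legacy `types`/`values` items and MISP `Attribute`/`Object` results) plus its `error` form, not captured from a live service.

```python
"""Build a MISP Modules /query request and normalise the JSON reply into an
enrichment record (module, input type, input value, outcome, timestamp)."""
import json
import urllib.request
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Assumed deployment: misp-modules on its default port, reachable only from the
# platform (bind to localhost or front it with an authenticating proxy).
MISP_MODULES_URL = "http://127.0.0.1:6666"


@dataclass
class EnrichmentRecord:                           # hypothetical record model
    module: str
    input_type: str
    input_value: str
    outcome: str                                  # "success", "empty" or "error"
    timestamp: str                                # ISO 8601, UTC
    results: List[Tuple[str, str]] = field(default_factory=list)  # (MISP type, value)
    error: Optional[str] = None


def build_query(module: str, input_type: str, value: str,
                config: Optional[dict] = None) -> dict:
    """Body for POST /query in the attribute form misp-modules accepts."""
    body = {"module": module, "attribute": {"type": input_type, "value": value}}
    if config:                                    # per-module settings, e.g. an API key
        body["config"] = config
    return body


def normalise(module: str, input_type: str, value: str, response,
              now: Optional[datetime] = None) -> EnrichmentRecord:
    """Map both reply formats and the error form onto one record. An
    unexpected shape is recorded as an error, never as 'no results'."""
    ts = (now or datetime.now(timezone.utc)).isoformat()
    if not isinstance(response, dict):
        return EnrichmentRecord(module, input_type, value, "error", ts, error="reply is not a JSON object")
    if "error" in response:
        return EnrichmentRecord(module, input_type, value, "error", ts, error=str(response["error"]))
    results = response.get("results", [])
    pairs: List[Tuple[str, str]] = []
    if isinstance(results, dict):
        # Newer modules return MISP attributes, possibly grouped into objects.
        attrs = list(results.get("Attribute", []))
        for obj in results.get("Object", []):
            attrs.extend(obj.get("Attribute", []))
        pairs = [(a.get("type", "unknown"), str(a.get("value"))) for a in attrs]
    elif isinstance(results, list):
        # Legacy modules return {"types": [...], "values": [...]} items, where
        # 'types' lists the MISP attribute types the values may be imported as.
        for item in results:
            kind = (item.get("types") or ["unknown"])[0]
            pairs.extend((kind, str(v)) for v in item.get("values", []))
    else:
        return EnrichmentRecord(module, input_type, value, "error", ts, error="unrecognised results shape")
    return EnrichmentRecord(module, input_type, value, "success" if pairs else "empty", ts, results=pairs)


def run_module(module, input_type, value, token=None, timeout=10.0):
    """Live call; the timeout bounds how long a slow module can hold the worker."""
    headers = {"Content-Type": "application/json"}
    if token:                                     # only meaningful behind an authenticating proxy
        headers["Authorization"] = f"Bearer {token}"
    req = urllib.request.Request(f"{MISP_MODULES_URL}/query", method="POST", headers=headers,
                                 data=json.dumps(build_query(module, input_type, value)).encode())
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return normalise(module, input_type, value, json.load(resp))


# Constructed replies (not captured from a real service) in the shapes handled above.
LEGACY_REPLY = {"results": [{"types": ["ip-src", "ip-dst"], "values": ["192.0.2.10", "192.0.2.11"]}]}
OBJECT_REPLY = {"results": {"Object": [{"name": "asn", "Attribute": [
    {"type": "AS", "value": "AS64496"}, {"type": "text", "value": "Example VPS Ltd"}]}]}}
ERROR_REPLY = {"error": "Unknown module"}


def demo():
    return [normalise("dns", "hostname", "example.com", LEGACY_REPLY),
            normalise("bgpranking", "ip-src", "192.0.2.10", OBJECT_REPLY),
            normalise("nosuchmodule", "ip-src", "192.0.2.10", ERROR_REPLY)]


if __name__ == "__main__":
    for rec in demo():
        print(rec)
```

Keeping the outcome as a three-way value (success, empty, error) matters for the audit trail: "the module answered and found nothing" and "the module could not be reached" are different analytical facts, and collapsing them hides outages behind clean-looking indicators.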
Open Standards#
- MISP core format: events, attributes, and objects follow the MISP standard data model; the platform communicates with MISP instances via the MISP REST API (2.4 series) using JSON payloads.
- MISP distribution model: the MISP distribution-level field is respected on ingest; indicators inherit an access classification derived from the originating event's distribution setting, controlling who in your organisation can view each record.
- TLP (Traffic Light Protocol, FIRST): the MISP distribution levels map to TLP-equivalent sharing controls (TLP:WHITE / TLP:GREEN / TLP:AMBER / TLP:RED; TLP 2.0 renames TLP:WHITE to TLP:CLEAR and adds TLP:AMBER+STRICT), ensuring indicators are shared only with audiences permitted by the originating community.
- REST / JSON: all communication between Argus and both the MISP platform and the MISP Modules service uses standard HTTP REST with JSON request and response bodies.
- OAuth 2.0 / JWT: platform API access, including all GraphQL operations, is authenticated via OAuth 2.0 Bearer tokens in JWT format; organisation scoping is enforced on every request.
- GraphQL: the enrichment query and mutation surface is exposed through the platform's unified GraphQL API, enabling consistent integration with any GraphQL-capable client or automation pipeline.
Security & Compliance#
All enrichment results are persisted with a full audit trail recording the source module, input indicator, requesting user, and timestamp. Access to enrichment results is enforced at the organisation boundary and further restricted by the indicator's inherited classification level. External calls to MISP module endpoints are subject to fault-isolation controls that prevent a slow or unavailable enrichment service from degrading the broader investigation platform. All API access requires a valid authenticated session; unauthenticated or cross-organisation access is rejected at the API layer.
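One way to implement the fault-isolation control described above, as an added example and not Argus's own implementation: a circuit breaker around the enrichment call with a hard per-call timeout. After a run of failures the breaker opens and subsequent runs fail immediately without touching the service; after a reset window it lets one probe through and closes again on success. The thresholds, the `CircuitBreaker` class and the stand-in dead and slow services are assumptions for illustration; `simulate()` drives the breaker through a constructed outage with a fake clock so the state changes can be observed offline.

```python
"""Fault isolation for MISP Modules calls: a per-service circuit breaker with a
hard call timeout, so a slow or unreachable enrichment service fails fast
instead of stalling the investigation workflow."""
import time
from concurrent.futures import ThreadPoolExecutor


class CircuitOpen(Exception):
    """Raised when the breaker refuses a call without contacting the service."""


class CircuitBreaker:                # hypothetical; thresholds are illustrative
    """closed: calls pass through. open: calls fail at once for reset_after
    seconds. half-open: a single probe call decides the next state."""

    def __init__(self, failure_threshold=3, reset_after=30.0,
                 call_timeout=5.0, clock=time.monotonic):
        self.failure_threshold = failure_threshold
        self.reset_after = reset_after
        self.call_timeout = call_timeout
        self.clock = clock           # injectable so the reset window is testable
        self.failures = 0
        self.opened_at = None
        self._pool = ThreadPoolExecutor(max_workers=4)

    @property
    def state(self):
        if self.opened_at is None:
            return "closed"
        if self.clock() - self.opened_at >= self.reset_after:
            return "half-open"
        return "open"

    def call(self, fn, *args):
        if self.state == "open":
            raise CircuitOpen("enrichment service marked unavailable; failing fast")
        future = self._pool.submit(fn, *args)
        try:
            # The timeout returns control to the caller even if the worker thread
            # is still blocked; pair it with a socket-level timeout on the HTTP
            # client so blocked threads are eventually released.
            result = future.result(timeout=self.call_timeout)
        except Exception:
            self.failures += 1
            if self.state == "half-open" or self.failures >= self.failure_threshold:
                self.opened_at = self.clock()
            raise
        self.failures = 0
        self.opened_at = None
        return result


def simulate():
    """Constructed outage: one refused connection, one hung call, then recovery.
    Returns what an observer sees at each step."""
    now = [0.0]
    cb = CircuitBreaker(failure_threshold=2, reset_after=10.0,
                        call_timeout=0.05, clock=lambda: now[0])
    attempts = []

    def dead_service(ioc):           # stand-in for an unreachable module service
        attempts.append(ioc)
        raise ConnectionError("connection refused")

    def slow_service(ioc):           # stand-in for a hung module service
        attempts.append(ioc)
        time.sleep(0.5)
        return {"results": []}

    seen = {"errors": []}
    for fn in (dead_service, slow_service):
        try:
            cb.call(fn, "192.0.2.10")
        except Exception as exc:
            seen["errors"].append(type(exc).__name__)
    seen["state_after_failures"] = cb.state
    try:
        cb.call(dead_service, "192.0.2.10")
    except CircuitOpen:
        seen["fast_failed"] = True
    seen["attempts_while_open"] = len(attempts)   # the refused call never reached the service
    now[0] = 11.0                                  # reset window elapsed
    seen["state_after_reset"] = cb.state
    seen["probe"] = cb.call(lambda ioc: {"results": [{"types": ["text"], "values": ["ok"]}]}, "192.0.2.10")
    seen["state_after_probe"] = cb.state
    return seen


if __name__ == "__main__":
    print(simulate())
```

In the platform the open state should surface to the analyst as an explicit "enrichment unavailable" outcome on the persisted record, so the audit trail distinguishes a module that was never consulted from one that returned no findings.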
Last Reviewed: 2026-03-18 / Last Updated: 2026-04-14