
Threat Intelligence: MISP Integration


Category: Intelligence | Last Updated: Mar 18, 2026
Tags: intelligence, real-time, geospatial

Overview#

Following a wave of spear phishing attacks targeting energy sector operators across three EU member states, CERT-EU published a MISP event containing fifty-seven indicators: domains, IPs, file hashes, and a YARA rule. Within minutes of the event appearing in the CERT-EU MISP feed, each subscribing organisation's Argus instance had ingested those indicators, correlated them against active Suricata alerts, and surfaced matches for analyst review. Two organisations identified retrospective hits against historical traffic they had not previously flagged. The automated feed ingestion compressed what would have been a multi-hour manual distribution cycle into an automated response that operated while analysts slept.

Argus integrates with MISP (Malware Information Sharing Platform), the open-source threat intelligence platform used by national CERTs, law enforcement agencies, and defence organisations worldwide. The integration provides bidirectional IOC sharing: Argus ingests live threat feeds from configured MISP instances and pushes curated intelligence back to partner organisations, enabling real-time indicator enrichment and community-level threat sharing within a multi-tenant data-sovereignty boundary.

The MISP service operates with circuit-breaker protection, meaning temporary MISP instance failures do not cascade into Argus operations. Feed synchronisation can be triggered on demand or scheduled, and every ingest or export event is logged to the EDF-compliant audit trail.

Key Features#

IOC Feed Ingestion#

Configure one or more MISP feed endpoints per organisation. The ingestion pipeline iterates over MISP event attribute lists, normalises each attribute into Argus indicator records, and upserts them to PostgreSQL as the source of truth. Supported attribute types include IP addresses, domain names, URLs, file hashes, email addresses, and YARA rules. Duplicate detection prevents reprocessing of known indicators, keeping the database clean during repeated synchronisation cycles.
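The pipeline described above, as an added example rather than Argus code: it walks a MISP event's attribute list, splits composite types such as `domain|ip`, canonicalises values so that spelling variants collide on one key, and upserts into a dict that stands in for the PostgreSQL indicator table. The type mapping, the record shape and the sample event are all constructed for this illustration.

```python
"""Normalise MISP event attributes into indicator records and upsert them with
duplicate detection. Added illustration, not Argus code: an in-memory dict
stands in for the PostgreSQL indicator table, and the type mapping, record
shape and canonicalisation rules are assumptions."""
import ipaddress
from dataclasses import dataclass, field

# Assumed mapping of MISP attribute types to indicator kinds. "ip" only occurs
# as the second half of composite types such as "domain|ip".
MISP_TYPE_MAP = {
    "ip-src": "ip", "ip-dst": "ip", "ip": "ip",
    "domain": "domain", "hostname": "domain", "url": "url",
    "md5": "hash", "sha1": "hash", "sha256": "hash",
    "email-src": "email", "email-dst": "email", "yara": "yara",
}


@dataclass
class Indicator:
    kind: str
    value: str
    to_ids: bool
    first_seen: int
    last_seen: int
    source_uuids: set = field(default_factory=set)  # MISP attribute UUIDs that contributed
    tags: set = field(default_factory=set)

    def _snapshot(self):
        return (self.to_ids, self.first_seen, self.last_seen,
                frozenset(self.source_uuids), frozenset(self.tags))

    def merge(self, other: "Indicator") -> bool:
        """Fold a repeat sighting of the same (kind, value) in; True if anything changed."""
        before = self._snapshot()
        self.to_ids = self.to_ids or other.to_ids
        self.first_seen = min(self.first_seen, other.first_seen)
        self.last_seen = max(self.last_seen, other.last_seen)
        self.source_uuids |= other.source_uuids
        self.tags |= other.tags
        return self._snapshot() != before


def canonical(kind: str, raw: str) -> str:
    """Canonical form used as the dedup key, so 'Foo.Example.' and 'foo.example' collide."""
    v = raw.strip()
    if kind == "domain":
        return v.lower().rstrip(".")
    if kind in ("hash", "email"):
        return v.lower()
    if kind == "ip":
        return str(ipaddress.ip_address(v))  # also collapses IPv6 zero runs
    return v


def normalise_event(event_json: dict):
    """Turn one MISP event (REST JSON shape) into Indicator records.
    Returns (records, skipped); skipped counts attributes with no mappable type."""
    records, skipped = [], 0
    for attr in event_json["Event"].get("Attribute", []):
        misp_types = attr["type"].split("|")
        # Split the value only as often as the type is composite: a yara rule
        # or URL may legitimately contain '|'.
        parts = attr["value"].split("|", len(misp_types) - 1)
        pairs = [(t, v) for t, v in zip(misp_types, parts) if t in MISP_TYPE_MAP]
        if len(parts) != len(misp_types) or not pairs:
            skipped += 1
            continue
        tags = {t["name"] for t in attr.get("Tag", [])}
        ts = int(attr["timestamp"])
        for misp_type, raw in pairs:
            kind = MISP_TYPE_MAP[misp_type]
            records.append(Indicator(kind, canonical(kind, raw), bool(attr.get("to_ids")),
                                     ts, ts, {attr["uuid"]}, set(tags)))
    return records, skipped


def upsert(store: dict, records) -> dict:
    """Upsert keyed on (kind, value); the counts are what a sync log line would report."""
    counts = {"inserted": 0, "updated": 0, "unchanged": 0}
    for rec in records:
        key = (rec.kind, rec.value)
        existing = store.get(key)
        if existing is None:
            store[key] = rec
            counts["inserted"] += 1
        elif existing.merge(rec):
            counts["updated"] += 1
        else:
            counts["unchanged"] += 1
    return counts


def sync_event(store: dict, event_json: dict) -> dict:
    records, skipped = normalise_event(event_json)
    counts = upsert(store, records)
    counts["skipped"] = skipped
    return counts


# Constructed sample event in the MISP REST JSON shape (not real CERT-EU data).
SAMPLE_EVENT = {"Event": {"id": "42", "info": "Spear phishing, energy sector", "Attribute": [
    {"uuid": "a1", "type": "domain", "value": "Login-Portal.Example", "to_ids": True,
     "timestamp": "1710720000", "Tag": [{"name": "tlp:amber"}]},
    {"uuid": "a2", "type": "ip-dst", "value": "203.0.113.10", "to_ids": True, "timestamp": "1710720000"},
    {"uuid": "a3", "type": "domain|ip", "value": "mail.example.invalid|198.51.100.7",
     "to_ids": True, "timestamp": "1710720000"},
    {"uuid": "a4", "type": "sha256", "to_ids": True, "timestamp": "1710720000",
     "value": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"},
    # Same domain as a1 in a different spelling: must merge, not insert.
    {"uuid": "a5", "type": "domain", "value": "login-portal.example.", "to_ids": False, "timestamp": "1710720100"},
    {"uuid": "a6", "type": "comment", "value": "analyst note, not an indicator", "to_ids": False,
     "timestamp": "1710720000"},
]}}

if __name__ == "__main__":
    db = {}
    print("first sync:", sync_event(db, SAMPLE_EVENT))   # 5 inserted, 1 updated, 1 skipped
    print("second sync:", sync_event(db, SAMPLE_EVENT))  # nothing inserted: all unchanged
```

Running the same event twice reports no inserts the second time, which is the property the duplicate detection is there to guarantee; the `unchanged` count is also a cheap signal in the audit trail that a sync cycle delivered nothing new.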

Bidirectional Sharing via Push#

Argus publishes curated threat indicators back to a connected MISP instance via the pushToMisp mutation. Analysts mark indicators for sharing and propagate findings to partner MISP communities without leaving the platform, supporting information-sharing frameworks such as TLP (Traffic Light Protocol) and MISP sharing groups. This bidirectional capability is what makes Argus a contributor to collective defence rather than only a consumer of it.

Feed Configuration Management#

Store and manage named MISP feed configurations per organisation, including base URL, API key, feed identifier, and sync cadence. Configurations are persisted in PostgreSQL and available through the mispFeedConfigs GraphQL query. Organisations can maintain different feed configurations for different trust circles: national CERT feeds, sector-specific threat sharing groups, and allied-nation intelligence exchanges, each with their own access credentials and sync schedules.

Circuit-Breaker Fault Isolation#

All external calls to MISP instances pass through a shared circuit breaker with a configurable failure threshold. After five consecutive failures the circuit opens and Argus serves the most recently cached feed data instead of propagating errors; recovery is automatic, with the breaker retrying MISP after a 60-second timeout and closing again on success. This keeps MISP downtime or maintenance from affecting Argus platform reliability, with the caveat that indicators served while the circuit is open are only as fresh as the last successful synchronisation.
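An added example of the fault isolation just described, not the Argus implementation: a three-state breaker (closed, open, half-open) with the five-failure threshold and 60-second recovery timeout from the text, wrapped around a feed client that falls back to its last good copy and flags it as stale. The injectable clock and the scripted transport are test doubles constructed for the demonstration.

```python
"""Circuit breaker around MISP REST calls with cached fallback. Added example,
not the Argus implementation: the state machine, the injectable clock and the
scripted transport are constructed to show the 5-failure / 60-second behaviour."""
import time
from enum import Enum


class State(Enum):
    CLOSED = "closed"        # requests flow to MISP
    OPEN = "open"            # requests are refused until the recovery timeout elapses
    HALF_OPEN = "half_open"  # one trial request decides whether to close again


class CircuitOpen(Exception):
    """Raised instead of contacting MISP while the circuit is open."""


class CircuitBreaker:
    def __init__(self, failure_threshold=5, recovery_timeout=60.0, clock=time.monotonic):
        self.failure_threshold, self.recovery_timeout, self._clock = failure_threshold, recovery_timeout, clock
        self.state, self.failures, self._opened_at = State.CLOSED, 0, 0.0

    def call(self, fn, *args, **kwargs):
        if self.state is State.OPEN:
            if self._clock() - self._opened_at < self.recovery_timeout:
                raise CircuitOpen("MISP circuit open, not contacting upstream")
            self.state = State.HALF_OPEN  # timeout elapsed: allow exactly one trial
        try:
            result = fn(*args, **kwargs)
        except Exception:
            self._on_failure()
            raise
        self.failures, self.state = 0, State.CLOSED
        return result

    def _on_failure(self):
        self.failures += 1
        # A failed trial reopens immediately; otherwise open at the threshold.
        if self.state is State.HALF_OPEN or self.failures >= self.failure_threshold:
            self.state, self._opened_at = State.OPEN, self._clock()


class MispFeedClient:
    """Fetch through the breaker; on any upstream problem serve the last good copy
    and flag it as stale so the caller (and the audit log) can tell."""
    def __init__(self, transport, breaker):
        self.transport, self.breaker, self.cache = transport, breaker, {}

    def get_event(self, event_id):
        try:
            event = self.breaker.call(self.transport, event_id)
        except (CircuitOpen, OSError):  # ConnectionError/TimeoutError are OSError subclasses
            if event_id in self.cache:
                return self.cache[event_id], True
            raise
        self.cache[event_id] = event
        return event, False


class FakeClock:  # constructed test double
    def __init__(self): self.now = 0.0
    def __call__(self): return self.now
    def advance(self, seconds): self.now += seconds


class ScriptedTransport:  # constructed stand-in for the MISP REST call
    def __init__(self, outcomes): self.outcomes, self.calls = list(outcomes), 0
    def __call__(self, event_id):
        self.calls += 1
        outcome = self.outcomes.pop(0)
        if isinstance(outcome, Exception):
            raise outcome
        return outcome


def run_scenario():
    """Returns a trace of (stale, breaker state, upstream calls so far) per request."""
    clock = FakeClock()
    breaker = CircuitBreaker(failure_threshold=5, recovery_timeout=60, clock=clock)
    transport = ScriptedTransport([{"Event": {"id": "42"}}]
                                  + [ConnectionError("MISP unreachable")] * 6
                                  + [{"Event": {"id": "42", "timestamp": "2"}}])
    client = MispFeedClient(transport, breaker)
    trace = []

    def request():
        _, stale = client.get_event("42")
        trace.append((stale, breaker.state.value, transport.calls))

    request()                 # healthy: fresh data, now cached
    for _ in range(5):
        request()             # five consecutive failures open the circuit
    request()                 # open: served from cache, MISP not contacted
    clock.advance(61)
    request()                 # half-open trial fails: reopens for another 60 s
    request()                 # still open, no upstream call
    clock.advance(61)
    request()                 # trial succeeds: circuit closes, fresh data
    return trace


if __name__ == "__main__":
    for row in run_scenario():
        print(row)
```

The trace shows the two points that matter operationally: once open, the breaker stops hitting MISP entirely (the call counter stands still), and a failed half-open trial reopens it without waiting for another five failures.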

Clearance-Aware Indicator Listing#

Indicator listings apply row-level secrecy filtering: users whose clearance level is below the secrecy_level tag on an indicator will not see it in API responses. This allows a single MISP feed to contain multi-classification intelligence while Argus enforces need-to-know at the query layer, satisfying EDF data sovereignty requirements for coalition deployments where intelligence at different classification levels flows through the same infrastructure.
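An added example of the row-level filter, covering both this section and the TLP mapping noted under Open Standards below; it is not Argus code. The numeric clearance scale, the choice to treat untagged intelligence as amber, and the fail-closed rule for a tlp:* tag outside the known set are assumptions made for the illustration; the sample event is constructed.

```python
"""Row-level secrecy filtering for indicator listings, with TLP tags mapped to
clearance levels. Added example, not Argus code: the clearance scale, the
default for untagged intelligence and the fail-closed rule are assumptions."""

# Assumed clearance scale. TLP 2.0 renamed WHITE to CLEAR and added AMBER+STRICT;
# both spellings of the lowest level are accepted.
TLP_TO_SECRECY = {
    "tlp:clear": 0, "tlp:white": 0,
    "tlp:green": 1,
    "tlp:amber": 2,
    "tlp:amber+strict": 3,
    "tlp:red": 4,
}
MAX_SECRECY = max(TLP_TO_SECRECY.values())
DEFAULT_SECRECY = TLP_TO_SECRECY["tlp:amber"]  # assumption: untagged intel is not freely shareable


def secrecy_level(attribute_tags, event_tags) -> int:
    """Attribute-level TLP tags override event-level ones (MISP attributes otherwise
    inherit event tags). With several tags the strictest wins. A tlp:* tag outside
    the known set fails closed to the highest level rather than leaking as public."""
    own = [t.lower() for t in attribute_tags if t.lower().startswith("tlp:")]
    tags = own or [t.lower() for t in event_tags if t.lower().startswith("tlp:")]
    if not tags:
        return DEFAULT_SECRECY
    return max(TLP_TO_SECRECY.get(t, MAX_SECRECY) for t in tags)


def ingest(event: dict, org_id: str) -> list:
    """Flatten a MISP event into indicator rows carrying org scope and secrecy_level."""
    event_tags = [t["name"] for t in event["Event"].get("Tag", [])]
    rows = []
    for attr in event["Event"].get("Attribute", []):
        attr_tags = [t["name"] for t in attr.get("Tag", [])]
        rows.append({"org_id": org_id, "type": attr["type"], "value": attr["value"],
                     "secrecy_level": secrecy_level(attr_tags, event_tags)})
    return rows


def list_indicators(rows, org_id: str, clearance: int) -> list:
    """The query-layer predicate: organisation scope first, then clearance >= secrecy_level."""
    return [r for r in rows if r["org_id"] == org_id and r["secrecy_level"] <= clearance]


def count_indicators(rows, org_id: str, clearance: int) -> int:
    # Counts must go through the same predicate, or a total would reveal that
    # higher-classified rows exist even though they are never listed.
    return len(list_indicators(rows, org_id, clearance))


# Constructed MISP event: event-level tlp:green, attribute-level overrides.
SAMPLE_EVENT = {"Event": {"info": "constructed", "Tag": [{"name": "tlp:green"}], "Attribute": [
    {"type": "domain", "value": "inherits-green.example"},
    {"type": "ip-dst", "value": "203.0.113.10", "Tag": [{"name": "tlp:amber"}]},
    {"type": "sha256", "value": "00" * 32, "Tag": [{"name": "tlp:amber+strict"}]},
    {"type": "url", "value": "http://c2.example/x", "Tag": [{"name": "tlp:red"}]},
    {"type": "md5", "value": "ff" * 16, "Tag": [{"name": "TLP:clear"}]},
    {"type": "email-src", "value": "x@example.invalid", "Tag": [{"name": "tlp:ex:chr"}]},
]}}

if __name__ == "__main__":
    rows = ingest(SAMPLE_EVENT, "org-a")
    for clearance in range(MAX_SECRECY + 1):
        print(clearance, [r["value"] for r in list_indicators(rows, "org-a", clearance)])
```

The email indicator carries `tlp:ex:chr`, which is a real MISP taxonomy tag but not one of the six sharing levels; mapping it to the top level rather than to the default is what keeps an unexpected tag from widening visibility.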

Use Cases#

  • National CERT Feed Subscription: Pull daily or real-time indicator feeds from national CERTs such as CERT-EU, CIRCL, and CERT-FR directly into the analyst workspace for enrichment and cross-referencing against active investigations, ensuring the organisation's indicator database stays current with the broader European cyber threat landscape.
  • Law Enforcement Intelligence Sharing: Push confirmed threat actor indicators into a law enforcement MISP community after case conclusion, accelerating cross-agency investigation timelines and contributing to prosecutorial intelligence without exposing case-sensitive details prematurely.
  • Lateral Movement Detection: Ingest network IOCs from an on-premises MISP instance and correlate against Suricata alerts and Sigma rule hits in real time, closing the gap between threat intelligence and operational detection that often allows lateral movement to proceed undetected.
  • Partner Attribution Support: Receive MISP events from allied nation partners and automatically attribute observed indicators to known threat actor profiles in the Argus investigation graph, supporting joint attribution analysis in coalition cyber operations.

Integration#

Available via GraphQL: mispIndicators, mispFeedConfigs (queries); syncMispFeed, saveMispFeedConfig, pushToMisp (mutations). All endpoints require authentication and organisation scoping. Feed credentials are stored as organisation-scoped secrets and never returned through the API.

MISP Modules enrichment (a separate domain) can be chained after feed ingestion to run automated enrichment queries against indicators as they arrive. The integration targets the MISP REST API (MISP 2.4 and above) and the MISP standard feed format.

Open Standards#

  • MISP Standard Event/Attribute Format (MISP REST API v2.4+): The integration consumes and produces MISP event and attribute JSON payloads via the MISP REST API, supporting all core attribute types including IP addresses, domain names, file hashes, URLs, email addresses, and YARA rules.
  • STIX 2.1 (OASIS CTI TC): Indicators and intelligence reports ingested from MISP feeds are convertible to and from STIX 2.1 Structured Threat Information Expression objects, enabling interoperability with any STIX-aware platform or feed.
  • TAXII 2.1 (OASIS CTI TC): The platform includes a TAXII 2.1 polling client that retrieves STIX objects from TAXII collections (delivered in TAXII 2.1 envelopes rather than the STIX bundles of TAXII 2.0). Pagination follows the specification: the value of the X-TAXII-Date-Added-Last response header is passed as the added_after filter of the next request until the envelope reports no further objects.
  • TLP (Traffic Light Protocol, FIRST): Sharing controls on both inbound MISP events and outbound push payloads honour TLP marking-definition UUIDs (WHITE/GREEN/AMBER/AMBER+STRICT/RED/CLEAR, where WHITE is the pre-TLP-2.0 name of CLEAR), mapped to Argus clearance levels for row-level access enforcement.
  • YARA: YARA rule strings are a natively ingested MISP attribute type; rules arriving in MISP events are persisted as indicators and can be correlated against file and memory artefacts within the platform.
  • CVE (MITRE/NVD): Vulnerability attribute types in MISP events are normalised to CVE identifiers and stored as structured indicator records, enabling cross-referencing against observed vulnerability data.
  • MITRE ATT&CK: Threat actor attribution linked to ingested MISP indicators uses MITRE ATT&CK technique IDs (TTP matching) to weight attribution confidence scores and surface tactic/technique mappings to analysts.
  • GraphQL (June 2018 specification): All feed configuration, indicator listing, synchronisation, and push operations are exposed as a typed GraphQL API (queries and mutations), providing a consistent query interface over the MISP integration layer.
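The TAXII 2.1 polling exchange from the list above, as an added example that is not the Argus client: both sides are shown, with an in-process fake server standing in for a TAXII endpoint. The API root, collection name, two-object page limit and STIX objects are constructed for the demonstration.

```python
"""TAXII 2.1 polling with added_after checkpointing driven by the
X-TAXII-Date-Added-Last header. Added example, not the Argus client: the
in-process fake server, its page size and the STIX objects are constructed."""

TAXII_MEDIA = "application/taxii+json;version=2.1"


def poll_collection(http_get, api_root, collection_id, added_after=None, max_pages=100):
    """Drain every object added after `added_after` from a TAXII 2.1 collection.

    `http_get(url, params, headers)` returns (status, response_headers, json_body).
    Returns (objects, checkpoint): persist the checkpoint and pass it back as
    `added_after` on the next poll so only newly added objects are fetched."""
    url = f"{api_root.rstrip('/')}/collections/{collection_id}/objects/"
    headers = {"Accept": TAXII_MEDIA}
    objects, seen = [], set()
    checkpoint = added_after
    for _ in range(max_pages):
        params = {"added_after": checkpoint} if checkpoint else {}
        status, resp_headers, body = http_get(url, params, headers)
        if status != 200:
            raise RuntimeError(f"TAXII GET {url} returned {status}")
        for obj in body.get("objects", []):
            # Versions of one object share an id; (id, modified) is the unit of change.
            key = (obj["id"], obj.get("modified"))
            if key not in seen:
                seen.add(key)
                objects.append(obj)
        last_added = resp_headers.get("X-TAXII-Date-Added-Last")
        if last_added:
            checkpoint = last_added
        if not body.get("more"):
            return objects, checkpoint
    # more=true without a usable header would otherwise repeat the same request forever
    raise RuntimeError("TAXII pagination did not terminate")


class FakeTaxiiServer:
    """Constructed stand-in for a TAXII 2.1 server with a two-object page limit."""
    PAGE_LIMIT = 2
    # (date_added as recorded by the server, STIX 2.1 object); constructed data.
    OBJECTS = [
        ("2026-03-18T09:00:00.000Z", {"type": "indicator", "id": "indicator--0001", "pattern_type": "stix",
                                      "pattern": "[domain-name:value = 'login-portal.example']"}),
        ("2026-03-18T10:00:00.000Z", {"type": "indicator", "id": "indicator--0002", "pattern_type": "stix",
                                      "pattern": "[ipv4-addr:value = '203.0.113.10']"}),
        ("2026-03-18T11:00:00.000Z", {"type": "indicator", "id": "indicator--0003", "pattern_type": "stix",
                                      "pattern": "[file:hashes.'SHA-256' = '" + "00" * 32 + "']"}),
        ("2026-03-18T12:00:00.000Z", {"type": "indicator", "id": "indicator--0004", "pattern_type": "stix",
                                      "pattern": "[url:value = 'http://c2.example/x']"}),
        ("2026-03-18T13:00:00.000Z", {"type": "indicator", "id": "indicator--0005", "pattern_type": "yara",
                                      "pattern": "rule constructed { strings: $a = \"x\" condition: $a }"}),
    ]

    def __init__(self):
        self.calls = 0

    def __call__(self, url, params, headers):
        self.calls += 1
        if headers.get("Accept") != TAXII_MEDIA:
            return 406, {}, {}
        after = params.get("added_after")
        # added_after is exclusive; fixed-width RFC 3339 strings compare correctly.
        matching = [(ts, o) for ts, o in self.OBJECTS if after is None or ts > after]
        page = matching[:self.PAGE_LIMIT]
        resp = {"Content-Type": TAXII_MEDIA}
        if page:
            resp["X-TAXII-Date-Added-First"] = page[0][0]
            resp["X-TAXII-Date-Added-Last"] = page[-1][0]
        envelope = {"more": len(matching) > self.PAGE_LIMIT, "objects": [o for _, o in page]}
        return 200, resp, envelope


if __name__ == "__main__":
    server = FakeTaxiiServer()
    objs, checkpoint = poll_collection(server, "https://taxii.example/api1/", "energy-iocs")
    print(len(objs), "objects over", server.calls, "requests; next added_after =", checkpoint)
```

Two things the loop has to get right: the checkpoint is only advanced when the header is present, so a server that says `more: true` without it trips the page cap instead of spinning, and objects are de-duplicated on (id, modified) because a re-poll from a stored checkpoint can legitimately overlap with what was already ingested. A checkpoint by timestamp cannot distinguish two objects added at the same instant, so if a server splits such objects across a page boundary the tail would be skipped; that is the gap TAXII 2.1's `next` parameter exists to close, and a client talking to an unfamiliar server should prefer `next` when the envelope supplies it.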

Last Reviewed: 2026-03-18 Last Updated: 2026-04-14
