Overview
Following a wave of spear phishing attacks targeting energy sector operators across three EU member states, CERT-EU published a MISP event containing fifty-seven indicators: domains, IPs, file hashes, and a YARA rule. Within minutes of the event appearing in the CERT-EU MISP feed, each subscribing organisation's Argus instance had ingested those indicators, correlated them against active Suricata alerts, and surfaced matches for analyst review. Two organisations identified retrospective hits against historical traffic they had not previously flagged. The automated feed ingestion compressed what would have been a multi-hour manual distribution cycle into an automated response that operated while analysts slept.
Argus integrates with MISP (Malware Information Sharing Platform), the open-source threat intelligence platform used by national CERTs, law enforcement agencies, and defence organisations worldwide. The integration provides bidirectional IOC sharing: Argus ingests live threat feeds from configured MISP instances and pushes curated intelligence back to partner organisations, enabling real-time indicator enrichment and community-level threat sharing within a multi-tenant data-sovereignty boundary.
The MISP service operates with circuit-breaker protection, meaning temporary MISP instance failures do not cascade into Argus operations. Feed synchronisation can be triggered on demand or scheduled, and every ingest or export event is logged to the EDF-compliant audit trail.
Diagram

flowchart LR
A[CERT-EU MISP Feed] --> E[Argus MISP Integration]
B[National CERT Feeds] --> E
C[Sector ISAC Feeds] --> E
D[Allied Nation MISP] --> E
E --> F[Attribute Normalisation]
E --> G[Duplicate Detection]
E --> H[Circuit Breaker]
F --> I[PostgreSQL Indicator Store]
I --> J[Suricata Cross-Correlation]
I --> K[Sigma Rule Overlay]
I --> L[Push to Partner MISP]

Key Features
IOC Feed Ingestion
Configure one or more MISP feed endpoints per organisation. The ingestion pipeline iterates over MISP event attribute lists, normalises each attribute into Argus indicator records, and upserts them to PostgreSQL as the source of truth. Supported attribute types include IP addresses, domain names, URLs, file hashes, email addresses, and YARA rules. Duplicate detection prevents reprocessing of known indicators, keeping the database clean during repeated synchronisation cycles.
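The normalise-then-upsert step above, as an added example that is not Argus project code: it walks the Attribute list of a MISP event (the JSON shape MISP returns for an event), maps the MISP attribute types the page lists onto indicator kinds, carries TLP from attribute or event tags, and skips already-known (kind, value) pairs on repeated sync cycles. The kind names, the Indicator record shape and the in-memory store standing in for PostgreSQL are assumptions; the sample event is constructed.

```python
import json
from dataclasses import dataclass
# MISP attribute type -> indicator kind (assumed Argus kind names; covers the types the page lists)
MISP_TYPE_MAP = {"ip-src": "ip", "ip-dst": "ip", "domain": "domain", "hostname": "domain",
                 "url": "url", "md5": "hash", "sha1": "hash", "sha256": "hash",
                 "email-src": "email", "email-dst": "email", "yara": "yara"}

@dataclass(frozen=True)
class Indicator:  # assumed record shape, not the Argus schema
    kind: str
    value: str
    misp_uuid: str
    event_id: str
    tlp: str  # from a tlp:* tag; an attribute-level tag overrides the event-level tag

def _tlp(tags, default):
    names = (t["name"] for t in tags)
    return next((n.split(":", 1)[1] for n in names if n.startswith("tlp:")), default)

def normalise_event(event_json: str) -> list:
    """Turn one MISP event (JSON shape of /events/view) into indicator records."""
    event = json.loads(event_json)["Event"]
    event_tlp = _tlp(event.get("Tag", []), "red")  # untagged event: treat as most restrictive
    records = []
    for attr in event.get("Attribute", []):
        kind = MISP_TYPE_MAP.get(attr["type"])
        if kind is None:
            continue  # unsupported MISP type (e.g. "comment"): skip rather than guess
        value = attr["value"].strip()
        if kind in ("hash", "domain", "email"):
            value = value.lower()  # case-insensitive kinds: fold case so re-issued IoCs match
        records.append(Indicator(kind, value, attr["uuid"], str(event["id"]),
                                 _tlp(attr.get("Tag", []), event_tlp)))
    return records

def upsert(store: dict, records) -> tuple:
    """Insert into store keyed by (kind, value); returns (inserted, duplicates_skipped)."""
    inserted = skipped = 0
    for rec in records:
        if (rec.kind, rec.value) in store:
            skipped += 1  # already known: not reprocessed on repeated sync cycles
        else:
            store[(rec.kind, rec.value)] = rec
            inserted += 1
    return inserted, skipped

# Constructed sample event in MISP JSON shape (made-up values, not real IoCs).
SAMPLE_EVENT = json.dumps({"Event": {"id": 1042, "Tag": [{"name": "tlp:amber"}], "Attribute": [
    {"type": "ip-dst", "value": "203.0.113.7", "uuid": "u1"},
    {"type": "domain", "value": "Update-Portal.example ", "uuid": "u2"},
    {"type": "sha256", "value": "AB" * 32, "uuid": "u3", "Tag": [{"name": "tlp:green"}]},
    {"type": "comment", "value": "analyst note", "uuid": "u4"},
    {"type": "yara", "value": "rule x { condition: true }", "uuid": "u5"}]}})
```

Running `upsert(store, normalise_event(SAMPLE_EVENT))` twice inserts four records the first time and skips all four the second, which is the behaviour that keeps the database clean across sync cycles.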
Bidirectional Sharing via Push
Argus publishes curated threat indicators back to a connected MISP instance via the pushToMisp mutation. Analysts mark indicators for sharing and propagate findings to partner MISP communities without leaving the platform, supporting information-sharing frameworks such as TLP (Traffic Light Protocol) and MISP sharing groups. This bidirectional capability is what makes Argus a contributor to collective defence rather than only a consumer of it.
Feed Configuration Management
Store and manage named MISP feed configurations per organisation, including base URL, API key, feed identifier, and sync cadence. Configurations are persisted in PostgreSQL and available through the mispFeedConfigs GraphQL query. Organisations can maintain different feed configurations for different trust circles: national CERT feeds, sector-specific threat sharing groups, and allied-nation intelligence exchanges, each with their own access credentials and sync schedules.
Circuit-Breaker Fault Isolation
All external calls to MISP instances pass through a shared circuit breaker with a configurable failure threshold. After five consecutive failures the circuit opens and Argus returns cached data rather than propagating errors. Recovery is automatic after a 60-second timeout, preventing MISP downtime from affecting Argus platform reliability during periods when intelligence sharing infrastructure is under stress or maintenance.
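The policy described above (five consecutive failures open the circuit, cached data is served while it is open, automatic recovery after a 60-second timeout) as an added example, not Argus's own implementation. The class name, the half-open trial call and the injectable clock are assumptions; the scenario in `simulate()` is constructed.

```python
import time
class MispCircuitBreaker:
    """Wrap calls to MISP instances. After `threshold` consecutive failures the circuit
    opens and callers get the last cached result instead of an error; after `reset_timeout`
    seconds one trial call is allowed (half-open) and a success closes it again."""
    def __init__(self, threshold=5, reset_timeout=60.0, clock=time.monotonic):  # clock: injectable for tests
        self.threshold, self.reset_timeout, self.clock = threshold, reset_timeout, clock
        self.failures = 0      # consecutive failures seen
        self.opened_at = None  # None while closed, else the time the circuit opened
        self.cache = {}        # key -> last successful response
    @property
    def state(self):
        if self.opened_at is None:
            return "closed"
        return "half-open" if self.clock() - self.opened_at >= self.reset_timeout else "open"
    def call(self, key, fn):
        """Run fn() for cache key `key`; returns (result, served_from_cache)."""
        if self.state == "open":
            if key in self.cache:
                return self.cache[key], True
            raise RuntimeError(f"MISP circuit open and nothing cached for {key!r}")
        try:
            result = fn()
        except Exception:
            self.failures += 1
            if self.failures >= self.threshold:
                self.opened_at = self.clock()  # open (or re-open after a failed trial call)
            if key in self.cache:
                return self.cache[key], True   # degrade to cached data, don't propagate
            raise
        self.failures, self.opened_at = 0, None  # any success closes the circuit
        self.cache[key] = result
        return result, False

def simulate():
    """Constructed scenario on a fake clock: one good sync, then the MISP instance goes down."""
    now = [1000.0]
    cb = MispCircuitBreaker(clock=lambda: now[0])
    def fetch_down():
        raise ConnectionError("MISP unreachable")
    log = [cb.call("cert-eu", lambda: ["event-1"])]     # fresh data, now cached
    for _ in range(5):
        log.append(cb.call("cert-eu", fetch_down))      # served from cache; 5th failure opens
    log.append(cb.state)                                # "open": calls skip the network
    now[0] += 60                                        # reset timeout elapses
    log.append(cb.state)                                # "half-open": one trial call allowed
    log.append(cb.call("cert-eu", lambda: ["event-1", "event-2"]))  # trial succeeds
    log.append(cb.state)                                # "closed"
    return log
```

With no cached response for a key, an open circuit raises immediately rather than waiting on a dead MISP instance, so the caller can decide how to degrade.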
Clearance-Aware Indicator Listing
Indicator listings apply row-level secrecy filtering: users whose clearance level is below the secrecy_level tag on an indicator will not see it in API responses. This allows a single MISP feed to contain multi-classification intelligence while Argus enforces need-to-know at the query layer, satisfying EDF data sovereignty requirements for coalition deployments where intelligence at different classification levels flows through the same infrastructure.
Use Cases
- National CERT Feed Subscription: Pull daily or real-time indicator feeds from national CERTs such as CERT-EU, CIRCL, and CERT-FR directly into the analyst workspace for enrichment and cross-referencing against active investigations, ensuring the organisation's indicator database stays current with the broader European cyber threat landscape.
- Law Enforcement Intelligence Sharing: Push confirmed threat actor indicators into a law enforcement MISP community after case conclusion, accelerating cross-agency investigation timelines and contributing to prosecutorial intelligence without exposing case-sensitive details prematurely.
- Lateral Movement Detection: Ingest network IOCs from an on-premises MISP instance and correlate against Suricata alerts and Sigma rule hits in real time, closing the gap between threat intelligence and operational detection that often allows lateral movement to proceed undetected.
- Partner Attribution Support: Receive MISP events from allied nation partners and automatically attribute observed indicators to known threat actor profiles in the Argus investigation graph, supporting joint attribution analysis in coalition cyber operations.
Integration
Available via GraphQL: mispIndicators, mispFeedConfigs (queries); syncMispFeed, saveMispFeedConfig, pushToMisp (mutations). All endpoints require authentication and organisation scoping. Feed credentials are stored as organisation-scoped secrets and never returned through the API.
MISP Modules enrichment (a separate domain) can be chained after feed ingestion to run automated enrichment queries against indicators as they arrive. Compatible with the MISP REST API (MISP 2.4 and above) and the MISP standard feed format.
Last Reviewed: 2026-03-18 Last Updated: 2026-04-14