Threat Intelligence: MISP Integration

Module metadata

Source reference: content/modules/threat-intel-misp-platform.md
Last updated: 18 Mar 2026
Category: Intelligence
Content checksum: 28b0443ab19dc52a
Tags: intelligence, real-time

Overview#

Argus integrates with MISP (Malware Information Sharing Platform), the open-source threat intelligence platform used by national CERTs, law enforcement agencies, and defence organisations worldwide. The integration provides bidirectional IOC sharing: Argus can ingest live threat feeds from configured MISP instances and push curated intelligence back to partner organisations, enabling real-time indicator enrichment and community-level threat sharing within a multi-tenant data-sovereignty boundary.

The MISP service is built with circuit-breaker protection, meaning temporary MISP instance failures do not cascade into Argus operations. Feed synchronisation can be triggered on demand or scheduled, and every ingest or export event is logged to the EDF-compliant audit trail.

Key Features#

IOC Feed Ingestion#

Configure one or more MISP feed endpoints per organisation. The ingestion pipeline iterates over each MISP event's Attribute list, normalises every attribute into an Argus indicator record, and upserts the records into PostgreSQL (the source of truth). Supported attribute types include IP addresses, domain names, URLs, file hashes, email addresses, and YARA rules. Duplicate detection prevents known indicators from being reprocessed on subsequent syncs.

Bidirectional Sharing via Push#

Argus can publish curated threat indicators back to a connected MISP instance via the pushToMisp mutation. This lets analysts mark indicators for sharing and propagate findings to partner MISP communities without leaving the platform, while respecting information-sharing controls such as TLP (Traffic Light Protocol) markings and MISP sharing groups.

Feed Configuration Management#

Store and manage named MISP feed configurations per organisation, including base URL, API key, feed identifier, and sync cadence. Configurations are persisted in PostgreSQL and exposed through the mispFeedConfigs GraphQL query. Organisations can maintain separate feed configurations for different trust circles: national CERT feeds, sector-specific threat-sharing groups, and allied-nation intelligence exchanges.

Circuit-Breaker Fault Isolation#

All external calls to MISP instances pass through a shared circuit breaker with a configurable failure threshold (five consecutive failures by default). Once the threshold is reached the circuit opens and Argus serves cached data instead of propagating the error. Recovery is automatic: after a 60-second timeout the breaker retries the MISP instance and closes again once a call succeeds, so MISP downtime does not affect Argus platform reliability.
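The breaker behaviour above, as an added example that is not Argus code: five consecutive failures open the circuit, requests made while it is open are answered from the last good response for that request key without touching the network, and a single probe is allowed through once 60 seconds have elapsed. Re-raising errors while the circuit is still closed, caching per request key, and the injected clock (so the example runs offline without sleeping) are assumptions, as is the constructed feed payload.

```python
"""Circuit breaker in front of MISP REST calls.

Added example, not Argus code. The threshold (five consecutive failures) and
the 60-second recovery timeout follow the page; serving the last good response
per request key while open, re-raising transient errors while still closed,
and the injectable clock are assumptions.
"""
import time
from typing import Any, Callable


class MispUnavailable(Exception):
    """Circuit is open and nothing is cached for this request."""


class CircuitBreaker:
    def __init__(self, failure_threshold: int = 5, recovery_timeout: float = 60.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.failure_threshold = failure_threshold
        self.recovery_timeout = recovery_timeout
        self._clock = clock
        self.state = "closed"  # closed -> open -> half_open -> closed
        self.consecutive_failures = 0
        self._opened_at = 0.0
        self._cache: dict[str, Any] = {}  # last good response per request key

    def call(self, key: str, fn: Callable[[], Any]) -> Any:
        now = self._clock()
        if self.state == "open":
            if now - self._opened_at < self.recovery_timeout:
                return self._cached(key)  # fail fast: no network call at all
            self.state = "half_open"  # timeout elapsed: let one probe through
        try:
            result = fn()
        except Exception:
            self._record_failure(now)
            if self.state == "open":
                return self._cached(key)
            raise  # still closed: the caller sees the transient error
        self.consecutive_failures = 0
        self.state = "closed"
        self._cache[key] = result
        return result

    def _record_failure(self, now: float) -> None:
        self.consecutive_failures += 1
        if self.state == "half_open" or self.consecutive_failures >= self.failure_threshold:
            self.state, self._opened_at = "open", now

    def _cached(self, key: str) -> Any:
        if key in self._cache:
            return self._cache[key]
        raise MispUnavailable(f"circuit open and no cached data for {key!r}")


class FakeClock:
    """Manual clock so the example runs offline without sleeping."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


def simulate() -> dict:
    """Drive the breaker through closed -> open -> half-open -> closed."""
    clock, calls = FakeClock(), {"n": 0}
    breaker = CircuitBreaker(clock=clock)
    feed = {"Attribute": [{"type": "ip-dst", "value": "198.51.100.23"}]}  # constructed

    def healthy():
        calls["n"] += 1
        return feed

    def failing():
        calls["n"] += 1
        raise ConnectionError("MISP unreachable")

    out = {}
    breaker.call("feed-1", healthy)  # one good sync warms the cache
    raised = 0
    for _ in range(5):
        try:
            breaker.call("feed-1", failing)
        except ConnectionError:
            raised += 1
    out["errors_raised_before_open"] = raised  # the 5th failure opens instead
    out["state_after_failures"] = breaker.state
    before, clock.now = calls["n"], 30.0  # still inside the 60 s window
    out["served_from_cache"] = breaker.call("feed-1", failing) == feed
    out["backend_calls_while_open"] = calls["n"] - before
    try:
        breaker.call("feed-2", failing)  # never synced: nothing to serve
        out["uncached_key_raises"] = False
    except MispUnavailable:
        out["uncached_key_raises"] = True
    clock.now = 61.0  # past the recovery timeout: half-open probe
    out["recovered"] = breaker.call("feed-1", healthy) == feed
    out["state_after_recovery"] = breaker.state
    return out
```

A request for a feed that has never synced successfully raises MispUnavailable while the circuit is open, rather than returning an empty indicator list that a caller might mistake for "no threats"; callers should treat that exception as a degraded-mode signal and log it to the audit trail.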

Clearance-Aware Indicator Listing#

Indicator listings apply row-level secrecy filtering: users whose clearance level is below the secrecy_level tag on an indicator will not see it in API responses. A single MISP feed can therefore carry multi-classification intelligence while Argus enforces need-to-know at the query layer.

Use Cases#

  • National CERT Feed Subscription: Pull daily or real-time indicator feeds from national CERTs (CERT-EU, CIRCL, CERT-FR) directly into the analyst workspace for enrichment and cross-referencing against active investigations.
  • Law Enforcement Intelligence Sharing: Push confirmed threat actor indicators into a law enforcement MISP community after case conclusion, accelerating cross-agency investigation timelines.
  • Lateral Movement Detection: Ingest network IOCs from an on-premises MISP instance and correlate against Suricata alerts and Sigma rule hits in real time.
  • Partner Attribution Support: Receive MISP events from allied nation partners and automatically attribute observed indicators to known threat actor profiles in the Argus investigation graph.

Integration#

Available via GraphQL: mispIndicators and mispFeedConfigs (queries); syncMispFeed, saveMispFeedConfig, and pushToMisp (mutations). All endpoints require authentication and organisation scoping. Feed credentials are stored as organisation-scoped secrets and are never returned through the API.

MISP Modules enrichment (a separate domain) can be chained after feed ingestion to run automated enrichment queries against indicators as they arrive. Compatible with MISP 2.4+ REST API and the MISP standard feed format.

Last Reviewed: 2026-03-18