How to Use MISP

You’ve got a shiny new MISP instance but there’s just one problem: you don’t know how to use it. This guide will help. MISP is incredibly powerful, but the UI can be complex. Here, we’ll share a step-by-step guide on your first steps with MISP, from logging an event to adding a threat intel feed.

A High-level Overview of MISP Use Cases

Before we dig into the details, let’s start with a brief overview of how organisations and SOC analysts typically use MISP.

  1. You can use MISP to consume threat information from outside your organisation. That threat information includes public and paid feeds, as well as information shared by other trusted organisations in your threat sharing community.
  2. You can use MISP to store, organise, search through, and automatically correlate threat-related information and IOCs. Without MISP, the amount of unstructured information that analysts need to wade through can lead to information overload. It can also be difficult to correlate related IOCs based on memory alone, whereas MISP can automate this kind of correlation.
  3. You can use MISP to automatically push out threat information from your peers to your firewalls, IDSs, and endpoint agents. This gives you a level of automatic protection against the latest threats.

This guide will be updated with additional information in the coming weeks.

Installing & Running MISP for the First Time

You can download a MISP appliance from the official MISP website’s download page. This page also includes links to installation guides.

The MISP team recommends using a recent and stable Ubuntu distribution for deploying MISP. You can also use tools like Vagrant and Docker to run MISP on your local machine.

Once you’ve got MISP running, head to /users/login on the port where your MISP instance is listening. The default username is admin@admin.test and the default password is admin. Log in and immediately change your password.

Adding Your First Threat Intel Feed

When you first run MISP your events list will be empty. It’s time to add your first threat intel feed.

Click ‘Sync Actions’ and then ‘List Feeds’. You’ll see MISP’s default feeds. If you click ‘Load default feed metadata’ you’ll be greeted with a wider range of available feeds.

Select the feeds of interest and then click ‘Enable selected’. You’ll be prompted to confirm this action. Next, click ‘Fetch and store all feed data’. This will start to pull in feed data from the remote servers. You can check the progress of this import by selecting ‘Administration’ and then ‘Jobs’.
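The same list-enable-fetch sequence can be scripted against MISP’s REST API. The example below is added here and is not part of the original guide or the MISP project; the URL and API key are placeholders, the endpoint paths and methods are those of MISP’s feeds and jobs controllers as the author of this example knows them (check them against your instance’s API documentation), and the feed index is a constructed sample in the shape MISP returns.

```python
"""Enable and fetch selected MISP feeds over the REST API (stdlib only)."""
import json
import urllib.request

# Placeholders: replace with your instance URL and your user's auth key.
MISP_URL = "https://misp.example.test"
API_KEY = "REPLACE_WITH_YOUR_AUTHKEY"


def misp_request(path, method="GET"):
    """Call one MISP REST endpoint and return its decoded JSON body."""
    req = urllib.request.Request(
        MISP_URL + path,
        method=method,
        headers={"Authorization": API_KEY,
                 "Accept": "application/json",
                 "Content-Type": "application/json"},
    )
    # Certificate verification stays on; do not disable it for a threat feed.
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def select_feeds(feed_index, wanted_names):
    """From a /feeds/index response, pick the not-yet-enabled feeds by name.

    Returns {feed_id: name} so the caller enables and fetches exactly those,
    rather than every feed MISP knows about.
    """
    chosen = {}
    for entry in feed_index:
        feed = entry["Feed"]
        if feed["name"] in wanted_names and not feed["enabled"]:
            chosen[feed["id"]] = feed["name"]
    return chosen


def enable_and_fetch(wanted_names):
    """Mirror the UI steps: list feeds, enable the chosen ones, fetch them."""
    chosen = select_feeds(misp_request("/feeds/index"), wanted_names)
    for feed_id in chosen:
        misp_request(f"/feeds/enable/{feed_id}", method="POST")
        misp_request(f"/feeds/fetchFromFeed/{feed_id}")  # queues a background job
    # Progress of the fetch jobs is visible via GET /jobs/index.
    return chosen


# Constructed sample of a /feeds/index response (same shape MISP returns).
SAMPLE_FEED_INDEX = [
    {"Feed": {"id": "1", "name": "CIRCL OSINT Feed", "enabled": False}},
    {"Feed": {"id": "2", "name": "Already enabled feed", "enabled": True}},
    {"Feed": {"id": "3", "name": "Example freetext feed", "enabled": False}},
]
```

Run `enable_and_fetch({"CIRCL OSINT Feed"})` against a live instance; feeds that are already enabled are skipped so the script can be re-run safely.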

Receiving Your First Events

If you click the ‘Home’ tab you’ll see that events from your default feeds are starting to populate.

Click on the ID of an event to open its detail view. As you can see, events can include a wide range of information at varying levels of granularity, from blog posts covering an emerging threat all the way down to specific MD5 hashes associated with a threat.

From here, there are many more things you can do with MISP:

  • Start storing your own Events
  • Add more feeds (either public or paid)
  • Push out data to your firewalls
  • Share your threat intel with trusted peers