View the Project on GitHub C00kie-/squirrel.lu

MISP logo

MISP micro training for analysts CTI (draft)

Intro part 1

Agenda for this first part:

  1. practical usage from user perspective
  2. MISP project
  3. sharing communities
  4. data model
  5. taxonomies

Full slide deck available from MISP training at : https://github.com/MISP/misp-training

1. Practical usage from user perspective

job purpose in our case:


Operational security

2. What is MISP project

Slide 9 misp project includes:


3. Sharing communities

(?) What is a user group?

MISP is used among different user groups:

Members of a sharing communities can be:

4. Data model: Events, objects, attributes & galaxies

Templates and contextualization

Indicators and attributes



When you create an attribute you add:


Events have an uuid, an owner org and a creator org.

Events can be found in your MISP instance by searching by uuid (or via the url and by adding the uuid of the event), or by keyword search.

While creating an event, you are asked to specify a tagging (if needed) and a sharing parameter.

event data model
creator org
threat level

Events: Classification with tagging

Events: Sharing

Creator of the event decide the sharing parameter of the event.

5. Taxonomies

ex: -> Classification of threat indicators


admiralty-scale source-reliability “c”
namepsace predicate value


existing taxonomies
NATO - Admiralty Scale
CIRCL Taxonomy - Schemes of Classification in Incident
Response and Detection
eCSIRT and IntelMQ incident classification
EUCI EU classified information marking
Information Security Marking Metadata from DNI (Director of National Intelligence - US)
NATO Classification Marking
OSINT Open Source Intelligence - Classification
TLP - Traffic Light Protocol
Vocabulary for Event Recording and Incident Sharing - VERIS
and many more like ENISA, Europol, or the draft FIRST SIGInformation Exchange Policy.

taxonomies create tags: example the distribution of events among MISP instances (push rules) slide 113

manage taxonomies with PyTaxonomies (Python 3 module)






info@circl.lu (if you want to join one of the MISP community operated by CIRCL)

PGP key fingerprint: CA57 2205 C002 4E06 BA70 BE89 EAAD CFFC 22BD 4CD5

Intro part 2

Get you hands dirty, general usage part 1:

Check once view and understood:

    • Installing and running a MISP VM
    • create and populate an event
    • viewing data
    • export and API
    • synchronisation

1. Install a MISP VM

Install and run a MISP

download from last image (circl.lu/misp-images/latest) creds for machine: - MISP admin: admin@admin.test - SSH: misp/Password1234

2. Create and populate an event

What is done when importing attributes:


3. Viewing data

There are 4 important points to start:

4. Exports and API

MISP general usage part 2

Check once view and understood:

    • Synchronization
    • Feeds
    • Collaborating
    • MISP basic admin
    • MISP modules
    • PyMISP

1. Synchronization

Distribution typology, see above 4.3 Event sharing

2. Feeds

feeds formats:

4. Basic MISP admin


Normalizing OSINT and private feeds: any normalization is done before pushing data into a MISP

We use warning lists at the exportation of data

normalizing external input and feed into MISP (feed importer)
comparing feeds: similarities, false pos
make warning lists for content to evaluate (quality)
make warning list to avoid false positive associated with well known indicators (JSON file)

see part SIEM integration

5. MISP modules

Existing MISP modules

Expanding MISP

API: PyMISP, API : no integration with the UI

Three types of modules:


PyMISP usage example: See How to make a MISP import script

extra things, TDL (to do later)

MISP admin training with MISP VM


All installation and first tasks as admin (slides 83-104)

### MISP module, UI configuration

activate the modules Go Server Settings : Enrichment