seikaikyo/collecting-threat-intelligence-with-misp
external/anthropic-cybersecurity-skills/skills/collecting-threat-intelligence-with-misp/SKILL.md
MISP (Malware Information Sharing Platform) is an open-source threat intelligence platform for gathering, sharing, storing, and correlating Indicators of Compromise (IOCs) of targeted attacks, threat
$ install --global
skillsauthnpx skillsauth add seikaikyo/dash-skills collecting-threat-intelligence-with-mispInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Jun 2, 2026, 4:05 AM155.5s7 files scanned
SKILL.md
- name:
- collecting-threat-intelligence-with-misp
- description:
- MISP (Malware Information Sharing Platform) is an open-source threat
- domain:
- cybersecurity
- subdomain:
- threat-intelligence
- version:
- 1.0
- author:
- mahipal
- license:
- Apache-2.0
Collecting Threat Intelligence with MISP
Overview
MISP (Malware Information Sharing Platform) is an open-source threat intelligence platform for gathering, sharing, storing, and correlating Indicators of Compromise (IOCs) of targeted attacks, threat intelligence, financial fraud information, vulnerability information, or counter-terrorism information. This skill covers deploying MISP, configuring threat feeds, using the PyMISP API for programmatic access, and building automated collection pipelines that aggregate IOCs from multiple community and commercial sources.
When to Use
- When managing security operations that require collecting threat intelligence with misp
- When improving security program maturity and operational processes
- When establishing standardized procedures for security team workflows
- When integrating threat intelligence or vulnerability data into operations
Prerequisites
- Python 3.9+ with
pymisplibrary installed - Docker and Docker Compose for MISP deployment
- Understanding of STIX 2.1 and TAXII 2.1 protocols
- Familiarity with IOC types: hashes, IP addresses, domains, URLs, email addresses
- Network access to MISP community feeds (circl.lu, botvrij.eu)
Key Concepts
MISP Architecture
MISP operates on an event-based model where threat intelligence is organized into events containing attributes (IOCs), objects (structured groupings of attributes), galaxies (threat actor/malware clusters linked to MITRE ATT&CK), and tags for classification. Synchronization between MISP instances uses a pull/push model over HTTPS with API key authentication.
Feed Types
- MISP Feeds: Native JSON/CSV feeds from MISP community (CIRCL OSINT, botvrij.eu)
- Freetext Feeds: Unstructured text feeds parsed for IOCs (abuse.ch, Feodo Tracker)
- TAXII Feeds: STIX/TAXII 2.1 compatible feeds from commercial and government sources
- CSV Feeds: Structured CSV feeds with configurable column mapping
PyMISP API
PyMISP is the official Python library to access MISP platforms via their REST API. It supports fetching events, adding/updating events and attributes, uploading samples, and searching across the entire MISP dataset. Authentication uses an API key passed in the Authorization header.
Workflow
Step 1: Deploy MISP with Docker
git clone https://github.com/MISP/misp-docker.git
cd misp-docker
cp template.env .env
# Edit .env to set MISP_BASEURL, MISP_ADMIN_EMAIL, MISP_ADMIN_PASSPHRASE
docker compose up -d
Step 2: Configure Default Feeds
Enable built-in MISP feeds via the web UI or API:
from pymisp import PyMISP
misp = PyMISP('https://misp.local', 'YOUR_API_KEY', ssl=False)
# List available feeds
feeds = misp.feeds()
for feed in feeds:
print(f"{feed['Feed']['id']}: {feed['Feed']['name']} - Enabled: {feed['Feed']['enabled']}")
# Enable CIRCL OSINT Feed
misp.enable_feed(feed_id=1)
misp.cache_feed(feed_id=1)
misp.fetch_feed(feed_id=1)
Step 3: Add Custom Threat Feeds
# Add abuse.ch URLhaus feed
feed_data = {
'name': 'URLhaus Recent URLs',
'provider': 'abuse.ch',
'url': 'https://urlhaus.abuse.ch/downloads/csv_recent/',
'source_format': 'csv',
'input_source': 'network',
'publish': False,
'enabled': True,
'headers': '',
'distribution': 0,
'sharing_group_id': 0,
'tag_id': 0,
'default': False,
'lookup_visible': True
}
result = misp.add_feed(feed_data)
print(f"Feed added: {result}")
Step 4: Programmatic Event Search and Retrieval
from pymisp import PyMISP, MISPEvent
from datetime import datetime, timedelta
misp = PyMISP('https://misp.local', 'YOUR_API_KEY', ssl=False)
# Search for events from the last 7 days
result = misp.search(
controller='events',
date_from=(datetime.now() - timedelta(days=7)).strftime('%Y-%m-%d'),
type_attribute='ip-dst',
to_ids=True,
pythonify=True
)
for event in result:
print(f"Event {event.id}: {event.info}")
for attr in event.attributes:
if attr.type == 'ip-dst' and attr.to_ids:
print(f" IOC: {attr.value} (category: {attr.category})")
Step 5: Export IOCs for Downstream Tools
# Export as STIX 2.1 bundle
stix_output = misp.search(
controller='events',
return_format='stix2',
tags=['tlp:white'],
published=True
)
# Export IDS-flagged attributes as Suricata rules
suricata_rules = misp.search(
controller='attributes',
return_format='suricata',
to_ids=True,
type_attribute=['ip-dst', 'domain', 'url']
)
# Export as CSV for SIEM ingestion
csv_output = misp.search(
controller='attributes',
return_format='csv',
type_attribute='ip-dst',
to_ids=True
)
Validation Criteria
- MISP instance is deployed and accessible via HTTPS
- At least 3 community feeds are enabled and fetching data successfully
- PyMISP script can authenticate, search events, and retrieve IOCs
- Events contain properly tagged and categorized attributes
- Export to STIX 2.1 produces valid STIX bundles
- Automated feed fetch runs on schedule (cron or MISP scheduler)
References
- MISP Project Official Site
- PyMISP Documentation
- MISP GitHub Repository
- MISP OpenAPI Specification
- CIRCL OSINT Feed
Related Skills
seikaikyo/implementing-zero-knowledge-proof-for-authentication
tools
VerifiedTrustedCommunity
Zero-Knowledge Proofs (ZKPs) allow a prover to demonstrate knowledge of a secret (such as a password or private key) without revealing the secret itself. This skill implements the Schnorr identificati
1SKILL.mdUpdated May 31, 2026
seikaikyo/implementing-web-application-logging-with-modsecurity
development
VerifiedTrustedCommunity
Configure ModSecurity WAF with OWASP Core Rule Set (CRS) for web application logging, tune rules to reduce false positives, analyze audit logs for attack detection, and implement custom SecRules for application-specific threats. The analyst configures SecRuleEngine, SecAuditEngine, and CRS paranoia levels to balance security coverage with operational stability. Activates for requests involving WAF configuration, ModSecurity rule tuning, web application audit logging, or CRS deployment.
1SKILL.mdUpdated May 31, 2026
seikaikyo/implementing-vulnerability-sla-breach-alerting
development
VerifiedTrustedCommunity
Build automated alerting for vulnerability remediation SLA breaches with severity-based timelines, escalation workflows, and compliance reporting dashboards.
1SKILL.mdUpdated May 31, 2026
seikaikyo/implementing-vulnerability-remediation-sla
testing
VerifiedTrustedCommunity
Vulnerability remediation SLAs define mandatory timeframes for patching or mitigating identified vulnerabilities based on severity, asset criticality, and exploit availability. Effective SLA programs
1SKILL.mdUpdated May 31, 2026