MISP TAXII Push

This page is useful if you’re investigating different Threat Intelligence Platforms (TIPs) and want to understand the differences between them. Here we'll be comparing MISP vs. Recorded Future, two popular names in the threat intel space.

The TAXII push feature in MISP gives you an easy way to publish your MISP events as STIX bundles on a TAXII transport server.

Since MISP can generate STIX, the next thing you’ll very likely want to do is use STIX’s native transport protocol TAXII to share it with other parties.

Why MISP TAXII push is useful

While MISP feeds are great for sharing with other MISPs, TAXII is a common method for publishing and sharing with non-MISP platforms like commercial TIPs, open source TIPs, and SIEMs like Sentinel.

Until recently, automatically exporting MISP events as STIX bundles and pushing them into a TAXII server’s collection required scripting skills.

With the introduction of built-in support to push from MISP to a TAXII server, this becomes a lot easier out of the box.

It’s early days for TAXII push support but well worth a look at where it’s going and how you might use it.

It’s also worth noting you’ll need to provide your own TAXII server instance. If you don't have one yet, feel free to reach out to us to discuss options.

How to use MISP TAXII push:

Navigate to Sync Actions -> List TAXII servers -> Add TAXII server.

You’ll want to set a filter for which events get pushed to the TAXII server, e.g. only those with a particular tag.

How to add a TAXII server connection in MISP.

Could you use this TAXII push capability?

If your team could use this capability but don't have MISP yet, or don't have a reliable and up-to-date MISP instance, we can help.

We offer a fully managed and supported MISP service, CloudMISP, which supports TAXII push.