You’ve got a shiny new MISP instance but there’s just one problem: you don’t know how to use it. This guide will help. MISP is incredibly powerful, but the UI can be complex. Here, we’ll share a step-by-step guide on your first steps with MISP, from logging an event to adding a threat intel feed.
Before we dig into the details, let’s start with a brief overview of how organisations and SOC analysts typically use MISP.
This guide will be updated with additional information in the coming weeks.
You can download a MISP appliance from the official MISP website’s download page. This page also includes links to installation guides.
The MISP team recommends using a recent and stable Ubuntu distribution for deploying MISP. You can also use tools like Vagrant and Docker to run MISP on your local machine.
One you’ve got MISP running head to /users/login on the port where you’re running your MISP instance. The default username is firstname.lastname@example.org and the default password is admin. Login and immediately change your password.
When you first run MISP your events list will be empty. It’s time to add your first threat intel feed.
Click ‘Sync Actions’ and then ‘List Feeds’. You’ll see MISP’s default feeds. If you click ‘Load default feed metadata’ you’ll be greeted with a wider range of available feeds.
Select the feeds of interest and then click ‘Enable selected’. You’ll be prompted to confirm this action. Next, click ‘Fetch and store all feed data’. This will start to pull in feed data from the remote servers. You can check the progress of this import by selecting ‘Administration’ and then ‘Jobs’.
If you click the ‘Home’ tab you’ll see that events from your default feeds are starting to populate.
Click on the ID of an event to open up its detail view. As you can see, Events can include a wide range of information at varying levels of granularity; from blog posts covering an emerging threat all the way down to specific md5 hashes associated with a threat.
From here, there are many more things you can do with MISP: