How to Use MISP: Updated 2025 Guide

You’ve got a shiny new MISP instance but there’s just one problem: you don’t know how to use it. This guide will help. MISP is incredibly powerful, but the UI can be complex. Here, we’ll share a step-by-step guide on your first steps with MISP, from logging an event to adding a threat intel feed.

A High-level Overview of MISP Use Cases

Before we dig into the details, let’s start with a brief overview of how organisations and SOC analysts are using MISP in 2025:

  • Consuming threat intelligence from outside their organisation. This threat intelligence includes public and paid feeds, as well as information shared by other trusted organisations.
  • Storing, organising, searching through, and automatically correlating threat-related information and IOCs. Without MISP, the amount of unstructured information that analysts need to wade through can lead to information overload. It can also be difficult to correlate related IOCs based on memory alone, whereas MISP can automate this kind of correlation.
  • Automatically pushing out threat information from peers to firewalls, IDSs, and endpoint agents. This gives organisations a level of automatic protection against the latest threats.
  • Enriching threat data with contextual information such as passive DNS records, whois data, geolocation, and known vulnerabilities. This can help analysts prioritise which alerts are worth investigating further.
  • Collaborating with external partners or across departments in large organisations. By tagging, filtering, and controlling who can see what, MISP supports secure and selective information sharing at scale.
  • Tracking adversary behaviour over time, particularly by linking events and attributes to known threat actors, TTPs, or malware families. This helps with attribution and long-term threat landscape analysis.
  • Supporting incident response investigations by aggregating all known IOCs and TTPs related to an incident, aiding both containment and post-mortem analysis.
  • Generating dashboards and visualisations that provide real-time insight into threat trends, data volumes, or correlation patterns within your environment.
  • Automating threat intelligence workflows using tools like MISP-modules, ZMQ for real-time data flows, or integrations with SOAR platforms.
  • Testing and refining detection logic by matching imported IOCs against logs or datasets, particularly when used alongside detection platforms or YARA rule deployments.

If that sounds like exactly what your organisation needs, you can get up and running with MISP quickly using CloudMISP, our hosted MISP service.

Next, let's explore a few basic ways you might want to use MISP.

Installing & Running MISP for the First Time

You can download a MISP appliance from the official MISP website’s download page. This page also includes links to installation guides.

The MISP team recommends using a recent and stable Ubuntu distribution for deploying MISP. You can also use tools like Vagrant and Docker to run MISP on your local machine.

Once you’ve got MISP running, head to /users/login on the port where you’re running your MISP instance. The default username is admin@admin.test and the default password is admin. Log in and immediately change your password.

Adding Your First Threat Intel Feed

When you first run MISP, your events list will be empty. It’s time to add your first threat intel feed.

Click ‘Sync Actions’ and then ‘List Feeds’. You’ll see MISP’s default feeds. If you click ‘Load default feed metadata’ you’ll be greeted with a wider range of available feeds.

Select the feeds of interest and then click ‘Enable selected’. You’ll be prompted to confirm this action. Next, click ‘Fetch and store all feed data’. This will start to pull in feed data from the remote servers. You can check the progress of this import by selecting ‘Administration’ and then ‘Jobs’.

Receiving Your First MISP Events

If you click the ‘Home’ tab you’ll see that events from your default feeds are starting to populate.

Click on the ID of an event to open its detail view. As you can see, Events can include a wide range of information at varying levels of granularity, from blog posts covering an emerging threat all the way down to specific MD5 hashes associated with a threat.
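To make that mix of granularity concrete, here is an added example (not from the original guide or the MISP project) that pulls only the detection-ready attributes out of an event and checks them against log lines. It assumes the event is in the shape of MISP's JSON export (Event, Attribute, Object, and the `to_ids` flag); the event, hashes, log lines, and function names are constructed for illustration.

```python
MD5_A = "0" * 31 + "1"  # constructed placeholder hashes, not real IOCs
MD5_B = "0" * 31 + "2"

# Constructed event in the shape of MISP's JSON export (Event -> Attribute/Object).
SAMPLE_EVENT = {"Event": {
    "info": "Constructed example event",
    "Attribute": [
        {"type": "md5", "to_ids": True, "value": MD5_A},
        {"type": "link", "to_ids": False, "value": "https://blog.example.org/writeup"},
        {"type": "domain", "to_ids": True, "value": "bad.example.net"},
    ],
    "Object": [{"name": "file", "Attribute": [
        {"type": "filename|md5", "to_ids": True, "value": "invoice.doc|" + MD5_B},
    ]}],
}}

# Constructed log lines.
SAMPLE_LOG = [
    "2025-01-01T10:00:00Z dns host=ws01 query=BAD.example.net",
    "2025-01-01T10:00:05Z dns host=ws02 query=www.example.com",
    "2025-01-01T10:01:00Z file host=ws01 md5=" + MD5_B,
]

def actionable_iocs(event_doc):
    """Group attributes flagged to_ids by type, including those nested in objects."""
    event = event_doc["Event"]
    attrs = list(event.get("Attribute", []))
    for obj in event.get("Object", []):
        attrs.extend(obj.get("Attribute", []))
    iocs = {}
    for attr in attrs:
        if not attr.get("to_ids"):
            continue  # context only (e.g. a blog link), not meant for detection
        types = attr["type"].split("|")
        # Composite types such as filename|md5 carry "name|hash" in one value.
        values = attr["value"].rsplit("|", len(types) - 1)
        for ioc_type, value in zip(types, values):
            iocs.setdefault(ioc_type, set()).add(value)
    return {t: sorted(v) for t, v in iocs.items()}

def match_log(lines, iocs):
    """Return (line_number, type, value) for each IOC seen in a log line.
    Case-insensitive substring match; a real pipeline would parse fields."""
    hits = []
    for number, line in enumerate(lines, 1):
        lowered = line.lower()
        for ioc_type, values in iocs.items():
            hits.extend((number, ioc_type, v) for v in values if v.lower() in lowered)
    return hits
```

Calling `match_log(SAMPLE_LOG, actionable_iocs(SAMPLE_EVENT))` reports the DNS query and the file hash, while the blog link (not flagged `to_ids`) is never used for matching.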

From here, there are many more things you can do with MISP:

  • Start storing your own Events
  • Add more feeds (either public or paid)
  • Push out data to your firewalls
  • Share your threat intel with trusted peers

If you're keen to dig into more advanced use cases, we offer MISP training, MISP consulting, and even a managed MISP platform.