Threat Intelligence with MISP: Part 3 — Creating Events
2023-10-16 00:22:4 Author: infosecwriteups.com

Adam Goss

InfoSec Write-ups

Welcome back to this series on using MISP for threat intelligence!

MISP (Malware Information Sharing Platform and Threat Sharing) is an open-source threat intelligence platform that allows you to share, collate, analyze, and distribute threat intelligence. It is used across industries and governments worldwide to share and analyze information about the latest threats. This series aims to give you the knowledge you need to get up and running with MISP as quickly as possible.

Today, you will learn how to start using MISP. You will learn about MISP events, how to create them, and how to add context to them using MISP’s galaxies and taxonomies. This will teach you the fundamentals of using MISP to fulfill your threat intelligence needs.

Let’s get started using our MISP instance!

MISP events are “encapsulations for contextually related information represented as attribute and object.” They can be threat intelligence articles, malware analysis reports, threat research, or any other way you can think of representing threat intelligence. Events are the individual containers that group your atomic pieces of threat intelligence with contextual information so analysts can actually use it. They are the main way of interacting with data in MISP.

Let’s go through the process of adding an Event to MISP using a recent piece of threat intelligence from Cyble titled “Covert Delivery of Cobalt Strike Beacon via a Sophos Phishing Website.”

First, to add an Event in MISP, go to Event Actions > Add Event.

Next, fill out the metadata about the Event:

  • Distribution: How you want your event to be shared across MISP instances (your organization only, this community only, connected communities, or all communities). See the documentation on Synchronization/Sharing for more information.
  • Threat Level: The sophistication or danger the threat poses (high, medium, low, or undefined).
  • Analysis: Which stage of analysis this…
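
The same metadata can be prepared in a script. The following is an added example, not code from the original article or from the MISP project: it maps the form labels above to the numeric codes MISP stores in an event's JSON and refuses the two widest distribution settings unless they are requested explicitly. The names `build_event` and `allow_external` and the sharing guard are assumptions of this example, and the Analysis labels and all numeric codes come from MISP rather than from this page.

```python
import json
from datetime import date

# Numeric codes MISP stores for the form's drop-downs (labels as used above).
DISTRIBUTION = {
    "your organization only": 0,
    "this community only": 1,
    "connected communities": 2,
    "all communities": 3,
}
THREAT_LEVEL = {"high": 1, "medium": 2, "low": 3, "undefined": 4}
ANALYSIS = {"initial": 0, "ongoing": 1, "completed": 2}


def _code(table, label, field):
    """Translate a form label to its numeric code, rejecting unknown labels."""
    try:
        return table[label.strip().lower()]
    except KeyError:
        raise ValueError(f"{field}: {label!r} is not one of {sorted(table)}") from None


def build_event(info, distribution="your organization only",
                threat_level="undefined", analysis="initial",
                event_date=None, allow_external=False):
    """Return the JSON-serialisable body for one MISP event (hypothetical helper)."""
    if not info.strip():
        raise ValueError("info: the event needs a title")
    dist = _code(DISTRIBUTION, distribution, "distribution")
    # Guard (policy assumed for this example): the two widest settings must be
    # requested explicitly, so a typo or copied default cannot widen sharing.
    if dist >= DISTRIBUTION["connected communities"] and not allow_external:
        raise PermissionError(f"distribution {distribution!r} needs allow_external=True")
    return {"Event": {
        "info": info.strip(),
        "date": (event_date or date.today()).isoformat(),
        "distribution": dist,
        "threat_level_id": _code(THREAT_LEVEL, threat_level, "threat_level"),
        "analysis": _code(ANALYSIS, analysis, "analysis"),
    }}


if __name__ == "__main__":
    # Constructed sample values; only the title comes from the article.
    event = build_event(
        "Covert Delivery of Cobalt Strike Beacon via a Sophos Phishing Website",
        distribution="this community only", threat_level="medium",
        analysis="ongoing", event_date=date(2023, 10, 16))
    print(json.dumps(event, indent=2))
```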

Article source: https://infosecwriteups.com/threat-intelligence-with-misp-part-3-creating-events-fccc25ac2017?source=rss----7b722bfd1b8d---4