MISP feeds

MISP (Malware Information Sharing Platform) is the de-facto open-source standard for sharing structured threat intelligence between organizations. It started in 2011 inside the Belgian Defence and is now used by hundreds of CERTs, ISACs, government agencies, and security teams worldwide. Public MISP feeds publish curated indicators in a lightweight JSON format that Mimir polls directly — no sidecar, no commercial license, no account.

What you get

Mimir ingests only the indicators marked to_ids = true by the feed publisher. That flag is MISP’s convention for “this indicator is reliable enough for automated detection.” Indicators with to_ids = false (research notes, unconfirmed reports, contextual metadata) are skipped intentionally — including them would dramatically increase alert noise for limited additional signal. The result is high signal-to-noise: feed publishers do the curation work, you get the benefit.

For each MISP attribute that matches the to_ids = true filter, Mimir maps it to one of these indicator types:

| MISP attribute type | Mimir IOC type | Where it matches |
|---|---|---|
| `domain`, `hostname` | Domain | DNS lookup events from the `dns_lookup_events` osquery table |
| `ip-dst`, `ip-src` | IPv4 | Outbound network connections from `socket_events` |
| `ip-dst\|port`, `ip-src\|port` | IPv4 (port stripped) | Same |
| `url` | URL | Stored and searchable; alert matching planned |
| `sha256` | SHA-256 hash | Every file the agents observe |
| `md5` | MD5 hash | Same |
| `sha1` | SHA-1 hash | Same |
| `filename\|sha256` | SHA-256 hash (filename stripped) | Same |
| `filename\|md5` | MD5 hash (filename stripped) | Same |
| `filename\|sha1` | SHA-1 hash (filename stripped) | Same |

Other MISP attribute types (text comments, email subjects, vulnerability identifiers, attack patterns, threat-actor names) are intentionally not ingested. They’re not actionable as endpoint detections — they describe context, not specific indicators to match against.

Why use MISP feeds

Three reasons MISP feeds belong alongside built-in feeds in any tenant:

  1. Different community, different coverage. abuse.ch focuses heavily on commodity malware and active campaigns. MISP feeds cover what their publishers care about — botvrij focuses on phishing infrastructure, CIRCL focuses on European-relevant threats, sector ISACs focus on industry-specific actors. Running both gives broader coverage than either alone.

  2. No account required for public feeds. Same zero-friction onboarding as built-in feeds. Add the URL, save, and you’re done.

  3. Format stability. The MISP event JSON format has been stable since 2014. Public feeds you connect today will keep publishing in the same format five years from now, which is a low maintenance burden compared to commercial feeds whose API contracts shift.

Two public feeds are free, require no account, are refreshed continuously by their maintainers, and are broadly applicable to any Mimir tenant:

botvrij.eu OSINT (https://www.botvrij.eu/data/feed-osint/). Operated by Botvrij (Netherlands); focuses on actionable OSINT indicators tied to current threats: phishing infrastructure, malware C2, recently active domains. Daily volume: hundreds of new indicators. Updated continuously.

CIRCL OSINT (https://www.circl.lu/doc/misp/feed-osint/). Operated by CIRCL, Luxembourg's national CERT. One of the longest-running MISP feeds (since 2014). Broad coverage and mature curation; covers both European and global threats.

Tip: Both feeds publish overlapping subsets of community indicators, so adding both is largely redundant for most tenants. Pick one, and add the other only if your alert volume seems too low. Mimir deduplicates IOCs across feeds, so running both does no harm; the second feed simply adds little new signal. Start with botvrij if you have no preference.

If your organization belongs to a sector ISAC (FS-ISAC, H-ISAC, EI-ISAC, etc.), it typically runs a private MISP instance for members. Mimir today supports only public feeds; bearer-token and HTTP Basic authentication for private MISP instances is on the near-term roadmap. If you are an ISAC member, ask your ISAC contact whether they expose a public feed mirror alongside the authenticated one.

How Mimir uses the data

When you add a MISP feed, Mimir:

  1. Fetches the manifest. A MISP feed’s manifest.json is an index listing every event the feed has published, with timestamps. On first poll Mimir downloads the entire manifest history (typically thousands of events for an established feed).

  2. Downloads each event file. Events are individual JSON files in the feed directory, named by event UUID (<uuid>.json), one per published threat report. Mimir downloads only events whose manifest timestamp is newer than its poll cursor: the initial sync downloads everything, subsequent polls fetch only what is new.

  3. Filters and imports indicators. From each event Mimir extracts only the to_ids = true attributes whose types it knows how to match. Other attributes are counted as “skipped” but not flagged as errors.

  4. Runs the same downstream pipeline as any IOC source — 90-day historical scan on import, real-time matching on agent activity going forward, confidence decay (5 points/day, deactivate below 20). See the built-in feeds guide for the full IOC lifecycle.

The “to_ids” filter does most of the curation work for you. Feed publishers know which of their attributes are reliable enough for automated alerting and which are context-only. By honoring that flag, Mimir gets you publisher-curated quality without any per-tenant tuning.
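The four steps above, as an added example in Python (not Mimir's code): a cursor-based reader for the standard MISP feed layout (manifest.json keyed by event UUID, one <uuid>.json per event), using the type mapping from the table earlier on this page. The fetch function is injected and the feed it reads is a constructed in-memory sample, so it runs offline. The feed URL, the helper names, and the choice to count non-IPv4 values as skipped are assumptions.

```python
import ipaddress
import json
from typing import Callable, Dict, Iterable, List, Tuple

# MISP attribute type -> Mimir IOC type, per the mapping table on this page.
# For composite "a|b" types the second element says which half is the IOC:
# 0 = left of the pipe (ip|port), 1 = right of the pipe (filename|hash).
TYPE_MAP = {
    "domain": ("Domain", None), "hostname": ("Domain", None),
    "ip-dst": ("IPv4", None), "ip-src": ("IPv4", None),
    "ip-dst|port": ("IPv4", 0), "ip-src|port": ("IPv4", 0),
    "url": ("URL", None),
    "sha256": ("SHA-256", None), "md5": ("MD5", None), "sha1": ("SHA-1", None),
    "filename|sha256": ("SHA-256", 1), "filename|md5": ("MD5", 1), "filename|sha1": ("SHA-1", 1),
}

Fetch = Callable[[str], bytes]  # fetch(url) -> response body; injected so the sample runs offline

def load_manifest(base_url: str, fetch: Fetch) -> Dict[str, dict]:
    """Step 1: manifest.json maps event UUID -> {timestamp, info, ...}."""
    return json.loads(fetch(base_url.rstrip("/") + "/manifest.json"))

def new_event_uuids(manifest: Dict[str, dict], cursor: int) -> List[str]:
    """Step 2: only events whose manifest timestamp is newer than the poll cursor."""
    return sorted(u for u, meta in manifest.items() if int(meta["timestamp"]) > cursor)

def iter_attributes(event: dict) -> Iterable[dict]:
    """Attributes live both at the top level of an Event and inside MISP Objects."""
    ev = event["Event"]
    yield from ev.get("Attribute", [])
    for obj in ev.get("Object", []):
        yield from obj.get("Attribute", [])

def extract_iocs(event: dict) -> Tuple[List[dict], int]:
    """Step 3: keep to_ids=true attributes of known types; count everything else as skipped."""
    iocs, skipped = [], 0
    for attr in iter_attributes(event):
        mapping = TYPE_MAP.get(attr.get("type"))
        if not attr.get("to_ids") or mapping is None:
            skipped += 1
            continue
        ioc_type, part = mapping
        value = attr["value"]
        if part == 0:
            value = value.split("|", 1)[0]       # "203.0.113.5|443" -> IP
        elif part == 1:
            value = value.rsplit("|", 1)[1]      # "dropper.exe|<hash>" -> hash
        if ioc_type == "IPv4":
            try:
                ipaddress.IPv4Address(value)
            except ValueError:                   # assumption: IPv6 or junk is skipped, not stored
                skipped += 1
                continue
        iocs.append({"type": ioc_type, "value": value,
                     "event": event["Event"]["info"], "attr_uuid": attr.get("uuid")})
    return iocs, skipped

def poll(base_url: str, fetch: Fetch, cursor: int) -> Tuple[List[dict], int, int]:
    """One poll. cursor=0 is the initial full sync; later polls pass the returned cursor."""
    manifest = load_manifest(base_url, fetch)
    iocs, skipped, new_cursor = [], 0, cursor
    for uuid in new_event_uuids(manifest, cursor):
        event = json.loads(fetch(f"{base_url.rstrip('/')}/{uuid}.json"))
        found, skip = extract_iocs(event)
        iocs.extend(found)
        skipped += skip
        new_cursor = max(new_cursor, int(manifest[uuid]["timestamp"]))
    return iocs, skipped, new_cursor

# Constructed sample feed (not real threat data), served from memory by fake_fetch.
EV1, EV2 = "0d7ff3f2-4c0a-4d3e-9a21-2f3b4c5d6e7f", "5e1c9a77-8b2d-4f60-b3c4-d5e6f7a8b9c0"
SAMPLE_FEED = {
    "manifest.json": {EV1: {"timestamp": "1700000000", "info": "Phishing kit wave"},
                      EV2: {"timestamp": "1700100000", "info": "Loader C2 update"}},
    f"{EV1}.json": {"Event": {"info": "Phishing kit wave", "Attribute": [
        {"type": "domain", "value": "login-secure.example", "to_ids": True},
        {"type": "ip-dst|port", "value": "203.0.113.5|443", "to_ids": True},
        {"type": "comment", "value": "seen in mailbox X", "to_ids": False},
        {"type": "url", "value": "https://blog.example/writeup", "to_ids": False},
    ]}},
    f"{EV2}.json": {"Event": {"info": "Loader C2 update", "Object": [{"name": "file", "Attribute": [
        {"type": "filename|sha256", "value": "dropper.exe|" + "a" * 64, "to_ids": True},
        {"type": "sha256", "value": "b" * 64, "to_ids": True},
        {"type": "ip-dst", "value": "2001:db8::1", "to_ids": True},
    ]}]}},
}

def fake_fetch(url: str) -> bytes:
    return json.dumps(SAMPLE_FEED[url.rsplit("/", 1)[1]]).encode()

if __name__ == "__main__":
    base = "https://feed.example/osint/"           # assumed URL, not a real feed
    iocs, skipped, cursor = poll(base, fake_fetch, 0)
    print(f"initial sync: {len(iocs)} IOCs, {skipped} skipped, cursor={cursor}")
    again, _, _ = poll(base, fake_fetch, cursor)
    print(f"next poll: {len(again)} new IOCs")    # 0: nothing newer than the cursor
```

On the sample, the initial sync yields four IOCs (a domain, the IP half of an ip-dst|port pair, and two SHA-256 hashes) and counts three attributes as skipped: the comment, the to_ids=false URL, and an IPv6 destination. A second poll with the returned cursor downloads nothing, which is the same "0 new events" you will see in the Recent polls drawer when a feed has not published since the last run. To replace fake_fetch with a real fetch, any HTTPS client that returns the response body as bytes will do.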

Prerequisites

  • An HTTPS feed URL. Mimir enforces HTTPS-only for all external feeds — HTTP URLs are rejected at the form layer. Almost all public MISP feeds are HTTPS.
  • Admin access to Mimir. Adding feeds requires the Admin role. Check by visiting Settings → Threat Feeds: if you don’t see an Add MISP feed button, ask your Mimir admin to grant you the role.

That’s it. No API key, no account, no deployment-side configuration.

Setting up

  1. Open Settings → Threat Feeds.

  2. Click Add MISP feed.

  3. Fill in the form:

    • Name — anything memorable. Suggested: the publisher’s name, e.g. botvrij OSINT. Shows up in alert source attribution and the feeds table.

    • Feed URL — the feed’s base directory URL. Examples:

      • https://www.botvrij.eu/data/feed-osint/
      • https://www.circl.lu/doc/misp/feed-osint/

      Enter the feed's directory URL, not the manifest itself: Mimir appends manifest.json on its own and tolerates a missing trailing slash, so either form works.

    • Poll interval — 60 minutes is a good default for public feeds. Public MISP feeds publish on their own cadence; check the publisher’s documentation if you need to tune for a specific feed.

  4. Click Test connection to confirm Mimir can reach the manifest. On success you’ll see a green banner like “MISP feed reachable — N events in manifest.” This counts how many events the feed has ever published, not how many indicators you’ll get — most events contain 5-50 indicators each.

  5. Click Add feed.

The first poll runs within a minute. Initial sync downloads the entire manifest history and can take a few minutes for established feeds; you’ll see the IOC count climb in the table as events import. Subsequent polls only fetch events newer than the last poll cursor, so they’re fast.

What you’ll see after adding

Within a few minutes:

  • The new feed appears in the Threat Feeds table with a MISP tag.
  • The IOCs column shows the imported count. Established feeds like botvrij and CIRCL initially deliver tens of thousands of indicators on first sync.
  • The Last synced column updates to the current time.

Within hours (or sooner, depending on fleet activity):

  • IOC alerts fire on the Alerts page when any agent observes a match. Each alert links back to this feed as the source.
  • Historical alerts fire for any indicator that retroactively matches agent activity from the last 90 days.
  • The Indicators page (filtered by source) shows every imported IOC, with the originating MISP event title in the metadata. This is useful for triage: when an alert fires, you can click through to see which threat-intel event flagged the indicator and what context the publisher provided.

Confidence decay

Threat-intel indicators go stale fast. A C2 domain hot in March is often inactive by September; a phishing landing page registered last week may already be defanged. Mimir handles this by decaying the confidence score of feed-imported IOCs by 5 points per day. When confidence drops below 20 the IOC is auto-deactivated (kept in history, no longer matched against incoming agent activity). A successful poll that re-emits the same IOC bumps confidence back up.

Practical implications:

  • You can leave a MISP feed enabled long-term without worrying about stale-IOC alert noise.
  • If you pause a feed for >10 days, all its IOCs deactivate. Resume the feed and the next successful poll restores them.
  • An indicator that the publisher removes from the feed (because the threat is over) won’t be re-emitted, so it’ll decay and deactivate naturally without you doing anything.
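The lifecycle described above, as an added Python example (not Mimir's code). The 5-point daily decay and the deactivate-below-20 threshold come from this page; the starting confidence of 70, the rule that a re-emitted IOC returns to that starting score, and the manually_deactivated flag (standing in for the Deactivate toggle mentioned under Troubleshooting) are assumptions.

```python
from dataclasses import dataclass

DECAY_PER_DAY = 5        # from the page
DEACTIVATE_BELOW = 20    # from the page
INITIAL_CONFIDENCE = 70  # assumption: the page does not state the starting score


@dataclass
class FeedIoc:
    value: str
    confidence: int = INITIAL_CONFIDENCE
    active: bool = True
    manually_deactivated: bool = False   # assumption: models the analyst's Deactivate toggle

    def age(self, days: int) -> "FeedIoc":
        """Apply `days` of decay; the IOC stops matching once confidence drops below the threshold."""
        self.confidence = max(0, self.confidence - DECAY_PER_DAY * days)
        if self.confidence < DEACTIVATE_BELOW:
            self.active = False
        return self

    def re_emitted(self) -> "FeedIoc":
        """A successful poll returned this IOC again: restore it unless an analyst switched it off."""
        self.confidence = INITIAL_CONFIDENCE  # assumption: bumps back to the starting score
        if not self.manually_deactivated:
            self.active = True
        return self


def days_until_deactivation(start: int = INITIAL_CONFIDENCE) -> int:
    """Daily decay steps before an IOC that is never re-emitted stops matching."""
    days, c = 0, start
    while c >= DEACTIVATE_BELOW:
        c -= DECAY_PER_DAY
        days += 1
    return days


def paused_feed_scenario(pause_days: int) -> tuple:
    """Pause a feed, resume it, and report (active during the pause, active after resume)."""
    ioc = FeedIoc("c2.example").age(pause_days)   # constructed indicator, not real data
    during = ioc.active
    ioc.re_emitted()                               # first poll after Resume re-emits it
    return during, ioc.active


if __name__ == "__main__":
    print(days_until_deactivation())               # 11 with a starting score of 70
    print(paused_feed_scenario(11))                # (False, True)
    muted = FeedIoc("cdn.example", manually_deactivated=True, active=False)
    print(muted.re_emitted().active)               # False: analyst deactivation survives re-import
```

With a starting score of 70 the IOC is still matched on day 10 (score exactly 20) and stops on day 11, which is where the "about 10 days" figure on this page comes from; a feed that started its IOCs at 100 would take 17 days. A resumed feed restores the IOC on its first successful poll, but an indicator an analyst deactivated by hand stays off even when the publisher keeps re-emitting it.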

Choosing a poll interval

Unlike built-in feeds (where the bridge polls upstream every 5 minutes), MISP feeds publish on the publisher’s own cadence — typically anywhere from a few times a day to continuously. Your poll interval should match the feed’s update tempo.

| Interval | When to use |
|---|---|
| 15-30 min | High-tempo feeds (e.g., MISP feeds tied to live incident response). |
| 60 min (default) | Most public OSINT feeds. botvrij and CIRCL both work well at this interval. |
| 240 min | Slow-publishing feeds where you have checked the manifest and seen fewer than one update per day. |
| 1440 min (daily) | Archive-style feeds that publish weekly digests rather than continuous updates. |

If you’re not sure, start at 60 minutes. After a week, check the Recent polls drawer (click Details on the feed row) — if most polls report 0 new events, you’re polling faster than the publisher updates. Increase the interval to reduce database write load.

Troubleshooting

The poll succeeds but the IOC count is 0. The feed publisher may not flag any attributes with to_ids = true. Check by opening one of the event JSON files directly in your browser: the feed's base URL followed by an event UUID and .json (for example https://www.botvrij.eu/data/feed-osint/<uuid>.json; the UUIDs are the keys in manifest.json). If to_ids is false everywhere, the feed is informational-only and Mimir is correctly skipping its content. This is sometimes intentional (research feeds, threat-actor profiles) and sometimes a publisher misconfiguration.

“manifest decode” or “event decode” errors in Recent polls. The feed URL is reachable but isn’t returning valid MISP JSON. Open the URL in a browser. If you see HTML (a CAPTCHA page, a login redirect, a 404 page styled with the publisher’s branding), the feed isn’t publicly accessible. Some publishers gate their feeds behind CAPTCHAs to prevent automated scraping; Mimir can’t bypass these.

“http:// URLs are not allowed; use https://” The feed URL must use HTTPS. Almost all public feeds support HTTPS. If a publisher insists on plain HTTP, anyone on the network path can alter the indicators in transit, and you should not ingest such data as automated detection input regardless.

The feed paused itself. Long failure streaks (publisher took the feed offline, persistent 5xx responses, etc.) auto-disable a feed. Click Edit, fix the URL if the publisher moved it, then click Resume.

An event imports successfully but I see far fewer indicators than the event file claims. This is the to_ids = true filter working as designed. A typical MISP event publishes both “ready for automated detection” indicators (the ones Mimir imports) and “research context” attributes (URLs of threat-intel writeups, vulnerability CVE IDs, threat-actor names). Mimir imports only the former.

An indicator is matching things it shouldn’t in my environment. Open Indicators, filter by source, find the noisy indicator, and click its Deactivate toggle. The deactivation is preserved across future re-imports. Common cause: a feed lists a domain that’s also a legitimate vendor in your supply chain (e.g., a low-reputation file-sharing service that you actually use for transfers).

Replacing or removing the feed

  • Edit changes name, URL, or interval.
  • Pause stops polling without losing imported IOCs (they decay normally — about 10 days to deactivation).
  • Remove deletes the feed but keeps the IOCs as orphaned (still searchable, no source attribution).

If you want to wipe the imported IOCs as well, filter the Indicators page by source before removing the feed, then bulk-delete the rows there.

Where to next

  • Built-in feeds (abuse.ch) — the other zero-account option, great companion to MISP feeds.
  • Custom STIX/TAXII — for AlienVault OTX (free, account required) or commercial CTI vendors.
  • Indicators page — see what’s been imported, inspect event metadata, deactivate noisy IOCs.
  • MISP project documentation: misp-project.org for the broader MISP ecosystem, sharing protocols, and community.