top of page
Search

Distribution & Sharing Groups in MISP

Updated: Aug 4

Sharing threat intelligence is powerful - but only when done securely and intentionally. In MISP, every piece of data you add can be carefully controlled using flexible distribution settings, sharing groups, and traffic light protocol (TLP) levels.

In this post, we’ll break down how these mechanisms work and how to use them effectively in your goMISP environment or any MISP setup.


Distribution Levels: Who sees what?

When you create or modify an event or attribute in MISP, you’ll choose a distribution level that controls who can access it. This structure is similar to the structure of the user roles and their rights (see here).

This diagram shows how different MISP instances - operated by CIRCL, NATO/NCIRC, and other organizations - collaborate via secure API clearing houses and synchronization. It highlights the decentralized but trusted sharing of threat intelligence across public, private, and international communities. Source: MISP Project - CIRCL
This diagram shows how different MISP instances - operated by CIRCL, NATO/NCIRC, and other organizations - collaborate via secure API clearing houses and synchronization. It highlights the decentralized but trusted sharing of threat intelligence across public, private, and international communities. Source: MISP Project - CIRCL

Here are the four built-in options:

Level

Who Can See It

Use Case

Your Organization Only

Only users within your own org

Internal use only, sensitive data

This Community Only

Other orgs on your local MISP instance

Shared within a closed community

Connected Communities

Federated (synced) MISP instances

Sharing with trusted partners

All Communities

Any MISP instance via sync (global sharing)

Open threat intelligence, public campaigns


Tip: Start conservative. You can always widen the distribution later, but you can’t take data back once it’s widely shared.


Sharing Groups: Fine-grained trust control

Sometimes, distribution levels aren’t enough. You may want to share information only with specific partners - not the whole community.

That’s where Sharing Groups come in.

  • You define a named group of trusted organizations (e.g., “EU CERT Network”)

  • Then assign that group to events or attributes

  • Only members of that group can see the data - regardless of general distribution level


This is ideal for working groups, commercial partnerships, or sensitive data exchanges.


TLP: Traffic Light Protocol for Visibility & Handling

TLP (Traffic Light Protocol) is a simple color-based system for controlling how shared data can be used:

TLP Level

Meaning

TLP:RED

For named recipients only - do not share further

TLP:AMBER

Limited sharing within organizations

TLP:GREEN

Share freely within the community

TLP:CLEAR

Public - no restrictions


In MISP, TLP levels can be applied at the attribute or event level and help external users understand how to handle the data responsibly (see more here).


Best Practices for Secure Sharing in goMISP

  • Use "Your Org Only" or Sharing Groups for sensitive IOCs or client-related data.

  • Use TLP:RED or AMBER for early-stage or confidential intelligence.

  • Always review distribution before publishing — mistakes can’t be undone.

  • Make use of attribute-level distribution when an event mixes public and private content.

  • Use default templates or warninglists to guide proper classification.


Sharing Done Right

With MISP’s distribution controls, sharing groups, and TLP integration, your organization has all the tools needed to share threat data securely, responsibly, and with the right people.

If you're unsure how to set up sharing groups or TLP workflows in your goMISP instance, our support team is ready to help!







 
 
bottom of page