Events in MISP - Creating, Tagging and more...
- Kalina Georgieva
- Jun 11
Updated: Aug 4
What Is an Event in MISP?
In MISP, an event is the central unit for collecting and sharing cyber threat intelligence. Think of an event as a case file - it contains IOCs (Indicators of Compromise), related context, and threat metadata.
You can use events to describe:
A phishing campaign
Malware behavior
A targeted intrusion
Or any cyber incident relevant to your team or community
Step 1: Creating an Event Manually
To create a new event:
Log in to your goMISP instance (e.g. <instance_name>.eu.gomisp.com) with your username and password.
From the top menu, go to “Event Actions” → “Add Event”.
Fill in the event details:
Info: A short title (e.g., “Suspicious RDP Activity - May 2025”)
Threat Level: Choose Low, Medium, High, or Undefined
Analysis Level: Initial, Ongoing, or Completed
Date: The date the event occurred or was observed
Distribution: Who should see this event (your org, community, all users, etc.)

Once created, the event is visible to the organisations that have an account on this platform, but it is not synchronised to other MISP instances until it is published.
Tip: Use consistent naming for event titles so you can easily find and group similar events later.
Click “Submit” to create the event.
Tip: If you need more detailed information about the different categories or their meaning, you can visit https://www.circl.lu/doc/misp/using-the-system/#creating-an-event
Step 2: Adding Attributes (Your IOCs)
Now that your event is created, it’s time to populate it with attributes - the actual indicators of compromise such as IP addresses, file hashes, domains, email addresses, etc.
Open the event you just created.

Click “Add Attribute”.

Choose the attribute type:
ip-src, ip-dst – source or destination IP
domain, url, hostname
sha256, md5, sha1 – file hashes
email-src, text, malware-sample – and many more
Enter the value (e.g., 185.143.223.89) and save.
Repeat as needed for each IOC you want to add.
Tip: Use the "Batch Import" feature if you have a list of indicators to upload quickly.
Alternative:
If you already have raw IOCs (IPs, hashes, domains), you can upload a file with the raw information:
Go to "Populate from..."

Choose the file format for the import

Step 3: Tagging Your Event
Tags help organize and classify your event. They can define:
Threat level (TLP): e.g., tlp:red, tlp:green
Severity or type: e.g., ransomware, phishing
Campaign or actor references
MITRE ATT&CK techniques
How to Tag:
Open the event and click “Tag Event”.

Choose from available tags or create custom ones.
Save.
It is important to add tags to your event because they make searching, filtering, and syncing your data smarter and more structured.
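Steps 1 to 3 expressed as data, as an added example that is not code from the original post: it sorts a raw IOC list into MISP attribute types and builds the event JSON with the fields, attributes and tags described above. The function names, the sample IOCs other than 185.143.223.89, the category choices and `to_ids: True` are assumptions made for illustration.

```python
import ipaddress
import re

# Numeric codes MISP stores for the drop-downs in the "Add Event" form.
THREAT_LEVEL = {"High": 1, "Medium": 2, "Low": 3, "Undefined": 4}
ANALYSIS = {"Initial": 0, "Ongoing": 1, "Completed": 2}
DISTRIBUTION = {"Your organisation only": 0, "This community only": 1,
                "Connected communities": 2, "All communities": 3}
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}  # hex length -> attribute type
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
# Constructed sample input: defanged values, a duplicate and a junk line.
SAMPLE_IOCS = ["185.143.223.89", "login-update.example[.]com", "not an ioc",
               "hxxp://login-update.example.com/a", "D41D8CD98F00B204E9800998ECF8427E",
               " 185.143.223.89 "]

def classify(raw):
    """Return (type, category, value) for one raw IOC, or None if unrecognised."""
    value = raw.strip().replace("[.]", ".").replace("hxxp", "http")  # refang
    try:
        return "ip-dst", "Network activity", str(ipaddress.ip_address(value))
    except ValueError:
        pass
    if re.fullmatch(r"[0-9a-fA-F]+", value) and len(value) in HASH_TYPES:
        return HASH_TYPES[len(value)], "Payload delivery", value.lower()
    if re.match(r"^https?://", value, re.I):
        return "url", "Network activity", value
    if DOMAIN_RE.match(value.lower()):
        return "domain", "Network activity", value.lower()
    return None

def build_event(info, date, raw_iocs, tags, threat="Medium", analysis="Initial",
                distribution="Your organisation only"):
    """Build a MISP event dict; unrecognised lines are returned, never guessed."""
    attributes, rejected, seen = [], [], set()
    for raw in raw_iocs:
        hit = classify(raw)
        if hit is None:
            rejected.append(raw)
        elif hit not in seen:  # skip duplicates after normalisation
            seen.add(hit)
            attributes.append({"type": hit[0], "category": hit[1],
                               "value": hit[2], "to_ids": True})  # assumption
    return {"Event": {"info": info, "date": date,
                      "threat_level_id": str(THREAT_LEVEL[threat]),
                      "analysis": str(ANALYSIS[analysis]),
                      "distribution": str(DISTRIBUTION[distribution]),
                      "Attribute": attributes,
                      "Tag": [{"name": t} for t in tags]}}, rejected
```

Passing the returned dict to `json.dumps` gives the same event structure MISP uses in its JSON exports; review the rejected list by hand before adding anything from it.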
Step 4: Add Galaxies (Advanced Tagging)
Galaxies in MISP are structured threat intelligence sets called clusters - like MITRE ATT&CK, threat actor profiles, malware families, etc. They can be linked to events or attributes and contain key-value details like names, aliases, and attack techniques to provide context.
To add a galaxy:
Inside your event, click “Galaxies” → “Add New Cluster” or “Add New Local Cluster”

Choose a galaxy type (e.g., mitre-attack → Intrusion Set → APT28)
It will auto-tag your event with the relevant context.
Galaxies make your event globally recognizable and easier to correlate across MISP communities!
Step 5: Enrich Your Event
You can enrich IOCs using built-in tools like:
GeoIP (find country of an IP)
VirusTotal (check hash detection ratio)
Passive DNS (see domain history)
YARAify, Shodan, and more
Click an attribute → "Enrich" → Select a module
Some modules require API keys (e.g., for VirusTotal)
Final Thoughts
Creating and tagging events is the core skill for using MISP effectively. Once you’ve added your data, it can be:
Correlated with existing intel
Shared with trusted partners
Used in your SOC or SIEM
Used to build dashboards and alerts