How to Import Public Threat Intelligence Feeds into Your MISP Instance?
- Kalina Georgieva
- May 26
Updated: Aug 4
Why Use Public Feeds?
Public threat intelligence feeds are a powerful way to enrich your MISP instance with up-to-date indicators of compromise (IOCs) from trusted sources like CIRCL, Abuse.ch, and others. These feeds - whether in MISP, CSV, or even free-text format - can be easily imported from remote or local URLs and automatically updated on a schedule.
MISP makes it simple to manage, import, and share feed definitions across instances. You can even export feed configurations as JSON and re-import them elsewhere, making it ideal for collaborative or distributed environments.
Whether you're just starting out or running MISP as a service, integrating public feeds is a quick win that delivers immediate value - giving your organization visibility into emerging threats with minimal setup.
Prerequisites:
- Access to your MISP instance.
- Admin or sync-level privileges.
Step 1: Log in to Your MISP Instance
Use your browser and log in to your MISP dashboard. This instance was created for you and is fully managed by the goMISP team, so everything you need is ready to go.

Example URL for your MISP instance: https://<your instance>.eu.gomisp.com
Use your assigned username and password to sign in. Once you're in, you'll be taken to the main dashboard where you can start working with threat intelligence data.
Step 2: Navigate to the Feed Management Section
Sync Actions → Feeds

This page lists a variety of public and built-in feeds available in MISP. Feeds are external sources of threat intelligence such as malware hashes, phishing domains, IP addresses, and other indicators of compromise.
Each feed includes metadata such as the source, update frequency, and the type of indicators it contains.
Step 3: Enable Feeds
Browse through the available feeds and choose the ones you want to activate. For each feed you wish to use, simply click the "Enable" button.

Tip: You might want to start with well-known and trusted feeds like CIRCL OSINT, Abuse.ch ThreatFox, or CVE Update Feed.
Once enabled, these feeds are ready to pull data into your MISP instance.
Step 4: Fetch Feed Data
After enabling feeds, you need to manually pull (fetch) the data for the first time. This is done through the web interface by going to the "Sync Actions" Menu >> "List Feeds".
You'll see a list of enabled feeds. Click "Fetch" next to each one you want to import, or use "Fetch All" to retrieve data from all enabled feeds.
This process might take a minute or two depending on the size of the feed.

Step 5: Review the Imported Events
Once the feeds are fetched, go to: Event Actions → List Events

Here you'll find newly created events that originated from the feeds you just imported. You can filter these events using tags like OSINT or by feed name.
Click on any event to view the indicators (attributes) it contains - such as IP addresses, domains, file hashes, URLs, etc. You can then correlate these with your own data or export them for further analysis.
MISP will automatically correlate indicators across events, helping you spot patterns and linked threats.
Step 6: Load the default feed metadata
The MISP platform makes it easy to get started with a wide range of open-source threat intelligence feeds. With just a click on the "Load default feed metadata" button in the Feeds section, users can instantly populate their instance with a curated list of useful feeds.

After you load the feed metadata, a message will be shown and you will be able to choose which feeds you want to enable.

These definitions are then added to the database as new feed entries - but here's the smart part: MISP checks each feed's URL to avoid importing duplicates. If a feed with the same URL already exists in your system, it's skipped automatically. This means:
- Your local changes are preserved (like custom names, distribution settings, or whether a feed is enabled or disabled)
- You won't lose any manual configurations
- You can safely update or load new defaults without impacting existing data
This thoughtful design ensures that MISP remains both user-friendly and admin-safe.
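The URL-based duplicate check from Step 6, written out as an added example (not MISP's own code and not part of the original post) that dry-runs a feed metadata import so you can see what would be added or skipped before loading it. The `Feed` field names are assumed to follow the shape of a MISP feed JSON export, exact string matching on the URL is an assumption, and every feed entry below is constructed.

```python
import json

# Constructed sample data. Field names follow the shape of a MISP feed JSON
# export (assumption); names, URLs and settings below are made up.
EXISTING = [
    {"Feed": {"name": "CIRCL OSINT (renamed locally)", "provider": "CIRCL",
              "url": "https://feeds.example.org/circl-osint",
              "enabled": True, "distribution": "0"}},
]
DEFAULTS_JSON = json.dumps([
    {"Feed": {"name": "CIRCL OSINT Feed", "provider": "CIRCL",
              "url": "https://feeds.example.org/circl-osint",
              "enabled": False, "distribution": "3"}},
    {"Feed": {"name": "ThreatFox", "provider": "abuse.ch",
              "url": "https://feeds.example.org/threatfox",
              "enabled": False, "distribution": "3"}},
    {"Feed": {"name": "ThreatFox (mirror entry)", "provider": "abuse.ch",
              "url": "https://feeds.example.org/threatfox",
              "enabled": False, "distribution": "3"}},
    {"Feed": {"name": "Broken entry", "provider": "unknown"}},
])


def merge_feed_metadata(existing, incoming):
    """Dry-run of loading feed definitions: skip any entry whose URL is known.

    Returns (merged, added_names, skipped) and never modifies existing
    entries, so local names and enabled/distribution settings survive.
    """
    known_urls = {e["Feed"]["url"] for e in existing}
    merged, added, skipped = list(existing), [], []
    for entry in incoming:
        feed = entry.get("Feed", {})
        url = feed.get("url")
        if not url:
            skipped.append((feed.get("name"), "no url"))
        elif url in known_urls:  # exact string match (assumption)
            skipped.append((feed.get("name"), "url already present"))
        else:
            known_urls.add(url)  # also catches repeats within the import
            merged.append(entry)
            added.append(feed.get("name"))
    return merged, added, skipped


if __name__ == "__main__":
    merged, added, skipped = merge_feed_metadata(EXISTING, json.loads(DEFAULTS_JSON))
    print("added:  ", added)
    for name, reason in skipped:
        print(f"skipped: {name} ({reason})")
```

Reviewing the skipped list before enabling anything also surfaces entries that differ from a trusted feed only by name while pointing at the same source.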