Security analyst · Security · Skill · Risk: medium
MISP Threat Intelligence Sharing with PyMISP
The prompt provides an overview, prerequisites, and numbered steps for using PyMISP to create events, add IOC attributes, apply tags, publish, search, and export threat intelligenc…
- Policy sensitive
- Human review
- External action: medium
SKILL 4 files · 2 folders
SKILL.md
---
name: performing-threat-intelligence-sharing-with-misp
description: "Use PyMISP to create, enrich, and share threat intelligence events on a MISP platform, including IOC management,"
---

# Performing Threat Intelligence Sharing with MISP

## Overview

MISP (Malware Information Sharing Platform) is an open-source threat intelligence platform designed for collecting, storing, distributing, and sharing cybersecurity indicators and threat information. PyMISP is the official Python library for interacting with MISP instances via the REST API, enabling programmatic event creation, attribute management, tag assignment, galaxy cluster attachment, and feed synchronization.

This skill covers using PyMISP to create events with structured IOCs (IP addresses, domains, file hashes, URLs), enrich events with MITRE ATT&CK tags, manage sharing groups and distribution levels, search for existing intelligence, and export in STIX 2.1 format for interoperability with other platforms.

## When to Use

- When conducting security assessments that involve performing threat intelligence sharing with MISP
- When following incident response procedures for related security events
- When performing scheduled security testing or auditing activities
- When validating security controls through hands-on testing

## Prerequisites

- MISP instance (v2.4+) with API access enabled
- Python 3.9+ with `pymisp` (`pip install pymisp`)
- MISP API key (Settings > Auth Keys)
- Understanding of MISP data model (Events, Attributes, Objects, Tags, Galaxies)
- Knowledge of TLP marking and sharing protocols

## Steps

1. Install PyMISP: `pip install pymisp`
2. Initialize `ExpandedPyMISP(url, key, ssl=True)` connection
3. Create a `MISPEvent` with info, distribution level, threat level, and analysis status
4. Add attributes via `event.add_attribute(type, value)` for IPs, domains, hashes
5. Apply TLP tags and MITRE ATT&CK technique tags
6. Publish the event with `misp.publish(event)`
7. Search existing events with `misp.search(controller='events', value=..., type_attribute=...)`
8. Enable and configure threat feeds for automatic IOC ingestion
9. Export events in STIX 2.1 format for cross-platform sharing
10. Validate sharing group configuration and sync server settings

## Expected Output

A JSON report summarizing events created, attributes added, tags applied, feed sync status, and any correlation hits against existing intelligence, with event IDs and distribution metadata.
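The steps above name the PyMISP calls but leave the part that usually goes wrong, mapping raw IOC strings to the right MISP attribute type, and the shape of the final JSON report, unspecified. The following is an added example, not code from the skill or from the PyMISP project: `classify_ioc` and `build_event_payload` do the typing and de-duplication offline, `push_event` performs steps 2 to 7 against a live instance using the real PyMISP API (`PyMISP`, `MISPEvent`, `add_attribute`, `add_tag`, `add_event`, `publish`, `search`), and `build_report` emits a report with the fields the Expected Output section lists. The MISP URL, API key, event info string, tag names and every indicator value are constructed placeholders; the attribute-type mapping (hash by hex length, `ip-dst` for bare IPs, `url`, `domain`) is one reasonable convention, not the only one MISP supports.

```python
"""Added example, not part of the original skill text: turn raw IOC strings into typed
MISP attributes, build the event as the skill's steps describe, and emit the JSON report.
Every indicator value in main() is a constructed placeholder (RFC 5737 / RFC 6761 ranges)."""
import ipaddress
import json
import re
from collections import Counter
from urllib.parse import urlparse

HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}   # hex-digest length -> MISP attribute type
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def classify_ioc(value):
    """Map one IOC string to (misp_attribute_type, normalised_value), or None.
    Unrecognised input is rejected rather than guessed, so a typo never lands in a
    published event under the wrong attribute type."""
    v = value.strip()
    if re.fullmatch(r"[0-9a-fA-F]+", v) and len(v) in HASH_TYPES:
        return HASH_TYPES[len(v)], v.lower()
    try:                                   # IPv4 or IPv6 literal
        return "ip-dst", str(ipaddress.ip_address(v))
    except ValueError:
        pass
    parsed = urlparse(v)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return "url", v
    host = v.lower().rstrip(".")           # tolerate a trailing dot on FQDNs
    if DOMAIN_RE.match(host):
        return "domain", host
    return None


def build_event_payload(info, iocs, tags, distribution=1, threat_level_id=2, analysis=1):
    """Plain-dict form of the MISPEvent that steps 3-5 build (distribution 1 = this
    community, threat level 2 = medium, analysis 1 = ongoing). Duplicates are dropped
    once; unrecognised values are kept in `rejected` so the report can show them."""
    attributes, rejected, seen = [], [], set()
    for raw in iocs:
        typed = classify_ioc(raw)
        if typed is None:
            rejected.append(raw)
        elif typed not in seen:
            seen.add(typed)
            attributes.append({"type": typed[0], "value": typed[1], "to_ids": True})
    return {"info": info, "distribution": distribution, "threat_level_id": threat_level_id,
            "analysis": analysis, "Attribute": attributes, "Tag": list(tags), "rejected": rejected}


def push_event(url, key, payload, ssl=True):
    """Steps 2, 6 and 7 against a live instance; needs `pip install pymisp`. Returns the
    created event plus attributes in other events that share a value (correlation hits)."""
    from pymisp import MISPEvent, PyMISP  # imported lazily so the offline parts run without it
    misp = PyMISP(url, key, ssl=ssl)      # ExpandedPyMISP is the older name for this class
    ev = MISPEvent()
    ev.info = payload["info"]
    ev.distribution = payload["distribution"]
    ev.threat_level_id = payload["threat_level_id"]
    ev.analysis = payload["analysis"]
    for a in payload["Attribute"]:
        ev.add_attribute(a["type"], a["value"], to_ids=a["to_ids"])
    for t in payload["Tag"]:
        ev.add_tag(t)
    created = misp.add_event(ev, pythonify=True)
    misp.publish(created)
    values = [a["value"] for a in payload["Attribute"]]
    found = misp.search(controller="attributes", value=values, pythonify=True)
    hits = [{"event_id": int(a.event_id), "type": a.type, "value": a.value}
            for a in found if int(a.event_id) != int(created.id)]
    return created, hits


def build_report(payload, created, correlation_hits, feed_sync_status):
    """The JSON report the Expected Output section asks for. `created` holds id, uuid and
    published, taken from the MISPEvent that push_event() returns."""
    return {
        "events_created": [{"id": created["id"], "uuid": created["uuid"],
                            "info": payload["info"], "distribution": payload["distribution"],
                            "published": created["published"]}],
        "attributes_added": len(payload["Attribute"]),
        "attributes_by_type": dict(Counter(a["type"] for a in payload["Attribute"])),
        "rejected_values": payload["rejected"],
        "tags_applied": payload["Tag"],
        "feed_sync_status": feed_sync_status,
        "correlation_hits": correlation_hits,
    }


if __name__ == "__main__":
    # Constructed sample input: documentation ranges and reserved TLDs only, not real indicators.
    iocs = ["198.51.100.7", "198.51.100.7", "C2.example.", "https://files.example/update.bin",
            "0123456789abcdef0123456789abcdef", "not an ioc"]
    tags = ["tlp:amber",
            'misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059"']
    payload = build_event_payload("Constructed example event", iocs, tags)
    # Live step, commented out; replace the placeholders for a real run:
    # created, hits = push_event("https://misp.example", "<MISP API KEY>", payload)
    # meta = {"id": created.id, "uuid": created.uuid, "published": created.published}
    meta, hits = {"id": None, "uuid": None, "published": False}, []   # offline placeholder
    print(json.dumps(build_report(payload, meta, hits, feed_sync_status=[]), indent=2))
```

Run with `python misp_share.py` (file name is the reader's choice) to see the report for the constructed sample; one of the two identical IPs is dropped and `not an ioc` appears under `rejected_values` rather than being silently discarded. The correlation search deliberately queries the attributes controller and filters out the event just created, since the new event's own attributes would otherwise show up as hits.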
REQUIRED CONTEXT
- MISP instance URL and API key
- IOC data to add
OPTIONAL CONTEXT
- TLP markings
- MITRE ATT&CK tags
- distribution levels
EXPECTED OUTPUT
- Format: json
- Schema: json · events created, attributes added, tags applied, feed sync status, correlation hits against existing intelligence, event IDs, distribution metadata
- Constraints
  - summarize events created, attributes added, tags applied, feed sync status, correlation hits
  - include event IDs and distribution metadata
SUCCESS CRITERIA
- Produce JSON report summarizing events created, attributes added, tags applied, feed sync status, correlation hits, event IDs and distribution metadata
CAVEATS
- Dependencies
  - MISP instance (v2.4+) with API access enabled
  - Python 3.9+ with `pymisp`
  - MISP API key (Settings > Auth Keys)
  - Understanding of MISP data model (Events, Attributes, Objects, Tags, Galaxies)
  - Knowledge of TLP marking and sharing protocols
- Missing context
  - Exact output format or schema for the JSON report
  - Error handling or authentication edge cases
- Ambiguities
  - Header description is truncated: "including IOC management,"
QUALITY
- OVERALL: 0.69
- CLARITY: 0.78
- SPECIFICITY: 0.62
- REUSABILITY: 0.71
- COMPLETENESS: 0.68
IMPROVEMENT SUGGESTIONS
- Add short, concrete PyMISP code examples under each numbered step
- Specify the exact keys and structure expected in the JSON report
USAGE
Copy the prompt above and paste it into your AI of choice — Claude, ChatGPT, Gemini, or anywhere else you're working. Replace any placeholder sections with your own context, then ask for the output.