
security analyst security skill risk: medium

MISP Threat Landscape Analysis Guide

The prompt provides step-by-step instructions for analyzing threat landscape with MISP, including dependency installation, API configuration, and running a script to pull event sta…

  • External action: medium

SKILL 4 files · 2 folders

SKILL.md
---
name: analyzing-threat-landscape-with-misp
description: "Analyze the threat landscape using MISP (Malware Information Sharing Platform) by querying event statistics,"
---
# Analyzing Threat Landscape with MISP
## When to Use

- When investigating security incidents that require analyzing the threat landscape with MISP
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques

## Prerequisites

- Familiarity with threat intelligence concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities

## Instructions

1. Install dependencies: `pip install pymisp`
2. Configure MISP URL and API key.
3. Run the agent to generate threat landscape analysis:
   - Pull event statistics by threat level and date range
   - Analyze attribute type distributions (IP, domain, hash, URL)
   - Identify top MITRE ATT&CK techniques from event tags
   - Track threat actor activity via galaxy clusters
   - Generate temporal trend analysis of IOC submissions

```bash
python scripts/agent.py --misp-url https://misp.local --api-key YOUR_KEY --days 90 --output landscape_report.json
```
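The five analyses listed in step 3, carried out in one pass over MISP event data, as an added Python example that is not the skill's own `scripts/agent.py`. The events are constructed to mimic the dicts PyMISP returns from `misp.search(controller="events")`, so the live fetch with `--misp-url`/`--api-key` is assumed and omitted; the tag formats (`misp-galaxy:mitre-attack-pattern="Name - Txxxx"`, `misp-galaxy:threat-actor="Name"`) and threat-level ids follow MISP's own conventions.

```python
import re
from collections import Counter
from datetime import date, timedelta
# Constructed sample events shaped like PyMISP's misp.search(controller="events") output.
THREAT_LEVELS = {"1": "High", "2": "Medium", "3": "Low", "4": "Undefined"}
ATTACK_TAG = re.compile(r'^misp-galaxy:mitre-attack-pattern="(.+) - (T\d{4}(?:\.\d{3})?)"$')
ACTOR_TAG = re.compile(r'^misp-galaxy:threat-actor="(.+)"$')
PHISH = 'misp-galaxy:mitre-attack-pattern="Phishing - T1566"'
EXEC = 'misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059"'
APT28 = 'misp-galaxy:threat-actor="APT28"'

def _event(eid, day, level, attr_types, tags):  # minimal MISP-style event dict
    return {"Event": {"id": eid, "date": day, "threat_level_id": level,
                      "Attribute": [{"type": t} for t in attr_types],
                      "Tag": [{"name": t} for t in tags]}}
SAMPLE_EVENTS = [
    _event("1", "2024-03-28", "1", ["ip-dst", "domain", "sha256"], [PHISH, APT28]),
    _event("2", "2024-03-20", "1", ["ip-dst", "url"], [PHISH, "tlp:amber"]),
    _event("3", "2024-02-15", "2", ["domain", "sha256"], [EXEC, APT28]),
    _event("4", "2023-11-01", "3", ["ip-dst"], [PHISH]),  # older than a 90-day window
]

def summarize(events, days, today):
    """Tally threat levels, attribute types, ATT&CK techniques, actors and weekly volume."""
    cutoff = today - timedelta(days=days)
    levels, attrs, techniques, actors, weekly = (Counter() for _ in range(5))
    for ev in events:
        e = ev["Event"]
        d = date.fromisoformat(e["date"])
        if d < cutoff:
            continue  # outside the analysis window
        levels[THREAT_LEVELS.get(str(e["threat_level_id"]), "Undefined")] += 1
        attrs.update(a["type"] for a in e.get("Attribute", []))
        weekly["%d-W%02d" % d.isocalendar()[:2]] += 1  # temporal trend by ISO week
        for tag in e.get("Tag", []):
            if m := ATTACK_TAG.match(tag["name"]):
                techniques[f"{m.group(2)} {m.group(1)}"] += 1
            elif m := ACTOR_TAG.match(tag["name"]):
                actors[m.group(1)] += 1
    total_attrs = sum(attrs.values()) or 1
    return {
        "events_analyzed": sum(levels.values()),
        "threat_levels": dict(levels),
        "attribute_share": {t: round(100 * n / total_attrs) for t, n in attrs.most_common()},
        "top_techniques": techniques.most_common(3),
        "top_actors": actors.most_common(3),
        "events_per_week": dict(sorted(weekly.items())),
    }

REPORT = summarize(SAMPLE_EVENTS, days=90, today=date(2024, 3, 31))  # fixed "today" so the run is reproducible
```

Replacing `SAMPLE_EVENTS` with the list returned by a PyMISP search gives the same report structure for a real window; dumping `REPORT` with `json.dumps` yields the `landscape_report.json` the CLI above writes.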

## Examples

### Threat Landscape Summary
```
Period: Last 90 days
Events analyzed: 1,247
Top threat level: High (43%)
Top attribute type: ip-dst (31%), domain (22%), sha256 (18%)
Top MITRE technique: T1566 Phishing (89 events)
Top threat actor: APT28 (34 events)
```

INPUTS

  • misp-url (REQUIRED): URL of the MISP instance, e.g. https://misp.local
  • api-key (REQUIRED): API key for MISP authentication, e.g. YOUR_KEY
  • days: Number of days for the analysis window, e.g. 90
  • output: Path for the generated report JSON, e.g. landscape_report.json

REQUIRED CONTEXT

  • MISP URL
  • MISP API key

OPTIONAL CONTEXT

  • days
  • output file path

EXPECTED OUTPUT

Format: markdown
Constraints
  • include setup commands
  • include example CLI invocation
  • include sample analysis summary

EXAMPLES

Includes one threat landscape summary example with period, events, top threat level, attributes, techniques and actors.

CAVEATS

Dependencies
  • Familiarity with threat intelligence concepts and tools
  • Access to a test or lab environment for safe execution
  • Python 3.8+ with required dependencies installed
  • Appropriate authorization for any testing activities
Missing context
  • Exact expected structure of landscape_report.json
  • Python dependency versions beyond 3.8+
  • How to handle production vs lab MISP instances
Ambiguities
  • Does not specify what 'the agent' refers to or how agent.py is implemented
  • Lacks details on handling authentication errors or MISP connection issues

QUALITY

  • Overall: 0.68
  • Clarity: 0.80
  • Specificity: 0.65
  • Reusability: 0.70
  • Completeness: 0.60

IMPROVEMENT SUGGESTIONS

  • Add explicit output schema or JSON structure for the report
  • Include error-handling steps and logging guidance in the instructions
  • Specify required pymisp version and any additional Python packages

USAGE

Copy the prompt above and paste it into your AI of choice — Claude, ChatGPT, Gemini, or anywhere else you're working. Replace any placeholder sections with your own context, then ask for the output.
