September 20, 2025
Consuming MISP IoCs from a Firewall
Once our MISP instance is properly configured, it contains a set of threat intelligence data that can be leveraged by prevention tools such as Firewalls, Email Gateways, and more.
Let’s explore how to extract IoCs from MISP. Specifically, we’ll look at how to create a list of IP addresses to be proactively blocked by perimeter systems.
Modern firewalls are capable of ingesting External Dynamic Lists (EDLs), which are simply text files hosted on web servers containing lists of IP addresses. These lists can then be referenced within security policies to take specific actions.
The number of IP addresses a firewall can manage via EDLs might seem substantial, but these limits are relatively low compared to the global volume of IP-based IoCs.
This underscores the importance of managing IoCs in a structured way, with particular attention to their lifecycle.
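As an added illustration (not code from the original post or from the MISP project), the sketch below turns a MISP-style JSON attribute list into EDL lines while enforcing a lifecycle and a size cap. The sample data is constructed, and the 90-day retention, the entry cap and the `NEVER_BLOCK` ranges are assumptions to be replaced with your own policy and your firewall's documented limits.

```python
import ipaddress
import json

# Constructed sample shaped like a MISP JSON attribute export (not real intelligence).
SAMPLE = json.dumps({"response": {"Attribute": [
    {"type": "ip-dst", "value": "203.0.113.10", "to_ids": True, "timestamp": "1758000000"},
    {"type": "ip-src", "value": "198.51.100.7", "to_ids": True, "timestamp": "1757900000"},
    {"type": "ip-dst", "value": "203.0.113.10", "to_ids": True, "timestamp": "1757000000"},
    {"type": "ip-dst", "value": "203.0.113.77", "to_ids": True, "timestamp": "1757500000"},
    {"type": "ip-dst", "value": "192.0.2.55", "to_ids": False, "timestamp": "1758000000"},
    {"type": "ip-dst", "value": "198.51.100.99", "to_ids": True, "timestamp": "1700000000"},
    {"type": "ip-dst", "value": "10.0.0.5", "to_ids": True, "timestamp": "1758000000"},
    {"type": "domain", "value": "example.test", "to_ids": True, "timestamp": "1758000000"},
    {"type": "ip-dst", "value": "not-an-ip", "to_ids": True, "timestamp": "1758000000"},
]}})

# Assumption: ranges that must never reach a block list (own or internal networks).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]


def build_edl(misp_json, now, max_age_days=90, max_entries=1000):
    """Return EDL lines: valid, actionable, unexpired IPs, newest first, capped."""
    cutoff = now - max_age_days * 86400
    newest = {}  # ip string -> most recent timestamp seen for it
    for attr in json.loads(misp_json)["response"]["Attribute"]:
        # Keep only IP attributes that are flagged as actionable (to_ids).
        if attr.get("type") not in ("ip-src", "ip-dst") or not attr.get("to_ids"):
            continue
        try:
            ip = ipaddress.ip_address(attr["value"].strip())
        except ValueError:
            continue  # malformed value: never publish it to the firewall
        if any(ip in net for net in NEVER_BLOCK):
            continue  # protect internal ranges from a bad or poisoned feed entry
        ts = int(attr["timestamp"])
        if ts < cutoff:
            continue  # lifecycle: drop indicators older than the retention window
        newest[str(ip)] = max(ts, newest.get(str(ip), 0))
    # Newest first, so that the cap drops the oldest indicators, not random ones.
    ranked = sorted(newest, key=lambda k: (-newest[k], k))
    return ranked[:max_entries]


if __name__ == "__main__":
    # One address per line is the plain-text form an EDL expects.
    print("\n".join(build_edl(SAMPLE, now=1758300000)))
```

Ranking by timestamp before truncating means that when the list exceeds the cap, the indicators that fall off are the oldest ones.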
Native Export
MISP natively supports exporting attributes in multiple formats. By navigating to Event Actions -> Export, we can generate IoC lists in various formats:
Continue reading the post on Patreon.