11 November 2025
Zoom
Europe/Zurich timezone

Threat Intelligence Workshop Series
Part 1: Configuring & tuning MISP

Led by SAFER and the SOC Working Group, supporting R&E communities.

Everyone is welcome to attend this workshop (TLP:CLEAR)


Welcome to our four-part Threat Intelligence Workshop Series!

MISP, Zeek and Threat Intel experts from the Research & Education community join forces to help push forward your threat intelligence program. 
We will help you with the basics, but most importantly, share our lessons learned, nice tricks, smart tuning and default working configurations to help you get rolling.



PART 1: Configuring & tuning MISP (2h)

Bridging the gap between installing MISP and making the most of it can be challenging.
MISP is not just a platform — it is a mindset built around managing, contextualizing, and sharing IoCs effectively. We have years of experience and lessons learned in the R&E community, and would love to share some of it. Let’s connect and enhance your MISP setup, configuration, and day-to-day operations together!

The workshop is open to all, and participants are expected to have their own working/fresh MISP 2.5.x instance up and running prior to the workshop -- but fear not, we are here to help before the workshop too!

Date: 11 Nov 2025
Format: Short intro on each topic below (30 min), then deep dive, hands-on with participants working on their own MISP instance (90 min).

Please come with a working instance of MISP 2.5.x. Contact us prior to the workshop if you need any assistance to get your MISP instance running. We will have a test instance as a backup playground too.

At the end of this session you will have:

  • A well-tuned MISP instance -- for a solid foundation
  • A better view of the suggested taxonomies and mandatory tags (TLP, PAP), and of the sharing models/permissions -- because trust is paramount
  • An established connection to a remote MISP instance to pull and push IoCs (e.g. SAFER or WLCG) -- let's get social
  • Enabled some feeds -- MISP is not about feeds, but sometimes we have no choice!
  • Configured warning lists, including the SAFER Community warning list -- let's manage false positives together too!
  • A better understanding of best practices for IoC export via the API and PyMISP -- pull those IoCs into as many control points as possible (network, servers, firewall)
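The last item above, IoC export to control points, as an added example that is not part of the workshop material: it builds the keyword arguments one would pass to PyMISP's `search()` (assumed API, not executed here) and then routes a constructed sample of attribute records per control point, honouring `to_ids`, a TLP ceiling and a local warning list. Control-point names and the sample values are assumptions.

```python
"""Route MISP attributes to control points (firewall, DNS RPZ, EDR) with TLP and warning-list checks."""
from collections import defaultdict

# Constructed sample in the JSON shape MISP returns for an attribute search (not real IoCs).
SAMPLE_ATTRIBUTES = [
    {"type": "ip-dst", "value": "203.0.113.7", "to_ids": True, "Tag": [{"name": "tlp:clear"}]},
    {"type": "domain", "value": "bad.example", "to_ids": True, "Tag": [{"name": "tlp:green"}]},
    {"type": "ip-dst", "value": "8.8.8.8", "to_ids": True, "Tag": [{"name": "tlp:clear"}]},  # warning-list hit
    {"type": "md5", "value": "d41d8cd98f00b204e9800998ecf8427e", "to_ids": True, "Tag": [{"name": "tlp:amber"}]},
    {"type": "domain", "value": "context-only.example", "to_ids": False, "Tag": [{"name": "tlp:clear"}]},
]

# Constructed local warning list; MISP applies its own server-side when enforce_warninglist is set.
LOCAL_WARNINGLIST = {"8.8.8.8"}

# Assumed control points and the attribute types each one can consume.
CONTROL_POINTS = {
    "firewall": {"ip-dst", "ip-src"},
    "dns_rpz": {"domain", "hostname"},
    "edr_hashes": {"md5", "sha1", "sha256"},
}

# TLP levels from least to most restrictive (tlp:white is the legacy name of tlp:clear).
TLP_ORDER = ["tlp:clear", "tlp:white", "tlp:green", "tlp:amber", "tlp:amber+strict", "tlp:red"]


def search_params(window: str = "7d") -> dict:
    """Keyword arguments for pymisp.PyMISP.search() (assumed API): only actionable, recent attributes."""
    return {"controller": "attributes", "to_ids": 1, "enforce_warninglist": True,
            "publish_timestamp": window, "pythonify": False}


def tlp_of(attr: dict):
    """Most restrictive TLP tag on the attribute, or None when it carries no TLP tag."""
    names = {t["name"].lower() for t in attr.get("Tag", [])}
    for level in reversed(TLP_ORDER):
        if level in names:
            return level
    return None


def route(attributes, max_tlp: str = "tlp:amber") -> dict:
    """Bucket attributes per control point, dropping context-only, warning-listed and over-TLP items."""
    limit = TLP_ORDER.index(max_tlp)
    buckets = defaultdict(set)
    for attr in attributes:
        tlp = tlp_of(attr)
        if not attr.get("to_ids") or attr["value"] in LOCAL_WARNINGLIST:
            continue
        if tlp is None or TLP_ORDER.index(tlp) > limit:  # TLP is mandatory; untagged data is not pushed
            continue
        for point, types in CONTROL_POINTS.items():
            if attr["type"] in types:
                buckets[point].add(attr["value"])
    return {point: sorted(values) for point, values in buckets.items()}
```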

PART 2: Getting data: Sourcing & processing relevant logs (2h)

Date: 10 Dec 2025
Working with logs from Zeek, DNS, netflow, Splunk, etc., and correlating these data sources with IoCs from MISP


PART 3: Matching data with IoCs

Date: tbc
Putting it all together!
Leveraging threat intel automatically and contextualizing it (e.g. with Unicor)


PART 4: Alerting

Date: tbc
Designing alerts, IoC decaying, etc.

https://ESnet.zoom.us/j/93391417543?pwd=iiDvGcxOxUwHpTIPQpDglmUEwP46TA.1
Registration
Registration for this event is currently open.