February 25, 2026
Zoom
GMT timezone

Threat Intelligence Workshop Series
PART DEUX: The hunt is on -- Leveraging MISP within your infrastructure 

Led by SAFER and the SOC Working Group, supporting R&E communities.

Everyone is welcome to attend this workshop (TLP:CLEAR)


Welcome to our three-part Threat Intelligence Workshop Series!

MISP, Zeek and Threat Intel experts from the Research & Education community join forces to help push forward your threat intelligence program. 
We will help you with the basics, but most importantly, share our lessons learned, nice tricks, smart tuning and default working configurations to help you get rolling.

Workshop time in your timezone.


Upcoming events in this series:

PART 1.5: Office Hours: Making your MISP/Zeek/Splunk/ELK work (or at least offer moral support)

If you need help getting your security infrastructure set up and working, this is a clinic session that you can connect to.

There is no registration, just join us!

Date: 5 February 2026 -- Office Hours time in your timezone.
Format: Office Hours, no slides, no registration, just connect and get our hands dirty. Also consider joining us on Keybase to ask questions and share your experience.

PART DEUX: The hunt is on -- Leveraging MISP within your infrastructure (2h)

Date: 25th February 2026 -- Workshop time in your timezone.
Working with logs from Zeek, DNS, netflow, Splunk, etc. and correlating data sources with IoCs from MISP

Now you have a working MISP instance, with some fresh IoCs.
Let's explore how to actually make use of them via the MISP API and deploy them where it matters.

This session will follow the same format as PART 1:
- 25 min intro on all topics, detailing the goals and going through features you need
- 90 min deep-dive, where we start with topics we think are critical, before letting you decide what you want to dive into next

  • MISP → Zeek Intel Framework (Aashish Sharma, LBNL)
  • MISP → EDLs for firewalls (Axel Schulz, CanSSOC & Liviu Valsan, CERN)
  • MISP → Splunk for Zeek data or netflow (Fatema Bannat Wala, ESnet)
  • MISP → Unicor in DNS mode: A poor man’s SOC if DNS logs are all you've got (Romain Wartel, ESnet/CERN)
  • MISP → ELK/OpenSearch (Liviu Valsan, CERN)
  • Unicor → Smarter & more advanced staged/multi-pass IoC pulls from MISP, based on tags, dates and more, to limit false positives (Romain Wartel, ESnet/CERN)

This workshop will not be recorded. Attendance is open to all R&E, but registration is required.

PART 3: Alert design, false positives management

Date: tbc
Designing alerts, IoC decaying, etc.


Past events in this series: 

PART 0: MISP Office Hours: installing and making your MISP instance work

If you need help getting MISP set up and working, this is a pre-workshop session that you can connect to.

We highly recommend a clean, fresh setup using the JISC CTI docker to get your MISP rolling!

There is no registration, just join us!

Date: 11 Nov 2025 -- Office Hours time in your timezone.
Format: Office Hours, no slides, no registration, just connect and get our hands dirty. Also consider joining us on Keybase to ask questions and share your experience.

PART 1: Configuring & tuning MISP (2h)

Bridging the gap between installing MISP and making the most of it can be challenging.
MISP is not just a platform — it is a mindset built around managing, contextualizing, and sharing IoCs effectively. We have years of experience and lessons learned in the R&E community, and would love to share some of it. Let’s connect and enhance your MISP setup, configuration, and day-to-day operations together!

The workshop is open to all, and participants are expected to have their own working/fresh MISP 2.5.x instance up and running prior to the workshop -- but fear not, we are here to help before the workshop too!

Date: 3 Dec 2025 -- Workshop time in your timezone.
Format: Short intro on each topic below (30 min), then deep dive, hands-on with participants working on their own MISP instance (90 min).

Please come with a working instance of MISP 2.5.x. Contact us prior to the workshop if you need any assistance to get your MISP instance running. We will have a test instance as a backup playground too.

At the end of this session you will have:

  • A well-tuned MISP instance -- for a solid foundation
  • A better view on suggested taxonomies & mandatory tags (TLP, PAP), and the sharing models/permissions -- because trust is paramount
  • An established connection to a remote MISP instance to pull and push IoCs (e.g. SAFER or WLCG) -- Let's get social
  • Enabled some feeds -- MISP is not about feeds, but sometimes we have no choice!
  • Configured Warning lists, including the SAFER Community warning list -- Let's manage false positives together too!
  • A better understanding of best practices for IoC export via the API & PyMISP -- Pull those IoCs in as many control points as possible (network, servers, firewall)

 

 

Registration
Registration for this event is currently open.