Skip to content

New: Microsoft Sentinel TAXII integration is in technical preview.Read the integration guide

MISP Feed Integration

The ELLIO MISP feed delivers IP indicators from ELLIO Threat Intelligence directly into your MISP instance using MISP’s built-in feed-sync mechanism. Subscribe once and MISP keeps a rolling 90-day window of observed attacker activity in sync. Events update in place, every tag is native to MISP’s UI and APIs, and each event carries an ellio:decay-model tag so you can configure a matching MISP decay model to score aging indicators on your side.

  • Millions of non-spoofable IP indicators observed against ELLIO’s internet-facing decoy network, refreshed daily
  • Three feed shapes so you can pick the granularity that matches your workflow - daily snapshots, per-IP timelines, or per-IP timelines with FoxIO JA4+ fingerprints
  • Tagging out of the box: TLP, ELLIO classification (malicious / promiscuous / benign / unknown), Cyber Kill Chain phase, MITRE ATT&CK techniques, and ELLIO source / decay / producer tags
  • Decay-aware tagging - every event carries an ellio:decay-model tag pointing at ELLIO’s recommended 90-day curve. Configure a matching MISP decay model on your side and aging indicators score down automatically.
  • Native MISP correlation on JA3, JARM, MuonFP, and (with a FoxIO licence) the full JA4+ family
  • No duplicates - daily re-syncs update existing events rather than creating copies

ELLIO publishes three parallel feeds. They share the same 90-day observation window and the same source data, but they differ in event shape and use case.

Feed URL One event per Best for
Daily sightings https://misp.integrations.ellio.tech/daily/ Calendar day “Which IPs were active on YYYY-MM-DD?” SIEM date lookups, daily reporting, retrospective hunting.
Per-IP rolling https://misp.integrations.ellio.tech/per-ip/ Source IP IOC correlation, pivoting from a single IP to its full behaviour, threat hunting, automated blocking. Includes JA3, JARM, MuonFP, and basic JA4.
Per-IP rolling + JA4+ https://misp.integrations.ellio.tech/per-ip-ja4plus/ Source IP Same as Per-IP plus the FoxIO-licensed JA4+ Object family (ja4s, ja4h, ja4l, ja4x, ja4ssh, ja4t, ja4ts, ja4tscan). Requires a FoxIO licence.
  • MISP instance you can administer
  • ELLIO platform account with Threat Intelligence Data Feed access
  • Feed URLs and authentication header from your ELLIO platform settings
  • A FoxIO JA4+ licence (only if subscribing to /per-ip-ja4plus/)
  • Setup Guide - server tuning required before the first sync, and how to subscribe MISP to each feed
  • Decay Model - recommended decay-model parameters and tuning guidance for the ELLIO feed
  • Feed Reference - wire shape, tagging baseline, and per-feed event structure for analysts