MISP Feed Integration
The ELLIO MISP feed delivers IP indicators from ELLIO Threat Intelligence
directly into your MISP instance using MISP’s built-in feed-sync mechanism.
Subscribe once and MISP keeps a rolling 90-day window of observed attacker
activity in sync. Events update in place, every tag is native to MISP’s UI and
APIs, and each event carries an ellio:decay-model tag so you can configure a
matching MISP decay model to score aging indicators on your side.
What you get
Section titled “What you get”- Millions of non-spoofable IP indicators observed against ELLIO’s internet-facing decoy network, refreshed daily
- Three feed shapes so you can pick the granularity that matches your workflow - daily snapshots, per-IP timelines, or per-IP timelines with FoxIO JA4+ fingerprints
- Tagging out of the box: TLP, ELLIO classification (malicious / promiscuous / benign / unknown), Cyber Kill Chain phase, MITRE ATT&CK techniques, and ELLIO source / decay / producer tags
- Decay-aware tagging - every event carries an
ellio:decay-modeltag pointing at ELLIO’s recommended 90-day curve. Configure a matching MISP decay model on your side and aging indicators score down automatically. - Native MISP correlation on JA3, JARM, MuonFP, and (with a FoxIO licence) the full JA4+ family
- No duplicates - daily re-syncs update existing events rather than creating copies
Choose your feed
Section titled “Choose your feed”ELLIO publishes three parallel feeds. They share the same 90-day observation window and the same source data, but they differ in event shape and use case.
| Feed | URL | One event per | Best for |
|---|---|---|---|
| Daily sightings | https://misp.integrations.ellio.tech/daily/ |
Calendar day | “Which IPs were active on YYYY-MM-DD?” SIEM date lookups, daily reporting, retrospective hunting. |
| Per-IP rolling | https://misp.integrations.ellio.tech/per-ip/ |
Source IP | IOC correlation, pivoting from a single IP to its full behaviour, threat hunting, automated blocking. Includes JA3, JARM, MuonFP, and basic JA4. |
| Per-IP rolling + JA4+ | https://misp.integrations.ellio.tech/per-ip-ja4plus/ |
Source IP | Same as Per-IP plus the FoxIO-licensed JA4+ Object family (ja4s, ja4h, ja4l, ja4x, ja4ssh, ja4t, ja4ts, ja4tscan). Requires a FoxIO licence. |
Prerequisites
Section titled “Prerequisites”- MISP instance you can administer
- ELLIO platform account with Threat Intelligence Data Feed access
- Feed URLs and authentication header from your ELLIO platform settings
- A FoxIO JA4+ licence (only if subscribing to
/per-ip-ja4plus/)
Next steps
Section titled “Next steps”- Setup Guide - server tuning required before the first sync, and how to subscribe MISP to each feed
- Decay Model - recommended decay-model parameters and tuning guidance for the ELLIO feed
- Feed Reference - wire shape, tagging baseline, and per-feed event structure for analysts