MISP Feed Integration

The ELLIO Threat Intelligence MISP feed delivers IP indicators from the ELLIO Threat Intelligence platform directly into your MISP instance using MISP's built-in feed-sync mechanism. Subscribe once and MISP keeps a rolling 90-day window of observed attacker activity in sync - events update in place, every tag is native to MISP's UI and APIs, and each event carries an ellio:decay-model tag so you can configure a matching MISP decay model to score aging indicators on your side.

What You Get

  • Millions of non-spoofable IP indicators observed against ELLIO's internet-facing decoy network, refreshed daily
  • Three feed shapes so you can pick the granularity that matches your workflow - daily snapshots, per-IP timelines, or per-IP timelines with FoxIO JA4+ fingerprints
  • Rich tagging out of the box: TLP, ELLIO classification (malicious / promiscuous / benign / unknown), Cyber Kill Chain phase, MITRE ATT&CK techniques, and ELLIO source / decay / producer tags
  • Decay-aware tagging - every event carries an ellio:decay-model tag pointing at ELLIO's recommended 90-day curve. Configure a matching MISP decay model on your side and aging indicators score down automatically.
  • Native MISP correlation on JA3, JARM, MuonFP, and (with a FoxIO licence) the full JA4+ family
  • No duplicates - daily re-syncs update existing events rather than creating copies

Non-spoofable only

Every IP in every feed has completed at least one full TCP 3-way handshake against an ELLIO decoy, so the source is confirmed and the indicator is safe to act on. Spoofable activity (single-packet probes where the source can't be verified) is excluded by default. If your workflow needs spoofable data as well, reach out to your ELLIO account manager.
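The decay-aware tagging described above only pays off once a decay model on the MISP side is wired to the ellio:decay-model tag. The following is an added example, not ELLIO's or MISP's own code: it reads an event in MISP's feed/event JSON shape, finds the ellio:decay-model tag, and scores each IP attribute with MISP's standard polynomial decay formula, score = base_score * (1 - (t / tau) ** (1 / delta)) with t in days. The sample event, the tag value (EXAMPLE-90D), the documentation-range IPs and the model parameters (tau=90, delta=0.3, threshold=20, base_score=100) are all constructed for illustration; the real parameters come from the Decay Model page.

```python
"""Score a MISP feed event's IP attributes with a MISP-style polynomial decay model.

Added example, not ELLIO's or MISP's code. The event, the tag value and the
decay parameters below are constructed assumptions for illustration only.
"""
import json

DAY = 86400
NOW = 1_700_000_000  # fixed "now" (epoch seconds) so the example is deterministic

# Assumed decay model (placeholder values, not ELLIO's recommended parameters).
ASSUMED_MODEL = {"tau": 90, "delta": 0.3, "threshold": 20, "base_score": 100}

# Constructed sample event in MISP event JSON shape (what one <uuid>.json in a
# MISP feed contains). IPs are RFC 5737 documentation addresses.
SAMPLE_EVENT_JSON = json.dumps({
    "Event": {
        "uuid": "00000000-0000-4000-8000-000000000001",
        "info": "constructed sample event, not ELLIO data",
        "Tag": [
            {"name": "tlp:amber"},
            {"name": 'ellio:decay-model="EXAMPLE-90D"'},  # placeholder tag value
        ],
        "Attribute": [
            {"type": "ip-src", "value": "203.0.113.10", "timestamp": str(NOW - 1 * DAY)},
            {"type": "ip-src", "value": "198.51.100.7", "timestamp": str(NOW - 45 * DAY)},
            {"type": "ip-src", "value": "192.0.2.200", "timestamp": str(NOW - 100 * DAY)},
            {"type": "comment", "value": "not an IP, skipped", "timestamp": str(NOW)},
        ],
    }
})


def load_event(event_json):
    """Parse one MISP event JSON document into a dict."""
    return json.loads(event_json)


def decay_model_tag(event):
    """Return the event-level ellio:decay-model tag name, or None if absent."""
    for tag in event.get("Event", {}).get("Tag", []):
        if tag.get("name", "").startswith("ellio:decay-model"):
            return tag["name"]
    return None


def polynomial_score(age_days, model):
    """MISP polynomial decay: score falls from base_score at t=0 to 0 at t=tau."""
    if age_days <= 0:
        return float(model["base_score"])
    if age_days >= model["tau"]:
        return 0.0
    return model["base_score"] * (1 - (age_days / model["tau"]) ** (1 / model["delta"]))


def score_ip_attributes(event_json, now, model):
    """Score every ip-src/ip-dst attribute of the event; flag those under threshold."""
    event = load_event(event_json)
    results = []
    for attr in event["Event"].get("Attribute", []):
        if attr.get("type") not in ("ip-src", "ip-dst"):
            continue
        # MISP serialises attribute timestamps as epoch-second strings.
        age_days = (now - int(attr["timestamp"])) / DAY
        score = polynomial_score(age_days, model)
        results.append({
            "value": attr["value"],
            "age_days": round(age_days, 1),
            "score": round(score, 2),
            "decayed": score < model["threshold"],
        })
    return results


if __name__ == "__main__":
    print("decay model tag:", decay_model_tag(load_event(SAMPLE_EVENT_JSON)))
    for row in score_ip_attributes(SAMPLE_EVENT_JSON, NOW, ASSUMED_MODEL):
        print(row)
```

With these assumed parameters a 1-day-old IP keeps essentially its full score, a 45-day-old IP scores about 90, and anything past 90 days scores 0 and is flagged as decayed; in a real deployment the tag value selects which configured MISP decay model applies, and the threshold decides when an indicator drops out of blocking or alerting.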

Choose Your Feed

ELLIO publishes three parallel feeds. They share the same 90-day observation window and the same source data, but they differ in event shape and use case.

  • Daily sightings
    URL: https://misp.integrations.ellio.tech/daily/
    One event per: calendar day
    Best for: "Which IPs were active on YYYY-MM-DD?" SIEM date lookups, daily reporting, retrospective hunting.
  • Per-IP rolling
    URL: https://misp.integrations.ellio.tech/per-ip/
    One event per: source IP
    Best for: IOC correlation, pivoting from a single IP to its full behaviour, threat hunting, automated blocking. Includes JA3, JARM, MuonFP, and basic JA4.
  • Per-IP rolling + JA4+
    URL: https://misp.integrations.ellio.tech/per-ip-ja4plus/
    One event per: source IP
    Best for: Same as Per-IP plus the FoxIO-licensed JA4+ Object family (ja4s, ja4h, ja4l, ja4x, ja4ssh, ja4t, ja4ts, ja4tscan). Requires a FoxIO licence.

Not sure which per-IP feed to pick?

Start with /per-ip/. If you get a FoxIO licence later you can swap to /per-ip-ja4plus/ - MISP replaces each event with the richer version, no data loss.

Prerequisites

  • MISP instance you can administer
  • ELLIO platform account with Threat Intelligence Data Feed access
  • Feed URLs and authentication header from your ELLIO platform settings
  • A FoxIO JA4+ licence (only if subscribing to /per-ip-ja4plus/)

Next Steps

  • Setup Guide - server tuning required before the first sync, and how to subscribe MISP to each feed
  • Decay Model - recommended decay-model parameters and tuning guidance for the ELLIO feed
  • Feed Reference - wire shape, tagging baseline, and per-feed event structure for analysts