MISP


Collect, share, and act on threat intelligence at scale

Analytics · Developer · Security · Automation · Monitoring & Alerts

MISP is the open-source threat intelligence platform used by security teams worldwide to store, correlate, analyse, and share structured information about cybersecurity threats, malware, and attack patterns. Connect MISP to Actionist and your agents can create and enrich threat events, manage indicators of compromise, tag and classify intelligence, manage feeds and organisations, and act on threat data across every team — all without requiring manual dashboard access.

Average time saved: 14 hours per person per month (≈ 2 workdays back)

Eliminates manual work. Agents eliminate manual event creation, indicator tagging, feed management, and cross-team intelligence briefing that security analysts currently perform by hand inside the MISP UI.

Schedule

What your MISP agent runs on autopilot

A week of scheduled jobs your Actionist agent will execute on your behalf.

28 scheduled jobs · 7 agents at work · 24/7 always on
Multi-app workflows

MISP × every other app you use

End-to-end automations that span multiple apps — each one a real business outcome.

6 workflows · 4 apps spanned · ~13 hrs saved / week · 5 personas served

For security operations (featured, 3 apps)

Threat event created and analyst briefed on detection

The agent creates a MISP Event for the detection, adds the key indicators as Attributes, applies TLP and ATT&CK taxonomy tags, and posts a structured threat brief to the incident Slack channel — responders have a populated MISP record and full context within a minute of the alert firing.

~5 hrs

Time saved for your team — every week, on autopilot

The flow
Trigger: When an EDR or SIEM raises a high-severity alert

Result:

  • Create Event with incident details and threat level
  • Create Attributes for IOCs (IPs, domains, hashes) extracted from alert
  • Add Event Tags (TLP:AMBER + MITRE ATT&CK technique)
  • Post structured threat brief with MISP event link to incident channel
  • Create incident runbook page with event summary and timeline
The win
Saved per run: 35 min
Runs / week: ~8×
Analysts enter every incident with a populated MISP record — no manual event setup under pressure
Driven by Operations Agent
ROI

Savings

What your team gets back — two angles: what you stop doing manually, and what that's worth.

Without Actionist

What you do manually today

With Actionist

What your agent runs for you

  • Sales
    20 min / week
    Manual threat research before calls

    Sales engineers spend 30–45 minutes before security-focused calls manually searching threat feeds and vendor advisories to find relevant context — research that rarely gets documented or reused.

    Sales Agent
    0 min
    Agent delivers threat context for prospect industries

    Before a security-focused demo call, the agent searches MISP for recent events tagged to the prospect's industry and summarises active threats relevant to their stack — giving the sales rep credible, current intelligence to reference.

  • Marketing
    30 min / week
    Manual threat trend monitoring

    Marketing relies on security team summaries or manually browsing threat intel newsletters to find content topics — a slow, informal process that misses timely opportunities.

    Marketing Agent
    0 min
    Agent surfaces publishable threat intelligence weekly

    The marketing agent searches MISP events weekly for noteworthy campaigns and extracts key findings, giving the content team a curated brief of current threats that can anchor blogs, webinars, and social content.

  • Customer Support
    25 min / week
    Manual IOC lookup requiring analyst access

    Support engineers without MISP access must escalate every IOC query to the security team, introducing 1–4 hour delays in customer-facing triage and consuming analyst time on routine lookups.

    Customer Support Agent
    0 min
    Agent triages customer IOC reports against MISP in under a minute

    When a customer submits a security report, the agent searches MISP attributes for the extracted indicators and returns a triage summary — known-bad indicators with campaign context, unknown ones queued for analyst review.

  • Human Resources
    10 min / week
    No regular threat briefing for HR

    HR receives security updates only when the security team proactively shares them — typically quarterly, meaning training and policy decisions lag the current threat landscape by months.

    Human Resources Agent
    0 min
    Agent delivers identity and insider threat briefing for HR

    The HR agent retrieves MISP events tagged to credential threats and identity-based attacks weekly, providing HR leadership with a focused briefing to inform security-awareness training and personnel security policy reviews.

  • Finance
    15 min / week
    No automated finance threat intelligence delivery

    Finance teams learn about sector-specific threats only through industry newsletters or when the security team raises an urgent alert — missing the weekly steady-state intelligence that would inform better risk decisions.

    Finance Agent
    0 min
    Agent delivers weekly finance-sector threat briefing from MISP

    Every Monday the finance agent searches MISP for events and attributes tagged to finance, banking, and payment-system threats and delivers a structured briefing to the CFO and treasury team before the working week starts.

  • Operations
    30 min / week
    Feed failures discovered during incidents

    Feed health is checked manually during incident response when analysts notice missing data — by which point the intelligence gap may have existed for days or weeks without detection.

    Operations Agent
    0 min
    Agent monitors feed health and flags gaps before they cause incidents

    The operations agent retrieves all MISP feeds weekly, identifies stale or disabled ones, and alerts the SOC — catching intelligence gaps before an incident exposes that a key feed has been silently failing.

  • Legal
    60 min / week
    Manual MISP export and document assembly

    Legal teams wait 2–4 hours for an analyst to manually export MISP event data, format it into a readable document, and route it through review — creating deadline risk for regulatory notification windows.

    Legal Agent
    0 min
    Agent assembles MISP evidence package for regulatory reporting in minutes

    When an incident is escalated to legal, the agent retrieves the full MISP event timeline, all attributes with timestamps, and tag audit trail — assembling a structured document that meets regulatory evidence standards without requiring analyst time.

+ 100s of other MISP automations
Average time saved
19 hrs / person / month
Calculator

Calculate what your team saves

Team size
5 people
Hourly rate
$75 / hr
Hours saved / week
18
Hours saved / year
875
Annual ROI
$65,625

Based on MISP's typical team usage — the visible tasks plus a few other automations the agent runs: ~3.5 hrs / person / week of admin work automated.

Connect

How to plug MISP into Actionist

Pick the connection method that suits your environment.

Connect using your MISP instance URL and an API authentication key. Suitable for self-hosted or on-premise MISP deployments. Generate the key under Administration → List Auth Keys.

1. Open MISP Administration

Log in to your MISP instance as an admin or site-admin user. Go to Administration → List Auth Keys.

2. Create an authentication key

Click 'Add authentication key', choose the user account you want to connect under, set an expiry date if required, and copy the key shown — it is displayed only once.

3. Paste credentials into Actionist

Enter your MISP instance base URL (e.g. https://misp.yourcompany.com) and the API key, then click Test connection. Actionist will run a read-only call to confirm the handshake.

Credentials you'll need
MISP API key*
MISP → Administration → List Auth Keys → Add authentication key
MISP base URL*
The URL of your self-hosted MISP instance, e.g. https://misp.yourcompany.com
Actions

19 actions your agent can call

Read and write operations available to your Actionist agent.

Triggers

0 events your agent can react to

Events your agent watches for, and the actions it kicks off in response.

This app has no triggers yet.
FAQs

Questions about MISP + Actionist

How does Actionist connect to MISP?
Go to the Apps tab, find MISP, and click Connect. MISP uses API key authentication — you will need the base URL of your self-hosted MISP instance (e.g. https://misp.yourcompany.com) and an API authentication key generated under Administration → List Auth Keys. Actionist runs a read-only test call to confirm connectivity before any actions execute. MISP is self-hosted or deployed in your cloud environment; Actionist connects to whichever URL you provide.
What permissions does the MISP API key need?
The API key should belong to a MISP user with at least 'User' role for read operations (Search Attributes, Get Event, Get All Feeds). For write operations — creating events, adding attributes, publishing events, managing feeds — the user needs 'Publisher' or 'Org Admin' role. If you want to manage users and organisations, the account needs 'Site Admin'. The minimal-privilege approach is to create a dedicated Actionist service account with 'Publisher' role, which covers the majority of agent use cases without granting administrative access.
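The least-privilege advice in the answer above can be checked before the key is handed over. The following is an added example, not Actionist's or MISP's own code: it builds a read-only request to MISP's `/users/view/me` endpoint and audits the role flags in a constructed sample response. The function names, the sample data and the assumed `Role` object with `perm_*` flags are illustrative assumptions.

```python
import json
from urllib.parse import urlsplit
from urllib.request import Request

# Constructed sample of a /users/view/me response; the "Role" object with
# perm_* flags is the assumed shape, not output captured from a real instance.
SAMPLE_ME = json.loads("""
{"User": {"email": "actionist-svc@example.org"},
 "Role": {"name": "Publisher", "perm_auth": true, "perm_add": true,
          "perm_publish": true, "perm_admin": false, "perm_site_admin": false}}
""")

REQUIRED = ("perm_auth", "perm_add", "perm_publish")   # API access + write + publish
EXCESSIVE = ("perm_admin", "perm_site_admin")          # Org Admin / Site Admin


def build_whoami_request(base_url, api_key):
    """Build (without sending) a read-only request identifying the key's user."""
    parts = urlsplit(base_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("MISP base URL must be an https:// URL")
    if parts.username or parts.password:
        raise ValueError("do not embed credentials in the base URL")
    url = base_url.rstrip("/") + "/users/view/me"
    # MISP expects the raw key in the Authorization header.
    return Request(url, headers={"Authorization": api_key,
                                 "Accept": "application/json"})


def audit_role(me):
    """Compare the key's role flags with what a Publisher service account needs."""
    role = me.get("Role", {})
    missing = [p for p in REQUIRED if not role.get(p)]
    excessive = [p for p in EXCESSIVE if role.get(p)]
    return {"role": role.get("name"), "missing": missing,
            "excessive": excessive, "ok": not missing and not excessive}


if __name__ == "__main__":
    req = build_whoami_request("https://misp.yourcompany.com", "PLACEHOLDER_KEY")
    print(req.full_url)   # send with urllib.request.urlopen(req) on a real instance
    print(audit_role(SAMPLE_ME))
```

A non-empty `excessive` list means the key belongs to an Org Admin or Site Admin account and should be replaced with a dedicated Publisher service account before it is connected.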
Can agents automatically publish MISP events, or does that need analyst approval?
This is configurable in Actionist's Approval Modes. By default, the Publish Event action requires human approval before execution — the agent drafts the publish action and waits for a team member to confirm. You can switch to autonomous mode for lower-risk publish operations (e.g. scheduled batch publishing of analyst-reviewed events) while keeping human approval on real-time incident publishing. The Publish Event action is irreversible in terms of sharing-group notification, so most teams keep approval on for first-time publishing of sensitive events.
Can I connect Actionist to a MISP instance that is behind a VPN or firewall?
Yes, provided Actionist's cloud runtime can reach your MISP instance's API endpoint over HTTPS. For instances behind a corporate VPN, you will typically need to whitelist the Actionist egress IP range in your VPN or firewall rules. For air-gapped or fully isolated instances, the connection is not possible from the cloud runtime — in those cases the Desktop Actionist app with Computer Use can interact with the MISP web UI on your local machine. Contact the Actionist team for specific network requirements for your deployment.
What are the most common things agents do with MISP?
The patterns that come up most often: (1) automatic event creation — when a SIEM or EDR alert fires, the agent creates a MISP event and populates it with extracted indicators before the analyst opens their laptop; (2) IOC triage — searching MISP for indicators from incoming reports or alerts to determine if they are already known and categorised; (3) scheduled intel briefings — pulling sector-specific events and attributes on a weekly cadence and delivering them as a formatted briefing to finance, operations, or executive stakeholders; (4) feed health monitoring — checking all configured feeds for staleness and alerting the SOC when a feed stops updating; (5) scheduled publishing — reviewing analyst-completed events and publishing them to sharing groups on a predictable cadence.
How does MISP integrate with other security tools already connected to Actionist?
MISP works well as the intelligence backbone in multi-app agent tasks. Common combinations: indicators extracted from a Slack alert trigger a MISP attribute search; MISP events are created from tickets in project management tools; MISP feed data is written to Google Sheets for executive dashboards; published MISP events trigger notifications in Slack or Teams channels. Any of Actionist's connected apps can send data into MISP or receive intelligence back from it in the same agent task.
Does Actionist support MISP's tagging and taxonomy system?
Yes. The Add Event Tag and Remove Event Tag actions work with any taxonomy installed in your MISP instance — TLP, PAP, MITRE ATT&CK, CIRCL's own taxonomies, or custom ones you have defined. You pass the tag name as a parameter. Actionist does not manage the taxonomy library itself (adding new tags to MISP requires admin access via the MISP UI), but agents can apply and remove any existing tag across events as part of automated workflows.
Can I use MISP with Actionist without running my own MISP server?
MISP is primarily a self-hosted or self-managed deployment — there is no single official MISP SaaS endpoint that Actionist can connect to. However, some managed security service providers and ISAC/ISAO communities host shared MISP instances for members. If you have access to such an instance and have been issued an API key, you can connect Actionist to it using that instance's URL and your key. The MISP-as-a-Service market is growing, with providers like CIRCL's public community instance available to qualifying organisations.