The core functionality of MISP is sharing. Everyone can be a consumer and/or a contributor/producer. Users get quick results without the obligation to contribute. Access to the tool is designed to be low-threshold so that people can quickly become familiar with the system. MISP has a variety of features to help users create, collaborate on, and share threat information, such as flexible sharing groups, automatic correlation, free-text import help, event distribution, and proposals. Many export formats are provided, and a rich set of MISP modules that add extension, import, and export functionality is also available.
The correlation functions, for instance, are a brilliant tool for analysts. They are needed to confirm a finding (e.g. is it the same campaign?), to support an analysis (e.g. do other analysts have the same hypothesis?), to confirm a particular aspect (e.g. are sinkhole IP addresses used for one campaign?), or simply to find out whether a threat is new or already known in the community. Contributors can use the UI, the API, or free-text import to add events and attributes. Contributions can be made directly by creating an event, and colleagues can also suggest attribute updates to the event owner. MISP includes a flexible tagging scheme in which users can choose from more than 42 existing taxonomies or create their own.