A dashboard for a real-time overview of threat intelligence from MISP instances
Go to file
VVX7 4d5ee49357 chg: [Authentication] User authentication can be disabled in config. If disabled, users are automatically logged in with a randomly generated account name and redirected to /index. 2019-10-03 17:26:58 -04:00
config chg: [Authentication] User authentication can be disabled in config. If disabled, users are automatically logged in with a randomly generated account name and redirected to /index. 2019-10-03 17:26:58 -04:00
data feature: Added geolocation of phone numbers 2017-11-27 16:32:02 +01:00
doc - some formatting updates 2018-04-05 09:49:12 +02:00
helpers fix: Catch if country does not have alpha_2 attribute - fix #119 2019-08-30 11:05:43 +02:00
screenshots update: Readme + added screenshots 2017-11-21 16:45:20 +01:00
static chg: [authentication] added misp logo 2019-10-02 12:35:21 -04:00
templates chg: [authentication] add logout endpoint to dashboard dropdown 2019-10-02 20:15:34 -04:00
tests fix: [isort] isort source files: https://github.com/timothycrosley/isort/wiki/isort-Plugins 2019-05-29 08:42:39 +09:00
.gitignore fix: [deps] Fixed a dependency issue as per https://github.com/MISP/misp-dashboard/issues/76 2018-11-21 12:33:04 +09:00
LICENSE chg: [doc] default LICENSE template is not there to be changed 2019-06-02 07:33:27 +02:00
README.md Update README.md 2019-09-27 10:46:02 +02:00
clean.py chg: [sort] isort on source files 2019-05-29 08:30:57 +09:00
diagnostic.py fix: [diagnostic] Corrected copy/paste typo 2019-08-28 16:04:45 +02:00
diagnostic_util.py chg: [diagnostic] Improved config comparison 2019-06-20 15:40:14 +02:00
give_honors_to_org.py fix: [all] Fixed issue with py-redis>2.x and fix failed merge conflict 2019-06-18 11:25:17 +02:00
install_dependencies.sh added net-tools to debian-based install command 2019-07-02 09:14:35 +02:00
misp-dashboard.wsgi - Fixed the brokeness of: - echo export DASH_CONFIG=$(pwd)/config/ >> ./DASHENV/bin/activate 2018-03-31 19:21:52 +09:00
requirements.txt new: [authentication] Flask-login authentication via MISP instance. 2019-10-01 21:06:29 -04:00
retrieve_map_pic.py chg: [sort] isort on source files 2019-05-29 08:30:57 +09:00
server.py chg: [Authentication] User authentication can be disabled in config. If disabled, users are automatically logged in with a randomly generated account name and redirected to /index. 2019-10-03 17:26:58 -04:00
start_all.sh chg: [startup] Wait until redis is ready before starting the zmqs 2019-08-30 11:39:14 +02:00
start_zmq.sh chg: [startup] Wait until redis is ready before starting the zmqs 2019-08-30 11:39:14 +02:00
updates.py fix: [update] Changed string formating to `format` 2019-08-28 15:57:13 +02:00
util.py chg: More sane response decoding, done by the ORM 2019-06-19 11:32:06 +02:00
zmq_dispatcher.py chg: More sane response decoding, done by the ORM 2019-06-19 11:32:06 +02:00
zmq_subscriber.py fix: mergeconflict and log filename 2019-06-21 15:32:59 +02:00
zmq_subscribers.py fix: mergeconflict and log filename 2019-06-21 15:32:59 +02:00



A dashboard showing live data and statistics from the ZMQ feeds of one or more MISP instances. The dashboard can be used as a real-time situational awareness tool to gather threat intelligence information. The misp-dashboard includes a gamification tool to show the contributions of each organisation and how they are ranked over time. The dashboard can be used for SOCs (Security Operation Centers), security teams or during cyber exercises to keep track of what is being processed on your various MISP instances.


Live Dashboard

  • Possibility to subscribe to multiple ZMQ feeds from different MISP instances
  • Shows immediate contributions made by organisations
  • Displays live resolvable posted geo-locations

Dashboard live

Geolocalisation Dashboard

  • Provides historical geolocalised information to support security teams, CSIRTs or SOCs in finding threats within their constituency
  • Possibility to get geospatial information from specific regions

Dashbaord geo

Contributors Dashboard


  • The monthly rank of all organisations
  • The last organisation that contributed (dynamic updates)
  • The contribution level of all organisations
  • Each category of contributions per organisation
  • The current ranking of the selected organisation (dynamic updates)


  • Gamification of the platform:
    • Two different levels of ranking with unique icons
    • Exclusive obtainable badges for source code contributors and donator

Dashboard contributors Dashboard contributors2

Users Dashboard

  • Shows when and how the platform is used:
    • Login punchcard and contributions over time
    • Contribution vs login

Dashboard users

Trendings Dashboard

  • Provides real time information to support security teams, CSIRTs or SOC showing current threats and activity
    • Shows most active events, categories and tags
    • Shows sightings and discussion overtime

Dashboard users


Before installing, consider that the only supported system are open source Unix-like operating system such as Linux and others.

  • Launch ./install_dependencies.sh from the MISP-Dashboard directory (idempotent-ish)
  • Update the configuration file config.cfg so that it matches your system
    • Fields that you may change:
      • RedisGlobal -> host
      • RedisGlobal -> port
      • RedisGlobal -> zmq_url
      • RedisGlobal -> misp_web_url
      • RedisMap -> pathMaxMindDB

Updating by pulling

  • Re-launch ./install_dependencies.sh to fetch new required dependencies
  • Re-update your configuration file config.cfg by comparing eventual changes in config.cfg.default

⚠️ Make sure no zmq python3 scripts are running. They block the update.

+ virtualenv -p python3 DASHENV
Already using interpreter /usr/bin/python3
Using base prefix '/usr'
New python executable in /home/steve/code/misp-dashboard/DASHENV/bin/python3
Traceback (most recent call last):
  File "/usr/bin/virtualenv", line 9, in <module>
    load_entry_point('virtualenv==15.0.1', 'console_scripts', 'virtualenv')()
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 719, in main
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 942, in create_environment
    site_packages=site_packages, clear=clear, symlink=symlink))
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 1261, in install_python
    shutil.copyfile(executable, py_executable)
  File "/usr/lib/python3.5/shutil.py", line 115, in copyfile
    with open(dst, 'wb') as fdst:
OSError: [Errno 26] Text file busy: '/home/steve/code/misp-dashboard/DASHENV/bin/python3'
  • Restart the System: ./start_all.sh OR ./start_zmq.sh and ./server.py &

Starting the System

⚠️ You should not run it as root. Normal privileges are fine.

  • Be sure to have a running redis server
    • e.g. redis-server --port 6250
  • Activate your virtualenv . ./DASHENV/bin/activate
  • Listen to the MISP feed by starting the zmq_subscriber ./zmq_subscriber.py &
  • Start the dispatcher to process received messages ./zmq_dispatcher.py &
  • Start the Flask server ./server.py &
  • Access the interface at http://localhost:8001/

Alternatively, you can run the start_all.sh script to run the commands described above.


Debug is fun and gives you more details on what is going on when things fail. Bare in mind running Flask in debug is NOT suitable for production, it will drop you to a Python shell if enabled, to do further digging.

Just before running ./server.py do:

export FLASK_DEBUG=1
export FLASK_APP=server.py
flask run --host= --port=8001 # <- Be careful here, this exposes it on ALL ip addresses. Ideally if run locally --host=

OR, just toggle the debug flag in start_all.sh or config.cfg.

Happy hacking ;)

Restart from scratch

To restart from scratch and empty all data from your dashboard you can use the dedicated cleaning script clean.py

Clean data stored in the redis server specified in the configuration file

optional arguments:
  -h, --help    show this help message and exit
  -b, --brutal  Perfom a FLUSHALL on the redis database. If not set, will use
                a soft method to delete only keys used by MISP-Dashboard.

Notes about ZMQ

The misp-dashboard being stateless in regards to MISP, it can only process data that it received. Meaning that if your MISP is not publishing all notifications to its ZMQ, the misp-dashboard will not have them.

The most revelant example could be the user login punchcard. If your MISP doesn't have the option Plugin.ZeroMQ_audit_notifications_enable set to true, the punchcard will be empty.

Dashboard not showing results - No module named zmq

When the misp-dashboard does not show results then first check if the zmq module within MISP is properly installed.

In Administration, Plugin Settings, ZeroMQ check that Plugin.ZeroMQ_enable is set to True.

Publish a test event from MISP to ZMQ via Event Actions, Publish event to ZMQ.

Verify the logfiles


If there's an error ModuleNotFoundError: No module named 'zmq' then install pyzmq.

$SUDO_WWW ${PATH_TO_MISP}/venv/bin/pip install pyzmq

zmq_subscriber options

A zmq subscriber. It subscribe to a ZMQ then redispatch it to the MISP-dashboard

optional arguments:
  -h, --help            show this help message and exit
  -n ZMQNAME, --name ZMQNAME
                        The ZMQ feed name
  -u ZMQURL, --url ZMQURL
                        The URL to connect to

Deploy in production using mod_wsgi

Install Apache mod-wsgi for Python3

sudo apt-get install libapache2-mod-wsgi-py3

Caveat: If you already have mod-wsgi installed for Python2, it will be replaced!

The following packages will be REMOVED:
The following NEW packages will be installed:

Configuration file /etc/apache2/sites-available/misp-dashboard.conf assumes that misp-dashboard is cloned into /var/www/misp-dashboard. It runs as user misp in this example. Change the permissions to your custom folder and files accordingly.

<VirtualHost *:8001>
    ServerAdmin admin@misp.local
    ServerName misp.local

    DocumentRoot /var/www/misp-dashboard
    WSGIDaemonProcess misp-dashboard \
       user=misp group=misp \
       python-home=/var/www/misp-dashboard/DASHENV \
       processes=1 \
       threads=15 \
       maximum-requests=5000 \
       listen-backlog=100 \
       queue-timeout=45 \
       socket-timeout=60 \
       connect-timeout=15 \
       request-timeout=60 \
       inactivity-timeout=0 \
       deadlock-timeout=60 \
       graceful-timeout=15 \
       eviction-timeout=0 \
       shutdown-timeout=5 \
       send-buffer-size=0 \
       receive-buffer-size=0 \
       header-buffer-size=0 \
       response-buffer-size=0 \

    WSGIScriptAlias / /var/www/misp-dashboard/misp-dashboard.wsgi

    <Directory /var/www/misp-dashboard>
        WSGIProcessGroup misp-dashboard
        WSGIApplicationGroup %{GLOBAL}
        Require all granted

    LogLevel info
    ErrorLog /var/log/apache2/misp-dashboard.local_error.log
    CustomLog /var/log/apache2/misp-dashboard.local_access.log combined
    ServerSignature Off


    Copyright (C) 2017-2019 CIRCL - Computer Incident Response Center Luxembourg (c/o smile, security made in Lëtzebuerg, Groupement d'Intérêt Economique)
    Copyright (c) 2017-2019 Sami Mokaddem

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU Affero General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    GNU Affero General Public License for more details.

    You should have received a copy of the GNU Affero General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.

Images and logos are handmade for:

  • rankingMISPOrg/
  • rankingMISPMonthly/
  • MISPHonorableIcons/

Note that: