alphaMountain now integrates directly with MISP as a native enrichment module. If you’re running MISP to collect and share threat intelligence, you can now enrich your network indicators — IPs, domains, hostnames, and URLs — with alphaMountain’s AI-powered risk ratings without leaving the platform.
No pivoting to a separate tool. No manual lookups. Risk context, stamped directly on each attribute, the moment you run enrichment.
Here’s what it does, how it works, and how to get it running in your environment.
Why This Integration Exists
MISP is excellent at collecting, correlating, and sharing threat indicators. What it doesn’t provide natively is a current severity signal on those indicators — and that gap matters.
Most MISP deployments accumulate network IOCs from a mix of community feeds, commercial intel, internal detections, and analyst submissions. Those sources don’t always agree on severity, and even when they do, that assessment has a shelf life. Domains and IPs used for phishing, malware distribution, and command infrastructure spin up fast and get recycled just as fast. A blocklist entry from 72 hours ago may already be stale. A domain that was parked last week may now be serving a payload.
alphaMountain’s threat intelligence updates hourly. When you enrich MISP attributes using the new alphaMountain module, the risk ratings reflect the current state of that infrastructure — not a snapshot from whenever some feed last ran its batch job.
The output is a decimal risk score on the 1.00–10.00 scale, tagged directly to each attribute. alphaMountain:risk-score="8.0" on a domain means what it says. alphaMountain:risk-score="1.29" on amazon.com also means what it says. The scale doesn’t collapse to binary block/allow — it gives analysts a number they can reason with and set their own thresholds against.
What Gets Enriched
The module supports the full range of network observables you’re likely to encounter in a threat event:
- IP addresses (ip, ip-src, ip-dst, ip-src|port, ip-dst|port)
- Domains and hostnames (domain, hostname)
- URLs and URIs (url, uri, link)
If the attribute category is set to “Network activity” and the type matches one of the above, alphaMountain will enrich it. You can run enrichment on individual attributes or fire it against an entire event at once via “Enrich Event” in the sidebar.
How to Set It Up
The alphaMountain module plugs into MISP’s native enrichment framework — no custom development required. You’ll need an alphaMountain license entitled to the threat endpoint. If you don’t have one yet, request a free trial at [email protected].
Step 1: Configure the module settings
Navigate to Administration → Server Settings and Maintenance → Enrichment and scroll to the Plugin.Enrichment_alphaMountain* block. The key settings:
- Plugin.Enrichment_alphaMountain_enabled → true
- Plugin.Enrichment_alphaMountain_license → your license key
- Plugin.Enrichment_alphaMountain_scan_depth → medium (recommended)
- Plugin.Enrichment_alphaMountain_partner_type → partner.info
If you’re spinning up a fresh MISP instance for evaluation, the quickest path is via Docker:
```
git clone https://github.com/MISP/misp-docker
cd misp-docker
cp template.env .env
docker compose up -d
```
Access it on localhost with the credentials from your .env file, then configure enrichment as above.
Step 2: Create an event and add attributes
Add a new MISP event, then populate it with attributes — IPs, domains, hostnames, URLs — categorized as “Network activity.” Set the attribute type to match the value you’re testing.
You have two options:
- Single attribute: Scroll to the far right of the attribute table and click the asterisk (“Add Enrichment”)
- Entire event: Use “Enrich Event” in the left sidebar, check the alphaMountain checkbox, and click Enrich
Enriched attributes will now carry tags in the format alphaMountain:risk-score="X.XX". In a test event with six attributes, you might see output like:
| Attribute | Risk Score |
|---|---|
| 141.193.213.20 (ip-src) | 4.75 |
| alphamountain.ai (domain) | 3.26 |
| amazon.com (hostname) | 1.29 |
| 1wkzka.top (domain) | 4.88 |
| portalcontatosa.online (domain) | 8.0 |
That last entry — portalcontatosa.online at 8.0 — would be worth a closer look. High score, unfamiliar domain, probably registered recently. You’d want to confirm in threatYeti before deciding what to do with it.
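To act on these tags outside the MISP UI, the sketch below (an added example, not alphaMountain's or MISP's own code) reads an event in MISP's JSON export shape, keeps only the attributes the module would enrich, parses the alphaMountain:risk-score tag, and buckets values against local thresholds. The threshold values, the function names and the sample event are assumptions constructed for illustration; the scored entries reuse the table above.

```python
import json
import re

# Attribute types the page lists as supported by the module.
SUPPORTED_TYPES = {"ip", "ip-src", "ip-dst", "ip-src|port", "ip-dst|port",
                   "domain", "hostname", "url", "uri", "link"}
# Tag format from the page: alphaMountain:risk-score="X.XX"
SCORE_TAG = re.compile(r'^alphaMountain:risk-score="(\d{1,2}(?:\.\d+)?)"$')

def risk_score(attribute):
    """Return the attribute's score as a float, or None if no valid tag is present."""
    for tag in attribute.get("Tag", []):
        m = SCORE_TAG.match(tag.get("name", ""))
        if m and 1.0 <= float(m.group(1)) <= 10.0:  # 1.00-10.00 scale per the page
            return float(m.group(1))
    return None

def triage(event, review_at=7.0, watch_at=4.0):
    """Bucket eligible attributes; thresholds are local policy (assumed values)."""
    buckets = {"review": [], "watch": [], "low": [], "unscored": []}
    for attr in event["Event"].get("Attribute", []):
        if attr.get("category") != "Network activity" or attr.get("type") not in SUPPORTED_TYPES:
            continue  # outside the module's scope, so no score is expected
        score = risk_score(attr)
        if score is None:
            buckets["unscored"].append(attr["value"])  # eligible but not enriched yet
        elif score >= review_at:
            buckets["review"].append(attr["value"])
        elif score >= watch_at:
            buckets["watch"].append(attr["value"])
        else:
            buckets["low"].append(attr["value"])
    return buckets

def _attr(value, type_, score=None, category="Network activity"):
    tags = [{"name": f'alphaMountain:risk-score="{score}"'}] if score else []
    return {"value": value, "type": type_, "category": category, "Tag": tags}

# Constructed sample event; the last two rows are invented edge cases.
SAMPLE_EVENT = {"Event": {"Attribute": [
    _attr("141.193.213.20", "ip-src", "4.75"),
    _attr("alphamountain.ai", "domain", "3.26"),
    _attr("amazon.com", "hostname", "1.29"),
    _attr("1wkzka.top", "domain", "4.88"),
    _attr("portalcontatosa.online", "domain", "8.0"),
    _attr("198.51.100.7|443", "ip-dst|port"),                       # not yet enriched
    _attr("invoice.pdf", "filename", category="Payload delivery"),  # out of scope
]}}

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENT), indent=2))
```

The "unscored" bucket is worth monitoring: an eligible attribute with no tag means enrichment has not run on it, not that it is low risk.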
From Score to Investigation
The risk score is the starting point. If an attribute comes back with a high rating and you want to understand why — what infrastructure it’s connected to, what it may be impersonating, whether it shares an IP with other malicious hosts — that’s where threatYeti picks up.
Paste the domain or IP into threatYeti.com and you get the full aM Intelligence™ picture: passive DNS history, WHOIS, shared IP relationships, impersonation probability, DGA score, open ports, and response headers — all surfaced in a single interface. The same data is available programmatically through the API for teams who want to automate enrichment at scale.
The MISP integration surfaces the threat score. For the full picture — URL classification, passive DNS, shared infrastructure, impersonation detection, and more — that’s what the alphaMountain API and threatYeti are built for.
Get Started
The alphaMountain MISP enrichment module is available now. If you’re running MISP and want to start tagging network indicators with real-time risk ratings, the fastest path is a free API trial.
Request a free API trial → here.
Investigate any domain or IP now → threatYeti.com
Talk to our team → [email protected]




