Q: Is there a hard cap on the number of IOCs on the risk lists that are generated for MISP?
A: Yes, there is a hard cap (60,000 indicators) in the generator that transforms our risk lists into MISP Feeds. MISP generally does not seem to handle the large number of indicators that Recorded Future is able to provide (this depends, of course, on the resources clients have allocated to their instances). The hard cap helps with app performance by preventing a client's MISP environment from ingesting large amounts of data all at once from Recorded Future.
Q: Why do some IOCs on the Recorded Future threat lists have their states set to 'hidden'?
A: Recorded Future feeds contain many thousands of indicators that have their state set to hidden. The hidden state allows Recorded Future's feed updates to remove indicators from the client's environment once they have been removed from the source risk list. This process removes old indicators from the client's environment.