Merge remote-tracking branch 'upstream/master'

pull/150/head
Steve Clement 2019-03-04 06:35:13 +09:00
commit 0ad02cf66e
7 changed files with 26 additions and 10 deletions

@ -184,6 +184,15 @@ sudo pip3 install -I .
```
## How to disable freetext/custom/user-created tags and only allow certain tags
Remove the "tag editor" from the permissions that you grant to users.
Set all tags that you do not want to "hidden".
There is a server setting to treat all incoming tags as hidden by default: `MISP.incoming_tags_disabled_by_default`
**Important** Make sure that you don't remove "tag editor" from sync users, or you'll be stripping tags from synchronized data.
<!--
Comment Place Holder
-->
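Review bot: The sync-user exception on the "**Important**" line comes after the step it qualifies ("Remove the "tag editor" from the permissions that you grant to users."), so an administrator working top to bottom removes the permission before reading that doing so on sync users strips tags from synchronized data. Suggest moving the exception directly under the first step, or wording that step as applying to every role except sync users. "Set all tags that you do not want to "hidden"" is also ambiguous as written; something like "Mark every tag you do not want used as hidden" would be clearer, and the steps would read better as a list than as consecutive plain lines.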

@ -11,10 +11,15 @@ Objects can be added by using the side menu:
This will open a popup where you can choose the type of object:
![Object Popup](figures/select_obj_cat.png)
![Object Popup All](figures/select_object.png)
If there are only few templates available for this type, they will all be shown this way:
![Object Popup All](figures/select_object1.png)
Otherwise you will be able to search and select the desired object within a scrolling list (a search field is available)
![Object Popup All](figures/select_object2.png)
A description of each object is shown by hovering the info icon or directly besides it.
For this example we will try to add an ip|port object:
![ip|port form](figures/object_ipport.png)
Note: This screenshot displays an old version of the template
For some objects, there might be attributes that required to be set. For instance in this object, there is a required attribute, "Ip", and it is also required to set one of the attributes between "dst-port" and "src-port". If these requirements are not met, the object will not be valid and therefore not added to the event. Also you can't add an object without setting any attribute.
After pressing "Submit, you are given the possibility to review your object before saving it.
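Review bot: The line "Note: This screenshot displays an old version of the template" flags figures/object_ipport.png as stale without saying what differs, and the next paragraph relies on that figure to explain which attributes are required ("Ip", plus one of "dst-port" and "src-port"), so a reader comparing the two can be misled about what must be filled in for the object to be valid. Suggest replacing the screenshot, or stating in the note which fields have changed. Smaller points in the same hunk: select_object.png, select_object1.png and select_object2.png all carry the alt text "Object Popup All"; `After pressing "Submit,` is missing its closing quote; "attributes that required to be set" should read "that are required to be set"; and "directly besides it" should be "beside".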
@ -22,21 +27,20 @@ After pressing "Submit, you are given the possibility to review your object befo
### Creating object
An object is designed using a JSON file which should repect a format described in [this document](https://github.com/MISP/misp-objects/blob/master/schema_objects.json).
An object is designed using a JSON file which should respect a format described in [this document](https://github.com/MISP/misp-objects/blob/master/schema_objects.json).
An object is basically a combinaison of two or more attributes that can be used together to represent real cyber security use-cases. These attributes are listed in a JSON object.
An object is basically a combination of two or more attributes that can be used together to represent real cyber security use-cases. These attributes are listed in a JSON object.
Each attribute is an JSON object defined by a name, a description, a misp-attribute and an ui-priority value.
- Name and description are self-explanatory.
- misp-attribute is an existing type of attribute in misp that matches the attribute.
Each attribute is an JSON object defined by a name, a description, a misp-attribute and an ui-priority value.
- Name and description are self-explanatory.
- misp-attribute is an existing type of attribute in misp that matches the attribute.
- Concerning ui-priority, the higher the number is, the most it is expected to be seen.
There are also others options that can be added to define an attribute more precisely.
- sane_default is a list of default valid value for this attribute. The user can pick a value from this list or choose "Enter value manually"
- disable_correlation will disable correlation for this value. Usefull for dates for instance
- disable_correlation will disable correlation for this value. Useful for dates for instance
- recommended value for this field
- multiple, if set to true, allow the user to add multiple instances of this attribute.
Not all attributes are mandatory, but some can be required. If s, they need to be listed in a list called "required". The object will only be valid if the listed attributes are set.
The same way, there are sometimes when only one attribute in a set is needed. This set can be put in a list called "requiredOneOf". If at least oen of the attributes in this list is set, the object will be valid.
Not all attributes are mandatory, but some can be required. If so, they need to be listed in a list called "required". The object will only be valid if the listed attributes are set.
The same way, there are sometimes when only one attribute in a set is needed. This set can be put in a list called "requiredOneOf". If at least oen of the attributes in this list is set, the object will be valid.
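Review bot: The spelling pass stops short of the final line: the requiredOneOf sentence still reads "If at least oen of the attributes in this list is set", and both copies of that line in the hunk carry the typo. Because "required" and "requiredOneOf" are the two rules that decide whether an object is valid, this paragraph should be exact: fix "oen" to "one", and reword "there are sometimes when only one attribute in a set is needed" so it agrees with the "at least one" rule stated in the following sentence. The options list also has an entry with no option name, "- recommended value for this field", so the reader cannot tell which key it documents, and "an JSON object" and "the most it is expected to be seen" are left uncorrected.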

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

3
noticelist/README.md Normal file

@ -0,0 +1,3 @@
<!-- toc -->
## MISP-noticelist
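Review bot: The new noticelist/README.md consists of a `<!-- toc -->` marker and the heading "## MISP-noticelist" with nothing under it, so the section has a title and no content. The hunk header announces three lines and only two are visible here, so check whether the third is an intentional blank line. Suggest adding at least one sentence saying what a noticelist is and where it is configured, or holding the file back until there is text to go with the heading.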