mirror of https://github.com/MISP/misp-book
Moves Warning List information from taxonomy page.
parent
c05d80a723
commit
40f89e53a9
@ -214,26 +214,6 @@ Tags can be used to:
* Enrich IDS export with tags to fit your NIDS deployment.
* Enrich IDS export with tags to fit your NIDS deployment.
## MISP warning lists: The dilemma of false-positive
- False-positive is a common issue in threat intelligence sharing.
- It’s often a contextual issue:
- false-positive might be different per community of users sharing
information.
- organization might have their own view on false-positive.
- Based on the success of the MISP taxonomy model, we build misp-warninglists. They are lists of well-known indicators that can be
associated to potential false positives, errors or mistakes. They are Simple JSON files.
![MISP warning lists](./figures/MISPwarninglist.png)
The warning lists are integrated in MISP to display an info/warning box at the event and attribute level. This can be enabled at MISP instance level. Default warning lists can be enabled or disabled like known public
resolver, multicast IP addresses, hashes for empty values, rfc1918, TLDs or known google domains. The warning lists can be expanded or added in JSON locally or via
pull requests (https://github.com/MISP/misp-warninglists). Warning lists can be also used for critical or core infrastructure
warning, personally identifiable information...
## Future functionalities related to MISP taxonomies
## Future functionalities related to MISP taxonomies
- Sighting support (thanks to NCSC-NL) is integrated in MISP allowing to auto expire IOC based on user detection.
- Sighting support (thanks to NCSC-NL) is integrated in MISP allowing to auto expire IOC based on user detection.
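Review bot: dropping the entire warning-list section from the taxonomy page leaves no pointer to where the false-positive discussion went; consider keeping a one-line cross-reference after the `* Enrich IDS export with tags to fit your NIDS deployment.` bullet (for example, "See the warning lists chapter for how MISP flags potential false positives.") so readers of the taxonomy chapter still find it. The removal also leaves two consecutive blank lines between the tag list and `## Future functionalities related to MISP taxonomies` where one would do.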
@ -3,3 +3,22 @@ MISP warninglists are lists of well-known indicators that can be associated to p
There is a Python module available to work with warninglists in a Pythonic way called [PyMISPWarningLists](https://github.com/MISP/PyMISPWarningLists).
There is a Python module available to work with warninglists in a Pythonic way called [PyMISPWarningLists](https://github.com/MISP/PyMISPWarningLists).
[MISP warninglists GitHub Repo](https://github.com/MISP/misp-warninglists)
[MISP warninglists GitHub Repo](https://github.com/MISP/misp-warninglists)
## MISP warning lists: The dilemma of false-positive
- False-positive is a common issue in threat intelligence sharing.
- It’s often a contextual issue:
- false-positive might be different per community of users sharing
information.
- organization might have their own view on false-positive.
- Based on the success of the MISP taxonomy model, we build misp-warninglists. They are lists of well-known indicators that can be
associated to potential false positives, errors or mistakes. They are Simple JSON files.
![MISP warning lists](./figures/MISPwarninglist.png)
The warning lists are integrated in MISP to display an info/warning box at the event and attribute level. This can be enabled at MISP instance level. Default warning lists can be enabled or disabled like known public
resolver, multicast IP addresses, hashes for empty values, rfc1918, TLDs or known google domains. The warning lists can be expanded or added in JSON locally or via
pull requests (https://github.com/MISP/misp-warninglists). Warning lists can be also used for critical or core infrastructure
warning, personally identifiable information...
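Review bot: the figure reference `![MISP warning lists](./figures/MISPwarninglist.png)` is copied verbatim from the taxonomy page; if the warninglist chapter is built from a different directory, that relative path will not resolve, so check that the image is moved alongside the text or the path adjusted. The added bullet "They are lists of well-known indicators that can be associated to potential false positives, errors or mistakes" repeats the opening sentence of this page (visible in the hunk header), so it could be cut down to the taxonomy-model sentence. Minor wording in the moved text while it is being touched: "we build misp-warninglists" should read "we built", "Simple JSON files" should be lowercase "simple", and the sub-bullet "false-positive might be different per community of users sharing" / "information." is split across two lines and should be joined and indented under "It's often a contextual issue:" together with the "organization might have their own view" item.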