Merge remote-tracking branch 'upstream/master'

pull/200/head
Steve Clement 2020-02-16 09:45:53 +09:00
commit 5536af3925
No known key found for this signature in database
GPG Key ID: 69A20F509BE4AEE9
3 changed files with 8 additions and 4 deletions

@ -233,6 +233,7 @@ This section lists the projects that can be found on the main [MISP GitHub](http
| Project | Description | Status |
| -- | -- | -- |
| [misp-objects](https://github.com/MISP/misp-objects) | Definition, description and relationship types of MISP objects | Core to MISP, frequently updated and tested |
| [Best Practices in ThreatIntel](https://github.com/MISP/best-practices-in-threat-intelligence) | Best practices in threat intelligence | Book available here: https://www.misp-project.org/best-practices-in-threat-intelligence.html |
<!--
| []() | | Core to MISP, frequently updated and tested |
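Review bot: the Status cell of the new Best Practices row breaks the column's convention (the neighbouring row reads "Core to MISP, frequently updated and tested") by holding a bare URL that only some markdown renderers will autolink; turn it into a proper link such as `Book: [misp-project.org](https://www.misp-project.org/best-practices-in-threat-intelligence.html)` and keep a status word in that column. The Description cell also just repeats the project name; a sentence on what the book covers would be more useful to readers of the table.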
@ -305,7 +306,6 @@ This section lists some projects we know of but not officially support and rely
A brief list of online ressources that around #ThreatIntel
* [Curated list of awesome cybersecurity companies and solutions.](https://github.com/Annsec/awesome-cybersecurity/blob/master/README.md) (Updated April 2017)
* [A curated list of awesome malware analysis tools and resources](https://github.com/rshipp/awesome-malware-analysis/blob/master/README.md). Inspired by [awesome-python](https://github.com/vinta/awesome-python) and [awesome-php](https://github.com/ziadoz/awesome-php).
* [An authoritative list of awesome devsecops tools with the help from community experiments and contributions](https://github.com/devsecops/awesome-devsecops/blob/master/README.md).[DEV.SEC.OPS](http://devsecops.org)
* [Advance Python IoC extractor](https://github.com/InQuest/python-iocextract)
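Review bot: since this hunk edits the #ThreatIntel resource list, the intro line shown in context, "A brief list of online ressources that around #ThreatIntel", should be fixed in the same pass ("resources" and a missing verb, e.g. "resources that revolve around #ThreatIntel"); in the list itself, "Advance Python IoC extractor" should read "Advanced", and `.[DEV.SEC.OPS]` needs a space after the period so the link is not glued to the previous sentence.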

@ -19,6 +19,7 @@
|campaign-name| | | X | | | |
|cc-number| | | | | X | |
|cdhash| | X | | | | |
|chrome-extension-id| | | | | | |
|comment| X | X | X | X | X | X |
|community-id| | | | X | | |
|cookie| | X | | | | |
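Review bot: the new `chrome-extension-id` row in this first category table has no X in any column, whereas the same row in the second table later in this diff is marked in two categories and the third table's row is again empty. That is consistent if the type belongs to none of the categories shown in this column group, but since the three tables split the categories across column groups, please double-check the row was not pasted without its marks.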
@ -185,6 +186,7 @@
|campaign-name| | | | | | |
|cc-number| | | | | | |
|cdhash| | | X | X | | |
|chrome-extension-id| | | X | X | | |
|comment| X | X | X | X | X | X |
|community-id| X | | | | | |
|cookie| X | | | | | |
@ -351,6 +353,7 @@
|campaign-name| | | | |
|cc-number| | | | |
|cdhash| | | | |
|chrome-extension-id| | | | |
|comment| X | X | X | X |
|community-id| | | | |
|cookie| | | | |
@ -537,6 +540,7 @@
* **campaign-name**: Associated campaign name
* **cc-number**: Credit-Card Number
* **cdhash**: An Apple Code Directory Hash, identifying a code-signed Mach-O executable file
* **chrome-extension-id**: Chrome extension id
* **comment**: Comment or description in a human language
* **community-id**: a community ID flow hashing algorithm to map multiple traffic monitors into common flow id
* **cookie**: HTTP cookie as often stored on the user web client. This can include authentication cookie or session cookie.
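Review bot: the new `chrome-extension-id` entry reads "Chrome extension id", which is the type name restated; the neighbouring entries (`cdhash`, `community-id`) say what the value identifies and how it is produced, so a short description of what a Chrome extension ID denotes and what form the value takes would help analysts pick the right type. Also match the capitalisation used elsewhere in the list (e.g. "ID" as in "community ID").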

@ -89,7 +89,7 @@ Sharing groups consist of the following elements, each of which has its own page
![The servers tab of the sharing group tool](figures/sgpage3.png)
* **Servers:** The third page of the tool describes the MISP instances the data marked with the given sharing group are allowed to be synchronised with. Keep in mind that any user that can view an event on a given instance will have the right to pull the event to their home instance, as they are part of the sharing group, however the organisation distribution list will still apply.
* **Enable roaming mode:** This setting will disable the server list and rely purely ont he organisation list to distribute the data. If a sync connection's host organisation is in the organisation distribution list the instance becomes eligible for synchronising the data marked with the sharing group. Generally this carries a slightly higher risk as it relies on administrators correctly setting up the host organisation settings, but it removes the need to know the specific instance urls where the event/attribute should flow.
* **Enable roaming mode:** This setting will disable the server list and rely purely on the organisation list to distribute the data. If a sync connection's host organisation is in the organisation distribution list the instance becomes eligible for synchronising the data marked with the sharing group. Generally this carries a slightly higher risk as it relies on administrators correctly setting up the host organisation settings, but it removes the need to know the specific instance urls where the event/attribute should flow.
* **Add instance:** Add an instance to the distribution list from the sync instances set up under sync actions -> servers
* **All orgs:** Checking this checkmark will automatically include all organisations on the given instance in the sharing group. This means that in order to exchange with all users of a linked community, one does not need to know every organisation residing on the instance. This also means that the distribution list will not include the organisation names, which can be interesting for certain privacy sensitive communities.
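Review bot: the "ont he" fix is correct; while touching this line, "instance urls" should read "instance URLs", and the "Add instance" bullet just below it lacks a terminating period, unlike the other bullets in the list.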
@ -112,7 +112,7 @@ Templates are devided into sections, with each section having a title and a desc
* **Field**: The name of the field along with an indication if the field is mandatory.
* **Description**: A short description of the field.
* **Types**: The value(s) that are valid for the field. In the case of several types being shown here, you can enter value(s) matching any one of the types, or in the case of a batch import field, any mixture of the given types.
* **Text field**: This field can either be a single line textfield or a multi-line text area. For the former, enter a single value of the above indicated type, whilst for the latter you cna paste a list of values separated by line-breaks.
* **Text field**: This field can either be a single line textfield or a multi-line text area. For the former, enter a single value of the above indicated type, whilst for the latter you can paste a list of values separated by line-breaks.
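Review bot: the "cna" → "can" fix is fine, but the context shown in the hunk header, "Templates are devided into sections", carries another typo ("divided") that should be corrected in the same pass; on the changed line, "single line textfield" is better written "single-line text field" and "line-breaks" as "line breaks".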
### Freetext Import Tool
@ -175,7 +175,7 @@ The result will be a list of attributes that get added to the currently selected
### Adding IOCs from a PDF report
You can You can use a generic script called [IOC parser](https://github.com/armbues/ioc_parser) or use a script published by Palo Alto to convert IOC parser output to a MISP event: [report_to_misp] (https://github.com/PaloAltoNetworks-BD/report_to_misp/).
You can use a generic script called [IOC parser](https://github.com/armbues/ioc_parser) or use a script published by Palo Alto to convert IOC parser output to a MISP event: [report_to_misp] (https://github.com/PaloAltoNetworks-BD/report_to_misp/).
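Review bot: the duplicated "You can You can" is removed, but the line still contains `[report_to_misp] (https://github.com/PaloAltoNetworks-BD/report_to_misp/)` with a space between `]` and `(`, which prevents markdown from rendering it as a link; drop the space so the reference to the Palo Alto script is clickable.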
### Publish an event