Merge pull request #256 from PROTechThor/user-stories

MISP user stories and workflows
pull/257/head
Alexandre Dulaunoy 2021-03-26 23:18:14 +01:00 committed by GitHub
commit 620a6a55c5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 54 additions and 0 deletions

View File

@ -33,6 +33,7 @@
* [FAQ](faq/README.md)
* [Dev FAQ](dev-faq/README.md)
* [Best Practices](best-practices/README.md)
* [User stories](user-stories/README.md)
* [User personas](user-personas/README.md)
* [Appendices](appendices/README.md)

53
user-stories/README.md Normal file
View File

@ -0,0 +1,53 @@
# MISP User Stories
| User story | Example workflow |
|-|-|
| As a lead threat intelligence analyst, I want to lead a team focused on hunting down threats so that I can prevent attacks against ICT infrastructures and organizations | <ul> <li>Monitor what teams are up to in real-time using the Live Dashboard </li></ul>|
| As a threat analyst, I want to research, analyze and reverse engineer malware so that I can know how to counter it | <ul> <li> Attach and download files and malware samples from events</li> <li>Search for hashes/IPs/domains/URLs from malware events, or add malware samples hashes to an event</li> <li>Analyse observables and malware collected during an incident (e.g. domain name, IP addresses etc.) by checking whether observables are IoCs or false positives using correlation graph and expansion modules.</li> <li> Enrich malware events by querying data sources external to MISP using modules</li> <li>Perform dynamic malware analysis correlations</li> <li> Submit events with malware samples to analysis tools (e.g VirusTotal, VMRay) for further analysis, and then extend MISP with malware analysis results</li> </ul> |
| As a lead threat intelligence analyst, I want to convert threat data into actionable threat intelligence so that I can improve security posture. | <ul> <li>Import data from external sources</li> <li>Add feeds</li> <li>Contextualise events and attributes using tags, taxonomies and galaxies</li></li> |
| As a threat analyst, I want to exchange threat information with third parties so that we can gain shared situational awareness | <ul> <li>Setup different models of distribution on MISP instance</li> <li>Sync events and attributes between instances</li> <li>Use filtering functionalities to meet an organisation's sharing policy</li> <li>Share information, pentest information, malware samples, vulnerabilities internally and externally</li> <li>Use feature/achievements widget adding gamification to the information sharing</li> </ul> |
| As a threat analyst, I want to monitor threats and access live data so that I can manage threats before they cause major damage | <ul> <li>Import lists of indicators and check if the IOCs are present in feeds.</li> <li>Monitor statistics and sightings using widgets</li> <li>Show live data and stats from one or more MISP instances via the Dashboard</li> <li>Process information in real-time when it's updated, created, or published by instances by integrating with ZMQ</li> <li>Use sightings to notify an instance about activities related to an indicator</li> </ul> |
| As a threat analyst, I want to aggregate and compare indicators from various sources so that I can connect the dots between various threats | <ul><li>Join communities and subscribe to the feeds</li> <li>Add events and assign events to specific feeds</li> <li>Correlate indicators using MISP's automated correlation engine</li> <li>Link events and attributes using the correlation graph</li> <li>Analyse and gain more information on attributes using modules</li> <li>Link events with malware, threat actors etc using galaxies (e.g ATT&CK)</li></ul> |
| As a threat analyst, I want to have a structured database of threat data that I can use to perform lookups/queries when investigating new threats | <ul><li>Store information in a structured format using STIX</li> <li>Import unstructured reports using the free-text import tool</li> <li>Use MISP as a centralized hub for security and fraud threat intel. Centralize threat intel by aggregating indicators from OSINT and commercial feeds</li> <li>Remove false positives and duplicates</li> <li>Score indicators based on Sightings and other metrics</li> <ll>Import/integrate feeds or threat intelligence from third parties</li> <ll>Generate, select, exchange, and collect intelligence using feeds</li> <li>Select and import events</li> <li>Look for correlations between events using the correlation graph</li> <li>Build filtered subsets of the data repository for feed creation.</li> <li>Preview and correlate feed data directly for evaluation</li></ul> |
| As a threat analyst, I want to contextualize and enrich raw threat data so that I can produce actionable intelligence | <ul><li>Understand attacker TTPs by using taxonomies to link events</li> <li>Categorize risks and incidents using galaxies and taxonomies</li> <li>Quickly classify information using tags collections</li> <li>Contextualise sightings with information on the source</li> <li>Enrich IDSes export with tags to fit your NIDS deployment</li> <li>Decay attributes and score indicators using sightings (reported by IDSes)</li> <li>Describe and visualise complex scenarios using MISP's richer data structure</li> <li>Allow advanced combination of attributes using MISP objects</li></ul> |
| As a threat analyst, I want to investigate threats so that I can protect computer systems from attacks | <ul><li>Find relevant data for investigations from MISP communities. Preview new MISP events and alerts from multiple sources such as email reports, CTI providers, and SIEMs</li> <li>Query a MISP instance for events that include a given IOC. Browse through other MISP events, attributes, objects, tags, and galaxies</li> <li>Create events, add IoCs (attributes), and contextualise (using tags)</li> <li>Pivot an event into its attributes, objects, tags, galaxies, and/or related Events</li> <li>Explore further details from Galaxies and related Events</li> <li>Categorize available related information within the ATT&CK framework.</li> <li>Query tools (e.g Cytomic Orion API) to check if certain MISP indicators have been observed, and the import sighting details to add them to MISP events</li> <li>Prioritize threats using Sightings collected from users, scripts and IDSes.</li> <li>Decay/expire indicators using sightings reported by users, scripts and IDSes</li> <li>Launch lookups from MISP against SIEMs as part of an investigation</li> <li>Correlate network forensic flows from several tools</li></ul> |
| As a SOC team, we want to ingest, analyse, store and make connections between threat data so as to discover potential threats | <ul><li>See connections between events using the correlations graph</li> <li>Import CVEs and vulnerabilities (e.g from MetaSploit) and contextualise them</li> <li>Contextualise CVEs using events gotten from articles/reports</li> <li>Convert CVE information into a feed</li> <li>Pull shared CVE feeds</li> <li>Combine collected data with your MISP data set for correlation</li> <li>Share correlated info to the team using the export function or API search</li> <li>View current threats and activity, historical, geolocalized information using MISP Dashboard</li></ul> |
| As a junior SOC analyst, I want to enrich alerts so that I can "punch above my weight" and make connections that would have otherwise required more experience | <ul><li>Create events, add/import observables</li> <li>Use Cortex and its analyzers to gain insight</li> <li>Leverage tags, sightings, and previously-seen observables to feed your threat intelligence</li> <li>Export IOCs to MISP instances after investigations are complete</li> <li>Integrate MISP with Maltego to generate visualisations of data</li> <li>Integrate MISP with Elastic to access threat data without the complexities of the MISP interface.</li> <li>Push attributes from MISP to Elastic and have a representation with graphs, an alternative to using MISP Dashboard.</li> <li>Create taxonomies using the taxonomy editor.</li> <li>Contextualise data using taxonomies, clusters and galaxies</li></ul> |
| As a SOC analyst, I want to customize risk feeds to ignore or downgrade alerts that do not match organization/ industry-specific criteria, so that I can focus on relevant alerts | <ul><li>Filter incidents based on taxonomies (e.g the veris country taxonomy to indicate countries affected by an incident)</li> <li>Normalise external input and feeds in MISP (e.g. feed importer).</li> <li>Compare feeds before import to find similarities and false positives.</li> <li>Evaluate the quality of the information before importing it (warning-list lookups at feed evaluation)</li></ul> |
| As a SOC analyst, I want to share real-time information pertaining to new or existing cases/observables to team members so that we can collaborate on investigations simultaneously | <ul><li>Control threat sharing using distribution settings: sharing group, community-only, connected communities, all communities.</li> <li>Share sensitive and confidential events using the sharing group functionality</li> <li>Measure the impact of an incident using taxonomies based on NISD/OESs impact criteria</li> <li>Export and share sightings in ATT&CK sightings format to give insights on TTPs and frequency of usage</li></ul> |
| As a SOC analyst, I want to rule out false positives so that I can focus on significant threats | <ul><li>Weed out false positives using warning lists</li> <li>Crowd source data validation from community</li> <li>Filter indicators based on specific criteria</li> <li>Receive information on false positives using collaborative tools (proposals, sightings)</li></ul> |
| As a threat analyst, I want to remove false positives, filter and prioritize alerts so that I can focus on what really matters to my organization | <ul><li>Evaluate the quality and freshness of indicators using decaying models</li> <li>Enforce warninglists to exclude events with certain attributes</li> <li>Enable warninglists to alert for certain issues</li> <li>Classify information (add/remove tags) based on their score or visibility via sightings</li> <li>Use tags to set events or attributes for further processing by external tools (e.g. VirusTotal auto-expansion using Viper)</li> <li>Notify an instance about activities related to an indicator via Sighting</li> <li>Limit NIDS exports and improve rules using Sightings</li> <li>Filter indicators based on specific criteria</li> <li>Filter out relevant data when feeding protective tools</li></ul> |
| As a security analyst, I want to unravel the inner workings of a malicious file, phishing email or domain so that I can prevent attacks | <ul><li>Integrate MISP with a Security Incident Response Platform (e.g TheHive)</li> <li>Import indicators from MISP into the SIRP for further analysis</li></ul> |
| As a security analyst, I want to create blacklists/whitelists (e.g of domains) so that I can protect customers from malicious activity | <ul><li>Import threat data into MISP from synced servers and label using taxonomies</li> <li>Enable warning lists, and exclude attributes that exist on the warning lists</li> <li>Create lists with preferred attributes and export the list in an easy accessible format as CSV</li></ul> |
| As a security analyst, I need a real-time overview of threat information so that I can quickly glance at important metrics | <ul><li>Integrate ZMQ to access a dashboard showing live data and stats</li> <li>Monitor ongoing trends based on interests using the EventStream widget</li> <li>Monitor activity in real-time on MISP dashboard by subscribing to ZMQ feeds</li> <li>View immediate contributions made by organisations from MISP's live dashboard</li> <li>Find threats within your constituency using MISP Geolocalisation Dashboard</li> <li>Get geospatial threat information from specific regions using the Geolocalisation Dashboard</li></ul> |
| As a security analyst, I want to automate repetitive tasks related to data normalization, importation, aggregation and enrichment so that I can have more time to put into threat analysis efforts | <ul><li>Automate tasks using PyMISP</li> <li>Use PyMISP for Scripted processing of events and attributes</li></ul> |
| As a security analyst, I want to collaborate with other analysts within and out of my organizations sector so that we can support one another | <ul><li>Build or join communities to exchange specific data structures</li> <li>Share real-time analysis of an incident</li> <li>Propose modifications to someone else's analysis using Proposals</li></ul> |
| As a security analyst, I want to triage and prioritize alerts so as to avoid alert fatigue | <ul><li>Evaluate the quality and freshness of indicators using decaying models</li> <li>Weed out false positives using warning lists</li> <li>Enable warning lists to alert for critical issues</li> <li>Filter indicators based on specific criteria</li> <li>Score indicators based on user sightings, including negative sightings and expiration sightings.</li> <li>Classify information (add/remove tags) based on their score or visibility via sightings</li> |
| As an incident responder, I want to get an up-to-date picture of the threat landscape so that I can prepare for threats in advance | <ul><li>Describe the impact of threat using taxonomies (e.g using the veris timeline taxonomy to indicate the duration of the incident)</li> <li>Classify data to gain insight into the threat landscape.</li> <li>Classify data so IDSes can alert on a rule</li> <li>Integrate ZMQ to have a dashboard showing live data and statistics.</li> <li>Integrate ZMQ to process information in real-time when it's updated, created, or gathered in MISP.</li></ul> |
| As an incident responder, I want to identify and respond to incidents so that I can reduce the impact and severity of an attack | <ul><li>Report false or true positives using the sighting mechanism, based on an incident investigation <li>Decay indicators to guarantee the quality of the indicators</li></ul> |
| As an incident responder, I want to receive early warnings and alerts about threats/incidents so that I can retaliate before they cause any harm | <ul><li>Receive correlated threat intel from sharing groups and communities</li> <li>Monitor MISP feeds for alerts</li> <li>Preview new events and alerts from multiple sources</li> <li>Automate import/export of IoCs to/from protective or detection tools like IDSes and IPSes</li> <li>Dispatch notifications when certain events are created or modified using the alert feature</li> <li>Create filter rules based on personalised uses. Restrict alert messaged by tags, publishing organisation or other metrics</li></ul> |
| As an incident responder, I want to store information identified during an incident investigation so that I can perform lookups/queries against the historical database during future incidents | <ul><li>Use a MISP instance as a database of events representing incidents. Store incident response data internally in a structured manner on MISP</li> <li>Represent indicators using attributes. Attributes such as network indicators (e.g. IP address) or system indicators (e.g. a string in memory)</li> <li>Combine OSINT and your own intelligence</li> <li>Create events made up of indicators (attributes) and then leverage these as a threat data feed</li> <li>Modify events representing incidents to enable monitoring over time</li> <li>Add object types to describe incidents</li> <li>Monitor indicators for relevancy using Sightings</li> <li>Ensure information quality and freshness by expiring indicators depending on their personalised objectives</li> <li>Pull events from indicator lists to perform lookups against SIEMs</li> <li>Use indicators to check logs and verify if youre affected by a threat</li> <li>Correlate indicators with actual incidents to get more information</li> <li>Integrate MISP with IR tools (e.g TheHive) to (1) analyse observables during an incident, (2) import and (3) export events from MISP to TheHive and vice-versa</li> <li>Perform large-scale bulk data/traffic analysis and correlation against your MISP database using SightingsDB</li></ul> |
| As an incident responder, I want to export and feed data between security tools so that I can enhance their functionalities | <ul><li>Export data from MISP to feed protective/detective tools and early warning systems. Export formats support IDSes / IPSes (e.g. Suricata, Bro, Snort), SIEMs (eg CEF), Host scanners (e.g. OpenIOC, STIX, CSV, yara), analysis tools (e.g. Maltego), DNS policies (e.g. RPZ)</li> <li>Feed MISP using automatic tools (e.g. Sandbox Analysis, low-value information needing correlation, Analyst workbench)</li> <li>Pull events from feeds or indicator lists to perform lookups against SIEMs</li> <li>Subscribe to ZMQ pub-sub to get published events for use in lookup processes</li> <li>Match attributes against SIEMs using the lookup expansion module</li> <li>Import activities from a SIEM (e.g. Splunk lookup validation or false-positive feedback), NIDS or honeypot devices</li> <li>Post Sightings from IDSes, IPSes, SIEMs back to MISP</li> <li>Use sightings to improve NIDS rule-sets</li> <li>Generate IDS and NIDS rules automatically or manually using IoCs</li> <li>Feed data to honeypots to generate blocklists and DNS RPZ zones</li> <li>Consume correlated results in SIEMs using the API</li> <li>Search indicators in real-time into a SIEM using MISP ZMQ</li> <li>Submit large sets of IoCs from MISP into SIEMs using PyMISP</li> <li>Import indicators into MISP from other tools (SIEMs, IDSes) and be notified when those indicators appear again</li></ul> |
| As a CSIRT, we want to exchange and discuss information related to incidents and associated risks so that we can collaboratively respond to incidents | <ul><li>Build communities to exchange specific data structures</li> <li>Discuss non-event related topics in Forums</li> <li>Add comments to events (which may represent an incident)</li> <li>Contact a reporter (e.g. another CSIRT) via email (encrypted, anonymously or not) to discuss commercially-sensitive information related to an incident</li></ul> |
| As a CSIRT, we want to interact with threat data in various ways during the threat investigation and incident response process | <ul><li>View events, indicators and feeds</li> <li>Search and filter the data set</li> <li>Classify, contextualize and correlate data</li> <li>Download the viewed data in various formats</li> <li>Interact with MISP data using other tools in the MISP ecosystem (e.g MISP Workbench, Viper, MISPego)</li></ul> |
| As a CSIRT, we want to coordinate with team members and other organisations so that we can avoid duplication of work | <ul><li>Create and manage sharing groups between sectors</li> <li>Join existing communities or sharing groups</li> <li>Create and exchange events and indicators</li> <li>Propose changes to existing analysis or reports</li> <li>Enhance an analysis with additional information using Extended Events</li> <li>Report sightings as false-positive or true-positive (e.g. a partner/analyst has seen a similar indicator)</li> <li>Contribute to threat intel feeds and analyse overlapping data</li></ul> |
| As a CSIRT, we want to share incident information and discuss risks with other team members so that we can collaboratively perform incident analysis | <ul><li>Create, modify, delete and exchange events and indicators</li> <li>Modify distribution settings to exchange individual incidents and ensure confidentiality</li> <li>Use taxonomies and galaxies to classify data before exchange (e.g Indicate the confidentiality of incidents using the NATO classification, indicate the risk of an incident using the threat-level taxonomy)</li> <li>Edit, visualize, and share reports using Event Report</li> <li>Incorporate reports from information sources using the Event Report module</li> <li>Share indicators derived during incident response</li> <li>Correlate and enrich data derived during incidents</li> <li>Coordinate with affected parties during incident response using MISPs collaborative tools (proposals, sightings, emails)</li></ul> |
| As a fraud analyst, I want to investigate financial threats so that I can help financial institutions and consumers prevent financial fraud | <ul><li>Join communities and receive shared IOCs</li> <li>Subscribe to feeds and get IOCs in an easily accessible format</li> <li>Access lists and public feeds of malicious domains (e.g phishing sites) and threats</li> <li>Use indicators to check logs and verify if youre affected by a threat</li> <li>Gather information related to a phishing site and create events</li> <li>Integrate MISP with Maltego to visualise the full ATT&CK framework</li></ul> |
| As a fraud analyst, I want to blend updated threat intel with anti-fraud tools so that I can prevent fraud in real-time | <ul><li>Feed data from MISP to fraud prevention tools</li> <li>Report sightings to MISP from fraud prevention tools</li></ul> |
| As a fraud analyst, I want to collaborate with analysts from other institutions so that we can gain shared situational awareness | <ul><li>Implement a MISP instance, and join relevant communities</li> <li>Publish fraud perpetrators for others to see</li> <li>Exchange events containing fraud information (e.g a bank account number)</li> <li>Use shared fraud data to feed firewalls and blocklists</li> <li>Warn of false positives by alerting for invalid financial indicators</li> <li>Give more credibility to indicators by reacting to event attributes (Sightings)</li> <li>Get feedback from the community on the quality of indicators (Sightings)</li></ul> |
| As a customs and border control agent, I want to facilitate the flow of legal immigration and goods while preventing the illegal trafficking of people and contraband so that I can ensure homeland security | <ul><li>Create or join sharing groups and communities</li> <li>Share information (e.g travel documents / biometric information) between border control agencies using MISP </li> <li>Categorize data using predefined types such PNR (passenger name records)</li> <li>Share information / involve experts for the identification of smuggled goods</li> <li>Perform anonymised lookups against exported data sets information (e.g. offline border control check)</li></ul> |
| As a law enforcement officer, I want to investigate digital crimes and threats so that I can apprehend criminals | <ul><li>Access information sharing communities</li> <li>Get indicators and actionable information from CSIRTs/CERTs networks or researchers</li> <li>Exchange information with other officers via sharing communities</li> <li>Exchange and store incident information on MISP, enabling the system to act as a forensic tool over time</li> |
| As a law enforcement officer, I want to collect and verify evidence of digital crimes so that I can bootstrap my DFIR cases | <ul><li>Collect indicators from shared events</li> <li>Propose changes to existing analysis or reports</li> <li>Enhance existing events with additional pieces of evidence using Extended Events</li> <li>Exchange analysis and reports of digital forensic evidence</li> <li>Correlate indicators corresponding to forensic pieces of evidence</li> <li>Import Mactime timelines to describe forensic activities on an analysed file system</li> <li>Describe forensic analysis cases using objects templates</li> <li>Create, modify and visualise the timeline of events</li> <li>Share analysis and reports of digital forensic evidence</li> <li>Report sightings such as false-positive or true-positive (e.g. a partner/analyst has seen a similar indicator)</li></ul> |
| As a cybersecurity consultant, I want to provide structured threat intelligence to cross-sector partners with diverse requirements so that I can secure their infrastructure | <ul><li>Implement an instance and join relevant communities</li> <li>Integrate MISP with an organisations existing solutions using the API</li> <li>Exchange events containing indicators</li> <li>Setup distribution levels to ensure confidentiality during threat sharing</li> <li>Sync between untrusted and trusted networks using Feed support</li> <li>Notify the community about activities related to an indicator using Sightings</li> <li>Score indicators based on user sightings, including negative sightings and expiration sightings</li> <li>Propose updates to an event owner or indicate a sighting</li> <li>Share attacker techniques via integration with ATT&CK</li> <li>Set an attribute for detection tools using the IDS flag</li></ul> |
| As a cybersecurity specialist, I want to anonymously publish threat intel so that I can protect the identity of people who dont want to be associated with the information | <ul><li>Pseudo-anonymously publish data using Event Delegation</li></ul> |
| As a cybersecurity specialist, I want to investigate threats so that I can remediate and prevent cyber attacks | <ul><li>Query an instance for events that include a given IOC</li> <li>Explore more details from Galaxies and related events</li> <li>Categorize related information within the MITRE ATT&CK framework</li></ul> |
| As a security analyst, I want to access threat data so that I can use it to support my research | <ul><li>Contextualise indicators (attributes) using categories, taxonomies and galaxies</li> <li>Reinforce an analysis using correlation features (e.g. do other analysts have the same hypothesis?)</li> <li>Confirm a specific aspect using correlation features (e.g. are the sinkhole IP addresses used for one campaign?)</li> <li>Verify if a threat is new or unknown in your community using correlation features</li></ul> |
| As a security analyst, I want to access updated threat data so that I can build protection in real time | <ul><li>Monitor feeds for recent indicators</li> <li>Monitor activity in real-time on MISP dashboard by subscribing to ZMQ feeds</li> <li>Process information in real-time when it's updated, created or gathered using ZMQ</li></ul> |
| As a risk analyst, I want to identify and predict risks to my organization so that I can improve the organizations security posture and situational awareness | <ul><li>Use a MISP instance as a database of events representing threats</li> <li>Classify risks using taxonomies and galaxies</li> <li>Generate statistics from your MISP instance to deduce from incidents the current operational status, risk posture, and threats to the cyber environment</li> <li>Monitor trends and adversary TTPs using MISP-dashboard and built-in statistics</li> |
| As a risk analyst, I want to present risk data to stakeholders in various formats (depending on their technical ability), so that I can justify the need for risk-mitigating strategies | <ul><li>Show trends within the sector/geographical region using MISP dashboard and built-in statistics</li> <li>Turn MISP data into explorable graphs or timelines representing their activity or events</li> <li>Export data from MISP in various formats</li> <li>Share reports along with actionable data using Events Report</li></ul> |
| As a disinformation researcher, I want to identify indicators associated with a specific operation or campaign so that I can help track and mitigate threats | <ul><li>Monitor MISP feeds for indicators</li><li>Find relationships between indicators using correlation</li></ul> |
| As a disinformation researcher and journalist, I want to investigate information campaigns so that I can report whether there is or isnt disinformation or misinformation | <ul><li>Compare external feeds information with already-available information</li> <li>Analyze the connections between incident objects</li> <li>Map data with AMITT (embedded in MISP) to understand threat actor capabilities</li> <li>Generate events that can be shared directly, via email or MISP</li> <li>Add object types (e.g for common social media platforms), relationship types (to make the graphs that users can traverse in MISP richer) and taxonomies (e.g DFRLabs Dichotomies of Disinformation, and a NATO-led tactical variant) to describe indicators and events</li> <li>Generate and share information operations data in MISP JSON or STIX format for easy sharing</li> <li>Classify events with AM!TT techniques using the inline AM!TT Navigator</li> <li>Describe attack patterns using AMITT for the attack patterns</li> <li>Track disinformation techniques using the AMITT galaxy</li> <li>Integrate MISP with TheHive for case tracking</li> <li>Describe additional disinformation cases using object templates</li></ul> |
| As a disinformation researcher, I want to connect with other researchers and responders so that we can collaboratively verify if an article/video/image contains disinformation and verify that a source (publisher, domain, etc) doesnt distribute disinformation | <ul><li>Join a disinformation community</li> <li>Notify the community about activities related to an indicator</li> <li>Score indicators based on users sighting</li> <li>Corroborate a finding using correlation features (e.g. is this the same campaign?)</li></ul> |
| As a disinformation researcher, I want to collaborate with other researchers and responders so that we can collectively stop disinformation campaigns | <ul><li>Browse and Join disinformation communities (e.g CogSec Collab MISP)</li> <li>Contextualise data using tags, taxonomies and galaxies</li> <li>Describe information campaigns indicators and events using taxonomies (e.g DFRLab Dichotomies of Disinformation)</li> <li>Find relationships between indicators using correlation</li> <li>Describe misinformation tactics/techniques using the AMI!TT framework (galaxy)</li> <li>Include relevant techniques found in a report or sighting in misinformation event data using AM!TT Navigator</li></ul> |
| As a data scientist, I want to automate tasks related to data collection, curation, analysis, and visualization so that I can reduce security analysts' workloads | <ul><li>Collect, add, update, search events/attributes/tags using PyMISP</li> <li>Study malware samples using PyMISP</li> <li>Write scripts to import (from other tools such as VirusTotal) additional attributes or IOC data (such as hashes) to build up knowledge on an event</li> <li>Automatically handle indicators in third-party tools using PyMISP</li> <li>Integrate MISP with existing infrastructure using PyMISP</li> <li>Automate the dissemination of threat intelligence and threat data using the API</li> <li>Generate exports to be ingested into other platforms</li> <li>Create a range of filtered subsets of the dataset for various protective measures</li> <li>Write scripts to disable the IDS flag based on the number of false-positive reported sightings, in order to prevent using false-positive indicators for detection or correlation actions</li> <li>Generate data statistics and send reports via email, attached as CSV files using the API</li> <li>Feed processed data into IDSes and 3rd party visualization using PyMISP</li> <li>Build custom widgets to visualise/track data via the Dashboard</li> <li>Extend MISP with Python scripts using MISP modules</li> <li>Auto-discover new modules with their features using the API</li></ul> |
| As a data scientist, I want to collect and analyze data from various sources so that I can prioritize and predict risk | <ul><li>Aggregate indicators and sightings of all attributes/objects, useful for detecting particular security events or threats</li> <li>Use PyMISP for Scripted processing of events and attributes</li> <li>Collect data from open data portals using the API</li> <li>Publish open data and create data sets</li> <li>Investigate file hashes, malicious website URLs, IP Addresses and domain names using shared indicators</li> <li>Aggregate data sets for security research and threat analysis</li> <li>Analyse and select threat feeds for incorporation into other tools to hunt known indicators</li> <li>Indicate if an attribute should be used for detection or correlation actions using the IDS flag</li> <li>Download data in various formats for ingestion in other tools, and for training ML models</li></ul> |