diff --git a/SUMMARY.md b/SUMMARY.md
index 1da76d1..56d5fec 100755
--- a/SUMMARY.md
+++ b/SUMMARY.md
@@ -33,6 +33,7 @@
* [FAQ](faq/README.md)
* [Dev FAQ](dev-faq/README.md)
* [Best Practices](best-practices/README.md)
+* [User stories](user-stories/README.md)
* [User personas](user-personas/README.md)
* [Appendices](appendices/README.md)
diff --git a/user-stories/README.md b/user-stories/README.md
new file mode 100644
index 0000000..1a9375a
--- /dev/null
+++ b/user-stories/README.md
@@ -0,0 +1,53 @@
+# MISP User Stories
+
+| User story | Example workflow |
+|-|-|
+| As a lead threat intelligence analyst, I want to lead a team focused on hunting down threats so that I can prevent attacks against ICT infrastructures and organizations | - Monitor what teams are up to in real-time using the Live Dashboard
|
+| As a threat analyst, I want to research, analyze and reverse engineer malware so that I can know how to counter it | - Attach and download files and malware samples from events
- Search for hashes/IPs/domains/URLs from malware events, or add malware samples hashes to an event
- Analyse observables and malware collected during an incident (e.g. domain name, IP addresses etc.) by checking whether observables are IoCs or false positives using ‘correlation graph’ and ‘expansion modules’.
- Enrich malware events by querying data sources external to MISP using modules
- Perform dynamic malware analysis correlations
- Submit events with malware samples to analysis tools (e.g VirusTotal, VMRay) for further analysis, and then extend MISP with malware analysis results
|
+| As a lead threat intelligence analyst, I want to convert threat data into actionable threat intelligence so that I can improve security posture. | - Import data from external sources
- Add feeds
- Contextualise events and attributes using tags, taxonomies and galaxies
|
+| As a threat analyst, I want to exchange threat information with third parties so that we can gain shared situational awareness | - Setup different models of distribution on MISP instance
- Sync events and attributes between instances
- Use filtering functionalities to meet an organisation's sharing policy
- Share information, pentest information, malware samples, vulnerabilities internally and externally
- Use feature/achievements widget adding gamification to the information sharing
|
+| As a threat analyst, I want to monitor threats and access live data so that I can manage threats before they cause major damage | - Import lists of indicators and check if the IOCs are present in feeds.
- Monitor statistics and sightings using widgets
- Show live data and stats from one or more MISP instances via the Dashboard
- Process information in real-time when it's updated, created, or published by instances by integrating with ZMQ
- Use sightings to notify an instance about activities related to an indicator
|
+| As a threat analyst, I want to aggregate and compare indicators from various sources so that I can connect the dots between various threats | - Join communities and subscribe to the feeds
- Add events and assign events to specific feeds
- Correlate indicators using MISP's automated correlation engine
- Link events and attributes using the correlation graph
- Analyse and gain more information on attributes using modules
- Link events with malware, threat actors etc using galaxies (e.g ATT&CK)
|
+| As a threat analyst, I want to have a structured database of threat data that I can use to perform lookups/queries when investigating new threats | - Store information in a structured format using STIX
- Import unstructured reports using the free-text import tool
- Use MISP as a centralized hub for security and fraud threat intel. Centralize threat intel by aggregating indicators from OSINT and commercial feeds
- Remove false positives and duplicates
- Score indicators based on Sightings and other metrics
Import/integrate feeds or threat intelligence from third parties Generate, select, exchange, and collect intelligence using feeds - Select and import events
- Look for correlations between events using the correlation graph
- Build filtered subsets of the data repository for feed creation.
- Preview and correlate feed data directly for evaluation
|
+| As a threat analyst, I want to contextualize and enrich raw threat data so that I can produce actionable intelligence | - Understand attacker TTPs by using taxonomies to link events
- Categorize risks and incidents using galaxies and taxonomies
- Quickly classify information using tags collections
- Contextualise sightings with information on the source
- Enrich IDSes export with tags to fit your NIDS deployment
- Decay attributes and score indicators using sightings (reported by IDSes)
- Describe and visualise complex scenarios using MISP's richer data structure
- Allow advanced combination of attributes using MISP objects
|
+| As a threat analyst, I want to investigate threats so that I can protect computer systems from attacks | - Find relevant data for investigations from MISP communities. Preview new MISP events and alerts from multiple sources such as email reports, CTI providers, and SIEMs
- Query a MISP instance for events that include a given IOC. Browse through other MISP events, attributes, objects, tags, and galaxies
- Create events, add IoCs (attributes), and contextualise (using tags)
- Pivot an event into its attributes, objects, tags, galaxies, and/or related Events
- Explore further details from Galaxies and related Events
- Categorize available related information within the ATT&CK framework.
- Query tools (e.g Cytomic Orion API) to check if certain MISP indicators have been observed, and the import sighting details to add them to MISP events
- Prioritize threats using Sightings collected from users, scripts and IDSes.
- Decay/expire indicators using sightings reported by users, scripts and IDSes
- Launch lookups from MISP against SIEMs as part of an investigation
- Correlate network forensic flows from several tools
|
+| As a SOC team, we want to ingest, analyse, store and make connections between threat data so as to discover potential threats | - See connections between events using the correlations graph
- Import CVEs and vulnerabilities (e.g from MetaSploit) and contextualise them
- Contextualise CVEs using events gotten from articles/reports
- Convert CVE information into a feed
- Pull shared CVE feeds
- Combine collected data with your MISP data set for correlation
- Share correlated info to the team using the export function or API search
- View current threats and activity, historical, geolocalized information using MISP Dashboard
|
+| As a junior SOC analyst, I want to enrich alerts so that I can "punch above my weight" and make connections that would have otherwise required more experience | - Create events, add/import observables
- Use Cortex and its analyzers to gain insight
- Leverage tags, sightings, and previously-seen observables to feed your threat intelligence
- Export IOCs to MISP instances after investigations are complete
- Integrate MISP with Maltego to generate visualisations of data
- Integrate MISP with Elastic to access threat data without the complexities of the MISP interface.
- Push attributes from MISP to Elastic and have a representation with graphs, an alternative to using MISP Dashboard.
- Create taxonomies using the taxonomy editor.
- Contextualise data using taxonomies, clusters and galaxies
|
+| As a SOC analyst, I want to customize risk feeds to ignore or downgrade alerts that do not match organization/ industry-specific criteria, so that I can focus on relevant alerts | - Filter incidents based on taxonomies (e.g the veris country taxonomy to indicate countries affected by an incident)
- Normalise external input and feeds in MISP (e.g. feed importer).
- Compare feeds before import to find similarities and false positives.
- Evaluate the quality of the information before importing it (warning-list lookups at feed evaluation)
|
+| As a SOC analyst, I want to share real-time information pertaining to new or existing cases/observables to team members so that we can collaborate on investigations simultaneously | - Control threat sharing using ‘distribution settings’: sharing group, community-only, connected communities, all communities.
- Share sensitive and confidential events using the ‘sharing group’ functionality
- Measure the impact of an incident using taxonomies based on NISD/OESs impact criteria
- Export and share sightings in ATT&CK sightings format to give insights on TTPs and frequency of usage
|
+| As a SOC analyst, I want to rule out false positives so that I can focus on significant threats | - Weed out false positives using warning lists
- Crowd source data validation from community
- Filter indicators based on specific criteria
- Receive information on false positives using collaborative tools (proposals, sightings)
|
+| As a threat analyst, I want to remove false positives, filter and prioritize alerts so that I can focus on what really matters to my organization | - Evaluate the quality and freshness of indicators using decaying models
- Enforce warninglists to exclude events with certain attributes
- Enable warninglists to alert for certain issues
- Classify information (add/remove tags) based on their score or visibility via sightings
- Use tags to set events or attributes for further processing by external tools (e.g. VirusTotal auto-expansion using Viper)
- Notify an instance about activities related to an indicator via Sighting
- Limit NIDS exports and improve rules using Sightings
- Filter indicators based on specific criteria
- Filter out relevant data when feeding protective tools
|
+| As a security analyst, I want to unravel the inner workings of a malicious file, phishing email or domain so that I can prevent attacks | - Integrate MISP with a Security Incident Response Platform (e.g TheHive)
- Import indicators from MISP into the SIRP for further analysis
|
+| As a security analyst, I want to create blacklists/whitelists (e.g of domains) so that I can protect customers from malicious activity | - Import threat data into MISP from synced servers and label using taxonomies
- Enable warning lists, and exclude attributes that exist on the warning lists
- Create lists with preferred attributes and export the list in an easy accessible format as CSV
|
+| As a security analyst, I need a real-time overview of threat information so that I can quickly glance at important metrics | - Integrate ZMQ to access a dashboard showing live data and stats
- Monitor ongoing trends based on interests using the EventStream widget
- Monitor activity in real-time on MISP dashboard by subscribing to ZMQ feeds
- View immediate contributions made by organisations from MISP's live dashboard
- Find threats within your constituency using MISP Geolocalisation Dashboard
- Get geospatial threat information from specific regions using the Geolocalisation Dashboard
|
+| As a security analyst, I want to automate repetitive tasks related to data normalization, importation, aggregation and enrichment so that I can have more time to put into threat analysis efforts | - Automate tasks using PyMISP
- Use PyMISP for Scripted processing of events and attributes
|
+| As a security analyst, I want to collaborate with other analysts within and out of my organization’s sector so that we can support one another | - Build or join communities to exchange specific data structures
- Share real-time analysis of an incident
- Propose modifications to someone else's analysis using Proposals
|
+| As a security analyst, I want to triage and prioritize alerts so as to avoid alert fatigue | - Evaluate the quality and freshness of indicators using decaying models
- Weed out false positives using warning lists
- Enable warning lists to alert for critical issues
- Filter indicators based on specific criteria
- Score indicators based on user sightings, including negative sightings and expiration sightings.
- Classify information (add/remove tags) based on their score or visibility via sightings
|
+| As an incident responder, I want to get an up-to-date picture of the threat landscape so that I can prepare for threats in advance | - Describe the impact of threat using taxonomies (e.g using the veris timeline taxonomy to indicate the duration of the incident)
- Classify data to gain insight into the threat landscape.
- Classify data so IDSes can alert on a rule
- Integrate ZMQ to have a dashboard showing live data and statistics.
- Integrate ZMQ to process information in real-time when it's updated, created, or gathered in MISP.
|
+| As an incident responder, I want to identify and respond to incidents so that I can reduce the impact and severity of an attack | - Report false or true positives using the sighting mechanism, based on an incident investigation
- Decay indicators to guarantee the quality of the indicators
|
+| As an incident responder, I want to receive early warnings and alerts about threats/incidents so that I can retaliate before they cause any harm | - Receive correlated threat intel from sharing groups and communities
- Monitor MISP feeds for alerts
- Preview new events and alerts from multiple sources
- Automate import/export of IoCs to/from protective or detection tools like IDSes and IPSes
- Dispatch notifications when certain events are created or modified using the alert feature
- Create filter rules based on personalised uses. Restrict alert messaged by tags, publishing organisation or other metrics
|
+| As an incident responder, I want to store information identified during an incident investigation so that I can perform lookups/queries against the historical database during future incidents | - Use a MISP instance as a database of events representing incidents. Store incident response data internally in a structured manner on MISP
- Represent indicators using attributes. Attributes such as network indicators (e.g. IP address) or system indicators (e.g. a string in memory)
- Combine OSINT and your own intelligence
- Create events made up of indicators (attributes) and then leverage these as a threat data feed
- Modify events representing incidents to enable monitoring over time
- Add object types to describe incidents
- Monitor indicators for relevancy using Sightings
- Ensure information quality and freshness by expiring indicators depending on their personalised objectives
- Pull events from indicator lists to perform lookups against SIEMs
- Use indicators to check logs and verify if you’re affected by a threat
- Correlate indicators with actual incidents to get more information
- Integrate MISP with IR tools (e.g TheHive) to (1) analyse observables during an incident, (2) import and (3) export events from MISP to TheHive and vice-versa
- Perform large-scale bulk data/traffic analysis and correlation against your MISP database using SightingsDB
|
+| As an incident responder, I want to export and feed data between security tools so that I can enhance their functionalities | - Export data from MISP to feed protective/detective tools and early warning systems. Export formats support IDSes / IPSes (e.g. Suricata, Bro, Snort), SIEMs (eg CEF), Host scanners (e.g. OpenIOC, STIX, CSV, yara), analysis tools (e.g. Maltego), DNS policies (e.g. RPZ)
- Feed MISP using automatic tools (e.g. Sandbox Analysis, low-value information needing correlation, Analyst workbench)
- Pull events from feeds or indicator lists to perform lookups against SIEMs
- Subscribe to ZMQ pub-sub to get published events for use in lookup processes
- Match attributes against SIEMs using the lookup expansion module
- Import activities from a SIEM (e.g. Splunk lookup validation or false-positive feedback), NIDS or honeypot devices
- Post Sightings from IDSes, IPSes, SIEMs back to MISP
- Use sightings to improve NIDS’ rule-sets
- Generate IDS and NIDS rules automatically or manually using IoCs
- Feed data to honeypots to generate blocklists and DNS RPZ zones
- Consume correlated results in SIEMs using the API
- Search indicators in real-time into a SIEM using MISP ZMQ
- Submit large sets of IoCs from MISP into SIEMs using PyMISP
- Import indicators into MISP from other tools (SIEMs, IDSes) and be notified when those indicators appear again
|
+| As a CSIRT, we want to exchange and discuss information related to incidents and associated risks so that we can collaboratively respond to incidents | - Build communities to exchange specific data structures
- Discuss non-event related topics in Forums
- Add comments to events (which may represent an incident)
- Contact a reporter (e.g. another CSIRT) via email (encrypted, anonymously or not) to discuss commercially-sensitive information related to an incident
|
+| As a CSIRT, we want to interact with threat data in various ways during the threat investigation and incident response process | - View events, indicators and feeds
- Search and filter the data set
- Classify, contextualize and correlate data
- Download the viewed data in various formats
- Interact with MISP data using other tools in the MISP ecosystem (e.g MISP Workbench, Viper, MISPego)
|
+| As a CSIRT, we want to coordinate with team members and other organisations so that we can avoid duplication of work | - Create and manage sharing groups between sectors
- Join existing communities or sharing groups
- Create and exchange events and indicators
- Propose changes to existing analysis or reports
- Enhance an analysis with additional information using Extended Events
- Report sightings as false-positive or true-positive (e.g. a partner/analyst has seen a similar indicator)
- Contribute to threat intel feeds and analyse overlapping data
|
+| As a CSIRT, we want to share incident information and discuss risks with other team members so that we can collaboratively perform incident analysis | - Create, modify, delete and exchange events and indicators
- Modify distribution settings to exchange individual incidents and ensure confidentiality
- Use taxonomies and galaxies to classify data before exchange (e.g Indicate the confidentiality of incidents using the NATO classification, indicate the risk of an incident using the threat-level taxonomy)
- Edit, visualize, and share reports using Event Report
- Incorporate reports from information sources using the Event Report module
- Share indicators derived during incident response
- Correlate and enrich data derived during incidents
- Coordinate with affected parties during incident response using MISP’s collaborative tools (proposals, sightings, emails)
|
+| As a fraud analyst, I want to investigate financial threats so that I can help financial institutions and consumers prevent financial fraud | - Join communities and receive shared IOCs
- Subscribe to feeds and get IOCs in an easily accessible format
- Access lists and public feeds of malicious domains (e.g phishing sites) and threats
- Use indicators to check logs and verify if you’re affected by a threat
- Gather information related to a phishing site and create events
- Integrate MISP with Maltego to visualise the full ATT&CK framework
|
+| As a fraud analyst, I want to blend updated threat intel with anti-fraud tools so that I can prevent fraud in real-time | - Feed data from MISP to fraud prevention tools
- Report sightings to MISP from fraud prevention tools
|
+| As a fraud analyst, I want to collaborate with analysts from other institutions so that we can gain shared situational awareness | - Implement a MISP instance, and join relevant communities
- Publish fraud perpetrators for others to see
- Exchange events containing fraud information (e.g a bank account number)
- Use shared fraud data to feed firewalls and blocklists
- Warn of false positives by alerting for invalid financial indicators
- Give more credibility to indicators by reacting to event attributes (Sightings)
- Get feedback from the community on the quality of indicators (Sightings)
|
+| As a customs and border control agent, I want to facilitate the flow of legal immigration and goods while preventing the illegal trafficking of people and contraband so that I can ensure homeland security | - Create or join sharing groups and communities
- Share information (e.g travel documents / biometric information) between border control agencies using MISP
- Categorize data using predefined types such PNR (passenger name records)
- Share information / involve experts for the identification of smuggled goods
- Perform anonymised lookups against exported data sets information (e.g. offline border control check)
|
+| As a law enforcement officer, I want to investigate digital crimes and threats so that I can apprehend criminals | - Access information sharing communities
- Get indicators and actionable information from CSIRTs/CERTs networks or researchers
- Exchange information with other officers via sharing communities
- Exchange and store incident information on MISP, enabling the system to act as a forensic tool over time
|
+| As a law enforcement officer, I want to collect and verify evidence of digital crimes so that I can bootstrap my DFIR cases | - Collect indicators from shared events
- Propose changes to existing analysis or reports
- Enhance existing events with additional pieces of evidence using Extended Events
- Exchange analysis and reports of digital forensic evidence
- Correlate indicators corresponding to forensic pieces of evidence
- Import Mactime timelines to describe forensic activities on an analysed file system
- Describe forensic analysis cases using objects templates
- Create, modify and visualise the timeline of events
- Share analysis and reports of digital forensic evidence
- Report sightings such as false-positive or true-positive (e.g. a partner/analyst has seen a similar indicator)
|
+| As a cybersecurity consultant, I want to provide structured threat intelligence to cross-sector partners with diverse requirements so that I can secure their infrastructure | - Implement an instance and join relevant communities
- Integrate MISP with an organisation’s existing solutions using the API
- Exchange events containing indicators
- Setup distribution levels to ensure confidentiality during threat sharing
- Sync between untrusted and trusted networks using Feed support
- Notify the community about activities related to an indicator using Sightings
- Score indicators based on user sightings, including negative sightings and expiration sightings
- Propose updates to an event owner or indicate a sighting
- Share attacker techniques via integration with ATT&CK
- Set an attribute for detection tools using the IDS flag
|
+| As a cybersecurity specialist, I want to anonymously publish threat intel so that I can protect the identity of people who don’t want to be associated with the information | - Pseudo-anonymously publish data using Event Delegation
|
+| As a cybersecurity specialist, I want to investigate threats so that I can remediate and prevent cyber attacks | - Query an instance for events that include a given IOC
- Explore more details from Galaxies and related events
- Categorize related information within the MITRE ATT&CK framework
|
+| As a security analyst, I want to access threat data so that I can use it to support my research | - Contextualise indicators (attributes) using categories, taxonomies and galaxies
- Reinforce an analysis using correlation features (e.g. do other analysts have the same hypothesis?)
- Confirm a specific aspect using correlation features (e.g. are the sinkhole IP addresses used for one campaign?)
- Verify if a threat is new or unknown in your community using correlation features
|
+| As a security analyst, I want to access updated threat data so that I can build protection in real time | - Monitor feeds for recent indicators
- Monitor activity in real-time on MISP dashboard by subscribing to ZMQ feeds
- Process information in real-time when it's updated, created or gathered using ZMQ
|
+| As a risk analyst, I want to identify and predict risks to my organization so that I can improve the organization’s security posture and situational awareness | - Use a MISP instance as a database of events representing threats
- Classify risks using taxonomies and galaxies
- Generate statistics from your MISP instance to deduce from incidents the current operational status, risk posture, and threats to the cyber environment
- Monitor trends and adversary TTPs using MISP-dashboard and built-in statistics
|
+| As a risk analyst, I want to present risk data to stakeholders in various formats (depending on their technical ability), so that I can justify the need for risk-mitigating strategies | - Show trends within the sector/geographical region using MISP dashboard and built-in statistics
- Turn MISP data into explorable graphs or timelines representing their activity or events
- Export data from MISP in various formats
- Share reports along with actionable data using Events Report
|
+| As a disinformation researcher, I want to identify indicators associated with a specific operation or campaign so that I can help track and mitigate threats | - Monitor MISP feeds for indicators
- Find relationships between indicators using correlation
|
+| As a disinformation researcher and journalist, I want to investigate information campaigns so that I can report whether there is or isn’t disinformation or misinformation | - Compare external feeds information with already-available information
- Analyze the connections between incident objects
- Map data with AMITT (embedded in MISP) to understand threat actor capabilities
- Generate events that can be shared directly, via email or MISP
- Add object types (e.g for common social media platforms), relationship types (to make the graphs that users can traverse in MISP richer) and taxonomies (e.g DFRLab’s Dichotomies of Disinformation, and a NATO-led tactical variant) to describe indicators and events
- Generate and share information operations data in MISP JSON or STIX format for easy sharing
- Classify events with AM!TT techniques using the inline AM!TT Navigator
- Describe attack patterns using AMITT for the attack patterns
- Track disinformation techniques using the AMITT galaxy
- Integrate MISP with TheHive for case tracking
- Describe additional disinformation cases using object templates
|
+| As a disinformation researcher, I want to connect with other researchers and responders so that we can collaboratively verify if an article/video/image contains disinformation and verify that a source (publisher, domain, etc) doesn’t distribute disinformation | - Join a disinformation community
- Notify the community about activities related to an indicator
- Score indicators based on users sighting
- Corroborate a finding using correlation features (e.g. is this the same campaign?)
|
+| As a disinformation researcher, I want to collaborate with other researchers and responders so that we can collectively stop disinformation campaigns | - Browse and Join disinformation communities (e.g CogSec Collab MISP)
- Contextualise data using tags, taxonomies and galaxies
- Describe information campaigns indicators and events using taxonomies (e.g DFRLab Dichotomies of Disinformation)
- Find relationships between indicators using correlation
- Describe misinformation tactics/techniques using the AMI!TT framework (galaxy)
- Include relevant techniques found in a report or sighting in misinformation event data using AM!TT Navigator
|
+| As a data scientist, I want to automate tasks related to data collection, curation, analysis, and visualization so that I can reduce security analysts' workloads | - Collect, add, update, search events/attributes/tags using PyMISP
- Study malware samples using PyMISP
- Write scripts to import (from other tools such as VirusTotal) additional attributes or IOC data (such as hashes) to build up knowledge on an event
- Automatically handle indicators in third-party tools using PyMISP
- Integrate MISP with existing infrastructure using PyMISP
- Automate the dissemination of threat intelligence and threat data using the API
- Generate exports to be ingested into other platforms
- Create a range of filtered subsets of the dataset for various protective measures
- Write scripts to disable the IDS flag based on the number of false-positive reported sightings, in order to prevent using false-positive indicators for detection or correlation actions
- Generate data statistics and send reports via email, attached as CSV files using the API
- Feed processed data into IDSes and 3rd party visualization using PyMISP
- Build custom widgets to visualise/track data via the Dashboard
- Extend MISP with Python scripts using MISP modules
- Auto-discover new modules with their features using the API
|
+| As a data scientist, I want to collect and analyze data from various sources so that I can prioritize and predict risk | - Aggregate indicators and sightings of all attributes/objects, useful for detecting particular security events or threats
- Use PyMISP for Scripted processing of events and attributes
- Collect data from open data portals using the API
- Publish open data and create data sets
- Investigate file hashes, malicious website URLs, IP Addresses and domain names using shared indicators
- Aggregate data sets for security research and threat analysis
- Analyse and select threat feeds for incorporation into other tools to hunt known indicators
- Indicate if an attribute should be used for detection or correlation actions using the IDS flag
- Download data in various formats for ingestion in other tools, and for training ML models
|