MISP
/
misp-book
mirror of https://github.com/MISP/misp-book
2
0
Fork 0
Code Issues Releases Wiki Activity

Merge branch 'main' into contributing

pull/261/head
E. Cleopatra 2021-04-12 08:39:35 +01:00 committed by GitHub
parent ebcf0e97d1 f3850af90a
commit 666d2a83b0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
9 changed files with 636 additions and 41 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.travis.yml
View File

@ -15,7 +15,7 @@ install:
- sudo npm update -g
- npm install honkit
- npm install gitbook-plugin-github
- npm install gitbook-plugin-toc
- npm install gitbook-plugin-atoc
- npm install gitbook-plugin-anchors
- npm install gitbook-plugin-image-class
- npm install gitbook-plugin-codesnippet

6
README.md
View File

@ -40,9 +40,9 @@ The MISP user guide is dual-licensed under [GNU Affero General Public License ve
* Copyright \(C\) 2012 Christophe Vandeplas
* Copyright \(C\) 2012 Belgian Defence
* Copyright \(C\) 2012 NATO / NCIRC
* Copyright \(C\) 2013-2021 Andras Iklody
* Copyright \(C\) 2013-2020 Andras Iklody
* Copyright \(C\) 2015-2021 Alexandre Dulaunoy
* Copyright \(C\) 2014-2021 CIRCL - Computer Incident Response Center Luxembourg
* Copyright \(C\) 2018 Camille Schneider
* Copyright \(C\) 2018-2021 Steve Clement
* Copyright \(C\) 2018-2020 Steve Clement
* Copyright \(C\) 2021 Jeroen Pinoy

2
SUMMARY.md
View File

@ -33,5 +33,7 @@
* [FAQ](faq/README.md)
* [Dev FAQ](dev-faq/README.md)
* [Best Practices](best-practices/README.md)
* [User stories](user-stories/README.md)
* [User personas](user-personas/README.md)
* [Appendices](appendices/README.md)

16
administration/README.md
View File

@ -39,7 +39,7 @@ To add a new user, click on the Add User button in the administration menu to th
* **Organisation:** A drop-down list enables you to choose an organisation for the user. To learn more about organisation, [click here](#organisation).
* **Roles:** A drop-down list allows you to select a role-group that the user should belong to. Roles define user privileges attributed to the user. To learn more about roles, [click here](#managing-the-roles).
* **Authkey:** This is assigned automatically and is the unique authentication key of said user (he/she will be able to reset this and receive a new key). It is used for exports and for connecting one server to another, but it requires the user to be assigned to a role that has auth permission enabled.
* **NIDS Sid:** ID of network intrusion detection systems.
* **NIDS SID:** Network Intrusion Detection System (NIDS) Signature ID (SID). Snort rules exported by the created user will have the offset defined in the user profile and each rule generated during the export will receive an incrementing SID starting with the user's offset. If no SID offset is specified a default, randomized value will be set.
* **Sync user for:** Use this option for granting the user the right to synchronize the event between MISP server. This option is available for admin, Org Admin and Sync user role.
* **Gpgkey:** The key used to encrypt e-mails sent through the system.
* **Fetch GnuPG key:** Fetch GnuPG public key.
@ -363,6 +363,18 @@ When viewing the list of allowlisted addresses, the following data is shown: The
![You can edit or delete currently allowlisted addresses using the action buttons on this list.](figures/allowedlist.png)
## Managing correlation exclusions
Correlation exclusions allow you to exclude certain values from the correlation engine. Values can be 1:1 matches or substring searches denoted with a leading or ending '%', or both.
Examples:
- https://www.google.com/% will match anything starting with https://www.google.com/
- %google.com% will match anything that contains google.com
After adding an exclusion, new values coming in will not correlate if they match any of the correlation exclusions. To remove existing correlations run the cleaner tool (see 'Clean up correlations' button in screenshot below).
![index view of correlation exclusions, showing examples of exclusions with a leading, ending wildcard](./figures/correlationExclusions.png)
*Note: the JSON source field is not used yet*
## Using MISP logs
Users with audit permissions are able to browse or search logs that MISP automatically appends each time certain actions are taken (actions that modify data or if a user logs in and out).
@ -813,6 +825,8 @@ The below info is also available in the MISP GUI. Go to event actions -> automat
MISP/app/Console/cake Admin updateGalaxies
#### Update Taxonomy Definitions
MISP/app/Console/cake Admin updateTaxonomies
#### Enable all tags of a taxonomy
MISP/app/Console/cake Admin enableTaxonomyTags [taxonomy_id]
#### Update Object Templates
MISP/app/Console/cake Admin updateObjectTemplates
#### Update Warninglists

BIN
administration/figures/correlationExclusions.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 27 KiB

284
automation/README.md
View File

@ -139,15 +139,15 @@ Find below a non exhaustive list of parameters that can be used to filter data i
- **withAttachments**: If set, encodes the attachments / zipped malware samples as base64 in the data field within each attribute
- **metadata**: Only the metadata (event, tags, relations) is returned, attributes and proposals are omitted.
- **uuid**: Restrict the results by uuid.
- **publish_timestamp**: Restrict the results by the timestamp of the last publishing of the event. The input can be a timetamp or a short-hand time description (7d or 24h for example). You can also pass a list with two values to set a time range (for example ["14d", "7d"]).
- **last**: (Deprecated synonym for publish_timestamp) Restrict the results by the timestamp of the last publishing of the event. The input can be a timetamp or a short-hand time description (7d or 24h for example). You can also pass a list with two values to set a time range (for example ["14d", "7d"]).
- **timestamp**: Restrict the results by the timestamp (last edit). Any event with a timestamp newer than the given timestamp will be returned. In case you are dealing with /attributes as scope, the attribute's timestamp will be used for the lookup. The input can be a timetamp or a short-hand time description (7d or 24h for example). You can also pass a list with two values to set a time range (for example ["14d", "7d"]).
- **publish_timestamp**: Restrict the results by the timestamp of the last publishing of the event. The input can be a timsetamp or a short-hand time description (7d or 24h for example). You can also pass a list with two values to set a time range (for example ["14d", "7d"]).
- **last**: (Deprecated synonym for publish_timestamp) Restrict the results by the timestamp of the last publishing of the event. The input can be a timestamp or a short-hand time description (7d or 24h for example). You can also pass a list with two values to set a time range (for example ["14d", "7d"]).
- **timestamp**: Restrict the results by the timestamp (last edit). Any event with a timestamp newer than the given timestamp will be returned. In case you are dealing with /attributes as scope, the attribute's timestamp will be used for the lookup. The input can be a timestamp or a short-hand time description (7d or 24h for example). You can also pass a list with two values to set a time range (for example ["14d", "7d"]).
- **published**: Set whether published or unpublished events should be returned. Do not set the parameter if you want both.
- **enforceWarninglist**: Remove any attributes from the result that would cause a hit on a warninglist entry.
- **to_ids**: By default (0) all attributes are returned that match the other filter parameters, irregardless of their to_ids setting. To restrict the returned data set to to_ids only attributes set this parameter to 1. You can only use the special "exclude" setting to only return attributes that have the to_ids flag disabled.
- **deleted**: If this parameter is set to 1, it will return soft-deleted attributes along with active ones. By using "only" as a parameter it will limit the returned data set to soft-deleted data only.
- **deleted**: Default value 0. If set to 1, only deleted attributes will be returned. If set to [0,1] , both deleted and non-deleted attributes wil be returned.
- **includeEventUuid**: Instead of just including the event ID, also include the event UUID in each of the attributes.
- **event_timestamp**: Only return attributes from events that have received a modification after the given timestamp. The input can be a timetamp or a short-hand time description (7d or 24h for example). You can also pass a list with two values to set a time range (for example ["14d", "7d"]).
- **event_timestamp**: Only return attributes from events that have received a modification after the given timestamp. The input can be a timestamp or a short-hand time description (7d or 24h for example). You can also pass a list with two values to set a time range (for example ["14d", "7d"]).
- **sgReferenceOnly**: If this flag is set, sharing group objects will not be included, instead only the sharing group ID is set.
- **eventinfo**: Filter on the event's info field.
- **searchall**: Search for a full or a substring (delimited by % for substrings) in the event info, event tags, attribute tags, attribute values or attribute comment fields.
@ -844,6 +844,251 @@ https://<misp url>/attributes/describeTypes
Depending on the headers passed the returned data will be a JSON object or an XML, with 3 main sections: types, categories, category\_type\_mappings.
### POST /attributes/restSearch
Do not use this function with GET!
#### Parameters
- **returnFormat**: The format to return data in. Allowed formats:
- **attack-sightings**: Returns ATTA&CK Sightings in json format for
attributes with mitre-attack-pattern galaxies attached. For further details on the ATT&CK Sightings, please visit the related [MITRE website page](https://attack.mitre.org/resources/sightings/).
- **cache**: Hashes the attributes and returns them as txt. A hashing algorithm can be chosen by also adding the hash_type parameter. Supported hashing algorithms can be found on the [PHP website](https://www.php.net/manual/en/function.hash-algos.php]).
- **count**: Returns the attribute count as txt.
- **csv**
- **hashes**: Returns hash attributes in txt format. For composite attributes, only the hash part is returned.
- **json**
- **netfilter**: Returns netfilter rules for IPs. Action can be set with the netfilter_action parameter. The default action is DROP.
- **opendata**: Please refer to the related MISP project [blog post](https://www.misp-project.org/2020/07/30/publishing-open-data-using-MISP.html).
- **openioc**
- **rpz**
- **snort**
- **suricata**
- **text**: Returns only the attribute values in text format.
- **xml**
- **yara**:
- **yara-json**
- **value**: Search for the given value in the attributes' value field.
- **type**: The attribute type, any valid MISP attribute type is accepted.
- **category**: The attribute category, any valid MISP attribute category is accepted.
- **org**: Search by the creator organisation by supplying the organisation identifier.
- **tags**: Include or exclude attributes with certain tags. See example below. It is strongly recommended to specifically exclude the tags you want to avoid, even if the tags should be exclusive, for example tlp:red and tlp:green.
~~~~json
{
"returnFormat": "json",
"tags": {
"NOT": [
"tlp:red"
],
"OR": [
"tlp:green"
]
}
}
~~~~
- **from**: Will return attributes from events with the date set to a date after the one specified in the from field (format: 2015-02-15).
- **to**: Will return attributes with the date set to a date before the one specified in the to field (format: 2015-02-15).
- **last**: ***Deprecated!!!*** (synonym for publish_timestamp) Restrict the results by the timestamp of the last publication of the event. Any attribute with a last publication timestamp newer than the given timestamp will be returned. The input can be a timestamp or a short-hand time description (7d or 24h for example). You can also pass a list with two values to set a time range (for example ["14d", "7d"]).
- **eventid**: The events that should be included / excluded from the search.
- **withAttachments**: If set, encodes the attachments / zipped malware samples as base64 in the data field within each attribute
- **uuid**: Restrict the results by uuid.
- **publish_timestamp**: Restrict the results by the timestamp of the last publication of the event. Any attribute with a last publication timestamp newer than the given timestamp will be returned. The input can be a timestamp or a short-hand time description (7d or 24h for example). You can also pass a list with two values to set a time range (for example ["14d", "7d"]).
- **published**: Set whether published or unpublished events should be returned. Do not set the parameter if you want both.
- **timestamp**: ***Deprecated!!!*** (synonym for attribute_timestamp) Restrict the results by the timestamp (last edit). Any attribute with a timestamp newer than the given timestamp will be returned. The input can be a timestamp or a short-hand time description (7d or 24h for example). You can also pass a list with two values to set a time range (for example ["14d", "7d"]).
- **enforceWarninglist**: Remove any attributes from the result that would cause a hit on a warninglist entry.
- **to_ids**: By default (0) all attributes are returned that match the other filter parameters, irregardless of their to_ids setting. To restrict the returned data set to to_ids only attributes set this parameter to 1. You can only use the special "exclude" setting to only return attributes that have the to_ids flag disabled.
- **deleted**: Default value 0. If set to 1, only deleted attributes will be returned. If set to [0,1] , both deleted and non-deleted attributes wil be returned.
- **includeEventUuid**: Instead of just including the event ID, also include the event UUID in each of the attributes.
- **event_timestamp**: Only return attributes from events that have received a modification after the given timestamp. The input can be a timestamp or a short-hand time description (7d or 24h for example). You can also pass a list with two values to set a time range (for example ["14d", "7d"]).
- **threat_level_id**: Only return attributes of events with the given threat level id(s). 1 = High, 2 = Medium, 3=Low, 4 = Undefined. See example below.
```
{
"returnFormat": "json",
"threat_level_id": [1,2]
}
```
- **includeEventTags**: If set to 1, the event tags of the event the attribute belongs to will be added to the attribute.
- **limit**: Limit the number of results returned, for example 10 attributes.
- **page**: If a limit is set, sets the page to be returned. page 3, limit 100 will return records 201->300).
- **requested_attributes**: Only for CSV export. Choose the fields you want in the csv output. Available fields are (*non-exhaustive list, more fields can be available depending on the values of other parameters*):
- uuid
- event_id
- category
- type
- value
- comment
- to_ids
- date
- object_relation
- attribute_tag
- object_uuid
- object_name
- object_meta_category
- event_info. Only available if includeContext parameter is set to 1.
- event_member_org. Only available if includeContext parameter is set to 1.
- event_source_org. Only available if includeContext parameter is set to 1.
- event_distribution. Only available if includeContext parameter is set to 1.
- event_threat_level_id. Only available if includeContext parameter is set to 1.
- event_analysis. Only available if includeContext parameter is set to 1.
- event_date. Only available if includeContext parameter is set to 1.
- event_tag. Only available if includeContext parameter is set to 1.
- event_timestamp. Only available if includeContext parameter is set to 1.
- **includeContext**: Adds extra event level context to the output. For each attribute more details are added to the Event object in the output. Please note that this significantly bloats the output data. Example below.
```
"Event": {
"id": "31",
"orgc_id": "1",
"org_id": "1",
"date": "2021-03-11",
"threat_level_id": "1",
"info": "Correlation 2",
"published": true,
"uuid": "0bfe7bf3-f793-4761-8450-8b30ca9d9964",
"analysis": "0",
"timestamp": "1616972381",
"distribution": "1",
"publish_timestamp": "1616972392",
"sharing_group_id": "0",
"extends_uuid": "",
"Tag": [],
"Orgc": {
"id": "1",
"name": "SHARINGORG",
"uuid": "26867ddf-5a9b-4af0-b552-e4020a913b95",
"local": true
}
}
```
- **headerless**: Only for CSV export. The CSV created when this setting is set to true will not contain the header row.
- **includeWarninglistHits**: Adds a warnings block to an attribute if it has warninglist hits. See example below.
```
"warnings": [
{
"match": "10.0.0.0/8",
"value": "10.0.0.1",
"warninglist_name": "List of RFC 5735 CIDR blocks",
"warninglist_id": "46"
},
{
"match": "10.0.0.0/8",
"value": "10.0.0.1",
"warninglist_name": "List of RFC 1918 CIDR blocks",
"warninglist_id": "44"
}
]
```
- **object_relation**: Search on the object_relation field of attributes. You can search for 'malware-sample' attributes of file objects for example. Searching for multiple values at the same time is possible as well.
```
{
"returnFormat": "json",
"object_relation": ["malware-sample", "institution-name"]
}
```
- **includeSightings**: Adds a list of sightings for attributes that have sightings. See example below.
```
"Sighting": [
{
"id": "1",
"attribute_id": "29",
"event_id": "31",
"org_id": "1",
"date_sighting": "1617017091",
"uuid": "48d21518-6b2a-4615-8c4e-91fbe4f08fe7",
"source": "",
"type": "0",
"attribute_uuid": "b3c25257-7f47-41af-a29b-89188e583b5c",
"Organisation": {
"id": "1",
"uuid": "26867ddf-5a9b-4af0-b552-e4020a913b95",
"name": "SHARINGORG"
}
}
]
```
- **includeCorrelations**: Adds a list of correlated attributes for attributes that have correlations. See example below.
```
"RelatedAttribute": [
{
"id": "31",
"event_id": "30",
"object_id": "0",
"object_relation": null,
"category": "Network activity",
"type": "ip-dst",
"uuid": "f3b54c94-89ff-4fcf-9f47-52f70c6540b8",
"timestamp": "1616961683",
"distribution": "5",
"sharing_group_id": "0",
"to_ids": false,
"comment": "",
"value": "10.0.0.1",
"Event": {
"id": "30",
"uuid": "8cca9f2f-9281-49fd-9b30-e16a8dbf6855",
"threat_level_id": "1",
"analysis": "0",
"info": "Correlation 1",
"extends_uuid": "",
"distribution": "1",
"sharing_group_id": "0",
"published": false,
"date": "2021-03-11",
"orgc_id": "1",
"org_id": "1"
}
}
]
```
- **includeDecayScore**: If set to 1, decay score information will be included for attributes that are affected by decaying. See example below. Note that includeEventTags will be set to 1 automatically if includeDecayScore is true.
```
"decay_score": [
{
"score": 77.40239901751683,
"base_score": 80,
"decayed": false,
"DecayingModel": {
"id": "2",
"name": "NIDS Simple Decaying Model"
}
}
],
```
- **decayingModel**: Allows you to set the decaying model(s) to use to calculate the decay score. You can use a model that is not enabled. The value should be set to the id of the model. If this value is not set, a decay score entry will be added for all enabled decaying models that apply to the attribute type.
- **excludeDecayed**: Filter out all expired IOCs. Note that includeDecayScore will be set to 1 automatically if excludeDecayed is true.
- **modelOverrides**: JSON that can be used to modify Model parameters on-the-fly. Example can be found beow.
```
{
"type": "ip-src",
"tags": ["tlp:%","phishing:%"],
"includeDecayScore": 1,
"excludeDecayed": 1,
"modelOverrides": {
"threshold": 30
}
"decayingModel": [84, 12],
}
```
- **includeFullModel**: If set to 1, includes the full decaying model details instead of just the id and name.
- **score**: Overrides the model threshold value with the one you set. This means attributes for which the decay score calculated for all relevant models is lower than this value, will be considered decayed.
- **attribute_timestamp**: Restrict the results by the timestamp (last edit). Any attribute with a timestamp newer than the given timestamp will be returned. The input can be a timestamp or a short-hand time description (7d or 24h for example). You can also pass a list with two values to set a time range (for example ["14d", "7d"]).
- **first_seen**: Restrict the results by the first_seen timestamp of the attribute. Any attribute with a first_seen timestamp newer than the given timestamp will be returned. The input can be a timestamp or a short-hand time description (7d or 24h for example). You can also pass a list with two values to set a time range (for example ["14d", "7d"]).
- **last_seen**: Restrict the results by the last_seen timestamp of the attribute. Any attribute with a first_seen timestamp newer than the given timestamp will be returned. The input can be a timestamp or a short-hand time description (7d or 24h for example). You can also pass a list with two values to set a time range (for example ["14d", "7d"]).
- **searchall**: Search for a full or a substring (delimited by % for substrings) in the attribute tags, attribute values or attribute comment fields.
#### Example
~~~~
curl \
-d '{"returnFormat":"json","value":"foobar"}' \
-H "Authorization: YOUR API KEY" \
-H "Accept: application/json" \
-H "Content-type: application/json" \
-X POST https://192.168.0.220/attributes/restSearch
~~~~
~~~~json
{"response": {"Attribute": [{"id":"44","event_id":"30","object_id":"0","object_relation":null,"category":"Other","type":"comment","to_ids":false,"uuid":"7a5d856c-048a-4dbd-8e6d-41d1790c5ad0","timestamp":"1617056037","distribution":"5","sharing_group_id":"0","comment":"","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"foobar","Event":{"org_id":"1","distribution":"1","id":"30","info":"Correlation 1","orgc_id":"1","uuid":"8cca9f2f-9281-49fd-9b30-e16a8dbf6855"}}]}}
~~~~
## Objects management
### POST /objects/delete/[object_id]/[hard_delete]
#### Description
@ -1564,35 +1809,6 @@ For example, to retrieve all attributes for event #5, including non IDS marked a
https://<misp url>/attributes/text/download/all/null/5/true
~~~~
## RESTful searches with JSON result
It is possible to search the database for attributes based on a list of criteria
To return an event with all of its attributes, relations, shadowAttributes, use the following syntax:
~~~~
https://<misp url>/attributes/restSearch/json/[value]/[type]/[category]/[org]/[tag]/[quickfilter]/[from]/[to]/[last]/[eventid]/[withAttachments]/[metadata]/[uuid]
~~~~
If you include "includeEventUuid":1" in the json request, it will give you the event_uuid as a result as well.
Be careful if you GET the /attributes/restSearch/json/ without an value, it will return all attributes.
### POST /attributes/restSearch
Do not use that function with GET!
#### Example
~~~~
curl -X POST -k -H 'Accept: application/json' -H 'Authorization: API Key' -H 'Content-Type: application/json' -i 'https://URL/attributes/restSearch' --data '{"value":"foobar"}'
~~~~
~~~~json
{
"response": []
}
~~~~
## RESTful searches with XML result export
It is possible to search the database for attributes based on a list of criteria.

4
sharing/README.md
View File

@ -170,8 +170,8 @@ More details on publishing events [here](../using-the-system/#publish-an-event).
#### Visibility of data - events objects and attributes
Assuming that none of the ancestors of the object of attribute are too restrictive, you can view an event/object/attribute on an instance if:
- You are a site admin
- You have any of the other roles and one of the below statements are true:
- You belong to the owner organisation of the event and the distribution is 'Your organisation only'
- Your organisation is owner of the event
- Neither of the above apply and one of the below statements is true:
- The distribution of the event/object/attribute is 'This community only', 'Connected communities' or 'All communities'
- Your organisation belongs to the sharing group of the event/object/attribute or the sharing group has the 'all orgs' flag set for the instance

310
user-personas/README.md Normal file
View File

@ -0,0 +1,310 @@
# MISP user personas
These personas are fictitious but are concrete representations of the people using MISP.
We can use these personas to keep in mind who we are working for, what are their needs, and what MISP should do for them.
These personas come from OSINT on current MISP users (Gitter chats, GitHub issues, LinkedIn) and other sources of information about cybersecurity.
## Primary personas
Farrah and Adam represent the users that are the most important to us.
### Farrah
_**The Threat Hunter**_
Farrah works as a threat intelligence for a security service provider in Malaysia that offers a range of cybersecurity solutions.
He leads a threat intelligence team made up of experienced intelligence analysts who are former military/government employees and contractors.
Farrah uses MISP to analyze malware, gather information about specific adversary groups, and discover emerging threats.
He also uses MISP for data normalization (consolidating data across different source formats), de-duplication (removal of duplicate information), and enrichment (removal of false positives, scoring of indicators, and the addition of context).
_"In order to effectively address threats, you must maintain a team focused on monitoring, generating and triaging alerts"_
#### Role
Lead Threat Intelligence Analyst
#### His primary goals are to:
- Hunt down threats, analyze malware, manage vulnerabilities and prevent attacks against ICT infrastructures, organizations, or people.
- Improve security posture through the aggregation, correlation, and analysis of threat data from multiple sources
- Investigate and understand adversarial capabilities, infrastructure & TTPs.
- Turn threat data from various sources into actionable threat intelligence.
#### He uses MISP to:
- Dispatch notifications containing IoCs to various parties via mail_to_misp.
- Monitor feeds for indicators and correlate attributes and analyze malware (check ransom notes, look for any indicators, check the origin, etc).
- Store attack info in a structured format and allow for automated use of the database for various purposes using the API.
- Prioritize indicators using sighting reports and purge false positives using warning lists.
- Classify and contextualize data using taxonomies and galaxies, and keep track of the advancement of an analysis using tags.
- View and visualize events and activities using MISP-dashboard or Maltego.
- Automatically import, aggregate, compare, contextualize, query, and cross-reference data using PyMISP
- Import, export and enrich data using MISP modules
- Aggregate, curate, and validate indicators from various feeds, then feed the data into detection and analysis tools like NIDs, IDS, and SIEMs
- Query vulnerability scan results in MISP, automatically create/classify events on matching results, then create blocklists by excluding attributes that exist on warning lists.
- Collaborate with others in a sharing community using Proposals (send and receive feedback), Extended Events (add additional information to others analytics), and Event Reports (supply resolution steps and recommendations).
- Share and receive reports of a specific threat, false positives, or post-mortem analysis of an incident from sharing groups.
#### His objectives are to:
- Join relevant sharing communities, produce and publish indicators and share information across sectors to avoid hybrid threats.
- Use IoCs from feeds to identify vulnerabilities, compromised assets, data leaks and to verify the results of a malware scan.
- Triage threat intel, prioritize vulnerabilities, and customize risk feeds to ignore or downgrade irrelevant alerts in order to avoid alert fatigue.
- Generate and share alerts to provide critical information to internal teams and external peers.
- Share information about relevant vulnerabilities, coordinate with security vendors to get notifications, and community sharing of pentest results with other analysts.
- Research the evolution of high-risk malware families, validate malware signatures and domain reputations.
- Use indicators to query security logs/systems and databases, identify compromised systems, and add/modify signatures (used by firewalls, intrusion detection systems, etc), and block or alert on activity matching the indicators.
- Correlate shared indicators from feeds with those captured by other security and network tools to produce intelligence placed in the context of wider threat landscapes.
- Integrate with existing security solutions so as to centralize security in one place. Leverage integrations to alert on information leaks (AIL 2), hunt down threats (McAfee OpenDXL), share attackers techniques (ATT&CK), query and prioritize indicators (MVISION EDR), speed up investigations (Cytomic Orion), and enhance the power of threat data (Carbon Black).
### Adam
_**The Remediator**_
Adam is part of the Computer Security Incident Response Team (CSIRT) at a Belgian cybersecurity consulting firm.
His responsibilities involve incident response, incident coordination, threat intelligence, and vulnerability management.
He monitors potential threats, investigates attacks, and works with other security personnel to reduce the impact and severity of an attack.
Adam uses MISP to monitor incidents, provide early warnings/alerts about incidents, respond to incidents and provide incident analysis and situational awareness.
_“A breach alone is not a disaster, but mishandling it is. The goal is to handle the situation in a way that limits damage and reduces recovery and time costs”_
#### Role
Incident Response
#### His primary goals are to:
- Uncover the effects of attacks, determine how to clean up its impact, and inform a response to an existing incident to mitigate its extent or impacts.
- Develop and maintain strong processes for the most common incidents and threats, and create actionable results and remediation plans for internal stakeholders to proactively improve the security posture and maturity.
- Accelerate incident investigations, management, and prioritization by looking for information on the who/what/why/when/how of an incident.
- Determine the scope of incidents and limit the potential damage.
#### He uses MISP to:
- Store incidents as a database of events, describe incidents through event classification (using taxonomies and galaxies) and use the API to deduce from all incidents the current operational status, risk posture, and threats to the cyber environment.
- Join sharing groups and communities to share incident information with others and discuss information related to risks associated with incidents via Forums, comments to events, and contact a reporter.
- Analyze observables/malware collected during an incident, determining whether they are IoCs or false positives using the correlation graph and expansion modules.
- Alert and send emails when events are created in the system or major changes occur in the events, serving as part of an early warning system.
- Pull events via the API or export IOCs in formats for easy ingestion into other tools (such as SIEMs and IDS) and carrying out investigations by launching lookups against databases.
- Collaborate and get feedback from team members and affected parties during incident response using Proposals.
- Dismiss false positives (using warning lists) and enable alert prioritization.
- Aggregate and compare information from internal and external feeds to identify genuine threats.
- Perform large-scale data/traffic analysis and correlation through lookups against SightingDB.
- Share, receive, store and forward incidents and information identified during an incident investigation, enabling the MISP system to act as a forensic tool over time.
- Correlate and reference network forensic flows from different tools or network equipment
- Speed up incident response via integration with TheHive.
#### His objectives are to:
- Share information and get critical alerts and relevant actionable information in the event of a crisis situation.
- Support forensic analysts and collaborate with law enforcement.
- Improve incident response functionality and increase coverage and detection through integrations with tools like SIEMs.
- Use threat data to validate alarms/events and decide which to escalate to the rest of the incident response team for remediation.
- Aggregate information from various sources and correlating in order to understand how this data fits together in the broad threat landscape.
- Get insights (e.g using data feeds) into attacks, thereby helping incident response teams understand the nature, intent, and timing of specific attacks.
- Prioritize incidents based on risk and impact to the organization and filter out false alerts.
## Secondary personas
Tina, Henry, Jacob, and Sarah represent other users that are also important to us.
### Tina
_**The Fraud Catcher**_
Tina works as a fraud analyst at a National bank in Canada. She is responsible for investigating any forgery or theft within customers' accounts and transactions on behalf of the bank.
Tina uses MISP to find and share financial indicators in order to detect financial frauds.
_"Fighting fraud with threat intelligence is all about alerting"_
#### Role
Fraud analyst
#### Her primary goals are to:
- Identify and trace fraudulent activity.
- Create models for analyzing and determining financial fraud in order to protect consumers and stakeholders.
- Assess and analyze the attack surface, conduct threat modeling, and deliver actionable intelligence with a focus on current and emerging cyber-attacks against financial sector assets.
#### She uses MISP to:
- Map legacy and internal systems/models using MISP objects.
- Find IoCs, malware, vulnerabilities, financial threat, fraud information and share data between other banks and financial institutions using sharing groups.
- Create, modify and visualize the timeline of events, use MISP Dashboard to provide real-time information showing current threats and activity.
- Minimize false positives during the fraud vetting process using warning lists and sightings.
- Detect fraud using threat intel such as real-time notifications for stolen credit cards and phishing URLs from MISP feeds.
- Prevent fraud by integrating MISP with a network of crawlers, honeypots, and other techniques that can cross-reference indicators against feeds, enabling the bank to intercept cards before they are sold on the black market and therefore reduce this risk of fraud.
- Monitor feeds for specific indicators (e.g. email header content, attachments, embedded URLs) related to phishing and fraud attacks.
- Block wire transfers to money mule accounts by integrating MISP warning lists and sightings with blocking systems.
- Aggregate sightings of attributes/objects so as to detect particular security events or threats.
#### Her objectives are to:
- Investigate financial indicators and handle false positives in order to detect and alert for certain potentially invalid data points.
- Aggregate, correlate, and analyze financial indicators from multiple feeds to discover any fraudulent activity.
- Blend threat intel from MISP with anti-fraud tools to identify and prevent fraud in real-time.
- Use threat intel to produce awareness reports informing the institution of threats in the financial sector, and then develop proactive defense strategies against fraud activity.
- Engage with sharing communities that allow individual enterprises to receive and share data so they can protect themselves before they are compromised.
### Henry
_**The Enforcer**_
Henry is a law enforcement officer living in Florida, USA. He works with the Digital Forensics and Incident Response (DFIR) team.
He is responsible for investigating digital security incidents, identifying digital assets targeted during attacks, and documenting all findings.
He uses MISP to support or bootstrap his DFIR cases.
_"I worry about what I dont know, not what I know"_
#### Role
Law Enforcement Officer
#### His primary goals are to:
- Find, gather and analyze digital evidence for criminal investigations.
- Carry out data breach and malware investigations.
#### He uses MISP to:
- Propose changes to existing analyses or reports.
- Correlate (1-to-1 value matches, fuzzy hashing, CIDR block matching) evidence against external/local attributes.
- Correlate and reference network forensic flows from different tools or network equipment using the community-id feature.
- Export data in various formats to feed into and lookup in other security tools.
- Join sharing groups and collaborate with other investigators.
- Receive, gather, analyze and share intelligence on digital crimes.
- Report digital evidence (in STIX) in a structured way for forensic use.
- Collect evidence for forensic analysis from feeds, using shared indicators to carry out cybercriminal behavior investigations, attribution, and identifying the link to organized crime activities.
- Exchange, store and forward incidents/information identified during an incident investigation, enabling the MISP system to act as a forensic tool over time.
#### His objectives are to:
- Share indicators, analyses, and reports of forensic evidence among other law enforcement officers within and out of his team.
- Collaborate with CSIRT/CERTs and security researchers in the investigation of cyberattacks.
- Correlate data identified in a recent incident with data from previous investigations or external feeds.
- Bridge their use-cases with MISPs information-sharing mechanism.
### Jacob
_**The Veteran**_
Jacob is a cybersecurity consultant for organizations looking to secure their infrastructure.
He has founded a cybersecurity agency that provides threat intel and security consulting services to small and medium-sized businesses.
Jacob uses MISP to investigate threats and find IOCs.
He works with many clients and typically wants to integrate MISP into existing client solutions.
_"Theres a difference between threat data and threat intelligence"_
#### Role
Cyber Security consultant
#### His primary goals are to:
- Produce intelligence that will be embedded into organizational workflows and would serve decision-makers.
- Scope and implement custom security solutions across a variety of client software, architectures, and tools.
- Detect, contain, and remediate cybersecurity incidents, manually or programmatically.
#### He uses MISP to:
- Create, collaborate, automate and share threat intel using flexible sharing groups, automatic correlation, free-text import helper, event distribution, and proposals.
- Allow users to notify a MISP instance about activities (gotten from SIEMs, NIDS, honeypot devices, etc) related to an indicator using sightings.
- Monitor feeds delivered through a REST API and correlate IOCs with firewall and other logs to identify potential threats in the organization.
- Push/pull events between local and client MISP instances in order to exchange intel internally and externally.
- Import, export, and enrich data using modules, automate such tasks using PyMISP.
- Create sub-communities and MISP object templates to allow rapid sharing of information using specific data models with existing communities.
- Validate data and flag false positives using warning lists and sightings.
- View live data/statistics and process information in real-time through integration with ZMQ to access MISP-dashboard.
- Pseudo-anonymously publish data using the MISP delegation system.
- Contextualize shared information within MISP instances and communities (using taxonomies and tags), and attach more complex structures to data (using MITRE ATT&CK and other galaxies)
#### His objectives are to:
- Run a Cyber Threat Intel platform using MISP integrated with existing client solutions (such as Active Directory, Splunk ES, ThreatConnect, Recorded Future, and Crowdstrike).
- Gather unstructured data from various sources and connect the dots to provide context on IoCs and TTPs of threat actors.
- Identify incoming threats, triage and prioritize alerts as they emerge.
- Feed SIEMs from MISP and feed MISP from other sources (SIEMs included).
- Share incidents and IOCs for detection (checking if IoCs are present in client infrastructure), blocking (using attributes to block, sinkhole, or divert the traffic), and intelligence (gathering information about campaigns and attacks) purposes.
### Jay
_**The Inquisitor**_
Jay is a risk analyst for a large technology company in the USA.
He is responsible for identifying and predicting risks, as well as forecasting the cost of certain attacks to the organization.
Jay uses MISP data to learn about the broad threat landscape and analyze the likelihood of certain risks, so as to gain situational awareness.
_"The more certain you can be about the probability of a specific exploit impacting your environment, the easier it is to manage risk"_
#### Role
Risk analyst
#### His primary goals are to:
- Improve the organizations security posture, situational awareness, and resilience.
- Forecast evolving threats before they materialize, provide detailed insights into which vulnerabilities pose the greatest risk, and plan accordingly to avoid them.
- Assess business and technical risks, identify the right strategies and technologies to mitigate the risks, communicate the nature of the risks to top management and justify investments in defensive measures.
#### He uses MISP to:
- Monitor trends and adversary TTPs within the companys sector/geographical region, share and track information emerging on a particular topic from the MISP dashboard in order to gain situational awareness.
- Monitor IoCs from various technical feeds and add additional context to internal sources of data using the automatic correlation engine.
- Access risk scores using correlation and sightings.
- Present data using different export formats, event reports, and the MISP dashboard timeline.
#### His objectives are to:
- Use shared indicators to perform a risk assessment, identify key information/assets and illustrate the intent/capability of actors to target these assets through impact assessments.
- Score threats according to the organizations specific needs and prepare processes in advance based on threat data gathered from feeds
- Present data to stakeholders in various formats articles, timelines, graphs, raw data depending on their technical knowledge.
- Gain shared situational awareness through information sharing and collaboration with other experts in the same sector.
### Sarah
_**The Fact Checker**_
Sarah is a disinformation researcher and journalist working for a large American newspaper.
She works with security researchers around the world to investigate cybercrimes and report disinformation.
In the past, she has written about national security and geopolitics. She is used to making decisions on what should or shouldn't be published or shared.
Sarah uses MISP to collaborate with security researchers and investigate disinformation as it happens.
_"Decisions as to what is or isn't published or shared go far beyond what is technically interesting"_
#### Role
Disinformation researcher and journalist
#### Her primary goals are to:
- Conduct research and write intelligence reports about up-and-coming emerging threats and recent breaches.
- Investigate and report disinformation as it happens.
- Convert technical data into articles and reports that non-technical people can understand.
#### She uses MISP to:
- Write/read event reports, create misinformation events using relevant techniques found in a report or sighting.
- Join sharing groups and communities (e.g [Cogsec Collab](https://www.misp-project.org/2020/03/26/cogsec-collab-misp-community.html)) that connect misinformation researchers and responders, share incident data with organizations focusing on response and counter-campaigns.
- Integrate with the AM!TT Framework (as a galaxy) in order to describe misinformation tactics/techniques, break an incident into techniques that can be analyzed/countered, and check for disinformation through mapping.
- Monitor feeds, investigate disinformation using shared indicators in feeds, generate structured intelligence using the automated correlation engine, and decide if there are any falsehoods in data.
- Enrich threat data by adding object types, new relationship types (to make the graphs that users can traverse in MISP richer), and taxonomies to cover things like types of threat actors.
- Classify events, indicators, and threats using taxonomies (such as the Admiralty Scale taxonomy), which ranks the reliability of a source and the credibility of the information.
#### Her objectives are to:
- Distill essential information from a large piece of data, making it clear to the reader what really matters.
- Integrate MISP with TheHive for enhanced disinformation investigation and reporting.
- Verify that an article (or image, video, etc) doesnt contain disinformation and verify that a source (publisher, domain, etc) doesnt distribute disinformation.
- Extend MISP for disinformation, adding object types for incidents and narratives, and using [AMITT](https://www.misp-project.org/galaxy.html#_misinformation_pattern) for attack patterns.
## Other personas
Malcolm represents users that we care about but aren't so important to us.
### Malcolm
_**The Data Expert**_
Malcolm is a data scientist for a telecom operator in the USA.
He assists the Security Operations Center with tasks related to anomaly detection, exploratory data analysis, data visualization, modeling, and optimization of security solutions.
Malcolm uses data from MISP alongside natural language processing, predictive modeling, and other data science techniques to assess, prioritize, and even predict risk.
He can process threat data to help with alert prioritization and data-driven decision making.
_"It is a mistake to theorize before one has data. Insensibly, one begins to twist facts to suit theories, instead of theories to suit facts"_
#### Role
Data Scientist
#### His primary goals are to:
- Develop tools to help businesses detect threats so they can develop solid plans of action and better protect themselves.
- Make predictions, perform data analysis, and detect patterns in data.
- Support the threat analysis team with the development of new and innovative ways of extracting insight from large sets of structured and unstructured data.
- Translate complex data into relevant insights and visualize information.
#### He uses MISP to:
- Collect IoCs and sift through data from feeds to derive useful insights and connect dots between actors from various sources.
- Join sharing groups to collaborate with threat analysts and reduce analysts workload by taking on many tasks related to data collection and correlation.
- Automatically aggregate, parse, de-duplicate, and manage indicators using the API.
- Visualize events in real-time by setting up MISP-dashboard.
- Export large threat data sets that can be used to train ML models
#### His objectives are to:
- Combine data from MISP and other security sources to find patterns/relationships in data, develop models, assess, prioritize, and predict risk using data science and AI techniques.
- Produce informative visualizations and knowledge graphs based on large data sets.
- Eliminate manual tasks by writing scripts that automatically aggregate, parse, de-duplicate, and manage indicators in MISP.
- Classify risks in order to save analysts time sorting through false positives and deciding what to prioritize.

53
user-stories/README.md Normal file
View File

@ -0,0 +1,53 @@
# MISP User Stories
| User story | Example workflow |
|-|-|
| As a lead threat intelligence analyst, I want to lead a team focused on hunting down threats so that I can prevent attacks against ICT infrastructures and organizations | <ul> <li>Monitor what teams are up to in real-time using the Live Dashboard </li></ul>|
| As a threat analyst, I want to research, analyze and reverse engineer malware so that I can know how to counter it | <ul> <li> Attach and download files and malware samples from events</li> <li>Search for hashes/IPs/domains/URLs from malware events, or add malware samples hashes to an event</li> <li>Analyse observables and malware collected during an incident (e.g. domain name, IP addresses etc.) by checking whether observables are IoCs or false positives using correlation graph and expansion modules.</li> <li> Enrich malware events by querying data sources external to MISP using modules</li> <li>Perform dynamic malware analysis correlations</li> <li> Submit events with malware samples to analysis tools (e.g VirusTotal, VMRay) for further analysis, and then extend MISP with malware analysis results</li> </ul> |
| As a lead threat intelligence analyst, I want to convert threat data into actionable threat intelligence so that I can improve security posture. | <ul> <li>Import data from external sources</li> <li>Add feeds</li> <li>Contextualise events and attributes using tags, taxonomies and galaxies</li></li> |
| As a threat analyst, I want to exchange threat information with third parties so that we can gain shared situational awareness | <ul> <li>Setup different models of distribution on MISP instance</li> <li>Sync events and attributes between instances</li> <li>Use filtering functionalities to meet an organisation's sharing policy</li> <li>Share information, pentest information, malware samples, vulnerabilities internally and externally</li> <li>Use feature/achievements widget adding gamification to the information sharing</li> </ul> |
| As a threat analyst, I want to monitor threats and access live data so that I can manage threats before they cause major damage | <ul> <li>Import lists of indicators and check if the IOCs are present in feeds.</li> <li>Monitor statistics and sightings using widgets</li> <li>Show live data and stats from one or more MISP instances via the Dashboard</li> <li>Process information in real-time when it's updated, created, or published by instances by integrating with ZMQ</li> <li>Use sightings to notify an instance about activities related to an indicator</li> </ul> |
| As a threat analyst, I want to aggregate and compare indicators from various sources so that I can connect the dots between various threats | <ul><li>Join communities and subscribe to the feeds</li> <li>Add events and assign events to specific feeds</li> <li>Correlate indicators using MISP's automated correlation engine</li> <li> Use the overlap feed analysis available in MISP</li> <li>Link events and attributes using the correlation graph</li> <li>Analyse and gain more information on attributes using modules</li> <li>Link events with malware, threat actors etc using galaxies (e.g ATT&CK)</li></ul> |
| As a threat analyst, I want to have a structured database of threat data that I can use to perform lookups/queries when investigating new threats | <ul><li>Store information in a structured format using STIX</li> <li>Import unstructured reports using the free-text import tool</li> <li>Use MISP as a centralized hub for security and fraud threat intel. Centralize threat intel by aggregating indicators from OSINT and commercial feeds</li> <li>Remove false positives and duplicates</li> <li>Score indicators based on Sightings and other metrics</li> <ll>Import/integrate feeds or threat intelligence from third parties</li> <ll>Generate, select, exchange, and collect intelligence using feeds</li> <li>Select and import events</li> <li>Look for correlations between events using the correlation graph</li> <li>Build filtered subsets of the data repository for feed creation.</li> <li>Preview and correlate feed data directly for evaluation</li></ul> |
| As a threat analyst, I want to contextualize and enrich raw threat data so that I can produce actionable intelligence | <ul><li>Understand attacker TTPs by using taxonomies to link events</li> <li>Categorize risks and incidents using galaxies and taxonomies</li> <li>Quickly classify information using tags collections</li> <li>Contextualise sightings with information on the source</li> <li>Enrich IDSes export with tags to fit your NIDS deployment</li> <li>Decay attributes and score indicators using sightings (reported by IDSes)</li> <li>Describe and visualise complex scenarios using MISP's richer data structure</li> <li>Allow advanced combination of attributes using MISP objects</li></ul> |
| As a threat analyst, I want to investigate threats so that I can protect computer systems from attacks | <ul><li>Find relevant data for investigations from MISP communities. Preview new MISP events and alerts from multiple sources such as email reports, CTI providers, and SIEMs</li> <li>Query a MISP instance for events that include a given IOC. Browse through other MISP events, attributes, objects, tags, and galaxies</li> <li>Create events, add IoCs (attributes), and contextualise (using tags)</li> <li>Pivot an event into its attributes, objects, tags, galaxies, and/or related Events</li> <li>Explore further details from Galaxies and related Events</li> <li>Categorize available related information within the ATT&CK framework.</li> <li>Query tools (e.g Cytomic Orion API) to check if certain MISP indicators have been observed, and the import sighting details to add them to MISP events</li> <li>Prioritize threats using Sightings collected from users, scripts and IDSes.</li> <li>Decay/expire indicators using sightings reported by users, scripts and IDSes</li> <li>Launch lookups from MISP against SIEMs as part of an investigation</li> <li>Correlate network forensic flows from several tools</li></ul> |
| As a SOC team, we want to ingest, analyse, store and make connections between threat data so as to discover potential threats | <ul><li>See connections between events using the correlations graph</li> <li>Import CVEs and vulnerabilities (e.g from MetaSploit) and contextualise them</li> <li>Contextualise CVEs using events gotten from articles/reports</li> <li>Convert CVE information into a feed</li> <li>Pull shared CVE feeds</li> <li>Combine collected data with your MISP data set for correlation</li> <li>Share correlated info to the team using the export function or API search</li> <li>View current threats and activity, historical, geolocalized information using MISP Dashboard</li></ul> |
| As a junior SOC analyst, I want to enrich alerts so that I can "punch above my weight" and make connections that would have otherwise required more experience | <ul><li>Create events, add/import observables</li> <li>Use Cortex and its analyzers to gain insight</li> <li>Leverage tags, sightings, and previously-seen observables to feed your threat intelligence</li> <li>Export IOCs to MISP instances after investigations are complete</li> <li>Integrate MISP with Maltego to generate visualisations of data</li> <li>Integrate MISP with Elastic to access threat data without the complexities of the MISP interface.</li> <li>Push attributes from MISP to Elastic and have a representation with graphs, an alternative to using MISP Dashboard.</li> <li>Create taxonomies using the taxonomy editor.</li> <li>Contextualise data using taxonomies, clusters and galaxies</li></ul> |
| As a SOC analyst, I want to customize risk feeds to ignore or downgrade alerts that do not match organization/ industry-specific criteria, so that I can focus on relevant alerts | <ul><li>Filter incidents based on taxonomies (e.g the veris country taxonomy to indicate countries affected by an incident)</li> <li>Normalise external input and feeds in MISP (e.g. feed importer).</li> <li>Compare feeds before import to find similarities and false positives.</li> <li>Evaluate the quality of the information before importing it (warning-list lookups at feed evaluation)</li></ul> |
| As a SOC analyst, I want to share real-time information pertaining to new or existing cases/observables to team members so that we can collaborate on investigations simultaneously | <ul><li>Control threat sharing using distribution settings: sharing group, community-only, connected communities, all communities.</li> <li>Share sensitive and confidential events using the sharing group functionality</li> <li>Measure the impact of an incident using taxonomies based on NISD/OESs impact criteria</li> <li>Export and share sightings in ATT&CK sightings format to give insights on TTPs and frequency of usage</li></ul> |
| As a SOC analyst, I want to rule out false positives so that I can focus on significant threats | <ul><li>Weed out false positives using warning lists</li> <li>Crowd source data validation from community</li> <li>Filter indicators based on specific criteria</li> <li>Receive information on false positives using collaborative tools (proposals, sightings)</li></ul> |
| As a threat analyst, I want to remove false positives, filter and prioritize alerts so that I can focus on what really matters to my organization | <ul><li>Evaluate the quality and freshness of indicators using decaying models</li> <li>Enforce warninglists to exclude events with certain attributes</li> <li>Enable warninglists to alert for certain issues</li> <li>Classify information (add/remove tags) based on their score or visibility via sightings</li> <li>Use tags to set events or attributes for further processing by external tools (e.g. VirusTotal auto-expansion using Viper)</li> <li>Notify an instance about activities related to an indicator via Sighting</li> <li>Limit NIDS exports and improve rules using Sightings</li> <li>Filter indicators based on specific criteria</li> <li>Filter out relevant data when feeding protective tools</li></ul> |
| As a security analyst, I want to unravel the inner workings of a malicious file, phishing email or domain so that I can prevent attacks | <ul><li>Integrate MISP with a Security Incident Response Platform (e.g TheHive)</li> <li>Import indicators from MISP into the SIRP for further analysis</li></ul> |
| As a security analyst, I want to create blacklists/whitelists (e.g of domains) so that I can protect customers from malicious activity | <ul><li>Import threat data into MISP from synced servers and label using taxonomies</li> <li>Enable warning lists, and exclude attributes that exist on the warning lists</li> <li>Create lists with preferred attributes and export the list in an easy accessible format as CSV</li></ul> |
| As a security analyst, I need a real-time overview of threat information so that I can quickly glance at important metrics | <ul><li>Integrate ZMQ to access a dashboard showing live data and stats</li> <li>Monitor ongoing trends based on interests using the EventStream widget</li> <li>Monitor activity in real-time on MISP dashboard by subscribing to ZMQ feeds</li> <li>View immediate contributions made by organisations from MISP's live dashboard</li> <li>Find threats within your constituency using MISP Geolocalisation Dashboard</li> <li>Get geospatial threat information from specific regions using the Geolocalisation Dashboard</li></ul> |
| As a security analyst, I want to automate repetitive tasks related to data normalization, importation, aggregation and enrichment so that I can have more time to put into threat analysis efforts | <ul><li>Automate tasks using PyMISP</li> <li>Use PyMISP for Scripted processing of events and attributes</li></ul> |
| As a security analyst, I want to collaborate with other analysts within and out of my organizations sector so that we can support one another | <ul><li>Build or join communities to exchange specific data structures</li> <li>Share real-time analysis of an incident</li> <li>Propose modifications to someone else's analysis using Proposals</li></ul> |
| As a security analyst, I want to triage and prioritize alerts so as to avoid alert fatigue | <ul><li>Evaluate the quality and freshness of indicators using decaying models</li> <li>Weed out false positives using warning lists</li> <li>Enable warning lists to alert for critical issues</li> <li>Filter indicators based on specific criteria</li> <li>Score indicators based on user sightings, including negative sightings and expiration sightings.</li> <li>Classify information (add/remove tags) based on their score or visibility via sightings</li> |
| As an incident responder, I want to get an up-to-date picture of the threat landscape so that I can prepare for threats in advance | <ul><li>Describe the impact of threat using taxonomies (e.g using the veris timeline taxonomy to indicate the duration of the incident)</li> <li>Classify data to gain insight into the threat landscape.</li> <li>Classify data so IDSes can alert on a rule</li> <li>Integrate ZMQ to have a dashboard showing live data and statistics.</li> <li>Integrate ZMQ to process information in real-time when it's updated, created, or gathered in MISP.</li></ul> |
| As an incident responder, I want to identify and respond to incidents so that I can reduce the impact and severity of an attack | <ul><li>Report false or true positives using the sighting mechanism, based on an incident investigation <li>Decay indicators to guarantee the quality of the indicators</li></ul> |
| As an incident responder, I want to receive early warnings and alerts about threats/incidents so that I can retaliate before they cause any harm | <ul><li>Receive correlated threat intel from sharing groups and communities</li> <li>Monitor MISP feeds for alerts</li> <li>Preview new events and alerts from multiple sources</li> <li>Automate import/export of IoCs to/from protective or detection tools like IDSes and IPSes</li> <li>Dispatch notifications when certain events are created or modified using the alert feature</li> <li>Create filter rules based on personalised uses. Restrict alert messaged by tags, publishing organisation or other metrics</li></ul> |
| As an incident responder, I want to store information identified during an incident investigation so that I can perform lookups/queries against the historical database during future incidents | <ul><li>Use a MISP instance as a database of events representing incidents. Store incident response data internally in a structured manner on MISP</li> <li>Represent indicators using attributes. Attributes such as network indicators (e.g. IP address) or system indicators (e.g. a string in memory)</li> <li>Combine OSINT and your own intelligence</li> <li>Create events made up of indicators (attributes) and then leverage these as a threat data feed</li> <li>Modify events representing incidents to enable monitoring over time</li> <li>Add object types to describe incidents</li> <li>Monitor indicators for relevancy using Sightings</li> <li>Ensure information quality and freshness by expiring indicators depending on their personalised objectives</li> <li>Pull events from indicator lists to perform lookups against SIEMs</li> <li>Use indicators to check logs and verify if youre affected by a threat</li> <li>Correlate indicators with actual incidents to get more information</li> <li>Integrate MISP with IR tools (e.g TheHive) to (1) analyse observables during an incident, (2) import and (3) export events from MISP to TheHive and vice-versa</li> <li>Perform large-scale bulk data/traffic analysis and correlation against your MISP database using SightingsDB</li></ul> |
| As an incident responder, I want to export and feed data between security tools so that I can enhance their functionalities | <ul><li>Export data from MISP to feed protective/detective tools and early warning systems. Export formats support IDSes / IPSes (e.g. Suricata, Bro, Snort), SIEMs (eg CEF), Host scanners (e.g. OpenIOC, STIX, CSV, yara), analysis tools (e.g. Maltego), DNS policies (e.g. RPZ)</li> <li>Feed MISP using automatic tools (e.g. Sandbox Analysis, low-value information needing correlation, Analyst workbench)</li> <li>Pull events from feeds or indicator lists to perform lookups against SIEMs</li> <li>Subscribe to ZMQ pub-sub to get published events for use in lookup processes</li> <li>Match attributes against SIEMs using the lookup expansion module</li> <li>Import activities from a SIEM (e.g. Splunk lookup validation or false-positive feedback), NIDS or honeypot devices</li> <li>Post Sightings from IDSes, IPSes, SIEMs back to MISP</li> <li>Use sightings to improve NIDS rule-sets</li> <li>Generate IDS and NIDS rules automatically or manually using IoCs</li> <li>Feed data to honeypots to generate blocklists and DNS RPZ zones</li> <li>Consume correlated results in SIEMs using the API</li> <li>Search indicators in real-time into a SIEM using MISP ZMQ</li> <li>Submit large sets of IoCs from MISP into SIEMs using PyMISP</li> <li>Import indicators into MISP from other tools (SIEMs, IDSes) and be notified when those indicators appear again</li></ul> |
| As a CSIRT, we want to exchange and discuss information related to incidents and associated risks so that we can collaboratively respond to incidents | <ul><li>Build communities to exchange specific data structures</li> <li>Discuss non-event related topics in Forums</li> <li>Add comments to events (which may represent an incident)</li> <li>Contact a reporter (e.g. another CSIRT) via email (encrypted, anonymously or not) to discuss commercially-sensitive information related to an incident</li></ul> |
| As a CSIRT, we want to interact with threat data in various ways during the threat investigation and incident response process | <ul><li>View events, indicators and feeds</li> <li>Search and filter the data set</li> <li>Classify, contextualize and correlate data</li> <li>Download the viewed data in various formats</li> <li>Interact with MISP data using other tools in the MISP ecosystem (e.g MISP Workbench, Viper, MISPego)</li></ul> |
| As a CSIRT, we want to coordinate with team members and other organisations so that we can avoid duplication of work | <ul><li>Create and manage sharing groups between sectors</li> <li>Join existing communities or sharing groups</li> <li>Create and exchange events and indicators</li> <li>Propose changes to existing analysis or reports</li> <li>Enhance an analysis with additional information using Extended Events</li> <li>Report sightings as false-positive or true-positive (e.g. a partner/analyst has seen a similar indicator)</li> <li>Contribute to threat intel feeds and analyse overlapping data</li></ul> |
| As a CSIRT, we want to share incident information and discuss risks with other team members so that we can collaboratively perform incident analysis | <ul><li>Create, modify, delete and exchange events and indicators</li> <li>Modify distribution settings to exchange individual incidents and ensure confidentiality</li> <li>Use taxonomies and galaxies to classify data before exchange (e.g Indicate the confidentiality of incidents using the NATO classification, indicate the risk of an incident using the threat-level taxonomy)</li> <li>Edit, visualize, and share reports using Event Report</li> <li>Incorporate reports from information sources using the Event Report module</li> <li>Share indicators derived during incident response</li> <li>Correlate and enrich data derived during incidents</li> <li>Coordinate with affected parties during incident response using MISPs collaborative tools (proposals, sightings, emails)</li></ul> |
| As a fraud analyst, I want to investigate financial threats so that I can help financial institutions and consumers prevent financial fraud | <ul><li>Join communities and receive shared IOCs</li> <li>Subscribe to feeds and get IOCs in an easily accessible format</li> <li>Access lists and public feeds of malicious domains (e.g phishing sites) and threats</li> <li>Use indicators to check logs and verify if youre affected by a threat</li> <li>Gather information related to a phishing site and create events</li> <li>Integrate MISP with Maltego to visualise the full ATT&CK framework</li></ul> |
| As a fraud analyst, I want to blend updated threat intel with anti-fraud tools so that I can prevent fraud in real-time | <ul><li>Feed data from MISP to fraud prevention tools</li> <li>Report sightings to MISP from fraud prevention tools</li></ul> |
| As a fraud analyst, I want to collaborate with analysts from other institutions so that we can gain shared situational awareness | <ul><li>Implement a MISP instance, and join relevant communities</li> <li>Publish fraud perpetrators for others to see</li> <li>Exchange events containing fraud information (e.g a bank account number)</li> <li>Use shared fraud data to feed firewalls and blocklists</li> <li>Warn of false positives by alerting for invalid financial indicators</li> <li>Give more credibility to indicators by reacting to event attributes (Sightings)</li> <li>Get feedback from the community on the quality of indicators (Sightings)</li></ul> |
| As a customs and border control agent, I want to facilitate the flow of legal immigration and goods while preventing the illegal trafficking of people and contraband so that I can ensure homeland security | <ul><li>Create or join sharing groups and communities</li> <li>Share information (e.g travel documents / biometric information) between border control agencies using MISP </li> <li>Categorize data using predefined types such PNR (passenger name records)</li> <li>Share information / involve experts for the identification of smuggled goods</li> <li>Perform anonymised lookups against exported data sets information (e.g. offline border control check)</li></ul> |
| As a law enforcement officer, I want to investigate digital crimes and threats so that I can apprehend criminals | <ul><li>Access information sharing communities</li> <li>Get indicators and actionable information from CSIRTs/CERTs networks or researchers</li> <li>Exchange information with other officers via sharing communities</li> <li>Exchange and store incident information on MISP, enabling the system to act as a forensic tool over time</li> |
| As a law enforcement officer, I want to collect and verify evidence of digital crimes so that I can bootstrap my DFIR cases | <ul><li>Collect indicators from shared events</li> <li>Propose changes to existing analysis or reports</li> <li>Enhance existing events with additional pieces of evidence using Extended Events</li> <li>Exchange analysis and reports of digital forensic evidence</li> <li>Correlate indicators corresponding to forensic pieces of evidence</li> <li>Import Mactime timelines to describe forensic activities on an analysed file system</li> <li>Describe forensic analysis cases using objects templates</li> <li>Create, modify and visualise the timeline of events</li> <li>Share analysis and reports of digital forensic evidence</li> <li>Report sightings such as false-positive or true-positive (e.g. a partner/analyst has seen a similar indicator)</li></ul> |
| As a cybersecurity consultant, I want to provide structured threat intelligence to cross-sector partners with diverse requirements so that I can secure their infrastructure | <ul><li>Implement an instance and join relevant communities</li> <li>Integrate MISP with an organisations existing solutions using the API</li> <li>Exchange events containing indicators</li> <li>Setup distribution levels to ensure confidentiality during threat sharing</li> <li>Sync between untrusted and trusted networks using Feed support</li> <li>Notify the community about activities related to an indicator using Sightings</li> <li>Score indicators based on user sightings, including negative sightings and expiration sightings</li> <li>Propose updates to an event owner or indicate a sighting</li> <li>Share attacker techniques via integration with ATT&CK</li> <li>Set an attribute for detection tools using the IDS flag</li></ul> |
| As a cybersecurity specialist, I want to anonymously publish threat intel so that I can protect the identity of people who dont want to be associated with the information | <ul><li>Pseudo-anonymously publish data using Event Delegation</li></ul> |
| As a cybersecurity specialist, I want to investigate threats so that I can remediate and prevent cyber attacks | <ul><li>Query an instance for events that include a given IOC</li> <li>Explore more details from Galaxies and related events</li> <li>Categorize related information within the MITRE ATT&CK framework</li></ul> |
| As a security analyst, I want to access threat data so that I can use it to support my research | <ul><li>Contextualise indicators (attributes) using categories, taxonomies and galaxies</li> <li>Reinforce an analysis using correlation features (e.g. do other analysts have the same hypothesis?)</li> <li>Confirm a specific aspect using correlation features (e.g. are the sinkhole IP addresses used for one campaign?)</li> <li>Verify if a threat is new or unknown in your community using correlation features</li></ul> |
| As a security analyst, I want to access updated threat data so that I can build protection in real time | <ul><li>Monitor feeds for recent indicators</li> <li>Monitor activity in real-time on MISP dashboard by subscribing to ZMQ feeds</li> <li>Process information in real-time when it's updated, created or gathered using ZMQ</li></ul> |
| As a risk analyst, I want to identify and predict risks to my organization so that I can improve the organizations security posture and situational awareness | <ul><li>Use a MISP instance as a database of events representing threats</li> <li>Classify risks using taxonomies and galaxies</li> <li>Generate statistics from your MISP instance to deduce from incidents the current operational status, risk posture, and threats to the cyber environment</li> <li>Monitor trends and adversary TTPs using MISP-dashboard and built-in statistics</li> |
| As a risk analyst, I want to present risk data to stakeholders in various formats (depending on their technical ability), so that I can justify the need for risk-mitigating strategies | <ul><li>Show trends within the sector/geographical region using MISP dashboard and built-in statistics</li> <li>Turn MISP data into explorable graphs or timelines representing their activity or events</li> <li>Export data from MISP in various formats</li> <li>Share reports along with actionable data using Events Report</li></ul> |
| As a disinformation researcher, I want to identify indicators associated with a specific operation or campaign so that I can help track and mitigate threats | <ul><li>Monitor MISP feeds for indicators</li><li>Find relationships between indicators using correlation</li></ul> |
| As a disinformation researcher and journalist, I want to investigate information campaigns so that I can report whether there is or isnt disinformation or misinformation | <ul><li>Compare external feeds information with already-available information</li> <li>Analyze the connections between incident objects</li> <li>Map data with AMITT (embedded in MISP) to understand threat actor capabilities</li> <li>Generate events that can be shared directly, via email or MISP</li> <li>Add object types (e.g for common social media platforms), relationship types (to make the graphs that users can traverse in MISP richer) and taxonomies (e.g DFRLabs Dichotomies of Disinformation, and a NATO-led tactical variant) to describe indicators and events</li> <li>Generate and share information operations data in MISP JSON or STIX format for easy sharing</li> <li>Classify events with AM!TT techniques using the inline AM!TT Navigator</li> <li>Describe attack patterns using AMITT for the attack patterns</li> <li>Track disinformation techniques using the AMITT galaxy</li> <li>Integrate MISP with TheHive for case tracking</li> <li>Describe additional disinformation cases using object templates</li></ul> |
| As a disinformation researcher, I want to connect with other researchers and responders so that we can collaboratively verify if an article/video/image contains disinformation and verify that a source (publisher, domain, etc) doesnt distribute disinformation | <ul><li>Join a disinformation community</li> <li>Notify the community about activities related to an indicator</li> <li>Score indicators based on users sighting</li> <li>Corroborate a finding using correlation features (e.g. is this the same campaign?)</li></ul> |
| As a disinformation researcher, I want to collaborate with other researchers and responders so that we can collectively stop disinformation campaigns | <ul><li>Browse and Join disinformation communities (e.g CogSec Collab MISP)</li> <li>Contextualise data using tags, taxonomies and galaxies</li> <li>Describe information campaigns indicators and events using taxonomies (e.g DFRLab Dichotomies of Disinformation)</li> <li>Find relationships between indicators using correlation</li> <li>Describe misinformation tactics/techniques using the AMI!TT framework (galaxy)</li> <li>Include relevant techniques found in a report or sighting in misinformation event data using AM!TT Navigator</li></ul> |
| As a data scientist, I want to automate tasks related to data collection, curation, analysis, and visualization so that I can reduce security analysts' workloads | <ul><li>Collect, add, update, search events/attributes/tags using PyMISP</li> <li>Study malware samples using PyMISP</li> <li>Write scripts to import (from other tools such as VirusTotal) additional attributes or IOC data (such as hashes) to build up knowledge on an event</li> <li>Automatically handle indicators in third-party tools using PyMISP</li> <li>Integrate MISP with existing infrastructure using PyMISP</li> <li>Automate the dissemination of threat intelligence and threat data using the API</li> <li>Generate exports to be ingested into other platforms</li> <li>Create a range of filtered subsets of the dataset for various protective measures</li> <li>Write scripts to disable the IDS flag based on the number of false-positive reported sightings, in order to prevent using false-positive indicators for detection or correlation actions</li> <li>Generate data statistics and send reports via email, attached as CSV files using the API</li> <li>Feed processed data into IDSes and 3rd party visualization using PyMISP</li> <li>Build custom widgets to visualise/track data via the Dashboard</li> <li>Extend MISP with Python scripts using MISP modules</li> <li>Auto-discover new modules with their features using the API</li></ul> |
| As a data scientist, I want to collect and analyze data from various sources so that I can prioritize and predict risk | <ul><li>Aggregate indicators and sightings of all attributes/objects, useful for detecting particular security events or threats</li> <li>Use PyMISP for Scripted processing of events and attributes</li> <li>Collect data from open data portals using the API</li> <li>Publish open data and create data sets</li> <li>Investigate file hashes, malicious website URLs, IP Addresses and domain names using shared indicators</li> <li>Aggregate data sets for security research and threat analysis</li> <li>Analyse and select threat feeds for incorporation into other tools to hunt known indicators</li> <li>Indicate if an attribute should be used for detection or correlation actions using the IDS flag</li> <li>Download data in various formats for ingestion in other tools, and for training ML models</li></ul> |