mirror of https://github.com/MISP/misp-book
chg: [user-stories] add a reference to the feed overlap analysis
parent d1ccce593d
commit 973c54a383
@ -7,7 +7,7 @@
| As a lead threat intelligence analyst, I want to convert threat data into actionable threat intelligence so that I can improve security posture. | <ul> <li>Import data from external sources</li> <li>Add feeds</li> <li>Contextualise events and attributes using tags, taxonomies and galaxies</li></li> |
| As a threat analyst, I want to exchange threat information with third parties so that we can gain shared situational awareness | <ul> <li>Setup different models of distribution on MISP instance</li> <li>Sync events and attributes between instances</li> <li>Use filtering functionalities to meet an organisation's sharing policy</li> <li>Share information, pentest information, malware samples, vulnerabilities internally and externally</li> <li>Use feature/achievements widget adding gamification to the information sharing</li> </ul> |
| As a threat analyst, I want to monitor threats and access live data so that I can manage threats before they cause major damage | <ul> <li>Import lists of indicators and check if the IOCs are present in feeds.</li> <li>Monitor statistics and sightings using widgets</li> <li>Show live data and stats from one or more MISP instances via the Dashboard</li> <li>Process information in real-time when it's updated, created, or published by instances by integrating with ZMQ</li> <li>Use sightings to notify an instance about activities related to an indicator</li> </ul> |
| As a threat analyst, I want to aggregate and compare indicators from various sources so that I can connect the dots between various threats | <ul><li>Join communities and subscribe to the feeds</li> <li>Add events and assign events to specific feeds</li> <li>Correlate indicators using MISP's automated correlation engine</li> <li>Link events and attributes using the correlation graph</li> <li>Analyse and gain more information on attributes using modules</li> <li>Link events with malware, threat actors etc using galaxies (e.g ATT&CK)</li></ul> |
| As a threat analyst, I want to aggregate and compare indicators from various sources so that I can connect the dots between various threats | <ul><li>Join communities and subscribe to the feeds</li> <li>Add events and assign events to specific feeds</li> <li>Correlate indicators using MISP's automated correlation engine</li> <li> Use the overlap feed analysis available in MISP</li> <li>Link events and attributes using the correlation graph</li> <li>Analyse and gain more information on attributes using modules</li> <li>Link events with malware, threat actors etc using galaxies (e.g ATT&CK)</li></ul> |
| As a threat analyst, I want to have a structured database of threat data that I can use to perform lookups/queries when investigating new threats | <ul><li>Store information in a structured format using STIX</li> <li>Import unstructured reports using the free-text import tool</li> <li>Use MISP as a centralized hub for security and fraud threat intel. Centralize threat intel by aggregating indicators from OSINT and commercial feeds</li> <li>Remove false positives and duplicates</li> <li>Score indicators based on Sightings and other metrics</li> <ll>Import/integrate feeds or threat intelligence from third parties</li> <ll>Generate, select, exchange, and collect intelligence using feeds</li> <li>Select and import events</li> <li>Look for correlations between events using the correlation graph</li> <li>Build filtered subsets of the data repository for feed creation.</li> <li>Preview and correlate feed data directly for evaluation</li></ul> |
| As a threat analyst, I want to contextualize and enrich raw threat data so that I can produce actionable intelligence | <ul><li>Understand attacker TTPs by using taxonomies to link events</li> <li>Categorize risks and incidents using galaxies and taxonomies</li> <li>Quickly classify information using tags collections</li> <li>Contextualise sightings with information on the source</li> <li>Enrich IDSes export with tags to fit your NIDS deployment</li> <li>Decay attributes and score indicators using sightings (reported by IDSes)</li> <li>Describe and visualise complex scenarios using MISP's richer data structure</li> <li>Allow advanced combination of attributes using MISP objects</li></ul> |
| As a threat analyst, I want to investigate threats so that I can protect computer systems from attacks | <ul><li>Find relevant data for investigations from MISP communities. Preview new MISP events and alerts from multiple sources such as email reports, CTI providers, and SIEMs</li> <li>Query a MISP instance for events that include a given IOC. Browse through other MISP events, attributes, objects, tags, and galaxies</li> <li>Create events, add IoCs (attributes), and contextualise (using tags)</li> <li>Pivot an event into its attributes, objects, tags, galaxies, and/or related Events</li> <li>Explore further details from Galaxies and related Events</li> <li>Categorize available related information within the ATT&CK framework.</li> <li>Query tools (e.g Cytomic Orion API) to check if certain MISP indicators have been observed, and the import sighting details to add them to MISP events</li> <li>Prioritize threats using Sightings collected from users, scripts and IDSes.</li> <li>Decay/expire indicators using sightings reported by users, scripts and IDSes</li> <li>Launch lookups from MISP against SIEMs as part of an investigation</li> <li>Correlate network forensic flows from several tools</li></ul> |
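Review bot: the new bullet in the "aggregate and compare indicators" row reads "Use the overlap feed analysis available in MISP", while the commit message calls the feature the "feed overlap analysis"; use one name, preferably the commit message's ("Use the feed overlap analysis available in MISP"), and drop the leading space after `<li>` so the item matches the spacing of its siblings in the same `<ul>`. Since the hunk only touches that one row, the two pre-existing markup defects in its context lines stay in the table: the first row closes its list with `</li>` instead of `</ul>`, and the "structured database" row opens two items with `<ll>` instead of `<li>`; both are worth fixing in the same pass, as rendered HTML inside a Markdown table is unforgiving of unbalanced tags.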