From 9ec01731c223fac2786e771023a2f5719222d362 Mon Sep 17 00:00:00 2001 From: deralexxx Date: Sun, 11 Jun 2017 13:06:06 +0200 Subject: [PATCH] first hackathon 2017 mention events, sharing groups and recommendations --- sharing/README.md | 83 +++++++++++++++++++++++++++++++++++++---------- 1 file changed, 65 insertions(+), 18 deletions(-) diff --git a/sharing/README.md b/sharing/README.md index 8075652..06d168b 100644 --- a/sharing/README.md +++ b/sharing/README.md @@ -7,6 +7,9 @@ * [Roles](#roles) * [Tools](#tools) * [Server Settings](#server-settings) +* [Events](#events) +* [Sharing groups](#sharing-groups) +* [Recommendations](#recommendations) * MISP's core functionality is sharing where everyone can be a consumer and/or a contributor/producer. * Quick benefit without the obligation to contribute @@ -14,8 +17,9 @@ ##Concept -![Scenario example](figures/MISP_scenario_example.png) +The following figure shows the concept how different MISP instances could tie together. +![Scenario example](figures/MISP_scenario_example.png) ##Setup 
@@ -29,50 +33,56 @@ https:///servers/add ![Add Server](figures/add_server_1.png) - -The Add Server Form has several input fields: + The Add Server Form has several input fields: ![Add Server](figures/add_server_ui.png) 1. Base URL -The base-url to the external server you want to sync with. Example: https://foo.sig.mil.be + The base-url to the external server you want to sync with. Example: https://foo.sig.mil.be 2. Instance Name -A name that will make it clear to your users what this instance is. For example: Organisation A's instance + A name that will make it clear to your users what this instance is. For example: Organisation A's instance 3. Remote Sync Organisation Type -The organization having the external server you want to sync with. Example: BE + The organization having the external server you want to sync with. Example: BE 4. Local Organisation + This setting will configure which organisation will be assigned to the events being pulled. + 5. Authkey -You can find the authentication key on your profile on the external server. + You can find the authentication key on your profile on the external server. 6. Push -Allow the upload of events and their attributes. + Allow the upload of events and their attributes. That means only Events that match the given filter will + be pushed to the server. + + E.g. it can limit push of events to events not being TLP:RED + 7. Pull -Allow the download of events and their attributes from the server. + Allow the download of events and their attributes from the server. That means only Events + matching the given criteria will be pulled. + + E.g. it can limit to NOT download Type:OSINT events. 8. Self Signed -Click this, if you would like to allow a connection despite the other instance using a self-signed certificate (not recommended). (server certificate file still needed) + Click this, if you would like to allow a connection despite the other instance using a self-signed certificate (not recommended). 
(server certificate file still needed) 9. Server certificate file -You can also upload a certificate file if the instance you are trying to connect to has its own signing authority. (*.pem) + You can also upload a certificate file if the instance you are trying to connect to has its own signing authority. (*.pem) 10. Client certificate file -You can also upload a certificate file if the instance you are trying to connect to has its own signing authority. (*.pem) - - + You can also upload a certificate file if the instance you are trying to connect to has its own signing authority. (*.pem) ###Test connection @@ -82,18 +92,27 @@ Test connection can be used to test the connection to the remote server and will Rules are used to limit sharing to e.g. events with a given tag, or disabling sharing for events containing a certain Tag. -#### +###Troubleshooting + +If you have issues connecting to a remote servers try to do the following things: + +- try to connect with your user account to the remote server, to ensure the password is still valid and that your API key is valid +- try to connect with your user account to the remote server and check your roles on the remote server ##Collaboration ### Proposals +Proposals can be used to propose new attribute values that can be reviewed by the event owner. + ### Forums / Threats Forums can be used to discuss non event related topics. Discussions can be accessed on the top "Global Actions - List Discussions" +**Discussions will and can not be shared with other servers** + and via URL: ~~~~ 
@@ -120,14 +139,13 @@ A topic can be commented by any user https:///threads/view/ ~~~~ - ### Comments to events -In MISP ongoing events can be commented by every user. +In MISP ongoing events can be commented by every user to ask free text question to events. +**Comments to events will not be shared with other servers** ![Contact reporter](figures/comment_an_event.png) - ### Contact a reporter This feature can be used to contact the person or the organisation that the person belongs to that has created the event. @@ -147,3 +165,32 @@ It is possible to get alerts via encrypted mail in the following cases: These E-Mail alerts are an opt-in feature ![Change user settings](figures/profile_receive_alerts.png) + +# Events + +This will describe what to do within events to be shared. + +* Only events that are **published** will be shared + +# Sharing-groups + +There is an article about sharing groups in [here](using-the-system/#create-and-manage-sharing-groups) + +#Recommendation + +The following section will describe what is the best practice how many MISP instances that showed to be good for orgs. +Of course depending on your specific requirements an architecture could be more spread or simplified. + +The architecture is divided into several systems / stages beginning with: + +## MISP Staging System + +This systems purpose is to be linked to all available external MISP systems that you have access to. +It will download all events and do enrichment between these events. + +## MISP SECOps System + +This system is the main system used by human analysts. +It will it is not linked to any external MISP instance other then the Staging System. + +To publish events to the community assign the right tags to match your push [Rules](#rules) and **publish the event** \ No newline at end of file
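Review bot: In hunk `@@ -7,6 +7,9 @@` the new TOC entry `* [Recommendations](#recommendations)` does not match the heading this patch adds later, `#Recommendation` (singular), so the `#recommendations` anchor will not resolve; rename one side, e.g. `## Recommendations`. The entry `* [Sharing groups](#sharing-groups)` points at `# Sharing-groups`; the slug happens to match but the visible text differs, so drop the hyphen in the heading.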
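Review bot: In hunk `@@ -14,8 +17,9 @@` the added sentence "The following figure shows the concept how different MISP instances could tie together." is awkward; suggest "The following figure shows how different MISP instances can be connected to each other."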
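Review bot: In hunk `@@ -29,50 +33,56 @@` items 6 and 7 describe the Push and Pull checkboxes as if they applied a filter ("That means only Events that match the given filter will be pushed to the server"), but the filter itself is configured in the separate Rules section ("Rules are used to limit sharing to e.g. events with a given tag"); suggest saying the checkbox only enables the direction and linking the TLP:RED / OSINT examples to [Rules](#rules) so readers do not expect the checkbox alone to withhold events. Two smaller points in the same hunk: every description line now gains a single leading space (" The base-url to the external server..."), which is an inconsistent way to indent list continuation text, so either indent all of them by three spaces under the number or none; and item 10 "Client certificate file" still repeats item 9's server-certificate text verbatim, while the label suggests it should describe the certificate this instance presents to the remote server.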
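Review bot: In hunk `@@ -82,18 +92,27 @@` the first troubleshooting bullet conflates two checks: logging in with the user account verifies the password, but the sync uses the Authkey from item 5 ("You can find the authentication key on your profile on the external server"), so suggest splitting it into "log in to the remote server to confirm the password is valid" and "check on your remote profile that the authkey entered under Authkey is still valid". Grammar: "a remote servers" should be "a remote server", and "**Discussions will and can not be shared with other servers**" should read "**Discussions are not and cannot be shared with other servers**". The touched context heading "### Forums / Threats" should be "Threads".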
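Review bot: In hunk `@@ -120,14 +139,13 @@` the added clause "to ask free text question to events" should read "to ask free-text questions about an event".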
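Review bot: In hunk `@@ -147,3 +165,32 @@` the sync direction between the two systems is not stated: the Staging System pulls from all external instances and the SECOps System "is not linked to any external MISP instance other then the Staging System", but the closing sentence about push rules and publishing only makes sense if the text also says that SECOps pulls from Staging and that outbound publication goes back through Staging; please add one sentence for each direction. Heading levels are also inconsistent: `# Events`, `# Sharing-groups` and `#Recommendation` are level 1 while the rest of the file uses `##` for top-level sections (`##Concept`, `##Setup`, `##Collaboration`). The relative link `using-the-system/#create-and-manage-sharing-groups` is resolved from `sharing/`, so check that it reaches the intended file (it likely needs a `../` prefix and the file name). Wording: "The following section will describe what is the best practice how many MISP instances that showed to be good for orgs." is ungrammatical, suggest "This section describes a best-practice layout for how many MISP instances an organisation should run."; "This systems purpose" should be "This system's purpose"; "It will it is not linked ... other then" should be "It is not linked ... other than"; and "do enrichment between these events" would be clearer as "correlate these events". Finally, the file now ends without a trailing newline ("\ No newline at end of file").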