chg: [doc] Update quickstart, added Local Tags to glossary.
|
@ -92,6 +92,9 @@ For more details on taxonomies and classification [the documentation](https://ww
|
||||||
There is a Python module available to work with Taxonomies in a Pythonic way called [PyTaxonomies](https://github.com/MISP/PyTaxonomies).
|
There is a Python module available to work with Taxonomies in a Pythonic way called [PyTaxonomies](https://github.com/MISP/PyTaxonomies).
|
||||||
[MISP taxonomies GitHub Repo](https://github.com/MISP/misp-taxonomies)
|
[MISP taxonomies GitHub Repo](https://github.com/MISP/misp-taxonomies)
|
||||||
|
|
||||||
|
## Local tags
|
||||||
|
You can create tags locally if you are a member of the given MISP instance’s host organisation, enabling “in-place” tagging for synchronisation and export filtering. MISP events are not modified while using the local tags and are in turn always stripped before being synchronised with other MISP instances and sharing communities. Local tags allow users to avoid violating the ownership model of MISP, but still be able to tag any event or attribute for further dissemination and data contextualisation. Local tagging works for tags, tag collections, galaxies and matrix-like galaxies such as ATT&CK.
|
||||||
|
|
||||||
## MISP warninglists
|
## MISP warninglists
|
||||||
MISP warninglists are lists of well-known indicators that can be associated to potential false positives, errors or mistakes.
|
MISP warninglists are lists of well-known indicators that can be associated to potential false positives, errors or mistakes.
|
||||||
There is a Python module available to work with warninglists in a Pythonic way called [PyMISPWarningLists](https://github.com/MISP/PyMISPWarningLists).
|
There is a Python module available to work with warninglists in a Pythonic way called [PyMISPWarningLists](https://github.com/MISP/PyMISPWarningLists).
|
||||||
|
|
|
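Review bot: the new "Local tags" paragraph says local tags enable "export filtering" but only states that they are stripped before synchronisation; it should say explicitly whether exports (REST, feed or file exports) also drop them, because a reader who uses a local tag as a handling marker needs to know where it stops travelling. It should also state which role can create them ("member of the given MISP instance's host organisation" leaves open whether that is any user or only an org admin), and consider cross-linking this glossary entry to the "### Local tags" subsection added to the quick-start in this same commit.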
@ -3,7 +3,7 @@ And Justice for All! -->
|
||||||
|
|
||||||
# Quick Start
|
# Quick Start
|
||||||
|
|
||||||
MISP (Open Source Threat Intelligence and Sharing Platform) software facilitates the exchange and sharing of threat intelligence, Indicators of Compromise (IOCs) about targeted malware and attacks, financial fraud or any intelligence within your community of trusted members. MISP sharing is a distributed model containing technical and non-technical information which can be shared within closed, semi-private or open communities. Exchanging such information should result in faster detection of targeted attacks and improve the detection ratio, whilst also reducing the number of false positives.
|
MISP (Open Source Threat Intelligence and Sharing Platform) software facilitates the exchange and sharing of threat intelligence, Indicators of Compromise (IoCs) about targeted malware and attacks, financial fraud or any intelligence within your community of trusted members. MISP sharing is a distributed model containing technical and non-technical information which can be shared within closed, semi-private or open communities. Exchanging such information should result in faster detection of targeted attacks and improve the detection ratio, whilst also reducing the number of false positives.
|
||||||
|
|
||||||
With the focus on automation and standards, MISP provides you with a powerful ReST API, extensibility (via misp-modules) or additional libraries such as PyMISP, jump ahead to these chapters to get started.
|
With the focus on automation and standards, MISP provides you with a powerful ReST API, extensibility (via misp-modules) or additional libraries such as PyMISP, jump ahead to these chapters to get started.
|
||||||
|
|
||||||
|
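Review bot: only the capitalisation of IoCs changes here; while in this paragraph, the sentence that follows in context ("With the focus on automation ... such as PyMISP, jump ahead to these chapters to get started.") is a comma splice and would read better split, e.g. "... or additional libraries such as PyMISP. Jump ahead to those chapters to get started."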
@ -21,12 +21,21 @@ MISP default credentials:
|
||||||
</tr>
|
</tr>
|
||||||
</table>
|
</table>
|
||||||
|
|
||||||
|
## I forgot my admin password :(
|
||||||
|
|
||||||
|
You can quickly reset it via the command line. You need to know the Admins E-Mail address.
|
||||||
|
Replace www-data with whoever runs the webserver.
|
||||||
|
|
||||||
|
```
|
||||||
|
sudo -u www-data /var/www/MISP/app/Console/cake Password admin@admin.test Password1234
|
||||||
|
```
|
||||||
|
|
||||||
## Tasks to do after first Start
|
## Tasks to do after first Start
|
||||||
|
|
||||||
<!-- TODO: Consollidate all sources to misp-book -->
|
<!-- TODO: Consollidate all sources to misp-book -->
|
||||||
1. [Change site admin password](https://misp.gitbooks.io/misp-book/content/quick-start/#password-policy)
|
1. [Change site admin password](https://www.circl.lu/doc/misp/quick-start/#password-policy)
|
||||||
2. [Activate Feeds](https://www.circl.lu/doc/misp/managing-feeds/)
|
2. [Activate Feeds](https://www.circl.lu/doc/misp/managing-feeds/)
|
||||||
3. [Setup your User](https://misp.gitbooks.io/misp-book/content/user-management/#first-run-of-the-system)
|
3. [Setup your User](https://www.circl.lu/doc/misp/user-management/#first-run-of-the-system)
|
||||||
3.1 Designate a Site Admin and an Org Admin
|
3.1 Designate a Site Admin and an Org Admin
|
||||||
3.2 Add some contributing users and assign the corresponding Roles
|
3.2 Add some contributing users and assign the corresponding Roles
|
||||||
4. [MISP Administration](https://www.circl.lu/doc/misp/administration/)
|
4. [MISP Administration](https://www.circl.lu/doc/misp/administration/)
|
||||||
|
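Review bot: the password-reset command passes the new password on the command line, so it ends up in the shell history and is visible to other local users in the process list while it runs; the section should say so and recommend changing the password again through the web UI afterwards, which the "Tasks to do after first Start" list directly below already asks for. Smaller points: the fence should carry a language tag (```bash); "You need to know the Admins E-Mail address." should read "You need to know the admin's e-mail address."; and using "Password1234" as the example right next to the password-policy link invites copy-paste, so a placeholder such as <new-password> would be safer. The unchanged TODO comment in context also misspells "Consolidate".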
@ -69,42 +78,70 @@ You only have to add a few pieces of information to register your Event. Further
|
||||||
|
|
||||||
## Describe Event
|
## Describe Event
|
||||||
|
|
||||||
Red is totally normal. No worries. (In future releases this will change to a more harmonious color)
|
![Describe Event](figures/AddEventOK.png)
|
||||||
|
|
||||||
![Describe Event](figures/AddEventOK.jpg)
|
|
||||||
|
|
||||||
Now you can specify the information for your Event (you will need to scroll the window).
|
Now you can specify the information for your Event (you will need to scroll the window).
|
||||||
|
|
||||||
### Free-Text Import Tool
|
### Free-Text Import Tool
|
||||||
|
|
||||||
![Use Freetext import](figures/AddEventDescription.jpg)
|
![Use Freetext import](figures/AddEventDescription.png)
|
||||||
|
|
||||||
|
The following will pop-up.
|
||||||
|
|
||||||
If you have a list of indicators from which you would like to quickly generate attributes then the **Free-text import tool** is
|
If you have a list of indicators from which you would like to quickly generate attributes then the **Free-text import tool** is
|
||||||
just what you need. Simply paste your list of indicators (separated by line-breaks) into this tool.
|
just what you need. Simply paste your list of indicators (separated by line-breaks) into this tool.
|
||||||
|
|
||||||
|
![Freetext import pop-up](figures/freetextImportPopUp.png)
|
||||||
|
|
||||||
![FreeText Import result](figures/FreeTextImportResult.jpg)
|
![FreeText Import result](figures/FreeTextImportResult.jpg)
|
||||||
|
|
||||||
The tool will help you to find similarities between your import and other issues already registered in MISP.
|
The tool will help you to find similarities between your import and other issues already registered in MISP.
|
||||||
|
|
||||||
![FreeText Suggest](figures/FreeTextSuggest.jpg)
|
![FreeText Suggest](figures/FreeTextSuggest.png)
|
||||||
|
|
||||||
For example, you can see the ID of all related Events and view their information.
|
For example, you can see the ID of all related Events and view their information.
|
||||||
|
|
||||||
|
##### Alternative to import
|
||||||
|
|
||||||
|
An alternative route to reach the Freetext import tool is shown below.
|
||||||
|
|
||||||
|
![Import From](figures/populateFrom.png)
|
||||||
|
|
||||||
|
![Import From pop-up](figures/populateFromPopUp.png)
|
||||||
|
|
||||||
### Tags and Taglist
|
### Tags and Taglist
|
||||||
|
|
||||||
#### Using existing Data
|
#### Using existing Data
|
||||||
|
|
||||||
Another easy way to add information is to use Tags. You can see the result of adding existing Tags (circl:incident-classification=XSS ans circl:incident-classification="information-leak).
|
Another easy way to add information is to use Tags. You can see the result of adding existing Tags (circl:incident-classification=XSS ans circl:incident-classification="information-leak).
|
||||||
|
|
||||||
![Add Tag](figures/SelectTag.jpg)
|
![Add Tag](figures/SelectTag.png)
|
||||||
|
|
||||||
By clicking the button, you can add more tags from an existing Taglist.
|
By clicking the button, you can add more tags from an existing Taglist.
|
||||||
|
|
||||||
![Taglist](figures/AddEventTagsList.jpg)
|
![Taglist](figures/AddEventTagsList.png)
|
||||||
|
|
||||||
In particular the "Taxonomy Library: circl" Taglist is very complete, as you can see:
|
In particular the "Taxonomy Library: circl" Taglist is very complete.
|
||||||
|
|
||||||
![Select Tag from Taglis](figures/AddEventSelectTag.jpg)
|
Once you added the tag(s) it will show in you main event window and in the list event view.
|
||||||
|
|
||||||
|
![Tag Added](figures/tagAdded.png)
|
||||||
|
|
||||||
|
### Local tags
|
||||||
|
|
||||||
|
Local tags can be added in a similar fashion.
|
||||||
|
|
||||||
|
![Add Local Tag](figures/addLocalTag.png)
|
||||||
|
|
||||||
|
They will be identified by a corresponding icon.
|
||||||
|
|
||||||
|
![Local Tags Mix](figures/localTagsOverview.png)
|
||||||
|
|
||||||
|
#### No tags in list
|
||||||
|
|
||||||
|
In case you get the below. You need to either enable an existing Taxonomy or add some custom tags.
|
||||||
|
|
||||||
|
![No tags](figures/addTagEmpty.png)
|
||||||
|
|
||||||
#### Make your own Taglist
|
#### Make your own Taglist
|
||||||
|
|
||||||
|
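Review bot: the new "##### Alternative to import" heading skips from ### straight to #####; use #### so the outline matches "#### Using existing Data" and "#### No tags in list" in the same hunk. Typos in the added lines: "Once you added the tag(s) it will show in you main event window" should be "Once you have added the tag(s), they will show in your main event window", and "In case you get the below. You need to either enable ..." is a fragment, better as "If you see the screen below, you need to either enable an existing Taxonomy or add some custom tags." The unchanged context line with the tag examples still reads "=XSS ans circl:incident-classification="information-leak" (typo "ans", unbalanced quote) and is worth fixing while touching this section. Finally, the new "### Local tags" subsection only says they "will be identified by a corresponding icon"; one sentence on what a local tag implies (it is not synchronised to other instances, as the glossary entry in this commit explains) would help readers who land on the quick-start first.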
@ -134,7 +171,7 @@ To see your Event, select List Events from the menu Events Action. You can click
|
||||||
|
|
||||||
If you click on your Event's number, you can see all the information related to your Event.
|
If you click on your Event's number, you can see all the information related to your Event.
|
||||||
|
|
||||||
![See Event](figures/SeeEvent.jpg)
|
![See Event](figures/SeeEvent.png)
|
||||||
|
|
||||||
## Export Events for Log Search
|
## Export Events for Log Search
|
||||||
|
|
||||||
|
@ -145,3 +182,7 @@ Export functionality is designed to automatically generate signatures for intrus
|
||||||
Simply click on any of the following buttons to download the appropriate data for log correlation.
|
Simply click on any of the following buttons to download the appropriate data for log correlation.
|
||||||
|
|
||||||
![Select Format](figures/SelectExport.jpg)
|
![Select Format](figures/SelectExport.jpg)
|
||||||
|
|
||||||
|
## Enable a Taxonomy
|
||||||
|
|
||||||
|
## Enable and fetch a feeds
|
||||||
|
|
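Review bot: both new headings, "## Enable a Taxonomy" and "## Enable and fetch a feeds", are added with no body, so the published page will show two empty sections; either fill them in or mark them with the same <!-- TODO --> comment convention used earlier in this file. "Enable and fetch a feeds" should read "Enable and fetch feeds", and the managing-feeds page already linked from the task list (https://www.circl.lu/doc/misp/managing-feeds/) is the obvious content to summarise or point to here.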