From bd85dbbce51d762f4134f23e78302a9be8c3c3ac Mon Sep 17 00:00:00 2001 From: Iglocska Date: Fri, 15 Apr 2016 22:42:25 +0200 Subject: [PATCH] Added STIX sighting examples --- automation/README.md | 123 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 123 insertions(+) diff --git a/automation/README.md b/automation/README.md index c1887c9..47f9f41 100644 --- a/automation/README.md +++ b/automation/README.md 
@@ -841,6 +841,129 @@ https:///sightings/add/stix MISP will use the sighting's related observables to gather all values and create sightings for each attribute that matches any of the values. If no related observables are provided in the Sighting object, then MISP will fall back to the Indicator itself and use its observables' values to create the sightings. The time of the sighting is the current time, unless the timestamp attribute is set on the Sightings object, in which case that is taken. +An example STIX sightings document: + +~~~~xml + + + Example watchlist that contains IP information. + Indicators - Watchlist + + + + Domain Watchlist + + + + malicious1.example.com##comma##malicious2.example.com##comma##malicious3.example.com + + + + + + + + FooBar Inc. + + + + + + + + malicious2.example.com + + + + + + + + + + +~~~~ + +POSTing this as the message's body to MISP will sight any attributes visible to the user witht he value "malicious2.example.com". For composite types, a match on a component will also trigger a sighting (so for example for attributes of type domain|ip a domain match would be sufficient). + +If no Related observables are set in the Sighting itself, MISP will fall back to the observable directly contained in the indicator. So in the following example: + +~~~~xml + + + Example watchlist that contains IP information. + Indicators - Watchlist + + + + Domain Watchlist + + + + malicious1.example.com##comma##malicious2.example.com##comma##malicious3.example.com + + + + + + + + FooBar Inc. + + + + + + + +~~~~ + +MISP would create sightings for attributes matching any of the following: malicious1.example.com, malicious2.example.com, malicious3.example.com + # Automation using PyMISP PyMISP is a Python library to access MISP platforms via their REST API.
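Review bot: the Description of both example documents reads "Example watchlist that contains IP information." while the Title, the indicator name ("Domain Watchlist") and the observable values (malicious1.example.com etc.) are all domains, so the description contradicts the example it introduces; change it to something like "Example watchlist that contains domain information." in both blocks. Two smaller points in the same hunk: the sentence following the first example has "witht he value", which should be "with the value"; and both examples rely on the `##comma##` separator inside the observable value (malicious1.example.com##comma##malicious2.example.com##comma##malicious3.example.com) without the surrounding text ever saying that this string is a list delimiter, which is what makes the closing sentence "MISP would create sightings for attributes matching any of the following: malicious1.example.com, malicious2.example.com, malicious3.example.com" true. A one-line note before the first example, stating that `##comma##` separates multiple values in a single observable and that each separated value is matched independently, would let a reader build their own sighting document instead of copying the example verbatim. Finally, the second example repeats the whole watchlist from the first one; since the only difference is the absence of the related observables in the Sighting, consider showing only the Sighting element in the second block and stating that the indicator is unchanged, which also keeps the two copies from drifting apart when one is edited later.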