diff --git a/galaxy/README.md b/galaxy/README.md index 94c55b0..3526788 100644 --- a/galaxy/README.md +++ b/galaxy/README.md 
@@ -8,19 +8,37 @@ There are default vocabularies available in MISP galaxy but those can be overwri Existing clusters and vocabularies can be used as-is or as a template. MISP distribution can be applied to each cluster to permit a limited or broader distribution scheme. -The objective is to have a comment set of clusters for organizations starting analysis but that can be expanded to localized information (which is not shared) or additional information (that can be shared). +The objective is to have a common set of clusters for organizations starting analysis but that can be expanded to localized information (which is not shared) or additional information (that can be shared). -WIP - -[MISP galaxy](https://github.com/MISP/misp-galaxy) +[MISP galaxy](https://github.com/MISP/misp-galaxy) are available on Github. ### Managing Galaxies in MISP -WIP +> [warning] You need to have a specific role to manage Galaxies on a MISP instance. + +Galaxies management is accessed using the Galaxies link on the top menu. + +![MenuGalaxy](./figures/GalaxyMenu.png) + +A list with all the galaxies existing on the server will appear. + +![GalaxyView](./figures/GalaxyView.png) + +Each galaxy can be explored using the icon at the end of the line. + +![GalaxyList](./figures/GalaxyList.png) + +Here is shown the metadata of the selected galaxy as well as a table with each available value as well as some complementary data such as a description of the value or the activity, that is to say the evolution of the use of each value. + +Galaxies can be reimported from the submodules by cliking the "Update Galaxies" link on either the galaxies list or while browsing a specific galaxy. A popup will appear to confirm the reimportation. + +![GalaxyUpdate](./figures/GalaxyUpdate.png) + +All galaxies will always be updated, even while browsing a specific galaxy. ### Using Galaxies in MISP Events - Example -For this example, we will try to add a cluster to an existing event. 
This cluster will contains informations about threath actor known as Sneaky Panda. +For this example, we will try to add a cluster to an existing event. This cluster will contains informations about threat actor known as Sneaky Panda. ![EventWithoutCluster](./figures/EventWithoutCluster.png) 
@@ -56,28 +74,29 @@ Clicking on the addition symbole on the left of Beijing Group extends the module [Microsoft Activity Group](https://github.com/MISP/misp-galaxy/blob/master/clusters/microsoft-activity-group.json) - Activity groups as described by Microsoft. +[Preventive Measure](https://github.com/MISP/misp-galaxy/blob/master/clusters/preventive-measure.json) - Preventive measures. + +[Ransomware](https://github.com/MISP/misp-galaxy/blob/master/clusters/ransomware.json) - Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml + [TDS - Traffic Direction System](clusters/tds.json) - TDS is a list of Traffic Direction System used by adversaries. [Threats Actors](https://github.com/MISP/misp-galaxy/blob/master/clusters/threat-actor.json) - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. Threat actors are characteristics of malicious actors (or adversaries) representing a cyber attack threat including presumed intent and historically observed behaviour. [Tools](https://github.com/MISP/misp-galaxy/blob/master/clusters/tool.json) - Enumeration of software tools used by adversaries. The list includes malware but also common software regularly used by the adversaries. 
- #### Vocabularies ##### Common - [certainty-level] - (https://github.com/MISP/misp-galaxy/blob/master/vocabularies/common/certainty-level.json) - +[certainty-level](https://github.com/MISP/misp-galaxy/blob/master/vocabularies/common/certainty-level.json) - Certainty level of an associated element or cluster ##### threat-actor - [intended-effect] - (https://github.com/MISP/misp-galaxy/blob/master/vocabularies/threat-actor/intended-effect.json) - default STIX vocabulary for expressing the intended effect of a threat actor - [motivation] - (https://github.com/MISP/misp-galaxy/blob/master/vocabularies/threat-actor/motivation.json) - default STIX vocabulary for expressing the motivation of a threat actor. - [planning-and-operational-support] - (https://github.com/MISP/misp-galaxy/blob/master/vocabularies/threat-actor/planning-and-operational-support.json) - default STIX vocabulary for expressing the planning and operational support functions available to a threat actor. - [sophistication] - (https://github.com/MISP/misp-galaxy/blob/master/vocabularies/threat-actor/sophistication.json) - default STIX vocabulary for expressing the subjective level of sophistication of a threat actor. - [type] - (https://github.com/MISP/misp-galaxy/blob/master/vocabularies/threat-actor/type.json) - default STIX vocabulary for expressing the subjective type of a threat actor. 
+[intended-effect](https://github.com/MISP/misp-galaxy/blob/master/vocabularies/threat-actor/intended-effect.json) - default STIX vocabulary for expressing the intended effect of a threat actor + +[motivation](https://github.com/MISP/misp-galaxy/blob/master/vocabularies/threat-actor/motivation.json) - default STIX vocabulary for expressing the motivation of a threat actor + +[planning-and-operational-support](https://github.com/MISP/misp-galaxy/blob/master/vocabularies/threat-actor/planning-and-operational-support.json) - default STIX vocabulary for expressing the planning and operational support functions available to a threat actor. + +[sophistication](https://github.com/MISP/misp-galaxy/blob/master/vocabularies/threat-actor/sophistication.json) - default STIX vocabulary for expressing the subjective level of sophistication of a threat actor. + +[type](https://github.com/MISP/misp-galaxy/blob/master/vocabularies/threat-actor/type.json) - default STIX vocabulary for expressing the subjective type of a threat actor. diff --git a/galaxy/figures/GalaxyList.png b/galaxy/figures/GalaxyList.png new file mode 100644 index 0000000..ba78d05 Binary files /dev/null and b/galaxy/figures/GalaxyList.png differ diff --git a/galaxy/figures/GalaxyMenu.png b/galaxy/figures/GalaxyMenu.png new file mode 100644 index 0000000..e9f4409 Binary files /dev/null and b/galaxy/figures/GalaxyMenu.png differ diff --git a/galaxy/figures/GalaxyUpdate.png b/galaxy/figures/GalaxyUpdate.png new file mode 100644 index 0000000..9bbd89f Binary files /dev/null and b/galaxy/figures/GalaxyUpdate.png differ diff --git a/galaxy/figures/GalaxyView.png b/galaxy/figures/GalaxyView.png new file mode 100644 index 0000000..b81f79a Binary files /dev/null and b/galaxy/figures/GalaxyView.png differ
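Review bot: the first hunk (`@@ -8,19 +8,37 @@`) introduces new typos and grammar errors while fixing old ones: the rewritten example sentence keeps "This cluster will contains informations about threat actor known as Sneaky Panda" (should be "will contain information about the threat actor"), "Galaxies can be reimported from the submodules by cliking" has "cliking" for "clicking", and "[MISP galaxy](https://github.com/MISP/misp-galaxy) are available on Github" needs "is available on GitHub". The new `> [warning] You need to have a specific role to manage Galaxies on a MISP instance.` should name the role (or link to the roles documentation), otherwise an administrator cannot act on it; and the added sentence "All galaxies will always be updated, even while browsing a specific galaxy." is worth a warning that this overwrites locally edited clusters from the submodules, since the paragraph above it says localized information is not shared.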
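Review bot: in the second hunk (`@@ -56,28 +74,29 @@`) the new Ransomware entry cites a raw `https://docs.google.com/spreadsheets/d/.../pubhtml` URL as its basis; a public Google Sheet is a mutable, unauthenticated source, so either credit the maintainer and pin the misp-galaxy JSON as the authoritative copy, or turn the URL into a proper link with a description like the other entries. The surrounding `[TDS - Traffic Direction System](clusters/tds.json)` line still uses a relative path while every other cluster entry links to `https://github.com/MISP/misp-galaxy/blob/master/clusters/...`, which renders as a broken link from this README; and the rewritten `[certainty-level](...) - Certainty level of an associated element or cluster` lacks the trailing period that the threat-actor vocabulary lines below it carry.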