diff --git a/GLOSSARY.md b/GLOSSARY.md index ecbe45e..35d1905 100644 --- a/GLOSSARY.md +++ b/GLOSSARY.md @@ -39,8 +39,11 @@ Attributes in MISP can be network indicators (e.g. IP address), system indicator ◦ An IDS flag on an attribute allows to determine if an attribute can be automated (such as being exported as an IDS ruleset or used for detection). If the IDS flag is not present, the attribute can be useful for contextualisation only. +## Observable +Some other SIEMs or formats (STIX) use the term observable. This is the same as an attribute in MISP-speak. Usually an observable is a MISP attribute without the IDS flag set. + ## MISP Event -MISP events are encapsulations for contextually linked information +MISP events are encapsulations for contextually related information represented as attribute and object. ## MISP Extended Events MISP can now extend an event (starting from version 2.4.90). This allows users to build full blown events that extend an existing event, giving way to a combined event view that includes a sum total of the event along with all extending events. 
@@ -149,6 +152,11 @@ You can add new Roles depending on your use case. The following permissions can ## Scheduled Tasks Certain common tasks can be scheduled for a later execution or for regular recurring executions. These tasks currently include caching all of the export formats, pulling from all eligible instances and pushing to all eligible instances. +## Standard MISP Install +Any MISP instance install that is strongly aligned with our [official install guides](https://misp.github.io/MISP/). +This is mostly to make sure you have a similar folder structure, /var/www/MISP for an Ubuntu Server Install. +It will also be easier to debug any Web Server issues or other system related problems. + ## Sync User A user of a role that grants sync permissions, these users (and their authentication keys) are used to serve as the points of connection between instances. Events pushed to an instance are pushed to a sync user, who then creates the events on the remote instance. Events pulled are added by the sync user that is used to connect the remote instance to your instance. As an administrator, keep in mind that a sync user needs auth key and publish permissions, has to have undergone the mandatory password change and has to have accepted the Terms of Use in order for the sync to work. Please make sure that all of these steps are taken before attempting to push or pull. diff --git a/README.md b/README.md index 2da1e34..0ef3836 100644 --- a/README.md +++ b/README.md @@ -29,6 +29,10 @@ We welcome contributions to the MISP book. If you want to contribute, fork the [
+## Format + +MISP book is available in [HTML](https://www.circl.lu/doc/misp/), [PDF](https://www.circl.lu/doc/misp/book.pdf), [ePub](https://www.circl.lu/doc/misp/book.epub) and [Kindle mobi format](https://www.circl.lu/doc/misp/book.mobi). + ## License The MISP user guide is dual-licensed under [GNU Affero General Public License version 3](http://www.gnu.org/licenses/agpl-3.0.html) and [CC-BY-SA 4.0 international](https://creativecommons.org/licenses/by-sa/4.0/). diff --git a/SUMMARY.md b/SUMMARY.md index 25bfc37..a8dd090 100755 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -20,9 +20,10 @@ * [Sightings](sightings/README.md) - in progress * [Warning lists](warninglists/README.md) - in progress * [Notice lists](noticelists/README.md) - in progress -* [Modules](modules/README.md) - in progress * [Categories and Types](categories-and-types/README.md) * [Synchronisation/Sharing](sharing/README.md) +* [External Connectors](connectors/README.md) +* [Modules](modules/README.md) - in progress * [ZeroMQ - MISP publish-subscribe](misp-zmq/README.md) * [Translations - i18n & l10n](translation/README.md) * [FAQ](faq/README.md) diff --git a/categories-and-types/README.md b/categories-and-types/README.md index cd3311f..2d1ef83 100644 --- a/categories-and-types/README.md +++ b/categories-and-types/README.md @@ -6,6 +6,7 @@ | --- |:---:|:---:|:---:|:---:|:---:|:---:| |AS| | | | X | | | |aba-rtn| | | | | X | | +|anonymised| X | X | X | X | X | X | |attachment| X | X | | X | | | |authentihash| | X | | | | | |bank-account-nr| | | | | X | | @@ -17,6 +18,7 @@ |campaign-id| | | X | | | | |campaign-name| | | X | | | | |cc-number| | | | | X | | +|cdhash| | X | | | | | |comment| X | X | X | X | X | X | |cookie| | X | | | | | |cortex| | | | X | | | @@ -64,6 +66,8 @@ |github-organisation| | | | | | | |github-repository| | | | X | | | |github-username| | | | | | | +|hassh-md5| | | | X | | | +|hasshserver-md5| | | | X | | | |hex| X | X | | | X | X | |hostname| | | | X | | | |hostname|port| | | | | | | 
@@ -77,6 +81,7 @@ |ip-src| | | | X | | | |ip-src|port| | | | X | | | |issue-date-of-the-visa| | | | | | | +|ja3-fingerprint-md5| | | | X | | | |jabber-id| | | | | | | |last-name| | | | | | | |link| X | | | X | | X | @@ -156,11 +161,13 @@ |x509-fingerprint-sha256| | X | X | X | | | |xmr| | | | | X | | |yara| | X | | | | | +|zeek| | | | X | | | |Category| Network activity | Other | Payload delivery | Payload installation | Payload type | Persistence mechanism | | --- |:---:|:---:|:---:|:---:|:---:|:---:| |AS| X | | X | | | | |aba-rtn| | | | | | | +|anonymised| X | X | X | X | X | X | |attachment| X | | X | X | | | |authentihash| | | X | X | | | |bank-account-nr| | | | | | | @@ -172,6 +179,7 @@ |campaign-id| | | | | | | |campaign-name| | | | | | | |cc-number| | | | | | | +|cdhash| | | X | X | | | |comment| X | X | X | X | X | X | |cookie| X | | | | | | |cortex| | | | | | | @@ -219,6 +227,8 @@ |github-organisation| | | | | | | |github-repository| | | | | | | |github-username| | | | | | | +|hassh-md5| X | | X | | | | +|hasshserver-md5| X | | X | | | | |hex| X | X | X | X | | X | |hostname| X | | X | | | | |hostname|port| X | | X | | | | @@ -232,6 +242,7 @@ |ip-src| X | | X | | | | |ip-src|port| X | | X | | | | |issue-date-of-the-visa| | | | | | | +|ja3-fingerprint-md5| X | | X | | | | |jabber-id| | | | | | | |last-name| | | | | | | |link| | | X | | | | 
@@ -306,16 +317,18 @@ |windows-scheduled-task| | | | | | | |windows-service-displayname| | | | | | | |windows-service-name| | | | | | | -|x509-fingerprint-md5| | | X | X | | | +|x509-fingerprint-md5| X | | X | X | | | |x509-fingerprint-sha1| X | | X | X | | | -|x509-fingerprint-sha256| | | X | X | | | +|x509-fingerprint-sha256| X | | X | X | | | |xmr| | | | | | | |yara| | | X | X | | | +|zeek| X | | | | | | |Category| Person | Social network | Support Tool | Targeting data | | --- |:---:|:---:|:---:|:---:| |AS| | | | | |aba-rtn| | | | | +|anonymised| X | X | X | X | |attachment| | | X | | |authentihash| | | | | |bank-account-nr| | | | | @@ -327,6 +340,7 @@ |campaign-id| | | | | |campaign-name| | | | | |cc-number| | | | | +|cdhash| | | | | |comment| X | X | X | X | |cookie| | | | | |cortex| | | | | @@ -374,6 +388,8 @@ |github-organisation| | X | | | |github-repository| | X | | | |github-username| | X | | | +|hassh-md5| | | | | +|hasshserver-md5| | | | | |hex| | | X | | |hostname| | | | | |hostname|port| | | | | @@ -387,6 +403,7 @@ |ip-src| | | | | |ip-src|port| | | | | |issue-date-of-the-visa| X | | | | +|ja3-fingerprint-md5| | | | | |jabber-id| | X | | | |last-name| X | | | | |link| | | X | | @@ -466,6 +483,7 @@ |x509-fingerprint-sha256| | | | | |xmr| | | | | |yara| | | | | +|zeek| | | | | ### Categories @@ -491,6 +509,7 @@ * **AS**: Autonomous system * **aba-rtn**: ABA routing transit number +* **anonymised**: Anonymised value - described with the anonymisation object via a relationship * **attachment**: Attachment with external information * **authentihash**: Authenticode executable signature hash * **bank-account-nr**: Bank account number without any routing number 
@@ -502,6 +521,7 @@ * **campaign-id**: Associated campaign ID * **campaign-name**: Associated campaign name * **cc-number**: Credit-Card Number +* **cdhash**: An Apple Code Directory Hash, identifying a code-signed Mach-O executable file * **comment**: Comment or description in a human language * **cookie**: HTTP cookie as often stored on the user web client. This can include authentication cookie or session cookie. * **cortex**: Cortex analysis result @@ -549,6 +569,8 @@ * **github-organisation**: A github organisation * **github-repository**: A github repository * **github-username**: A github user name +* **hassh-md5**: hassh is a network fingerprinting standard which can be used to identify specific Client SSH implementations. The fingerprints can be easily stored, searched and shared in the form of an MD5 fingerprint. +* **hasshserver-md5**: hasshServer is a network fingerprinting standard which can be used to identify specific Server SSH implementations. The fingerprints can be easily stored, searched and shared in the form of an MD5 fingerprint. * **hex**: A value in hexadecimal format * **hostname**: A full host/dnsname of an attacker * **hostname|port**: Hostname and port number seperated by a | @@ -562,6 +584,7 @@ * **ip-src**: A source IP address of the attacker * **ip-src|port**: IP source and port number seperated by a | * **issue-date-of-the-visa**: The date on which the visa was issued +* **ja3-fingerprint-md5**: JA3 is a method for creating SSL/TLS client fingerprints that should be easy to produce on any platform and can be easily shared for threat intelligence. * **jabber-id**: Jabber ID * **last-name**: Last name of a natural person * **link**: Link to an external information @@ -641,3 +664,4 @@ * **x509-fingerprint-sha256**: X509 fingerprint in SHA-256 format * **xmr**: Monero Address * **yara**: Yara signature +* **zeek**: An NIDS rule in the Zeek rule-format 
diff --git a/connectors/README.md b/connectors/README.md new file mode 100644 index 0000000..da4b0fe --- /dev/null +++ b/connectors/README.md 
@@ -0,0 +1,175 @@ +# External Connectors + +Below you will find various tweaks and tips when integrating 3rd party connectors. + +## Microsoft Azure Sentinel + +[Azure Sentinel](https://azure.microsoft.com/en-us/services/azure-sentinel/) + +# MISP to Microsoft Graph Security Script +The script provides clients with MISP instances to migrate threat indicators to the Microsoft Graph Security API. + +For more information on Microsoft Security Graph visit [Microsoft Graph] (https://developer.microsoft.com/en-us/graph) + +## Prerequisites +Before installing the sample: +* Install Python 3.x version from https://www.python.org/. +* To register your application for access to Microsoft Graph, you'll need either a [Microsoft account](https://www.outlook.com/) or an [Office 365 for business account](https://msdn.microsoft.com/en-us/office/office365/howto/setup-development-environment#bk_Office365Account). If you don't have one of these, you can create a Microsoft account for free at [outlook.com](https://www.outlook.com/). + +## Getting Started +After the prerequisites are installed or met, perform the following steps to use these scripts: + +1. Download or clone this repository. +1. Go to directory `security-api-solutions/Samples/MISP` +1. Install dependencies. In the command line, run `pip3 install requests requests-futures pymisp` +1. To run script, go to the root directory of misp-graph-script and enter `PYTHONHASHSEED=0 python3 script.py` in the command line. + +## App Registration +To configure the samples, you'll need to register a new application in the Microsoft [Application Registration Portal](https://apps.dev.microsoft.com/). +### Follow these steps to register a new application: +1. Sign in to the [Azure Portal](https://portal.azure.com/) using either your personal or work or school account. + +1. Under My Azure Active Directory, choose App registrations (if you are suggested to use the preview, use that) choose New registration. + +1. 
Enter an application name, and choose Register + +1. Next you'll see the registration page for your app. Copy and save the `Application (client) Id` & `Directory (tenant) ID` field.You will need it later to complete the configuration process. + +1. Under Certificates & secrets, choose `New client secret` and give it a name. A new password will be displayed under Client secrets. Copy this password. This will be your `client secret`. You will need it later to complete the configuration process. + +1. Under Authentication, find Implicit grant choose both `Access tokens` & `ID tokens` and save. + +1. Under API permissions click `Add a permission`, choose Microsoft Graph, under `Application permissions`, under ThreatIndicators add ThreatIndicators.ReadWrite.OwnedBy. You will be taken back to the API permissions screen, click `Grant admin consent for Default Directory` + >Note: See the [Microsoft Graph permissions reference](https://developer.microsoft.com/en-us/graph/docs/concepts/permissions_reference) for more information about Graph's permission model. + +1. Modify the RequestManager.py file to comment out line 121-124. (This allows the script to run without failing due to line 123 being divided by `avg_speed` incase it starts as `0`. + +1. Modify the script.py to add in `config.misp_verifycert` at line 13. Ensure it looks like below. +``` + misp = PyMISP(config.misp_domain, config.misp_key, config.misp_verifycert) +``` + +1. Modify config.py file to add in `misp_verifycert = False` anywhere in the file. + +As the final step in configuring the script, modify the config.py file in the root folder of your cloned repo. + +Update tenent, client_id, and client_secret in config.py +``` +graph_auth = { + 'tenant': '', + 'client_id': '', + 'client_secret': '', +} +``` +Once changes are complete, save the config file. 
+ +## Configurations +### Target Product +`targetProduct = "Azure Sentinel"` + +### Misp Event Filter +Filters can be set in the config.py file under the "misp_event_filters" property + +Below is a list of parameters that can be passed to the filter (source: https://pymisp.readthedocs.io/modules.html): +* values – values to search for +* not_values – values not to search for +* type_attribute – Type of attribute +* category – Category to search +* org – Org reporting the event +* tags – Tags to search for +* not_tags – Tags not to search for +* date_from – First date (Format: '2019-01-01') +* date_to – Last date (Format: '2019-01-01') +* last – Last published events (for example 5d or 12h or 30m) +* eventid – Evend ID +* withAttachments – return events with or without the attachments +* uuid – search by uuid +* publish_timestamp – the publish timestamp (Note: Uses UNIX timestamp. Format: '1551811160') +* published – return only published events (Format: True or False) + +A list or a specific value can be passed to the above parameters. If a list is passed to the parameter, the filtered events are the result of the union of provided list. + +This field needs to be a list that contains multiple filters. The filtered events are the result of the intersection of provided filters. + +#### First Example of How This Field can be Configured +``` +misp_event_filters = [ + { + "type_attribute": 'mutex' + }, + { + "type_attribute": 'filename|md5' + }, +] +``` +An event meets this filtering criteria if the event has an attribute with attribute type of 'mutex' AND the event has an attribute with attribute type of 'filename|md5'. + +#### Second Example of How This Field can be Configured +``` +misp_event_filters = [ + { + "type_attribute": ['mutex', 'filename|md5'] + } +] +``` +An event meets this filtering criteria if the event has an attribute with attribute type of 'mutex' OR the event has an attribute with attribute type of 'filename|md5'. 
+ +#### Third Example of How This Field can be Configured +``` +misp_event_filters = [ + { + "values": 'http://www.test.com' + } +] +``` +An event meets this filtering criteria if the event has an attribute with attribute value of 'http://www.test.com'. + +#### Fourth Example of How This Field can be Configured +``` +misp_event_filters = [] +``` +This gets all events. + +### Action +`action = "alert"` (This is default). + +### Passive Only +`passiveOnly = False` (This is default). + +### Days to Expire +This property is used to specify the amount of days the records will expire in Microsoft Graph Security API. The default value for days to expire is 30. + +`days_to_expire = 5` + +### Misp Key +The Misp Auth Key is required to fetch data from your Misp instance. +Configure a sync user. + +`misp_key = ''` + +### Verify Cert +This gives you the option to choose if python should validate the certificate of the misp instance. (This allows ease within testing environments) + +`misp_verifycert = False` IT IS RECOMENDED TO USE A VALID SSL CERT IN PRODUCTION AND CHANGE THIS TO TRUE + +## Instructions on Reading TiIndicators That Have Been Pushed +In the command line, run `python3 script.py -r` + +## Instructions on Seeing All Requests That Resulted in Errors +1. In the command line, run `cd logs` to go to the logs folder. +2. * To print all the requests that resulted in errors to the console, simply run `cat *_error_*` in the command line. + * To aggregate all the requests that resulted in errors to a file, run `cat *_error_* > .txt` in the command line. + +## Script Output +As the script runs, it prints out the request body sent to the Graph API and the response from the Graph API. + +Every request is logged as a json file under the directory "logs". The name of the json file is the datetime of when the request is completed. 
+ +## Schedule with CRONTAB +Below is a CRONTAB entry example of running the script every Sunday at 2am + +0 2 * * Sun /home/mark/misp-graph-script/python3 script.sh + + + +This README.md has been adapted from the README.md found here [Microsoft Graph MISP sample](https://github.com/microsoftgraph/security-api-solutions/blob/master/Samples/MISP/README.md) diff --git a/faq/README.md b/faq/README.md index 3792440..21606cb 100644 --- a/faq/README.md +++ b/faq/README.md @@ -2,7 +2,60 @@ # Frequently Asked Questions -The following page hosts most frequently asked questions as seen on our [issues](https://github.com/MISP/issues) and [gitter](https://gitter.im/MISP/MISP). +The following page hosts most frequently asked questions as seen on our [issues](https://github.com/MISP/issues) and [gitter](https://gitter.im/MISP/Support). + +## Usage + +### How can I see all the deleted events in a MISP instance? + +You can use the logging system for this, to see all deleted events, simply go to audit actions -> search logs and use the following parameters: + +~~~~ + model: Event + action: delete +~~~~ + +This will list all event deletions. To find out more about what a particular deleted event +was, simply grab the ID from the above search results and search for: + +~~~~ + model: Event + action: add + model_id: +~~~~ + +To do the same via the API, first search for the deletions: + +~~~~ + POST request: + url: https://url.of.your.misp/logs/index + headers: + Authorization: + Accept: application/json + Content-type: application/json + Body: + { + "model": "Event", + "action": "delete" + } +~~~~ + +Then find the individual event's metadata that was deleted + +~~~~ + POST request: + url: https://url.of.your.misp/logs/index + headers: + Authorization: + Accept: application/json + Content-type: application/json + Body: + { + "model": "Event", + "action": "add", + "model_id": "" + } +~~~~ ## Permission issues 
@@ -113,6 +166,107 @@ There is no official procedure to uninstalling a MISP instance. If you want to re-use a machine where MISP was installed, wipe the machine and do a fresh install. Consider the data in your MISP instance as potentially confidential and if you synchronized with other instances, be respectful and wipe it clean. + +## Updating PyMISP to incorporate newer versions of the MISP object templates + +In some cases, for instance if a newer version of a MISP object is present on the server but not yet on PyMISP, you want to reflect the current state in your PyMISP installation. + +In order to do so, perform the following steps. It fetches the latest object templates and installs PyMISP again: + +``` +git clone https://github.com/MISP/PyMISP.git +cd PyMISP/pymisp/data +git submodule update --init +cd misp-objects +git pull origin master +cd ../../../ +sudo pip3 install -I . +``` + + +## How to disable freetext/custom/user-created tags and only allow certain tags + +Remove the "tag editor" from the permissions that you grant to users. +Set all tags that you do not want to "hidden". +There is a server setting to treat all incoming tags as hidden by default: `MISP.incoming_tags_disabled_by_default` + +**Important** Make sure that you don't remove "tag editor" from sync users, or you'll be stripping tags from synchronized data. + + +## How to enable the csv import module? + +First you have to enable the import services: double-click on "false" in the very first line and change it to "true". + +In Server Settings & Maintenance -> Plugin Settings -> Import -> set "Plugin.Import_csvimport_enabled" to true. +Afterwards you'll find the csvimport from within the newly created event: "Populate from..." + +Don't use from the main site ("Import from..."). + + +## Why do I see 'The request has been black-holed' when I submit forms? + +That's a security measure for form tampering protection. + +All forms have a timeout (~15min) and all of them can only be submitted once. 
If you use your browser's "back" button and resubmit the form MISP will consider it as a potential attempt at form tampering. + + +## Importing large feeds creates PHP Fatal error + +When importing a large feed like the CIRCL feed, the job reaches 99% and then fails. +The log file records: +``` +PHP Fatal error: Allowed memory size of 536870912 bytes exhausted (tried to allocate 1941504 bytes) in /var/www/MISP/app/Model/Feed.php on line 691 +``` + +In this case you will need to increase the memory_limit option in `php.ini` file + + +## I deleted the admin user by mistake + + +Now, I only have Org Admin. + +You have several options: + +1. Delete the org admin. MISP automatically creates a new default site admin user if no users are found in the db (mysql: truncate users;) + +2. Upgrade a user to a site admin, such as an org admin user: +``` +SELECT id, email from users; +``` +Note down the ID you want to upgrade. Let's say this is 2 for the example's sake. +``` +SELECT id, name from roles; +``` +Note down the role ID you want to upgrade. Let's say this is 1 for the example's sake. +``` +UPDATE users set role_id = 1 where id = 2; +``` + +## config.php is not writeable + +``` +Warning: app/Config/config.php is not writeable. This means that any setting changes made here will NOT be saved. 
+``` + +According to the install guide, make sure to: +``` +chown -R apache:apache /var/www/MISP +find /var/www/MISP -type d -exec chmod g=rx {} \; +chmod -R g+r,o= /var/www/MISP +``` +If it still doesn't work, make sure SELinxu is not enabled or modify the rule set: +``` +chcon -t httpd_sys_rw_content_t /var/www/MISP/app/files +chcon -t httpd_sys_rw_content_t /var/www/MISP/app/files/terms +chcon -t httpd_sys_rw_content_t /var/www/MISP/app/files/scripts/tmp +chcon -t httpd_sys_rw_content_t /var/www/MISP/app/Plugin/CakeResque/tmp +chcon -R -t httpd_sys_rw_content_t /var/www/MISP/app/tmp +chcon -R -t httpd_sys_rw_content_t /var/www/MISP/app/webroot/img/orgs +chcon -R -t httpd_sys_rw_content_t /var/www/MISP/app/webroot/img/custom +``` + + diff --git a/misp-object/README.md b/misp-object/README.md index 5bc5945..b39a48b 100644 --- a/misp-object/README.md +++ b/misp-object/README.md 
@@ -11,10 +11,15 @@ Objects can be added by using the side menu: This will open a popup where you can choose the type of object: ![Object Popup](figures/select_obj_cat.png) -![Object Popup All](figures/select_object.png) +If there are only few templates available for this type, they will all be shown this way: +![Object Popup All](figures/select_object1.png) +Otherwise you will be able to search and select the desired object within a scrolling list (a search field is available) + ![Object Popup All](figures/select_object2.png) +A description of each object is shown by hovering the info icon or directly besides it. For this example we will try to add an ip|port object: ![ip|port form](figures/object_ipport.png) +Note: This screenshot displays an old version of the template For some objects, there might be attributes that required to be set. For instance in this object, there is a required attribute, "Ip", and it is also required to set one of the attributes between "dst-port" and "src-port". If these requirements are not met, the object will not be valid and therefore not added to the event. Also you can't add an object without setting any attribute. After pressing "Submit, you are given the possibility to review your object before saving it. 
@@ -22,21 +27,20 @@ After pressing "Submit, you are given the possibility to review your object befo ### Creating object -An object is designed using a JSON file which should repect a format described in [this document](https://github.com/MISP/misp-objects/blob/master/schema_objects.json). +An object is designed using a JSON file which should respect a format described in [this document](https://github.com/MISP/misp-objects/blob/master/schema_objects.json). -An object is basically a combinaison of two or more attributes that can be used together to represent real cyber security use-cases. These attributes are listed in a JSON object. +An object is basically a combination of two or more attributes that can be used together to represent real cyber security use-cases. These attributes are listed in a JSON object. -Each attribute is an JSON object defined by a name, a description, a misp-attribute and an ui-priority value. -- Name and description are self-explanatory. -- misp-attribute is an existing type of attribute in misp that matches the attribute. +Each attribute is an JSON object defined by a name, a description, a misp-attribute and an ui-priority value. +- Name and description are self-explanatory. +- misp-attribute is an existing type of attribute in misp that matches the attribute. - Concerning ui-priority, the higher the number is, the most it is expected to be seen. There are also others options that can be added to define an attribute more precisely. - sane_default is a list of default valid value for this attribute. The user can pick a value from this list or choose "Enter value manually" -- disable_correlation will disable correlation for this value. Usefull for dates for instance +- disable_correlation will disable correlation for this value. Useful for dates for instance - recommended value for this field - multiple, if set to true, allow the user to add multiple instances of this attribute. -Not all attributes are mandatory, but some can be required. 
If s, they need to be listed in a list called "required". The object will only be valid if the listed attributes are set. -The same way, there are sometimes when only one attribute in a set is needed. This set can be put in a list called "requiredOneOf". If at least oen of the attributes in this list is set, the object will be valid. - +Not all attributes are mandatory, but some can be required. If so, they need to be listed in a list called "required". The object will only be valid if the listed attributes are set. +The same way, there are sometimes when only one attribute in a set is needed. This set can be put in a list called "requiredOneOf". If at least oen of the attributes in this list is set, the object will be valid. diff --git a/misp-object/figures/select_obj_cat.png b/misp-object/figures/select_obj_cat.png index 6e5801b..86348f7 100644 Binary files a/misp-object/figures/select_obj_cat.png and b/misp-object/figures/select_obj_cat.png differ diff --git a/misp-object/figures/select_object.png b/misp-object/figures/select_object.png deleted file mode 100644 index cf7dd45..0000000 Binary files a/misp-object/figures/select_object.png and /dev/null differ diff --git a/misp-object/figures/select_object1.png b/misp-object/figures/select_object1.png new file mode 100644 index 0000000..743d84e Binary files /dev/null and b/misp-object/figures/select_object1.png differ diff --git a/misp-object/figures/select_object2.png b/misp-object/figures/select_object2.png new file mode 100644 index 0000000..a677c94 Binary files /dev/null and b/misp-object/figures/select_object2.png differ diff --git a/misp-zmq/README.md b/misp-zmq/README.md index 3d122eb..bab642b 100644 --- a/misp-zmq/README.md +++ b/misp-zmq/README.md 
@@ -32,6 +32,13 @@ Prior to enabling it, make sure that you have the pyzmq installed by running ~~~~ sudo pip install pyzmq +sudo pip install redis +~~~~ + +If you have problems and the plugin does not start, the logfile may be helpful. + +~~~~ +sudo cat /var/www/MISP/app/tmp/logs/mispzmq.error.log ~~~~ ![ZeroMQ configuration](./figures/zmq-config.png) diff --git a/noticelist/README.md b/noticelist/README.md new file mode 100644 index 0000000..39ee720 --- /dev/null +++ b/noticelist/README.md @@ -0,0 +1,3 @@ + + +## MISP-noticelist diff --git a/quick-start/README.md b/quick-start/README.md index 791ae14..2ac7509 100644 --- a/quick-start/README.md +++ b/quick-start/README.md 
@@ -2,8 +2,10 @@ And Justice for All! --> # Quick Start -The Malware Information Sharing Platform (MISP) tool facilitates the exchange of Indicators of Compromise (IOCs) about targeted malware and attacks, within your community of trusted members. MISP is a distributed IOC database containing technical and non-technical information. Exchanging such information should result in faster detection of targeted attacks and improve the detection ratio, whilst also reducing the number of false positives. -With the focus on automation and standards, MISP provides you with a powerful API via PyMISP, jump ahead to these chapters to get started. + +MISP (Open Source Threat Intelligence and Sharing Platform) software facilitates the exchange and sharing of threat intelligence, Indicators of Compromise (IOCs) about targeted malware and attacks, financial fraud or any intelligence within your community of trusted members. MISP sharing is a distributed model containing technical and non-technical information which can be shared within closed, semi-private or open communities. Exchanging such information should result in faster detection of targeted attacks and improve the detection ratio, whilst also reducing the number of false positives. + +With the focus on automation and standards, MISP provides you with a powerful ReST API, extensibility (via misp-modules) or additional libraries such as PyMISP, jump ahead to these chapters to get started. ## Login into MISP
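Review bot: In GLOSSARY.md hunk `@@ -39,8 +39,11 @@`, the new Observable entry opens with "Some other SIEMs or formats (STIX)", but STIX is an exchange format, not a SIEM, and the entry first says an observable "is the same as an attribute" and then narrows it to attributes without the IDS flag; suggest "Other tools and formats such as STIX use the term observable. In MISP terms this corresponds to an attribute, usually one without the IDS flag set." The reworded MISP Event line should also read "represented as attributes and objects".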
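Review bot: In GLOSSARY.md hunk `@@ -149,6 +152,11 @@`, the Standard MISP Install entry is a sentence fragment and its second sentence mixes the purpose with the example; suggest "A MISP instance installed following our official install guides. This mainly guarantees a familiar folder structure (for example /var/www/MISP on an Ubuntu server install), which makes web server and other system problems easier to debug." Other chapters touched by this patch (the misp-zmq log path and the config.php FAQ entry) depend on exactly that path, so they could link to this entry.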
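Review bot: In categories-and-types/README.md hunk `@@ -64,6 +66,8 @@` and the following `@@ -77,6 +81,7 @@`, the context rows `|hostname|port| ...` and `|ip-src|port| ...` contain an unescaped `|` inside the type name, which splits the cell and shifts every X in that row one column to the right when the table renders; since this patch is already editing these tables, escape them as `hostname\|port` and `ip-src\|port` in the same change (the same rows recur in the other two tables).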
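Review bot: In categories-and-types/README.md hunk `@@ -549,6 +569,8 @@`, the two hassh entries are near-duplicates of each other and longer than every neighbouring description; suggest "hassh-md5: MD5 of the hassh fingerprint identifying an SSH client implementation" and "hasshserver-md5: MD5 of the hasshServer fingerprint identifying an SSH server implementation". The adjacent context lines for `hostname|port` and `ip-src|port` carry the typo "seperated" (twice), worth fixing while these lists are being touched.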
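Review bot: In categories-and-types/README.md hunk `@@ -641,3 +664,4 @@`, "An NIDS rule in the Zeek rule-format" is vague, since Zeek ships scripts and signatures rather than one "rule format"; if the type is meant to hold content for Zeek's signature framework, say so ("A Zeek signature (NIDS rule) in Zeek's signature format") so that users know what to put in the value, and keep the category assignments given for `zeek` in the tables above (External analysis, Network activity) consistent with that meaning.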
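Review bot: In connectors/README.md (hunk `@@ -0,0 +1,175 @@`), the App Registration steps enable "Implicit grant" for both `Access tokens` and `ID tokens`, yet the script authenticates with a client secret and the application permission ThreatIndicators.ReadWrite.OwnedBy, i.e. the client-credentials flow, for which implicit grant is not needed; enabling it only widens what the registration can be used for, so drop that step or state why it is required. In the same vein, step 10 hard-codes `misp_verifycert = False` while the Verify Cert section tells readers to use True in production; document True as the default and False as a test-only override, and under Misp Key prefer a dedicated user with only the read permissions the script needs over a sync user. Smaller points: `[Microsoft Graph] (https://developer.microsoft.com/en-us/graph)` has a space before the parenthesis and will not render as a link; the headings go from `## Microsoft Azure Sentinel` back up to `# MISP to Microsoft Graph Security Script`, so the Graph section and its children should be demoted one level; "this repository" in Getting Started step 1 should name the upstream sample repository (its URL already appears in the attribution line at the end), and step 2 (`security-api-solutions/Samples/MISP`) and step 4 ("root directory of misp-graph-script") disagree on the directory; the RequestManager.py step relies on line numbers 121-124 of a third-party file and has an unclosed parenthesis, so describe the code to comment out instead, or better, guard the division by `avg_speed` against zero; "tenent" and "RECOMENDED" are typos; the CRONTAB example `/home/mark/misp-graph-script/python3 script.sh` points at a `python3` inside the script directory and at `script.sh` although the script is `script.py` and the earlier steps require `PYTHONHASHSEED=0`, so something like `0 2 * * Sun cd /path/to/misp-graph-script && PYTHONHASHSEED=0 python3 script.py` is what is meant; and `cat *_error_* > .txt` is missing a file name before `.txt`.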
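Review bot: In faq/README.md hunk `@@ -2,7 +2,60 @@`, the two API examples leave the `Authorization:` and `"model_id":` values empty without saying they are placeholders; write them as `Authorization: <your auth key>` and `"model_id": "<id from the previous search>"` so nobody pastes them verbatim, and say which role permission the log search needs, since not every user can reach audit actions. "Then find the individual event's metadata that was deleted" needs a colon, and the indented bodies inside the `~~~~` fences would be easier to copy without the leading spaces.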
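Review bot: In faq/README.md hunk `@@ -113,6 +166,107 @@`, option 1 of "I deleted the admin user by mistake" suggests `truncate users;`, which drops every user account and their authentication keys, not just the org admin; say so explicitly, recommend a database backup first, and add that the automatically created default site admin must have its credentials changed right away. In the csv import section the sentence "double-click on 'false' in the very first line" comes before the sentence that says where that line is; swap them, and "Don't use from the main site ('Import from...')" should read "Don't use the 'Import from...' entry on the main page". In the config.php section "SELinxu" should be "SELinux", and `sudo pip3 install -I .` in the PyMISP section installs into the system Python, so mention a virtualenv as the alternative.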
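Review bot: In misp-object/README.md hunk `@@ -11,10 +11,15 @@`, "directly besides it" should be "directly beside it" and "only few templates" should be "only a few templates"; the added note "This screenshot displays an old version of the template" is more useful if figures/object_ipport.png is refreshed, or at least if the note says which template version is shown. Since this patch deletes figures/select_object.png, check that no other chapter still references that file.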
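Review bot: In misp-object/README.md hunk `@@ -22,21 +27,20 @@`, the rewritten lines still carry "oen" (should be "one"), "an JSON object" (should be "a JSON object"), "the most it is expected to be seen" (should be "the more likely it is to be shown") and "there are sometimes when" (should be "there are cases where"); fix them while this text is already being touched. Several lines ("Each attribute is an JSON object...", "Name and description...", "misp-attribute is...") change only in trailing whitespace, which makes the diff noisier than the wording fixes warrant.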
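Review bot: In misp-zmq/README.md hunk `@@ -32,6 +32,13 @@`, `sudo pip install redis` is added without a word on why the ZeroMQ plugin needs the Redis client library; one sentence (the publisher takes its messages from Redis) would help readers who already have pyzmq and wonder about the extra dependency. The log path `/var/www/MISP/app/tmp/logs/mispzmq.error.log` assumes the Standard MISP Install defined in the glossary in this same patch, so say so, and `tail` or `less` would be more helpful than `sudo cat` for a growing error log.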
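Review bot: In noticelist/README.md (hunk `@@ -0,0 +1,3 @@`), the new chapter is created under `noticelist/` while SUMMARY.md links `noticelists/README.md`, so the book build will not pick this file up; align the directory name with the summary entry (or change the entry). The file is also just a `## MISP-noticelist` heading after two blank lines; start it at `#` like the other chapters and either add the content or mark it "in progress" as the summary does.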
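Review bot: In quick-start/README.md hunk `@@ -2,8 +2,10 @@`, "ReST API" should be "REST API", and the last sentence splices two thoughts with a comma; suggest "...or additional libraries such as PyMISP. Jump ahead to those chapters to get started." The opening "MISP (Open Source Threat Intelligence and Sharing Platform) software facilitates" reads better as "MISP, the Open Source Threat Intelligence and Sharing Platform, facilitates".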