misp-book/user-stories

MISP User Stories

User story	Example workflow
As a lead threat intelligence analyst, I want to lead a team focused on hunting down threats so that I can prevent attacks against ICT infrastructures and organizations	Monitor what teams are up to in real-time using the Live Dashboard
As a threat analyst, I want to research, analyze and reverse engineer malware so that I can know how to counter it	Attach and download files and malware samples from events Search for hashes/IPs/domains/URLs from malware events, or add malware samples hashes to an event Analyse observables and malware collected during an incident (e.g. domain name, IP addresses etc.) by checking whether observables are IoCs or false positives using ‘correlation graph’ and ‘expansion modules’. Enrich malware events by querying data sources external to MISP using modules Perform dynamic malware analysis correlations Submit events with malware samples to analysis tools (e.g VirusTotal, VMRay) for further analysis, and then extend MISP with malware analysis results
As a lead threat intelligence analyst, I want to convert threat data into actionable threat intelligence so that I can improve security posture.	Import data from external sources Add feeds Contextualise events and attributes using tags, taxonomies and galaxies
As a threat analyst, I want to exchange threat information with third parties so that we can gain shared situational awareness	Setup different models of distribution on MISP instance Sync events and attributes between instances Use filtering functionalities to meet an organisation's sharing policy Share information, pentest information, malware samples, vulnerabilities internally and externally Use feature/achievements widget adding gamification to the information sharing
As a threat analyst, I want to monitor threats and access live data so that I can manage threats before they cause major damage	Import lists of indicators and check if the IOCs are present in feeds. Monitor statistics and sightings using widgets Show live data and stats from one or more MISP instances via the Dashboard Process information in real-time when it's updated, created, or published by instances by integrating with ZMQ Use sightings to notify an instance about activities related to an indicator
As a threat analyst, I want to aggregate and compare indicators from various sources so that I can connect the dots between various threats	Join communities and subscribe to the feeds Add events and assign events to specific feeds Correlate indicators using MISP's automated correlation engine Use the overlap feed analysis available in MISP Link events and attributes using the correlation graph Analyse and gain more information on attributes using modules Link events with malware, threat actors etc using galaxies (e.g ATT&CK)
As a threat analyst, I want to have a structured database of threat data that I can use to perform lookups/queries when investigating new threats	Store information in a structured format using STIX Import unstructured reports using the free-text import tool Use MISP as a centralized hub for security and fraud threat intel. Centralize threat intel by aggregating indicators from OSINT and commercial feeds Remove false positives and duplicates Score indicators based on Sightings and other metrics Import/integrate feeds or threat intelligence from third parties Generate, select, exchange, and collect intelligence using feeds Select and import events Look for correlations between events using the correlation graph Build filtered subsets of the data repository for feed creation. Preview and correlate feed data directly for evaluation
As a threat analyst, I want to contextualize and enrich raw threat data so that I can produce actionable intelligence	Understand attacker TTPs by using taxonomies to link events Categorize risks and incidents using galaxies and taxonomies Quickly classify information using tags collections Contextualise sightings with information on the source Enrich IDSes export with tags to fit your NIDS deployment Decay attributes and score indicators using sightings (reported by IDSes) Describe and visualise complex scenarios using MISP's richer data structure Allow advanced combination of attributes using MISP objects
As a threat analyst, I want to investigate threats so that I can protect computer systems from attacks	Find relevant data for investigations from MISP communities. Preview new MISP events and alerts from multiple sources such as email reports, CTI providers, and SIEMs Query a MISP instance for events that include a given IOC. Browse through other MISP events, attributes, objects, tags, and galaxies Create events, add IoCs (attributes), and contextualise (using tags) Pivot an event into its attributes, objects, tags, galaxies, and/or related Events Explore further details from Galaxies and related Events Categorize available related information within the ATT&CK framework. Query tools (e.g Cytomic Orion API) to check if certain MISP indicators have been observed, and the import sighting details to add them to MISP events Prioritize threats using Sightings collected from users, scripts and IDSes. Decay/expire indicators using sightings reported by users, scripts and IDSes Launch lookups from MISP against SIEMs as part of an investigation Correlate network forensic flows from several tools
As a SOC team, we want to ingest, analyse, store and make connections between threat data so as to discover potential threats	See connections between events using the correlations graph Import CVEs and vulnerabilities (e.g from MetaSploit) and contextualise them Contextualise CVEs using events gotten from articles/reports Convert CVE information into a feed Pull shared CVE feeds Combine collected data with your MISP data set for correlation Share correlated info to the team using the export function or API search View current threats and activity, historical, geolocalized information using MISP Dashboard
As a junior SOC analyst, I want to enrich alerts so that I can "punch above my weight" and make connections that would have otherwise required more experience	Create events, add/import observables Use Cortex and its analyzers to gain insight Leverage tags, sightings, and previously-seen observables to feed your threat intelligence Export IOCs to MISP instances after investigations are complete Integrate MISP with Maltego to generate visualisations of data Integrate MISP with Elastic to access threat data without the complexities of the MISP interface. Push attributes from MISP to Elastic and have a representation with graphs, an alternative to using MISP Dashboard. Create taxonomies using the taxonomy editor. Contextualise data using taxonomies, clusters and galaxies
As a SOC analyst, I want to customize risk feeds to ignore or downgrade alerts that do not match organization/ industry-specific criteria, so that I can focus on relevant alerts	Filter incidents based on taxonomies (e.g the veris country taxonomy to indicate countries affected by an incident) Normalise external input and feeds in MISP (e.g. feed importer). Compare feeds before import to find similarities and false positives. Evaluate the quality of the information before importing it (warning-list lookups at feed evaluation)
As a SOC analyst, I want to share real-time information pertaining to new or existing cases/observables to team members so that we can collaborate on investigations simultaneously	Control threat sharing using ‘distribution settings’: sharing group, community-only, connected communities, all communities. Share sensitive and confidential events using the ‘sharing group’ functionality Measure the impact of an incident using taxonomies based on NISD/OESs impact criteria Export and share sightings in ATT&CK sightings format to give insights on TTPs and frequency of usage
As a SOC analyst, I want to rule out false positives so that I can focus on significant threats	Weed out false positives using warning lists Crowd source data validation from community Filter indicators based on specific criteria Receive information on false positives using collaborative tools (proposals, sightings)
As a threat analyst, I want to remove false positives, filter and prioritize alerts so that I can focus on what really matters to my organization	Evaluate the quality and freshness of indicators using decaying models Enforce warninglists to exclude events with certain attributes Enable warninglists to alert for certain issues Classify information (add/remove tags) based on their score or visibility via sightings Use tags to set events or attributes for further processing by external tools (e.g. VirusTotal auto-expansion using Viper) Notify an instance about activities related to an indicator via Sighting Limit NIDS exports and improve rules using Sightings Filter indicators based on specific criteria Filter out relevant data when feeding protective tools
As a security analyst, I want to unravel the inner workings of a malicious file, phishing email or domain so that I can prevent attacks	Integrate MISP with a Security Incident Response Platform (e.g TheHive) Import indicators from MISP into the SIRP for further analysis
As a security analyst, I want to create blacklists/whitelists (e.g of domains) so that I can protect customers from malicious activity	Import threat data into MISP from synced servers and label using taxonomies Enable warning lists, and exclude attributes that exist on the warning lists Create lists with preferred attributes and export the list in an easy accessible format as CSV
As a security analyst, I need a real-time overview of threat information so that I can quickly glance at important metrics	Integrate ZMQ to access a dashboard showing live data and stats Monitor ongoing trends based on interests using the EventStream widget Monitor activity in real-time on MISP dashboard by subscribing to ZMQ feeds View immediate contributions made by organisations from MISP's live dashboard Find threats within your constituency using MISP Geolocalisation Dashboard Get geospatial threat information from specific regions using the Geolocalisation Dashboard
As a security analyst, I want to automate repetitive tasks related to data normalization, importation, aggregation and enrichment so that I can have more time to put into threat analysis efforts	Automate tasks using PyMISP Use PyMISP for Scripted processing of events and attributes
As a security analyst, I want to collaborate with other analysts within and out of my organization’s sector so that we can support one another	Build or join communities to exchange specific data structures Share real-time analysis of an incident Propose modifications to someone else's analysis using Proposals
As a security analyst, I want to triage and prioritize alerts so as to avoid alert fatigue	Evaluate the quality and freshness of indicators using decaying models Weed out false positives using warning lists Enable warning lists to alert for critical issues Filter indicators based on specific criteria Score indicators based on user sightings, including negative sightings and expiration sightings. Classify information (add/remove tags) based on their score or visibility via sightings
As an incident responder, I want to get an up-to-date picture of the threat landscape so that I can prepare for threats in advance	Describe the impact of threat using taxonomies (e.g using the veris timeline taxonomy to indicate the duration of the incident) Classify data to gain insight into the threat landscape. Classify data so IDSes can alert on a rule Integrate ZMQ to have a dashboard showing live data and statistics. Integrate ZMQ to process information in real-time when it's updated, created, or gathered in MISP.
As an incident responder, I want to identify and respond to incidents so that I can reduce the impact and severity of an attack	Report false or true positives using the sighting mechanism, based on an incident investigation Decay indicators to guarantee the quality of the indicators
As an incident responder, I want to receive early warnings and alerts about threats/incidents so that I can retaliate before they cause any harm	Receive correlated threat intel from sharing groups and communities Monitor MISP feeds for alerts Preview new events and alerts from multiple sources Automate import/export of IoCs to/from protective or detection tools like IDSes and IPSes Dispatch notifications when certain events are created or modified using the alert feature Create filter rules based on personalised uses. Restrict alert messaged by tags, publishing organisation or other metrics
As an incident responder, I want to store information identified during an incident investigation so that I can perform lookups/queries against the historical database during future incidents	Use a MISP instance as a database of events representing incidents. Store incident response data internally in a structured manner on MISP Represent indicators using attributes. Attributes such as network indicators (e.g. IP address) or system indicators (e.g. a string in memory) Combine OSINT and your own intelligence Create events made up of indicators (attributes) and then leverage these as a threat data feed Modify events representing incidents to enable monitoring over time Add object types to describe incidents Monitor indicators for relevancy using Sightings Ensure information quality and freshness by expiring indicators depending on their personalised objectives Pull events from indicator lists to perform lookups against SIEMs Use indicators to check logs and verify if you’re affected by a threat Correlate indicators with actual incidents to get more information Integrate MISP with IR tools (e.g TheHive) to (1) analyse observables during an incident, (2) import and (3) export events from MISP to TheHive and vice-versa Perform large-scale bulk data/traffic analysis and correlation against your MISP database using SightingsDB
As an incident responder, I want to export and feed data between security tools so that I can enhance their functionalities	Export data from MISP to feed protective/detective tools and early warning systems. Export formats support IDSes / IPSes (e.g. Suricata, Bro, Snort), SIEMs (eg CEF), Host scanners (e.g. OpenIOC, STIX, CSV, yara), analysis tools (e.g. Maltego), DNS policies (e.g. RPZ) Feed MISP using automatic tools (e.g. Sandbox Analysis, low-value information needing correlation, Analyst workbench) Pull events from feeds or indicator lists to perform lookups against SIEMs Subscribe to ZMQ pub-sub to get published events for use in lookup processes Match attributes against SIEMs using the lookup expansion module Import activities from a SIEM (e.g. Splunk lookup validation or false-positive feedback), NIDS or honeypot devices Post Sightings from IDSes, IPSes, SIEMs back to MISP Use sightings to improve NIDS’ rule-sets Generate IDS and NIDS rules automatically or manually using IoCs Feed data to honeypots to generate blocklists and DNS RPZ zones Consume correlated results in SIEMs using the API Search indicators in real-time into a SIEM using MISP ZMQ Submit large sets of IoCs from MISP into SIEMs using PyMISP Import indicators into MISP from other tools (SIEMs, IDSes) and be notified when those indicators appear again
As a CSIRT, we want to exchange and discuss information related to incidents and associated risks so that we can collaboratively respond to incidents	Build communities to exchange specific data structures Discuss non-event related topics in Forums Add comments to events (which may represent an incident) Contact a reporter (e.g. another CSIRT) via email (encrypted, anonymously or not) to discuss commercially-sensitive information related to an incident
As a CSIRT, we want to interact with threat data in various ways during the threat investigation and incident response process	View events, indicators and feeds Search and filter the data set Classify, contextualize and correlate data Download the viewed data in various formats Interact with MISP data using other tools in the MISP ecosystem (e.g MISP Workbench, Viper, MISPego)
As a CSIRT, we want to coordinate with team members and other organisations so that we can avoid duplication of work	Create and manage sharing groups between sectors Join existing communities or sharing groups Create and exchange events and indicators Propose changes to existing analysis or reports Enhance an analysis with additional information using Extended Events Report sightings as false-positive or true-positive (e.g. a partner/analyst has seen a similar indicator) Contribute to threat intel feeds and analyse overlapping data
As a CSIRT, we want to share incident information and discuss risks with other team members so that we can collaboratively perform incident analysis	Create, modify, delete and exchange events and indicators Modify distribution settings to exchange individual incidents and ensure confidentiality Use taxonomies and galaxies to classify data before exchange (e.g Indicate the confidentiality of incidents using the NATO classification, indicate the risk of an incident using the threat-level taxonomy) Edit, visualize, and share reports using Event Report Incorporate reports from information sources using the Event Report module Share indicators derived during incident response Correlate and enrich data derived during incidents Coordinate with affected parties during incident response using MISP’s collaborative tools (proposals, sightings, emails)
As a fraud analyst, I want to investigate financial threats so that I can help financial institutions and consumers prevent financial fraud	Join communities and receive shared IOCs Subscribe to feeds and get IOCs in an easily accessible format Access lists and public feeds of malicious domains (e.g phishing sites) and threats Use indicators to check logs and verify if you’re affected by a threat Gather information related to a phishing site and create events Integrate MISP with Maltego to visualise the full ATT&CK framework
As a fraud analyst, I want to blend updated threat intel with anti-fraud tools so that I can prevent fraud in real-time	Feed data from MISP to fraud prevention tools Report sightings to MISP from fraud prevention tools
As a fraud analyst, I want to collaborate with analysts from other institutions so that we can gain shared situational awareness	Implement a MISP instance, and join relevant communities Publish fraud perpetrators for others to see Exchange events containing fraud information (e.g a bank account number) Use shared fraud data to feed firewalls and blocklists Warn of false positives by alerting for invalid financial indicators Give more credibility to indicators by reacting to event attributes (Sightings) Get feedback from the community on the quality of indicators (Sightings)
As a customs and border control agent, I want to facilitate the flow of legal immigration and goods while preventing the illegal trafficking of people and contraband so that I can ensure homeland security	Create or join sharing groups and communities Share information (e.g travel documents / biometric information) between border control agencies using MISP Categorize data using predefined types such PNR (passenger name records) Share information / involve experts for the identification of smuggled goods Perform anonymised lookups against exported data sets information (e.g. offline border control check)
As a law enforcement officer, I want to investigate digital crimes and threats so that I can apprehend criminals	Access information sharing communities Get indicators and actionable information from CSIRTs/CERTs networks or researchers Exchange information with other officers via sharing communities Exchange and store incident information on MISP, enabling the system to act as a forensic tool over time
As a law enforcement officer, I want to collect and verify evidence of digital crimes so that I can bootstrap my DFIR cases	Collect indicators from shared events Propose changes to existing analysis or reports Enhance existing events with additional pieces of evidence using Extended Events Exchange analysis and reports of digital forensic evidence Correlate indicators corresponding to forensic pieces of evidence Import Mactime timelines to describe forensic activities on an analysed file system Describe forensic analysis cases using objects templates Create, modify and visualise the timeline of events Share analysis and reports of digital forensic evidence Report sightings such as false-positive or true-positive (e.g. a partner/analyst has seen a similar indicator)
As a cybersecurity consultant, I want to provide structured threat intelligence to cross-sector partners with diverse requirements so that I can secure their infrastructure	Implement an instance and join relevant communities Integrate MISP with an organisation’s existing solutions using the API Exchange events containing indicators Setup distribution levels to ensure confidentiality during threat sharing Sync between untrusted and trusted networks using Feed support Notify the community about activities related to an indicator using Sightings Score indicators based on user sightings, including negative sightings and expiration sightings Propose updates to an event owner or indicate a sighting Share attacker techniques via integration with ATT&CK Set an attribute for detection tools using the IDS flag
As a cybersecurity specialist, I want to anonymously publish threat intel so that I can protect the identity of people who don’t want to be associated with the information	Pseudo-anonymously publish data using Event Delegation
As a cybersecurity specialist, I want to investigate threats so that I can remediate and prevent cyber attacks	Query an instance for events that include a given IOC Explore more details from Galaxies and related events Categorize related information within the MITRE ATT&CK framework
As a security analyst, I want to access threat data so that I can use it to support my research	Contextualise indicators (attributes) using categories, taxonomies and galaxies Reinforce an analysis using correlation features (e.g. do other analysts have the same hypothesis?) Confirm a specific aspect using correlation features (e.g. are the sinkhole IP addresses used for one campaign?) Verify if a threat is new or unknown in your community using correlation features
As a security analyst, I want to access updated threat data so that I can build protection in real time	Monitor feeds for recent indicators Monitor activity in real-time on MISP dashboard by subscribing to ZMQ feeds Process information in real-time when it's updated, created or gathered using ZMQ
As a risk analyst, I want to identify and predict risks to my organization so that I can improve the organization’s security posture and situational awareness	Use a MISP instance as a database of events representing threats Classify risks using taxonomies and galaxies Generate statistics from your MISP instance to deduce from incidents the current operational status, risk posture, and threats to the cyber environment Monitor trends and adversary TTPs using MISP-dashboard and built-in statistics
As a risk analyst, I want to present risk data to stakeholders in various formats (depending on their technical ability), so that I can justify the need for risk-mitigating strategies	Show trends within the sector/geographical region using MISP dashboard and built-in statistics Turn MISP data into explorable graphs or timelines representing their activity or events Export data from MISP in various formats Share reports along with actionable data using Events Report
As a disinformation researcher, I want to identify indicators associated with a specific operation or campaign so that I can help track and mitigate threats	Monitor MISP feeds for indicators Find relationships between indicators using correlation
As a disinformation researcher and journalist, I want to investigate information campaigns so that I can report whether there is or isn’t disinformation or misinformation	Compare external feeds information with already-available information Analyze the connections between incident objects Map data with AMITT (embedded in MISP) to understand threat actor capabilities Generate events that can be shared directly, via email or MISP Add object types (e.g for common social media platforms), relationship types (to make the graphs that users can traverse in MISP richer) and taxonomies (e.g DFRLab’s Dichotomies of Disinformation, and a NATO-led tactical variant) to describe indicators and events Generate and share information operations data in MISP JSON or STIX format for easy sharing Classify events with AM!TT techniques using the inline AM!TT Navigator Describe attack patterns using AMITT for the attack patterns Track disinformation techniques using the AMITT galaxy Integrate MISP with TheHive for case tracking Describe additional disinformation cases using object templates
As a disinformation researcher, I want to connect with other researchers and responders so that we can collaboratively verify if an article/video/image contains disinformation and verify that a source (publisher, domain, etc) doesn’t distribute disinformation	Join a disinformation community Notify the community about activities related to an indicator Score indicators based on users sighting Corroborate a finding using correlation features (e.g. is this the same campaign?)
As a disinformation researcher, I want to collaborate with other researchers and responders so that we can collectively stop disinformation campaigns	Browse and Join disinformation communities (e.g CogSec Collab MISP) Contextualise data using tags, taxonomies and galaxies Describe information campaigns indicators and events using taxonomies (e.g DFRLab Dichotomies of Disinformation) Find relationships between indicators using correlation Describe misinformation tactics/techniques using the AMI!TT framework (galaxy) Include relevant techniques found in a report or sighting in misinformation event data using AM!TT Navigator
As a data scientist, I want to automate tasks related to data collection, curation, analysis, and visualization so that I can reduce security analysts' workloads	Collect, add, update, search events/attributes/tags using PyMISP Study malware samples using PyMISP Write scripts to import (from other tools such as VirusTotal) additional attributes or IOC data (such as hashes) to build up knowledge on an event Automatically handle indicators in third-party tools using PyMISP Integrate MISP with existing infrastructure using PyMISP Automate the dissemination of threat intelligence and threat data using the API Generate exports to be ingested into other platforms Create a range of filtered subsets of the dataset for various protective measures Write scripts to disable the IDS flag based on the number of false-positive reported sightings, in order to prevent using false-positive indicators for detection or correlation actions Generate data statistics and send reports via email, attached as CSV files using the API Feed processed data into IDSes and 3rd party visualization using PyMISP Build custom widgets to visualise/track data via the Dashboard Extend MISP with Python scripts using MISP modules Auto-discover new modules with their features using the API
As a data scientist, I want to collect and analyze data from various sources so that I can prioritize and predict risk	Aggregate indicators and sightings of all attributes/objects, useful for detecting particular security events or threats Use PyMISP for Scripted processing of events and attributes Collect data from open data portals using the API Publish open data and create data sets Investigate file hashes, malicious website URLs, IP Addresses and domain names using shared indicators Aggregate data sets for security research and threat analysis Analyse and select threat feeds for incorporation into other tools to hunt known indicators Indicate if an attribute should be used for detection or correlation actions using the IDS flag Download data in various formats for ingestion in other tools, and for training ML models