misp-book/delegation/README.md

3.5 KiB

Delegation

In information sharing, privacy of the reporting organisation can be important in case such as an incident doesn't to be linked to a potential victim or to avoid relate an organisation to information shared. MISP has a functionality to delegate the publication and completely remove the binding between the information sharing and the organisation. If you want to publish an event without you or your organisation being tied to it, you can delegate the publication to an other organisation. That also means they will take the ownership of the event.

[warning] You need to have a role with "Delegation access" to delegate an event.

Send a delegation request

To do so, you first need to put the distribution of the event as "your organisation only".
Delegation possible
Otherwise the delagating option will not be available.
Delegation impossible

When the "Delegate Publishing" option is clicked, a popup will show up:
Delegation Popup
Here you can choose

  • to which organisation you wish to delegate the event among all those registered on the server. For this example we are going to ask Setec Astronomy to publish the event for us.
  • The distribution option you would like to put on the event. You can let the other organisation (called "recipient") choose if you don't mind it. For this example, we will request the recipient to share it to all communities, but it is only a suggestion, and the recipient will be able to modify the diffusion setting if wanted.
    Desired Distribution
  • Finally you can leave a free message to the recipient organisation.
    Distribution ready

Once the request is sent, a message will appear on the event to remind you of your request.
Reminder
You can also see more details by clicking on "View request details"
Request Details
And you can also discard the request your self, by using this popup or the link in the left menu.

Answer a delegation request

As the recipient organisation, you will then recieve the request of delegation. You will be notified by a red circl around the envelope on the top right of the screen.
Notification
When you click it, you will be redirected as usual on the dashboard, where we can see one delegation request on the left frame.
Dashboard
Clicking on the "view" link then redirect to an event list view showing all the events other organisations wish to delagate to your organisation. Here we only see one event, from Acme Factory.
Delegated list
And here are the metadata of the so called event.
Delegated event
You will be able to view the details by clicking the so called link.
Delegated event
If your role have publishing rights, you will be able to manage the delegation request by using one of the two links in the left menu.
You can either discard it:
Discard request
Or accept the delegation:
Accept request
Please notice that the diffusion desired by the requester will not automatically be set on the event, which will stay as diffused to your own organisation only if the parameter is not modified.