MISP
/
misp-website
mirror of https://github.com/MISP/misp-website
2
0
Fork 0
Code Issues Releases Wiki Activity

Some additional information

pull/5/head
Alexandre Dulaunoy 2018-04-20 14:34:12 +02:00
parent 71a3fff2d9
commit 957d3f247c
No known key found for this signature in database
GPG Key ID: 09E2CD4944E6CBCD
1 changed files with 14 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
_posts/2018-04-19-Extended-Events-Feature.md
View File

@ -31,4 +31,18 @@ Users viewing the original report, will now see a new field called "Extended by"
Clicking on the atomic view / extended view toggle button will allow you to jump from the classical event view to the extended event view rapidly. The extended view will add all of the relations, tags, galaxy clusters, attributes and objects of the extender events. The attribute list in extended view also shows the event it originates from along with the creator organisation. Keep in mind that duplicates across several events are not culled.
Extending an event is easy and a nifty lookup interface helps you to select the appropriate event to extend:
![A MISP event extended by another event](/assets/images/misp/blog/extendadd.png){:class="img-responsive"}
In the above case, OSINT information contained within an event is extended with additional threat hunting information which are limited to your organisation. The major advantage of such approach is allowing any organisation to expand information without touching the original event.
In MISP, we strongly believe that we should create open source tool that give freedom to organisations and people to use the information sharing tools for any use-cases. With the extend event feature, many new analysis practices can be covered:
- Counter analysis of reports and distributing the counter analysis to your trusted partners.
- Extending external information from threat-hunting such as [TheHive](https://thehive-project.org/) and storing it back in your knowledge-database in MISP.
- Sharing qualification information to your ISAC members along with the original information. The model allows competitive analysis from different ISACs to be shared from the original report.
- Embargo information can be safely contained in an external event (e.g. to limit risk of analysts editing incorrect information).
The design of the feature was minimal and light to ensure a smooth integration with existing sharing communities. The extended event feature allows to build new sharing and analysis practices to be used in MISP. We welcome welcome your feedback and are interested in all new use-cases using this feature.