From 957d3f247c98b2262cf626c7cc48bd6588593a00 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 20 Apr 2018 14:34:12 +0200 Subject: [PATCH] Some additional information --- _posts/2018-04-19-Extended-Events-Feature.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/_posts/2018-04-19-Extended-Events-Feature.md b/_posts/2018-04-19-Extended-Events-Feature.md index 128fd2c..f2f73de 100755 --- a/_posts/2018-04-19-Extended-Events-Feature.md +++ b/_posts/2018-04-19-Extended-Events-Feature.md @@ -31,4 +31,18 @@ Users viewing the original report, will now see a new field called "Extended by" Clicking on the atomic view / extended view toggle button will allow you to jump from the classical event view to the extended event view rapidly. The extended view will add all of the relations, tags, galaxy clusters, attributes and objects of the extender events. The attribute list in extended view also shows the event it originates from along with the creator organisation. Keep in mind that duplicates across several events are not culled. +Extending an event is easy and a nifty lookup interface helps you to select the appropriate event to extend: + +![A MISP event extended by another event](/assets/images/misp/blog/extendadd.png){:class="img-responsive"} + +In the above case, OSINT information contained within an event is extended with additional threat hunting information which are limited to your organisation. The major advantage of such approach is allowing any organisation to expand information without touching the original event. + +In MISP, we strongly believe that we should create open source tool that give freedom to organisations and people to use the information sharing tools for any use-cases. With the extend event feature, many new analysis practices can be covered: + +- Counter analysis of reports and distributing the counter analysis to your trusted partners. +- Extending external information from threat-hunting such as [TheHive](https://thehive-project.org/) and storing it back in your knowledge-database in MISP. +- Sharing qualification information to your ISAC members along with the original information. The model allows competitive analysis from different ISACs to be shared from the original report. +- Embargo information can be safely contained in an external event (e.g. to limit risk of analysts editing incorrect information). + +The design of the feature was minimal and light to ensure a smooth integration with existing sharing communities. The extended event feature allows to build new sharing and analysis practices to be used in MISP. We welcome welcome your feedback and are interested in all new use-cases using this feature.