pull/5/head
Andras Iklody 2018-04-20 14:46:14 +02:00 committed by GitHub
parent 06397b3ffd
commit c65361ed5d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 8 additions and 8 deletions

@ -29,20 +29,20 @@ Users viewing the original report, will now see a new field called "Extended by"
![A MISP event extended by another event](/assets/images/misp/blog/extended.png){:class="img-responsive"}
Clicking on the atomic view / extended view toggle button will allow you to jump from the classical event view to the extended event view rapidly. The extended view will add all of the relations, tags, galaxy clusters, attributes and objects of the extender events. The attribute list in extended view also shows the event it originates from along with the creator organisation. Keep in mind that duplicates across several events are not culled.
Clicking on the atomic view / extended view toggle button will allow you to jump from the classical event view to the extended event view. The extended view will add all of the relations, tags, galaxy clusters, attributes and objects of the extender events. The attribute list in extended view also shows the event it originates from along with the creator organisation. Keep in mind that duplicates across several events are not culled.
Extending an event is easy and a nifty lookup interface helps you to select the appropriate event to extend:
![Extending a event when creating a new MISP event](/assets/images/misp/blog/extendadd.png){:class="img-responsive"}
In the above case, OSINT information contained within an event is extended with additional threat hunting information which are limited to your organisation. The major advantage of such approach is allowing any organisation to expand information without touching the original event.
In the above case, OSINT information contained within an event is extended with additional threat hunting information which are limited to your organisation. The major advantage of such an approach is allowing any organisation to expand information without touching the original event.
In MISP, we strongly believe that we should create open source tool that give freedom to organisations and people to use the information sharing tools for any use-cases. With the extend event feature, many new analysis practices can be covered:
At MISP project, we strongly believe that our primary objective should be to create open source tools that serve as a liberating organisations from locked eco-systems and to instead spend their energy and effort on what really matters: information sharing and their own use-cases. With the extend event feature, many new analyst practices can be covered, such as for example:
- Counter analysis of reports and distributing the counter analysis to your trusted partners.
- Extending external information from threat-hunting such as [TheHive](https://thehive-project.org/) and storing it back in your knowledge-database in MISP.
- Sharing qualification information to your ISAC members along with the original information. The model allows competitive analysis from different ISACs to be shared from the original report.
- Embargo information can be safely contained in an external event (e.g. to limit risk of analysts editing incorrect information).
- Counter analysis of reports and distribution thereof to your trusted partners.
- Extending external information from threat-hunting activities such as those derived from [TheHive](https://thehive-project.org/) and incorporating it back into your knowledgebase within MISP.
- Sharing the qualification of information to your ISAC members along with the original information. The model allows competitive analysis from different ISACs to be shared along with the original report. We all have different viewpoints and sharing those unhindered is a natural evolution of collaborative information sharing.
- Embargoed information can be safely contained in an extension event (e.g. to limit risk of analysts editing incorrect information). This also serves as a potential safeguard for higher classified information that is not to be shared with the broader community.
The design of the feature was minimal and light to ensure a smooth integration with existing sharing communities. The extended event feature allows to build new sharing and analysis practices to be used in MISP. We welcome welcome your feedback and are interested in all new use-cases using this feature.
The design concept of the feature was to be as minimalistic and lightweight as possible to ensure a smooth integration with existing sharing communities. The extended event feature allows us to build new sharing and analysis practices to be used in MISP. We welcome welcome your feedback and look forward to any new use-cases that emerge using this feature.
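Review bot: The rewritten closing paragraph still carries the doubled word "welcome welcome" from the line it replaces; since this is a copy-edit pass, one of the two should be dropped. In the rewritten "At MISP project, we strongly believe" paragraph, the clause "tools that serve as a liberating organisations from locked eco-systems and to instead spend their energy and effort" does not parse. Something like "tools that liberate organisations from locked eco-systems so that they can instead spend their energy and effort" would read correctly, and "such as for example" can be shortened to "for example". The unchanged image alt text "Extending a event" could be corrected to "an event" while this file is being touched.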