MISP User Training - General usage of MISPMISP - Threat Sharing

Threat Sharing

Team MISP Project

http://www.misp-project.org/Twitter: @MISPProject

GSMA Edition

MISP - VM

CredentialsI MISP admin: admin@admin.test/adminI SSH: misp/Password1234

Available at the following location (VirtualBox and VMWare):I https://www.circl.lu/misp-images/latest/

1 22

MISP - VM

It is a bit broken.I sudo -sI cd /var/www/MISP/I sudo pear installINSTALL/dependencies/Console_CommandLine/package.xml

I sudo pear installINSTALL/dependencies/Crypt_GPG/package.xml

I cd /usr/local/src/misp-modulesI pip3 install -r REQUIREMENTSI pip3 install .I reboot

2 22

MISP - General Usage

Plan for this part of the trainingData modelViewing dataCreating dataCo-operationDistributionExports

3 22

MISP - Event (MISP’s basic building block)

4 22

MISP - Event (Attributes, giving meaning toevents)

5 22

MISP - Event (Correlations on similarattributes)

6 22

MISP - Event (Proposals)

7 22

MISP - Event (Tags)

8 22

MISP - Event (Discussions)

9 22

MISP - Event (Taxonomies and proposalcorrelations)

10 22

MISP - Event (The state of the art MISPdatamodel)

11 22

MISP - Viewing the Event Index

Event IndexI Event contextI TagsI DistributionI Correlations

Filters

12 22

MISP - Viewing an Event

Event ViewI Event contextI Attributes

Category/type, IDS, CorrelationsI ObjectsI GalaxiesI ProposalsI Discussions

Tools to �nd what you are looking forCorrelation graphs

13 22

MISP - Creating and populating events in variousways (demo)

The main tools to populate an eventI Adding attributes / batch addI Adding objects and how the object templates workI Freetext importI ImportI TemplatesI Adding attachments / screenshotsI API

14 22

MISP - Various features while adding data

What happens automatically when adding data?I Automatic correlationI Input modi�cation via validation and �lters (regex)I Tagging / Galaxy Clusters

Various ways to publish dataI Publish with/without e-mailI Publishing via the APII Delegation

15 22

MISP - Using the data

Correlation graphsDownloading the data in various formatsCached exportsAPI (explained later)Collaborating with users (proposals, discussions, emails)

16 22

MISP - Sync explained (if no admin training)

Sync connectionsPull/push modelPreviewing instancesFiltering the syncConnection test toolCherry pick mode

17 22

MISP - Feeds explained (if no admin training)

Feed types (MISP, Freetext, CSV)Adding/editing feedsPreviewing feedsLocal vs Network feeds

18 22

MISP - Distributions explained

Your Organisation OnlyThis Community OnlyConnected CommunitiesAll CommunitiesSharing Group

19 22

MISP - Distribution and Topology

20 22

MISP - Exports and API

Download an eventQuick glance at the APIsDownload search resultsCached exports

21 22

MISP - Shorthand admin (if no admin training)

SettingsTroubleshootingWorkersLogs

22 / 22