fix: action-taken and classification added in the flowchart

Alexandre Dulaunoy 2017-12-04 17:17:08 +01:00
parent 120a92ca8a
commit b5ebcc63a1
Signed by: adulau
GPG key ID: 09E2CD4944E6CBCD
6 changed files with 41975 additions and 18396 deletions


@ -1,2 +1,12 @@
# misp-osint-collection # misp-osint-collection
Collection of best practices to add OSINT into MISP and/or MISP communities Collection of best practices to add OSINT into MISP and/or MISP communities
![](docs/Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform.png)
The document is available in XMind format and the [source is available](docs/Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform.xmind).
# How to contribute?
Fork the project, download the XMind format document, edit the document with XMind, commit and do a pull-request.
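
Review bot: the image added with `![](docs/Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform.png)` has empty alt text, so the README conveys nothing where the PNG does not render; give it a short description such as the flowchart title. The new `# How to contribute?` is also a second top-level heading after `# misp-osint-collection`; `## How to contribute?` would keep a single H1 for the page.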


@ -11,41 +11,41 @@
<a name="20uk789ukeagkl9e3m2i391u8b">Collecting and analysing OSINT into MISP threat intelligence platform.</a> <a name="20uk789ukeagkl9e3m2i391u8b">Collecting and analysing OSINT into MISP threat intelligence platform.</a>
</h1> </h1>
<div align="center" class="globalOverview"> <div align="center" class="globalOverview">
<img src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/Collecting and analysing OSINT into MISP threat intelligence platform..jpg"></div> <img src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/Collecting and analysing OSINT into MISP threat intelligence platform. 2.jpg"></div>
<p align="center" class="topicImage"> <p align="center" class="topicImage">
<img height="139" src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/26esv1mp7d84gjtd2b95t0p2cm.png" width="139"></p> <img height="139" src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/26esv1mp7d84gjtd2b95t0p2cm 2.png" width="139"></p>
<h2 class="topic"> <h2 class="topic">
<a name="18qn49v1dn59nsrl74hu1lblq1">Cross-checking if the OSINT is already known</a> <a name="18qn49v1dn59nsrl74hu1lblq1">Cross-checking if the OSINT is already known</a>
</h2> </h2>
<div class="overview"> <div class="overview">
<img src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/Cross-checking if the OSINT is already known.jpg"></div> <img src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/Cross-checking if the OSINT is already known 2.jpg"></div>
<h3 class="topic"> <h3 class="topic">
<a name="2lotcssbdimc6ir0h2cpesgm0k">&nbsp;Search in public indexer if already reported in other blog posts, reports or any public sources.</a> <a name="2lotcssbdimc6ir0h2cpesgm0k">&nbsp;Search in public indexer if already reported in other blog posts, reports or any public sources.</a>
</h3> </h3>
<p class="labelsAndMarkers"> <p class="labelsAndMarkers">
<img class="marker" src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/priority_1.png"></p> <img class="marker" src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/priority_1 2.png"></p>
<h2 class="topic"> <h2 class="topic">
<a name="6bv9guc84jss5apved4fgorn9q">Cross-checking if the OSINT already exists in one or more MISP communities (public or private)</a> <a name="6bv9guc84jss5apved4fgorn9q">Cross-checking if the OSINT already exists in one or more MISP communities (public or private)</a>
</h2> </h2>
<div class="overview"> <div class="overview">
<img src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/Cross-checking if the OSINT already exists in one or more MISP communities (public or private).jpg"></div> <img src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/Cross-checking if the OSINT already exists in one or more MISP communities (public or private) 2.jpg"></div>
<h3 class="topic"> <h3 class="topic">
<a name="56r4g2b4dgn8nco6vm7e7g8fg8">&nbsp;If not create a new MISP event</a> <a name="56r4g2b4dgn8nco6vm7e7g8fg8">&nbsp;If not create a new MISP event</a>
</h3> </h3>
<p class="labelsAndMarkers"> <p class="labelsAndMarkers">
<img class="marker" src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/priority_1.png"></p> <img class="marker" src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/priority_1 2.png"></p>
<p class="relationships">See Also: <a href="#2f33hrh2mj7cn1ksscus3ac49i">Create one or more MISP events</a> <p class="relationships">See Also: <a href="#2f33hrh2mj7cn1ksscus3ac49i">Create one or more MISP events</a>
</p> </p>
<h3 class="topic"> <h3 class="topic">
<a name="7oa8hc3elmtfrgiohu3ir7gv4g">&nbsp;If some events already exist and require an update, then make a MISP proposal.</a> <a name="7oa8hc3elmtfrgiohu3ir7gv4g">&nbsp;If some events already exist and require an update, then make a MISP proposal.</a>
</h3> </h3>
<p class="labelsAndMarkers"> <p class="labelsAndMarkers">
<img class="marker" src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/priority_2.png"></p> <img class="marker" src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/priority_2 2.png"></p>
<h2 class="topic"> <h2 class="topic">
<a name="2f33hrh2mj7cn1ksscus3ac49i">Create one or more MISP events</a> <a name="2f33hrh2mj7cn1ksscus3ac49i">Create one or more MISP events</a>
</h2> </h2>
<div class="overview"> <div class="overview">
<img src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/Create one or more MISP events.jpg"></div> <img src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/Create one or more MISP events 2.jpg"></div>
<div class="notesContainer"> <div class="notesContainer">
<p>A MISP event is usually a semantic bundle of information depending from a specific report, event, notes, blog posts or information.</p> <p>A MISP event is usually a semantic bundle of information depending from a specific report, event, notes, blog posts or information.</p>
<p></p> <p></p>
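
Review bot: every changed `src` in this hunk differs from the old one only by a ` 2` inserted before the extension (`priority_1.png` becomes `priority_1 2.png`, `26esv1mp7d84gjtd2b95t0p2cm.png` becomes `26esv1mp7d84gjtd2b95t0p2cm 2.png`), which looks like an artifact of exporting into a directory that already held the previous export rather than an intended rename. The same rewrite repeats in the following hunks and is unrelated to the commit message (action-taken and classification added). Re-exporting into a clean directory so the file names stay stable would reduce this diff to the content change and avoid shipping two copies of each image.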
@ -63,7 +63,7 @@
<a name="2q4s6b1e6901850ojb3f43dfje">&nbsp;Set a meaningful event info</a> <a name="2q4s6b1e6901850ojb3f43dfje">&nbsp;Set a meaningful event info</a>
</h3> </h3>
<p class="labelsAndMarkers"> <p class="labelsAndMarkers">
<img class="marker" src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/priority_1.png"></p> <img class="marker" src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/priority_1 2.png"></p>
<div class="notesContainer"> <div class="notesContainer">
<p>The Event Info field in MISP is also a summary and a title of the event. It's important to set a meaning and concise summary.</p> <p>The Event Info field in MISP is also a summary and a title of the event. It's important to set a meaning and concise summary.</p>
<p></p> <p></p>
@ -89,7 +89,7 @@
<a name="6077f7ch5k48er1kv495mck88f">&nbsp;Set a date in accordance with the event</a> <a name="6077f7ch5k48er1kv495mck88f">&nbsp;Set a date in accordance with the event</a>
</h3> </h3>
<p class="labelsAndMarkers"> <p class="labelsAndMarkers">
<img class="marker" src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/priority_1.png"></p> <img class="marker" src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/priority_1 2.png"></p>
<div class="notesContainer"> <div class="notesContainer">
<p>A MISP event contains a date which is usually the date related to when the activity happens or detected. It's often easier and clearer to set the publishing date of the OSINT information even if the event happened in the past. </p> <p>A MISP event contains a date which is usually the date related to when the activity happens or detected. It's often easier and clearer to set the publishing date of the OSINT information even if the event happened in the past. </p>
<p></p> <p></p>
@ -101,9 +101,9 @@
<a name="7m3bn1rtme01cogkjkrs0fqe69">&nbsp;Tag and classify information at event level (default tagging for the whole event)</a> <a name="7m3bn1rtme01cogkjkrs0fqe69">&nbsp;Tag and classify information at event level (default tagging for the whole event)</a>
</h3> </h3>
<p class="labelsAndMarkers"> <p class="labelsAndMarkers">
<img class="marker" src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/priority_1.png"></p> <img class="marker" src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/priority_1 2.png"></p>
<p class="topicImage"> <p class="topicImage">
<img height="153" src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/5a4lvhfjva27c128rqm3g0liab.png" width="400"></p> <img height="153" src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/5a4lvhfjva27c128rqm3g0liab 2.png" width="400"></p>
<div class="notesContainer"> <div class="notesContainer">
<p>Tagging is important because it helps analyst at a later state to group or search per specific classification or categories.</p> <p>Tagging is important because it helps analyst at a later state to group or search per specific classification or categories.</p>
<p></p> <p></p>
@ -115,14 +115,14 @@
<a name="0pfohr2csagm0jac0p5f65nj7c">&nbsp;Add attributes related to the OSINT source</a> <a name="0pfohr2csagm0jac0p5f65nj7c">&nbsp;Add attributes related to the OSINT source</a>
</h3> </h3>
<p class="labelsAndMarkers"> <p class="labelsAndMarkers">
<img class="marker" src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/priority_1.png"></p> <img class="marker" src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/priority_1 2.png"></p>
<div class="overview"> <div class="overview">
<img src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/Add attributes related to the OSINT source.jpg"></div> <img src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/Add attributes related to the OSINT source 2.jpg"></div>
<h3 class="topic"> <h3 class="topic">
<a name="3rro9n9pdeuu0h71c4neesua68">&nbsp;&nbsp;Add "External analysis"/link to the original source </a> <a name="3rro9n9pdeuu0h71c4neesua68">&nbsp;&nbsp;Add "External analysis"/link to the original source </a>
</h3> </h3>
<p class="topicImage"> <p class="topicImage">
<img height="322" src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/6pkedn123t88n9n8cqbuclpk46.png" width="400"></p> <img height="322" src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/6pkedn123t88n9n8cqbuclpk46 2.png" width="400"></p>
<div class="notesContainer"> <div class="notesContainer">
<p>Adding reference to the original source is a critical step to ensure proper credits, further analysis or set a confidence/credibility level of the OSINT source.</p> <p>Adding reference to the original source is a critical step to ensure proper credits, further analysis or set a confidence/credibility level of the OSINT source.</p>
<p></p> <p></p>
@ -143,129 +143,204 @@
<a name="6ldnh030g2j2rrfj04i8g7ke77">&nbsp;&nbsp;Classify and tags the OSINT source (with at least the osint namespace)</a> <a name="6ldnh030g2j2rrfj04i8g7ke77">&nbsp;&nbsp;Classify and tags the OSINT source (with at least the osint namespace)</a>
</h3> </h3>
<div class="overview"> <div class="overview">
<img src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/Classify and tags the OSINT source (with at least the osint namespace).jpg"></div> <img src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/Classify and tags the OSINT source (with at least the osint namespace) 2.jpg"></div>
<p class="topicImage"> <p class="topicImage">
<img height="208" src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/1tjbk0vcv683uh8889lqol26qk.png" width="400"></p> <img height="208" src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/1tjbk0vcv683uh8889lqol26qk 2.png" width="400"></p>
<h3 class="topic"> <h3 class="topic">
<a name="2e3vq7pmn1m13bgf60h16imei7">&nbsp;&nbsp;&nbsp;If there is a missing value in an existing taxonomy or a new one have to be created. </a> <a name="2e3vq7pmn1m13bgf60h16imei7">&nbsp;&nbsp;&nbsp;If there is a missing value in an existing taxonomy or a new one have to be created. </a>
</h3> </h3>
<p class="labelsAndMarkers"> <p class="labelsAndMarkers">
<img class="marker" src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/priority_2.png"></p> <img class="marker" src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/priority_2 2.png"></p>
<p class="relationships">See Also: <a href="#3oqs7n1ncqmed6be2rck3k90qj">Update an existing MISP taxonomy</a> <p class="relationships">See Also: <a href="#3oqs7n1ncqmed6be2rck3k90qj">Update an existing MISP taxonomy</a>
</p> </p>
<h3 class="topic"> <h3 class="topic">
<a name="11cp43ubsqh4t5hhfpqrc9ncph">&nbsp;Add one or more galaxy/cluster to the event</a> <a name="11cp43ubsqh4t5hhfpqrc9ncph">&nbsp;Add one or more galaxy/cluster to the event</a>
</h3> </h3>
<p class="labelsAndMarkers"> <p class="labelsAndMarkers">
<img class="marker" src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/priority_2.png"></p> <img class="marker" src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/priority_2 2.png"></p>
<div class="overview"> <div class="overview">
<img src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/Add one or more galaxy cluster to the event.jpg"></div> <img src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/Add one or more galaxy cluster to the event 2.jpg"></div>
<p class="topicImage"> <p class="topicImage">
<img height="400" src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/2aommk8t62okah23ifkfo3ivs7.png" width="356"></p> <img height="400" src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/2aommk8t62okah23ifkfo3ivs7 2.png" width="356"></p>
<h3 class="topic"> <h3 class="topic">
<a name="32bt7q3qe91mkophrv2ll8b32i">&nbsp;&nbsp;If there is no related galaxy/cluster/value, add a new one.</a> <a name="32bt7q3qe91mkophrv2ll8b32i">&nbsp;&nbsp;If there is no related galaxy/cluster/value, add a new one.</a>
</h3> </h3>
<p class="labelsAndMarkers"> <p class="labelsAndMarkers">
<img class="marker" src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/priority_2.png"></p> <img class="marker" src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/priority_2 2.png"></p>
<p class="relationships">See Also: <a href="#40lq7ghhlibm3e5jabfkg2aftm">Update an existing MISP galaxy cluster</a> <p class="relationships">See Also: <a href="#40lq7ghhlibm3e5jabfkg2aftm">Update an existing MISP galaxy cluster</a>
</p> </p>
<h3 class="topic"> <h3 class="topic">
<a name="0kurr339st0hjl3f372glnj7l7">&nbsp;Add attributes related to the indicators mentioned in the OSINT document</a> <a name="0kurr339st0hjl3f372glnj7l7">&nbsp;Add attributes related to the indicators mentioned in the OSINT document</a>
</h3> </h3>
<p class="labelsAndMarkers"> <p class="labelsAndMarkers">
<img class="marker" src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/priority_1.png"></p> <img class="marker" src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/priority_1 2.png"></p>
<div class="overview"> <div class="overview">
<img src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/Add attributes related to the indicators mentioned in the OSINT document.jpg"></div> <img src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/Add attributes related to the indicators mentioned in the OSINT document 2.jpg"></div>
<h3 class="topic"> <h3 class="topic">
<a name="5utopcfbbl1f549r5intleg36o">&nbsp;&nbsp;If there is any files mentioned in the OSINT information, add corresponding file object(s).</a> <a name="5utopcfbbl1f549r5intleg36o">&nbsp;&nbsp;If there is any files mentioned in the OSINT information, add corresponding file object(s).</a>
</h3> </h3>
<p class="labelsAndMarkers"> <p class="labelsAndMarkers">
<img class="marker" src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/priority_1.png"></p> <img class="marker" src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/priority_1 2.png"></p>
<p class="topicImage"> <p class="topicImage">
<img height="126" src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/2bosl9uhkkg8unudkbbude61ah.png" width="400"></p> <img height="126" src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/2bosl9uhkkg8unudkbbude61ah 2.png" width="400"></p>
<h3 class="topic">
<a name="1rh5q85trp7jtpl4uhvo71cfjn">&nbsp;&nbsp;If there is any missing objects or attributes type in MISP to describe this OSINT, propose a new one.</a>
</h3>
<h3 class="topic"> <h3 class="topic">
<a name="0re5puuscd0nqlhtp41sbbe6q0">&nbsp;Add attributes related to the target groups mentioned in the OSINT document</a> <a name="0re5puuscd0nqlhtp41sbbe6q0">&nbsp;Add attributes related to the target groups mentioned in the OSINT document</a>
</h3> </h3>
<p class="labelsAndMarkers"> <p class="labelsAndMarkers">
<img class="marker" src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/priority_1.png"></p> <img class="marker" src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/priority_1 2.png"></p>
<div class="overview"> <div class="overview">
<img src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/Add attributes related to the target groups mentioned in the OSINT document.jpg"></div> <img src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/Add attributes related to the target groups mentioned in the OSINT document 2.jpg"></div>
<h3 class="topic"> <h3 class="topic">
<a name="66nnj1qajolck937t6d9g045ml">&nbsp;&nbsp;If there is any target groups, pick the right attribute types in the "Targeting data" category.</a> <a name="66nnj1qajolck937t6d9g045ml">&nbsp;&nbsp;If there is any target groups, pick the right attribute types in the "Targeting data" category.</a>
</h3> </h3>
<p class="labelsAndMarkers"> <p class="labelsAndMarkers">
<img class="marker" src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/priority_1.png"></p> <img class="marker" src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/priority_1 2.png"></p>
<p class="topicImage"> <p class="topicImage">
<img height="299" src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/5h5g9i2rh777tdiburu32iv7th.png" width="400"></p> <img height="299" src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/5h5g9i2rh777tdiburu32iv7th 2.png" width="400"></p>
<h3 class="topic"> <h3 class="topic">
<a name="2v1t90q36bvff159ot7rcbn8k9">&nbsp;Add and attach evidences</a> <a name="2v1t90q36bvff159ot7rcbn8k9">&nbsp;Add and attach evidences</a>
</h3> </h3>
<p class="labelsAndMarkers"> <p class="labelsAndMarkers">
<img class="marker" src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/priority_1.png"></p> <img class="marker" src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/priority_1 2.png"></p>
<div class="overview"> <div class="overview">
<img src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/Add and attach evidences.jpg"></div> <img src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/Add and attach evidences 2.jpg"></div>
<h3 class="topic"> <h3 class="topic">
<a name="05ro8ahnubevtjcld3erbkkugc">&nbsp;&nbsp;Evidence like screenshot or static report</a> <a name="05ro8ahnubevtjcld3erbkkugc">&nbsp;&nbsp;Evidence like screenshot or static report</a>
</h3> </h3>
<p class="labelsAndMarkers"> <p class="labelsAndMarkers">
<img class="marker" src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/priority_1.png"></p> <img class="marker" src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/priority_1 2.png"></p>
<p class="topicImage"> <p class="topicImage">
<img height="267" src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/07dkpqsoc6frqllp8hrm8bag7h.png" width="400"></p> <img height="267" src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/07dkpqsoc6frqllp8hrm8bag7h 2.png" width="400"></p>
<h3 class="topic"> <h3 class="topic">
<a name="79mp5uq5jdhl1spujbnb8899it">&nbsp;&nbsp;Evidence like malicious sample files or malware</a> <a name="79mp5uq5jdhl1spujbnb8899it">&nbsp;&nbsp;Evidence like malicious sample files or malware</a>
</h3> </h3>
<p class="labelsAndMarkers"> <p class="labelsAndMarkers">
<img class="marker" src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/priority_1.png"></p> <img class="marker" src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/priority_1 2.png"></p>
<div class="notesContainer"> <div class="notesContainer">
<p>Add attachment in MISP allows to include malicious or non-malicious file to the platform. The difference is a matter of flag "IDS (encrypt and hash" where the evidence will be encrypted with a default password "infected" to avoid any human-error to execute malicious binaries.</p> <p>Add attachment in MISP allows to include malicious or non-malicious file to the platform. The difference is a matter of flag "IDS (encrypt and hash" where the evidence will be encrypted with a default password "infected" to avoid any human-error to execute malicious binaries.</p>
</div> </div>
<h2 class="topic"> <h2 class="topic">
<a name="2a7ju3ea4cg73soahc6302uk7s">Review classification and tagging on the created events</a>
</h2>
<div class="overview">
<img src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/Review classification and tagging on the created events.jpg"></div>
<h3 class="topic">
<a name="33dpdjeej2e1uiun3td5oh2qmf">&nbsp;Confidence level of the OSINT information</a>
</h3>
<div class="overview">
<img src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/Confidence level of the OSINT information.jpg"></div>
<h3 class="topic">
<a href="https://www.misp-project.org/taxonomies.html#_osint" name="0rp3qmqh4gmouhemffktra5b7u">&nbsp;&nbsp;Taxonomy - osint:certainty</a>
</h3>
<h3 class="topic">
<a href="https://www.misp-project.org/taxonomies.html#_admiralty_scale" name="78plro6urnun93h458odmd0gj2">&nbsp;&nbsp;Taxonomy admiralty-scale</a>
</h3>
<div class="overview">
<img src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/Taxonomy admiralty-scale.jpg"></div>
<h3 class="topic">
<a name="510rhb21ndqf8kgnpell3n6kpn">&nbsp;&nbsp;&nbsp;Review source-reliability</a>
</h3>
<h3 class="topic">
<a name="63ce35fc0e66ind2kge195j4h9">&nbsp;&nbsp;&nbsp;Review information-credibility</a>
</h3>
<h3 class="topic">
<a name="5sbk8cqf19jicqfk6kad4escet">&nbsp;Request for competitive analysis or additional information (e.g. sample, context)</a>
</h3>
<div class="overview">
<img src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/Request for competitive analysis or additional information (e.g. sample, context).jpg"></div>
<h3 class="topic">
<a href="https://www.misp-project.org/taxonomies.html#_collaborative_intelligence" name="38lruop3n5tlenl8oq6mkrf6pt">&nbsp;&nbsp;Taxonomy - collaborative-intelligence</a>
</h3>
<h2 class="topic">
<a name="263ime1ome71421p9f1qec5ojm">Action taken from the OSINT entered in MISP</a>
</h2>
<div class="overview">
<img src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/Action taken from the OSINT entered in MISP.jpg"></div>
<div class="notesContainer">
<p>When dealing with OSINT information, you might have taken additional actions beside entering a MISP event. An example can be the notification of an ISP if a system is compromised or the notification of a registrar because a domain is abused. This kind of information should be also added in MISP to support other analysts.</p>
<p></p>
</div>
<h3 class="topic">
<a name="6e7j5sjib3jscc73j6c086ilhq">&nbsp;Notified or informed a third-party</a>
</h3>
<div class="overview">
<img src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/Notified or informed a third-party.jpg"></div>
<h3 class="topic">
<a href="https://www.misp-project.org/taxonomies.html#_action_taken" name="0pnepfqle5qv075a4cvfsvi5dt">&nbsp;&nbsp;Add tagging and classification regarding the OSINT where actions were taken</a>
</h3>
<h2 class="topic">
<a href="https://www.misp-project.org/galaxy.html" name="40lq7ghhlibm3e5jabfkg2aftm">Update an existing MISP galaxy cluster</a> <a href="https://www.misp-project.org/galaxy.html" name="40lq7ghhlibm3e5jabfkg2aftm">Update an existing MISP galaxy cluster</a>
</h2> </h2>
<div class="overview"> <div class="overview">
<img src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/Update an existing MISP galaxy cluster.jpg"></div> <img src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/Update an existing MISP galaxy cluster 2.jpg"></div>
<p class="relationships">See Also: <a href="#32bt7q3qe91mkophrv2ll8b32i">If there is no related galaxy/cluster/value, add a new one.</a> <p class="relationships">See Also: <a href="#32bt7q3qe91mkophrv2ll8b32i">If there is no related galaxy/cluster/value, add a new one.</a>
</p> </p>
<h3 class="topic"> <h3 class="topic">
<a href="https://github.com/MISP/misp-galaxy" name="4ldddje35o0c16v7v45a7gr41n">&nbsp;Adding a new value to an existing cluster (or fix an existing one)</a> <a href="https://github.com/MISP/misp-galaxy" name="4ldddje35o0c16v7v45a7gr41n">&nbsp;Adding a new value to an existing cluster (or fix an existing one)</a>
</h3> </h3>
<p class="labelsAndMarkers"> <p class="labelsAndMarkers">
<img class="marker" src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/priority_2.png"></p> <img class="marker" src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/priority_2 2.png"></p>
<div class="overview"> <div class="overview">
<img src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/Adding a new value to an existing cluster (or fix an existing one).jpg"></div> <img src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/Adding a new value to an existing cluster (or fix an existing one) 2.jpg"></div>
<h3 class="topic"> <h3 class="topic">
<a href="https://github.com/MISP/misp-galaxy/issues" name="2ln09evt2fkn64t3joab3u301v">&nbsp;&nbsp;Open an issue</a> <a href="https://github.com/MISP/misp-galaxy/issues" name="2ln09evt2fkn64t3joab3u301v">&nbsp;&nbsp;Open an issue</a>
</h3> </h3>
<p class="labelsAndMarkers"> <p class="labelsAndMarkers">
<img class="marker" src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/priority_3.png"></p> <img class="marker" src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/priority_3 2.png"></p>
<h3 class="topic"> <h3 class="topic">
<a name="6qc1uca2dg7v80kcjl0qdn91en">&nbsp;&nbsp;Update the JSON of the cluster and create a pull-request</a> <a name="6qc1uca2dg7v80kcjl0qdn91en">&nbsp;&nbsp;Update the JSON of the cluster and create a pull-request</a>
</h3> </h3>
<p class="labelsAndMarkers"> <p class="labelsAndMarkers">
<img class="marker" src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/priority_2.png"></p> <img class="marker" src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/priority_2 2.png"></p>
<h2 class="topic"> <h2 class="topic">
<a href="https://www.misp-project.org/taxonomies.html" name="3oqs7n1ncqmed6be2rck3k90qj">Update an existing MISP taxonomy</a> <a href="https://www.misp-project.org/taxonomies.html" name="3oqs7n1ncqmed6be2rck3k90qj">Update an existing MISP taxonomy</a>
</h2> </h2>
<div class="overview"> <div class="overview">
<img src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/Update an existing MISP taxonomy.jpg"></div> <img src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/Update an existing MISP taxonomy 2.jpg"></div>
<p class="relationships">See Also: <a href="#2e3vq7pmn1m13bgf60h16imei7">If there is a missing value in an existing taxonomy or a new one have to be created. </a> <p class="relationships">See Also: <a href="#2e3vq7pmn1m13bgf60h16imei7">If there is a missing value in an existing taxonomy or a new one have to be created. </a>
</p> </p>
<h3 class="topic"> <h3 class="topic">
<a href="https://github.com/MISP/misp-taxonomies/" name="630troncsdvbgv4jcf05o8icd6">&nbsp;Adding a new value to an existing taxonomy (or fix an existing one)</a> <a href="https://github.com/MISP/misp-taxonomies/" name="630troncsdvbgv4jcf05o8icd6">&nbsp;Adding a new value to an existing taxonomy (or fix an existing one)</a>
</h3> </h3>
<p class="labelsAndMarkers"> <p class="labelsAndMarkers">
<img class="marker" src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/priority_2.png"></p> <img class="marker" src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/priority_2 2.png"></p>
<div class="overview"> <div class="overview">
<img src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/Adding a new value to an existing taxonomy (or fix an existing one).jpg"></div> <img src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/Adding a new value to an existing taxonomy (or fix an existing one) 2.jpg"></div>
<h3 class="topic"> <h3 class="topic">
<a href="https://github.com/MISP/misp-taxonomies/issues" name="62rhsgsocoqosnjp74pqujrvb4">&nbsp;&nbsp;Open an issue</a> <a href="https://github.com/MISP/misp-taxonomies/issues" name="62rhsgsocoqosnjp74pqujrvb4">&nbsp;&nbsp;Open an issue</a>
</h3> </h3>
<p class="labelsAndMarkers"> <p class="labelsAndMarkers">
<img class="marker" src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/priority_3.png"></p> <img class="marker" src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/priority_3 2.png"></p>
<h3 class="topic"> <h3 class="topic">
<a name="0q1m70tmb67rkulimfds00hb6s">&nbsp;&nbsp;Update the JSON and create a pull-request</a> <a name="0q1m70tmb67rkulimfds00hb6s">&nbsp;&nbsp;Update the JSON and create a pull-request</a>
</h3> </h3>
<p class="labelsAndMarkers"> <p class="labelsAndMarkers">
<img class="marker" src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/priority_2.png"></p> <img class="marker" src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/priority_2 2.png"></p>
<h2 class="topic">
<a name="2g18pjsj78hjjcvfahj1su7k3m">Propose a new attribute type in MISP</a>
</h2>
<div class="overview">
<img src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/Propose a new attribute type in MISP.jpg"></div>
<h3 class="topic">
<a name="721gmpsgomo77ubdgprgeoqh8b">&nbsp;Attribute type are really atomic information, misp object should be preferred.</a>
</h3>
<h2 class="topic">
<a name="229f4anhse7d3ov8ivtf5smepn">Propose a new MISP object template</a>
</h2>
<div class="overview">
<img src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/Propose a new MISP object template.jpg"></div>
<h3 class="topic">
<a name="40d15obs8kk00vv7eqeu840mub">&nbsp;Update the JSON and create a pull-request</a>
</h3>
<p class="labelsAndMarkers">
<img class="marker" src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/priority_2 2.png"></p>
<h3 class="topic">
<a href="https://github.com/MISP/misp-objects/issues" name="4cblda2a65tlv8s86990i0lc0j">&nbsp;Open an issue</a>
</h3>
<p class="labelsAndMarkers">
<img class="marker" src="Collecting_and_analysing_OSINT_into_MISP_threat_intelligence_platform_files/images/priority_3 2.png"></p>
</body> </body>
</html> </html>
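
Review bot: the new topic "If there is any missing objects or attributes type in MISP to describe this OSINT, propose a new one." has no `See Also` link, while the equivalent taxonomy and galaxy topics in this hunk link to "Update an existing MISP taxonomy" and "Update an existing MISP galaxy cluster"; add a `relationships` paragraph pointing at the new "Propose a new attribute type in MISP" and "Propose a new MISP object template" sections. In "Propose a new MISP object template" the steps are listed as "Update the JSON and create a pull-request" and then "Open an issue", the reverse of the galaxy and taxonomy sections, and the "Update the JSON" step and the whole "Propose a new attribute type in MISP" section carry no `href` to a repository. The images referenced by the added sections (for example `Action taken from the OSINT entered in MISP.jpg`) have no ` 2` suffix while the existing ones in the same hunk gain it, so the export naming is inconsistent within the file.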

Binary file not shown. Size before: 385 KiB; size after: 459 KiB.