MISP for OSINT: create new event

cross checking
- Is the OSINT already known?
  - Is it known from public sources (search in public indexers, blog posts, reports)?
    - yes
    - no
  - Is it known across communities?
    - yes: make a proposal for update if the event requires an update
    - no: create a new event

create event
- set up basic information
  - step 1: event info
    - summary, concise
    - can add "OSINT" in the text field
  - step 2: event distribution
    - who will see your event
      - your organisation only
      - this community only
      - connected communities
      - All communities
      - A sharing group
  - step 3: timeline
    - activity detected, when it happened
    - is there a date of publication, some mentions?
  - step 4: add tags
    - this step is important for correlation and classification
    - use existing tags: source type, requests, certainty, etc.
      - TLP: white
      - requests
        - collaborative intelligence
      - confidence level
      - osint certainty
      - information credibility
    - some tags are missing
      - you can create your own
      - or post an issue on GitHub
- event content
  - step 5: create attributes
    - object: is there an object template?
      - yes
        - review and complete the attributes
      - no
        - create an issue or proposal on GitHub
  - step 6: create relationships
    - set references between the entities
      - via the correlation graph (visual)
      - via the object reference
  - step 7: galaxies
    - explore galaxies for additional contextual information
- review and publish
  - review the event details, tags, TLP/PAP tags and distribution
  - publish or download your event

MISP community
- Ask for help
  - Issues on GitHub
- Contribute
  - MISP Project
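
Steps 1 to 6 and the pre-publish review, worked through as an added example (not part of the original outline and not MISP project code): it builds an event as MISP-format JSON using only the Python standard library. The JSON field names, the numeric distribution values, the `url` and `domain-ip` object templates and the helper function names are assumptions not stated in the outline; the indicators are constructed sample data.

```python
import json
import uuid
from datetime import date

# Step 2: distribution levels from the outline, with their numeric values in MISP event JSON.
DISTRIBUTION = {"your organisation only": 0, "this community only": 1,
                "connected communities": 2, "all communities": 3, "a sharing group": 4}

def misp_object(name, meta_category, attrs):
    """Step 5: object following a template; attrs is [(object_relation, type, value)]."""
    return {"name": name, "meta-category": meta_category, "uuid": str(uuid.uuid4()),
            "Attribute": [{"object_relation": r, "type": t, "value": v} for r, t, v in attrs],
            "ObjectReference": []}

def add_reference(src, dst, rel):
    """Step 6: set a reference from one object to another."""
    src["ObjectReference"].append({"referenced_uuid": dst["uuid"], "relationship_type": rel})

def build_event(info, distribution, activity_date, tags, objects, sharing_group_id=None):
    """Steps 1 to 4: event info, distribution, date and tags."""
    level = DISTRIBUTION[distribution.lower()]
    if level == 4 and sharing_group_id is None:
        raise ValueError("distribution to a sharing group needs a sharing_group_id")
    event = {"info": info, "distribution": level, "date": activity_date.isoformat(),
             "published": False, "Tag": [{"name": t} for t in tags], "Object": objects}
    if level == 4:
        event["sharing_group_id"] = sharing_group_id
    return {"Event": event}

def review(event):
    """Pre-publish review: return a list of problems (an empty list means ready)."""
    e = event["Event"]
    checks = [(any(t["name"].startswith("tlp:") for t in e["Tag"]), "no TLP tag"),
              (bool(e["info"].strip()), "empty event info"),
              (bool(e["Object"]), "no objects")]
    return [msg for ok, msg in checks if not ok]

def example_event():
    # Constructed sample data: documentation-reserved domain and IP address.
    page = misp_object("url", "network", [("url", "url", "https://blog.example.com/report")])
    host = misp_object("domain-ip", "network", [("domain", "domain", "bad.example.com"),
                                                ("ip", "ip-dst", "203.0.113.10")])
    add_reference(page, host, "related-to")
    tags = ["tlp:white", 'osint:source-type="blog-post"', 'osint:certainty="50"']
    return build_event("OSINT - constructed sample report", "All communities",
                       date(2024, 1, 15), tags, [page, host])

if __name__ == "__main__":
    print(json.dumps(example_event(), indent=2))
```

The event is left with `published` set to false, so the review step decides whether it is published or downloaded.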