Sightings Visibility #1704

Closed
liz-cullen opened this issue Dec 1, 2016 · 4 comments

@liz-cullen

commented Dec 1, 2016

Hi everyone,

Are sightings input via the UI synced between MISP instances? I have a test setup with 2 instances of MISP, and users can see sightings from users on the local MISP but not from users on the remote MISP.

@iglocska

Member

commented Dec 1, 2016

@adulau adulau added the enhancement label Dec 1, 2016

@adulau

Member

commented Dec 1, 2016

We are doing some work (still a very early experiment) to share IOC information using a privacy-preserving data structure:

https://github.com/charly077/thesis/tree/master/encrypted_rules_implem/encrypt_backend

This is basically based on the following paper

van de Kamp, T., Peter, A., Everts, M. H., & Jonker, W. (2016, October). Private Sharing of IOCs and Sightings. In Proceedings of the 2016 ACM on Workshop on Information Sharing and Collaborative Security (pp. 35-38). ACM.

We would like to extend it to Sightings too and allow the sync. Feedback and ideas are more than welcome.

@xme


commented Jan 3, 2017

AFAIK, the current API allows creating a new sighting entry for an attribute, but there is no way to get Sightings previously defined. My goal is to automatically add sightings from external detection tools when a match is found against a MISP attribute. Then, I'd like to have a (daily|monthly) reporting about what was detected. What do you think?
In the meantime, I wrote a quick Python script to extract existing sightings:
https://github.com/xme/toolbox/blob/master/misp_sigthings.py

@adulau adulau added the api label Jan 3, 2017

@adulau

Member

commented Nov 22, 2018

The sighting API has been updated recently, and so has the sync of sightings. Feel free to test and reopen the issue if this is not fixed.

API info
Description: Search MISP sightings using a list of filter parameters and return the data in the JSON format. The search is available on an event, attribute or instance level, just select the scope via the URL (/sighting/restSearch/event vs /sighting/restSearch/attribute vs /sighting/restSearch/). id MUST be provided if context is set.
ReturnFormat: json, xml, csv
Mandatory: returnFormat
Optional: id, type, from, to, last, org_id, source, includeAttribute, includeEvent
Params: context

@adulau adulau closed this Nov 22, 2018
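
An added example (not part of the thread and not MISP project code): it validates a query against the restSearch scopes and parameters listed in the comment above, then counts returned sightings per day and organisation, which is one way to check that sightings from a remote instance's organisation have arrived. The host `misp.example`, the function names, and the response shape with `date_sighting` as a Unix timestamp are assumptions.

```python
import json
from collections import Counter
from datetime import datetime, timezone

# Scopes and filter names copied from the "API info" text in the comment above.
SCOPES = {"event": "/sighting/restSearch/event",
          "attribute": "/sighting/restSearch/attribute",
          "instance": "/sighting/restSearch/"}
FORMATS = {"json", "xml", "csv"}
OPTIONAL = {"id", "type", "from", "to", "last", "org_id", "source",
            "includeAttribute", "includeEvent"}

def build_search(base_url, scope, return_format="json", filters=None):
    """Validate a restSearch query and return (url, json_body) without sending it."""
    filters = dict(filters or {})
    if scope not in SCOPES:
        raise ValueError(f"unknown scope: {scope}")
    if return_format not in FORMATS:
        raise ValueError(f"unsupported returnFormat: {return_format}")
    unknown = set(filters) - OPTIONAL
    if unknown:
        raise ValueError(f"unknown filters: {sorted(unknown)}")
    # "id MUST be provided if context is set": event and attribute scopes need an id.
    if scope != "instance" and "id" not in filters:
        raise ValueError(f"scope '{scope}' requires an id")
    body = json.dumps({"returnFormat": return_format, **filters}, sort_keys=True)
    return base_url.rstrip("/") + SCOPES[scope], body

def sightings_per_day_and_org(response_text):
    """Count sightings per (UTC day, org_id); assumed shape: {"response": [{"Sighting": {...}}]}."""
    counts = Counter()
    for item in json.loads(response_text).get("response", []):
        s = item["Sighting"]
        day = datetime.fromtimestamp(int(s["date_sighting"]), timezone.utc).date()
        counts[(day.isoformat(), str(s["org_id"]))] += 1
    return dict(counts)

# Constructed sample response (not real data): two orgs, two days.
SAMPLE_RESPONSE = json.dumps({"response": [
    {"Sighting": {"attribute_id": "42", "org_id": "1", "date_sighting": "1542844800"}},
    {"Sighting": {"attribute_id": "42", "org_id": "2", "date_sighting": "1542848400"}},
    {"Sighting": {"attribute_id": "42", "org_id": "1", "date_sighting": "1542931200"}},
]})

if __name__ == "__main__":
    print(build_search("https://misp.example", "attribute", filters={"id": 42}))
    for key, n in sorted(sightings_per_day_and_org(SAMPLE_RESPONSE).items()):
        print(key, n)
```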
