Support: What MISP can do #9005

Open
Nicolas-Pellletier opened this issue Apr 10, 2023 · 3 comments
Labels
documentation This issue involves creating or refining documentation

Comments

@Nicolas-Pellletier

Support Questions

Hello,

I know that my request will probably remain unanswered, but I think it could help to have a broad view on what MISP can do. I've seen in the MISP Gitter chat that MISP can do a lot (around 80% is answered by yes):

> Is MISP capable of applying (custom) taxonomies to threat data in a predefined or manual way. There should also be the capability that the taxonomies would remain local and not shared.
Yes [OK]
> Is MISP capable of providing automatic classification of information.
Depends on your definition of automatic. We script it using MISP's APIs normally.
> Capability to apply marking, tagging and confidence at event, attribute, feed and source levels in a predefined way.
Yes to most, not for the source itself (unless it's a feed)
> Does MISP have the capability to manage marking information, e.g. TLP.
Yes
> Capability to match and link imported intelligence against custom rules and signatures (e.g. regular expressions, whitelists, blacklists, Yara rules, etc.) and apply subsequent predefined actions (e.g. identify internal IP addresses and do not tag them as indicators).
Yes and no. There are managements of what we call warninglists to maintain lists such as internal IPs, etc - you can use these via recurring API scripts to trigger such actions. Something new is coming that will be integrated and GUI driven though (currently in development)
> Taking into account the complexity of the cyber domain, Is MISP able to (automatically) link brand new data to already existing data via complex bindings such as aggregation, composition, generalization or realization.
The linking happens via something we call correlation, but it's not nearly that complex. We correlate on matching data points and some partial matches (IPs vs CIDR blocks, fuzzy hashing overlap, etc)
> Capability to generate warnings based on custom signatures and rules, before and after data enrichment.
Yes
> Does MISP have the capability to determine provenance and confidence information from different perspectives.
Yes and no. The tools exist to convey and label the information, but external tools are used in the decision process.
> Does MISP allow analysts building custom workflows?
Not yet. Coming in an upcoming release.
> Does MISP have the capability for custom workflows that will enable multi-step approval for actions affecting sensitive data.
Yes. We have specifically separated the publishing duties from information creation duties for this reason.
> Does MISP have the capability and tools to enable collaboration with internal and external stakeholders on threat triage, analysis and response. Iterative processes should also be able to be established so that each individual can provide his/her perspective and feedback.
Yes, absolutely
> Does MISP have the tasking capability, alerting on task deadline and logging analysts’ activities (so that changes can be tracked).
No, this is currently not in scope, MISP is hovered linked with case management (IRIS, The Hive) and ticketing systems (RTIR).
> Does MISP provide a human interface that will be customizable for data visualisations (visual graph-based representation).
Yes, event graphs, correlation graphs, timeline graphs, custom dashboarding
> Does MISP provide the capability to visualise trend information over the data and other characteristics via data exploration.
Yes, via the dashboarding, heatmap visualisations, etc [OK]
> Does MISP provide the capability of effective tactical indicator management with assurance that information is of relevant quality and fit for purpose.
Yes, via the decaying system
> Does MISP have the capability to automate or semi-automate threat triage.
Yes by connecting it to external tools via the enrichment system
> Does MISP allow analysts to prioritize IoCs and threats by helping them determine intelligence relevance based on technical constructs and organizational input. This could be achieved via rule-based or heuristics-based recommendation engines for threat information processing.
Yes, via the decaying / scoring system
> Does MISP have the capability for the analysts to enrich the data with confidence scores, ratings, tags, prioritizations, annotations, etc.
MISP directly no. However, via enrichment modules and external reputation services, yes.
> Does MISP provide the capability for the analysts to easily maintain their watchlists (e.g. domain resolution watchlist) and provide alerting based on predefined criteria.
Only in very basic ways (such as alert filtering)
> Does MISP use statistics methods and present them to the analysts so that trends can be identified and data analysis would be simplified.
It provides the tools / APIs for users to build their own, with some basic trends and statistics built into the dashboarding
> Does MISP use advanced data analytics and present them to the analysts so that trends can be identified and data analysis could be simplified.
It provides the tools / APIs for users to build their own, with some basic trends and statistics built into the dashboarding
> Is MISP able to collect metrics on usage of threat data to enable ranking of feeds and sources.
MISP can collect the data but it will not use it to rank feeds/sources based on usage. However, the information can be made available for external aggregation.
> Does MISP have an audit trail for intelligence that has been shared.
Only within the platform, since MISP networks can be large peer to peer networks the audit trail ends once the data leaves the instance.
> Is MISP able to sanitize and anonymize information before being shared with the rest of the stakeholders where appropriate.
Sanitise, yes. Anonymise, only partially.
> Does MISP provide the mechanisms for the organisation to identify sensitive data and replace them with privacy protected label before being shared.
It has a subsystem that allows organisations to build rules for detecting sensitive data and warning the users about the impact of sharing them, the labelling is then up to the user / automation scripts.
> Does MISP have the capability to provide granular access policies e.g. an intelligence product can have different parts that are TLP RED while the other parts may be TLP Amber.
yes
> Does MISP have the capability to disseminate provenance and confidence information from different perspectives.
yes
> Does MISP provide the capability for custom workflows that will enable multi-step approval for actions affecting sensitive data, e.g. information sharing of sensitive data.
yes
> Can MISP incorporate collaboration, iteration, and feedback between threat intelligence analysts.
yes

But still, for a lot of the "yes" answers, I don't know how concretely it is possible in MISP. If anyone from the development team could attach a link or a word to deepen the search, I would be very grateful to you.

MISP version

2.4.169

Operating System

Ubuntu

Operating System version

22.04

PHP version

7.4.33

Browser

No response

Browser version

No response

Relevant log output

No response

Extra attachments

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct
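As an added example (not code from this issue, from MISP or from PyMISP) of the warninglist-driven triage the Gitter answer above describes, a recurring script could load a warninglist in MISP's JSON layout and clear the IDS flag (`to_ids`) on attributes whose values fall in internal ranges instead of letting them go out as indicators. The warninglist, the attributes and the `triage` function are constructed here; in a real script the attributes would come from a PyMISP search and the result would be pushed back to the instance.

```python
import ipaddress
import json
import re
# Constructed warninglist in MISP's JSON layout; the ranges are placeholders, not a bundled list.
INTERNAL_RANGES_JSON = """{
  "name": "Constructed example: internal IP ranges",
  "type": "cidr",
  "matching_attributes": ["ip-src", "ip-dst", "ip-src|port", "ip-dst|port", "domain|ip"],
  "list": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
}"""
WARNINGLISTS = [json.loads(INTERNAL_RANGES_JSON)]
# Constructed attributes, shaped like what a PyMISP attribute search returns.
SAMPLE_ATTRIBUTES = [
    {"type": "ip-dst", "value": "192.168.10.5", "to_ids": True},
    {"type": "ip-dst", "value": "203.0.113.7", "to_ids": True},
    {"type": "domain|ip", "value": "example.com|10.1.2.3", "to_ids": True},
    {"type": "url", "value": "http://10.1.2.3/login", "to_ids": True},  # type not in the list
]

def value_hits(value, wl):
    """True if one value is covered by warninglist wl (cidr, string or regex list)."""
    if wl["type"] == "cidr":
        try:
            ip = ipaddress.ip_address(value)
        except ValueError:
            return False
        return any(ip in ipaddress.ip_network(c, strict=False) for c in wl["list"])
    if wl["type"] == "string":
        return value in wl["list"]
    if wl["type"] == "regex":
        return any(re.search(p, value) for p in wl["list"])
    raise ValueError(f"unsupported warninglist type {wl['type']!r}")

def attribute_hits(attr, wl):
    """Check one attribute; composite types such as domain|ip are split on '|'."""
    if attr["type"] not in wl["matching_attributes"]:
        return False
    types = attr["type"].split("|")
    values = attr["value"].split("|") if len(types) > 1 else [attr["value"]]
    # a cidr list is only compared against the IP component of a composite value
    picked = [v for t, v in zip(types, values) if wl["type"] != "cidr" or t.startswith("ip")]
    return any(value_hits(v, wl) for v in picked)

def triage(attributes, warninglists):
    """Clear the IDS flag (to_ids) on attributes that hit a list and record which lists matched."""
    out = []
    for attr in attributes:
        hits = [wl["name"] for wl in warninglists if attribute_hits(attr, wl)]
        out.append(dict(attr, to_ids=bool(attr["to_ids"] and not hits), warninglist_hits=hits))
    return out
```

The `url` attribute is left alone even though it embeds an internal address, because the list's `matching_attributes` does not cover that type; that is the same scoping a MISP warninglist applies.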
Nicolas-Pellletier added the needs triage and support labels Apr 10, 2023
@adulau
Member

adulau commented Apr 10, 2023

Thanks for the list. We could add this in misp-book and on the web page. I see some points where workflow could help especially to have automated decision processes. How do you see the dissemination of such open questions?

adulau added the documentation label and removed the needs triage and support labels Apr 10, 2023
@Nicolas-Pellletier
Author

Nicolas-Pellletier commented Apr 10, 2023

Yes, I think it could be great to add it in the misp-book and on the web page so that everyone can see it. I will add it

@Nicolas-Pellletier
Author

Nicolas-Pellletier commented Apr 15, 2023

I'm currently answering all these questions in order to integrate them into the MISP book. Instead of having a simple yes/no answer on whether this functionality is available in MISP, I'm trying to describe as much as possible how, in practice, MISP enables this feature. I redirect to a workshop link that could help the reader to know more about the feature.

There are 10 more questions left. I think it will be finished by the end of the weekend.
