Create a MISP event on a malware incident – static malware analysis #2
Labels
needs triage: This issue has been automatically labelled and needs further triage
playbook:activity=3: Playbooks for activity 2
playbook:state=proposal: A 'proposal' for a new playbook
The title of the playbook
Create a MISP event on a malware incident – with sample
Purpose of the playbook
This playbook creates a MISP event on a malware incident (this can also be a phishing incident where there is an attachment instead of a link). The playbook sets default tags (taxonomies) and clusters on event and attributes. It asks the analyst to upload the sample to the Jupyter notebook (the exact implementation needs to be verified). The sample is attached to the MISP event and sent to a local instance of MWDBcore. Attributes are tagged with PAP or course-of-action matrix and enclosed in objects where needed. The playbook creates relationships between the objects. The playbook queries MISP events and the enabled OSINT feeds for matches with the sample details (hashes). The details of the malware sample (hashes) are queried at VirusTotal and OTX with the help of MISP modules. A query is done with Hashlookup. The hashes are added to a Watchlist at Azure Sentinel. A final report with a list of indicators is summarised in the playbook and sent to Mattermost or Slack or as an alert in TheHive or DFIR-IRIS (to be discussed for implementation).
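As an added illustration of the event the playbook would push (example code written for this page, not part of the proposal or of MISP/PyMISP), the JSON below follows MISP's REST event format: a file object carrying the sample's hashes, the PAP tag on every attribute, and, for the phishing variant, an email object with a relationship to the attachment, plus the Hashlookup URLs for the sha256 values. The sample bytes, filename, sender and subject are constructed; pushing the event with PyMISP is left out.

```python
import hashlib
import uuid

# Constructed stand-in for the file the analyst uploads to the notebook (not real malware).
SAMPLE_NAME = "invoice.docm"
SAMPLE_BYTES = b"constructed test payload for the MISP playbook example"

def hash_sample(data: bytes) -> dict:
    """Hashes the playbook later uses for MISP, OSINT feed, VirusTotal, OTX and Hashlookup queries."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}

def file_object(filename: str, data: bytes, pap: str) -> dict:
    """MISP 'file' object: filename plus hashes, each attribute tagged with the PAP level."""
    attrs = [{"object_relation": "filename", "type": "filename", "value": filename}]
    attrs += [{"object_relation": k, "type": k, "value": v} for k, v in hash_sample(data).items()]
    for attr in attrs:
        attr["Tag"] = [{"name": pap}]
    return {"uuid": str(uuid.uuid4()), "name": "file", "meta-category": "file", "Attribute": attrs}

def email_object(sender: str, subject: str, attachment_uuid: str, pap: str) -> dict:
    """MISP 'email' object for the phishing variant, linked to the attachment's file object."""
    attrs = [{"object_relation": "from", "type": "email-src", "value": sender, "Tag": [{"name": pap}]},
             {"object_relation": "subject", "type": "email-subject", "value": subject, "Tag": [{"name": pap}]}]
    return {"uuid": str(uuid.uuid4()), "name": "email", "meta-category": "network", "Attribute": attrs,
            "ObjectReference": [{"referenced_uuid": attachment_uuid, "relationship_type": "contains"}]}

def build_event(filename: str, data: bytes, sender: str = None, subject: str = None,
                pap: str = "PAP:AMBER") -> dict:
    """Event JSON as MISP's REST API accepts it: default tags on the event, objects with relationships."""
    objects = [file_object(filename, data, pap)]
    if sender:   # phishing incident with an attachment: add the email object and the relationship
        objects.append(email_object(sender, subject, objects[0]["uuid"], pap))
    return {"Event": {"info": f"Malware incident: {filename}",
                      "distribution": "0",        # your organisation only; adjust to sharing policy
                      "threat_level_id": "2",     # medium
                      "analysis": "0",            # initial
                      "Tag": [{"name": "tlp:amber"}, {"name": pap}],
                      "Object": objects}}

def hashlookup_urls(event: dict) -> list:
    """Hashlookup lookup URLs for every sha256 in the event (public CIRCL endpoint; nothing is sent here)."""
    return [f"https://hashlookup.circl.lu/lookup/sha256/{a['value']}"
            for obj in event["Event"]["Object"] for a in obj["Attribute"] if a["type"] == "sha256"]
```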
External resources used by this playbook
MWDBcore, VirusTotal, OTX, Hashlookup, Mattermost (or Slack), TheHive (optional), DFIR-IRIS (optional)
Target audience
SOC, CSIRT
Briefly list the execution steps or workflow
No response