Starting from version 2.4.160, MISP supports the "workflow" feature, allowing site administrators to modify the default behavior of MISP. Actions such as the ones listed below are now possible thanks to this feature:
- Prevent the publishing of an Event if some criteria are not met
- Prevent queries against third-party services based on tags attached to an Attribute/Event (e.g. `PAP:RED`)
- Post data using a webhook for some actions
- Send notifications to a chat platform such as Mattermost or Slack
- And much more
MISP comes with some default workflow blueprints which can be added in any MISP. This repository contains all the default blueprints.
For more information about MISP workflows, the MISP Workflows training materials are a good start.
- Attach `tlp:clear` on `tlp:white` - Attach the `tlp:clear` tag on elements having the `tlp:white` tag.
- `PAP:RED` and `tlp:red` Blocking - Block actions if any attributes have the `PAP:RED` or `tlp:red` tag.
- Remove `to_ids` flag if the indicator appears in known file list - Disable the `to_ids` flag for hashes already present in hashlookup.
- Set tag based on BGP Ranking maliciousness level - Set a tag based on the BGP Ranking maliciousness level.
- Curation - Allow curation process
- Curation - Assign threat-level based on enriched location
- Curation - Assign a country GalaxyCluster on IPs
- Curation - Normalize TLP & PAP Tag
- Curation - Remove automation flag from known non-malicious hashes
- Curation - Remove automation flag from false-positive tripping over warninglist
- Curation - Remove automation flag from data having correlation with predefined feed
- Curation - Toggle automation flag from network IoC based on AbuseIPDB
- Curation - Toggle automation flag from URLs based on Google-Safe-Browsing
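To make concrete what three of the blueprints above do (attaching `tlp:clear` beside `tlp:white`, refusing to proceed when `PAP:RED` or `tlp:red` is present, and clearing `to_ids` on hashes found in a known-file list), here is an added Python illustration. It is not code from this repository or from MISP: the event layout is a simplified subset of MISP's event JSON (an assumption), and `KNOWN_FILE_HASHES` is a constructed stand-in for what a hashlookup query would return.

```python
import copy
from typing import Dict, Iterable, List, Set

# Attribute types treated as file hashes (assumption for this illustration).
HASH_TYPES = {"md5", "sha1", "sha256"}

# Constructed sample event; simplified subset of MISP's event JSON (assumption).
SAMPLE_EVENT: Dict = {
    "Event": {
        "info": "constructed sample event",
        "Tag": [{"name": "tlp:white"}],
        "Attribute": [
            {"type": "md5", "value": "d41d8cd98f00b204e9800998ecf8427e",
             "to_ids": True, "Tag": []},
            {"type": "ip-dst", "value": "203.0.113.10",
             "to_ids": True, "Tag": [{"name": "PAP:RED"}]},
            {"type": "sha256",
             "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
             "to_ids": True, "Tag": [{"name": "tlp:white"}]},
        ],
    }
}

# Constructed stand-in for a known-file hash list (the md5 of an empty file).
KNOWN_FILE_HASHES: Set[str] = {"d41d8cd98f00b204e9800998ecf8427e"}


def tag_names(element: Dict) -> Set[str]:
    """Names of the tags attached to an event or attribute."""
    return {t["name"] for t in element.get("Tag", [])}


def attach_tag(element: Dict, name: str) -> bool:
    """Attach a tag once; return True only if it was newly added."""
    if name in tag_names(element):
        return False
    element.setdefault("Tag", []).append({"name": name})
    return True


def normalize_tlp(event: Dict) -> int:
    """Attach tlp:clear wherever tlp:white is present; return the number of elements changed."""
    ev = event["Event"]
    changed = 0
    for element in [ev, *ev.get("Attribute", [])]:
        if "tlp:white" in tag_names(element) and attach_tag(element, "tlp:clear"):
            changed += 1
    return changed


def blocking_tags(event: Dict, blocking: Iterable[str] = ("PAP:RED", "tlp:red")) -> Set[str]:
    """Return the blocking tags found on the event or any of its attributes (empty set: safe to proceed)."""
    ev = event["Event"]
    wanted = set(blocking)
    found: Set[str] = set()
    for element in [ev, *ev.get("Attribute", [])]:
        found |= tag_names(element) & wanted
    return found


def disable_to_ids_for_known_hashes(event: Dict, known: Set[str]) -> List[str]:
    """Clear to_ids on hash attributes present in the known-file list; return the values touched."""
    disabled: List[str] = []
    for attr in event["Event"].get("Attribute", []):
        if (attr.get("type") in HASH_TYPES
                and attr.get("value", "").lower() in known
                and attr.get("to_ids")):
            attr["to_ids"] = False
            disabled.append(attr["value"])
    return disabled


def run_curation(event: Dict) -> Dict:
    """Apply the three steps to a copy of the event and summarise what changed."""
    ev = copy.deepcopy(event)
    return {
        "tlp_clear_added": normalize_tlp(ev),
        "blocking_tags": sorted(blocking_tags(ev)),
        "to_ids_disabled": disable_to_ids_for_known_hashes(ev, KNOWN_FILE_HASHES),
        "event": ev,
    }


if __name__ == "__main__":
    summary = run_curation(SAMPLE_EVENT)
    for key in ("tlp_clear_added", "blocking_tags", "to_ids_disabled"):
        print(f"{key}: {summary[key]}")
    if summary["blocking_tags"]:
        print("would block the action because of:", summary["blocking_tags"])
```

The steps work on a copy so that the original event is left intact when a blocking tag is found; in a real workflow the blocking check would run first and stop the action, while the normalisation and `to_ids` steps would be separate blueprints triggered on their own hooks.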
Contributing a blueprint is very easy: fork the repository, create a new JSON file with your blueprint and make a pull request.
The MISP workflows are dual-licensed under CC-0 and a simple 2-clause BSD license.