MISP - Add an Event Tag instead of/additionally to Attribute Tag #836

Closed
Tux-Panik opened this Issue Dec 19, 2018 · 6 comments

Tux-Panik commented Dec 19, 2018

Request Type

Feature Request

Work Environment

| Question | Answer |
|---|---|
| OS version (server) | CentOS 7 |
| OS version (client) | Nevermind |
| TheHive version / git hash | 3.1.1 |
| Package Type | Docker |

Problem Description

In the MISP section of the application.conf, I found "optional tags to add to each observable imported from an event available on this instance" and using:
tags = ["misp"]

I would like to request a feature to also add an event tag, additionally to the TLP tag.
It is useful to identify which events come from TheHive among the MISP stream.

Again, thanks for your great work.
Kind regards,
Julien

@nadouani nadouani added the question label Jan 2, 2019

nadouani commented Jan 2, 2019

Hello, you can define a case template to use when importing MISP alerts into cases, and set the tags you want on that case template.

When you convert a MISP alert to a Case, the tags from the Case Template will be appended to the newly created case, allowing you to filter the case by that tag to find all the cases created from a MISP alert.

@nadouani nadouani closed this Jan 2, 2019

@nadouani nadouani reopened this Jan 2, 2019

nadouani commented Jan 2, 2019

Well, I think that I was too fast reading the feature request. Do you want to set a tag to the MISP event when pushed from TheHive to MISP?

Tux-Panik commented Jan 2, 2019

Hello, Happy New Year guys :-)
In fact, I'd like to set a dedicated tag attached to the MISP events when I share cases from The Hive.
It already exists for each attribute (based on TheHive's TLP) but not as a global for the event.

Does it make sense for you?

Regards,
JMO

nadouani commented Jan 2, 2019

Yes, this makes sense I agree, and it shouldn't be a big deal.

@nadouani nadouani added this to the 3.3.0 milestone Jan 2, 2019

@nadouani nadouani removed this from the 3.3.0 milestone Feb 1, 2019

@To-om To-om added enhancement and removed question labels Feb 5, 2019

@To-om To-om added this to the 3.3.0 milestone Feb 5, 2019

To-om commented Feb 5, 2019

I added a setting, exportCaseTags, in the MISP section of application.conf. If true, case tags are exported to the event.
Example for configuration:

misp {
  "local" {
    url = "http://127.0.0.1"
    key = "_my_key_"
    exportCaseTags = true
  }
}

To-om added a commit that referenced this issue Feb 5, 2019

@To-om To-om closed this Feb 5, 2019

Tux-Panik commented Feb 5, 2019

Thank you. I'll try it on the next release.
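
The event-level versus attribute-level tagging distinction discussed in this thread, as an added example (not code from TheHive or MISP): it classifies events in MISP's JSON event layout by where a given tag appears, which is what decides whether a simple event-tag filter finds them. The tag name `src:thehive` and the sample events are constructed for illustration.

```python
import json

# Constructed sample in MISP's event JSON layout (not data from the issue).
# "src:thehive" is a hypothetical tag name chosen for this example.
SAMPLE_EVENTS = json.loads("""
[
  {"Event": {"id": "101", "info": "Case shared with case tags exported",
             "Tag": [{"name": "tlp:amber"}, {"name": "src:thehive"}],
             "Attribute": [{"value": "198.51.100.7", "Tag": [{"name": "tlp:amber"}]}]}},
  {"Event": {"id": "102", "info": "Case shared, tag present on attributes only",
             "Attribute": [{"value": "bad.example", "Tag": [{"name": "src:thehive"}]}]}},
  {"Event": {"id": "103", "info": "Event from another source",
             "Tag": [{"name": "tlp:white"}],
             "Attribute": [{"value": "203.0.113.9"}]}}
]
""")


def tag_names(obj):
    """Return the set of tag names on an Event or Attribute dict (no "Tag" key = empty)."""
    return {t["name"] for t in obj.get("Tag") or []}


def classify(events, tag):
    """Split event ids by where `tag` appears: event level, attributes only, or nowhere."""
    result = {"event": [], "attribute_only": [], "absent": []}
    for wrapper in events:
        event = wrapper["Event"]
        if tag in tag_names(event):
            result["event"].append(event["id"])
        elif any(tag in tag_names(a) for a in event.get("Attribute") or []):
            # An event-tag filter misses these: the marker is only on attributes.
            result["attribute_only"].append(event["id"])
        else:
            result["absent"].append(event["id"])
    return result


if __name__ == "__main__":
    for where, ids in classify(SAMPLE_EVENTS, "src:thehive").items():
        print(f"{where}: {ids}")
```

Events landing in `attribute_only` are the ones an event-tag filter on the MISP side would not pick up.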
