Document usage of data filtering strategy #67
Labels
help wanted
This is an issue that community can help with
S: stale
Status: stale. This issue has had no activity in a long time, it may not be relevant anymore
T: enhancement
Type: enhancement. This issue seeks an improvement of an existing feature
Comments
enjeck
added
help wanted
|
I'm guessing this would translate to using the decaying mechanism now? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Quote from a mail, this but better explained:
"our mantra is, keep your data for correlation and exclude it from the exports. What I'd suggest:
a. Set an automatic tag for your feed (such as "expireMeInAMonth") - these tags will be automatically applied to all events coming from the feed hereafter
b. When exporting data from MISP, for example for your SIEM/NIDS/etc use the following rules:
c. Feed both data sets to your tools
This will get you all your regular data + the past 30 day's worth of data from the feed."
The text was updated successfully, but these errors were encountered: