MISP User Training - Administration of MISP 2.4
MISP Threat Sharing
Team CIRCL
http://www.misp-project.org/
Twitter: @MISPProject
ESDC 20200303
MISP - VM

The VM can be downloaded at https://www.circl.lu/misp-training/

Credentials
- MISP admin: [email protected] / admin
- SSH: misp / Password1234

Two network interfaces
- NAT
- Host-only adapter

Start the enrichment system by typing:
- cd /home/misp/misp-modules/bin
- python3 misp-modules.py
MISP - Administration

Plan for this part of the training
- User and Organisation administration
- Sharing group creation
- Templates
- Tags and Taxonomy
- Whitelisting and Regexp entries
- Setting up the synchronisation
- Scheduled tasks
- Feeds
- Settings and diagnostics
- Logging
- Troubleshooting and updating
MISP - Creating Users

- Add new user ([email protected])
- NIDS SID, Organisation, disable user
- Fetch the PGP key
- Roles
  - Re-using standard roles
  - Creating a new custom role
- Send out credentials
MISP - Creating Organisations

- Adding a new organisation
- UUID
- Local vs External organisation
- Making an organisation self-sustaining with Org Admins
- Creating a sync user
MISP - Sharing groups

- The concept of a sharing group
- Creating a sharing group
- Adding extending rights to an organisation
- Include all organisations of an instance
- Not specifying an instance
- Making a sharing group active
- Reviewing the sharing group
MISP - Templates

- Why templating?
- Create a basic template
- Text fields
- Attribute fields
- Attachment fields
- Automatic tagging
MISP - Tags and Taxonomies

- git submodule init && git submodule update
- Loading taxonomies
- Enabling taxonomies and associated tags
- Tag management
- Exportable tags
MISP - Object Templates

- git submodule init && git submodule update
- Enabling objects (and what about versioning)
MISP - Whitelisting, Regexp entries, Warninglists

- Block from exports - whitelisting
- Block from imports - blacklisting via regexp
- Modify on import - modification via regexp
- Maintaining the warninglists
MISP - Setting up the synchronisation

- Requirements - versions
- Pull/Push
- One way vs Two way synchronisation
- Exchanging sync users
- Certificates
- Filtering
- Connection test tool
- Previewing an instance
- Cherry picking and keeping the list updated
MISP - Scheduled tasks

- How to schedule the next execution
- Frequency, next execution
- What happens if a job fails?
MISP - Feeds

- MISP Feeds and their generation
- PyMISP
- Default free feeds
- Enabling a feed
- Previewing a feed and cherry picking
- Feed filters
- Auto tagging
MISP - Settings and diagnostics

Settings
- Settings interface
- The tabs explained at a glance
- Issues and their severity
- Setting guidance and how to best use it
MISP - Settings and diagnostics continued

- Basic instance setup
- Additional features released as hotfixes
- Customise the look and feel of your MISP
- Default behaviour (encryption, e-mailing, default distributions)
- Maintenance mode
- Disabling the e-mail alerts for an initial sync
MISP - Settings and diagnostics continued

Diagnostics
- Updating MISP
- Writeable Directories
- PHP settings
- Dependency diagnostics
MISP - Settings and diagnostics continued

Workers
- What do the background workers do?
- Queues
- Restarting workers, adding workers, removing workers
- Worker diagnostics (queue size, jobs page)
- Clearing worker queues
- Worker and background job debugging
MISP - Settings and diagnostics continued

Seeking help
- Dump your settings to a file!
- Make sure to sanitise it
- Send it to us together with your issue to make our lives easier
- Ask on GitHub (https://github.com/MISP/MISP)
- Have a chat with us on gitter (https://gitter.im/MISP/MISP)
- Ask the MISP mailing list
- If this is security related, drop us a PGP encrypted email to [email protected]
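A shell helper for the "dump your settings, then sanitise it" step above, added here as an example; it is not a MISP tool and not part of the training material. It assumes the dump is JSON with one "Setting.name": "value" pair per line and redacts the value of every setting whose name ends in salt, password, passwd, authkey, api_key or secret (MISP's own Security.salt, GnuPG.password, Plugin.ZeroMQ_password and Plugin.Cortex_authkey follow that pattern). The sample dump inside the script is constructed, not taken from a real instance.

```shell
#!/bin/sh
# Added example, not MISP's own tooling: redact secret values from a MISP settings dump
# before attaching it to a GitHub issue, a chat message or an e-mail.
# Assumption: the dump is JSON with one "Setting.name": "value" pair per line.

# Constructed sample dump (values are made up; setting names follow MISP's naming).
sample_dump() {
    cat <<'EOF'
{
  "MISP.baseurl": "https://misp.example.org",
  "MISP.org": "ORGNAME",
  "Security.salt": "Rooraenietu8Eeyo<Qu2eeNfterd-dd+",
  "Security.password_policy_length": "12",
  "GnuPG.password": "gpg-passphrase",
  "Plugin.ZeroMQ_password": "zmq-secret",
  "Plugin.Cortex_authkey": "0123456789abcdef0123456789abcdef01234567"
}
EOF
}

# sanitize_settings FILE -> the dump on stdout, with the value of every setting whose name
# ends in one of the secret words replaced by "REDACTED". Anchoring on the end of the name
# keeps harmless diagnostic values such as Security.password_policy_length intact.
sanitize_settings() {
    sed -E 's/("[^"]*(salt|password|passwd|authkey|api_key|secret)"[[:space:]]*:[[:space:]]*)"[^"]*"/\1"REDACTED"/' "$1"
}

# check_sanitized FILE -> exit 0 if no secret-named setting still carries a literal value,
# exit 1 (with a message on stderr) otherwise. Run it on the file you are about to send.
check_sanitized() {
    if grep -E '"[^"]*(salt|password|passwd|authkey|api_key|secret)"[[:space:]]*:[[:space:]]*"[^"]*"' "$1" \
        | grep -qv '"REDACTED"'; then
        echo "unredacted secret values remain in $1" >&2
        return 1
    fi
    return 0
}

# Usage: sh sanitize-misp-settings.sh settings.json > settings.sanitised.json
# Without an argument the constructed sample is sanitised and printed instead.
if [ $# -ge 1 ]; then
    sanitize_settings "$1"
else
    tmp=$(mktemp)
    sample_dump > "$tmp"
    sanitize_settings "$tmp"
    rm -f "$tmp"
fi
```

The word list only catches settings whose name ends in one of those words, so a secret stored under a differently named key (or a hostname, e-mail address or organisation name you consider sensitive) has to be removed by hand; read the sanitised file once before sending it, and treat check_sanitized as a guard against forgetting the step, not as a guarantee.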
MISP - Logging

- Audit logs in MISP
- Enable IP logging / API logging
- Search the logs, the fields explained
- External logs
  - /var/www/MISP/app/tmp/logs/error.log
  - /var/www/MISP/app/tmp/logs/resque-worker-error.log
  - /var/www/MISP/app/tmp/logs/resque-scheduler-error.log
  - /var/www/MISP/app/tmp/logs/resque-[date].log
  - apache access logs
MISP - Updating MISP

- git pull
- git submodule init && git submodule update
- Reset the permissions if it goes wrong, according to the INSTALL.txt
- When MISP complains about missing fields, make sure to clear the caches
  - in /var/www/MISP/app/tmp/cache/models remove myapp*
  - in /var/www/MISP/app/tmp/cache/persistent remove myapp*
- No additional action required on hotfix level
- Read the migration guide for major and minor version changes
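The update steps on this slide, together with the git submodule init && git submodule update step from the Tags and Taxonomies and Object Templates slides, as one script. This is an added example and not part of the MISP project. It assumes the layout the slide names (app/tmp/cache/models and app/tmp/cache/persistent under /var/www/MISP, overridable through MISP_ROOT) and that the update runs as the web-server user (WEB_USER, default www-data); the permission reset reproduces the chown/chmod set from the Ubuntu INSTALL guide and is an assumption to check against the INSTALL.txt shipped with your version. The cache file names used in the comments are illustrative.

```shell
#!/bin/sh
# Added example (not part of MISP): pull a MISP update, refresh the submodules that carry
# taxonomies, object templates and warninglists, and clear the CakePHP model caches.
# Assumptions: MISP lives in MISP_ROOT (default /var/www/MISP) with the layout named on the
# slide, and the update runs as the web-server user (WEB_USER, default www-data).
set -e

MISP_ROOT="${MISP_ROOT:-/var/www/MISP}"
WEB_USER="${WEB_USER:-www-data}"

# clear_misp_caches ROOT -> remove the cached model schemas (myapp* files, e.g.
# myapp_cake_model_default_misp_events) so that MISP sees database fields added by the
# update; prints the number of files removed. A missing directory counts as nothing to do.
clear_misp_caches() {
    root="$1"
    removed=0
    for dir in "$root/app/tmp/cache/models" "$root/app/tmp/cache/persistent"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/myapp*; do
            [ -e "$f" ] || continue      # the glob matched nothing
            rm -f "$f"
            removed=$((removed + 1))
        done
    done
    echo "$removed"
}

# update_misp ROOT -> git pull, submodule init/update, then clear the caches.
# Needs git and network access; run it as the web-server user, e.g.
#   sudo -u www-data sh update-misp.sh update
update_misp() {
    root="$1"
    (cd "$root" && git pull && git submodule init && git submodule update)
    echo "removed $(clear_misp_caches "$root") cached schema file(s)"
}

# reset_permissions ROOT USER -> ownership and modes as in the Ubuntu INSTALL guide
# (assumption: verify against the INSTALL.txt of your version; needs root).
reset_permissions() {
    root="$1"
    user="$2"
    chown -R "$user:$user" "$root"
    chmod -R 750 "$root"
    chmod -R g+ws "$root/app/tmp" "$root/app/files" "$root/app/files/scripts/tmp"
}

case "${1:-}" in
    update)      update_misp "$MISP_ROOT" ;;
    clear-cache) echo "removed $(clear_misp_caches "$MISP_ROOT") cached schema file(s)" ;;
    permissions) reset_permissions "$MISP_ROOT" "$WEB_USER" ;;
    *)           : ;;    # no command: only define the functions (so the file can be sourced)
esac
```

Clearing the caches is safe to repeat: the files are rebuilt on the next request. Running git pull as root instead of the web-server user is the usual way to end up with the broken permissions the slide warns about, which is why the script separates the permission reset into its own command to be run deliberately.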