
MISP User Training - Administration of MISP 2.4

MISP Threat Sharing

Team CIRCL

http://www.misp-project.org/

Twitter: @MISPProject

ESDC 20200303

MISP - VM

VM can be downloaded at https://www.circl.lu/misp-training/

Credentials
- MISP admin: [email protected] / admin
- SSH: misp / Password1234

2 network interfaces
- NAT
- Host only adapter

Start the enrichment system by typing:
- cd /home/misp/misp-modules/bin
- python3 misp-modules.py

1 / 21

MISP - Administration

Plan for this part of the training
- User and Organisation administration
- Sharing group creation
- Templates
- Tags and Taxonomy
- Whitelisting and Regexp entries
- Setting up the synchronisation
- Scheduled tasks
- Feeds
- Settings and diagnostics
- Logging
- Troubleshooting and updating

2 / 21

MISP - Creating Users

- Add new user ([email protected])
- NIDS SID, Organisation, disable user
- Fetch the PGP key
- Roles
  - Re-using standard roles
  - Creating a new custom role
- Send out credentials

3 / 21

MISP - Creating Organisations

- Adding a new organisation
- UUID
- Local vs External organisation
- Making an organisation self sustaining with Org Admins
- Creating a sync user

4 / 21

MISP - Sharing groups

- The concept of a sharing group
- Creating a sharing group
- Adding extending rights to an organisation
- Include all organisations of an instance
- Not specifying an instance
- Making a sharing group active
- Reviewing the sharing group

5 / 21

MISP - Templates

- Why templating?
- Create a basic template
- Text fields
- Attribute fields
- Attachment fields
- Automatic tagging

6 / 21

MISP - Tags and Taxonomies

- git submodule init && git submodule update
- Loading taxonomies
- Enabling taxonomies and associated tags
- Tag management
- Exportable tags

7 / 21

MISP - Object Templates

- git submodule init && git submodule update
- Enabling objects (and what about versioning)

8 / 21

MISP - Whitelisting, Regexp entries, Warninglists

- Block from exports - whitelisting
- Block from imports - blacklisting via regexp
- Modify on import - modification via regexp
- Maintaining the warninglists

9 / 21

MISP - Setting up the synchronisation

- Requirements - versions
- Pull/Push
- One way vs Two way synchronisation
- Exchanging sync users
- Certificates
- Filtering
- Connection test tool
- Previewing an instance
- Cherry picking and keeping the list updated

10 / 21

MISP - Scheduled tasks

- How to schedule the next execution
- Frequency, next execution
- What happens if a job fails?

11 / 21

MISP - Setting up the synchronisation

- MISP Feeds and their generation
- PyMISP
- Default free feeds
- Enabling a feed
- Previewing a feed and cherry picking
- Feed filters
- Auto tagging

12 / 21

MISP - Settings and diagnostics

Settings
- Settings interface
- The tabs explained at a glance
- Issues and their severity
- Setting guidance and how to best use it

13 / 21

MISP - Settings and diagnostics continued

- Basic instance setup
- Additional features released as hotfixes
- Customise the look and feel of your MISP
- Default behaviour (encryption, e-mailing, default distributions)
- Maintenance mode
- Disabling the e-mail alerts for an initial sync

14 / 21

MISP - Settings and diagnostics continued

Plugins
- Enrichment Modules
- RPZ
- ZeroMQ

15 / 21

MISP - Settings and diagnostics continued

Diagnostics
- Updating MISP
- Writeable Directories
- PHP settings
- Dependency diagnostics

16 / 21

MISP - Settings and diagnostics continued

Workers
- What do the background workers do?
- Queues
- Restarting workers, adding workers, removing workers
- Worker diagnostics (queue size, jobs page)
- Clearing worker queues
- Worker and background job debugging

17 / 21

MISP - Settings and diagnostics continued

Seeking help
- Dump your settings to a file!
- Make sure to sanitise it
- Send it to us together with your issue to make our lives easier
- Ask Github (https://github.com/MISP/MISP)
- Have a chat with us on gitter (https://gitter.im/MISP/MISP)
- Ask the MISP mailing list
- If this is security related, drop us a PGP encrypted email to mailto:[email protected]

18 / 21

MISP - Logging

- Audit logs in MISP
- Enable IP logging / API logging
- Search the logs, the fields explained
- External logs
  - /var/www/MISP/app/tmp/logs/error.log
  - /var/www/MISP/app/tmp/logs/resque-worker-error.log
  - /var/www/MISP/app/tmp/logs/resque-scheduler-error.log
  - /var/www/MISP/app/tmp/logs/resque-[date].log
  - apache access logs

19 / 21
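A small helper for the "external logs" part of this slide, added here as an example and not part of the training deck or the MISP project: it walks the log files listed above, counts lines matching a pattern in each, and returns the total, so an operator can quickly check whether an error shows up in the application log, the worker log or the scheduler log. It assumes the deck's log directory /var/www/MISP/app/tmp/logs as the default and that the dated resque-[date].log files start with a digit after "resque-"; the sample log lines used in the usage note are constructed.

```shell
#!/bin/sh
# Added example (not from the MISP project): search the external MISP logs
# named on the training slide. LOG_DIR defaults to the deck's path; override
# it with LOG_DIR=/other/path when the instance lives elsewhere (assumption).
LOG_DIR="${LOG_DIR:-/var/www/MISP/app/tmp/logs}"

# misp_log_files DIR: print the slide's log files that actually exist in DIR.
# Assumption: dated worker logs look like resque-2020-03-03.log, so the glob
# resque-[0-9]*.log picks them up without re-matching the two *-error.log files.
misp_log_files() {
    dir="$1"
    for f in "$dir/error.log" \
             "$dir/resque-worker-error.log" \
             "$dir/resque-scheduler-error.log" \
             "$dir"/resque-[0-9]*.log; do
        [ -f "$f" ] && echo "$f"
    done
    return 0
}

# misp_grep_logs DIR PATTERN: count lines matching PATTERN (extended regexp)
# in every file from misp_log_files. Per-file counts go to stderr, the grand
# total to stdout so a caller can capture it with $(...).
misp_grep_logs() {
    dir="$1"; pattern="$2"; total=0
    for f in $(misp_log_files "$dir"); do
        # grep -c prints 0 and exits 1 when nothing matches; keep the 0
        n=$(grep -Ec -- "$pattern" "$f" || true)
        [ "$n" -gt 0 ] && echo "$f: $n match(es)" >&2
        total=$((total + n))
    done
    echo "$total"
}

# Stand-alone use: sh misp_logs.sh 'Fatal Error'   (pattern defaults to Error)
misp_grep_logs "$LOG_DIR" "${1:-Error}"
```

Run it after a failed background job or a blank page in the web UI to see at a glance which of the three log families carries the error; the apache access logs from the slide are distribution-specific and are left out on purpose.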

MISP - Updating MISP

- git pull
- git submodule init && git submodule update
- reset the permissions if it goes wrong according to the INSTALL.txt
- when MISP complains about missing fields, make sure to clear the caches
  - in /var/www/MISP/app/tmp/cache/models remove myapp*
  - in /var/www/MISP/app/tmp/cache/persistent remove myapp*

No additional action required on hotfix level
Read the migration guide for major and minor version changes

20 / 21
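The update steps on this slide scripted end to end, added here as an example that is not part of the training deck or the MISP project. It assumes MISP_DIR=/var/www/MISP (the install path used in the deck's log and cache paths), the Apache user www-data, and a permission reset that follows the chown/chmod pattern of MISP's INSTALL.txt; all three are assumptions to check against the INSTALL.txt of the version you run. The cache clearing is split into its own function with a verifiable result, because the "missing fields" symptom is the one step people forget.

```shell
#!/bin/sh
# Added example (not from the MISP project): the slide's update procedure.
# Assumptions: install path, web server user and the permission commands
# below; verify them against your version's INSTALL.txt before use.
MISP_DIR="${MISP_DIR:-/var/www/MISP}"
WEB_USER="${WEB_USER:-www-data}"

# clear_misp_caches DIR: remove the CakePHP model caches that make MISP
# complain about missing fields after a schema change. Returns 0 only when
# no myapp* file is left in either cache directory.
clear_misp_caches() {
    dir="$1"
    for sub in models persistent; do
        rm -f "$dir/app/tmp/cache/$sub/myapp"*
    done
    left=$(find "$dir/app/tmp/cache/models" "$dir/app/tmp/cache/persistent" \
                -name 'myapp*' 2>/dev/null | grep -c . || true)
    [ "$left" -eq 0 ]
}

# reset_misp_permissions DIR: the "reset the permissions" step (assumed
# commands, modelled on INSTALL.txt; run as root).
reset_misp_permissions() {
    dir="$1"
    chown -R "$WEB_USER:$WEB_USER" "$dir"
    chmod -R 750 "$dir"
    chmod -R g+ws "$dir/app/tmp" "$dir/app/files" "$dir/app/files/scripts/tmp"
}

# update_misp DIR: git pull, refresh submodules (taxonomies, object
# templates, warninglists), then clear the caches. Fails fast on any step.
update_misp() {
    dir="$1"
    git -C "$dir" pull || return 1
    git -C "$dir" submodule init || return 1
    git -C "$dir" submodule update || return 1
    clear_misp_caches "$dir"
}

# Stand-alone use: MISP_DIR=/var/www/MISP sh update_misp.sh run
# Without the 'run' argument nothing is changed (dry run).
if [ "${1:-}" = "run" ]; then
    update_misp "$MISP_DIR" || {
        echo "update failed; if it was a permission error run: reset_misp_permissions $MISP_DIR" >&2
        exit 1
    }
else
    echo "dry run: would update $MISP_DIR (pass 'run' to execute)"
fi
```

The script covers hotfix-level updates only, matching the slide: for minor and major version changes read the migration guide first, and run the permission reset only if the pull or submodule update actually fails on permissions.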

MISP - Administrative tools

- Upgrade scripts for minor / major versions
- Maintenance scripts

21 / 21