MISP User Training - General usage of MISP
MISP - Threat Sharing
Team MISP Project
http://www.misp-project.org/
Twitter: @MISPProject
GSMA Edition
MISP - VM
Credentials
- MISP admin: [email protected] / admin
- SSH: misp / Password1234
Available at the following location (VirtualBox and VMWare):
- https://www.circl.lu/misp-images/latest/
MISP - VM
It is a bit broken.
- sudo -s
- cd /var/www/MISP/
- sudo pear install INSTALL/dependencies/Console_CommandLine/package.xml
- sudo pear install INSTALL/dependencies/Crypt_GPG/package.xml
- cd /usr/local/src/misp-modules
- pip3 install -r REQUIREMENTS
- pip3 install .
- reboot
MISP - General Usage
Plan for this part of the training
- Data model
- Viewing data
- Creating data
- Co-operation
- Distribution
- Exports
MISP - Event (MISP's basic building block)
MISP - Event (Attributes, giving meaning to events)
MISP - Event (Correlations on similar attributes)
MISP - Event (Proposals)
MISP - Event (Tags)
MISP - Event (Discussions)
MISP - Event (Taxonomies and proposal correlations)
MISP - Event (The state of the art MISP data model)
MISP - Viewing the Event Index
Event Index
- Event context
- Tags
- Distribution
- Correlations
Filters
MISP - Viewing an Event
Event View
- Event context
- Attributes
  - Category/type, IDS, Correlations
- Objects
- Galaxies
- Proposals
- Discussions
Tools to find what you are looking for
- Correlation graphs
MISP - Creating and populating events in various ways (demo)
The main tools to populate an event
- Adding attributes / batch add
- Adding objects and how the object templates work
- Freetext import
- Import
- Templates
- Adding attachments / screenshots
- API
MISP - Various features while adding data
What happens automatically when adding data?
- Automatic correlation
- Input modification via validation and filters (regex)
- Tagging / Galaxy Clusters
Various ways to publish data
- Publish with/without e-mail
- Publishing via the API
- Delegation
MISP - Using the data
- Correlation graphs
- Downloading the data in various formats
- Cached exports
- API (explained later)
- Collaborating with users (proposals, discussions, emails)
MISP - Sync explained (if no admin training)
- Sync connections
- Pull/push model
- Previewing instances
- Filtering the sync
- Connection test tool
- Cherry pick mode
MISP - Feeds explained (if no admin training)
- Feed types (MISP, Freetext, CSV)
- Adding/editing feeds
- Previewing feeds
- Local vs Network feeds
MISP - Distributions explained
- Your Organisation Only
- This Community Only
- Connected Communities
- All Communities
- Sharing Group
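The five distribution levels above decide who can see an event and how far a push-sync may carry it. The following helper is an added illustration, not MISP code: the numeric level values and the push rules (levels 0 and 1 never leave the instance, "Connected Communities" is downgraded to "This Community Only" on the remote, "All Communities" travels unchanged, a sharing-group event is pushed only to organisations in the group) follow MISP's documented behaviour as understood by the author of this example; organisation names, the `Event` class and the simplification of a sharing group to a plain set of organisations are assumptions made here.

```python
"""Added illustration of MISP distribution levels and their effect on
local visibility and on push-sync. Not MISP project code."""
from dataclasses import dataclass
from typing import FrozenSet, Optional

# MISP stores the distribution level of an event or attribute as an integer.
YOUR_ORG_ONLY = 0          # visible only to users of the creating organisation
THIS_COMMUNITY_ONLY = 1    # visible to every organisation on this instance
CONNECTED_COMMUNITIES = 2  # this instance plus instances it syncs with directly
ALL_COMMUNITIES = 3        # may propagate to any instance, hop after hop
SHARING_GROUP = 4          # visible only to the organisations in the sharing group

LEVEL_NAMES = {
    YOUR_ORG_ONLY: "Your Organisation Only",
    THIS_COMMUNITY_ONLY: "This Community Only",
    CONNECTED_COMMUNITIES: "Connected Communities",
    ALL_COMMUNITIES: "All Communities",
    SHARING_GROUP: "Sharing Group",
}


@dataclass(frozen=True)
class Event:
    """Minimal stand-in for a MISP event (assumed shape, not MISP's model)."""
    info: str
    creator_org: str
    distribution: int
    # Simplification: a sharing group is treated as a plain set of org names.
    sharing_group_orgs: FrozenSet[str] = frozenset()


def is_visible_locally(event: Event, viewer_org: str) -> bool:
    """Can a user of viewer_org, logged in on the creating instance, see the event?"""
    if event.distribution == YOUR_ORG_ONLY:
        return viewer_org == event.creator_org
    if event.distribution == SHARING_GROUP:
        return viewer_org == event.creator_org or viewer_org in event.sharing_group_orgs
    # Levels 1, 2 and 3 are all visible to every organisation on this instance.
    return True


def push_distribution(event: Event, remote_org: str) -> Optional[int]:
    """Distribution the event carries on a remote instance after a push,
    or None when it must not be pushed at all."""
    d = event.distribution
    if d in (YOUR_ORG_ONLY, THIS_COMMUNITY_ONLY):
        return None                       # never leaves this instance
    if d == CONNECTED_COMMUNITIES:
        return THIS_COMMUNITY_ONLY        # downgraded by one hop
    if d == ALL_COMMUNITIES:
        return ALL_COMMUNITIES            # unchanged, keeps propagating
    if d == SHARING_GROUP:
        return SHARING_GROUP if remote_org in event.sharing_group_orgs else None
    raise ValueError(f"unknown distribution level {d}")


def push_report(event: Event, remote_org: str) -> str:
    """Human-readable summary, handy when reviewing what a sync would disclose."""
    target = push_distribution(event, remote_org)
    if target is None:
        return f"{event.info!r}: not pushed to {remote_org}"
    return f"{event.info!r}: pushed to {remote_org} as {LEVEL_NAMES[target]}"


if __name__ == "__main__":
    # Constructed sample events (org names are placeholders).
    samples = [
        Event("internal case", "orgA", YOUR_ORG_ONLY),
        Event("shared with partners", "orgA", CONNECTED_COMMUNITIES),
        Event("public campaign", "orgA", ALL_COMMUNITIES),
        Event("closed group", "orgA", SHARING_GROUP, frozenset({"orgB"})),
    ]
    for ev in samples:
        print(push_report(ev, "orgB"))
```

Reviewing `push_report` output for each event before enabling a push connection is a cheap way to confirm that "Your Organisation Only" data cannot leak through sync and that "Connected Communities" data stops after one hop.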
MISP - Distribution and Topology
MISP - Exports and API
- Download an event
- Quick glance at the APIs
- Download search results
- Cached exports
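As an added example for the "quick glance at the APIs" item (not code from the MISP project or from this training), the block below prepares a search against MISP's `POST /events/restSearch` endpoint, which authenticates with the user's auth key in the `Authorization` header and returns JSON when `Accept: application/json` is sent, and then flattens the returned event structure into indicator tuples. Nothing is sent over the network: the base URL, the key and the response payload are constructed placeholders, and the response shape (`{"response": [{"Event": {..., "Attribute": [...]}}]}`) is the one MISP's JSON export uses.

```python
"""Added example (not MISP project code): build a MISP restSearch request
and extract IDS-ready attributes from a (constructed) JSON response."""
import json
import urllib.request


def build_restsearch_request(base_url: str, api_key: str, filters: dict) -> urllib.request.Request:
    """Prepare, without sending, a POST to /events/restSearch.

    filters holds MISP search parameters such as type, value, tags or last;
    returnFormat defaults to json so the reply can be parsed below.
    """
    body = dict(filters)
    body.setdefault("returnFormat", "json")
    return urllib.request.Request(
        url=base_url.rstrip("/") + "/events/restSearch",
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={
            "Authorization": api_key,          # MISP auth key of the calling user
            "Accept": "application/json",
            "Content-Type": "application/json",
        },
    )


def extract_attributes(payload: dict, to_ids_only: bool = True) -> list:
    """Flatten a restSearch reply into (event_id, type, value) tuples.

    With to_ids_only=True only attributes flagged for IDS export are kept,
    which is what a detection pipeline normally wants; comments and other
    context attributes are dropped.
    """
    out = []
    for wrapper in payload.get("response", []):
        event = wrapper["Event"]
        for attr in event.get("Attribute", []):
            if to_ids_only and not attr.get("to_ids"):
                continue
            out.append((event["id"], attr["type"], attr["value"]))
    return out


# Constructed sample reply; values are documentation-range placeholders.
SAMPLE_RESPONSE = {
    "response": [
        {
            "Event": {
                "id": "42",
                "info": "constructed example event",
                "distribution": "1",
                "Attribute": [
                    {"type": "ip-dst", "value": "203.0.113.7", "to_ids": True},
                    {"type": "domain", "value": "example.invalid", "to_ids": True},
                    {"type": "comment", "value": "analyst note", "to_ids": False},
                ],
            }
        }
    ]
}


if __name__ == "__main__":
    req = build_restsearch_request(
        "https://misp.example.test", "PLACEHOLDER_API_KEY",
        {"type": "ip-dst", "last": "7d"},
    )
    print(req.get_method(), req.full_url)
    print(req.data.decode())
    # Parsing the constructed reply stands in for urllib.request.urlopen(req).
    for event_id, attr_type, value in extract_attributes(SAMPLE_RESPONSE):
        print(event_id, attr_type, value)
```

The same request shape works for `/attributes/restSearch` when attribute-level results are wanted directly; keep the auth key out of source control and scope it to a dedicated API user, since whoever holds it sees everything that user can see.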
MISP - Shorthand admin (if no admin training)
- Settings
- Troubleshooting
- Workers
- Logs