A collection of tips for using MISP. Published via BelgoMISP (todo) and this repository. Available in MD and JSON.
Do you want to contribute? Suggest a tip via a Github issue or do a PR to the JSON file.
20240402 Administration server sync remoteserver
Confused about the statuses returned by MISP remote servers? This small mindmap clarifies them. You can also display the status as a widget in the MISP dashboard.
20240213 Administration sso azure usermanagement
MISP supports SSO with Entra-ID (Azure AD) https://github.com/MISP/MISP/tree/2.4/app/Plugin/AadAuth . Don't forget to use 'Delegated permissions' (instead of Application permissions) when assigning the API permissions of the Azure App.
20231215 Administration synced servers sharing tags distribution
When you set a 'Remote MISP server' as an internal instance it allows you to transfer local tags (next to global tags) when synchronising events. Make sure 'MISP.host_org_id' is set and check 'Internal instance'. An ideal option for organisations running multiple MISPs.
20231030 Threatintel synced servers correlation pivoting enrichment feeds overlap distribution
The remote (sync) server cache feature allows you to build a cache of events of remote MISP servers, without actually importing them. This works similar as MISP feeds, including pick&choose events to import.
20230707 Administration sharing sharingroups distribution
Sharing group blueprints allow (1) you to create or update sharing groups based on a set of criteria (in JSON) without having to manually add organisations. Update sharing groups with one click of a button (2)!
20230615 Administration security users audit mfa
Starting from 2.4.172 MISP has support for multi-factor authentication. Install the Composer libraries and then enable it under your profile settings. Enforce it system-wide with 'MISP.totp_required'.
https://www.misp-project.org/2023/06/13/MISP.2.4.172.released.html/
20230608 Administration dashboard users audit
The MISP dashboard (since v2.4.171) has new widgets allowing you to monitor the use of API keys, user logins and user creation.
20230331 Threatintel objects context relations
MISP objects are a powerful way to add contextually linked attributes to threat events. And it's available via PyMISP. Use this notebook as a starter or learn how to add your own custom objects.
https://github.com/cudeso/misp-tip-of-the-week/blob/main/originals/MISP_objects_relations.ipynb https://www.misp-project.org/2021/03/17/MISP-Objects-101.html/
20230324 Administration sharing distribution
You can limit the access to unpublished events on your server to only users part of the event creator organisation with the setting 'MISP.unpublishedprivate'. A great way to make the event only available once you consider it ready for publication.
20230317 Misc attribute datamodel validation
MISP comes with an extensive set of built-in attributes. Consult generateTypeDefinitions in 'app/Model/Attribute.php' for implementation details and 'app/Lib/Tools/AttributeValidationTool.php' for the attribute validations.
20230310 Administration authentication sso openid oauth
MISP supports Single Sign-On (SSO) with different authentication providers, such as AzureAD (via oAuth2) and OpenIDConnect (fe. for OneLogin). Simply enable the provider in 'Security/auth' and configure the provider settings.
https://github.com/MISP/MISP/tree/2.4/app/Plugin/OidcAuth https://github.com/MISP/MISP/tree/2.4/app/Plugin/AadAuth
20230303 Administration dataproviders synchronisation feeds connectivity monitoring
It's a good idea to monitor connectivity to your TI data providers. Use the dashboard to monitor sync-servers or use PyMISP (fe. with alerting) to monitor both sync-servers and external feeds.
20230224 Administration support configuration status
You can get a JSON report with all the MISP diagnostic information by simply adding '.json' to the MISP diagnostics page. This report is useful to include if you require support or assistance with your MISP.
20230217 Administration malware sample attachment encryption
MISP stores attachments in /var/www/MISP/app/files/<event_id>/<attachment_id>. Change this with MISP.attachments_dir. Malware samples are in an encrypted ZIP, other attachments are stored 'as is'. Be aware of this when monitoring your MISP server with an EDR.
20230210 Administration logging auditing syslog
MISP can log all event, user and synchronisation actions to Syslog. Set 'MISP.log_new_audit' and 'Security.syslog' to True. Then send the (misp-)syslog file to your central log collector.
20230203 Misc enrichment modules extension
The MISP modules are more powerful than you think. If you set the format of a module to 'misp_standard' you cannot only return attributes, but also MISP objects as part of your CTI enrichment operations.
20230127 Administration organisations owner creator
There is a difference between the MISP 'Creator' and 'Owner' organisation. The former created the threat event and is allowed to modify it, the latter owns the event on the instance where it is received. They can be different.
20230120 Threatintel search query
You can use the PyMISP function 'build_complex_query' to build complex MISP search queries ('or', 'and', 'not') for threat indicators (values) or context (tags). Use the example in the Jupyter notebook to get started.
https://pymisp.readthedocs.io/en/latest/modules.html#pymisp.PyMISP.build_complex_query https://github.com/cudeso/misp-tip-of-the-week/blob/main/originals/Complex%20search%20query.ipynb
20230113 Threatintel reporting sharing dissemination
You can use the pdfexport module to create a PDF report from a MISP event, including a summary and an overview of attributes and objects. Ideal to share with users that do not have immediate access to your MISP instance.
https://github.com/MISP/PyMISP/tree/main/docs/PDF-export
20230106 Misc security vulnerability cve
You can report security vulnerabilities for MISP or related MISP project repositories to CIRCL. You can encrypt your report with the public GPG key 'CA57 2205 C002 4E06 BA70 BE89 EAAD CFFC 22BD 4CD5'.
https://www.misp-project.org/security/
20221230 Misc extension enrichment misp-modules openai
MISP modules provide an easy way to extend your threat intelligence platform. Use inspiration from the example on integrating our new overlords from @openai ('ChatGPT') with MISP.
https://github.com/cudeso/misp-tip-of-the-week/blob/main/originals/misp-module-openai.py
20221223 Threatintel correlation cidr pivoting
Although the advanced correlation features can be performance heavy, they provide you excellent leads for pivoting via CIDR (IPs part of a network) or fuzzy hashing (ssdeep).
https://securityintelligence.com/how-pivoting-can-help-your-incident-response-process/
20221216 Threatintel galaxies clusters contextualisation
Sharing clusters has become much easier. Create a custom galaxy cluster (Galaxies>List galaxies, select galaxy, add cluster), add relationships and enable push/pull galaxies in the server synchronisation setting.
20221209 Misc warninglists export automation
You can export MISP warninglists (including your own custom lists) by replacing 'view' with 'export in the URL. Or use the example Jupyter Notebook to access or export the lists with PyMISP.
20221202 Administration database sql monitoring audit
The MISP audit log (MISP.log_new_audit) provides a detailed history of event and attribute changes. But it can also exponentially grow in size. Deleting older events only impacts the event history and not any MISP functionality.
20221125 Administration usability ux customisation
When you provision users you can set their start page and customise the columns displayed on the event index via 'set_user_setting' with PyMISP (or manually under 'Administration>Set User Setting').
20221118 Administration security hardening audit
Encrypt authentication keys that you use to synchronise with remote MISP servers. Set the key (min. length 32) from the command line with cake. Remember that the key is displayed and -likely- also in the bash history.
20221111 Administration sharing synchronisation
Server synchronisation rules go beyond tag or organisation filtering. You can use filters to get only those events from the last 30 days ('timestamp') or unleash the real/dangerous power and filter on attribute/object type.
20221104 Threatintel indicators delete
A 'soft' delete propagates to other MISPs. A 'hard' delete removes the attribute on your instance, preventing propagation. Recover deleted attributes under the 'delete' tab or use the 'get-deleted-attributes' notebook.
20221028 Administration sql database
Manually fixing the database schema is time consuming. Paste the HTML source from the 'Diagnostics' page in CyberChef and use this recipe to extract all the SQL queries.
20221021 Threatintel collection
Picked up during #CTIS2022: Use mail_to_misp to connect your mail infrastructure to MISP and create threat events from information that is contained in mails.
https://github.com/MISP/mail_to_misp
20221014 Administration security hardening audit
The MISP diagnostics page contains useful security audit recommendations. Visit Administration > Diagnostics and scroll down to 'Security Audit' to check which settings require a review.
20221007 Threatintel indicators attributes search
You can search for multiple (substring) MISP attributes at the same time with a '%VALUE%' string per newline. Further refine your search with for example tags and the first seen or last seen of the attributes/values.
20220930 Threatintel enrichment modules
The MISP modules can also be used outside MISP. Query the module server for its enabled modules or immediately start using a MISP module with one simple request.
https://github.com/cudeso/misp-tip-of-the-week/blob/main/originals/misp_modules.ipynb
20220923 Threatintel contextualisation taxonomy
Use a private taxonomy to describe internal sources, (risk) classifications or workflows. Taxonomies are simple JSON files in 'app/files/taxonomies//machinetag.json'. Then 'Update taxonomies' and enable the required tags.
https://www.circl.lu/doc/misp/taxonomy/#adding-a-private-taxonomy
20220916 Administration security privacy
Enhance the security of your MISP platform by enabling Content Security Policy (CSP) support and then further configure the policy via the Security.csp setting.
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
20220909 Administration workers monitoring
Monitor the status of background workers via 'app/Console/cake Admin getWorkers' or an API request to 'servers/getWorkers'. Use Cacti (https://www.misp-project.org/2020/08/22/MISP-Monitoring-with-Cacti.html/) to track the number of jobs in the worker queues.
https://www.misp-project.org/2020/08/22/MISP-Monitoring-with-Cacti.html/
20220902 Administration notification template
You can change the event notification e-mail template by dropping a custom 'alert.ctp' in 'app/View/Emails/text/Custom'. Use the default template as inspiration.
20220826 Threatintel pivoting context
The 'Event Graph' helps analysts in understanding details of an event by visually representing attributes in a grouped tree. Make sure to apply filters for events with a lot of attributes.
20220819 Threatintel correlations context
Use correlation exclusions (Administration > Top correlations) to avoid unnecessary or irrelevant threat data correlations. Have a look at the Jupyter notebook for an example API usage.
20220812 Administration authentication usermanagement password
You can set the minimum password length 'Security.password_policy_length' (default 12) and complexity 'Security.password_policy_complexity' (https://regexr.com/6oren) via Server Settings & Maintenance>Security Settings.
20220805 Administration samples malware php
If you store (large) malware samples in MISP and run into '500: Internal Server Error' then it's time to increase the file upload limits in PHP. Change upload_max_filesize and post_max_size and restart Apache.
20220729 Misc web usage customisation
Bored with the looks and feel of the MISP interface? You can customise it easily with a bootstrap theme from https://bootswatch.com/2/ (or build your own). Copy the CSS to 'app/webroot/css/' and set MISP.custom_css. Share your art-work!
20220722 Administration workers backgroundjobs
If you have not already done so, now is a good time to migrate the MISP background jobs backend to supervisord (CakeResque is no longer maintained). Use the migration guide and some of the tips to get started.
https://github.com/cudeso/misp-tip-of-the-week/blob/main/originals/MISP-background-jobs-tips.md https://github.com/MISP/MISP/blob/2.4/docs/background-jobs-migration-guide.md
20220715 Threatintel quality indicators attributes
Quality is more important than quantity in threat intelligence. MISP warns you if you add redundant or similar information to threat events. This works for both objects and attributes.
20220708 Administration optimisation usermanagement
It's a good idea to assign additional MISP system resources to scripts that collect large sets of data (or for users that do a lot of data crunching). Create a dedicated user role and set the memory limit and execution time.
20220701 Administration stix taxii conversion
You can use the STIX 2 MISP conversion script (app/files/scripts/stix2misp.py or https://github.com/MISP/MISP/blob/2.4/app/files/scripts/stix2misp.py) outside the MISP web UI to manually convert STIX files to (MISP) JSON format. Output files are written in the tmp directory.
20220624 Threatintel contextualisation taxonomy tags
Instead of global tags use local tags from a private taxonomy to contextualise events with the specifics of your company environment. These local tags are stripped from events when shared (synced) with external communities.
20220617 Administration backups bcp
Backups are important! Use the built-in MISP backup script (tools/misp-backup/misp-backup.sh) to create backups (or snapshots). Backups include data and config and can be restored over an existing MISP install.
20220610 Threatintel automation pymisp procedures
Document your CTI operational procedures with Jupyter notebooks and PyMISP. Use the examples at https://github.com/cudeso/misp-tip-of-the-week/tree/main/originals and https://github.com/MISP/PyMISP/tree/main/docs/tutorial to get started.
20220603 Administration usermanagement organisations
You can combine ('merge') an organisation with another and basically transfer all the users and data from one organisation to another. First edit the organisation, and then choose Merge in the left menu.
20220527 Administration logging auditing
The API /admin/logs supports different models that can be used for audit reports. Track the latest changes on events, attributes, authentication actions and password resets and alert on unusual behaviour. Supported models include Attribute, Event, Role, Server, Taxonomy, User and many more.
20220520 Administration sharing distribution usermanagement
Use sharing groups to setup re-usable distribution lists for sharing threat events with different communities ('multi-tenancy'-ish). Watch a video https://vimeo.com/710012285 on basic usage of sharing groups.
20220512 Administration correlation database performance
Regularly remove orphaned attributes or correlations via the diagnostics page or remove orphaned correlations via the CLI 'cake admin removeOrphanedCorrelations'. And don't forget to run 'optimize table correlations' in the mysql console.
https://www.vanimpe.eu/2021/03/25/staying-in-control-of-misp-correlations/
20220505 Threatintel feeds
You can use MISP feeds without having to import the events in your instance. Use them as 'lookup' to check if there is OSINT on an indicator. BONUS: create a custom feed from your ticketing system and lookup incident data/occurrences.
20220429 Threatintel scraping reports
Did you know you can use MISP as a simple web scraper? Automatically convert HTML from a remote website into Markdown and extract useful threat tactics, techniques and indicators. Enable module 'html_to_markdown' and create MISP reports from a URL. Or do it via the API (see pseudo-code).
20220422 Threatintel taxonomy tlp classification
Make it mandatory for MISP event publishers to add a TLP designation to their events. Set the 'Required' checkbox under the TLP taxonomy in taxonomies/index.
20220415 Threatintel opsec
Use the MISP Event Delegation feature to have events published by another organisations. This way you can guarantee the anonymity of the threat event author. First put the distribution of the event as "your organisation only" and then choose Delegate Publishing.
20220408 Administration usermanagement
You got an API key but forgot the associated user account? Access 'users/view/me.json' with the API key to get your user details. curl -k -H "Authorization: API_KEY" https://misp/users/view/me.json
20220401 Misc web usage
You can change the list of columns in the event overview for cleaner output. For example, remove the 'clusters' and 'creator user' to get additional space to display the event details that are important to you. The changes are automatically stored in your user profile under "event_index_hide_columns".
20220302 Administration workers jobs
You can get the number of pending jobs in the MISP workers via {misp_url}/servers/getWorkers .
https://www.misp-project.org/2020/08/22/MISP-Monitoring-with-Cacti.html/
20220302 Administration usermanagement
Reset the password of a user via the CLI /var/www/MISP/app/Console/cake Password user@domain.cti Password1234
20220302 Administration correlations performance
Correlations aren't cached, this means that they are requested (counted) every time when accessing the event index page. You can get a huge performance increase on the event index page by disabling MISP.showCorrelationsOnIndex.
https://www.vanimpe.eu/2021/03/25/staying-in-control-of-misp-correlations/
{
"timestamp": "20220302",
"category": "Administration",
"tags": ["correlations", "performance"],
"refs": [ "https://www.misp-project.org/" ],
"screenshots": [ "https://raw.githubusercontent.com/MISP/misp-website/new/assets/assets/images/misp-small.png"],
"value": "tip"
}
Each tip as an entry. Most recent entry is the first in the list.
- Timestamp: date in YYYYMMDD
- Category: Administration, Threatintel, Misc
- Tags: list of tags
- Refs: list of external references
- Screenshots: list of screenshots (put the files on Github)
- Entry: text