CrowdStrike / MISP-tools

Import CrowdStrike Threat Intelligence into your instance of MISP
MIT License

New Category - Malware Families(?) #118

Closed packet-rat closed 8 months ago

packet-rat commented 1 year ago

We appear to have a new category: Malware Families.

We should make Malware Families a 1st Class Citizen with its own "Tag" and ingestion/deletion command line parameters

i.e. add it to "Actors", "Reports", and "Indicators" as a top level category.

jshcodes commented 1 year ago

Malware Family events are an event type that represents specific groups of indicators, so not exactly a peer to the top level categories but discrete enough that standalone import and delete functionality does seem to make sense.

Import would still have to be time based, as you only create new Malware Family events if the event doesn't already exist when the import sees an indicator for that family. Delete would be able to remove them en masse (exactly the way they are removed now).

Marking this as a potential enhancement.

packet-rat commented 1 year ago

Thanks. Can we at least get the ability to specify our Tag on the ini file like we do for the other categories?


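As an added illustration of the behaviour jshcodes describes above (a Malware Family event is created only if it does not already exist when a time-based import sees an indicator for that family; deletion removes the family events en masse) together with the per-category ini tag packet-rat asks for, here is a small Python model. This is not code from CrowdStrike/MISP-tools or from either commenter: the `[MISP]` ini section and its `*_tag` keys, the `FakeMisp` in-memory stand-in for a MISP instance, the indicator record shape and the sample indicators are all constructed assumptions so that it runs offline.

```python
"""Idempotent Malware Family event import plus mass delete (added example).

Not MISP-tools code. Models the thread's description against an in-memory
stand-in for MISP. Ini keys, indicator shape and sample data are assumptions.
"""
import configparser
from datetime import datetime, timezone

# Constructed ini fragment: one tag per category, plus a hypothetical
# malware_family_tag key of the kind requested in the thread.
SAMPLE_INI = """
[MISP]
actors_tag = crowdstrike:actor
reports_tag = crowdstrike:report
indicators_tag = crowdstrike:indicator
malware_family_tag = crowdstrike:malware-family
"""

# Constructed sample indicators (not real CrowdStrike data).
SAMPLE_INDICATORS = [
    {"value": "198.51.100.10", "type": "ip-dst", "family": "FamilyA",
     "last_updated": "2023-04-19T12:00:00Z"},
    {"value": "evil.example", "type": "domain", "family": "FamilyA",
     "last_updated": "2023-04-20T08:00:00Z"},
    {"value": "bad.example", "type": "domain", "family": "FamilyB",
     "last_updated": "2023-04-20T09:00:00Z"},
    {"value": "old.example", "type": "domain", "family": "FamilyC",
     "last_updated": "2023-03-01T00:00:00Z"},  # outside the import window
]

# Import window start used by the demo (assumption).
DEFAULT_SINCE = datetime(2023, 4, 1, tzinfo=timezone.utc)


def load_family_tag(ini_text: str) -> str:
    """Read the (hypothetical) malware_family_tag from the ini text."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    return cfg["MISP"]["malware_family_tag"]


class FakeMisp:
    """Minimal in-memory stand-in for a MISP instance, keyed by event info."""

    def __init__(self):
        self.events = {}  # info -> {"tags": set[str], "attributes": set[tuple]}

    def find_event(self, info):
        return self.events.get(info)

    def create_event(self, info, tag):
        self.events[info] = {"tags": {tag}, "attributes": set()}
        return self.events[info]

    def delete_events_with_tag(self, tag):
        """Mass delete: drop every event carrying the tag, return the count."""
        doomed = [info for info, ev in self.events.items() if tag in ev["tags"]]
        for info in doomed:
            del self.events[info]
        return len(doomed)


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def import_malware_families(misp, indicators, tag, since):
    """Time-based import: for each indicator updated at or after `since`,
    create the family event only if absent, then attach the indicator.
    Returns the number of family events created on this run."""
    created = 0
    for ind in indicators:
        if parse_ts(ind["last_updated"]) < since:
            continue  # older than the window, not part of this import
        info = f"Malware Family: {ind['family']}"
        event = misp.find_event(info)
        if event is None:
            event = misp.create_event(info, tag)
            created += 1
        event["attributes"].add((ind["type"], ind["value"]))
    return created


def run_demo():
    """Import twice (second run must create nothing), then mass delete."""
    tag = load_family_tag(SAMPLE_INI)
    misp = FakeMisp()
    first = import_malware_families(misp, SAMPLE_INDICATORS, tag, DEFAULT_SINCE)
    second = import_malware_families(misp, SAMPLE_INDICATORS, tag, DEFAULT_SINCE)
    family_a = len(misp.find_event("Malware Family: FamilyA")["attributes"])
    deleted = misp.delete_events_with_tag(tag)
    return {"tag": tag, "created_first": first, "created_second": second,
            "family_a_attrs": family_a, "deleted": deleted,
            "remaining": len(misp.events)}


if __name__ == "__main__":
    print(run_demo())
```

The second import run creates no new events because the family event already exists, which is the idempotence jshcodes refers to; only the time window decides which indicators are considered at all.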

jshcodes commented 1 year ago

Fixes for #116 have already been added to the ver_0.6.9 branch. These will merge to main at the end of this sprint.

jshcodes commented 1 year ago

Merged the 0.6.9 changes (which includes the fix for #116) today. There will be at least one more release as part of this sprint. 😄