Set tags within Source as well as Operator [MISP]

[RatherBland]

The current system of setting hardcoded tags is insufficient when ingesting from variable sources such as Twitter or RSS feeds.

I propose setting tags within the source as well as the operator. This allows for both default tags assigned to all ingested events, as well as tags set specifically for the source.

A great example of this providing value is using a Twitter source to search for emotet and another searching for njrat. Separately tagging these events would significantly improve the intelligence value for operators instead of just generic OSINT or MALWARE tags.

I will investigate the viability of this, but any suggestions would be appreciated.

Thanks.

[RatherBland]

Taking this a step further might include dynamically assigning tags based on keyword matching. Using a different example, if you had a more generic Twitter list that included threat intel on a wide variety of malware strains, you could assign tags from a set of whitelisted strings i.e. ['emotet', 'phishing', 'fancy bear'] etc.

Matching a string within the Tweet body from this list could be used to assign tags.