MISP / MISP

MISP (core software) - Open Source Threat Intelligence and Sharing Platform
https://www.misp-project.org/
GNU Affero General Public License v3.0

Default tag collection for attributes #5520

Open cudeso opened 4 years ago

cudeso commented 4 years ago

**Describe the solution you'd like**

It's already possible to have a default tag collection for newly created events but it would be great if this is also available for newly added attributes.

The default tag collection should be configurable per attribute type, for example 'filename: cat1,cat2' ; 'md5:cat3,cat4'.

mokaddem commented 4 years ago

The idea would be to have a page where you could describe a set of rules that should automatically be applied on data ingestion. For example, a rule per attribute type could look like that:

| Attribute type | Tag collection to be attached | Users on which this rule applies | Request type |
| --- | --- | --- | --- |
| ip-src | c2-tag-collection | myself | API |
| url | phishing-tag-collection | my organisation | UI & API |

It should also be clearly stated that using these rules is intended for attributes added via the API, to avoid users misconfiguring them and ending up over-tagging with wrong tags. Does it make sense to you? Do you see something else to add?

Edit: Adapted example to reflect the discussion in the thread

cudeso commented 4 years ago

Yes! It's good to state that it should preferably be done via the API, but I would keep the functionality similar to the one that exists now for the creation of events: the default tag collection there is applied when creating a new event via the UI.

The risk of users over-tagging is partly covered by the fact that you first have to go through the process of creating a tag collection, and to think through what they want to achieve.

The "local tags" would be somewhat different from the situation for the events (or maybe I missed something in the config). In the tag collection part you cannot define local/global. If done via the UI, the tags that are part of the default tag collection for events are added as "global". Local/global in the default would be a good addition, also for events.
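The rule table proposed above and the local/global point raised in this comment, as an added example that is not MISP code: a small Python model of how per-attribute-type rules could be evaluated when an attribute is ingested. The rule fields, the scope strings, the request-type check and the sample users and tag names are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Actor:
    user_id: int
    org_id: int


@dataclass(frozen=True)
class TagRule:
    attribute_type: str       # MISP attribute type this rule matches, e.g. "ip-src"
    collection: str           # name of the tag collection to attach
    tags: tuple               # tag names inside that collection (constructed)
    owner: Actor              # user who defined the rule
    scope: str                # "myself" or "my organisation"
    request_types: frozenset  # subset of {"UI", "API"} the rule fires on
    local: bool = False       # attach as local (True) or global (False) tags

    def applies(self, attribute_type, actor, request_type):
        # Request-type gating is what keeps an API-only rule from firing on UI additions
        if self.attribute_type != attribute_type or request_type not in self.request_types:
            return False
        if self.scope == "myself":
            return actor.user_id == self.owner.user_id
        if self.scope == "my organisation":
            return actor.org_id == self.owner.org_id
        raise ValueError(f"unknown scope {self.scope!r}")


def default_tags(rules, attribute_type, actor, request_type):
    """Return [(tag_name, local)] for a new attribute; the first matching rule wins per tag."""
    chosen = {}
    for rule in rules:
        if rule.applies(attribute_type, actor, request_type):
            for tag in rule.tags:
                chosen.setdefault(tag, rule.local)
    return list(chosen.items())


ALICE = Actor(user_id=1, org_id=10)  # constructed sample users: Bob shares
BOB = Actor(user_id=2, org_id=10)    # Alice's organisation, Carol does not
CAROL = Actor(user_id=3, org_id=20)

RULES = [  # constructed rules mirroring the table in the thread
    TagRule("ip-src", "c2-tag-collection", ("c2-server", "infrastructure"),
            ALICE, "myself", frozenset({"API"})),
    TagRule("url", "phishing-tag-collection", ("phishing",),
            ALICE, "my organisation", frozenset({"UI", "API"}), local=True),
]
```

With these rules, an `ip-src` added by Alice over the API receives the two global tags, the same attribute added via the UI receives none, and a `url` added by anyone in Alice's organisation receives `phishing` as a local tag.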

mokaddem commented 4 years ago

Indeed, it makes a lot of sense. I updated the example.

cudeso commented 4 years ago

Looks good!

cudeso commented 3 years ago

@mokaddem was there already work done for this issue?

mokaddem commented 3 years ago

Unfortunately, no development has been done on it as far as I know. Only predicate exclusivity and requirements before publishing have been implemented.