MISP / misp-objects

Definition, description and relationship types of MISP objects
https://www.misp-project.org/objects.html

Add Source as Role for Organisation and Person #338

Closed JoePJisc closed 2 years ago

JoePJisc commented 2 years ago

I'm trying to find a consistent, API-friendly way to record who data came from when my organisation transposes intel into a MISP event. Including it as part of the title isn't very API-friendly, and sometimes the identity of the source may have a different distribution level to the rest of the event. This could be done with a source tag predicate; however, this would require updating and distributing the taxonomy file for every new source, slowing down adding intel from new sources.

The specific source material can be recorded in things like publication, news-media, blog-post, etc. but I'm talking about a single consistent place to look for the Organisation (or Person) who created the source material - regardless of format.

The best solution I can think of is adding an item to the Role drop-down for Organisation (and Person?) for something like: Source, Originator, Informant, or similar.

If there is an existing method for doing this that I'm missing, then please do let me know.

Thanks, Joe

Example

  1. An analyst finds a CISA Advisory.
  2. The analyst translates it into a MISP event.
  3. Our tooling picks up the MISP event and adds the IOCs.
  4. Our tooling hits an IOC and reports to our SIEM.
  5. Our SIEM correlates the hit back to the MISP event - including showing CISA as the source.

In MISP this event would have this object:

| Date | Category | Type | Value | Distribution | Sightings |
|------|----------|------|-------|--------------|-----------|
| 2021-12-14 | Object name: organization | References: 0 | | Inherit | |
| 2021-12-14 | Other | name:text | Cybersecurity and Infrastructure Security Agency | Inherit | (0/0/0) |
| 2021-12-14 | Other | role:text | Source | Inherit | (0/0/0) |
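The object above, and step 5 of the example (the SIEM resolving the source organisation from the event), as an added illustration that is not code from the MISP project or from this issue. It builds a simplified MISP `organization` object in the Event > Object > Attribute shape of MISP's event JSON (template UUIDs, timestamps and ids are omitted), gives the `name` attribute its own distribution level so the source identity can be shared more narrowly than the rest of the event, and resolves the "Inherit" chain the way MISP displays it. The organisation names, event info and the `Vendor` role are constructed sample values; the distribution integers are MISP's standard levels.

```python
import json

# MISP's standard distribution levels (MISP's own enumeration).
DISTRIBUTION_ORG_ONLY = 0        # "Your organisation only"
DISTRIBUTION_THIS_COMMUNITY = 1  # "This community only"
DISTRIBUTION_CONNECTED = 2       # "Connected communities"
DISTRIBUTION_ALL = 3             # "All communities"
DISTRIBUTION_INHERIT = 5         # "Inherit event" / "Inherit object"


def build_organization_object(name, role, name_distribution=DISTRIBUTION_INHERIT):
    """Return a simplified MISP 'organization' object (template UUID omitted).

    `role` is the attribute this issue asks to extend with a 'Source' value.
    `name_distribution` lets the identity of the source be shared on a
    different level than the rest of the event, as the issue describes.
    """
    return {
        "name": "organization",
        "meta-category": "misc",
        "distribution": DISTRIBUTION_INHERIT,
        "Attribute": [
            {"object_relation": "name", "type": "text", "category": "Other",
             "value": name, "distribution": name_distribution},
            {"object_relation": "role", "type": "text", "category": "Other",
             "value": role, "distribution": DISTRIBUTION_INHERIT},
        ],
    }


def build_event(info, objects, distribution=DISTRIBUTION_THIS_COMMUNITY):
    """Wrap objects in a minimal event envelope (constructed, not a full MISP event)."""
    return {"Event": {"info": info, "distribution": distribution,
                      "Object": list(objects)}}


def effective_distribution(event, obj, attribute):
    """Resolve 'Inherit' (5): attribute -> object -> event."""
    for level in (attribute.get("distribution"), obj.get("distribution")):
        if level is not None and level != DISTRIBUTION_INHERIT:
            return level
    return event["Event"]["distribution"]


def find_source_organisations(event):
    """Step 5 of the example: a SIEM correlating a hit back to the event can
    look in one consistent place, every organization object whose role is
    'Source', instead of parsing the event title."""
    sources = []
    for obj in event.get("Event", {}).get("Object", []):
        if obj.get("name") != "organization":
            continue
        relations = {a.get("object_relation"): a.get("value")
                     for a in obj.get("Attribute", [])}
        if str(relations.get("role", "")).strip().lower() == "source" and relations.get("name"):
            sources.append(relations["name"])
    return sources


if __name__ == "__main__":
    # Constructed sample: a transposed CISA advisory with the source identity
    # restricted to our own organisation while the rest of the event is shared.
    cisa = build_organization_object("Cybersecurity and Infrastructure Security Agency",
                                     "Source", name_distribution=DISTRIBUTION_ORG_ONLY)
    vendor = build_organization_object("Example Vendor Ltd", "Vendor")
    event = build_event("Transposed CISA advisory (sample)", [cisa, vendor])
    print(json.dumps(event, indent=2))
    print("sources:", find_source_organisations(event))
    for attr in cisa["Attribute"]:
        print(attr["object_relation"], "->", effective_distribution(event, cisa, attr))
```

Running the block prints the event JSON, `sources: ['Cybersecurity and Infrastructure Security Agency']`, and shows the `name` attribute resolving to level 0 while the `role` attribute inherits the event's level 1.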


adulau commented 2 years ago

Thanks a lot for the proposal, it was indeed missing.

It's now fixed in b3b24473f2d29dc2ed29a07b98e1445dcc1c1d90.

If you see anything else missing or any other improvements, let us know.