The title of the playbook
Query IP address reputation
Purpose of the playbook
This playbook queries the enabled OSINT feeds (a suggestion for the playbook is for example to enable the TOR exit node feed) and the local MISP events for matches with a specific IP address or list of IP addresses. All matches are summarised with their event and attribute context (tags, date, sightings). In a second step, the playbook uses MISP modules to query different external services for the reputation of the IP address and summarises the matches. As a final step, the playbook identifies IP registration information via the MISP modules. The summary is then attached to a (new or existing) MISP event as a MISP report and is sent to Mattermost or Slack or added as an alert in TheHive or DFIR-IRIS (to be discussed for implementation).
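As an added example (not code from the playbook or from MISP), the following Python takes the JSON that MISP's attribute search returns for a list of IP addresses and builds the per-IP summary the purpose statement describes (event, attribute type, tags, date, sightings). The sample response is constructed after the shape of /attributes/restSearch output, and the function names are assumptions.

```python
"""Summarise MISP attribute matches for a list of IPs (example code, not the playbook's)."""
import ipaddress
from collections import defaultdict

# Constructed sample in the shape MISP returns for /attributes/restSearch when the
# attribute's Event, Tag and Sighting context is included (values are documentation IPs).
SAMPLE_RESPONSE = {"response": {"Attribute": [
    {"id": "101", "event_id": "7", "type": "ip-src", "value": "203.0.113.5",
     "Event": {"info": "Scanning campaign (constructed)", "date": "2023-05-02"},
     "Tag": [{"name": "tlp:amber"}, {"name": "type:OSINT"}],
     "Sighting": [{"date_sighting": "1683000000"}, {"date_sighting": "1683100000"}]},
    {"id": "102", "event_id": "9", "type": "ip-dst", "value": "203.0.113.5",
     "Event": {"info": "C2 infrastructure (constructed)", "date": "2023-06-10"},
     "Tag": [], "Sighting": []},
    {"id": "103", "event_id": "9", "type": "ip-dst|port", "value": "198.51.100.7|443",
     "Event": {"info": "C2 infrastructure (constructed)", "date": "2023-06-10"},
     "Tag": [{"name": "tlp:green"}], "Sighting": [{"date_sighting": "1686500000"}]},
]}}


def parse_ips(raw):
    """Validate a comma- or newline-separated IP list; anything that is not an IP is dropped."""
    ips = []
    for token in raw.replace(",", "\n").split():
        try:
            ips.append(str(ipaddress.ip_address(token)))
        except ValueError:
            pass  # skip junk instead of sending it on to MISP or the reputation services
    return ips


def summarise_matches(response, raw_ips):
    """Group attribute hits per queried IP with their event, tag, date and sighting context."""
    wanted = set(parse_ips(raw_ips))
    summary = defaultdict(list)
    for attr in response.get("response", {}).get("Attribute", []):
        # composite types such as ip-dst|port carry the IP before the pipe
        ip = attr["value"].split("|", 1)[0]
        if ip not in wanted:
            continue
        summary[ip].append({
            "event_id": attr["event_id"],
            "event_info": attr["Event"]["info"],
            "event_date": attr["Event"]["date"],
            "attribute_type": attr["type"],
            "tags": [t["name"] for t in attr.get("Tag", [])],
            "sightings": len(attr.get("Sighting", [])),
        })
    return dict(summary)
```

The returned dictionary is what a later step would render into the MISP event report or the Mattermost/Slack message.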
External resources used by this playbook
Whois, DNS, Shodan, VirusTotal, Mattermost (or Slack), TheHive (optional), DFIR-IRIS (optional)
Target audience
SOC, CSIRT, CTI
Briefly list the execution steps or workflow
No response