The title of the playbook
Create filter list in various formats
Purpose of the playbook
This playbook creates different block or filter lists based on MISP search queries. The lists are in text format, with a separate list per type (IP addresses, hashes, domains, URLs). The results can then be sent to Azure Sentinel as Watchlists (with the help of msticpy) or sent to a specific index of Elasticsearch. The playbook also includes an option to create a ZIP archive of all exported filter files. A summary is included at the end of the playbook and sent to Mattermost or Slack, or raised as an alert in TheHive or DFIR-IRIS (to be discussed for implementation).
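The core step of the proposal, splitting MISP search results into one filter list per indicator type and bundling them into a ZIP, as an added example (not code from the MISP playbook project). It assumes attribute records in the shape returned by MISP's `/attributes/restSearch` endpoint; the sample records are constructed, the `TYPE_MAP` grouping of MISP attribute types into the four lists is my own choice, and only attributes flagged `to_ids` and not soft-deleted are exported, which is the usual MISP convention for detection exports.

```python
"""Split MISP attributes into per-type filter lists, write them as text
files and bundle them into a ZIP archive (added example, not playbook code).

The attribute records below are constructed to mimic the JSON returned by
MISP's /attributes/restSearch endpoint; the values are documentation
ranges and dummy hashes, not real indicators."""
import io
import os
import zipfile
from collections import defaultdict

# Which filter list each MISP attribute type feeds (mapping is an assumption
# for this example). Composite types ("domain|ip", "filename|sha256") are
# split on "|" and each half is mapped positionally; None drops that half.
TYPE_MAP = {
    "ip-src": ("ip",), "ip-dst": ("ip",),
    "ip-src|port": ("ip", None), "ip-dst|port": ("ip", None),
    "domain": ("domain",), "hostname": ("domain",),
    "domain|ip": ("domain", "ip"),
    "url": ("url",),
    "md5": ("hash",), "sha1": ("hash",), "sha256": ("hash",),
    "filename|md5": (None, "hash"),
    "filename|sha1": (None, "hash"),
    "filename|sha256": (None, "hash"),
}

# Constructed sample input (shape of MISP restSearch attributes).
SAMPLE_ATTRIBUTES = [
    {"type": "ip-dst", "value": "198.51.100.7", "to_ids": True, "deleted": False},
    {"type": "ip-dst", "value": "198.51.100.7", "to_ids": True},        # duplicate
    {"type": "ip-src|port", "value": "203.0.113.9|4444", "to_ids": True},
    {"type": "domain|ip", "value": "bad.example|192.0.2.10", "to_ids": True},
    {"type": "hostname", "value": "c2.example", "to_ids": False},        # not for detection
    {"type": "url", "value": "http://bad.example/payload", "to_ids": True},
    {"type": "sha256", "value": "a" * 64, "to_ids": True},
    {"type": "filename|md5", "value": "dropper.exe|" + "b" * 32, "to_ids": True},
    {"type": "md5", "value": "c" * 32, "to_ids": True, "deleted": True},  # soft-deleted
    {"type": "comment", "value": "analyst note", "to_ids": True},        # unsupported type
]


def build_filter_lists(attributes):
    """Return {list_name: sorted unique values} for exportable attributes.

    Attributes without to_ids (MISP's "use for detection" flag), soft-deleted
    attributes, unsupported types and malformed composite values are skipped."""
    lists = defaultdict(set)
    for attr in attributes:
        if attr.get("deleted") or not attr.get("to_ids"):
            continue
        targets = TYPE_MAP.get(attr.get("type"))
        if targets is None:
            continue
        parts = str(attr.get("value", "")).split("|")
        if len(parts) != len(targets):
            continue
        for part, target in zip(parts, targets):
            if target is not None and part.strip():
                lists[target].add(part.strip())
    return {name: sorted(values) for name, values in lists.items()}


def render_filter_file(values):
    """One indicator per line, trailing newline, ready for a text filter list."""
    return "\n".join(values) + "\n"


def write_filter_files(lists, out_dir):
    """Write one <name>.txt per list into out_dir and return the paths."""
    os.makedirs(out_dir, exist_ok=True)
    paths = []
    for name, values in sorted(lists.items()):
        path = os.path.join(out_dir, f"{name}.txt")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(render_filter_file(values))
        paths.append(path)
    return paths


def zip_filter_lists(lists):
    """Build the ZIP archive of all filter files in memory and return its bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, values in sorted(lists.items()):
            zf.writestr(f"{name}.txt", render_filter_file(values))
    return buf.getvalue()


def zip_member_names(zip_bytes):
    """List the file names inside a ZIP produced by zip_filter_lists."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return sorted(zf.namelist())


if __name__ == "__main__":
    lists = build_filter_lists(SAMPLE_ATTRIBUTES)
    for name, values in sorted(lists.items()):
        print(f"{name}: {len(values)} entries")
    print("archive members:", zip_member_names(zip_filter_lists(lists)))
```

The per-type text files are what a Sentinel Watchlist upload or an Elasticsearch bulk index step would consume next; keeping the ZIP build in memory lets the same dictionary feed the archive option without a second pass over the MISP results.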
External resources used by this playbook
Azure, Elastic, Mattermost (or Slack), TheHive (optional), DFIR-IRIS (optional)
Target audience
SOC, CSIRT
Briefly list the execution steps or workflow
No response