MISP query for inconsistencies in distribution settings, TLP and PAP
Purpose of the playbook
This playbook queries the MISP events and checks for inconsistency for the event distribution setting, the TLP designation and the PAP marking. For example events or attributes with TLP:RED and PAP:CLEAR or events with 'All communities' and 'TLP:RED'. The inconsistencies between TLP and distribution level are already warned in the MISP interface but this playbook does a retroactive check, and also verifies the events that are pulled in via synchronised servers. The results of the query are stored in the playbook and sent to Mattermost or Slack or as an alert in TheHive or DFIR-IRIS (to be discussed for implementation).
The title of the playbook
MISP query for inconsistencies in distribution settings, TLP and PAP
Purpose of the playbook
This playbook queries the MISP events and checks for inconsistency for the event distribution setting, the TLP designation and the PAP marking. For example events or attributes with TLP:RED and PAP:CLEAR or events with 'All communities' and 'TLP:RED'. The inconsistencies between TLP and distribution level are already warned in the MISP interface but this playbook does a retroactive check, and also verifies the events that are pulled in via synchronised servers. The results of the query are stored in the playbook and sent to Mattermost or Slack or as an alert in TheHive or DFIR-IRIS (to be discussed for implementation).
External resources used by this playbook
Mattermost (or Slack), TheHive (optional), DFIR-IRIS (optional)
Target audience
CTI
Breefly list the execution steps or workflow
No response