The title of the playbook
MISP analyse sightings
Purpose of the playbook
This playbook queries the MISP sightings for all attributes with the to_ids flag set. The playbook evaluates the balance between false positives and true positives and, whenever that balance is at or above a threshold value, it sets the to_ids flag to false and re-publishes the event. The results are stored in the playbook and sent to Mattermost or Slack, or added as an alert in TheHive or DFIR-IRIS (to be discussed for implementation).
External resources used by this playbook
Mattermost (or Slack), TheHive (optional), DFIR-IRIS (optional)
Target audience
CTI
Briefly list the execution steps or workflow
No response
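As an added example (not part of the proposed playbook, of MISP, or of PyMISP), the decision rule from the purpose section as runnable Python over constructed sighting records. It reads the "balance" as the share of false-positive sightings among all true-positive and false-positive sightings of an attribute; the MISP sighting type codes (0 = sighting, 1 = false positive, 2 = expiration), the record field names, the `min_sightings` safeguard and the PyMISP calls in `apply_plan` are assumptions of this example, not something the proposal states.

```python
"""Decide which to_ids attributes to demote from MISP sighting balance.

Added example, not the playbook's own code. Assumed MISP sighting types:
0 = sighting (true positive), 1 = false positive, 2 = expiration (ignored).
"""
from collections import defaultdict

TRUE_POSITIVE = 0
FALSE_POSITIVE = 1

# Constructed sample records in the shape of MISP sighting search output
# (only the fields used below); not real data.
SAMPLE_SIGHTINGS = [
    {"attribute_id": "101", "event_id": "7", "type": "0"},
    {"attribute_id": "101", "event_id": "7", "type": "1"},
    {"attribute_id": "101", "event_id": "7", "type": "1"},  # 1 TP, 2 FP
    {"attribute_id": "102", "event_id": "7", "type": "0"},
    {"attribute_id": "102", "event_id": "7", "type": "0"},
    {"attribute_id": "102", "event_id": "7", "type": "1"},  # 2 TP, 1 FP
    {"attribute_id": "103", "event_id": "9", "type": "1"},  # single FP only
    {"attribute_id": "104", "event_id": "9", "type": "2"},  # expiration only
]


def sighting_balance(sightings):
    """Count TP/FP sightings per attribute.

    Returns {attribute_id: (event_id, true_positives, false_positives)}.
    Expiration sightings carry no TP/FP signal and are skipped.
    """
    counts = {}
    for s in sightings:
        kind = int(s["type"])
        if kind not in (TRUE_POSITIVE, FALSE_POSITIVE):
            continue
        attr_id = str(s["attribute_id"])
        event_id, tp, fp = counts.get(attr_id, (str(s["event_id"]), 0, 0))
        if kind == TRUE_POSITIVE:
            tp += 1
        else:
            fp += 1
        counts[attr_id] = (event_id, tp, fp)
    return counts


def false_positive_ratio(tp, fp):
    """Share of false positives among TP+FP sightings; 0.0 when there are none."""
    total = tp + fp
    return fp / total if total else 0.0


def plan_demotion(sightings, threshold, min_sightings=1):
    """Attributes whose FP ratio is at or above threshold, grouped by event.

    min_sightings is an added safeguard not in the proposal: an attribute
    needs that many TP+FP sightings before its ratio is trusted, so one
    stray false-positive sighting cannot demote an indicator on its own.
    Returns {event_id: [attribute_id, ...]} so each event is republished once.
    """
    if not 0.0 <= threshold <= 1.0:
        raise ValueError("threshold must be between 0 and 1")
    plan = defaultdict(list)
    for attr_id, (event_id, tp, fp) in sighting_balance(sightings).items():
        if tp + fp < min_sightings:
            continue
        if false_positive_ratio(tp, fp) >= threshold:
            plan[event_id].append(attr_id)
    return {event_id: sorted(attrs) for event_id, attrs in plan.items()}


def apply_plan(misp, plan):
    """Write path with a PyMISP client (assumed API; not executed here).

    Clears to_ids on each planned attribute, then republishes the event.
    """
    for event_id, attr_ids in plan.items():
        for attr_id in attr_ids:
            misp.update_attribute({"to_ids": False}, attr_id)
        misp.publish(event_id)


if __name__ == "__main__":
    # Dry run on the constructed data: only attribute 101 crosses 50 %
    # with at least two sightings; 103 is held back by min_sightings.
    print(plan_demotion(SAMPLE_SIGHTINGS, threshold=0.5, min_sightings=2))
```

In the real playbook the records would come from the MISP sightings search restricted to to_ids attributes, and the returned plan is what goes into the Mattermost/Slack summary or the TheHive/DFIR-IRIS alert before `apply_plan` is run.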