The title of the playbook
Display timeline between multiple MISP events
Purpose of the playbook
This playbook queries MISP for specific event IDs, tags, a timestamp or a combination of the previous elements and builds a timeline of attributes / objects enclosed in the combined events. The timeline takes into account the timestamp, first seen and last seen values and creates a chronological overview of the occurrence of the attributes. The context of the events and attributes is included. The results are summarised in the playbook and then notified to Mattermost or Slack or added as an alert in TheHive or DFIR-IRIS (to be discussed for implementation).
External resources used by this playbook
Mattermost (or Slack), TheHive (optional), DFIR-IRIS (optional)
Target audience
CTI
Briefly list the execution steps or workflow
No response
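The timeline step described under the purpose could look like the following. This is an added example, not code from the original issue or from the MISP playbooks project. The events are constructed MISP-style JSON; `build_timeline` and `_parse` are hypothetical names, and in a live playbook the input would come from a MISP search filtered on event ID, tag or timestamp.

```python
from datetime import datetime, timezone

# Constructed sample events in MISP JSON layout (not real data).
EVENTS = [
    {"id": "101", "info": "Phishing wave (constructed)", "Tag": [{"name": "tlp:green"}],
     "Attribute": [
         {"type": "domain", "value": "login.example.test", "timestamp": "1700000300",
          "first_seen": "2023-11-10T08:00:00.000000+00:00",
          "last_seen": "2023-11-12T09:30:00.000000+00:00"},
         {"type": "ip-dst", "value": "192.0.2.10", "timestamp": "1700000100",
          "first_seen": None, "last_seen": None}]},
    {"id": "102", "info": "Follow-up report (constructed)", "Tag": [],
     "Object": [{"name": "url", "Attribute": [
         {"type": "url", "value": "http://login.example.test/a", "timestamp": "1700000200",
          "first_seen": "2023-11-11T12:00:00.000000+02:00", "last_seen": None}]}]},
]

def _parse(value, epoch=False):
    """Return an aware UTC datetime, or None when the field is empty."""
    if not value:
        return None
    if epoch:  # MISP stores 'timestamp' as epoch seconds
        return datetime.fromtimestamp(int(value), tz=timezone.utc)
    dt = datetime.fromisoformat(value)  # first_seen / last_seen are ISO 8601
    return dt.astimezone(timezone.utc) if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def build_timeline(events):
    """Merge attributes (including object attributes) of all events into one
    chronological list, one row per populated time field, with event context."""
    rows = []
    for ev in events:
        tags = [t["name"] for t in ev.get("Tag", [])]
        attrs = list(ev.get("Attribute", []))
        for obj in ev.get("Object", []):
            attrs.extend(obj.get("Attribute", []))
        for a in attrs:
            points = {"first_seen": _parse(a.get("first_seen")),
                      "last_seen": _parse(a.get("last_seen")),
                      "timestamp": _parse(a.get("timestamp"), epoch=True)}
            for kind, when in points.items():
                if when is not None:
                    rows.append({"when": when, "kind": kind, "event_id": ev["id"],
                                 "event_info": ev.get("info", ""), "tags": tags,
                                 "type": a["type"], "value": a["value"]})
    return sorted(rows, key=lambda r: (r["when"], r["event_id"], r["value"]))

if __name__ == "__main__":
    for r in build_timeline(EVENTS):
        print(r["when"].isoformat(), r["kind"], r["event_id"], r["type"], r["value"])
```

Normalising every time field to UTC before sorting matters because `first_seen` and `last_seen` can carry arbitrary offsets, while `timestamp` only records when the attribute was last modified in MISP.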