Closed RichieB2B closed 5 years ago
Thank you very much for the contribution. It's now merged.
I did the following changes:
- `hide_tag`, to make the schema validator happy
- `hide_tag` in the default taxonomy format (@adulau) (and change MISP to take this into account (@iglocska))
`{'value': 'expired', 'expanded': 'Set when the retention period has expired', 'numerical_value': 0, 'hide_tag': True}: Additional properties are not allowed ('hide_tag' was unexpected)`
IMHO, the idea is good if the user is willing to do the tagging by himself, explicitly stating that no matter what, the tagged attribute should be marked as decayed once the elapsed time has been reached.
For an automated integration and support of this taxonomy in MISP, some questions may arise:
I see some huge challenges to support this model automatically.
However, we could only support this taxonomy during the score computation process: We could consider the tag in the computation and filter out expired attributes. That is the easiest way to accomplish this as we will have all the information at hand. In addition, having the possibility to quickly and easily set the expiration time on an IOC via the UI is really great for users!
My only fear with the taxonomy itself is that users massively start adding these kinds of tags automatically and fill up their database instead of using the built-in system (thus bypassing it when trying to do the decay themselves), because it will probably appear simpler.
We can support this taxonomy in the decaying branch by only using it to filter out tagged attributes.
Hello, I did not quite understand how this script works. I tried enabling the "retention" taxonomy, but I only have "retention:1m" and "retention:expired" tags on one and only one event (out of 2000) and I don't know why. After how long does the "expired" tag appear?
@Linow974 When you run the misp_retention.py script it will look for MISP events that are older than their "retention" tag. For example, when an event with tag "retention:1m" is older than 1 month it will match. On all matched events the to_ids flag of IP based IOCs will be removed and a new tag "retention:expired" will be added. Both tags will remain on the event until they are manually removed.
I hope that clears things up.
Ok thanks, I understand better. And is this based on the last modification date or the creation date?
It uses the "date" field of the event. This can be arbitrarily chosen by the creator of the event and usually indicates the day the event occurred.
Ok, but the problem is that many of our events are updated, for example an added attribute, an added comment, etc. So an event may be expired even though it was updated a few minutes ago.
You can always change the script to use the modification date instead.
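The behaviour described in the exchange above, as an added example that is not the misp_retention.py script from this PR: it re-implements the matching logic on plain MISP event JSON so it runs offline, and it exposes the choice the thread ends on (the event "date" field versus the "timestamp" modification time). The tag grammar `retention:<N><unit>` with d/w/m/y units, the 30/365-day approximation for months and years, the set of attribute types counted as "IP based", the skip of events already carrying `retention:expired`, and the sample event are all assumptions of this example; pushing the resulting changes back to a server (e.g. with PyMISP) is left out.

```python
"""Added example (not the PR's misp_retention.py): decide whether a MISP
event is past its "retention:*" tag and compute the changes the companion
script applies (clear to_ids on IP attributes, add "retention:expired")."""
from __future__ import annotations

import copy
import re
from datetime import date, datetime, timedelta, timezone

# Assumed tag grammar: "retention:<N><unit>", unit d/w/m/y. Months and years
# are approximated as 30 and 365 days; the taxonomy's own value list is not
# reproduced here.
_UNIT_DAYS = {"d": 1, "w": 7, "m": 30, "y": 365}
_TAG_RE = re.compile(r"^retention:(\d+)([dwmy])$")
EXPIRED_TAG = "retention:expired"

# Attribute types treated as "IP based" for the to_ids change (assumption).
IP_TYPES = {"ip-src", "ip-dst", "ip-src|port", "ip-dst|port"}


def retention_period(tags: list[str]) -> timedelta | None:
    """Period from the first retention:<N><unit> tag, or None if untagged."""
    for tag in tags:
        m = _TAG_RE.match(tag)
        if m:
            return timedelta(days=int(m.group(1)) * _UNIT_DAYS[m.group(2)])
    return None


def event_reference_time(event: dict, use_modification: bool) -> datetime:
    """The event's "date" field (day the event occurred) or, for frequently
    edited events as suggested in the thread, its "timestamp" (last change)."""
    if use_modification:
        return datetime.fromtimestamp(int(event["timestamp"]), tz=timezone.utc)
    d = date.fromisoformat(event["date"])
    return datetime(d.year, d.month, d.day, tzinfo=timezone.utc)


def is_expired(event: dict, now: datetime, use_modification: bool = False) -> bool:
    """True when reference time + retention period lies before `now`."""
    tags = [t["name"] for t in event.get("Tag", [])]
    if EXPIRED_TAG in tags:
        return False  # assumption: already processed, tags stay until removed by hand
    period = retention_period(tags)
    if period is None:
        return False
    return event_reference_time(event, use_modification) + period < now


def expire_event(event: dict, now: datetime, use_modification: bool = False) -> dict | None:
    """Copy of the event with to_ids cleared on IP attributes and the expired
    tag appended, or None when the event has not reached its retention yet."""
    if not is_expired(event, now, use_modification):
        return None
    out = copy.deepcopy(event)
    for attr in out.get("Attribute", []):
        if attr.get("type") in IP_TYPES:
            attr["to_ids"] = False
    out.setdefault("Tag", []).append({"name": EXPIRED_TAG})
    return out


# Constructed sample event: occurred 2019-05-01, last modified 2019-06-08T13:20Z.
SAMPLE_EVENT = {
    "id": "1",
    "date": "2019-05-01",
    "timestamp": "1560000000",
    "Tag": [{"name": "retention:1m"}],
    "Attribute": [
        {"type": "ip-dst", "value": "198.51.100.23", "to_ids": True},
        {"type": "domain", "value": "example.invalid", "to_ids": True},
    ],
}
SAMPLE_NOW = datetime(2019, 6, 5, tzinfo=timezone.utc)

if __name__ == "__main__":
    # By event date: 2019-05-01 + 30d = 2019-05-31 < 2019-06-05, so it expires.
    # By modification time: 2019-06-08 + 30d = 2019-07-08, so it does not.
    print("expired by date:", is_expired(SAMPLE_EVENT, SAMPLE_NOW))
    print("expired by timestamp:", is_expired(SAMPLE_EVENT, SAMPLE_NOW, True))
    print(expire_event(SAMPLE_EVENT, SAMPLE_NOW))
```

Run against the sample, the same event is expired when judged by its "date" but not by its "timestamp", which is exactly the discrepancy raised above; only the ip-dst attribute loses its to_ids flag, the domain is untouched, and the original dict is not mutated.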
This retention taxonomy can be used to tag events and attributes that need to be expired after a certain amount of time. A companion MISP API script can clear the appropriate to_ids flags when the tagged IOCs become expired.
See also https://github.com/MISP/MISP/pull/4661