Hi,
I would like to request support for MISP Decay Models. These can be used in MISP to calculate the freshness and confidence of an indicator. I would argue it would be a better way to handle confidence and freshness of an indicator over time.
Example: I would be highly confident for a fresh URL that links to a phishing attack on day 0 of that phishing attack. After a week, I would argue that the confidence of this phishing website still being a problem is lower than on day 0 (because of possible takedown requests). After two weeks, the phishing website might not be present anymore and we do not want alerts for this indicator.
Let me know what you think on that issue.
Greetings, David
Link to the models: https://github.com/MISP/misp-decaying-models
Link to decay functionality explained: https://www.misp-project.org/2019/09/12/Decaying-Of-Indicators.html/
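The phishing-URL scenario from the request above, worked through as an added example (not part of the original post and not MISP's own code). It assumes the polynomial decay function described in the MISP decaying documentation, `score = base_score * (1 - (t / tau) ** (1 / delta))`; the class name, the parameter values (14-day lifetime, threshold 30) and the timestamps are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class DecayModel:
    """Polynomial decay: score(t) = base * (1 - (t / tau) ** (1 / delta))."""
    tau_days: float   # lifetime: the score reaches 0 after this many days
    delta: float      # decay speed: >1 drops fast early, <1 stays high, then drops
    threshold: float  # below this score the indicator should no longer alert

    def score(self, base_score: float, last_seen: datetime, now: datetime) -> float:
        if self.tau_days <= 0 or self.delta <= 0:
            raise ValueError("tau_days and delta must be positive")
        elapsed = (now - last_seen).total_seconds() / 86400.0
        if elapsed <= 0:              # seen just now (or clock skew): no decay yet
            return float(base_score)
        if elapsed >= self.tau_days:  # past end of life
            return 0.0
        return base_score * (1.0 - (elapsed / self.tau_days) ** (1.0 / self.delta))

    def is_expired(self, base_score: float, last_seen: datetime, now: datetime) -> bool:
        return self.score(base_score, last_seen, now) < self.threshold


def timeline(model, base_score, last_seen, days):
    """Return (day, rounded score, expired?) for each day offset after last_seen."""
    rows = []
    for d in days:
        now = last_seen + timedelta(days=d)
        rows.append((d,
                     round(model.score(base_score, last_seen, now), 1),
                     model.is_expired(base_score, last_seen, now)))
    return rows


# Constructed values: a phishing URL first reported on 2024-01-01,
# expected to be taken down within roughly two weeks.
PHISHING_URL = DecayModel(tau_days=14, delta=1.0, threshold=30)
SEEN = datetime(2024, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for day, score, expired in timeline(PHISHING_URL, 100, SEEN, [0, 7, 10, 14]):
        print(f"day {day:>2}: score {score:5.1f}  alert={'no' if expired else 'yes'}")
```

Passing a newer `last_seen` (for example after a fresh sighting of the URL) restarts the decay from the base score, which is how a re-observed indicator stays alertable.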