<map version="1.0.1">
<!-- To view this file, download free mind mapping software FreeMind from http://freemind.sourceforge.net -->
<node CREATED="1526302959276" ID="ID_1775061824" MODIFIED="1526305816801" STYLE="bubble" TEXT="MISP use cases">
<node BACKGROUND_COLOR="#86bc25" CREATED="1526303385894" ID="ID_449204343" MODIFIED="1526490119500" POSITION="right">
<richcontent TYPE="NODE"><html>
<head>
</head>
<body>
<p>
Feed tools (early warning system)
</p>
<p>
Integration and automation
</p>
</body>
</html></richcontent>
<node BACKGROUND_COLOR="#53565a" COLOR="#ffffff" CREATED="1526304410839" ID="ID_417228469" MODIFIED="1526310628887" TEXT="For what?">
<node CREATED="1526303435080" ID="ID_318631296" MODIFIED="1526305338390" TEXT="Detect"/>
<node CREATED="1526303437775" ID="ID_1865707227" MODIFIED="1526305338390" TEXT="Block"/>
<node CREATED="1526311713269" ID="ID_1393886511" MODIFIED="1526311714433" TEXT="Hunt"/>
</node>
<node BACKGROUND_COLOR="#53565a" COLOR="#ffffff" CREATED="1526304415233" ID="ID_731720122" MODIFIED="1526310652279" TEXT="What tools?">
<node CREATED="1526304418082" FOLDED="true" ID="ID_802732095" MODIFIED="1526490152545" TEXT="IDSes / IPSes">
<node CREATED="1526311439426" ID="ID_940439631" MODIFIED="1526311448982" TEXT="What technology?">
<node CREATED="1526308897450" ID="ID_729503749" MODIFIED="1526308899803" TEXT="Suricata"/>
<node CREATED="1526308900254" ID="ID_1873237516" MODIFIED="1526308901771" TEXT="Bro (now Zeek)"/>
<node CREATED="1526308902215" ID="ID_1168459938" MODIFIED="1526308904115" TEXT="Snort"/>
</node>
<node CREATED="1526311449674" ID="ID_784526969" MODIFIED="1526311451718" TEXT="How?">
<node CREATED="1526311452660" ID="ID_590273999" MODIFIED="1526311467013" TEXT="Pulling events (via the API) or indicator lists at regular intervals, filtered to a given time window, and performing lookups against them."/>
<node CREATED="1526311452664" ID="ID_1167449249" MODIFIED="1526311478158" TEXT="Subscribing to the MISP ZMQ pub-sub channel to receive published events directly and feed them into a lookup process."/>
<node CREATED="1526311452666" ID="ID_1996108194" MODIFIED="1526311493887" TEXT="Lookup expansion module in MISP that queries the SIEM, giving a direct view of which attributes have matched in the SIEM."/>
</node>
</node>
<node CREATED="1526304432031" ID="ID_945060532" MODIFIED="1526311668687" TEXT="SIEMs">
<node CREATED="1526488410281" ID="ID_1918760582" MODIFIED="1526488630480" TEXT="ArcSight, ArcSight Common Event Format (CEF)">
<node CREATED="1526488539328" ID="ID_706053305" LINK="https://github.com/tom8941/MISP-IOC-Validator/blob/master/cef.py" MODIFIED="1526488582577" TEXT="MISP export script for CEF (third-party repository, not part of MISP core)"/>
<node CREATED="1526488555174" ID="ID_450987295" LINK="https://github.com/MISP/MISP/issues/1540" MODIFIED="1526488961231" TEXT="MISP issue on GitHub"/>
</node>
<node CREATED="1526308922134" ID="ID_295491522" MODIFIED="1526488819668" TEXT="SIEMs compatible with Sigma (Generic Signature Format for SIEM Systems)"/>
<node CREATED="1526308946206" ID="ID_1759508944" MODIFIED="1526489117506" TEXT="IBM QRadar">
<node CREATED="1526488940908" ID="ID_149465301" LINK="https://github.com/MISP/MISP/issues/2915" MODIFIED="1526488966920" TEXT="MISP issue on GitHub"/>
<node CREATED="1526489081639" ID="ID_1344041638" LINK="https://github.com/robertnixon2003/MISP-QRADAR-REFERENCE-SET-BUILDER" MODIFIED="1526489101415" TEXT="Example scripts to push/pull data between MISP and QRadar (third-party repository)"/>
<node CREATED="1526489119426" ID="ID_541640160" LINK="https://github.com/ibm-security-intelligence/api-samples" MODIFIED="1526489125192" TEXT="QRadar API"/>
</node>
<node CREATED="1526310603283" ID="ID_363388443" MODIFIED="1526489144482" TEXT="SIEMs able to subscribe to the MISP ZMQ pub-sub channel"/>
</node>
<node CREATED="1526311659588" ID="ID_1355873088" MODIFIED="1526311662328" TEXT="Anti-virus"/>
<node CREATED="1526311670116" ID="ID_1557299541" MODIFIED="1526311672008" TEXT="Proxy"/>
<node CREATED="1526311673332" ID="ID_665747833" MODIFIED="1526311675344" TEXT="Firewall"/>
<node CREATED="1526304456736" FOLDED="true" ID="ID_1856221667" MODIFIED="1526490155659" TEXT="Host scanners">
<node CREATED="1526311551106" ID="ID_1649158614" MODIFIED="1526311551502" TEXT="OpenIOC"/>
<node CREATED="1526311556483" ID="ID_769472332" MODIFIED="1526311556824" TEXT="STIX"/>
<node CREATED="1526311564339" ID="ID_508547940" MODIFIED="1526311564655" TEXT="YARA rule-set"/>
<node CREATED="1526311568898" ID="ID_1721498719" MODIFIED="1526311569176" TEXT="CSV"/>
</node>
<node CREATED="1526311536475" FOLDED="true" ID="ID_1999368447" MODIFIED="1526490156574" TEXT="DNS policies">
<node CREATED="1526311543299" ID="ID_92638444" MODIFIED="1526311545695" TEXT="RPZ (DNS Response Policy Zones)"/>
</node>
</node>
<node BACKGROUND_COLOR="#53565a" COLOR="#ffffff" CREATED="1526310656003" FOLDED="true" ID="ID_716038724" MODIFIED="1526490161898" TEXT="How?">
<node CREATED="1526311595611" ID="ID_1284583961" MODIFIED="1526311606848" TEXT="Downloading a selection of data (filtered exports)"/>
<node CREATED="1526311595613" ID="ID_1556994437" MODIFIED="1526311618209" TEXT="Full exports"/>
<node CREATED="1526311619339" ID="ID_1173392959" MODIFIED="1526311619720" TEXT="APIs"/>
</node>
<node BACKGROUND_COLOR="#53565a" COLOR="#ffffff" CREATED="1526558176152" ID="ID_331682254" MODIFIED="1526558227098" TEXT="Who?">
<node CREATED="1526558179585" ID="ID_1032429715" MODIFIED="1526558185293" TEXT="CSIRTs"/>
<node CREATED="1526558185913" ID="ID_697576599" MODIFIED="1526558217187" TEXT="Mature entities (e.g. having a SOC/SIEM/log management/IDS)"/>
</node>
<node BACKGROUND_COLOR="#53565a" COLOR="#ffffff" CREATED="1526304491599" ID="ID_386649119" MODIFIED="1526305813719" TEXT="Challenges"/>
</node>
<node BACKGROUND_COLOR="#86bc25" CREATED="1526303401126" ID="ID_718064068" MODIFIED="1526310837337" POSITION="right" TEXT="Perform research on TTPs">
<arrowlink DESTINATION="ID_718064068" ENDARROW="Default" ENDINCLINATION="0;0;" ID="Arrow_ID_863413440" STARTARROW="None" STARTINCLINATION="0;0;"/>
<linktarget COLOR="#b0b0b0" DESTINATION="ID_718064068" ENDARROW="Default" ENDINCLINATION="0;0;" ID="Arrow_ID_863413440" SOURCE="ID_718064068" STARTARROW="None" STARTINCLINATION="0;0;"/>
</node>
<node BACKGROUND_COLOR="#86bc25" CREATED="1526303405102" ID="ID_303597230" MODIFIED="1526305675094" POSITION="right" TEXT="Provide situational awareness"/>
<node BACKGROUND_COLOR="#86bc25" CREATED="1526305169057" ID="ID_1234914392" MODIFIED="1526310749696" POSITION="left" STYLE="bubble" TEXT="Collect data">
<node BACKGROUND_COLOR="#53565a" COLOR="#ffffff" CREATED="1526558253747" ID="ID_780739892" MODIFIED="1526558508631" TEXT="From where?">
<node CREATED="1526558257394" ID="ID_383037743" MODIFIED="1526558275863" TEXT="Sandboxes">
<node CREATED="1526556988974" ID="ID_1200001964" MODIFIED="1526556990739" TEXT="Cuckoo"/>
<node CREATED="1526556991127" ID="ID_678875884" MODIFIED="1526556995954" TEXT="GFI sandbox"/>
</node>
<node CREATED="1526558276307" ID="ID_206495397" MODIFIED="1526558280006" TEXT="Honeypots"/>
<node CREATED="1526558511695" ID="ID_683592253" MODIFIED="1526558517548" TEXT="Incident response">
<node CREATED="1526558561109" ID="ID_210243047" MODIFIED="1526558567947" TEXT="TheHive"/>
<node CREATED="1526558576126" ID="ID_937509456" MODIFIED="1526558577452" TEXT="..."/>
</node>
<node CREATED="1526558519052" ID="ID_808715417" MODIFIED="1526558543432" TEXT="Security network equipment"/>
</node>
</node>
<node BACKGROUND_COLOR="#86bc25" CREATED="1526303415198" FOLDED="true" ID="ID_1545778085" MODIFIED="1526490138117" POSITION="left" STYLE="bubble" TEXT="Analyze information">
<node BACKGROUND_COLOR="#53565a" COLOR="#ffffff" CREATED="1526304609033" ID="ID_471702540" MODIFIED="1526305799667" TEXT="What?">
<arrowlink DESTINATION="ID_471702540" ENDARROW="Default" ENDINCLINATION="0;0;" ID="Arrow_ID_476912684" STARTARROW="None" STARTINCLINATION="0;0;"/>
<linktarget COLOR="#b0b0b0" DESTINATION="ID_471702540" ENDARROW="Default" ENDINCLINATION="0;0;" ID="Arrow_ID_476912684" SOURCE="ID_471702540" STARTARROW="None" STARTINCLINATION="0;0;"/>
<node CREATED="1526303421477" ID="ID_1501142077" MODIFIED="1526305372303" TEXT="Malware"/>
<node CREATED="1526303426231" ID="ID_458397302" MODIFIED="1526305372304" TEXT="Incidents"/>
</node>
<node BACKGROUND_COLOR="#53565a" COLOR="#ffffff" CREATED="1526304611488" ID="ID_675157025" MODIFIED="1526305813721" TEXT="Who?">
<node CREATED="1526305230923" ID="ID_1730526699" MODIFIED="1526305372304" TEXT="CSIRTs"/>
<node CREATED="1526305233865" ID="ID_349359708" MODIFIED="1526305372304" TEXT="Security specialists"/>
</node>
<node BACKGROUND_COLOR="#53565a" COLOR="#ffffff" CREATED="1526305158281" ID="ID_584666852" MODIFIED="1526305813721" TEXT="How?"/>
</node>
<node BACKGROUND_COLOR="#86bc25" CREATED="1526303299176" ID="ID_65967886" MODIFIED="1526489652911" POSITION="left" STYLE="bubble" TEXT="Share data and information">
<node BACKGROUND_COLOR="#53565a" COLOR="#ffffff" CREATED="1526304547912" ID="ID_709476686" MODIFIED="1526305813722" TEXT="What?">
<node CREATED="1526304556136" ID="ID_374459508" MODIFIED="1526305372305" TEXT="Indicators of compromise (IOCs)">
<node CREATED="1526306306621" ID="ID_695498968" MODIFIED="1526306308248" TEXT="IP addresses"/>
<node CREATED="1526306308899" ID="ID_669853380" MODIFIED="1526306311271" TEXT="Domain names"/>
<node CREATED="1526306311772" ID="ID_1950948480" MODIFIED="1526306315999" TEXT="Hashes"/>
<node CREATED="1526310715627" ID="ID_1430767272" MODIFIED="1526310716631" TEXT="..."/>
</node>
<node CREATED="1526303455200" ID="ID_1062689060" MODIFIED="1526305372305" TEXT="New vulnerabilities"/>
<node CREATED="1526303464464" ID="ID_1870568680" MODIFIED="1526305372305" TEXT="Security events"/>
<node CREATED="1526303468216" ID="ID_215813750" MODIFIED="1526305372305" TEXT="Financial indicators"/>
</node>
<node BACKGROUND_COLOR="#53565a" COLOR="#ffffff" CREATED="1526304543551" ID="ID_1845707538" MODIFIED="1526305813722" TEXT="Who?">
<node CREATED="1526305259681" ID="ID_284049009" MODIFIED="1526305372305" TEXT="CSIRTs"/>
<node CREATED="1526305262890" ID="ID_925992266" MODIFIED="1526310920386" TEXT="Private entities">
<node CREATED="1526305281730" ID="ID_409150230" MODIFIED="1526305372305" TEXT="Banks"/>
<node CREATED="1526305283441" ID="ID_568540099" MODIFIED="1526305372305" TEXT="Telecom operators"/>
<node CREATED="1526310902694" ID="ID_1062686998" MODIFIED="1526310903906" TEXT="..."/>
</node>
<node CREATED="1526310921053" ID="ID_1450149607" MODIFIED="1526310924474" TEXT="Public entities"/>
<node CREATED="1526310930534" ID="ID_149204033" MODIFIED="1526310934650" TEXT="OES/DSPs (operators of essential services / digital service providers)"/>
<node CREATED="1526310936541" ID="ID_1428986048" MODIFIED="1526310937658" TEXT="..."/>
</node>
</node>
<node BACKGROUND_COLOR="#86bc25" CREATED="1526303493249" FOLDED="true" ID="ID_1347696641" MODIFIED="1526490140449" POSITION="left" STYLE="bubble" TEXT="Collaborate on security events">
<node BACKGROUND_COLOR="#53565a" COLOR="#ffffff" CREATED="1526305294739" ID="ID_1703312794" MODIFIED="1526305813720" TEXT="Who?">
<node CREATED="1526305297723" ID="ID_1397941984" MODIFIED="1526305372306" TEXT="CSIRTs"/>
<node CREATED="1526305300090" ID="ID_779474809" MODIFIED="1526305372306" TEXT="Security specialists"/>
</node>
<node BACKGROUND_COLOR="#53565a" COLOR="#ffffff" CREATED="1526305308243" ID="ID_448422840" MODIFIED="1526310739110" TEXT="How?"/>
</node>
</node>
</map>