
Set tags within Source as well as Operator [MISP] #103

Open
RatherBland opened this issue Nov 3, 2020 · 1 comment

Comments

@RatherBland

The current system of setting hardcoded tags is insufficient when ingesting from variable sources such as Twitter or RSS feeds.

I propose setting tags within the source as well as the operator. This allows for both default tags assigned to all ingested events, as well as tags set specifically for the source.

A great example of this providing value is using a Twitter source to search for emotet and another searching for njrat. Separately tagging these events would significantly improve the intelligence value for operators instead of just generic OSINT or MALWARE tags.

I will investigate the viability of this, but any suggestions would be appreciated.

Thanks.

@RatherBland (Author)

Taking this a step further might include dynamically assigning tags based on keyword matching. Using a different example, if you had a more generic Twitter list that included threat intel on a wide variety of malware strains, you could assign tags from a set of whitelisted strings, e.g. ['emotet', 'phishing', 'fancy bear'] etc.

Matching a string within the Tweet body from this list could be used to assign tags.
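The tag layering from the opening post (operator-wide defaults plus per-source defaults) and the keyword matching proposed in this comment, sketched as an added example. This is not code from the project and does not use its config format or the MISP API; the source names, tag strings and tweet bodies are constructed for illustration. It shows the one check a naive substring test gets wrong: matching whole words, so that a whitelist entry such as "rat" does not fire on "integrate" and "njRAT" is tagged as njrat rather than as a generic RAT.

```python
import re

# Constructed example configuration (not the project's own config format).
# Operator-level tags apply to every ingested event regardless of source.
OPERATOR_TAGS = ["osint", "tlp:white"]

# Per-source settings: "tags" are defaults for everything that source ingests,
# "keyword_tags" maps a whitelisted phrase found in the body to an extra tag.
# Tag names below are made up for this example, not MISP taxonomy entries.
SOURCES = {
    "twitter-emotet-search": {
        "tags": ["osint", "malware:emotet"],  # "osint" overlaps the operator default on purpose
        "keyword_tags": {},
    },
    "twitter-njrat-search": {
        "tags": ["malware:njrat"],
        "keyword_tags": {},
    },
    "twitter-generic-threatintel": {
        "tags": [],
        "keyword_tags": {
            "emotet": "malware:emotet",
            "njrat": "malware:njrat",
            "phishing": "attack-type:phishing",
            "fancy bear": "threat-actor:fancy-bear",
            "rat": "malware:generic-rat",
        },
    },
}


def compile_keyword_patterns(keyword_tags):
    """Turn each whitelisted phrase into a case-insensitive, whole-word regex.

    Word boundaries matter: a plain substring test for "rat" would also hit
    "integrate" and the "RAT" inside "njRAT".  Multi-word phrases tolerate any
    run of whitespace between the words ("fancy  bear").
    """
    compiled = []
    for phrase, tag in keyword_tags.items():
        words = [re.escape(word) for word in phrase.split()]
        pattern = re.compile(r"\b" + r"\s+".join(words) + r"\b", re.IGNORECASE)
        compiled.append((pattern, tag))
    return compiled


def keyword_matched_tags(body, keyword_tags):
    """Return the tags whose whitelisted phrase occurs in body, in whitelist order."""
    return [tag for pattern, tag in compile_keyword_patterns(keyword_tags)
            if pattern.search(body)]


def tags_for_event(source_name, body, sources=SOURCES, operator_tags=OPERATOR_TAGS):
    """Merge operator defaults, source defaults and keyword hits, de-duplicated in order."""
    source = sources[source_name]
    candidates = (list(operator_tags)
                  + list(source["tags"])
                  + keyword_matched_tags(body, source["keyword_tags"]))
    seen, merged = set(), []
    for tag in candidates:
        if tag not in seen:
            seen.add(tag)
            merged.append(tag)
    return merged


if __name__ == "__main__":
    # Constructed tweet bodies; none of these are real posts.
    samples = [
        ("twitter-emotet-search", "New Emotet C2 IPs for today, see thread"),
        ("twitter-njrat-search", "njRAT sample dropped via malicious doc"),
        ("twitter-generic-threatintel", "Fancy  Bear phishing lures spotted again"),
        ("twitter-generic-threatintel", "njRAT sample dropped via malicious doc"),
        ("twitter-generic-threatintel", "We integrate detections into our pipeline"),
    ]
    for source, body in samples:
        print(f"{source:28} -> {tags_for_event(source, body)}")
```

The resulting list is what would be handed to the MISP client when the event is created; keeping the merge in one function means a tag that is both an operator default and a source default is added once, and a generic source with an empty whitelist simply falls back to the defaults.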
