Curate threat events
Fixes #21
cudeso committed Feb 13, 2024
1 parent 9e103b3 commit d29cec2
Showing 3 changed files with 2,562 additions and 0 deletions.
1 change: 1 addition & 0 deletions README.md
Expand Up @@ -30,6 +30,7 @@ The repository contains these playbooks
| **Query IP reputation** |Query for the reputation of one or more IPs. It combines the reputation scores from **VirusTotal**, **Shodan**, **Greynoise** and **AbuseIPDB** into one **MISP report**. The playbook adds the known associated domains, the abuse contacts and the geo information from **MMDB**. All information is added to a MISP event, summarised and send to Mattermost and TheHive.|[MISP Playbook](misp-playbooks/pb_query_ip_reputation.ipynb)<br><br>[MISP Playbook with output](misp-playbooks/pb_query_ip_reputation-with_output.ipynb)|[12](https://github.com/MISP/misp-playbooks/issues/12) |
| **Query domain reputation** |Query enabled OSINT feeds and MISP events for matches with one or more domain name(s).<br>Query URLscan for historical scans related to these domains and extract screenshots.<br>Use MISP modules to look up the DNS resolutions and query VirusTotal, Shodan and URLhaus for information related to the domains.<br>Results are stored in the playbook, in a MISP event and sent to Mattermost and TheHive.|[MISP Playbook](misp-playbooks/pb_query_domain_reputation.ipynb)<br><br>[MISP Playbook with output](misp-playbooks/pb_query_domain_reputation-with_output.ipynb)|[13](https://github.com/MISP/misp-playbooks/issues/13) |
| **Query for inconsistencies in MISP events** |This playbook checks for **inconsistencies** in the event **distribution**, the TLP designation and the PAP marking.<br /> The playbook also verifies if events contain sufficient **attributes**, objects, **tags** or galaxies. There are also checks for inconsistencies with the **workflow** tags, a taxonomy that is often used during *threat intelligence curation*. The results are listed in the playbook and sent to Mattermost.<br/> Note that MISP has also built-in checks encoded in [DefaultWarning.php](Defahttps://github.com/MISP/MISP/blob/2.4/app/Lib/EventWarning/DefaultWarning.php)|[MISP Playbook](misp-playbooks/pb_query_for_inconsistencies_misp_events.ipynb)<br><br>[MISP Playbook with output](misp-playbooks/pb_query_for_inconsistencies_misp_events-with_output.ipynb)|[22](https://github.com/MISP/misp-playbooks/issues/22)|
| **Curate threat events** |This playbook queries for MISP events that require **curation** and addresses the remaining curation tasks. In general you run this playbook *after* your automatic or manual curation process has highlighted the events that require a review but you can also force the playbook to curate all events. This playbook uses the hashlookup and mmdb_lookup MISP modules.<br />The curation tasks include disable to_ids for attributes matching a **warninglist**, disable to_ids for attributes matching **known software** (via hashlookup), add a GalaxyCluster with the **location** of an IP (via mmdb_lookup), add **TTPs**, based on string matches in the event title, tag attributes that are also in **MISP feeds** (tagging allows easier filtering afterwards). The results are summarised and shared with Mattermost.|[MISP Playbook](misp-playbooks/pb_curate_misp_events.ipynb)<br><br>[MISP Playbook with output](misp-playbooks/pb_curate_misp_events-with_output.ipynb.ipynb)|[21](https://github.com/MISP/misp-playbooks/issues/21)|
| **Create a custom MISP warninglist** |Create a custom MISP warninglist with a set of entries provided by the analyst as input. A check is done if the warninglist already exists. If the warninglist exists then the entries are added to the existing warninglist. When the warninglist is created the MISP events are queried for matches ('retro-search').<br>Query Shodan and VirusTotal for matches with entries in the warninglist. The result of the creation of the warninglist as well as the matches is summarised aand sent to Mattermost and added as an alert in TheHive. |[MISP Playbook](misp-playbooks/pb_create_custom_MISP_warninglist.ipynb)<br><br>[MISP Playbook with output](misp-playbooks/pb_create_custom_MISP_warninglist-with_output.ipynb)|[7](https://github.com/MISP/misp-playbooks/issues/7)|
| **Retroscan with a MISP warninglist** |This playbook does a **retroscan** to check for attributes matching the values in a warninglist. You can then disable the to_ids flag or add a tag or comment. This playbook is often used for **threat intelligence curation** when you add a new warninglist to MISP.<br />The results are summarised, sent to Mattermost and added as an alert in TheHive.|[MISP Playbook](misp-playbooks/pb_retroscan_with_MISP_warninglist.ipynb)<br><br>[MISP Playbook with output](misp-playbooks/pb_retroscan_with_MISP_warninglist-with_output.ipynb)|[8](https://github.com/MISP/misp-playbooks/issues/8)|
| **Create MISP objects and relationships** |This playbook walks the analyst through the phases of creating MISP objects and adding a relationship between these objects.<br>The playbook is typically *triggered* when an an analyst wants to add related, contextually linked, attributes to a MISP event.<br>The objects are added to a new or an existing MISP event. The playbook prints out a summary that can be used to notify colleagues via Mattermost.<br>The playbook uses an Emotet sample to demonstrate the functionality, with links from a file object to URL and HTTP request objects. It also creates the victim objects.|[MISP Playbook](misp-playbooks/pb_create_MISP_objects_and_relationship.ipynb)<br><br>[MISP Playbook with output](misp-playbooks/pb_create_MISP_objects_and_relationship-with_output.ipynb)|[11](https://github.com/MISP/misp-playbooks/issues/11) |
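Review bot: the "MISP Playbook with output" link in the new **Curate threat events** row has a doubled extension, `misp-playbooks/pb_curate_misp_events-with_output.ipynb.ipynb`, so it will 404 on GitHub; every sibling row uses a single `-with_output.ipynb` suffix, so it should read `[MISP Playbook with output](misp-playbooks/pb_curate_misp_events-with_output.ipynb)`. Two smaller points on the same row: the task list is easier to read as a parallel series of verb phrases ("disabling to_ids for attributes matching a **warninglist**, disabling to_ids for attributes matching **known software** (via hashlookup), adding a GalaxyCluster ..."), and the row mixes `<br />` with the `<br>` used by the neighbouring rows. Unrelated to this change but visible in the hunk context: the DefaultWarning.php link in the **Query for inconsistencies in MISP events** row starts with `Defahttps://`, which is also a broken link worth fixing while in this table.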
