MISP import filter / filtering of events #86

Closed
derDuffy opened this issue Jan 12, 2017 · 3 comments

@derDuffy

Request Type

Feature Request

I couldn't find a similar request, so I hope this is not a duplicate.

Problem Description

After connecting our MISP instance to theHive we quickly ran into the situation where we wanted to filter the events retrieved from MISP or at least filter them in theHive based on fields like severity.

Basically:

  • a) prevent theHive from reading certain events based on Org, Severity or something like that

or / in addition

  • b) filter the events after they have been pulled to theHive based on fields (see below).

While there is the option to filter, this seems to work only for some of the fields. As far as I was able to test it, it is not possible to filter based on values of the severity field or the source. Both would be great, however.
Even better would be to have stored views on that data, something like Source=XYZ.
Additionally some date/time related filters would be great too.

Alternatively it might be an option to define and store global searches like the cold cases one for MISP events.

Benefit

Correct me if I'm wrong; I think it would make it so much easier to work with MISP events (especially for very busy MISP instances) and allow the team who uses theHive to narrow down their efforts on the important things.

@nadouani
Contributor

Once again, thanks @derDuffy for this feature request. I definitely agree with your feedback.

We will consider adding this feature in the next feature. We will for sure add (b) and think about (a).

Note that in 2.10.0 you will have this type of filtering capabilities in the case list.

@nadouani nadouani self-assigned this Jan 12, 2017
@nadouani nadouani added this to the 2.11.0 milestone Jan 12, 2017
@derDuffy
Author

Thanks!

I've read about the upcoming changes for the case list.
Having (b) would most likely be enough. Right now we are refraining from creating cases for every MISP event we get - but this is mainly due to data quality and prioritization.

@nadouani
Contributor

@derDuffy BTW, if you want a "workaround" to search via the current "Free text" field, I can give you some hints about how the filtering syntax works. Please create a discussion thread in the user forum and I'll answer.
