Filter MISP Events Using MISP Tags & More Before Creating Alerts #370

Closed
saadkadhi opened this issue Nov 8, 2017 · 0 comments

@saadkadhi
Contributor

Request Type

Feature Request

Work Environment

TheHive version / git hash: 2.13.2

Problem Description

When an administrator configures TheHive to poll events from one or several MISP instances, TheHive will fetch all the events and analysts end up drowning in new alerts.

Possible Solutions

Add the ability to filter MISP events according to multiple criteria, such as tags, before they can make it to TheHive's alerting panel.

@saadkadhi saadkadhi added this to the 3.1.0 milestone Nov 8, 2017
@To-om To-om modified the milestones: 3.1.0 (Cerana 1), 3.0.4 Jan 31, 2018
@To-om To-om added the wip label Jan 31, 2018
To-om added a commit that referenced this issue Jan 31, 2018
MISP event can be excluded according to the following filters:
 - the maximum number of attributes (max-attributes)
 - the maximum size of the event json message
 - the age of the last publication
 - the organisation is black-listed
 - one of the tags is black-listed

The filters are configurable in each connection's settings:
misp {
  "MISP-SERVER-ID" {
    url = "http://127.0.0.1"
    key = "MISP-KEY"

    # filters:
    max-attributes = 1000
    max-size = 1 MiB
    max-age = 7 days
    exclusion {
      organisation = ["bad organisation", "other orga"]
      tags = ["tag1", "tag2"]
    }
  }
}
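The five exclusion rules listed in the commit message above, re-implemented as an added Python example so they can be tried against sample MISP events before enabling them on a real connection. This is not TheHive's own code (TheHive is written in Scala) and the filter values are copied from the HOCON snippet above. Assumptions, labelled in the code: the event JSON follows the MISP REST "Event" format (Orgc.name, Tag[].name, Attribute[], Object[].Attribute[], publish_timestamp as epoch seconds); attributes nested in MISP Objects count towards max-attributes; organisation and tag blacklists are exact, case-sensitive matches; an event whose publish_timestamp is "0" (never published) fails the age check; the sample events and the "current time" are constructed.

```python
"""Added example: MISP event exclusion filters (max-attributes, max-size,
max-age, organisation and tag blacklists) as a stand-alone Python function.
Not TheHive code. Event layout assumed: MISP REST "Event" JSON."""
import json
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class MispFilter:
    """Mirrors the per-connection HOCON keys from the commit message."""
    max_attributes: int = 1000                    # max-attributes = 1000
    max_size: int = 1 * 1024 * 1024               # max-size = 1 MiB, in bytes
    max_age: int = 7 * 24 * 3600                  # max-age = 7 days, in seconds
    excluded_orgs: FrozenSet[str] = frozenset()   # exclusion.organisation
    excluded_tags: FrozenSet[str] = frozenset()   # exclusion.tags


# Same values as the HOCON snippet above.
FILTER = MispFilter(
    excluded_orgs=frozenset({"bad organisation", "other orga"}),
    excluded_tags=frozenset({"tag1", "tag2"}),
)


def exclusion_reason(event: Dict, flt: MispFilter, now: int) -> Optional[Tuple[str, str]]:
    """Return (config key that excluded the event, detail), or None if it passes.
    Checks run in the order max-attributes, max-size, max-age, organisation, tags."""
    ev = event["Event"]
    # Assumption: attributes nested in MISP Objects count towards the limit.
    n_attrs = len(ev.get("Attribute", [])) + sum(
        len(obj.get("Attribute", [])) for obj in ev.get("Object", []))
    if n_attrs > flt.max_attributes:
        return ("max-attributes", f"{n_attrs} attributes > {flt.max_attributes}")

    size = len(json.dumps(event).encode("utf-8"))   # size of the JSON message
    if size > flt.max_size:
        return ("max-size", f"{size} bytes > {flt.max_size}")

    # MISP serialises publish_timestamp as a string of epoch seconds; "0" = never published.
    published = int(ev.get("publish_timestamp", "0"))
    if published == 0:
        return ("max-age", "event has never been published")   # assumption: treat as stale
    age = now - published
    if age > flt.max_age:
        return ("max-age", f"published {age} s ago > {flt.max_age}")

    org = ev.get("Orgc", {}).get("name", "")        # creator organisation
    if org in flt.excluded_orgs:                    # assumption: exact match
        return ("organisation", f"creator org {org!r} is black-listed")

    tags = {t.get("name", "") for t in ev.get("Tag", [])}   # event-level tags only
    hits = sorted(tags & flt.excluded_tags)         # assumption: exact match
    if hits:
        return ("tags", f"black-listed tag(s): {', '.join(hits)}")
    return None


def filter_events(events: List[Dict], flt: MispFilter, now: int):
    """Split events into (kept, dropped); dropped entries are (uuid, key, detail)."""
    kept, dropped = [], []
    for ev in events:
        reason = exclusion_reason(ev, flt, now)
        if reason is None:
            kept.append(ev)
        else:
            dropped.append((ev["Event"]["uuid"], *reason))
    return kept, dropped


# --- constructed sample data (not real MISP events) ---------------------------
NOW = 1517400000   # constructed "current time", epoch seconds (end of Jan 2018)


def _event(uuid: str, org: str, tags: List[str], n_attrs: int, published: int) -> Dict:
    return {"Event": {
        "uuid": uuid, "info": "constructed sample event",
        "Orgc": {"name": org},
        "Tag": [{"name": t} for t in tags],
        "Attribute": [{"type": "ip-dst", "value": f"10.0.0.{i % 250}"} for i in range(n_attrs)],
        "publish_timestamp": str(published),
    }}


SAMPLE_EVENTS = [
    _event("e1", "CIRCL", ["tlp:white"], 3, NOW - 3600),             # passes every filter
    _event("e2", "bad organisation", ["tlp:white"], 3, NOW - 3600),  # black-listed org
    _event("e3", "CIRCL", ["tag1", "tlp:amber"], 3, NOW - 3600),     # black-listed tag
    _event("e4", "CIRCL", [], 3, NOW - 10 * 24 * 3600),              # older than 7 days
    _event("e5", "CIRCL", [], 1200, NOW - 60),                       # more than 1000 attributes
    _event("e6", "CIRCL", [], 3, 0),                                 # never published
]

if __name__ == "__main__":
    kept, dropped = filter_events(SAMPLE_EVENTS, FILTER, NOW)
    print("kept:", [e["Event"]["uuid"] for e in kept])
    for uuid, key, detail in dropped:
        print(f"dropped {uuid}: {key}: {detail}")
```

Running the module prints which sample events survive (only e1) and, for each dropped event, the config key that excluded it, which is the same information an administrator needs to tune the thresholds for a noisy MISP feed.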
@To-om To-om removed the wip label Jan 31, 2018
@To-om To-om closed this as completed Jan 31, 2018
To-om added a commit that referenced this issue Feb 2, 2018