Last modified: Wed Oct 02 2024 16:09:21 GMT+0200 (Central European Summer Time)
The process of entering an event can be split into 3 phases, the creation of the event itself, populating it with attributes and attachments and finally publishing it.
During this first step, you will create a basic event without any actual attributes, but storing general information such as a description, time and risk level of the incident. To start creating the event, click on the New Event button on the left and fill out the form you are presented with. The following fields need to be filled out:

The second step of creating an event is to populate it with attributes and attachments. This can be done by adding them manually or importing the attributes from an external format (OpenIOC, ThreatConnect). To import from an external format or to upload an attachment use the options in the menu on the left.

Using the above shown buttons, you can populate an event using various tools that will be explained in the following section. Let's start with the Add Attribute button.
Keep in mind that the system searches for regular expressions in the value field of all attributes when entered, replacing detected strings within it as set up by the server's administrator (for example to enforce standardised capitalisation in paths for event correlation or to bring exact paths to a standardised format). The following fields need to be filled out:

Please have a look at the MISP objects chapter
Sharing groups in MISP are a more granular way to create re-usable distribution lists for events/attributes that allow users to include organisations from their own instance (local organisations) as well as organisations from directly, or indirectly connected instances (external organisations). Sharing groups can be created by any user that has the sharing group editor permission. Additionally, sharing groups can be edited by any user that has the aforementioned permission in addition to being a member of the sharing group's creating organisation, or any organisation that is marked as an "extender" of the sharing group. The main use for the extend feature is delegating the rights to add users to trusted partners. For example, when sharing with a different industry sector, knowing all actors that should receive the information is often not possible, so delegating the rights to extend the event to a trusted representative of said sector would allow for someone with more insight to find and add the proper list of partners for the sharing group.

The most general use-cases for sharing groups are creating re-usable topical subgroups in MISP that share events or for ad-hoc sharing scenarios (such as several organisations involved in a specific incident wanting to work together). Generally sharing groups add a level of complexity for the users involved as well as a performance overhead on the data marked with it.
As a best-practice recommendation, using traditional distribution methods is preferred unless they cannot cover the given use-case. Also, whilst sharing groups can be assigned to both events and attributes, it is highly recommended to use the special "inherit" distribution setting on attributes whenever the attribute's sharing group would match the event's.
Sharing groups consist of the following elements, each of which has its own page in the sharing group creator/editor tool (accessed via the Global actions -> List Sharing Groups and Add Sharing Group functionalities):




Templates allow users to rapidly populate events of a specific type by filling out a series of pre-defined fields. Users with template creation privileges can create new templates for their organisations or for all organisations on their instance. If you are interested in template creation, please refer to the templating section. For users trying to populate an event, after clicking on the populate from template button, you'll be presented with a list of all currently accessible templates. Pick the one that best describes the event that you are creating.

Once you have chosen a template, you'll be presented with the actual form contained within. Make sure you fill out as many fields as possible with the mandatory fields - marked by a star in a bracket such as this: (*) - are filled out. Templates are divided into sections, with each section having a title and a description in addition to a series of fields. Each field can be an attribute or a file attachment field. An attribute field has the following components:


If you have a list of indicators that you would like to quickly generate attributes out of then the Free-text import tool is just what you need. Simply paste a list of indicators (separated by line-breaks into this tool).

Since there are several category / type combinations that can be valid for a lot of values, MISP will suggest the most common settings. You can alter the category / type / IDS fields manually if you disagree with the results. The options will be restricted to valid category/type combinations for the value that you have entered.
If any correlation is already found, these correlations will be displayed in the result page.
If you would like to create and maintain an event with a set of indicators that receives removals and additions over time, then the attribute replace tool might make this task easier for you.

Simply select the desired category / type combination, choose whether the attributes should be marked for IDS exports and paste the new list of indicators into the textarea. Attributes of the same category/type that are present in the event but not the new list will be removed, values in the pasted list that do not yet exist as attributes will be created as attributes and values that already have matching attributes will be left untouched.
You can also upload attachments, such as the malware itself, report files from external analysis or simply artifacts dropped by the malware. Clicking on the add attachment button brings up a form that allows you to quickly attach a file to the event. The following fields need to be filled out:

If you would like to propose a modification to an attribute, or to propose some additional attributes to the creating organisation, you can do this with the buttons that replace the add attribute field on the left and the edit icon on the right end of each listed attribute in the event view. The creating organisation of the event will be able to see any proposals and discard or accept the changes.

If the organisation that has created the event is on another connected server, they will be able to accept the proposal once they initiate a pull and receive your proposal. After this they can republish the event, sending the altered attribute back to your instance.
It is also possible to attempt to import the data contained in a .ioc file, The import tool will attempt to gather as many IndicatorItems within nested logical operators as possible without breaking their validity. After the procedure is done, you'll be presented with a list of successfully created attributes and a list of failed IndicatorItems as well as a graph of the .ioc file.


You can also import the data from a ThreatConnect export csv file. The following columns are used by the import tool (and are thus mandatory fields to select during the export):
The result will be a list of attributes that get added to the currently selected event, each of which will be marked with a comment that indicates that its origin being from a ThreatConnect import.
You can use a generic script called IOC parser or use a script published by Palo Alto to convert IOC parser output to a MISP event: [report_to_misp] (https://github.com/PaloAltoNetworks-BD/report_to_misp/).

Once all the attributes and attachments that you want to include with the event are uploaded / set, it is time to finalise its creation by publishing the event (click on publish event in the event view). This will alert the eligible users of it (based on the private-controls of the event and its attributes/attachments and whether they have auto-alert turned on), push the event to instances that your instance connects to and propagate it further based on the distribution rules. It also readies the network related attributes for NIDS signature creation (through the NIDS signature export feature, for more information, go to the export section.). There is an alternate way of publishing an event without alerting any other users, by using the "publish (no email)" button. This should only be used for minor edits (such as correcting a typo).
If your instance has background jobs enabled then the event might not get published immediately.
The MISP interface allows the user to have an overview over or to search for events and attributes of events that are already stored in the system in various ways.
On the left menu bar, the option "List events" will generate a list of the last 60 events. While the attributes themselves aren't shown in this view, the following pieces of information can be seen:

It is also possible to filter the events shown by clicking on the small magnifying glass icons next to the field names and entering a filter term.

List of Related Events The list of relations is shown on the right hand side of the general event information. Events can be related by having one or more attributes that are exact matches. For example, if two events both contain a source IP attribute of 11.11.11.11 then they are related. The list of events that are related the currently shown one, are listed under "Related Events", as links (titled the related event's date and ID number) to the events themselves.
Data Element Toggles You can control some of the data that is shown on this page using three toggles. The elements that can be disabled are the pivot threads, the attributes (and proposals) and the Discussions. You can collapse these elements and then expand them again using the same button.
Pivot Threads While moving from event to event through the relation links (a process that we refer to as pivoting), you create a path that shows which events you have traversed. This path is reset by leaving the event view and navigating elsewhere in the application or by deleting the root pivot element. Each event visited is represented by a bubble in the pivot thread graph, connected by lines that show how the user has arrived at the next connected event. It is possible to jump back to an earlier relation and pivot to another event through that, creating branches in the graph. The currently selected event is coloured blue in the graph. If you would like to delete an element from the graph (including all of elements that branch off of it) just click on the small x within a pivot bubble. For a deletion to be possible the following conditions have to be met:
Attributes and Proposals A list of all attributes and proposals attached to the event. The fields for each of them only differ in the available actions and the fact that for proposals to attributes all fields are blank that would stay unchanged if the proposal was accepted (for example, proposing a change to an attribute to turn the IDS flag on will have all fields apart from the IDS flag blank in the proposal. Here is a list of what each of the fields represents:
Depending on the colour coding of the row, you can have an attribute, a proposal to the event or a proposal to an attribute:
Using the modify button will bring up the attribute creation view, with all data filled out with the attribute's currently stored data.
Event Discussion Thread
Each event has its own assigned discussion where users (that are eligible to see the event) can participate in an open discussion. The users are anonymised in the messages, all that other users will see is their user ID number and their organisation. To post a message on the Event Discussion, either use the reply button on a previous post or use the quickresponse field at the bottom of the page. Each post is made up of the following:
Here is a list of the various tools you can use while using this feature:
View the logs of the event that show how the event has changed over time, including the contribution from other organisations in the form of proposals. There are two ways to get to this view, either by clicking on View Event History on the side menu of an event view, or by clicking on a contribing organisation's logo on the event view. The latter will show a restricted form of the logs, showing only Proposals created by the selected organisation. The fields shown in this view are as described as follows:
Apart from having a list of all the events, it is also possible to get a list of all the stored attributes in the system by clicking on the list attributes button. The produced list of attributes will include the followings fields:

Apart from being able to list all events, it is also possible to search for data contained in the value field of an attribute, by clicking on the "Search Attributes" button.

This will bring up a form that lets you enter one or several search strings (separate search strings with line breaks) that will be compared to the values of all attributes, along with options to narrow down the search based on category and type. The entered search string has to be an exact match with (the sub-string of) a value. A second text field makes it possible to enter event IDs for events that should be excluded from the search (again, each line represents an event ID to be excluded). The third text field allows the user to restrict the results to attributes from certain organisations or to attributes not created by certain other organisations, using the above described syntax. The list generated by the search will look exactly the same as listing all attributes, except that only the attributes that matched the search criteria will be listed (to find out more about the list attributes view, click here). The search parameters will be shown above the produced list and the search terms will be highlighted. The last option is a checkbox that restricts all of the results to attributes that are marked as IDS signatures.

Every event and attribute can easily be edited. First of all it is important to find the event or attribute that is to be edited, using any of the methods mentioned in the section on browsing past events. Once it is found, the edit button (whether it be under actions when events/attributes get listed or simply on the event view) will bring up the same screen as what is used to create the entry of the same type (for an event it would be the event screen as seen here, for an attribute the attribute screen as described here). You can also simply double-click on the event you wish to edit and enter the edit mode. Keep in mind that editing any event (either directly or indirectly through an attribute) will unpublish it, meaning that you'll have to publish it (through the event view) again once you are done.
As described earlier, users with tagging rights can arbitrarily tag events using tags chosen from a pool of available options. If you have tagging privileges and would like to create a new tag, navigate to Event Actions - Add Tag. You'll be presented with the following form:

Fill out the following fields:
Newer users can easily be overwhelmed by having to manually populate events with attributes without any guidance. What sort of information should go into the event? What should be the category and type of a C2 IP? Templates allow users to use simple forms to populate events. Even though MISP ships with a few default templates, it is possible for users (with the appropriate templating privilege) to create new templates for their users or for all users of the instance. Let's look at how you can create a template. First go to Event Actions - Add Template to go to the event creation view.

The following fields have to be filled out:
Once the skeleton template is created, you can start populating the template with data. There are 3 types of elements that can be used during the creation of a template: attribute, file and text elements. Text elements divide the template into sections with an information field, followed by all of the attribute/file fields until a new text field is read. Don't worry about the order of the elements during creation, they can be re-arranged using drag & drop. Let's look at the 3 element types:
Attribute Element

The following fields have to be filled out:
File Element

The following fields have to be filled out:
Text Element

The following fields have to be filled out:
To get in touch with the reporter of a previously registered event, just find the event for which you would like to contact the reporter by either finding it on the list of events, by finding it through one of its attributes or by finding it through a related event. Once the event is found and the event view opened, click the button titled "Contact Reporter". This will bring up a view where you can enter your message that is to be e-mailed to all members of the reporting organisation that subscribe to receiving such reports or the reporting user himself. Along with your message, the detailed information about the event in question will be included in the e-mail.

By default, the message will be sent to every member of the organisation that posted the event in the first place, but if you tick the check-box below the message field before sending the mail, only the person that reported the event will get e-mailed.
It is possible to quickly and conveniently export the data contained within the system using the automation features located in the main menu on the left (available to users with authentication key access only). There are various sets of data that can be exported, by using the authentication key provided by the system (also shown on the export page). If for whatever reason you would need to invalidate your current key and get a new one instead (for example due to the old one becoming compromised) just hit the reset link next to the authentication key in the export view or in your "my profile" view. To find out about the various export formats and the usage within the automation functions, please read the page on the API's usage.
For users that do not have authentication key access, an alternate export feature is available that relies on your interactive login to the site. To access these, just use the export menu button to the left and you'll be presented with a list of export options. Depending on your server's configuration, you will be presented with one of two possible pages, depending on whether you have background processing enabled or not.
The page will list a set of export formats that you can immediately download as a file. Just click on the desired export format and MISP will start collecting all the data that you will receive in a file. Keep in mind that this can be a lengthy process. To avoid having to wait, consult with your instance's site administrator about enabling the background processing.

If the background jobs are enabled, you'll be redirected to a different version of the export page. Here you will see a table with all of the major export formats and the current status of the cached export files. Keep in mind that these are generated on an organisation by organisation basis, so even though others have generated newer export caches your organisation may have an outdated cache. You can simply issue a generate command (by clicking the "Generate" button) on the desired export type and the background workers will start fetching and assembling your cache. A progress bar will show the progress of the export process. Once done, you can click "Download" to download the freshly generated cache file. If the cache is already up to date from before, then you don't have to regenerate the cache, just click on the "download" button. You may have noticed that the TEXT export only has a generate button - this is because TEXT exports are made up of a lot of types of exports, all of which get generated together. To download any of these files, just click on any of the attribute types at the bottom of the table. A quick description of each of the fields in the table:

Apart from the options offered by the export pages, it's also possible to export all events involved in a search attribute result table, by using the "Download results as XML" button on the left menu bar.

Each event's view has its own export feature, both as an XML export and as a .ioc file. To reach these features, just navigate to an event and use the appropriate buttons on the right side.

Apart from being a self contained repository of attacks/malware, one of the main features of MISP is its ability to connect to other instances and share (parts of) its information. The following options allow you to set up and maintain such connections.
In order to share data with a remote server via pushes and pulls, you need to request a valid authentication key from the hosting organisation of the remote instance. When clicking on List Servers and then on New Server, a form comes up that needs to be filled out in order for your instance to connect to it. The following fields need to be filled out:

If you are an administrator, trying to allow another instance to connect to your own, it is vital that two rules are followed when setting up a synchronisation account:
If you ever need to change the data about the linked servers or remove any connections, you have the following options to view and manipulate the server connections, when clicking on List Servers: (you will be able to see a list of all servers that your server connects to, including the base address, the organisation running the server the last pushed and pulled event IDs and the control buttons.).

The platform is also RESTfull, so this means that you can use structured format (XML or JSON) to access Events data.
Use any HTTP compliant library to perform requests. You can choose which format you would like to use as input/output for the REST calls by specifying the Accept and Content-Type headers.
The following headers are required if you wish to receive / push XML data: Authorization: your authorisation key Accept: application/xml Content-Type: application/xml
The following headers are required if you wish to receive / push JSON data: Authorization: your authorisation key Accept: application/json Content-Type: application/json The following table shows the relation of the request type and the resulting action:
| HTTP format | URL | Controller action invoked |
|---|---|---|
| GET | /events | EventsController::index() |
| GET | /events/123 | EventsController::view(123) |
| POST | /events | EventsController::add() |
| PUT | /events/123 | EventsController::edit(123) |
| DELETE | /events/123 | EventsController::delete(123) |
| POST | /events/123 | EventsController::edit(123) |
*Attachments are included using base64 encoding below the data tag.
In this example we fetch the details of a single Event (and thus also his Attributes). The request should be:
GET https://your_misp_url/events/123
And with the HTTP Headers:
Accept: application/xml
Authorization: your_api_key
The response you're going to get is the following data:
<pre><?xml version="1.0" encoding="UTF-8" standalone="no"?>;
<response>
<Event>
<id>57</id>
<org>NCIRC</org>
<date>2014-03-04</date>
<threat_level_id>1</threat_level_id>
<info>Code monkey doing code monkey stuff</info>
<published>1</published>
<uuid>50aa54aa-f7a0-4d74-910d-10f0ff32448e</uuid>
<attribute_count>1</attribute_count>
<analysis>1</analysis>
<timestamp>1393327600</timestamp>
<distribution>1</distribution>
<proposal_email_lock>0</proposal_email_lock>
<orgc>Iglocska</orgc>
<locked>0</locked>
<publish_timestamp>1393327600</publish_timestamp>
<Attribute>
<id>9577</id>
<type>other</type>
<category>Artifacts dropped</category>
<to_ids>1</to_ids>
<uuid>50aa54bd-adec-4544-b494-10f0ff32448e</uuid>
<event_id>57</event_id>
<distribution>1</distribution>
<timestamp>1393327600</timestamp>
<comment>This is an Attribute</comment>
<value>Some_attribute</value>
<ShadowAttribute />
</Attribute>
<ShadowAttribute />
<RelatedEvent />
</Event>
<xml_version>2.2.0</xml_version>
</response>
In this example we want to add a single Event. The request should be:
POST https://your_misp_url/events
Accept: application/xml
Authorization: your_api_key
And the request body:
<Event>
<date>2014-03-04</date>
<threat_level_id>1</threat_level_id>
<info>Something concise</info>
<published>1</published>
<analysis>1</analysis>
<distribution>1</distribution>
<Attribute>
<type>other</type>
<category>Artifacts dropped</category>
<to_ids>1</to_ids>
<distribution>1</distribution>
<comment>This is an Attribute</comment>
<value>Some_attribute</value>
</Attribute>
</Event>
The response you're going to get is the following data:
HTTP/1.1 100 Continue
HTTP/1.1 200 Continue
Date: Tue, 04-Mar-2014 15:00:00
Server: Apache/2.2.22 (Ubuntu) PHP/5.4.9-4ubuntu2.3
X-Powered-By: PHP/5.4.9-4ubuntu2.3
Set-Cookie: CAKEPHP=deleted; expires=Wed, 05-Mar-2014 15:00:00 GMT; path=/
Set-Cookie: CAKEPHP=a4ok3lr5p9n5drqj27025i4le3; expires Tue, 04-Mar-2014 15:00:00 GMT; path=/; HttpOnly
Content-Length: 1 kB
Content-Type: application/xml
<?xml version = "1.0" encoding = "UTF-8"?>
<response>
<Event>
<id>76</id>
<org>NCIRC</org>
<date>2014-03-04</date>
<threat_level_id>1</threat_level_id>
<info>Something concise</info>
<published>1</published>
<uuid>50aa54aa-f7a0-4d74-920d-10f0ff32448e</uuid>
<attribute_count>1</attribute_count>
<analysis>1</analysis>
<timestamp>1393328991</timestamp>
<distribution>1</distribution>
<proposal_email_lock>0</proposal_email_lock>
<orgc>Iglocska</orgc>
<locked>0</locked>
<publish_timestamp>1393947960</publish_timestamp>
<Attribute>
<id>10462</id>
<type>other</type>
<category>Artifacts dropped</category>
<to_ids>1</to_ids>
<uuid>50aa54bd-adec-4544-b412-10f0ff32448e</uuid>
<event_id>76</event_id>
<distribution>1</distribution>
<timestamp>1393328991</timestamp>
<comment/>
<value>Some_attribute</value>
<ShadowAttribute/>
</Attribute>
<ShadowAttribute/>
<RelatedEvent>
<id>75</id>
<org>NCIRC</org>
<date>2012-11-19</date>
<info>Code monkey doing code monkey stuff</info>
<uuid>50aa54aa-f7a0-4d74-910d-10f0ff32448e</uuid>
<published>1</published>
<analysis>1</analysis>
<attribute_count>1</attribute_count>
<orgc>Iglocska</orgc>
<timestamp>1393327600</timestamp>
<distribution>1</distribution>
<proposal_email_lock>0</proposal_email_lock>
<locked>0</locked>
<threat_level_id>1</threat_level_id>
<publish_timestamp>1393947655</publish_timestamp>
</RelatedEvent>
</Event>
<xml_version>2.2.0</xml_version>
</response>
The response from requesting an invalid page
<?xml version = "1.0" encoding = "UTF-8"?>
<response>
<name>Not Found</name>
<url>/The_meaning_of_life</url>
</response>
MISP 2.4.172 introduced multi-factor authentication (TOTP/HOTP) support. For information on how to enable and configure this feature, please refer to the administration section.
Using the top menu bar, navigate to Global Actions > My Profile. Click the TOTP Generate button.

You can then use your favorite TOTP application (for example: Winauth or Google authenticator) on the next screen. Validate the set up is done correctly by entering a verification code.

Once your set up has been validated, you will get redirected to a page containing your 50 HOTP/paper based tokens.

You can view these tokens again later, by going to your profile and clicking the View paper tokens button.

After setting up TOTP/HOTP for your account, you will be prompted for an OTP on future logins.

Deletion of the TOTP/HOTP setup for your user can only be done by site admins and organisation admins. Reach out to your org admin (preferred), or alternatively to a site admin of your instance, in case you want to set up new tokens.
It is currently not possible to combine multiple forms of multi-factor authentication. As an example: once your user has TOTP/HOTP assigned, you can't use e-mail OTP for it. If you are using a system which has e-mail OTP set up as well, e-mail OTP will be used again when your TOTP/HOTP setup is deleted.