Create an Event Based on a Report

Last modified: Wed Oct 02 2024 16:09:21 GMT+0200 (Central European Summer Time)

Create an event based on a report

[warning] A specific permission is required to create an event.

For this example, we will use a report found on Bleeping Computer, which is therefore considered OSINT.

Report title

Adding an event

First of all, we need to create a new event. To do so, we click the "Add Event" option in the Events list view.

Add Event Option

Then we get the add event form.

Add Event form

Let's fill it with the data we already have:

Add Event form filled

Then just press the blue "Add" button and here we have a brand new event. Empty.

EMPTY EVENT YAY

(Displayed information can change depending on your role on the MISP instance)

Adding Attributes

Now it is time to populate this event. But before even adding IoCs, we are going to add global information about the report itself: the link to the report and a short explanation or introduction. To do so, we need to click on the "Add Attribute" option in the side menu. This will show us this view:

add attribute

add attribute filled

All fields are properly filled? Then let's press the "submit" button, and ta-dah!

attribute added YAY

Now we can do a similar procedure to add an introduction to the report (that is to say, the first paragraph of the report). We will simply change the type to text. But this time, we will access the add attribute form by clicking on the small + symbol next to the attribute table.

Noooo you found meeeeee

The same form as before will appear in a popup.

add attribute popup

Again, we fill it with the required data.

add attribute popup

Then we submit it by clicking on the blue button. Et voilà!

MAGIC

Okay, now it is time to add some Indicators of Compromise. In this report, they are mainly listed at the end.

OMG IOC

Let's try to define which category/type those IoC belong to.

First, Windows-TuneUp.exe is without a doubt a filename, and the associated category may be Payload delivery.

Second, the registry entries (type regkey) seem to belong to the Artifacts dropped category.

Then the hashes, which the report already states are SHA-256; a quick check on VirusTotal also reveals that they correspond to the filename seen earlier, so we can add both as a filename|sha256 association. Once again, the category will be Payload delivery.

And finally the network communication. No doubt here for the category: Network activity. The type might be url, but for this example we will let MISP decide for us.

So we begin with the filename. No real change from before for this one, except that we will set the IDS flag to true.

filename

Freetext Import Tool

Then we can add the hashes in a similar way. We will add them both alone and combined with the filename. In order to do it quickly, we are going to use the freetext import tool, hidden there:

freetext import step 1

It will open a popup with a text area field where we will paste our IoC, one per line. As said previously, we add both the hashes alone and with the filename.

freetext import step 2

Then, when we press the submit button, we are redirected to this page to check the submitted data.

freetext import step 3

Here, MISP detected by itself which category and type should be associated with our IoCs, and surprise! It matches our suppositions. Plus, it also set the IDS flag, so it is perfect. But before submitting, please double check to be sure all the values are correct and no information was lost (that can happen when the data are not formatted as MISP expects).

If MISP's results were not what we expected, we can still modify them; however, MISP will only suggest categories/types that suit the format of the data. We can change them for each attribute individually, or for all of them at the same time using the option at the bottom right of the form. The same principle also applies to the comments, individually or for all.

freetext import suggestions

(Yes I have two cursors, MISP is magic!)

We only have the network indicators left, and as said before, we will let MISP determine for us which type is the best for the data we have.

freetext import network

type recognition fail

Oh well, that was unexpected. In fact, it is not that surprising given the format of the Tor address, which looks more like a filename than a URL, but it is still a problem, since we can't change the type or the category to a more consistent one. This is indeed one of the limitations of the freetext import. To solve this issue, we will use a simple trick: we will add a slash at the end of the Tor address so it won't be confused with a filename.

freetext import network

type recognition fail

Thanks to the added character, the first string is recognised as a URL, which is more consistent with reality. The second also seems okay, so we can now submit both.
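The category/type reasoning above, and the freetext-import quirk with the Tor address, can be exercised offline. The following is an added example, not part of this documentation and not MISP's own freetext parser: it is a simplified stand-in classifier whose rules are chosen to reproduce the behaviour described here (a bare .onion host is taken for a filename until a trailing slash is added), and it assembles the result into the JSON shape MISP uses for Event and Attribute documents. The toy TLD list, the "External analysis" category used for the link and text attributes, and all sample values (the SHA-256 of the empty string stands in for a real hash) are this example's assumptions.

```python
"""Offline re-implementation of the attribute classification done by hand in the
walkthrough, plus the MISP-shaped event document it would produce.

Not MISP's real freetext parser: the regexes below are a simplified stand-in that
reproduces the behaviour the text describes. Sample values are constructed."""
import json
import re

SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE)
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
# Toy TLD list (assumption). '.onion' is deliberately absent, so a bare onion host
# falls through to the filename rule, exactly the misdetection shown above.
DOMAIN_RE = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:com|net|org|example|test)$",
                       re.IGNORECASE)
# A URL, for this classifier: host.tld followed by ':port' or '/path' (an empty path counts,
# which is why appending '/' to the onion address flips it from filename to url).
URL_RE = re.compile(r"^(?:https?://)?[^\s/]+\.[A-Za-z]{2,}(?:[:/]\S*)$")
# A filename: no path separators or '|', and a dot-separated extension.
FILENAME_RE = re.compile(r"^[^\s/\\|]+\.[A-Za-z0-9]{1,10}$")
REGKEY_PREFIXES = ("HKLM\\", "HKCU\\", "HKCR\\", "HKU\\", "HKEY_")


def classify(value):
    """Return (category, type, to_ids) for one indicator string.

    Follows the walkthrough's reasoning: filenames and hashes are Payload delivery,
    registry keys are Artifacts dropped, hosts/URLs/IPs are Network activity.
    to_ids is set on everything a detection system can consume (this example's rule)."""
    value = value.strip()
    if value.startswith(REGKEY_PREFIXES):
        return ("Artifacts dropped", "regkey", True)
    if "|" in value:
        name, digest = value.split("|", 1)
        if FILENAME_RE.match(name) and SHA256_RE.match(digest):
            return ("Payload delivery", "filename|sha256", True)
    if SHA256_RE.match(value):
        return ("Payload delivery", "sha256", True)
    if IPV4_RE.match(value):
        return ("Network activity", "ip-dst", True)
    if URL_RE.match(value):
        return ("Network activity", "url", True)
    if DOMAIN_RE.match(value):
        return ("Network activity", "domain", True)
    if FILENAME_RE.match(value):
        return ("Payload delivery", "filename", True)
    return ("Other", "text", False)


def freetext_import(text):
    """One attribute per non-empty line, as the freetext import popup expects."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        category, attr_type, to_ids = classify(line)
        rows.append({"category": category, "type": attr_type, "value": line, "to_ids": to_ids})
    return rows


def build_event(info, report_link, intro, freetext):
    """Assemble the event in MISP's Event/Attribute JSON shape.

    distribution 0 = your organisation only, threat_level_id 2 = medium, analysis 0 = initial.
    The link and introduction are stored first, as the walkthrough does, under
    'External analysis' (this example's choice of category)."""
    attributes = [
        {"category": "External analysis", "type": "link", "value": report_link, "to_ids": False},
        {"category": "External analysis", "type": "text", "value": intro, "to_ids": False},
    ]
    attributes.extend(freetext_import(freetext))
    return {"Event": {"info": info, "distribution": 0, "threat_level_id": 2,
                      "analysis": 0, "Attribute": attributes}}


if __name__ == "__main__":
    # SHA-256 of the empty string: a placeholder, not a real indicator.
    EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
    sample = "\n".join([
        "Windows-TuneUp.exe",
        EMPTY_SHA256,
        f"Windows-TuneUp.exe|{EMPTY_SHA256}",
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\TuneUp",  # constructed key
        "exampleonionaddress.onion",   # misread as a filename, like in the walkthrough
        "exampleonionaddress.onion/",  # the trailing-slash trick makes it a url
    ])
    event = build_event("Example ransomware report (constructed)",
                        "https://example.test/report",
                        "First paragraph of the report goes here.", sample)
    print(json.dumps(event, indent=2))
```

Running the module prints the assembled event; the two onion lines land as `filename` and `url` respectively, which is the misdetection and the fix shown in the screenshots above.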

Batch Import

The Freetext Import works properly only with data strings that contain no spaces on a single line. But if you have lines of text with spaces between values, for example

freetext_with_spaces1

you can still import them at once using the "Add Attribute" option. Click on Add Attribute, copy the data and paste it into the Value box. Choose the right category and type. Now check both checkboxes, Intrusion Detection System and Batch Import. The Batch Import option will import your data line by line, just like the Freetext Import option, without losing any information. Like this:

addattribute_freetext

And that is all we can get for the main information and IoCs in this report. If we search more carefully, there might still be some information left in it, like the filename of the ransom note for instance, but we will stop here for this example.

Modify the event

If you want to modify your event from the home page, you can either double click on the event or click the edit symbol located in the Actions column on the right side. You will be redirected to the editing mode of the selected event.