There are some broken links for images into the quick start (the last one, "") and in the General Layout (in event actions, "").

It's a recurring question, the idea isn't to set some hard minimums, but rather to describe usual / recommended requirements and guidance.

Depending on your configuration,you might need to change the base URL in MISP server settings.
This could be documented on the VM part

MISP/MISP#2734

Events, Attributes, Indicators, Observable definition and description how this is used in MISP 2.4

Some topics to add

• Addition of new attributes not currently supported in MISP (like MISP/MISP#800)
• Proposing tools using PyMISP
• Updating documentation

I followed the install guide according, and when I start the process everything appears to start but I am not able to access http://misp/user/login url. I am getting an error 500.
sudo su -s /bin/bash apache -c 'scl enable rh-php56 /var/www/MISP/app/Console/worker/start.sh'
[sudo] password for sjohn345:
Stopping workers
Stopping 12950 ... Done
Stopping the Scheduler Worker ... Done
Stopping 12968 ... Done
Stopping 12986 ... Done
Stopping 13004 ... Done

Creating workers
Starting worker ... Done

Creating workers
Starting worker ... Done

Creating workers
Starting worker ... Done

Creating workers
Starting worker ... Done

Creating the scheduler workers
Starting scheduler worker ... Done
! more misp.local_error.log
[Wed Jul 05 21:28:56.478562 2017] [:error] [pid 11684] [client ::1:51188] PHP Fatal error: Can't use function return value in write context in /var/www/MISP/app/Controller/UsersController.php on line 97
[Wed Jul 05 21:28:56.479803 2017] [:error] [pid 11684] [client ::1:51188] PHP Fatal error: Can't use function return value in write context in /var/www/MISP/app/Controller/AppController.php on line 305
[Wed Jul 05 21:29:02.058256 2017] [:error] [pid 2369] [client ::1:51190] PHP Fatal error: Can't use function return value in write context in /var/www/MISP/app/Controller/AppController.php on line 305

As far as I can see, there is no part that covers how to deal with servers / sharing etc.

Shall I write it?

We should document all the rules in MISP to un-defang URLs and other artifacts.

Quote from a mail, this but better explained:

"our mantra is, keep your data for correlation and exclude it from the exports. What I'd suggest:

a. Set an automatic tag for your feed (such as "expireMeInAMonth") - these tags will be automatically applied to all events coming from the feed hereafter
b. When exporting data from MISP, for example for your SIEM/NIDS/etc use the following rules:

• 1x full data set, but exclude everything tagged "expireMeInAMonth"
• 1x the data set carrying the "expireMeInAMonth" tag, but with the "last":"30d" parameter set
  c. Feed both data sets to your tools

This will get you all your regular data + the past 30 day's worth of data from the feed."

new strict JSON schema to add https://github.com/MISP/PyMISP/blob/master/pymisp/data/schema.json

I am using the api endpoint:

https://<server-name>/events/

and trying to get all the events. The issue I'm having is that this endpoint returns too many events at once. Is there a way to specify start / end in the RESTful api? I saw you could with the /events/xml/download endpoint, but I just want to get the json response rather than a file.

I've tried:

https://<server-name>/events?from=2016-01-01
https://<server-name>/events/null/null/null/2016-01-01

Is MISP compatible with other Threat sharing solutions such as CIFS?

We got a lot of questions regarding the MISP hardware requirements. Maybe we should add a specific section about this.

A note about the PHP session and the recommended Redis session and the config
aspect too:

https://www.digitalocean.com/community/tutorials/how-to-set-up-a-redis-server-as-a-session-handler-for-php-on-ubuntu-14-04

Explain fields such as delta merge

Dears,

Since MISP 2.4.80, we have the possibility to define objects. If you download a sample, the object is automatically created with subsequent attributes (filename, md5, sha1, sha256 and filesize).
However, it seems that this information is not included when publishing the event to ZMQ.

Am I missing something or is it not supported? I am running 2.4.80 on Ubuntu.

Thanks a lot in advance for your help!

BR's
Irving

Mentioning double-click to edit an event

example - convention with example organisations

1. Create a use-case based description of how to deploy MISP in the sense of requirements, topologies, etc
2. Write a tool that calculates optimal provisioning based on desired data/community sizes.

As requested in MISP/MISP#729 , we should better document the threat id.

1 = high
2 = medium
3 = low
4 = undefined

The practical examples of the tool-tip could be used to show the potential interpretation of the threat id.

Include the default example of lifetime of an event (based on the current xmind)

Broken anchor (interface from scheduled task)

via @adulau

Sharing groups explanation and usage to add

Describe role of each worker and their respective interdependencies.

https://misppriv.circl.lu/attributes/describeTypes.json

to add in the doc

Back-up of MISP to be documented

This is to document the open points in the API documentation:

• Describe Error Codes

• make CURL examples for every Endpoint

• document searchtimestamp (see #32)

• POST /events more fields explanation

• remove API keys from sample data

I up to date misp-book/general-layout/

In the menu bar "layout Filter", it seems to be a new tab "Warning List", who is not documented. What is it and for what can I use that? (Yeah, I know that it will shows a list of warnings, but I don't know why it is usefull).

During Hackathon & Training days in Luxembourg in March 2018, we discussed with Andras and Alexandre Dulaunoy about having Sequence Diagrams or other visualization to explain how people work and interact with MISP.

A suggestion is to use Web Sequence Diagrams like markup text to graph / svg / png:

Title: Adding new MISP events

Alice (Org A) -> MISP unpublished: Add event

Note: 
**Any edit/modification on exiting event** puts back the Event in _unpublished mode_.

Alice (Org A) -->> Bob (Org A, Publisher): _Out of band Notification (voice, sms, ...): Please verrify and publish my Event_

MISP unpublished -> Bob (Org A, Publisher): Publish

Bob (Org A, Publisher) -> MISP published: Publish

Note: See **[MISP guide](https://github.com/MISP/MISP/)** for more details

Many tools:
Commercial: https://swimlanes.io/#dVBNa4NAEL3vr3hHI0bvOQgWeughTSC9lSLqjjpUd4M72ubfd42Shn7Asiwz72vfC0tHO2Ras2lg6AP7p9MRNJERp1TWcUUIDkODbINtumxHcx7Ljl1L+kpd4Eo9W/FaKgwzcwFplqS3mmuuCmFr4A99ssxGV0IY4jyKQ1lU75CW8DhPwQb5nQO8BuXxryzbNMWDLddBhONKGDY75IdRYGuvbDR8qu8MwWS9SgTXuwhxHHvwsaPCESYaBq4vmCmrOfrLkilX6ufH5zL+s1/fSv0NuPV41+KNsnR4IkIYvl5Rzcia3oJW5Ox2SdKwtGMZV7ZP5vVybXyXtR18VwNBkxTcOfUF

or Free: https://bramp.github.io/js-sequence-diagrams/

PyMISP documentation in misp-book

add visual for explaining the distribution levels including misp-training slides (usage)

Write a simple documentation about the MISP protocol use for synchronisation along with the distribution of events within the MISP instances. (2.4 protocol)

I tried getting the MISP Book running locally but failed to do so only relying on the notes in the USAGE file.
I'm on Ubuntu (15.10 in this case) and finally got it working after doing these steps on a clean installation:

Install node and npm

sudo apt-get install nodejs nodejs-legacy npm 

Install further requirements

sudo apt-get install libcairo2-dev libjpeg-dev
sudo apt-get install calibre  # for generating PDFs

Might save other people a few minutes if you could include these instructions, what do you think?

https://github.com/MISP/misp-book/blame/master/taxonomy/README.md#L86

It's not clear to me what "Her, we classified Tags." is supposed to mean.

use-case chapter - how to deal with false-positive

Might be incomplete or having outdated screens

• Administration
• Misp Objects
• Quick Start
• General layout
• Managing feeds
• Sightings
• Taxonomies (lists)
• Galaxy (lists)
• Using the system

(Non exaustive list)

Hi

Since misp-book has been exported from main MISP archive, license of miss-book should be GNU Affero GPL v3.
However, since it is a documentation, and I would believe that it is in the interest of the MISP project for such documentation to be licensed under a more "academic" framework, I would suggest the following:

a - IF you can get the formal agreement of all authors (i.e., contributors to the documentation and - if applicable and required, so check with contributors - their employers), relicense the content under a simpler Creative common CC-BY 4.0 license (which in version 4 is compatible with the GNU Affero GPL v3 License). Other option is dual license of documentation (again, if agreement is granted by all contributors or reap. right holders), CC BY 4.0 AND Affero GNU GPL v3.
Attribution-only licenses will allow third parties to use the content of documentation as they please (as long as authors are acknowledged), which shouldn't be an issue since this is a supportive content to the benefit of MISP.
b - IF NOT, license for documentation is solely GNU Affero GPL v3.

Matthieu

Add best-practices for tagging (especially when to tag at event or attribute level)

OSINT feed creation and usage to add (based on Koen blog post)

https://www.vanimpe.eu/2016/03/23/using-open-source-intelligence-osint-with-misp/

Okay, this is super-nitpicky... :-)

The book uses "GPG", "Gpg", "GnuPG", and "PGP". Suggest to use only one term to simplify searching...

Good morning ,

I have an issue with Pymisp.

When I try to change/add/delete the tag of any event via web, the event
goes to unpublished status. But,changing/adding/removing the tag via API
(pymisp) does not change the publishing status of that event.

Is that an error?
What would be the method to make these massive label changes through
Pymisp and change the publication status of each event?

Thank you very much in advance.

I look forward to hearing from you.

Greetings.

There is no documentation about "hover" and "expansion" that is supposed to come with the misp-modules.

Some of our users have pointed out that the thumbs-up/down interface for sightings may be confusing. They understood that the "thumbs-up" button was to be used to signal any kind of sighting (true or false positive), and then the thumbs-down was to be click additionally in case of false positive.

Even though that was not my understanding, by reading the documentation, together with the icon tooltips, I think the wording may be a bit ambiguous.

I open this issue to get confirmation from the developers/designers that the "canonical use" is:

• Thumbs-up for signalling only a true positive.
• Thumbs-down for signalling a false positive.

If confirmed, I can propose a pull-request to clarify this point in the documentation.

Also, a change in the icon tooltips could be considered to clarify this use. I will do a PR for that in the corresponding repo.

Following this discussion MISP/MISP#1015 we should update the documentation about the distribution and what is pulled or not following the distribution level.

Feed section needs to be updated following the new separation (caching versus import)