MISP playbooks address common use-cases encountered by SOCs, CSIRTs or CTI teams to detect, react and analyse specific intelligence received by MISP.
The MISP playbooks are built with Jupyter notebooks and contain
This repository contains the documentation to get started with MISP playbooks.
The repository contains these playbooks
| Title | Purpose | Playbook | Issue |
|---|---|---|---|
| Malware triage | A playbook to provide an analyst sufficient information to do basic malware triage on one or more samples. Samples are attached to a MISP event (with file object relations). VirusTotal and MalwareBazaar are used to get the detection rate, threat classification and sandbox information. Hashlookup is used to check for known hashes. PEfile analysis is done for imports and exports. The results are stored in MISP reports and as MISP objects where relevant. Correlations with MISP events or data feeds are added to a summary. The sample is shared with a local instance of MWDBcore. | MISP Playbook MISP Playbook with output |
2 |
| Malware triage - dynamic malware analysis | This playbook extends the results retrieved with static malware analysis in the malware triage playbook and does the dynamic malware analysis with one or more sandboxes. This playbook uses VMRay, Hybrid-Analysis and VirusTotal as malware sandboxes. The results are stored in a MISP report and sent to Mattermost. |
MISP Playbook MISP Playbook with output |
3 |
| Malware triage - Query file hash | This playbook is complementary to the playbooks for static malware analysis and dynamic malware analysis and investigates file hashes. This way you can discover with which malware a hash corresponds. It checks if the hashes are found on MISP warninglists, in MISP events or in MISP feeds. The playbook uses the information from VirusTotal, Hashlookup and MalwareBazaar to provide context information on hashes. It creates a MISP report for each hash and then sends a report to Mattermost. | MISP Playbook MISP Playbook with output |
15 |
| Threat actor profiling | Query MISP events associated with a specific threat actor. Summarises the galaxies, clusters and tags from the MISP events, lists the vulnerabilities (CVE) and the actionable indicators. Optionally query the MITRE TAXII server to get a list of associated techniques and software. Results are stored in the playbook and sent to Mattermost and TheHive. |
MISP Playbook MISP Playbook with output |
26 |
| Query CVE information | Query MISP events for the use of specific CVEs. List these events with their context (galaxies, focus on MITRE ATT&CK). Query public sources (CVE search, vulners, XForceExchange, exploitdb) for additional CVE information. Results are stored in the playbook, in a MISP event and sent to Mattermost and TheHive. |
MISP Playbook MISP Playbook with output |
25 |
| Query IP reputation | Query for the reputation of one or more IPs. It combines the reputation scores from VirusTotal, Shodan, Greynoise and AbuseIPDB into one MISP report. The playbook adds the known associated domains, the abuse contacts and the geo information from MMDB. All information is added to a MISP event, summarised and send to Mattermost and TheHive. | MISP Playbook MISP Playbook with output |
12 |
| Query domain reputation | Query enabled OSINT feeds and MISP events for matches with one or more domain name(s). Query URLscan for historical scans related to these domains and extract screenshots. Use MISP modules to look up the DNS resolutions and query VirusTotal, Shodan and URLhaus for information related to the domains. Results are stored in the playbook, in a MISP event and sent to Mattermost and TheHive. |
MISP Playbook MISP Playbook with output |
13 |
| Query for inconsistencies in MISP events | This playbook checks for inconsistencies in the event distribution, the TLP designation and the PAP marking. The playbook also verifies if events contain sufficient attributes, objects, tags or galaxies. There are also checks for inconsistencies with the workflow tags, a taxonomy that is often used during threat intelligence curation. The results are listed in the playbook and sent to Mattermost. Note that MISP has also built-in checks encoded in DefaultWarning.php |
MISP Playbook MISP Playbook with output |
22 |
| Curate threat events | This playbook queries for MISP events that require curation and addresses the remaining curation tasks. In general you run this playbook after your automatic or manual curation process has highlighted the events that require a review but you can also force the playbook to curate all events. This playbook uses the hashlookup and mmdb_lookup MISP modules. The curation tasks include disable to_ids for attributes matching a warninglist, disable to_ids for attributes matching known software (via hashlookup), add a GalaxyCluster with the location of an IP (via mmdb_lookup), add TTPs, based on string matches in the event title, tag attributes that are also in MISP feeds (tagging allows easier filtering afterwards). The results are summarised and shared with Mattermost. |
MISP Playbook MISP Playbook with output |
21 |
| Curation: disable decayed indicators | This playbook disables decayed indicators. It uses a custom decaying model defined in this playbook but can also rely on the MISP build-in models. When an indicator is considered decayed, the to_ids flag is set to False and the attribute is tagged. The build-in decaying feature of MISP adds a (decay) score to an indicator but does not automatically disable it. This playbook allows you to do just that. The playbook can exclude or include attributes that are tagged with specific labels. Use this MISP playbook together with the Curate threat events and Query for inconsistencies in MISP events playbook for optimal threat intelligence curation result. The results are summarised at the end of the playbook and shared with Mattermost. |
MISP Playbook MISP Playbook with output |
30 |
| Create a custom MISP warninglist | Create a custom MISP warninglist with a set of entries provided by the analyst as input. A check is done if the warninglist already exists. If the warninglist exists then the entries are added to the existing warninglist. When the warninglist is created the MISP events are queried for matches (‘retro-search’). Query Shodan and VirusTotal for matches with entries in the warninglist. The result of the creation of the warninglist as well as the matches is summarised aand sent to Mattermost and added as an alert in TheHive. |
MISP Playbook MISP Playbook with output |
7 |
| Retroscan with a MISP warninglist | This playbook does a retroscan to check for attributes matching the values in a warninglist. You can then disable the to_ids flag or add a tag or comment. This playbook is often used for threat intelligence curation when you add a new warninglist to MISP. The results are summarised, sent to Mattermost and added as an alert in TheHive. |
MISP Playbook MISP Playbook with output |
8 |
| Create MISP objects and relationships | This playbook walks the analyst through the phases of creating MISP objects and adding a relationship between these objects. The playbook is typically triggered when an an analyst wants to add related, contextually linked, attributes to a MISP event. The objects are added to a new or an existing MISP event. The playbook prints out a summary that can be used to notify colleagues via Mattermost. The playbook uses an Emotet sample to demonstrate the functionality, with links from a file object to URL and HTTP request objects. It also creates the victim objects. |
MISP Playbook MISP Playbook with output |
11 |
| Create or update a MISP event with information from a phishing incident with a link | This playbook creates a MISP event with details of a phishing incident. The playbook requires the phishing indicators such as the links, e-mail body, headers, subject and senders as input. It encodex these values as attributes and objects. It creates relationships between the objects and sets default tags and MISP clusters. Query MISP events and OSINT feeds for matches with the indicators. URLscan is queried for the links in the e-mail and historical scan results and screenshots are imported in the playbook and MISP. Use IP and ASN information of the location where the URL is hosted. Submit URLs to Lookyloo for further analysis. A final report with indicators is summarised in the playbook and sent via chat to Mattermost. The results can also be added as an alert to TheHive. |
MISP Playbook MISP Playbook with output |
1 |
| Using timestamps in MISP | A playbook that documents the different timestamps that are used in MISP. Go through the timestamp for publishing and last changes as well as how these can be used in search queries. Document what changes a timestamp in a MISP event. |
MISP Playbook MISP Playbook with output |
42 |
| Provision users and organisations | This playbook creates users and organisations with PyMISP. It also shows how to reset a password and delete or disable users. It includes an example how to get the user logs and how to create large number of users at once. | MISP Playbook MISP Playbook with output |
43 |
| Bulk delete MISP events | A playbook to assist MISP users in doing bulk deletes of MISP events. Deletes are done for events created by organisations, for events before or after specific dates, published or unpublished events or for events with specific tags. A summary of the actions is printed and published on Mattermost. | MISP Playbook MISP Playbook with output |
29 |
| Jupyterthon 2024 MISP playbook | A playbook to demonstrate MISP playbooks at Jupyterthon 2024 | MISP Playbook | 51 |
| Skeleton MISP playbook | This playbook can be used as a skeleton (or template) to start new MISP playbooks. | Use MISP playbook guidelines to create a new MISP playbook. |
If you identify a missing playbook then submit a New MISP playbook proposal via the GitHub issue tracker.