Managing events in MISP

  • Release version: Australia
  • Updated: March 12, 2026
  • Reading time: 23 minutes

    You can create events in MISP automatically or manually from the ServiceNow AI Platform. You can also edit the event data in MISP from the ServiceNow AI Platform.

    Verifying automatically created events in MISP

    You can verify the automatically created events after you configure the event creation profile in your ServiceNow AI Platform instance.

    Automatic event creation profile

    Users with the sn_si.admin or sn_ti.admin role configure the automatic event creation profile in the MISP Integration > Automatic Event Creation Profiles module.

    Viewing the MISP event data

    You can view the created events in the following ways:

    • View the work notes for the created events. You can view the event details in the ServiceNow AI Platform instance and also as they appear in the MISP server, as shown in the following example.
      Figure 1. Work notes for created events
    • Click the Associated MISP Events related list. Here, you can view the event in relation to the security incident and the MISP resources, as shown in the following example.
      Figure 2. List of associated events
    • View the MISP event data in the form view to review the detailed information about the MISP events, as shown in the following example.
      Figure 3. Event data in the form view

    Manually create an event in MISP

    Manually create events in MISP from the ServiceNow AI Platform to capture contextually related information represented as attributes and objects.

    Before you begin

    Procedure

    1. Navigate to All > Security Incident > Show All Incidents.
    2. Select the security incident that contains the observables that you want to create an event for.
    3. Click Create a new event in MISP.
    4. In the Create a new event in MISP dialog box, fill in the details.
      Table 1. Create an event in MISP dialog box
      Field: Description
      Date: Creation date of the event in MISP.
      Event Info: Event information that is automatically created from the ServiceNow AI Platform Security Incident Response.
      Threat Level: Risk level of the event. You can categorize the incidents into three different threat categories (low, medium, high). This field can also be left as undefined. The following are the options:
        • Low: General mass malware
        • Medium: Advanced Persistent Threats (APT)
        • High: Sophisticated APTs and 0-day attacks
      Source: MISP source for the event creation.
      Distribution: Option that controls who can view this event after the event is published. This option also controls whether the event is synchronized to other servers. The distribution is inherited by the attributes. The most restrictive setting wins. The distribution options are as follows:
        • Your organization only: Enables only the members of your organization to view this event. The event can be pulled to another instance by one of your organization members, where only your organization has access to view it. Events with this setting are not synchronized.
        • This community only: Enables users that are part of your MISP community to view the event, including your own organization, organizations on this MISP server, and organizations that run MISP servers that synchronize with this server. Any other organizations that are connected to linked servers are restricted from viewing the event.
        • Connected communities: Enables users that are part of your MISP community to view the event, including all organizations on this MISP server, all organizations on MISP servers that synchronize with this server, and the hosting organizations of servers that connect to any server that is two hops away. Any other organizations that are connected to the linked servers that are two hops away from this server are restricted from viewing the event.
        • All communities: Shares the event with all MISP communities.
      Analysis: Current stage of the analysis for the event with the following possible options:
        • Initial: The analysis is just beginning
        • Ongoing: The analysis is in progress
        • Completed: The analysis is complete
      Advanced Options:
        Add SIR associated observables as attributes to MISP Event: Option to add available observables in a security incident to a MISP event as attributes. This option enables the Set attribute IDS flag when observable finding is malicious option.
        Set attribute IDS flag when observable finding is malicious: When an observable is marked as malicious in SIR, the IDS flag of the corresponding attribute in MISP is also marked as true.
        Filter observables based on security tags: Option to filter the observables based on the selected security tags. This option provides the capability to distinguish and manage the MISP events in threat intelligence.
          Security tags: Add tags to filter the observables. For example, if you add a tag called 'Block from sharing' or 'TLP: White', any observable that has one of these tags associated is not added as an attribute to the MISP event during the MISP event creation.
        Synch Security Incident MITRE ATT&CK techniques as local galaxies to MISP event: Option to synchronize the ServiceNow AI Platform SIR security incident MITRE-ATT&CK™ techniques as local galaxies in the MISP event.
        Sync Security Incident MITRE ATT&CK techniques as global galaxies to MISP event: Option to synchronize the ServiceNow AI Platform SIR security incident MITRE-ATT&CK™ techniques as global galaxies in the MISP event.
        Add tags to the MISP event: Option that allows you to add MISP tags to the events that are created from ServiceNow. This option displays the following options:
          • Local (Tags): The selected tags are added as local tags to the MISP event.
          • Global (Tags): The selected tags are added as global tags to the MISP event.
    5. Click Create New MISP Event.

      The following example shows that after you create an event in MISP, you can view the results in the security incident. You can also view the work notes, the event in the ServiceNow AI Platform instance, and the event in the MISP server.

      Figure 4. Manually create an event in MISP from the ServiceNow AI Platform
      You can view the results in the following ways:
      • A success message appears at the top of the security incident page. You can view the event details in the ServiceNow AI Platform instance and also as it appears in the MISP server.
      • In the work notes, you can view the success message with more details. You can also view the event details in the ServiceNow AI Platform instance and also as it appears in the MISP server.
      • In the Associated MISP Events related list, you can view the event in relation to the security incident and the MISP resources.
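
    The following Python sketch is an added example, not ServiceNow or MISP project code. It shows how the dialog choices described above (threat level, analysis, distribution, the security-tag filter, and the IDS flag) correspond to the fields of a MISP event payload. The observable field names and the sample incident are constructed for illustration; the numeric codes are those of MISP's event format.

```python
import json

# Numeric codes of MISP's event format for the dialog's option labels.
THREAT_LEVEL = {"High": 1, "Medium": 2, "Low": 3, "Undefined": 4}
ANALYSIS = {"Initial": 0, "Ongoing": 1, "Completed": 2}
DISTRIBUTION = {"Your organization only": 0, "This community only": 1,
                "Connected communities": 2, "All communities": 3}

def build_event(info, date, threat, analysis, distribution, observables,
                blocked_tags=(), ids_when_malicious=True):
    """Return (MISP event payload, values withheld by the tag filter)."""
    event_dist = DISTRIBUTION[distribution]
    attributes, withheld = [], []
    for obs in observables:
        # "Filter observables based on security tags": any match withholds it.
        if set(obs.get("tags", ())) & set(blocked_tags):
            withheld.append(obs["value"])
            continue
        wanted = DISTRIBUTION[obs.get("distribution", distribution)]
        attributes.append({
            "type": obs["type"], "category": obs["category"],
            "value": obs["value"],
            # "Set attribute IDS flag when observable finding is malicious"
            "to_ids": bool(ids_when_malicious and obs.get("finding") == "Malicious"),
            # The most restrictive setting wins (lower code = narrower audience).
            "distribution": min(event_dist, wanted),
        })
    event = {"info": info, "date": date, "threat_level_id": THREAT_LEVEL[threat],
             "analysis": ANALYSIS[analysis], "distribution": event_dist,
             "Attribute": attributes}
    return {"Event": event}, withheld

# Constructed sample observables (hypothetical field names, not ServiceNow's schema).
SAMPLE_OBSERVABLES = [
    {"value": "11.11.11.11", "type": "ip-src", "category": "Network activity",
     "finding": "Malicious", "tags": []},
    {"value": "testdomain.com", "type": "domain", "category": "External analysis",
     "finding": "Malicious", "tags": ["Block from sharing"]},
    {"value": "sender@example.test", "type": "email-src", "category": "Payload delivery",
     "finding": "Unknown", "tags": [], "distribution": "All communities"},
]

def demo():
    return build_event("SIR0000001: constructed sample incident", "2026-03-12",
                       "Medium", "Ongoing", "This community only", SAMPLE_OBSERVABLES,
                       blocked_tags=("Block from sharing", "TLP: White"))

if __name__ == "__main__":
    payload, withheld = demo()
    print(json.dumps(payload, indent=2))
    print("withheld:", withheld)
```

    Reviewing the withheld list before creating the event confirms that tagged observables stay out of the shared event.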

    Add attributes to a MISP event

    Add attributes to an event, such as the type, category, and other contextual information about the event.

    Before you begin

    • Review the MISP user role and permissions for using the MISP bi-directional features.
    • Verify that the event to which you are adding or updating the attribute belongs to the same organization as the MISP user.
    • Role required: sn_sec_misp.write

    Procedure

    1. Navigate to All > MISP > Associated MISP Events.
      You can also navigate to the Associated MISP Event related list in any security incident.
    2. Click the MISP event that you want to add an attribute for.
    3. Click Add Attribute to MISP Event.
    4. In the Add Attribute to Event dialog box, fill in the details.
      Table 2. Add Attribute to Event dialog box
      Field: Description
      Value: Actual value of the attribute. Enter data about the value that is based on what is valid for the chosen attribute type. For example, for an attribute of type ip-src (source IP address), 11.11.11.11 is a valid value.
        Note: You can only select attributes or observables that share context with the event. The observables can't already have an attribute in MISP.
      Category: Category of the attribute. The category describes the aspect of the malware for this attribute. An example would be the persistence mechanisms of the malware or network activity.
      Type: Type that explains the category. For example, an IP address that an attacker uses for an attack, a source email address, or a file sent as an attachment can all describe the payload delivery of malware. These types of attributes have the category of payload delivery.
      Distribution: Users who can view this attribute. The distribution is inherited by attributes. The most restrictive setting wins.
      Use Attribute as an IDS signature: When an observable is marked as malicious in SIR, the IDS flag of the corresponding attribute in MISP is also marked as true.
      Comments: Comments that you add for the attributes.

      The following example shows that by navigating from the Associated MISP Events list, you can view the event record 5627 and add attributes to the event. The attributes include the value (testdomain.com), the category as external analysis, and the type as domain. You can also enable IDS. The success message on the event record shows that the attribute is added to the event.

      Figure 5. Add attribute to a MISP event
    5. Click Add Attribute to MISP Event.

    Result

    You can view the added attribute in the Attributes section.

    Add tags to a MISP event

    Add tags in ServiceNow AI Platform MISP to classify events or attributes. You can use tagging globally to enable your classification or use tags locally when you don't want MISP events to be modified during your classification.

    Before you begin

    • Review the MISP user role and permissions for using the MISP bi-directional features.
    • Verify that the event you are editing belongs to the same organization as the MISP user.
    • Note that the tags and galaxies that are available to you are based on the MISP source and its distribution permissions.
    • Role required: sn_sec_misp.write

    Procedure

    1. Navigate to All > Security Incident > Show All Incidents.
    2. Select the security incident that contains the event that you want to add tags for.
    3. Click Show All Related Lists and the MISP Enrichment Results related list.
    4. Click the Event ID from the list of enrichment results.
      You can also navigate from the MISP > Associated MISP Events module.
    5. Review the MISP Event record.
      Table 3. MISP Event form view
      Field: Description
      Event ID: Event ID that is assigned by MISP when the event was first created or imported into the MISP server.
      UUID: ID that uniquely identifies events and attributes.
      Creator Org: Organization that created the event on the MISP instance.
      Owner Org: Organization that owns the event on the MISP instance. This field is visible only to administrators.
      Creator User: User who created the event in MISP.
      Last Change: Date that the event was last modified.
      MISP Source: MISP source where the event is created.
      Created date (in MISP): Date that the event was created or first imported in the MISP server.
      Threat Level: Risk level of the event. Incidents can be categorized into three different threat categories (low, medium, high). This field can be left as undefined. The following are the options:
        • Low: General mass malware
        • Medium: Advanced Persistent Threats (APT)
        • High: Sophisticated APTs and 0-day attacks
      Analysis: Current stage of the analysis for the event with the following possible options:
        • Initial: The analysis is just beginning
        • Ongoing: The analysis is in progress
        • Completed: The analysis is complete
      Distribution: Distribution of the individual attribute. An attribute can have a different distribution level than the event.
      Published: Status of whether the event has been published or not. Publishing allows the attributes of the event to be used for all eligible exports and notifies users that have subscribed to the event alerts.
      MISP Event Hyperlink: Link to the MISP event that is stored on the MISP server.
      Info: Short description of the event.
      Tags (Local): Tags that are available on the host organization's MISP instance to enable tagging for synchronization and export filtering. MISP events are not modified when you use local tags. Local tags are always stripped before being synchronized with other MISP instances and sharing communities.
      Tags (Global): Tags that are available globally to be shared and synchronized with other MISP instances and sharing communities. When you add global tags to MISP instances, you can modify events.
      Galaxies (Local): Galaxies that are available on the host organization's MISP instance for synchronization and export filtering. MISP events are not modified when you use local galaxies. These local galaxies are always stripped before being synchronized with other MISP instances and sharing communities.
      Galaxies (Global): Galaxies that are available globally to be shared and synchronized with other MISP instances and sharing communities. When you add global galaxies, you can modify MISP events.
    6. To edit either a local or global tag, click the edit icon in one of the following options:
      • Tags (Local)
      • Tags (Global)
    7. In the MISP Event Tags dialog box, enter the tag name to search and add the tags.
    8. Click Update Tags to MISP Event.

      The following example shows that by clicking the edit icon for the local tags, you can search and add the C3, Adware, C2, and Botnet 3101 tags, and update the MISP server with the tags. The confirmation message shows that all the tags are updated in MISP.

      Figure 6. Updating tags to MISP event
    9. Click Reload Form in the success message to view the changes in the record.

    Result

    The tags are updated successfully in the MISP server.

    Update galaxies to a MISP event or attribute

    Add or remove galaxies in ServiceNow AI Platform MISP so that you can classify these objects as a cluster in the MISP instance and attach them to MISP events or attributes.

    Before you begin

    • Review the MISP user role and permissions required for using the MISP bi-directional features.
    • To add local galaxies, the user who has configured the integration should belong to the host organization of the corresponding MISP server.
    • The tags and galaxies available to you are based on the MISP source and its distribution permissions.
    • Role required: sn_sec_misp.write

    Procedure

    1. Click the edit icon in one of the following options:
      • Galaxies (Local)
      • Galaxies (Global)
    2. In the MISP Event Galaxies dialog, type and search to add the tags.
    3. Click Update Galaxies to MISP Event.

      The following example shows how to click the edit icon for the local galaxies, select the deprecated namespace, select the Enterprise Attack - Attack Pattern galaxy, and add cluster information. After the galaxy information is updated, you can view the success message.

      Figure 7. Update galaxy information to MISP event
      The galaxies are updated successfully in the MISP server.
    4. Click Reload Form in the success message to view the changes in the record.
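
    The following Python sketch is an added example, not ServiceNow or MISP project code. It models the sharing behavior described in the Tags (Local), Galaxies (Local), and Distribution field descriptions: an event set to Your organization only is not synchronized, and local tags are stripped from what a synchronizing server receives. It assumes tags carry a "local" flag as in MISP's event JSON and that a galaxy cluster is represented by its misp-galaxy tag; the sample event is constructed.

```python
import copy

def sync_view(event):
    """Return (copy of the event as a synchronizing server would receive it,
    names of the local tags that were stripped); (None, []) if never synchronized."""
    if event["distribution"] == 0:          # "Your organization only"
        return None, []
    shared, stripped = copy.deepcopy(event), []

    def strip_local(holder):
        kept = []
        for tag in holder.get("Tag", []):
            if tag.get("local"):
                stripped.append(tag["name"])
            else:
                kept.append(tag)
        holder["Tag"] = kept

    strip_local(shared)                     # event-level tags and galaxy tags
    for attribute in shared.get("Attribute", []):
        strip_local(attribute)              # attribute-level tags
    return shared, stripped

# Constructed sample event; C2, Botnet 3101 and Adware are tag names from the page's example.
SAMPLE_EVENT = {
    "info": "constructed sample event", "distribution": 1,
    "Tag": [{"name": "C2", "local": 1},
            {"name": "Botnet 3101", "local": 1},
            {"name": "tlp:green", "local": 0},
            {"name": 'misp-galaxy:mitre-attack-pattern="Phishing - T1566"', "local": 1}],
    "Attribute": [{"type": "domain", "value": "testdomain.com",
                   "Tag": [{"name": "Adware", "local": 1}]}],
}

if __name__ == "__main__":
    shared, stripped = sync_view(SAMPLE_EVENT)
    print("tags that leave the instance:", [t["name"] for t in shared["Tag"]])
    print("local tags kept internal:", stripped)
```

    Comparing the two lists before publishing shows which classifications stay internal and which are shared with other MISP instances.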