Managing events in MISP

Verifying automatically created events in MISP

You can verify the automatically created events after you configure the event creation profile in your ServiceNow AI Platform instance.

Automatic event creation profile

Configuring the automatic event creation profile is done by the sn_si.admin or the sn_ti.admin user roles in the MISP Integration > Automatic Event Creation Profiles module.

Viewing the MISP event data

You can view the created events in the following ways:

View the work notes for the created events. You can view the event details in the ServiceNow AI Platform instance and also as it appears in the MISP server as shown in the following example.
Figure 1. Work notes for created events
Click the Associated MISP Events related list. Here, you can view the event in relation to the security incident and the MISP resources as shown in the following example.
Figure 2. List of associated events
View the MISP event data in the form view to review the detailed information about the MISP events as shown in the following example.
Figure 3. Event data in the form view

Manually create an event in MISP

Manually create events in MISP from the ServiceNow AI Platform to capture contextually related information represented as attributes and objects.

Before you begin

Review the MISP user role and permissions for using the MISP bi-directional features.
Role required: sn_sec_misp.write

Procedure

Navigate to All > Security Incident > Show All Incidents.
Select the security incident that contains the observables that you want to create an event for.
Click Create a new event in MISP.

In the Create a new event in MISP dialog box, fill in the details.

Table 1. Create an event in MISP dialog box
Field		Description
Date		Creation date of the event in MISP.
Event Info		Event information that is automatically created from the ServiceNow AI Platform Security Incident Response.
Threat Level		Risk level of the event. You can categorize the incidents into three different threat categories (low, medium, high). This field can also be left as undefined. The following are the options: Low: General mass malware Medium: Advanced Persistent Threats (APT) High: Sophisticated APTs and 0-day attacks
Source		MISP source for the event creation.
Distribution		Option that controls who can view this event after the event is published. This option also controls whether the event is synchronized to other servers. The distribution is inherited by the attributes. The most restrictive setting wins. The distribution options are as follows: Your organization only: Enables only the members of your organization to view this event. The event can be pulled to another instance by one of your organization members where only your organization has the access to view it. Events with this setting are not synchronized. This community only: Enables users that are part of your MISP community to view the event, including your own organization, organizations on this MISP server, and organizations that run MISP servers that synchronize with this server. Any other organizations that are connected to linked servers are restricted from viewing the event. Connected communities: Enables users that are part of your MISP community to view the event, including all organizations on this MISP server, all organizations on MISP servers that synchronize with this server, and the hosting organizations of servers that connect to any server that is two hops away. Any other organizations that are connected to the linked servers that are two hops away from this server are restricted from viewing the event. All communities: Shares the event with all MISP communities.
Analysis		Current stage of the analysis for the event with the following possible options: Initial: The analysis is just beginning Ongoing: The analysis is in progress Completed: The analysis is complete
Advanced Options	Add SIR associated observables as attributes to MISP Event	Option to add available observables in a security incident to a MISP event as attributes. This option enables the Set attribute IDS flag when observable finding is malicious option.
	Set attribute IDS flag when observable finding is malicious	Observable that is marked as malicious in SIR. The corresponding attribute in MISP is also marked as true.
	Filter observables based on security tags	Option to filter the observables based on the selected security tags. This option provides the capability to distinguish and manage the MISP events in threat intelligence. Security tags: Add tags to filter the observables. For example, if you are adding a tag called 'Block from sharing' or 'TLP: White' then if one of the observables has any of these tags associated then these observables will not be added as an attribute to the MISP event during the MISP event creation.
	Synch Security Incident MITRE ATT&CK techniques as local galaxies to MISP event	Option to synchronize the ServiceNow AI Platform SIR security incident MITRE-ATT&CK™ techniques as local galaxies in the MISP event.
	Sync Security Incident MITRE ATT&CK techniques as global galaxies to MISP event	Option to synchronize the ServiceNow AI Platform SIR security incident MITRE-ATT&CK™ techniques as global galaxies in the MISP event.
	Add tags to the MISP event	Option that allows you to add MISP tags to the events that are created from ServiceNow. This option displays the following options: Local (Tags):The selected tags will be added as local tags to the MISP event. Global (Tags):The selected tags will be added as global tags to the MISP event.

Click Create New MISP Event.

The following example shows that by creating an event in MISP, you can view the results in the security incident. You also can view the work notes, the event in the ServiceNow AI Platform instance, and the event in the MISP server as shown in the following example.

Figure 4. Manually create an event in MISP from the ServiceNow AI Platform
You can view the results in the following ways:
- A success message appears at the top of the security incident page. You can view the event details in the ServiceNow AI Platform instance and also as it appears in the MISP server.
- In the work notes, you can view the success message with more details. You can also view the event details in the ServiceNow AI Platform instance and also as it appears in the MISP server.
- In the Associated MISP Events related list, you can view the event in relation to the security incident and the MISP resources.

Add attributes to a MISP event

Add attributes to an event, such as the type, category, and other contextual information about the event.

Before you begin

Review the MISP user role and permissions for using the MISP bi-directional features.
Verify that the event that you are adding or updating the attribute belongs to the same organization as the MISP user.
Role required: sn_sec_misp.write

Procedure

Navigate to All > MISP > Associated MISP Events.
You can also navigate to the Associated MISP Event related list in any security incident.
Click the MISP event that you want to add an attribute for.
Click Add Attribute to MISP Event.

In the Add Attribute to Event dialog box, fill in the details.

Table 2. Add Attribute to Event dialog box
Field	Description
Value	Actual value of the attribute. Enter data about the value that is based on what is valid for the chosen attribute type. For example, for an attribute of type ip-src (source IP address), 11.11.11.11 is a valid value. Note: You can only select attributes or observables that share context with the event. The observables can't already have an attribute in MISP.
Category	Category of the attribute. The category describes the aspect of the malware for this attribute. An example would be the persistence mechanisms of the malware or network activity.
Type	Type that explains the category. For example, if an attacker uses an IP address for an attack, a source email address or a file sent through an attachment can all describe the payload delivery of a malware. These types of attributes have the category of payload deliver.
Distribution	Users who can view this attribute. The distribution is inherited by attributes. The most restrictive setting wins.
Use Attribute as an IDS signature	Observable that is marked as malicious in SIR. The corresponding attribute in MISP is also marked as true.
Comments	Comments that you add for the attributes.

The following example shows that by navigating from the Associated MISP Events list, you can view the event record 5627 and add attributes to the event. The attributes include the value (testdomain.com), category as external analysis, type as domain. You can also enable IDS. The success message on the event record shows that the attribute is added to the event as shown in the following example.

Adding attribute to a MISP event. — Figure 5. Add attribute to a MISP event

Click Add Attribute to MISP Event.

Result

You can view the added attribute in the Attributes section.

Add tags to a MISP event

Add tags in ServiceNow AI Platform MISP to classify events or attributes. You can use tagging globally to enable your classification or use tags locally when you don't want MISP events to be modified during your classification.

Before you begin

Review the MISP user role and permissions for using the MISP bi-directional features.
Verify that the event you are editing belongs to the same organization as the MISP user.
Note that the tags and galaxies that are available to you are based on the MISP source and its distribution permissions.
Role required: sn_sec_misp.write

Procedure

Navigate to All > Security Incident > Show All Incidents.
Select the security incident that contains the event that you want to add tags for.
Click Show All Related Lists and the MISP Enrichment Results related list.
Click the Event ID from the list of enrichment results.
You can also navigate from the MISP > Associated MISP Events module.
Review the MISP Event record.
To edit either a local or global tag, click the edit icon in one of the following options:

Tags (Local)
Tags (Global)

In The MISP Event Tags dialog box, enter the tag name to search and add the tags.
Click Update Tags to MISP Event.

The following example shows that by clicking the edit icon for the local tags, you can search and add the C3, Adware, C2, and Botnet 3101 tags, and update the MISP server with the tags. The confirmation message shows that all the tags are updated in MISP.

Figure 6. Updating tags to MISP event
Click Reload Form in the success message to view the changes in the record.

Result

The tags are updated successfully in the MISP server.

Update galaxies to a MISP event or attribute

Add or remove galaxies in ServiceNow AI Platform MISP so that you can classify these objects as a cluster in the MISP instance and attach them to MISP events or attributes.

Before you begin

Review the MISP user role and permissions required for using the MISP bi-directional features.
To add local galaxies, the user who has configured the integration should belong to host organization of the corresponding MISP server.
The tags and galaxies available to you are based on the MISP source and its distribution permissions.
Role required: sn_sec_misp.write

Procedure

Click the edit icon in one of the following options.

Galaxies (Local)
Galaxies (Global)

In The MISP Event Galaxies dialog, type and search to add the tags.
Click Update Galaxies to MISP Event.

The following example shows how to click the edit icon for the local galaxies, select the deprecated namespace, select the Enterprise Attack - Attack Pattern galaxy, and add cluster information. After the galaxy information is updated, you can view the success message.

Figure 7. Update galaxy information to MISP event

The galaxies are updated successfully in the MISP server.
Click Reload Form in the success message to view the changes in the record.