eCrimeLabs - Helps you mitigate your cyber threats

View Original

MISP auto tagging: In Organizations we trust

When working with MISP we have experienced that in some situations you need to put one or more local tags on events from various organizations typically based on that you trust data created by this and want to add additional automatization based on events from the source.

So we are please to announce a small tool that might assist organizations using MISP to make the feature of automatically adding local tagging to all events from a specific organizations UUID’s.

The tools had the feature of either adding or removing a set of predefined tags.

Examples

# venv/bin/python3 misp-autotagging.py -h
eCrimeLabs MISP autotagging tool
usage: misp-autotagging.py [-h] [-a] [-r] [-d DAYS]

optional arguments:
  -h, --help            show this help message and exit
  -a, --add             Add local tags to Event(s)
  -r, --remove          Remove local tags to Event(s)
  -d DAYS, --days DAYS  Number of days to look back for events (Default: 2)

The below adds as example the tags to organizations for events created within the last 20 days

# venv/bin/python3 misp-autotagging.py -a -d 20
eCrimeLabs MISP autotagging tool
 + Remove local tags to Event(s)
   - 2022-05-10 16:00:51 UTC - Successfully added local tag: ecrimelabs:custom-tag=1 to Event UUID: c303c3c9-8623-45cd-9173-c61de12635b0
   - 2022-05-10 16:00:51 UTC - Successfully added local tag: ecrimelabs:custom-tag=2 to Event UUID: c303c3c9-8623-45cd-9173-c61de12635b0


The event(s) now will have added two tags as local, to not modify any organizations original events.

The source code can be found on GitHub

https://github.com/eCrimeLabs/MISP-autotagging