Unpublish or Change Distribution of all events

Open qbolbk59 opened this issue 4 years ago • 5 comments

Hi,

We are syncing events (pull) from multiple external MISP instances to ours. Now we want to create a new org for one of the internal departments and give them access to only that org's events that they will create. However, the events that we are pulling are also getting shared with that org because of the distribution. We want to restrict sharing of those events to the new local org.

I tested manually, and if I unpublish all synced events or change the Distribution to "Own Organization only", then those events do not reflect in the new org. But I am not sure if there's a way to automate this, as we have too many events to do this manually. Also, the unpublish checkbox in the sync setting only works for push ops and not for pull.

Is there a way to achieve this via some sort of automation?

qbolbk59 avatar Jul 08 '21 07:07 qbolbk59

Would it make more sense to set up a dedicated MISP instance for the new internal organization? If I understand it right, they must only see the events they create (and none of the events you pull from 3rd parties, nor the ones you create internally). You can set up the new MISP instance so it pushes the events they create to your main instance.

Be aware that changing all the events you received to "org only" might be an issue: any update from your sync partners to the event you modified (=changed the distribution) won't be updated on your instance anymore.

Rafiot avatar Jul 08 '21 07:07 Rafiot

@Rafiot: Thanks for your response. Indeed this can be easily achieved if we set up a new MISP, but setting up itself is a complicated process in our org (server delivery, db delivery, connectivity and so on). Setting up a new MISP will take not less than 2 months at least and we need to create the new org/access to MISP urgently.

Another option that I could think of is to set a tag automatically in all the events and then, using this tag, I can restrict all events in the new org using the Event blocklist rule. Is it possible to set a specific tag in all events? Will it impact the events that we are pulling?

qbolbk59 avatar Jul 08 '21 08:07 qbolbk59

No, you cannot use tags to limit what an organization can see, sorry.

Rafiot avatar Jul 08 '21 08:07 Rafiot

@Rafiot: So deploying a new MISP is the only option?

I find it very strange that these access controls are not available for the local organizations on the same MISP instance. Even user roles are not fine-grained enough to provide options to restrict events based on parameters like tags such as TLP values, event source and so on.

qbolbk59 avatar Jul 08 '21 12:07 qbolbk59

A single MISP instance is meant for sharing across multiple groups. Enforcing access to a subset of events for a dedicated org requires a dedicated MISP instance that does push only to your main instance.

If your sub-team needs to only see a subset of events, they can use the following URL: /events/index/searchorg:<ORGID>

Rafiot avatar Jul 09 '21 06:07 Rafiot
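
Added example, not part of the thread and not PyMISP project code: one way to script the distribution change asked about in the opening post, with a dry run before anything is written. It assumes a PyMISP client whose `search()` returns events exposing `orgc_id`, `distribution` and `uuid`; `FakeMISP` and its events are constructed so the block runs offline. As noted in the thread, events changed this way no longer receive updates from sync partners.

```python
from types import SimpleNamespace

ORG_ONLY = 0  # MISP distribution level "Your organisation only"


def restrict_pulled_events(misp, local_orgc_id, dry_run=True):
    """Return UUIDs of events created by other orgs that are (or would be) set to ORG_ONLY.

    `misp` is assumed to be a PyMISP client: search(..., pythonify=True) yields
    event objects exposing orgc_id, distribution and uuid, and update_event()
    saves a modified event.
    """
    selected = []
    for event in misp.search(controller="events", metadata=True, pythonify=True):
        if str(event.orgc_id) == str(local_orgc_id):
            continue  # created locally: leave untouched
        if int(event.distribution) == ORG_ONLY:
            continue  # already restricted
        selected.append(event.uuid)
        if not dry_run:
            event.distribution = ORG_ONLY
            misp.update_event(event)
    return selected


class FakeMISP:
    """Constructed stand-in for a MISP server so the example runs offline."""

    def __init__(self):
        self.events = [
            SimpleNamespace(uuid="evt-local", orgc_id="1", distribution="1"),
            SimpleNamespace(uuid="evt-pulled-a", orgc_id="7", distribution="3"),
            SimpleNamespace(uuid="evt-pulled-b", orgc_id="9", distribution="0"),
        ]
        self.updated = []

    def search(self, **kwargs):
        return list(self.events)

    def update_event(self, event):
        self.updated.append(event.uuid)


def demo():
    misp = FakeMISP()
    preview = restrict_pulled_events(misp, local_orgc_id=1)  # dry run, no writes
    applied = restrict_pulled_events(misp, local_orgc_id=1, dry_run=False)
    return preview, applied, misp.updated, misp.events[1].distribution


if __name__ == "__main__":
    print(demo())
```

Against a real instance, pass a `PyMISP(url, key)` client instead of `FakeMISP` and review the dry-run list before rerunning with `dry_run=False`.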