
Document usage of data filtering strategy

Open · iglocska opened this issue 6 years ago · 1 comment

Quote from a mail (this, but better explained):

"Our mantra is: keep your data for correlation and exclude it from the exports. What I'd suggest:

a. Set an automatic tag for your feed (such as "expireMeInAMonth"); these tags will be automatically applied to all events coming from the feed hereafter.

b. When exporting data from MISP, for example for your SIEM/NIDS/etc., use the following rules:

  • 1x full data set, but exclude everything tagged "expireMeInAMonth"
  • 1x the data set carrying the "expireMeInAMonth" tag, but with the "last":"30d" parameter set

c. Feed both data sets to your tools.

This will get you all your regular data + the past 30 days' worth of data from the feed."

iglocska commented Oct 27 '17 08:10
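The two-export split above, as an added worked example (not code from the issue, the mail, or the MISP project). It builds the two `restSearch` bodies that implement rules (a) and (b) on the REST API, where a leading `!` on a tag name excludes it and `last` keeps only events published inside the window, and it re-applies the same filter locally over a constructed set of MISP-style event dicts so the behaviour can be checked offline. The tag name `expireMeInAMonth` and the `30d` window are the issue's; the fixed clock, the sample events, and the `base_url`/`api_key` placeholders in `post_restsearch` are assumptions for illustration. One caveat worth noting when copying this pattern: `last` filters on the event's publish timestamp, so an old feed event that gets re-published re-enters the 30-day export.

```python
"""Added example: 'keep for correlation, exclude from exports' via two filtered exports."""
import json
import urllib.request
from datetime import datetime, timedelta, timezone

FEED_TAG = "expireMeInAMonth"   # tag auto-applied to the feed's events (name from the issue)
WINDOW = "30d"                  # MISP 'last' syntax: <n>d, <n>h or <n>m


def restsearch_bodies(feed_tag=FEED_TAG, window=WINDOW, return_format="json"):
    """Build the two /events/restSearch bodies described in the mail.
    '!tag' excludes that tag; 'last' keeps only events published within the window."""
    stable = {"returnFormat": return_format, "tags": [f"!{feed_tag}"]}
    recent = {"returnFormat": return_format, "tags": [feed_tag], "last": window}
    return stable, recent


def parse_window(window):
    """'30d' -> 30 days, '12h' -> 12 hours, '30m' -> 30 minutes."""
    unit = {"d": "days", "h": "hours", "m": "minutes"}[window[-1]]
    return timedelta(**{unit: int(window[:-1])})


def has_tag(event, name):
    return any(t.get("name") == name for t in event.get("Tag", []))


def split_export(events, feed_tag=FEED_TAG, window=WINDOW, now=None):
    """Apply the same two filters locally to MISP-style event dicts.
    Returns (stable_ids, recent_ids): every event without the feed tag, plus
    feed-tagged events published inside the window. Older feed events stay in
    the instance for correlation but drop out of the export."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - parse_window(window)
    stable, recent = [], []
    for ev in events:
        published = datetime.fromtimestamp(int(ev["publish_timestamp"]), timezone.utc)
        if not has_tag(ev, feed_tag):
            stable.append(ev["id"])
        elif published >= cutoff:
            recent.append(ev["id"])
    return stable, recent


def post_restsearch(base_url, api_key, body, timeout=60):
    """Send one body to a live MISP (base_url and api_key are placeholders)."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/events/restSearch",
        data=json.dumps(body).encode(),
        headers={"Authorization": api_key, "Accept": "application/json",
                 "Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


# Constructed sample data with a fixed clock (not real MISP events).
NOW = datetime(2017, 11, 1, tzinfo=timezone.utc)


def _ts(days_ago):
    return str(int((NOW - timedelta(days=days_ago)).timestamp()))


SAMPLE_EVENTS = [
    {"id": "1", "publish_timestamp": _ts(200), "Tag": []},                         # own data, old: keep
    {"id": "2", "publish_timestamp": _ts(5),   "Tag": [{"name": FEED_TAG}]},       # feed, fresh: keep
    {"id": "3", "publish_timestamp": _ts(45),  "Tag": [{"name": FEED_TAG}]},       # feed, stale: drop
    {"id": "4", "publish_timestamp": _ts(45),  "Tag": [{"name": "tlp:amber"}]},    # other tag: keep
]

if __name__ == "__main__":
    stable_body, recent_body = restsearch_bodies()
    print("stable export body:", json.dumps(stable_body))
    print("recent export body:", json.dumps(recent_body))
    print("local split:", split_export(SAMPLE_EVENTS, now=NOW))
```

Against a live instance the two bodies would be sent one after the other with `post_restsearch`, swapping `returnFormat` for `suricata`, `snort` or `csv` as the consuming tool needs; the union of the two results is what gets fed to the SIEM/NIDS, while event 3 in the sample stays on the MISP side for correlation only.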

I'm guessing this would translate to using the decaying mechanism now?

Wachizungu commented Feb 28 '21 21:02