Starting from version 2.4.160, MISP supports the "workflow" feature, which allows site administrators to modify the default behavior of MISP. Actions such as those listed below are now possible thanks to this feature:
- Prevent the publishing of an Event if some criteria are not met
- Prevent queries against third-party services based on tags attached to an Attribute/Event (e.g. `PAP:RED`)
- Post data using a webhook for some actions
- Send notifications to chat platforms such as Mattermost or Slack
- And much more
MISP comes with some default workflow blueprints which can be added to any MISP instance. This repository contains all the default blueprints.
For more information about workflows in MISP, the training material "MISP Workflows" is a good start.
- Stop workflow based on `tlp` and `pap` taxonomy - Blueprint that stops a workflow execution if the data being processed is tagged with `tlp:red` or `PAP:RED`.
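The condition this blueprint describes, written as a stand-alone Python check over a MISP event export. This is an added example, not the blueprint's JSON or MISP's own code; the function names, the constructed sample event and the case-insensitive tag matching are assumptions.

```python
import json

# Tags this page names as the stop condition. Lower-cased because this
# example matches case-insensitively (an assumption, not MISP behaviour).
BLOCKING_TAGS = {"tlp:red", "pap:red"}

def _blocking(tags):
    """Return the blocking tag names found in one MISP 'Tag' list."""
    names = (t.get("name", "") for t in tags or [])
    return [n for n in names if n.lower() in BLOCKING_TAGS]

def find_blocking_tags(event_json):
    """List (location, tag) pairs for every blocking tag in an event export."""
    event = event_json.get("Event", event_json)
    hits = [("event", n) for n in _blocking(event.get("Tag"))]
    # Attributes attached directly to the event, then those inside objects.
    attributes = list(event.get("Attribute", []))
    for obj in event.get("Object", []):
        attributes.extend(obj.get("Attribute", []))
    for attr in attributes:
        where = f"attribute {attr.get('type')}={attr.get('value')}"
        hits.extend((where, n) for n in _blocking(attr.get("Tag")))
    return hits

def should_stop(event_json):
    """True when the event or any of its attributes carries a blocking tag."""
    return bool(find_blocking_tags(event_json))

# Constructed sample event (documentation addresses, not real data).
SAMPLE_EVENT = json.loads("""
{"Event": {
  "info": "Constructed example",
  "Tag": [{"name": "tlp:amber"}],
  "Attribute": [
    {"type": "ip-dst", "value": "198.51.100.7", "Tag": [{"name": "PAP:RED"}]},
    {"type": "url", "value": "https://example.test/a"}
  ],
  "Object": [
    {"name": "domain-ip", "Attribute": [
      {"type": "domain", "value": "example.test", "Tag": [{"name": "tlp:red"}]}
    ]}
  ]
}}
""")

if __name__ == "__main__":
    for where, tag in find_blocking_tags(SAMPLE_EVENT):
        print(f"stop: {tag} on {where}")
```

The sample event is only `tlp:amber` at event level, yet two of its attributes carry a blocking tag, which is why the check walks attributes and objects as well as the event's own tags.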
It's very easy. Fork the repository, create a new JSON file with your blueprint and make a pull request.
The MISP workflows are dual-licensed under CC-0 and a simple 2-clause BSD license.