Playbook create MISP objects and relationships + update documentation
cudeso committed Apr 18, 2023
1 parent 8aebd9f commit 3b7946b
Showing 16 changed files with 3,313 additions and 8 deletions.
6 changes: 3 additions & 3 deletions README.md
Expand Up @@ -21,8 +21,8 @@ The repository contains these playbooks

**Create MISP objects and relationships**

- [MISP Playbook]() started from [issue 11](https://github.com/MISP/misp-playbooks/issues/11)
- - Use the [MISP Playbook with output]() to get a view on the produced output
- [MISP Playbook](misp-playbooks/pb_create_MISP_objects_and_relationship.ipynb) started from [issue 11](https://github.com/MISP/misp-playbooks/issues/11)
- - Use the [MISP Playbook with output](misp-playbooks/pb_create_MISP_objects_and_relationship-with_output.ipynb) to view the output of the notebook (with additional images)
- This playbook walks the analyst through the phases of creating MISP objects and adding a relationship between these objects.
- - The playbook is typically *triggered* when an an analyst wants to add related, contextually linked, attributes to a MISP event.
- - The objects are added to a new or an existing MISP event. The playbook prints out a summary that can be used to notify colleagues via Mattermost or other channels.
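Review bot: the unchanged context line `- - The playbook is typically *triggered* when an an analyst wants to add related, contextually linked, attributes to a MISP event.` carries a doubled "an an"; since this block is being rewritten anyway, fix it in the same commit. Also confirm the two new link targets against the committed notebook names: the section heading says "objects and relationships" while the paths are `pb_create_MISP_objects_and_relationship.ipynb` and `pb_create_MISP_objects_and_relationship-with_output.ipynb` (singular), and a mismatch would leave a dead link just like the empty `[MISP Playbook]()` this hunk replaces.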
Expand All @@ -33,7 +33,7 @@ The repository contains these playbooks

**Create or update a MISP event with information from a phishing incident with a link**
- [MISP Playbook]() started from [issue 1](https://github.com/MISP/misp-playbooks/issues/1)
- - Use the [MISP Playbook with output]() to get a view on the produced output
- - Use the [MISP Playbook with output]() to view the output of the notebook (with additional images)
- This playbook creates a new MISP event or completes an existing MISP event with details of a **phishing incident**.
- - The playbook is *triggered* during the investigation of a phishing security incident. The playbook requires the phishing indicators such as the **links**, e-mail body, e-mail **headers**, e-mail **subject** and **senders** as *input*. It will then encode these values as attributes and objects in a MISP event. The playbook creates relationships between the objects and sets default tags (PAP, course-of-action matrix) and MISP clusters on event and attributes (*contextualisation*).
- - The playbook queries (local) MISP events and OSINT feeds for matches with the indicators. You can use this information for *correlation*. URLscan is queried for the links included in the e-mail. The historical scan results and screenshots are imported in the playbook and MISP. Next to the *enrichment* via the scan results, the query at URLscan also provides IP and ASN information of the location where the URL is hosted. The URLs are submitted to Lookyloo for further analysis. The phishing URLs are also reported (manually) to Google, Microsoft and Phishtank.
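Review bot: the reworded line `- - Use the [MISP Playbook with output]() to view the output of the notebook (with additional images)` still has an empty link target, so the wording changes but the link stays broken. Either point it at the phishing notebook's with-output file, or drop the link syntax until that notebook is committed, as the objects playbook entry in this same README now does.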
12 changes: 12 additions & 0 deletions documentation/MISP playbook FAQ.md
Expand Up @@ -11,6 +11,8 @@
- [I want to change my password or I have forgotten my password.](#i-want-to-change-my-password-or-i-have-forgotten-my-password)
- [I get the message "Could not determine jupyterlab build status without nodejs"](#i-get-the-message-could-not-determine-jupyterlab-build-status-without-nodejs)
- [I want to add an additional Python library](#i-want-to-add-an-additional-python-library)
- [MISP playbooks on GitHub - FAQ](#misp-playbooks-on-github---faq)
- [I don't see the images in my playbook!](#i-dont-see-the-images-in-my-playbook)


# MISP playbooks - FAQ
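Review bot: the two new TOC entries are both top-level bullets, although `MISP playbooks on GitHub - FAQ` is added as an H1 and `I don't see the images in my playbook!` as an H2 beneath it; indent the second entry under the first so the table of contents mirrors the heading structure. The anchors themselves look right for GitHub's slug rules (`#misp-playbooks-on-github---faq` keeps the three hyphens produced by " - ", and `#i-dont-see-the-images-in-my-playbook` drops the apostrophe and exclamation mark).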
Expand Down Expand Up @@ -97,3 +99,13 @@ pip install <mylibrary>
sudo systemctl restart misp-playbook-jupyter.service
```

# MISP playbooks on GitHub - FAQ

## I don't see the images in my playbook!

If your GitHub repository is set to **private** then the images will not show up in your uploaded playbooks.

In order to display the images when browsing the playbooks via GitHub the repository needs to be put publicly accessible.

Note that on initial tests, this is **not** the case with GitLab. A private repository in GitLab can display the images.
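Review bot: `needs to be put publicly accessible` should read `needs to be made publicly accessible`. More importantly, the new section presents making the repository public as the only remedy: a playbook "with output" can carry event data, indicator values and imported screenshots from an investigation, so add a sentence telling readers to review the notebook contents (and clear outputs they do not want published) before changing repository visibility, or to host such playbooks where private rendering works. The GitLab sentence is hedged as `on initial tests`; state which GitLab (gitlab.com or a self-hosted instance, and version) was tested, or mark the claim as unverified.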
16 changes: 11 additions & 5 deletions documentation/MISP playbook technical documentation.md
Expand Up @@ -224,6 +224,8 @@ To copy them directly into your playbooks directory :

```
cp -rp misp-playbooks/* playbooks/my-playbooks/
mkdir playbooks/my-playbooks/helpers
cp -rp misp-playbooks/helpers/* playbooks/my-playbooks/helpers/
```

To copy them into a separate directory `misp-playbooks` :
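Review bot: the two added lines are redundant with, and will fail after, the line above them. `cp -rp misp-playbooks/* playbooks/my-playbooks/` already copies the `helpers` directory recursively (`-r`), so `mkdir playbooks/my-playbooks/helpers` then exits with "File exists" (there is no `-p`) and the second `cp` copies the same files a second time. Either drop the two new lines, or, if the intent is to cover a destination that already exists without a `helpers` directory, use `mkdir -p` and say in the sentence above the block why the separate step is needed.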
Expand All @@ -246,15 +248,19 @@ pip install -r documentation/requirements.txt
misp-playbooks: GitHub repository
\
| misp-playbooks: MISP playbooks in this repository
\
| helpers: Helper files for the playbook (such as images)
| config: Default configuration files
| documentation: Documentation
| tools: Support tools
| playbooks: YOUR playbooks environment
\
venv: Python virtual environment
vault: Vault with keys file
config: Local configuration file
my-playbooks: YOUR playbooks
\
| venv: Python virtual environment
| vault: Vault with keys file
| config: Local configuration file
| my-playbooks: YOUR playbooks
\
| helpers: Helper files for the playbook (such as images)
```

# Resources
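Review bot: the added `helpers` entry under `my-playbooks` (last two lines of the hunk) has exactly the same description as the `helpers` entry under `misp-playbooks`; say which copy is the source shipped with the repository and which is the one the playbooks load images from, otherwise a reader does not know which directory to edit. Also check the nesting in the `\` / `|` tree: `my-playbooks` is a child of `playbooks` and `helpers` a child of `my-playbooks`, but every `|` line in the hunk sits at the same depth, so the indentation that conveys this should be verified in the rendered file.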
0 comments on commit 3b7946b