Sightings, false positives and IDS
Attributes in MISP have a boolean flag, to_ids, that lets you indicate whether an attribute should be used for detection or only for correlation. According to the MISP core format data standard, the to_ids flag represents whether the attribute is meant to be actionable. Actionable is defined as attributes that can be used in automated processes as a pattern for detection in local or network intrusion detection systems, log analysis tools or even filtering mechanisms.
Unfortunately attributes marked with the to_ids flag can also lead to false positives. Recent work on the decaying of indicators lets you score the quality of indicators over time, but it requires more setup. In the meantime you can use the sightings system to indicate the quality of an indicator by reporting it as a false or true positive.
PyMISP to track false positives
I wrote a Python script that uses PyMISP to disable the to_ids flag for attributes with a number of reported false positive sightings. The script is included in the examples section of PyMISP and has the following logic flow:
- Based on an incident investigation, an analyst reports the false positive (or true positive) via the sighting mechanism in MISP (via the interface or via the API);
- The script runs regularly from cron, fetching all the attributes with the to_ids flag set;
- Whenever an attribute is found with more than minimal_fp reported false positives, counting only sightings more recent than minimal_date_sighting_date, the script evaluates the balance of false positives against true positives;
- When the balance false_positive / (true_positive + false_positive) is greater than or equal to the threshold_to_ids value, it sets the to_ids flag to false;
- As a last step, the event is republished without e-mail notification;
- Depending on the provided options, the script then sends a report of the attributes that were changed.
The script can be configured inline or via command-line options:
- minimal_fp or -b : the minimal number of false positives (default 0);
- threshold_to_ids or -t : the threshold at or above which the to_ids flag is disabled (default 0.50);
- minimal_date_sighting_date or -d : the minimal date for a sighting (false positive / true positive) to be taken into account (default 1970-01-01 00:00:00).
You can instruct the script to send mail by adding -m or --mail. The mail settings can be supplied via -o or --mailoptions or via the inline configuration (smtp_from, smtp_to and smtp_server).
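The decision step of the logic flow and the three options above, as an added example: this is not the PyMISP script from the examples directory, only a stand-alone reimplementation of its evaluation that runs offline on constructed attribute records shaped like MISP's REST output (sighting type "0" = true positive, "1" = false positive, "2" = expiration, date_sighting as an epoch string). The PyMISP calls that fetch the to_ids attributes, unset the flag and republish the event are deliberately left out; the option names and defaults are the ones from the page.

```python
"""Decision logic behind disabling to_ids from false-positive sightings.

Added example, not the PyMISP script itself: it reproduces the evaluation
step on constructed MISP-style sighting records so the thresholds can be
tested offline. Fetching, updating and republishing are left to PyMISP.
"""
from datetime import datetime, timezone

# Sighting types in the MISP core format: 0 = sighting (true positive),
# 1 = false positive, 2 = expiration. MISP serialises them as strings.
SIGHTING_TRUE_POSITIVE = "0"
SIGHTING_FALSE_POSITIVE = "1"

# Defaults matching the script's options: -b 0, -t .50, -d 1970-01-01 00:00:00
DEFAULT_MINIMAL_FP = 0
DEFAULT_THRESHOLD_TO_IDS = 0.50
DEFAULT_MINIMAL_DATE = datetime(1970, 1, 1, tzinfo=timezone.utc)


def count_sightings(sightings, minimal_date=DEFAULT_MINIMAL_DATE):
    """Return (true_positives, false_positives) among the sightings whose
    date_sighting (Unix epoch string, as MISP returns it) is not older than
    minimal_date. Expiration sightings (type 2) are ignored."""
    true_positives = false_positives = 0
    for sighting in sightings:
        seen = datetime.fromtimestamp(int(sighting["date_sighting"]), tz=timezone.utc)
        if seen < minimal_date:
            continue
        sighting_type = str(sighting["type"])
        if sighting_type == SIGHTING_TRUE_POSITIVE:
            true_positives += 1
        elif sighting_type == SIGHTING_FALSE_POSITIVE:
            false_positives += 1
    return true_positives, false_positives


def should_disable_to_ids(sightings, minimal_fp=DEFAULT_MINIMAL_FP,
                          threshold_to_ids=DEFAULT_THRESHOLD_TO_IDS,
                          minimal_date=DEFAULT_MINIMAL_DATE):
    """Apply the two gates of the script: strictly more than minimal_fp recent
    false positives, then false_positive / (true_positive + false_positive)
    greater than or equal to threshold_to_ids."""
    true_positives, false_positives = count_sightings(sightings, minimal_date)
    # Gate 1. Because minimal_fp >= 0 this also guarantees at least one vote,
    # so the division in gate 2 can never hit zero.
    if false_positives <= minimal_fp:
        return False
    # Gate 2: balance of false positives against all TP/FP votes.
    balance = false_positives / (true_positives + false_positives)
    return balance >= threshold_to_ids


def select_attributes_to_disable(attributes, **options):
    """Return the UUIDs of to_ids attributes whose flag should be unset.
    `attributes` are dicts shaped like MISP's REST output with an embedded
    'Sighting' list; attributes already at to_ids=False are left alone."""
    return [
        attribute["uuid"]
        for attribute in attributes
        if attribute.get("to_ids")
        and should_disable_to_ids(attribute.get("Sighting", []), **options)
    ]


def _sighting(sighting_type, epoch):
    return {"type": sighting_type, "date_sighting": str(epoch)}


OLD = 1600000000     # 2020-09-13, before the cut-off used below
RECENT = 1700000000  # 2023-11-14

# Constructed sample input (not real MISP data), shaped like attributes with sightings.
SAMPLE_ATTRIBUTES = [
    {"uuid": "a1", "value": "198.51.100.7", "to_ids": True,   # 3 FP vs 1 TP -> 0.75
     "Sighting": [_sighting("1", RECENT), _sighting("1", RECENT),
                  _sighting("1", RECENT), _sighting("0", RECENT)]},
    {"uuid": "a2", "value": "evil.example", "to_ids": True,   # 1 FP vs 3 TP -> 0.25
     "Sighting": [_sighting("1", RECENT), _sighting("0", RECENT),
                  _sighting("0", RECENT), _sighting("0", RECENT)]},
    {"uuid": "a3", "value": "203.0.113.9", "to_ids": True,    # 2 FP, both old, 1 expiration
     "Sighting": [_sighting("1", OLD), _sighting("1", OLD), _sighting("2", RECENT)]},
    {"uuid": "a4", "value": "198.51.100.8", "to_ids": False,  # already not actionable
     "Sighting": [_sighting("1", RECENT)]},
    {"uuid": "a5", "value": "bad.example", "to_ids": True, "Sighting": []},  # no votes
]

if __name__ == "__main__":
    print("defaults     :", select_attributes_to_disable(SAMPLE_ATTRIBUTES))
    print("-d 2023-01-01:", select_attributes_to_disable(
        SAMPLE_ATTRIBUTES, minimal_date=datetime(2023, 1, 1, tzinfo=timezone.utc)))
    print("-b 5         :", select_attributes_to_disable(SAMPLE_ATTRIBUTES, minimal_fp=5))
```

With the defaults, a1 and a3 are disabled (a3 has only false positives, so its balance is 1.0). Raising the minimal date to 2023-01-01 discards a3's old votes, and setting -b 5 as in the cron line below keeps everything enabled because no attribute has more than five false positives yet. This is also why -b matters: with the default of 0, a single false positive sighting on an attribute nobody has confirmed is enough to unset the flag.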
Ideally you run the script from cron every night. The line below does that at 02:00; because it carries a user field (mispuser), it belongs in a file under /etc/cron.d rather than in a user crontab:
0 2 * * * mispuser /usr/bin/python3 /home/mispuser/PyMISP/examples/falsepositive_disabletoids.py -m -o 'firstname.lastname@example.org;email@example.com' -b 5
Thank you very much for writing this article.
I'm trying to use MISP as an IOC storage for Zeek, and was not sure about the "to_ids" flag (would it get reset when the indicator gets updated?) to mark false positives on MISP.
I still don’t know if it’s the case, but I know people tried it now. Have a great day.
The “to_ids” flag is set per attribute (indicator). If you update the indicator value, the to_ids flag will not be changed. It’s best not to update the indicator (the value), keep older indicators in your system for correlation and historic reference and just unset the to_ids flag on these indicators, for example with the help of my script. Altering the value of the indicator makes it impossible to correlate indicators from one event with another event.