MISP sharing groups
Sharing groups in MISP are a more granular way to create re-usable distribution lists for events/attributes that allow users to include organisations from their own instance (local organisations) as well as organisations from directly or indirectly connected instances (external organisations).
For a possible future project I had to document whether sharing groups are an answer for a sort of multi-tenancy for sharing threat events within MISP.
Sharing groups certainly provide an answer, as long as you are aware of their limitations. With a sharing group you can:
- Reuse the code base or application for different organisations (tenants) in MISP;
- Limit the access to the information based on the organisation (tenant);
- Use the same infrastructure to provide meaningful results.
Sharing groups, however, do not provide truly separate databases; the separation of data is done in software. In practice this is not much different from how cloud providers separate information between different customers, or tenants.
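To make "separation in software" concrete, here is an added example (not MISP source code, and not from the video) that models the visibility decision on a single instance: all events live in one store and a per-organisation check decides what each tenant sees. It is a simplification that ignores synchronisation servers and site-admin roles; the organisation names, event ids and function names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# MISP distribution levels
ORG_ONLY, COMMUNITY, CONNECTED, ALL, SHARING_GROUP = 0, 1, 2, 3, 4

@dataclass
class Event:
    id: int
    owner_org: int                      # organisation that owns the event
    distribution: int
    sharing_group_id: Optional[int] = None

# Constructed sample data: one shared store for every tenant.
# Orgs: 1 = CERT-A, 2 = Bank-B, 3 = Telco-C (hypothetical names).
GROUPS = {10: {1, 2}}                   # sharing group id -> member org ids
EVENTS = [
    Event(100, owner_org=1, distribution=ORG_ONLY),
    Event(101, owner_org=1, distribution=SHARING_GROUP, sharing_group_id=10),
    Event(102, owner_org=3, distribution=COMMUNITY),
    Event(103, owner_org=2, distribution=SHARING_GROUP, sharing_group_id=99),
]

def can_view(org_id, event, groups):
    """Decide in software whether org_id may read this event."""
    if event.owner_org == org_id:
        return True
    if event.distribution == ORG_ONLY:
        return False
    if event.distribution == SHARING_GROUP:
        # Fail closed: an unknown or deleted group grants nothing.
        members = groups.get(event.sharing_group_id, set())
        return org_id in members
    # Community levels (1-3): visible to every org on this instance.
    return True

def visible_events(org_id, events=EVENTS, groups=GROUPS):
    """Every read path must apply the same filter; skipping it leaks data."""
    return [e.id for e in events if can_view(org_id, e, groups)]

if __name__ == "__main__":
    for org in (1, 2, 3):
        print(org, visible_events(org))
```

The limitation to keep in mind is visible in `visible_events`: the tenants share one data store, so the isolation is only as strong as the consistency with which that check is applied.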
There’s a video that demonstrates sharing groups: https://vimeo.com/710012285.
The video is part of the MISP Tip of the Week repository.