MISP query for inconsistencies in distribution settings, TLP and PAP
cudeso opened this issue
The title of the playbook
MISP query for inconsistencies in distribution settings, TLP and PAP
Purpose of the playbook
This playbook queries the MISP events and checks for inconsistencies between the event distribution setting, the TLP designation and the PAP marking. For example, events or attributes with TLP:RED and PAP:CLEAR, or events with 'All communities' and 'TLP:RED'. The inconsistencies between TLP and distribution level are already warned about in the MISP interface, but this playbook does a retroactive check and also verifies the events that are pulled in via synchronised servers. The results of the query are stored in the playbook and sent to Mattermost or Slack or as an alert in TheHive or DFIR-IRIS (to be discussed for implementation).
External resources used by this playbook
Mattermost (or Slack), TheHive (optional), DFIR-IRIS (optional)
Target audience
CTI
Briefly list the execution steps or workflow
No response
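A sketch of the consistency check this issue describes, added here as an example; it is not code from the playbook or from the MISP project. It runs offline over constructed events shaped like MISP's JSON export, and the policy tables (MAX_DISTRIBUTION, MAX_PAP_GAP) and function names are assumptions chosen so that the two cases named above (TLP:RED with PAP:CLEAR, TLP:RED with 'All communities') are flagged.

```python
# Added example, not the playbook's code. Policy tables are assumptions.
TLP_RANK = {"clear": 0, "white": 0, "green": 1, "amber": 2, "amber+strict": 2, "red": 3}
PAP_RANK = {"clear": 0, "white": 0, "green": 1, "amber": 2, "red": 3}
# MISP distribution levels: 0 your organisation only, 1 this community only,
# 2 connected communities, 3 all communities, 4 sharing group, 5 inherit event.
MAX_DISTRIBUTION = {3: 0, 2: 1, 1: 2, 0: 3}  # assumed: TLP rank -> widest level
MAX_PAP_GAP = 1  # assumed: PAP may be at most one step less restrictive than TLP


def rank(tags, prefix, table):
    """Return the most restrictive rank among tags with this prefix, or None."""
    names = [t.get("name", "").lower() for t in tags]
    found = [table[n[len(prefix):]] for n in names
             if n.startswith(prefix) and n[len(prefix):] in table]
    return max(found) if found else None


def check(label, tags, distribution):
    """Compare one object's TLP tag with its distribution level and PAP tag."""
    findings = []
    tlp, pap = rank(tags, "tlp:", TLP_RANK), rank(tags, "pap:", PAP_RANK)
    if tlp is None:
        return findings  # no TLP tag, nothing to compare against
    if distribution <= 3 and distribution > MAX_DISTRIBUTION[tlp]:
        findings.append(f"{label}: distribution {distribution} is wider than its TLP tag allows")
    if pap is not None and tlp - pap > MAX_PAP_GAP:
        findings.append(f"{label}: PAP tag is far less restrictive than its TLP tag")
    return findings


def find_inconsistencies(event):
    """Check an event and its attributes; sharing groups (4) are not judged."""
    ev = event.get("Event", event)
    ev_dist = int(ev["distribution"])
    findings = check(f"event {ev['id']}", ev.get("Tag", []), ev_dist)
    for attr in ev.get("Attribute", []):
        dist = int(attr["distribution"])  # 5 = inherit from the event
        findings += check(f"attribute {attr['id']}", attr.get("Tag", []),
                          ev_dist if dist == 5 else dist)
    return findings

# Constructed sample events in the shape of MISP's JSON export.
SAMPLE_EVENTS = [
    {"Event": {"id": "101", "distribution": "3", "Tag": [{"name": "tlp:red"}]}},
    {"Event": {"id": "102", "distribution": "0", "Tag": [{"name": "tlp:red"}, {"name": "PAP:CLEAR"}]}},
    {"Event": {"id": "103", "distribution": "1", "Tag": [{"name": "tlp:amber"}],
               "Attribute": [{"id": "9001", "distribution": "5",
                              "Tag": [{"name": "tlp:red"}]}]}},
]
```

Calling find_inconsistencies on each entry of SAMPLE_EVENTS returns one finding per event; in a playbook, the same function would be fed events returned by a MISP search, including those pulled from synchronised servers.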