{"id":27976507,"url":"https://github.com/misp/misp-workflow-blueprints","last_synced_at":"2025-05-08T01:27:31.424Z","repository":{"id":54405770,"uuid":"520828664","full_name":"MISP/misp-workflow-blueprints","owner":"MISP","description":"Library of blueprints usable in MISP Workflows","archived":false,"fork":false,"pushed_at":"2023-07-31T09:49:59.000Z","size":38,"stargazers_count":12,"open_issues_count":3,"forks_count":5,"subscribers_count":7,"default_branch":"main","last_synced_at":"2024-03-26T04:54:08.156Z","etag":null,"topics":["misp","threat-intelligence","threatintel","workflow"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/MISP.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2022-08-03T10:06:36.000Z","updated_at":"2023-09-06T14:57:51.000Z","dependencies_parsed_at":"2023-01-23T13:31:10.995Z","dependency_job_id":null,"html_url":"https://github.com/MISP/misp-workflow-blueprints","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MISP%2Fmisp-workflow-blueprints","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MISP%2Fmisp-workflow-blueprints/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MISP%2Fmisp-workflow-blueprints/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MISP%2Fmisp-workflow-blueprints/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/MISP","download_url":"https://codeload.github.com/MISP/misp-workflow-bl
ueprints/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252980674,"owners_count":21835285,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["misp","threat-intelligence","threatintel","workflow"],"created_at":"2025-05-08T01:27:29.907Z","updated_at":"2025-05-08T01:27:31.408Z","avatar_url":"https://github.com/MISP.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# MISP Workflow Blueprints\n\nStarting from version 2.4.160, MISP supports the \"workflow\" feature, which allows site administrators to modify the default behavior of MISP. Actions such as those listed below are now possible thanks to this feature:\n- Prevent the publishing of an Event if some criteria are not met\n- Prevent queries against third-party services based on tags attached to Attribute/Event (e.g. `PAP:RED`)\n- Post data using a webhook for some actions\n- Send notifications to chat platforms such as Mattermost or Slack\n- And much more\n\nMISP comes with some default workflow blueprints which can be added to any MISP instance. 
This repository contains all the default blueprints.\n\nFor more information about workflows in MISP, the training material [MISP Workflows](https://www.misp-project.org/misp-training/a.12-misp-workflows.pdf) is a good start.\n\n## Blueprints\n\n- [Attach `tlp:clear` on `tlp:white`](./blueprints/blueprint_attach-tlp_clear-on-tlp_white_1661328256.json) - Attach the `tlp:clear` tag on elements having the `tlp:white` tag.\n- [`PAP:RED` and `tlp:red` Blocking](./blueprints/blueprint_pap_red-and-tlp_red-blocking_1661328258.json) - Block actions if any attributes have the `PAP:RED` or `tlp:red` tag.\n- [Remove `to_ids` flag if the indicator appears in known file list](https://github.com/MISP/misp-workflow-blueprints/blob/main/blueprints/blueprint_disable-to_ids-flag-for-existing-hash-in-hashlookup_1667228944.json) - Disable to_ids flag for existing hash in [hashlookup](https://www.hashlookup.io/).\n- [Set tag based on BGP Ranking maliciousness level](https://github.com/MISP/misp-workflow-blueprints/blob/main/blueprints/blueprint_set-tag-based-on-bgp-ranking-maliciousness-level_1668498668.json) - Set tag based on [BGP Ranking](https://bgpranking.circl.lu) maliciousness level.\n\n### Curation blueprints\n- [Curation - Allow curation process](./blueprints/blueprint_curation---allow-curation-process.json)\n- [Curation - Assign threat-level based on enriched location](./blueprints/blueprint_curation---assign-threat-level-based-on-enriched-location.json)\n- [Curation - Assign a country GalaxyCluster on IPs](./blueprints/blueprint_curation---assign-a-country-galaxycluster-on-ips.json)\n- [Curation - Normalize TLP \u0026 PAP Tag](./blueprints/blueprint_curation---normalize-tlp-\u0026-pap-tag.json)\n- [Curation - Remove automation flag from known non-malicious hashes](./blueprints/blueprint_curation---remove-automation-flag-from-known-non-malicious-hashes.json)\n- [Curation - Remove automation flag from false-positive tripping over 
warninglist](./blueprints/blueprint_curation---remove-automation-flag-from-false-positive-tripping-over-warninglist.json)\n- [Curation - Remove automation flag from data having correlation with predefined feed](./blueprints/blueprint_curation---remove-automation-flag-from-data-having-correlation-with-predefined-feed.json)\n- [Curation - Toggle automation flag from network IoC based on AbuseIPDB](./blueprints/blueprint_curation---toggle-automation-flag-from-network-ioc-based-on-abuseipdb.json)\n- [Curation - Toggle automation flag from URLs based on Google-Safe-Browsing](./blueprints/blueprint_curation---toggle-automation-flag-from-urls-based-on-google-safe-browsing.json)\n\n## How to contribute your workflow blueprints?\n\nIt's very easy. Fork the repository, create a new JSON file with your blueprint and open a pull request.\n\n## License\n\nThe MISP workflows are [dual-licensed](./LICENSE.md) under CC-0 and a simple 2-clause BSD license.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmisp%2Fmisp-workflow-blueprints","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmisp%2Fmisp-workflow-blueprints","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmisp%2Fmisp-workflow-blueprints/lists"}