MISP sharing groups
Sharing groups in MISP are a more granular way to create reusable distribution lists for events and attributes. They allow users to include organisations from their own instance (local organisations) as well as organisations from directly or indirectly connected instances (external organisations).
For a possible future project I had to document whether sharing groups are an answer for a sort of multi-tenancy for sharing threat events within MISP.
Sharing groups certainly provide an answer, as long as you are aware of their limitations. With a sharing group you can:
- Reuse the code base or application for different organisations (tenants) in MISP;
- Limit the access to the information based on the organisation (tenant);
- Use the same infrastructure to provide meaningful results.
Sharing groups, however, do not provide truly separate databases; the separation of data is done in software. In practice this is not much different from how cloud providers separate information between different customers, or tenants.
There’s a video that demonstrates sharing groups: https://vimeo.com/710012285.
The video is part of the MISP Tip of the Week repository.
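The software-enforced separation described above, as a simplified model (an added example, not MISP's own code and not part of the original post): all tenants' events sit in one store and a per-organisation check decides what each organisation sees. The class, function and organisation names are assumptions made for illustration; the distribution levels 0 to 4 are the ones MISP uses.

```python
from dataclasses import dataclass, field
from typing import Optional

# MISP distribution levels for events and attributes.
ORG_ONLY, COMMUNITY, CONNECTED, ALL, SHARING_GROUP = 0, 1, 2, 3, 4

@dataclass
class SharingGroup:
    id: int
    name: str
    orgs: set = field(default_factory=set)  # local and external member organisations

@dataclass
class Event:
    id: int
    owner: str                               # organisation that owns the event
    distribution: int
    sharing_group_id: Optional[int] = None

def can_view(org, event, groups, site_admin=False):
    """Decide whether `org` may read `event`; this filter is the only tenant boundary."""
    if site_admin or event.owner == org:
        return True          # instance administrators are not bound by the separation
    if event.distribution == ORG_ONLY:
        return False
    if event.distribution == SHARING_GROUP:
        group = groups.get(event.sharing_group_id)
        # Fail closed: an unknown or missing sharing group grants nothing.
        return group is not None and org in group.orgs
    return True              # community-level distributions: every org on the instance

def visible_events(org, events, groups):
    """Apply the filter to the single shared event store."""
    return [e.id for e in events if can_view(org, e, groups)]

# Constructed sample data: one store holding the events of several tenants.
GROUPS = {10: SharingGroup(10, "X", {"ORGA", "ORGB"})}
EVENTS = [
    Event(1, "ORGA", SHARING_GROUP, 10),  # shared with sharing group "X" only
    Event(2, "ORGA", ORG_ONLY),
    Event(3, "ORGB", COMMUNITY),
    Event(4, "ORGA", SHARING_GROUP, 99),  # references a group that does not exist
]

if __name__ == "__main__":
    for tenant in ("ORGA", "ORGB", "ORGC"):
        print(tenant, visible_events(tenant, EVENTS, GROUPS))
```

The `site_admin` branch is the limitation to keep in mind when treating sharing groups as multi-tenancy: whoever administers the instance sits above the filter.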
Thanks, let's say ORGA created a sharing group “X” to only include ORGB.
ORGB has ORGC in their community and they also created a syncing user for ORGC.
Will ORGC be able to pull events shared by ORGA to ORGB that have the sharing group “X”?