misp-training/a.12-misp-workflows-short/content.tex

524 lines
17 KiB
TeX
Raw Normal View History

% DO NOT COMPILE THIS FILE DIRECTLY!
% This is included by the other .tex files.
\begin{frame}[t,plain]
\titlepage
\end{frame}
\begin{frame}
\frametitle{Content of the presentation}
\huge
\begin{enumerate}
\item Automation in MISP
\vspace{0.5em}
\item MISP Workflows
\begin{itemize}
\Large
\item Fundamentals
\item Demo with examples
\item Using the system
\item How it can be extended
\end{itemize}
\end{enumerate}
\end{frame}
\begin{frame}
\frametitle{Automation in MISP: What already exists?}
\includegraphics[valign=m,width=16px]{pictures/python-logo.png}\hspace*{0.5em} \textbf{MISP API / PyMISP}
\hspace*{0.25em}
\begin{itemize}
\small
\item Needs CRON Jobs in place
\item Potentially heavy for the server
\item Not realtime
\end{itemize}
\vspace*{1em}
\includegraphics[valign=m,width=16px]{pictures/zeromq.png}\hspace*{0.5em} \textbf{PubSub channels}
\hspace*{0.25em}
\begin{itemize}
\small
\item After the actions happen: No feedback to MISP
\item Tougher to put in place \& to share
\item Full integration amounts to develop a new tool
\end{itemize}
\vspace*{1.5em}
\begin{large}
$\rightarrow$ No way to \textbf{prevent} behavior\\
$\rightarrow$ Difficult to setup \textbf{hooks} to execute callbacks
\end{large}
\end{frame}
\begin{frame}
\frametitle{Simple automation in MISP made easy}
\begin{center}
\includegraphics[width=0.3\linewidth]{pictures/automation.png}
\end{center}
\begin{itemize}
\item \textbf{Visual} dataflow programming
\item \textbf{Drag \& Drop} editor
\item Flexible \textbf{Plug \& Play} system
\item \textbf{Share} workflows, \textbf{debug} and \textbf{replay}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Example of use-cases}
\begin{itemize}
\item \textbf{Notification} on specifc actions
\begin{itemize}
\item New events matching criteria
\item New users
\item Automated alerts for high-priority IOCs
\end{itemize}
\item \textbf{Extend} existing MISP behavior
\begin{itemize}
\item Push data to another system
\item Automatic enrichment
\item Sanity check to block publishing / sharing
\item Curation pipelines
\end{itemize}
\item \textbf{Hook} capabilities
\begin{itemize}
\item Assign tasks and notify incident response team members
\end{itemize}
\item ...
\end{itemize}
\end{frame}
% \section{Workflow - Fundamentals}
\begin{frame}
\frametitle{
\huge
Workflow - Fundamentals
\vspace{1em}
}
\textbf{Objective:} Start with the foundation to understand the basics
\begin{center}
\includegraphics[width=0.07\linewidth]{pictures/fundation}
\end{center}
\end{frame}
\begin{frame}
\frametitle{How does it work}
\begin{center}
\frame{\includegraphics[width=0.6\linewidth]{pictures/event-condition-action.png}}
\end{center}
\begin{enumerate}
\item An \textbf{event} happens in MISP
\item \textit{\scriptsize (optional)} Check if all \textbf{conditions} are satisfied
\item Execute all \textbf{actions}
\begin{itemize}
\item May prevent MISP to complete its original event
\end{itemize}
\end{enumerate}
\end{frame}
\begin{frame}
\frametitle{What kind of events?}
\includegraphics[width=60px]{pictures/sc-event.png}
\vspace*{0.5em}
\begin{itemize}
\item New MISP Event
\item Attribute has been saved
\item New discussion post
\item New user created
\item Query against third-party services
\item ...
\end{itemize}
\vspace*{1em}
{\Large \faIcon{question-circle}} Supported events in MISP are called \textbf{Triggers}\\
{\Large \faIcon{question-circle}} A \textbf{Trigger} is associated with \textbf{1-and-only-1 Workflow}
\end{frame}
\begin{frame}
\frametitle{Triggers currently available}
Currently 11 triggers can be hooked. 3 being \includegraphics[width=36px]{pictures/blocking-workflow.png}.
\begin{center}
\includegraphics[width=1.0\linewidth]{pictures/triggers.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{What kind of conditions?}
\vspace*{0.25em}
\includegraphics[width=70px]{pictures/sc-condition.png}
\vspace*{0.25em}
\begin{itemize}
% \colorbox{red!100}{\textcolor{white}{\texttt{tlp:red}}}
\item A MISP Event is tagged with \texttt{tlp:red}
\item The distribution of an Attribute is a sharing group
\item The creator organisation is \texttt{circl.lu}
\item Or any other \textbf{generic} conditions
\end{itemize}
\vspace*{0.5em}
{\Large \faIcon{question-circle}} These are also called \textbf{Logic modules}
\begin{center}
\includegraphics[width=0.43\textwidth]{pictures/logic-module.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Workflow - Logic modules}
\begin{itemize}
\item \includegraphics[width=12px]{pictures/sc-condition-icon.png} \textbf{logic} modules: Allow to redirect the execution flow.
\begin{itemize}
\item IF conditions
\item Delay execution
\end{itemize}
\end{itemize}
\begin{center}
\includegraphics[width=1.0\linewidth]{pictures/logic-module-index.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{What kind of actions?}
\vspace*{0.25em}
\includegraphics[width=60px]{pictures/sc-action.png}
\vspace*{0.25em}
\begin{itemize}
\item Send an email notification
\item Perform enrichments
\item Send a chat message on MS Teams
\item Attach a local tag
\item ...
\end{itemize}
\vspace*{0.5em}
{\Large \faIcon{question-circle}} These are also called \textbf{Action modules}
\begin{center}
\includegraphics[width=0.43\textwidth]{pictures/action-module.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Workflow - Action modules}
\begin{itemize}
\item \includegraphics[width=12px]{pictures/sc-action-icon.png} \textbf{action} modules: Allow to executes operations
\begin{itemize}
\item Tag operations
\item Send notifications
\item Webhooks \& Custom scripts
\end{itemize}
\end{itemize}
\begin{center}
\includegraphics[width=0.95\linewidth]{pictures/action-module-index.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{What is a MISP Workflow?}
\begin{itemize}
\item Sequence of all nodes to be executed in a specific order
\item Workflows can be enabled / disabled
\item A Workflow is associated to \textbf{1-and-only-1 trigger}
\end{itemize}
\vspace*{0.5em}
\begin{center}
\frame{\includegraphics[width=1.0\linewidth]{pictures/simple-workflow.png}}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Sources of Workflow modules (0)}
Currently 36 built-in modules.
\vspace{1em}
\begin{itemize}
\item \textbf{Trigger} module (11): built-in \textbf{only}
\begin{itemize}
\item Get in touch if you want more
\end{itemize}
\item \textbf{Logic} module (10): built-in \& \textbf{custom}
\item \textbf{Action} module (20): built-in \& \textbf{custom}
\end{itemize}
\vspace*{2.0em}
\end{frame}
\begin{frame}
\frametitle{Sources of Workflow modules (1)}
\begin{itemize}
\item Built-in \textbf{default} modules
\begin{itemize}
\item Part of the MISP codebase
\item Get in touch if you want us to increase the selection (or merge PR!)
\end{itemize}
\end{itemize}
\vspace*{0.5em}
\begin{center}
\includegraphics[width=0.8\linewidth]{pictures/module-buffet.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Sources of Workflow modules (2)}
User-defined \textbf{custom} modules
\vspace*{0.5em}
\begin{columns}
\begin{column}{0.5\textwidth}
\begin{itemize}
\item Written in PHP
\item Extend existing modules
\item MISP code reuse
\end{itemize}
\end{column}
\begin{column}{0.5\textwidth}
\includegraphics[width=1.0\linewidth]{pictures/php-joke.jpg}
\end{column}
\end{columns}
\end{frame}
\begin{frame}
\frametitle{Sources of Workflow modules (3)}
Modules from the \includegraphics[width=0.20\linewidth]{pictures/misp-module-icon.png} \textbf{enrichment service}
\vspace*{0.5em}
\begin{columns}
\begin{column}{0.50\textwidth}
\begin{itemize}
\item Written in Python
\item Can use any python libraries
\item Plug \& Play
\end{itemize}
\end{column}
\begin{column}{0.50\textwidth}
\includegraphics[width=1.0\linewidth]{pictures/python-joke.png}
\end{column}
\end{columns}
\end{frame}
\begin{frame}
\frametitle{Demo by examples}
\begin{enumerate}
\item[WF-1.] Send an email to \textbf{all admins} when a new event has been pulled
\vspace*{2em}
\item[WF-2.] Block queries on 3rd party services when \textbf{tlp:red} or \textbf{PAP:red}
\begin{itemize}
\item \textbf{tlp:red}: For the eyes and ears of individual recipients only
\item \textbf{PAP:RED}: Only passive actions that are not detectable from the outside
\end{itemize}
\end{enumerate}
\end{frame}
\begin{frame}
\frametitle{Demo WF-1: Send an email to \textbf{all admins} when a new event has been pulled}
\begin{center}
\includegraphics[width=1.0\linewidth]{pictures/demo-wf1.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Demo WF-2: Block queries on 3rd party services when \textbf{tlp:red} or \textbf{PAP:red}}
\begin{itemize}
\small
\item \textbf{tlp:red}: For the eyes and ears of individual recipients only
\item \textbf{PAP:RED}: Only passive actions that are not detectable from the outside
\end{itemize}
\vspace*{1em}
\begin{center}
\includegraphics[width=1.0\linewidth]{pictures/demo-wf2.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Getting started with workflows}
\centering
{\Large Everything is ready?}\\
\vspace*{3em}
{\LARGE Let's see how to build a workflow!}
\begin{center}
\includegraphics[width=24px]{pictures/build-icon.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Creating a workflow with the editor}
\begin{enumerate}
\item \underline{Prevent} event publication \texttt{\bf \large if tlp:red} tag
\begin{itemize}
\item \underline{Send a mail} to \texttt{\scriptsize admin@admin.test} about potential data leak
\end{itemize}
\item \texttt{\bf \large else}, \underline{send a notification} on Mattermost
\end{enumerate}
\end{frame}
% \section{Considerations when working with workflows}
\begin{frame}
\frametitle{
\huge
Considerations when working with workflows
\vspace{1em}
}
\textbf{Objective:} Overview of some common pitfalls
\begin{center}
\includegraphics[width=24px]{pictures/radar.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Working with the editor - Operations not allowed}
Execution loop are not authorized
\vspace*{1em}
\begin{columns}
\begin{column}{0.7\textwidth}
\frame{\includegraphics[width=1.0\linewidth]{pictures/editor-not-allowed-1.png}}
\end{column}
\begin{column}{0.3\textwidth}
\frame{\includegraphics[width=1.0\linewidth]{pictures/infinite-loop.jpg}}
\end{column}
\end{columns}
\end{frame}
\begin{frame}
\frametitle{Recursive workflows}
\frame{\includegraphics[width=1.0\linewidth]{pictures/recursive-workflow.png}}
\danger Recursion: If an action re-run the workflow
\end{frame}
\begin{frame}
\frametitle{Working with the editor - Operations not allowed}
Multiple connections from the same output
\vspace*{1em}
\begin{columns}
\begin{column}{0.7\textwidth}
\frame{\includegraphics[width=1.0\linewidth]{pictures/editor-not-allowed-2.png}}
\end{column}
\begin{column}{0.3\textwidth}
\frame{\includegraphics[width=1.0\linewidth]{pictures/two-paths.jpeg}}
\end{column}
\end{columns}
\begin{itemize}
\item Execution order not guaranted
\item Confusing for users
\end{itemize}
\end{frame}
% \section{Advanced usage}
\begin{frame}
\frametitle{
\huge
Advanced usage
\vspace{1em}
}
\textbf{Objective:} Overview of Blueprints, Data format and Filtering
\end{frame}
\begin{frame}
\frametitle{Workflow blueprints}
\begin{enumerate}
\item Blueprints allow to \textbf{re-use parts} of a workflow in another one
\item Blueprints can be saved, exported and \textbf{shared}
\end{enumerate}
\begin{center}
\includegraphics[width=0.5\linewidth]{pictures/blueprint-debugging.png}
\end{center}
Blueprints sources: \texttt{\scriptsize MISP/misp-workflow-blueprints} repository\footnote{\scriptsize https://github.com/MISP/misp-workflow-blueprints}
\begin{itemize}
\small
\item Block actions if any attributes have the \texttt{PAP:RED} or \texttt{tlp:red} tag
\item Curation pipeline
\item Enrich data from 3rd-party
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Fitlering data on which to apply a module}
What is the outcome of executing this workflow?
\begin{center}
\includegraphics[width=1.0\textwidth]{pictures/remove-ids-1.png}
\end{center}
\pause
\vspace{1em}
All Attributes get their \texttt{to\_ids} turned off.\\
\vspace{1em}
How could we force that action only on Attribute of type \texttt{comment}?
\begin{center}
$\rightarrow$ Hash path filtering!
\end{center}
\end{frame}
\begin{frame}
\frametitle{Fitlering data on which to apply a module}
\begin{center}
\includegraphics[width=0.5\textwidth]{pictures/remove-ids-3.png}
\end{center}
\begin{center}
\includegraphics[width=0.9\textwidth]{pictures/remove-ids-2.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Fitlering data on which to apply a module}
\begin{center}
\includegraphics[width=0.5\textwidth]{pictures/remove-ids-3.png}
\end{center}
\begin{center}
\includegraphics[width=0.9\textwidth]{pictures/remove-ids-2-details.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Fitlering data on which to apply on multiple modules}
New feature as of \textbf{v2.4.171} allows setting filters on a path.
\begin{center}
\includegraphics[width=1.0\textwidth]{pictures/remove-ids-generic.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Should I migrate to MISP Workflows}
I have automation in place using the API/ZMQ. Should I move to Workflows?
\vspace{1em}
\begin{itemize}
\item I have a curation pipeline using the API, should I port it to workflows?
\begin{itemize}
\item \textbf{No} in general, but WF can be used to start the curation process or perform simple pre-processing
\end{itemize}
\item What if I want to \textbf{block} some actions
\begin{itemize}
\item Put the blocking logic in the WF, keep the remaining outside
\end{itemize}
\item Bottom line is \textbf{Keep it simple} for you to maintain
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Future works}
\begin{columns}
\begin{column}{0.55\textwidth}
\begin{itemize}
\item More \includegraphics[width=12px]{pictures/sc-action-icon.png} modules
\item More \includegraphics[width=12px]{pictures/sc-condition-icon.png} modules
\item More \includegraphics[width=12px]{pictures/sc-event-icon.png} triggers
\item Recursion prevention system
\end{itemize}
\end{column}
\begin{column}{0.45\textwidth}
\includegraphics[width=1.0\linewidth]{pictures/future-works.jpeg}
\end{column}
\end{columns}
\end{frame}
\begin{frame}
\frametitle{Final words}
\begin{columns}
\begin{column}{0.6\textwidth}
\begin{itemize}
\item Designed to \textbf{quickly} and \textbf{cheaply} integrate MISP in CTI pipelines
\item \underline{\textbf{Beta}} Feature unlikely to change. But still..
\item Waiting for feedback!
\begin{itemize}
\item New triggers?
\item New modules?
\end{itemize}
\end{itemize}
\end{column}
\begin{column}{0.4\textwidth}
\includegraphics[width=1.0\linewidth]{pictures/feeling-of-power.jpg}
\end{column}
\end{columns}
\vspace*{0.5em}
\end{frame}