From 2c352dcbab9d1b1efafc8daa2349b6f34a6eaabe Mon Sep 17 00:00:00 2001 From: Christian Studer Date: Tue, 11 Oct 2022 23:59:41 +0200 Subject: [PATCH] wip: [cti-summit] Added slides and content - Most of the ideas are there - We'll finish adding the different points - Then we'll add screenshots to provide examples to the different features presented --- .../2022/misp-stix/.content.tex.swp | Bin 16384 -> 0 bytes events/misp-summit/2022/misp-stix/content.tex | 117 ++++++++++++------ 2 files changed, 82 insertions(+), 35 deletions(-) delete mode 100644 events/misp-summit/2022/misp-stix/.content.tex.swp 
diff --git a/events/misp-summit/2022/misp-stix/.content.tex.swp b/events/misp-summit/2022/misp-stix/.content.tex.swp deleted file mode 100644 index 7eae629c6036e622c125ece3ad52453dc77eff16..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16384 zcmeI3ONbmr7{@D#@tLUcLBNAld<2Bunca<#5Hu2#)vRW-Lv~FfnV>!0H8W*;x;kCe zyE|D{MNve&=t1$KBBCCG4-h>F;z1M<^`PKEMZ5?qs0a#zuYXl{Pxnq{XI29uQWJj6 z%yxbC_}BM+)l*%mjqIP8q+3g41g~=mdG)?s?nmcbuzFqfG~zZRE~71;zSQp}V&3m^ z=h|Iah2;iU<;jWZN?An?4|veH(tKmHEKsuC;xZhTajS(=VtKI;>^Z)Gk|7YhA@)CFvJPsZP_kg>>Q7{dz2OGf;XA|-% zcn;hPe6R;x2{wY?))VqIcoQ54PlKnxBS3*Wz;>`1tO8%GBjjE18h8{O16P30&m!a< z@G5u#JP)1#3!n+g;9_td*Z|gmx6dTxW$+-F0@r}E!0|H(c?{eSroeSz6pVmNz$xIz z(_s&egZn@QYy)e-&!-XcK8S$}4uJh&H`oAvKb4U0z{lW8unk-WeqBq*SKu-5(axe!A}L&;RgS;Xg=(!%_c2$rT4=*j zTm*~TXc&oE?lCHzR_HU?!)~{jqaOFDYBI{Dj2Ue@VaS3`(Q1t~c(9-wS<-aUY{h4e zWSw?ArX23)?IeW`9nNbr0(94|qgt9-Q{IW4BR^4WscQVANdP(+H>;)d)rnVOoyi-efj zOuv|6^ps`LoKK2~QN^T^x>;vdU>=#*VAR!fvaDK@m|z?QqP(TugTY@E(Vft*UPCm0 zH%_(_r-FD8i&*wH?m3Fwd^!$|GHxuDXwm7JiG#E*qL!nobsI+=M`bfz6xV)|sPXEi@z!+Vlv=WmKsUeUBh zNkw4dE)tH{azbM4brmbr5xrpZT;}44+MVbPB;mEli8zzFu05gy$G##~M(=y+U_xr5 zqoqj?W+t-U=SKZUe1KQXz|@s#A>d_r}} zViq)(`!Pj2lyq+EcBjmFnU_~Gz$->e_%}pHOJhTHtTaNiXk$Us3EV*j7!< zvnxE7OKJ2kPRIalD-Im8j&y`HgKCp0yLozQZ<@d8@OIi@h-{s)ObHz@X##;a$3CJG zozWU~dVy(3=fQY@sjg7plCr&|%WX5x~isO_EW2WufaLcvw_$K_0k%?CD7jo7|O$ zr0e+Xx{=bB!wbBHXqIIu{8(q;QW!K6!?fSUx{BSNL2omomGw%y%hH>l0sdmLXL199 zyD$?O$#RUSmyIzkc>yTdVlEttSG)Q1rC-ZzZ%blb`xSXP{&sV;* zS0V>10mQ}PfrY_@P=2fRx9{V2>D5uSLnxiB!ack`O(2C8xl^c@=jHBxW4a=D_q3N) zapL#nBm1ZGZW6~1*Tn*55{_0}i#^Sp$Zh8RAK)LxBaoy!2KnI3C6miL7kiDXV2}u$ z%b42@=mnN{eWPkxG|8=Fnb)2=pK;T1b8NhD(^GJezDq?~30Cy9$?OiO)1YxM6E!!) z+*iZMm4#fsB&?SNV{v*-AJK*$Pv7~in%ngd*<#S`O zkVk86ljj7YHlq4qe6k>vP3ICW z$}RlhF8A9vUpnArYfC!SYpbNVM=&GIJ}tHvl!)DCvQ-(M-0t%ZJQb=l=GE|gK|g82 LL(8tMW(f2bhm4(W diff --git a/events/misp-summit/2022/misp-stix/content.tex b/events/misp-summit/2022/misp-stix/content.tex index 72196da..517268d 100755 
--- a/events/misp-summit/2022/misp-stix/content.tex +++ b/events/misp-summit/2022/misp-stix/content.tex @@ -24,19 +24,27 @@ \end{frame} \begin{frame} - \frametitle{Limitations} + \frametitle{STIX conversion usage in MISP} +\end{frame} + +\begin{frame} + \frametitle{Feature limitations} \begin{itemize} - \item Feature limitations + \item Supported versions \begin{itemize} - \item Supported versions - \item Data type support + \item 1.1.1 XML (\& JSON) + \item 2.0 \end{itemize} + \item Data type support + \end{itemize} +\end{frame} + +\begin{frame} + \frametitle{Practical limitations} + \begin{itemize} + \item Export and import features only available via MISP rest client \item [] - \item Practical limitations - \begin{itemize} - \item Export and import features only available via MISP rest client - \item {\bf Github}: STIX issues lost within the MISP core issues - \end{itemize} + \item {\bf Github}: STIX issues lost within the MISP core issues \end{itemize} \end{frame} @@ -47,20 +55,6 @@ \end{center} \end{frame} -\begin{frame} - \frametitle{Handling the conversion with a python library} - \begin{itemize} - \item Revamp of the source code - \item Enable a standalone use of the python code - \begin{itemize} - \item MISP JSON format -> STIX - \item Pass files with MISP JSON format -> get file with the export results in STIX - \end{itemize} - \item [] - \item Possible integration within python code - \end{itemize} -\end{frame} - \begin{frame} \frametitle{Key features} \begin{itemize} 
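Review bot: The re-added line `+ \item {\bf Github}: STIX issues lost within the MISP core issues` keeps the plain-TeX `\bf` font switch, which is flagged as obsolete by l2tabu/nag and does not nest with `\emph`; write it as `\item \textbf{GitHub}: STIX issues lost within the MISP core issues`. The same `{\bf …}` form is carried into the `@@ -72,28 +66,81 @@` hunk (`{\bf stand-alone}`, `{\bf STIX 2 -> MISP import feature}` and inside the custom-STIX footnote), so one pass replacing them with `\textbf{…}` would cover all of them. The new frame `STIX conversion usage in MISP` contains only a `\frametitle` and will render as a blank slide until its body lands; a `% TODO: slide content still to be written` comment inside the frame would make the placeholder obvious to whoever picks up the deck.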
@@ -72,28 +66,81 @@ \item Various MISP data collection supported \item[] \item {\bf Mapping documentation} - \item Package available on PyPI\footnote{https://pypi.org/project/misp-stix/} + \end{itemize} \end{frame} \begin{frame} - \frametitle{Work in Progress \& Next improvements} + \frametitle{Handling the conversion with a python library} \begin{itemize} - \item WiP + \item Used in MISP built-in export modules + \item [] + \item Enable a {\bf stand-alone} use of the python code (i.e command line) \begin{itemize} - \item {\bf Implement the import feature} - \item Support of existing STIX objects libraries\footnote{https://github.com/mitre/cti} + \item Pass filenames \& get the converted content written in 1 or more result file(s) \end{itemize} - \item Next features on the roadmap + \item Possible integration within python code \begin{itemize} - \item Extend the export feature to any kind of data collection - \item Support custom STIX format\footnote{Especially while importing STIX data, {\bf and as long as we can implement support of well defined versions}} + \item Give it a list of filenames + \item MISP standard format <-> STIX + \begin{itemize} + \item JSON or PyMISP + \end{itemize} \end{itemize} - \item Continuous improvement + \end{itemize} +\end{frame} + +\begin{frame} + \frametitle{Library usage} +\end{frame} + +\begin{frame} + \frametitle{Mapping documentation} + \begin{itemize} + \item Mapping overview \begin{itemize} - \item Mapping improvement - \item More tests to avoid edge case issues + \item Quick overview on how MISP data structures are mapped with STIX objects \end{itemize} + \item Detailed mapping + \begin{itemize} + \item Extended explanation on how each granular data is mapped with STIX objects fields + \end{itemize} + \end{itemize} +\end{frame} + +\begin{frame} + \frametitle{Work in Progress} + \begin{itemize} + \item {\bf STIX 2 -> MISP import feature} + \item Better support of Custom Galaxy clusters + \item [] + \item Decisions on how to 
import non Indicator or Observable data + \begin{itemize} + \item Attack Patterns, Threat Actors, etc. are contextual data on MISP + \item Ongoing discussions to define whether we import those STIX objects as MISP Galaxy clusters or MISP Attribute / Object + \end{itemize} + \end{itemize} +\end{frame} + +\begin{frame} + \frametitle{Continuous development} + \begin{itemize} + \item Better support of existing STIX objects libraries\footnote{https://github.com/mitre/cti} + \item Support custom STIX format\footnote{Especially while importing STIX data, {\bf and as long as we can implement support of well defined versions}} + \item [] + \item Mapping improvement + \begin{itemize} + \item MISP object templates -> STIX + \item Improve the STIX 2 patterns \& Observable objects -> MISP + \end{itemize} + \end{itemize} +\end{frame} + +\begin{Next improvements} + \begin{itemize} + \item Extend the export feature to any kind of data collection + \item Add notes on any data structure + \item Sight any data \end{itemize} \end{frame} @@ -117,7 +164,7 @@ \end{frame} \begin{frame} - \frametitle{To get in touch with us} + \frametitle{Useful links} \begin{itemize} \item \url{https://github.com/MISP/misp-stix} \item \url{https://github.com/MISP/misp-stix/tree/main/documentation}
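Review bot: `+\begin{Next improvements}` opens an environment that does not exist and is later closed by the context line `\end{frame}`, so the file will not compile (`\begin{Next improvements} ended by \end{frame}`); it should read `\begin{frame}` followed by `\frametitle{Next improvements}`, matching every other slide in this hunk. The footnotes moved into the `Continuous development` frame pass bare URLs to `\footnote{}` (`\footnote{https://github.com/mitre/cti}`), while the links slide in the `@@ -117,7 +164,7 @@` hunk already uses `\url{}`; `\footnote{\url{https://github.com/mitre/cti}}` keeps the deck consistent, makes the link clickable under hyperref and avoids special-character breakage in longer URLs. The arrows typed as `->` and `<->` in text mode (`MISP standard format <-> STIX`, `MISP object templates -> STIX`) render as inverted punctuation unless T1 font encoding is loaded, which I cannot see from this hunk; `$\to$` and `$\leftrightarrow$` would be safe regardless of the preamble.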