MISP
/
misp-training
mirror of https://github.com/MISP/misp-training
2
0
Fork 0
Code Issues Releases Wiki Activity

chg: [firstcon23:misp-worflow] Added Should I migrate and more ideas

pull/24/head
Sami Mokaddem 2023-06-03 11:25:18 -04:00
parent 0f2704fc5d
commit 424ecd0b28
No known key found for this signature in database
GPG Key ID: 164C473F627A06FA
2 changed files with 22 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
events/20230605-FIRSTCON23-Workflows/content.tex
View File

@ -22,7 +22,7 @@
\hspace*{0.25em} \hspace*{0.25em}
\begin{itemize} \begin{itemize}
\item Needs CRON Jobs in place \item Needs CRON Jobs in place
\item Heavy for the server \item Potentially heavy for the server
\item Not realtime \item Not realtime
\end{itemize} \end{itemize}
\vspace*{1em} \vspace*{1em}
@ -1004,13 +1004,32 @@ jq '.[] | select(.meta."module-type"[] | contains("action")) |
\end{center} \end{center}
\end{frame} \end{frame}
\begin{frame}
\frametitle{Should I migrate to MISP Workflows}
I have automation in place using the API / ZMQ. Should I move to Workflows?
\vspace{1em}
\begin{itemize}
\item I (have/am planning to create) a curation pipeline using the API, should I port them to workflows?
\begin{itemize}
\item \textbf{No} in general, but WF can be used to start the curation process
\end{itemize}
\item What if I want to \textbf{block} some actions
\begin{itemize}
\item Put the blocking logic in the WF, the remaining outside
\end{itemize}
\item Currently, workflows with \textbf{ lots of node are not encouraged}
\item Bottom line is \textbf{Keep it simple}
\end{itemize}
\end{frame}
\begin{frame} \begin{frame}
\frametitle{More ideas} \frametitle{More ideas}
\begin{itemize} \begin{itemize}
\item Notification when new users join an instance \item Notification when new users join an instance
\item Trigger on any action generating log entries
\item Extend existing MISP behavior: Push correlation in another system \item Extend existing MISP behavior: Push correlation in another system
\item Sanity check to block publishing \item Sanity check to block publishing
\item Automated alerts for high-priority IOCs
\item Assign tasks and notify incident response team members
\item ... \item ...
\end{itemize} \end{itemize}
\end{frame} \end{frame}
@ -1045,7 +1064,7 @@ jq '.[] | select(.meta."module-type"[] | contains("action")) |
\begin{itemize} \begin{itemize}
\item New triggers? \item New triggers?
\item New modules? \item New modules?
\item ... \item What's acheivable
\end{itemize} \end{itemize}
\end{itemize} \end{itemize}
\end{column} \end{column}

BIN
events/20230605-FIRSTCON23-Workflows/slide.pdf Normal file
View File

Binary file not shown.