MISP
/
misp-training
mirror of https://github.com/MISP/misp-training
2
0
Fork 0
Code Issues Releases Wiki Activity

Merge branch 'main' of github.com:MISP/misp-training into main

pull/15/head
iglocska 2021-11-18 00:38:00 +01:00
parent ad950e3736 8f27d27551
commit 51bf3e957f
No known key found for this signature in database
GPG Key ID: BEA224F1FEF113AC
14 changed files with 1763 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

73
cheatsheets/cheatsheet-concept-fr.tex Normal file
View File

@ -0,0 +1,73 @@
\begin{center}{
\huge{\textbf{MISP Concepts Cheat sheet (FR)}}}\\
\end{center}
\begin{multicols*}{2}
\cheatboxlarge{Glossary}{
\boxentry{Correlations}{Relations créées automatiquement depuis un \attribute. Elles permettent l'inter-connexion entre \events basés sur leurs \attributes.}
\boxentry{Correlation engine}{Système utilisé par MISP pour créer des correlations entre la valeur des \attribute. Il supporte actuellement la comparaison stricte de chaines de caractères, SSDEEP et les blocks CDIR.}
\boxentry{Caching}{Processus de récupération de données d'une instance ou d'un feed afin de sauver les hashs des valeurs récupérées servant à la corrélation et la recherche.}
\boxentry{Delegation}{Acte de transférer la propriété d'un event vers une autre organisation tout en cachant le créateur original afin de garantir l'anonymat}
\boxentry{Deletion (hard/soft)}{\textit{Hard deletion} est l'acte de supprimer un element du système; Cela ne va pas révoquer la donnée sur les autres systèmes contrairement à la \textit{Soft deletion} où la révocation est propagée sur le réseau d'instances connectées.}
\boxentry{Extended Event}{\event qui en étend un autre, permetant d'avoir une vue combinée. L'organisation qui a étendu l'\event est le propriétaire de l'extension . Cela permet à n'importe qui d'étendre n'importe quel \events et d'en avoir le contrôle.}
\boxentry{\galaxy Matrix}{Matrice dérivée d'un \clusters appartenant à la même \galaxy. La structure (pages et colones) est définie au niveau de la \galaxy et son contenu provient des méta-données des \clusters.}
\boxentry{Indicators}{\attribute contenant un pattern utile pour détecter une activité suspicieuse ou malveillante. Ils ont souvent la propriété \texttt{to\_ids} activée.}
\boxentry{Orgc / Org}{\textit{L'organisation créatrice} (\textbf{Orgc}) est l'organisation qui a créé les données et qui est la seule à pouvoir les modifier. \textit{L'organisation propriétaire} (\textbf{Org}) est l'organisation qui possède les données et qui peut consulter le contenu. \textbf{Orgc} \& \textbf{Org} ne sont pas nécessairement les mêmes organisations.}
\boxentry{Publishing}{Action de déclarer qu'un \event peut être synchronisé. Ce processus peut aussi envoyer des notifications et permet certains types de format d'export.}
\boxentry{Pulling}{Action d'utiliser un utilisateur depuis une autre instance pour récupérer les données accessibles et les stoquer localement.}
\boxentry{Pushing}{Action d'utiliser une connexion via un \textit{sync. user} pour envoyer des données à une autre instance.}
\boxentry{Synchronisation}{Est l'échange de données entre deux (ou plus) instances MISP par le mécanisme de \textit{pull} ou \textit{push}.}
\boxentry{Sync. filtering rule}{Peuvent être appliquées sur un lien de synchronisation pour le \textit{pull} ou \textit{push} afin de bloquer ou pemettre à des données d'être transférées.}
\boxentry{Sync. User}{Rôle spécial pour un utilisateur donnant des permissions de synchronisation supplémentaires. L'utilisation des \textit{sync users} est la manière recommandée de configurer la synchronisation via \textit{push}.}
\boxentry{Proposals}{Mécanisme pour proposer des modifications à l'organisation créatrice (\textbf{Orgc}). Si un chemin entre les instances existe, le \proposal pourra être synchronisé permetant au créateur de l'accepter ou de le refuser.}
}
\columnbreak
\input{graphs/cheatsheet-concept-distributiongraph.tex}
\cheatboxlarge[Contrôle qui peut voir les données et comment elles doivent être synchronisées.]{Distribution}{
\boxentry{Organisation only}{Seulement les membres de l'organisation}
\boxentry{This community}{Les organisations sur l'instance MISP}
\boxentry{Connected Communities}{Les organisations sur l'instance et celles d'autres instances se synchronisant dessus. Lorsque les données sont reçues, leur distribution est réduite à \texttt{This community} afin d'éviter d'autres propagations. ($n\leq 1$)}
\vspace*{-0.7em}
\begin{center}
\createdistrilegend
\hspace*{1em}
\distrigraph{2}
\end{center}
\boxentry{All Communities}{Tous ceux ayant accès. Les données seront propagées librement dans le réseau d'instances connectées. ($n = \infty$)}
\vspace*{-0.7em}
\begin{center}\distrigraph{3}\end{center}
\boxentry{\linkdest{sharinggroup}Sharing Groups}{Liste de distribution qui énumère la liste des organisations ayant accès aux données et comment celles-ci doivent être synchronisées.}
\begin{multicols*}{2}
\begin{center}
\begin{tabular}{| l | l |}
\hline
\multicolumn{2}{|c|}{\sharinggroup configuration} \\
\hline
\multirow{3}{*}{Organisations} & Org. $\alpha$\\
& Org. $\omega$\\
& Org. $\gamma$\\
\hline
\multirow{3}{*}{Instances*} & MISP 1\\
& MISP 2\\
& MISP 3\\
\hline
\end{tabular}\\
*Ou activé le mode roaming à la place
\end{center}
\columnbreak
\begin{center}
\input{graphs/cheatsheet-concept-sharinggroupgraph.tex}
\end{center}
\end{multicols*}
}
\cheatboxlarge[L'acte de partager où tout le monde peut être un consommateur et/ou un producteur.]{Synchronisation}{
Une synchronisation dans un sens entre deux instances MISP. L'organisation $\alpha$ avait créé un \textit{sync user} \faicon{user-plus} sur MISP 2 et a noté la clé API générée. Un lien de synchronisation peut être créé sur MISP 1 en utilisant cette clé API et l'organisation du \textit{sync user}. Dès lors, MISP 1 peut \textit{pull} des données depuis MISP 2 et \textit{push} des données vers MISP 2.
\begin{center}
\input{graphs/cheatsheet-concept-syncgraph.tex}
\end{center}
}
\end{multicols*}

115
cheatsheets/cheatsheet-fr.tex Normal file
View File

@ -0,0 +1,115 @@
% Template inspired by Drew Ulick
% https://www.overleaf.com/articles/130-cheat-sheet/ntwtkmpxmgrp
\documentclass{article}
\usepackage[landscape]{geometry}
\usepackage{xifthen}
\usepackage{url}
\usepackage{hyperref}
\usepackage{xcolor}
\hypersetup{
colorlinks=true,
linkcolor=black
}
\usepackage{tikz}
\usetikzlibrary{positioning,fit,calc,backgrounds}
\usepackage{xcolor}
\usepackage{enumitem}
\usepackage{amssymb, amsmath,endnotes}
\usepackage{multicol}
\usepackage{multirow}
\usepackage{fontawesome}
\usepackage{xparse}
\usepackage{listings}
\usepackage[utf8]{inputenc}
\usepackage[listings]{tcolorbox}
\tcbuselibrary{listings}
\lstdefinestyle{simple}{ %
basicstyle=\ttfamily,
breaklines = true,
backgroundcolor=\color{gray!30},
}
\lstdefinestyle{bash}{ %
backgroundcolor=\color{gray!30}, % choose the background color; you must add \usepackage{color} or \usepackage{xcolor}; should come as last argument
basicstyle=\ttfamily\footnotesize\color{black}, % the size of the fonts that are used for the code
breakatwhitespace=false, % sets if automatic breaks should only happen at whitespace
breaklines=true, % sets automatic line breaking
escapeinside={\%*}{*)}, % if you want to add LaTeX within your code
extendedchars=true, % lets you use non-ASCII characters; for 8-bits encodings only, does not work with UTF-8
frame=single % adds a frame around the code
keepspaces=true, % keeps spaces in text, useful for keeping indentation of code (possibly needs columns=flexible)
language=bash, % the language of the code
keywordstyle=\bfseries,
morekeywords={GET,POST,PUT,DELETE,... }, % if you want to add more keywords to the set
numbers=left, % where to put the line-numbers; possible values are (none, left, right)
numbersep=5pt, % how far the line-numbers are from the code
numberstyle=\tiny\color{black}, % the style that is used for the line-numbers
rulecolor=\color{black}, % if not set, the frame-color may be changed on line-breaks within not-black text (e.g. comments (green here))
showspaces=false, % show spaces everywhere adding particular underscores; it overrides 'showstringspaces'
showstringspaces=false, % underline spaces within strings only
showtabs=false, % show tabs within strings adding particular underscores
stepnumber=1, % the step between two line-numbers. If it's 1, each line will be numbered
tabsize=2, % sets default tabsize to 2 spaces
}
\lstdefinelanguage{json}{
keywords={GET,POST,PUT,DELETE},
keywordstyle=\color{darkgray!70!black}\bfseries,
identifierstyle=\color{black},
sensitive=false,
comment=[l]{//},
morecomment=[s]{/*}{*/},
commentstyle=\color{purple}\ttfamily,
stringstyle=\color{green!50!black}\ttfamily,
morestring=[b]',
morestring=[b]"
}
\lstdefinestyle{js}{ %
backgroundcolor=\color{gray!30}, % choose the background color; you must add \usepackage{color} or \usepackage{xcolor}; should come as last argument
basicstyle=\ttfamily\footnotesize\color{black}, % the size of the fonts that are used for the code
breakatwhitespace=false, % sets if automatic breaks should only happen at whitespace
breaklines=true, % sets automatic line breaking
escapeinside={\%*}{*)}, % if you want to add LaTeX within your code
extendedchars=true, % lets you use non-ASCII characters; for 8-bits encodings only, does not work with UTF-8
frame=single % adds a frame around the code
keepspaces=true, % keeps spaces in text, useful for keeping indentation of code (possibly needs columns=flexible)
language=json, % the language of the code
% keywordstyle=\bfseries,
% morekeywords={GET,POST,PUT,DELETE,... }, % if you want to add more keywords to the set
numbers=none, % where to put the line-numbers; possible values are (none, left, right)
numbersep=5pt, % how far the line-numbers are from the code
numberstyle=\tiny\color{black}, % the style that is used for the line-numbers
rulecolor=\color{black}, % if not set, the frame-color may be changed on line-breaks within not-black text (e.g. comments (green here))
showspaces=false, % show spaces everywhere adding particular underscores; it overrides 'showstringspaces'
showstringspaces=false, % underline spaces within strings only
showtabs=false, % show tabs within strings adding particular underscores
stepnumber=1, % the step between two line-numbers. If it's 1, each line will be numbered
tabsize=2, % sets default tabsize to 2 spaces
}
\lstset{style=simple}
\title{MISP Cheat Sheet (FR)}
\author{MISP Project}
\date{\today}
\makeatletter
\newcommand{\linkdest}[1]{\Hy@raisedlink{\hypertarget{#1}{}}}
\let\theauthor\@author
\let\thedate\@date
\makeatother
\advance\topmargin-.8in
\advance\textheight3in
\advance\textwidth3in
\advance\oddsidemargin-1.5in
\advance\evensidemargin-1.5in
\parindent0pt
\parskip2pt
\input{utils.tex}
\begin{document}
\input{cheatsheet-concept-fr.tex}
%\newpage
%\input{cheatsheet-data-model.tex}
%\newpage
%\input{cheatsheet-user-admin.tex}
\end{document}

BIN
misp-summit/2021/NVISO - Curating CTI for an MDR service.pdf Normal file
View File

Binary file not shown.

3
misp-summit/2021/misp-stix/build.sh Executable file
View File

@ -0,0 +1,3 @@
export TEXINPUTS=::~/git/misp-training/themes/
echo ${TEXINPUTS}
pdflatex slide.tex

44
misp-summit/2021/misp-stix/content.aux Normal file
View File

@ -0,0 +1,44 @@
\relax
\providecommand\hyper@newdestlabel[2]{}
\@writefile{nav}{\headcommand {\slideentry {0}{0}{1}{1/1}{}{0}}}
\@writefile{nav}{\headcommand {\beamer@framepages {1}{1}}}
\@writefile{nav}{\headcommand {\slideentry {0}{0}{2}{2/2}{}{0}}}
\@writefile{nav}{\headcommand {\beamer@framepages {2}{2}}}
\@writefile{nav}{\headcommand {\slideentry {0}{0}{3}{3/3}{}{0}}}
\@writefile{nav}{\headcommand {\beamer@framepages {3}{3}}}
\@writefile{nav}{\headcommand {\slideentry {0}{0}{4}{4/4}{}{0}}}
\@writefile{nav}{\headcommand {\beamer@framepages {4}{4}}}
\@writefile{nav}{\headcommand {\slideentry {0}{0}{5}{5/5}{}{0}}}
\@writefile{nav}{\headcommand {\beamer@framepages {5}{5}}}
\@writefile{nav}{\headcommand {\slideentry {0}{0}{6}{6/6}{}{0}}}
\@writefile{nav}{\headcommand {\beamer@framepages {6}{6}}}
\@writefile{nav}{\headcommand {\slideentry {0}{0}{7}{7/7}{}{0}}}
\@writefile{nav}{\headcommand {\beamer@framepages {7}{7}}}
\@writefile{nav}{\headcommand {\slideentry {0}{0}{8}{8/8}{}{0}}}
\@writefile{nav}{\headcommand {\beamer@framepages {8}{8}}}
\@setckpt{content}{
\setcounter{page}{9}
\setcounter{equation}{0}
\setcounter{enumi}{0}
\setcounter{enumii}{0}
\setcounter{enumiii}{0}
\setcounter{enumiv}{0}
\setcounter{footnote}{2}
\setcounter{mpfootnote}{0}
\setcounter{beamerpauses}{1}
\setcounter{bookmark@seq@number}{0}
\setcounter{lecture}{0}
\setcounter{part}{0}
\setcounter{section}{0}
\setcounter{subsection}{0}
\setcounter{subsubsection}{0}
\setcounter{subsectionslide}{8}
\setcounter{framenumber}{7}
\setcounter{figure}{0}
\setcounter{table}{0}
\setcounter{parentequation}{0}
\setcounter{theorem}{0}
\setcounter{lstnumber}{1}
\setcounter{section@level}{0}
\setcounter{lstlisting}{0}
}

115
misp-summit/2021/misp-stix/content.tex Executable file
View File

@ -0,0 +1,115 @@
% DO NOT COMPILE THIS FILE DIRECTLY!
% This is included by the other .tex files.
\begin{frame}[t,plain]
\titlepage
\end{frame}
\begin{frame}
\frametitle{MISP \& STIX so far}
\begin{itemize}
\item{\bf Built-in integration}
\item Export \& Import features
\begin{itemize}
\item Export MISP Events collections
\item Import STIX files
\end{itemize}
\item Supported version
\begin{itemize}
\item STIX 1.1.1
\item STIX 2.0
\end{itemize}
\item Accessible via restSearch
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Limitations}
\begin{itemize}
\item Feature limitations
\begin{itemize}
\item Supported versions
\item Data type support
\end{itemize}
\item []
\item Practical limitations
\begin{itemize}
\item Export and import features only available via MISP rest client
\item {\bf Github}: STIX issues lost within the MISP core issues
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Handling the conversion with a python library}
\begin{itemize}
\item Revamp of the source code
\item Enable a standalone use of the python code
\begin{itemize}
\item MISP JSON format -> STIX
\item Pass files with MISP JSON format -> get file with the export results in STIX
\end{itemize}
\item []
\item Possible integration within python code
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{New features}
\begin{itemize}
\item Choose the STIX version
\begin{itemize}
\item {\bf STIX 2.1 Support}
\end{itemize}
\item []
\item {\bf Mapping documentation}
\item []
\item Better exceptions handling
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{How to report bugs/issues}
\begin{itemize}
\item Github issues
\begin{itemize}
\item {\bf https://github.com/MISP/misp-stix/issues}
\item https://github.com/MISP/MISP/issues
\end{itemize}
\item []
\item Please provide details
\begin{itemize}
\item How did the issue happen
\item {\bf Recommandation}: provide samples
\end{itemize}
\item[]
\item Any feedback welcome
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Next improvements}
\begin{itemize}
\item {\bf Implement the import feature}
\item Extend the export feature to any kind of data collection
\item Support of existing STIX objects libraries\footnote{https://github.com/mitre/cti}
\item []
\item Support custom STIX format\footnote{Especially while importing STIX data, {\bf and as long as we can implement support of well defined versions}}
\item More tests to avoid edge case issues
\item []
\item Package on PyPI
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{To get in touch with us}
\begin{itemize}
\item \url{https://github.com/MISP/misp-stix}
\item \url{https://github.com/MISP/misp-stix/tree/main/documentation}
\item []
\item \url{https://github.com/MISP}
\item \url{https://www.misp-project.org/}
\item \url{https://twitter.com/MISPProject}
\item \url{https://twitter.com/chrisred_68}
\end{itemize}
\end{frame}

BIN
misp-summit/2021/misp-stix/misp.pdf Normal file
View File

Binary file not shown.

26
misp-summit/2021/misp-stix/slide.aux Normal file
View File

@ -0,0 +1,26 @@
\relax
\providecommand\hyper@newdestlabel[2]{}
\providecommand\BKM@entry[2]{}
\providecommand\HyperFirstAtBeginDocument{\AtBeginDocument}
\HyperFirstAtBeginDocument{\ifx\hyper@anchor\@undefined
\global\let\oldcontentsline\contentsline
\gdef\contentsline#1#2#3#4{\oldcontentsline{#1}{#2}{#3}}
\global\let\oldnewlabel\newlabel
\gdef\newlabel#1#2{\newlabelxx{#1}#2}
\gdef\newlabelxx#1#2#3#4#5#6{\oldnewlabel{#1}{{#2}{#3}}}
\AtEndDocument{\ifx\hyper@anchor\@undefined
\let\contentsline\oldcontentsline
\let\newlabel\oldnewlabel
\fi}
\fi}
\global\let\hyper@last\relax
\gdef\HyperFirstAtBeginDocument#1{#1}
\providecommand\HyField@AuxAddToFields[1]{}
\providecommand\HyField@AuxAddToCoFields[2]{}
\@input{content.aux}
\pgfsyspdfmark {pgfid1}{1398509}{16636717}
\@writefile{nav}{\headcommand {\beamer@partpages {1}{8}}}
\@writefile{nav}{\headcommand {\beamer@subsectionpages {1}{8}}}
\@writefile{nav}{\headcommand {\beamer@sectionpages {1}{8}}}
\@writefile{nav}{\headcommand {\beamer@documentpages {8}}}
\@writefile{nav}{\headcommand {\gdef \inserttotalframenumber {7}}}

1342
misp-summit/2021/misp-stix/slide.log Normal file
View File

File diff suppressed because it is too large Load Diff

21
misp-summit/2021/misp-stix/slide.nav Normal file
View File

@ -0,0 +1,21 @@
\headcommand {\slideentry {0}{0}{1}{1/1}{}{0}}
\headcommand {\beamer@framepages {1}{1}}
\headcommand {\slideentry {0}{0}{2}{2/2}{}{0}}
\headcommand {\beamer@framepages {2}{2}}
\headcommand {\slideentry {0}{0}{3}{3/3}{}{0}}
\headcommand {\beamer@framepages {3}{3}}
\headcommand {\slideentry {0}{0}{4}{4/4}{}{0}}
\headcommand {\beamer@framepages {4}{4}}
\headcommand {\slideentry {0}{0}{5}{5/5}{}{0}}
\headcommand {\beamer@framepages {5}{5}}
\headcommand {\slideentry {0}{0}{6}{6/6}{}{0}}
\headcommand {\beamer@framepages {6}{6}}
\headcommand {\slideentry {0}{0}{7}{7/7}{}{0}}
\headcommand {\beamer@framepages {7}{7}}
\headcommand {\slideentry {0}{0}{8}{8/8}{}{0}}
\headcommand {\beamer@framepages {8}{8}}
\headcommand {\beamer@partpages {1}{8}}
\headcommand {\beamer@subsectionpages {1}{8}}
\headcommand {\beamer@sectionpages {1}{8}}
\headcommand {\beamer@documentpages {8}}
\headcommand {\gdef \inserttotalframenumber {7}}

BIN
misp-summit/2021/misp-stix/slide.pdf Normal file
View File

Binary file not shown.

0
misp-summit/2021/misp-stix/slide.snm Normal file
View File

24
misp-summit/2021/misp-stix/slide.tex Normal file
View File

@ -0,0 +1,24 @@
\documentclass{beamer}
\usetheme[numbering=progressbar]{focus}
\definecolor{main}{RGB}{47, 161, 219}
\definecolor{textcolor}{RGB}{128, 128, 128}
\definecolor{background}{RGB}{240, 247, 255}
\usepackage[utf8]{inputenc}
\usepackage{tikz}
\usepackage{listings}
\usetikzlibrary{positioning}
\usetikzlibrary{shapes,arrows}
\title{MISP-STIX Project}
\subtitle{Python library to convert MISP <-> STIX}
\author{MISP core team}
\date{MISP Summit 0x06 - 21st October 2021}
\titlegraphic{\includegraphics[scale=0.55]{misp.pdf}}
\institute{MISP Project \\ \url{https://www.misp-project.org/}}
\begin{document}
\include{content}
\end{document}

0
misp-summit/2021/misp-stix/slide.toc Normal file
View File