chg: [cheatsheets] Usage of hyperref for misp elements

pull/13/head
mokaddem 2021-05-19 16:04:36 +02:00
parent dd526a4a1d
commit 65f3b34cc4
5 changed files with 47 additions and 39 deletions

View File

@ -9,7 +9,7 @@
\boxentry{Caching}{Is the process of \textit{fetching} data from a MISP instance or feed but only storing hashes of the collected values for correlations and look-ups purposes.}
\boxentry{Delegation}{Is the act of transfering the ownership of an \event to another organisation and removing any associations with the original creator.}
\boxentry{Deletion (hard/soft)}{\textit{Hard deletion} is the act of removing the element from the database. It will thus do not perform revocation on other MISP instances. \textit{Soft deletion} is the act flagging an element as deleted and thus propagating the revocation among the network of connected MISP instances.}
\boxentry{Extended \event}{Is an \event that extends an existing \event, providing a combined view of the data contained in both \events. The owner of the extending \event is the organisation that created the extension, this allows anyone to extend any \events and have control over them.}
\boxentry{Extended Event}{Is an \event that extends an existing \event, providing a combined view of the data contained in both \events. The owner of the extending \event is the organisation that created the extension, this allows anyone to extend any \events and have control over them.}
\boxentry{\galaxy Matrix}{Is a matrix derived from \clusters belonging to the same \galaxy. The layout (pages and columns) is defined at the \galaxy level and its content comes from the \clusters meta-data themselves.}
\boxentry{Indicators}{contain a pattern that can be used to detect suspicious or malicious cyber activity. They are generally \attributes having their \texttt{to\_ids} flag set.}
\boxentry{Orgc / Org}{\textit{Creator Organisation} (\textbf{Orgc}) is the organisation that created the data and the one allowed to modify it. \textit{Owner Organisation} (\textbf{Org}) is the organisation owning the data on a given instance and is allowed to view it regardless of the distribution level.}
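Review bot: The title of the "Extended Event" entry drops the \event macro in favour of plain text, but the "\galaxy Matrix" title a few lines below still uses the macro, which after this commit expands to a hyperlink plus a trailing space inside the box title; for consistency either switch that title to plain "Galaxy Matrix" as well, or keep the macro in both. While touching this file, the context lines carry two typos worth fixing in passing: "transfering" (Delegation entry) and "It will thus do not perform revocation" (Deletion entry).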
@ -37,7 +37,7 @@
\boxentry{All Communities}{Anyone having access: Will be freely propagated in the network of connected MISP instances.}
\vspace*{-0.7em}
\begin{center}\distrigraph{3}\end{center}
\boxentry{Sharing Groups}{Organisations being part of the distribution list that exhaustively keeps track of who can access the data and how it should be synchronised.}
\boxentry{\linkdest{sharinggroup}Sharing Groups}{Organisations being part of the distribution list that exhaustively keeps track of who can access the data and how it should be synchronised.}
\begin{multicols*}{2}
\begin{center}
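Review bot: Placing \linkdest{sharinggroup} inside the first argument of \boxentry means the \hypertarget is emitted wherever that argument is typeset; if \boxentry measures or typesets its title more than once (common when the title goes into a TikZ node or a box that is re-used), pdfTeX will warn about a duplicate destination named "sharinggroup". Worth checking the compile log once; if the warning appears, move the \linkdest just before the \boxentry call instead.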

View File

@ -18,7 +18,7 @@
[Encode incidents, events, reports, …]
[\taggable \distributable \synchronisable]
[Encapsulations for contextually linked information.]
{Event}
{\linkdest{event}Event}
{
$\blacktriangleright$ \events can contain other elements such as \attributes, \objects and \eventreports.\\
$\blacktriangleright$ The distribution level and any context added on an \event (such as \taxonomies) are propagated to its underlying data.
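Review bot: The anchor for the Event box is created inside what looks like a node-content argument of the element environment; please verify in the built PDF that clicking an \event link actually scrolls to this box rather than to the top of the enclosing picture, since destinations set inside boxed material can be positioned at the box origin. The same check covers the other \linkdest insertions in this file (attribute, object, reference, sighting, eventreport, proposal, taxonomy, galaxy, cluster).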
@ -30,7 +30,7 @@
[Domain, IP, link, sha1, attachment, …]
[\taggable \distributable \synchronisable]
[Basic building block to share information.]
{Attribute}
{\linkdest{attribute}Attribute}
{
$\blacktriangleright$ \attributes cannot be duplicated inside the same \event and can have \sightings.\\
$\blacktriangleright$ The difference between an IoC or supporting data is usualy indicated by the state of the attribute's \texttt{to\_ids} flag.
@ -42,7 +42,7 @@
[File, person, credit-card, x509, device, …]
[\distributable \synchronisable]
[Advanced building block providing \attribute compositions via templates.]
{MISP Object}
{\linkdest{object}MISP Object}
{
$\blacktriangleright$ \objects have their attribute compositions described in their respective template. They are instanciated with \attributes and can reference \reference other \attributes or \objects.\\
$\blacktriangleright$ MISP is not required to know the template to save and display the object. However, \textit{edits} will not be possible as the template to validate against is not known.
@ -55,7 +55,7 @@
[Represent behaviours, similarities, affiliation, …]
[\synchronisable]
[Relationships between individual building blocks.]
{Object Reference}
{\linkdest{reference}Object Reference}
{
$\blacktriangleright$ \references can have a textual relationship which can come from MISP or be set freely.
}
@ -66,7 +66,7 @@
[Record activity or occurence, perform IoC expiration, …]
[\synchronisable]
[Means to convey that a data point has been seen.]
{Sightings}
{\linkdest{sighting}Sightings}
{
$\blacktriangleright$ \sightings are the best way to express that something has been seen. They can also be used to mark \textit{false positives}.
}
@ -77,7 +77,7 @@
[Encode reports, provide more information about the \event, …]
[\distributable \synchronisable]
[Advanced building block that can contain text.]
{Event Report}
{\linkdest{eventreport}Event Report}
{
$\blacktriangleright$ \eventreports are markdown-aware and includes a special syntax to reference data points or context.
}
@ -88,7 +88,7 @@
[Disable the IDS flag, Correct errors]
[\synchronisable]
[Clone of an \attribute containing information about modification to be done.]
{Proposals}
{\linkdest{proposal}Proposals}
{
$\blacktriangleright$ As \proposals are sync., if the creator organisation is connected to the MISP instance from where the \proposal has been created, it will be able to either \textit{accept} or \textit{discard} it.
}
@ -100,7 +100,7 @@
[TLP, Confidence, Source, Workflows, Event type, …]
[]
[Machine and human-readable labels standardised on a common set of vocabularies.]
{Taxonomies}
{\linkdest{taxonomy}Taxonomies}
{
$\blacktriangleright$ Even though MISP allows the creation of free-text tags, it's always preferable to use those coming from \taxonomies if they exists.
}
@ -111,7 +111,7 @@
[Exploit-Kit, Preventive Measure, MITRE ATT\&CK, Tools, Threat-actors, …]
[]
[Act as a container to group together context described by \clusters by their type.]
{Galaxies}
{\linkdest{galaxy}Galaxies}
{}
% Galaxy Clusters
@ -120,7 +120,7 @@
[\texttt{threat-actor="APT 29"}, \texttt{country="germany"}, \texttt{mitre-attack-pattern="Disk Wipe - T1561"}]
[\distributable \synchronisable]
[Kownledge base items used as tags with additional complex meta-data aimed for human consumption.]
{Galaxies Clusters}
{\linkdest{cluster}Galaxies Clusters}
{
$\blacktriangleright$ \clusters can be seen as an enhanced \taxonomy as they can have meta-data and relationships with other \clusters.\\
$\blacktriangleright$ Any \clusters can contain the following:

View File

@ -48,6 +48,7 @@ POST /attributes/restSearch
\begin{minipage}{0.46\textwidth}
\lstset{style=js}
\begin{lstlisting}
POST /attributes/restSearch
{
"galaxy.synonyms": "APT29",
"galaxy.cfr-target-category": "Financial sector"
@ -60,7 +61,7 @@ POST /attributes/restSearch
\begin{minipage}{0.46\textwidth}
\lstset{style=js}
\begin{lstlisting}
/tags/attachTagToObject
POST /tags/attachTagToObject
{
"uuid": "[Could be UUID from Event, Attribute, ...]",
"tag": "tlp:amber"
@ -97,8 +98,8 @@ POST /attributes/restSearch
\begin{itemize}[noitemsep,topsep=2pt,parsep=0pt,partopsep=0pt]
\item Usecase: Get events modified in the last $t$
\end{itemize}
\item Usage
\begin{itemize}[noitemsep,topsep=2pt,parsep=0pt,partopsep=0pt]
\item Usage:
\begin{itemize}[noitemsep,topsep=0pt,parsep=0pt,partopsep=0pt]
\item[] \usebox\codeboxD
\end{itemize}
\end{description}

View File

@ -4,6 +4,12 @@
\usepackage[landscape]{geometry}
\usepackage{xifthen}
\usepackage{url}
\usepackage{hyperref}
\usepackage{xcolor}
\hypersetup{
colorlinks=true,
linkcolor=black
}
\usepackage{tikz}
\usetikzlibrary{positioning,fit,calc,backgrounds}
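Review bot: hyperref is loaded before tikz and xcolor here; the usual recommendation is to load hyperref after most other packages, so it would be safer to move the \usepackage{hyperref} and \hypersetup{...} block below the \usetikzlibrary line. Also, with colorlinks=true and linkcolor=black the new cross-links are visually indistinguishable from surrounding text, which is fine for a printed cheatsheet but should probably be stated in a comment so nobody later "fixes" the missing link colour.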
@ -69,7 +75,7 @@
language=json, % the language of the code
% keywordstyle=\bfseries,
% morekeywords={GET,POST,PUT,DELETE,... }, % if you want to add more keywords to the set
numbers=left, % where to put the line-numbers; possible values are (none, left, right)
numbers=none, % where to put the line-numbers; possible values are (none, left, right)
numbersep=5pt, % how far the line-numbers are from the code
numberstyle=\tiny\color{black}, % the style that is used for the line-numbers
rulecolor=\color{black}, % if not set, the frame-color may be changed on line-breaks within not-black text (e.g. comments (green here))
@ -86,6 +92,7 @@
\date{\today}
\makeatletter
\newcommand{\linkdest}[1]{\Hy@raisedlink{\hypertarget{#1}{}}}
\let\theauthor\@author
\let\thedate\@date
\makeatother
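Review bot: \linkdest relies on \Hy@raisedlink, an undocumented internal of hyperref (hence the \makeatletter), so a future hyperref release could silently break every anchor in the cheatsheet. A comment noting why the internal is used (to raise the destination to the line's top so the viewer does not cut off the title) would help; alternatively the same effect can be had with the documented \raisebox{\ht\strutbox}{\hypertarget{#1}{}} without touching internals.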

View File

@ -3,28 +3,28 @@
%
\newcommand{\hr}{\centerline{\rule{3.5in}{1pt}}}
\newcommand{\misp}{\includegraphics[scale=0.2]{misp.pdf}\hspace*{0.5em}}
\newcommand{\events}{\texttt{Events }}
\newcommand{\event}{\texttt{Event }}
\newcommand{\attributes}{\texttt{Attributes }}
\newcommand{\attribute}{\texttt{Attribute }}
\newcommand{\objects}{\texttt{MISP Objects }}
\newcommand{\object}{\texttt{MISP Object }}
\newcommand{\reference}{\texttt{Reference }}
\newcommand{\references}{\texttt{References }}
\newcommand{\proposals}{\texttt{Proposals }}
\newcommand{\proposal}{\texttt{Proposal }}
\newcommand{\eventreports}{\texttt{Event Reports }}
\newcommand{\eventreport}{\texttt{Event Report }}
\newcommand{\sightings}{\texttt{Sightings }}
\newcommand{\sighting}{\texttt{Sighting }}
\newcommand{\events}{\hyperlink{event}{\texttt{Events}} }
\newcommand{\event}{\hyperlink{event}{\texttt{Event}} }
\newcommand{\attributes}{\hyperlink{attribute}{\texttt{Attributes}} }
\newcommand{\attribute}{\hyperlink{attribute}{\texttt{Attribute}} }
\newcommand{\objects}{\hyperlink{object}{\texttt{MISP Objects}} }
\newcommand{\object}{\hyperlink{object}{\texttt{MISP Object}} }
\newcommand{\reference}{\hyperlink{reference}{\texttt{Reference}} }
\newcommand{\references}{\hyperlink{reference}{\texttt{References}} }
\newcommand{\proposals}{\hyperlink{proposal}{\texttt{Proposals}} }
\newcommand{\proposal}{\hyperlink{proposal}{\texttt{Proposal}} }
\newcommand{\eventreports}{\hyperlink{eventreport}{\texttt{Event Reports}} }
\newcommand{\eventreport}{\hyperlink{eventreport}{\texttt{Event Report}} }
\newcommand{\sightings}{\hyperlink{sighting}{\texttt{Sightings}} }
\newcommand{\sighting}{\hyperlink{sighting}{\texttt{Sighting}} }
\newcommand{\taxonomies}{\texttt{Taxonomies }}
\newcommand{\taxonomy}{\texttt{Taxonomy }}
\newcommand{\galaxy}{\texttt{Galaxy }}
\newcommand{\galaxies}{\texttt{Galaxies }}
\newcommand{\clusters}{\texttt{Galaxy Clusters }}
\newcommand{\cluster}{\texttt{Galaxy Cluster }}
\newcommand{\sharinggroups}{\texttt{Sharing Groups }}
\newcommand{\sharinggroup}{\texttt{Sharing Group }}
\newcommand{\galaxy}{\hyperlink{galaxy}{\texttt{Galaxy}} }
\newcommand{\galaxies}{\hyperlink{galaxy}{\texttt{Galaxies}} }
\newcommand{\clusters}{\hyperlink{cluster}{\texttt{Galaxy Clusters}} }
\newcommand{\cluster}{\hyperlink{cluster}{\texttt{Galaxy Cluster}} }
\newcommand{\sharinggroups}{\hyperlink{sharinggroup}{\texttt{Sharing Groups}} }
\newcommand{\sharinggroup}{\hyperlink{sharinggroup}{\texttt{Sharing Group}} }
\newcommand{\taggable}{\faicon{tags}\hspace*{0.3em}}
\newcommand{\distributable}{\faicon{eye-slash}\hspace*{0.3em}}
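Review bot: \taxonomies and \taxonomy are the only element macros not converted to \hyperlink, yet the description file adds \linkdest{taxonomy} in the same commit, so that target is never referenced; either convert these two macros like the others, e.g. `\newcommand{\taxonomy}{\hyperlink{taxonomy}{\texttt{Taxonomy}} }`, or drop the unused \linkdest. Separately, every macro keeps a literal trailing space inside its body, so "\events." still renders as "Events ." exactly as before; using \xspace (`\newcommand{\event}{\hyperlink{event}{\texttt{Event}}\xspace}`) would remove the stray space before punctuation.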
@ -38,7 +38,7 @@
fill=white,
very thick,
rectangle, rounded corners,
inner sep=10pt, inner ysep=10pt
inner sep=10pt
]
\tikzstyle{boxtitle} = [
% fill=black,
@ -49,8 +49,8 @@
% right=10pt
draw=black,
line width=1pt,
text=black,
fill=gray!70,
text=white,
fill=black!80,
font=\bfseries,
rectangle, rounded corners=2pt,
inner sep=4pt,
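Review bot: Since these style blocks are being edited anyway, consider replacing the deprecated \tikzstyle{boxtitle} = [...] form (visible at the top of the previous hunk) with \tikzset{boxtitle/.style={...}}, which is the form current TikZ documents; the colour change to text=white on fill=black!80 is otherwise a clear readability improvement.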