From 6cab68944318e7496972efd742a9f1c9a757af53 Mon Sep 17 00:00:00 2001 From: Ben Date: Mon, 7 Feb 2022 00:25:12 +0800 Subject: [PATCH] Completed the subtitles for MISP General Usage Training Part 1 of 2 --- ...P General Usage Training - Part 1 of 2.srt | 13839 ++++------------ 1 file changed, 2952 insertions(+), 10887 deletions(-) diff --git a/x.15-subtitles/MISP General Usage Training - Part 1 of 2.srt b/x.15-subtitles/MISP General Usage Training - Part 1 of 2.srt index f6efa11..e886bc5 100644 --- a/x.15-subtitles/MISP General Usage Training - Part 1 of 2.srt +++ b/x.15-subtitles/MISP General Usage Training - Part 1 of 2.srt @@ -40,7 +40,7 @@ we go 11 00:00:20,800 --> 00:00:23,839 -more deeper tomorrow in that second +more deeper tomorrow in that second 12 00:00:22,800 --> 00:00:26,160 @@ -48,7 +48,7 @@ workshop 13 00:00:23,839 --> 00:00:27,359 -um i'm alexander noah i do work for +um i'm alexander noah I do work for 14 00:00:26,160 --> 00:00:30,640 @@ -128,7 +128,7 @@ hands-on that we will 33 00:01:07,680 --> 00:01:12,240 -we do as i just mentioned we have a +we do as I just mentioned we have a 34 00:01:10,79 --> 00:01:14,158 @@ -212,7 +212,7 @@ also working at CIRCL working on MISP 55 00:01:53,519 --> 00:01:57,280 -um to just kick things off um i think +um to just kick things off um I think 56 00:01:56,799 --> 00:01:58,719 @@ -449,7 +449,7 @@ we are doing 116 00:03:51,919 --> 00:03:56,79 -MISP it uh i think like Andras +MISP it uh I think like Andras 117 00:03:53,840 --> 00:03:56,640 @@ -693,7 +693,7 @@ about that later on 176 00:05:51,439 --> 00:05:55,600 -so the main question and i think it's +so the main question and I think it's 177 00:05:54,160 --> 00:05:58,80 @@ -1000,7 +1000,7 @@ requests on the project and providing code 256 00:08:20,720 --> 00:08:23,759 -for the project so i said before +for the project so I said before 257 00:08:22,639 --> 00:08:26,160 
@@ -1738,7 +1738,7 @@ out of the collected data as long as 460 00:14:33,120 --> 00:14:36,720 -data is well contextualized and i think +data is well contextualized and I think 461 00:14:35,120 --> 00:14:38,78 @@ -1775,7 +1775,7 @@ communities using MISP 470 00:14:56,240 --> 00:15:02,159 -and over the time it became i think more +and over the time it became I think more 471 00:15:00,0 --> 00:15:03,759 @@ -1850,7 +1850,7 @@ and we get that feedback from {inaudible} 491 00:15:38,720 --> 00:15:42,879 -one of the {inaudible} one i would say is +one of the {inaudible} one I would say is 492 00:15:40,639 --> 00:15:44,480 @@ -1862,7 +1862,7 @@ the different issue that we receive from 494 00:15:44,480 --> 00:15:48,639 -Github i mean on the if you look at on +Github I mean on the if you look at on 495 00:15:46,399 --> 00:15:50,320 @@ -1906,7 +1906,7 @@ directly during the training and for us 507 00:16:09,39 --> 00:16:12,958 -uh i think really practical and we can +uh I think really practical and we can 508 00:16:10,879 --> 00:16:15,39 @@ -2834,7 +2834,7 @@ information and so on or analysis 790 00:24:57,519 --> 00:25:01,519 -One of the i would say pretty large community too is +One of the I would say pretty large community too is 791 00:24:59,278 --> 00:25:04,960 @@ -3098,7 +3098,7 @@ information with the community 881 00:27:47,679 --> 00:27:52,0 1667.679 --> 1672 -so i really encourage everyone that +so I really encourage everyone that 882 00:27:49,919 --> 00:27:53,360 @@ -3212,7 +3212,7 @@ familiar with the process and why this 920 00:29:00,640 --> 00:29:02,80 -is {inaudiable done/tied} +is {inaudible done/tied} 921 00:29:01,359 --> 00:29:05,759 @@ -3711,7 +3711,7 @@ materials are available online 1096 00:34:30,559 --> 00:34:33,599 -like {inaduiable} mentioned we have a Github +like {inaudible} mentioned we have a Github 1097 00:34:32,320 --> 00:34:35,599 
@@ -3811,7 +3811,7 @@ programmatic aspect, API 1130 00:35:37,599 --> 00:35:41,200 -how to integrate with MISP {inaduiable JSON/taxono}, +how to integrate with MISP {inaudible JSON/taxono}, 1131 00:35:40,320 --> 00:35:43,39 @@ -3827,7 +3827,7 @@ so it's really a good reference 1134 00:35:44,800 --> 00:35:48,560 -and thanks to {inaduiable} to share this +and thanks to {inaudible} to share this 1135 00:35:46,800 --> 00:35:50,800 @@ -3851,7 +3851,7 @@ one is obviously the open software itself 1143 00:36:03,199 --> 00:36:08,78 -so the initial version in {inaduaible} it was +so the initial version in {inaudible} it was 1144 00:36:06,239 --> 00:36:10,239 @@ -3936,7 +3936,7 @@ so MISP has a large REST api this one can be quite large but 1173 00:37:05,199 --> 00:37:11,679 -by MISP is really helping you to for example {inaduiable jest/Get} events +by MISP is really helping you to for example {inaudible jest/Get} events 1174 00:37:09,599 --> 00:37:13,200 @@ -3997,7 +3997,7 @@ within MISP then we have different 1191 00:37:40,400 --> 00:37:43,358 -repository i will just mention one which is +repository I will just mention one which is 1193 00:37:43,358 --> 00:37:46,559 @@ -4013,7 +4013,7 @@ so we have a kind of way to have kind of a real-time feed 1198 00:37:54,159 --> 00:37:58,799 -in MISP you can {inaudiable} and +in MISP you can {inaudible} and 1199 00:37:56,400 --> 00:38:00,639 @@ -4073,7 +4073,7 @@ sometimes in some organizations to use a 1218 00:38:29,199 --> 00:38:33,519 -{inaudiable proper/corporate} classification and so on +{inaudible proper/corporate} classification and so on 1219 00:38:31,280 --> 00:38:35,40 @@ -4121,7 +4121,7 @@ in advance we prepare all those taxonomies in 1233 00:38:55,838 --> 00:38:59,599 -possible information {inaudiable} expose MISP +possible information {inaudible} expose MISP 1234 00:38:58,159 --> 00:39:02,399 
@@ -4149,7 +4149,7 @@ really useful label and you can just 1241 00:39:12,400 --> 00:39:15,39 -{inaudiable share/pick} the one that you want and we maintain those one +{inaudible share/pick} the one that you want and we maintain those one 1243 00:39:15,39 --> 00:39:18,880 @@ -4261,7 +4261,7 @@ we manage those kind of knowledge base 1280 00:40:23,39 --> 00:40:27,759 -for intelligent {inaudiable} organization +for intelligent {inaudible} organization 1281 00:40:26,79 --> 00:40:29,200 @@ -4346,7 +4346,7 @@ and we do that automatically and we 1313 00:41:27,119 --> 00:41:30,800 -maintain those libraries because one {inaudiable MISP/reason} they're automatically updated regularly +maintain those libraries because one {inaudible MISP/reason} they're automatically updated regularly 1315 00:41:30,800 --> 00:41:34,79 @@ -4372,15 +4372,15 @@ and again it's up to the user to select 1325 00:41:48,0 --> 00:41:53,39 2508 --> 2511.04 -one {inaudiable} warning list or to enable everything depending on the different use case +one {inaudible} warning list or to enable everything depending on the different use case 1328 00:41:52,800 --> 00:41:55,920 -so that's one of those {inaudiable} pillar +so that's one of those {inaudible} pillar 1329 00:41:54,480 --> 00:41:57,519 -knowledge base i mean a lot of +knowledge base I mean a lot of 1330 00:41:55,920 --> 00:41:57,519 @@ -4499,7 +4499,7 @@ and Andras just mentioned the question of the 1380 00:43:31,358 --> 00:43:35,679 -legal aspect and i think maybe some of +legal aspect and I think maybe some of 1381 00:43:33,599 --> 00:43:38,640 @@ -4864,7 +4864,7 @@ how do you summarize it about, for example in easy way you have to see really 1580 00:50:26,318 --> 00:50:29,838 -MISP {inaudiable environment/development} as an envelope and then you +MISP {inaudible environment/development} as an envelope and then you 1581 00:50:28,79 --> 00:50:32,318 
@@ -4917,7 +4917,7 @@ if information can be used automatically for detection 1610 00:51:23,599 --> 00:51:29,960 -and that's i think one of the most important aspects when we talk about attribute in MISP +and that's I think one of the most important aspects when we talk about attribute in MISP 1613 00:51:28,880 --> 00:51:34,119 @@ -4937,7 +4937,7 @@ if you plan for example to use the data into a protective systems and so on 1624 00:51:48,39 --> 00:51:54,79 -the IDS flags need to be set so the thing is if i take an example +the IDS flags need to be set so the thing is if I take an example 1626 00:51:54,79 --> 00:51:56,480 @@ -4987,7 +4987,7 @@ In MISP, what we try to do too instead of having just indicators 1657 00:52:52,239 --> 00:52:57,280 -it's very common and i think many of you know about it you might see for example +it's very common and I think many of you know about it you might see for example 1660 00:52:57,280 --> 00:53:01,599 @@ -5015,7 +5015,7 @@ we have plenty of way of seeing those kind of MD5 so we try in MISP to have what 1673 00:53:25,759 --> 00:53:30,318 -kind of i would not say {inaudiable keep shine/kill shine} but at least contextualization a category that +kind of I would not say {inaudible keep shine/kill shine} but at least contextualization a category that 1675 00:53:30,318 --> 00:53:35,279 @@ -5112,7 +5112,7 @@ And that's again what we think that's really important is the contextualization 1738 00:55:45,280 --> 00:55:50,480 -So i mentioned we have the galaxies in MISP and we have plenty of representation +So I mentioned we have the galaxies in MISP and we have plenty of representation 1741 00:55:50,318 --> 00:55:55,838 
@@ -5120,11 +5120,11 @@ threat actors and so on and obviously one that is quite important is the MITRE A 1744 00:55:54,719 --> 00:55:57,759 -so MITRE Attack is {inaduiable stored/performed} as a galaxy +so MITRE Attack is {inaudible stored/performed} as a galaxy 1746 00:55:57,760 --> 00:56:01,520 -and we have this flexible {inaduiable mosaic/table} in MISP that you can represent those kind of +and we have this flexible {inaudible mosaic/table} in MISP that you can represent those kind of 748 00:56:01,519 --> 00:56:07,39 @@ -5153,7 +5153,7 @@ it's a separated galaxy, you can even create a custom one directly in the system 1768 00:56:39,440 --> 00:56:46,519 -and then you can filter out your data and so on and that's exactly the thing why we are i would say +and then you can filter out your data and so on and that's exactly the thing why we are I would say 1771 00:56:46,880 --> 00:56:51,480 @@ -5177,7 +5177,7 @@ detect this kind of attacks or things like that so it's really actively using th 1786 00:57:12,239 --> 00:57:15,759 -to show something meaningful with it and i think Attack is one of the way +to show something meaningful with it and I think Attack is one of the way 1788 00:57:15,760 --> 00:57:19,119 @@ -5241,7 +5241,7 @@ so it is incredibly useful for an analyst that is trying to make sense of the da 1828 00:58:27,480 --> 00:58:36,0 -Also, as for the sharing itself i mean one of the main goals with MISP is obviously to share information, +Also, as for the sharing itself I mean one of the main goals with MISP is obviously to share information, 1831 00:58:36,0 --> 00:58:43,280 @@ -5405,7 +5405,7 @@ so if you receive an event from a third party you can say 1931 01:01:42,0 --> 01:01:44,400 -oh i can improve it and {inaudiable listen/discern} this way +oh I can improve it and {inaudible listen/discern} this way 1932 01:01:44,400 --> 01:01:46,8 
@@ -5545,7 +5545,7 @@ so very often what we're doing and especially 1998 01:03:53,639 --> 01:03:57,0 -if you were ever signing up for the COVID instance that i mentioned before +if you were ever signing up for the COVID instance that I mentioned before 2000 01:03:57,0 --> 01:04:00,559 @@ -5690,7 +5690,7 @@ By the way, I would just give the mic to Josh that will explain a bit more about 2074 01:06:09,358 --> 01:06:16,0 -the question and answer in zoom, to have directly the ability to answer the question answering the Zoom {inaudiable} +the question and answer in zoom, to have directly the ability to answer the question answering the Zoom {inaudible} 2077 01:06:18,400 --> 01:06:20,639 @@ -6095,7 +6095,7 @@ i would just following the standards what is following the best practices in the 2297 01:13:19,560 --> 01:13:22,640 -is to compare with the {inaudiable} feed +is to compare with the {inaudible} feed 2300 01:13:22,640 --> 01:13:25,198 @@ -6115,7 +6115,7 @@ are those objects linked together by using the relationship to it, 2306 01:13:35,0 --> 01:13:40,199 -are you using galaxies, are those galaxies at the event level, {inaudiable} level, +are you using galaxies, are those galaxies at the event level, {inaudible} level, 2308 01:13:40,198 --> 01:13:46,0 @@ -6123,7 +6123,7 @@ do you have tags, labels on specific objects or specific attributes and so on 2311 01:13:46,0 --> 01:13:52,960 -that's different parameters and i think the question from {inaudiable} is pretty good. +that's different parameters and I think the question from {inaudible} is pretty good. 2315 01:13:52,960 --> 01:14:00,39 @@ -6147,7 +6147,7 @@ there is even a model for sharing such kind of information. 2326 01:14:16,0 --> 01:14:19,0 -So another thing that is i think quite useful and +So another thing that is I think quite useful and 2329 01:14:19,0 --> 01:14:23,520 
@@ -6163,7 +6163,7 @@ I mean a lot of tools in the security field exist but they don't do automatic co 2334 01:14:32,800 --> 01:14:35,679 -For example, at the {inaudiable} we are using ticketing system +For example, at the {inaudible} we are using ticketing system 2337 01:14:37,119 --> 01:14:39,0 @@ -6207,7 +6207,7 @@ but you can really spot interesting things there. 2357 01:15:16,0 --> 01:15:19,679 -For example, you see that the third {inaudiable bone/bin} in Germany share indicators, +For example, you see that the third {inaudible bone/bin} in Germany share indicators, 2360 01:15:19,679 --> 01:15:24,0 @@ -6419,11 +6419,11 @@ and we will do a quick demo later regarding that. 2489 01:19:32,238 --> 01:19:37,0 -It's a timeline, i mean when we do analysis and so on, +It's a timeline, I mean when we do analysis and so on, 2490 01:19:37,0 --> 01:19:40,0 -it's really i would say common to have a first seen, last seen +it's really I would say common to have a first seen, last seen 2492 01:19:40,0 --> 01:19:42,159 @@ -6563,7 +6563,7 @@ It's very common, for example, to have models for intrusion detection systems 2571 01:22:09,679 --> 01:22:16,719 -and specific models for i don't know, endpoint, {inaudiable} or endpoint protection device +and specific models for I don't know, endpoint, {inaudible} or endpoint protection device 2574 01:22:16,719 --> 01:22:20,639 @@ -6715,7 +6715,7 @@ You're muted alex. 2657 01:25:08,0 --> 01:25:09,500 -Yeah just discover {inaudiable this/MISP}. +Yeah just discover {inaudible this/MISP}. 2658 01:25:09,500 --> 01:25:12,0 @@ -6739,7 +6739,7 @@ and it's key and based on that we wanted something that works for others too 2667 01:25:28,880 --> 01:25:33,679 -and i mean the tool is evolving over time so you see that we have plenty of functionalities +and I mean the tool is evolving over time so you see that we have plenty of functionalities 2670 01:25:33,679 --> 01:25:37,79 
@@ -6823,7 +6823,7 @@ you can just play with MISP modules and we will quickly show you some examples o 2716 01:26:58,800 --> 01:27:02,80 -but that's really simple i mean there's no {inaudiable} +but that's really simple I mean there's no {inaudible} 2719 01:27:02,80 --> 01:27:10,239 @@ -6855,7 +6855,7 @@ We have, I think more than 500 contributors on the MISP project with even more n 2738 01:27:41,500 --> 01:27:45,500 -So if you want to become one of the contributors it's really straightforward i mean +So if you want to become one of the contributors it's really straightforward I mean 2739 01:27:45,500 --> 01:27:48,800 @@ -6879,7 +6879,7 @@ is to have a kind of tool that is supporting the different use cases 2749 01:28:02,0 --> 01:28:06,238 -Okay so before that, we do a break i will share you with you +Okay so before that, we do a break I will share you with you 2750 01:28:06,238 --> 01:28:12,759 @@ -6904,11 +6904,11 @@ So first of all, I will give you some details about how to access the MISP insta 2763 01:28:36,500 --> 01:28:42,500 -S0, first of all we have a {inaudiable acting/active} page +S0, first of all we have a {inaudible acting/active} page 2764 01:28:42,500 --> 01:28:48,500 -which I obviously share at some point in time and i will share it again. +which I obviously share at some point in time and I will share it again. 2766 01:28:48,500 --> 01:28:54,799 @@ -6980,7 +6980,7 @@ and we will use that instance for the hands-on that we will do just after the br 2804 01:30:23,500 --> 01:30:31,0 -So what i propose now is to do a 15 minute break and we start at 45, if it's fine for everyone +So what I propose now is to do a 15 minute break and we start at 45, if it's fine for everyone 2808 01:30:31,0 --> 01:30:39,600 
@@ -6988,7 +6988,7 @@ and we will start by with the practical sessions with a specific email 2811 01:30:39,600 --> 01:30:43,600 -that we will share in the {inaudiable} as a practical example +that we will share in the {inaudible} as a practical example 2813 01:30:43,600 --> 01:30:51,300 
@@ -7002,1654 +7002,707 @@ to do the hands-on session. Thank you very much. 01:30:55,500 --> 01:30:57,500 Thank you. -TODO 2819 -01:44:10,399 --> 01:44:15,118 -okay and shall we get started +01:44:10,399 --> 01:44:14,0 +Okay and shall we get started. 2820 -01:44:16,238 --> 01:44:22,559 -sure welcome back everyone +01:44:15,0 --> 01:44:18,559 +Sure, welcome back everyone. 2821 -01:44:20,79 --> 01:44:24,399 -okay so now what we're going to be doing - -2822 -01:44:22,560 --> 01:44:26,80 -is we're going to look a little bit - -2823 -01:44:24,399 --> 01:44:27,679 -at miss pizza so we've talked plenty +01:44:19,0 --> 01:44:25,399 +Okay so now what we're going to be doing is we're going to look a little bit at MISP itself 2824 -01:44:26,79 --> 01:44:28,960 -about it but we haven't actually done +01:44:25,399 --> 01:44:28,500 +so we've talked plenty about it but we haven't actually done anything with it yet. 2825 -01:44:27,679 --> 01:44:30,560 -anything with it yet - -2826 -01:44:28,960 --> 01:44:32,560 -so i really encourage everyone that has +01:44:28,500 --> 01:44:34,560 +So I really encourage everyone that has a MISP instance to also play along and to create your own events. 2827 -01:44:30,560 --> 01:44:35,199 -a misfits to also play along - -2828 -01:44:32,560 --> 01:44:36,800 -and to create your own events what we're - -2829 -01:44:35,198 --> 01:44:37,439 -going to be doing is we're going to go +01:44:34,560 --> 01:44:39,199 +What we're going to be doing is we're going to go through a set of fictional little exercise. 
2830 -01:44:36,800 --> 01:44:40,639 -through as - -2831 -01:44:37,439 --> 01:44:41,359 -any fictional little exercise assume - -2832 -01:44:40,639 --> 01:44:44,0 -6280.639 --> 6284 -that you - -2833 -01:44:41,359 --> 01:44:44,799 -that you receive an email from uh in - -2834 -01:44:44,0 --> 01:44:46,560 -6284 --> 6286.56 -this case - -2835 -01:44:44,800 --> 01:44:49,840 -luxembourg english telco this is certain +01:44:39,199 --> 01:44:46,560 +Assume that you receive an email from, in this case, luxembourg {inaudible} telecom 2836 -01:44:46,560 --> 01:44:52,80 -of them describing an incident of a very - -2837 -01:44:49,840 --> 01:44:53,520 -simplistic incident +01:44:46,560 --> 01:44:51,80 +the CSIRT of them describing an incident, of a very simplistic incident, 2838 -01:44:52,79 --> 01:44:56,479 -of what happened what we're going to be - -2839 -01:44:53,520 --> 01:44:59,280 -trying to do now is to model this a miss +01:44:51,80 --> 01:44:56,479 +of what happened and what we're going to be trying to do now is to model this in MISP 2840 -01:44:56,479 --> 01:45:00,839 -and to explain how you can further - -2841 -01:44:59,279 --> 01:45:02,800 -improve it and contextualize this - -2842 -01:45:00,840 --> 01:45:05,39 -information +01:44:56,479 --> 01:45:01,839 +and to explain how you can further improve it and contextualize this information 2843 -01:45:02,800 --> 01:45:06,239 -so before we start uh once you're logged - -2844 -01:45:05,39 --> 01:45:08,639 -into the +01:45:01,839 --> 01:45:07,0 +So before we start, once you're logged into the MISP instance, 2845 -01:45:06,238 --> 01:45:09,678 -into miss pinsons such as the hosted - -2846 -01:45:08,639 --> 01:45:11,359 -training instance - -2847 -01:45:09,679 --> 01:45:13,840 -this is what you're going to be seeing +01:45:07,0 --> 01:45:11,0 +such as the hosted training instance. This is what you're going to be seeing. 
2848 -01:45:11,359 --> 01:45:15,198 -so it's a it's a little bit squeezed on - -2849 -01:45:13,840 --> 01:45:18,639 -alex's screen +01:45:11,0 --> 01:45:14,500 +So it's a little bit squeezed on Alex's screen 2850 -01:45:15,198 --> 01:45:21,599 -but the idea is that you have a list of - -2851 -01:45:18,639 --> 01:45:23,279 -events that are listed on the main page +01:45:14,500 --> 01:45:21,599 +but the idea is that you have a list of events that are listed on the main page. 2852 -01:45:21,600 --> 01:45:25,280 -so we're in the event index this is our - -2853 -01:45:23,279 --> 01:45:26,719 -landing page when we load up misp +01:45:21,599 --> 01:45:25,280 +So we're in the event index, this is our landing page when we load up MISP 2854 -01:45:25,279 --> 01:45:28,79 -and each of these individual lines - -2855 -01:45:26,719 --> 01:45:30,158 -represents an event so they're - -2856 -01:45:28,79 --> 01:45:33,519 -describing either an attack +01:45:25,280 --> 01:45:29,0 +and each of these individual lines represents an event so they're describing either an attack, 2857 -01:45:30,158 --> 01:45:34,960 -or perhaps a report recurring - -2858 -01:45:33,520 --> 01:45:38,800 -distribution - -2859 -01:45:34,960 --> 01:45:40,0 -6334.96 --> 6340 -or a certain type of of indicator lists - -2860 -01:45:38,800 --> 01:45:41,600 -and so on +01:45:29,0 --> 01:45:39,500 +or perhaps a report, recurring distribution, or a certain type of of indicator lists and so on. 2861 -01:45:40,0 --> 01:45:43,439 -6340 --> 6343.44 -so what you're seeing here is you have - -2862 -01:45:41,600 --> 01:45:45,679 -each of these events having an id +01:45:39,500 --> 01:45:45,0 +So what you're seeing here is, you have each of these events having an ID and some metadata around it 2863 -01:45:43,439 --> 01:45:47,359 -and some metadata around it so these are +01:45:45,0 --> 01:45:50,500 +so these metadata can be either coming from this galaxy cluster system that we mentioned. 
2864 -01:45:45,679 --> 01:45:48,960 -this metadata can be either coming from - -2865 -01:45:47,359 --> 01:45:50,719 -this galaxy cluster - -2866 -01:45:48,960 --> 01:45:52,639 -system that we mentioned for example +01:45:50,500 --> 01:45:53,500 +For example describing different attacker techniques, 2867 -01:45:50,719 --> 01:45:55,679 -describing different - -2868 -01:45:52,639 --> 01:45:56,880 -attacker techniques the different types - -2869 -01:45:55,679 --> 01:45:58,560 -of - -2870 -01:45:56,880 --> 01:46:00,560 -ransomwares in this case or attack +01:45:53,500 --> 01:46:00,0 +different types of ransomwares in this case or attack patterns that are leveraged 2871 -01:45:58,560 --> 01:46:02,0 -6358.56 --> 6362 -patterns that are leveraged - -2872 -01:46:00,560 --> 01:46:03,520 -and then if we scroll a bit further - -2873 -01:46:02,0 --> 01:46:04,319 -6362 --> 6364.32 -right so this is a bit lower resolution +01:46:00,0 --> 01:46:04,0 +and then if we scroll a bit further right so this is a bit lower resolution here that we see 2874 -01:46:03,520 --> 01:46:06,800 -there that we see - -2875 -01:46:04,319 --> 01:46:07,920 -but uh you should have it visible on the - -2876 -01:46:06,800 --> 01:46:12,159 -same page +01:46:04,0 --> 01:46:07,500 +but you should have it visible on the same page. 2877 -01:46:07,920 --> 01:46:14,239 -um you see the information about uh - -2878 -01:46:12,158 --> 01:46:15,439 -what this event is trying to describe to - -2879 -01:46:14,238 --> 01:46:17,198 -us +01:46:07,500 --> 01:46:14,239 +You see the information about what this event is trying to describe to us 2880 -01:46:15,439 --> 01:46:19,599 -it's simple to understand text-based +01:46:14,239 --> 01:46:17,500 +it's simple to understand text-based representation. 
2881 -01:46:17,198 --> 01:46:21,198 -representation now this instance is used - -2882 -01:46:19,600 --> 01:46:22,719 -for trainings in general so it's going +01:46:17,500 --> 01:46:22,500 +Now this instance is used for trainings in general so it's going to be filled with a lot of junk 2883 -01:46:21,198 --> 01:46:24,559 -to be filled with a lot of junk - -2884 -01:46:22,719 --> 01:46:27,39 -interspersed with real data that is - -2885 -01:46:24,560 --> 01:46:28,800 -coming from our tlp wide feed +01:46:21,198 --> 01:46:26,500 +interspersed with real data that is coming from our TLP white feed. 2886 -01:46:27,39 --> 01:46:31,679 -so you're going to see some obviously - -2887 -01:46:28,800 --> 01:46:33,840 -weird events in there - -2888 -01:46:31,679 --> 01:46:35,840 -these are just there for testing just +01:46:26,500 --> 01:46:31,679 +So you're going to see some obviously weird events in there. 2889 -01:46:33,840 --> 01:46:37,199 -players playing during an exercise and - -2890 -01:46:35,840 --> 01:46:40,159 -so on +01:46:31,679 --> 01:46:37,199 +These are just there for testing, just players playing during an exercise and so on 2891 -01:46:37,198 --> 01:46:41,439 -but also some real events there so what +01:46:37,199 --> 01:46:39,500 +but also some real events there. 
2892 -01:46:40,158 --> 01:46:43,118 -we're going to be doing now is we're - -2893 -01:46:41,439 --> 01:46:44,879 -going to create our own event based on +01:46:39,500 --> 01:46:42,500 +So what we're going to be doing now is we're going to create our own event 2894 -01:46:43,118 --> 01:46:45,759 -that email that we received it's also on - -2895 -01:46:44,880 --> 01:46:47,600 -the hackamd +01:46:42,500 --> 01:46:46,0 +based on that email that we received it's also on the hackmd page 2896 -01:46:45,760 --> 01:46:48,880 -page so just have a look at email - -2897 -01:46:47,600 --> 01:46:51,119 -exactly - -2898 -01:46:48,880 --> 01:46:52,239 -and we need to start encoding with that - -2899 -01:46:51,118 --> 01:46:54,319 -event +01:46:46,0 --> 01:46:52,880 +so just have a look at the email itself and we need to start encoding that event. 2900 -01:46:52,238 --> 01:46:55,839 -so before we include anything in misp - -2901 -01:46:54,319 --> 01:46:57,920 -the first thing that we need to do +01:46:52,880 --> 01:46:56,0 +so before we include anything in MISP, the first thing that we need to do 2902 -01:46:55,840 --> 01:47:00,239 -is we need to create a new event so this - -2903 -01:46:57,920 --> 01:47:02,399 -is where everything starts +01:46:56,0 --> 01:46:59,500 +is we need to create a new event so this is where everything starts. 2904 -01:47:00,238 --> 01:47:04,238 -way to do it is to just click on add - -2905 -01:47:02,399 --> 01:47:05,359 -event on the left side of the menu +01:46:59,500 --> 01:47:04,0 +Way to do it is to just click on add event on the left side of the menu 2906 -01:47:04,238 --> 01:47:07,359 -and then you start with a very +01:47:04,0 --> 01:47:07,0 +and then you start with a very simplistic form 2907 -01:47:05,359 --> 01:47:11,198 -simplistic form that where we can - -2908 -01:47:07,359 --> 01:47:13,679 -describe the event in a very high level +01:47:07,0 --> 01:47:10,800 +where we can describe the event in a very high level in MISP. 
2909 -01:47:11,198 --> 01:47:15,118 -so here you see it's it's the first step - -2910 -01:47:13,679 --> 01:47:16,399 -is very straightforward +01:47:10,800 --> 01:47:14,500 +so here you see the first step is very straightforward 2911 -01:47:15,118 --> 01:47:17,920 -the import the things that we have to - -2912 -01:47:16,399 --> 01:47:18,479 -watch out for or here is we already - -2913 -01:47:17,920 --> 01:47:20,239 -decide +01:47:14,500 --> 01:47:19,300 +the things that we have to watch out for out here is we have to decide who gets to see the event 2914 -01:47:18,479 --> 01:47:22,638 -who gets to see the event so this is the +01:47:19,300 --> 01:47:21,500 +so this is the distribution level 2915 -01:47:20,238 --> 01:47:23,279 -distribution level and that we need to - -2916 -01:47:22,639 --> 01:47:25,520 -set and - -2917 -01:47:23,279 --> 01:47:27,599 -basically a basic description of it as +01:47:21,500 --> 01:47:25,0 +and that we need to set a basic description of it. 2918 -01:47:25,520 --> 01:47:30,159 -for the distribution itself - -2919 -01:47:27,600 --> 01:47:32,159 -you have different uh ways of - -2920 -01:47:30,158 --> 01:47:33,679 -interacting with the data here already +01:47:25,0 --> 01:47:31,500 +As for the distribution itself, you have different ways of interacting with the data here already 2921 -01:47:32,158 --> 01:47:35,359 -so one of the decisions that you have to +01:47:31,500 --> 01:47:34,400 +so one of the decisions that you have to make, 2922 -01:47:33,679 --> 01:47:35,760 -make even if you're going to share to - -2923 -01:47:35,359 --> 01:47:37,759 -the - -2924 -01:47:35,760 --> 01:47:40,0 -6455.76 --> 6460 -wider community out there is do i keep +01:47:34,400 --> 01:47:37,500 +even if you're going to share to the wider community out there is 2925 -01:47:37,760 --> 01:47:41,119 -this internal until i'm ready to share +01:47:37,500 --> 01:47:41,119 +do I keep this internal until I am ready to share it with the community 2926 -01:47:40,0 --> 
01:47:43,118 -6460 --> 6463.119 -it with the community - -2927 -01:47:41,118 --> 01:47:44,719 -or do i already make it visible to - -2928 -01:47:43,118 --> 01:47:46,559 -anyone that has access to the data in - -2929 -01:47:44,719 --> 01:47:48,960 -the community +01:47:41,119 --> 01:47:45,500 +or do I already make it visible to anyone that has access to the data in the community. 2930 -01:47:46,560 --> 01:47:50,800 -now keep in mind that we have a - -2931 -01:47:48,960 --> 01:47:52,79 -publishing process in misp so until an - -2932 -01:47:50,800 --> 01:47:54,320 -event is published +01:47:45,500 --> 01:47:51,500 +Now keep in mind that we have a publishing process in MISP, so until an event is published 2933 -01:47:52,79 --> 01:47:55,118 -it is not propagated out to other missed +01:47:51,500 --> 01:47:55,118 +it is not propagated out to other MISP instances, 2934 -01:47:54,319 --> 01:47:56,639 -instances - -2935 -01:47:55,118 --> 01:47:58,158 -that means anyone on the current miss +01:47:55,118 --> 01:47:58,0 +that means anyone on the current MISP instance can see the data 2936 -01:47:56,639 --> 01:47:59,679 -pencils can see the data - -2937 -01:47:58,158 --> 01:48:02,0 -6478.159 --> 6482 -but it will not jump to a different - -2938 -01:47:59,679 --> 01:48:04,319 -misspen since at this point in any way +01:47:58,0 --> 01:48:01,500 +but it will not jump to a different MISP instance at this point in any way. 
2939 -01:48:02,0 --> 01:48:05,439 -6482 --> 6485.44 -but if you if you're creating it on a - -2940 -01:48:04,319 --> 01:48:07,679 -hosted instance +01:48:01,500 --> 01:48:06,0 +but if you are creating it on a hosted instance for example 2941 -01:48:05,439 --> 01:48:08,799 -for example if you if your isak is - -2942 -01:48:07,679 --> 01:48:10,319 -running a miss pinstance and you're - -2943 -01:48:08,800 --> 01:48:11,840 -creating it on that one directly +01:48:05,439 --> 01:48:10,500 +if your ISAC is running a MISP instance and you're creating it on that one directly 2944 -01:48:10,319 --> 01:48:14,0 -6490.32 --> 6494 -then this already has an impact on who - -2945 -01:48:11,840 --> 01:48:16,400 -can see the data +01:48:10,500 --> 01:48:13,0 +then this already has an impact on who can see the data. 2946 -01:48:14,0 --> 01:48:18,0 -6494 --> 6498 -so the option here either go with your +01:48:13,0 --> 01:48:17,500 +So the option here, either go with "Your organization only" 2947 -01:48:16,399 --> 01:48:19,519 -organization only and then - -2948 -01:48:18,0 --> 01:48:21,679 -6498 --> 6501.679 -raise the distribution level once it's +01:48:17,500 --> 01:48:20,500 +and then raise the distribution level once it's ready to be released 2949 -01:48:19,520 --> 01:48:23,840 -ready to be released or you already - -2950 -01:48:21,679 --> 01:48:25,440 -involve addressing the process and you - -2951 -01:48:23,840 --> 01:48:27,279 -pick something like community only where +01:48:20,500 --> 01:48:25,500 +or you already involve addressing the process and you pick something like "This community only" 2952 -01:48:25,439 --> 01:48:28,319 -others can chip in with their ideas from - -2953 -01:48:27,279 --> 01:48:30,960 -the get-go +01:48:25,500 --> 01:48:28,319 +where others can chip in with their ideas from the get-go. 
2954 01:48:28,319 --> 01:48:32,559 -so this is up to you it's a risk versus - -2955 -01:48:30,960 --> 01:48:34,719 -efficiency question +So this is up to you, it's a risk versus efficiency question. 2956 -01:48:32,560 --> 01:48:35,600 -do i want to share the information and - -2957 -01:48:34,719 --> 01:48:37,760 -potentially - -2958 -01:48:35,600 --> 01:48:39,199 -overshare a bit by including by +01:48:32,560 --> 01:48:36,500 +Do I want to share the information and potentially overshare a bit 2959 -01:48:37,760 --> 01:48:40,960 -accidentally uploading information that - -2960 -01:48:39,198 --> 01:48:43,198 -is not yet - -2961 -01:48:40,960 --> 01:48:45,679 -confirmed that it can be shared out +01:48:36,500 --> 01:48:43,0 +by accidentally uploading information that is not yet confirmed that it can be shared out 2962 -01:48:43,198 --> 01:48:47,439 -versus losing out on perhaps others +01:48:43,0 --> 01:48:47,439 +versus losing out on perhaps others immediately jumping on board 2963 -01:48:45,679 --> 01:48:49,118 -immediately jumping on board and saying - -2964 -01:48:47,439 --> 01:48:50,399 -okay this is also something we've seen - -2965 -01:48:49,118 --> 01:48:51,599 -we've already done the analysis of it - -2966 -01:48:50,399 --> 01:48:53,599 -here you go +01:48:47,439 --> 01:48:52,0 +and saying okay this is also something we've seen we've already done the analysis of it here you go, 2967 -01:48:51,600 --> 01:48:54,960 -so you have to balance those two things - -2968 -01:48:53,600 --> 01:48:59,39 -out so let's start +01:48:52,0 --> 01:48:54,960 +so you have to balance those two things out. 
2969 -01:48:54,960 --> 01:49:01,920 -no for example for example what - -2970 -01:48:59,39 --> 01:49:03,359 -you have is when people are working on a - -2971 -01:49:01,920 --> 01:49:06,960 -case by default they say +01:48:56,0 --> 01:49:02,0 +For example some CSIRT was aware of this, so when people are working on a case 2972 -01:49:03,359 --> 01:49:08,79 -it's organization and at one point in - -2973 -01:49:06,960 --> 01:49:10,79 -time +01:49:03,359 --> 01:49:09,0 +by default it is "Your organization only" {inaudible} and at one point in time the team lead 2974 -01:49:08,79 --> 01:49:11,840 -the team lead for example decide at some - -2975 -01:49:10,79 --> 01:49:13,359 -point it's okay no you can share it - -2976 -01:49:11,840 --> 01:49:16,239 -to a wider community and then you change +01:49:09,0 --> 01:49:13,0 +for example decide at some point it's okay, now you can share it to a wider community 2977 -01:49:13,359 --> 01:49:17,839 -the distribution level +01:49:13,0 --> 01:49:15,0 +and then you change the distribution level. 2978 -01:49:16,238 --> 01:49:19,519 -yeah indeed so let's start with the - -2979 -01:49:17,840 --> 01:49:20,800 -organization only for now uh +01:49:16,0 --> 01:49:19,500 +Yeah, indeed. So let's start with the organization only for now 2980 -01:49:19,520 --> 01:49:22,560 -for different reasons that we'll get +01:49:19,500 --> 01:49:21,500 +for different reasons that we'll get back to later on 2981 -01:49:20,800 --> 01:49:24,0 -6560.8 --> 6564 -back to later on it allows us to show - -2982 -01:49:22,560 --> 01:49:25,119 -off another feature afterwards that is +01:49:21,500 --> 01:49:26,500 +it allows us to show off another feature afterwards that is handy, so we start with that. 
2983 -01:49:24,0 --> 01:49:26,800 -6564 --> 6566.8 -handy - -2984 -01:49:25,118 --> 01:49:28,639 -so we start with that then we have to - -2985 -01:49:26,800 --> 01:49:29,199 -describe this the threat level so this - -2986 -01:49:28,639 --> 01:49:31,840 -is +01:49:26,500 --> 01:49:30,500 +Then we have to describe the threat level so this is a very subjective question. 2987 -01:49:29,198 --> 01:49:33,598 -a very subjective question uh threat - -2988 -01:49:31,840 --> 01:49:34,800 -level will depend a lot on what sort of - -2989 -01:49:33,599 --> 01:49:36,560 -an organization you are +01:49:30,500 --> 01:49:36,500 +Threat level will depend a lot on what sort of an organization you are versus who you're sharing it with 2990 -01:49:34,800 --> 01:49:38,0 -6574.8 --> 6578 -versus who you're sharing it with so we - -2991 -01:49:36,560 --> 01:49:40,400 -all have different interpretations of - -2992 -01:49:38,0 --> 01:49:41,760 -6578 --> 6581.76 -what we consider a high threat level +01:49:35,500 --> 01:49:40,500 +so we all have different interpretations of what we consider a high threat level. 2993 -01:49:40,399 --> 01:49:43,679 -we have some descriptions for each of - -2994 -01:49:41,760 --> 01:49:45,520 -these fields uh - -2995 -01:49:43,679 --> 01:49:46,800 -predefined if you click on the little +01:49:40,500 --> 01:49:44,500 +We have some descriptions for each of these fields predefined. 2996 -01:49:45,520 --> 01:49:49,199 -information box +01:49:44,500 --> 01:49:46,500 +If you click on the little information box, 2997 -01:49:46,800 --> 01:49:51,520 -it will tell you that hi is uh - -2998 -01:49:49,198 --> 01:49:53,519 -sophisticated apt malware or zero day - -2999 -01:49:51,520 --> 01:49:55,40 -attack +01:49:46,500 --> 01:49:52,500 +it will tell you that high is sophisticated APT malware or zero day attack. 
3000 -01:49:53,520 --> 01:49:57,599 -please just freely disregard this - -3001 -01:49:55,39 --> 01:49:58,479 -because nowadays a lot of information - -3002 -01:49:57,599 --> 01:50:00,159 -sharing +01:49:52,500 --> 01:49:56,0 +Please just freely disregard this because 3003 -01:49:58,479 --> 01:50:02,79 -happens in completely different domains +01:49:56,0 --> 01:50:00,0 +nowadays a lot of information sharing happens in completely different domains, 3004 -01:50:00,158 --> 01:50:03,598 -so if a fraud team is sharing +01:50:00,0 --> 01:50:04,500 +so if a fraud team is sharing information about fraudster 3005 -01:50:02,79 --> 01:50:06,880 -information about - -3006 -01:50:03,599 --> 01:50:08,400 -fraudster their definition of high - -3007 -01:50:06,880 --> 01:50:08,719 -threat level would be very different - -3008 -01:50:08,399 --> 01:50:11,439 -from - -3009 -01:50:08,719 --> 01:50:13,198 -those in cyber security for example so +01:50:04,500 --> 01:50:11,0 +their definition of high threat level would be very different from those in cyber security for example. 3010 -01:50:11,439 --> 01:50:15,519 -generally it's just a subjective +01:50:11,0 --> 01:50:14,500 +So generally it's just a subjective first measure 3011 -01:50:13,198 --> 01:50:17,198 -first measure but a lot of organizations - -3012 -01:50:15,520 --> 01:50:19,40 -users use this to briefly filter out +01:50:14,500 --> 01:50:18,500 +but a lot of organizations users use this to briefly filter out what they should tackle first 3013 -01:50:17,198 --> 01:50:21,439 -what they should tackle first - -3014 -01:50:19,39 --> 01:50:22,960 -so still use it with care if you don't - -3015 -01:50:21,439 --> 01:50:25,759 -want to use this field - -3016 -01:50:22,960 --> 01:50:27,679 -picking undefined is fine too analysis +01:50:18,500 --> 01:50:24,500 +so still use it with care. If you don't want to use this field, picking undefined is fine too. 
3017 -01:50:25,760 --> 01:50:30,560 -the next field describes how far along - -3018 -01:50:27,679 --> 01:50:33,39 -you've come with the analysis process - +01:50:25,760 --> 01:50:29,500 +Analysis is the next field, describes how far along you've come with the analysis process. + 3019 -01:50:30,560 --> 01:50:34,480 -so basically uh with this what you're +01:50:29,500 --> 01:50:34,480 +So basically with this what you're telling the community is 3020 -01:50:33,39 --> 01:50:36,158 -telling the communities i'm just - -3021 -01:50:34,479 --> 01:50:39,118 -starting out with the analysis - -3022 -01:50:36,158 --> 01:50:40,719 -these are my initial findings versus for +01:50:34,480 --> 01:50:37,500 +I'm just starting out with the analysis these are my initial findings 3023 -01:50:39,118 --> 01:50:41,839 -example saying that my analysis process +01:50:37,500 --> 01:50:41,839 +versus for example saying that my analysis process is already complete 3024 -01:50:40,719 --> 01:50:44,960 -is already complete - -3025 -01:50:41,840 --> 01:50:48,0 -6641.84 --> 6648 -i'm not going to be digging more for now +01:50:41,839 --> 01:50:46,500 +i'm not going to be digging more for now, I consider this complete, 3026 -01:50:44,960 --> 01:50:50,840 -i consider this complete if you have - -3027 -01:50:48,0 --> 01:50:54,960 -6648 --> 6654.96 -additional information then obviously - -3028 -01:50:50,840 --> 01:50:56,880 -uh already start collaborating with us - +01:50:46,500 --> 01:50:54,500 +if you have additional information then obviously start collaborating with us. + 3029 -01:50:54,960 --> 01:50:58,399 -so just pick whichever is most - -3030 -01:50:56,880 --> 01:50:59,840 -appropriate for you let's just go with - -3031 -01:50:58,399 --> 01:51:01,679 -initial for now +01:50:54,500 --> 01:50:59,500 +So just pick whichever is most appropriate for you. Let's just go with "Initial" for now. 
3032 -01:50:59,840 --> 01:51:04,159 -and then comes the most important part - -3033 -01:51:01,679 --> 01:51:06,319 -of this form which is - -3034 -01:51:04,158 --> 01:51:08,319 -describing the event info so this is a +01:50:59,840 --> 01:51:05,500 +and then comes the most important part of this form which is describing the event info, 3035 -01:51:06,319 --> 01:51:10,158 -brief description for analysts that are +01:51:05,500 --> 01:51:09,0 +so this is a brief description for analysts that are looking at the data 3036 -01:51:08,319 --> 01:51:12,79 -looking at the data that describe - -3037 -01:51:10,158 --> 01:51:13,198 -the best described the event that you're - -3038 -01:51:12,79 --> 01:51:16,719 -basically uh +01:51:09,0 --> 01:51:13,500 +that best described the event that you're basically sharing 3039 -01:51:13,198 --> 01:51:17,678 -sharing now be brief here and be careful - -3040 -01:51:16,719 --> 01:51:20,480 -about - -3041 -01:51:17,679 --> 01:51:22,639 -including very domain or organization +01:51:13,500 --> 01:51:21,0 +Now be brief here and be careful about including very domain or organization specific information. 
3042 -01:51:20,479 --> 01:51:23,279 -specific information one of the mistakes +01:51:21,0 --> 01:51:25,500 +One of the mistakes that people often make here is 3043 -01:51:22,639 --> 01:51:25,279 -that - -3044 -01:51:23,279 --> 01:51:26,319 -that people often make here is for - -3045 -01:51:25,279 --> 01:51:29,359 -example uh - -3046 -01:51:26,319 --> 01:51:30,479 -typing a ticket number or ticket id in - -3047 -01:51:29,359 --> 01:51:32,158 -there +01:51:25,500 --> 01:51:29,500 +for example typing a ticket number or ticket id in there 3048 -01:51:30,479 --> 01:51:33,759 -so if you have a ticketing system and - -3049 -01:51:32,158 --> 01:51:35,198 -you basically start your investigation - -3050 -01:51:33,760 --> 01:51:36,800 -from your ticketing system +01:51:29,500 --> 01:51:35,500 +so if you have a ticketing system and you basically start your investigation from your ticketing system 3051 -01:51:35,198 --> 01:51:38,719 -sharing out something like what alex has - -3052 -01:51:36,800 --> 01:51:40,239 -typed there is not very handy for anyone +01:51:35,500 --> 01:51:39,500 +sharing out something like what Alex has typed there is not very handy for anyone else 3053 -01:51:38,719 --> 01:51:41,679 -else nobody will have a clue what you - -3054 -01:51:40,238 --> 01:51:43,198 -mean with that +01:51:39,500 --> 01:51:41,500 +nobody will have a clue what you mean with that. 
3055 -01:51:41,679 --> 01:51:44,639 -another mistake that can happen here +01:51:41,500 --> 01:51:44,500 +Another mistake that can happen here very often is 3056 -01:51:43,198 --> 01:51:46,0 -6703.199 --> 6706 -very often is especially if you're +01:51:44,500 --> 01:51:49,0 +especially if you're starting out small and in turn initially you're only keeping the events for yourself 3057 -01:51:44,639 --> 01:51:47,840 -starting out small and - -3058 -01:51:46,0 --> 01:51:49,760 -6706 --> 6709.76 -in turn initially you're only keeping - -3059 -01:51:47,840 --> 01:51:51,520 -the events for yourself - -3060 -01:51:49,760 --> 01:51:53,760 -and then perhaps later on you decide - -3061 -01:51:51,520 --> 01:51:56,159 -that you want to maybe perhaps - -3062 -01:51:53,760 --> 01:51:57,520 -after all share it out to a community +01:51:49,0 --> 01:51:56,500 +and then perhaps later on you decide that you want to maybe perhaps after all share it out to a community 3063 -01:51:56,158 --> 01:51:58,960 -then one of the things that can really - -3064 -01:51:57,520 --> 01:52:00,719 -hurt you at that point is if you've +01:51:56,500 --> 01:52:59,500 +then one of the things that can really hurt you at that point is if you've used different language 3065 -01:51:58,960 --> 01:52:02,319 -used different language for example to - -3066 -01:52:00,719 --> 01:52:03,520 -describe the event info so we've seen - -3067 -01:52:02,319 --> 01:52:06,639 -this very often +01:52:59,500 --> 01:52:03,500 +for example to describe the event info so we've seen this very often 3068 -01:52:03,520 --> 01:52:07,360 -we instead of describing the things in - -3069 -01:52:06,639 --> 01:52:10,480 -english we +01:52:03,500 --> 01:52:09,0 +instead of describing the things in English, we choose our own languages 3070 -01:52:07,359 --> 01:52:10,479 -choose our own languages - -3071 -01:52:14,479 --> 01:52:18,79 -and myself is hungarian we are we're - -3072 -01:52:16,719 --> 01:52:21,599 -pretty prone to doing this 
+01:52:12,0 --> 01:52:19,500 +Both Alex {inaudible} and myself is hungarian, we are pretty prone to doing this in general 3073 -01:52:18,79 --> 01:52:22,639 -in general uh and this is generally - -3074 -01:52:21,599 --> 01:52:24,400 -something that will hurt us - -3075 -01:52:22,639 --> 01:52:25,920 -in the long term because uh once you +01:52:19,500 --> 01:52:23,500 +and this is generally something that will hurt us in the long term 3076 -01:52:24,399 --> 01:52:28,399 -share it out with a more +01:52:23,500 --> 01:52:27,500 +because once you share it out with a more international community 3077 -01:52:25,920 --> 01:52:30,79 -international community you either have +01:52:25,920 --> 01:52:30,500 +you either have to go through the effort of translating it 3078 -01:52:28,399 --> 01:52:32,799 -to go through the effort of translating - -3079 -01:52:30,79 --> 01:52:34,399 -it or basically make it illegible for - -3080 -01:52:32,800 --> 01:52:36,800 -the recipient +01:52:30,500 --> 01:52:34,500 +or basically make it illegible for the recipient 3081 -01:52:34,399 --> 01:52:37,839 -so stick to something simple simple - -3082 -01:52:36,800 --> 01:52:41,199 -phrasing +01:52:34,500 --> 01:52:40,500 +So stick to something simple, simple phrasing, be as concise as possible 3083 -01:52:37,840 --> 01:52:45,840 -be as concise as possible +01:52:40,500 --> 01:52:44,500 +but make sure that it's still understood what you mean. -3084 -01:52:41,198 --> 01:52:45,839 -but make sure that it's still understood +01:52:46,500 --> 01:52:51,500 +Okay, once you are done. 
In this case we are doing a {inaudible} spearphishing email, 3085 -01:52:51,920 --> 01:52:55,440 -we know that it's targeting the telco - -3086 -01:52:53,359 --> 01:52:57,198 -sector in luxembourg and we know that we +01:52:51,920 --> 01:52:55,800 +we know that it's targeting the telco sector in luxembourg and we know that we have a malware sample 3087 -01:52:55,439 --> 01:52:57,598 -have a malware sample so that's a pretty - -3088 -01:52:57,198 --> 01:52:59,598 -nice - -3089 -01:52:57,599 --> 01:53:01,39 -short explanation of what the event is - -3090 -01:52:59,599 --> 01:53:02,560 -about +01:52:55,800 --> 01:53:00,0 +so that's a pretty nice short explanation of what the event is about. 3091 -01:53:01,39 --> 01:53:04,800 -so once we click submit we have our +01:53:00,0 --> 01:53:05,0 +So once we click submit, we have our event created and we already see that that 3092 -01:53:02,560 --> 01:53:06,480 -event created and we already see that - -3093 -01:53:04,800 --> 01:53:08,400 -that our event suddenly has a lot of +01:53:05,0 --> 01:53:09,500 +our event suddenly has a lot of data that we didn't intentionally put in there yet. 3094 -01:53:06,479 --> 01:53:09,39 -data that we didn't intentionally put in - -3095 -01:53:08,399 --> 01:53:11,39 -there yet - -3096 -01:53:09,39 --> 01:53:13,359 -so we see a bunch of tags that are - -3097 -01:53:11,39 --> 01:53:15,840 -applied to the event we see that +01:53:09,500 --> 01:53:11,500 +So we see a bunch of tags that are applied to the event, 3098 -01:53:13,359 --> 01:53:16,799 -the event already has information about +01:53:11,500 --> 01:53:15,500 +we see that the event already has information about 3099 -01:53:15,840 --> 01:53:18,639 -uh - -3100 -01:53:16,800 --> 01:53:20,0 -6796.8 --> 6800 -who created the information who the +01:53:15,500 --> 01:53:20,500 +who created the information, who the local owners is information and so on. 
3101 -01:53:18,639 --> 01:53:22,0 -6798.639 --> 6802 -local owners and - -3102 -01:53:20,0 --> 01:53:24,238 -6800 --> 6804.239 -information and so on so this basically - -3103 -01:53:22,0 --> 01:53:25,439 -6802 --> 6805.44 -takes a lot of local settings from uh - -3104 -01:53:24,238 --> 01:53:27,519 -from the instance +01:53:20,500 --> 01:53:25,500 +So MISP basically takes a lot of {inaudible local/global} settings from the instance 3105 -01:53:25,439 --> 01:53:28,960 -and it uses the event when it is created - -3106 -01:53:27,520 --> 01:53:31,199 -with these basic datasets +01:53:25,500 --> 01:53:29,500 +and it fills in the event when it is created with these basic datasets. 3107 -01:53:28,960 --> 01:53:33,439 -a lot of these also involve the +01:53:29,500 --> 01:53:33,500 +A lot of these also involve the contextualization that we start out with 3108 -01:53:31,198 --> 01:53:35,118 -contextualization that we start out with +01:53:33,500 --> 01:53:37,500 +so it might seem a little bit pointless to immediately label something 3109 -01:53:33,439 --> 01:53:36,559 -so it might seem a little bit pointless +01:53:37,500 --> 01:53:39,500 +that we have not even started working on yet 3110 -01:53:35,118 --> 01:53:38,479 -to immediately +01:53:39,500 --> 01:53:44,200 +but also keep in mind that very often what we do internally in our organizations is 3111 -01:53:36,560 --> 01:53:40,0 -6816.56 --> 6820 -label something that we have not even - -3112 -01:53:38,479 --> 01:53:42,79 -started working on yet - -3113 -01:53:40,0 --> 01:53:43,359 -6820 --> 6823.36 -but also keep in mind that very often - -3114 -01:53:42,79 --> 01:53:45,118 -what we do internally in our - -3115 -01:53:43,359 --> 01:53:46,79 -organizations is we have several missed - -3116 -01:53:45,118 --> 01:53:49,359 -instances - -3117 -01:53:46,79 --> 01:53:51,198 -that are uh that already are domain +01:53:44,200 --> 01:53:50,0 +we have several MISP instances that already are domain specific 3118 -01:53:49,359 --> 
01:53:52,799 -specific so for example we have our spam - -3119 -01:53:51,198 --> 01:53:56,0 -6831.199 --> 6836 -collector instance we have our - -3120 -01:53:52,800 --> 01:53:58,639 -our sandboxing ignis vincents and so on +01:53:50,0 --> 01:53:55,500 +So, for example we have our spam collector instance, we have our our sandboxing in MISP instance and so on. 3121 -01:53:56,0 --> 01:54:00,479 -6836 --> 6840.48 -these these already are uh define the - -3122 -01:53:58,639 --> 01:54:00,960 -scope of the information that go into - -3123 -01:54:00,479 --> 01:54:02,879 -them +01:53:55,500 --> 01:54:00,500 +These already define the scope of the information that go into them 3124 -01:54:00,960 --> 01:54:04,960 -so we can already decide okay if we if - -3125 -01:54:02,880 --> 01:54:05,599 -we are on our spam collector miss - -3126 -01:54:04,960 --> 01:54:07,279 -vincent +01:54:00,500 --> 01:54:05,0 +so we can already decide okay if we are on our spam collector MISP instance 3127 -01:54:05,599 --> 01:54:08,880 -anything that goes in there will be +01:54:05,0 --> 01:54:07,500 +anything that goes in there will be related to spam 3128 -01:54:07,279 --> 01:54:10,719 -related to spam so in this case we can - -3129 -01:54:08,880 --> 01:54:12,159 -remove these tags because we don't - -3130 -01:54:10,719 --> 01:54:14,880 -we don't actually want to include those +01:54:07,500 --> 01:54:14,0 +so in this case we can remove these tags because we don't actually want to include those just yet. 
3131 -01:54:12,158 --> 01:54:15,679 -just yet maybe we can keep that one +01:54:14,0 --> 01:54:16,0 +Maybe we can keep that one because it's still a draft, 3132 -01:54:14,880 --> 01:54:17,520 -because it's still - -3133 -01:54:15,679 --> 01:54:20,319 -a draft so that means we will do an - -3134 -01:54:17,520 --> 01:54:23,599 -evaluation of this famous email accuracy +01:54:16,0 --> 01:54:20,500 +so that means we will do an evaluation of this spam email accuracy 3135 -01:54:20,319 --> 01:54:24,238 -and then um so we have some defined - -3136 -01:54:23,599 --> 01:54:25,920 -taxonomy - -3137 -01:54:24,238 --> 01:54:27,439 -misplan on this instance we enabled for +01:54:20,500 --> 01:54:25,500 +and then, so we have some defined taxonomy in MISP on this instance we enabled 3138 -01:54:25,920 --> 01:54:29,520 -example the workflow one - -3139 -01:54:27,439 --> 01:54:31,39 -uh this one is maybe of interest from - -3140 -01:54:29,520 --> 01:54:33,280 -different organizations is +01:54:25,500 --> 01:54:30,500 +for example the workflow one, this one is maybe of interest from different organizations 3141 -01:54:31,39 --> 01:54:35,599 -a generic one about workflow uh what is +01:54:31,39 --> 01:54:35,500 +is a generic one about workflow, what is the current state of things. 
3142 -01:54:33,279 --> 01:54:37,920 -the current state or other thing so - +01:54:35,500 --> 01:54:39,500 +So don't forget, in the initial event when we created the event + 3143 -01:54:35,599 --> 01:54:39,279 -don't forget uh in the initial event +01:54:39,500 --> 01:54:42,500 +we have information about the state and stuff like that 3144 -01:54:37,920 --> 01:54:40,560 -when we created the event we have - -3145 -01:54:39,279 --> 01:54:42,960 -information about - -3146 -01:54:40,560 --> 01:54:44,639 -uh the state and stuff like that now - -3147 -01:54:42,960 --> 01:54:46,158 -with this what we do is recommend to - -3148 -01:54:44,639 --> 01:54:46,880 -have taxonomies and you can you can - -3149 -01:54:46,158 --> 01:54:49,359 -really +01:54:42,500 --> 01:54:45,0 +Now with this what we do is recommend to have taxonomies 3150 -01:54:46,880 --> 01:54:51,440 -set up whatever you like and in the misp - -3151 -01:54:49,359 --> 01:54:52,319 -event to define the current state of - -3152 -01:54:51,439 --> 01:54:55,839 -this event +01:54:45,0 --> 01:54:49,500 +and you can really set up whatever you like in the misp event 3153 -01:54:52,319 --> 01:54:55,840 -so we keep draft from this case +01:54:49,500 --> 01:54:55,500 +to define the current state of this event so we keep "Draft" for this case. 
3154 -01:54:57,39 --> 01:55:01,840 -yeah indeed so we keep it at this and we +01:54:57,0 --> 01:55:00,500 +Yup indeed, so we keep it at this 3155 -01:55:00,238 --> 01:55:03,598 -scroll further down and we see that miss +01:55:00,500 --> 01:55:03,500 +and we scroll further down and we see that MISP warns us about a few things, 3156 -01:55:01,840 --> 01:55:05,119 -warns us about a few things first of all - -3157 -01:55:03,599 --> 01:55:06,639 -data is not published +01:55:03,500 --> 01:55:05,500 +first of all, data is not published 3158 -01:55:05,118 --> 01:55:08,639 -and second of all if we scroll a bit +01:55:05,500 --> 01:55:07,500 +and second of all if we scroll a bit further down 3159 -01:55:06,639 --> 01:55:10,239 -further down we see that mispo also +01:55:07,500 --> 01:55:11,0 +we see that MISP also tells us that there are no attributes in here. 3160 -01:55:08,639 --> 01:55:11,920 -tells us that there are no attributes in - -3161 -01:55:10,238 --> 01:55:12,399 -here so this is still an empty envelope +01:55:11,0 --> 01:55:13,0 +So this is still an empty envelope that we are about to share 3162 -01:55:11,920 --> 01:55:14,319 -that we - -3163 -01:55:12,399 --> 01:55:15,519 -are about to share so list tells us - -3164 -01:55:14,319 --> 01:55:18,719 -don't share this just yet +01:55:13,0 --> 01:55:16,500 +so MISP tells us, don't share this just yet, fill it up with data first. 
3165 -01:55:15,520 --> 01:55:19,119 -fill it up with data first so at this - -3166 -01:55:18,719 --> 01:55:22,319 -point - -3167 -01:55:19,118 --> 01:55:26,0 -6919.119 --> 6926 -we can start populating the information +01:55:16,500 --> 01:55:23,0 +So at this point, we can start populating the information 3168 -01:55:22,319 --> 01:55:26,0 -6922.32 --> 6926 -so if you if you look at the - -3169 -01:55:27,439 --> 01:55:31,919 -initial document that we that we use as - -3170 -01:55:29,840 --> 01:55:32,800 -a starting point we see in there that we +01:55:23,0 --> 01:55:30,0 +So if you look at the initial document that we use as a starting point, 3171 -01:55:31,920 --> 01:55:35,760 -have a lot of - -3172 -01:55:32,800 --> 01:55:37,679 -information in there described we see +01:55:30,0 --> 01:55:35,0 +we see in there that we have a lot of information in there described 3173 -01:55:35,760 --> 01:55:38,400 -for example that we are dealing with - -3174 -01:55:37,679 --> 01:55:40,319 -spearfishing +01:55:35,0 --> 01:55:38,500 +we see for example that we are dealing with spearphishing, 3175 -01:55:38,399 --> 01:55:41,598 -we see that we have an email that was - -3176 -01:55:40,319 --> 01:55:44,880 -received at a certain +01:55:38,500 --> 01:55:42,500 +we see that we have an email that was received at a certain point in time 3177 -01:55:41,599 --> 01:55:47,199 -point in time and we also see that - -3178 -01:55:44,880 --> 01:55:48,319 -we have an attacker that pretends to be - -3179 -01:55:47,198 --> 01:55:51,678 -um - -3180 -01:55:48,319 --> 01:55:54,0 -6948.32 --> 6954 -working at the ceo's uh uh daughter +01:55:42,500 --> 01:55:51,0 +and we also see that we have an attacker that pretends to be working at the CEO's daughter school 3181 -01:55:51,679 --> 01:55:55,440 -and sending the email address from - -3182 -01:55:54,0 --> 01:55:57,198 -6954 --> 6957.199 -spoofed uh - -3183 -01:55:55,439 --> 01:55:59,359 -the email from a spoofed email address +01:55:51,0 --> 01:55:57,500 
+and sending the email from a spoofed email address. 3184 -01:55:57,198 --> 01:56:00,719 -so we can start by by describing this - -3185 -01:55:59,359 --> 01:56:01,759 -information by including this - -3186 -01:56:00,719 --> 01:56:03,279 -information +01:55:57,500 --> 01:56:01,500 +So we can start by describing this information, by including this information. 3187 -01:56:01,760 --> 01:56:04,800 -so perhaps one of the things that we can +01:56:01,500 --> 01:56:04,500 +So perhaps one of the things that we can take here is, 3188 -01:56:03,279 --> 01:56:06,880 -take here is let's start with the most - -3189 -01:56:04,800 --> 01:56:09,119 -basic thing we're describing an email - -3190 -01:56:06,880 --> 01:56:10,880 -so let's start with an email object so +01:56:04,500 --> 01:56:08,500 +let's start with the most basic thing we're describing, an email, so let's start with an email object. 3191 -01:56:09,118 --> 01:56:15,839 -we're going to add an object - -3192 -01:56:10,880 --> 01:56:15,840 -and we're going to select email +01:56:08,500 --> 01:56:16,0 +So we're going to add an object and we're going to select email 3193 -01:56:18,479 --> 01:56:22,479 -so here we see that this is coming from +01:56:18,479 --> 01:56:21,0 +So here we see that this is coming from the templating system 3194 -01:56:20,639 --> 01:56:26,400 -the templating system where you can - -3195 -01:56:22,479 --> 01:56:28,79 -define uh pre different concepts with - -3196 -01:56:26,399 --> 01:56:30,79 -different fields that have to be then +01:56:21,0 --> 01:56:27,500 +where you can define different concepts with different fields 3197 -01:56:28,79 --> 01:56:31,760 -populated using this object templating - -3198 -01:56:30,79 --> 01:56:33,359 -system +01:56:27,500 --> 01:56:30,500 +that have to be then populated using this object templating system. 
3199 -01:56:31,760 --> 01:56:35,440 -so we have a bunch of information that +01:56:31,760 --> 01:56:34,500 +So we have a bunch of information that we can fill out here 3200 -01:56:33,359 --> 01:56:37,39 -we can fill out here we see the spoofed - -3201 -01:56:35,439 --> 01:56:43,839 -address so we see a from address that we - -3202 -01:56:37,39 --> 01:56:43,840 -can encode +01:56:34,500 --> 01:56:40,0 +we see the spoofed address so we see a "From" address that we can encode 3203 -01:56:45,439 --> 01:56:52,879 -okay we also have um - -3204 -01:56:50,399 --> 01:56:55,118 -a sample that i don't know if you if +01:56:45,439 --> 01:56:54,500 +Okay. we also have a sample that I don't know if I've uploaded it anywhere. Alex? 3205 -01:56:52,880 --> 01:56:58,960 -i've uploaded anywhere alex if not just - -3206 -01:56:55,118 --> 01:57:00,880 -pick any file for now because - -3207 -01:56:58,960 --> 01:57:02,319 -i think that's something i forgot to do +01:56:54,500 --> 01:56:57,500 +If not just pick any file for now because I think that's something I forgot to do. 3208 -01:57:00,880 --> 01:57:03,679 -yeah i don't know where the sample is - -3209 -01:57:02,319 --> 01:57:06,719 -yeah maybe we should add it +01:57:00,880 --> 01:57:03,500 +Yeah I don't know where the sample is. Yeah maybe we should add it. 3210 -01:57:03,679 --> 01:57:11,840 -yeah just put putty dot x or something - -3211 -01:57:06,719 --> 01:57:11,840 -if you have it +01:57:03,500 --> 01:57:08,0 +Yeah just put putty.x or something if you have it 3212 -01:57:12,800 --> 01:57:15,119 -oops +01:57:12,800 --> 01:57:14,500 +Oops 3213 -01:57:16,639 --> 01:57:19,599 -or we can do it as a separate object we - -3214 -01:57:18,158 --> 01:57:21,39 -can we can just do this separately yeah +01:57:16,639 --> 01:57:19,500 +or we can do it as a separate object, we can just do this separately 3215 -01:57:19,599 --> 01:57:24,400 -we can do a separate objective +01:57:19,500 --> 01:57:21,0 +Yeah, we can do a separate object. 
3216 -01:57:21,39 --> 01:57:25,118 -yeah indeed indeed okay so what we can - -3217 -01:57:24,399 --> 01:57:27,118 -already - -3218 -01:57:25,118 --> 01:57:28,238 -describe here is we can we can still add +01:57:21,0 --> 01:57:26,0 +Yeah, indeed, indeed. Okay so what we can already describe here is 3219 -01:57:27,118 --> 01:57:31,839 -the name of the - -3220 -01:57:28,238 --> 01:57:34,158 -uh attachment that we had in there - -3221 -01:57:31,840 --> 01:57:34,159 -um +01:57:26,0 --> 01:57:31,500 +we can still add the name of the attachment that we had in there 3222 -01:57:35,359 --> 01:57:39,839 +01:57:35,500 --> 01:57:38,500 just to fast track it a bit 3223 
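Review bot: the replacement timing for cue 3063 has a typo in the hour field: "+01:51:56,500 --> 01:52:59,500" makes a 63-second cue, and the following cue 3067, "+01:52:59,500 --> 01:52:03,500", now ends before it starts, so both cues will be dropped or mis-displayed by a player; the end/start should read 01:51:59,500. Two more structural points in this hunk: the cue that replaces 3084 ("+01:52:46,500 --> 01:52:51,500" / "+Okay, once you are done. In this case we are doing ...") is added without an index line, since "-3084" is removed and no "+3084" follows, which breaks the index/timestamp/text triplet SRT expects; and the merged cues keep their old, now non-consecutive indices (2930, 2933, 2935, 2938 ...), so a renumbering pass over the file before merging would keep the sequence contiguous. Several new timestamps also write the millisecond field as ",0" (e.g. "+01:47:58,0 --> 01:48:01,500"); the SRT timestamp format is HH:MM:SS,mmm with three digits, so these should be ",000". Some merged cues now overlap where the originals did not need to (cue 2989 "+01:49:30,500 --> 01:49:36,500" against 2992 "+01:49:35,500 --> 01:49:40,500"; 3076 "+01:52:23,500 --> 01:52:27,500" against 3077 "+01:52:25,920 --> 01:52:30,500"), which is worth tidying while the timings are being rewritten. Finally, capitalisation is inconsistent with the rest of the patch: "i'm" in cue 3025, "hungarian", "luxembourg" and "in the misp event" (cue 3152) should be "I'm", "Hungarian", "Luxembourg" and "MISP".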
@@ -8657,12045 +7710,5057 @@ just to fast track it a bit good 3224 -01:57:46,79 --> 01:57:49,760 -so we have a timestamp too which is +01:57:46,79 --> 01:57:48,500 +so we have a timestamp too which is interesting 3225 01:57:47,679 --> 01:57:52,319 -interesting so um + um 3226 01:57:49,760 --> 01:57:54,239 -this one has been received as a specific + 3227 -01:57:52,319 --> 01:57:56,639 -so it was a third +01:57:52,319 --> 01:57:55,500 +so this one has been received at a specific date so it was the third of.... 3228 -01:57:54,238 --> 01:57:58,479 -of so the first scene is basically - -3229 -01:57:56,639 --> 01:58:03,440 -something that you can you can really uh +01:57:54,238 --> 01:57:59,0 +so the "First Seen" is basically something that you can already set up 3230 -01:57:58,479 --> 01:58:03,439 -set up so it was the third of february +01:57:59,0 --> 01:58:07,500 +so it was the third of February, we had a specific time if i'm not mistaken. 3231 01:58:03,920 --> 01:58:10,158 -we had a specific time if i'm misleading + 3232 -01:58:07,198 --> 01:58:11,39 -um so in this one we have uh this one - -3233 -01:58:10,158 --> 01:58:14,349 -has been - -3234 -01:58:11,39 --> 01:58:16,880 -sent on received on - -3235 -01:58:14,350 --> 01:58:21,840 -[Music] - -3236 -01:58:16,880 --> 01:58:21,840 -16 so i can +01:58:07,198 --> 01:58:20,500 +So in this one has been sent on, received on 15, 16, 3237 -01:58:27,439 --> 01:58:34,158 -we also see that that basically +01:58:27,0 --> 01:58:35,500 +we also see that that basically the attachment was spoofing the document 3238 -01:58:30,639 --> 01:58:37,199 -the attachment was spoofing - -3239 -01:58:34,158 --> 01:58:39,598 -the document uh - -3240 -01:58:37,198 --> 01:58:40,638 -about the report about the ceo's - -3241 -01:58:39,599 --> 01:58:42,719 -daughter's +01:58:30,639 --> 01:58:41,0 +about the report about the CEO's daughter's progress in school. 
3242 -01:58:40,639 --> 01:58:44,79 -progress in school so we can pick the - -3243 -01:58:42,719 --> 01:58:47,279 -file name for the - -3244 -01:58:44,79 --> 01:58:50,639 -uh attachment and that is under the +01:58:41,0 --> 01:58:48,500 +So we can pick the file name for the attachment and that is under the attachment section in the object 3245 -01:58:47,279 --> 01:58:50,639 -attachment section in the object +01:58:55,500 --> 01:58:57,500 +Good. 3246 -01:58:54,560 --> 01:59:01,199 -good i'm just clicking it +01:58:57,500 --> 01:58:59,0 +I'm just clicking it. Yeah 3247 -01:58:58,158 --> 01:59:02,960 -yeah it is called report.x attacks i +01:58:59,0 --> 01:59:03,500 +It is called report.doc.exe, I mean maybe it's not in the text right now. 3248 -01:59:01,198 --> 01:59:04,319 -mean maybe it's not in the text right - -3249 -01:59:02,960 --> 01:59:06,639 -now okay it might not be in the text - -3250 -01:59:04,319 --> 01:59:12,319 -might be just the original file +01:59:03,500 --> 01:59:06,500 +Ah okay, it might not be in the text, might be just in the original file. 3251 -01:59:06,639 --> 01:59:12,319 -about that so yeah report.x dot x +01:59:06,500 --> 01:59:12,500 +Sorry about that. So yeah report.doc.exe 3252 -01:59:12,800 --> 01:59:15,360 -attachment +01:59:18,0 --> 01:59:19,500 +Ok yeah perfect. 3253 -01:59:21,198 --> 01:59:24,879 -and then we also know that it was +01:59:19,500 --> 01:59:26,500 +And then we also know that it was received, that we have the received header ip -3254 -01:59:22,399 --> 01:59:24,879 -received - -3255 -01:59:25,39 --> 01:59:28,800 -that we have received header ip so we - -3256 -01:59:27,279 --> 01:59:29,198 -can include that as well that's also in - -3257 -01:59:28,800 --> 01:59:33,440 -the - -3258 -01:59:29,198 --> 01:59:33,439 -stated email it's 137.221 +325 6 +01:59:26,500 --> 01:59:34,0 +so we can include that as well that's also stated in the email. 
It's 137.221.106.104 3259 -01:59:41,599 --> 01:59:44,639 -and we even have the hostname if you - -3260 -01:59:42,960 --> 01:59:47,198 -want to include that that was also - -3261 -01:59:44,639 --> 01:59:47,199 -included in - -3262 -01:59:48,880 --> 01:59:51,679 -or in the report +01:59:41,500 --> 01:59:50,500 +and we even have the hostname ,if you want to include that, that was also included in the email/report 3263 -01:59:54,960 --> 01:59:59,679 -perfect so this is as you can see here +01:59:54,0 --> 01:59:59,500 +Perfect, so as you can see here we did not fill everything out 3264 -01:59:58,79 --> 02:00:01,198 -we did not fill everything out because - -3265 -01:59:59,679 --> 02:00:03,118 -we don't know everything based on the - -3266 -02:00:01,198 --> 02:00:04,158 -report but we knew some of the fields we +01:59:59,500 --> 02:00:02,500 +because we don't know everything based on the report but we knew some of the fields. 3267 -02:00:03,118 --> 02:00:05,839 -also see that - -3268 -02:00:04,158 --> 02:00:07,839 -each of these objects basically have - -3269 -02:00:05,840 --> 02:00:08,639 -some requirements and we satisfy those - -3270 -02:00:07,840 --> 02:00:10,560 -in this case +02:00:02,500 --> 02:00:08,500 +We also see that each of these objects basically have some requirements and we satisfy those in this case. 
3271 -02:00:08,639 --> 02:00:12,239 -so if you scroll all the way to the top - -3272 -02:00:10,560 --> 02:00:12,880 -you will see that that this object had a - -3273 -02:00:12,238 --> 02:00:14,559 -requirement +02:00:08,500 --> 02:00:13,0 +So if you scroll all the way to the top you will see that that this object had a requirement 3274 -02:00:12,880 --> 02:00:16,0 -7212.88 --> 7216 -any of those fields have to be filled - -3275 -02:00:14,560 --> 02:00:18,80 -we've definitely met that +02:00:13,0 --> 02:00:17,500 +any of those fields have to be filled, we've definitely met that so we can just click submit 3276 -02:00:16,0 --> 02:00:21,359 -7216 --> 7221.36 -so we can just click submit and we can - -3277 -02:00:18,79 --> 02:00:21,359 -create our object in this case +02:00:16,0 --> 02:00:20,500 +and we can create our object in this case 3278 -02:00:23,198 --> 02:00:26,799 -so here we see mrs telling us if we - -3279 -02:00:25,359 --> 02:00:27,519 -create this object that's what it will - -3280 -02:00:26,800 --> 02:00:28,880 -look like +02:00:23,0 --> 02:00:27,500 +so here we see MISP telling us if we create this object that's what it will look like. 3281 -02:00:27,520 --> 02:00:30,719 -so we have in this case created our - -3282 -02:00:28,880 --> 02:00:31,359 -object and now it is attached to the - -3283 -02:00:30,719 --> 02:00:33,840 -event and +02:00:27,500 --> 02:00:31,0 +So we have in this case created our object and now it is attached to the event 3284 -02:00:31,359 --> 02:00:34,960 -suddenly stuff happened here so we see +02:00:31,359 --> 02:00:33,0 +and suddenly stuff happened here 3285 -02:00:33,840 --> 02:00:37,119 -that each of these - -3286 -02:00:34,960 --> 02:00:38,480 -attributes already start correlating - -3287 -02:00:37,118 --> 02:00:40,799 -with existing events +02:00:33,0 --> 02:00:38,500 +so we see that each of these attributes already start correlating with existing events. 
3288 -02:00:38,479 --> 02:00:42,718 -now we read this uh this little exercise - -3289 -02:00:40,800 --> 02:00:44,159 -before we didn't correlate with some of - -3290 -02:00:42,719 --> 02:00:46,880 -those previous events +02:00:38,500 --> 02:00:43,500 +Now we ran this little exercise before so it correlate with some of those previous events 3291 -02:00:44,158 --> 02:00:50,238 -but normally uh if this was a real case - -3292 -02:00:46,880 --> 02:00:50,239 -if you get a correlation - +02:00:43,500 --> 02:00:48,500 +but normally if this was a real case if you get a correlation + 3293 -02:00:50,319 --> 02:00:54,399 -that is either something very similar +02:00:48,500 --> 02:00:53,500 +there is either something very similar that already happened before 3294 -02:00:52,319 --> 02:00:56,639 -that already happened before or is it +02:00:53,500 --> 02:00:58,0 +or is it something that simply might be a coincidence 3295 -02:00:54,399 --> 02:00:58,719 -something that simply +02:00:58,0 --> 02:01:01,500 +but it's still cause for investigation to check 3296 -02:00:56,639 --> 02:01:00,400 -might be a coincidence but it's still - -3297 -02:00:58,719 --> 02:01:02,239 -close for investigation - -3298 -02:01:00,399 --> 02:01:04,559 -to check is this something that might - -3299 -02:01:02,238 --> 02:01:07,439 -help me bootstrap my investigation +02:01:01,500 --> 02:01:06,500 +is this something that might help me bootstrap my investigation or is it just noise that is not relevant. 
3300 -02:01:04,560 --> 02:01:08,719 -or is it just noise that is not maybe a +02:01:06,500 --> 02:01:09,0 +Maybe a side note because we have often the questions 3301 -02:01:07,439 --> 02:01:09,279 -side note because we have often the +02:01:09,0 --> 02:01:15,500 +when you create such object in MISP, you see that can be cumbersome to create it manually 3302 -02:01:08,719 --> 02:01:12,560 -questions - -3303 -02:01:09,279 --> 02:01:14,319 -um when you create such object in - -3304 -02:01:12,560 --> 02:01:15,840 -you see that can be cumbersome to create - -3305 -02:01:14,319 --> 02:01:17,439 -it manually - -3306 -02:01:15,840 --> 02:01:20,79 -so don't forget that everything that we - -3307 -02:01:17,439 --> 02:01:22,479 -do right now can be done through the api +02:01:15,500 --> 02:01:19,500 +so don't forget that everything that we do right now can be done through the API 3308 -02:01:20,79 --> 02:01:23,519 -so you can use pymisp automatically do - -3309 -02:01:22,479 --> 02:01:26,319 -it and so on so +02:01:19,500 --> 02:01:23,0 +so you can use PyMISP, automatically do it and so on. 3310 -02:01:23,520 --> 02:01:27,840 -what we show there um i think if you - -3311 -02:01:26,319 --> 02:01:29,599 -think on the api level +02:01:23,0 --> 02:01:29,500 +So what we show there, if you think on the API level it can be done automatically 3312 -02:01:27,840 --> 02:01:31,119 -it can be done automatically so if you - -3313 -02:01:29,599 --> 02:01:33,119 -have two that are extracting emails - -3314 -02:01:31,118 --> 02:01:35,39 -automatically from the +02:01:27,840 --> 02:01:34,500 +so if you have tool that are extracting emails automatically from the PC mailbox, whatever 3315 -02:01:33,118 --> 02:01:36,559 -pc mailbox whatever you can - -3316 -02:01:35,39 --> 02:01:37,760 -automatically do it in mist +02:01:34,500 --> 02:01:36,500 +you can automatically do it in MISP. 
3317 -02:01:36,560 --> 02:01:39,679 -we just show the complete process - -3318 -02:01:37,760 --> 02:01:41,39 -manually but you can never mix things - -3319 -02:01:39,679 --> 02:01:42,399 -for some event +02:01:36,560 --> 02:01:40,500 +We just show the complete process manually but you can have a mix for some event 3320 -02:01:41,39 --> 02:01:44,158 -maybe some might be created - -3321 -02:01:42,399 --> 02:01:46,638 -automatically and then update it - -3322 -02:01:44,158 --> 02:01:47,839 -manually and so on +02:01:40,500 --> 02:01:45,500 +maybe some might be created automatically and then update it manually and so on. 3323 -02:01:46,639 --> 02:01:49,520 -something else that might be interesting - -3324 -02:01:47,840 --> 02:01:50,960 -here at this point is we've encoded this +02:01:45,500 --> 02:01:49,500 +Something else that might be interesting here at this point is we've encoded this object 3325 -02:01:49,520 --> 02:01:54,560 -object and we look at it - -3326 -02:01:50,960 --> 02:01:56,880 -and perhaps we we might want to - -3327 -02:01:54,560 --> 02:01:58,400 -to change the distribution settings +02:01:49,520 --> 02:01:57,0 +and we look at it and perhaps we might want to change the distribution settings 3328 -02:01:56,880 --> 02:01:59,279 -based on the different data points that - -3329 -02:01:58,399 --> 02:02:02,238 -we have in there +02:01:57,0 --> 02:01:59,500 +based on the different data points that we have in there 3330 -02:01:59,279 --> 02:02:04,79 -so most of these such as the malicious +02:01:59,279 --> 02:02:04,500 +so most of these such as the malicious host that email is sent from 3331 -02:02:02,238 --> 02:02:05,759 -host that email is sent from - -3332 -02:02:04,79 --> 02:02:07,279 -are technical information that we can - -3333 -02:02:05,760 --> 02:02:10,320 -share with the broader community +02:02:04,500 --> 02:02:05,759 +are technical information that we can share with the broader community 3334 -02:02:07,279 --> 02:02:12,399 -but perhaps the name 
of the +02:02:07,279 --> 02:02:12,500 +but perhaps the name of the school that our CEO's daughter attends 3335 -02:02:10,319 --> 02:02:13,599 -school that our ceo's daughter attends - -3336 -02:02:12,399 --> 02:02:15,118 -is something that we don't need to share - -3337 -02:02:13,599 --> 02:02:17,679 -with the entire community +02:02:12,500 --> 02:02:13,599 +is something that we don't need to share with the entire community 3338 02:02:15,118 --> 02:02:20,0 -7335.119 --> 7340 -so we could reduce the distribution of - -3339 -02:02:17,679 --> 02:02:21,760 -that individual attribute in this object +so we could reduce the distribution of that individual attribute in this object 3340 -02:02:20,0 --> 02:02:23,520 -7340 --> 7343.52 -so that we keep that for example only - -3341 -02:02:21,760 --> 02:02:24,639 -for our own organization and for our own - -3342 -02:02:23,520 --> 02:02:26,0 -7343.52 --> 7346 -internal records +02:02:20,0 --> 02:02:24,500 +so that we keep that, for example only for our own organization and for our own internal records. 3343 -02:02:24,639 --> 02:02:27,599 -so one of the things you can do in this - -3344 -02:02:26,0 --> 02:02:28,158 -7346 --> 7348.159 -case is you can edit that individual - -3345 -02:02:27,599 --> 02:02:32,960 -attribute +02:02:24,500 --> 02:02:28,500 +So one of the things you can do in this case is you can edit that individual attribute 3346 -02:02:28,158 --> 02:02:34,799 -so the from address in the object - -3347 -02:02:32,960 --> 02:02:36,399 -and you can set a distribution level to - -3348 -02:02:34,800 --> 02:02:38,560 -your organization only +02:02:28,158 --> 02:02:36,500 +so the from address in the object and you can set a distribution level to "Your organization only". 
3349 -02:02:36,399 --> 02:02:40,479 -in this case once we release the uh the - -3350 -02:02:38,560 --> 02:02:43,440 -event to a broader audience +02:02:36,500 --> 02:02:40,500 +In this case, once we release the event to a broader audience 3351 -02:02:40,479 --> 02:02:45,198 -it will keep this individual attribute +02:02:40,500 --> 02:02:44,0 +it will keep this individual attribute for an organization 3352 -02:02:43,439 --> 02:02:46,0 -7363.44 --> 7366 -for an organization and it will not - -3353 -02:02:45,198 --> 02:02:49,598 -share it out with +02:02:44,0 --> 02:02:48,500 +and it will not share it out with with other constituencies 3354 -02:02:46,0 --> 02:02:51,279 -7366 --> 7371.28 -uh with other constituencies okay +02:02:48,500 --> 02:02:51,500 +Okay, so some other stuff that happened at this point 3355 -02:02:49,599 --> 02:02:53,39 -so some other stuff that happened at - -3356 -02:02:51,279 --> 02:02:54,479 -this point we see that - -3357 -02:02:53,39 --> 02:02:55,679 -several of you are creating events so +02:02:51,500 --> 02:02:55,500 +we see that several of you are creating events so that's great. 3358 -02:02:54,479 --> 02:02:57,359 -that's great the correlation account - -3359 -02:02:55,679 --> 02:02:59,440 -really went up all of the sudden +02:02:55,500 --> 02:02:58,0 +The correlation count really went up all of the sudden so it's good to see. 
3360 -02:02:57,359 --> 02:03:00,479 -so it's good to see something else that +02:02:57,359 --> 02:03:04,0 +Something else that happened at this point is the event itself got correlated to other events as well 3361 -02:02:59,439 --> 02:03:03,439 -happened at this point - -3362 -02:03:00,479 --> 02:03:05,198 -is uh is the event itself got correlated - -3363 -02:03:03,439 --> 02:03:06,158 -to other events as well so if you scroll - -3364 -02:03:05,198 --> 02:03:07,598 -up all the way - -3365 -02:03:06,158 --> 02:03:09,519 -we see that the attributes that we've +02:03:04,0 --> 02:03:08,500 +So if you scroll up all the way, we see that the attributes that we've added 3366 -02:03:07,599 --> 02:03:11,360 -added are also showing us what other - -3367 -02:03:09,520 --> 02:03:12,159 -events we're correlating in so this is a +02:03:07,599 --> 02:03:10,0 +are also showing us what other events we're correlating in. 3368 -02:03:11,359 --> 02:03:13,598 -summary of +02:03:10,0 --> 02:03:15,500 +So this is a summary of all the individual attributes, correlations from the event 3369 -02:03:12,158 --> 02:03:15,359 -all the individual attributes +02:03:15,500 --> 02:03:18,500 +that means that if this object is correlating 3370 -02:03:13,599 --> 02:03:17,119 -correlations from the event - -3371 -02:03:15,359 --> 02:03:18,639 -that means that if you have if this - -3372 -02:03:17,118 --> 02:03:20,79 -object is correlating or - -3373 -02:03:18,639 --> 02:03:21,920 -these attributes within the object are - -3374 -02:03:20,79 --> 02:03:23,840 -correlating to it with a certain event +02:03:18,500 --> 02:03:22,500 +or these attributes within the object are correlating to it with a certain event 3375 -02:03:21,920 --> 02:03:25,359 -and certain other objects are - -3376 -02:03:23,840 --> 02:03:27,119 -correlating with other events +02:03:22,500 --> 02:03:25,500 +and certain other objects are correlating with other events 3377 -02:03:25,359 --> 02:03:29,359 -then this would be a full summary of 
all - -3378 -02:03:27,118 --> 02:03:31,920 -the events that you're correlating with +02:03:25,500 --> 02:03:29,500 +then this would be a full summary of all the events that you're correlating with. 3379 -02:03:29,359 --> 02:03:33,198 -you can also draw a graph out of that if +02:03:29,500 --> 02:03:31,500 +You can also draw a graph out of that. 3380 -02:03:31,920 --> 02:03:35,199 -you click on the correlation graph you - -3381 -02:03:33,198 --> 02:03:37,118 -will see how the events are interlinked +02:03:31,920 --> 02:03:34,500 +If you click on the correlation graph you will see how the events are interlinked 3382 -02:03:35,198 --> 02:03:38,719 -and you can further explore this by - -3383 -02:03:37,118 --> 02:03:41,519 -selecting any of the notes +02:03:35,198 --> 02:03:38,500 +and you can further explore this by selecting any of the nodes 3384 -02:03:38,719 --> 02:03:42,639 -and pressing x on that to further expand - -3385 -02:03:41,520 --> 02:03:46,159 -it with - -3386 -02:03:42,639 --> 02:03:46,159 -with it with its own correlations +02:03:38,500 --> 02:03:44,0 +and pressing x on that to further expand it with its own correlations. 3387 -02:03:46,960 --> 02:03:52,78 -okay let's go back to event +02:03:46,500 --> 02:03:50,500 +Okay. 
Let's go back to the event 3388 -02:03:52,238 --> 02:03:56,399 -yeah i don't think we have a lot of - -3389 -02:03:55,679 --> 02:03:58,399 -correlations - -3390 -02:03:56,399 --> 02:03:59,679 -there for the other events they're all - -3391 -02:03:58,399 --> 02:04:02,960 -the same +02:03:52,0 --> 02:03:57,0 +Yeah I don't think we have a lot of correlations there, for the other events they're all the same 3392 -02:03:59,679 --> 02:04:03,920 -uh okay now going back to a little - -3393 -02:04:02,960 --> 02:04:06,319 -example uh - -3394 -02:04:03,920 --> 02:04:07,440 -we have now created four attributes all +02:03:59,679 --> 02:04:06,500 +Okay now going back to our little example we have now created four attributes all together 3395 -02:04:06,319 --> 02:04:10,319 -together out of - -3396 -02:04:07,439 --> 02:04:11,759 -uh of the object template but we could +02:04:06,500 --> 02:04:11,0 +out of the object template but we could have done this differently as well 3397 -02:04:10,319 --> 02:04:12,880 -have done this differently as well what +02:04:11,0 --> 02:04:16,0 +what we could have done is we could also have created those attributes individually 3398 -02:04:11,760 --> 02:04:14,800 -we could have done - -3399 -02:04:12,880 --> 02:04:16,480 -is we could also have created those - -3400 -02:04:14,800 --> 02:04:17,39 -attributes individually and added those - -3401 -02:04:16,479 --> 02:04:20,319 -to the - -3402 -02:04:17,39 --> 02:04:21,920 -uh to the um event directly - -3403 -02:04:20,319 --> 02:04:24,319 -so one of the things that we can do now +02:04:16,0 --> 02:04:20,500 +and added those to the event directly. 
3404 -02:04:21,920 --> 02:04:25,920 -is we can go back to our report and +02:04:20,500 --> 02:04:22,500 +So one of the things that we can do now 3405 -02:04:24,319 --> 02:04:27,359 -tackle the next thing that is described +02:04:24,319 --> 02:04:26,500 +is we can go back to our report and tackle the next thing that is described there 3406 -02:04:25,920 --> 02:04:28,480 -there and let's do it slightly +02:04:25,920 --> 02:04:27,500 +and let's do it slightly differently. 3407 -02:04:27,359 --> 02:04:31,198 -differently - -3408 -02:04:28,479 --> 02:04:31,759 -so we also see that basically uh the - -3409 -02:04:31,198 --> 02:04:34,479 -person +02:04:27,359 --> 02:04:35,500 +So we also see that basically the person that is impersonated is also described 3410 -02:04:31,760 --> 02:04:36,840 -uh that this is impersonated is also +02:04:31,760 --> 02:04:43,500 +so that is basically, in this case John Doe the teacher of the student 3411 -02:04:34,479 --> 02:04:40,959 -described so that is basically - -3412 -02:04:36,840 --> 02:04:40,960 -um in this case - -3413 -02:04:41,118 --> 02:04:45,359 -john doe the teacher of the student so - -3414 -02:04:43,520 --> 02:04:47,40 -let's just create a personal object and - -3415 -02:04:45,359 --> 02:04:50,78 -describe that +02:04:43,500 --> 02:04:46,500 +So let's just create a person object and describe that. 3416 -02:04:47,39 --> 02:04:53,519 -so what we can do now is instead of - -3417 -02:04:50,78 --> 02:04:54,158 -directly describing it as an object we +02:04:46,500 --> 02:04:53,0 +So what we can do now is instead of directly describing it as an object, 3418 -02:04:53,520 --> 02:04:57,520 -can first - -3419 -02:04:54,158 --> 02:04:58,78 -add those different fields at least a - -3420 -02:04:57,520 --> 02:05:00,0 -7497.52 --> 7500 -name - +02:04:53,0 --> 02:04:59,500 +we can first add those different fields, at least a name as individual attributes. 
+ 3421 -02:04:58,78 --> 02:05:01,599 -as individual attributes so let's let's +02:04:59,500 --> 02:05:02,500 +So let's see how adding individual attributes work 3422 -02:05:00,0 --> 02:05:03,279 -7500 --> 7503.28 -see how adding individual attributes - -3423 -02:05:01,599 --> 02:05:05,39 -work so we click on the little plus icon - -3424 -02:05:03,279 --> 02:05:08,880 -above the attribute list +02:05:00,0 --> 02:05:04,500 +so we click on the little plus icon above the attribute list 3425 -02:05:05,39 --> 02:05:08,880 -and we simply select category person +02:05:04,500 --> 02:05:08,500 +and we simply select category "Person" 3426 -02:05:09,439 --> 02:05:13,598 -and from person we select first name - -3427 -02:05:11,439 --> 02:05:15,39 -first name is john +02:05:08,500 --> 02:05:13,500 +and from "Person" we select "first-name", "first-name" is John. 3428 -02:05:13,599 --> 02:05:17,39 -and here we can already define is this +02:05:13,500 --> 02:05:16,0 +and here we can already define, is this an indicator? 3429 -02:05:15,39 --> 02:05:19,198 -an indicator do we want to - -3430 -02:05:17,39 --> 02:05:21,599 -set the for intrusion detection system +02:05:15,39 --> 02:05:20,0 +Do we want to set it for intrusion detection system flag? 3431 -02:05:19,198 --> 02:05:22,879 -flag no definitely not this in itself is - -3432 -02:05:21,599 --> 02:05:24,880 -not an indicator +02:05:20,0 --> 02:05:23,0 +No, definitely not, this in itself is not an indicator 3433 -02:05:22,880 --> 02:05:26,719 -in fact we want to also disable - -3434 -02:05:24,880 --> 02:05:27,679 -correlation on this as this is a pretty - -3435 -02:05:26,719 --> 02:05:31,840 -common +02:05:23,0 --> 02:05:29,0 +In fact we want to also disable correlation on this as this is a pretty common name 3436 -02:05:27,679 --> 02:05:34,719 -uh name that is definitely not something +02:05:29,0 --> 02:05:33,0 +that is definitely not something to... 
3437 -02:05:31,840 --> 02:05:36,0 -7531.84 --> 7536 -to we don't need a comment for enough - -3438 -02:05:34,719 --> 02:05:38,800 -but now we're going to convert it into - -3439 -02:05:36,0 --> 02:05:41,439 -7536 --> 7541.44 -an object anyway +02:05:33,0 --> 02:05:37,500 +We don't need a comment for now, we're going to convert it into an object anyway 3440 -02:05:38,800 --> 02:05:42,880 -uh so what we can do is we can also - -3441 -02:05:41,439 --> 02:05:44,158 -disable correlation on this we don't - -3442 -02:05:42,880 --> 02:05:47,520 -want to correlate on john +02:05:40,0 --> 02:05:44,500 +So what we can do is we can also disable correlation on this we don't want to correlate on John. 3443 -02:05:44,158 --> 02:05:51,39 -okay okay doesn't matter +02:05:44,0 --> 02:05:48,500 +Okay, doesn't matter. 3444 -02:05:47,520 --> 02:05:53,360 -actually we can do it uh - -3445 -02:05:51,39 --> 02:05:55,279 -the same thing for the last name though - -3446 -02:05:53,359 --> 02:05:57,198 -and we can basically say that this is +02:05:48,500 --> 02:05:58,500 +We can do the same thing for the last name Doe and we can basically say that this is now "last-name". 
3447 -02:05:55,279 --> 02:05:58,960 -now +02:05:58,500 --> 02:05:06,500 +Now we've added these two things in there now the problem with this is 3448 -02:05:57,198 --> 02:06:00,399 -last name now we've added these two +02:05:06,500 --> 02:06:04,500 +if we just had attributes instead of objects is we don't really see that 3449 -02:05:58,960 --> 02:06:01,599 -things in there now the problem with - -3450 -02:06:00,399 --> 02:06:03,679 -this is if we just had - -3451 -02:06:01,599 --> 02:06:04,719 -attributes instead of objects is we - -3452 -02:06:03,679 --> 02:06:06,399 -don't really see that - -3453 -02:06:04,719 --> 02:06:08,78 -john and do in this case are the first - -3454 -02:06:06,399 --> 02:06:10,559 -name and last name belong together +02:06:04,500 --> 02:06:07,500 +"John" and "Doe" in this case are the first name and last name belong together. 3455 -02:06:08,78 --> 02:06:12,238 -so if i were to describe several people +02:06:07,500 --> 02:06:11,500 +So if I were to describe several people in the same event 3456 -02:06:10,560 --> 02:06:13,599 -in the same event you would have a list +02:06:11,500 --> 02:06:18,500 +you would have a list of first names and a list of last names with no connection between the two things 3457 -02:06:12,238 --> 02:06:17,118 -of first names and a list of - -3458 -02:06:13,599 --> 02:06:17,520 -last names with no connection between - -3459 -02:06:17,118 --> 02:06:20,399 -the - -3460 -02:06:17,520 --> 02:06:21,920 -two things so it's better to use objects - -3461 -02:06:20,399 --> 02:06:24,399 -in general whenever you're describing - -3462 -02:06:21,920 --> 02:06:26,158 -multiple aspects of the same thing +02:06:18,500 --> 02:06:24,500 +so it's better to use objects in general whenever you're describing multiple aspects of the same thing. 
3463 -02:06:24,399 --> 02:06:27,920 -obviously if you just have a list of +02:06:24,500 --> 02:06:27,500 +Obviously if you just have a list of file hashes that you got from a feed 3464 -02:06:26,158 --> 02:06:29,359 -file hashes that you got from a feed and +02:06:27,500 --> 02:06:30,500 +and you just encode those and you don't have any other information with them 3465 -02:06:27,920 --> 02:06:30,719 -you just encode those and you don't have +02:06:30,500 --> 02:06:33,500 +you might as well just create flat attributes out of them 3466 -02:06:29,359 --> 02:06:32,0 -7589.36 --> 7592 -any other information with them you - -3467 -02:06:30,719 --> 02:06:33,279 -might as well just create flat - -3468 -02:06:32,0 --> 02:06:34,479 -7592 --> 7594.48 -attributes out of them - -3469 -02:06:33,279 --> 02:06:36,880 -because there is nothing else to - -3470 -02:06:34,479 --> 02:06:38,399 -describe from your perspective +02:06:33,500 --> 02:06:36,500 +because there is nothing else to describe from your perspective. 
3471 -02:06:36,880 --> 02:06:39,679 -but even in that case it's arguable - -3472 -02:06:38,399 --> 02:06:40,799 -whether you don't want to start an - -3473 -02:06:39,679 --> 02:06:42,399 -object +02:06:36,880 --> 02:06:40,500 +But even in that case it's arguable whether you don't want to start with an object 3474 -02:06:40,800 --> 02:06:44,0 -7600.8 --> 7604 -from the get go but what we can do in - -3475 -02:06:42,399 --> 02:06:45,598 -this case if we did start with this way +02:06:40,500 --> 02:06:44,0 +from the get go but what we can do in this case if we did start with this way 3476 -02:06:44,0 --> 02:06:47,520 -7604 --> 7607.52 -or if you receive information in this - -3477 -02:06:45,599 --> 02:06:48,719 -format or your tools parse the data out - -3478 -02:06:47,520 --> 02:06:50,560 -in this format is +02:06:44,0 --> 02:06:48,500 +or if you receive information in this format or your tools parse the data out in this format is 3479 -02:06:48,719 --> 02:06:51,920 -you can select those two attributes by +02:06:48,500 --> 02:06:51,500 +you can select those two attributes by clicking the little check marks next 3480 -02:06:50,560 --> 02:06:52,960 -clicking the little check marks next - -3481 -02:06:51,920 --> 02:06:54,800 -there are little - -3482 -02:06:52,960 --> 02:06:56,560 -tick boxes next to them and then - -3483 -02:06:54,800 --> 02:06:58,79 -clicking on group selected attributes - -3484 -02:06:56,560 --> 02:06:59,920 -into an object +02:06:51,500 --> 02:06:57,500 +or little tick boxes next to them and then clicking on "Group selected Attributes into an Object" 3485 -02:06:58,78 --> 02:07:01,599 -and here miss will propose okay these +02:06:56,500 --> 02:07:01,500 +and here MISP will propose, okay these are the different object templates 3486 -02:06:59,920 --> 02:07:03,440 -are the different object templates that - -3487 -02:07:01,599 --> 02:07:04,719 -satisfy +02:07:01,500 --> 02:07:05,500 +that satisfy the list of attributes that you've selected, 3488 
-02:07:03,439 --> 02:07:06,960 -the list of attributes that you've - -3489 -02:07:04,719 --> 02:07:07,920 -selected there's a person object that we - -3490 -02:07:06,960 --> 02:07:11,118 -can use so let's - -3491 -02:07:07,920 --> 02:07:11,118 -just pick that one for now +02:07:05,500 --> 02:07:09,500 +there's a person object that we can use so let's just pick that one for now. 3492 -02:07:11,599 --> 02:07:15,199 -so here we see if we were to combine - -3493 -02:07:13,679 --> 02:07:16,800 -these two things they would be merged - -3494 -02:07:15,198 --> 02:07:19,198 -into an object +02:07:09,500 --> 02:07:16,500 +So here we see if we were to combine these two things they would be merged into an object 3495 -02:07:16,800 --> 02:07:20,560 -uh that is fine with us we see first - -3496 -02:07:19,198 --> 02:07:23,359 -name will become - -3497 -02:07:20,560 --> 02:07:24,480 -the the first name of the object last - -3498 -02:07:23,359 --> 02:07:27,839 -name the last name +02:07:16,500 --> 02:07:24,500 +that is fine with us we see first name will become the first name of the object,last name, the last name 3499 -02:07:24,479 --> 02:07:27,839 -so let's merge it +02:07:24,500 --> 02:07:25,500 +so let's merge it, 3500 -02:07:28,960 --> 02:07:34,239 -now we basically have a personality now +02:07:28,960 --> 02:07:35,0 +Now we basically have a person object, now we also know that this person that we're dealing with here 3501 -02:07:32,238 --> 02:07:36,718 -we also know that this person that we're - -3502 -02:07:34,238 --> 02:07:38,638 -dealing with here is impersonating uh +02:07:35,0 --> 02:07:38,0 +is impersonating the teacher of the CEO's daughter 3503 -02:07:36,719 --> 02:07:40,560 -the teacher of the ceo's or daughter so - -3504 -02:07:38,639 --> 02:07:42,400 -the same person impersonated person is a - -3505 -02:07:40,560 --> 02:07:44,480 -teacher of the of the ceo's author +02:07:38,0 --> 02:07:42,500 +so the impersonated person is a teacher of the CEO's daughter 3506 
-02:07:42,399 --> 02:07:45,679 -so we added the object and we also see - -3507 -02:07:44,479 --> 02:07:48,78 -that there is a um - -3508 -02:07:45,679 --> 02:07:50,239 -that we can add just another text field +02:07:42,500 --> 02:07:48,0 +so we added the object and we also see that we can add just another text field. 3509 -02:07:48,78 --> 02:07:53,439 -yeah just text field works +02:07:48,0 --> 02:07:51,500 +Yeah, just text field works, where we can describe it. 3510 -02:07:50,238 --> 02:07:54,879 -where we can describe it i just want to - -3511 -02:07:53,439 --> 02:07:57,598 -first disable the correlation because - -3512 -02:07:54,880 --> 02:07:57,599 -different means +02:07:51,500 --> 02:07:55,500 +i just want to first disable the correlation because different {inaudible} 3513 -02:08:06,840 --> 02:08:10,800 -okay +02:07:55,500 --> 02:07:56,500 +Okay yeah sure. 3514 -02:08:08,238 --> 02:08:12,319 -yeah that works and we just add a text - -3515 -02:08:10,800 --> 02:08:13,440 -description of the identity of the +02:08:08,238 --> 02:08:12,500 +Yeah that works and we just add a text, description of the identity of the person 3516 -02:08:12,319 --> 02:08:22,319 -person we can just say - -3517 -02:08:13,439 --> 02:08:26,0 -7693.44 --> 7706 -teacher of the ceo's daughter +02:08:12,500 --> 02:08:14,500 +we can just say teacher of the ceo's daughter. 3518 -02:08:22,319 --> 02:08:27,439 -okay now we're done we have now added - -3519 -02:08:26,0 --> 02:08:28,960 -7706 --> 7708.96 -the additional attribute and now now we +02:08:14,500 --> 02:08:27,0 +Okay, now we're done. 
We have now added the additional attribute 3520 -02:08:27,439 --> 02:08:31,118 -know what this object is actually about - -3521 -02:08:28,960 --> 02:08:32,880 -without having a description in there +02:08:27,0 --> 02:08:30,500 +and now we know what this object is actually about without having a description in there 3522 -02:08:31,118 --> 02:08:34,960 -but we still just have an email and a - -3523 -02:08:32,880 --> 02:08:36,239 -person described in here but we don't +02:08:30,500 --> 02:08:34,500 +but we still just have an email and a person described in here 3524 -02:08:34,960 --> 02:08:37,760 -know anything else we - -3525 -02:08:36,238 --> 02:08:39,279 -don't know that this email is proofing +02:08:34,500 --> 02:08:38,500 +but we don't know anything else, we don't know that this email is spoofing to be that person 3526 -02:08:37,760 --> 02:08:41,119 -to be that person so we should add a - -3527 -02:08:39,279 --> 02:08:43,118 -relationship between the two +02:08:38,500 --> 02:08:40,500 +so we should add a relationship between the two. 3528 -02:08:41,118 --> 02:08:44,639 -now for this we can switch over to the - -3529 -02:08:43,118 --> 02:08:46,719 -event graph view - -3530 -02:08:44,639 --> 02:08:48,400 -so that is a little bit further up this +02:08:40,500 --> 02:08:46,500 +Mow for this we can switch over to the event graph view so that is a little bit further up. 3531 -02:08:46,719 --> 02:08:50,239 -one allows us to create - -3532 -02:08:48,399 --> 02:08:52,0 -7728.4 --> 7732 -connected graphs out of our individual +02:08:46,719 --> 02:08:50,500 +This one allows us to create connected graphs out of our individual data points 3533 -02:08:50,238 --> 02:08:54,559 -data points so we see that we have - -3534 -02:08:52,0 --> 02:08:55,279 -7732 --> 7735.28 -two unreferenced objects so we explode - -3535 -02:08:54,560 --> 02:08:58,639 -that mode +02:08:50,500 --> 02:08:56,500 +so we see that we have two unreferenced objects, so we explode that node by pressing x. 
3536 -02:08:55,279 --> 02:09:00,719 -by pressing x and we can we can draw - -3537 -02:08:58,639 --> 02:09:02,639 -an edge between those two nodes by - -3538 -02:09:00,719 --> 02:09:04,319 -clicking edit and add reference - +02:08:56,500 --> 02:09:03,0 +and we can draw an edge between those two nodes by clicking edit and add reference + 3539 -02:09:02,639 --> 02:09:05,760 -and drawing a line between the two from - -3540 -02:09:04,319 --> 02:09:08,880 -the - -3541 -02:09:05,760 --> 02:09:08,880 -email to the person +02:09:03,0 --> 02:09:07,500 +and drawing a line between the two from the email to the person. 3542 -02:09:09,39 --> 02:09:12,880 -when you do that miss will propose a - -3543 -02:09:11,118 --> 02:09:15,39 -list of relationship - -3544 -02:09:12,880 --> 02:09:16,480 -types between these two two different - -3545 -02:09:15,39 --> 02:09:18,158 -nodes +02:09:07,500 --> 02:09:15,500 +When you do, that MISP will propose a list of relationship types between these two different nodes. 3546 -02:09:16,479 --> 02:09:19,439 -there is also a custom one there so if - -3547 -02:09:18,158 --> 02:09:21,198 -you don't want to select anything from +02:09:15,500 --> 02:09:20,500 +There is also a custom one there so if you don't want to select anything from the list that is fine too 3548 -02:09:19,439 --> 02:09:24,559 -the list that is fine too but for now - -3549 -02:09:21,198 --> 02:09:26,238 -we can just use the impersonates - -3550 -02:09:24,560 --> 02:09:28,79 -relationship which already exists in the - -3551 -02:09:26,238 --> 02:09:31,39 -default library +02:09:20,500 --> 02:09:26,500 +but for now we can just use the "impersonates" relationship which already exists in the default library. 3552 -02:09:28,78 --> 02:09:31,39 -just click on submit - -3553 -02:09:31,760 --> 02:09:34,880 -and now we have a relationship set +02:09:26,500 --> 02:09:33,500 +Just click on submit and now we have a relationship set between those two. 
3554 -02:09:33,198 --> 02:09:36,78 -between those two so we started telling - -3555 -02:09:34,880 --> 02:09:37,520 -our story by basically having a - -3556 -02:09:36,78 --> 02:09:40,399 -connected graph between the +02:09:33,500 --> 02:09:38,500 +So we started telling our story by basically having a connected graph between these two points. 3557 -02:09:37,520 --> 02:09:40,880 -these two points now let's further look - -3558 -02:09:40,399 --> 02:09:43,920 -at our - -3559 -02:09:40,880 --> 02:09:47,520 -original email and see what else we can - -3560 -02:09:43,920 --> 02:09:49,520 -get out of the text from there +02:09:37,520 --> 02:09:46,500 +Now let's further look at our original email and see what else we can get out of the text from there. 3561 -02:09:47,520 --> 02:09:51,199 -we also see that the malicious file was - -3562 -02:09:49,520 --> 02:09:54,0 -7789.52 --> 7794 -contained in the email as +02:09:47,520 --> 02:09:52,500 +We also see that the malicious file was contained in the email as well as an attachment 3563 -02:09:51,198 --> 02:09:55,519 -well as an attachment so let's upload an +02:09:52,500 --> 02:09:55,500 +So let's upload an attachment now to MISP. 3564 -02:09:54,0 --> 02:09:57,198 -7794 --> 7797.199 -attachment now to ms +02:09:54,0 --> 02:09:59,500 +I hope you have put in the text there or something because I forgot to {inaudible} it. 3565 -02:09:55,520 --> 02:09:58,880 -i hope you have put in the text there or - -3566 -02:09:57,198 --> 02:10:01,359 -something because i forgot to clearly +02:09:59,500 --> 02:10:02,500 +{inaudible} Perfect . 3567 -02:09:58,880 --> 02:10:01,359 -i've +02:10:02,500 --> 02:10:07,500 +So as an attachment and this is where things become a little bit tricky. 
3568 -02:10:02,880 --> 02:10:07,279 -so as an attachment and this is where - -3569 -02:10:05,439 --> 02:10:08,719 -things become a little bit tricky - -3570 -02:10:07,279 --> 02:10:10,158 -uh there's there's a quick question - -3571 -02:10:08,719 --> 02:10:11,920 -there on the chat i'll just quickly - -3572 -02:10:10,158 --> 02:10:14,78 -answer that then we can get back to this +02:10:07,500 --> 02:10:12,500 +There's a quick question there on the chat i'll just quickly answer that then we can get back to this. 3573 -02:10:11,920 --> 02:10:15,679 -where can i create a reference if you go +02:10:12,500 --> 02:10:13,500 +Where can I create reference? 3574 -02:10:14,78 --> 02:10:17,519 -above the attribute list there is an +02:10:13,500 --> 02:10:18,0 +If you go above the attribute list there is an event graph button if you click on that 3575 -02:10:15,679 --> 02:10:18,960 -event graph button if you click on that - -3576 -02:10:17,520 --> 02:10:20,719 -you get the event graph +02:10:18,0 --> 02:10:23,0 +you get the event graph and on the top left side you click on edit and then add reference 3577 -02:10:18,960 --> 02:10:22,800 -and on the top left side you click on - -3578 -02:10:20,719 --> 02:10:24,239 -edit and then add reference - -3579 -02:10:22,800 --> 02:10:26,639 -like i can show it again nowadays oh +02:10:23,0 --> 02:10:24,0 +Like I can show it again now. 3580 -02:10:24,238 --> 02:10:29,279 -yeah that's a bit better here +02:10:24,0 --> 02:10:26,500 +Yeah that's a bit better, yeah. 
3581 -02:10:26,639 --> 02:10:30,319 -so have this kind of gray bar there with - -3582 -02:10:29,279 --> 02:10:32,719 -even graph +02:10:26,500 --> 02:10:33,500 +So you have this kind of gray bar there with event graph so you can basically collapse or expand it 3583 -02:10:30,319 --> 02:10:33,679 -so you can basically collapse or expand - -3584 -02:10:32,719 --> 02:10:36,880 -it - -3585 -02:10:33,679 --> 02:10:37,359 -uh and then there you can select one of - -3586 -02:10:36,880 --> 02:10:40,480 -those - -3587 -02:10:37,359 --> 02:10:41,39 -reference objects you press x to expand - -3588 -02:10:40,479 --> 02:10:44,638 -all those +02:10:33,500 --> 02:10:39,500 +and then there you can select one of those reference objects you press x 3589 -02:10:41,39 --> 02:10:47,679 -reference objects then you can just - -3590 -02:10:44,639 --> 02:10:51,39 -select one object that you want +02:10:39,500 --> 02:10:49,500 +to expand all those reference objects then you can just select one object that you want to add 3591 -02:10:47,679 --> 02:10:53,39 -to add and then you can edit add the - -3592 -02:10:51,39 --> 02:10:54,78 -references and then you can add specific - -3593 -02:10:53,39 --> 02:10:55,599 -references +02:10:49,500 --> 02:10:53,500 +and then you can edit, add the references and then you can add specific references. 3594 -02:10:54,78 --> 02:10:56,960 -in case it doesn't make sense to make a - -3595 -02:10:55,599 --> 02:10:57,760 -second reference but that's basically - -3596 -02:10:56,960 --> 02:10:59,279 -how you do it +02:10:53,500 --> 02:10:57,500 +In this case it doesn't make sense to make a second reference but that's basically how you do it 3597 -02:10:57,760 --> 02:11:01,280 -then you select your relationship type - -3598 -02:10:59,279 --> 02:11:03,759 -and you can add your reference +02:10:57,500 --> 02:11:01,500 +then you select your relationship type and you can add your reference. 
3599 02:11:01,279 --> 02:11:04,479 -uh it's not the only way to do it - -3600 -02:11:03,760 --> 02:11:06,79 -there's a - -3601 -02:11:04,479 --> 02:11:07,198 -i would say current-based representation +It's not the only way to do it, there's a, I would say current-based representation 3602 -02:11:06,78 --> 02:11:09,118 -where you can do it because we can't - -3603 -02:11:07,198 --> 02:11:11,519 -even show it +02:11:06,78 --> 02:11:11,500 +where you can do it, we can even show it so you have to go 3604 -02:11:09,118 --> 02:11:13,39 -so you have to go it's it's much more - -3605 -02:11:11,520 --> 02:11:16,480 -difficult to understand what happens +02:11:11,500 --> 02:11:13,0 +It's much more difficult to understand what happens. 3606 -02:11:13,39 --> 02:11:18,238 -yeah so so there the referendum that you - -3607 -02:11:16,479 --> 02:11:20,959 -created through the even graph +02:11:13,0 --> 02:11:19,0 +Yeah, so so there the reference that you created through the event graph is represented here 3608 -02:11:18,238 --> 02:11:22,479 -is represented here so you see that this - -3609 -02:11:20,960 --> 02:11:24,399 -object - -3610 -02:11:22,479 --> 02:11:25,598 -has a reference so from email to - -3611 -02:11:24,399 --> 02:11:27,39 -impersonate +02:11:19,0 --> 02:11:25,500 +so you see that this object has a reference so from email to impersonate 3612 -02:11:25,599 --> 02:11:28,960 -and here's the opposite relationship +02:11:25,500 --> 02:11:29,0 +and here's the opposite relationship that even describes the "Referenced by" 3613 -02:11:27,39 --> 02:11:30,399 -that you can describe the reference buy +02:11:29,0 --> 02:11:31,0 +and you have the "Referenced by" on this object 3614 -02:11:28,960 --> 02:11:32,560 -and you have the reference buy - -3615 -02:11:30,399 --> 02:11:33,679 -on this object so another niche mention - -3616 -02:11:32,560 --> 02:11:37,840 -is i think - -3617 -02:11:33,679 --> 02:11:40,0 -7893.679 --> 7900 -less uh i would say 54 for +02:11:28,960 --> 
02:11:38,500 +so another just mention is I think less, I would say {inaudible} and so on 3618 -02:11:37,840 --> 02:11:41,199 -and so on but sometimes you just when +02:11:38,500 --> 02:11:40,0 +but sometimes you just when you are in the object 3619 -02:11:40,0 --> 02:11:43,39 -7900 --> 7903.04 -you are in the object you just want to - -3620 -02:11:41,198 --> 02:11:47,39 -see if you have any reference or - -3621 -02:11:43,39 --> 02:11:47,39 -a sign and you can quickly see that +02:11:40,0 --> 02:11:45,500 +you just want to see if you have any reference or a sign and you can quickly see that. 3622 -02:11:48,639 --> 02:11:54,880 -so let's add an attachment now - -3623 -02:11:53,39 --> 02:11:56,319 -and upload the sample that was uh - -3624 -02:11:54,880 --> 02:11:59,118 -included in the +02:11:48,500 --> 02:11:58,500 +So let's add an attachment now and upload the sample that was included in the original email. 3625 -02:11:56,319 --> 02:12:00,559 -original uh email so we just click on - -3626 -02:11:59,118 --> 02:12:01,839 -add attachment - -3627 -02:12:00,560 --> 02:12:04,880 -we select the file that you want to +02:11:58,500 --> 02:12:03,0 +Sso we just click on add attachment we select the file that you want to upload. 3628 -02:12:01,840 --> 02:12:05,599 -upload yeah so for the attachment uh in - -3629 -02:12:04,880 --> 02:12:07,279 -this you have +02:12:03,0 --> 02:12:06,500 + yeah so for the attachment in MISP you have really two models, 3630 -02:12:05,599 --> 02:12:08,400 -really two models you have the model +02:12:06,500 --> 02:12:08,0 +you have the model that an attachment is basically something 3631 -02:12:07,279 --> 02:12:09,679 -that an attachment is basically - -3632 -02:12:08,399 --> 02:12:12,479 -something completely - -3633 -02:12:09,679 --> 02:12:13,118 -uh being safe and you can basically - -3634 -02:12:12,479 --> 02:12:16,479 -share it +02:12:08,0 --> 02:12:15,500 +completely benign, safe and you can basically share it directly. 
3635 -02:12:13,118 --> 02:12:17,359 -uh directly so for example you have - -3636 -02:12:16,479 --> 02:12:20,399 -attachment like +02:12:13,118 --> 02:12:19,0 +So for example you have attachment like reports and stuff like that. 3637 -02:12:17,359 --> 02:12:21,920 -reports and stuff in our case um +02:12:19,0 --> 02:12:21,500 +In our case what we want to share here, 3638 -02:12:20,399 --> 02:12:23,598 -what we want to share here it's a - -3639 -02:12:21,920 --> 02:12:25,760 -malicious number um - -3640 -02:12:23,599 --> 02:12:27,199 -so and that's i will take i will take - -3641 -02:12:25,760 --> 02:12:30,560 -which one - -3642 -02:12:27,198 --> 02:12:30,559 -take a sample somewhere - -3643 -02:12:32,840 --> 02:12:36,560 -um +02:12:21,500 --> 02:12:30,500 +it's a malicious sample so and that's I will take a sample somewhere. 3644 -02:12:34,639 --> 02:12:38,78 -press on one what we are interesting - -3645 -02:12:36,560 --> 02:12:42,320 -there - -3646 -02:12:38,78 --> 02:12:44,158 -uh by the windows executables +02:12:34,0 --> 02:12:42,500 +Press on one {inaudible} interesting there {inaudible} windows executables 3647 -02:12:42,319 --> 02:12:45,599 -and then you have to select if the +02:12:42,500 --> 02:12:45,0 +and then you have to select if the sample is malicious 3648 -02:12:44,158 --> 02:12:46,799 -sample is malicious if you don't do +02:12:44,158 --> 02:12:48,0 +if you don't do anything, what it will be, it will be something 3649 -02:12:45,599 --> 02:12:48,239 -anything - -3650 -02:12:46,800 --> 02:12:50,880 -what it will be it will be something - -3651 -02:12:48,238 --> 02:12:51,519 -like same uh report a pdf report - -3652 -02:12:50,880 --> 02:12:54,78 -something that's - -3653 -02:12:51,520 --> 02:12:55,599 -like supporting you in contextualization +02:12:48,0 --> 02:12:54,0 +like saving report, a pdf report, something that's like supporting you in contextualization 3654 -02:12:54,78 --> 02:12:56,238 -could be a screenshot for example things - -3655 
-02:12:55,599 --> 02:12:58,400 -like that +02:12:54,0 --> 02:12:56,600 +could be a screenshot for example things like that. 3656 -02:12:56,238 --> 02:12:59,279 -but if you share a sample you have to +02:12:56,600 --> 02:13:00,500 +But if you share a sample you have to select "Is a malware sample" 3657 -02:12:58,399 --> 02:13:02,158 -select +02:13:00,500 --> 02:13:05,0 +because like that MISP will encrypt and hash a file 3658 -02:12:59,279 --> 02:13:03,920 -uh it's a sample because like that mist - -3659 -02:13:02,158 --> 02:13:05,679 -will encrypt - -3660 -02:13:03,920 --> 02:13:07,679 -and hash a file so that means you have a - -3661 -02:13:05,679 --> 02:13:08,719 -zip file encrypted with a default - -3662 -02:13:07,679 --> 02:13:11,679 -password +02:13:05,0 --> 02:13:09,500 +so that means you have a zip file encrypted with a default password "infected" 3663 -02:13:08,719 --> 02:13:12,560 -infected but i got to avoid classical +02:13:08,719 --> 02:13:13,500 +but I got to avoid classical mistake of clicking on a link 3664 -02:13:11,679 --> 02:13:15,359 -mistake of - -3665 -02:13:12,560 --> 02:13:17,360 -clicking on a link executing binaries on - -3666 -02:13:15,359 --> 02:13:18,799 -your analysis machines and so on and so +02:13:13,500 --> 02:13:17,0 +executing binaries on your analysis machines and so on. 
3667 -02:13:17,359 --> 02:13:20,639 -on you don't want to do that so - -3668 -02:13:18,800 --> 02:13:22,0 -7998.8 --> 8002 -if it's malicious always click malware - -3669 -02:13:20,639 --> 02:13:23,440 -samples +02:13:17,0 --> 02:13:21,500 +you don't want to do that, so if it's malicious always click malware samples 3670 -02:13:22,0 --> 02:13:25,599 -8002 --> 8005.599 -then you have one below which will - -3671 -02:13:23,439 --> 02:13:27,919 -advance the extraction - -3672 -02:13:25,599 --> 02:13:30,0 -8005.599 --> 8010 -uh mist can do a lot of things behind +02:13:21,500 --> 02:13:38,500 +then you have one below "Advanced extraction", MISP can do a lot of things behind the scene 3673 -02:13:27,920 --> 02:13:31,599 -the scene when you receive a file in - -3674 -02:13:30,0 --> 02:13:34,800 -8010 --> 8014.8 -this case it's a window - -3675 -02:13:31,599 --> 02:13:36,480 -of windows portable executable files so +02:13:38,500 --> 02:13:33,500 +when you receive a file, in this case it's a window portable executable files 3676 -02:13:34,800 --> 02:13:37,920 -we have particular advanced extraction +02:13:33,500 --> 02:13:37,500 +so we have particular advanced extraction for those files 3677 -02:13:36,479 --> 02:13:40,158 -for those files and we can - -3678 -02:13:37,920 --> 02:13:41,199 -expand completely the files including +02:13:37,500 --> 02:13:43,500 +and we can expand completely the files including resources, code segment, and stuff like that. 3679 -02:13:40,158 --> 02:13:44,799 -resources - -3680 -02:13:41,198 --> 02:13:48,0 -8021.199 --> 8028 -code segment and stuff again - -3681 -02:13:44,800 --> 02:13:48,0 -8024.8 --> 8028 -so i will upload the files - +02:13:44,0 --> 02:13:45,500 +So I will upload the files. + 3682 -02:13:53,359 --> 02:13:57,439 -okay in this case this one was just like - -3683 -02:13:55,39 --> 02:14:00,78 -a very simple one +02:13:53,0 --> 02:13:57,0 +Okay in this case this one was just like a very simple one. 
3684 -02:13:57,439 --> 02:14:01,279 -so in this case what do we have we have +02:13:57,0 --> 02:14:00,500 +So in this case, what do we have? We have an object 3685 -02:14:00,78 --> 02:14:04,319 -an object +02:14:00,500 --> 02:14:05,500 +with the file name, the size-in-bytes and then the hash file, 3686 -02:14:01,279 --> 02:14:06,559 -with the file names the size invite and - -3687 -02:14:04,319 --> 02:14:08,158 -then the hash file so automatically miss - -3688 -02:14:06,560 --> 02:14:08,880 -will do the hashing of the different - -3689 -02:14:08,158 --> 02:14:11,519 -files +02:14:01,279 --> 02:14:08,500 +so automatically MISP will do the hashing of the different files 3690 -02:14:08,880 --> 02:14:12,0 -8048.88 --> 8052 -the sample itself is attached so you can +02:14:08,500 --> 02:14:12,0 +the sample itself is attached so you can basically use it 3691 -02:14:11,520 --> 02:14:14,880 -basically - -3692 -02:14:12,0 --> 02:14:16,880 -8052 --> 8056.88 -use it and some additional ones like ssd - -3693 -02:14:14,880 --> 02:14:18,880 -for example my type are automatically - -3694 -02:14:16,880 --> 02:14:20,480 -extracted +02:14:12,0 --> 02:14:14,880 +and some additional ones like ssdeep for example, mimetype are automatically extracted 3695 -02:14:18,880 --> 02:14:22,239 -just maybe for the sake of it i will +02:14:18,880 --> 02:14:22,0 +just maybe for the sake of it I will just take maybe another binary 3696 -02:14:20,479 --> 02:14:25,359 -just take maybe another +02:14:22,0 --> 02:14:27,500 +just for showing you what could happen with other binaries. 
3697 -02:14:22,238 --> 02:14:25,839 -binary just for showing you what could - -3698 -02:14:25,359 --> 02:14:28,479 -happen - -3699 -02:14:25,840 --> 02:14:30,0 -8065.84 --> 8070 -with other binaries maybe that's for - -3700 -02:14:28,479 --> 02:14:32,559 -later for different events so +02:14:27,500 --> 02:14:32,500 +Maybe that's for later for different events so we don't have the objects in this one 3701 -02:14:30,0 --> 02:14:33,439 -8070 --> 8073.44 -okay the objectives because it's easier - -3702 -02:14:32,560 --> 02:14:35,360 -to see for the +02:14:32,500 --> 02:14:34,500 +because it's easier to see for the graph 3703 -02:14:33,439 --> 02:14:37,359 -photograph that's fine too you can show +02:14:34,500 --> 02:14:35,0 +That's fine too. 3704 -02:14:35,359 --> 02:14:39,39 -it afterwards yeah +02:14:35,0 --> 02:14:37,0 +You can show it afterwards 3705 -02:14:37,359 --> 02:14:41,39 -okay so now we have this again this kind - -3706 -02:14:39,39 --> 02:14:42,719 -of object attached and there's a +02:14:37,0 --> 02:14:41,0 +Yeah, okay so now we have this again this kind of object attached 3707 -02:14:41,39 --> 02:14:46,238 -relationship to create objections +02:14:41,0 --> 02:14:43,0 +and there's a relationship to create obviously. 3708 -02:14:42,719 --> 02:14:48,0 -8082.719 --> 8088 -indeed so so in this case the - -3709 -02:14:46,238 --> 02:14:50,158 -relationship is to the email itself so - -3710 -02:14:48,0 --> 02:14:52,319 -8088 --> 8092.32 -we know that the email contained +02:14:43,0 --> 02:14:48,0 +Indeed. 
So in this case the relationship is to the email itself so we know that the email contained 3711 -02:14:50,158 --> 02:14:53,920 -this file so what we can do is we can - -3712 -02:14:52,319 --> 02:14:54,479 -just create relationship between the - -3713 -02:14:53,920 --> 02:14:56,158 -email +02:14:48,0 --> 02:14:55,500 +this file so what we can do is we can just create relationship between the email and the file 3714 -02:14:54,479 --> 02:14:58,718 -and the file and see that email contain - -3715 -02:14:56,158 --> 02:14:58,719 -that file +02:14:54,479 --> 02:14:57,500 +and see that email contain that file 3716 -02:15:00,719 --> 02:15:04,800 -do you see it it's again the same model +02:15:00,500 --> 02:15:03,500 +So you see, it it's again the same model. 3717 -02:15:02,639 --> 02:15:04,800 -so - -3718 -02:15:06,880 --> 02:15:09,840 +02:15:06,500 --> 02:15:08,500 contains 3719 -02:15:15,439 --> 02:15:19,839 -there we go so now what we can do is if +02:15:15,0 --> 02:15:16,500 +There we go. 3720 -02:15:18,319 --> 02:15:21,39 -you look further in the email we see +02:15:16,500 --> 02:15:19,500 +So now what we can do is if you look further in the email 3721 -02:15:19,840 --> 02:15:22,480 -that there is a bunch of other stuff +02:15:19,500 --> 02:15:21,0 +we see that there is a bunch of other stuff still described 3722 -02:15:21,39 --> 02:15:23,198 -still described so what we can do is we +02:15:21,0 --> 02:15:25,500 +so what we can do is we can just, now for exercise sake, just take 3723 -02:15:22,479 --> 02:15:27,598 -can just +02:15:25,500 --> 02:15:31,0 +at least the next few lines or the next paragraph 3724 -02:15:23,198 --> 02:15:30,238 -now for exercise sake just take um - -3725 -02:15:27,599 --> 02:15:30,880 -at least a next few lines or the next - -3726 -02:15:30,238 --> 02:15:33,198 -paragraph - -3727 -02:15:30,880 --> 02:15:35,118 -and drop the entire paragraph into - -3728 -02:15:33,198 --> 02:15:37,118 -something called the free text importer +02:15:31,0 --> 
02:15:35,500 +and drop the entire paragraph into something called the free text importer. 3729 -02:15:35,118 --> 02:15:38,319 -what this will do is it will try to +02:15:35,500 --> 02:15:39,500 +What this will do is it will try to parse this text blob 3730 -02:15:37,118 --> 02:15:40,238 -parse this uh - -3731 -02:15:38,319 --> 02:15:41,679 -this text blob and it will try to - -3732 -02:15:40,238 --> 02:15:43,678 -extract anything that looks like an +02:15:39,500 --> 02:15:43,0 +and it will try to extract anything that looks like an indicator out of that 3733 -02:15:41,679 --> 02:15:44,319 -indicator out of that so this is another - -3734 -02:15:43,679 --> 02:15:46,78 -method of - -3735 -02:15:44,319 --> 02:15:49,39 -of basically entering attribute - -3736 -02:15:46,78 --> 02:15:51,679 -synthesis so free text import +02:15:43,0 --> 02:15:47,500 +So this is another method of basically entering attribute into MISP. 3737 -02:15:49,39 --> 02:15:54,319 -we just paste it in there and we just - -3738 -02:15:51,679 --> 02:15:54,319 -hit submit +02:15:47,500 --> 02:15:52,500 +So "Freetext Import", we just paste it in there and we just hit "Submit". 3739 -02:15:54,399 --> 02:15:57,679 -so this will tell us in this case it - -3740 -02:15:55,760 --> 02:15:59,280 -didn't extract everything actually so we +02:15:54,000 --> 02:15:57,500 +So MISP will tell us in this case it didn't extract everything actually, 3741 -02:15:57,679 --> 02:16:00,158 -need to still go back to it and refined +02:15:57,679 --> 02:16:00,500 +so we need to still go back to it and refined a bit more 3742 -02:15:59,279 --> 02:16:01,920 -a bit more - -3743 -02:16:00,158 --> 02:16:03,118 -but it extracted some of those things - -3744 -02:16:01,920 --> 02:16:05,39 -that were in there already so that's +02:16:00,500 --> 02:16:02,500 +but it extracted some of those things that were in there already. 
3745 -02:16:03,118 --> 02:16:07,598 -fine we can just already add those - -3746 -02:16:05,39 --> 02:16:07,599 -to the event +02:16:03,118 --> 02:16:05,500 +So that's fine, we can just already add those to the event 3747 -02:16:08,238 --> 02:16:12,479 -so how does it work in in behind the +02:16:08,0 --> 02:16:13,500 +so how does it work behind the scenes is we have a bunch of regex in MISP 3748 -02:16:10,238 --> 02:16:13,519 -scenes uh we have a bunch of regex - -3749 -02:16:12,479 --> 02:16:15,198 -images - -3750 -02:16:13,520 --> 02:16:17,199 -automatically extracting information - -3751 -02:16:15,198 --> 02:16:18,719 -from from natural text +02:16:13,500 --> 02:16:18,0 +automatically extracting information from natural text, it's one way to do it. 3752 -02:16:17,198 --> 02:16:20,559 -it's one way to do it there's another - -3753 -02:16:18,719 --> 02:16:21,760 -tool for doing it which is part of the - -3754 -02:16:20,560 --> 02:16:24,639 -even report +02:16:18,0 --> 02:16:21,500 +There's another tool for doing it which is part of the event report 3755 -02:16:21,760 --> 02:16:26,159 -um but it's usually it's a quick way to +02:16:21,500 --> 02:16:26,500 +but it's usually a quick way to automatically extract information 3756 -02:16:24,639 --> 02:16:28,880 -automatically extract information and to - -3757 -02:16:26,158 --> 02:16:31,198 -see if it's already known for example +02:16:26,500 --> 02:16:27,500 +and to see if it's already known for example. 
3758 -02:16:28,880 --> 02:16:32,318 -so what we see here already is that evil +02:16:28,500 --> 02:16:34,500 +So what we see here already is that evil provider was basically, 3759 -02:16:31,198 --> 02:16:35,119 -provider +02:16:31,198 --> 02:16:40,500 +according to the email text, the place that was used to download the secondary payload from 3760 -02:16:32,318 --> 02:16:36,79 -was basically according to the email - -3761 -02:16:35,120 --> 02:16:38,800 -text - -3762 -02:16:36,79 --> 02:16:40,959 -and the place that was uh used to - -3763 -02:16:38,799 --> 02:16:43,920 -download the secondary payload from - -3764 -02:16:40,959 --> 02:16:44,558 -so we can take evil provider and we also - -3765 -02:16:43,920 --> 02:16:46,719 -know that +02:16:40,500 --> 02:16:46,0 +so we can take evil provider and we also know that we got an IPv6 address to it. 3766 -02:16:44,558 --> 02:16:47,920 -we got an ipv6 address to it so we're - -3767 -02:16:46,718 --> 02:16:51,39 -going to add that to it as well and - -3768 -02:16:47,920 --> 02:16:52,879 -convert this into an object again +02:16:44,558 --> 02:16:49,500 +So we're going to add that to it as well and convert this into an object again. 3769 -02:16:51,40 --> 02:16:54,880 -so we're going to to just select that +02:16:51,0 --> 02:16:54,500 +So we're going to to just select that one convert to object 3770 -02:16:52,879 --> 02:16:55,438 -one convert to object and the object - -3771 -02:16:54,879 --> 02:16:58,159 -that we're - -3772 -02:16:55,439 --> 02:17:01,599 -going to convert it to is going to be a - -3773 -02:16:58,159 --> 02:17:04,799 -url object +02:16:54,500 --> 02:17:00,0 +and the object that we're going to convert it to is going to be a "URL" object. 3774 -02:17:01,599 --> 02:17:07,120 -yep all the way down there perfect +02:17:01,599 --> 02:17:04,500 +Yep. all the way down there. Perfect. 
3775 -02:17:04,799 --> 02:17:08,558 -let's just do the conversion and then we +02:17:04,799 --> 02:17:08,0 +Let's just do the conversion and then we edit the object afterwards 3776 -02:17:07,120 --> 02:17:09,920 -edit the object afterwards and we add - -3777 -02:17:08,558 --> 02:17:12,318 -the additional information that we have - -3778 -02:17:09,920 --> 02:17:12,318 -about it +02:17:08,0 --> 02:17:10,500 +and we add the additional information that we have about it. 3779 -02:17:12,638 --> 02:17:18,318 -so we have an ipv6 that we can that it +02:17:11,500 --> 02:17:25,500 +So we have an IPv6 that it resolves to. We also have a port. 3780 -02:17:15,840 --> 02:17:18,318 -resolves to - -3781 -02:17:24,239 --> 02:17:29,840 -we also have a port so once we're done - -3782 -02:17:26,959 --> 02:17:29,839 -with that - -3783 -02:17:31,280 --> 02:17:34,639 -happy destination perfect +02:17:25,500 --> 02:17:32,500 +So once we're done with that IP destination, perfect. 3784 -02:17:36,159 --> 02:17:43,840 -we can also add the port it was - -3785 -02:17:38,799 --> 02:17:43,840 -communicating on port 443 +02:17:32,500 --> 02:17:41,500 +We can also add the port. It was communicating on port 443. 3786 -02:17:46,558 --> 02:17:50,239 -and again everything i'm currently doing - -3787 -02:17:48,799 --> 02:17:53,920 -there can be done through +02:17:41,500 --> 02:17:51,500 +and again everything i'm currently doing there can be done through the API obviously. 3788 -02:17:50,239 --> 02:17:57,840 -api obviously yeah and and finally we - -3789 -02:17:53,920 --> 02:17:57,840 -also have a domain evilprovider.com +02:17:51,500 --> 02:17:56,500 +Yeah and and finally we also have a domain evilprovider.com 3790 -02:18:02,638 --> 02:18:08,79 -now let's deal with with referencing the - -3791 -02:18:05,840 --> 02:18:09,40 -this to the other objects later on we +02:18:03,0 --> 02:18:07,500 +now let's deal with referencing this to the other objects later on. 
3792 -02:18:08,79 --> 02:18:11,280 -can still - -3793 -02:18:09,40 --> 02:18:12,960 -still add the additional information - -3794 -02:18:11,280 --> 02:18:15,439 -that we have in there and then we do the +02:18:07,500 --> 02:18:12,500 +We can still still add the additional information that we have in there 3795 -02:18:12,959 --> 02:18:17,358 -linking afterwards again we we have the +02:18:12,500 --> 02:18:14,500 +and then we do the linking afterwards. 3796 -02:18:15,439 --> 02:18:20,159 -same problem here on this one because +02:18:14,500 --> 02:18:16,500 +Again, we have the same problem here on this 3797 -02:18:17,359 --> 02:18:21,760 -you see that the command has a the part - -3798 -02:18:20,159 --> 02:18:23,679 -it has a command so that means we can +02:18:16,500 --> 02:18:20,500 +because for example you see that the comment has the port 3799 -02:18:21,760 --> 02:18:25,359 -just convert it as an object again +02:18:20,500 --> 02:18:24,0 +so that means we can just convert it as an object again. 3800 -02:18:23,679 --> 02:18:27,679 -yeah and the ip belongs to that one as +02:18:24,0 --> 02:18:26,500 +Yeah and the IP belongs to that one as well by the way 3801 -02:18:25,359 --> 02:18:30,719 -well by the way okay great +02:18:26,500 --> 02:18:28,500 +Okay great, it's even better. 3802 -02:18:27,679 --> 02:18:31,679 -it's even better yeah exactly just my +02:18:28,500 --> 02:18:30,500 +Yeah exactly. 3803 -02:18:30,718 --> 02:18:39,839 -screen that is a bit - -3804 -02:18:31,679 --> 02:18:39,840 -smaller okay +02:18:30,500 --> 02:18:33,500 +Just my screen that is a bit small. Okay. 3805 -02:18:40,318 --> 02:18:43,920 -so in this case it's again a url +02:18:40,0 --> 02:18:42,500 +So in this case, it's again a url. 3806 -02:18:49,359 --> 02:18:54,719 -and the things that we have this time - -3807 -02:18:52,718 --> 02:18:56,239 -the port is actually a high port so +02:18:48,0 --> 02:18:54,500 +And the things that we have this time the port is actually a high port. 
3808 -02:18:54,718 --> 02:18:58,79 -while in the other one we do not - -3809 -02:18:56,239 --> 02:18:59,519 -correlate on on the port because port - -3810 -02:18:58,79 --> 02:19:01,359 -443 is common +02:18:54,500 --> 02:18:59,500 +So while in the other one we do not correlate on on the port because port 443 is common 3811 -02:18:59,519 --> 02:19:03,40 -this is one of those ports that we might - -3812 -02:19:01,359 --> 02:19:04,639 -want to correlate on already +02:18:59,500 --> 02:19:03,500 +this is one of those ports that we might want to correlate on already. 3813 -02:19:03,40 --> 02:19:07,840 -so we want we don't want to disable - -3814 -02:19:04,638 --> 02:19:07,839 -correlation for this one +02:19:03,500 --> 02:19:06,500 +So we don't want to disable correlation for this one. 3815 -02:19:09,840 --> 02:19:13,120 -once for the other one we we should - -3816 -02:19:11,679 --> 02:19:15,439 -disable the correlation for the other - -3817 -02:19:13,120 --> 02:19:15,439 -part - -3818 -02:19:18,840 --> 02:19:25,280 -443 +02:19:09,840 --> 02:19:15,500 +Where as for the other one we we should disable the correlation for the other port 443. 3819 -02:19:21,280 --> 02:19:27,280 -okay now the other thing that we have at - -3820 -02:19:25,280 --> 02:19:28,719 -this point is we have a secondary sample +02:19:21,0 --> 02:19:26,500 +Okay. Now the other thing that we have at this point is we have a secondary sample 3821 -02:19:27,280 --> 02:19:30,719 -so if you can you have a second one that +02:19:26,500 --> 02:19:30,0 +so if you have a second one that you can upload now. 3822 -02:19:28,718 --> 02:19:34,959 -you can upload yeah i just just add the - -3823 -02:19:30,718 --> 02:19:39,279 -domain so i get it +02:19:30,0 --> 02:19:36,500 +Yeah I just just add the domain so I get {inaudible}. Okay. 
3824 -02:19:34,959 --> 02:19:41,358 -okay so what do you want +02:19:36,500 --> 02:19:39,500 +so what do you want {inaudible} 3825 -02:19:39,280 --> 02:19:42,479 -so we still have another file to update - -3826 -02:19:41,359 --> 02:19:45,359 -and we have a cv - -3827 -02:19:42,478 --> 02:19:48,318 -that was also mentioned in the okay cv +02:19:39,500 --> 02:19:44,500 +So we still have another file to update and we have a CVE that was also mentioned in the email. 3828 -02:19:45,359 --> 02:19:50,559 -it's an interesting one um - -3829 -02:19:48,318 --> 02:19:51,519 -we have we have single attributes for cd +02:19:44,500 --> 02:19:51,0 +Okay. CVE is an interesting one, we have single attributes for CVE 3830 -02:19:50,559 --> 02:19:53,119 -but +02:19:51,0 --> 02:19:53,500 +but sometimes you want to have some more information 3831 -02:19:51,520 --> 02:19:55,680 -sometimes you want to have some more +02:19:53,500 --> 02:19:57,500 +so what you could do there is to create a simple attribute 3832 -02:19:53,120 --> 02:19:56,160 -information so what you could do there - -3833 -02:19:55,680 --> 02:19:58,960 -is - -3834 -02:19:56,159 --> 02:20:02,719 -to create a simple attribute um so the - -3835 -02:19:58,959 --> 02:20:05,438 -cv is much better delivery in this case +02:19:57,500 --> 02:20:01,500 +so the CVE is "Payload delivery" in this case. 3836 -02:20:02,719 --> 02:20:08,79 -we have type which is vulnerability and - -3837 -02:20:05,439 --> 02:20:11,200 -usually a venerability is defined by cv +02:20:02,719 --> 02:20:07,500 +We have "Type" which is "Vulnerability" and usually a "Vulnerability" is defined by CVE 3838 -02:20:08,79 --> 02:20:12,719 -you can you can use other value but - -3839 -02:20:11,200 --> 02:20:14,880 -the best practice is the obviously to - -3840 -02:20:12,719 --> 02:20:17,119 -use cd +02:20:07,500 --> 02:20:13,500 +you can use other value but the best practice is the obviously to use CVE. 
3841 -02:20:14,879 --> 02:20:19,39 -it's very old cv those kind of attackers - -3842 -02:20:17,120 --> 02:20:21,120 -are always reusing those kind of old +02:20:13,500 --> 02:20:19,500 +It's a very old CVE, those kind of attackers are always reusing those kind of old things 3843 -02:20:19,40 --> 02:20:22,640 -things but you know it works you know - -3844 -02:20:21,120 --> 02:20:25,439 -never people never patch i - -3845 -02:20:22,639 --> 02:20:26,799 -know this one is interesting because you +02:20:19,500 --> 02:20:23,500 +but you know, it works. You know people never patch their Windows. 3846 -02:20:25,439 --> 02:20:29,439 -know it was exploited +02:20:23,500 --> 02:20:26,0 +This one is interesting because you know it was exploited 3847 -02:20:26,799 --> 02:20:31,199 -so i would add the ideas flag because it - -3848 -02:20:29,439 --> 02:20:32,159 -may be interesting to look into your - -3849 -02:20:31,200 --> 02:20:35,40 -system for - -3850 -02:20:32,159 --> 02:20:36,398 -additional ones so in this case what do +02:20:26,0 --> 02:20:33,500 +so I would add the IDS flag because it may be interesting to look into your system for additional ones. 3851 -02:20:35,40 --> 02:20:39,439 -we have we have again +02:20:33,500 --> 02:20:35,0 +So in this case, what do we have? 3852 -02:20:36,398 --> 02:20:41,358 -a single attribute which is not the nice +02:20:35,0 --> 02:20:41,500 +We have again, a single attribute, which is not the nice thing that you want to have 3853 -02:20:39,439 --> 02:20:43,520 -thing that you want to have is basically - -3854 -02:20:41,359 --> 02:20:44,318 -you want to have as much context as you - -3855 -02:20:43,520 --> 02:20:47,600 -want - -3856 -02:20:44,318 --> 02:20:48,0 -8444.319 --> 8448 -for such kind of investigation luckily +02:20:41,500 --> 02:20:45,500 +is basically you want to have as much context as you want for those kind of investigation. 
3857 -02:20:47,600 --> 02:20:51,40 -on - -3858 -02:20:48,0 --> 02:20:53,359 -8448 --> 8453.359 -this instance we have one of those - -3859 -02:20:51,40 --> 02:20:58,479 -expansion modules +02:20:45,500 --> 02:20:52,500 +Luckily on this instance, we have one of those expansion modules 3860 -02:20:53,359 --> 02:21:00,559 -and why the cv advantage is okay +02:20:52,500 --> 02:20:56,500 +and why the "CVE Advanced" is empty, that is quite interesting. 3861 -02:20:58,478 --> 02:21:02,79 -great so and then you have some +02:20:56,500 --> 02:21:01,500 +Ok, great. So and then you have some additional information 3862 -02:21:00,559 --> 02:21:03,840 -additional information in this case we - -3863 -02:21:02,79 --> 02:21:06,959 -have some some description - -3864 -02:21:03,840 --> 02:21:07,920 -um so what i can do in this in this one - -3865 -02:21:06,959 --> 02:21:11,358 -is +02:21:01,500 --> 02:21:07,500 +in this case we have some description, so what I can do in this in this one is 3866 -02:21:07,920 --> 02:21:14,639 -so you see that we have either the +02:21:07,500 --> 02:21:13,0 +so you see that we have either the overlay thing 3867 -02:21:11,359 --> 02:21:16,318 -overlay uh thing so in these modules uh - -3868 -02:21:14,639 --> 02:21:16,959 -someone was asking about extension of - -3869 -02:21:16,318 --> 02:21:18,719 -this +02:21:13,0 --> 02:21:17,0 +so in MISP modules, someone was asking about extension of MISP. 3870 -02:21:16,959 --> 02:21:19,759 -is one way you have this overlay things - -3871 -02:21:18,719 --> 02:21:20,639 -where you can basically just do - -3872 -02:21:19,760 --> 02:21:23,680 -expansions +02:21:17,0 --> 02:21:20,500 +This is one way. 
You have this overlay things where you can basically just do expansions 3873 -02:21:20,639 --> 02:21:25,119 -and see okay contextual information but +02:21:20,500 --> 02:21:23,500 +and see okay contextual information 3874 -02:21:23,680 --> 02:21:26,960 -sometimes you just want to be - -3875 -02:21:25,120 --> 02:21:29,190 -to have a bit more than just contextual +02:21:23,500 --> 02:21:27,500 +but sometimes you just want to have a bit more than just contextual information. 3876 -02:21:26,959 --> 02:21:31,199 -information uh you want to have - -3877 -02:21:29,190 --> 02:21:33,920 -[Music] +02:21:27,500 --> 02:21:33,500 +You want to have the associated object there 3878 -02:21:31,200 --> 02:21:36,240 -the uh associated object then so there - -3879 -02:21:33,920 --> 02:21:38,159 -you have this this kind of - -3880 -02:21:36,239 --> 02:21:40,879 -kind of explosion there and you can add +02:21:31,200 --> 02:21:39,500 +so there you have this kind of explosion there and you can add the enrichment 3881 -02:21:38,159 --> 02:21:42,79 -the enrichment i'll give a try on that - -3882 -02:21:40,879 --> 02:21:44,79 -one +02:21:39,500 --> 02:21:41,500 +I'll give a try on that one 3883 -02:21:42,79 --> 02:21:45,920 -okay great so there's something wrong on +02:21:41,500 --> 02:21:45,500 +Okay great. So there's something wrong on this machine 3884 -02:21:44,79 --> 02:21:48,478 -this machine that's great - -3885 -02:21:45,920 --> 02:21:49,840 -i'll take the other one but this this - -3886 -02:21:48,478 --> 02:21:53,199 -it's not an object for that +02:21:45,500 --> 02:21:51,500 +That's great. I'll take the other one but this is not an object but that's fine we can just like... 
3887 -02:21:49,840 --> 02:21:55,120 -that's fine we can just like yeah can - -3888 -02:21:53,200 --> 02:21:56,399 -summon the attribute in this case - -3889 -02:21:55,120 --> 02:21:58,560 -so we have basically the description +02:21:51,500 --> 02:21:57,0 +Yeah, we got some attribute in this case so we have basically the description 3890 -02:21:56,398 --> 02:22:01,599 -then coming from the enrichment - -3891 -02:21:58,559 --> 02:22:04,239 -and what we can do is to uh - -3892 -02:22:01,600 --> 02:22:05,520 -then make an object called vulnerability - -3893 -02:22:04,239 --> 02:22:07,920 -then +02:21:57,0 --> 02:22:04,500 +that coming from the enrichment and what we can do is to then make an object called "Vulnerability" 3894 -02:22:05,520 --> 02:22:09,359 -id credit in this case is the - -3895 -02:22:07,920 --> 02:22:12,398 -descriptions +02:22:05,520 --> 02:22:09,500 +and "id", it's not a "credit" in this case is the "description" 3896 -02:22:09,359 --> 02:22:14,559 -and make an object of it usually you - -3897 -02:22:12,398 --> 02:22:16,639 -should have a full +02:22:09,500 --> 02:22:15,500 +and make an object of it. Usually you should have a full expansion there 3898 -02:22:14,559 --> 02:22:19,39 -expansion there but i didn't test it on - -3899 -02:22:16,639 --> 02:22:22,559 -the training instance maybe something is - -3900 -02:22:19,40 --> 02:22:23,280 -broken on that instance okay so now what +02:22:15,500 --> 02:22:20,500 +but I didn't test it on the training instance maybe something is broken on that instance. 3901 -02:22:22,559 --> 02:22:25,920 -do we have is - -3902 -02:22:23,280 --> 02:22:27,840 -it's more contextual information we we - -3903 -02:22:25,920 --> 02:22:29,520 -start with a story and there +02:22:20,500 --> 02:22:25,500 +Okay so now what do we have is more contextual information. 
3904 -02:22:27,840 --> 02:22:31,920 -we see that we have an emails we have a +02:22:27,500 --> 02:22:30,500 +We start with a story and we see that we have an email we have a first url, 3905 -02:22:29,520 --> 02:22:34,640 -first url a second one which is a - -3906 -02:22:31,920 --> 02:22:36,239 -download and a specific cv so maybe no +02:22:30,500 --> 02:22:33,500 +a second one which is a download and a specific CVE. 3907 -02:22:34,639 --> 02:22:38,79 -we can go back to the uh +02:22:33,500 --> 02:22:36,0 +So maybe now we can go back to the... 3908 -02:22:36,239 --> 02:22:39,280 -we still miss one thing which was a +02:22:36,0 --> 02:22:40,500 +We still miss one thing which was a secondary file that was downloaded. 3909 02:22:38,79 --> 02:22:42,239 -secondary file that was 3910 -02:22:39,280 --> 02:22:43,40 -downloaded oh okay from the secondary - -3911 -02:22:42,239 --> 02:22:46,799 -files yes +02:22:40,500 --> 02:22:43,500 +Oh okay. The secondary files, yes. 3912 -02:22:43,40 --> 02:22:47,280 -yeah so according to story what happens - -3913 -02:22:46,799 --> 02:22:50,318 -was - -3914 -02:22:47,280 --> 02:22:52,319 -uh the initial sample was uh +02:22:43,500 --> 02:22:51,500 +Yeah. So according to story what happens was the initial sample was when executed 3915 -02:22:50,318 --> 02:22:54,239 -when executed was downloading a - -3916 -02:22:52,318 --> 02:22:56,559 -secondary - -3917 -02:22:54,239 --> 02:22:57,680 -sample and that one was basically then - -3918 -02:22:56,559 --> 02:23:00,719 -used to +02:22:51,500 --> 02:22:55,500 +was downloading a secondary sample and that one was basically 3919 -02:22:57,680 --> 02:23:01,40 -exfiltrate data from from the system yes +02:22:55,500 --> 02:23:00,500 +then used to exfiltrate data from from the system. 3920 -02:23:00,719 --> 02:23:03,519 -so +02:23:00,719 --> 02:23:07,0 +Yes, so this was a {inaudible} malicious file okay then I will add... 
-3921 -02:23:01,40 --> 02:23:05,200 -this was a new railway download the - -3922 -02:23:03,520 --> 02:23:08,479 -interest files okay 3923 -02:23:05,200 --> 02:23:09,600 -then i will add a yeah just another file - -3924 -02:23:08,478 --> 02:23:11,599 -and we just - -3925 -02:23:09,600 --> 02:23:13,200 -pretend it's the one that we were +02:23:07,0 --> 02:23:12,0 +Yeah just another file and we just pretend it's the one that we were supposed to use. 3926 -02:23:11,600 --> 02:23:14,239 -supposed to use why is this one it makes - -3927 -02:23:13,200 --> 02:23:17,280 -sense it's an emote that's one - -3928 -02:23:14,239 --> 02:23:17,280 -downloaded form in your eyes - -3929 -02:23:17,439 --> 02:23:20,159 -that makes sense +02:23:12,0 --> 02:23:19,0 +Why is this one makes sense, it's an Emotet one {inaudible}, that makes sense. 3930 -02:23:21,359 --> 02:23:24,399 -so now we have all these different +02:23:21,0 --> 02:23:24,0 +so now we have all these different objects in our event 3931 -02:23:22,959 --> 02:23:25,919 -objects in our event and it's time to +02:23:24,0 --> 02:23:26,0 +and it's time to build the story out of it as Alex has mentioned. 3932 -02:23:24,398 --> 02:23:27,439 -build the story out of it as alex has - -3933 -02:23:25,920 --> 02:23:33,840 -mentioned so it's time to go back to our - -3934 -02:23:27,439 --> 02:23:33,840 -event graph +02:23:26,0 --> 02:23:29,500 +So it's time to go back to our event graph. 3935 -02:23:34,879 --> 02:23:38,0 -8614.88 --> 8618 -and basically uh so far the story is - -3936 -02:23:37,200 --> 02:23:39,920 -that we got - -3937 -02:23:38,0 --> 02:23:42,559 -8618 --> 8622.56 -an email the email was impersonating a +02:23:34,0 --> 02:23:38,500 +And basically so far the story is that we got an email. 3938 -02:23:39,920 --> 02:23:44,799 -person and we basically got +02:23:38,500 --> 02:23:44,500 +The email was impersonating a person and we basically got a primary sample out of it. 
3939 -02:23:42,559 --> 02:23:45,840 -a primary sample out of the that primary - -3940 -02:23:44,799 --> 02:23:50,398 -sample then reaches - -3941 -02:23:45,840 --> 02:23:50,398 -out to evilprovider.com +02:23:44,500 --> 02:23:52,500 +That primary sample then reaches out to evilprovider.com to download a secondary sample. 3942 -02:23:50,559 --> 02:23:55,600 -to download a secondary sample so we - -3943 -02:23:53,680 --> 02:23:59,120 -have a relationship - -3944 -02:23:55,600 --> 02:24:02,239 -between the file - -3945 -02:23:59,120 --> 02:24:02,240 -which downloads from +02:23:52,500 --> 02:24:03,500 +So we have a relationship between the file which "downloads-from". "downloads-from" yeah. 3946 -02:24:02,318 --> 02:24:09,119 -downloads from yeah perfect +02:24:03,500 --> 02:24:05,500 +Perfect. 3947 -02:24:06,959 --> 02:24:10,799 -from evil provider and then evil - -3948 -02:24:09,120 --> 02:24:15,840 -provider downloads - -3949 -02:24:10,799 --> 02:24:15,840 -the secondary sample +02:24:05,500 --> 02:24:12,500 +from "evilprovider" and then "evilprovider" downloads the secondary sample 3950 -02:24:19,200 --> 02:24:29,840 -which is in this case index dot html one - -3951 -02:24:33,359 --> 02:24:43,840 -and this one then exfiltrates to the - -3952 -02:24:36,398 --> 02:24:43,840 -another evil provider url +02:24:19,0 --> 02:24:40,0 +which is in this case "index.html.1" and this one then exfiltrates to another evilprovider url. 
3953 -02:24:52,239 --> 02:24:55,600 -now there's one thing we missed in the - -3954 -02:24:53,520 --> 02:24:57,40 -story here is that the first one try so +02:24:51,0 --> 02:24:55,500 +Now there's one thing we missed in the story here is that the first one try 3955 -02:24:55,600 --> 02:25:00,159 -in this case trilogy +02:24:55,500 --> 02:25:59,0 +so in this case "trilog.exe" was actually abusing the CVE that 3956 -02:24:57,40 --> 02:25:03,40 -was actually abusing the cve that uh - -3957 -02:25:00,159 --> 02:25:04,398 -that alex has already expanded so we - -3958 -02:25:03,40 --> 02:25:08,560 -have an abuser's - -3959 -02:25:04,398 --> 02:25:08,559 -relationship from trilogothexa to - -3960 -02:25:08,840 --> 02:25:11,840 -vulnerability +02:25:59,0 --> 02:25:08,500 +that Alex has already expanded so we have an abuser's relationship from "trilog.exe" to vulnerability. 3961 -02:25:13,680 --> 02:25:17,359 -so and once we're done with this we - -3962 -02:25:15,760 --> 02:25:19,439 -already see the entire store in this car +02:25:14,0 --> 02:25:17,0 +So and once we're done with this we already see the entire story in this graph. 3963 -02:25:17,359 --> 02:25:20,800 -so even if you if you have no idea about - -3964 -02:25:19,439 --> 02:25:22,800 -what happened in the report and you - -3965 -02:25:20,799 --> 02:25:24,318 -don't read the original report +02:25:17,0 --> 02:25:22,500 +So even if you have no idea about what happened in the report and you don't read the original report 3966 -02:25:22,799 --> 02:25:26,478 -by just looking at this graph you can - -3967 -02:25:24,318 --> 02:25:29,519 -clearly read it out - -3968 -02:25:26,478 --> 02:25:31,519 -in in in simple sentences we see email +02:25:22,500 --> 02:25:29,0 +by just looking at this graph you can clearly read it out in simple sentences. 3969 -02:25:29,520 --> 02:25:34,960 -in person later first and john +02:25:29,0 --> 02:25:33,500 +We see email impersonator a person, John. 
Email contains "trilog.exe" 3970 -02:25:31,520 --> 02:25:36,159 -email contains trilogy exploits - -3971 -02:25:34,959 --> 02:25:39,159 -vulnerability - -3972 -02:25:36,159 --> 02:25:40,318 -downloads from evoprovider.com - -3973 -02:25:39,159 --> 02:25:43,680 -index.html1 +02:25:31,520 --> 02:25:40,500 +and that exploits the vulnerability. Downloads from evilprovider.com, "index.html.1". 3974 -02:25:40,318 --> 02:25:45,760 -which exfiltrates to a url so it's a +02:25:40,500 --> 02:25:43,0 +which exfiltrates to a url. 3975 -02:25:43,680 --> 02:25:46,79 -very simple story to comprehend without - -3976 -02:25:45,760 --> 02:25:48,239 -us - -3977 -02:25:46,79 --> 02:25:50,0 -8746.08 --> 8750 -knowing the original data information +02:25:43,0 --> 02:25:48,500 +So it's a very simple story to comprehend without us knowing the original data information 3978 -02:25:48,239 --> 02:25:50,318 -and without us having even having to - -3979 -02:25:50,0 --> 02:25:52,0 -8750 --> 8752 -look - -3980 -02:25:50,318 --> 02:25:53,359 -at the individual indicators further - -3981 -02:25:52,0 --> 02:25:55,760 -8752 --> 8755.76 -below +02:25:48,500 --> 02:25:53,500 +and without us having even having to look at the individual indicators further below. 3982 -02:25:53,359 --> 02:25:56,800 -so this is when we're talking about - -3983 -02:25:55,760 --> 02:25:59,40 -information sharing - -3984 -02:25:56,799 --> 02:26:00,478 -we're basically sharing on two layers +02:25:53,500 --> 02:25:58,500 +So this is when we're talking about information sharing we're basically sharing on two layers. 
3985 -02:25:59,40 --> 02:26:02,640 -one of the layers is sharing with - -3986 -02:26:00,478 --> 02:26:04,79 -machines so informing an ids about - -3987 -02:26:02,639 --> 02:26:05,599 -things to alert on +02:25:59,40 --> 02:26:03,500 +One of the layers is sharing with machines so informing an IDS about things to alert on 3988 -02:26:04,79 --> 02:26:07,280 -and at the same time we're sharing with +02:26:04,79 --> 02:26:06,500 +and at the same time we're sharing with analysts 3989 -02:26:05,600 --> 02:26:09,40 -analysts that want to really understand - -3990 -02:26:07,280 --> 02:26:09,600 -what the introductory was doing in this - -3991 -02:26:09,40 --> 02:26:11,760 -case +02:26:06,500 --> 02:26:09,500 +that want to really understand what the threat actor was doing in this case 3992 -02:26:09,600 --> 02:26:13,120 -and what happened during the incident +02:26:09,500 --> 02:26:11,500 +and what happened during the incident. 3993 -02:26:11,760 --> 02:26:15,600 -however at this stage - -3994 -02:26:13,120 --> 02:26:17,520 -we have described our event but we're - -3995 -02:26:15,600 --> 02:26:20,479 -still missing something at this point +02:26:11,500 --> 02:26:17,500 +However at this stage, we have described our event but we're still missing something at this point. 3996 -02:26:17,520 --> 02:26:21,760 -we still haven't actually contextualized - -3997 -02:26:20,478 --> 02:26:23,39 -the information with everything else - -3998 -02:26:21,760 --> 02:26:26,159 -that we know about it +02:26:17,500 --> 02:26:23,0 +We still haven't actually contextualized the information with everything else that we know about it. 
3999 -02:26:23,40 --> 02:26:27,40 -so we have we have vocabularies at our - -4000 -02:26:26,159 --> 02:26:28,879 -disposal - -4001 -02:26:27,40 --> 02:26:30,399 -we have at the attack matrix at our +02:26:23,0 --> 02:26:30,0 +So we have vocabularies at our disposal, we have the ATTACK matrix at our disposal 4002 -02:26:28,879 --> 02:26:31,679 -disposal so let's - -4003 -02:26:30,398 --> 02:26:33,760 -start going through the individual +02:26:30,0 --> 02:26:32,0 +So let's start going through the individual attributes 4004 -02:26:31,680 --> 02:26:34,559 -attributes and let's start to attach - -4005 -02:26:33,760 --> 02:26:37,520 -those different - -4006 -02:26:34,559 --> 02:26:38,79 -labels to the data so first of all if we +02:26:32,0 --> 02:26:35,500 +and let's start to attach those different labels to the data 4007 -02:26:37,520 --> 02:26:41,120 -look at - -4008 -02:26:38,79 --> 02:26:42,318 -uh perhaps which one which one should we - -4009 -02:26:41,120 --> 02:26:44,79 -start with +02:26:35,500 --> 02:26:42,500 +so first of all if we look at perhaps, which one should we start with? 4010 -02:26:42,318 --> 02:26:45,760 -let's not do everything let's look at - -4011 -02:26:44,79 --> 02:26:47,520 -the original email for example +02:26:42,500 --> 02:26:45,500 +Let's not do everything. Let's look at the original email for example. 4012 -02:26:45,760 --> 02:26:49,120 -we know that the original email deals - -4013 -02:26:47,520 --> 02:26:51,120 -with fishing now +02:26:45,500 --> 02:26:48,500 +We know that the original email deals with phishing. 
4014 -02:26:49,120 --> 02:26:52,720 -attack has a pattern that describes +02:26:48,500 --> 02:26:51,500 +Now ATTACK has a pattern that describes phishing 4015 -02:26:51,120 --> 02:26:55,760 -fishing so we can just attach - -4016 -02:26:52,719 --> 02:26:59,279 -the galaxy cluster of attack to - -4017 -02:26:55,760 --> 02:27:02,960 -and to the attributes in there so +02:26:51,500 --> 02:26:57,500 +so we can just attach the galaxy cluster of attack to the attributes in there. 4018 -02:26:59,280 --> 02:27:04,800 -we use cluster yeah and we can just use +02:26:57,500 --> 02:27:01,500 +So we use cluster yeah. 4019 -02:27:02,959 --> 02:27:07,759 -the text +02:27:01,500 --> 02:27:06,0 +and we can just use ATTACK. mitre-attack, perfect. 4020 -02:27:04,799 --> 02:27:08,318 -magic perfect and we can click on attack - -4021 -02:27:07,760 --> 02:27:11,200 -pattern - -4022 -02:27:08,318 --> 02:27:12,79 -then we get the attack matrix and here +02:27:06,0 --> 02:27:09,500 +and we can click on "Attack Pattern" then we get the attack matrix 4023 -02:27:11,200 --> 02:27:16,290 -we can select - -4024 -02:27:12,79 --> 02:27:19,120 -uh phishing it should be in - -4025 -02:27:16,290 --> 02:27:20,880 -[Music] +02:27:11,200 --> 02:27:17,500 +and here we can select "Phishing". It should be in... 4026 -02:27:19,120 --> 02:27:23,359 -you see yeah there it is perfect so we +02:27:18,500 --> 02:27:20,500 +Yeah there it is perfect. 4027 -02:27:20,879 --> 02:27:23,358 -attach it - -4028 -02:27:23,840 --> 02:27:27,359 -we refresh and there we see it is now - -4029 -02:27:26,318 --> 02:27:30,0 -8846.319 --> 8850 -attached to the +02:27:20,500 --> 02:27:28,500 +So we attach it. 
We refresh and there we see it is now attached to the attribute 4030 -02:27:27,359 --> 02:27:31,680 -attribute and if we if we generate a - -4031 -02:27:30,0 --> 02:27:32,879 -8850 --> 8852.88 -heat pack now out of the events if we - -4032 -02:27:31,680 --> 02:27:35,680 -scroll up +02:27:28,500 --> 02:27:32,500 +and if we generate a heat map now out of the events if we scroll up. 4033 -02:27:32,879 --> 02:27:37,39 -we have an attack matrix view next to - -4034 -02:27:35,680 --> 02:27:39,520 -the event graph +02:27:32,500 --> 02:27:36,500 +We have an attack matrix view next to the event graph. 4035 -02:27:37,40 --> 02:27:40,399 -if we click on that one now we now see +02:27:36,500 --> 02:27:43,0 +If we click on that one now we now see that as a first overview already we know 4036 -02:27:39,520 --> 02:27:43,200 -that - -4037 -02:27:40,398 --> 02:27:44,0 -8860.399 --> 8864 -as a first overview already we know - -4038 -02:27:43,200 --> 02:27:45,520 -without looking - -4039 -02:27:44,0 --> 02:27:47,359 -8864 --> 8867.359 -at any of the details we see that we're +02:27:43,0 --> 02:27:46,500 +without looking at any of the details we see that we're dealing with phishing here. 4040 -02:27:45,520 --> 02:27:48,800 -dealing with positioning here so this is +02:27:46,500 --> 02:27:49,500 +So this is one of the attack patterns that we've described. 4041 -02:27:47,359 --> 02:27:49,600 -one of the attack patterns that we've - -4042 -02:27:48,799 --> 02:27:50,879 -described +02:27:49,500 --> 02:27:52,0 +let's see what other attack patterns from attack we can describe 4043 -02:27:49,600 --> 02:27:52,399 -let's see what other attack patterns - -4044 -02:27:50,879 --> 02:27:53,920 -from attack we can describe you also see - -4045 -02:27:52,398 --> 02:27:55,599 -that there is automated +02:27:52,0 --> 02:27:55,0 +You also see that there is automated exfiltration happening. 
4046 -02:27:53,920 --> 02:27:57,520 -exfiltration happening so if we go to - -4047 -02:27:55,600 --> 02:28:01,840 -the secondary url - -4048 -02:27:57,520 --> 02:28:01,840 -so another evilprovider.com +02:27:55,0 --> 02:28:00,0 +So if we go to the secondary url, so another evilprovider.com. 4049 -02:28:03,280 --> 02:28:06,960 -we can attach the pattern there as well +02:28:03,0 --> 02:28:05,500 +We can attach the pattern there as well. 4050 -02:28:05,520 --> 02:28:08,560 -now we can choose to do +02:28:05,500 --> 02:28:10,500 +now we can choose to do a single attribute what we're doing or we can just select all 4 -4051 -02:28:06,959 --> 02:28:10,159 -a single attribute what we're doing or - -4052 -02:28:08,559 --> 02:28:11,760 -we can just select all four and attach 4053 -02:28:10,159 --> 02:28:12,0 -8890.16 --> 8892 -the cluster tool for let's just do one - -4054 -02:28:11,760 --> 02:28:15,120 -for - -4055 -02:28:12,0 --> 02:28:19,760 -8892 --> 8899.76 -now it's it's it's enough +02:28:10,500 --> 02:28:13,500 +and attach the cluster to all 4 for let's just do one for now, it's enough. 4056 -02:28:15,120 --> 02:28:19,760 -uh watch out it's uh yeah perfect - -4057 -02:28:21,40 --> 02:28:24,399 -and just pick automated exfiltration +02:28:15,500 --> 02:28:24,0 +Watch out it's... Yeah, perfect. And just pick "Automated Exfiltration". 4058 -02:28:23,600 --> 02:28:27,840 -it's the - -4059 -02:28:24,398 --> 02:28:27,840 -first one on the yeah +02:28:24,0 --> 02:28:27,0 +It's the first one on the... Yeah. 4060 -02:28:30,79 --> 02:28:33,120 -okay so now we've attached some attack - -4061 -02:28:32,0 --> 02:28:35,280 -8912 --> 8915.28 -patterns uh - -4062 -02:28:33,120 --> 02:28:36,720 -we we could attach it to the sample as +02:28:30,0 --> 02:28:35,500 +Okay so now we've attached some attack patterns, we could attach it to the sample as well. 
4063 -02:28:35,280 --> 02:28:38,479 -well what the sample is doing but we're - -4064 -02:28:36,719 --> 02:28:40,478 -not going to go through +02:28:35,500 --> 02:28:39,0 +What the sample is doing but we're not going to go through all that effort 4065 -02:28:38,478 --> 02:28:42,239 -all that effort let's look at some type - -4066 -02:28:40,478 --> 02:28:45,679 -of contextualization - -4067 -02:28:42,239 --> 02:28:47,119 -for example maybe this - -4068 -02:28:45,680 --> 02:28:49,200 -then it's a matter of test again +02:28:39,0 --> 02:28:43,500 +Let's look at some type of contextualization for example... 4069 -02:28:47,120 --> 02:28:50,560 -regarding the at which level you want to - -4070 -02:28:49,200 --> 02:28:53,840 -attach - -4071 -02:28:50,559 --> 02:28:54,959 -the galaxy there is the topic is a - -4072 -02:28:53,840 --> 02:28:57,439 -matter of fishing +02:28:47,120 --> 02:28:47,500 +maybe this then it's a matter of taste again regarding 4073 -02:28:54,959 --> 02:29:00,398 -at a global level usually we can add a +02:28:47,500 --> 02:28:51,500 +at which level you want to attach the galaxy 4074 -02:28:57,439 --> 02:29:04,239 -galaxy there and then for example +02:28:51,500 --> 02:28:58,500 +there is really the topic is a matter of phishing at a global level, usually we can add a galaxy there 4075 -02:29:00,398 --> 02:29:07,519 -add my tray attack directly there +02:28:58,500 --> 02:29:03,500 +and then for example add MITRE ATTACK directly there 4076 -02:29:04,239 --> 02:29:09,840 -and select the pattern fishing then - -4077 -02:29:07,520 --> 02:29:11,600 -the techniques there directly so you +02:29:03,500 --> 02:29:09,500 +and select the pattern phishing then the techniques there directly. 
4078 -02:29:09,840 --> 02:29:13,760 -have different options - -4079 -02:29:11,600 --> 02:29:15,760 -usually we recommend to make it as - -4080 -02:29:13,760 --> 02:29:17,200 -attribute level +02:29:09,500 --> 02:29:14,500 +so you have different options usually we recommend to make it at attribute level 4081 -02:29:15,760 --> 02:29:18,880 -but in some case you don't even know - -4082 -02:29:17,200 --> 02:29:22,79 -which attribute level it applies - -4083 -02:29:18,879 --> 02:29:24,318 -then you select the even level exactly +02:29:14,500 --> 02:29:21,500 +but in some case you don't even know which attribute level it applies then you select the event level. 4084 -02:29:22,79 --> 02:29:25,840 -so so that's indeed a good point if you - -4085 -02:29:24,318 --> 02:29:26,959 -know that the entire chain of what - -4086 -02:29:25,840 --> 02:29:29,680 -you're describing +02:29:21,500 --> 02:29:26,500 +Exactly. So that's indeed a good point if you know that the entire chain of what you're describing 4087 -02:29:26,959 --> 02:29:32,0 -8966.96 --> 8972 -referring to the single uh - -4088 -02:29:29,680 --> 02:29:34,559 -contextualization beta label be it a - -4089 -02:29:32,0 --> 02:29:36,398 -8972 --> 8976.399 -galaxy cluster then indeed what we +02:29:26,500 --> 02:29:34,500 +references to a single contextualization, be it label, be it a galaxy cluster then indeed 4090 -02:29:34,559 --> 02:29:38,719 -assume is anything that you label on the +02:29:34,500 --> 02:29:39,500 +what we assume is anything that you label on the event level is inherited by all 4091 -02:29:36,398 --> 02:29:41,439 -event level is inherited by all - -4092 -02:29:38,719 --> 02:29:42,398 -uh data contained in unless explicitly - -4093 -02:29:41,439 --> 02:29:45,760 -overwritten by - -4094 -02:29:42,398 --> 02:29:48,478 -the opposite tag basically so +02:29:39,500 --> 02:29:43,500 +data contained within unless explicitly overwritten by the opposite tag basically. 
4095 -02:29:45,760 --> 02:29:49,439 -so indeed that's the case uh in this +02:29:43,500 --> 02:29:51,500 +So indeed that's the case. In this case we're kind of in a weird situation 4096 -02:29:48,478 --> 02:29:51,39 -case - -4097 -02:29:49,439 --> 02:29:52,720 -we're kind of in a weird situation - -4098 -02:29:51,40 --> 02:29:54,560 -because we're describing the full chain - -4099 -02:29:52,719 --> 02:29:56,719 -of the attack which includes initial +02:29:51,500 --> 02:29:55,500 +because we're describing the full chain of the attack which includes initial phishing attempt 4100 -02:29:54,559 --> 02:29:58,559 -phishing attempt but also includes the - -4101 -02:29:56,719 --> 02:29:59,358 -secondary payload and the exfiltration - -4102 -02:29:58,559 --> 02:30:00,959 -and so on +02:29:55,500 --> 02:29:59,500 +but also includes the secondary payload and the exfiltration and so on 4103 -02:29:59,359 --> 02:30:02,479 -and if we if you do this on the - -4104 -02:30:00,959 --> 02:30:03,39 -attribute level i suppose the event - -4105 -02:30:02,478 --> 02:30:05,519 -level - +02:29:59,500 --> 02:30:03,500 +and if we do this on the attribute level as oppose to the event level + 4106 -02:30:03,40 --> 02:30:06,560 -then you're really really only +02:30:03,500 --> 02:30:08,0 +then you're really only describing which part deals with the phishing 4107 -02:30:05,520 --> 02:30:08,479 -describing - -4108 -02:30:06,559 --> 02:30:10,398 -which part deals with the fishing which - -4109 -02:30:08,478 --> 02:30:11,39 -part deals with the actual exfiltration - -4110 -02:30:10,398 --> 02:30:12,799 -and so on +02:30:08,0 --> 02:30:11,500 +which part deals with the actual exfiltration and so on. 4111 -02:30:11,40 --> 02:30:14,640 -so this is really up to you what we - -4112 -02:30:12,799 --> 02:30:16,398 -generally recommend is - -4113 -02:30:14,639 --> 02:30:18,398 -don't just do it on the event level so +02:30:11,500 --> 02:30:16,0 +So this is really up to you. 
What we generally recommend is don't just do it on the event level. 4114 -02:30:16,398 --> 02:30:19,439 -if you're describing more concepts in a +02:30:16,0 --> 02:30:19,500 +So if you're describing more concepts in a single event 4115 -02:30:18,398 --> 02:30:20,719 -single event - -4116 -02:30:19,439 --> 02:30:22,559 -make sure that you contextualize - -4117 -02:30:20,719 --> 02:30:23,920 -individual parts of it +02:30:19,500 --> 02:30:22,0 +make sure that you contextualize individual parts of it 4118 -02:30:22,559 --> 02:30:25,840 -because one of one of the things that we +02:30:22,0 --> 02:30:26,500 +because one of one of the things that we use these labels for as well is Searches. -4119 -02:30:23,920 --> 02:30:27,359 -use these labels for as well is searches 4120 -02:30:25,840 --> 02:30:28,318 -so if i were to search for all +02:30:26,500 --> 02:30:29,500 +so if I were to search for all indicators that relate to phishing 4121 -02:30:27,359 --> 02:30:30,800 -indicators - -4122 -02:30:28,318 --> 02:30:32,159 -that relate to phishing i might not want - -4123 -02:30:30,799 --> 02:30:35,920 -to get the secondary - -4124 -02:30:32,159 --> 02:30:37,760 -payloads effects uh included in that +02:30:29,500 --> 02:30:36,500 +I might not want to get the secondary payloads artifacts included in that response. 4125 -02:30:35,920 --> 02:30:39,359 -response because that was just the - -4126 -02:30:37,760 --> 02:30:41,200 -initial vector of getting into the - -4127 -02:30:39,359 --> 02:30:42,880 -network of the victim +02:30:35,920 --> 02:30:40,500 +because that was just the initial vector of getting into the network of the victim 4128 -02:30:41,200 --> 02:30:44,720 -whatever happens afterwards is not - -4129 -02:30:42,879 --> 02:30:46,959 -directly related to the phishing +02:30:40,500 --> 02:30:44,500 +whatever happens afterwards is not directly related to the phishing. 
4130 -02:30:44,719 --> 02:30:48,478 -so keep that in mind as well something - -4131 -02:30:46,959 --> 02:30:50,559 -else +02:30:44,500 --> 02:30:47,500 +So keep that in mind as well. something else... 4132 -02:30:48,478 --> 02:30:52,799 -yeah so some just just something that +02:30:47,500 --> 02:30:52,500 +Yeah so just something that you have to keep in mind too it's about 4133 -02:30:50,559 --> 02:30:54,639 -you have to keep in mind too it's about - -4134 -02:30:52,799 --> 02:30:56,79 -which classification to choose or which - -4135 -02:30:54,639 --> 02:30:56,799 -contractualization source you have to - -4136 -02:30:56,79 --> 02:30:59,600 -want to - -4137 -02:30:56,799 --> 02:31:00,79 -to use um on this instance we have +02:30:52,500 --> 02:30:58,500 +which classification to choose or which contextualization source you want to use. 4138 -02:30:59,600 --> 02:31:02,800 -already +02:30:58,500 --> 02:31:01,500 +On this instance, we have already a lot of things enabled 4139 -02:31:00,79 --> 02:31:04,639 -a lot of things enabled and if for - -4140 -02:31:02,799 --> 02:31:06,79 -example you go for taxonomy - -4141 -02:31:04,639 --> 02:31:08,478 -you have a lot of taxonomy that is - -4142 -02:31:06,79 --> 02:31:10,719 -describing fishing +02:31:01,500 --> 02:31:07,500 +and if for example you go for taxonomy. You have a lot of taxonomy that is describing phishing. 4143 -02:31:08,478 --> 02:31:11,760 -for for example you have even a complete - -4144 -02:31:10,719 --> 02:31:14,959 -taxonomy - -4145 -02:31:11,760 --> 02:31:15,680 -about the kind of fishing you have and - -4146 -02:31:14,959 --> 02:31:18,639 -so on +02:31:07,500 --> 02:31:15,500 +For example you have even a complete taxonomy about the kind of phishing you have and so on. 
4147 -02:31:15,680 --> 02:31:21,280 -so when you install your miss pinstance - -4148 -02:31:18,639 --> 02:31:23,358 -and you start to make it operational +02:31:15,500 --> 02:31:20,500 +So when you install your MISP instance and you start to make it operational 4149 -02:31:21,280 --> 02:31:24,800 -you really have to decide what kind of - -4150 -02:31:23,359 --> 02:31:26,720 -taxonomy you want to use +02:31:20,500 --> 02:31:24,500 +you really have to decide what kind of taxonomy you want to use 4151 -02:31:24,799 --> 02:31:29,920 -in this case we have already a lot of - -4152 -02:31:26,719 --> 02:31:32,478 -things are available by default +02:31:24,500 --> 02:31:29,500 +in this case we have already a lot of things are available by default 4153 -02:31:29,920 --> 02:31:35,200 -so the fishing taxonomy itself is a - -4154 -02:31:32,478 --> 02:31:37,358 -complete one coming from a finger +02:31:29,920 --> 02:31:36,500 +so the phishing taxonomy itself is a complete one coming from I think {inaudible} academic paper 4155 -02:31:35,200 --> 02:31:39,840 -towards academic paper where we have all - -4156 -02:31:37,359 --> 02:31:41,600 -the techniques that are used so +02:31:35,200 --> 02:31:38,0 +where we have all the techniques that are used. 4157 -02:31:39,840 --> 02:31:44,239 -for example you can say that this one is - -4158 -02:31:41,600 --> 02:31:44,239 -coming from a +02:31:38,0 --> 02:31:45,500 +So for example you can say that this one is coming from a spearphishing 4159 -02:31:44,559 --> 02:31:51,439 -spearfishing which was described there - -4160 -02:31:48,318 --> 02:31:54,0 -9108.319 --> 9114 -and you have the different techniques +02:31:45,500 --> 02:31:51,500 +which was described there and you have the different techniques. 
4161 -02:31:51,439 --> 02:31:55,520 -so in this case it's email spoofing and +02:31:51,500 --> 02:31:53,500 +So in this case it's email spoofing 4162 -02:31:54,0 --> 02:31:57,760 -9114 --> 9117.76 -you can go deeper there - -4163 -02:31:55,520 --> 02:31:58,720 -into the description of what is exactly - -4164 -02:31:57,760 --> 02:32:01,840 -the decision +02:31:53,500 --> 02:31:57,760 +and you can go deeper there into the description of what is exactly the phishing. 4165 -02:31:58,719 --> 02:32:04,0 -9118.72 --> 9124 -and you can mix match both i mean under - -4166 -02:32:01,840 --> 02:32:06,478 -selectively attack +02:31:58,719 --> 02:32:05,500 +and you can mix match both. I mean Andras selected the ATTACK phishing techniques 4167 -02:32:04,0 --> 02:32:07,200 -9124 --> 9127.2 -fishing techniques at specific indicator - -4168 -02:32:06,478 --> 02:32:09,438 -level +02:32:05,500 --> 02:32:07,0 +at specific indicator level 4169 -02:32:07,200 --> 02:32:10,560 -maybe another analyst would want to - -4170 -02:32:09,439 --> 02:32:12,239 -classify it - -4171 -02:32:10,559 --> 02:32:14,559 -and and maybe the objectives might be +02:32:07,0 --> 02:32:12,500 +Maybe another analyst would want to classify it and maybe the objectives might be different. 4172 -02:32:12,239 --> 02:32:16,719 -different maybe on one for example - -4173 -02:32:14,559 --> 02:32:18,719 -it's more specific for tools but if you +02:32:12,500 --> 02:32:16,500 +Maybe on one, for example it's more specific for tools. 
4174 -02:32:16,719 --> 02:32:20,639 -want to run out statistics - -4175 -02:32:18,719 --> 02:32:22,0 -9138.72 --> 9142 -at the end of i don't know quite early - -4176 -02:32:20,639 --> 02:32:23,840 -meetings and say okay +02:32:16,719 --> 02:32:21,500 +But if you want to run out statistics at the end of, I don't know, quarterly meetings 4177 -02:32:22,0 --> 02:32:25,600 -9142 --> 9145.6 -how many spearfishing that you receive - -4178 -02:32:23,840 --> 02:32:27,200 -or many emails proofing +02:32:21,500 --> 02:32:25,500 +and say okay, how many spearfishing that you receive or maybe emails spoofing. 4179 -02:32:25,600 --> 02:32:29,840 -for example if you can control better - -4180 -02:32:27,200 --> 02:32:30,720 -emails proofing uh the spf record and so +02:32:25,600 --> 02:32:30,0 +For example if you can control better emails spoofing, the SPF record and so on 4181 -02:32:29,840 --> 02:32:32,960 -on you can +02:32:30,0 --> 02:32:34,0 +you can just look at the current technique that are used by by the attacker. 
-4182 -02:32:30,719 --> 02:32:34,719 -just look at the current uh technique - -4183 -02:32:32,959 --> 02:32:35,599 -that are used by by the attacker so you 4184 -02:32:34,719 --> 02:32:38,239 -see that - -4185 -02:32:35,600 --> 02:32:40,79 -those kind of it's full of taxonomies - -4186 -02:32:38,239 --> 02:32:42,799 -that are can be used +02:32:34,0 --> 02:32:39,500 +So you see that those kind of, it's full of taxonomies that can be used 4187 -02:32:40,79 --> 02:32:44,559 -and obviously we usually recommend to - -4188 -02:32:42,799 --> 02:32:46,639 -not enable everything but just +02:32:39,500 --> 02:32:44,0 +and obviously we usually recommend to not enable everything 4189 -02:32:44,559 --> 02:32:47,680 -pick what you really want and some are - -4190 -02:32:46,639 --> 02:32:50,79 -very generic +02:32:44,0 --> 02:32:47,500 +but just pick what you really want and some are very generic, 4191 -02:32:47,680 --> 02:32:51,40 -some are more advanced but that's maybe - -4192 -02:32:50,79 --> 02:32:54,559 -something that you +02:32:47,500 --> 02:32:53,0 +some are more advanced but that's maybe something that we dig into more afterwards 4193 -02:32:51,40 --> 02:32:56,319 -we dig into more afterwards but - -4194 -02:32:54,559 --> 02:32:57,840 -just be careful of which kind of - -4195 -02:32:56,318 --> 02:32:58,799 -taxonomy you want to use because it will +02:32:53,0 --> 02:32:58,500 +but just be careful of which kind of taxonomy you want to use because it will be the language 4196 -02:32:57,840 --> 02:33:01,280 -be the language - -4197 -02:32:58,799 --> 02:33:02,478 -that you use with the community and your - -4198 -02:33:01,280 --> 02:33:07,840 -partners - -4199 -02:33:02,478 --> 02:33:07,840 -for sharing this information +02:32:58,500 --> 02:33:05,500 +that you use with the community and your partners for sharing this information. 
4200 -02:33:09,200 --> 02:33:12,640 -maybe something interesting to look into - -4201 -02:33:10,879 --> 02:33:14,478 -the email and that's linked to +02:33:09,0 --> 02:33:13,500 +Maybe something interesting to look into the email and that's linked to classifications 4202 -02:33:12,639 --> 02:33:16,0 -9192.64 --> 9196 -classifications but there's this comment - -4203 -02:33:14,478 --> 02:33:17,840 -there please +02:33:13,500 --> 02:33:15,500 +but there's this comment there 4204 -02:33:16,0 --> 02:33:19,520 -9196 --> 9199.52 -please be mindful that this is an - -4205 -02:33:17,840 --> 02:33:22,0 -9197.84 --> 9202 -ongoing investigation and we would like +02:33:16,0 --> 02:33:19,0 +"Please be mindful that this is an ongoing investigation 4206 -02:33:19,520 --> 02:33:23,920 -to avoid +02:33:19,0 --> 02:33:24,0 +and we would like to avoid informing the attacker of the detection 4207 -02:33:22,0 --> 02:33:25,439 -9202 --> 9205.439 -informing the attacker or the detection - -4208 -02:33:23,920 --> 02:33:28,478 -and can we ask you to - -4209 -02:33:25,439 --> 02:33:32,318 -to only use the content information - -4210 -02:33:28,478 --> 02:33:34,0 -9208.479 --> 9214 -to to protect your constituents so +02:33:24,0 --> 02:33:30,0 +and kindly ask you to to only use the contained information to protect your constituents". 4211 -02:33:32,318 --> 02:33:35,519 -this is kind of that you are language - -4212 -02:33:34,0 --> 02:33:37,600 -9214 --> 9217.6 -describing to you what kind of - -4213 -02:33:35,520 --> 02:33:40,640 -classification it is +02:33:30,0 --> 02:33:37,500 +So this is kind of your language describing to you what kind of classification it is. 
4214 -02:33:37,600 --> 02:33:44,479 -um and so no - -4215 -02:33:40,639 --> 02:33:46,799 -which one should we use so um if we are - -4216 -02:33:44,478 --> 02:33:48,639 -first members if we are using the first +02:33:37,500 --> 02:33:47,0 +And so now which one should we use so if we are FIRST members, if we are using the FIRST community 4217 -02:33:46,799 --> 02:33:50,159 -community obviously the classification +02:33:47,0 --> 02:33:51,500 +obviously the classification that we will use is not the NATO one, 4218 -02:33:48,639 --> 02:33:52,398 -that we will use - -4219 -02:33:50,159 --> 02:33:53,600 -is not the nato one or the ministry of - -4220 -02:33:52,398 --> 02:33:57,920 -defense in whatever - -4221 -02:33:53,600 --> 02:34:01,840 -country it's really tlp so then again +02:33:48,639 --> 02:33:55,0 +or the Ministry of Defense in whatever country, it's really TLP. 4222 -02:33:57,920 --> 02:34:05,920 -based on that we will look into +02:33:55,0 --> 02:34:05,500 +So then again based on that, we will look into different taxonomy that we have 4223 02:34:01,840 --> 02:34:09,200 -different taxonomy that we have + 4224 -02:34:05,920 --> 02:34:12,719 -we can look for for tlp - -4225 -02:34:09,200 --> 02:34:15,280 -and i should not do that like that +02:34:05,500 --> 02:34:11,500 +we can look for TLP and I should not do that like that. 4226 -02:34:12,719 --> 02:34:17,39 -i go for the tlp library and then i have +02:34:12,0 --> 02:34:20,0 +I go for the TLP library and then I have the specific taxonomy TLP 4227 -02:34:15,280 --> 02:34:21,120 -the - -4228 -02:34:17,40 --> 02:34:22,240 -specific taxonomy tlp and then you have - -4229 -02:34:21,120 --> 02:34:24,560 -the different one +02:34:20,0 --> 02:34:22,500 +and then you have the different one. 
4230 -02:34:22,239 --> 02:34:27,280 -in this case they say you have to share +02:34:22,500 --> 02:34:26,0 +In this case they say you have to share it with your constituents only 4231 -02:34:24,559 --> 02:34:29,840 -it with your confusion only so - -4232 -02:34:27,280 --> 02:34:30,800 -tlp amber seems to be the most - -4233 -02:34:29,840 --> 02:34:33,280 -appropriate +02:34:26,0 --> 02:34:31,500 +so TLP amber seems to be the most appropriate one. 4234 -02:34:30,799 --> 02:34:34,879 -one we say that the lpm bill information - -4235 -02:34:33,280 --> 02:34:36,399 -is given to organization +02:34:31,500 --> 02:34:34,500 +We say that the TLP Amber information is given to organization 4236 -02:34:34,879 --> 02:34:38,0 -9274.88 --> 9278 -sharing limited within organization to - -4237 -02:34:36,398 --> 02:34:40,639 -basically act upon +02:34:34,500 --> 02:34:37,500 +sharing limited within organization to basically act upon. 4238 -02:34:38,0 --> 02:34:41,439 -9278 --> 9281.439 -if we have the extended classifications - -4239 -02:34:40,639 --> 02:34:44,478 -from first - -4240 -02:34:41,439 --> 02:34:47,200 -it includes the constituent +02:34:38,0 --> 02:34:45,0 +If we have the extended classifications from FIRST it includes the constituent too. 4241 -02:34:44,478 --> 02:34:48,559 -too so i will just use a tmp but i - -4242 -02:34:47,200 --> 02:34:50,159 -mentioned something else that is - -4243 -02:34:48,559 --> 02:34:52,959 -interesting +02:34:45,0 --> 02:34:49,500 +So I will just use a TLP but I mentioned something else that is interesting. 4244 -02:34:50,159 --> 02:34:53,600 -in the email they mentioned that this is +02:34:49,500 --> 02:34:59,500 +In the email they mentioned that this is an ongoing investigation, to avoid informing the attacker. 
4245 -02:34:52,959 --> 02:34:57,199 -an ongoing - -4246 -02:34:53,600 --> 02:35:00,479 -association to avoid - -4247 -02:34:57,200 --> 02:35:02,479 -informing the attacker in this case - -4248 -02:35:00,478 --> 02:35:03,760 -or would you inform the attacker but if - -4249 -02:35:02,478 --> 02:35:06,79 -you do actions - -4250 -02:35:03,760 --> 02:35:08,79 -on specific indicators and attributes +02:34:59,500 --> 02:35:06,0 +In this case, how would you inform the attacker but if you do actions on specific indicators and attributes 4251 -02:35:06,79 --> 02:35:10,239 -you might want to restrict that +02:35:06,0 --> 02:35:10,0 +you might want to restrict that so there is another classification, 4252 -02:35:08,79 --> 02:35:13,200 -so there is a another classification i - -4253 -02:35:10,239 --> 02:35:16,398 -don't know if this one is enabled +02:35:10,0 --> 02:35:11,500 +I don't know if this one is enabled. 4254 -02:35:13,200 --> 02:35:19,840 -it's called pap which is exactly that - -4255 -02:35:16,398 --> 02:35:22,559 -it's similar to tlp but describing +02:35:11,500 --> 02:35:18,500 +It's called PAP which is exactly that, it's similar to TLP 4256 -02:35:19,840 --> 02:35:24,159 -what you can do with this information if +02:35:18,500 --> 02:35:21,500 +but describing what you can do with this information. 4257 -02:35:22,559 --> 02:35:26,799 -we don't want to - -4258 -02:35:24,159 --> 02:35:27,439 -at least notify the attacker that we are - -4259 -02:35:26,799 --> 02:35:29,679 -doing some +02:35:21,500 --> 02:35:28,500 +If we don't want to at least notify the attacker that we are doing some further investigations. 
4260 -02:35:27,439 --> 02:35:31,40 -further investigations maybe we want to +02:35:27,439 --> 02:35:34,0 +Maybe we want to restrict that and the PAP is really telling you 4261 -02:35:29,680 --> 02:35:34,0 -9329.68 --> 9334 -restrict that - -4262 -02:35:31,40 --> 02:35:35,840 -and the prp is really telling you what - -4263 -02:35:34,0 --> 02:35:37,200 -9334 --> 9337.2 -are the permissive action that you can - -4264 -02:35:35,840 --> 02:35:40,239 -do +02:35:34,0 --> 02:35:36,500 +what are the permissive action that you can do. 4265 -02:35:37,200 --> 02:35:42,479 -in our case for example - -4266 -02:35:40,239 --> 02:35:43,520 -non-detectable actions only and that's - -4267 -02:35:42,478 --> 02:35:46,398 -really what he wants +02:35:36,500 --> 02:35:43,500 +In our case, "PAP: RED" for example, non-detectable actions only and that's really what we wants 4268 -02:35:43,520 --> 02:35:48,239 -because the supporters say okay we have +02:35:43,500 --> 02:35:48,500 +because the reporter say okay we have an ongoing investigation 4269 -02:35:46,398 --> 02:35:49,519 -an ongoing investigation so you don't - -4270 -02:35:48,239 --> 02:35:51,600 -want to be here - -4271 -02:35:49,520 --> 02:35:53,120 -um other parties are informed so in this +02:35:48,500 --> 02:35:51,500 +so you don't want the other parties are informed. 4272 -02:35:51,600 --> 02:35:56,800 -case i will use - -4273 -02:35:53,120 --> 02:35:58,800 -red and again this is used at even level +02:35:51,500 --> 02:35:56,500 +So in this case, I will use RED and again this is used at event level 4274 -02:35:56,799 --> 02:36:00,478 -and that's something quite important - -4275 -02:35:58,799 --> 02:36:02,719 -because myth will take care of that +02:35:56,500 --> 02:36:00,500 +and that's something quite important because MISP will take care of that. 
4276 -02:36:00,478 --> 02:36:04,639 -um you don't need to set pp rate on - -4277 -02:36:02,719 --> 02:36:07,920 -every single attribute +02:36:00,478 --> 02:36:04,500 +You don't need to set "PAP: RED" on every single attribute. 4278 -02:36:04,639 --> 02:36:09,279 -behind it's really at even level so it's - -4279 -02:36:07,920 --> 02:36:12,239 -automatically - -4280 -02:36:09,280 --> 02:36:14,0 -9369.28 --> 9374 -irritating on all attributes we don't +02:36:04,639 --> 02:36:11,500 +Behind, it's really at event level so it's automatically allocating on all attributes 4281 -02:36:12,239 --> 02:36:16,0 -9372.24 --> 9376 -show it on the interface - -4282 -02:36:14,0 --> 02:36:18,239 -9374 --> 9378.24 -because it will be two clamps to you +02:36:11,500 --> 02:36:15,500 +We don't show it on the interface because it will be too cramp. 4283 -02:36:16,0 --> 02:36:21,600 -9376 --> 9381.6 -know overload it with information - -4284 -02:36:18,239 --> 02:36:23,280 -but we do it in a way that's on the api +02:36:16,0 --> 02:36:21,500 +You know, overloaded with information but we do it in a way that's on the API level. 4285 -02:36:21,600 --> 02:36:26,0 -9381.6 --> 9386 -level if you do section of search for - -4286 -02:36:23,280 --> 02:36:28,319 -example on even level or attribute level +02:36:21,600 --> 02:36:25,500 +If you do {inaudible} search. 
for example on event level or attribute level 4287 -02:36:26,0 --> 02:36:30,318 -9386 --> 9390.319 -pip red will be included there if you +02:36:25,500 --> 02:36:32,500 +"PAP: RED" will be included there if you have an attribute containing some information 4288 -02:36:28,318 --> 02:36:32,318 -have an attribute - -4289 -02:36:30,318 --> 02:36:34,799 -containing some information - -4290 -02:36:32,318 --> 02:36:38,559 -automatically tags like papers will be - -4291 -02:36:34,799 --> 02:36:40,0 -9394.8 --> 9400 -then included into the information so +02:36:32,500 --> 02:36:38,500 +automatically tags like "PAP: RED" will be then included into the information. 4292 -02:36:38,559 --> 02:36:41,840 -that's something to keep in mind when we - -4293 -02:36:40,0 --> 02:36:43,359 -9400 --> 9403.359 -have information from third party +02:36:38,500 --> 02:36:41,500 +So that's something to keep in mind when we have information from third party 4294 -02:36:41,840 --> 02:36:45,439 -is to to wonder okay what is a +02:36:41,500 --> 02:36:45,0 +is to to wonder okay what is the classification scheme 4295 -02:36:43,359 --> 02:36:46,559 -classification scheme so sometimes they - -4296 -02:36:45,439 --> 02:36:48,398 -don't say - -4297 -02:36:46,559 --> 02:36:50,478 -a specific classification to use that - -4298 -02:36:48,398 --> 02:36:53,439 -you just use natural language or +02:36:45,0 --> 02:36:49,500 +so sometimes they don't say a specific classification to use that you just use natural language 4299 -02:36:50,478 --> 02:36:56,159 -just a normal sentence to describe all +02:36:49,500 --> 02:36:54,500 +or just a normal sentence to describe all the information should be shared. 
4300 -02:36:53,439 --> 02:36:57,760 -the information should be shared - -4301 -02:36:56,159 --> 02:36:59,200 -so the interesting thing here is that - -4302 -02:36:57,760 --> 02:37:00,800 -what we've seen now is we've +02:36:54,500 --> 02:36:58,500 +So the interesting thing here is that what we've seen now is 4303 -02:36:59,200 --> 02:37:02,399 -contextualized information in many - -4304 -02:37:00,799 --> 02:37:05,519 -different aspects and this is just - -4305 -02:37:02,398 --> 02:37:08,159 -scraping the uh +02:36:58,500 --> 02:37:01,0 +we've contextualized information in many different aspects 4306 -02:37:05,520 --> 02:37:09,760 -the top layer basically we could go much +02:37:01,0 --> 02:37:07,500 +and this is just scraping the top layer basically 4307 -02:37:08,159 --> 02:37:11,680 -much further with contextualization +02:37:07,500 --> 02:37:09,0 +we could go much much further with contextualization. 4308 -02:37:09,760 --> 02:37:13,359 -imagine for example describing - -4309 -02:37:11,680 --> 02:37:15,120 -how this information is relevant to - -4310 -02:37:13,359 --> 02:37:16,239 -whether it's used what sort of +02:37:09,0 --> 02:37:14,500 +Imagine for example describing how this information is relevant to whether it's used. 4311 -02:37:15,120 --> 02:37:17,920 -mechanisms they should - -4312 -02:37:16,239 --> 02:37:19,760 -have in place to be able to block this +02:37:14,500 --> 02:37:18,0 +What sort of mechanisms they should have in place to be able to block this information? 4313 -02:37:17,920 --> 02:37:20,879 -information how can you make this useful - -4314 -02:37:19,760 --> 02:37:22,159 -think of different maturity - -4315 -02:37:20,879 --> 02:37:23,679 -organizations as well when you're +02:37:18,0 --> 02:37:21,500 +How can you make this useful? 
Think of different maturity organizations as well 4316 -02:37:22,159 --> 02:37:25,280 -sharing information - -4317 -02:37:23,680 --> 02:37:26,639 -you could also describe information +02:37:21,500 --> 02:37:26,500 +when you're sharing information. You could also describe information about who's behind it, 4318 -02:37:25,280 --> 02:37:27,840 -about who's behind it what the - -4319 -02:37:26,639 --> 02:37:29,920 -motivations are - -4320 -02:37:27,840 --> 02:37:31,760 -so we did not describe the threat actor +02:37:26,500 --> 02:37:29,0 +what the motivations are? So we did not describe the threat actor 4321 -02:37:29,920 --> 02:37:33,359 -because we we haven't done any analysis - -4322 -02:37:31,760 --> 02:37:34,318 -yet this is the initial information we +02:37:29,0 --> 02:37:32,0 +because we haven't done any analysis yet. 4323 -02:37:33,359 --> 02:37:36,640 -got from - -4324 -02:37:34,318 --> 02:37:38,959 -a cser that just reported an incident to +02:37:32,0 --> 02:37:36,500 +This is the initial information we got from a CSIRT that just reported an incident to us 4325 -02:37:36,639 --> 02:37:41,39 -us but we could go further and we - -4326 -02:37:38,959 --> 02:37:42,799 -if we did our analysis we would find +02:37:36,500 --> 02:37:41,500 +but we could go further and if we did our analysis we would find who's behind this 4327 -02:37:41,40 --> 02:37:44,960 -who's behind this we could go for it - -4328 -02:37:42,799 --> 02:37:47,119 -for uh for information with threat actor - -4329 -02:37:44,959 --> 02:37:49,279 -we could look at target sectors +02:37:41,500 --> 02:37:46,500 +we could go for information with the threat actor, we could look at target sectors 4330 -02:37:47,120 --> 02:37:51,600 -we could look at a lot of different - -4331 -02:37:49,280 --> 02:37:52,960 -information in regards to - -4332 -02:37:51,600 --> 02:37:55,439 -to further contextualizing the - -4333 -02:37:52,959 --> 02:37:55,438 -information +02:37:46,500 --> 02:37:53,500 +we could look at a lot 
of different information in regards to to further contextualizing the information. 4334 -02:37:58,239 --> 02:38:01,439 -so in this case we could also for - -4335 -02:37:59,600 --> 02:38:02,479 -example say that's in the truth where +02:37:58,0 --> 02:38:00,500 +So in this case we could also, for example say that's in the {inaudible} where 4336 -02:38:01,439 --> 02:38:03,680 -because we we know that this is - -4337 -02:38:02,478 --> 02:38:05,119 -something that was targeting an - -4338 -02:38:03,680 --> 02:38:07,760 -organization luxembourg +02:38:00,500 --> 02:38:04,500 +because we know that this is something that was targeting an organization in Luxembourg. 4339 -02:38:05,120 --> 02:38:08,720 -we know it was there is also a sector uh +02:38:04,500 --> 02:38:09,500 +We know there is also a sector taxonomy that you can use 4340 -02:38:07,760 --> 02:38:11,359 -taxonomy - -4341 -02:38:08,719 --> 02:38:12,639 -that you can use so that's not a galaxy - -4342 -02:38:11,359 --> 02:38:14,720 -but the taxonomy +02:38:09,500 --> 02:38:12,500 +so that's not a galaxy but the taxonomy. 4343 -02:38:12,639 --> 02:38:16,398 -so we can also add uh for example - -4344 -02:38:14,719 --> 02:38:17,438 -information about the financial sector +02:38:12,500 --> 02:38:16,0 +So we can also add for example information about the financial sector 4345 -02:38:16,398 --> 02:38:20,79 -we know the ceo - -4346 -02:38:17,439 --> 02:38:21,600 -is a ceo financial sector organization +02:38:16,0 --> 02:38:19,500 +We know the CEO is a CEO of a financial sector organization. 4347 -02:38:20,79 --> 02:38:23,760 -so we could also say that it's - -4348 -02:38:21,600 --> 02:38:25,120 -it probably has to do with that as well +02:38:20,79 --> 02:38:23,500 +So we could also say that it's probably has to do with that as well. 4349 -02:38:23,760 --> 02:38:29,840 -maybe it's not enabled +02:38:23,760 --> 02:38:25,500 +Maybe it's not enabled, sorry about that. 
4350 -02:38:25,120 --> 02:38:29,840 -sorry about that yeah this is +02:38:25,500 --> 02:38:32,0 +Yeah this one never. But if you search... Yeah, exactly, there. 4351 -02:38:31,200 --> 02:38:35,200 -exactly there if you just search for - -4352 -02:38:33,840 --> 02:38:37,680 -sector it should be there +02:38:32,0 --> 02:38:34,500 +If you just search for "sector", it should be there. 4353 -02:38:35,200 --> 02:38:38,319 -yeah but i'm i'm yeah there's something - -4354 -02:38:37,680 --> 02:38:41,600 -that you can do +02:38:34,500 --> 02:38:40,500 +Yeah but I'm... Yeah there's something that you can do talk about it later but it's... 4355 -02:38:38,318 --> 02:38:46,79 -talk about about later but it's uh - -4356 -02:38:41,600 --> 02:38:48,159 -just a sector so we have different one +02:38:40,500 --> 02:38:45,0 +"sector" so we have different one. 4357 -02:38:46,79 --> 02:38:49,680 -you did find that so if you there was - -4358 -02:38:48,159 --> 02:38:51,840 -one for finance you can just pick that - -4359 -02:38:49,680 --> 02:38:51,840 -yeah +02:38:45,0 --> 02:38:50,500 +Maybe you find that so if... there was one for finance you can just pick that, yeah. 4360 -02:38:52,639 --> 02:38:57,519 -something else you can you can do and +02:38:50,500 --> 02:38:56,500 +Yeah, something else you can do and this one is important too, 4361 -02:38:54,879 --> 02:38:59,39 -this one is important too it's it's - -4362 -02:38:57,520 --> 02:39:01,280 -going a bit further than the email so +02:38:56,500 --> 02:39:00,500 +it's going a bit further than the email. 
So for example, as a source 4363 -02:38:59,40 --> 02:39:02,560 -for example as a source we receive - -4364 -02:39:01,280 --> 02:39:04,79 -emails from various people - -4365 -02:39:02,559 --> 02:39:05,359 -i mean if i receive an email from i +02:38:59,40 --> 02:39:04,0 +we receive emails from various people, I mean if I receive an email from, 4366 -02:39:04,79 --> 02:39:05,920 -don't know from an analyst from i don't +02:39:04,0 --> 02:39:07,000 +I don't know, from an analyst from, I don't know, he is at Mcafee and so on, 4367 -02:39:05,359 --> 02:39:08,720 -know - -4368 -02:39:05,920 --> 02:39:10,478 -he set mcafee and found that i'm working - -4369 -02:39:08,719 --> 02:39:12,719 -with them for years - -4370 -02:39:10,478 --> 02:39:13,679 -my confidence on this information is - -4371 -02:39:12,719 --> 02:39:16,79 -quite high +02:39:07,000 --> 02:39:13,500 +that I'm working with them for years my confidence on this information is quite high. 4372 -02:39:13,680 --> 02:39:17,600 -on the other hand if i receive an email - -4373 -02:39:16,79 --> 02:39:19,39 -from someone unknown - -4374 -02:39:17,600 --> 02:39:20,880 -maybe my confidence will be a bit - -4375 -02:39:19,40 --> 02:39:22,479 -different so +02:39:13,500 --> 02:39:19,0 +On the other hand, if I receive an email from someone unknown maybe my confidence will be a bit different. 4376 -02:39:20,879 --> 02:39:24,478 -in myths you have plenty of taxonomies - -4377 -02:39:22,478 --> 02:39:26,239 -to express confidence +02:39:19,0 --> 02:39:23,500 +So in MISP, you have plenty of taxonomies to express confidence. 
4378 -02:39:24,478 --> 02:39:28,799 -for example the one that is actively - -4379 -02:39:26,239 --> 02:39:32,0 -9566.24 --> 9572 -used for empowering the military - -4380 -02:39:28,799 --> 02:39:34,799 -network is scale or nato scale +02:39:23,500 --> 02:39:31,500 +For example, the one that is actively used, for example, the military network is Admiralty Scale or NATO scale 4381 -02:39:32,0 --> 02:39:35,920 -9572 --> 9575.92 -where you can basically define the - -4382 -02:39:34,799 --> 02:39:37,438 -credibility of the +02:39:31,500 --> 02:39:36,500 +where you can basically define the credibility of the source. 4383 -02:39:35,920 --> 02:39:39,600 -of the source in this case we can say - -4384 -02:39:37,439 --> 02:39:40,639 -that we are we know the source and is - -4385 -02:39:39,600 --> 02:39:43,40 -usually really - -4386 -02:39:40,639 --> 02:39:45,358 -reliable so that's the source itself and +02:39:36,500 --> 02:39:43,500 +In this case, we can say that we know the source and is usually reliable so that's the source itself. 4387 -02:39:43,40 --> 02:39:46,80 -we can say for this specific information - -4388 -02:39:45,359 --> 02:39:49,280 -that is - -4389 -02:39:46,79 --> 02:39:51,39 -um probably true - -4390 -02:39:49,280 --> 02:39:53,439 -because they send us some evidence now +02:39:43,500 --> 02:39:51,500 +and we can say for this specific information that is probably true because they send us some evidence. 
4391 -02:39:51,40 --> 02:39:53,760 -if i have like three emails taking about - -4392 -02:39:53,439 --> 02:39:57,840 -this - -4393 -02:39:53,760 --> 02:39:59,760 -talking about the same case maybe my - -4394 -02:39:57,840 --> 02:40:01,120 -level of credibility will increase +02:39:51,500 --> 02:39:59,500 +Now if I have like three emails talking about the same case maybe my level of credibility will increase 4395 -02:39:59,760 --> 02:40:03,359 -because we have multiple people that - -4396 -02:40:01,120 --> 02:40:04,640 -have seen exactly the same kind of thing +02:39:59,500 --> 02:40:03,500 +because we have multiple people that have seen exactly the same kind of thing 4397 -02:40:03,359 --> 02:40:07,120 -so in this case i will have those kind +02:40:03,500 --> 02:40:06,500 +So in this case I will have those kind of information there 4398 -02:40:04,639 --> 02:40:07,920 -of information there again it's it's a - -4399 -02:40:07,120 --> 02:40:10,0 -9607.12 --> 9610 -way to - -4400 -02:40:07,920 --> 02:40:12,639 -really contextualize information and the - -4401 -02:40:10,0 --> 02:40:15,760 -9610 --> 9615.76 -quality of the information +02:40:06,500 --> 02:40:11,500 +Again it's a way to really contextualize information and the quality of the information 4402 -02:40:12,639 --> 02:40:17,599 -and you have for example +02:40:11,500 --> 02:40:19,500 +and you have, for example, additional one like, for example, we have one called "estimative-language". 4403 -02:40:15,760 --> 02:40:19,760 -additional one like for example we have - -4404 -02:40:17,600 --> 02:40:22,720 -one called estimative language - -4405 -02:40:19,760 --> 02:40:23,520 -so this one is more coming from dna and - -4406 -02:40:22,719 --> 02:40:25,599 -the cias +02:40:19,760 --> 02:40:23,500 +so this one is more coming from DNI and the CIA. 
4407 -02:40:23,520 --> 02:40:27,439 -it's like the likelihood of probability - -4408 -02:40:25,600 --> 02:40:28,960 -that this happen +02:40:23,500 --> 02:40:26,500 +It's like the likelihood of probability that this happen. 4409 -02:40:27,439 --> 02:40:30,720 -so we can say that this one has been - -4410 -02:40:28,959 --> 02:40:31,599 -almost certain and then we can even - -4411 -02:40:30,719 --> 02:40:34,639 -qualify +02:40:27,439 --> 02:40:31,0 +So we can say that this one has been almost certain and then we can even qualify 4412 -02:40:31,600 --> 02:40:36,880 -or own an analytic judgment on this - -4413 -02:40:34,639 --> 02:40:37,680 -and i can say that it was like quickly +02:40:31,0 --> 02:40:37,0 +or own analysis judgment on this and I can say that it was like quickly done 4414 -02:40:36,879 --> 02:40:39,920 -done and it's - -4415 -02:40:37,680 --> 02:40:40,880 -not perfect i will just say low for - -4416 -02:40:39,920 --> 02:40:42,318 -example +02:40:37,0 --> 02:40:40,500 +and it's not perfect, I will just say low for example. 4417 -02:40:40,879 --> 02:40:43,920 -so then you can have this kind of +02:40:40,500 --> 02:40:43,500 +So then you can have this kind of information. 4418 -02:40:42,318 --> 02:40:46,318 -information and you can - -4419 -02:40:43,920 --> 02:40:48,159 -either use it as an even level again or +02:40:42,318 --> 02:40:47,500 +And you can either use it as an event level again or a specific attribute. 
4420 -02:40:46,318 --> 02:40:50,0 -9646.319 --> 9650 -a specific review so for example if one - -4421 -02:40:48,159 --> 02:40:52,239 -of the emails it was like - -4422 -02:40:50,0 --> 02:40:54,159 -9650 --> 9654.16 -not properly collected or it was skirts +02:40:46,318 --> 02:40:52,500 +So for example, if one of the emails it was like, not properly collected or it was skirts, 4423 -02:40:52,239 --> 02:40:55,840 -or someone modified leather and so on - -4424 -02:40:54,159 --> 02:40:58,959 -maybe you can reduce +02:40:52,500 --> 02:40:55,500 +or someone modified the headers and so on, maybe you can reduce 4425 -02:40:55,840 --> 02:41:00,0 -9655.84 --> 9660 -the summative language of the confidence - -4426 -02:40:58,959 --> 02:41:02,0 -9658.96 --> 9662 -level that you have - -4427 -02:41:00,0 --> 02:41:03,359 -9660 --> 9663.359 -in the analytic judgment of the specific - -4428 -02:41:02,0 --> 02:41:06,79 -9662 --> 9666.08 -evidence or element +02:40:55,500 --> 02:40:59,500 +the summative language of the confidence level that you have 4429 -02:41:03,359 --> 02:41:06,960 -by tagging that at attribute level so - -4430 -02:41:06,79 --> 02:41:08,239 -again +02:40:59,500 --> 02:41:06,500 +in the analytic judgment of the specific evidence or element by tagging that at the attribute level. 4431 -02:41:06,959 --> 02:41:10,0 -9666.96 --> 9670 -those kind of information that we are - -4432 -02:41:08,239 --> 02:41:10,639 -putting there are factors and so on are - -4433 -02:41:10,0 --> 02:41:12,799 -9670 --> 9672.8 -more like +02:41:06,500 --> 02:41:11,500 +So again, those kind of information that we are putting there are factors and so on and more like event level. 
4434 -02:41:10,639 --> 02:41:15,199 -even level but if you have really - -4435 -02:41:12,799 --> 02:41:17,278 -specific things that need to be changed +02:41:11,500 --> 02:41:15,500 +But if you have really specific things that need to be changed 4436 -02:41:15,200 --> 02:41:19,439 -or that are specific to the attribute or - -4437 -02:41:17,279 --> 02:41:24,239 -object then you can - -4438 -02:41:19,439 --> 02:41:24,239 -change it in the at the absolute level +02:41:15,500 --> 02:41:22,500 +or that are specific to the attribute or object then you can change it at the attribute level. 4439 -02:41:26,79 --> 02:41:29,200 -just some other thing on the user - -4440 -02:41:27,520 --> 02:41:31,120 -interface that might be useful too that - -4441 -02:41:29,200 --> 02:41:33,520 -we skipped +02:41:26,0 --> 02:41:29,500 +Just some other thing on the user interface that might be useful too that we skipped. 4442 -02:41:31,120 --> 02:41:35,840 -on the metadata of the event you have - -4443 -02:41:33,520 --> 02:41:37,359 -plenty of information there +02:41:29,500 --> 02:41:34,500 +On the metadata of the event you have plenty of information there. 4444 -02:41:35,840 --> 02:41:39,359 -why that is interesting regarding - -4445 -02:41:37,359 --> 02:41:40,960 -organization only and distribution +02:41:35,840 --> 02:41:39,0 +Why that is interesting regarding "organization only" and "distribution", 4446 -02:41:39,359 --> 02:41:42,399 -in this case we just distribute to the - -4447 -02:41:40,959 --> 02:41:44,239 -organization but - -4448 -02:41:42,398 --> 02:41:45,920 -if you have pretty large even at some +02:41:39,0 --> 02:41:41,500 +In this case, we just distribute to the organization 4449 -02:41:44,239 --> 02:41:47,760 -point in time and you want to distribute +02:41:41,500 --> 02:41:45,500 +but if you have pretty large event at some point in time and you want to distribute. 
4450 -02:41:45,920 --> 02:41:49,359 -you have this kind of overview there - -4451 -02:41:47,760 --> 02:41:51,40 -which is helping you to - -4452 -02:41:49,359 --> 02:41:53,359 -see at which level you share this +02:41:45,500 --> 02:41:51,500 +You have this kind of overview there which is helping you to see at which level you share this information 4453 -02:41:51,40 --> 02:41:55,200 -information in this case it's super easy - -4454 -02:41:53,359 --> 02:41:56,960 -we just distribute it to the training - -4455 -02:41:55,200 --> 02:41:58,960 -organization that's fine +02:41:51,500 --> 02:41:56,500 +In this case, it's super easy. We just distribute it to the training organization, that's fine. 4456 -02:41:56,959 --> 02:42:00,879 -but if you have a pretty large instance - -4457 -02:41:58,959 --> 02:42:02,959 -with a lot of organization and so on +02:41:56,500 --> 02:42:00,500 +But if you have a pretty large instance with a lot of organization and so on 4458 -02:42:00,879 --> 02:42:04,719 -it will display you a full graph of - -4459 -02:42:02,959 --> 02:42:07,759 -where the information will flow - -4460 -02:42:04,719 --> 02:42:07,760 -and will be distributed +02:42:00,500 --> 02:42:06,500 +It will display you a full graph of where the information will flow and will be distributed. 4461 -02:42:08,478 --> 02:42:12,239 -okay now going back to our event uh - -4462 -02:42:11,439 --> 02:42:13,840 -basically - -4463 -02:42:12,239 --> 02:42:15,520 -the reason why we went so deeply into +02:42:08,0 --> 02:42:14,500 +Okay. 
Now going back to our event, basically the reason why we went so deeply into the contextualization part 4464 -02:42:13,840 --> 02:42:16,318 -the contextualization part is looking at - -4465 -02:42:15,520 --> 02:42:20,0 -9735.52 --> 9740 -this event - -4466 -02:42:16,318 --> 02:42:21,680 -we can already uh use this right away +02:42:14,500 --> 02:42:21,500 +is looking at this event we can already use this right away when feeding our tools, 4467 -02:42:20,0 --> 02:42:22,639 -9740 --> 9742.64 -when feeding our tools when doing our - -4468 -02:42:21,680 --> 02:42:24,159 -searches - -4469 -02:42:22,639 --> 02:42:25,760 -to basically search for anything - -4470 -02:42:24,159 --> 02:42:26,478 -targeting the financial sector for - -4471 -02:42:25,760 --> 02:42:29,439 -example +02:42:20,0 --> 02:42:26,500 +when doing our searches, to basically search for anything targeting the financial sector for example. 4472 -02:42:26,478 --> 02:42:30,159 -we can search for anything related to - -4473 -02:42:29,439 --> 02:42:33,359 -phishing - -4474 -02:42:30,159 --> 02:42:35,119 -and find the data contained in this +02:42:26,500 --> 02:42:34,0 +we can search for anything related to phishing and find the data contained in this particular event 4475 -02:42:33,359 --> 02:42:37,600 -particular event so this already helps +02:42:34,0 --> 02:42:46,500 +So this already helps us with our filtering mechanisms. 
4476 -02:42:35,120 --> 02:42:41,40 -us with our filtering mechanisms - -4477 -02:42:37,600 --> 02:42:42,960 -as for pap and tlp those - -4478 -02:42:41,40 --> 02:42:45,120 -tags we can use when we make decisions - -4479 -02:42:42,959 --> 02:42:47,438 -on which tools we feed +02:42:46,500 --> 02:42:46,500 +As for PAP and TLP, those tags we can use when we make decisions on which tools we feed the data to 4480 -02:42:45,120 --> 02:42:49,279 -the data to or which partners we share - -4481 -02:42:47,439 --> 02:42:49,840 -the information within the case of tlp +02:42:46,500 --> 02:42:49,500 +or which partners we share the information within the case of TLP. 4482 -02:42:49,279 --> 02:42:51,200 -so - -4483 -02:42:49,840 --> 02:42:52,719 -we're going to see that more tomorrow - -4484 -02:42:51,200 --> 02:42:54,319 -when we're creating synchronization - -4485 -02:42:52,719 --> 02:42:57,278 -links with other instances +02:42:49,500 --> 02:42:54,500 +So we're going to see that more tomorrow when we're creating synchronization links with other instances. 4486 -02:42:54,318 --> 02:42:57,920 -we can for example set restrictions on - -4487 -02:42:57,279 --> 02:43:00,79 -tlp - -4488 -02:42:57,920 --> 02:43:01,600 -when we're pushing data to another node +02:42:54,500 --> 02:43:01,0 +We can for example set restrictions on TLP when we're pushing data to another node and we can say 4489 -02:43:00,79 --> 02:43:04,159 -and we can say okay - -4490 -02:43:01,600 --> 02:43:06,0 -9781.6 --> 9786 -no matter what distribution setting - -4491 -02:43:04,159 --> 02:43:07,520 -don't send anything tlp amber in this - -4492 -02:43:06,0 --> 02:43:09,439 -9786 --> 9789.439 -direction for example +02:43:01,0 --> 02:43:07,500 +okay, no matter what distribution setting don't send anything TLP Amber in this direction for example. 
4493 -02:43:07,520 --> 02:43:11,279 -yeah as an example as an example there's - -4494 -02:43:09,439 --> 02:43:12,398 -a very good open source tool um called - -4495 -02:43:11,279 --> 02:43:15,520 -the hive - -4496 -02:43:12,398 --> 02:43:17,119 -for serending and they use pap to +02:43:07,500 --> 02:43:13,500 +Yeah, as an example there's a very good open source tool called TheHive for threat hunting 4497 -02:43:15,520 --> 02:43:19,120 -know which kind of actions they can do +02:43:13,500 --> 02:43:17,0 +and they use PAP to know which kind of actions they can do on the data. 4498 -02:43:17,120 --> 02:43:22,560 -on the data so if you synchronize them - -4499 -02:43:19,120 --> 02:43:25,680 -with the hive instance you can - -4500 -02:43:22,559 --> 02:43:28,318 -really be sure that what you set +02:43:17,00 --> 02:43:24,0 +So if you synchronize MISP with TheHive instance you can really be sure that 4501 -02:43:25,680 --> 02:43:29,120 -as pep for example red on the lisp - -4502 -02:43:28,318 --> 02:43:30,959 -instance +02:43:24,0 --> 02:43:30,0 +what you set as PAP for example "RED" on the MISP instance will not generate issues 4503 -02:43:29,120 --> 02:43:33,120 -will not generate issues when you are - -4504 -02:43:30,959 --> 02:43:35,438 -starting to expansion within - -4505 -02:43:33,120 --> 02:43:37,359 -cortex on the ice to be sure that the +02:43:30,0 --> 02:43:34,500 +when you are starting to expansion within Cortex on TheHive 4506 -02:43:35,439 --> 02:43:40,559 -information is not basically flowing - -4507 -02:43:37,359 --> 02:43:42,880 -somewhere else so at this point +02:43:34,500 --> 02:43:38,500 +to be sure that the information is not basically flowing somewhere else. 4508 -02:43:40,559 --> 02:43:43,840 -something that we didn't do so far is we - -4509 -02:43:42,879 --> 02:43:45,839 -did not include the +02:43:38,500 --> 02:43:45,500 +So at this point something that we didn't do so far is we did not include the initial email. 
4510 -02:43:43,840 --> 02:43:47,680 -on the initial email so what we're going - -4511 -02:43:45,840 --> 02:43:48,960 -to do now is we're going to use another - -4512 -02:43:47,680 --> 02:43:51,200 -functionality of this that we haven't +02:43:45,500 --> 02:43:48,0 +So what we're going to do now is we're going to use another functionality of MISP 4513 -02:43:48,959 --> 02:43:54,79 -talked much about called the report +02:43:48,0 --> 02:43:52,500 +that we haven't talked much about called the report, the event report. 4514 -02:43:51,200 --> 02:43:55,760 -the event report we can also include - -4515 -02:43:54,79 --> 02:43:58,639 -clear text - -4516 -02:43:55,760 --> 02:44:00,398 -information such as a report description - -4517 -02:43:58,639 --> 02:44:01,599 -and so on together with the event +02:43:51,200 --> 02:44:00,0 +We can also include clear text information such as a report description and so on together with the event. 4518 -02:44:00,398 --> 02:44:03,439 -so what we're going to do now is - -4519 -02:44:01,600 --> 02:44:05,200 -something very simple we're not going to +02:44:00,398 --> 02:44:04,500 +So what we're going to do now is something very simple, we're not going to write our own report. 4520 -02:44:03,439 --> 02:44:06,720 -write our own report we have a report - -4521 -02:44:05,200 --> 02:44:07,439 -already available from the original - -4522 -02:44:06,719 --> 02:44:09,119 -source +02:44:04,500 --> 02:44:07,500 +We have a report already available from the original source 4523 -02:44:07,439 --> 02:44:11,439 -so we're just going to paste that entire - -4524 -02:44:09,120 --> 02:44:11,439 -email +02:44:07,500 --> 02:44:11,0 +so we're just going to paste that entire email in. 4525 -02:44:14,398 --> 02:44:19,840 -okay just submit for now - -4526 -02:44:21,579 --> 02:44:24,770 -[Music] +02:44:14,0 --> 02:44:17,0 +Okay. Just submit for now. 
4527 -02:44:26,239 --> 02:44:29,920 -so now if you look at our email - -4528 -02:44:30,318 --> 02:44:34,0 -9870.319 --> 9874 -report we just have a simple report +02:44:26,0 --> 02:44:33,500 +So now if you look at our email report we just have a simple report here in clear text. 4529 -02:44:31,920 --> 02:44:35,359 -during gear text we're going to see an - -4530 -02:44:34,0 --> 02:44:36,879 -9874 --> 9876.88 -example what you can do with this so +02:44:33,500 --> 02:44:36,500 +We're going to see an example what you can do with this. So this is all in markdown 4531 -02:44:35,359 --> 02:44:39,359 -this is all in markdown - -4532 -02:44:36,879 --> 02:44:41,438 -so you could go into edit mode and - -4533 -02:44:39,359 --> 02:44:41,920 -pretty it up add additional information - -4534 -02:44:41,439 --> 02:44:43,600 -there - +02:44:36,500 --> 02:44:41,500 +so you could go into edit mode and pretty it up, add additional information there. + 4535 -02:44:41,920 --> 02:44:45,40 -we're not going to do that now because - -4536 -02:44:43,600 --> 02:44:46,0 -9883.6 --> 9886 -we're going to just look at an example - -4537 -02:44:45,40 --> 02:44:47,920 -that already has that +02:44:41,500 --> 02:44:46,0 +We're not going to do that now because we're going to just look at an example that already has that 4538 -02:44:46,0 --> 02:44:49,520 -9886 --> 9889.52 -but before we do that let's get back to - -4539 -02:44:47,920 --> 02:44:51,279 -our event and let's assume that we're - -4540 -02:44:49,520 --> 02:44:51,680 -done with it with this entire process we +02:44:46,0 --> 02:44:51,0 +but before we do that let's get back to our event and let's assume that we're done this entire process. 
4541 -02:44:51,279 --> 02:44:53,520 -have our +02:44:51,0 --> 02:44:55,500 +We have our report, we have our event we have contextualized all our data 4542 -02:44:51,680 --> 02:44:54,800 -report we have our event we have - -4543 -02:44:53,520 --> 02:44:56,560 -contextualized all - -4544 -02:44:54,799 --> 02:44:57,920 -our data and let's publish it now to the - -4545 -02:44:56,559 --> 02:44:59,840 -community +02:44:55,500 --> 02:44:57,500 +and let's publish it now to the community. 4546 -02:44:57,920 --> 02:45:01,520 -so when it comes to publishing we have - -4547 -02:44:59,840 --> 02:45:05,120 -different uh - -4548 -02:45:01,520 --> 02:45:06,720 -uh ways of achieving that ms by default +02:44:57,500 --> 02:45:04,500 +So when it comes to publishing we have different ways of achieving that in MISP. 4549 -02:45:05,120 --> 02:45:08,640 -when we create an event like this at +02:45:04,500 --> 02:45:07,500 +By default, when we create an event like this, at this stage 4550 -02:45:06,719 --> 02:45:10,159 -this stage we have all the data - -4551 -02:45:08,639 --> 02:45:11,439 -contained that we want to share out and - -4552 -02:45:10,159 --> 02:45:13,520 -that we want to use +02:45:07,500 --> 02:45:11,500 +we have all the data contained that we want to share out and that we want to use 4553 -02:45:11,439 --> 02:45:14,639 -however misconsiders this to be - -4554 -02:45:13,520 --> 02:45:17,279 -non-final - -4555 -02:45:14,639 --> 02:45:19,358 -it is not to be used by automation tools - -4556 -02:45:17,279 --> 02:45:20,960 -connected to this +02:45:11,500 --> 02:45:18,500 +however MISP considers this to be non-final, it is not to be used by automation tools connected to MISP, 4557 -02:45:19,359 --> 02:45:22,479 -it is not going to be synchronized out - -4558 -02:45:20,959 --> 02:45:25,759 -to other instances - -4559 -02:45:22,478 --> 02:45:28,959 -and uh and so on +02:45:18,500 --> 02:45:24,500 +it is not going to be synchronized out to other instances and so on. 
4560 -02:45:25,760 --> 02:45:31,279 -what we can do now is first of all - -4561 -02:45:28,959 --> 02:45:34,318 -we need to decide how we shared it out +02:45:25,500 --> 02:45:31,500 +And what we can do now is first of all we need to decide how we shared it out 4562 -02:45:31,279 --> 02:45:35,840 -it is the organization only for now - -4563 -02:45:34,318 --> 02:45:38,639 -so even if we were to publish it it +02:45:31,500 --> 02:45:35,500 +it is the organization only for now so even if we were to publish it 4564 -02:45:35,840 --> 02:45:40,719 -would still only be pushed to our own +02:45:35,500 --> 02:45:40,500 +would still only be pushed to our own tools that connect to our MISP 4565 -02:45:38,639 --> 02:45:42,239 -tools that connect to our miss but it - -4566 -02:45:40,719 --> 02:45:44,159 -would not be made visible to other - -4567 -02:45:42,239 --> 02:45:45,119 -organizations but we want to change this - -4568 -02:45:44,159 --> 02:45:48,0 -9944.16 --> 9948 -in this case +02:45:40,500 --> 02:45:45,500 +but it would not be made visible to other organizations but we want to change this, in this case. 4569 -02:45:45,120 --> 02:45:49,520 -however let's assume that uh that when - -4570 -02:45:48,0 --> 02:45:52,398 -9948 --> 9952.399 -we're an organization - -4571 -02:45:49,520 --> 02:45:53,840 -that does not wish to reveal who we uh +02:45:45,500 --> 02:45:51,500 +However, let's assume that we are an organization that does not wish to reveal 4572 -02:45:52,398 --> 02:45:56,159 -that we were involved in - -4573 -02:45:53,840 --> 02:45:58,239 -in this entire incident we just want to - -4574 -02:45:56,159 --> 02:46:00,318 -entrust the third party with doing it +02:45:51,500 --> 02:45:58,500 +that we were involved in this entire incident. We just want to entrust the third party with doing it. 
4575 -02:45:58,239 --> 02:46:01,600 -so as you see there where alex is - -4576 -02:46:00,318 --> 02:46:02,318 -hovering we basically have several - -4577 -02:46:01,600 --> 02:46:03,840 -options here +02:45:58,500 --> 02:46:02,500 +So as you see there, where Alex is hovering. We basically have several options here. 4578 -02:46:02,318 --> 02:46:06,559 -we can either publish the event which - -4579 -02:46:03,840 --> 02:46:08,79 -means we initiate the entire exchange +02:46:02,500 --> 02:46:07,0 +We can either publish the event which means we initiate the entire exchange with other instances 4580 -02:46:06,559 --> 02:46:10,559 -with other instances if the - -4581 -02:46:08,79 --> 02:46:12,159 -distribution allows it it will it will - -4582 -02:46:10,559 --> 02:46:12,719 -alert everyone that we have published - -4583 -02:46:12,159 --> 02:46:14,799 -this +02:46:07,0 --> 02:46:12,500 +if the distribution allows it. It will alert everyone that we have published this 4584 -02:46:12,719 --> 02:46:16,478 -or alternatively we can we can delegate - -4585 -02:46:14,799 --> 02:46:18,159 -the publishing to third party and stay +02:46:12,500 --> 02:46:17,0 +or alternatively we can delegate the publishing to third party and stay anonymous ourselves 4586 -02:46:16,478 --> 02:46:20,879 -anonymous ourselves so let's do that - -4587 -02:46:18,159 --> 02:46:22,159 -option for now - -4588 -02:46:20,879 --> 02:46:24,0 -9980.88 --> 9984 -so what we're doing now is we're - -4589 -02:46:22,159 --> 02:46:26,478 -entrusting a third party to take over +02:46:17,0 --> 02:46:22,0 +So let's do that option for now. 
So what we're doing now is 4590 -02:46:24,0 --> 02:46:28,559 -9984 --> 9988.56 -this event for us so let's say that we +02:46:22,0 --> 02:46:25,500 +we're entrusting a third party to take over this event for us 4591 -02:46:26,478 --> 02:46:30,478 -would entrust for example circle to take - -4592 -02:46:28,559 --> 02:46:32,398 -over this event +02:46:25,500 --> 02:46:29,500 +so let's say that we would entrust, say for example CIRCL, to take over this event 4593 -02:46:30,478 --> 02:46:34,79 -and we tell circle that we want to share - -4594 -02:46:32,398 --> 02:46:36,840 -this event to be shared with - -4595 -02:46:34,79 --> 02:46:39,840 -uh the entire community so we've +02:46:29,500 --> 02:46:35,0 +and we tell CIRCL that we want to share this event, to be shared with the entire community. 4596 -02:46:36,840 --> 02:46:39,840 -collected +02:46:35,0 --> 02:46:37,500 +so we've collected.. 4597 -02:46:45,600 --> 02:46:49,359 -yeah you can see this community only for - -4598 -02:46:47,359 --> 02:46:50,840 -example or a sharing group whatever you - -4599 -02:46:49,359 --> 02:46:53,520 -prefer +02:46:45,0 --> 02:46:50,500 +Yeah and you can see "This community only" for example or a sharing group whatever you prefer. 4600 -02:46:50,840 --> 02:46:55,279 -okay so this is again a suggestion to - -4601 -02:46:53,520 --> 02:46:56,960 -the other organization saying okay we +02:46:50,500 --> 02:46:55,0 +Okay, so this is again a suggestion to the other organization saying 4602 -02:46:55,279 --> 02:46:57,760 -want you to share this out and we want - -4603 -02:46:56,959 --> 02:47:00,959 -you to share this - -4604 -02:46:57,760 --> 02:47:02,0 -10017.76 --> 10022 -to this community once we click yes +02:46:55,0 --> 02:46:59,500 +okay, we want you to share this out and we want you to share this to this community. 
4605 -02:47:00,959 --> 02:47:04,0 -10020.96 --> 10024 -even though the event was your - -4606 -02:47:02,0 --> 02:47:05,439 -10022 --> 10025.439 -organizational and only visible to us +02:46:59,500 --> 02:47:04,0 +Once we click "Yes", even though the event was your organizationa and only visible to us. 4607 -02:47:04,0 --> 02:47:07,680 -10024 --> 10027.68 -it now becomes visible to two +02:47:04,0 --> 02:47:08,500 +It now becomes visible to two organizations, ourselves and the other organization 4608 -02:47:05,439 --> 02:47:08,960 -organizations ourselves - -4609 -02:47:07,680 --> 02:47:10,720 -and the other organization that we +02:47:08,500 --> 02:47:12,500 +that we entrust in this case CIRCL. So CIRCL would get an email saying 4610 -02:47:08,959 --> 02:47:12,0 -10028.96 --> 10032 -entrust in this case circle so circle - -4611 -02:47:10,719 --> 02:47:14,318 -would get an email - -4612 -02:47:12,0 --> 02:47:16,79 -10032 --> 10036.08 -saying okay there's this delegation +02:47:12,500 --> 02:47:17,500 +Okay, there's this delegation request someone wants you to take over their event 4613 -02:47:14,318 --> 02:47:17,119 -request someone wants you to take over - -4614 -02:47:16,79 --> 02:47:18,398 -their event - -4615 -02:47:17,120 --> 02:47:19,920 -are you willing to take it over and +02:47:17,500 --> 02:47:19,500 +are you willing to take it over and publish it under your name. 
4616 -02:47:18,398 --> 02:47:21,199 -publish it under your name this will - -4617 -02:47:19,920 --> 02:47:23,120 -look something like this with slightly - -4618 -02:47:21,200 --> 02:47:25,920 -different text we're cheating here now +02:47:19,500 --> 02:47:23,0 +This will look something like this with slightly different text we're cheating here now 4619 -02:47:23,120 --> 02:47:27,600 -since we're doing a training we're site - -4620 -02:47:25,920 --> 02:47:28,478 -administrators and we see both sides of - -4621 -02:47:27,600 --> 02:47:30,239 -the story +02:47:23,0 --> 02:47:28,500 +since we're doing a training, we're site administrators so we see both sides of the story, 4622 -02:47:28,478 --> 02:47:31,599 -so we can either accept or discard this - -4623 -02:47:30,239 --> 02:47:33,920 -request keep in mind +02:47:28,500 --> 02:47:33,500 +so we can either accept or discard this request. Keep in mind if you accept such a request, 4624 -02:47:31,600 --> 02:47:35,200 -if you accept such a request the event - -4625 -02:47:33,920 --> 02:47:38,559 -becomes your event - -4626 -02:47:35,200 --> 02:47:40,960 -a copy of it is created under your name - -4627 -02:47:38,559 --> 02:47:42,639 -and basically you are taking +02:47:33,500 --> 02:47:37,500 +the event becomes your event a copy of it is created under your name 4628 -02:47:40,959 --> 02:47:44,239 -responsibility for the event from down +02:47:37,500 --> 02:47:42,500 +and basically you are taking responsibility for the event from now on, 4629 -02:47:42,639 --> 02:47:46,719 -so also make sure that you're not - +02:47:42,500 --> 02:47:45,500 +so also make sure that you're not pushing junk under your name. 
+ 4630 -02:47:44,239 --> 02:47:49,39 -pushing junk under your name so in this +02:47:45,500 --> 02:47:48,500 +So in this case let's just discard it 4631 -02:47:46,719 --> 02:47:50,799 -case let's just discard it - -4632 -02:47:49,40 --> 02:47:53,920 -but we could have accepted it and then - -4633 -02:47:50,799 --> 02:47:57,358 -it would have become our event +02:47:48,500 --> 02:47:52,500 +but we could have accepted it and then it would have become our event. 4634 -02:47:53,920 --> 02:47:57,359 -okay let's go back to the event +02:47:52,500 --> 02:47:56,500 +Okay. Let's go back to the event. 4635 -02:48:00,79 --> 02:48:04,719 -okay so now the other alternative is if - -4636 -02:48:03,200 --> 02:48:06,240 -you want to publish it under our name +02:48:00,0 --> 02:48:04,0 +Okay, so now the other alternative is if you want to publish it under our name, 4637 -02:48:04,719 --> 02:48:07,840 -what you would need to do is you would - -4638 -02:48:06,239 --> 02:48:08,398 -need to raise the distribution level - -4639 -02:48:07,840 --> 02:48:10,639 -first +02:48:04,0 --> 02:48:08,500 +what you would need to do is you would need to raise the distribution level first 4640 -02:48:08,398 --> 02:48:11,599 -if you wanted to uh to involve any other - -4641 -02:48:10,639 --> 02:48:13,39 -parties +02:48:08,500 --> 02:48:12,0 +if you wanted to involve any other parties 4642 -02:48:11,600 --> 02:48:15,680 -so we need to edit the event in that - -4643 -02:48:13,40 --> 02:48:18,240 -case and raise the distribution level to - -4644 -02:48:15,680 --> 02:48:19,439 -say this community or connected +02:48:12,0 --> 02:48:15,500 +So we need to edit the event in that case and raise the distribution level 4645 -02:48:18,239 --> 02:48:20,318 -communities let's go with connected - -4646 -02:48:19,439 --> 02:48:22,639 -communities +02:48:15,500 --> 02:48:20,500 +to say "This Community" or "Connected Communities". Let's go with "Connected Communities". 
4647 -02:48:20,318 --> 02:48:24,639 -connected communities means anyone that +02:48:20,500 --> 02:48:24,500 +connected communities means anyone that has access to my MISP instance 4648 -02:48:22,639 --> 02:48:26,478 -has access to my miss pinsons - -4649 -02:48:24,639 --> 02:48:28,478 -and all the directly interconnected - -4650 -02:48:26,478 --> 02:48:29,199 -instances including all their members as - -4651 -02:48:28,478 --> 02:48:32,478 -well +02:48:24,500 --> 02:48:29,500 +and all the directly interconnected instances including all their members as well. 4652 -02:48:29,200 --> 02:48:33,920 -so in the case for example - -4653 -02:48:32,478 --> 02:48:36,239 -of us publishing something like this in +02:48:29,500 --> 02:48:34,500 +So in the case, for example, of us publishing something like this in the FIRST instance 4654 -02:48:33,920 --> 02:48:37,439 -the first instance we as circle have our +02:48:34,500 --> 02:48:37,0 +we as CIRCL have our instance connected to it 4655 -02:48:36,239 --> 02:48:39,439 -instance connected to it - -4656 -02:48:37,439 --> 02:48:40,960 -so all the members of the circle - -4657 -02:48:39,439 --> 02:48:42,800 -instance will automatically also be +02:48:37,0 --> 02:48:42,0 +so all the members of the CIRCL instance will automatically also be included in the exchange. 
4658 -02:48:40,959 --> 02:48:46,79 -included in the exchange here we see a +02:48:42,0 --> 02:48:45,500 +Here we see a graph of that so we see the event would 4659 -02:48:42,799 --> 02:48:47,759 -graph of that so we see the event would - -4660 -02:48:46,79 --> 02:48:49,279 -be also visible to all the directly - -4661 -02:48:47,760 --> 02:48:51,120 -connected instances - -4662 -02:48:49,279 --> 02:48:53,40 -which we only have one of which is a - -4663 -02:48:51,120 --> 02:48:56,640 -loopback +02:48:45,500 --> 02:48:50,0 +be also visible to all the directly connected instances which we only have one of 4664 -02:48:53,40 --> 02:48:57,520 -connection to exchange so not that - -4665 -02:48:56,639 --> 02:48:59,119 -interesting +02:48:50,0 --> 02:48:57,0 +which is a loopback connection to "iglocska.eu" so not that interesting 4666 -02:48:57,520 --> 02:49:00,960 -and to everyone that has access to this - -4667 -02:48:59,120 --> 02:49:04,160 -current instance +02:48:57,0 --> 02:49:00,500 +and to everyone that has access to this current instance 4668 -02:49:00,959 --> 02:49:04,639 -okay once we're done we can click - -4669 -02:49:04,159 --> 02:49:08,159 -publish - -4670 -02:49:04,639 --> 02:49:08,159 -and then the event gets synchronized +02:49:00,500 --> 02:49:07,0 +Okay. Once we're done we can click publish and then the event gets synchronized. 4671 -02:49:08,639 --> 02:49:12,0 -10148.64 --> 10152 -so what happens at this stage is first - -4672 -02:49:10,639 --> 02:49:14,799 -of all the event will jump - -4673 -02:49:12,0 --> 02:49:16,559 -10152 --> 10156.56 -over to directly connected instances +02:49:08,0 --> 02:49:14,500 +So what happens at this stage is first of all the event will jump over to directly connected instances. 
4674 -02:49:14,799 --> 02:49:18,239 -miss will send out a bunch of emails to +02:49:14,500 --> 02:49:19,500 +MISP will send out a bunch of emails to everyone that subscribes to publish alerts 4675 -02:49:16,559 --> 02:49:20,559 -everyone that subscribes to - -4676 -02:49:18,239 --> 02:49:22,959 -publish alerts that there is a new event - -4677 -02:49:20,559 --> 02:49:25,760 -with all the data contained within +02:49:19,500 --> 02:49:22,500 +that there is a new event with all the data contained within. 4678 -02:49:22,959 --> 02:49:27,759 -it will push the event down various - -4679 -02:49:25,760 --> 02:49:32,478 -local channels to other tools - -4680 -02:49:27,760 --> 02:49:34,0 -10167.76 --> 10174 -using xeromq kafka and so on and syslog +02:49:22,500 --> 02:49:30,500 +it will push the event down various local channels to other tools using ZeroMQ, Kafka and so on and syslog. 4681 -02:49:32,478 --> 02:49:35,679 -so if you have any tools that are - -4682 -02:49:34,0 --> 02:49:37,600 -10174 --> 10177.6 -subscribed to these - -4683 -02:49:35,680 --> 02:49:38,800 -published feeds and they will ingest the +02:49:30,500 --> 02:49:36,200 +So if you have any tools that are subscribed to these published feeds 4684 -02:49:37,600 --> 02:49:40,559 -data - -4685 -02:49:38,799 --> 02:49:42,478 -and it will also make it available to +02:49:36,200 --> 02:49:41,500 +and they will ingest the data and it will also make it available to the API 4686 -02:49:40,559 --> 02:49:44,0 -10180.56 --> 10184 -the api and to make it available to all - -4687 -02:49:42,478 --> 02:49:47,119 -the integration - -4688 -02:49:44,0 --> 02:49:49,359 -10184 --> 10189.359 -tools out there so if you have your +02:49:41,500 --> 02:49:44,500 +and to make it available to all the integration tools out there. 
4689 -02:49:47,120 --> 02:49:51,359 -your scene connected to miss it will now - -4690 -02:49:49,359 --> 02:49:54,559 -be able to fetch the data +02:49:44,500 --> 02:49:52,500 +so if you have your SIEM connected to MISP, it will now be able to fetch the data contained in this event 4691 -02:49:51,359 --> 02:49:55,200 -contained in this event so this is - -4692 -02:49:54,559 --> 02:49:57,600 -basically - -4693 -02:49:55,200 --> 02:49:58,319 -the publishing process however there is - -4694 -02:49:57,600 --> 02:50:00,79 -uh - -4695 -02:49:58,318 --> 02:50:01,840 -if at this point we noticed that okay +02:49:52,500 --> 02:50:00,0 +So this is basically the publishing process however if at this point we noticed that 4696 -02:50:00,79 --> 02:50:03,600 -we've now shared this event out - -4697 -02:50:01,840 --> 02:50:06,840 -but we've actually made a typo in the - -4698 -02:50:03,600 --> 02:50:10,0 -10203.6 --> 10210 -title we we wanted to include +02:50:00,0 --> 02:50:06,500 +okay we've now shared this event out but we've actually made a typo in the title we wanted to include 4699 -02:50:06,840 --> 02:50:13,760 -uh um i don't know - -4700 -02:50:10,0 --> 02:50:16,239 -10210 --> 10216.24 -a trailing period at the end of the - -4701 -02:50:13,760 --> 02:50:16,239 -sentence - +02:50:06,500 --> 02:50:17,500 +I don't know, a trailing period at the end of the sentence {inaudible} something like that. + 4702 -02:50:19,279 --> 02:50:23,279 -in the title and we edit the event what +02:50:17,500 --> 02:50:23,500 +in the title and we edit the event. 
wWat happens now is, there is a modification to the event 4703 -02:50:21,439 --> 02:50:24,639 -happens now is there is a modification - -4704 -02:50:23,279 --> 02:50:26,800 -to the event so even though it was - -4705 -02:50:24,639 --> 02:50:30,79 -published it becomes unpublished again - -4706 -02:50:26,799 --> 02:50:31,920 -and it needs to be to be republished now +02:50:23,500 --> 02:50:29,500 +so even though it was published, it becomes unpublished again and it needs to be to be republished. 4707 -02:50:30,79 --> 02:50:33,760 -the reason why we do this is +02:50:29,500 --> 02:50:33,500 +now the reason why we do this is whenever there is a change 4708 -02:50:31,920 --> 02:50:37,680 -uh whenever there is a change we need to - -4709 -02:50:33,760 --> 02:50:39,920 -synchronize it out to +02:50:33,500 --> 02:50:36,500 +we need to synchronize it out to the other instances out there 4710 -02:50:37,680 --> 02:50:40,720 -and if you have a publishing process in +02:50:36,500 --> 02:50:40,0 +and if you have a publishing process in place 4711 -02:50:39,920 --> 02:50:42,478 -place where - -4712 -02:50:40,719 --> 02:50:44,159 -so only certain users have access to - -4713 -02:50:42,478 --> 02:50:45,760 -publishing rights for example +02:50:40,0 --> 02:50:44,500 +where so only certain users have access to publishing rights for example 4714 -02:50:44,159 --> 02:50:47,359 -then anytime your organization is +02:50:44,500 --> 02:50:47,500 +then anytime your organization is pushing out information 4715 -02:50:45,760 --> 02:50:49,120 -pushing out information - -4716 -02:50:47,359 --> 02:50:50,800 -it can go through the irregular vetting - -4717 -02:50:49,120 --> 02:50:52,319 -process so any change will unset the - -4718 -02:50:50,799 --> 02:50:54,318 -publishing of the event +02:50:47,500 --> 02:50:52,500 +it can go through the irregular vetting process so any change will unset the publishing of the event 4719 -02:50:52,318 --> 02:50:55,840 -now in this case this is a very small 
+02:50:52,500 --> 02:50:55,500 +now in this case this is a very small change that we've made 4720 -02:50:54,318 --> 02:50:57,519 -change that we've made so we don't want - -4721 -02:50:55,840 --> 02:50:59,920 -to actually send out events to all their +02:50:55,500 --> 02:50:58,500 +so we don't want to actually send out emails to all the other users. 4722 -02:50:57,520 --> 02:51:03,40 -users we don't want to spam them with +02:50:58,500 --> 02:51:02,500 +We don't want to spam them with data that is pretty irrelevant for them 4723 -02:50:59,920 --> 02:51:03,920 -data that is pretty relevant for them so - -4724 -02:51:03,40 --> 02:51:05,520 -we can publish - -4725 -02:51:03,920 --> 02:51:09,279 -do the publishing again but this time - -4726 -02:51:05,520 --> 02:51:11,40 -using the publish no email option +02:51:02,500 --> 02:51:08,0 +so we can do the publishing again but this time using the "Publish (no email) option. 4727 -02:51:09,279 --> 02:51:12,640 -so it will also synchronize the data it +02:51:09,0 --> 02:51:11,500 +So it will also synchronize the data 4728 -02:51:11,40 --> 02:51:13,439 -will again make it available to all - -4729 -02:51:12,639 --> 02:51:16,318 -different +02:51:11,500 --> 02:51:15,500 +it will again make it available to all different means of ingesting the data 4730 -02:51:13,439 --> 02:51:19,600 -means of ingesting the data but it will - -4731 -02:51:16,318 --> 02:51:22,159 -not spam our users with emails +02:51:15,500 --> 02:51:18,500 +but it will not spam our users with emails. 
4732 -02:51:19,600 --> 02:51:23,120 -okay so that's basically it for the - -4733 -02:51:22,159 --> 02:51:24,398 -publishing - -4734 -02:51:23,120 --> 02:51:26,399 -and perhaps one thing that is +02:51:18,500 --> 02:51:24,500 +Okay so that's basically it for the publishing and perhaps one thing that is interesting 4735 -02:51:24,398 --> 02:51:27,680 -interesting and that we didn't talk much +02:51:24,500 --> 02:51:26,500 +and that we didn't talk much about is 4736 -02:51:26,398 --> 02:51:29,119 -about is - -4737 -02:51:27,680 --> 02:51:30,479 -we have now raised the distribution - -4738 -02:51:29,120 --> 02:51:31,520 -level of this event to connected - -4739 -02:51:30,478 --> 02:51:34,79 -communities +02:51:26,500 --> 02:51:31,500 +we have now raised the distribution level of this event to "Connected Communities". 4740 -02:51:31,520 --> 02:51:35,439 -so the event is synchronized out but we - -4741 -02:51:34,79 --> 02:51:36,398 -actually had an attribute if you look - -4742 -02:51:35,439 --> 02:51:37,760 -further down +02:51:31,500 --> 02:51:36,500 +So the event is synchronized out but we actually had an attribute if you look further down 4743 -02:51:36,398 --> 02:51:40,398 -that's had a different distribution - -4744 -02:51:37,760 --> 02:51:41,840 -level uh so that one is actually going +02:51:36,500 --> 02:51:41,500 +that's had a different distribution level. So that one is actually going to be removed 4745 -02:51:40,398 --> 02:51:43,39 -to be removed from the synchronized - -4746 -02:51:41,840 --> 02:51:45,520 -button +02:51:41,500 --> 02:51:42,500 +from the synchronized button. 4747 -02:51:43,40 --> 02:51:49,279 -uh so we had one that the the - -4748 -02:51:45,520 --> 02:51:49,279 -impersonated person's email address - -4749 -02:51:49,359 --> 02:51:52,0 -10309.359 --> 10312 -that was set to organization only so +02:51:42,500 --> 02:51:51,0 +So we had one that the impersonated person's email address that was set to organization only. 
4750 -02:51:51,40 --> 02:51:53,120 -whenever we're talking about - -4751 -02:51:52,0 --> 02:51:54,639 -10312 --> 10314.64 -synchronization - -4752 -02:51:53,120 --> 02:51:56,479 -that thing will in this case not +02:51:51,0 --> 02:51:54,500 +So whenever we're talking about synchronization that thing will, 4753 -02:51:54,639 --> 02:51:59,39 -synchronize out so that will be redacted - -4754 -02:51:56,478 --> 02:51:59,39 -from the event +02:51:54,500 --> 02:51:57,500 +in this case, not synchronize out. So that will be redacted from the event. 4755 -02:51:59,279 --> 02:52:03,680 -okay something else that we can do at - -4756 -02:52:02,239 --> 02:52:05,520 -this point once we have created our +02:51:59,0 --> 02:52:04,0 +Okay something else that we can do at this point once we have created our event is 4757 -02:52:03,680 --> 02:52:06,960 -event is we can also extract it in - -4758 -02:52:05,520 --> 02:52:09,40 -different formats so if you click on - -4759 -02:52:06,959 --> 02:52:10,398 -download s on the left side +02:52:04,0 --> 02:52:08,500 +we can also extract it in different formats, so if you click on "Download as..." on the left side. 4760 -02:52:09,40 --> 02:52:12,80 -you will see that we can basically - -4761 -02:52:10,398 --> 02:52:13,519 -convert this automatically to a bunch of +02:52:09,40 --> 02:52:13,0 +You will see that we can basically convert this automatically to a bunch of different formats 4762 -02:52:12,79 --> 02:52:14,799 -different formats and extract it in - -4763 -02:52:13,520 --> 02:52:16,560 -those formats directly - -4764 -02:52:14,799 --> 02:52:18,639 -this is also what we would be accessing +02:52:12,79 --> 02:52:17,500 +and extract it in those formats directly. 
This is also what we would be accessing by the API 4765 -02:52:16,559 --> 02:52:20,959 -by the api if you were to search for - -4766 -02:52:18,639 --> 02:52:23,519 -this event we can also mark whatever - -4767 -02:52:20,959 --> 02:52:25,199 -response format we want just very +02:52:16,559 --> 02:52:22,500 +if you were to search for this event. We can also mark whatever response format we want. 4768 -02:52:23,520 --> 02:52:26,560 -briefly we won't go very deeply into - -4769 -02:52:25,200 --> 02:52:30,0 -10345.2 --> 10350 -this these formats +02:52:23,520 --> 02:52:27,500 +just very briefly we won't go very deeply into this. These formats are coming partially 4770 -02:52:26,559 --> 02:52:31,600 -are coming partially from our predefined - -4771 -02:52:30,0 --> 02:52:33,520 -10350 --> 10353.52 -hard-coded list of formats that we - -4772 -02:52:31,600 --> 02:52:35,600 -support in miss +02:52:26,559 --> 02:52:32,500 +from our predefined hard-coded list of formats that we support in MISP 4773 -02:52:33,520 --> 02:52:36,800 -but some of these formats also come from - -4774 -02:52:35,600 --> 02:52:40,0 -10355.6 --> 10360 -the different exp - -4775 -02:52:36,799 --> 02:52:41,920 -export modules that we have so if you +02:52:32,500 --> 02:52:38,500 +but some of these formats also come from the different export modules that we have 4776 -02:52:40,0 --> 02:52:43,439 -10360 --> 10363.439 -want you can either build your own - -4777 -02:52:41,920 --> 02:52:44,799 -native modules for exporting and - -4778 -02:52:43,439 --> 02:52:47,840 -converting data +02:52:40,0 --> 02:52:44,500 +So if you want you can either build your own native modules for exporting and converting data 4779 -02:52:44,799 --> 02:52:50,159 -or you can build modules - -4780 -02:52:47,840 --> 02:52:51,279 -that are sitting in another tool called - -4781 -02:52:50,159 --> 02:52:53,39 -miss modules +02:52:44,500 --> 02:52:51,500 +or you can build modules that are sitting in another tool called MISP modules, 4782 
-02:52:51,279 --> 02:52:54,560 -side by side with mist that will ingest - -4783 -02:52:53,40 --> 02:52:55,439 -the data and then convert it to other - -4784 -02:52:54,559 --> 02:52:58,159 -formats +02:52:51,500 --> 02:52:55,500 +side by side with MISP that will ingest the data and then convert it to other formats. 4785 -02:52:55,439 --> 02:53:00,0 -10375.439 --> 10380 -so here's a pdf report that was created +02:52:55,500 --> 02:52:59,500 +So here's a PDF report that was created directly out of the event 4786 -02:52:58,159 --> 02:53:03,439 -directly out of the event - -4787 -02:53:00,0 --> 02:53:05,680 -10380 --> 10385.68 -uh and that you can just - -4788 -02:53:03,439 --> 02:53:07,40 -share out directly from the event +02:52:59,500 --> 02:53:05,500 +and that you can just share out directly for the event. 4789 -02:53:05,680 --> 02:53:09,600 -something else that you can do - -4790 -02:53:07,40 --> 02:53:11,520 -is uh anything that we do in misp so all - -4791 -02:53:09,600 --> 02:53:13,760 -the process of adding attributes +02:53:05,500 --> 02:53:11,500 +Something else that you can do is anything that we do in MISP, so all the process of adding attributes, 4792 -02:53:11,520 --> 02:53:14,720 -all the process of viewing data you can +02:53:11,500 --> 02:53:16,500 +all the process of viewing data, you can also do that in a machine {inaudible} way 4793 -02:53:13,760 --> 02:53:16,478 -also do uh - -4794 -02:53:14,719 --> 02:53:18,318 -so do that in a machine partial way by - -4795 -02:53:16,478 --> 02:53:19,920 -just spending.json at the end of any of - -4796 -02:53:18,318 --> 02:53:21,278 -the url +02:53:16,500 --> 02:53:19,500 +by just appending .json at the end of any of the url. 
4797 -02:53:19,920 --> 02:53:23,120 -so in that case in this event we're - -4798 -02:53:21,279 --> 02:53:23,680 -going to get the json representation of - -4799 -02:53:23,120 --> 02:53:27,760 -the +02:53:19,500 --> 02:53:24,500 +So in that case in this event we're going to get the json representation of the event 4800 -02:53:23,680 --> 02:53:27,760 -event okay +02:53:24,500 --> 02:53:26,500 +Okay. 4801 -02:53:28,79 --> 02:53:32,318 -so that's basically for creating an - -4802 -02:53:30,0 --> 02:53:32,318 -10410 --> 10412.319 -event - -4803 -02:53:33,359 --> 02:53:36,720 -just maybe one thing that is interesting +02:53:28,0 --> 02:53:32,500 +So that's basically for creating an event. 4804 -02:53:35,40 --> 02:53:40,80 -we have a very good question from - -4805 -02:53:36,719 --> 02:53:43,119 -martin it's a +02:53:32,500 --> 02:53:37,500 +Just maybe one thing that is interesting we have a very good question from Martin {inaudible}. 4806 -02:53:40,79 --> 02:53:46,239 -quite complex one but maybe we can - -4807 -02:53:43,120 --> 02:53:49,520 -already partially answer it +02:53:37,500 --> 02:53:44,500 +It's a quite complex one but maybe we can already partially answer it. 4808 -02:53:46,239 --> 02:53:50,959 -so when you create an event and in this - -4809 -02:53:49,520 --> 02:53:54,79 -case a creator or - -4810 -02:53:50,959 --> 02:53:55,199 -is the training people can contribute on +02:53:44,500 --> 02:53:51,500 +So when you create an event and in this case the creator of the training. 
4811 -02:53:54,79 --> 02:53:57,680 -that one - -4812 -02:53:55,200 --> 02:53:59,520 -but if you have an isaac and you want to - -4813 -02:53:57,680 --> 02:54:00,318 -distribute back the information and so - -4814 -02:53:59,520 --> 02:54:02,560 -on - +02:53:51,500 --> 02:53:59,500 +People can contribute on that one but if you have an ISAC and you want to distribute back the information and so on, + 4815 -02:54:00,318 --> 02:54:04,559 -one of the options that you have is to - -4816 -02:54:02,559 --> 02:54:05,760 -try to create extended events for - -4817 -02:54:04,559 --> 02:54:08,879 -example out of it +02:53:59,500 --> 02:54:05,500 +one of the options that you have is to try to create extended events for example out of it. 4818 -02:54:05,760 --> 02:54:10,398 -so you can um out of an event you can - -4819 -02:54:08,879 --> 02:54:13,358 -create a new one - -4820 -02:54:10,398 --> 02:54:14,478 -um which would be for example with - -4821 -02:54:13,359 --> 02:54:18,0 -10453.359 --> 10458 -additional information +02:54:05,500 --> 02:54:14,0 +So you can out of an event, you can create a new one which would be for example with additional information 4822 -02:54:14,478 --> 02:54:18,959 -like validations uh additional things - -4823 -02:54:18,0 --> 02:54:21,520 -10458 --> 10461.52 -that you want you - -4824 -02:54:18,959 --> 02:54:22,799 -you want to add so you have this kind of +02:54:14,0 --> 02:54:22,0 +like validations, additional things that you want to add. So you have this kind of extend event 4825 -02:54:21,520 --> 02:54:24,159 -extend even and you will create +02:54:22,0 --> 02:54:27,0 +and you will create automatically a new event based on that. 
4826 -02:54:22,799 --> 02:54:27,358 -automatically a - -4827 -02:54:24,159 --> 02:54:33,920 -new event based on that - -4828 -02:54:27,359 --> 02:54:34,800 -um thing that is interesting there um - -4829 -02:54:33,920 --> 02:54:36,559 -the - -4830 -02:54:34,799 --> 02:54:38,398 -the thing is you can really create - -4831 -02:54:36,559 --> 02:54:40,398 -something completely new +02:54:27,0 --> 02:54:39,0 +A thing that is interesting there, the thing is you can really create something completely new out of it 4832 -02:54:38,398 --> 02:54:42,239 -out of it and then see so for example - -4833 -02:54:40,398 --> 02:54:45,358 -for this case i can say that we - -4834 -02:54:42,239 --> 02:54:47,279 -uh we did a kind of session with - -4835 -02:54:45,359 --> 02:54:50,0 -10485.359 --> 10490 -additional information +02:54:39,0 --> 02:54:46,500 +and then see, so for example, for this case I can say that we did a kind of session with additional information. 4836 -02:54:47,279 --> 02:54:52,960 -um there the distribution is your - -4837 -02:54:50,0 --> 02:54:52,959 -10490 --> 10492.96 -organization only +02:54:46,500 --> 02:54:51,500 +There the distribution is "Your organization only" 4838 -02:54:53,120 --> 02:54:57,680 -and i would add for example a specific - -4839 -02:54:55,600 --> 02:55:02,159 -attribute - -4840 -02:54:57,680 --> 02:55:05,600 -which is for example targeting data +02:54:51,500 --> 02:55:01,500 +and I would add for example a specific attribute which is for example "Targeting data" 4841 -02:55:02,159 --> 02:55:09,359 -and i can say target user uh the son - -4842 -02:55:05,600 --> 02:55:11,439 -of the prime minister +02:55:01,500 --> 02:55:08,500 +and I can say "target-user", the son of the prime minister. 4843 -02:55:09,359 --> 02:55:12,479 -so it may be information that you really +02:55:08,500 --> 02:55:13,500 +So it may be information that you really don't want to share with others. 
4844 -02:55:11,439 --> 02:55:16,159 -don't want to share +02:55:13,500 --> 02:55:19,500 +So this one is basically a normal event with additional information there 4845 -02:55:12,478 --> 02:55:18,159 -with others so this one is basically - -4846 -02:55:16,159 --> 02:55:19,200 -a normal event with additional - -4847 -02:55:18,159 --> 02:55:21,760 -information there - -4848 -02:55:19,200 --> 02:55:24,79 -and it's only shared within your - -4849 -02:55:21,760 --> 02:55:26,239 -organization +02:55:19,500 --> 02:55:23,500 +and it's only shared within your organization. 4850 -02:55:24,79 --> 02:55:27,600 -nevertheless if you go to the original - -4851 -02:55:26,239 --> 02:55:29,119 -event - -4852 -02:55:27,600 --> 02:55:31,279 -you have this kind of extended view +02:55:23,500 --> 02:55:29,500 +Nevertheless, if you go to the original event, you have this kind of extended view there 4853 -02:55:29,120 --> 02:55:35,279 -there and we can have - -4854 -02:55:31,279 --> 02:55:38,560 -what we call an extended view and not an +02:55:29,500 --> 02:55:36,500 +and we can have what we call an extended view and not an atomic view 4855 -02:55:35,279 --> 02:55:41,600 -atomic view and the two information +02:55:36,500 --> 02:55:41,500 +and the two information is combined and you can see there 4856 -02:55:38,559 --> 02:55:43,760 -so the is combined and you can see there - -4857 -02:55:41,600 --> 02:55:46,159 -that we have one with the information - -4858 -02:55:43,760 --> 02:55:49,760 -about the son of the prime minister +02:55:41,500 --> 02:55:46,500 +that we have one with the information about the son of the prime minister 4859 -02:55:46,159 --> 02:55:52,478 -which is the extended event there so - -4860 -02:55:49,760 --> 02:55:53,200 -just to answer the question of martin +02:55:46,500 --> 02:55:52,500 +which is the extended event there. 
So just to answer the question of Martin 4861 -02:55:52,478 --> 02:55:56,559 -about - -4862 -02:55:53,200 --> 02:55:58,880 -the question about - -4863 -02:55:56,559 --> 02:56:00,239 -adding information on existing event is - -4864 -02:55:58,879 --> 02:56:03,278 -one way of doing it +02:55:52,500 --> 02:55:59,500 +about the question about adding information on existing event, this is one way of doing it. 4865 -02:56:00,239 --> 02:56:05,840 -so using extended event is a way to - -4866 -02:56:03,279 --> 02:56:07,200 -qualify or extend even with additional - -4867 -02:56:05,840 --> 02:56:09,600 -information and so on +02:55:59,500 --> 02:56:07,500 +So using extended event is a way to qualify or extend event with additional information and so on. 4868 -02:56:07,200 --> 02:56:10,479 -um it's actively used for example for - -4869 -02:56:09,600 --> 02:56:12,559 -when you have - -4870 -02:56:10,478 --> 02:56:14,318 -two different view of the information +02:56:07,500 --> 02:56:12,500 +It's actively used, for example, for when you have two different view of the information 4871 -02:56:12,559 --> 02:56:15,519 -because one is distributed and another +02:56:12,500 --> 02:56:17,500 +because one is distributed and another one is like the private information 4872 -02:56:14,318 --> 02:56:17,920 -one is like +02:56:17,500 --> 02:56:20,500 +like the forensic evidence that you cannot share for example, 4873 -02:56:15,520 --> 02:56:19,120 -likely like the private information like - -4874 -02:56:17,920 --> 02:56:21,120 -the forensic evidence - -4875 -02:56:19,120 --> 02:56:22,800 -that you cannot share for example you - -4876 -02:56:21,120 --> 02:56:24,399 -can create this kind of thing +02:56:20,500 --> 02:56:24,500 +you can create this kind of thing. It's one way of doing it. 
4877 -02:56:22,799 --> 02:56:25,599 -it's one way of doing it it's not +02:56:24,500 --> 02:56:28,500 +It's not answering completely the question of Martin but we can even go deeper later on that 4878 -02:56:24,398 --> 02:56:26,959 -answering companies the question of - -4879 -02:56:25,600 --> 02:56:29,439 -martin but we can - -4880 -02:56:26,959 --> 02:56:31,358 -even go deeper later on that but it's - -4881 -02:56:29,439 --> 02:56:32,559 -it's one way of - -4882 -02:56:31,359 --> 02:56:34,559 -because tomorrow we talk about +02:56:28,500 --> 02:56:33,500 +but it's one way of... because tomorrow we talk about synchronization 4883 -02:56:32,559 --> 02:56:36,0 -10592.56 --> 10596 -synchronization there are some specific - -4884 -02:56:34,559 --> 02:56:37,920 -options for isaac like - -4885 -02:56:36,0 --> 02:56:39,359 -10596 --> 10599.359 -and publishing events if we do - -4886 -02:56:37,920 --> 02:56:41,439 -synchronization and so on +02:56:33,500 --> 02:56:39,500 +there are some specific options for ISAC like unpublishing events if we do synchronization and so on 4887 -02:56:39,359 --> 02:56:43,200 -that can be used in some some cases for - -4888 -02:56:41,439 --> 02:56:45,520 -isaac's - -4889 -02:56:43,200 --> 02:56:47,760 -there are many options but that's one +02:56:39,500 --> 02:56:46,500 +that can be used in some some cases for ISAC. There are many options but that's one way of 4890 -02:56:45,520 --> 02:56:50,319 -way of of partially solving - -4891 -02:56:47,760 --> 02:56:51,279 -this kind of issues of not owning the - -4892 -02:56:50,318 --> 02:56:55,600 -data - -4893 -02:56:51,279 --> 02:56:57,359 -is to extend the information +02:56:46,500 --> 02:56:54,500 +partially solving this kind of issues of not owning the data. It is to extend the information. 
4894 -02:56:55,600 --> 02:56:59,200 -so i know you have something you want to - -4895 -02:56:57,359 --> 02:57:02,640 -add on rashford +02:56:54,500 --> 02:56:58,500 +So I know you have something you want to add on Alexandre. 4896 -02:56:59,200 --> 02:57:02,640 -no no that makes sense - -4897 -02:57:04,239 --> 02:57:08,639 -again for the collaboration on this one +02:56:58,500 --> 02:57:02,0 +No, no, that makes sense. 4898 -02:57:07,40 --> 02:57:11,279 -we can do various things so +02:57:03,0 --> 02:57:08,500 +Again for the collaboration on this one, we can do various things so 4899 -02:57:08,639 --> 02:57:13,760 -in the case of um you have a typo for - -4900 -02:57:11,279 --> 02:57:15,920 -example in the specifications and so on +02:57:08,500 --> 02:57:13,500 +in the case of, you have a typo for example in the specifications and so on. 4901 -02:57:13,760 --> 02:57:17,439 -you can make proposal another thing with - -4902 -02:57:15,920 --> 02:57:19,920 -uh - -4903 -02:57:17,439 --> 02:57:21,120 -on the interface here you see that you - -4904 -02:57:19,920 --> 02:57:23,680 -can +02:57:13,500 --> 02:57:19,500 +you can make proposal, another thing with on the interface here you see that 4905 -02:57:21,120 --> 02:57:24,880 -basically make either an edit or you see - -4906 -02:57:23,680 --> 02:57:28,398 -that you can make +02:57:19,500 --> 02:57:26,500 +you can basically make either an edit or you see that you can make a proposed edit. 4907 -02:57:24,879 --> 02:57:28,879 -a proposed edit so what is the use case - -4908 -02:57:28,398 --> 02:57:30,719 -of that - -4909 -02:57:28,879 --> 02:57:32,398 -it's it's not like for fundamental - -4910 -02:57:30,719 --> 02:57:34,959 -changes but for i would say minor +02:57:26,500 --> 02:57:31,500 +So what is the use case for that? It's not like for fundamental changes 4911 -02:57:32,398 --> 02:57:37,119 -challenges on a specific import +02:57:31,500 --> 02:57:34,500 +but for I would say minor challenges on a specific report. 
4912 -02:57:34,959 --> 02:57:38,879 -imagine that you don't agree on this one - -4913 -02:57:37,120 --> 02:57:42,720 -on this idea of season - -4914 -02:57:38,879 --> 02:57:46,398 -there's a typo and it's not d5 but e5 +02:57:34,500 --> 02:57:40,0 +Imagine that you don't agree on this IP Address, there's a typo 4915 -02:57:42,719 --> 02:57:48,639 -in the ipv6 rs so you propose the change +02:57:40,0 --> 02:57:46,500 +and it's not D5 but E5 in the ipv6 address, so you propose the change. 4916 -02:57:46,398 --> 02:57:49,680 -in this case i'm playing both holes here - -4917 -02:57:48,639 --> 02:57:51,920 -but - -4918 -02:57:49,680 --> 02:57:53,120 -what do i have here it's basically an - -4919 -02:57:51,920 --> 02:57:55,520 -attribute +02:57:46,500 --> 02:57:50,500 +in this case i'm playing both roles here but what do I have here, 4920 -02:57:53,120 --> 02:57:56,800 -with a proposal of the church and i'm - -4921 -02:57:55,520 --> 02:57:59,439 -playing the boss roles for the +02:57:50,500 --> 02:57:56,500 +it's basically an attribute with a proposal of the change and I'm playing the both roles 4922 -02:57:56,799 --> 02:58:02,799 -contributor roles and - -4923 -02:57:59,439 --> 02:58:05,760 -the original creator then i can say okay - -4924 -02:58:02,799 --> 02:58:07,679 -i accept the change indeed this this +02:57:56,500 --> 02:58:04,500 +contributor roles and the original creator then I can say, okay I accept the change there indeed, 4925 -02:58:05,760 --> 02:58:10,960 -proposal makes sense +02:58:04,500 --> 02:58:12,500 +this proposal makes sense or basically discard and this is a way to get updates 4926 -02:58:07,680 --> 02:58:14,0 -10687.68 --> 10694 -or are basically discounted and this is - -4927 -02:58:10,959 --> 02:58:18,0 -10690.96 --> 10698 -a way to get updates from - -4928 -02:58:14,0 --> 02:58:19,439 -10694 --> 10699.439 -um from supportive other members other - -4929 -02:58:18,0 --> 02:58:21,40 -10698 --> 10701.04 -organizations and so on +02:58:12,500 --> 
02:58:19,500 +from supportive other members, other organizations and so on. 4930 -02:58:19,439 --> 02:58:22,880 -it's one way to to update the - -4931 -02:58:21,40 --> 02:58:26,960 -information in this case i will - -4932 -02:58:22,879 --> 02:58:28,879 -discuss it because it's not correct +02:58:19,500 --> 02:58:25,500 +It's one way to to update the information in this case I will discard it because it's not correct. 4933 -02:58:26,959 --> 02:58:30,879 -we were talking about contributions this - -4934 -02:58:28,879 --> 02:58:32,79 -another way of contributing is the site - -4935 -02:58:30,879 --> 02:58:35,679 -things itself +02:58:25,500 --> 02:58:31,500 +We were talking about contributions, this is another way of contributing is the sighting itself. 4936 -02:58:32,79 --> 02:58:37,39 -so for example for this specifications +02:58:31,500 --> 02:58:37,0 +So for example for this indicator if for example we have an intrusion detection system 4937 -02:58:35,680 --> 02:58:38,398 -if for example we have an expression - -4938 -02:58:37,40 --> 02:58:39,40 -detection system and we have seen it +02:58:37,0 --> 02:58:40,500 +and we have seen it like three times in a row 4939 -02:58:38,398 --> 02:58:42,719 -like - -4940 -02:58:39,40 --> 02:58:47,279 -three times in a row we can add - -4941 -02:58:42,719 --> 02:58:48,639 -on on the interface with the api - -4942 -02:58:47,279 --> 02:58:50,640 -through the user interface and so on +02:58:40,500 --> 02:58:49,0 +we can add on the interface, with the API, through the user interface, and so on 4943 -02:58:48,639 --> 02:58:53,920 -that you have seen that um - -4944 -02:58:50,639 --> 02:58:55,920 -multiple times and like that you can - -4945 -02:58:53,920 --> 02:58:59,200 -share this kind of details about - -4946 -02:58:55,920 --> 02:59:01,200 -the sharing aspect +02:58:49,0 --> 02:58:59,500 +that you have seen that multiple times and like that you can share this kind of details about the sharing aspect 4947 -02:58:59,200 --> 
02:59:02,800 -so we what we have seen that at this +02:58:59,500 --> 02:59:03,500 +So what we have seen that at this specific amount of times we have the three counts 4948 -02:59:01,200 --> 02:59:05,359 -specific amount of times we have +02:59:01,200 --> 02:59:09,500 +saying this is a sighting and you have seen it and you can do it per organization 4949 -02:59:02,799 --> 02:59:06,239 -the three counts saying this uh this is - -4950 -02:59:05,359 --> 02:59:07,920 -a site - -4951 -02:59:06,239 --> 02:59:09,520 -and you have seen it and you can do it - -4952 -02:59:07,920 --> 02:59:11,840 -per organization - -4953 -02:59:09,520 --> 02:59:13,439 -or it could be even anonymously you get - -4954 -02:59:11,840 --> 02:59:15,439 -different configuration in the model of - -4955 -02:59:13,439 --> 02:59:18,159 -cycling in mist +02:59:02,799 --> 02:59:14,500 +or it could be even anonymously you get different configuration in the model of sighting in MISP 4956 -02:59:15,439 --> 02:59:19,279 -but it's a way to see that an indicator +02:59:15,439 --> 02:59:20,0 +but it's a way to see that an indicator has been seen or not. 
4957 -02:59:18,159 --> 02:59:22,799 -has been seen - -4958 -02:59:19,279 --> 02:59:23,680 -or not if one specific are generating - -4959 -02:59:22,799 --> 02:59:25,599 -for example a - -4960 -02:59:23,680 --> 02:59:28,318 -false positive you can see the negative +02:59:18,159 --> 02:59:26,500 +If one specific {inaudible} for example a false positive you can see the negative one, 4961 -02:59:25,600 --> 02:59:30,960 -one negative sightings which +02:59:25,600 --> 02:59:33,500 +negative sightings which basically tell others that okay this one is generating a lot of false positives 4962 -02:59:28,318 --> 02:59:33,840 -basically tell others that okay this one - -4963 -02:59:30,959 --> 02:59:35,839 -is generating a lot of false positives - -4964 -02:59:33,840 --> 02:59:37,200 -sometimes not every organization agrees +02:59:33,840 --> 02:59:36,500 +sometimes not every organization agrees on the false positive 4965 -02:59:35,840 --> 02:59:38,719 -on the first positive because they have - -4966 -02:59:37,200 --> 02:59:40,800 -different views - -4967 -02:59:38,719 --> 02:59:42,799 -coming from different networks and so on +02:59:35,840 --> 02:59:40,500 +because they have different views coming from different networks and so on. 4968 -02:59:40,799 --> 02:59:46,318 -that's a way to - -4969 -02:59:42,799 --> 02:59:49,358 -provide feedback so one is delegations - -4970 -02:59:46,318 --> 02:59:57,519 -proposals or another way is to - -4971 -02:59:49,359 --> 02:59:59,760 -basically get affected +02:59:40,799 --> 02:59:51,500 +That's a way to provide feedback, so one is delegations proposals or another way is to basically get sighting. 4972 -02:59:57,520 --> 02:59:59,760 -okay +02:59:57,0 --> 02:59:59,0 +Okay. 
4973 -03:00:01,439 --> 03:00:04,479 -i'm just trying to go through the +03:00:01,0 --> 03:00:04,0 +I'm just trying to go through the questions 4974 -03:00:02,719 --> 03:00:07,278 -questions yeah - -4975 -03:00:04,478 --> 03:00:08,478 -maybe yes maybe there are some yeah +03:00:04,0 --> 03:00:06,500 +yeah maybe there are some... 4976 -03:00:07,279 --> 03:00:10,560 -there are some that are repeating so - -4977 -03:00:08,478 --> 03:00:12,799 -perhaps it's good to call them out +03:00:07,279 --> 03:00:10,500 +Yeah there are some that are repeating so perhaps it's good to call them out 4978 -03:00:10,559 --> 03:00:13,680 -uh so there was a bit of confusion about - -4979 -03:00:12,799 --> 03:00:16,0 -10812.8 --> 10816 -how to add the - -4980 -03:00:13,680 --> 03:00:17,40 -uh the email object so it uh checked it +03:00:10,559 --> 03:00:14,500 +So there was a bit of confusion about how to add the email object. 4981 -03:00:16,0 --> 03:00:19,200 -10816 --> 10819.2 -is a little bit - -4982 -03:00:17,40 --> 03:00:20,880 -uh confusing so when you're in an event - -4983 -03:00:19,200 --> 03:00:22,960 -and you click on add objects first you +03:00:16,0 --> 03:00:20,0 +So it is a little bit confusing so when you're in an event and you click on add objects, 4984 -03:00:20,879 --> 03:00:24,559 -need to select the scope +03:00:20,0 --> 03:00:24,0 +first you need to select the scope from which you choose from 4985 -03:00:22,959 --> 03:00:26,478 -from which you choose from so it's going +03:00:24,0 --> 03:00:26,0 +So it's going to be climate file and so on. 4986 -03:00:24,559 --> 03:00:28,559 -to be climate file and so on just click - -4987 -03:00:26,478 --> 03:00:30,159 -on all objects if you're unsure - -4988 -03:00:28,559 --> 03:00:31,680 -and then you can search for whatever so +03:00:26,0 --> 03:00:30,500 +Just click on all objects if you're unsure and then you can search for whatever. 
4989 -03:00:30,159 --> 03:00:32,398 -after you click on all objects and you - -4990 -03:00:31,680 --> 03:00:35,920 -type email - -4991 -03:00:32,398 --> 03:00:38,0 -10832.399 --> 10838 -it's going to show your email object +03:00:30,500 --> 03:00:35,500 +So after you click on all objects and you type email, it's going to show email object. 4992 -03:00:35,920 --> 03:00:39,520 -here the first step is more like finding +03:00:35,500 --> 03:00:39,500 +Here the first step is more like finding out the category of an object -4993 -03:00:38,0 --> 03:00:41,680 -10838 --> 10841.68 -out the category of an object - -4994 -03:00:39,520 --> 03:00:43,200 -yeah so so some sometimes you just know - -4995 -03:00:41,680 --> 03:00:44,880 -the category but you don't know what is - -4996 -03:00:43,200 --> 03:00:46,800 -really available there for you + 4994 +03:00:39,500 --> 03:00:44,500 +Yeah so some sometimes you just know the category but you don't know what is really available there for you 4997 -03:00:44,879 --> 03:00:48,719 -so you you want to see okay what sort of - -4998 -03:00:46,799 --> 03:00:50,398 -objects can i use in network contacts +03:00:44,500 --> 03:00:49,500 +So you want to see okay what sort of objects can I use in network contacts 4999 -03:00:48,719 --> 03:00:52,799 -and i would click on network first +03:00:49,500 --> 03:00:50,500 +and I would click on network first 5000 -03:00:50,398 --> 03:00:54,159 -and then you get a list of of all - -5001 -03:00:52,799 --> 03:00:55,438 -tangently related +03:00:50,500 --> 03:00:54,500 +and then you get a list of of all tangently related objects 5002 -03:00:54,159 --> 03:00:57,279 -objects that will have to do with - -5003 -03:00:55,439 --> 03:01:00,159 -network connectivity but - -5004 -03:00:57,279 --> 03:01:01,520 -not necessarily describing the same - -5005 -03:01:00,159 --> 03:01:04,639 -concept at all +03:00:54,500 --> 03:01:01,500 +that will have to do with network connectivity but not necessarily describing the same 
concept at all 5006 -03:01:01,520 --> 03:01:06,319 -uh but if you don't know or +03:01:01,500 --> 03:01:06,500 +but if you don't know which domain you want to pick it from 5007 -03:01:04,639 --> 03:01:08,239 -which the domain you want to pick it - -5008 -03:01:06,318 --> 03:01:10,0 -10866.319 --> 10870 -from or if you know - -5009 -03:01:08,239 --> 03:01:11,600 -exactly already what you want and you +03:01:06,500 --> 03:01:11,500 +or if you know exactly already what you want and you just want to search by name 5010 -03:01:10,0 --> 03:01:13,120 -10870 --> 10873.12 -just want to search by name just click - -5011 -03:01:11,600 --> 03:01:14,159 -on all objects first - -5012 -03:01:13,120 --> 03:01:17,680 -and then you will find what you're +03:01:11,500 --> 03:01:14,500 +Just click on all objects first and then you will find what you're looking for 5013 -03:01:14,159 --> 03:01:20,879 -looking for by just typing it so email - -5014 -03:01:17,680 --> 03:01:25,40 -is easy to find that way +03:01:14,500 --> 03:01:19,500 +by just typing it. So email is easy to find that way. 5015 -03:01:20,879 --> 03:01:25,39 -okay so just type email and that's it +03:01:19,500 --> 03:01:24,0 +Okay so just type email and that's it. 5016 -03:01:25,359 --> 03:01:33,359 -okay um other questions - -5017 -03:01:28,639 --> 03:01:35,920 -that were there okay perfect +03:01:24,0 --> 03:01:32,500 +Okay, other questions that were there. Okay perfect. 5018 -03:01:33,359 --> 03:01:37,359 -and there there were a few other - -5019 -03:01:35,920 --> 03:01:38,398 -questions that i answered in the +03:01:33,0 --> 03:01:37,0 +And there there were a few other questions that I answered in the ... 5020 -03:01:37,359 --> 03:01:41,40 -meanwhile maybe it's +03:01:37,0 --> 03:01:40,500 +Meanwhile, maybe it's a good idea to read some of them out. 
5021 -03:01:38,398 --> 03:01:42,318 -a good idea to read soft about yeah - -5022 -03:01:41,40 --> 03:01:44,240 -indeed there was a good one - -5023 -03:01:42,318 --> 03:01:45,680 -about correlation graph and and - -5024 -03:01:44,239 --> 03:01:47,199 -filtering on it +03:01:40,500 --> 03:01:45,500 +Yeah, indeed there was a good one about correlation graph and filtering on it. 5025 -03:01:45,680 --> 03:01:49,40 -indeed we don't have a way to filter the +03:01:45,500 --> 03:01:48,500 +Indeed, we don't have a way to filter the correlation graph 5026 -03:01:47,200 --> 03:01:50,479 -correlation graph but it's something - -5027 -03:01:49,40 --> 03:01:52,0 -10909.04 --> 10912 -that we that we've discussed for a while - -5028 -03:01:50,478 --> 03:01:52,398 -already and we want to do it at one - -5029 -03:01:52,0 --> 03:01:54,79 -10912 --> 10914.08 -point +03:01:48,500 --> 03:01:52,500 +but it's something that we've discussed for a while already and we want to do it at one point 5030 -03:01:52,398 --> 03:01:56,0 -10912.399 --> 10916 -so that you can add some filter rules in - -5031 -03:01:54,79 --> 03:01:58,79 -there yes +03:01:52,500 --> 03:01:54,500 +so that you can add some filter rules in there. 
5032 -03:01:56,0 --> 03:01:59,760 -10916 --> 10919.76 -the only way to to do it here at least - -5033 -03:01:58,79 --> 03:02:01,39 -through the api so that means you you +03:01:54,500 --> 03:01:59,00 +Yes, the only way to to do it here is through the api 5034 -03:01:59,760 --> 03:02:03,840 -done the - -5035 -03:02:01,40 --> 03:02:04,640 -decorating one and then you have to do a - -5036 -03:02:03,840 --> 03:02:07,279 -filtering +03:01:59,00 --> 03:02:05,500 +so that means you done creating one and then you have to do a filtering {inaudible priority/proactively} 5037 -03:02:04,639 --> 03:02:07,920 -priority but it needs something that's - -5038 -03:02:07,279 --> 03:02:11,279 -uh +03:02:05,500 --> 03:02:10,500 +but it needs something there to be added 5039 -03:02:07,920 --> 03:02:12,719 -yeah it will be to be added i don't know - -5040 -03:02:11,279 --> 03:02:17,40 -if you have an issue on that one +03:02:10,500 --> 03:02:13,500 +I don't know if you have an issue on that one. 5041 -03:02:12,719 --> 03:02:19,199 -um yeah i think we do yes yes +03:02:13,500 --> 03:02:16,500 +Yeah I think we do. Yes, yes, I think we should be good. 5042 -03:02:17,40 --> 03:02:21,760 -so maybe you know what sometimes what we - -5043 -03:02:19,200 --> 03:02:21,760 -do is - -5044 -03:02:21,840 --> 03:02:26,159 -just just to add the one on this one um +03:02:16,500 --> 03:02:23,500 +So maybe you know what sometimes what we do is just to add the one on this one 5045 -03:02:24,559 --> 03:02:27,359 -if i'm finding his back - -5046 -03:02:26,159 --> 03:02:29,359 -so i guess you can see what kind of - -5047 -03:02:27,359 --> 03:02:31,40 -issue that we have and so on +03:02:23,500 --> 03:02:28,500 +If i can find it back so I guess you can see what kind of issue that we have and so on. 
5048 -03:02:29,359 --> 03:02:32,880 -a lot of the issue that we have is more +03:02:28,500 --> 03:02:32,0 +A lot of the issue that we have is more like 5049 -03:02:31,40 --> 03:02:34,960 -like i mean - -5050 -03:02:32,879 --> 03:02:36,318 -around 25 percent 30 percent our basic - -5051 -03:02:34,959 --> 03:02:38,719 -installation problem +03:02:32,0 --> 03:02:26,500 +I mean around 25 percent, 30 percent are basically installation problem. 5052 -03:02:36,318 --> 03:02:39,920 -um that's something that you can discuss - -5053 -03:02:38,719 --> 03:02:42,559 -maybe tomorrow about - -5054 -03:02:39,920 --> 03:02:43,359 -about recommendation on on on the - -5055 -03:02:42,559 --> 03:02:45,199 -systems +03:02:26,500 --> 03:02:43,500 +That's something that you can discuss maybe tomorrow about recommendation on the system 5056 -03:02:43,359 --> 03:02:46,559 -we don't need a lot of requirements but - -5057 -03:02:45,200 --> 03:02:48,240 -at least um - -5058 -03:02:46,559 --> 03:02:49,760 -you need to have a lamp system working +03:02:43,500 --> 03:02:48,0 +We don't need a lot of requirements but at least you need to have a LAMP system working 5059 -03:02:48,239 --> 03:02:52,879 -for mariadb - -5060 -03:02:49,760 --> 03:02:56,318 -linux systems and ready running +03:02:48,0 --> 03:02:51,500 +So MariaDB, linux systems and Redis running. 5061 -03:02:52,879 --> 03:02:57,759 -so obviously for example an ubuntu - -5062 -03:02:56,318 --> 03:02:59,439 -distribution out of the box is working - -5063 -03:02:57,760 --> 03:03:02,79 -without any problems +03:02:51,500 --> 03:02:59,500 +So obviously, for example, an Ubuntu distribution out of the box is working without any problems. 
5064 -03:02:59,439 --> 03:03:02,800 -now if you try to install a missponder - -5065 -03:03:02,79 --> 03:03:05,359 -mac os - -5066 -03:03:02,799 --> 03:03:05,920 -you might turn into troubles obviously +03:02:59,500 --> 03:03:04,500 +Now if you try to install a MISP on the MAC OS, you might run into problems obviously. 5067 -03:03:05,359 --> 03:03:07,920 -but - -5068 -03:03:05,920 --> 03:03:09,840 -what we recommend is we have install - -5069 -03:03:07,920 --> 03:03:12,159 -automatic install script for +03:03:04,500 --> 03:03:11,500 +But what we recommend is we have automatic install script for ubuntu for example 5070 -03:03:09,840 --> 03:03:14,239 -for ubuntu for example and this one - -5071 -03:03:12,159 --> 03:03:18,239 -works works quite well +03:03:11,500 --> 03:03:13,500 +and this one works works quite well. 5072 -03:03:14,239 --> 03:03:18,239 -i wanted to search the issue for +03:03:13,500 --> 03:03:19,0 +I wanted to search the issue for... 5073 -03:03:18,398 --> 03:03:22,559 -you just search your correlation for +03:03:19,0 --> 03:03:21,500 +You can just search the correlation graph, for correlation. 5074 -03:03:20,79 --> 03:03:25,840 -correlation yeah +03:03:21,500 --> 03:03:24,500 +Yeah. correlation filtering. 5075 -03:03:22,559 --> 03:03:26,239 -creation filtering now that will be a - -5076 -03:03:25,840 --> 03:03:29,279 -bit - -5077 -03:03:26,239 --> 03:03:31,439 -too specific i think no really not +03:03:24,500 --> 03:03:30,500 +Nah, that will be a bit too specific I think. No maybe not. Maybe yes. 5078 -03:03:29,279 --> 03:03:40,640 -maybe yes we're filtering by correlation - -5079 -03:03:31,439 --> 03:03:43,520 -on feedback - -5080 -03:03:40,639 --> 03:03:43,519 -yeah that's easy +03:03:30,500 --> 03:03:32,500 +We're filtering by correlation on {inaudible}. 5081 -03:03:44,719 --> 03:03:55,840 -oh this one maybe yes yeah yeah okay +03:03:32,500 --> 03:03:51,500 +Oh this one maybe. Yes. Yeah, yeah okay, this one, okay. So... One sec. 
5082 -03:03:47,840 --> 03:03:55,840 -this one okay so - -5083 -03:04:03,200 --> 03:04:06,960 -so that's how we work so if you see a - -5084 -03:04:05,200 --> 03:04:08,560 -component issue that - -5085 -03:04:06,959 --> 03:04:10,239 -or a feature that is really interesting +03:03:51,500 --> 03:04:07,500 +So that's how it works so if you see a component issue that 5086 -03:04:08,559 --> 03:04:11,359 -for you don't hesitate to take an +03:04:07,500 --> 03:04:09,500 +or a feature that is really interesting for you 5087 -03:04:10,239 --> 03:04:13,600 -existing issue - -5088 -03:04:11,359 --> 03:04:14,479 -about specific requests and add some - -5089 -03:04:13,600 --> 03:04:16,318 -comments there +03:04:09,500 --> 03:04:14,500 +don't hesitate to take an existing issue about specific requests and add some comments there. 5090 -03:04:14,478 --> 03:04:18,0 -11054.479 --> 11058 -like for example it's really the issue - -5091 -03:04:16,318 --> 03:04:20,159 -the feature that you want - -5092 -03:04:18,0 --> 03:04:22,79 -11058 --> 11062.08 -uh is it important for you why and so on +03:04:14,500 --> 03:04:20,500 +Like for example, it's really the feature that you want, is it important for you, why and so on 5093 -03:04:20,159 --> 03:04:25,200 -and then we use that as a source of - -5094 -03:04:22,79 --> 03:04:26,959 -of doing a pd request as an example we +03:04:20,500 --> 03:04:23,500 +and then we use that as a source of of doing a feature request 5095 -03:04:25,200 --> 03:04:29,40 -do - -5096 -03:04:26,959 --> 03:04:30,559 -a release of miss every three weeks - -5097 -03:04:29,40 --> 03:04:34,560 -usually +03:04:23,500 --> 03:04:29,500 +As an example, we do a release of MISP every three weeks usually 5098 -03:04:30,559 --> 03:04:35,359 -and there are many new features on each - -5099 -03:04:34,559 --> 03:04:38,398 -release +03:04:29,500 --> 03:04:35,0 +and there are many new features on each release 5100 -03:04:35,359 --> 03:04:40,318 -as an example we had a request like that 
- -5101 -03:04:38,398 --> 03:04:43,599 -sami just fixed uh +03:04:35,0 --> 03:04:43,0 +As an example we had a request like that someone just fixed two days ago about the events... 5102 -03:04:40,318 --> 03:04:44,559 -two days ago about the events oh we +03:04:43,0 --> 03:04:49,500 +Oh we didn't even show it. Event timeline and then 5103 -03:04:43,600 --> 03:04:48,640 -didn't even show it +03:04:49,500 --> 03:04:51,500 +we wanted to have something that is easy to set the number of days 5104 -03:04:44,559 --> 03:04:50,398 -even timeline and then +03:04:51,500 --> 03:04:55,500 +and then he added the new feature. So sometimes it makes a lot of sense 5105 -03:04:48,639 --> 03:04:52,159 -we wanted to have something that is easy - -5106 -03:04:50,398 --> 03:04:52,478 -to set the number of days and then he - -5107 -03:04:52,159 --> 03:04:54,719 -has - -5108 -03:04:52,478 --> 03:04:56,318 -the new feature so sometimes it makes a - -5109 -03:04:54,719 --> 03:04:57,39 -lot of sense so don't hesitate to create - -5110 -03:04:56,318 --> 03:05:00,79 -a - -5111 -03:04:57,40 --> 03:05:01,359 -an issue and and propose a new new - -5112 -03:05:00,79 --> 03:05:05,600 -feature +03:04:55,500 --> 03:05:00,500 +so don't hesitate to create an issue and and propose a new feature. 5113 -03:05:01,359 --> 03:05:08,79 -which remind me of showing you the even - -5114 -03:05:05,600 --> 03:05:09,520 -timeline because we didn't really show - -5115 -03:05:08,79 --> 03:05:13,359 -it +03:05:00,500 --> 03:05:08,500 +Which remind me of showing you the event timeline because we didn't really show it. 
5116 -03:05:09,520 --> 03:05:17,840 -so you see that on on this one - -5117 -03:05:13,359 --> 03:05:20,239 -we we have nearly everything +03:05:08,500 --> 03:05:18,500 +So you see that on this one we have nearly everything on the same time 5118 -03:05:17,840 --> 03:05:21,120 -same time which is basically the time - -5119 -03:05:20,239 --> 03:05:24,79 -when we +03:05:18,500 --> 03:05:28,500 +which is basically the time when we create the different object we just set the time for one so... 5120 -03:05:21,120 --> 03:05:27,760 -create a different object we just set - -5121 -03:05:24,79 --> 03:05:31,439 -the time for four for one - -5122 -03:05:27,760 --> 03:05:33,120 -so and then i can - -5123 -03:05:31,439 --> 03:05:35,120 -basically look at this one and this one - -5124 -03:05:33,120 --> 03:05:37,760 -is like the +03:05:28,500 --> 03:05:34,500 +and then I can basically look at this one and this one is like the.. 5125 -03:05:35,120 --> 03:05:40,319 -yeah i don't know why we don't have the - -5126 -03:05:37,760 --> 03:05:41,600 -expansion on that one +03:05:34,500 --> 03:05:38,500 +Yeah, I don't know why we don't have the expansion on that one. 
5127 -03:05:40,318 --> 03:05:43,359 -so for you for example if you have a - -5128 -03:05:41,600 --> 03:05:44,960 -specific time we can - -5129 -03:05:43,359 --> 03:05:46,318 -expand it and even change it in the +03:05:38,500 --> 03:05:45,0 +so for example if you have a specific time we can expand it and even change it in the graph 5130 -03:05:44,959 --> 03:05:47,679 -graph so that means if we have for - -5131 -03:05:46,318 --> 03:05:50,559 -example this email - -5132 -03:05:47,680 --> 03:05:51,120 -a thing with that we can we can expand - -5133 -03:05:50,559 --> 03:05:54,0 -11150.56 --> 11154 -it +03:05:45,0 --> 03:05:47,500 +so that means if we have for example this email, 5134 -03:05:51,120 --> 03:05:56,240 -and change when when this has been seen +03:05:47,500 --> 03:05:54,0 +a thing that we can do is expand it and change when this has been seen 5135 -03:05:54,0 --> 03:05:58,559 -11154 --> 11158.56 -and we can even uh - -5136 -03:05:56,239 --> 03:06:00,239 -change at which time this specific - -5137 -03:05:58,559 --> 03:06:04,79 -specifically +03:05:54,0 --> 03:06:00,0 +and we can even change at which time this specific model has been seen. 5138 -03:06:00,239 --> 03:06:07,439 -but that's again a good point to do - -5139 -03:06:04,79 --> 03:06:10,959 -is to automatically create - -5140 -03:06:07,439 --> 03:06:13,200 -a first thing last scene on your element +03:06:00,0 --> 03:06:10,500 +But that's again a good point to do is to automatically create a first thing last seen on your element. 
5141 -03:06:10,959 --> 03:06:14,959 -because every time you do that you will +03:06:10,500 --> 03:06:16,0 +Because every time you do that you will get an automatic timeline and actually a quick 5142 -03:06:13,200 --> 03:06:16,880 -get an automatic timeline - -5143 -03:06:14,959 --> 03:06:20,478 -and actually a quick i would say quick - -5144 -03:06:16,879 --> 03:06:20,478 -win when you do analysis - -5145 -03:06:21,510 --> 03:06:25,439 -[Music] +03:06:16,0 --> 03:06:19,500 +I would say quick win when you do analysis. 5146 -03:06:23,760 --> 03:06:27,120 -so if there are no more questions about - -5147 -03:06:25,439 --> 03:06:28,800 -event creation perhaps one of the things - -5148 -03:06:27,120 --> 03:06:33,200 -we can do is show the searching +03:06:23,0 --> 03:06:28,500 +So if there are no more questions about event creation perhaps one of the things we can do is show the searching. 5149 -03:06:28,799 --> 03:06:33,199 -how to search for stuff in your risk +03:06:28,500 --> 03:06:33,0 +How to search for stuff in your MISP. 
5150 -03:06:36,398 --> 03:06:40,239 -okay so this is something that we're - -5151 -03:06:38,799 --> 03:06:42,398 -going to show very briefly now and we're +03:06:36,0 --> 03:06:40,0 +okay so this is something that we're going to show very briefly now 5152 -03:06:40,239 --> 03:06:43,199 -going to go a bit more detail into this - -5153 -03:06:42,398 --> 03:06:44,959 -tomorrow +03:06:40,0 --> 03:06:42,500 +and we're going to go in a bit more detail into this tomorrow 5154 -03:06:43,200 --> 03:06:47,40 -when we're also going to look at the api - -5155 -03:06:44,959 --> 03:06:47,679 -but generally whenever you're searching - -5156 -03:06:47,40 --> 03:06:49,40 -in miss +03:06:42,500 --> 03:06:47,500 +when we're also going to look at the api but generally whenever you're searching in MISP 5157 -03:06:47,680 --> 03:06:50,800 -the main question you need to ask - -5158 -03:06:49,40 --> 03:06:52,960 -yourself is +03:06:47,500 --> 03:06:52,500 +the main question you need to ask yourself is what scope am I searching on? 5159 -03:06:50,799 --> 03:06:54,719 -what scope am i searching on am i - +03:06:52,500 --> 03:06:56,500 +Am i searching for individual attributes or am I searching for events? 
+ 5160 -03:06:52,959 --> 03:06:56,879 -searching for individual attributes - -5161 -03:06:54,719 --> 03:06:58,559 -or am i searching for events the search - -5162 -03:06:56,879 --> 03:07:01,278 -filters very often overlapping - -5163 -03:06:58,559 --> 03:07:02,318 -or aren't necessarily almost the same +03:06:56,500 --> 03:07:01,500 +The search filters very often overlapping or are almost the same 5164 -03:07:01,279 --> 03:07:04,79 -but one of the things you need to keep +03:07:01,500 --> 03:07:03.500 +but one of the things you need to keep in mind is for example 5165 -03:07:02,318 --> 03:07:04,398 -in mind is for example if i'm searching - -5166 -03:07:04,79 --> 03:07:06,879 -for - -5167 -03:07:04,398 --> 03:07:09,39 -bitcoin addresses in my miss vincent's - -5168 -03:07:06,879 --> 03:07:11,278 -bitcoin wallets +03:07:03.500 --> 03:07:08,500 +if i'm searching for bitcoin addresses in my MISP instance, bitcoin wallets. 5169 -03:07:09,40 --> 03:07:12,640 -am i searching for any event that - -5170 -03:07:11,279 --> 03:07:16,0 -11231.279 --> 11236 -contains at least one +03:07:08,500 --> 03:07:14,500 +Am I searching for any event that contains at least one bitcoin address 5171 -03:07:12,639 --> 03:07:18,239 -bitcoin address or am i searching for - -5172 -03:07:16,0 --> 03:07:19,920 -11236 --> 11239.92 -just the bitcoin addresses themselves +03:07:14,500 --> 03:07:18,500 +or am I searching for just the bitcoin addresses themselves? 
5173 -03:07:18,239 --> 03:07:21,439 -so this is when we decide between +03:07:18,500 --> 03:07:21,0 +So this is when we decide between different scopes 5174 -03:07:19,920 --> 03:07:23,520 -different scopes so - -5175 -03:07:21,439 --> 03:07:25,200 -generally attribute scope will only give - -5176 -03:07:23,520 --> 03:07:26,399 -you the individual attributes that match - -5177 -03:07:25,200 --> 03:07:27,840 -the criteria +03:07:21,0 --> 03:07:26,500 +so generally attribute scope will only give you the individual attributes that match the criteria 5178 -03:07:26,398 --> 03:07:29,439 -and the event scope will give you - -5179 -03:07:27,840 --> 03:07:32,239 -everything that contains +03:07:26,500 --> 03:07:31,500 +and the event scope will give you everything that contains at least one matching value. 5180 -03:07:29,439 --> 03:07:34,318 -at least one matching value so here what - -5181 -03:07:32,239 --> 03:07:36,639 -what alex did he just searched - -5182 -03:07:34,318 --> 03:07:37,760 -using the attribute search for all the - -5183 -03:07:36,639 --> 03:07:39,519 -bitcoin addresses +03:07:31,500 --> 03:07:39,0 +So here what Alex did, he just searched using the attribute search for all the bitcoin addresses in the instance 5184 -03:07:37,760 --> 03:07:40,880 -in the air in the instance and we see we - -5185 -03:07:39,520 --> 03:07:42,560 -get a bunch of them from different +03:07:39,0 --> 03:07:41,500 +and we see we get a bunch of them from different sources, 5186 -03:07:40,879 --> 03:07:44,559 -sources we see which events there - -5187 -03:07:42,559 --> 03:07:46,239 -they're from which organization has - -5188 -03:07:44,559 --> 03:07:47,439 -created that information and so on and - -5189 -03:07:46,239 --> 03:07:49,199 -so forth +03:07:41,500 --> 03:07:47,500 +we see which events they're from which organization has created that information and so on and so forth 5190 -03:07:47,439 --> 03:07:51,520 -uh if we're happy with the search - -5191 -03:07:49,200 --> 03:07:53,600 
-results and we've set up all our +03:07:47,500 --> 03:07:54,500 +If we're happy with the search results and we've set up all our features and we're getting exactly what we were looking for 5192 -03:07:51,520 --> 03:07:55,120 -features and we're getting exactly what - -5193 -03:07:53,600 --> 03:07:57,279 -we were looking for - -5194 -03:07:55,120 --> 03:07:59,120 -maybe even several pages of it like here +03:07:54,500 --> 03:07:57,500 +maybe even several pages of it like here. 5195 -03:07:57,279 --> 03:08:01,200 -we can download the results in any of +03:07:57,500 --> 03:08:00,500 +We can download the results in any of these supported formats 5196 -03:07:59,120 --> 03:08:02,640 -these supported formats so we could say +03:08:00,500 --> 03:08:03,0 +so we could say okay now we have all these bitcoin addresses out there 5197 -03:08:01,200 --> 03:08:04,560 -okay now we have all these bitcoin - -5198 -03:08:02,639 --> 03:08:05,278 -addresses out there generate the csv out - -5199 -03:08:04,559 --> 03:08:08,398 -of it +03:08:03,0 --> 03:08:07,500 +generate the csv out of it and it will generate a massive csv 5200 -03:08:05,279 --> 03:08:10,640 -and it will generate a massive csv - -5201 -03:08:08,398 --> 03:08:13,199 -with all the attribute information for - -5202 -03:08:10,639 --> 03:08:13,199 -each of these +03:08:07,500 --> 03:08:11,500 +with all the attribute information for each of these. 5203 -03:08:13,840 --> 03:08:18,559 -i hope you're not running my timings - -5204 -03:08:15,760 --> 03:08:18,559 -inside of memory +03:08:13,0 --> 03:08:17,500 +I hope you're not running my time instance out of memory. 5205 -03:08:19,520 --> 03:08:23,120 -there it is - -5206 -03:08:21,760 --> 03:08:26,159 -[Music] +03:08:19,0 --> 03:08:20,500 +There it is. 5207 -03:08:23,120 --> 03:08:28,0 -11303.12 --> 11308 -so if you open it just to see the - -5208 -03:08:26,159 --> 03:08:31,279 -results quickly +03:08:20,500 --> 03:08:28,500 +So if you open it. Just to see the results quickly. 
There we go. 5209 -03:08:28,0 --> 03:08:34,159 -11308 --> 11314.16 -there we go so in this case uh - -5210 -03:08:31,279 --> 03:08:34,960 -we now downloaded our search results as - -5211 -03:08:34,159 --> 03:08:36,559 -csv +03:08:28,500 --> 03:08:35,500 +So in this case, we now downloaded our search results as csv. 5212 -03:08:34,959 --> 03:08:39,119 -now keep in mind whenever you're dealing +03:08:35,500 --> 03:08:38,500 +Now keep in mind whenever you're dealing with integration of MISP 5213 -03:08:36,559 --> 03:08:39,439 -with integration of mis with other tools - -5214 -03:08:39,120 --> 03:08:41,439 -or - -5215 -03:08:39,439 --> 03:08:43,680 -exports keep in mind that certain +03:08:38,500 --> 03:08:42,500 +with other tools or exports keep in mind that certain formats don't really cater 5216 -03:08:41,439 --> 03:08:45,200 -formats don't really cater to exporting - -5217 -03:08:43,680 --> 03:08:47,600 -certain types of data so +03:08:42,500 --> 03:08:44,0 +to exporting certain types of data. 5218 -03:08:45,200 --> 03:08:49,439 -if you're searching for ransomware - -5219 -03:08:47,600 --> 03:08:51,920 -payout +03:08:44,0 --> 03:08:50,500 +So if you're searching for ransomware payout wallets. 5220 -03:08:49,439 --> 03:08:52,800 -wallets you could for example specify as - -5221 -03:08:51,920 --> 03:08:55,120 -a tag - -5222 -03:08:52,799 --> 03:08:56,398 -all the different ransomware related - -5223 -03:08:55,120 --> 03:08:58,880 -tags that you have +03:08:50,500 --> 03:08:55,500 +you could, for example, specify as a tag, all the different ransomware related tags that you have 5224 -03:08:56,398 --> 03:09:00,559 -and uh as a type select btc like what - -5225 -03:08:58,879 --> 03:09:02,239 -alex has done here and exported +03:08:55,500 --> 03:09:01,0 +and as a type select BTC like what Alex has done here and export the information. 
5226 -03:09:00,559 --> 03:09:03,920 -information now when you're deciding - -5227 -03:09:02,239 --> 03:09:05,760 -what format to download in +03:09:01,0 --> 03:09:03,500 +Now when you're deciding what format to download in, 5228 -03:09:03,920 --> 03:09:07,920 -again some don't make any sense so don't +03:09:03,500 --> 03:09:08,500 +again, some don't make any sense so don't download bitcoin addresses in STIX format 5229 -03:09:05,760 --> 03:09:10,239 -download bitcoin addresses in sticks - -5230 -03:09:07,920 --> 03:09:11,920 -format because sticks doesn't have a - -5231 -03:09:10,239 --> 03:09:13,359 -way to express bitcoin addresses for - -5232 -03:09:11,920 --> 03:09:15,439 -example +03:09:08,500 --> 03:09:12,500 +because STIX doesn't have a way to express bitcoin addresses for example. 5233 -03:09:13,359 --> 03:09:17,120 -so just make sure that you also take - -5234 -03:09:15,439 --> 03:09:19,760 -that into consideration and exporting +03:09:12,500 --> 03:09:17,0 +So just make sure that you also take that into consideration when exporting data 5235 -03:09:17,120 --> 03:09:22,160 -data so that it's not wasting +03:09:17,0 --> 03:09:18,500 +so that it's not {inaudible}. 5236 -03:09:19,760 --> 03:09:23,680 -uh besides that we can do the same on - -5237 -03:09:22,159 --> 03:09:24,559 -the event level we can also do searches - -5238 -03:09:23,680 --> 03:09:26,800 -on the event level +03:09:18,500 --> 03:09:24,500 +Besides that we can do the same on the event level, we can also do searches on the event level. 
5239 -03:09:24,559 --> 03:09:29,39 -if we go back to our event index we have +03:09:24,500 --> 03:09:28,500 +If we go back to our event index, we have a little magnifying glass icon 5240 -03:09:26,799 --> 03:09:29,358 -a little magnifying glass icon where you - -5241 -03:09:29,40 --> 03:09:31,600 -can - -5242 -03:09:29,359 --> 03:09:32,479 -add additional filter options to the - -5243 -03:09:31,600 --> 03:09:34,720 -index - -5244 -03:09:32,478 --> 03:09:35,519 -and filter the database on that so let's +03:09:28,500 --> 03:09:34,500 +where you can add additional filter options to the index and filter the database on that. 5245 -03:09:34,719 --> 03:09:38,159 -just do - -5246 -03:09:35,520 --> 03:09:39,520 -simple we're going to just filter on - -5247 -03:09:38,159 --> 03:09:41,200 -events coming from circle +03:09:34,500 --> 03:09:39,500 +So let's just do "CIRCL", we're going to just filter on events coming from CIRCL 5248 -03:09:39,520 --> 03:09:42,960 -and we can also add for example events - -5249 -03:09:41,200 --> 03:09:45,439 -that are not published +03:09:39,500 --> 03:09:42,500 +and we can also add, for example, events that are not published. 5250 -03:09:42,959 --> 03:09:47,358 -if you wanted to do some final checks on +03:09:42,500 --> 03:09:46,500 +If you wanted to do some final checks on whether... 5251 -03:09:45,439 --> 03:09:50,960 -whether - -5252 -03:09:47,359 --> 03:09:52,399 -uh we need to add the organization again +03:09:46,500 --> 03:09:49,500 +We need to add the organization again. 5253 -03:09:50,959 --> 03:09:54,79 -whether we have any events that need to +03:09:49,500 --> 03:09:52,500 +whether we have any events that need to be vetted. 5254 -03:09:52,398 --> 03:09:55,840 -be vetted for example for our own - -5255 -03:09:54,79 --> 03:09:57,39 -organization then we could use this - -5256 -03:09:55,840 --> 03:09:58,799 -filter for it +03:09:52,500 --> 03:09:56,500 +For example for our own organization, then we could use this filter for it. 
5257 -03:09:57,40 --> 03:10:00,479 -on the event index all of these search - -5258 -03:09:58,799 --> 03:10:02,559 -filters that you apply +03:09:56,500 --> 03:10:02,0 +On the event index, all of these search filters that you apply generate a specific url 5259 -03:10:00,478 --> 03:10:03,519 -generate a specific url and you can - -5260 -03:10:02,559 --> 03:10:05,359 -bookmark it - -5261 -03:10:03,520 --> 03:10:06,560 -so if you have recurring queries that - -5262 -03:10:05,359 --> 03:10:08,399 -you want to monitor +03:10:02,0 --> 03:10:06,500 +and you can bookmark it, so if you have recurring queries that you want to monitor 5263 -03:10:06,559 --> 03:10:09,680 -then you can just bookmark the url and - -5264 -03:10:08,398 --> 03:10:11,358 -you can go back to it +03:10:06,500 --> 03:10:10,0 +then you can just bookmark the url and you can go back to it later on 5265 -03:10:09,680 --> 03:10:12,960 -later on and see if there is anything - -5266 -03:10:11,359 --> 03:10:16,880 -that popped up that matches your +03:10:10,0 --> 03:10:13,500 +and see if there is anything that popped up that matches your search criteria. 
5267 -03:10:12,959 --> 03:10:19,839 -search criteria now generally - -5268 -03:10:16,879 --> 03:10:21,199 -like i think 90 of our searches do not - -5269 -03:10:19,840 --> 03:10:23,600 -actually happen via the ui +03:10:14,0 --> 03:10:21,0 +now generally like I think 90% of our searches do not actually happen via the UI 5270 -03:10:21,200 --> 03:10:25,200 -they happen via the api so very often - -5271 -03:10:23,600 --> 03:10:26,79 -you have tools that you search through +03:10:21,0 --> 03:10:25,500 +they happen via the API, so very often you have tools that you search through 5272 -03:10:25,200 --> 03:10:28,479 -so if you have a - -5273 -03:10:26,79 --> 03:10:30,238 -tool that acts as a front-end for your - -5274 -03:10:28,478 --> 03:10:32,0 -11428.479 --> 11432 -miss for certain searches that works as - -5275 -03:10:30,238 --> 03:10:33,439 -well +03:10:25,500 --> 03:10:30,500 +So if you have a tool that acts as a front-end for your MISP for certain searches that works as well. 5276 -03:10:32,0 --> 03:10:34,959 -11432 --> 11434.96 -we're going to talk more about those - -5277 -03:10:33,439 --> 03:10:37,120 -type of searches and how you integrate - -5278 -03:10:34,959 --> 03:10:39,599 -with other tools tomorrow more +03:10:32,0 --> 03:10:36,500 +We're going to talk more about those type of searches and how you integrate with other tools tomorrow more 5279 -03:10:37,120 --> 03:10:41,279 -when we go into the api a bit is a +03:10:36,500 --> 03:10:39,0 +When we go into the api 5280 -03:10:39,600 --> 03:10:42,960 -question about soft delete attribute - -5281 -03:10:41,279 --> 03:10:45,600 -search +03:10:39,0 --> 03:10:42,500 +There is a question about soft delete attribute search 5282 -03:10:42,959 --> 03:10:47,199 -i just lost the q and a so some martin +03:10:42,500 --> 03:10:44,0 +I just lost the Q&A page. 
5283 -03:10:45,600 --> 03:10:48,559 -asks is there a way to do a global - -5284 -03:10:47,200 --> 03:10:51,840 -search for software +03:10:44,0 --> 03:10:49,500 +So Martin asks "is there a way to do a global search for soft delete attributes?" 5285 -03:10:48,559 --> 03:10:54,318 -attributes yes sorry where is it - -5286 -03:10:51,840 --> 03:10:56,478 -there for software attachments yes there - -5287 -03:10:54,318 --> 03:10:59,359 -is +03:10:49,500 --> 03:10:54,500 +Yes, sorry, where is it? For soft delete attributes? Yes there is. 5288 -03:10:56,478 --> 03:11:00,879 -uh so not via the ui but via the api uh - -5289 -03:10:59,359 --> 03:11:02,238 -which you can also access +03:10:54,500 --> 03:11:01,0 +So not via the UI but via the API which you can also access via the UI by the way. 5290 -03:11:00,879 --> 03:11:03,759 -by the way we have two we have a +03:11:01,0 --> 03:11:04,500 +We have a tool. We have a built-in tool. We can even show this example there. 5291 -03:11:02,238 --> 03:11:04,799 -built-in tool we can even show it show - -5292 -03:11:03,760 --> 03:11:08,639 -this example there - -5293 -03:11:04,799 --> 03:11:08,639 -we didn't show the delete i +03:11:04,500 --> 03:11:07,500 +we didn't show the delete 5294 -03:11:10,639 --> 03:11:15,39 -and let's start with the question first +03:11:07,500 --> 03:11:08,500 +Haha, that's a good point. -5295 -03:11:12,639 --> 03:11:16,639 -and then we go to the delete +5294 +03:11:08,500 --> 03:11:14,500 +Let's start with the question first and then we go to the delete -5296 -03:11:15,40 --> 03:11:18,560 -so we have this built-in tool called the - -5297 -03:11:16,639 --> 03:11:22,478 -rest client that allows us to run - -5298 -03:11:18,559 --> 03:11:24,318 -searches directly from the interface so +S296 +03:11:14,500 --> 03:11:20,500 +so we have this built-in tool called the "REST client" that allows us to run searches directly from the interface. 
5299 -03:11:22,478 --> 03:11:26,0 -11482.479 --> 11486 -generally indeed we have a software +03:11:20,500 --> 03:11:25,500 +So generally indeed we have a soft delete mechanism in MISP 5300 -03:11:24,318 --> 03:11:29,119 -delete mechanism in bisp - -5301 -03:11:26,0 --> 03:11:30,79 -11486 --> 11490.08 -that allows you to to not fully remove - -5302 -03:11:29,120 --> 03:11:32,239 -an attribute but - -5303 -03:11:30,79 --> 03:11:33,920 -mark is for it for deletion the reason +03:11:25,500 --> 03:11:31,500 +that allows you to to not fully remove an attribute but mark it for deletion. 5304 -03:11:32,238 --> 03:11:36,159 -why we do this in general is - -5305 -03:11:33,920 --> 03:11:37,439 -whenever we're synchronizing information +03:11:32,238 --> 03:11:36,500 +The reason why we do this in general is whenever we're synchronizing information 5306 03:11:36,159 --> 03:11:38,799 -and we delete an attribute +and we delete an attribute we want to inform all the other instances 5307 -03:11:37,439 --> 03:11:40,880 -we want to inform all the leather - -5308 -03:11:38,799 --> 03:11:42,159 -instances attribute needs to be removed - -5309 -03:11:40,879 --> 03:11:44,238 -it is revoked +03:11:37,439 --> 03:11:41,500 +that an attribute needs to be removed, it is revoked. 
5310 -03:11:42,159 --> 03:11:45,680 -so this is why we do the soft delete - -5311 -03:11:44,238 --> 03:11:48,478 -when we hide it from the interface - -5312 -03:11:45,680 --> 03:11:50,639 -behind it from the exports +03:11:42,159 --> 03:11:47,500 +So this is why we do the soft delete where we hide it from the interface, we hide it from the exports 5313 -03:11:48,478 --> 03:11:52,0 -11508.479 --> 11512 -but we still keep the data and we inform - -5314 -03:11:50,639 --> 03:11:54,0 -11510.64 --> 11514 -the other instances that they need to - -5315 -03:11:52,0 --> 03:11:57,120 -11512 --> 11517.12 -also market for deletion +03:11:48,478 --> 03:11:53,500 +but we still keep the data and we inform the other instances that they need to also mark it for deletion. 5316 -03:11:54,0 --> 03:11:58,799 -11514 --> 11518.8 -now if the question is how do we do a - -5317 -03:11:57,120 --> 03:12:00,319 -global search for all the soft deleted +03:11:54,0 --> 03:11:59,500 +Now if the question is how do we do a global search for all the soft deleted attributes. 5318 -03:11:58,799 --> 03:12:00,799 -attributes so first of all what we need - -5319 -03:12:00,318 --> 03:12:04,478 -to do - -5320 -03:12:00,799 --> 03:12:06,799 -yeah using our little research too +03:11:58,799 --> 03:12:04,500 +So first of all what we need to do using our little REST search tool is 5321 -03:12:04,478 --> 03:12:08,719 -is by the way we have the modern apis - -5322 -03:12:06,799 --> 03:12:11,438 -here to create a new api unless you know - -5323 -03:12:08,719 --> 03:12:11,438 -yours by heart +03:12:04,478 --> 03:12:09,500 +by the way we have the Modern APIs here, so to create a new API unless you know yours by heart 5324 -03:12:12,0 --> 03:12:17,200 -11532 --> 11537.2 -so alex because you it's very good - -5325 -03:12:17,359 --> 03:12:20,479 -so so just quickly that's so uh so in - -5326 -03:12:19,439 --> 03:12:22,318 -the meanwhile what +03:12:12,0 --> 03:12:22,500 +so alex because... 
So just quickly, so in the meanwhile what Alex is doing now is 5327 -03:12:20,478 --> 03:12:24,238 -alex is doing now is uh he's going to - -5328 -03:12:22,318 --> 03:12:26,959 -generate a new api key for himself - -5329 -03:12:24,238 --> 03:12:29,359 -so that we can actually test the api uh - -5330 -03:12:26,959 --> 03:12:33,839 -queries +03:12:20,478 --> 03:12:28,500 +he's going to generate a new api key for himself so that we can actually test the api queries. 5331 -03:12:29,359 --> 03:12:33,840 -oh that's one word yeah +03:12:28,500 --> 03:12:31,500 +Oh that won't work. 5332 -03:12:35,279 --> 03:12:47,840 -yeah you can add enough key from here as +03:12:31,500 --> 03:12:37,500 +Yeah you can add another key from here as well, this will work. 5333 -03:12:36,719 --> 03:12:47,840 -well this will work yeah that works - -5334 -03:12:54,129 --> 03:12:57,279 -[Music] +03:12:37,500 --> 03:12:39,500 +Yeah that works. 5335 -03:12:59,680 --> 03:13:16,238 -a global action my profile by the way if - -5336 -03:13:01,520 --> 03:13:16,238 -you want to find your profile okay +03:12:59,0 --> 03:13:02,500 +Global action, my profile, by the way if you want to find your profile. 5337 -03:13:17,359 --> 03:13:21,760 -so now we have our api key now we go to +03:13:17,0 --> 03:13:19,500 +Okay, so now we have our api key. 5338 -03:13:20,159 --> 03:13:22,398 -rest client we just paste it in there - -5339 -03:13:21,760 --> 03:13:25,680 -now - -5340 -03:13:22,398 --> 03:13:25,680 -in the authorization field +03:13:19,500 --> 03:13:23,500 +Now we go to REST client we just paste it in there now in the authorization field. 
5341 -03:13:27,439 --> 03:13:30,639 -here we go and now what we're going to - -5342 -03:13:28,799 --> 03:13:32,79 -do is we're going to uh to run a search +03:13:27,0 --> 03:13:30,0 +Here we go and now what we're going to do is we're going to run a search 5343 -03:13:30,639 --> 03:13:32,478 -for all software attributes so we're - -5344 -03:13:32,79 --> 03:13:35,680 -going to +03:13:30,0 --> 03:13:34,500 +for all soft delete attributes so we're going to search for attribute restSearch. 5345 -03:13:32,478 --> 03:13:37,519 -search for attribute rest search so that - -5346 -03:13:35,680 --> 03:13:38,960 -is a scope that allows us to search on - +03:13:34,500 --> 03:13:38,500 +So that is a scope that allows us to search on the attribute level. + 5347 -03:13:37,520 --> 03:13:41,120 -the attribute level we'll do we'll see - -5348 -03:13:38,959 --> 03:13:44,0 -11618.96 --> 11624 -more of this tomorrow +03:13:38,500 --> 03:13:42,500 +we'll see more of this tomorrow, just a small example. 5349 -03:13:41,120 --> 03:13:47,600 -just a small example for return format +03:13:42,500 --> 03:13:47,0 +For return format, let's pick something like JSON 5350 -03:13:44,0 --> 03:13:47,600 -11624 --> 11627.6 -let's pick something like json - -5351 -03:13:53,520 --> 03:13:59,520 -and perhaps set a page under limit or - -5352 -03:13:56,719 --> 03:14:01,119 -date one limit 100 or something like - -5353 -03:13:59,520 --> 03:14:02,479 -that +03:13:54,0 --> 03:14:00,0 +and perhaps set a page under limit or take one limit 100 or something like that 5354 -03:14:01,120 --> 03:14:04,640 -i don't know how much was deleted here - -5355 -03:14:02,478 --> 03:14:07,199 -but it might be a lot and uh +03:14:01,120 --> 03:14:03,500 +I don't know how much was deleted here but it might be a lot 5356 -03:14:04,639 --> 03:14:11,840 -then just uh add another key deleted - -5357 -03:14:07,200 --> 03:14:11,840 -there we go +03:14:04,639 --> 03:14:07,500 +and then just add another key deleted, there we go 5358 
-03:14:12,159 --> 03:14:15,439 -and then deleted september +03:14:07,500 --> 03:14:16,0 +and then deleted set to 1 5359 -03:14:16,398 --> 03:14:19,680 +03:14:16,0 --> 03:14:19,0 and we don't need anything else 5360 -03:14:20,318 --> 03:14:24,478 -and this will return the first 100 hits - -5361 -03:14:23,279 --> 03:14:28,238 -from the instance - -5362 -03:14:24,478 --> 03:14:28,238 -of attributes that are deleted +03:14:19,0 --> 03:14:26,500 +and this will return the first 100 hits from the instance of attributes that are deleted. 5363 -03:14:30,398 --> 03:14:35,278 -there we go and now if you if you wanted +03:14:30,0 --> 03:14:35,0 +There we go And now if you wanted to paginate through all these attributes 5364 -03:14:33,600 --> 03:14:36,720 -to paginate through all these attributes - -5365 -03:14:35,279 --> 03:14:37,359 -you would have to just raise the page - -5366 -03:14:36,719 --> 03:14:40,0 -11676.72 --> 11680 -number +03:14:33,600 --> 03:14:37,500 +you would have to just raise the page number. 5367 -03:14:37,359 --> 03:14:40,800 -go back and and get page 2 page 3 page 4 - -5368 -03:14:40,0 --> 03:14:42,799 -11680 --> 11682.8 -and so on +03:14:37,500 --> 03:14:40,500 +Go back and and get page 2, page 3, page 4, and so on 5369 -03:14:40,799 --> 03:14:44,959 -or if we have enough memory certainly my - -5370 -03:14:42,799 --> 03:14:46,318 -training instance definitely doesn't +03:14:40,500 --> 03:14:44,500 +or if we have enough memory certainly my training instance definitely doesn't 5371 -03:14:44,959 --> 03:14:49,278 -then we could just say give us - -5372 -03:14:46,318 --> 03:14:49,278 -everything in one shot +03:14:44,500 --> 03:14:47,500 +then we could just say give us everything in one shot. 5373 -03:14:49,600 --> 03:14:53,840 -okay so i hope that answers your - -5374 -03:14:52,79 --> 03:14:56,559 -question martin +03:14:49,0 --> 03:14:53,500 +Okay so I hope that answers your question Martin. 
5375 -03:14:53,840 --> 03:14:58,559 -um there is also a question is there an - -5376 -03:14:56,559 --> 03:15:01,600 -official miss docker image +03:14:53,500 --> 03:14:58,500 +There is also a question, is there an official MISP docker image? 5377 -03:14:58,559 --> 03:15:04,318 -um and there are actually several uh - -5378 -03:15:01,600 --> 03:15:05,439 -they're not maintained by us but by - -5379 -03:15:04,318 --> 03:15:08,0 -11704.319 --> 11708 -contributors +03:14:58,500 --> 03:15:04,500 +There are actually several, they're not maintained by us but by contributors 5380 -03:15:05,439 --> 03:15:09,200 -that are very active and working closely - -5381 -03:15:08,0 --> 03:15:11,680 -11708 --> 11711.68 -with us +03:15:04,500 --> 03:15:08,500 +that are very active and working closely with us. 5382 -03:15:09,200 --> 03:15:13,279 -so i've pasted one example in the zoom - -5383 -03:15:11,680 --> 03:15:14,960 -group chat +03:15:08,500 --> 03:15:12,500 +So I've pasted one example in the zoom group chat. 5384 -03:15:13,279 --> 03:15:16,560 -i don't know if maybe it's not visible - -5385 -03:15:14,959 --> 03:15:19,119 -to everyone - -5386 -03:15:16,559 --> 03:15:20,719 -i can just drop it as an answer here +03:15:12,500 --> 03:15:18,500 +I don't know if maybe it's not visible to everyone. I can just drop it as an answer here. 5387 -03:15:19,120 --> 03:15:24,160 -yeah it's better +03:15:18,500 --> 03:15:20,500 +Yeah, it's better. 5388 -03:15:20,719 --> 03:15:26,79 -so this one is done by cool acid so why - -5389 -03:15:24,159 --> 03:15:29,600 -there are so many docker myths +03:15:20,500 --> 03:15:25,500 +So this one is done by coolacid, so why are there are so many docker MISP? 
5390 -03:15:26,79 --> 03:15:32,398 -that's i think the the - -5391 -03:15:29,600 --> 03:15:35,200 -speciality of docker not everyone agrees +03:15:25,500 --> 03:15:34,0 +That's I think the specialty of docker, not everyone agrees on a model with docker 5392 -03:15:32,398 --> 03:15:37,760 -on a model with docker so there are - -5393 -03:15:35,200 --> 03:15:39,520 -at least as far as i know four or five +03:15:34,0 --> 03:15:38,0 +so there are at least as far as I know four or five different dockers 5394 -03:15:37,760 --> 03:15:41,760 -different dockers there's one managed by - -5395 -03:15:39,520 --> 03:15:45,40 -dcso one by cool assist - -5396 -03:15:41,760 --> 03:15:47,359 -one by xavier mcpens and one by +03:15:38,0 --> 03:15:43,500 +there's one managed by DCSO, one by CoolAcid, one by Xavier Mertens and 5397 -03:15:45,40 --> 03:15:48,479 -harvard security and i'm sure i'm - -5398 -03:15:47,359 --> 03:15:51,520 -missing some +03:15:43,500 --> 03:15:47,00 +one by HarvardSecurity and I'm sure I'm missing some. 5399 -03:15:48,478 --> 03:15:54,159 -um so the thing is um for - -5400 -03:15:51,520 --> 03:15:55,840 -for the docker images it's depending of - -5401 -03:15:54,159 --> 03:15:57,600 -i would say your test +03:15:47,00 --> 03:15:55,500 +So the thing is for the docker images it's depending on I would say your taste 5402 -03:15:55,840 --> 03:15:59,439 -so have a look at what the different - -5403 -03:15:57,600 --> 03:16:02,0 -11757.6 --> 11762 -contributors are doing +03:15:55,500 --> 03:15:59,500 +so have a look at what the different contributors are doing 5404 -03:15:59,439 --> 03:16:02,800 -and you'll see that you pick the one - -5405 -03:16:02,0 --> 03:16:05,200 -11762 --> 11765.2 -that is - -5406 -03:16:02,799 --> 03:16:06,159 -matching what you really want to do with - -5407 -03:16:05,200 --> 03:16:08,720 -docker +03:15:59,500 --> 03:16:05,500 +and you'll see that you pick the one that is matching what you really want to do with docker. 
5408 -03:16:06,159 --> 03:16:09,359 -some are really more separated container - -5409 -03:16:08,719 --> 03:16:11,199 -wise - -5410 -03:16:09,359 --> 03:16:12,800 -some are more like one single container - -5411 -03:16:11,200 --> 03:16:14,399 -with everything um +03:16:05,500 --> 03:16:12,500 +Some are really more separated container wise some are more like one single container with everything 5412 -03:16:12,799 --> 03:16:16,79 -again it's a maker of taste and all you - -5413 -03:16:14,398 --> 03:16:18,398 -want to to operate one +03:16:12,500 --> 03:16:16,500 +Again it's a maker of taste and how you want to operate one 5414 -03:16:16,79 --> 03:16:19,359 -we don't maintain one as this project +03:16:16,500 --> 03:16:18,500 +we don't maintain one as MISP project 5415 -03:16:18,398 --> 03:16:21,519 -but there are - -5416 -03:16:19,359 --> 03:16:24,399 -some that are under our missed project - -5417 -03:16:21,520 --> 03:16:24,399 -guitar position +03:16:18,500 --> 03:16:22,00 +but there are some that are under our MISP project {inaudible} position. 5418 -03:16:27,200 --> 03:16:33,120 -someone is asking about api key to - -5419 -03:16:29,920 --> 03:16:33,120 -invoke cortex analyzer +03:16:27,0 --> 03:16:32,0 +Someone is asking about API key to invoke cortex analyzer. 5420 -03:16:33,520 --> 03:16:37,40 -for the cortex analyzer it's a separate - -5421 -03:16:36,398 --> 03:16:40,398 -tool set - -5422 -03:16:37,40 --> 03:16:44,319 -of part of of the i've project +03:16:32,0 --> 03:16:39,500 +For the cortex analyzer, it's a separate toolset part of the HIVE project 5423 -03:16:40,398 --> 03:16:46,799 -and then you have specific api keys +03:16:39,500 --> 03:16:42,500 +and then you have specific API keys. 
5424 -03:16:44,318 --> 03:16:48,879 -cortex extension is like this module so - -5425 -03:16:46,799 --> 03:16:51,39 -it works for the expansion services +03:16:42,500 --> 03:16:48,500 +Cortex extension is like MISP module so it works for the expansion services 5426 -03:16:48,879 --> 03:16:52,238 -uh beaker full cortex analyzer are not - -5427 -03:16:51,40 --> 03:16:53,840 -supporting +03:16:48,500 --> 03:16:53,500 +Be careful, cortex analyzer are not supporting objects and stuff like that 5428 -03:16:52,238 --> 03:16:55,600 -objects and stuff like that which is the - -5429 -03:16:53,840 --> 03:16:57,600 -case for its modules - -5430 -03:16:55,600 --> 03:16:59,120 -so you might have expansion on the +03:16:53,500 --> 03:16:58,500 +which is the case for MISP modules so you might have expansion on the interface 5431 -03:16:57,600 --> 03:17:01,120 -interface but if you want full-blown - -5432 -03:16:59,120 --> 03:17:03,520 -expansion with relationship and so on +03:16:58,500 --> 03:17:00,500 +but if you want full-blown expansion with relationship and so on 5433 -03:17:01,120 --> 03:17:05,359 -then you can use these modules a lot of +03:17:00,500 --> 03:17:04,500 +then you can use MISP modules. 
A lot of organizations are mixing both 5434 -03:17:03,520 --> 03:17:06,800 -organizations are mixing both so you can - -5435 -03:17:05,359 --> 03:17:09,359 -have cortex-enabled and - -5436 -03:17:06,799 --> 03:17:10,238 -it's modulus enabled on the same missed - -5437 -03:17:09,359 --> 03:17:11,680 -instance +03:17:04,500 --> 03:17:09,500 +so you can have cortex-enabled and MISP modulus enabled on the same MISP instance 5438 -03:17:10,238 --> 03:17:13,920 -but going back to the question if you - -5439 -03:17:11,680 --> 03:17:16,159 -already have the cortex api encoded in +03:17:09,500 --> 03:17:14,500 +But going back to the question if you already have the Cortex API encoded in your MISP 5440 -03:17:13,920 --> 03:17:18,960 -your misspen you want to invoke - -5441 -03:17:16,159 --> 03:17:20,959 -a lookup uh through the api through misp +03:17:14,500 --> 03:17:19,0 +and you want to invoke a lookup through the API through MISP 5442 -03:17:18,959 --> 03:17:22,238 -then you can use your misspik to tell - -5443 -03:17:20,959 --> 03:17:27,438 -your misp to - -5444 -03:17:22,238 --> 03:17:29,520 -run a query against cortex +03:17:19,0 --> 03:17:24,500 +then you can use your MISP API to tell your MISP to run a query against Cortex. 5445 -03:17:27,439 --> 03:17:33,200 -but with the new api key models usually - -5446 -03:17:29,520 --> 03:17:33,200 -it's better to have dedicated api +03:17:27,0 --> 03:17:33,500 +But with the new api key models usually it's better to have dedicated API key per {inaudible}. 5447 -03:17:35,600 --> 03:17:42,569 -okay um there is something else easy - -5448 -03:17:39,680 --> 03:17:44,479 -you know that we had it already um - -5449 -03:17:42,569 --> 03:17:46,159 -[Music] +03:17:35,0 --> 03:17:41,500 +Okay, there is something else, is there a way.. 
we had that already 5450 -03:17:44,478 --> 03:17:48,159 -could you touch on how we could use one +03:17:44,0 --> 03:17:47,500 +Could you touch on how we could use one event to add multiple attributes 5451 -03:17:46,159 --> 03:17:50,639 -event to add multiple attributes and how - -5452 -03:17:48,159 --> 03:17:52,398 -would correlation work here uh configure +03:17:47,500 --> 03:17:50,500 +and how would correlation work here? 5453 -03:17:50,639 --> 03:17:53,358 -event one to fetch all records from a - -5454 -03:17:52,398 --> 03:17:54,799 -fishing feed +03:17:50,500 --> 03:17:53,500 +Configure event one to fetch all records from a feed 5455 -03:17:53,359 --> 03:17:56,800 -would this work with correlation show +03:17:53,500 --> 03:17:55,0 +Would this work with correlation? 5456 -03:17:54,799 --> 03:17:58,719 -all instances where any of those - -5457 -03:17:56,799 --> 03:17:59,759 -attributes match with other events from - -5458 -03:17:58,719 --> 03:18:02,799 -other organization +03:17:55,0 --> 03:17:59,500 +Show all instances where any of those attributes match with other events from other organization events 5459 -03:17:59,760 --> 03:18:03,760 -events well okay if i understand it - -5460 -03:18:02,799 --> 03:18:06,318 -correctly indeed +03:17:59,500 --> 03:18:05,500 +Well okay if I understand it correctly, indeed so if you do that 5461 -03:18:03,760 --> 03:18:08,318 -so if you if you do that you create an - -5462 -03:18:06,318 --> 03:18:09,920 -event for a fishing feed - -5463 -03:18:08,318 --> 03:18:11,920 -and you have those attributes in there +03:18:05,500 --> 03:18:10,0 +you create an event for a phishing feed and you have those attributes in there 5464 -03:18:09,920 --> 03:18:14,879 -and you have cross you have cached - -5465 -03:18:11,920 --> 03:18:16,879 -other instances then within that that +03:18:10,0 --> 03:18:15,500 +and you have cached other instances, then within that that feed's event 5466 -03:18:14,879 --> 03:18:17,519 -feeds event you will see 
correlations - -5467 -03:18:16,879 --> 03:18:19,278 -both to - -5468 -03:18:17,520 --> 03:18:21,359 -other events created locally on your - -5469 -03:18:19,279 --> 03:18:23,359 -instance by other organizations +03:18:15,500 --> 03:18:21,500 +you will see correlations both to other events created locally on your instance by other organizations 5470 -03:18:21,359 --> 03:18:24,720 -as well as links to other instances that - -5471 -03:18:23,359 --> 03:18:26,960 -have the - -5472 -03:18:24,719 --> 03:18:27,760 -data as long as you have cached those - -5473 -03:18:26,959 --> 03:18:29,438 -events +03:18:21,500 --> 03:18:27,500 +as well as links to other instances that have the data as long as you have cached those events 5474 -03:18:27,760 --> 03:18:31,120 -so we're going to talk more about that +03:18:27,500 --> 03:18:31,500 +so we're going to talk more about that tomorrow about the synchronization 5475 -03:18:29,439 --> 03:18:31,840 -tomorrow about the synchronization but - -5476 -03:18:31,120 --> 03:18:33,439 -when you're - -5477 -03:18:31,840 --> 03:18:34,880 -interconnecting with another instance - -5478 -03:18:33,439 --> 03:18:36,639 -you can do it in two ways +03:18:31,500 --> 03:18:34,500 +but when you're interconnecting with another instance you can do it in two ways, 5479 -03:18:34,879 --> 03:18:38,398 -one i want to start exchanging data - -5480 -03:18:36,639 --> 03:18:40,639 -pushing data pooling data +03:18:34,500 --> 03:18:37,500 +one I want to start exchanging data, pushing data, pooling data 5481 -03:18:38,398 --> 03:18:42,318 -or two i can just tell my mist to go - -5482 -03:18:40,639 --> 03:18:44,799 -crawl that other instance - -5483 -03:18:42,318 --> 03:18:46,559 -uh hash all the values that they have +03:18:37,500 --> 03:18:41,500 +or two I can just tell my MISP to go crawl that other instance 5484 -03:18:44,799 --> 03:18:48,559 -and if i ever get the correlation - -5485 -03:18:46,559 --> 03:18:50,79 -then it flags it for me that it shows me 
+03:18:41,500 --> 03:18:46,500 +hash all the values that they have and if I ever get the correlation 5486 -03:18:48,559 --> 03:18:52,79 -and then that the - -5487 -03:18:50,79 --> 03:18:54,238 -instance already knows about this value +03:18:46,500 --> 03:18:51,500 +then it flags it for me then it shows me that the instance already knows about this value 5488 -03:18:52,79 --> 03:18:55,920 -and i can pivot over to previewing the +03:18:51,500 --> 03:18:57,500 +and I can pivot over to previewing the data. So I hope that answers that. 5489 -03:18:54,238 --> 03:18:58,398 -data - -5490 -03:18:55,920 --> 03:19:00,79 -so i hope that answers that yeah and - -5491 -03:18:58,398 --> 03:19:01,358 -then the correlation of - -5492 -03:19:00,79 --> 03:19:03,600 -for example if you just enable the +03:18:57,500 --> 03:19:02,500 +Yeah, and then the correlation of feeds for example if you just enable the caching 5493 -03:19:01,359 --> 03:19:05,760 -caching you just see that it's - -5494 -03:19:03,600 --> 03:19:08,479 -correlating with specific values without +03:19:02,500 --> 03:19:07,500 +you just see that it's correlating with specific values without providing the full feed 5495 -03:19:05,760 --> 03:19:09,279 -providing the full fit sometimes it's - -5496 -03:19:08,478 --> 03:19:11,519 -it's quite - -5497 -03:19:09,279 --> 03:19:13,40 -handy when you have for example see that - -5498 -03:19:11,520 --> 03:19:15,920 -you cannot show the data but you can +03:19:07,500 --> 03:19:11,0 +sometimes it's quite handy when you have for example feed that 5499 -03:19:13,40 --> 03:19:15,920 -show the correlation +03:19:11,0 --> 03:19:14,500 +you cannot show the data but you can show the correlation, 5500 -03:19:16,159 --> 03:19:19,680 -there's another one do you recommend +03:19:16,0 --> 03:19:18,500 +There's another one, do you recommend using MISP alone 5501 -03:19:17,439 --> 03:19:22,398 -using miss palone or using the hive +03:19:18,500 --> 03:19:21,500 +or using the Hive MISP Cortex 
integration 5502 -03:19:19,680 --> 03:19:22,800 -miss cortex integration i mean generally - -5503 -03:19:22,398 --> 03:19:24,478 -yeah - -5504 -03:19:22,799 --> 03:19:26,318 -if you need a case management tool then - -5505 -03:19:24,478 --> 03:19:29,920 -then using the hive for that is great +03:19:21,500 --> 03:19:26,500 +I mean generally if you need a case management tool then using the Hive for that is great 5506 -03:19:26,318 --> 03:19:31,439 -and so it makes absolute sense to you to - -5507 -03:19:29,920 --> 03:19:33,920 -use them together - -5508 -03:19:31,439 --> 03:19:34,880 -and integration is really smoothly done +03:19:26,500 --> 03:19:34,500 +So it makes absolute sense to use them together and integration is really smoothly done 5509 -03:19:33,920 --> 03:19:36,639 -so that means that +03:19:34,500 --> 03:19:37,500 +so that means that no matter where you start your process, 5510 -03:19:34,879 --> 03:19:38,238 -that no matter where you start your your +03:19:37,500 --> 03:19:39,500 +whether you start by creating an event in MISP 5511 -03:19:36,639 --> 03:19:40,398 -process whether you start +03:19:39,500 --> 03:19:42,500 +or whether you start by creating a case in the Hive 5512 -03:19:38,238 --> 03:19:41,840 -by creating an event in misp or whether +03:19:42,500 --> 03:19:45,500 +you can basically propagate the data to the other tool 5513 -03:19:40,398 --> 03:19:44,79 -you start by creating a - -5514 -03:19:41,840 --> 03:19:46,0 -11981.84 --> 11986 -case in the hive you can basically - -5515 -03:19:44,79 --> 03:19:46,639 -propagate the data to the other tool and - -5516 -03:19:46,0 --> 03:19:49,200 -11986 --> 11989.2 -work on - -5517 -03:19:46,639 --> 03:19:50,79 -on both tools and data so so yeah - -5518 -03:19:49,200 --> 03:19:52,79 -absolutely +03:19:45,500 --> 03:19:50,0 +and work on both tools and data. 
So yeah, so absolutely 5519 -03:19:50,79 --> 03:19:54,559 -yeah absolutely it's pretty smooth just - -5520 -03:19:52,79 --> 03:19:56,159 -just be careful if you use the expansion +03:19:50,0 --> 03:19:55,0 +Yeah, absolutely it's pretty smooth, just be careful if you use the expansion on MISP 5521 -03:19:54,559 --> 03:19:58,799 -on mist and you have miss modules - -5522 -03:19:56,159 --> 03:20:00,318 -enabled i would prefer to have +03:19:55,0 --> 03:19:59,0 +and you have MISP modules enabled I would prefer to have MISP modules enabled 5523 -03:19:58,799 --> 03:20:03,199 -modules enabled because you you - -5524 -03:20:00,318 --> 03:20:06,318 -basically have all the features of mixed - -5525 -03:20:03,200 --> 03:20:08,159 -like relationship objects and so on +03:19:59,0 --> 03:20:05,500 +because you basically have all the features of MISP like relationship, objects and so on 5526 -03:20:06,318 --> 03:20:09,439 -with the cortex integration is basically - -5527 -03:20:08,159 --> 03:20:11,600 -just the over with +03:20:05,500 --> 03:20:10,500 +with the cortex integration is basically just a layover with the Cortex 5528 -03:20:09,439 --> 03:20:12,559 -the vortex yeah but one of the things - -5529 -03:20:11,600 --> 03:20:14,79 -that you can do is - -5530 -03:20:12,559 --> 03:20:16,0 -12012.56 --> 12016 -if you start for example from the hive +03:20:10,500 --> 03:20:12,500 +Yeah but one of the things that you can do is 5531 -03:20:14,79 --> 03:20:17,279 -perspective and you push the data - -5532 -03:20:16,0 --> 03:20:18,799 -12016 --> 12018.8 -afterwards to misp +03:20:12,500 --> 03:20:16,500 +if you start for example from the Hive perspective and you push the data afterwards to misp 5533 -03:20:17,279 --> 03:20:20,640 -you can then go through this process - -5534 -03:20:18,799 --> 03:20:21,759 -like what we've done here with enriching - -5535 -03:20:20,639 --> 03:20:24,159 -the information +03:20:16,500 --> 03:20:21,500 +you can then go through this process like what 
we've done here with enriching the information 5536 -03:20:21,760 --> 03:20:25,760 -creating objects that affect attributes - -5537 -03:20:24,159 --> 03:20:27,200 -so you can do it as a secondary step +03:20:21,500 --> 03:20:25,500 +creating objects that affect attributes so you can do it as a secondary step 5538 -03:20:25,760 --> 03:20:28,0 -12025.76 --> 12028 -before you share it out to community to +03:20:25,500 --> 03:20:28,500 +before you share it out to community to refine the data in MISP 5539 -03:20:27,200 --> 03:20:30,79 -refine the data +03:20:28,500 --> 03:20:30,500 +that you've created in the Hive for example 5540 -03:20:28,0 --> 03:20:31,920 -12028 --> 12031.92 -in mis that you've created in the i for - -5541 -03:20:30,79 --> 03:20:33,439 -example and the same thing if you've - -5542 -03:20:31,920 --> 03:20:34,719 -used cortex to fetch additional - -5543 -03:20:33,439 --> 03:20:36,398 -information in the hive +03:20:30,500 --> 03:20:34,500 +and the same thing if you've used cortex to fetch additional information in the Hive 5544 -03:20:34,719 --> 03:20:38,0 -12034.72 --> 12038 -you can then take that data and further - -5545 -03:20:36,398 --> 03:20:38,959 -enrich it with miss modules once it's a - -5546 -03:20:38,0 --> 03:20:40,959 -12038 --> 12040.96 -message +03:20:34,500 --> 03:20:38,500 +you can then take that data and further enrich it with MISP modules once it's in MISP. 
5547 -03:20:38,959 --> 03:20:42,79 -yeah this is a good question from - -5548 -03:20:40,959 --> 03:20:45,278 -muammar +03:20:38,500 --> 03:20:43,500 +Yeah this is a good question from Muhamad Junaid about 5549 -03:20:42,79 --> 03:20:47,120 -junaid about when i try to import the - -5550 -03:20:45,279 --> 03:20:49,40 -data from six to five it's called +03:20:43,500 --> 03:20:47,500 +when I try to import the data from STIX to MISP it's called lossy 5551 -03:20:47,120 --> 03:20:50,880 -lazy like can you please explain that a - -5552 -03:20:49,40 --> 03:20:52,640 -bit and this one is interesting +03:20:47,500 --> 03:20:50,500 +like can you please explain that a bit and this one is interesting 5553 -03:20:50,879 --> 03:20:54,398 -because it's it's i was saying a long +03:20:50,500 --> 03:20:54,0 +because it's... I was saying a long long long discussion 5554 -03:20:52,639 --> 03:20:57,358 -long long discussion and that - -5555 -03:20:54,398 --> 03:21:00,0 -12054.399 --> 12060 -that's even influence or miss people - -5556 -03:20:57,359 --> 03:21:03,40 -than the standard behind missed +03:20:54,0 --> 03:20:59,500 +and that even influence how MISP evolved and the standard behind MISP 5557 -03:21:00,0 --> 03:21:04,0 -12060 --> 12064 -so sticks is really uh focusing on cyber +03:20:59,500 --> 03:21:05,500 +so STIX is really focusing on cybersecurity and cyber threat intelligence 5558 -03:21:03,40 --> 03:21:07,279 -security and +03:21:05,500 --> 03:21:11,500 +and the problem is you might have at some point in time 5559 -03:21:04,0 --> 03:21:10,318 -12064 --> 12070.319 -cyber studies religion and - -5560 -03:21:07,279 --> 03:21:11,920 -the the problem is you might have at - -5561 -03:21:10,318 --> 03:21:13,760 -some point in time - -5562 -03:21:11,920 --> 03:21:15,120 -data that are basically not defined - -5563 -03:21:13,760 --> 03:21:17,760 -anywhere +03:21:11,500 --> 03:21:14,500 +data that are basically not defined anywhere 5564 -03:21:15,120 --> 03:21:20,160 -so it's more 
for the export of data so - -5565 -03:21:17,760 --> 03:21:23,40 -for example if you export in a mixed +03:21:14,500 --> 03:21:20,500 +so it's more for the export of data so for example if you export in a MISP event 5566 -03:21:20,159 --> 03:21:23,439 -event and you have for example an object - -5567 -03:21:23,40 --> 03:21:25,520 -with +03:21:20,500 --> 03:21:25,0 +and you have for example an object with the person and stuff like that 5568 -03:21:23,439 --> 03:21:28,479 -the person and stuff like that it won't - -5569 -03:21:25,520 --> 03:21:31,600 -be in the sticks to export for example +03:21:25,0 --> 03:21:27,500 +it won't be in the STIX to export for example. 5570 -03:21:28,478 --> 03:21:33,519 -so it means that in misprevent you get +03:21:27,500 --> 03:21:32,500 +So it means that in MISP even if you get all the information 5571 -03:21:31,600 --> 03:21:35,200 -all the information but it's bound to - -5572 -03:21:33,520 --> 03:21:36,238 -the limitation of the standards and the - -5573 -03:21:35,200 --> 03:21:37,600 -format +03:21:32,500 --> 03:21:35,500 +but it's bound to the limitation of the standards and the format 5574 -03:21:36,238 --> 03:21:39,520 -where you export and it's exactly the +03:21:35,500 --> 03:21:38,500 +where you export and it's exactly the same for any format 5575 -03:21:37,600 --> 03:21:42,238 -same for any format i mean if you +03:21:38,500 --> 03:21:42,500 +I mean if you export a person in Suricata format 5576 -03:21:39,520 --> 03:21:43,760 -um export a person in theory cata format - -5577 -03:21:42,238 --> 03:21:46,799 -obviously you don't have any - -5578 -03:21:43,760 --> 03:21:47,600 -um field or things like that with person - -5579 -03:21:46,799 --> 03:21:49,438 -and so on so +03:21:42,500 --> 03:21:47,500 +obviously you don't have any field or things like that with person and so on 5580 -03:21:47,600 --> 03:21:51,439 -that's why we call it losing because uh - -5581 -03:21:49,439 --> 03:21:55,840 -sometimes when you import data 
+03:21:47,500 --> 03:21:50,500 +so that's why we call it lossy because sometimes when you import data 5582 -03:21:51,439 --> 03:21:55,840 -it's bound to a specific set of - -5583 -03:21:55,920 --> 03:21:58,960 -fields that are supported and so on +03:21:50,500 --> 03:21:57,500 +it's bound to a specific set of fields that are supported and so on 5584 -03:21:58,0 --> 03:22:01,359 -12118 --> 12121.359 -another thing that is +03:21:57,500 --> 03:22:00,500 +Another thing that is quite important with STIX, 5585 -03:21:58,959 --> 03:22:02,719 -quite important with sticks you might - -5586 -03:22:01,359 --> 03:22:05,279 -have a lot of - -5587 -03:22:02,719 --> 03:22:06,639 -peculiarities or specialities depending - -5588 -03:22:05,279 --> 03:22:08,479 -on the vendor +03:22:00,500 --> 03:22:06,500 +you might have a lot of peculiarities or specialities depending on the vendor 5589 -03:22:06,639 --> 03:22:09,840 -some vendors are adding some some - -5590 -03:22:08,478 --> 03:22:11,679 -specific custom objects +03:22:06,500 --> 03:22:10,500 +some vendors are adding some specific custom objects things like that 5591 -03:22:09,840 --> 03:22:13,359 -things like that that are not bound to - -5592 -03:22:11,680 --> 03:22:15,600 -any existing one +03:22:10,500 --> 03:22:13,500 +that are not bound to any existing one 5593 -03:22:13,359 --> 03:22:16,960 -so we are importing them as kind of you - -5594 -03:22:15,600 --> 03:22:20,238 -know generic one but - -5595 -03:22:16,959 --> 03:22:22,238 -it is basically like uh lucy again so +03:22:13,500 --> 03:22:19,500 +so we are importing them as kind of you know generic one but it is basically like lossy again 5596 -03:22:20,238 --> 03:22:23,760 -you have to be careful when you you use - -5597 -03:22:22,238 --> 03:22:26,318 -a specific format +03:22:19,500 --> 03:22:23,500 +so you have to be careful when you use a specific format 5598 -03:22:23,760 --> 03:22:27,40 -to be sure that you properly uh map an - -5599 -03:22:26,318 --> 03:22:29,199 
-existing +03:22:23,500 --> 03:22:27,500 +to be sure that you properly map an existing different one. 5600 -03:22:27,40 --> 03:22:31,200 -different one so it's more for the +03:22:27,500 --> 03:22:31,200 +So it's more for the export, MISP quite flexible on that 5601 -03:22:29,200 --> 03:22:33,520 -export is quite flexible on that so you - -5602 -03:22:31,200 --> 03:22:36,239 -can basically have any object you like +03:22:31,200 --> 03:22:36,500 +so you can basically have any object you like but when we export for example in STIX one 5603 -03:22:33,520 --> 03:22:36,880 -but when we explore for example in 61 we - -5604 -03:22:36,238 --> 03:22:39,840 -just - -5605 -03:22:36,879 --> 03:22:41,39 -support what is existing in sticks even - -5606 -03:22:39,840 --> 03:22:43,359 -if we start we add +03:22:36,500 --> 03:22:42,00 +we just export what is existing in STIX even if we start we added some custom objects too 5607 -03:22:41,40 --> 03:22:45,840 -some some custom objects too which are - -5608 -03:22:43,359 --> 03:22:47,840 -on to the missed object - -5609 -03:22:45,840 --> 03:22:49,680 -but some tools will not recognize +03:22:42,00 --> 03:22:49,500 +some which are on to the MISP object but some tools will not recognize obviously the custom object 5610 -03:22:47,840 --> 03:22:50,79 -obviously the custom object because they - -5611 -03:22:49,680 --> 03:22:52,79 -are - -5612 -03:22:50,79 --> 03:22:53,840 -just having a profile for a specific set - -5613 -03:22:52,79 --> 03:22:56,398 -of known uh updates +03:22:49,500 --> 03:22:53,500 +because they are just having a profile for a specific set of known objects. 
5614 -03:22:53,840 --> 03:22:56,960 -yeah i think that's exactly the point uh +03:22:53,500 --> 03:22:58,500 +Yeah I think that's exactly the point that maybe is different from 5615 -03:22:56,398 --> 03:22:58,238 -that - -5616 -03:22:56,959 --> 03:23:00,959 -maybe is different from when we - -5617 -03:22:58,238 --> 03:23:02,0 -12178.239 --> 12182 -described the text in those import and - -5618 -03:23:00,959 --> 03:23:04,159 -export fields +03:22:58,500 --> 03:23:01,500 +when we described the text in those import and export fields. 5619 -03:23:02,0 --> 03:23:06,159 -12182 --> 12186.16 -we say lossy but in reality what we do +03:23:01,500 --> 03:23:06,500 +we say lossy but in reality what we do is we do try to capture everything 5620 -03:23:04,159 --> 03:23:07,119 -is we do try to capture everything and - -5621 -03:23:06,159 --> 03:23:08,959 -we do try to map - -5622 -03:23:07,120 --> 03:23:10,479 -everything but a lot of it will end up - -5623 -03:23:08,959 --> 03:23:13,39 -in custom objects now +03:23:06,500 --> 03:23:09,500 +and we do try to map everything but a lot of it will end up in custom objects. 
5624 -03:23:10,478 --> 03:23:14,959 -now what alex mentioned is the problem - -5625 -03:23:13,40 --> 03:23:16,399 -even if we export bitcoin +03:23:09,500 --> 03:23:16,500 +Now what Alex mentioned is the problem even if we export bitcoin addresses for example 5626 -03:23:14,959 --> 03:23:18,238 -addresses for example whenever we're +03:23:16,500 --> 03:23:19,500 +whenever we're pushing in STIX2 format as custom objects 5627 -03:23:16,398 --> 03:23:20,478 -pushing in sticks to format +03:23:19,500 --> 03:23:23,500 +no other tool will pick up on it because we're just using custom objects 5628 -03:23:18,238 --> 03:23:21,359 -as custom objects no other two will pick +03:23:23,500 --> 03:23:26,500 +unless the other tool specifically looks for them 5629 -03:23:20,478 --> 03:23:23,840 -up on it because +03:23:26,500 --> 03:23:30,500 +they will just either store it as is or not know what to do with it. 5630 -03:23:21,359 --> 03:23:25,439 -it's if we're just using custom objects - -5631 -03:23:23,840 --> 03:23:27,40 -that unless the other two - -5632 -03:23:25,439 --> 03:23:28,720 -specifically looks for them they will - -5633 -03:23:27,40 --> 03:23:31,120 -just either store it as is - -5634 -03:23:28,719 --> 03:23:32,238 -or not know what to do with it yeah and - -5635 -03:23:31,120 --> 03:23:35,439 -that - -5636 -03:23:32,238 --> 03:23:35,680 -that's why we recommend a feed provider +03:23:30,500 --> 03:23:38,500 +Yeah and that that's why we recommend a feed provider or vendors and so on to actively support the MISP format 5637 -03:23:35,439 --> 03:23:38,79 -of +03:23:38,500 --> 03:23:42,500 +then they can they can really import a full set of objects 5638 -03:23:35,680 --> 03:23:39,40 -anderson son to actively support the - -5639 -03:23:38,79 --> 03:23:41,39 -misformat - -5640 -03:23:39,40 --> 03:23:42,840 -then they can they can really impose a - -5641 -03:23:41,40 --> 03:23:44,239 -full set of objects and so that already - -5642 -03:23:42,840 --> 03:23:46,159 -exists 
+03:23:42,500 --> 03:23:44,500 +and {inauidble, either some already exist in MISP/some are resisting it}. 5643 -03:23:44,238 --> 03:23:47,760 -yeah in some cases however you don't - -5644 -03:23:46,159 --> 03:23:49,439 -really care about having the full set +03:23:44,500 --> 03:23:47,500 +Yeah in some cases however you don't really care about having the full set 5645 -03:23:47,760 --> 03:23:50,960 -and that's where for example specialized - -5646 -03:23:49,439 --> 03:23:53,40 -formats are really cool +03:23:47,500 --> 03:23:50,500 +and that's where for example specialized formats are really cool 5647 -03:23:50,959 --> 03:23:55,199 -so whenever we're feeding for example an - -5648 -03:23:53,40 --> 03:23:56,560 -ids for example we don't care about +03:23:50,500 --> 03:23:56,500 +so whenever we're feeding for example an ids for example we don't care about bitcoin addresses. 5649 -03:23:55,200 --> 03:23:59,359 -bitcoin addresses - -5650 -03:23:56,559 --> 03:23:59,760 -so in those cases uh so sticks and misp - -5651 -03:23:59,359 --> 03:24:04,79 -both - -5652 -03:23:59,760 --> 03:24:05,760 -are very expressive uh exchange formats +03:23:56,500 --> 03:24:03,500 +So in those cases STIX and MISP both are very expressive exchange formats 5653 -03:24:04,79 --> 03:24:07,920 -but whenever you're dealing with feeding +03:24:03,500 --> 03:24:06,500 +but whenever you're dealing with feeding tools for example 5654 -03:24:05,760 --> 03:24:10,238 -tools for example you don't care about +03:24:06,500 --> 03:24:10,500 +you don't care about about losing, 90% even, of the data set 5655 -03:24:07,920 --> 03:24:11,200 -uh about losing ninety percent even of - -5656 -03:24:10,238 --> 03:24:13,680 -the data set - -5657 -03:24:11,200 --> 03:24:15,120 -as long as you capture those type of - -5658 -03:24:13,680 --> 03:24:17,680 -data points that your tool can +03:24:10,500 --> 03:24:16,500 +as long as you capture those type of data points that your tool can process in the end. 
5659 -03:24:15,120 --> 03:24:19,40 -process in the end so this is why +03:24:16,500 --> 03:24:19,500 +So this is why generally what we recommend is 5660 -03:24:17,680 --> 03:24:20,559 -generally what we recommend is if you - -5661 -03:24:19,40 --> 03:24:21,200 -have the option for example to export - -5662 -03:24:20,559 --> 03:24:23,39 -data from +03:24:19,500 --> 03:24:21,500 +if you have the option for example to export data from MISP 5663 -03:24:21,200 --> 03:24:24,800 -is for your ideas for your scene and so - -5664 -03:24:23,40 --> 03:24:27,359 -on and you have the option between for +03:24:21,500 --> 03:24:24,500 +is for your IDS for your SIEM and so on and you have the option between 5665 -03:24:24,799 --> 03:24:29,519 -example sticks or snort or surikata +03:24:24,500 --> 03:24:28,500 +for example STIX or Snort or Surikata go with Snort or Surikata 5666 -03:24:27,359 --> 03:24:31,279 -go with snorter sturikata because - -5667 -03:24:29,520 --> 03:24:33,760 -because those are much more - -5668 -03:24:31,279 --> 03:24:35,40 -uh catering to what your two can - -5669 -03:24:33,760 --> 03:24:37,200 -actually understand +03:24:28,500 --> 03:24:34,500 +because those are much more catering to what your tools can actually understand 5670 -03:24:35,40 --> 03:24:40,80 -yeah for example for yards the same you +03:24:34,500 --> 03:24:38,500 +Yeah, for example for Yara the same you prefer to have like a 5671 -03:24:37,200 --> 03:24:41,680 -prefer to have like a good yara who will - -5672 -03:24:40,79 --> 03:24:43,279 -say that you can run into another - -5673 -03:24:41,680 --> 03:24:44,0 -12281.68 --> 12284 -barista or your endpoint protection - -5674 -03:24:43,279 --> 03:24:46,159 -device +03:24:38,500 --> 03:24:44,500 +good Yara rule set that you can run into another anti-virus or your endpoint protection device 5675 -03:24:44,0 --> 03:24:49,840 -12284 --> 12289.84 -and having a generic one that will not - -5676 -03:24:46,159 --> 03:24:49,840 -help you to lose the 
detection +03:24:44,500 --> 03:24:48,500 +and having a generic one that will not help you to lose the detection. 5677 -03:24:52,559 --> 03:24:55,840 -other questions +03:24:52,0 --> 03:24:55,0 +Are there any other questions? 5678 -03:24:56,79 --> 03:24:59,120 -you already took that one that is there - -5679 -03:24:58,639 --> 03:25:00,879 -it is - -5680 -03:24:59,120 --> 03:25:03,920 -longer i think we took most of them +03:24:56,0 --> 03:24:59,500 +You already took that one that is there that is longer. 5681 -03:25:00,879 --> 03:25:06,238 -unless they missed one +03:24:59,500 --> 03:25:02,500 +I think we took most of them unless they missed one. 5682 -03:25:03,920 --> 03:25:08,398 -and yeah perhaps we should show the - -5683 -03:25:06,238 --> 03:25:09,199 -deletions because we we didn't actually - -5684 -03:25:08,398 --> 03:25:11,760 -show it indeed +03:25:03,500 --> 03:25:09,500 +Yeah, perhaps we should show the deletions because we we didn't actually show it, indeed. 5685 -03:25:09,200 --> 03:25:11,760 -yeah exactly +03:25:09,500 --> 03:25:10,500 +Yeah, exactly. -5686 -03:25:13,760 --> 03:25:17,40 -okay oh and now we have some more - -5687 -03:25:16,79 --> 03:25:20,159 -questions +5686 +03:25:13,0 --> 03:25:18,500 +Okay, oh and now we have some more questions but we can take those after. 5688 -03:25:17,40 --> 03:25:22,479 -but we can take those after yeah let's - -5689 -03:25:20,159 --> 03:25:23,920 -quickly show the deletions so if we go - -5690 -03:25:22,478 --> 03:25:25,199 -to an event +03:25:18,500 --> 03:25:23,500 +Yeah let's quickly show the deletions so if we go to an event. 5691 -03:25:23,920 --> 03:25:27,279 -yeah i'll take i'll take a hundred +03:25:23,500 --> 03:25:25,500 +yeah I'll take a hundred events. 
5692 -03:25:25,200 --> 03:25:30,800 -members so this is a massive - -5693 -03:25:27,279 --> 03:25:32,319 -gotcha basic basically missed +03:25:25,500 --> 03:25:29,500 +So this is a massive gotcha basically in MISP 5694 -03:25:30,799 --> 03:25:33,840 -uh which we have some protective +03:25:29,500 --> 03:25:33,500 +which we have some protective measures in place to avoid this 5695 -03:25:32,318 --> 03:25:34,799 -measures in place to avoid this but one - -5696 -03:25:33,840 --> 03:25:37,439 -of the things that you really need to - -5697 -03:25:34,799 --> 03:25:39,759 -watch out for is +03:25:33,500 --> 03:25:37,500 +but one of the things that you really need to watch out for is 5698 -03:25:37,439 --> 03:25:40,479 -when you when you add data to misspen - -5699 -03:25:39,760 --> 03:25:42,398 -you notice +03:25:37,500 --> 03:25:40,500 +when you when you add data to MISP and you noticed 5700 -03:25:40,478 --> 03:25:44,238 -oh crap i should not have added a piece - -5701 -03:25:42,398 --> 03:25:45,920 -of information that is +03:25:40,500 --> 03:25:45,500 +oh crap I should not have added a piece of information that is either confidential information, 5702 -03:25:44,238 --> 03:25:47,359 -either confidential information - -5703 -03:25:45,920 --> 03:25:49,520 -information about the victim that i - -5704 -03:25:47,359 --> 03:25:51,760 -should share and so on +03:25:45,500 --> 03:25:48,500 +information about the victim that I shouldn't share and so on. 5705 -03:25:49,520 --> 03:25:53,279 -the attribute that attribute might still - -5706 -03:25:51,760 --> 03:25:55,200 -be contained in the event in a +03:25:48,500 --> 03:25:53,500 +First delete the attribute, that attribute might still be contained in the event 5707 -03:25:53,279 --> 03:25:57,200 -in a soft deleted format you can always - -5708 -03:25:55,200 --> 03:26:00,319 -toggle and see the deleted attributes - -5709 -03:25:57,200 --> 03:26:00,319 -uh within an event +03:25:53,500 --> 03:25:58,500 +in a soft deleted format. 
You can always toggle and see the deleted attributes within an event 5710 -03:26:00,879 --> 03:26:05,39 -so i will create i will create an even - -5711 -03:26:02,559 --> 03:26:05,39 -from scratch +03:25:58,500 --> 03:26:04,500 +So I will create an event from scratch as you can see 5712 -03:26:05,840 --> 03:26:10,799 -okay so before i move forward on that so - -5713 -03:26:09,200 --> 03:26:13,120 -we have two protective measures in place +03:26:04,500 --> 03:26:10,0 +Okay so before I move forward on that so we have two protective measures in place 5714 -03:26:10,799 --> 03:26:16,799 -to avoid accidental information leakage +03:26:10,0 --> 03:26:14,500 +to avoid accidental information leakage violation. 5715 -03:26:13,120 --> 03:26:18,479 -violation one is basically that - -5716 -03:26:16,799 --> 03:26:20,318 -that by default we do not use the +03:26:14,500 --> 03:26:19,500 +One is basically that by default we do not use the soft delete method for 5717 -03:26:18,478 --> 03:26:21,519 -software method for anything that was - -5718 -03:26:20,318 --> 03:26:23,519 -unpublished uh - -5719 -03:26:21,520 --> 03:26:24,960 -at first so we're going to show it as an +03:26:19,500 --> 03:26:24,500 +anything that was unpublished at first so we're going to show it as an example 5720 -03:26:23,520 --> 03:26:25,760 -example so here's some sensitive - -5721 -03:26:24,959 --> 03:26:27,599 -information - -5722 -03:26:25,760 --> 03:26:30,559 -if alex were to delete this now this +03:26:24,500 --> 03:26:27,500 +so here's some sensitive information, if Alex were to delete this now 5723 -03:26:27,600 --> 03:26:32,720 -attribute this would get our deleted +03:26:27,500 --> 03:26:29,500 +this attribute, this would get hard deleted, 5724 -03:26:30,559 --> 03:26:33,920 -so this will not create a soft deletion +03:26:29,500 --> 03:26:34,500 +So this will not create a soft deletion, MISP already tells us 5725 -03:26:32,719 --> 03:26:35,760 -uh miss pareto - -5726 -03:26:33,920 --> 03:26:37,200 
-tells us are you sure you want to hard - -5727 -03:26:35,760 --> 03:26:38,318 -delete the attribute so when you read +03:26:34,500 --> 03:26:37,500 +are you sure you want to hard delete the attribute? So when you read the text 5728 -03:26:37,200 --> 03:26:40,79 -the text you will see the see the +03:26:37,500 --> 03:26:39,500 +you will see the difference there in the wording. 5729 -03:26:38,318 --> 03:26:42,0 -12398.319 --> 12402 -difference there in the wording +03:26:39,500 --> 03:26:43,500 +The reason for that is the event has not been published yet 5730 -03:26:40,79 --> 03:26:43,520 -uh the reason for that is the event it - -5731 -03:26:42,0 --> 03:26:44,879 -12402 --> 12404.88 -has not been published yet we know that - -5732 -03:26:43,520 --> 03:26:46,79 -it has not probably been propagated to - -5733 -03:26:44,879 --> 03:26:48,0 -12404.88 --> 12408 -other instances +03:26:43,500 --> 03:26:45,500 +we know that it has not probably been propagated to other instances. 5734 -03:26:46,79 --> 03:26:50,318 -there is absolutely no reason to inform - -5735 -03:26:48,0 --> 03:26:52,159 -12408 --> 12412.16 -anyone that this has been deleted +03:26:45,500 --> 03:26:49,500 +There is absolutely no reason to inform anyone that this has been deleted 5736 -03:26:50,318 --> 03:26:54,559 -so we can immediately just hard delete - -5737 -03:26:52,159 --> 03:26:56,559 -it so when we do that +03:26:49,500 --> 03:26:52,500 +so we can immediately just hard delete it. 5738 -03:26:54,559 --> 03:26:58,238 -it will get hard deleted however if the +03:26:52,500 --> 03:26:56,0 +So when we do that, it will get hard deleted. 
5739 -03:26:56,559 --> 03:26:59,840 -event has already been published +03:26:56,0 --> 03:26:58,500 +However, if the event has already been published 5740 -03:26:58,238 --> 03:27:01,760 -this has already been shared out to - -5741 -03:26:59,840 --> 03:27:03,920 -other instances potentially +03:26:58,500 --> 03:27:01,500 +this has already been shared out to other instances potentially. 5742 -03:27:01,760 --> 03:27:05,439 -so in this case if we were to delete it +03:27:01,500 --> 03:27:04,0 +So in this case, if we were to delete it, MISP will tell us 5743 -03:27:03,920 --> 03:27:06,799 -miss will tell us oh +03:27:04,0 --> 03:27:07,500 +oh are you sure you want to soft delete this attribute 5744 -03:27:05,439 --> 03:27:08,720 -are you sure you want to soft delete - -5745 -03:27:06,799 --> 03:27:10,79 -this attribute because this is already a - -5746 -03:27:08,719 --> 03:27:12,639 -published event +03:27:07,500 --> 03:27:09,500 +because this is already a published event. 5747 -03:27:10,79 --> 03:27:14,159 -now it looks like our event is empty but +03:27:09,500 --> 03:27:14,0 +Now it looks like our event is empty but if you look at the deleted flag 5748 -03:27:12,639 --> 03:27:15,519 -if you look at the deleted flag you will - -5749 -03:27:14,159 --> 03:27:16,318 -see that the sensitive attribute is - -5750 -03:27:15,520 --> 03:27:18,479 -still there +03:27:14,0 --> 03:27:16,500 +you will see that the sensitive attribute is still there 5751 -03:27:16,318 --> 03:27:20,478 -and if i were to publish the event now - -5752 -03:27:18,478 --> 03:27:22,0 -12438.479 --> 12442 -this sensitive attribute would +03:27:16,500 --> 03:27:19,500 +and if I were to publish the event now, this sensitive attribute 5753 -03:27:20,478 --> 03:27:25,39 -it would get propagated along with the +03:27:19,500 --> 03:27:23,500 +would get propagated along with the event. 
5754 -03:27:22,0 --> 03:27:27,359 -12442 --> 12447.359 -event if you want to avoid this - -5755 -03:27:25,40 --> 03:27:29,200 -altogether there is a way to mangle any - -5756 -03:27:27,359 --> 03:27:31,680 -attribute that gets self-deleted +03:27:23,500 --> 03:27:29,500 +If you want to avoid this altogether, there is a way to mangle any attribute that gets self-deleted. 5757 -03:27:29,200 --> 03:27:32,800 -what happens in that case is a category - -5758 -03:27:31,680 --> 03:27:34,800 -will be set to other +03:27:29,500 --> 03:27:32,500 +What happens in that case is a category will be set to Other 5759 -03:27:32,799 --> 03:27:36,639 -type will be set to other and value will - -5760 -03:27:34,799 --> 03:27:38,639 -be set to redacted +03:27:32,500 --> 03:27:36,500 +type will be set to Other and value will be set to Redacted. 5761 -03:27:36,639 --> 03:27:39,920 -this is a server-wide setting so your +03:27:36,500 --> 03:27:40,500 +This is a server-wide setting so your administrator or if you are the administrator 5762 -03:27:38,639 --> 03:27:41,519 -administrator or if you are the - -5763 -03:27:39,920 --> 03:27:44,318 -administrator and yourself can set this - -5764 -03:27:41,520 --> 03:27:46,159 -setting in the server settings +03:27:40,500 --> 03:27:43,500 +then you yourself can set this setting in the server settings. 
5765 -03:27:44,318 --> 03:27:47,519 -the downside of that is if you are - -5766 -03:27:46,159 --> 03:27:49,200 -mangling attributes that you're soft +03:27:43,500 --> 03:27:48,0 +The downside of that is if you are mangling attributes that you're soft deleting 5767 -03:27:47,520 --> 03:27:51,279 -deleting it will still inform the other +03:27:48,0 --> 03:27:52,0 +it will still inform the other instances, they will still remove the data 5768 -03:27:49,200 --> 03:27:52,880 -instances they will still - -5769 -03:27:51,279 --> 03:27:55,40 -remove the data software the data - -5770 -03:27:52,879 --> 03:27:57,278 -because the uid is reserved +03:27:52,0 --> 03:27:54,500 +soft delete the data because the uid is reserved. 5771 -03:27:55,40 --> 03:27:58,239 -however you cannot recover the attribute +03:27:54,500 --> 03:27:57,500 +However, you cannot recover the attribute anymore. 5772 -03:27:57,279 --> 03:28:00,238 -anymore so if - -5773 -03:27:58,238 --> 03:28:01,760 -so in this case right now we deleted - -5774 -03:28:00,238 --> 03:28:02,799 -attribute alex could now click on the - -5775 -03:28:01,760 --> 03:28:04,639 -recover button +03:27:57,500 --> 03:28:02,500 +So in this case right now we deleted attribute, Alex could now click on the recover button 5776 -03:28:02,799 --> 03:28:06,79 -and the attribute will be recovered as a - -5777 -03:28:04,639 --> 03:28:07,920 -normal attribute so if you made a - -5778 -03:28:06,79 --> 03:28:11,39 -mistake you can recover it +03:28:02,500 --> 03:28:07,500 +and the attribute will be recovered as a normal attribute so if you made a mistake you can recover it. 
5779 -03:28:07,920 --> 03:28:12,879 -so there are two different mindsets i - -5780 -03:28:11,40 --> 03:28:14,960 -want to make my data recoverable +03:28:07,500 --> 03:28:12,500 +So there are two different mindsets, I want to make my data recoverable 5781 -03:28:12,879 --> 03:28:17,278 -versus and i want to always inform - -5782 -03:28:14,959 --> 03:28:20,79 -others versus i want to always +03:28:12,500 --> 03:28:15,500 +and that I want to always inform others 5783 -03:28:17,279 --> 03:28:21,359 -hard delete data that i delete both of +03:28:15,500 --> 03:28:19,500 +versus I want to always hard delete data that I delete. 5784 -03:28:20,79 --> 03:28:23,520 -them have a setting - -5785 -03:28:21,359 --> 03:28:25,40 -so just pick and choose which whichever - -5786 -03:28:23,520 --> 03:28:27,680 -makes sense for your community +03:28:19,500 --> 03:28:25,500 +Both of them have a setting so just pick and choose whichever makes sense for your community. 5787 -03:28:25,40 --> 03:28:28,479 -whether you prefer secrecy or prefer - -5788 -03:28:27,680 --> 03:28:32,79 -convenience - -5789 -03:28:28,478 --> 03:28:34,159 -uh basically so it's basically +03:28:25,500 --> 03:28:31,500 +Whether you prefer secrecy or prefer convenience basically so that's it's basically. 5790 -03:28:32,79 --> 03:28:35,200 -yeah that's delete for that review so if - -5791 -03:28:34,159 --> 03:28:38,318 -we delete an +03:28:31,500 --> 03:28:37,0 +-Yeah that's delete for attribute so if we delete an event that's another story. 
+-Yeah 5792 -03:28:35,200 --> 03:28:41,120 -event that's another story yeah and this - -5793 -03:28:38,318 --> 03:28:42,398 -this one is interesting because now we - -5794 -03:28:41,120 --> 03:28:44,640 -have these options where we say +03:28:37,0 --> 03:28:42,500 +And this one is interesting because now we have these options where we say 5795 -03:28:42,398 --> 03:28:46,79 -i want to delete this event and - -5796 -03:28:44,639 --> 03:28:46,799 -obviously it will be deleted on your - -5797 -03:28:46,79 --> 03:28:49,200 -instance +03:28:42,500 --> 03:28:46,500 +I want to delete this event and obviously it will be deleted on your instance. 5798 -03:28:46,799 --> 03:28:50,159 -nevertheless this even has been already - -5799 -03:28:49,200 --> 03:28:52,159 -synchronized - -5800 -03:28:50,159 --> 03:28:53,200 -copy and develop different misc - -5801 -03:28:52,159 --> 03:28:54,398 -instances +03:28:46,500 --> 03:28:53,500 +Nevertheless this even has been already synchronized, copy on different MISP instances 5802 -03:28:53,200 --> 03:28:56,239 -so that means as the next - -5803 -03:28:54,398 --> 03:28:57,39 -synchronizations the event should be - -5804 -03:28:56,238 --> 03:28:59,920 -pulled +03:28:53,500 --> 03:28:56,500 +so that means at the next synchronizations the event should be pulled 5805 -03:28:57,40 --> 03:29:01,680 -but to avoid such kind of of issue mist +03:28:56,500 --> 03:28:59,500 +but to avoid such kind of of issue 5806 -03:28:59,920 --> 03:29:05,520 -is automatically generating - -5807 -03:29:01,680 --> 03:29:07,359 -a block list of all those elite events +03:28:59,500 --> 03:29:04,500 +MISP is automatically generating a block list of all those deleted events 5808 -03:29:05,520 --> 03:29:09,600 -so if you are the administrator you can - -5809 -03:29:07,359 --> 03:29:12,238 -see at the block list of events +03:29:04,500 --> 03:29:09,500 +so if you are the administrator you can see at the "Blocklist events", 5810 -03:29:09,600 --> 03:29:13,120 -you can see 
the the one that i just - -5811 -03:29:12,238 --> 03:29:16,238 -deleted +03:29:09,500 --> 03:29:14,500 +you can see the the one that I just deleted. So why we do that? 5812 -03:29:13,120 --> 03:29:18,720 -so why we do that it's very simple - -5813 -03:29:16,238 --> 03:29:20,238 -we don't want to re-import the event +03:29:14,500 --> 03:29:19,500 +It's very simple. We don't want to re-import the event that has been deleted 5814 -03:29:18,719 --> 03:29:21,358 -that has been deleted because luckily we - -5815 -03:29:20,238 --> 03:29:23,680 -don't want this event +03:29:19,500 --> 03:29:21,500 +because locally we don't want this event. 5816 -03:29:21,359 --> 03:29:25,520 -so it's a it's a block list of all the - -5817 -03:29:23,680 --> 03:29:28,720 -cgas +03:29:21,500 --> 03:29:27,500 +So it's a blocklist of all the {inaudible} but there is a catch there. 5818 -03:29:25,520 --> 03:29:30,399 -but this this catch there uh sometimes - -5819 -03:29:28,719 --> 03:29:31,760 -we have people oh i'm doing some tests +03:29:27,500 --> 03:29:31,500 +Sometimes we have people, oh i'm doing some tests and so on 5820 -03:29:30,398 --> 03:29:33,439 -and so on i'm synchronizing with miss - -5821 -03:29:31,760 --> 03:29:35,439 -but i can't see my even back +03:29:31,500 --> 03:29:33,500 +I'm synchronizing with MISP but I can't seem to get my event back 5822 -03:29:33,439 --> 03:29:36,479 -and obviously yes because it's there in - -5823 -03:29:35,439 --> 03:29:37,840 -this block list +03:29:33,500 --> 03:29:36,500 +and obviously yes because it's there in this block list. 
5824 -03:29:36,478 --> 03:29:39,358 -so if you have some tests and you're - -5825 -03:29:37,840 --> 03:29:40,398 -running some tests don't forget to look +03:29:36,500 --> 03:29:40,500 +So if you have some tests and you're running some tests, don't forget to look at the block list 5826 -03:29:39,359 --> 03:29:44,159 -at the block list +03:29:40,500 --> 03:29:46,0 +and maybe you want to just remove the event from the blocklist 5827 -03:29:40,398 --> 03:29:46,318 -and maybe you want to just remove - -5828 -03:29:44,159 --> 03:29:48,719 -the event for the block keys and then - -5829 -03:29:46,318 --> 03:29:50,478 -you can synchronize back the event +03:29:46,0 --> 03:29:48,500 +and then you can synchronize back the event. 5830 -03:29:48,719 --> 03:29:52,559 -there's something to keep in mind it's +03:29:48,500 --> 03:29:52,0 +there's something to keep in mind it's there, it's done automatically 5831 -03:29:50,478 --> 03:29:54,79 -there it's done automatically but in - -5832 -03:29:52,559 --> 03:29:54,799 -some cases you want to manage the - -5833 -03:29:54,79 --> 03:29:58,0 -12594.08 --> 12598 -blockly - -5834 -03:29:54,799 --> 03:30:01,519 -so that's something to keep in mind +03:29:52,0 --> 03:29:56,500 +but in some cases you want to manage the blocklist so that's something to keep in mind. 5835 -03:29:58,0 --> 03:30:04,478 -12598 --> 12604.479 -yep something else - -5836 -03:30:01,520 --> 03:30:06,79 -that we perhaps should uh touch on here - -5837 -03:30:04,478 --> 03:30:08,799 -is is +03:29:56,500 --> 03:30:05,500 +Yep something else that we perhaps should touch on here is 5838 -03:30:06,79 --> 03:30:09,760 -for the event deletions besides just a - -5839 -03:30:08,799 --> 03:30:11,119 -blockless part +03:30:05,500 --> 03:30:09,500 +for the event deletions besides just a blocklist part 5840 -03:30:09,760 --> 03:30:12,800 -there is one thing that comes up as a +03:30:09,500 --> 03:30:12,0 +there is one thing that comes up as a question very often is. 
5841 -03:30:11,120 --> 03:30:15,40 -question very often is how do i inform - -5842 -03:30:12,799 --> 03:30:16,639 -others that an event needs to be removed +03:30:12,0 --> 03:30:14,500 +how do I inform others that an event needs to be removed? 5843 -03:30:15,40 --> 03:30:19,40 -we don't have a mechanism in place for - -5844 -03:30:16,639 --> 03:30:21,519 -that so while we can revoke attributes +03:30:14,500 --> 03:30:19,500 +We don't have a mechanism in place for that so while we can revoke attributes for events 5845 -03:30:19,40 --> 03:30:23,120 -for events uh we don't have that and - -5846 -03:30:21,520 --> 03:30:25,279 -there's a reason for that +03:30:19,500 --> 03:30:22,500 +We don't have that and there's a reason for that. 5847 -03:30:23,120 --> 03:30:26,239 -in general uh whenever it comes to +03:30:22,500 --> 03:30:27,500 +In general whenever it comes to events we don't want to give the power 5848 -03:30:25,279 --> 03:30:29,200 -events uh - -5849 -03:30:26,238 --> 03:30:30,639 -we don't want to give the power to just - -5850 -03:30:29,200 --> 03:30:33,439 -outright delete - -5851 -03:30:30,639 --> 03:30:34,719 -events uh remotely this way so this - -5852 -03:30:33,439 --> 03:30:36,238 -might change in the future +03:30:27,500 --> 03:30:34,500 +to just outright delete events remotely this way so this might change in the future. 5853 -03:30:34,719 --> 03:30:37,920 -we we're having discussions on that - -5854 -03:30:36,238 --> 03:30:40,79 -whether we want to enable that or not +03:30:34,500 --> 03:30:39,500 +We're having discussions on that whether we want to enable that or not but currently that's not the case. 
5855 -03:30:37,920 --> 03:30:41,840 -but currently that's not the case yeah - -5856 -03:30:40,79 --> 03:30:44,398 -and usually we take as an example - -5857 -03:30:41,840 --> 03:30:46,0 -12641.84 --> 12646 -emails i mean you can remove emails from +03:30:39,500 --> 03:30:45,500 +Yeah and usually we take as an example emails I mean you can remove emails from your personal mailbox 5858 -03:30:44,398 --> 03:30:47,358 -your personal mailbox but from the - -5859 -03:30:46,0 --> 03:30:49,120 -12646 --> 12649.12 -remote mailbox if someone already - -5860 -03:30:47,359 --> 03:30:51,279 -receives the emails +03:30:45,500 --> 03:30:48,500 +but from the remote mailbox if someone already receives the emails 5861 -03:30:49,120 --> 03:30:53,120 -you want to have the control over third +03:30:48,500 --> 03:30:52,500 +you want to have the control over third parties on the mailbox 5862 -03:30:51,279 --> 03:30:58,79 -parties on the mailbox that - -5863 -03:30:53,120 --> 03:31:00,239 -might be one of the drawback i would say +03:30:52,500 --> 03:30:56,0 +that might be one of the drawback I would say. 5864 -03:30:58,79 --> 03:31:01,760 -so there are two two new questions one - -5865 -03:31:00,238 --> 03:31:03,439 -of them is basically can you demonstrate +03:30:56,0 --> 03:31:01,500 +So there are two new questions one of them is basically can you demonstrate 5866 -03:31:01,760 --> 03:31:05,200 -the progressive enrichments of events - -5867 -03:31:03,439 --> 03:31:06,559 -by the shared communities over time with - -5868 -03:31:05,200 --> 03:31:08,960 -correlations +03:31:01,500 --> 03:31:06,500 +the progressive enrichments of events by the shared communities over time with correlations. 
5869 -03:31:06,559 --> 03:31:10,398 -this one is tough i mean i'm not sure - -5870 -03:31:08,959 --> 03:31:11,278 -how we could demonstrate that because +03:31:06,500 --> 03:31:10,500 +This one is tough I mean i'm not sure how we could demonstrate that because 5871 -03:31:10,398 --> 03:31:14,159 -we're not dealing with - -5872 -03:31:11,279 --> 03:31:14,560 -live instances with live data sets and - -5873 -03:31:14,159 --> 03:31:17,279 -act - -5874 -03:31:14,559 --> 03:31:17,278 -active sharing +03:31:10,500 --> 03:31:15,500 +we're not dealing with live instances with live data sets and active sharing 5875 -03:31:17,840 --> 03:31:23,40 -but perhaps for tomorrow we will prepare - -5876 -03:31:19,680 --> 03:31:25,520 -an example where we can show it off +03:31:15,500 --> 03:31:21,500 +but perhaps for tomorrow we will prepare an example where we can show it off 5877 -03:31:23,40 --> 03:31:28,640 -when and choose an event that we can - -5878 -03:31:25,520 --> 03:31:31,120 -show on one of the operational instances +03:31:21,500 --> 03:31:28,500 +and choose an event that we can show on one of the operational instances 5879 -03:31:28,639 --> 03:31:33,119 -but i i can't show one on uh you know +03:31:28,500 --> 03:31:34,500 +but I can show one on, you know what I can go on just one second 5880 -03:31:31,120 --> 03:31:36,560 -what i can't go on +03:31:34,500 --> 03:31:42,500 +I'm going on an instance. So it was.. 
oh we are flexible 5881 -03:31:33,120 --> 03:31:38,79 -just one thing i'm i'm going on an - -5882 -03:31:36,559 --> 03:31:41,760 -instance - -5883 -03:31:38,79 --> 03:31:43,760 -okay so so it was - -5884 -03:31:41,760 --> 03:31:45,200 -oh we are flexible so it's not super fun - -5885 -03:31:43,760 --> 03:31:48,318 -to do it no but - -5886 -03:31:45,200 --> 03:31:49,359 -um so it's maybe some some something - -5887 -03:31:48,318 --> 03:31:52,0 -12708.319 --> 12712 -interesting there - +03:31:42,500 --> 03:31:49,500 +So it's not simple to do it no but so it's maybe something interesting there. + 5888 -03:31:49,359 --> 03:31:52,720 -um so um i'm connecting an instance - -5889 -03:31:52,0 --> 03:31:55,760 -12712 --> 12715.76 -where i have - -5890 -03:31:52,719 --> 03:31:57,278 -more expansion services uh active and so - -5891 -03:31:55,760 --> 03:31:59,200 -on +03:31:49,500 --> 03:31:56,500 +So I'm connecting an instance where I have more expansion services active and so on. 5892 -03:31:57,279 --> 03:32:01,40 -i'll just keep it for my organization - -5893 -03:31:59,200 --> 03:32:05,520 -only so i'm creating +03:31:56,500 --> 03:32:01,500 +I'll just keep it for "My Organization Only" so i'm creating an event there 5894 -03:32:01,40 --> 03:32:07,600 -an event there so what happens on - -5895 -03:32:05,520 --> 03:32:08,960 -progressively enriching even by shared +03:32:01,500 --> 03:32:08,500 +so what happens on progressively enriching event by shared communities 5896 -03:32:07,600 --> 03:32:10,479 -communities i mean - -5897 -03:32:08,959 --> 03:32:12,159 -it's going back and forth to different - +03:32:08,500 --> 03:32:11,0 +I mean it's going back and forth to different communities + 5898 -03:32:10,478 --> 03:32:14,559 -communities but i can i can imitate what - -5899 -03:32:12,159 --> 03:32:18,159 -the community is doing usually +03:32:11,0 --> 03:32:14,500 +but I can imitate what the community is doing usually. 
5900 -03:32:14,559 --> 03:32:21,600 -so if i'm facing an attribute - -5901 -03:32:18,159 --> 03:32:26,398 -for example i will i will say it - -5902 -03:32:21,600 --> 03:32:26,399 -hostname with some network activity +03:32:14,500 --> 03:32:24,500 +so if I'm creating an attribute for example I will create a hostname with some network activity. 5903 -03:32:32,959 --> 03:32:36,879 -so we have specifically a test that we - -5904 -03:32:35,680 --> 03:32:39,439 -created with this +03:32:24,500 --> 03:32:37,500 +So we have specifically a test that we created with this kind of... 5905 -03:32:36,879 --> 03:32:40,559 -kind of thing so what would be your - -5906 -03:32:39,439 --> 03:32:41,920 -community and +03:32:37,500 --> 03:32:41,0 +so what would be your community and sharing? 5907 -03:32:40,559 --> 03:32:43,600 -sharing so it could be for example in +03:32:41,0 --> 03:32:42,500 +So it could be for example in the same organization 5908 -03:32:41,920 --> 03:32:45,680 -the same organization in my case it's - -5909 -03:32:43,600 --> 03:32:48,800 -just clear to the organization so +03:32:42,500 --> 03:32:47,500 +in my case it's just shared to the organization so if I publish event here 5910 -03:32:45,680 --> 03:32:50,0 -12765.68 --> 12770 -if i publish event here it will be - -5911 -03:32:48,799 --> 03:32:51,519 -shared with - -5912 -03:32:50,0 --> 03:32:53,520 -12770 --> 12773.52 -all different instances maybe the - -5913 -03:32:51,520 --> 03:32:57,680 -different members of circle +03:32:47,500 --> 03:32:53,500 +it will be shared with all different instances maybe the different members of CIRCL 5914 -03:32:53,520 --> 03:33:01,840 -uh and um one of my colleagues - -5915 -03:32:57,680 --> 03:33:04,720 -is taking one of the indicators +03:32:53,500 --> 03:33:01,500 +and one of my colleagues is taking one of the indicators there 5916 -03:33:01,840 --> 03:33:05,760 -and then he's going on the far side +03:33:01,500 --> 03:33:07,500 +and then he's going on the Faresight database 
doing a full-blown expansion 5917 -03:33:04,719 --> 03:33:07,599 -database - -5918 -03:33:05,760 --> 03:33:09,120 -doing a full-blown expansion so that - -5919 -03:33:07,600 --> 03:33:10,159 -means he's basically doing a full-bone - -5920 -03:33:09,120 --> 03:33:13,760 -extension +03:33:07,500 --> 03:33:09,500 +so that means he's basically doing a full-blown expansion. 5921 -03:33:10,159 --> 03:33:16,959 -um what do i have here i have a +03:33:09,500 --> 03:33:17,500 +What do I have here? I have a a complete set of objects for a specific domain 5922 -03:33:13,760 --> 03:33:18,719 -a complete set of objects for a specific +03:33:17,500 --> 03:33:24,500 +so you see again I'm going to the event graph now I enter my domain name 5923 -03:33:16,959 --> 03:33:22,318 -domain so you see again - -5924 -03:33:18,719 --> 03:33:25,39 -i'm going to the event graph - -5925 -03:33:22,318 --> 03:33:25,680 -now i enter my domain name and i have - -5926 -03:33:25,40 --> 03:33:27,359 -all the - -5927 -03:33:25,680 --> 03:33:28,960 -passive dns free curve associated to - -5928 -03:33:27,359 --> 03:33:31,760 -that one +03:33:24,500 --> 03:33:27,500 +and I have all the passive DNS records associated to that one 5929 -03:33:28,959 --> 03:33:33,199 -and in this one i think i will have the +03:33:27,500 --> 03:33:32,500 +and in this one I think I will have the event timeline 5930 -03:33:31,760 --> 03:33:35,520 -even timeline i have a completely - -5931 -03:33:33,200 --> 03:33:38,960 -different timeline of the different uh +03:33:32,500 --> 03:33:36,0 +I have a completely different timeline of the different expansion and so on. 
5932 -03:33:35,520 --> 03:33:42,238 -expansion and so on so then i will have - -5933 -03:33:38,959 --> 03:33:42,879 -one of my i will it will be published - -5934 -03:33:42,238 --> 03:33:45,209 -again - -5935 -03:33:42,879 --> 03:33:46,719 -with the uh with the data - -5936 -03:33:45,209 --> 03:33:48,879 -[Music] +03:33:36,0 --> 03:33:44,500 +So then I will have one of my... it will be published again with the data. 5937 -03:33:46,719 --> 03:33:50,79 -if it's a collaboration i would say in - -5938 -03:33:48,879 --> 03:33:52,799 -the same team +03:33:44,500 --> 03:33:51,0 +If it's a collaboration I would say in the same team that's a thing 5939 -03:33:50,79 --> 03:33:53,359 -that's a thing so it's sometimes it's - -5940 -03:33:52,799 --> 03:33:55,119 -it's - -5941 -03:33:53,359 --> 03:33:57,439 -people are working on the same event and +03:33:51,0 --> 03:33:56,500 +so it's sometimes people are working on the same event and publishing it 5942 -03:33:55,120 --> 03:33:59,359 -publishing it sometimes they are - -5943 -03:33:57,439 --> 03:34:01,359 -sharing it and doing additional - -5944 -03:33:59,359 --> 03:34:04,880 -expansion on the uh +03:33:56,500 --> 03:34:03,500 +Sometimes they are sharing it and doing additional expansion on the things 5945 -03:34:01,359 --> 03:34:08,79 -on the um things until to reach a +03:34:03,500 --> 03:34:07,500 +until to reach a specific point that is like I would say 5946 -03:34:04,879 --> 03:34:11,39 -specific point that is like i would say - -5947 -03:34:08,79 --> 03:34:12,398 -accessible or at least publishable in a - -5948 -03:34:11,40 --> 03:34:16,0 -12851.04 --> 12856 -publishing state that is - -5949 -03:34:12,398 --> 03:34:18,318 -acceptable by various people +03:34:07,500 --> 03:34:15,500 +accessible or at least publishable in a publishing state that is acceptable by various people. 
5950 -03:34:16,0 --> 03:34:19,520 -12856 --> 12859.52 -now we can make proposal too so that - -5951 -03:34:18,318 --> 03:34:22,79 -means +03:34:16,0 --> 03:34:23,500 +Now we can make proposal too. So that means if we are again with a different organization, 5952 -03:34:19,520 --> 03:34:24,880 -if we are again on a different with a - -5953 -03:34:22,79 --> 03:34:26,478 -different organization - -5954 -03:34:24,879 --> 03:34:28,79 -i don't know if in this example it will - -5955 -03:34:26,478 --> 03:34:30,719 -work but i can +03:34:23,500 --> 03:34:28,500 +i don't know if in this example it will work but I can take... 5956 -03:34:28,79 --> 03:34:32,879 -take do i have something interesting - -5957 -03:34:30,719 --> 03:34:32,879 -there +03:34:28,500 --> 03:34:31,500 +do I have something interesting there 5958 -03:34:33,760 --> 03:34:37,680 -yeah for example i see an interesting - -5959 -03:34:35,359 --> 03:34:37,680 -ipl +03:34:33,760 --> 03:34:38,500 +Yeah, for example I see an interesting IP address, this one. 5960 -03:34:37,840 --> 03:34:43,840 -this one so what i could do is +03:34:38,500 --> 03:34:46,500 +So what I could do is i could add.. 5961 -03:34:41,279 --> 03:34:43,840 -i could - -5962 -03:34:44,398 --> 03:34:46,719 -add - -5963 -03:34:49,600 --> 03:34:52,479 -what's going on here +03:34:46,500 --> 03:34:52,500 +What's going on here? 5964 -03:34:53,40 --> 03:34:57,40 -i will add what +03:34:52,500 --> 03:34:57,500 +{inaudible} 5965 -03:35:04,159 --> 03:35:14,0 -12904.16 --> 12914 -okay just a demo effect - -5966 -03:35:10,799 --> 03:35:18,238 -it's a great typical +03:35:04,0 --> 03:35:13,500 +Okay just a demo effect, typical. 5967 -03:35:14,0 --> 03:35:18,238 -12914 --> 12918.239 -what's going on here okay - -5968 -03:35:19,439 --> 03:35:25,40 -just going back to this one i just want - -5969 -03:35:21,600 --> 03:35:28,0 -12921.6 --> 12928 -to add a proposal +03:35:13,500 --> 03:35:22,500 +What's going on? 
Okay, just going back to this one I just want to add a proposal. 5970 -03:35:25,40 --> 03:35:28,0 -12925.04 --> 12928 -yes i cannot just +03:35:22,500 --> 03:35:27,500 +Yes I cannot just... 5971 -03:35:28,959 --> 03:35:35,839 -you wanted but your admin yeah +03:35:27,500 --> 03:35:30,500 +you wanted but you're admin. 5972 -03:35:33,200 --> 03:35:36,479 -yeah then i don't you can cheat whether - -5973 -03:35:35,840 --> 03:35:38,478 -you +03:35:30,500 --> 03:35:37,500 +You can cheat if you really want, you can do it. 5974 -03:35:36,478 --> 03:35:40,0 -12936.479 --> 12940 -really want you can do it yeah wait fine - -5975 -03:35:38,478 --> 03:35:43,39 -it's just like okay so - -5976 -03:35:40,0 --> 03:35:44,799 -12940 --> 12944.8 -i i don't know for for hong kong if we +03:35:37,500 --> 03:35:44,0 +Yeah, wait, fine. It's just like okay so I don't know for {inaudible} if we answered your question 5977 -03:35:43,40 --> 03:35:47,840 -answer your question but i mean - -5978 -03:35:44,799 --> 03:35:49,519 -a full-blown step would be like that if - -5979 -03:35:47,840 --> 03:35:50,559 -you work on an event it's not a single +03:35:44,0 --> 03:35:50,500 +but I mean a full-blown step would be like that, if you work on an event it's not a single person obviously. 
5980 -03:35:49,520 --> 03:35:52,399 -person obviously - -5981 -03:35:50,559 --> 03:35:54,238 -when you do an investigation you do like - -5982 -03:35:52,398 --> 03:35:54,799 -multiple steps but the question is more - -5983 -03:35:54,238 --> 03:35:56,879 -like +03:35:50,500 --> 03:35:54,500 +When you do an investigation, you do like multiple steps but the question is more like 5984 -03:35:54,799 --> 03:35:58,799 -if you do it within a team usually you - -5985 -03:35:56,879 --> 03:36:00,0 -12956.88 --> 12960 -edit the current even the same - -5986 -03:35:58,799 --> 03:36:03,519 -organizations +03:35:54,500 --> 03:35:59,500 +if you do it within a team usually you edit the current event in the same organizations 5987 -03:36:00,0 --> 03:36:05,760 -12960 --> 12965.76 -if you do enter team you do proposal +03:35:59,500 --> 03:36:05,500 +if you do inter-team, you do proposal, extend it even like we showed before 5988 -03:36:03,520 --> 03:36:07,680 -extend it even like we showed before and - -5989 -03:36:05,760 --> 03:36:09,359 -then you start to work on this uh - -5990 -03:36:07,680 --> 03:36:11,279 -thing so it's here depending on the case - -5991 -03:36:09,359 --> 03:36:13,600 -so uh +03:36:05,500 --> 03:36:09,500 +and then you start to work on this thing, so it's really depending on the case. 5992 -03:36:11,279 --> 03:36:15,680 -so i hope you can you can you can see +03:36:09,500 --> 03:36:15,0 +so I hope you can see what are the capabilities there 5993 -03:36:13,600 --> 03:36:18,318 -what are the capabilities there but it's +03:36:15,0 --> 03:36:22,500 +but it's really the progressive approach of collaboration usually depends on how people are working together. 
5994 -03:36:15,680 --> 03:36:20,398 -really uh the progressive approach of - -5995 -03:36:18,318 --> 03:36:22,559 -collaboration usually depends of - -5996 -03:36:20,398 --> 03:36:24,478 -how people are working together if they - -5997 -03:36:22,559 --> 03:36:25,680 -are really external it's more proposal - -5998 -03:36:24,478 --> 03:36:28,79 -extended event +03:36:22,500 --> 03:36:25,500 +If they are really external it's more proposal, extended event. 5999 -03:36:25,680 --> 03:36:29,279 -if it's within the same team it could be - -6000 -03:36:28,79 --> 03:36:31,439 -extended event +03:36:25,500 --> 03:36:30,500 +If it's within the same team it could be extended event or within the same event, 6001 -03:36:29,279 --> 03:36:33,920 -or within the same event that's usually - -6002 -03:36:31,439 --> 03:36:37,120 -the two way of working +03:36:30,500 --> 03:36:35,500 +that's usually the two way of working. Andras, if you want to add something on that? 6003 -03:36:33,920 --> 03:36:39,680 -if you want to add something no yeah - -6004 -03:36:37,120 --> 03:36:39,680 -that's perfect - -6005 -03:36:39,760 --> 03:36:43,279 -perhaps another question if you're okay - -6006 -03:36:42,639 --> 03:36:46,719 -with +03:36:35,500 --> 03:36:43,500 +No yeah, that's perfect. Perhaps another question if you're okay with switching. 6007 -03:36:43,279 --> 03:36:48,0 -13003.279 --> 13008 -switching yeah when speaking of feeding - -6008 -03:36:46,719 --> 03:36:49,840 -tools what would be the automatic +03:36:43,500 --> 03:36:49,0 +Yeah when speaking of feeding tools what would be the automatic way of doing it? 
6009 -03:36:48,0 --> 03:36:51,120 -13008 --> 13011.12 -way of doing it so normally when we're - -6010 -03:36:49,840 --> 03:36:52,639 -talking about feeding tools there are +03:36:49,0 --> 03:36:52,500 +So normally when we're talking about feeding tools there are two separate ways of doing it 6011 -03:36:51,120 --> 03:36:54,720 -two separate ways of doing it and we'll - -6012 -03:36:52,639 --> 03:36:56,159 -go way way deeper into this tomorrow +03:36:52,500 --> 03:36:56,500 +and we'll go way way deeper into this tomorrow when we talk about integration 6013 -03:36:54,719 --> 03:36:58,238 -when we talk about integration but +03:36:56,500 --> 03:36:58,500 +but generally tools can either fetch data from MISP 6014 -03:36:56,159 --> 03:36:58,959 -generally tools can either fetch data +03:36:58,500 --> 03:37:02,500 +so this is a more common way where a tool would use REST search API 6015 -03:36:58,238 --> 03:37:00,559 -from miss +03:37:02,500 --> 03:37:06,0 +that we mentioned before where you define your search patterns 6016 -03:36:58,959 --> 03:37:02,799 -so this is a more common way where a +03:37:06,0 --> 03:37:10,500 +for example give me everything that is newer than 30 days, 6017 -03:37:00,559 --> 03:37:05,119 -tool would use rest search api that we - -6018 -03:37:02,799 --> 03:37:07,278 -mentioned before where you define yours - -6019 -03:37:05,120 --> 03:37:09,40 -your search patterns for example give me - -6020 -03:37:07,279 --> 03:37:12,159 -everything that is newer than - -6021 -03:37:09,40 --> 03:37:12,880 -30 days everything that uh that contains - -6022 -03:37:12,159 --> 03:37:15,760 -at least - -6023 -03:37:12,879 --> 03:37:16,398 -that is not coming from say oh since the - -6024 -03:37:15,760 --> 03:37:18,719 -sources +03:37:10,500 --> 03:37:16,500 +everything that is not coming from say OSINT sources 6025 -03:37:16,398 --> 03:37:19,599 -or perhaps not something nothing that - -6026 -03:37:18,719 --> 03:37:21,760 -comes +03:37:16,500 --> 03:37:21,500 +or 
perhaps not something, nothing that comes related to a certain topic 6027 -03:37:19,600 --> 03:37:23,520 -uh related to a certain topic for - -6028 -03:37:21,760 --> 03:37:25,600 -example i'm not interested in ransomware - -6029 -03:37:23,520 --> 03:37:26,399 -when feeding my tools just a stupid - -6030 -03:37:25,600 --> 03:37:28,640 -example +03:37:21,500 --> 03:37:26,500 +for example I'm not interested in Ransomware when feeding my tools, just a stupid example. 6031 -03:37:26,398 --> 03:37:30,159 -so you set up your filter options and +03:37:26,500 --> 03:37:28,500 +So you set up your filter options 6032 -03:37:28,639 --> 03:37:32,318 -then your tool would fetch - -6033 -03:37:30,159 --> 03:37:33,680 -data from misp every 60 minutes for - -6034 -03:37:32,318 --> 03:37:36,159 -example +03:37:28,500 --> 03:37:32,500 +and then your tool would fetch data from MISP every 60 minutes, for example. 6035 -03:37:33,680 --> 03:37:37,359 -and then replace the data set there you - -6036 -03:37:36,159 --> 03:37:40,318 -can also do +03:37:32,500 --> 03:37:40,500 +and then replace the data set there. You can also do sliding time window searches 6037 -03:37:37,359 --> 03:37:42,79 -sliding time window searches where you - -6038 -03:37:40,318 --> 03:37:43,760 -say give me everything from the past 60 - -6039 -03:37:42,79 --> 03:37:45,359 -minutes that is new +03:37:40,500 --> 03:37:43,500 +where you say give me everything from the past 60 minutes that is new 6040 -03:37:43,760 --> 03:37:48,0 -13063.76 --> 13068 -and then you keep concatenating your - -6041 -03:37:45,359 --> 03:37:49,40 -data set on the seam side ids side - -6042 -03:37:48,0 --> 03:37:51,200 -13068 --> 13071.2 -whatever tool you're +03:37:43,760 --> 03:37:50,500 +and then you keep concatenating your dataset on the SIEM side, IDS side, whatever tool you're feeding. 
6043 -03:37:49,40 --> 03:37:52,880 -feeding the alternative if you want to - -6044 -03:37:51,200 --> 03:37:53,680 -have the data push automatically as it - -6045 -03:37:52,879 --> 03:37:55,199 -comes in +03:37:50,500 --> 03:37:53,500 +the alternative, if you want to have the data push automatically as it comes in 6046 -03:37:53,680 --> 03:37:57,40 -you have different channels and mist - -6047 -03:37:55,200 --> 03:37:58,560 -that your tools can latch on to +03:37:53,500 --> 03:37:56,500 +you have different channels in MISP that your tools can latch on to. 6048 -03:37:57,40 --> 03:38:00,720 -the downside being that you still need - -6049 -03:37:58,559 --> 03:38:03,199 -to do the conversion +03:37:56,500 --> 03:38:01,500 +The downside being that you still need to do the conversion in those cases. 6050 -03:38:00,719 --> 03:38:04,959 -in those cases so if you were not using - -6051 -03:38:03,200 --> 03:38:08,159 -the - -6052 -03:38:04,959 --> 03:38:11,199 -the apis to fetch the data from bisp +03:38:01,500 --> 03:38:08,500 +So if you were not using the APIs to fetch the data from MISP 6053 -03:38:08,159 --> 03:38:11,680 -then mis can push using the miss json +03:38:08,500 --> 03:38:12,0 +then MISP can push using the MISP JSON format data down 6054 -03:38:11,200 --> 03:38:13,680 -format - -6055 -03:38:11,680 --> 03:38:16,0 -13091.68 --> 13096 -data down via different channels serum - -6056 -03:38:13,680 --> 03:38:16,0 -13093.68 --> 13096 -queue - -6057 -03:38:16,79 --> 03:38:19,760 -or the kafka channel or this blog and so - -6058 -03:38:19,279 --> 03:38:21,279 -on +03:38:12,0 --> 03:38:19,500 +via different channels ZeroMQ or the Kafka channel or this blog and so on 6059 -03:38:19,760 --> 03:38:23,40 -and then your tools automatically feed - -6060 -03:38:21,279 --> 03:38:24,0 -13101.279 --> 13104 -on that data so you have these two - -6061 -03:38:23,40 --> 03:38:26,399 -different +03:38:19,500 --> 03:38:25,500 +and then your tools automatically feed on that data so you 
have these two different ways of interacting with it 6062 -03:38:24,0 --> 03:38:27,520 -13104 --> 13107.52 -ways of interacting with it there's also +03:38:25,500 --> 03:38:28,0 +There's also a third way where you can basically 6063 -03:38:26,398 --> 03:38:28,959 -a third way +03:38:28,0 --> 03:38:33,500 +either build an export module or an enrichment module where an analyst can trigger 6064 -03:38:27,520 --> 03:38:31,760 -where you can basically either build an - -6065 -03:38:28,959 --> 03:38:34,0 -13108.96 --> 13114 -export module or an enrichment module - -6066 -03:38:31,760 --> 03:38:35,760 -where an analyst can trigger a direct - -6067 -03:38:34,0 --> 03:38:38,559 -13114 --> 13118.56 -push of a certain data point - -6068 -03:38:35,760 --> 03:38:39,920 -to another tool so that's another option +03:38:33,500 --> 03:38:38,500 +a direct push of a certain data point to another tool, so that's another option. 6069 -03:38:38,559 --> 03:38:41,840 -we'll talk about these different - -6070 -03:38:39,920 --> 03:38:45,199 -strategies when to use which - -6071 -03:38:41,840 --> 03:38:49,199 -which and how to mix those tomorrow more +03:38:38,500 --> 03:38:44,500 +We'll talk about these different strategies when to use which and how to mix those tomorrow more. 6072 -03:38:45,199 --> 03:38:52,399 -so i hope that answers it in a +03:38:44,500 --> 03:38:50,0 +So I hope that answers it in a brief fashion. 6073 -03:38:49,199 --> 03:38:54,159 -brief fashion yeah what i'm showing here - -6074 -03:38:52,398 --> 03:38:57,840 -is it's just like - -6075 -03:38:54,159 --> 03:38:59,359 -on the on the rest uh search client +03:38:50,0 --> 03:38:57,500 +Yeah what i'm showing here is it's just like on the REST search client 6076 -03:38:57,840 --> 03:39:01,760 -for example you want to feed your your - -6077 -03:38:59,359 --> 03:39:04,800 -storikata and so on uh just +03:38:57,500 --> 03:39:01,500 +for example you want to feed your Suricata and so on. 
6078 -03:39:01,760 --> 03:39:09,840 -take page um +03:39:01,500 --> 03:39:15,500 +Just take page and a specific limit. So what you can do is 6079 -03:39:04,799 --> 03:39:09,840 -on a specific limit +03:39:15,500 --> 03:39:18,0 +if you have a python script and so on you can pull directly the data. 6080 -03:39:13,359 --> 03:39:17,199 -so what you can do is if you have a +03:39:18,0 --> 03:39:24,500 +So the rest client, so you see in this case I have the Suricata rule set 6081 -03:39:15,600 --> 03:39:19,120 -python script and so on you can pull - -6082 -03:39:17,199 --> 03:39:22,159 -directly the data so - -6083 -03:39:19,120 --> 03:39:23,199 -the rest client so you see in this case - -6084 -03:39:22,159 --> 03:39:26,159 -i have the - -6085 -03:39:23,199 --> 03:39:26,880 -shurikata rule set but if you want to - -6086 -03:39:26,159 --> 03:39:29,359 -feed your - -6087 -03:39:26,879 --> 03:39:31,358 -specific tools and and so on uh +03:39:24,500 --> 03:39:28,500 +but if you want to feed your specific tools and and so on, 6088 -03:39:29,359 --> 03:39:34,960 -automatically we are generating - -6089 -03:39:31,359 --> 03:39:36,399 -uh curl and python card so it could be a +03:39:28,500 --> 03:39:36,500 +automatically we are generating curl and python card so it could be a bootstrap to see okay, 6090 -03:39:34,959 --> 03:39:38,639 -bootstrap to see okay - -6091 -03:39:36,398 --> 03:39:41,119 -how should i create my own tool for +03:39:36,500 --> 03:39:40,500 +how should I create my own tool for feeding my IDS and so on. 
6092 -03:39:38,639 --> 03:39:42,639 -feeding my ideas and so on uh for for - -6093 -03:39:41,120 --> 03:39:44,399 -study cata for example - -6094 -03:39:42,639 --> 03:39:45,840 -a lot of management interface have - -6095 -03:39:44,398 --> 03:39:47,760 -already missed connector +03:39:40,500 --> 03:39:45,500 +For Suricata, for example a lot of management interface have already MISP connector 6096 -03:39:45,840 --> 03:39:49,120 -so you can even like feed the data - -6097 -03:39:47,760 --> 03:39:51,600 -directly from - -6098 -03:39:49,120 --> 03:39:52,319 -the from the interface if they have the - -6099 -03:39:51,600 --> 03:39:54,720 -ability +03:39:45,500 --> 03:39:52,500 +So you can even like feed the data directly from the interface if they have the ability 6100 -03:39:52,318 --> 03:39:56,639 -splunk for example there's a specific +03:39:52,500 --> 03:39:55,500 +Splunk for example, there's a specific application 6101 -03:39:54,719 --> 03:40:00,79 -application +03:39:55,500 --> 03:40:01,500 +which is an external tools part of the app store of Splunk 6102 -03:39:56,639 --> 03:40:02,799 -which is an external tools part of the - -6103 -03:40:00,79 --> 03:40:04,79 -app store of splunk that you can install - -6104 -03:40:02,799 --> 03:40:05,759 -for doing the connection +03:40:01,500 --> 03:40:03,500 +that you can install for doing the connection 6105 -03:40:04,79 --> 03:40:08,639 -and some other people are using their - -6106 -03:40:05,760 --> 03:40:12,159 -own python script to feed other cm +03:40:03,500 --> 03:40:08,500 +and some other people are using their own python script to feed other SIEM. 
6107 -03:40:08,639 --> 03:40:14,238 -so again it's a matter of taste - -6108 -03:40:12,159 --> 03:40:16,0 -13212.16 --> 13216 -if you are curious about the different - -6109 -03:40:14,238 --> 03:40:18,79 -kind of integrations +03:40:08,500 --> 03:40:15,500 +So again it's a matter of taste if you are curious about the different kind of integrations 6110 -03:40:16,0 --> 03:40:20,79 -13216 --> 13220.08 -or you can do it in python for example - -6111 -03:40:18,79 --> 03:40:24,79 -in on payments - -6112 -03:40:20,79 --> 03:40:26,478 -itself there are plenty of examples +03:40:15,500 --> 03:40:22,500 +or you can do it in Python for example on PyMISP itself there are plenty of examples. 6113 -03:40:24,79 --> 03:40:28,959 -so if you go in the example directory of - -6114 -03:40:26,478 --> 03:40:28,959 -palmist +03:40:22,500 --> 03:40:29,0 +So if you go in the example directory of PyMISP 6115 -03:40:30,799 --> 03:40:38,0 -13230.8 --> 13238 -you have a quite significant +03:40:29,0 --> 03:40:38,500 +you have quite significant set of default scripts that you can use 6116 -03:40:34,799 --> 03:40:41,438 -set of default scripts +03:40:38,500 --> 03:40:42,500 +and that's I think usually a good basis 6117 -03:40:38,0 --> 03:40:43,40 -13238 --> 13243.04 -that you can use uh and that's uh +03:40:42,500 --> 03:40:47,500 +if you want to start to write your own custom custom tool set for 6118 -03:40:41,439 --> 03:40:46,159 -i think usually a good basis if you want - -6119 -03:40:43,40 --> 03:40:48,720 -to start to to write your own custom - -6120 -03:40:46,159 --> 03:40:49,520 -custom tool set for for feeding your - -6121 -03:40:48,719 --> 03:40:51,278 -feeding - -6122 -03:40:49,520 --> 03:40:53,920 -systems or existing software in your - -6123 -03:40:51,279 --> 03:40:53,920 -infrastructure +03:40:47,500 --> 03:40:52,500 +feeding your systems or existing software in your infrastructure. 
6124 -03:40:57,199 --> 03:41:03,760 -yep um +03:40:52,500 --> 03:41:04,500 +Yep, I don't know if we should jump on a new topic 6125 -03:41:01,680 --> 03:41:05,359 -i don't know if it's if we should jump - -6126 -03:41:03,760 --> 03:41:07,600 -on a new topic or we just push the - -6127 -03:41:05,359 --> 03:41:10,479 -copalos example for tomorrow +03:41:04,500 --> 03:41:07,500 +or we just push the Copalos example for tomorrow? 6128 -03:41:07,600 --> 03:41:12,79 -yeah i think i think uh we can we can do - -6129 -03:41:10,478 --> 03:41:14,398 -it maybe tomorrow i think +03:41:07,500 --> 03:41:11,500 +yeah I think we can do maybe tomorrow. 6130 -03:41:12,79 --> 03:41:15,920 -if we can i think that would be - -6131 -03:41:14,398 --> 03:41:17,519 -stretching it a little bit if we were to - -6132 -03:41:15,920 --> 03:41:21,40 -start with that yeah +03:41:11,500 --> 03:41:16,500 +I think that would be stretching it a little bit if we were to start with that 6133 -03:41:17,520 --> 03:41:22,0 -13277.52 --> 13282 -so um quick quick summary of today so +03:41:16,500 --> 03:41:24,500 +So quick summary of today, so today we showed how to create an event 6134 -03:41:21,40 --> 03:41:25,40 -today we we - -6135 -03:41:22,0 --> 03:41:26,79 -13282 --> 13286.08 -show uh how to create an event the basis - -6136 -03:41:25,40 --> 03:41:28,319 -of misplay - -6137 -03:41:26,79 --> 03:41:29,840 -what is an attribute an object and so on +03:41:24,500 --> 03:41:28,500 +the basis of MISP like what is an attribute, an object and so on. 6138 -03:41:28,318 --> 03:41:32,959 -how to create it so to - -6139 -03:41:29,840 --> 03:41:34,79 -make proposal delete uh and and and - -6140 -03:41:32,959 --> 03:41:36,238 -stuff like that - -6141 -03:41:34,79 --> 03:41:37,840 -so it's really a simple example tomorrow - +03:41:28,500 --> 03:41:35,500 +How to create it, how to make proposal, delete and stuff like that, so it's really a simple example. 
+ 6142 -03:41:36,238 --> 03:41:40,639 -we want to show you - -6143 -03:41:37,840 --> 03:41:42,639 -more the uh even report aspect and the +03:41:35,500 --> 03:41:40,500 +Tomorrow, we want to show you more the event report aspect 6144 -03:41:40,639 --> 03:41:45,439 -automatic imports into - -6145 -03:41:42,639 --> 03:41:46,879 -into mist with a practical example of an - -6146 -03:41:45,439 --> 03:41:49,920 -ocean report - +03:41:40,500 --> 03:41:46,500 +and automatic imports into into MISP with a practical example of an original report. + 6147 -03:41:46,879 --> 03:41:51,438 -and we will discuss tomorrow about +03:41:46,500 --> 03:41:51,500 +and we will discuss tomorrow about how to build sharing communities 6148 -03:41:49,920 --> 03:41:53,40 -how to build sharing communities and +03:41:51,500 --> 03:41:55,500 +and especially we will share our experience of things that worked 6149 -03:41:51,439 --> 03:41:55,840 -especially we will share - -6150 -03:41:53,40 --> 03:41:57,279 -our experience of things that worked and - -6151 -03:41:55,840 --> 03:41:59,520 -things that didn't work - -6152 -03:41:57,279 --> 03:42:01,359 -uh in the past years when creating +03:41:55,500 --> 03:42:00,0 +and things that didn't work in the past years when creating sharing communities. 
6153 -03:41:59,520 --> 03:42:03,40 -sharing communities so if you are - -6154 -03:42:01,359 --> 03:42:04,479 -isaac members or creating your own - -6155 -03:42:03,40 --> 03:42:05,600 -sharing community even within your - -6156 -03:42:04,478 --> 03:42:07,39 -organization +03:42:00,0 --> 03:42:05,500 +So if you are ISAC members or creating your own sharing community even within your organization 6157 -03:42:05,600 --> 03:42:09,40 -uh it's it's something good to +03:42:05,500 --> 03:42:09,500 +It's something good to participate because we will share with you 6158 -03:42:07,40 --> 03:42:10,560 -participate because you we will share - -6159 -03:42:09,40 --> 03:42:12,479 -with you some some of the things that - -6160 -03:42:10,559 --> 03:42:14,238 -are interesting of building a - -6161 -03:42:12,478 --> 03:42:17,519 -bootstrapping such kind of - -6162 -03:42:14,238 --> 03:42:19,279 -of community um +03:42:09,5000 --> 03:42:15,500 +some of the things that are interesting of building and bootstrapping such kind of of community. 
6163 -03:42:17,520 --> 03:42:20,800 -i don't know honestly you want to add +03:42:15,500 --> 03:42:20,500 +I don't know Andras if you want to add something 6164 -03:42:19,279 --> 03:42:24,319 -something no - -6165 -03:42:20,799 --> 03:42:25,920 -and that's basically it thanks for - -6166 -03:42:24,318 --> 03:42:27,278 -everyone for sticking through +03:42:20,500 --> 03:42:26,500 +No and that's basically it thanks for everyone for sticking through this 6167 -03:42:25,920 --> 03:42:29,120 -through this it's a very condensed - -6168 -03:42:27,279 --> 03:42:30,880 -session so - -6169 -03:42:29,120 --> 03:42:32,560 -we said we didn't make as much progress +03:42:26,500 --> 03:42:30,500 +through it's a very condensed session so we said we didn't make as much progress 6170 -03:42:30,879 --> 03:42:33,920 -as we hoped so we have quite a bit left - -6171 -03:42:32,559 --> 03:42:37,198 -for tomorrow +03:42:30,500 --> 03:42:33,500 +as we hoped so we have quite a bit left for tomorrow 6172 -03:42:33,920 --> 03:42:39,120 -and hope to see you all here tomorrow +03:42:33,500 --> 03:42:35,500 +and hope to see you all here tomorrow. 6173 -03:42:37,199 --> 03:42:40,800 -thank you very much uh take care and - -6174 -03:42:39,120 --> 03:42:43,279 -don't hesitate to ask questions +03:42:35,500 --> 03:42:40,500 +Thank you very much, take care and don't hesitate to ask questions 6175 -03:42:40,799 --> 03:42:44,318 -uh either later on directly contact us - -6176 -03:42:43,279 --> 03:42:48,79 -thank you very much +03:42:40,500 --> 03:42:45,0 +either later on directly contact us, thank you very much, see you tomorrow. 6177 -03:42:44,318 --> 03:42:48,79 -see you tomorrow thank you all see you - -6178 -03:42:49,318 --> 03:42:52,318 -tomorrow \ No newline at end of file +03:42:45,0 --> 03:42:49,500 +Thank you all see you tomorrow \ No newline at end of file
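Review bot: in the 6107-6123 region the merged cues leave the SRT sequence numbers non-contiguous (6107 is followed by 6110, then 6113, 6115, 6116, 6117, 6124), because each merge drops the indices of the absorbed cues instead of renumbering; the SRT format expects consecutive cue numbers, and strict parsers or subtitle editors can reject or silently reorder a file with gaps, so renumber sequentially once the merges are done (the same gaps appear further down, e.g. 6127, 6133, 6137, 6142). In the same region the millisecond field should be zero-padded to three digits: `03:40:22,500 --> 03:40:29,0` and `03:40:29,0 --> 03:40:38,500` should read `,000`, the format being `HH:MM:SS,mmm`; the removed lines carried the same defect (`03:40:16,0`), so this pass is the right moment to fix it rather than carry it forward.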
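Review bot: the cue at `03:41:40,500 --> 03:41:46,500` still contains the stutter `into into MISP`, which the rest of the patch otherwise cleans up (`custom custom tool set` in the 6117 cue survived too); drop the repeats. In the same cue `an original report` replaces the old `an ocean report`, which reads like a guess at an unclear word rather than a verified correction; if the term cannot be confirmed from the audio, flag it as uncertain instead of substituting a different word, since the transcript is used as reference material.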
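Review bot: the timestamp `03:42:09,5000 --> 03:42:15,500` in the 6157/6162 cue has a four-digit millisecond field; it should be `03:42:09,500`, matching the end time of the preceding cue (`03:42:05,500 --> 03:42:09,500`). A parser doing strict `HH:MM:SS,mmm` matching will reject this cue, and a lenient one may interpret `5000` as five seconds and make the cue overlap its neighbour. The same cue also keeps the doubled `such kind of of community`.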
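Review bot: the cue at `03:42:26,500 --> 03:42:30,500` opens with a stray `through` (`through it's a very condensed session`) left over from splitting `sticking through this` across two cues; remove it so the pair reads `...thanks for everyone for sticking through this` / `it's a very condensed session so we said...`. The end-of-file timestamps `03:42:00,0` and `03:42:45,0` need the same three-digit millisecond padding as the rest of the patch (`,000`).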