diff --git a/0-intro-shorter/content_es.tex b/0-intro-shorter/content_es.tex
new file mode 100755
index 0000000..631355f
--- /dev/null
+++ b/0-intro-shorter/content_es.tex
@@ -0,0 +1,165 @@
+% DO NOT COMPILE THIS FILE DIRECTLY!
+% This is included by the other .tex files.
+
+\begin{frame}[t,plain]
+\titlepage
+\end{frame}
+
+\begin{frame}
+ \frametitle{MISP, comenzando desde un caso práctico}
+ \begin{itemize}
+ \item Durante un taller de análisis de malware en 2012, descubrimos que habíamos estado trabajando analizando el mismo malware.
+ \item Quisimos compartir información de forma fácil y automatizada para así {\bf evitar la duplicación de trabajo}.
+ \item Christophe Vandeplas (trabajando en el CERT del MINDEF Belga en aquel entonces) nos mostró su trabajo en una plataforma que luego se convertiría en MISP.
+ \item Una primera versión de MISP fue utilizada por el MALWG y {\bf los comentarios de los usuarios} nos ayudaron a realizar mejoras en la plataforma.
+ \item Actualmente MISP es {\bf un desarrollo impulsado por la comunidad}.
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Acerca de CIRCL}
+El Centro de Respuesta ante Emergencias Informáticas de Luxemburgo (CIRCL) es una iniciativa impulsada por el gobierno, diseñada para proveer una respuesta sistemática a incidentes y amenazas de seguridad informática.
+\linebreak
+\linebreak
+CIRCL es el CERT del sector privado, municipios y entidades no gubernamentales en Luxemburgo y es operado por LHC g.i.e.
+\end{frame}
+
+\begin{frame}
+\frametitle{MISP y CIRCL}
+\begin{itemize}
+\item CIRCL es conducido por el Ministerio de Economía y actúa como el CERT Nacional para el sector privado.
+\item CIRCL lidera el desarrollo de MISP, la plataforma de código abierto de inteligencia de amenazas, que es utilizada por muchas comunidades militares o de inteligencia, empresas privadas, sector financiero, CERTs nacionales y fuerzas de seguridad (LEAs) en todo el mundo.
+\item {\bf CIRCL opera múltiples comunidades de MISP, que a diario comparten información de inteligencia de amenazas (threat-intelligence)}.
+\end{itemize}
+ \includegraphics{en_cef.png}
+\end{frame}
+
+\begin{frame}
+\frametitle{¿Qué es MISP?}
+\begin{itemize}
+ \item MISP es una plataforma libre y de código abierto para el {\bf intercambio de información de amenazas}.
+ \item Es una herramienta que {\bf recolecta} información proveniente de diferentes participantes, sus analistas, sus herramientas, fuentes de inteligencia, etc.
+ \item Normaliza, {\bf correlaciona} y {\bf enriquece} la información.
+ \item Permite {\bf colaborar} a los diferentes equipos y comunidades.
+ \item {\bf Alimenta} las herramientas de seguridad y de los analistas con sus resultados.
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Desarrollo basado en comentarios de los usuarios}
+\begin{itemize}
+\item Existen muchos diferentes tipos de usuarios de plataformas de intercambio de información como MISP:
+ \begin{itemize}
+ \item {\bf Analistas de Malware} dispuestos a compartir indicadores de compromiso con sus respectivos colegas.
+ \item {\bf Analistas de Seguridad} buscando, validando y utilizando indicadores en seguridad operacional.
+ \item {\bf Analistas de Inteligencia} recopilando información acerca de ciertos grupos de adversarios.
+ \item {\bf Fuerzas de Seguridad} utilizando indicadores para dar soporte a casos de análisis forense digital (DFIR).
+ \item {\bf Equipos de Análisis de Riesgos} dispuestos a saber más sobre nuevas amenazas, probabilidades e incidencias.
+ \item {\bf Analistas de Fraude} dispuestos a compartir indicadores financieros para detectar fraudes.
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Modelo de gobernabilidad de MISP}
+\begin{center}
+\includegraphics[scale=0.2]{governance.png}
+\end{center}
+\end{frame}
+
+\begin{frame}
+\frametitle{Múltiples objetivos según diferentes grupos de usuarios}
+ \begin{itemize}
+ \item Compartiendo indicadores para la {\bf detección}.
+ \begin{itemize}
+ \item '¿Existen sistemas infectados en mi infraestructura o en las redes que opero?'
+ \end{itemize}
+ \item Compartiendo indicadores para {\bf bloquear}.
+ \begin{itemize}
+ \item 'Utilizo estos indicadores para bloquear el acceso o redireccionar el tráfico.'
+ \end{itemize}
+ \item Compartiendo indicadores para {\bf realizar actividades de inteligencia}.
+ \begin{itemize}
+ \item 'Recopilando información acerca de campañas y ataques. ¿Están relacionados? ¿Quién me tiene como objetivo? ¿Quiénes son los adversarios?'
+ \end{itemize}
+ \item $\rightarrow$ Estos objetivos pueden ser contradictorios (p. ej. Los falsos-positivos tienen diferentes impactos)
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Comunidades utilizando MISP}
+ \begin{itemize}
+ \item Las comunidades son grupos de usuarios que comparten un conjunto objetivos o valores comunes.
+ \item CIRCL opera múltiples instancias de MISP con una gran cantidad de usuarios (más de 1200 organizaciones con más de 4000 usuarios).
+ \item {\bf Grupos de confianza} operando comunidades de MISP en modo aislado (air-gapped) o parcialmente conectados.
+ \item {\bf Sector financiero} (bancos, Centros de Análisis e Intercambio de Información (ISACs), organizaciones de procesamiento de pagos) utilizan MISP como mecanismo de intercambio.
+ \item {\bf Organizaciones internacionales y militares} OTAN, CSIRTs militares, CERTs, ...
+ \item {\bf Proveedores de Seguridad} operando sus propias comunidades o interconectados con otras comunidades.
+ \item {\bf Comunidades temáticas} creadas para abordar problemáticas específicas (COVID-19 MISP)
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Las dificultades de compartir información}
+ \begin{itemize}
+ \item Las dificultades de compartir información no suelen ser problemas de índole tecnológico, en general se deben a las {\bf interacciones sociales} (p. ej. {\bf confianza}).
+ \item Restricciones legales\footnote{\url{https://www.misp-project.org/compliance/}}
+ \begin{itemize}
+ \item "Nuestro marco legal no nos permite compartir información."
+ \item "El riesgo de filtraciones de información es muy alto y riesgoso para nuestra organización y nuestros socios."
+ \end{itemize}
+ \item Restricciones prácticas
+ \begin{itemize}
+ \item "No tenemos información para compartir."
+ \item "No tenemos tiempo para procesar o contribuir con indicadores."
+ \item "Nuestro modelo de clasificación no se ajusta al modelo de MISP."
+ \item "Las herramientas para intercambio de información están asociadas a un formato específico, nosotros utilizamos otro."
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+
+\begin{frame}
+ \frametitle{Vista general del Proyecto MISP}
+ \includegraphics[scale=0.35]{misp-overview-simplified.pdf}
+\end{frame}
+
+\begin{frame}
+\frametitle{Compartiendo en MISP}
+ \begin{itemize}
+ \item Compartiendo vía listas de distribución - {\bf Grupos de intercambio} (sharing groups)
+ \item {\bf Delegación} para intercambio de información pseudo-anonimizada
+ \item {\bf Propuestas} y {\bf Eventos extendidos} para compartir información en forma colaborativa
+ \item Sincronización, Fuentes (feeds), intercambio aislado (air-gapped)
+ \item {\bf Filtros de intercambio } definidos por el usuario para todos los métodos mencionados anteriormente
+ \item {\bf Almacenamiento en caché} para búsquedas rápidas en grandes volúmenes de datos
+ \item Soporte de múltiples instancias de MISP para enclaves internas
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Gestión de la calidad de la Información}
+ \begin{itemize}
+ \item Información correlacionada
+ \item Ciclo de retroalimentación de detecciones vía {\bf Avistamientos} (Sightings)
+ \item {\bf Gestión de falsos positivos} vía el sistema de alertas (warninglists)
+ \item Sistema de {\bf enriquecimiento} vía MISP-modules
+ \item Sistema de {\bf flujos de trabajo} para revisar y controlar la información que se publica
+ \item {\bf Integraciones} con un gran número de herramientas y formatos
+ \item {\bf API} flexible y soporte de {\bf librerías} tales como PyMISP para facilitar la integración
+ \item {\bf Líneas de tiempo} (timelines) para dotar a la información de un marco temporal
+ \item Cadena completa de la {\bf gestión del ciclo de vida de indicadores}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Conclusión}
+ \begin{itemize}
+ \item {\bf Las prácticas de intercambio de información vienen con su uso} y con el ejemplo (p. ej. aprender mediante la imitación de la información compartida).
+ \item MISP es sólo una herramienta. Lo que importa son sus prácticas de intercambio. La herramienta debería darle soporte de la manera más transparente posible.
+ \item Permitir a los usuarios customizar MISP para satisfacer las necesidad de los casos de uso de su comunidad.
+ \item El proyecto MISP combina código abierto, estándares abiertos, mejores prácticas y comunidades para convertir el intercambio de información en una realidad.
+ \end{itemize}
+\end{frame}
+
+
diff --git a/0-intro-shorter/slide.tex b/0-intro-shorter/slide.tex
index 7a39169..93cc560 100644
--- a/0-intro-shorter/slide.tex
+++ b/0-intro-shorter/slide.tex
@@ -1,3 +1,4 @@
+% !TEX program = XeLaTeX
 \documentclass{beamer}
 \usetheme[numbering=progressbar]{focus}
 \definecolor{main}{RGB}{47, 161, 219}
diff --git a/0-intro-shorter/slide_es.tex b/0-intro-shorter/slide_es.tex
new file mode 100644
index 0000000..a713361
--- /dev/null
+++ b/0-intro-shorter/slide_es.tex
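Review bot: The quoted user statements in the `Múltiples objetivos` and `Las dificultades de compartir información` frames use straight ASCII quotes (`'¿Existen sistemas infectados ...?'`, `"Nuestro marco legal ..."`), which LaTeX typesets as apostrophes and doubled closing quotes rather than matched opening/closing pairs; use the TeX grave-accent/apostrophe pairs or `\enquote{...}` from csquotes. The file also uses the obsolete `{\bf ...}` font switch throughout, as do 1-misp-usage/content_es.tex and 20220615-NATO-MUG-UPDATE/content.tex in this commit, where `\textbf{...}` is the supported form. The `Acerca de CIRCL` frame separates its two paragraphs with `\linebreak\linebreak`, which produces an underfull-line warning; a blank line (paragraph break) gives the spacing cleanly. In the `Comunidades utilizando MISP` frame, `un conjunto objetivos o valores comunes` is missing a word and should read `un conjunto de objetivos o valores comunes`.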
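Review bot: The `% !TEX program = XeLaTeX` directive is added to slide.tex only, while the new sibling slide_es.tex created in the same directory by this commit carries no directive and loads `\usepackage[utf8]{inputenc}`, so the two decks will be built by different engines depending on the editor. If the theme or fonts need XeLaTeX, the directive belongs in slide_es.tex too and the `inputenc` line is redundant there; if pdfLaTeX remains the intended engine, the directive is misleading. The rest of slide.tex lies outside this hunk, so whether it also loads `inputenc` is not visible here.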
@@ -0,0 +1,25 @@
+\documentclass{beamer}
+\usetheme[numbering=progressbar]{focus}
+\definecolor{main}{RGB}{47, 161, 219}
+\definecolor{textcolor}{RGB}{128, 128, 128}
+\definecolor{background}{RGB}{240, 247, 255}
+
+\usepackage[utf8]{inputenc}
+\usepackage{tikz}
+\usepackage{listings}
+\usetikzlibrary{positioning}
+\usetikzlibrary{shapes,arrows}
+
+
+\title{Una introducción al Intercambio de Información de Ciberseguridad}
+\subtitle{MISP - Threat Sharing}
+\author{\small{\input{../includes/authors.txt}}}
+\date{\input{../includes/location.txt}}
+\titlegraphic{\includegraphics[scale=0.85]{misp.pdf}}
+\institute{MISP Project \\ \url{https://www.misp-project.org/}}
+
+
+\begin{document}
+\include{content_es}
+\end{document}
+
diff --git a/1-misp-usage/content_es.tex b/1-misp-usage/content_es.tex
new file mode 100644
index 0000000..f7cf90b
--- /dev/null
+++ b/1-misp-usage/content_es.tex
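Review bot: `\author{\small{\input{../includes/authors.txt}}}` treats `\small` as a command taking an argument, but it is a font-size switch: the braces after it open a group that does not bound its scope, and the size change applies to the rest of the `\author` argument. It only works here because the `\input` is the whole argument; the intended form is `\author{{\small\input{../includes/authors.txt}}}`, and 1-misp-usage/slide_es.tex in this commit has the same line. For a Spanish deck compiled with pdfLaTeX the preamble also lacks `\usepackage[T1]{fontenc}` and `\usepackage[spanish]{babel}`, without which accented words are not hyphenated correctly and the accented glyphs are composed rather than copyable from the PDF.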
@@ -0,0 +1,244 @@
+% DO NOT COMPILE THIS FILE DIRECTLY!
+% This is included by the other .tex files.
+
+%\colorlet{punct}{red!60!black}
+%\definecolor{background}{HTML}{EEEEEE}
+%\definecolor{delim}{RGB}{20,105,176}
+%\colorlet{numb}{magenta!60!black}
+
+\lstdefinelanguage{json}{
+ basicstyle=\ttfamily\footnotesize,
+ numbers=left,
+ numberstyle=\ttfamily\footnotesize,
+ stepnumber=1,
+ numbersep=8pt,
+ showstringspaces=false,
+ breaklines=true,
+ frame=lines,
+ backgroundcolor=\color{background},
+ literate=
+ *{0}{{{\color{numb}0}}}{1}
+ {1}{{{\color{numb}1}}}{1}
+ {2}{{{\color{numb}2}}}{1}
+ {3}{{{\color{numb}3}}}{1}
+ {4}{{{\color{numb}4}}}{1}
+ {5}{{{\color{numb}5}}}{1}
+ {6}{{{\color{numb}6}}}{1}
+ {7}{{{\color{numb}7}}}{1}
+ {8}{{{\color{numb}8}}}{1}
+ {9}{{{\color{numb}9}}}{1}
+ {:}{{{\color{punct}{:}}}}{1}
+ {,}{{{\color{punct}{,}}}}{1}
+ {\{}{{{\color{delim}{\{}}}}{1}
+ {\}}{{{\color{delim}{\}}}}}{1}
+ {[}{{{\color{delim}{[}}}}{1}
+ {]}{{{\color{delim}{]}}}}{1},
+}
+
+\begin{frame}[t,plain]
+\titlepage
+\end{frame}
+
+\begin{frame}
+ \frametitle{MISP - VM}
+ \begin{itemize}
+ \item Credenciales
+ \begin{itemize}
+ \item MISP admin: admin@admin.test/admin
+ \item SSH: misp/Password1234
+ \end{itemize}
+ \item Disponible para descargar aquí (VirtualBox and VMWare):
+ \begin{itemize}
+ \item \url{https://www.circl.lu/misp-images/latest/}
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{MISP - Uso Básico}
+ Plan para esta parte de la capacitación
+ \begin{itemize}
+ \item Modelo de datos
+ \item Visualizando datos
+ \item Alta de datos
+ \item Cooperación
+ \item Distribución
+ \item Exportando datos
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{MISP - Eventos (El componente fundamental de MISP)}
+ \includegraphics[scale=0.45]{screenshots/datamodel1.png}
+\end{frame}
+
+\begin{frame}
+ \frametitle{MISP - Eventos (Atributos, dando significado a los eventos)}
+ \includegraphics[scale=0.45]{screenshots/datamodel2.png}
+\end{frame}
+
+\begin{frame}
+ \frametitle{MISP - Eventos (Correlaciones entre atributos similares)}
+ \includegraphics[scale=0.45]{screenshots/datamodel3.png}
+\end{frame}
+
+\begin{frame}
+ \frametitle{MISP - Eventos (Propuestas)}
+ \includegraphics[scale=0.45]{screenshots/datamodel4.png}
+\end{frame}
+
+\begin{frame}
+ \frametitle{MISP - Eventos (Etiquetas)}
+ \includegraphics[scale=0.45]{screenshots/datamodel5.png}
+\end{frame}
+
+\begin{frame}
+ \frametitle{MISP - Eventos (Discusiones)}
+ \includegraphics[scale=0.45]{screenshots/datamodel6.png}
+\end{frame}
+
+\begin{frame}
+ \frametitle{MISP - Eventos (Taxonomías y propuestas de correlaciones)}
+ \includegraphics[scale=0.35]{screenshots/datamodel7.png}
+\end{frame}
+
+\begin{frame}
+ \frametitle{MISP - Eventos (El estado del arte del modelo de datos de MISP)}
+ \includegraphics[scale=0.25]{screenshots/datamodel8.png}
+\end{frame}
+
+\begin{frame}
+ \frametitle{MISP - Visualizando el listado de Eventos}
+ \begin{itemize}
+ \item Listar Eventos
+ \begin{itemize}
+ \item Contexto del Evento
+ \item Etiquetas
+ \item Distribución
+ \item Correlaciones
+ \end{itemize}
+ \item Filtros
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{MISP - Visualizando un Evento}
+ \begin{itemize}
+ \item Ver Evento
+ \begin{itemize}
+ \item Contexto del Evento
+ \item Atributos
+ \begin{itemize}
+ \item Categoría/tipo, IDS, Correlaciones
+ \end{itemize}
+ \item Objetos
+ \item Galáxias
+ \item Propuestas
+ \item Discusiones
+ \end{itemize}
+ \item Herramientas para encontrar lo que buscas
+ \item Grafos de correlaciones
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{MISP - Alta y carga de eventos en diferentes formas (demo)}
+ \begin{itemize}
+ \item Las principales formas de cargar eventos
+ \begin{itemize}
+ \item Añadir atributos / Añadir en lotes
+ \item Añadir objetos y cómo funcionan las plantillas de objetos
+ \item Importar texto libre
+ \item Importar
+ \item Plantillas
+ \item Añadir archivos adjuntos / capturas de pantalla
+ \item API
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{MISP - Diferentes funcionalidades para añadir información}
+ \begin{itemize}
+ \item ¿Qué sucede automáticamente cuando agregamos información?
+ \begin{itemize}
+ \item Correlación automática
+ \item Modificación de la carga vía validación y filtros (regex)
+ \item Etiquetado / Cúmulos de galaxias
+ \end{itemize}
+ \item Diferentes formas de publicar información
+ \begin{itemize}
+ \item Publicar con/sin enviar un e-mail
+ \item Publicar vía la API
+ \item Delegación
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{MISP - Utilizando la información}
+ \begin{itemize}
+ \item Grafos de correlaciones
+ \item Descargando la información en diferentes formatos
+ \item API (más detalles luego)
+ \item Colaborando con usuarios (propuestas, discusiones, emails)
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{MISP - Sincronización en detalle}
+ \begin{itemize}
+ \item Conexiones de sincronización
+ \item Modelo pull/push
+ \item Previsualización de instancias
+ \item Filtrado de la sincronización
+ \item Herramienta de prueba de conexión
+ \item Modo de selección manual
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{MISP - Fuentes (feeds) en detalle}
+ \begin{itemize}
+ \item Tipos de fuentes (MISP, texto libre, CSV)
+ \item Alta/edición de fuentes
+ \item Previzualización de fuentes
+ \item Fuentes Locales vs. Remotas
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{MISP - Distribuciones en detalle}
+ \begin{itemize}
+ \item Solo Mi Organización
+ \item Solo Esta Comunidad
+ \item Comunidades Conectadas
+ \item Todas las Comunidades
+ \item Grupo de Intercambio
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{MISP - Distribución y Topología}
+ \includegraphics[scale=0.45]{screenshots/sync.png}
+\end{frame}
+
+\begin{frame}
+ \frametitle{MISP - Exportar y API}
+ \begin{itemize}
+ \item Descargar un evento
+ \item Un vistazo a las APIs
+ \item Descargar resultados de una búsqueda
+ \item API REST y generador de consultas
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{MISP - Tareas administrativas}
+ \begin{itemize}
+ \item Configuración
+ \item Resolución de problemas
+ \item Trabajadores (workers)
+ \item Registros (logs)
+ \end{itemize}
+\end{frame}
diff --git a/1-misp-usage/slide_es.tex b/1-misp-usage/slide_es.tex
new file mode 100644
index 0000000..60f814e
--- /dev/null
+++ b/1-misp-usage/slide_es.tex
@@ -0,0 +1,28 @@
+\documentclass{beamer}
+\usetheme[numbering=progressbar]{focus}
+\definecolor{main}{RGB}{47, 161, 219}
+\definecolor{textcolor}{RGB}{128, 128, 128}
+\definecolor{background}{RGB}{240, 247, 255}
+
+\usepackage[utf8]{inputenc}
+\usepackage{tikz}
+\usepackage{listings}
+\usepackage{adjustbox}
+\usetikzlibrary{positioning}
+\usetikzlibrary{shapes,arrows}
+%\usepackage[T1]{fontenc}
+%\usepackage[scaled]{beramono}
+
+\author{\small{\input{../includes/authors.txt}}}
+
+\title{Capacitación de Usuario de MISP - Uso básico de MISP}
+\subtitle{MISP - Threat Sharing}
+\institute{\href{http://www.misp-project.org/}{http://www.misp-project.org/} \\ Twitter: \emph{\href{https://twitter.com/mispproject}{@MISPProject}}}
+\date{\input{../includes/location.txt}}
+\titlegraphic{\includegraphics[scale=0.85]{misp.pdf}}
+
+
+\begin{document}
+\include{content_es}
+\end{document}
+
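Review bot: The `MISP - VM` frame prints the image's login credentials (`admin@admin.test/admin`, `misp/Password1234`) without saying they are the published defaults of the training VM; add an item such as `\item Cambie estas credenciales por defecto antes de exponer la VM fuera del entorno de capacitación.` so attendees do not keep them on an instance that is reachable from elsewhere. The `\lstdefinelanguage{json}` block references the colours `numb`, `punct` and `delim`, but the `\colorlet`/`\definecolor` lines that would define them are commented out at the top of this file and the preamble in slide_es.tex only defines `background`; any `lstlisting` with `language=json` will presumably fail with an undefined-colour error unless those names are defined elsewhere. Two spelling slips in frame text: `Galáxias` should be `Galaxias` and `Previzualización` should be `Previsualización` (the sync frame already spells it that way).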
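Review bot: `\institute` links to `http://www.misp-project.org/` over plain HTTP while the rest of this commit (0-intro-shorter/slide_es.tex and the compliance footnote in its content file) uses `https://www.misp-project.org/`; switch to the HTTPS address, and `\url{https://www.misp-project.org/}` avoids repeating it as both link target and link text. `\usepackage[T1]{fontenc}` is left commented out although the included content_es.tex is entirely Spanish text with accents, which costs correct hyphenation under pdfLaTeX; enable it together with `\usepackage[spanish]{babel}`. `\author{\small{\input{../includes/authors.txt}}}` treats the `\small` switch as a command with an argument; the intended form is `\author{{\small\input{../includes/authors.txt}}}`.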
diff --git a/20220615-NATO-MUG-UPDATE/Sightings2.PNG b/20220615-NATO-MUG-UPDATE/Sightings2.PNG
new file mode 100644
index 0000000..cd35990
Binary files /dev/null and b/20220615-NATO-MUG-UPDATE/Sightings2.PNG differ
diff --git a/20220615-NATO-MUG-UPDATE/attack-screenshot.png b/20220615-NATO-MUG-UPDATE/attack-screenshot.png
new file mode 100644
index 0000000..44cf2ff
Binary files /dev/null and b/20220615-NATO-MUG-UPDATE/attack-screenshot.png differ
diff --git a/20220615-NATO-MUG-UPDATE/b.4-turning-data-into-actionable-intelligence-short.pdf b/20220615-NATO-MUG-UPDATE/b.4-turning-data-into-actionable-intelligence-short.pdf
new file mode 100644
index 0000000..2bdf2e6
Binary files /dev/null and b/20220615-NATO-MUG-UPDATE/b.4-turning-data-into-actionable-intelligence-short.pdf differ
diff --git a/20220615-NATO-MUG-UPDATE/bankaccount.png b/20220615-NATO-MUG-UPDATE/bankaccount.png
new file mode 100644
index 0000000..94eb5cc
Binary files /dev/null and b/20220615-NATO-MUG-UPDATE/bankaccount.png differ
diff --git a/20220615-NATO-MUG-UPDATE/bankview.png b/20220615-NATO-MUG-UPDATE/bankview.png
new file mode 100644
index 0000000..ce629c1
Binary files /dev/null and b/20220615-NATO-MUG-UPDATE/bankview.png differ
diff --git a/20220615-NATO-MUG-UPDATE/circl.png b/20220615-NATO-MUG-UPDATE/circl.png
new file mode 100644
index 0000000..c570ff2
Binary files /dev/null and b/20220615-NATO-MUG-UPDATE/circl.png differ
diff --git a/20220615-NATO-MUG-UPDATE/content.tex b/20220615-NATO-MUG-UPDATE/content.tex
new file mode 100644
index 0000000..c598bfc
--- /dev/null
+++ b/20220615-NATO-MUG-UPDATE/content.tex
@@ -0,0 +1,312 @@
+% DO NOT COMPILE THIS FILE DIRECTLY!
+% This is included by the other .tex files.
+
+\begin{frame}
+\titlepage
+\end{frame}
+
+\begin{frame}
+ \frametitle{The aim of this presentation}
+ \begin{itemize}
+ \item A small update on the state of MISP's ongoing development
+ \item Some highlights of the changes that were introduced
+ \item Upcoming changes
+ \item Cerebrate update
+ \item Workflows
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{MISP's evolution since the last MUG}
+ \begin{itemize}
+ \item Since the last MUG (18/11/2021) we've had:
+ \begin{itemize}
+ \item 9 releases
+ \item 1775 commits
+ \item 74 contributors contributing to the core software and its components
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Main focus was securing our data and tooling}
+ \begin{itemize}
+ \item Current {\bf geo-political situation} lead to new challenges
+ \item It has been an interesting time period with quite some activity
+ \item Our goal was to {\bf shore up the security} aspects of MISP and Cerebrate
+ \item Build new functionalities and tools to allow users to {\bf protect their data}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Sharing group blueprints}
+ \begin{itemize}
+ \item Solving the issue of {\bf sharing group lifecycle management}
+ \item Build SG blueprints for reusable, maintainable sharing groups
+ \item Abstract sharing groups, organisation metadata as building blocks
+ \item Solve newly arising sharing challenges
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Sharing group blueprints}
+\includegraphics[scale=0.6]{images/blueprints2.png}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Cryptographic signing and tamper protection}
+ \begin{itemize}
+ \item Need to be able to share and ensure the {\bf veracity of critical events}
+ \item Tampering by {\bf malicious intermediaries}, even in closed networks became a new fear
+ \item We came up with a solution that allows us to {\bf lock down critical events}
+ \item Limits the distribution, but {\bf increases the resilience} of MISP immensely
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Cryptographic signing and tamper protection}
+\includegraphics[scale=0.5]{images/signing1.png}
+\end{frame}
+
+\begin{frame}
+\frametitle{Cryptographic signing and tamper protection}
+\includegraphics[scale=0.5]{images/signing2.png}
+\end{frame}
+
+\begin{frame}
+\frametitle{Cryptographic signing and tamper protection}
+\includegraphics[scale=0.6]{images/signing3.png}
+\includegraphics[scale=0.6]{images/signing4.png}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Other major improvements}
+ \begin{itemize}
+ \item Various other new functionalities that improve our day to day use of the tool
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Long list of security fixes}
+ \begin{itemize}
+ \item Partially from user reports
+ \item Partially by an exhaustive pentest series
+ \item Massive thank you to {\bf Zigrin Security} for conducting the tests...
+ \item ...and to the {\bf Luxembourgish Army} for financing it
+ \item Multiple {\bf CVEs} resolved, including a {\bf critical one that required a silent release}
+ \item Make sure you stay up to date!
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Long list of security fixes}
+\includegraphics[scale=0.4]{images/security.png}
+\end{frame}
+
+
+\begin{frame}
+ \frametitle{Event warning system}
+ \begin{itemize}
+ \item Build a rule based tool that analyses an event and {\bf recommends improvements}
+ \item Typical issues easily caught (missing TLP, lack of context, etc)
+ \item Simple to extend, flexible
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Event warning system}
+\includegraphics[scale=0.3]{images/warnings.png}
+\end{frame}
+
+
+\begin{frame}
+ \frametitle{Massive rework of the STIX integrations}
+ \begin{itemize}
+ \item Our resident STIX guru (Christian Studer) has become {\bf co-chair of the STIX commitee} at OASIS
+ \item Massive rework of how we handle {\bf STIX ingestion / generation}
+ \item Continuous work with {\bf Mitre/CISA} to improve the integration
+ \item STIX subsystem spun off as a standalone system
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Further synchronisation filtering methods}
+ \begin{itemize}
+ \item The ability to {\bf exclude} certain attribute {\bf types from the synchronisation}
+ \item Comes with some risks, but solves some issues
+ \item An example: {\bf Exclusion of malware samples when sharing towards classified networks}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Advanced timelining}
+ \begin{itemize}
+ \item Rework of the timelining in MISP
+ \item Inclusion of images, sightings
+ \item Various other improvements
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Timelining}
+\includegraphics[scale=0.2]{images/timelining.png}
+\end{frame}
+
+\begin{frame}
+ \frametitle{New background processor}
+ \begin{itemize}
+ \item Since late November last year we have had a {\bf new background processing engine}
+ \item Fully optional for now
+ \item Lean, closer to an OS native implementation via {\bf Supervisor}
+ \item Gets rid of a lot of the baggage of our previous system (scheduling)
+ \item Implemetation by @righel (Luciano Righetti)
+ \end{itemize}
+\end{frame}
+
+
+\begin{frame}
+ \frametitle{Long list of other fixes}
+ \begin{itemize}
+ \item Usability fixes
+ \item Performance improvements
+ \item Bug fixes
+ \item Too many improvements to the galaxies, taxonomies, object templates to list!
+ \item Huge thank you to {\bf Jakub Onderka} for the {\bf constant stream of improvements}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{What do we have planned for the (near) future?}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Workflows in MISP}
+ \begin{itemize}
+ \item Outcome of our initial work from GeekWeek 7.5\footnote{\href{https://cyber.gc.ca/en/events/geekweek-75}{Workshop organized by the Canadian Cyber Center}}
+ \item Goal: Modifying the execution of certain {\bf core functionalities}
+ \item Basically a {\bf hooking mechanism}
+ \item Modular approach using {\bf MISP-modules} or {\bf PHP modules}
+ \item Build and execute admin defined tasks on various actions
+ \item Modify data in place, block, fire-and-forget
+ \item All exposed via a {\bf completely new GUI}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Workflows in MISP}
+ \begin{itemize}
+ \item {\bf Branching} codebase
+ \item Context sensitive, per-module filters
+ \item Implemented by our UI expert Sami "GraphMan" Mokaddem
+ \end{itemize}
+\end{frame}
+
+
+\begin{frame}
+\frametitle{Workflows in MISP}
+\includegraphics[scale=0.2]{images/workflows1.png}
+\end{frame}
+
+\begin{frame}
+\frametitle{Workflows in MISP}
+\includegraphics[scale=0.2]{images/workflows2.png}
+\end{frame}
+
+
+\begin{frame}
+ \frametitle{External data guard}
+ \begin{itemize}
+ \item Work in {\bf collaboration with BICES}
+ \item Proxy server that {\bf inspects and blocks potential data leaks} during synchronisation
+ \item Standalone
+ \item Simplistic design and {\bf easy to audit}
+ \item Modular {\bf rule based} system
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Various reworks to support STIX mappings}
+ \begin{itemize}
+ \item {\bf Relationships for tags/galaxies}
+ \item {\bf Templating} for galaxy cluster creation
+ \item Dot notation {\bf deep cluster elements}
+ \item Built in {\bf TAXII support} with the help of Mitre/CISA (currently not merged yet)
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Quick Cerebrate update}
+\begin{center}
+\includegraphics[scale=0.4]{images/cerebrate.png}
+\end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Quick Cerebrate update}
+ \begin{itemize}
+ \item 5 new releases
+ \item Deployment for the {\bf CSIRT network} ongoing
+ \item A host of new functionalities to solve day to day issues we have in the CSIRT community
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{User management}
+ \begin{itemize}
+ \item Reworked completely
+ \item Tight integration with {\bf KeyCloak}
+ \item Full user provisioning / maintaining via Cerebrate
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Reworked meta information system}
+ \begin{itemize}
+ \item Introduction of {\bf context specific custom fields}
+ \item Custom {\bf search algorithms} (for example CIDR block lookups for constituency information)
+ \item Customisable and {\bf blueprint-able data model}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{API along with its documentation fleshed out}
+ \begin{itemize}
+ \item {\bf OpenAPI integration} similarly to MISP
+ \item Integration tests and introduction of a {\bf CI pipeline}
+ \item Documentation and API examples available in Cerebrate directly
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Security fixes}
+ \begin{itemize}
+ \item Cerebrate, similarly to MISP received an in-depth pentest by {\bf Zigrin Security}
+ \item Likewise funded by the {\bf Luxembourgish Army}
+ \item Besides fixes to vulnerabilities, a host of usability findings and fixes
+ \item {\bf 5 CVEs} published
+ \item \url{https://www.cerebrate-project.org/security.html}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Get in touch if you have any questions}
+ \begin{itemize}
+ \item Contact CIRCL
+ \begin{itemize}
+ \item info@circl.lu
+ \item \url{https://twitter.com/circl_lu}
+ \item \url{https://www.circl.lu/}
+ \end{itemize}
+ \item Contact MISPProject
+ \begin{itemize}
+ \item \url{https://github.com/MISP}
+ \item \url{https://gitter.im/MISP/MISP}
+ \item \url{https://twitter.com/MISPProject}
+ \end{itemize}
+ \item Cerebrate project
+ \begin{itemize}
+ \item \url{https://github.com/cerebrate-project}
+ \item \url{https://github.com/cerebrate-project/cerebrate}
+ \end{itemize}
+ \end{itemize}
+\end{frame}
diff --git a/20220615-NATO-MUG-UPDATE/covid.png b/20220615-NATO-MUG-UPDATE/covid.png
new file mode 100644
index 0000000..e6e869f
Binary files /dev/null and b/20220615-NATO-MUG-UPDATE/covid.png differ
diff --git a/20220615-NATO-MUG-UPDATE/creativity.png b/20220615-NATO-MUG-UPDATE/creativity.png
new file mode 100644
index 0000000..d9878e2
Binary files /dev/null and b/20220615-NATO-MUG-UPDATE/creativity.png differ
diff --git a/20220615-NATO-MUG-UPDATE/dashboard-trendings.png b/20220615-NATO-MUG-UPDATE/dashboard-trendings.png
new file mode 100644
index 0000000..e8937e4
Binary files /dev/null and b/20220615-NATO-MUG-UPDATE/dashboard-trendings.png differ
diff --git a/20220615-NATO-MUG-UPDATE/decaying-basescore.png b/20220615-NATO-MUG-UPDATE/decaying-basescore.png
new file mode 100644
index 0000000..d21e261
Binary files /dev/null and b/20220615-NATO-MUG-UPDATE/decaying-basescore.png differ
diff --git a/20220615-NATO-MUG-UPDATE/decaying-event.png b/20220615-NATO-MUG-UPDATE/decaying-event.png
new file mode 100644
index 0000000..553b9e7
Binary files /dev/null and b/20220615-NATO-MUG-UPDATE/decaying-event.png differ
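Review bot: The `Long list of security fixes` frame tells the audience to stay up to date right after mentioning a critical CVE fixed in a silent release, but gives no pointer to where MISP's advisories are published, whereas the Cerebrate `Security fixes` frame does link `https://www.cerebrate-project.org/security.html`; add the equivalent `\item \url{<MISP security advisory page URL>}` so the slide is actionable for operators. Two typos in frame text: `STIX commitee` should be `STIX committee` and `Implemetation by @righel` should be `Implementation by @righel`. The title frame here is a bare `\begin{frame}` while the other decks added in this commit use `\begin{frame}[t,plain]`; aligning them keeps the title page layout consistent across the series.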
diff --git a/20220615-NATO-MUG-UPDATE/decaying-index.png b/20220615-NATO-MUG-UPDATE/decaying-index.png
new file mode 100644
index 0000000..c8c9754
Binary files /dev/null and b/20220615-NATO-MUG-UPDATE/decaying-index.png differ
diff --git a/20220615-NATO-MUG-UPDATE/decaying-simulation.png b/20220615-NATO-MUG-UPDATE/decaying-simulation.png
new file mode 100644
index 0000000..8252a09
Binary files /dev/null and b/20220615-NATO-MUG-UPDATE/decaying-simulation.png differ
diff --git a/20220615-NATO-MUG-UPDATE/decaying-tool.png b/20220615-NATO-MUG-UPDATE/decaying-tool.png
new file mode 100644
index 0000000..ff8c298
Binary files /dev/null and b/20220615-NATO-MUG-UPDATE/decaying-tool.png differ
diff --git a/20220615-NATO-MUG-UPDATE/en_cef.png b/20220615-NATO-MUG-UPDATE/en_cef.png
new file mode 100644
index 0000000..5fed070
Binary files /dev/null and b/20220615-NATO-MUG-UPDATE/en_cef.png differ
diff --git a/20220615-NATO-MUG-UPDATE/galaxy-ransomware.png b/20220615-NATO-MUG-UPDATE/galaxy-ransomware.png
new file mode 100644
index 0000000..5cf42cc
Binary files /dev/null and b/20220615-NATO-MUG-UPDATE/galaxy-ransomware.png differ
diff --git a/20220615-NATO-MUG-UPDATE/images/SoD.png b/20220615-NATO-MUG-UPDATE/images/SoD.png
new file mode 100644
index 0000000..b95a9ec
Binary files /dev/null and b/20220615-NATO-MUG-UPDATE/images/SoD.png differ
diff --git a/20220615-NATO-MUG-UPDATE/images/authkey.png b/20220615-NATO-MUG-UPDATE/images/authkey.png
new file mode 100644
index 0000000..46174b9
Binary files /dev/null and b/20220615-NATO-MUG-UPDATE/images/authkey.png differ
diff --git a/20220615-NATO-MUG-UPDATE/images/blueprints1.png b/20220615-NATO-MUG-UPDATE/images/blueprints1.png
new file mode 100644
index 0000000..edaedcb
Binary files /dev/null and b/20220615-NATO-MUG-UPDATE/images/blueprints1.png differ
diff --git a/20220615-NATO-MUG-UPDATE/images/blueprints2.png b/20220615-NATO-MUG-UPDATE/images/blueprints2.png new file mode 100644 index 0000000..b2d73cb Binary files /dev/null and b/20220615-NATO-MUG-UPDATE/images/blueprints2.png differ diff --git a/20220615-NATO-MUG-UPDATE/images/cerebrate.png b/20220615-NATO-MUG-UPDATE/images/cerebrate.png new file mode 100644 index 0000000..82bcaab Binary files /dev/null and b/20220615-NATO-MUG-UPDATE/images/cerebrate.png differ diff --git a/20220615-NATO-MUG-UPDATE/images/dashboard.png b/20220615-NATO-MUG-UPDATE/images/dashboard.png new file mode 100644 index 0000000..d163f4d Binary files /dev/null and b/20220615-NATO-MUG-UPDATE/images/dashboard.png differ diff --git a/20220615-NATO-MUG-UPDATE/images/eventreport.png b/20220615-NATO-MUG-UPDATE/images/eventreport.png new file mode 100644 index 0000000..6f74bbe Binary files /dev/null and b/20220615-NATO-MUG-UPDATE/images/eventreport.png differ diff --git a/20220615-NATO-MUG-UPDATE/images/galaxy20.png b/20220615-NATO-MUG-UPDATE/images/galaxy20.png new file mode 100644 index 0000000..97911ac Binary files /dev/null and b/20220615-NATO-MUG-UPDATE/images/galaxy20.png differ diff --git a/20220615-NATO-MUG-UPDATE/images/mispcerebrate.png b/20220615-NATO-MUG-UPDATE/images/mispcerebrate.png new file mode 100644 index 0000000..d58796f Binary files /dev/null and b/20220615-NATO-MUG-UPDATE/images/mispcerebrate.png differ diff --git a/20220615-NATO-MUG-UPDATE/images/openapi.png b/20220615-NATO-MUG-UPDATE/images/openapi.png new file mode 100644 index 0000000..44726ea Binary files /dev/null and b/20220615-NATO-MUG-UPDATE/images/openapi.png differ diff --git a/20220615-NATO-MUG-UPDATE/images/security.png b/20220615-NATO-MUG-UPDATE/images/security.png new file mode 100644 index 0000000..8b51dd8 Binary files /dev/null and b/20220615-NATO-MUG-UPDATE/images/security.png differ 
diff --git a/20220615-NATO-MUG-UPDATE/images/signing1.png b/20220615-NATO-MUG-UPDATE/images/signing1.png new file mode 100644 index 0000000..d378f7b Binary files /dev/null and b/20220615-NATO-MUG-UPDATE/images/signing1.png differ diff --git a/20220615-NATO-MUG-UPDATE/images/signing2.png b/20220615-NATO-MUG-UPDATE/images/signing2.png new file mode 100644 index 0000000..450e7d6 Binary files /dev/null and b/20220615-NATO-MUG-UPDATE/images/signing2.png differ diff --git a/20220615-NATO-MUG-UPDATE/images/signing3.png b/20220615-NATO-MUG-UPDATE/images/signing3.png new file mode 100644 index 0000000..68e7ced Binary files /dev/null and b/20220615-NATO-MUG-UPDATE/images/signing3.png differ diff --git a/20220615-NATO-MUG-UPDATE/images/signing4.png b/20220615-NATO-MUG-UPDATE/images/signing4.png new file mode 100644 index 0000000..3a42468 Binary files /dev/null and b/20220615-NATO-MUG-UPDATE/images/signing4.png differ diff --git a/20220615-NATO-MUG-UPDATE/images/stix.png b/20220615-NATO-MUG-UPDATE/images/stix.png new file mode 100644 index 0000000..c0b59bb Binary files /dev/null and b/20220615-NATO-MUG-UPDATE/images/stix.png differ diff --git a/20220615-NATO-MUG-UPDATE/images/timelining.png b/20220615-NATO-MUG-UPDATE/images/timelining.png new file mode 100644 index 0000000..7753ba5 Binary files /dev/null and b/20220615-NATO-MUG-UPDATE/images/timelining.png differ diff --git a/20220615-NATO-MUG-UPDATE/images/warnings.png b/20220615-NATO-MUG-UPDATE/images/warnings.png new file mode 100644 index 0000000..86e16a3 Binary files /dev/null and b/20220615-NATO-MUG-UPDATE/images/warnings.png differ diff --git a/20220615-NATO-MUG-UPDATE/images/workflows1.png b/20220615-NATO-MUG-UPDATE/images/workflows1.png new file mode 100644 index 0000000..2790cfb Binary files /dev/null and b/20220615-NATO-MUG-UPDATE/images/workflows1.png differ 
diff --git a/20220615-NATO-MUG-UPDATE/images/workflows2.png b/20220615-NATO-MUG-UPDATE/images/workflows2.png
new file mode 100644
index 0000000..5b5ad1a
Binary files /dev/null and b/20220615-NATO-MUG-UPDATE/images/workflows2.png differ
diff --git a/20220615-NATO-MUG-UPDATE/logo-circl.pdf b/20220615-NATO-MUG-UPDATE/logo-circl.pdf
new file mode 100755
index 0000000..62c9239
Binary files /dev/null and b/20220615-NATO-MUG-UPDATE/logo-circl.pdf differ
diff --git a/20220615-NATO-MUG-UPDATE/makefile b/20220615-NATO-MUG-UPDATE/makefile
new file mode 100644
index 0000000..6e5a51d
--- /dev/null
+++ b/20220615-NATO-MUG-UPDATE/makefile
@@ -0,0 +1,5 @@
+all:
+ pdflatex -interaction nonstopmode -halt-on-error -file-line-error slide.tex
+
+clean:
+ rm *.aux *.nav *.log *.snm *.toc *.vrb
diff --git a/20220615-NATO-MUG-UPDATE/misp.pdf b/20220615-NATO-MUG-UPDATE/misp.pdf
new file mode 100644
index 0000000..f7a3f9d
Binary files /dev/null and b/20220615-NATO-MUG-UPDATE/misp.pdf differ
diff --git a/20220615-NATO-MUG-UPDATE/misplogo.pdf b/20220615-NATO-MUG-UPDATE/misplogo.pdf
new file mode 100755
index 0000000..60da568
Binary files /dev/null and b/20220615-NATO-MUG-UPDATE/misplogo.pdf differ
diff --git a/20220615-NATO-MUG-UPDATE/object.png b/20220615-NATO-MUG-UPDATE/object.png
new file mode 100644
index 0000000..acebf04
Binary files /dev/null and b/20220615-NATO-MUG-UPDATE/object.png differ
diff --git a/20220615-NATO-MUG-UPDATE/sighting-n.png b/20220615-NATO-MUG-UPDATE/sighting-n.png
new file mode 100644
index 0000000..f9ec127
Binary files /dev/null and b/20220615-NATO-MUG-UPDATE/sighting-n.png differ
diff --git a/20220615-NATO-MUG-UPDATE/slide.tex b/20220615-NATO-MUG-UPDATE/slide.tex
new file mode 100644
index 0000000..4d5c0f7
--- /dev/null
+++ b/20220615-NATO-MUG-UPDATE/slide.tex
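Review bot: `rm *.aux *.nav *.log *.snm *.toc *.vrb` in the `clean` target exits non-zero whenever one of the globs matches nothing, so `make clean` fails on a fresh checkout; `rm -f *.aux *.nav *.log *.snm *.toc *.vrb` is the usual form. Neither `all` nor `clean` is declared phony, so a file with either name in the directory would mask the target; `.PHONY: all clean` at the top avoids that. The recipe lines appear here with a leading space, and make requires a tab; that may simply be lost in this rendering. A single pdflatex pass also leaves the `.nav`/`.toc` data that beamer's frame counting reads one run stale, so a second invocation (or latexmk) would make `all` reproducible.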
@@ -0,0 +1,25 @@
+\documentclass{beamer}
+\usetheme[numbering=progressbar]{focus}
+\definecolor{main}{RGB}{47, 161, 219}
+\definecolor{textcolor}{RGB}{128, 128, 128}
+\definecolor{background}{RGB}{240, 247, 255}
+
+\usepackage[utf8]{inputenc}
+\usepackage{tikz}
+\usepackage{listings}
+\usepackage{adjustbox}
+\usetikzlibrary{positioning}
+\usetikzlibrary{shapes,arrows}
+%\usepackage[T1]{fontenc}
+%\usepackage[scaled]{beramono}
+\author{\small{\input{../includes/authors.txt}}}
+\title{MISP status update}
+\subtitle{News since the last MUG}
+\institute{\includegraphics[scale=0.5]{misplogo.pdf}}
+\titlegraphic{\includegraphics[scale=0.85]{misp.pdf}}
+
+\date{\input{../includes/location.txt}}
+\begin{document}
+\include{content}
+\end{document}
+
diff --git a/20220615-NATO-MUG-UPDATE/taxonomy-workflow.png b/20220615-NATO-MUG-UPDATE/taxonomy-workflow.png
new file mode 100644
index 0000000..f4789ad
Binary files /dev/null and b/20220615-NATO-MUG-UPDATE/taxonomy-workflow.png differ
diff --git a/20220615-NATO-MUG-UPDATE/timeline-misp-overview.png b/20220615-NATO-MUG-UPDATE/timeline-misp-overview.png
new file mode 100644
index 0000000..23ff19b
Binary files /dev/null and b/20220615-NATO-MUG-UPDATE/timeline-misp-overview.png differ
diff --git a/20220615-NATO-MUG-UPDATE/timeline.jpeg b/20220615-NATO-MUG-UPDATE/timeline.jpeg
new file mode 100644
index 0000000..d60db13
Binary files /dev/null and b/20220615-NATO-MUG-UPDATE/timeline.jpeg differ
diff --git a/20220615-NATO-MUG-UPDATE/warning-list-event.png b/20220615-NATO-MUG-UPDATE/warning-list-event.png
new file mode 100644
index 0000000..22c6423
Binary files /dev/null and b/20220615-NATO-MUG-UPDATE/warning-list-event.png differ
diff --git a/20220615-NATO-MUG-UPDATE/warning-list.png b/20220615-NATO-MUG-UPDATE/warning-list.png
new file mode 100644
index 0000000..f151ded
Binary files /dev/null and b/20220615-NATO-MUG-UPDATE/warning-list.png differ
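Review bot: `\author{\small{\input{../includes/authors.txt}}}` uses `\small` as if it took an argument; it is a declaration, so the braces around `\input` do nothing and the size applies to everything that follows inside `\author`, which only works here because nothing does. `\author{{\small\input{../includes/authors.txt}}}` scopes it as intended. `\include{content}` forces a page break and cannot be nested, while the included file's own header says it is only ever pulled in from another .tex file; `\input{content}` fits and matches what this same preamble already does for `authors.txt` and `location.txt`. `\usepackage{adjustbox}` is loaded without the `export` option, which is what allows `valign=` keys on `\includegraphics`; if this deck's content uses them as the sibling 20221116 content.tex in this commit does, it needs `\usepackage[export]{adjustbox}`.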
diff --git a/20220615-NATO-MUG-UPDATE/workflow_initial.png b/20220615-NATO-MUG-UPDATE/workflow_initial.png new file mode 100644 index 0000000..7c6b54c Binary files /dev/null and b/20220615-NATO-MUG-UPDATE/workflow_initial.png differ diff --git a/20220615-NATO-MUG-UPDATE/workflow_initial2.png b/20220615-NATO-MUG-UPDATE/workflow_initial2.png new file mode 100644 index 0000000..d384c34 Binary files /dev/null and b/20220615-NATO-MUG-UPDATE/workflow_initial2.png differ diff --git a/20220615-NATO-MUG-UPDATE/x-isac-logo.png b/20220615-NATO-MUG-UPDATE/x-isac-logo.png new file mode 100755 index 0000000..21c68bc Binary files /dev/null and b/20220615-NATO-MUG-UPDATE/x-isac-logo.png differ diff --git a/20221116-NATO-MUG/content.tex b/20221116-NATO-MUG/content.tex new file mode 100755 index 0000000..cd28581 --- /dev/null +++ b/20221116-NATO-MUG/content.tex 
@@ -0,0 +1,599 @@ +% DO NOT COMPILE THIS FILE DIRECTLY! +% This is included by the other .tex files. + +\begin{frame}[t,plain] +\titlepage +\end{frame} + +\begin{frame} + \frametitle{Automation in MISP: What already exists?} + \includegraphics[valign=m,width=16px]{pictures/python-logo.png}\hspace*{0.5em} \textbf{MISP API / PyMISP} + \begin{itemize} + \item Needs CRON Jobs in place + \item Heavy for the server + \item Not realtime + \end{itemize} + \vspace*{1em} + \includegraphics[valign=m,width=16px]{pictures/zeromq.png}\hspace*{0.5em} \textbf{PubSub channels} + \begin{itemize} + \item After the actions happen: No feedback to MISP + \item Tougher to put in place \& to share + \item Full integration amounts to develop a new tool + \end{itemize} + \vspace*{0.5em} + $\rightarrow$ No way to \textbf{prevent} behavior\\ + $\rightarrow$ Difficult to setup \textbf{hooks} to execute callbacks +\end{frame} + +\begin{frame} + \frametitle{What type of use-cases are we trying to support?} + \begin{itemize} + \item \textbf{Prevent} default MISP behaviors to happen + \begin{itemize} + \item Prevent \textbf{publication of events} not passing sanity checks + \item Prevent \textbf{querying} thrid-party \textbf{services} with sensitive information + \item $\cdots$ + \end{itemize} + \vspace*{1.0em} + \item \textbf{Hook} specific actions to run callbacks + \begin{itemize} + \item \textbf{Automatically run} enrichment services + \item Modify data on-the-fly: False positives, enable CTI-Pipeline + \item Send notifications in a chat rooms + \item $\cdots$ + \end{itemize} + \end{itemize} +\end{frame} + +\begin{frame} + \frametitle{Simple automation in MISP made easy} + \begin{center} + \includegraphics[width=0.3\linewidth]{pictures/automation.png} + \end{center} + \begin{itemize} + \item Why? + \begin{itemize} + \item Everyone loves \textbf{simple automation} + \item \textbf{Visual} dataflow programming + \item Users want \textbf{more control} + \end{itemize} + \item How? 
+ \begin{itemize} + \item \textbf{Drag \& Drop} editor + \item Prevent actions \textbf{before they happen} + \item Flexible \textbf{Plug \& Play} system + \item \textbf{Share} workflows, \textbf{debug} and \textbf{replay} + \end{itemize} + \end{itemize} +\end{frame} + +\begin{frame} + \frametitle{Content of the presentation} + \begin{itemize} + \item MISP Workflows fundamentals + \item Demo by examples + \item Using the system + \item How it can be extended + \end{itemize} + + \vspace*{1em} + \begin{center} + \frame{\includegraphics[width=0.7\linewidth]{pictures/overview.png}} + \end{center} +\end{frame} + +\section{Workflow - Fundamentals} +\begin{frame} + \frametitle{How does it work} + \begin{center} + \frame{\includegraphics[width=0.6\linewidth]{pictures/event-condition-action.png}} + \end{center} + \begin{enumerate} + \item An \textbf{event} happens in MISP + \item Check if all \textbf{conditions} are satisfied + \item Execute all \textbf{actions} + \begin{itemize} + \item May prevent MISP to complete its original event + \end{itemize} + \end{enumerate} +\end{frame} + +\begin{frame} + \frametitle{What kind of events?} + \includegraphics[width=60px]{pictures/sc-event.png} + \vspace*{0.5em} + \begin{itemize} + \item New MISP Event + \item Attribute has been saved + \item New discussion post + \item New user created + \item Query against third-party services + \item ... + \end{itemize} + \vspace*{1em} + {\Large \faIcon{question-circle}} Supported events in MISP are called \textbf{Triggers}\\ + {\Large \faIcon{question-circle}} A \textbf{Trigger} is associated with \textbf{1-and-only-1 Workflow} +\end{frame} + +\begin{frame} + \frametitle{Triggers currently available} + Currently 10 triggers can be hooked. 3 being \includegraphics[width=36px]{pictures/blocking-workflow.png}. 
+ \begin{center} + \includegraphics[width=1.0\linewidth]{pictures/triggers.png} + \end{center} +\end{frame} + +\begin{frame} + \frametitle{What kind of conditions?} + \vspace*{0.25em} + \includegraphics[width=70px]{pictures/sc-condition.png} + \vspace*{0.25em} + \begin{itemize} + \item An MISP Event is tagged with \texttt{tlp:red} + \item The distribution an Attribute is a sharing group + \item The creator organisation is \texttt{circl.lu} + \item Or any other \textbf{generic} conditions + \end{itemize} + + \vspace*{0.5em} + {\Large \faIcon{question-circle}} These are also called \textbf{Logic modules} + \begin{center} + \includegraphics[width=0.43\textwidth]{pictures/logic-module.png} + \end{center} +\end{frame} + +\begin{frame} + \frametitle{Workflow - Logic modules} + \begin{itemize} + \item \includegraphics[width=12px]{pictures/sc-condition-icon.png} \textbf{logic} modules: Allow to redirect the execution flow. + \begin{itemize} + \item IF conditions + \item Delay execution + \end{itemize} + \end{itemize} + \begin{center} + \includegraphics[width=1.0\linewidth]{pictures/logic-module-index.png} + \end{center} +\end{frame} + +\begin{frame} + \frametitle{What kind of actions?} + \vspace*{0.25em} + \includegraphics[width=60px]{pictures/sc-action.png} + \vspace*{0.25em} + \begin{itemize} + \item Send an email notification + \item Perform enrichments + \item Send a chat message on MS Teams + \item Attach a local tag + \item ... 
+ \end{itemize} + + \vspace*{0.5em} + {\Large \faIcon{question-circle}} These are also called \textbf{Action modules} + \begin{center} + \includegraphics[width=0.43\textwidth]{pictures/action-module.png} + \end{center} +\end{frame} + +\begin{frame} + \frametitle{Workflow - Action modules} + \begin{itemize} + \item \includegraphics[width=12px]{pictures/sc-action-icon.png} \textbf{action} modules: Allow to executes operations + \begin{itemize} + \item Tag operations + \item Send notifications + \item Webhooks + \item Custom scripts + \end{itemize} + \end{itemize} + \begin{center} + \includegraphics[width=1.0\linewidth]{pictures/action-module-index.png} + \end{center} +\end{frame} + +\begin{frame} + \frametitle{What is a MISP Workflow?} + \begin{itemize} + \item Sequence of all nodes to be executed in a specific order + \item Workflows can be enabled / disabled + \item A Workflow is associated to \textbf{1-and-only-1 trigger} + \end{itemize} + \vspace*{0.5em} + \begin{center} + \frame{\includegraphics[width=1.0\linewidth]{pictures/simple-workflow.png}} + \end{center} +\end{frame} + +\begin{frame} + \frametitle{Workflow execution for Event publish} + \begin{itemize} + \setlength\itemsep{1em} + \item[] \hspace*{-2em}\includegraphics[width=16px]{pictures/sc-event-icon.png} \hspace*{0.25em} An Event is about to be published + \begin{itemize} + \item The workflow for the \texttt{event-publish} trigger starts + \end{itemize} + \item[] \hspace*{-2em}\includegraphics[width=16px]{pictures/sc-condition-icon.png} \hspace*{0.25em} Conditions are evaluated + \begin{itemize} + \item They might change the path taken during the execution + \end{itemize} + \item[] \hspace*{-2em}\includegraphics[width=16px]{pictures/sc-action-icon.png} \hspace*{0.25em} Actions are executed + \begin{itemize} + \setlength\itemsep{0.75em} + \item {\bf\color{green!50!black}success}: Continue the publishing action + \hspace*{-4em}\includegraphics[width=1.0\textwidth]{pictures/log-entry-publish-success.png} 
+ \item {\bf\color{red}failure} | \texttt{\color{red}blocked}: Stop publishing and log the reason + \hspace*{-4em}\includegraphics[width=1.0\textwidth]{pictures/log-entry-publish-blocked.png} + \end{itemize} + \end{itemize} +\end{frame} + +\begin{frame} + \frametitle{Blocking and non-blocking} + Two types of workflows: + \vspace{0.5em} + \begin{itemize} + \item[] \hspace*{-2em}\includegraphics[valign=m,width=48px]{pictures/blocking-workflow.png} Workflows + \begin{itemize} + \item Can prevent / block the original event to happen + \item If a \textbf{blocking module}\includegraphics[valign=b,width=12px]{pictures/blocking-module.png} blocks the action + \end{itemize} + \vspace{0.5em} + \item[] \hspace*{-2em}\includegraphics[valign=b,width=56px]{pictures/non-blocking-workflow.png} Workflows execution outcome has no impact + \begin{itemize} + \item No way to prevent something that happened in the past + \end{itemize} + \begin{center} + \includegraphics[width=0.4\linewidth]{pictures/time-machine.png} + \end{center} + \end{itemize} +\end{frame} + +\begin{frame} + \frametitle{Sources of Workflow modules (0)} + \begin{itemize} + \item \textbf{Trigger} module: MISP Source code \textbf{only} + \begin{itemize} + \item Get in touch if you want more + \end{itemize} + \item \textbf{Logic} module: MISP Source code \& \textbf{custom} + \item \textbf{Action} module: MISP Source code \& \textbf{custom} + \end{itemize} + \vspace*{2.0em} + \begin{itemize} + \item MISP Source code $\rightarrow$ Built-in \textbf{text} module + \item Custom $\rightarrow$ Write your own at 2 places + \end{itemize} +\end{frame} + +\begin{frame} + \frametitle{Sources of Workflow modules (1)} + \begin{itemize} + \item Built-in \textbf{default} modules + \begin{itemize} + \item Part of the MISP codebase + \item Get in touch if you want us to increase the selection! 
+ \end{itemize} + \end{itemize} + \vspace*{0.5em} + \begin{center} + \includegraphics[width=0.8\linewidth]{pictures/module-buffet.png} + \end{center} +\end{frame} + +\begin{frame} + \frametitle{Sources of Workflow modules (2)} + User-defined \textbf{custom} modules + \vspace*{0.5em} + \begin{columns} + \begin{column}{0.5\textwidth} + \begin{itemize} + \item Written in PHP + \item Extend existing modules + \item MISP code reuse + \end{itemize} + \end{column} + \begin{column}{0.5\textwidth} + \includegraphics[width=1.0\linewidth]{pictures/php-joke.jpg} + \end{column} + \end{columns} +\end{frame} + +\begin{frame} + \frametitle{Sources of Workflow modules (3)} + Modules from the \includegraphics[width=0.20\linewidth]{pictures/misp-module-icon.png} \textbf{enrichment service} + \vspace*{0.5em} + \begin{columns} + \begin{column}{0.50\textwidth} + \begin{itemize} + \item Written in Python + \item Can use any python libraries + \item Plug \& Play + \end{itemize} + \end{column} + \begin{column}{0.50\textwidth} + \includegraphics[width=1.0\linewidth]{pictures/python-joke.png} + \end{column} + \end{columns} +\end{frame} + +\begin{frame} + \frametitle{Getting started with workflows} + \begin{center} + \includegraphics[width=0.9\linewidth]{pictures/workflow-release.png} + \end{center} + \begin{enumerate} + \item Update your MISP server + \item Update all your sub-modules + \end{enumerate} + \begin{center} + \includegraphics[width=0.6\textwidth]{pictures/upgrade-people.jpeg} + \end{center} +\end{frame} + +\section{Demo by examples} +\begin{frame} + \frametitle{Demo 1: Block if Event.distribution < "Community"} + \begin{center} + \includegraphics[width=1.0\textwidth]{pictures/simple-workflow.png} + \end{center} +\end{frame} + +\begin{frame} + \frametitle{Demo 2: Send to ZMQ if any Attribute is tagged with `tlp:white`} + \begin{center} + \includegraphics[width=1.0\textwidth]{pictures/example-1a.png} + \end{center} +\end{frame} + +\begin{frame} + \frametitle{Demo 3: Block publish 
if *:red and email, else notify on Mattermost} + \begin{center} + \includegraphics[width=1.0\textwidth]{pictures/example-4.png} + \end{center} +\end{frame} + +\begin{frame} + \frametitle{Demo 4: Remove IDS flag \& add tag for known false-negative file hashes} + \begin{center} + \includegraphics[width=1.0\textwidth]{pictures/example-3.png} + \end{center} +\end{frame} + +\section{Considerations when working with workflows} +\begin{frame} + \frametitle{Working with the editor - Operations not allowed} + Execution loop are not authorized + \vspace*{1em} + \begin{columns} + \begin{column}{0.7\textwidth} + \frame{\includegraphics[width=1.0\linewidth]{pictures/editor-not-allowed-1.png}} + \end{column} + \begin{column}{0.3\textwidth} + \frame{\includegraphics[width=1.0\linewidth]{pictures/infinite-loop.jpg}} + \end{column} + \end{columns} +\end{frame} + +\begin{frame} + \frametitle{Recursive workflows} + \frame{\includegraphics[width=1.0\linewidth]{pictures/recursive-workflow.png}} + \danger Recursion: If an action re-run the workflow +\end{frame} + +\begin{frame} + \frametitle{Working with the editor - Operations not allowed} + Multiple connections from the same output + \vspace*{1em} + \begin{columns} + \begin{column}{0.7\textwidth} + \frame{\includegraphics[width=1.0\linewidth]{pictures/editor-not-allowed-2.png}} + \end{column} + \begin{column}{0.3\textwidth} + \frame{\includegraphics[width=1.0\linewidth]{pictures/two-paths.jpeg}} + \end{column} + \end{columns} + \begin{itemize} + \item Execution order not guaranted + \item Confusing for users + \end{itemize} +\end{frame} + +\begin{frame} + \frametitle{Working with the editor} + Cases showing a warning: + \begin{itemize} + \item \textbf{Blocking} modules \includegraphics[width=10px]{pictures/blocking-module.png} in a \includegraphics[valign=b,width=56px]{pictures/non-blocking-workflow.png} workflow \includegraphics[width=0.12\linewidth]{pictures/time-machine.png} + \item \textbf{Blocking} modules 
\includegraphics[width=10px]{pictures/blocking-module.png} after a \textbf{concurrent tasks} module + \begin{center} + \frame{\includegraphics[width=1.0\linewidth]{pictures/editor-warning-1.png}} + \end{center} + \end{itemize} +\end{frame} + +\section{Advanced usage} +\begin{frame} + \frametitle{Workflow blueprints} + \hspace*{0.9\textwidth}\includegraphics[width=32px]{pictures/blueprint-32.png} + \vspace*{-2em} + \begin{enumerate} + \item Blueprints allow to \textbf{re-use parts} of a workflow in another one + \item Blueprints can be saved, exported and \textbf{shared} + \end{enumerate} + \begin{center} + \includegraphics[width=0.5\linewidth]{pictures/blueprint-debugging.png} + \end{center} + Blueprints sources: + \begin{enumerate} + \item Created or imported by users + \item From the \texttt{MISP/misp-workflow-blueprints} repository\footnote{\scriptsize https://github.com/MISP/misp-workflow-blueprints} + \end{enumerate} +\end{frame} + +\begin{frame} + \frametitle{Data format in Workflows} + \begin{center} + \includegraphics[width=0.7\linewidth]{pictures/workflow-trigger.png} + \end{center} + \begin{itemize} + \item In most cases, the format is the \textbf{MISP Core format} + \begin{itemize} + \item Attributes are \textbf{always encapsulated} in the Event or Object + \end{itemize} + \item But has \textbf{additional properties} + \begin{itemize} + \item Additional key \textbf{\texttt{\_AttributeFlattened}} + \item Additional key \textbf{\texttt{\_allTags}} + \item Additional key \textbf{\texttt{inherited}} for Tags + \end{itemize} + \end{itemize} +\end{frame} + +\begin{frame} + \frametitle{Logic module: Concurrent Task} + \begin{itemize} + \item Logic module allowing \textbf{multiple output} connections + \item \textbf{Postpone the execution} for remaining modules + \item Convert \includegraphics[valign=b,width=44px]{pictures/blocking-workflow.png} \faIcon{long-arrow-alt-right} \includegraphics[valign=b,width=56px]{pictures/non-blocking-workflow.png} + 
\end{itemize} + \begin{center} + \frame{\includegraphics[width=0.5\linewidth]{pictures/module-concurrent.png}} + \end{center} +\end{frame} + +\begin{frame} + \frametitle{Debugging options} + \begin{columns} + \begin{column}{0.6\textwidth} + \begin{itemize} + \item Workflow \textbf{execution and outcome} + \item Module \textbf{execution and outcome} + \item \textbf{Live} workflow debugging with module inspection + \item \textbf{Re-running/testing} workflows with custom data + \item \textbf{Stateless} module execution + \end{itemize} + \end{column} + \begin{column}{0.4\textwidth} + \includegraphics[width=1.0\linewidth]{pictures/enough-debugging.jpg} + \end{column} + \end{columns} +\end{frame} + +\section{Extending the system} +\begin{frame} + \frametitle{Creating a new module in PHP} + \begin{center} + \includegraphics[scale=0.07]{pictures/PHP-logo.png} + \end{center} + \vspace*{2em} + \begin{itemize} + \item \texttt{\small \textbf{app/Lib/}WorkflowModules/action/[module\_name].php} + \item Designed to be easilty extended + \begin{itemize} + \item Helper functions + \item Module configuration as variables + \item Implement runtime logic + \end{itemize} + \item Main benefits + \begin{itemize} + \item Fast + \item Re-use existing functionalities + \item No need for misp-modules + \end{itemize} + \end{itemize} +\end{frame} + +\begin{frame} + \frametitle{Creating a new module in PHP} + \begin{center} + \includegraphics[width=1.0\linewidth]{pictures/custom-1.png} + \end{center} +\end{frame} + +\begin{frame} + \frametitle{Creating a new module in Python} + \begin{center} + \includegraphics[scale=0.03]{pictures/python-logo.png} + \end{center} + \begin{itemize} + \item Similar to how other \texttt{misp-modules} are implemented + \begin{itemize} + \item Helper functions + \item Module configuration as variables + \item Implement runtime logic + \end{itemize} + \item Main benefits + \begin{itemize} + \item Easier than PHP + \item Lots of libraries for integration + 
\end{itemize} + \end{itemize} +\end{frame} + +\begin{frame} + \frametitle{Creating a new module in Python} + \begin{center} + \includegraphics[width=1.0\linewidth]{pictures/custom-2.png} + \end{center} +\end{frame} + +\begin{frame} + \frametitle{More ideas} + \begin{itemize} + \item Notification when new users join an instance + \item Trigger on any action generating log entries + \item Extend existing MISP behavior: Push correlation in another system + \item Sanity check to block publishing + \item ... + \end{itemize} +\end{frame} + +\begin{frame} + \frametitle{Under development} + Ease data manipulation with \textbf{filtering modules} + \begin{center} + \includegraphics[width=1.0\textwidth]{pictures/filtering-modules.png} + \end{center} +\end{frame} + +\begin{frame} + \frametitle{Future works} + \begin{columns} + \begin{column}{0.55\textwidth} + \begin{itemize} + \item More \includegraphics[width=12px]{pictures/sc-action-icon.png} modules + \item More \includegraphics[width=12px]{pictures/sc-condition-icon.png} modules + \item More \includegraphics[width=12px]{pictures/sc-event-icon.png} triggers + \item More documentation + \item Recursion prevention system + \item On-the-fly data override? + \end{itemize} + \end{column} + \begin{column}{0.45\textwidth} + \includegraphics[width=1.0\linewidth]{pictures/future-works.jpeg} + \end{column} + \end{columns} +\end{frame} + +\begin{frame} + \frametitle{Final words} + \begin{columns} + \begin{column}{0.6\textwidth} + \begin{itemize} + \item Designed to \textbf{quickly} and \textbf{cheaply} integrate MISP in CTI pipelines + \item \underline{\textbf{Beta}} Feature unlikely to change. But still.. + \item Waiting for feedback! + \begin{itemize} + \item New triggers? + \item New modules? + \item ... + \end{itemize} + \end{itemize} + \end{column} + \begin{column}{0.4\textwidth} + \includegraphics[width=1.0\linewidth]{pictures/feeling-of-power.jpg} + \end{column} + \end{columns} + \vspace*{0.5em} +\end{frame} + 
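Review bot: `\footnote{\scriptsize https://github.com/MISP/misp-workflow-blueprints}` on the blueprints slide types a raw URL, which prints without a hyperlink and cannot break at slashes; `\footnote{\scriptsize \url{https://github.com/MISP/misp-workflow-blueprints}}` is what the rest of the repository does for links. `\frame{\includegraphics...}` as a picture border, used from the "Content of the presentation" slide onward, relies on beamer restoring LaTeX's box-drawing `\frame` inside a frame environment; `\fbox{\includegraphics...}` says what is meant and does not depend on that. The `valign=m`/`valign=b` keys on `\includegraphics`, `\faIcon`, and `\danger` each need a package (adjustbox with the `export` option, fontawesome5, and fourier or similar) that has to come from the preamble that includes this file, which I do not see in this commit. Spelling slips worth fixing before the deck ships: `thrid-party`, `guaranted`, `easilty`, `Execution loop are not authorized`, `Allow to executes operations`; Demo 4's `false-negative file hashes` also looks like it should read `false-positive`, given that the action removes the IDS flag.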
diff --git a/20221116-NATO-MUG/misp.pdf b/20221116-NATO-MUG/misp.pdf new file mode 100644 index 0000000..f7a3f9d Binary files /dev/null and b/20221116-NATO-MUG/misp.pdf differ diff --git a/20221116-NATO-MUG/pictures/PHP-logo.png b/20221116-NATO-MUG/pictures/PHP-logo.png new file mode 100644 index 0000000..296dfe2 Binary files /dev/null and b/20221116-NATO-MUG/pictures/PHP-logo.png differ diff --git a/20221116-NATO-MUG/pictures/action-module-index.png b/20221116-NATO-MUG/pictures/action-module-index.png new file mode 100644 index 0000000..dd9c62d Binary files /dev/null and b/20221116-NATO-MUG/pictures/action-module-index.png differ diff --git a/20221116-NATO-MUG/pictures/action-module.png b/20221116-NATO-MUG/pictures/action-module.png new file mode 100644 index 0000000..6b622e8 Binary files /dev/null and b/20221116-NATO-MUG/pictures/action-module.png differ diff --git a/20221116-NATO-MUG/pictures/attribute-json.png b/20221116-NATO-MUG/pictures/attribute-json.png new file mode 100644 index 0000000..4ad2065 Binary files /dev/null and b/20221116-NATO-MUG/pictures/attribute-json.png differ diff --git a/20221116-NATO-MUG/pictures/automation.png b/20221116-NATO-MUG/pictures/automation.png new file mode 100644 index 0000000..d628e0f Binary files /dev/null and b/20221116-NATO-MUG/pictures/automation.png differ diff --git a/20221116-NATO-MUG/pictures/belgian-joke.jpeg b/20221116-NATO-MUG/pictures/belgian-joke.jpeg new file mode 100644 index 0000000..6deff1b Binary files /dev/null and b/20221116-NATO-MUG/pictures/belgian-joke.jpeg differ diff --git a/20221116-NATO-MUG/pictures/blocking-module.png b/20221116-NATO-MUG/pictures/blocking-module.png new file mode 100644 index 0000000..f8a817d Binary files /dev/null and b/20221116-NATO-MUG/pictures/blocking-module.png differ 
diff --git a/20221116-NATO-MUG/pictures/blocking-workflow.png b/20221116-NATO-MUG/pictures/blocking-workflow.png new file mode 100644 index 0000000..145cc12 Binary files /dev/null and b/20221116-NATO-MUG/pictures/blocking-workflow.png differ diff --git a/20221116-NATO-MUG/pictures/blueprint-1.png b/20221116-NATO-MUG/pictures/blueprint-1.png new file mode 100644 index 0000000..1e3acbf Binary files /dev/null and b/20221116-NATO-MUG/pictures/blueprint-1.png differ diff --git a/20221116-NATO-MUG/pictures/blueprint-32.png b/20221116-NATO-MUG/pictures/blueprint-32.png new file mode 100644 index 0000000..8d1d4c6 Binary files /dev/null and b/20221116-NATO-MUG/pictures/blueprint-32.png differ diff --git a/20221116-NATO-MUG/pictures/blueprint-debugging.png b/20221116-NATO-MUG/pictures/blueprint-debugging.png new file mode 100644 index 0000000..c2974e7 Binary files /dev/null and b/20221116-NATO-MUG/pictures/blueprint-debugging.png differ diff --git a/20221116-NATO-MUG/pictures/ctis.png b/20221116-NATO-MUG/pictures/ctis.png new file mode 100644 index 0000000..aef68a5 Binary files /dev/null and b/20221116-NATO-MUG/pictures/ctis.png differ diff --git a/20221116-NATO-MUG/pictures/custom-1.png b/20221116-NATO-MUG/pictures/custom-1.png new file mode 100644 index 0000000..afadf8e Binary files /dev/null and b/20221116-NATO-MUG/pictures/custom-1.png differ diff --git a/20221116-NATO-MUG/pictures/custom-2.png b/20221116-NATO-MUG/pictures/custom-2.png new file mode 100644 index 0000000..0dad53f Binary files /dev/null and b/20221116-NATO-MUG/pictures/custom-2.png differ diff --git a/20221116-NATO-MUG/pictures/debug-mode.png b/20221116-NATO-MUG/pictures/debug-mode.png new file mode 100644 index 0000000..ba7688d Binary files /dev/null and b/20221116-NATO-MUG/pictures/debug-mode.png differ 
diff --git a/20221116-NATO-MUG/pictures/editor-1.png b/20221116-NATO-MUG/pictures/editor-1.png new file mode 100644 index 0000000..c8c3edf Binary files /dev/null and b/20221116-NATO-MUG/pictures/editor-1.png differ diff --git a/20221116-NATO-MUG/pictures/editor-not-allowed-1.png b/20221116-NATO-MUG/pictures/editor-not-allowed-1.png new file mode 100644 index 0000000..d4dc939 Binary files /dev/null and b/20221116-NATO-MUG/pictures/editor-not-allowed-1.png differ diff --git a/20221116-NATO-MUG/pictures/editor-not-allowed-2.png b/20221116-NATO-MUG/pictures/editor-not-allowed-2.png new file mode 100644 index 0000000..538bb3f Binary files /dev/null and b/20221116-NATO-MUG/pictures/editor-not-allowed-2.png differ diff --git a/20221116-NATO-MUG/pictures/editor-warning-1.png b/20221116-NATO-MUG/pictures/editor-warning-1.png new file mode 100644 index 0000000..8370f96 Binary files /dev/null and b/20221116-NATO-MUG/pictures/editor-warning-1.png differ diff --git a/20221116-NATO-MUG/pictures/enough-debugging.jpg b/20221116-NATO-MUG/pictures/enough-debugging.jpg new file mode 100644 index 0000000..f17c14c Binary files /dev/null and b/20221116-NATO-MUG/pictures/enough-debugging.jpg differ diff --git a/20221116-NATO-MUG/pictures/event-condition-action.png b/20221116-NATO-MUG/pictures/event-condition-action.png new file mode 100644 index 0000000..0ee3afe Binary files /dev/null and b/20221116-NATO-MUG/pictures/event-condition-action.png differ diff --git a/20221116-NATO-MUG/pictures/example-1a.png b/20221116-NATO-MUG/pictures/example-1a.png new file mode 100644 index 0000000..e4df2d5 Binary files /dev/null and b/20221116-NATO-MUG/pictures/example-1a.png differ diff --git a/20221116-NATO-MUG/pictures/example-2.png b/20221116-NATO-MUG/pictures/example-2.png new file mode 100644 index 0000000..51eef7e Binary files /dev/null and b/20221116-NATO-MUG/pictures/example-2.png differ 
diff --git a/20221116-NATO-MUG/pictures/example-2a.png b/20221116-NATO-MUG/pictures/example-2a.png
new file mode 100644
index 0000000..ce103af
Binary files /dev/null and b/20221116-NATO-MUG/pictures/example-2a.png differ
diff --git a/20221116-NATO-MUG/pictures/example-3.png b/20221116-NATO-MUG/pictures/example-3.png
new file mode 100644
index 0000000..54602ac
Binary files /dev/null and b/20221116-NATO-MUG/pictures/example-3.png differ
diff --git a/20221116-NATO-MUG/pictures/example-4.png b/20221116-NATO-MUG/pictures/example-4.png
new file mode 100644
index 0000000..cca5687
Binary files /dev/null and b/20221116-NATO-MUG/pictures/example-4.png differ
diff --git a/20221116-NATO-MUG/pictures/feeling-of-power.jpg b/20221116-NATO-MUG/pictures/feeling-of-power.jpg
new file mode 100644
index 0000000..b84c299
Binary files /dev/null and b/20221116-NATO-MUG/pictures/feeling-of-power.jpg differ
diff --git a/20221116-NATO-MUG/pictures/filtering-modules.png b/20221116-NATO-MUG/pictures/filtering-modules.png
new file mode 100644
index 0000000..9ca53e3
Binary files /dev/null and b/20221116-NATO-MUG/pictures/filtering-modules.png differ
diff --git a/20221116-NATO-MUG/pictures/first-cti.png b/20221116-NATO-MUG/pictures/first-cti.png
new file mode 100644
index 0000000..5d8fec1
Binary files /dev/null and b/20221116-NATO-MUG/pictures/first-cti.png differ
diff --git a/20221116-NATO-MUG/pictures/future-works.jpeg b/20221116-NATO-MUG/pictures/future-works.jpeg
new file mode 100644
index 0000000..874805d
Binary files /dev/null and b/20221116-NATO-MUG/pictures/future-works.jpeg differ
diff --git a/20221116-NATO-MUG/pictures/geekweek75.jpg b/20221116-NATO-MUG/pictures/geekweek75.jpg
new file mode 100644
index 0000000..799e121
Binary files /dev/null and b/20221116-NATO-MUG/pictures/geekweek75.jpg differ
diff --git a/20221116-NATO-MUG/pictures/infinite-loop.jpg b/20221116-NATO-MUG/pictures/infinite-loop.jpg
new file mode 100644
index 0000000..a45fff7
Binary files /dev/null and b/20221116-NATO-MUG/pictures/infinite-loop.jpg differ
diff --git a/20221116-NATO-MUG/pictures/log-entry-publish-blocked.png b/20221116-NATO-MUG/pictures/log-entry-publish-blocked.png
new file mode 100644
index 0000000..9ccb098
Binary files /dev/null and b/20221116-NATO-MUG/pictures/log-entry-publish-blocked.png differ
diff --git a/20221116-NATO-MUG/pictures/log-entry-publish-success.png b/20221116-NATO-MUG/pictures/log-entry-publish-success.png
new file mode 100644
index 0000000..2a26119
Binary files /dev/null and b/20221116-NATO-MUG/pictures/log-entry-publish-success.png differ
diff --git a/20221116-NATO-MUG/pictures/logic-module-index.png b/20221116-NATO-MUG/pictures/logic-module-index.png
new file mode 100644
index 0000000..736313c
Binary files /dev/null and b/20221116-NATO-MUG/pictures/logic-module-index.png differ
diff --git a/20221116-NATO-MUG/pictures/logic-module.png b/20221116-NATO-MUG/pictures/logic-module.png
new file mode 100644
index 0000000..6a48ce6
Binary files /dev/null and b/20221116-NATO-MUG/pictures/logic-module.png differ
diff --git a/20221116-NATO-MUG/pictures/misp-module-icon.png b/20221116-NATO-MUG/pictures/misp-module-icon.png
new file mode 100644
index 0000000..6fa189b
Binary files /dev/null and b/20221116-NATO-MUG/pictures/misp-module-icon.png differ
diff --git a/20221116-NATO-MUG/pictures/module-buffet.png b/20221116-NATO-MUG/pictures/module-buffet.png
new file mode 100644
index 0000000..8a4a676
Binary files /dev/null and b/20221116-NATO-MUG/pictures/module-buffet.png differ
diff --git a/20221116-NATO-MUG/pictures/module-concurrent.png b/20221116-NATO-MUG/pictures/module-concurrent.png
new file mode 100644
index 0000000..ba994b4
Binary files /dev/null and b/20221116-NATO-MUG/pictures/module-concurrent.png differ
diff --git a/20221116-NATO-MUG/pictures/module-filtering.png b/20221116-NATO-MUG/pictures/module-filtering.png
new file mode 100644
index 0000000..876d5ad
Binary files /dev/null and b/20221116-NATO-MUG/pictures/module-filtering.png differ
diff --git a/20221116-NATO-MUG/pictures/module-if-generic.png b/20221116-NATO-MUG/pictures/module-if-generic.png
new file mode 100644
index 0000000..973ab23
Binary files /dev/null and b/20221116-NATO-MUG/pictures/module-if-generic.png differ
diff --git a/20221116-NATO-MUG/pictures/module-type.png b/20221116-NATO-MUG/pictures/module-type.png
new file mode 100644
index 0000000..d869b9d
Binary files /dev/null and b/20221116-NATO-MUG/pictures/module-type.png differ
diff --git a/20221116-NATO-MUG/pictures/no-slides-if-demo.jpg b/20221116-NATO-MUG/pictures/no-slides-if-demo.jpg
new file mode 100644
index 0000000..aeb155d
Binary files /dev/null and b/20221116-NATO-MUG/pictures/no-slides-if-demo.jpg differ
diff --git a/20221116-NATO-MUG/pictures/no-slides-if-demo2.jpg b/20221116-NATO-MUG/pictures/no-slides-if-demo2.jpg
new file mode 100644
index 0000000..38bf7f1
Binary files /dev/null and b/20221116-NATO-MUG/pictures/no-slides-if-demo2.jpg differ
diff --git a/20221116-NATO-MUG/pictures/no-slides-if-demo3.jpg b/20221116-NATO-MUG/pictures/no-slides-if-demo3.jpg
new file mode 100644
index 0000000..61d2a2b
Binary files /dev/null and b/20221116-NATO-MUG/pictures/no-slides-if-demo3.jpg differ
diff --git a/20221116-NATO-MUG/pictures/non-blocking-workflow.png b/20221116-NATO-MUG/pictures/non-blocking-workflow.png
new file mode 100644
index 0000000..4ae1495
Binary files /dev/null and b/20221116-NATO-MUG/pictures/non-blocking-workflow.png differ
diff --git a/20221116-NATO-MUG/pictures/overview.png b/20221116-NATO-MUG/pictures/overview.png
new file mode 100644
index 0000000..0a5a3d3
Binary files /dev/null and b/20221116-NATO-MUG/pictures/overview.png differ
diff --git a/20221116-NATO-MUG/pictures/php-joke.jpg b/20221116-NATO-MUG/pictures/php-joke.jpg
new file mode 100644
index 0000000..0abc16d
Binary files /dev/null and b/20221116-NATO-MUG/pictures/php-joke.jpg differ
diff --git a/20221116-NATO-MUG/pictures/psyduck.jpeg b/20221116-NATO-MUG/pictures/psyduck.jpeg
new file mode 100644
index 0000000..8e54f30
Binary files /dev/null and b/20221116-NATO-MUG/pictures/psyduck.jpeg differ
diff --git a/20221116-NATO-MUG/pictures/python-joke.png b/20221116-NATO-MUG/pictures/python-joke.png
new file mode 100644
index 0000000..0ce5189
Binary files /dev/null and b/20221116-NATO-MUG/pictures/python-joke.png differ
diff --git a/20221116-NATO-MUG/pictures/python-logo.png b/20221116-NATO-MUG/pictures/python-logo.png
new file mode 100644
index 0000000..2416f26
Binary files /dev/null and b/20221116-NATO-MUG/pictures/python-logo.png differ
diff --git a/20221116-NATO-MUG/pictures/recursive-workflow.png b/20221116-NATO-MUG/pictures/recursive-workflow.png
new file mode 100644
index 0000000..c56eb72
Binary files /dev/null and b/20221116-NATO-MUG/pictures/recursive-workflow.png differ
diff --git a/20221116-NATO-MUG/pictures/request-bin.png b/20221116-NATO-MUG/pictures/request-bin.png
new file mode 100644
index 0000000..ee355fb
Binary files /dev/null and b/20221116-NATO-MUG/pictures/request-bin.png differ
diff --git a/20221116-NATO-MUG/pictures/running-workflows.png b/20221116-NATO-MUG/pictures/running-workflows.png
new file mode 100644
index 0000000..d591c8f
Binary files /dev/null and b/20221116-NATO-MUG/pictures/running-workflows.png differ
diff --git a/20221116-NATO-MUG/pictures/sc-action-icon.png b/20221116-NATO-MUG/pictures/sc-action-icon.png
new file mode 100644
index 0000000..2ac49b8
Binary files /dev/null and b/20221116-NATO-MUG/pictures/sc-action-icon.png differ
diff --git a/20221116-NATO-MUG/pictures/sc-action.png b/20221116-NATO-MUG/pictures/sc-action.png
new file mode 100644
index 0000000..e8d7a66
Binary files /dev/null and b/20221116-NATO-MUG/pictures/sc-action.png differ
diff --git a/20221116-NATO-MUG/pictures/sc-condition-icon.png b/20221116-NATO-MUG/pictures/sc-condition-icon.png
new file mode 100644
index 0000000..f447a5d
Binary files /dev/null and b/20221116-NATO-MUG/pictures/sc-condition-icon.png differ
diff --git a/20221116-NATO-MUG/pictures/sc-condition.png b/20221116-NATO-MUG/pictures/sc-condition.png
new file mode 100644
index 0000000..bb24b90
Binary files /dev/null and b/20221116-NATO-MUG/pictures/sc-condition.png differ
diff --git a/20221116-NATO-MUG/pictures/sc-event-icon.png b/20221116-NATO-MUG/pictures/sc-event-icon.png
new file mode 100644
index 0000000..d1f70ef
Binary files /dev/null and b/20221116-NATO-MUG/pictures/sc-event-icon.png differ
diff --git a/20221116-NATO-MUG/pictures/sc-event.png b/20221116-NATO-MUG/pictures/sc-event.png
new file mode 100644
index 0000000..b58c120
Binary files /dev/null and b/20221116-NATO-MUG/pictures/sc-event.png differ
diff --git a/20221116-NATO-MUG/pictures/settings-1.png b/20221116-NATO-MUG/pictures/settings-1.png
new file mode 100644
index 0000000..290851b
Binary files /dev/null and b/20221116-NATO-MUG/pictures/settings-1.png differ
diff --git a/20221116-NATO-MUG/pictures/settings-2.png b/20221116-NATO-MUG/pictures/settings-2.png
new file mode 100644
index 0000000..712a31a
Binary files /dev/null and b/20221116-NATO-MUG/pictures/settings-2.png differ
diff --git a/20221116-NATO-MUG/pictures/simple-workflow.png b/20221116-NATO-MUG/pictures/simple-workflow.png
new file mode 100644
index 0000000..f494348
Binary files /dev/null and b/20221116-NATO-MUG/pictures/simple-workflow.png differ
diff --git a/20221116-NATO-MUG/pictures/stateless-execution.png b/20221116-NATO-MUG/pictures/stateless-execution.png
new file mode 100644
index 0000000..fa513b3
Binary files /dev/null and b/20221116-NATO-MUG/pictures/stateless-execution.png differ
diff --git a/20221116-NATO-MUG/pictures/time-machine.png b/20221116-NATO-MUG/pictures/time-machine.png
new file mode 100644
index 0000000..494153a
Binary files /dev/null and b/20221116-NATO-MUG/pictures/time-machine.png differ
diff --git a/20221116-NATO-MUG/pictures/triggers.png b/20221116-NATO-MUG/pictures/triggers.png
new file mode 100644
index 0000000..ba637cc
Binary files /dev/null and b/20221116-NATO-MUG/pictures/triggers.png differ
diff --git a/20221116-NATO-MUG/pictures/two-paths.jpeg b/20221116-NATO-MUG/pictures/two-paths.jpeg
new file mode 100644
index 0000000..93542ca
Binary files /dev/null and b/20221116-NATO-MUG/pictures/two-paths.jpeg differ
diff --git a/20221116-NATO-MUG/pictures/upgrade-people.jpeg b/20221116-NATO-MUG/pictures/upgrade-people.jpeg
new file mode 100644
index 0000000..1e6ddde
Binary files /dev/null and b/20221116-NATO-MUG/pictures/upgrade-people.jpeg differ
diff --git a/20221116-NATO-MUG/pictures/whoami.png b/20221116-NATO-MUG/pictures/whoami.png
new file mode 100644
index 0000000..eba7518
Binary files /dev/null and b/20221116-NATO-MUG/pictures/whoami.png differ
diff --git a/20221116-NATO-MUG/pictures/whoami2.png b/20221116-NATO-MUG/pictures/whoami2.png
new file mode 100644
index 0000000..46066cd
Binary files /dev/null and b/20221116-NATO-MUG/pictures/whoami2.png differ
diff --git a/20221116-NATO-MUG/pictures/workflow-debug.png b/20221116-NATO-MUG/pictures/workflow-debug.png
new file mode 100644
index 0000000..a2a932f
Binary files /dev/null and b/20221116-NATO-MUG/pictures/workflow-debug.png differ
diff --git a/20221116-NATO-MUG/pictures/workflow-experimental.png b/20221116-NATO-MUG/pictures/workflow-experimental.png
new file mode 100644
index 0000000..96e05ec
Binary files /dev/null and b/20221116-NATO-MUG/pictures/workflow-experimental.png differ
diff --git a/20221116-NATO-MUG/pictures/workflow-release.png b/20221116-NATO-MUG/pictures/workflow-release.png
new file mode 100644
index 0000000..1eef024
Binary files /dev/null and b/20221116-NATO-MUG/pictures/workflow-release.png differ
diff --git a/20221116-NATO-MUG/pictures/workflow-trigger.png b/20221116-NATO-MUG/pictures/workflow-trigger.png
new file mode 100644
index 0000000..9ea7fad
Binary files /dev/null and b/20221116-NATO-MUG/pictures/workflow-trigger.png differ
diff --git a/20221116-NATO-MUG/pictures/zeromq.png b/20221116-NATO-MUG/pictures/zeromq.png
new file mode 100644
index 0000000..970e9fc
Binary files /dev/null and b/20221116-NATO-MUG/pictures/zeromq.png differ
diff --git a/20221116-NATO-MUG/slide.tex b/20221116-NATO-MUG/slide.tex
new file mode 100644
index 0000000..c2d6508
--- /dev/null
+++ b/20221116-NATO-MUG/slide.tex
@@ -0,0 +1,65 @@
+\documentclass{beamer}
+\usetheme[numbering=progressbar]{focus}
+\definecolor{main}{RGB}{47, 161, 219}
+\definecolor{textcolor}{RGB}{128, 128, 128}
+\definecolor{background}{RGB}{240, 247, 255}
+
+% \usepackage{pgfpages}
+% \setbeameroption{show notes on second screen=right}
+\usepackage[draft]{pdfcomment}
+\newcommand{\pdfnote}[1]{\marginnote{\pdfcomment[icon=note]{#1}}}
+
+\usepackage[utf8]{inputenc}
+\usepackage{tikz}
+\usepackage{listings}
+\usepackage{fontawesome5}
+\usepackage[export]{adjustbox}
+\usepackage{fourier}
+\usetikzlibrary{positioning}
+\usetikzlibrary{shapes,arrows}
+
+\lstdefinelanguage{javascript}{
+ basicstyle=\scriptsize,
+ numbers=left,
+ numberstyle=\scriptsize,
+ stepnumber=1,
+ numbersep=5pt,
+ showstringspaces=false,
+ breaklines=true,
+ frame=lines,
+ keywords={typeof, new, true, false, catch, function, return, null, catch, switch, var, if, in, while, do, else, case, break},
+ %keywordstyle=\color{blue}\bfseries,
+ ndkeywords={class, export, boolean, throw, implements, import, this},
+ ndkeywordstyle=\color{darkgray}\bfseries,
+ identifierstyle=\color{black},
+ sensitive=false,
+ comment=[l]{//},
+ morecomment=[s]{/*}{*/},
+ commentstyle=\color{purple}\ttfamily,
+ %stringstyle=\color{red}\ttfamily,
+ morestring=[b]',
+ morestring=[b]"
+}
+\lstdefinelanguage{text}{
+ basicstyle=\scriptsize,
+ numbers=left,
+ numberstyle=\scriptsize,
+ stepnumber=1,
+ numbersep=5pt,
+ showstringspaces=false,
+ breaklines=true,
+ frame=lines
+}
+
+\title{Automation with MISP Workflows}
+\subtitle{A new way to integrate MISP in your CTI pipelines}
+\author{Andras Iklody}
+\date{MUG}
+\titlegraphic{\vspace*{1em}\includegraphics[scale=0.5]{misp.pdf}\\}
+\institute{MISP Project \\ \url{https://www.misp-project.org/}}
+
+
+\begin{document}
+\include{content}
+\end{document}
+
diff --git a/20221116-NATO-MUG/slide.upa b/20221116-NATO-MUG/slide.upa
new file mode 100644
index 0000000..e69de29
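Review bot: `\include{content}` at the end of the hunk forces a `\clearpage` and cannot be nested; since content.tex is explicitly marked as "included by the other .tex files", `\input{content}` is the conventional choice for a frame file, and the same applies to the slide_handout.tex hunk below. The `\lstdefinelanguage{javascript}` keyword list names `catch` twice, which is harmless but worth deduplicating. The whole preamble is repeated verbatim in slide_handout.tex, differing only in the two pgfpages lines, so moving it into a shared preamble file pulled in by both drivers would keep the listings setup and title metadata from drifting apart. `\date{MUG}` carries a venue rather than a date; the directory name suggests the talk date, which would presumably be the intended value there.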
diff --git a/20221116-NATO-MUG/slide_handout.tex b/20221116-NATO-MUG/slide_handout.tex
new file mode 100644
index 0000000..9e1211a
--- /dev/null
+++ b/20221116-NATO-MUG/slide_handout.tex
@@ -0,0 +1,67 @@
+\documentclass{beamer}
+\usetheme[numbering=progressbar]{focus}
+\definecolor{main}{RGB}{47, 161, 219}
+\definecolor{textcolor}{RGB}{128, 128, 128}
+\definecolor{background}{RGB}{240, 247, 255}
+
+% \usepackage{pgfpages}
+% \setbeameroption{show notes on second screen=right}
+\usepackage[draft]{pdfcomment}
+\newcommand{\pdfnote}[1]{\marginnote{\pdfcomment[icon=note]{#1}}}
+
+\usepackage{pgfpages}
+\setbeameroption{show notes on second screen=right}
+\usepackage[utf8]{inputenc}
+\usepackage{tikz}
+\usepackage{listings}
+\usepackage{fontawesome5}
+\usepackage[export]{adjustbox}
+\usepackage{fourier}
+\usetikzlibrary{positioning}
+\usetikzlibrary{shapes,arrows}
+
+\lstdefinelanguage{javascript}{
+ basicstyle=\scriptsize,
+ numbers=left,
+ numberstyle=\scriptsize,
+ stepnumber=1,
+ numbersep=5pt,
+ showstringspaces=false,
+ breaklines=true,
+ frame=lines,
+ keywords={typeof, new, true, false, catch, function, return, null, catch, switch, var, if, in, while, do, else, case, break},
+ %keywordstyle=\color{blue}\bfseries,
+ ndkeywords={class, export, boolean, throw, implements, import, this},
+ ndkeywordstyle=\color{darkgray}\bfseries,
+ identifierstyle=\color{black},
+ sensitive=false,
+ comment=[l]{//},
+ morecomment=[s]{/*}{*/},
+ commentstyle=\color{purple}\ttfamily,
+ %stringstyle=\color{red}\ttfamily,
+ morestring=[b]',
+ morestring=[b]"
+}
+\lstdefinelanguage{text}{
+ basicstyle=\scriptsize,
+ numbers=left,
+ numberstyle=\scriptsize,
+ stepnumber=1,
+ numbersep=5pt,
+ showstringspaces=false,
+ breaklines=true,
+ frame=lines
+}
+
+\title{Automation with MISP Workflows}
+\subtitle{A new way to integrate MISP in your CTI pipelines}
+\author{Andras Iklody}
+\date{MUG}
+\titlegraphic{\vspace*{1em}\includegraphics[scale=0.5]{misp.pdf}\\}
+\institute{MISP Project \\ \url{https://www.misp-project.org/}}
+
+
+\begin{document}
+\include{content}
+\end{document}
+
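Review bot: The commented-out `% \usepackage{pgfpages}` and `% \setbeameroption{show notes on second screen=right}` lines near the top of the hunk are followed two lines later by the same pair uncommented, so the commented copy is dead text carried over from slide.tex and should be dropped here. Keeping both makes it easy to re-enable the wrong one later when the two drivers are edited side by side. The `\include{content}` and duplicated-preamble points raised on the slide.tex hunk apply to this hunk as well.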
diff --git a/20221116-NATO-MUG/slide_handout.upa b/20221116-NATO-MUG/slide_handout.upa
new file mode 100644
index 0000000..e69de29
diff --git a/202305-NATO-MUG-update/Sightings2.PNG b/202305-NATO-MUG-update/Sightings2.PNG
new file mode 100644
index 0000000..cd35990
Binary files /dev/null and b/202305-NATO-MUG-update/Sightings2.PNG differ
diff --git a/202305-NATO-MUG-update/b.4-turning-data-into-actionable-intelligence-short.pdf b/202305-NATO-MUG-update/b.4-turning-data-into-actionable-intelligence-short.pdf
new file mode 100644
index 0000000..2bdf2e6
Binary files /dev/null and b/202305-NATO-MUG-update/b.4-turning-data-into-actionable-intelligence-short.pdf differ
diff --git a/202305-NATO-MUG-update/content.tex b/202305-NATO-MUG-update/content.tex
new file mode 100644
index 0000000..0befd32
--- /dev/null
+++ b/202305-NATO-MUG-update/content.tex
@@ -0,0 +1,402 @@
+% DO NOT COMPILE THIS FILE DIRECTLY!
+% This is included by the other .tex files.
+
+\begin{frame}
+\titlepage
+\end{frame}
+
+\begin{frame}
+ \frametitle{The aim of this presentation}
+ \begin{itemize}
+ \item MISP Project
+ \begin{itemize}
+ \item What has happened since the last MUG
+ \item Give you a brief update over the highlights
+ \item Ongoing rework
+ \end{itemize}
+ \item Cerebrate
+ \begin{itemize}
+ \item Update on Cerebrate
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{MISP update}
+\begin{center}
+\includegraphics[scale=0.3]{images/misp.png}
+\end{center}
+\end{frame}
+
+\section{What has happened since the last MUG}
+
+\begin{frame}
+ \frametitle{Statistics}
+ \begin{itemize}
+ \item Since the last MISP summit (16/11/2022) we've had:
+ \begin{itemize}
+ \item {\bf 6} releases
+ \item {\bf 871} commits
+ \item {\bf 40} contributors contributing to the core software and its components
+ \item {\bf 102} pull-requests on MISP components (MISP objects, taxonomies, galaxy, modules, warning-lists)
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\section{Give you a brief update over the highlights}
+
+\begin{frame}
+ \frametitle{A topical listing of the new major features}
+ \begin{itemize}
+ \item {\bf Workflow} improvements
+ \item {\bf STIX 2.1} improvements along with TAXII integration
+ \item {\bf Freetext} import modernisation
+ \item {\bf Logging} and {\bf security} improvements
+ \item {\bf Dashboard} rework
+ \item {\bf Security fixes} and other improvements
+ \end{itemize}
+\end{frame}
+
+
+\begin{frame}
+ \frametitle{Workflows}
+ \begin{itemize}
+ \item Continuous ongoing work
+ \item Further addition of {\bf logic nodes} for more advanced {\bf branching} decision trees
+ \item Additional {\bf action nodes} (such as e-mailing improvements)
+ \item The inclusion of new {\bf triggers} based on community feedback
+ \item {\bf Filtered data} paths within workflows (e.g. Only execute this set of actions on a subset of the workflow's input data)
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Workflows}
+\begin{center}
+\includegraphics[scale=0.17]{images/workflows_filtered.png}
+\end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Freetext import improvements}
+ \begin{itemize}
+ \item The {\bf freetext import} has been a powerful way of creating {\bf attributes} parsed out of text
+ \item Since 2.4.167, it can also be used to {\bf create MISP objects }
+ \item {\bf Proposes} valid object {\bf templates} for the given data-points
+ \item New UI elements and parsing logic added
+ \item Objects in general encouraged over flat attributes
+ \item Goes hand-in-hand with new {\bf object template} development
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Freetext import improvements}
+\begin{center}
+\includegraphics[scale=0.40]{images/freetext_objects.png}
+\end{center}
+\end{frame}
+
+
+\begin{frame}
+ \frametitle{Logging rework}
+ \begin{itemize}
+ \item {\bf Logging concerns separated} into optional separate mechanisms
+ \begin{itemize}
+ \item Separate Application, Audit, Access logs (thanks to Jakub Onderka)
+ \end{itemize}
+ \item New user sanity checks on {\bf prior authentications} and {\bf associated IPs} (thanks to Christophe Vandeplas)
+ \begin{itemize}
+ \item Allows users to audit their accounts' actions to catch abuse
+ \end{itemize}
+ \item New internal logging of {\bf authentication frequency}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Dashboard rework}
+ \begin{itemize}
+ \item {\bf Overhaul} of the {\bf widget toolkit} for instance visibility
+ \item New widgets to highlight {\bf trends, community interactions and statistics}
+ \item Focus on {\bf customisation} and {\bf bucketing} of organisation groups
+ \begin{itemize}
+ \item Use Organisation meta-data, such as country, sector, org type
+ \end{itemize}
+ \item Better defined {\bf reporting periods}
+ \begin{itemize}
+ \item Show data of current day, month, year or since an arbitrary date
+ \end{itemize}
+ \item Rework of some existing widgets to be much more {\bf performant}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+
+\frametitle{Dashboard example}
+\begin{center}
+\includegraphics[scale=0.14]{images/dashboard_example.png}
+\end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Security fixes and other improvements}
+ \begin{itemize}
+ \item Long list of security fixes based on multiple external penetration tests
+ \item {\bf CVEs}\footnote{\url{https://www.misp-project.org/security/}} continuously reported for issues small and large
+ \begin{itemize}
+ \item Make sure you're up to date!
+ \end{itemize}
+ \item {\bf Zigrin security}'s research funded by the {\bf Luxembourg army} has been a massive help
+ \item Long list of other improvements, quality of life changes, performance tuning
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Taxonomy highlight}
+\begin{itemize}
+ \item Many different taxonomies are used frequently in various organisations
+ \item A new feature to highlight the important taxonomy in a MISP instance (community) is available
+ \item Site admin user can select the {\bf highlighted taxonomies}
+ \item The taxonomy namespace will be highlight in a box on the index/event views
+\end{itemize}
+ \includegraphics[scale=0.2]{./images/highlight.png}
+ \includegraphics[scale=0.2]{./images/highlight2.png}
+\end{frame}
+
+\begin{frame}
+\frametitle{MISP modules}
+ \begin{itemize}
+ \item MISP modules are companion to expansion, export, import for external services or tooling
+ \item Extended to support the {\bf MISP workflow actions}
+ \item New modules include new import {\bf extract\_url\_components}
+ \item New expansion modules include {\bf Crowdsec}, {\bf ipinfo.io}
+ \item Improved expansion modules {\bf greynoise}, {\bf VarIOT}
+ \item Improved modules to support the MISP standard format
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{MISP taxonomies}
+ \begin{itemize}
+ \item 149 ready-to-use are now available in MISP taxonomies (used in MISP and many other tools)
+ \item New {\bf information-origin} taxonomy to classify AI-generated content with LLMs
+ \item New {\bf aviation} taxonomy developed by Eurocontrol to support labelling in the aviation sector
+ \item New Microsoft {\bf sentinel} taxonomy to support the MISP sentinel integration developed by Koen Van Impe
+ \item Various fixes and improvement to taxonomies (e.g. the dark-web taxonomy due to updates in AIL 5.0)
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{MISP warning-lists}
+ \begin{itemize}
+ \item New {\bf captive-portal} warning-list added
+ \item New known {\bf parking page infrastructure} warning-list added
+ \item New {\bf google-chrome-crux-1million} warning-list added
+ \item New {\bf microsoft-azure-appid} warning-list added
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{MISP galaxy}
+ \begin{itemize}
+ \item New {\bf sigma} galaxy added including relationships
+ \item Latest MITRE ATT\&CK version 13 updated for the MISP galaxy
+ \item New microsoft threat actor taxonomy added including relationships with previous activity group and {\bf threat-actor galaxy}
+ \item Alignment of {\bf ransomware galaxy} with the {\bf ransomlook.io} project
+ \item Major improvements in threat-actor galaxy including relationships with other galaxy clusters
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{MISP objects}
+ \begin{itemize}
+ \item New {\bf ai-chat-prompt} to share AI chat prompt in MISP
+ \item New {\bf greynoise-intelligence}, {\bf risk-assessment-report}, {\bf transport-ticket}, {\bf AIS}, {\bf typosquatting}, {\bf telegram-bot} objects
+ \item Many improvements to existing objets to align with STIX 2.1 and updates
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{MISP stix}
+ \begin{itemize}
+ \item misp-stix\footnote{\url{https://github.com/MISP/misp-stix}} is standalone Python library support MISP standard format and all the STIX version (1.1.1, 1.2, 2.0 and 2.1)
+ \item Two people from CIRCL are {\bf co-sharing the OASIS Cyber Threat Intelligence (CTI) TC and CTI STIX subcommittee}
+ \item Ensuring alignment between the standards, interoperability and an open source standard library
+ \item Improvement in misp-stix such as STIX 2.0 and 2.1 patterning and {\bf generic way to support observable objects}
+ \item Import in MISP added for STIX 2
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Cerebrate}
+ \begin{itemize}
+ \item New documentation for Cerebrate\footnote{\url{https://doc.cerebrate-project.org/}}
+ \item Many {\bf improvements and bugs fixed} following the feedback of different organisations deploying Cerebrate
+ \item Deployment of the {\bf PoC for NATO users is ongoing}
+ \item Software stack of MISP 3 is tested on Cerebrate
+ \end{itemize}
+
+\end{frame}
+
+\section{Ongoing rework}
+
+\begin{frame}
+ \frametitle{MISP 3}
+ \begin{itemize}
+ \item Largest ongoing work is the work on {\bf MISP3}
+ \item Already announced long ago, development is now underway\footnote{\url{https://github.com/MISP/MISP/tree/3.x}}
+ \item New {\bf tech stack} based on Cerebrate's advances (CakePHP 4.x+, PHP 8.2+, Bootstrap 5+)
+ \item Longer project, will bring long needed improvements
+ \end{itemize}
+\end{frame}
+
+\section{MISP 3 Objective}
+
+\begin{frame}
+ \frametitle{Ensuring compatibility}
+ \begin{itemize}
+ \item Full {\bf API compatibility} with MISP 2.4
+ \item {\bf Synchronisation compatibility} with MISP 2.4
+ \item At least the same {\bf feature set as MISP 2.4}
+ \begin{itemize}
+ \item Except for culling unused, unmaintained functionalities
+ \item We are collecting usage data on CIRCL's platforms about legacy functionalities
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{What we expect from the upgrade process}
+ \begin{itemize}
+ \item The first update since 2.4 in 2015 that requires manual intervention
+ \item Burden on administrators:
+ \begin{itemize}
+ \item We will include scripts that will install MISP3 side-by-side of MISP2 and ingest all of your MISP 2 data
+ \item The process will not be automatic and will need administrator intervention
+ \item Some {\bf new requirements} (more modern PHP for example, new framework version's requirements)
+ \item Database migration is included in the process
+ \end{itemize}
+ \item Versions following 3.0 will go back to a similar one-click update process for the lifecycle of 3.x
+ \item This will allow us to make some changes that we've held back for too long
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Improvements to the database structure}
+ \begin{itemize}
+ \item Rework of schema for more performance
+ \item {\bf Relational constraints moved to the database} for consistency and performance
+ \item Modernised {\bf unicode handling}
+ \item Fixes of some legacy mistakes (reserved keyword field use for example)
+ \item {\bf DB improvements} that were outcomes of research from Cerebrate incorporated (tags, metadata)
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Better file structure}
+ \begin{itemize}
+ \item {\bf Clearer separation} of concerns (software codebase vs data vs logs)
+ \begin{itemize}
+ \item Easier containerisation of MISP
+ \item Saner file permission management
+ \item Simpler log collection
+ \end{itemize}
+ \item Reduced complexity of installation and package management
+ \item Use of framework features rather than custom features for upgrade management
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{UX rework}
+ \begin{itemize}
+ \item More harmonised UI
+ \item {\bf Modern look and feel}
+ \item Easier to use interactions
+ \item Menues and actions reworked to be more use-case focused
+ \item UI customisation for users including custom themes
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{MISP 3 UI}
+\begin{center}
+\includegraphics[scale=0.18]{images/misp3.png}
+\end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Performance tuning and software quality management}
+ \begin{itemize}
+ \item New framework provides better tools for performant queries
+ \item New, tighter integrated testing framework used for CI
+ \item The new framework version is compliant with PHP framework standards allowing us to use a wide range tools
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Plenty of work ahead of us to achieve our goals}
+ \begin{itemize}
+ \item If you, or colleagues of yours want to get involved, let us know!
+ \item We're also looking for discussions on what the user-base would like to see in a reworked, modernised MISP
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{MISP playbooks}
+ \begin{itemize}
+ \item A new project called MISP playbooks\footnote{\url{https://www.github.com/MISP/misp-playbooks}} has started
+ \item MISP playbooks address {\bf common use-cases} encountereted by {\bf SOCs, CSIRTs and CTI teams}
+ \item Covering all the activity such {\bf detecting, reacting and analysing}
+ \item Documentation in Markdown format and code in Python all in {\bf Jupyter notebooks}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{MISP guard}
+ \begin{itemize}
+ \item misp-guard\footnote{\url{https://github.com/MISP/misp-guard}} is a mitmproxy addon that inspects the synchronization traffic (via PUSH or PULL) between different MISP instances and applies a set of customizable rules defined in a JSON file
+ \item {\bf Simple code base for doing complementary filtering} between different MISPs for sensitive or classified networks
+ \item misp-guard doesn't depend on MISP to apply the filtering
+ \item Next step code review and evaluate the different option for certification (ideas are welcome)
+ \end{itemize}
+\end{frame}
+
+\section{Conclusions}
+
+\begin{frame}
+ \frametitle{To sum it all up...}
+ \begin{itemize}
+ \item The MISP {\bf developer/contributor community} continues to grow and is very active
+ \item The main focus the past year was on the following
+ \begin{itemize}
+ \item Performance, security, UX improvements
+ \item Customisations of workflow processes
+ \item Better operationalisation of MISP (community management, integration, monitoring)
+ \item Fleshing out the documentation and supporting materials
+ \end{itemize}
+ \item Cerebrate is aiming to fill the void of community/fleet management that we currently have
+ \item Definitely no lack of new ideas and improvements, if you want to participate, it's easy to {\bf get involved}
+ \item Prioritisation is hard. {\bf Let us know what you think we should focus on}!
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Get in touch if you have any questions}
+ \begin{itemize}
+ \item Contact CIRCL
+ \begin{itemize}
+ \item info@circl.lu
+ \item \url{https://twitter.com/circl_lu}
+ \item \url{https://www.circl.lu/}
+ \end{itemize}
+ \item Contact MISPProject
+ \begin{itemize}
+ \item \url{https://github.com/MISP}
+ \item \url{https://gitter.im/MISP/MISP}
+ \item \url{https://twitter.com/MISPProject}
+ \end{itemize}
+ \item Cerebrate project
+ \begin{itemize}
+ \item \url{https://github.com/cerebrate-project}
+ \item \url{https://github.com/cerebrate-project/cerebrate}
+ \end{itemize}
+ \end{itemize}
+\end{frame}
diff --git a/202305-NATO-MUG-update/images/SoD.png b/202305-NATO-MUG-update/images/SoD.png
new file mode 100644
index 0000000..b95a9ec
Binary files /dev/null and b/202305-NATO-MUG-update/images/SoD.png differ
diff --git a/202305-NATO-MUG-update/images/attack-screenshot.png b/202305-NATO-MUG-update/images/attack-screenshot.png
new file mode 100644
index 0000000..44cf2ff
Binary files /dev/null and b/202305-NATO-MUG-update/images/attack-screenshot.png differ
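Review bot: Bold is set with the plain-TeX `{\bf ...}` switch on nearly every frame of this hunk (e.g. `{\bf Security fixes}`, `{\bf CVEs}`); `\textbf{...}` (or beamer's `\alert{...}`) is the LaTeX form, and a one-off replacement over the file is worth doing before more frames are added on top of it. Several typos on the new side: `encountereted` → `encountered` (MISP playbooks), `objets` → `objects` (MISP objects), `Menues` → `Menus` (UX rework), `will be highlight in a box` → `will be highlighted in a box` (Taxonomy highlight), `such {\bf detecting` → `such as {\bf detecting`, and `149 ready-to-use are now available` is missing the noun `taxonomies`. The misp-stix item reads `is standalone Python library support MISP standard format and all the STIX version`; `is a standalone Python library supporting the MISP standard format and all STIX versions` would read cleanly, and `co-sharing` in the next item is presumably meant to be `co-chairing`. On the Security fixes frame, `Make sure you're up to date!` would be more actionable if it named the release the audience should be on, since the Statistics frame already counts 6 releases in the period; I cannot tell from the hunk which version that is, so it needs to come from the author.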
diff --git a/202305-NATO-MUG-update/images/authkey.png b/202305-NATO-MUG-update/images/authkey.png
new file mode 100644
index 0000000..46174b9
Binary files /dev/null and b/202305-NATO-MUG-update/images/authkey.png differ
diff --git a/202305-NATO-MUG-update/images/bankaccount.png b/202305-NATO-MUG-update/images/bankaccount.png
new file mode 100644
index 0000000..94eb5cc
Binary files /dev/null and b/202305-NATO-MUG-update/images/bankaccount.png differ
diff --git a/202305-NATO-MUG-update/images/bankview.png b/202305-NATO-MUG-update/images/bankview.png
new file mode 100644
index 0000000..ce629c1
Binary files /dev/null and b/202305-NATO-MUG-update/images/bankview.png differ
diff --git a/202305-NATO-MUG-update/images/blueprints1.png b/202305-NATO-MUG-update/images/blueprints1.png
new file mode 100644
index 0000000..edaedcb
Binary files /dev/null and b/202305-NATO-MUG-update/images/blueprints1.png differ
diff --git a/202305-NATO-MUG-update/images/blueprints2.png b/202305-NATO-MUG-update/images/blueprints2.png
new file mode 100644
index 0000000..b2d73cb
Binary files /dev/null and b/202305-NATO-MUG-update/images/blueprints2.png differ
diff --git a/202305-NATO-MUG-update/images/cerebrate-github.png b/202305-NATO-MUG-update/images/cerebrate-github.png
new file mode 100644
index 0000000..af85229
Binary files /dev/null and b/202305-NATO-MUG-update/images/cerebrate-github.png differ
diff --git a/202305-NATO-MUG-update/images/cerebrate-logo.png b/202305-NATO-MUG-update/images/cerebrate-logo.png
new file mode 100644
index 0000000..82bcaab
Binary files /dev/null and b/202305-NATO-MUG-update/images/cerebrate-logo.png differ
diff --git a/202305-NATO-MUG-update/images/cerebrate.png b/202305-NATO-MUG-update/images/cerebrate.png
new file mode 100644
index 0000000..82bcaab
Binary files /dev/null and b/202305-NATO-MUG-update/images/cerebrate.png differ
diff --git a/202305-NATO-MUG-update/images/circl.png b/202305-NATO-MUG-update/images/circl.png
new file mode 100644
index 0000000..c570ff2
Binary files /dev/null and b/202305-NATO-MUG-update/images/circl.png differ
diff --git a/202305-NATO-MUG-update/images/clippy-hint.png b/202305-NATO-MUG-update/images/clippy-hint.png
new file mode 100644
index 0000000..ef4415e
Binary files /dev/null and b/202305-NATO-MUG-update/images/clippy-hint.png differ
diff --git a/202305-NATO-MUG-update/images/clippy-hint.xcf b/202305-NATO-MUG-update/images/clippy-hint.xcf
new file mode 100644
index 0000000..f4ddbb1
Binary files /dev/null and b/202305-NATO-MUG-update/images/clippy-hint.xcf differ
diff --git a/202305-NATO-MUG-update/images/clippy-solo.png b/202305-NATO-MUG-update/images/clippy-solo.png
new file mode 100644
index 0000000..4c67fd1
Binary files /dev/null and b/202305-NATO-MUG-update/images/clippy-solo.png differ
diff --git a/202305-NATO-MUG-update/images/covid.png b/202305-NATO-MUG-update/images/covid.png
new file mode 100644
index 0000000..e6e869f
Binary files /dev/null and b/202305-NATO-MUG-update/images/covid.png differ
diff --git a/202305-NATO-MUG-update/images/creativity.png b/202305-NATO-MUG-update/images/creativity.png
new file mode 100644
index 0000000..d9878e2
Binary files /dev/null and b/202305-NATO-MUG-update/images/creativity.png differ
diff --git a/202305-NATO-MUG-update/images/dashboard-trendings.png b/202305-NATO-MUG-update/images/dashboard-trendings.png
new file mode 100644
index 0000000..e8937e4
Binary files /dev/null and b/202305-NATO-MUG-update/images/dashboard-trendings.png differ
diff --git a/202305-NATO-MUG-update/images/dashboard.png b/202305-NATO-MUG-update/images/dashboard.png
new file mode 100644
index 0000000..d163f4d
Binary files /dev/null and b/202305-NATO-MUG-update/images/dashboard.png differ
diff --git a/202305-NATO-MUG-update/images/dashboard_example.png b/202305-NATO-MUG-update/images/dashboard_example.png
new file mode 100644
index 0000000..24cb024
Binary files /dev/null and b/202305-NATO-MUG-update/images/dashboard_example.png differ
diff --git a/202305-NATO-MUG-update/images/decaying-basescore.png b/202305-NATO-MUG-update/images/decaying-basescore.png
new file mode 100644
index 0000000..d21e261
Binary files /dev/null and b/202305-NATO-MUG-update/images/decaying-basescore.png differ
diff --git a/202305-NATO-MUG-update/images/decaying-event.png b/202305-NATO-MUG-update/images/decaying-event.png
new file mode 100644
index 0000000..553b9e7
Binary files /dev/null and b/202305-NATO-MUG-update/images/decaying-event.png differ
diff --git a/202305-NATO-MUG-update/images/decaying-index.png b/202305-NATO-MUG-update/images/decaying-index.png
new file mode 100644
index 0000000..c8c9754
Binary files /dev/null and b/202305-NATO-MUG-update/images/decaying-index.png differ
diff --git a/202305-NATO-MUG-update/images/decaying-simulation.png b/202305-NATO-MUG-update/images/decaying-simulation.png
new file mode 100644
index 0000000..8252a09
Binary files /dev/null and b/202305-NATO-MUG-update/images/decaying-simulation.png differ
diff --git a/202305-NATO-MUG-update/images/decaying-tool.png b/202305-NATO-MUG-update/images/decaying-tool.png
new file mode 100644
index 0000000..ff8c298
Binary files /dev/null and b/202305-NATO-MUG-update/images/decaying-tool.png differ
diff --git a/202305-NATO-MUG-update/images/en_cef.png b/202305-NATO-MUG-update/images/en_cef.png
new file mode 100644
index 0000000..5fed070
Binary files /dev/null and b/202305-NATO-MUG-update/images/en_cef.png differ
diff --git a/202305-NATO-MUG-update/images/eventreport.png b/202305-NATO-MUG-update/images/eventreport.png
new file mode 100644
index 0000000..6f74bbe
Binary files /dev/null and b/202305-NATO-MUG-update/images/eventreport.png differ
diff --git a/202305-NATO-MUG-update/images/freetext_objects.png b/202305-NATO-MUG-update/images/freetext_objects.png
new file mode 100644
index 0000000..dae314f
Binary files /dev/null and b/202305-NATO-MUG-update/images/freetext_objects.png differ
diff --git a/202305-NATO-MUG-update/images/galaxy-ransomware.png b/202305-NATO-MUG-update/images/galaxy-ransomware.png
new file mode 100644
index 0000000..5cf42cc
Binary files /dev/null and b/202305-NATO-MUG-update/images/galaxy-ransomware.png differ
diff --git a/202305-NATO-MUG-update/images/galaxy20.png b/202305-NATO-MUG-update/images/galaxy20.png
new file mode 100644
index 0000000..97911ac
Binary files /dev/null and b/202305-NATO-MUG-update/images/galaxy20.png differ
diff --git a/202305-NATO-MUG-update/images/highlight.png b/202305-NATO-MUG-update/images/highlight.png
new file mode 100644
index 0000000..97a4220
Binary files /dev/null and b/202305-NATO-MUG-update/images/highlight.png differ
diff --git a/202305-NATO-MUG-update/images/highlight2.png b/202305-NATO-MUG-update/images/highlight2.png
new file mode 100644
index 0000000..b3d765d
Binary files /dev/null and b/202305-NATO-MUG-update/images/highlight2.png differ
diff --git a/202305-NATO-MUG-update/images/logo.png b/202305-NATO-MUG-update/images/logo.png
new file mode 100644
index 0000000..82bcaab
Binary files /dev/null and b/202305-NATO-MUG-update/images/logo.png differ
diff --git a/202305-NATO-MUG-update/images/misp.png b/202305-NATO-MUG-update/images/misp.png
new file mode 100644
index 0000000..fa8583a
Binary files /dev/null and b/202305-NATO-MUG-update/images/misp.png differ
diff --git a/202305-NATO-MUG-update/images/misp3.png b/202305-NATO-MUG-update/images/misp3.png
new file mode 100644
index 0000000..72b5ee7
Binary files /dev/null and b/202305-NATO-MUG-update/images/misp3.png differ
diff --git a/202305-NATO-MUG-update/images/mispcerebrate.png b/202305-NATO-MUG-update/images/mispcerebrate.png
new file mode 100644
index 0000000..d58796f
Binary files /dev/null and b/202305-NATO-MUG-update/images/mispcerebrate.png differ
diff --git a/202305-NATO-MUG-update/images/object.png b/202305-NATO-MUG-update/images/object.png
new file mode 100644
index 0000000..acebf04
Binary files /dev/null and b/202305-NATO-MUG-update/images/object.png differ
diff --git a/202305-NATO-MUG-update/images/openapi.png b/202305-NATO-MUG-update/images/openapi.png
new file mode 100644
index 0000000..44726ea
Binary files /dev/null and b/202305-NATO-MUG-update/images/openapi.png differ
diff --git a/202305-NATO-MUG-update/images/openapi_page.png b/202305-NATO-MUG-update/images/openapi_page.png
new file mode 100644
index 0000000..44726ea
Binary files /dev/null and b/202305-NATO-MUG-update/images/openapi_page.png differ
diff --git a/202305-NATO-MUG-update/images/over.png b/202305-NATO-MUG-update/images/over.png
new file mode 100644
index 0000000..2f95420
Binary files /dev/null and b/202305-NATO-MUG-update/images/over.png differ
diff --git a/202305-NATO-MUG-update/images/periodic.png b/202305-NATO-MUG-update/images/periodic.png
new file mode 100644
index 0000000..3cb4db3
Binary files /dev/null and b/202305-NATO-MUG-update/images/periodic.png differ
diff --git a/202305-NATO-MUG-update/images/security.png b/202305-NATO-MUG-update/images/security.png
new file mode 100644
index 0000000..8b51dd8
Binary files /dev/null and b/202305-NATO-MUG-update/images/security.png differ
diff --git a/202305-NATO-MUG-update/images/sighting-n.png b/202305-NATO-MUG-update/images/sighting-n.png
new file mode 100644
index 0000000..f9ec127
Binary files /dev/null and b/202305-NATO-MUG-update/images/sighting-n.png differ
diff --git a/202305-NATO-MUG-update/images/signing1.png b/202305-NATO-MUG-update/images/signing1.png
new file mode 100644
index 0000000..d378f7b
Binary files /dev/null and b/202305-NATO-MUG-update/images/signing1.png differ
diff --git a/202305-NATO-MUG-update/images/signing2.png b/202305-NATO-MUG-update/images/signing2.png
new file mode 100644
index 0000000..450e7d6
Binary files /dev/null and b/202305-NATO-MUG-update/images/signing2.png differ
diff --git a/202305-NATO-MUG-update/images/signing3.png b/202305-NATO-MUG-update/images/signing3.png
new file mode 100644
index 0000000..68e7ced
Binary files /dev/null and b/202305-NATO-MUG-update/images/signing3.png differ
diff --git a/202305-NATO-MUG-update/images/signing4.png b/202305-NATO-MUG-update/images/signing4.png
new file mode 100644
index 0000000..3a42468
Binary files /dev/null and b/202305-NATO-MUG-update/images/signing4.png differ
diff --git a/202305-NATO-MUG-update/images/stix.png b/202305-NATO-MUG-update/images/stix.png
new file mode 100644
index 0000000..c0b59bb
Binary files /dev/null and b/202305-NATO-MUG-update/images/stix.png differ
diff --git a/202305-NATO-MUG-update/images/switching_engines.png b/202305-NATO-MUG-update/images/switching_engines.png
new file mode 100755
index 0000000..18dbfd9
Binary files /dev/null and b/202305-NATO-MUG-update/images/switching_engines.png differ
diff --git a/202305-NATO-MUG-update/images/tag_relations.png b/202305-NATO-MUG-update/images/tag_relations.png
new file mode 100644
index 0000000..a594649
Binary files /dev/null and b/202305-NATO-MUG-update/images/tag_relations.png differ
diff --git a/202305-NATO-MUG-update/images/taxonomy-workflow.png b/202305-NATO-MUG-update/images/taxonomy-workflow.png
new file mode 100644
index 0000000..f4789ad
Binary files /dev/null and b/202305-NATO-MUG-update/images/taxonomy-workflow.png differ
diff --git a/202305-NATO-MUG-update/images/timeline-misp-overview.png b/202305-NATO-MUG-update/images/timeline-misp-overview.png
new file mode 100644
index 0000000..23ff19b
Binary files /dev/null and b/202305-NATO-MUG-update/images/timeline-misp-overview.png differ
diff --git a/202305-NATO-MUG-update/images/timeline.png b/202305-NATO-MUG-update/images/timeline.png
new file mode 100644
index 0000000..23ff19b
Binary files /dev/null and b/202305-NATO-MUG-update/images/timeline.png differ
diff --git a/202305-NATO-MUG-update/images/timelining.png b/202305-NATO-MUG-update/images/timelining.png
new file mode 100644
index 0000000..7753ba5
Binary files /dev/null and b/202305-NATO-MUG-update/images/timelining.png differ
diff --git a/202305-NATO-MUG-update/images/warning-list-event.png b/202305-NATO-MUG-update/images/warning-list-event.png
new file mode 100644
index 0000000..22c6423
Binary files /dev/null and b/202305-NATO-MUG-update/images/warning-list-event.png differ
diff --git a/202305-NATO-MUG-update/images/warning-list.png b/202305-NATO-MUG-update/images/warning-list.png
new file mode 100644
index 0000000..f151ded
Binary files /dev/null and b/202305-NATO-MUG-update/images/warning-list.png differ
diff --git a/202305-NATO-MUG-update/images/warnings.png b/202305-NATO-MUG-update/images/warnings.png
new file mode 100644
index 0000000..86e16a3
Binary files /dev/null and b/202305-NATO-MUG-update/images/warnings.png differ
diff --git a/202305-NATO-MUG-update/images/workflow_initial.png b/202305-NATO-MUG-update/images/workflow_initial.png
new file mode 100644
index 0000000..7c6b54c
Binary files /dev/null and b/202305-NATO-MUG-update/images/workflow_initial.png differ
diff --git a/202305-NATO-MUG-update/images/workflow_initial2.png b/202305-NATO-MUG-update/images/workflow_initial2.png
new file mode 100644
index 0000000..d384c34
Binary files /dev/null and b/202305-NATO-MUG-update/images/workflow_initial2.png differ
diff --git a/202305-NATO-MUG-update/images/workflows.png b/202305-NATO-MUG-update/images/workflows.png
new file mode 100644
index 0000000..ce103af
Binary files /dev/null and b/202305-NATO-MUG-update/images/workflows.png differ
diff --git a/202305-NATO-MUG-update/images/workflows1.png b/202305-NATO-MUG-update/images/workflows1.png
new file mode 100644
index 0000000..2790cfb
Binary files /dev/null and b/202305-NATO-MUG-update/images/workflows1.png differ
diff --git a/202305-NATO-MUG-update/images/workflows2.png b/202305-NATO-MUG-update/images/workflows2.png
new file mode 100644
index 0000000..5b5ad1a
Binary files /dev/null and b/202305-NATO-MUG-update/images/workflows2.png differ
diff --git a/202305-NATO-MUG-update/images/workflows_filtered.png b/202305-NATO-MUG-update/images/workflows_filtered.png
new file mode 100644
index 0000000..8c44ce8
Binary files /dev/null and b/202305-NATO-MUG-update/images/workflows_filtered.png differ
diff --git a/202305-NATO-MUG-update/images/x-isac-logo.png b/202305-NATO-MUG-update/images/x-isac-logo.png
new file mode 100755
index 0000000..21c68bc
Binary files /dev/null and b/202305-NATO-MUG-update/images/x-isac-logo.png differ
diff --git a/202305-NATO-MUG-update/logo-circl.pdf b/202305-NATO-MUG-update/logo-circl.pdf
new file mode 100755
index 0000000..62c9239
Binary files /dev/null and b/202305-NATO-MUG-update/logo-circl.pdf differ
diff --git a/202305-NATO-MUG-update/makefile b/202305-NATO-MUG-update/makefile
new file mode 100644
index 0000000..6e5a51d
--- /dev/null
+++ b/202305-NATO-MUG-update/makefile
@@ -0,0 +1,5 @@
+all:
+ pdflatex -interaction nonstopmode -halt-on-error -file-line-error slide.tex
+
+clean:
+ rm *.aux *.nav *.log *.snm *.toc *.vrb
diff --git a/202305-NATO-MUG-update/misp.pdf b/202305-NATO-MUG-update/misp.pdf
new file mode 100644
index 0000000..f7a3f9d
Binary files /dev/null and b/202305-NATO-MUG-update/misp.pdf differ
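Review bot: The `clean` recipe runs a bare `rm` over six globs, so as soon as one of them matches nothing (a `.vrb` is typically only written when a fragile frame was typeset) `rm` exits non-zero and `make clean` fails instead of cleaning the rest. I would write it as `rm -f *.aux *.nav *.log *.snm *.toc *.vrb` and add `.PHONY: all clean` so a stray file named `all` or `clean` in the directory cannot shadow the targets. The `all` recipe also runs `pdflatex` once; the theme's `numbering=progressbar` and any table of contents are filled from the previous run's `.aux`, so a second pass (or `latexmk -pdf slide.tex`) is presumably wanted for a correct final PDF.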
diff --git a/202305-NATO-MUG-update/misplogo.pdf b/202305-NATO-MUG-update/misplogo.pdf
new file mode 100755
index 0000000..60da568
Binary files /dev/null and b/202305-NATO-MUG-update/misplogo.pdf differ
diff --git a/202305-NATO-MUG-update/slide.tex b/202305-NATO-MUG-update/slide.tex
new file mode 100644
index 0000000..7230998
--- /dev/null
+++ b/202305-NATO-MUG-update/slide.tex
@@ -0,0 +1,25 @@
+\documentclass{beamer}
+\usetheme[numbering=progressbar]{focus}
+\definecolor{main}{RGB}{47, 161, 219}
+\definecolor{textcolor}{RGB}{128, 128, 128}
+\definecolor{background}{RGB}{240, 247, 255}
+
+\usepackage[utf8]{inputenc}
+\usepackage{tikz}
+\usepackage{listings}
+\usepackage{adjustbox}
+\usetikzlibrary{positioning}
+\usetikzlibrary{shapes,arrows}
+%\usepackage[T1]{fontenc}
+%\usepackage[scaled]{beramono}
+\author{CIRCL team}
+\title{MISP project \& Cerebrate update}
+\subtitle{Update of the features \& development efforts }
+\institute{\includegraphics[scale=0.5]{misplogo.pdf}}
+\titlegraphic{\includegraphics[scale=0.85]{misp.pdf}}
+
+\date{2023-05-23 NATO MUG}
+\begin{document}
+\include{content}
+\end{document}
+
diff --git a/202305-NATO-MUG-update/timeline.jpeg b/202305-NATO-MUG-update/timeline.jpeg
new file mode 100644
index 0000000..d60db13
Binary files /dev/null and b/202305-NATO-MUG-update/timeline.jpeg differ
diff --git a/README.md b/README.md
index 2427eea..04e9779 100644
--- a/README.md
+++ b/README.md
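Review bot: `\include{content}` just before `\end{document}` is the chapter-style inclusion: it wraps the file in `\clearpage` and writes a separate `content.aux`, whereas the content file is a fragment meant to be spliced into this driver, for which `\input{content}` is the idiomatic form; I would change the line to `\input{content}`. In beamer the extra page breaks are harmless, so this is a point of style rather than a defect, and the sibling makefile's `clean` rule already removes `*.aux`. The commented-out `%\usepackage[T1]{fontenc}` is presumably deliberate, but without T1 the PDF's accented text is not reliably copyable or hyphenated, which matters if a translated `content_es.tex` is ever driven from this file.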
@@ -16,6 +16,7 @@ given to the materials. We welcome contributions in order to improve the trainin
 | ------------ | ----------- |
 | [0-misp-introduction-to-information-sharing](https://www.misp-project.org/misp-training/0-misp-introduction-to-information-sharing.pdf) | [source](https://github.com/MISP/misp-training/tree/main/0-misp-introduction-to-information-sharing) |
 | [MISP Data model overview (quick)](https://raw.githubusercontent.com/MISP/misp-training/477bdc9c71f77abd572f11c98f3ac8ecabe54310/complementary/other-slides/a.11.a-misp-data-model-overview.pdf) | |
+| [MISP Ten Commandments](https://github.com/MISP/misp-training/blob/main/complementary/other-slides/MISP%2010%20Commandments%20-%20Recommendations%20and%20Best%20Practices%20when%20encoding%20data.pdf)||
 | [1-misp-usage](https://www.misp-project.org/misp-training/1-misp-usage.pdf) | [source](https://github.com/MISP/misp-training/tree/main/1-misp-usage) |
 | [1.2-misp-integration](https://www.misp-project.org/misp-training/1.2-misp-integration.pdf) | [source](https://github.com/MISP/misp-training/tree/main/1.2-misp-integration) |
 | [1.1-misp-viper-integration](https://www.misp-project.org/misp-training/1.1-misp-viper-integration.pdf) | [source](https://github.com/MISP/misp-training/tree/main/1.1-misp-viper-integration) |
@@ -72,6 +73,8 @@ given to the materials. We welcome contributions in order to improve the trainin
 Sample videos which can be used to understand how the training materials are used in companion with a live MISP demo instance.
+- [MISP Workflow](https://www.youtube.com/watch?v=OyLE2g4zii0) - 16th December 2022
+- [MISP Best Practices for encoding threat intelligence (3 hours - online)](https://www.youtube.com/watch?v=JIeiwzY7Fvs) - 15th December 2022
 - [MISP Training Administration and Deployment of MISP software](https://youtu.be/sIHTRIwF-Mk) - 14th September 2022
 - [MISP Training Threat Intelligence Introduction for Analysts and Security Professional](https://youtu.be/sb36MMRTtLM) - 13th September 2022
 - [Fundamentals MISP given FIRSTdotOrg 2021 Virtual Symposium African and Arab regions](https://www.youtube.com/watch?v=00jq7Gbqdz8) - 18th December 2021
diff --git a/a.4-best-practices/content.tex b/a.4-best-practices/content.tex
index 7345b04..dde9d78 100644
--- a/a.4-best-practices/content.tex
+++ b/a.4-best-practices/content.tex
@@ -26,7 +26,7 @@
 \begin{frame}
 \frametitle{Communities operated by CIRCL}
 \begin{itemize}
- \item Private sector community
+ \item Private sector community (fall-back community)
 \begin{itemize}
 \item Our largest sharing community
 \item Over {\bf +1500 organisations}
@@ -53,8 +53,8 @@
 \item X-ISAC\footnote{\url{https://www.x-isac.org/}}
 \begin{itemize}
 \item {\bf Bridging the gap} between the various sectorial and geographical ISACs
- \item New, but ambitious initiative
 \item Goal is to {\bf bootstrap the cross-sectorial sharing} along with building the infrastructure to enable sharing when needed
+ \item Provide a basic set of threat intelligence for new ISACs
 \end{itemize}
 \end{itemize}
 \end{frame}
@@ -62,12 +62,13 @@
 \begin{frame}
 \frametitle{Communities operated by CIRCL}
 \begin{itemize}
- \item the ATT\&CK EU community\footnote{\url{https://www.attack-community.org/}}
+ \item The ATT\&CK EU community\footnote{\url{https://www.attack-community.org/}}
 \begin{itemize}
 \item Work on attacker modelling
 \item With the assistance of MITRE themselves
 \item Unique opportunity to {\bf standardise on TTPs}
- \item Looking for organisations that want to get involved!
+ \item Increasing the use of TTPs\footnote{Tactics, Techniques and Procedures} especially in sharing community like MITRE ATT\&CK
+ \item Major increase of MITRE ATT\&CK context in sharing communities
 \end{itemize}
 \end{itemize}
 \end{frame}
@@ -78,15 +79,15 @@
 \item ISAC / specialised community MISPs
 \begin{itemize}
 \item Topical or community specific instances hosted or co-managed by CIRCL
- \item Examples, GSMA, FIRST.org, CSIRT network, etc
+ \item Examples, GSMA, FIRST.org, CSIRTs network, etc
 \item Often come with their {\bf own taxonomies and domain specific object definitions}
 \end{itemize}
 \item FIRST.org's MISP community
 \item Telecom and Mobile operators' such as GSMA T-ISAC community
- \item Various ad-hoc communities for exercises for example
+ \item Various ad-hoc communities for cyber security exercises
 \begin{itemize}
- \item The ENISA exercise for example
- \item Locked Shields exercise
+ \item The ENISA exercise (Cyber Europe)
+ \item NATO Locked Shields exercise
 \end{itemize}
 \end{itemize}
 \end{frame}
@@ -118,7 +119,7 @@
 \item {\bf Co-ordination} and collaboration
 \item {\bf Takedown} requests
 \end{itemize}
- \item Alerting of information leaks (integration with {\bf AIL}\footnote{\url{https://github.com/CIRCL/AIL-framework}})
+ \item Alerting of information leaks (integration with {\bf AIL}\footnote{\url{https://www.ail-project.org/}})
 \end{itemize}
 \end{frame}
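Review bot: In the `@@ -62,12` hunk the added bullet `especially in sharing community like MITRE ATT\&CK` reads as if ATT&CK were itself a sharing community; presumably the intent is that ATT&CK is the vocabulary being adopted, which `\item Increasing the use of TTPs\footnote{Tactics, Techniques and Procedures} in sharing communities, especially via MITRE ATT\&CK` would say. The footnote expanding the acronym is also attached to its second use, since the context line `standardise on TTPs` just above uses it unexpanded, so moving the footnote to that first occurrence would read more naturally. The bullet after it, `Major increase of MITRE ATT\&CK context in sharing communities`, then restates much of the same point and could be folded into it.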
@@ -177,13 +178,13 @@
 \begin{frame}
 \frametitle{A quick note on compliance...}
 \begin{itemize}
- \item Collaboration with Deloitte as part of a CEF project for creating compliance documents
+ \item Collaboration with Deloitte and legal advisors as part of a CEF project for creating compliance documents
 \begin{itemize}
 \item Information sharing and cooperation {\bf enabled by GDPR}
 \item How MISP enables stakeholders identified by the {\bf NISD} to perform key activities
 \item {\bf AIL} and MISP
 \end{itemize}
- \item For more information: https://github.com/CIRCL/compliance
+\item For more information: \url{https://github.com/CIRCL/compliance}
 \end{itemize}
 \end{frame}
@@ -238,7 +239,7 @@
 \begin{itemize}
 \item Estimating requirements
 \item Deciding early on common vocabularies
- \item Offering services through MISP
+ \item Offering expansion,analysis and intelligence services through MISP
 \end{itemize}
 \end{itemize}
 \end{frame}
@@ -263,10 +264,10 @@
 \begin{itemize}
 \item Sharing comes in many shapes and sizes
 \begin{itemize}
- \item Sharing results / reports is the classical example
- \item Sharing enhancements to existing data
- \item Validating data / flagging false positives
- \item Asking for support from the community
+ \item Sharing {\bf results} / reports is the classical example
+ \item Sharing {\bf enhancements} to existing data/intelligence
+ \item Validating data / flagging false positives ({\bf sighting})
+ \item Asking for {\bf support and collaboration} from the community
 \end{itemize}
 \item {\bf Embrace all of them}. Even the ones that don't make sense right now, you never know when they come handy...
 \end{itemize}
diff --git a/a.7-rest-API/query-misp.ipynb b/a.7-rest-API/query-misp.ipynb
new file mode 100644
index 0000000..7e0fbc4
--- /dev/null
+++ b/a.7-rest-API/query-misp.ipynb
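Review bot: The rewritten bullet in the `@@ -238,7` hunk has no space after the comma in `expansion,analysis`, and LaTeX will set it on the slide exactly like that; it should read `\item Offering expansion, analysis and intelligence services through MISP`. In the `@@ -177,13` hunk the new `+\item For more information:` line also drops the leading space that every sibling `\item` in the itemize carries, which is harmless to the compiler but worth restoring so the block stays uniformly indented. Wrapping the compliance link in `\url{}` is the right fix for the old bare URL; the same treatment may be wanted for other bare links in this file that are outside the hunk.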
@@ -0,0 +1,1614 @@ +{ + "cells": [ + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "# Extracting data from MISP using PyMISP" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "## Recovering the API KEY" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "- Go to `Global Actions` then `My Profile`\n", + "- Access the `/users/view/me` URL" + ] + }, + { + "cell_type": "code", + "execution_count": 491, + "metadata": {}, + "outputs": [], + "source": [ + "from pymisp import PyMISP\n", + "import urllib3\n", + "urllib3.disable_warnings()\n", + "\n", + "misp_url = 'https://localhost:8443/'\n", + "misp_key = 'GqfuZo444EFlylND0XaKZsEXgWgkPgguUZ6KVRuq'\n", + "# Should PyMISP verify the MISP certificate\n", + "misp_verifycert = False\n", + "\n", + "misp = PyMISP(misp_url, misp_key, misp_verifycert)" + ] + }, + { + "cell_type": "code", + "execution_count": 492, + "metadata": {}, + "outputs": [], + "source": [ + "import datetime\n", + "from pprint import pprint\n", + "import base64\n", + "import subprocess" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "## Retreiving an Event" + ] + }, + { + "cell_type": "code", + "execution_count": 493, + "metadata": {}, + "outputs": [ + { + "name": "stdout", + "output_type": "stream", + "text": [ + "\n" + ] + } + ], + "source": [ + "r1 = misp.get_event('7907c4a9-a15c-4c60-a1b4-1d214cf8cf41', pythonify=True)\n", + "print(r1)\n", + "r2 = misp.get_event(2, pythonify=False)\n", + "print(type(r2))" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "## Searching the Event index" + ] + }, + { + "cell_type": "code", + "execution_count": 494, + "metadata": {}, + "outputs": [ + { + "name": "stdout", + "output_type": "stream", + "text": [ + "7907c4a9-a15c-4c60-a1b4-1d214cf8cf41\n" + ] + } + ], + "source": [ + "r = misp.search_index(pythonify=True)\n", + "print(r[1].uuid)" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": 
[ + "#### Only published Events" + ] + }, + { + "cell_type": "code", + "execution_count": 495, + "metadata": {}, + "outputs": [ + { + "name": "stdout", + "output_type": "stream", + "text": [ + "[ ip-port), ]\n", + "List of tags: 18\n", + "\tThird Attribute [, ]\n" + ] + } + ], + "source": [ + "r1 = misp.search(controller='attributes', tags='tlp:red', pythonify=True)\n", + "print('Simple tag:', len(r1))\n", + "print('\\tFirst Attribute', r1[0].Tag)\n", + "\n", + "r2 = misp.search(controller='attributes', tags=['PAP:RED', 'tlp:red'], pythonify=True)\n", + "print('List of tags:', len(r2))\n", + "print('\\tThird Attribute', r2[2].Tag)" + ] + }, + { + "cell_type": "code", + "execution_count": 502, + "metadata": {}, + "outputs": [ + { + "name": "stdout", + "output_type": "stream", + "text": [ + "Wildcard: 22\n", + "\tTags of all Attributes: [[], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], []]\n", + "\n", + "Open question: Why do we have Attributes despite them not having the correct tag attached?\n", + "\n" + ] + } + ], + "source": [ + "r3 = misp.search(controller='attributes', tags=['misp-galaxy:target-information=%'], pythonify=True)\n", + "print('Wildcard:', len(r3))\n", + "print('\\tTags of all Attributes:', [attr.Tag for attr in r3])\n", + "print()\n", + "print(base64.b64decode('T3BlbiBxdWVzdGlvbjogV2h5IGRvIHdlIGhhdmUgQXR0cmlidXRlcyBkZXNwaXRlIHRoZW0gbm90IGhhdmluZyB0aGUgY29ycmVjdCB0YWcgYXR0YWNoZWQ/Cg==').decode())" + ] + }, + { + "cell_type": "code", + "execution_count": 503, + "metadata": {}, + "outputs": [ + { + "name": "stdout", + "output_type": "stream", + "text": [ + "All unique Event tags: {'misp-galaxy:target-information=\"Canada\"', 'misp-galaxy:target-information=\"China\"', 'misp-galaxy:target-information=\"Germany\"', 'misp-galaxy:target-information=\"Luxembourg\"'}\n" + ] + } + ], + "source": [ + "allEventTags = [\n", + " [tag.name for tag in misp.get_event(attr.event_id, pythonify=True).Tag if 
tag.name.startswith('misp-galaxy:target-information=')]\n", + " for attr in r3\n", + "]\n", + "allUniqueEventTag = set()\n", + "for tags in allEventTags:\n", + " for tag in tags:\n", + " allUniqueEventTag.add(tag)\n", + "print('All unique Event tags:', allUniqueEventTag)" + ] + }, + { + "cell_type": "code", + "execution_count": 504, + "metadata": {}, + "outputs": [ + { + "name": "stdout", + "output_type": "stream", + "text": [ + "Negation: 17\n", + "All unique Event tags: {'misp-galaxy:target-information=\"Canada\"', 'misp-galaxy:target-information=\"China\"', 'misp-galaxy:target-information=\"Germany\"'}\n" + ] + } + ], + "source": [ + "r4 = misp.search(\n", + " controller='attributes',\n", + " tags=['misp-galaxy:target-information=%', '!misp-galaxy:target-information=\"Luxembourg\"'],\n", + " pythonify=True)\n", + "print('Negation:', len(r4))\n", + "\n", + "\n", + "# Showing unique Event tags\n", + "allEventTags = [\n", + " [tag.name for tag in misp.get_event(attr.event_id, pythonify=True).Tag if tag.name.startswith('misp-galaxy:target-information=')]\n", + " for attr in r4\n", + "]\n", + "allUniqueEventTag = set()\n", + "for tags in allEventTags:\n", + " for tag in tags:\n", + " allUniqueEventTag.add(tag)\n", + "print('All unique Event tags:', allUniqueEventTag)" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "**Want to also have the Event tags included**?" 
+ ] + }, + { + "cell_type": "code", + "execution_count": 505, + "metadata": {}, + "outputs": [ + { + "name": "stdout", + "output_type": "stream", + "text": [ + "Tags of first attibute: []\n", + "Tags of first attibute: ['tlp:white', 'osint:lifetime=\"perpetual\"', 'osint:certainty=\"50\"', 'workflow:state=\"draft\"', 'misp-galaxy:threat-actor=\"APT 29\"', 'smo:sync', 'misp-galaxy:target-information=\"Canada\"', 'misp-galaxy:target-information=\"China\"', 'misp-galaxy:sector=\"Defense\"', 'misp-galaxy:sector=\"Infrastructure\"', 'misp-galaxy:malpedia=\"Kobalos\"', 'misp-galaxy:mitre-attack-pattern=\"SSH - T1021.004\"', 'misp-galaxy:mitre-attack-pattern=\"Software - T1592.002\"']\n" + ] + } + ], + "source": [ + "r5 = misp.search(\n", + " controller='attributes',\n", + " tags='misp-galaxy:target-information=%',\n", + " pythonify=True)\n", + "print('Tags of first attibute:', [tag.name for tag in r5[0].Tag])\n", + "\n", + "r6 = misp.search(\n", + " controller='attributes',\n", + " tags='misp-galaxy:target-information=%',\n", + " includeEventTags=True,\n", + " pythonify=True)\n", + "print('Tags of first attibute:', [tag.name for tag in r6[0].Tag])" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "**Complex query**" + ] + }, + { + "cell_type": "code", + "execution_count": 506, + "metadata": {}, + "outputs": [ + { + "name": "stdout", + "output_type": "stream", + "text": [ + "Or: 1056\n", + "[['tlp:amber'], ['tlp:amber'], ['tlp:amber'], ['tlp:amber'], ['tlp:amber']]\n", + "\n", + "And: 5\n", + "[['adversary:infrastructure-type=\"c2\"', 'tlp:amber'],\n", + " ['adversary:infrastructure-type=\"c2\"', 'tlp:amber'],\n", + " ['adversary:infrastructure-type=\"c2\"', 'tlp:amber'],\n", + " ['adversary:infrastructure-type=\"c2\"', 'tlp:amber'],\n", + " ['adversary:infrastructure-type=\"c2\"', 'tlp:amber']]\n" + ] + } + ], + "source": [ + "complex_query = misp.build_complex_query(or_parameters=['tlp:amber', 'adversary:infrastructure-type=\"c2\"'])\n", + "r7 = 
misp.search(\n", + " controller='attributes',\n", + " tags=complex_query,\n", + " includeEventTags=True,\n", + " pythonify=True)\n", + "print('Or:', len(r7))\n", + "pprint([\n", + " [tag.name for tag in attr.Tag if (tag.name == 'tlp:amber' or tag.name == 'adversary:infrastructure-type=\"c2\"')] for attr in r7[:5]\n", + "])\n", + "print()\n", + "\n", + "complex_query = misp.build_complex_query(and_parameters=['tlp:amber', 'adversary:infrastructure-type=\"c2\"'])\n", + "r8 = misp.search(\n", + " controller='attributes',\n", + " tags=complex_query,\n", + " includeEventTags=True,\n", + " pythonify=True)\n", + "print('And:', len(r8))\n", + "pprint([\n", + " [tag.name for tag in attr.Tag if (tag.name == 'tlp:amber' or tag.name == 'adversary:infrastructure-type=\"c2\"')] for attr in r8\n", + "])" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "#### Searching on GalaxyCluster metadata" + ] + }, + { + "cell_type": "code", + "execution_count": 507, + "metadata": {}, + "outputs": [ + { + "name": "stdout", + "output_type": "stream", + "text": [ + "Events: 2\n", + "[['misp-galaxy:target-information=\"Canada\"',\n", + " 'misp-galaxy:target-information=\"China\"'],\n", + " ['misp-galaxy:target-information=\"Luxembourg\"']]\n" + ] + } + ], + "source": [ + "body = {\n", + " 'galaxy.member-of': 'NATO',\n", + " 'galaxy.official-languages': 'French',\n", + "}\n", + "\n", + "events = misp.direct_call('/events/restSearch', body)\n", + "print('Events: ', len(events))\n", + "pprint([\n", + " [tag['name'] for tag in event['Event']['Tag'] if tag['name'].startswith('misp-galaxy:target-information')] for event in events\n", + "])" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "- **Note 1**: The `galaxy.*` instructions are not supported by PyMISP\n", + "- **Note 2**: Each `galaxy.*` instructions are **AND**ed and are applied for the same cluster\n", + " - Cannot combine from different clusters\n", + " - Combining 
`Galaxy.official-languages` and `Galaxy.synonyms` would likely gives no result" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "#### Searching on creator Organisation metadata" + ] + }, + { + "cell_type": "code", + "execution_count": 508, + "metadata": {}, + "outputs": [ + { + "name": "stdout", + "output_type": "stream", + "text": [ + "Organisation nationality: {'admin_org': '', 'CIRCL': '', 'ORGNAME': '', 'Training': 'Luxembourg'}\n", + "Events: 4\n", + "Org for each Event: ['Training', 'Training', 'Training', 'Training']\n" + ] + } + ], + "source": [ + "all_orgs = misp.organisations()\n", + "print('Organisation nationality:', {org['Organisation']['name']: org['Organisation']['nationality'] for org in all_orgs})\n", + "\n", + "body = {\n", + " 'org.nationality': ['Luxembourg'],\n", + " 'org.sector': ['financial'],\n", + "}\n", + "\n", + "events = misp.direct_call('/events/restSearch', body)\n", + "print('Events: ', len(events))\n", + "print('Org for each Event:', [event['Event']['Orgc']['name'] for event in events])" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "- **Note 1**: The `org.*` instructions are not supported by PyMISP" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "#### ReturnFormat" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "**CSV**" + ] + }, + { + "cell_type": "code", + "execution_count": 509, + "metadata": {}, + "outputs": [ + { + "name": "stdout", + "output_type": "stream", + "text": [ + "uuid,event_id,category,type,value,comment,to_ids,date,object_relation,attribute_tag,object_uuid,object_name,object_meta_category\n", + "\"724d5417-41e6-40a5-b368-bdfbe652302a\",2,\"Network activity\",\"ip-dst\",\"4.3.2.1\",\"Hello all!\",0,1639127173,\"\",\"\",\"\",\"\",\"\"\n", + "\"ba8e1a5a-6bb6-4ae5-9872-0a01b6b05cad\",2,\"Network activity\",\"ip-dst\",\"5.3.1.2\",\"\",1,1639060465,\"ip\",\"\",\"\",\"\",\"\"\n", + 
"\"8c16cf20-d5bd-4ed3-b243-98c00c16e591\",2,\"Network activity\",\"ip-dst\",\"23.1.4.2\",\"\",1,1639126626,\"ip\",\"\",\"\",\"\",\"\"\n", + "\"25a7bbb0-31f6-4525-94c0-89af86030201\",16,\"Network activity\",\"ip-dst\",\"127.0.0.1\",\"\",1,1645191487,\"ip-dst\",\"\",\"\",\"\",\"\"\n", + "\"f3eb2f37-d08d-4dbb-be0c-346ac508693f\",16,\"Network activity\",\"ip-dst\",\"127.0.0.1\",\"\",1,1645191487,\"ip-dst\",\"\",\"\",\"\",\"\"\n", + "\"f0a002d8-38a5-40f9-9a62-7e975cc8f987\",16,\"Network activity\",\"ip-dst\",\"127.0.0.1\",\"\",1,1645191487,\"ip-dst\",\"\",\"\",\"\",\"\"\n", + "\"61bfb8e3-20e3-4f37-905d-9d4e14f2564a\",20,\"Network activity\",\"ip-dst\",\"8.231.77.176\",\"\",1,1665471239,\"ip\",\"PAP:RED,adversary:infrastructure-type=\"\"exploit-distribution-point\"\"\",\"\",\"\",\"\"\n", + "\"1ac08260-a5d6-4bee-bdcd-1525685ea07d\",20,\"Network activity\",\"ip-dst\",\"226.140.183.77\",\"\",1,1665471204,\"ip\",\"PAP:RED,adversary:infrastructure-type=\"\"c2\"\"\",\"\",\"\",\"\"\n", + "\"78ce291d-241b-4162-8d6b-6a85964a31b8\",20,\"Network activity\",\"ip-dst\",\"2efe:65b4:7533:4f5f:1081:995:ff87:348f\",\"\",1,1665471204,\"ip\",\"PAP:RED,adversary:infrastructure-type=\"\"c2\"\"\",\"\",\"\",\"\"\n", + "\"b760f7a7-0d96-4b47-86b2-d5524cd2eff0\",26,\"Network activity\",\"ip-dst\",\"8.8.8.8\",\"\",1,1663321650,\"ip\",\"\",\"\",\"\",\"\"\n", + "\"9023deba-1ba0-4ab3-a0bf-64a2d5c90520\",29,\"Network activity\",\"ip-dst\",\"81.177.170.166\",\"\",1,1665472920,\"ip\",\"adversary:infrastructure-type=\"\"c2\"\",misp-galaxy:mitre-attack-pattern=\"\"Botnet - T1583.005\"\"\",\"\",\"\",\"\"\n", + "\"c9d681ad-4087-4847-8f93-aef2e54452f2\",42,\"Network activity\",\"ip-dst\",\"2.2.2.2\",\"\",0,1671095982,\"ip\",\"\",\"\",\"\",\"\"\n", + "\"60950f6a-b3bf-4a0a-b901-43308e2f761a\",2,\"Network activity\",\"ip-src\",\"1.2.3.4\",\"\",0,1639060409,\"\",\"\",\"\",\"\",\"\"\n", + "\"f2a6eb8c-7a3e-4524-8036-1b90cb18fe75\",7,\"Payload 
delivery\",\"ip-src\",\"149.23.54.0\",\"today\",1,1622184577,\"\",\"\",\"\",\"\",\"\"\n", + "\"93bc9e55-20e9-4be1-b3e5-057e56a3b82e\",7,\"Payload delivery\",\"ip-src\",\"149.23.54.1\",\"today - 1 days\",1,1622184577,\"\",\"\",\"\",\"\",\"\"\n", + "\"f7771a53-fbdf-4980-822d-9a2339ce9076\",7,\"Payload delivery\",\"ip-src\",\"149.23.54.2\",\"today - 2 days\",1,1622184577,\"\",\"\",\"\",\"\",\"\"\n", + "\"4972022a-26fd-4270-b614-506a9c951be6\",7,\"Payload delivery\",\"ip-src\",\"149.23.54.3\",\"today - 3 days\",1,1622184578,\"\",\"admiralty-scale:information-credibility=\"\"1\"\",admiralty-scale:source-reliability=\"\"a\"\"\",\"\",\"\",\"\"\n", + "\"c661cd4b-0474-48eb-b4ed-eb02f6b569ea\",7,\"Payload delivery\",\"ip-src\",\"149.23.54.4\",\"today - 4 days\",1,1622184578,\"\",\"\",\"\",\"\",\"\"\n", + "\"42f68239-a794-492c-8fed-7520677824b0\",7,\"Payload delivery\",\"ip-src\",\"149.23.54.5\",\"today - 5 days\",1,1622184578,\"\",\"\",\"\",\"\",\"\"\n", + "\"d6404ba7-c847-49b8-8748-3029ce62e2b0\",7,\"Payload delivery\",\"ip-src\",\"149.23.54.6\",\"today - 6 days\",1,1622184578,\"\",\"\",\"\",\"\",\"\"\n", + "\"f04de340-ec63-471e-b5a2-66c3fe0676b6\",9,\"Network activity\",\"ip-src\",\"5.4.2.1\",\"\",0,1650956697,\"\",\"misp-galaxy:mitre-course-of-action=\"\"Access Token Manipulation Mitigation - T1134\"\"\",\"\",\"\",\"\"\n", + "\"7bb5432f-3d67-4d59-8a43-04e57e0dcc3f\",16,\"Network activity\",\"ip-src\",\"127.0.0.1\",\"\",1,1645191487,\"ip-src\",\"\",\"\",\"\",\"\"\n", + "\"b663b3b3-92af-41bf-a18f-8582bd0983b1\",16,\"Network activity\",\"ip-src\",\"127.0.0.1\",\"\",1,1645191487,\"ip-src\",\"\",\"\",\"\",\"\"\n", + "\"0ee4a946-d826-4884-aa28-e1b9da8cbbcb\",16,\"Network activity\",\"ip-src\",\"127.0.0.1\",\"\",1,1645191487,\"ip-src\",\"\",\"\",\"\",\"\"\n", + "\"1f4b0f6b-6cf9-47bf-acd4-f15b33e7d588\",21,\"Network activity\",\"ip-src\",\"185.194.93.14\",\"Attribute #281 enriched by dns.\",0,1668077578,\"\",\"\",\"\",\"\",\"\"\n", + 
"\"9f7f2d28-bcc8-466e-847f-3cf2a1ec4070\",21,\"Network activity\",\"ip-src\",\"31.22.121.122\",\"Attribute #291 enriched by dns.\",0,1663922175,\"\",\"\",\"\",\"\",\"\"\n", + "\"8153e053-c7c3-4a34-ae1c-b5cd3c80ba06\",22,\"Network activity\",\"ip-src\",\"8.231.77.176\",\"\",0,1659602097,\"\",\"\",\"\",\"\",\"\"\n", + "\"a57f70a2-70dd-4ea4-b879-fbcd03d465df\",24,\"Network activity\",\"ip-src\",\"8.231.77.176\",\"\",0,1662025545,\"\",\"another:tag\",\"\",\"\",\"\"\n", + "\"af044e10-5549-4018-bc6b-162cde1a1016\",21,\"Network activity\",\"ip-src\",\"8.231.77.176\",\"\",0,1661517935,\"\",\"\",\"\",\"\",\"\"\n", + "\"fbb12142-0f82-4430-b0bc-2b1f9e26af67\",23,\"Network activity\",\"ip-src\",\"8.231.77.176\",\"\",0,1661518277,\"\",\"\",\"\",\"\",\"\"\n", + "\"a783c55f-ac52-44b4-8be1-74d52bc2c4c3\",17,\"Network activity\",\"ip-src\",\"8.231.77.176\",\"\",0,1661517997,\"\",\"\",\"\",\"\",\"\"\n", + "\"90f6fd39-a426-43b3-9157-0c48bf0710fb\",22,\"Network activity\",\"ip-src\",\"31.22.121.122\",\"\",0,1661762437,\"\",\"\",\"\",\"\",\"\"\n", + "\"bc0a1ba5-d337-42b3-81fe-9d4b75a17bec\",26,\"Network activity\",\"ip-src\",\"185.194.93.14\",\"\",0,1663137408,\"\",\"\",\"\",\"\",\"\"\n", + "\"93931645-c86c-4dcf-aa4e-591edab44c4e\",26,\"Network activity\",\"ip-src\",\"8.8.8.8\",\"\",1,1663320641,\"\",\"\",\"\",\"\",\"\"\n", + "\n", + "\n" + ] + } + ], + "source": [ + "r1 = misp.search(\n", + " controller='attributes',\n", + " type_attribute=['ip-src', 'ip-dst'],\n", + " return_format='csv')\n", + "print(r1)" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "**Aggregated context** with `context-markdown`, `context` and `attack`" + ] + }, + { + "cell_type": "code", + "execution_count": 510, + "metadata": {}, + "outputs": [ + { + "name": "stdout", + "output_type": "stream", + "text": [ + "# Aggregated context data\n", + "## Tags and Taxonomies\n", + "#### admiralty-scale\n", + "*The Admiralty Scale or Ranking (also called the NATO System) is used to rank the 
reliability of a source and the credibility of an information. Reference based on FM 2-22.3 (FM 34-52) HUMAN INTELLIGENCE COLLECTOR OPERATIONS and NATO documents.*\n", + "- admiralty-scale:information-credibility="1"\n", + "\n", + " - **information-credibility**: Information Credibility\n", + " - **1**: Confirmed by other sources\n", + "- admiralty-scale:information-credibility="2"\n", + "\n", + " - **information-credibility**: Information Credibility\n", + " - **2**: Probably true\n", + "- admiralty-scale:source-reliability="a"\n", + "\n", + " - **source-reliability**: Source Reliability\n", + " - **a**: Completely reliable\n", + "#### economical-impact\n", + "*Economical impact is a taxonomy to describe the financial impact as positive or negative gain to the tagged information (e.g. data exfiltration loss, a positive gain for an adversary).*\n", + "- economical-impact:loss="less-than-1B-euro"\n", + "\n", + " - **loss**: Loss\n", + " - **less-than-1B-euro**: Less than 1 billion EUR\n", + "#### osint\n", + "*Open Source Intelligence - Classification (MISP taxonomies)*\n", + "- osint:certainty="50"\n", + "\n", + " - **certainty**: Certainty of the elements mentioned in this Open Source Intelligence\n", + " - **50**: Chances about even (probability equals 0.50 - 50%)\n", + "- osint:lifetime="perpetual"\n", + "\n", + " - **lifetime**: Lifetime of the information as Open Source Intelligence\n", + " - **perpetual**: Perpetual\n", + "#### tlp\n", + "*The Traffic Light Protocol - or short: TLP - was designed with the objective to create a favorable classification scheme for sharing sensitive information while keeping the control over its distribution at the same time.*\n", + "- tlp:red\n", + "\n", + " - **red**: (TLP:RED) Information exclusively and directly given to (a group of) individual recipients. 
Sharing outside is not legitimate.\n", + "- tlp:white\n", + "\n", + " - **white**: (TLP:WHITE) Information can be shared publicly in accordance with the law.\n", + "#### workflow\n", + "*Workflow support language is a common language to support intelligence analysts to perform their analysis on data and information.*\n", + "- workflow:state="draft"\n", + "\n", + " - **state**: State\n", + " - **draft**: Draft means the information tagged can be released as a preliminary version or outline\n", + "## Galaxy Clusters\n", + "#### Misinformation Pattern\n", + "*AM!TT Tactic*\n", + "- *[Adapt existing narratives](https://localhost:8443/galaxy_clusters/view/2712)*\n", + "Adapting existing narratives to current operational goals is the tactical sweet-spot for an effective misinformation campaign. Leveraging existing narratives is not only more effective, it requires substantially less resourcing, as the promotion of new master narratives operates on a much larger sca...\n", + "#### Malpedia\n", + "*Malware galaxy based on Malpedia archive.*\n", + "- *[Kobalos](https://localhost:8443/galaxy_clusters/view/4530)*\n", + "\n", + "#### Attack Pattern\n", + "*ATT&CK Tactic*\n", + "- *[SSH - T1021.004](https://localhost:8443/galaxy_clusters/view/9691)*\n", + "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.\n", + "\n", + "SSH is a protocol that allows authorized users to open remote shells on other computers. Many Linux and...\n", + "- *[Software - T1592.002](https://localhost:8443/galaxy_clusters/view/9721)*\n", + "Adversaries may gather information about the victim's host software that can be used during targeting. 
Information about installed software may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of...\n", + "#### Course of Action\n", + "*ATT&CK Mitigation*\n", + "- *[Access Token Manipulation Mitigation - T1134](https://localhost:8443/galaxy_clusters/view/8213)*\n", + "Access tokens are an integral part of the security system within Windows and cannot be turned off. However, an attacker must already have administrator level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require to ...\n", + "#### Sector\n", + "*Activity sectors*\n", + "- *[Defense](https://localhost:8443/galaxy_clusters/view/2762)*\n", + "\n", + "- *[Infrastructure](https://localhost:8443/galaxy_clusters/view/2780)*\n", + "\n", + "#### Target Information\n", + "*Description of targets of threat actors.*\n", + "- *[Canada](https://localhost:8443/galaxy_clusters/view/1994)*\n", + "\n", + "- *[China](https://localhost:8443/galaxy_clusters/view/2000)*\n", + "\n", + "#### Threat Actor\n", + "*Threat actors are characteristics of malicious actors (or adversaries) representing a cyber attack threat including presumed intent and historically observed behaviour.*\n", + "- *[APT 29](https://localhost:8443/galaxy_clusters/view/7251)*\n", + "A 2015 report by F-Secure describe APT29 as: 'The Dukes are a well-resourced, highly dedicated and organized cyberespionage group that we believe has been working for the Russian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision-making. 
Th...\n" + ] + } + ], + "source": [ + "# Get the context of Events that were created by organisations from the financial sector\n", + "\n", + "body = {\n", + " 'returnFormat': 'context-markdown',\n", + " 'org.sector': ['financial'],\n", + "}\n", + "\n", + "r2 = misp.direct_call('/events/restSearch', body)\n", + "print(r2)" + ] + }, + { + "cell_type": "code", + "execution_count": 511, + "metadata": {}, + "outputs": [], + "source": [ + "# Get the context of Events that had the threat actor APT-29 attached\n", + "\n", + "body = {\n", + " 'returnFormat': 'context',\n", + " 'tags': ['misp-galaxy:threat-actor=\\\"APT 29\\\"'],\n", + " 'staticHtml': 1, # If you want a JS-free HTML\n", + "}\n", + "\n", + "r2 = misp.direct_call('/events/restSearch', body)\n", + "with open('/tmp/attackOutput.html', 'w') as f:\n", + " f.write(r2)\n", + " # subprocess.run(['google-chrome', '--incognito', '/tmp/attackOutput.html'])\n" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "#### Be carefull with the amount of data you ask, use `pagination` if needed\n", + "\n", + "- `limit`: Specify the amount of data to be returned\n", + "- `page`: Specify the start of the rolling window. Is **not** zero-indexed\n", + "\n", + "If the size of the returned data is larger than the memory enveloppe you might get a different behavior based on your MISP setting:\n", + "- Nothing returned. Allowed memeory by PHP process exausted\n", + "- Data returned but slow. 
MISP will concatenante the returned data in a temporary file on disk\n", + " - This behavior is only applicable for `/*/restSearch` endpoints" + ] + }, + { + "cell_type": "code", + "execution_count": null, + "metadata": {}, + "outputs": [], + "source": [ + "r1 = misp.search(controller='attributes', pythonify=True)\n", + "print('Amount of Attributes', len(r1))\n", + "\n", + "r2 = misp.search(\n", + " controller='attributes',\n", + " page=1,\n", + " limit=5,\n", + " pythonify=True)\n", + "print('Amount of paginated Attributes', len(r2))" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "## Searching for Sightings" + ] + }, + { + "cell_type": "code", + "execution_count": 513, + "metadata": {}, + "outputs": [ + { + "name": "stdout", + "output_type": "stream", + "text": [ + "[{'Sighting': {'Organisation': {'id': '1',\n", + " 'name': 'ORGNAME',\n", + " 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n", + " 'attribute_id': '1441',\n", + " 'date_sighting': '1670924035',\n", + " 'event_id': '40',\n", + " 'id': '12',\n", + " 'org_id': '1',\n", + " 'source': '',\n", + " 'type': '0',\n", + " 'uuid': '65bd7539-29eb-46eb-bf7b-4c02473062c7',\n", + " 'value': '398324'}},\n", + " {'Sighting': {'Organisation': {'id': '1',\n", + " 'name': 'ORGNAME',\n", + " 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n", + " 'attribute_id': '1441',\n", + " 'date_sighting': '1670924430',\n", + " 'event_id': '40',\n", + " 'id': '13',\n", + " 'org_id': '1',\n", + " 'source': '',\n", + " 'type': '0',\n", + " 'uuid': '10857410-0033-4457-8a1d-c8331ee55d72',\n", + " 'value': '398324'}},\n", + " {'Sighting': {'Organisation': {'id': '1',\n", + " 'name': 'ORGNAME',\n", + " 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n", + " 'attribute_id': '1441',\n", + " 'date_sighting': '1670924454',\n", + " 'event_id': '40',\n", + " 'id': '14',\n", + " 'org_id': '1',\n", + " 'source': '',\n", + " 'type': '1',\n", + " 'uuid': '1639fe60-0458-40f3-961b-7dc14eee9a7b',\n", + " 'value': 
'398324'}},\n", + " {'Sighting': {'Organisation': {'id': '1',\n", + " 'name': 'ORGNAME',\n", + " 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n", + " 'attribute_id': '1441',\n", + " 'date_sighting': '1670924455',\n", + " 'event_id': '40',\n", + " 'id': '15',\n", + " 'org_id': '1',\n", + " 'source': '',\n", + " 'type': '1',\n", + " 'uuid': 'ee54ec70-3597-4455-bce9-c889202d533e',\n", + " 'value': '398324'}},\n", + " {'Sighting': {'Organisation': {'id': '1',\n", + " 'name': 'ORGNAME',\n", + " 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n", + " 'attribute_id': '1441',\n", + " 'date_sighting': '1670924456',\n", + " 'event_id': '40',\n", + " 'id': '16',\n", + " 'org_id': '1',\n", + " 'source': '',\n", + " 'type': '1',\n", + " 'uuid': '2c1cf4d1-a6ce-474b-8878-0251ee2b6bc5',\n", + " 'value': '398324'}},\n", + " {'Sighting': {'Organisation': {'id': '1',\n", + " 'name': 'ORGNAME',\n", + " 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n", + " 'attribute_id': '1448',\n", + " 'date_sighting': '1671027299',\n", + " 'event_id': '41',\n", + " 'id': '17',\n", + " 'org_id': '1',\n", + " 'source': '',\n", + " 'type': '0',\n", + " 'uuid': '39dff1d2-7082-48a9-8d30-ce29d412879b',\n", + " 'value': 'testtest'}},\n", + " {'Sighting': {'Organisation': {'id': '1',\n", + " 'name': 'ORGNAME',\n", + " 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n", + " 'attribute_id': '1448',\n", + " 'date_sighting': '1671027301',\n", + " 'event_id': '41',\n", + " 'id': '18',\n", + " 'org_id': '1',\n", + " 'source': '',\n", + " 'type': '0',\n", + " 'uuid': '84a8e7d0-715b-453f-8cdb-07db0c208185',\n", + " 'value': 'testtest'}},\n", + " {'Sighting': {'Organisation': {'id': '1',\n", + " 'name': 'ORGNAME',\n", + " 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n", + " 'attribute_id': '77',\n", + " 'date_sighting': '1671027307',\n", + " 'event_id': '9',\n", + " 'id': '19',\n", + " 'org_id': '1',\n", + " 'source': '',\n", + " 'type': '0',\n", + " 'uuid': '264e4a25-e072-46e5-8460-b8df72e3115c',\n", + 
" 'value': '5.4.2.1'}},\n", + " {'Sighting': {'Organisation': {'id': '1',\n", + " 'name': 'ORGNAME',\n", + " 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n", + " 'attribute_id': '77',\n", + " 'date_sighting': '1671027308',\n", + " 'event_id': '9',\n", + " 'id': '20',\n", + " 'org_id': '1',\n", + " 'source': '',\n", + " 'type': '0',\n", + " 'uuid': 'b9f15aeb-54ea-44e5-90b8-22a418b973df',\n", + " 'value': '5.4.2.1'}},\n", + " {'Sighting': {'Organisation': {'id': '1',\n", + " 'name': 'ORGNAME',\n", + " 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n", + " 'attribute_id': '243',\n", + " 'date_sighting': '1671027309',\n", + " 'event_id': '9',\n", + " 'id': '21',\n", + " 'org_id': '1',\n", + " 'source': '',\n", + " 'type': '0',\n", + " 'uuid': '4ef355f8-1cd3-476c-bccf-90a23b4eebfe',\n", + " 'value': 'test'}},\n", + " {'Sighting': {'Organisation': {'id': '1',\n", + " 'name': 'ORGNAME',\n", + " 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n", + " 'attribute_id': '1342',\n", + " 'date_sighting': '1671029412',\n", + " 'event_id': '29',\n", + " 'id': '22',\n", + " 'org_id': '1',\n", + " 'source': '',\n", + " 'type': '0',\n", + " 'uuid': 'f0e76bec-2e04-4e88-a976-df831257c856',\n", + " 'value': 'malware.exe|70f3bc193dfa56b78f3e6e4f800f701f'}},\n", + " {'Sighting': {'Organisation': {'id': '1',\n", + " 'name': 'ORGNAME',\n", + " 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n", + " 'attribute_id': '1342',\n", + " 'date_sighting': '1671029413',\n", + " 'event_id': '29',\n", + " 'id': '23',\n", + " 'org_id': '1',\n", + " 'source': '',\n", + " 'type': '0',\n", + " 'uuid': '803bb696-ae86-4a04-9793-5f54a45c99b7',\n", + " 'value': 'malware.exe|70f3bc193dfa56b78f3e6e4f800f701f'}},\n", + " {'Sighting': {'Organisation': {'id': '1',\n", + " 'name': 'ORGNAME',\n", + " 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n", + " 'attribute_id': '1342',\n", + " 'date_sighting': '1671029414',\n", + " 'event_id': '29',\n", + " 'id': '24',\n", + " 'org_id': '1',\n", + " 'source': 
'',\n", + " 'type': '0',\n", + " 'uuid': 'fd8c4c0f-ebbb-4294-ade1-57493f1edc9a',\n", + " 'value': 'malware.exe|70f3bc193dfa56b78f3e6e4f800f701f'}},\n", + " {'Sighting': {'Organisation': {'id': '1',\n", + " 'name': 'ORGNAME',\n", + " 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n", + " 'attribute_id': '1441',\n", + " 'date_sighting': '1671030274',\n", + " 'event_id': '40',\n", + " 'id': '25',\n", + " 'org_id': '1',\n", + " 'source': '',\n", + " 'type': '0',\n", + " 'uuid': 'c84dd497-ad48-4b82-8203-6135a9a924fc',\n", + " 'value': '398324'}}]\n" + ] + } + ], + "source": [ + "body = {\n", + " 'last': '7d'\n", + "}\n", + "\n", + "sightings = misp.direct_call('/sightings/restSearch', body)\n", + "pprint(sightings)" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "## Plotting data" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "#### Sightings over time" + ] + }, + { + "cell_type": "code", + "execution_count": 512, + "metadata": {}, + "outputs": [], + "source": [ + "import pandas as pd\n", + "import matplotlib.pyplot as plt" + ] + }, + { + "cell_type": "code", + "execution_count": 514, + "metadata": {}, + "outputs": [ + { + "data": { + "text/html": [ + "
\n", + "\n", + "\n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + " \n", + "
idattribute_idevent_idorg_iddate_sightinguuidsourcetypevalueOrganisationone
01214414012022-12-13 09:33:5565bd7539-29eb-46eb-bf7b-4c02473062c70398324{'id': '1', 'uuid': 'c5de83b4-36ba-49d6-9530-2...1
11314414012022-12-13 09:40:3010857410-0033-4457-8a1d-c8331ee55d720398324{'id': '1', 'uuid': 'c5de83b4-36ba-49d6-9530-2...1
21414414012022-12-13 09:40:541639fe60-0458-40f3-961b-7dc14eee9a7b1398324{'id': '1', 'uuid': 'c5de83b4-36ba-49d6-9530-2...1
31514414012022-12-13 09:40:55ee54ec70-3597-4455-bce9-c889202d533e1398324{'id': '1', 'uuid': 'c5de83b4-36ba-49d6-9530-2...1
41614414012022-12-13 09:40:562c1cf4d1-a6ce-474b-8878-0251ee2b6bc51398324{'id': '1', 'uuid': 'c5de83b4-36ba-49d6-9530-2...1
51714484112022-12-14 14:14:5939dff1d2-7082-48a9-8d30-ce29d412879b0testtest{'id': '1', 'uuid': 'c5de83b4-36ba-49d6-9530-2...1
61814484112022-12-14 14:15:0184a8e7d0-715b-453f-8cdb-07db0c2081850testtest{'id': '1', 'uuid': 'c5de83b4-36ba-49d6-9530-2...1
71977912022-12-14 14:15:07264e4a25-e072-46e5-8460-b8df72e3115c05.4.2.1{'id': '1', 'uuid': 'c5de83b4-36ba-49d6-9530-2...1
82077912022-12-14 14:15:08b9f15aeb-54ea-44e5-90b8-22a418b973df05.4.2.1{'id': '1', 'uuid': 'c5de83b4-36ba-49d6-9530-2...1
921243912022-12-14 14:15:094ef355f8-1cd3-476c-bccf-90a23b4eebfe0test{'id': '1', 'uuid': 'c5de83b4-36ba-49d6-9530-2...1
102213422912022-12-14 14:50:12f0e76bec-2e04-4e88-a976-df831257c8560malware.exe|70f3bc193dfa56b78f3e6e4f800f701f{'id': '1', 'uuid': 'c5de83b4-36ba-49d6-9530-2...1
112313422912022-12-14 14:50:13803bb696-ae86-4a04-9793-5f54a45c99b70malware.exe|70f3bc193dfa56b78f3e6e4f800f701f{'id': '1', 'uuid': 'c5de83b4-36ba-49d6-9530-2...1
122413422912022-12-14 14:50:14fd8c4c0f-ebbb-4294-ade1-57493f1edc9a0malware.exe|70f3bc193dfa56b78f3e6e4f800f701f{'id': '1', 'uuid': 'c5de83b4-36ba-49d6-9530-2...1
132514414012022-12-14 15:04:34c84dd497-ad48-4b82-8203-6135a9a924fc0398324{'id': '1', 'uuid': 'c5de83b4-36ba-49d6-9530-2...1
\n", + "
" + ], + "text/plain": [ + " id attribute_id event_id org_id date_sighting \\\n", + "0 12 1441 40 1 2022-12-13 09:33:55 \n", + "1 13 1441 40 1 2022-12-13 09:40:30 \n", + "2 14 1441 40 1 2022-12-13 09:40:54 \n", + "3 15 1441 40 1 2022-12-13 09:40:55 \n", + "4 16 1441 40 1 2022-12-13 09:40:56 \n", + "5 17 1448 41 1 2022-12-14 14:14:59 \n", + "6 18 1448 41 1 2022-12-14 14:15:01 \n", + "7 19 77 9 1 2022-12-14 14:15:07 \n", + "8 20 77 9 1 2022-12-14 14:15:08 \n", + "9 21 243 9 1 2022-12-14 14:15:09 \n", + "10 22 1342 29 1 2022-12-14 14:50:12 \n", + "11 23 1342 29 1 2022-12-14 14:50:13 \n", + "12 24 1342 29 1 2022-12-14 14:50:14 \n", + "13 25 1441 40 1 2022-12-14 15:04:34 \n", + "\n", + " uuid source type \\\n", + "0 65bd7539-29eb-46eb-bf7b-4c02473062c7 0 \n", + "1 10857410-0033-4457-8a1d-c8331ee55d72 0 \n", + "2 1639fe60-0458-40f3-961b-7dc14eee9a7b 1 \n", + "3 ee54ec70-3597-4455-bce9-c889202d533e 1 \n", + "4 2c1cf4d1-a6ce-474b-8878-0251ee2b6bc5 1 \n", + "5 39dff1d2-7082-48a9-8d30-ce29d412879b 0 \n", + "6 84a8e7d0-715b-453f-8cdb-07db0c208185 0 \n", + "7 264e4a25-e072-46e5-8460-b8df72e3115c 0 \n", + "8 b9f15aeb-54ea-44e5-90b8-22a418b973df 0 \n", + "9 4ef355f8-1cd3-476c-bccf-90a23b4eebfe 0 \n", + "10 f0e76bec-2e04-4e88-a976-df831257c856 0 \n", + "11 803bb696-ae86-4a04-9793-5f54a45c99b7 0 \n", + "12 fd8c4c0f-ebbb-4294-ade1-57493f1edc9a 0 \n", + "13 c84dd497-ad48-4b82-8203-6135a9a924fc 0 \n", + "\n", + " value \\\n", + "0 398324 \n", + "1 398324 \n", + "2 398324 \n", + "3 398324 \n", + "4 398324 \n", + "5 testtest \n", + "6 testtest \n", + "7 5.4.2.1 \n", + "8 5.4.2.1 \n", + "9 test \n", + "10 malware.exe|70f3bc193dfa56b78f3e6e4f800f701f \n", + "11 malware.exe|70f3bc193dfa56b78f3e6e4f800f701f \n", + "12 malware.exe|70f3bc193dfa56b78f3e6e4f800f701f \n", + "13 398324 \n", + "\n", + " Organisation one \n", + "0 {'id': '1', 'uuid': 'c5de83b4-36ba-49d6-9530-2... 1 \n", + "1 {'id': '1', 'uuid': 'c5de83b4-36ba-49d6-9530-2... 
1 \n", + "2 {'id': '1', 'uuid': 'c5de83b4-36ba-49d6-9530-2... 1 \n", + "3 {'id': '1', 'uuid': 'c5de83b4-36ba-49d6-9530-2... 1 \n", + "4 {'id': '1', 'uuid': 'c5de83b4-36ba-49d6-9530-2... 1 \n", + "5 {'id': '1', 'uuid': 'c5de83b4-36ba-49d6-9530-2... 1 \n", + "6 {'id': '1', 'uuid': 'c5de83b4-36ba-49d6-9530-2... 1 \n", + "7 {'id': '1', 'uuid': 'c5de83b4-36ba-49d6-9530-2... 1 \n", + "8 {'id': '1', 'uuid': 'c5de83b4-36ba-49d6-9530-2... 1 \n", + "9 {'id': '1', 'uuid': 'c5de83b4-36ba-49d6-9530-2... 1 \n", + "10 {'id': '1', 'uuid': 'c5de83b4-36ba-49d6-9530-2... 1 \n", + "11 {'id': '1', 'uuid': 'c5de83b4-36ba-49d6-9530-2... 1 \n", + "12 {'id': '1', 'uuid': 'c5de83b4-36ba-49d6-9530-2... 1 \n", + "13 {'id': '1', 'uuid': 'c5de83b4-36ba-49d6-9530-2... 1 " + ] + }, + "execution_count": 514, + "metadata": {}, + "output_type": "execute_result" + } + ], + "source": [ + "# Converting our data to Panda DataFrame\n", + "sighting_rearranged = [sighting['Sighting'] for sighting in sightings]\n", + "df = pd.DataFrame.from_dict(sighting_rearranged)\n", + "df[\"date_sighting\"] = pd.to_datetime(df[\"date_sighting\"], unit='s')\n", + "df['one'] = 1\n", + "df" + ] + }, + { + "cell_type": "code", + "execution_count": null, + "metadata": {}, + "outputs": [], + "source": [ + "print('Min and Max:', df['date_sighting'].min(), df['date_sighting'].max())\n", + "print('Time delta:', df['date_sighting'].max() - df['date_sighting'].min())\n", + "print('Unique Event IDs:', df.event_id.unique())" + ] + }, + { + "cell_type": "code", + "execution_count": 515, + "metadata": {}, + "outputs": [ + { + "name": "stdout", + "output_type": "stream", + "text": [ + "1441 6\n", + "1342 3\n", + "1448 2\n", + "77 2\n", + "243 1\n", + "Name: attribute_id, dtype: int64\n" + ] + }, + { + "data": { + "text/plain": [ + "" + ] + }, + "execution_count": 515, + "metadata": {}, + "output_type": "execute_result" + }, + { + "data": { + "image/png": "", + "text/plain": [ + "
" + ] + }, + "metadata": {}, + "output_type": "display_data" + } + ], + "source": [ + "# Grouping by Attribute value\n", + "value_count = df['attribute_id'].value_counts()\n", + "print(value_count)\n", + "value_count.plot(kind='bar', rot=45)" + ] + }, + { + "cell_type": "code", + "execution_count": 516, + "metadata": {}, + "outputs": [ + { + "name": "stdout", + "output_type": "stream", + "text": [ + "2 9\n", + "1 5\n", + "Name: date_sighting, dtype: int64\n" + ] + }, + { + "data": { + "text/plain": [ + "" + ] + }, + "execution_count": 516, + "metadata": {}, + "output_type": "execute_result" + }, + { + "data": { + "image/png": "iVBORw0KGgoAAAANSUhEUgAAAhYAAAGdCAYAAABO2DpVAAAAOXRFWHRTb2Z0d2FyZQBNYXRwbG90bGliIHZlcnNpb24zLjYuMiwgaHR0cHM6Ly9tYXRwbG90bGliLm9yZy8o6BhiAAAACXBIWXMAAA9hAAAPYQGoP6dpAAAQG0lEQVR4nO3dX2jVdR/A8c9UOlnMPWrNFFdKBOafytKihCiKIizyJgoMzCCiZmZC5C4shtQSQgYl9geqXaTWjRU9ZIgwRUoqrciLNKmnRmEaxWYLTuL2XDw02KOrfvNzth19veB3cb7+fvw+QafefH/neGp6e3t7AwAgwajhHgAAOH0ICwAgjbAAANIICwAgjbAAANIICwAgjbAAANIICwAgzZihvmFPT0/8+OOPUVtbGzU1NUN9ewBgEHp7e+Po0aMxZcqUGDVq4H2JIQ+LH3/8MRoaGob6tgBAgo6Ojpg6deqAfz7kYVFbWxsR/xts3LhxQ317AGAQurq6oqGhoe//4wMZ8rD48/HHuHHjhAUAVJm/+xiDD28CAGmEBQCQRlgAAGmEBQCQRlgAAGmEBQCQRlgAAGmEBQCQRlgAAGmEBQCQRlgAAGmEBQCQRlgAAGmEBQCQZsh/Nv1MNm3Vv4d7BIbQf55dONwjAAw5OxYAQBphAQCkERYAQBphAQCkERYAQBphAQCkERYAQBphAQCkERYAQBphAQCkERYAQBphAQCkERYAQBphAQCkERYAQBphAQCkERYAQBphAQCkERYAQBphAQCkERYAQBphAQCkERYAQBphAQCkERYAQBphAQCkERYAQBphAQCkERYAQBphAQCkERYAQBphAQCkERYAQBphAQCkKRQWx48fj9WrV8f06dNj7NixcfHFF8eaNWuit7e3UvMBAFVkTJGT165dGxs2bIi2traYNWtWfPrpp7F06dKoq6uL5cuXV2pGAKBKFAqLDz/8MO68885YuHBhRERMmzYtNm3aFB9//HFFhgMAqkuhRyHXXXddbN++PQ4cOBAREV988UXs2rUrbrvttgGvKZfL0dXV1e8AAE5PhXYsVq1aFV1dXTFjxowYPXp0HD9+PJ5++ulYvHjxgNe0tLREc3PzKQ8KAIx8hXYs3nrrrXjjjTdi48aNsXfv3mhra4vnnnsu2traBrymqakpOjs7+46Ojo5THhoAGJkK7Vg8/vjjsWrVqrjnnnsiImLOnDnx3XffRUtLSyxZsuSk15RKpSiVSqc+KQAw4hXasfj9999j1Kj+l4wePTp6enpShwIAqlOhHYs77rgjnn766bjwwgtj1qxZ8dlnn8W6devi/vvvr9R8AEAVKRQWzz//fKxevToefvjhOHz4cEyZM
iUefPDBePLJJys1HwBQRQqFRW1tbbS2tkZra2uFxgEAqpnfCgEA0ggLACCNsAAA0ggLACCNsAAA0ggLACCNsAAA0ggLACCNsAAA0ggLACCNsAAA0ggLACCNsAAA0ggLACCNsAAA0ggLACCNsAAA0ggLACCNsAAA0ggLACCNsAAA0ggLACCNsAAA0ggLACCNsAAA0ggLACCNsAAA0ggLACCNsAAA0ggLACCNsAAA0ggLACCNsAAA0ggLACCNsAAA0ggLACCNsAAA0ggLACCNsAAA0ggLACCNsAAA0ggLACCNsAAA0ggLACCNsAAA0ggLACCNsAAA0ggLACCNsAAA0ggLACCNsAAA0ggLACCNsAAA0ggLACCNsAAA0ggLACCNsAAA0ggLACCNsAAA0ggLACCNsAAA0ggLACCNsAAA0ggLACCNsAAA0ggLACCNsAAA0hQOix9++CHuvffemDhxYowdOzbmzJkTn376aSVmAwCqzJgiJ//666+xYMGCuPHGG+P999+P888/P77++usYP358peYDAKpIobBYu3ZtNDQ0xGuvvda3Nn369PShAIDqVOhRyLvvvhvz5s2Lu+66K+rr62Pu3LnxyiuvVGo2AKDKFAqLb775JjZs2BCXXHJJfPDBB/HQQw/F8uXLo62tbcBryuVydHV19TsAgNNToUchPT09MW/evHjmmWciImLu3Lmxb9++ePHFF2PJkiUnvaalpSWam5tPfVIAYMQrtGMxefLkmDlzZr+1Sy+9NL7//vsBr2lqaorOzs6+o6OjY3CTAgAjXqEdiwULFsT+/fv7rR04cCAuuuiiAa8plUpRKpUGNx0AUFUK7Vg89thjsXv37njmmWfi4MGDsXHjxnj55ZejsbGxUvMBAFWkUFjMnz8/tmzZEps2bYrZs2fHmjVrorW1NRYvXlyp+QCAKlLoUUhExO233x633357JWYBAKqc3woBANIICwAgjbAAANIICwAgjbAAANIICwAgjbAAANIICwAgjbAAANIICwAgjbAAANIICwAgjbAAANIICwAgjbAAANIICwAgjbAAANIICwAgjbAAANIICwAgjbAAANIICwAgjbAAANIICwAgjbAAANIICwAgjbAAANIICwAgjbAAANIICwAgjbAAANIICwAgjbAAANKMGe4BAE4H01b9e7hHYAj959mFwz3CiGXHAgBIIywAgDTCAgBIIywAgDTCAgBIIywAgDTCAgBIIywAgDTCAgBIIywAgDTCAgBIIywAgDTCAgBIIywAgDTCAgBIIywAgDTCAgBIIywAgDTCAgBIIywAgDTCAgBIIywAgDTCAgBIIywAgDTCAgBIIywAgDTCAgBIIywAgDTCAgBIIywAgDTCAgBIIywAgDTCAgBIIywAgDSnFBbPPvts1NTUxIoVK5LGAQCq2aDD4pNPPomXXnopLrvsssx5AIAqNqiw+O2332Lx4sXxyiuvxPjx47NnAgCq1KDCorGxMRYuXBg333zz355bLpejq6ur3wEAnJ7GFL1g8+bNsXfv3vjkk0/+0fktLS3R3NxceDAAoPoU2rHo6OiIRx99NN544404++yz/9E1TU1N0dnZ2Xd0dHQMalAAYOQrtGOxZ8+eOHz4cFx55ZV9a8ePH4+dO3fGCy+8EOVyOUaPHt3vmlKpFKVSKWdaAGBEKxQWN910U3z55Zf91pYuXRozZsyIJ5544oSoAADOLIXCora2NmbPnt1v7dxzz42JEyeesA4AnHn8zZsAQJrC3wr5f+3t7QljAACnAzsWAEAaYQEApBEWAEAaYQEApBEWAEAaYQEApBEWAEAaYQEApBEWAEAaYQEApBEWAEAaYQEApBEWAEAaYQEApBEWAEAaYQEApBEWAEAaYQEApBEWAEAaYQEApBEWAEAaYQEApBEWAEAaYQEApBEWAEAaYQEApBEWAEAaYQEApBEWAEAaYQEApBEWAEAaYQEApBEWAEAaYQEApBEWAEAaYQEApBEWA
EAaYQEApBEWAEAaYQEApBEWAEAaYQEApBEWAEAaYQEApBEWAEAaYQEApBEWAEAaYQEApBEWAEAaYQEApBEWAEAaYQEApBEWAEAaYQEApBEWAEAaYQEApBEWAEAaYQEApBEWAEAaYQEApBEWAEAaYQEApBEWAEAaYQEApBEWAEAaYQEApBEWAECaQmHR0tIS8+fPj9ra2qivr49FixbF/v37KzUbAFBlCoXFjh07orGxMXbv3h3btm2LY8eOxS233BLd3d2Vmg8AqCJjipy8devWfq9ff/31qK+vjz179sT111+fOhgAUH0KhcX/6+zsjIiICRMmDHhOuVyOcrnc97qrq+tUbgkAjGCD/vBmT09PrFixIhYsWBCzZ88e8LyWlpaoq6vrOxoaGgZ7SwBghBt0WDQ2Nsa+ffti8+bNf3leU1NTdHZ29h0dHR2DvSUAMMIN6lHIsmXL4r333oudO3fG1KlT//LcUqkUpVJpUMMBANWlUFj09vbGI488Elu2bIn29vaYPn16peYCAKpQobBobGyMjRs3xjvvvBO1tbVx6NChiIioq6uLsWPHVmRAAKB6FPqMxYYNG6KzszNuuOGGmDx5ct/x5ptvVmo+AKCKFH4UAgAwEL8VAgCkERYAQBphAQCkERYAQBphAQCkERYAQBphAQCkERYAQBphAQCkERYAQBphAQCkERYAQBphAQCkERYAQBphAQCkERYAQBphAQCkERYAQBphAQCkERYAQBphAQCkERYAQBphAQCkERYAQBphAQCkERYAQBphAQCkERYAQBphAQCkERYAQBphAQCkERYAQBphAQCkERYAQBphAQCkERYAQBphAQCkERYAQBphAQCkERYAQBphAQCkERYAQBphAQCkERYAQBphAQCkERYAQBphAQCkERYAQBphAQCkERYAQBphAQCkERYAQBphAQCkERYAQBphAQCkERYAQBphAQCkERYAQBphAQCkERYAQBphAQCkERYAQBphAQCkERYAQBphAQCkERYAQBphAQCkGVRYrF+/PqZNmxZnn312XHPNNfHxxx9nzwUAVKHCYfHmm2/GypUr46mnnoq9e/fG5ZdfHrfeemscPny4EvMBAFWkcFisW7cuHnjggVi6dGnMnDkzXnzxxTjnnHPi1VdfrcR8AEAVGVPk5D/++CP27NkTTU1NfWujRo2Km2++OT766KOTXlMul6NcLve97uzsjIiIrq6uwcxb1XrKvw/3CAyhM/Hf8TOZ9/eZ5Ux8f//5z9zb2/uX5xUKi59//jmOHz8ekyZN6rc+adKk+Oqrr056TUtLSzQ3N5+w3tDQUOTWUHXqWod7AqBSzuT399GjR6Ourm7APy8UFoPR1NQUK1eu7Hvd09MTv/zyS0ycODFqamoqfXuGWVdXVzQ0NERHR0eMGzduuMcBEnl/n1l6e3vj6NGjMWXKlL88r1BYnHfeeTF69Oj46aef+q3/9NNPccEFF5z0mlKpFKVSqd/av/71ryK35TQwbtw4/+GB05T395njr3Yq/lTow5tnnXVWXHXVVbF9+/a+tZ6enti+fXtce+21xScEAE4rhR+FrFy5MpYsWRLz5s2Lq6++OlpbW6O7uzuWLl1aifkAgCpSOCzuvvvuOHLkSDz55JNx6NChuOKKK2Lr1q0nfKATIv73KOypp5464XEYUP28vzmZmt6/+94IAMA/5LdCAIA0wgIASCMsAIA0wgIASCMsSNfS0hLz58+P2traqK+vj0WLFsX+/fuHeywgyc6dO+OOO+6IKVOmRE1NTbz99tvDPRIjiLAg3Y4dO6KxsTF2794d27Zti2PHjsUtt9wS3d3dwz0akKC7uzsuv/zyWL9+/XCPwgjk66ZU3JEjR6K+vj527NgR119//XCPAySqqamJLVu2xKJFi4Z7FEYIOxZUXGdnZ0RETJgwYZgnAaDShAUV1dPTEytWrIgFCxbE7Nmzh3scACqs4j+bzpmtsbEx9u3bF7t27RruU
QAYAsKCilm2bFm89957sXPnzpg6depwjwPAEBAWpOvt7Y1HHnkktmzZEu3t7TF9+vThHgmAISIsSNfY2BgbN26Md955J2pra+PQoUMREVFXVxdjx44d5umAU/Xbb7/FwYMH+15/++238fnnn8eECRPiwgsvHMbJGAl83ZR0NTU1J11/7bXX4r777hvaYYB07e3tceONN56wvmTJknj99deHfiBGFGEBAKTxdVMAII2wAADSCAsAII2wAADSCAsAII2wAADSCAsAII2wAADSCAsAII2wAADSCAsAII2wAADS/BfCDdsjZARtJAAAAABJRU5ErkJggg==", + "text/plain": [ + "
" + ] + }, + "metadata": {}, + "output_type": "display_data" + } + ], + "source": [ + "# Grouping by weekday (0-indexed)\n", + "amount_per_weekday = df['date_sighting'].dt.weekday.value_counts()\n", + "print(amount_per_weekday)\n", + "amount_per_weekday.plot(kind='bar', rot=0)" + ] + }, + { + "cell_type": "code", + "execution_count": 517, + "metadata": {}, + "outputs": [ + { + "name": "stdout", + "output_type": "stream", + "text": [ + "date_sighting\n", + "9 5\n", + "14 8\n", + "15 1\n", + "Name: one, dtype: int64\n" + ] + }, + { + "data": { + "text/plain": [ + "" + ] + }, + "execution_count": 517, + "metadata": {}, + "output_type": "execute_result" + }, + { + "data": { + "image/png": "", + "text/plain": [ + "
" + ] + }, + "metadata": {}, + "output_type": "display_data" + } + ], + "source": [ + "amount_per_weekday_for_each_attribute = df.groupby([df['date_sighting'].dt.hour])['one'].sum()\n", + "print(amount_per_weekday_for_each_attribute)\n", + "amount_per_weekday_for_each_attribute.plot(kind='bar', rot=0)" + ] + } + ], + "metadata": { + "kernelspec": { + "display_name": "Python 3.8.10 ('venv': venv)", + "language": "python", + "name": "python3" + }, + "language_info": { + "codemirror_mode": { + "name": "ipython", + "version": 3 + }, + "file_extension": ".py", + "mimetype": "text/x-python", + "name": "python", + "nbconvert_exporter": "python", + "pygments_lexer": "ipython3", + "version": "3.8.10" + }, + "orig_nbformat": 4, + "vscode": { + "interpreter": { + "hash": "99e19f785595e5572f3a0434505ffd496bc893a60c3b4501be593ee9ddcf6bde" + } + } + }, + "nbformat": 4, + "nbformat_minor": 2 +} diff --git a/build.sh b/build.sh index b71b4fd..cd5aa83 100755 --- a/build.sh +++ b/build.sh @@ -13,7 +13,9 @@ for slide in ${slidedecks[@]}; do cd ${slide} if test -f "slide_nl.tex"; then pdflatex slide_nl.tex - pdflatex slide_nl.tex + fi + if test -f "slide_es.tex"; then + pdflatex slide_es.tex fi pdflatex slide.tex pdflatex slide.tex @@ -30,6 +32,10 @@ for slide in ${slidedecks[@]}; do cp slide_nl.pdf ../output/${slide}_nl.pdf rm slide_nl.pdf fi + if test -f "slide_es.tex"; then + cp slide_es.pdf ../output/${slide}_es.pdf + rm slide_es.pdf + fi cd .. echo "--- Finished building ${slide}" done diff --git a/complementary/other-slides/MISP 10 Commandments - Recommendations and Best Practices when encoding data.pdf b/complementary/other-slides/MISP 10 Commandments - Recommendations and Best Practices when encoding data.pdf new file mode 100644 index 0000000..eee8536 Binary files /dev/null and b/complementary/other-slides/MISP 10 Commandments - Recommendations and Best Practices when encoding data.pdf differ 
diff --git a/complementary/other-slides/MISP 10 Mandamientos ES.pdf b/complementary/other-slides/MISP 10 Mandamientos ES.pdf
new file mode 100644
index 0000000..ccd5a1d
Binary files /dev/null and b/complementary/other-slides/MISP 10 Mandamientos ES.pdf differ
diff --git a/complementary/other-slides/a.11.a-misp-data-model-overview-es.pdf b/complementary/other-slides/a.11.a-misp-data-model-overview-es.pdf
new file mode 100644
index 0000000..9c49183
Binary files /dev/null and b/complementary/other-slides/a.11.a-misp-data-model-overview-es.pdf differ
diff --git a/events/20220630-FIRSTCON22/content.tex b/events/20220630-FIRSTCON22/content.tex
new file mode 100644
index 0000000..561702f
--- /dev/null
+++ b/events/20220630-FIRSTCON22/content.tex
@@ -0,0 +1,44 @@
+% DO NOT COMPILE THIS FILE DIRECTLY!
+% This is included by the other .tex files.
+
+\begin{frame}
+\titlepage
+\end{frame}
+
+\begin{frame}
+\frametitle{Agenda}
+ \begin{itemize}
+ \item 09:30 -> 10:50: MISP Intro + Usage %(1h30)
+ \item 30min break
+ \item 11:20 -> 12:40: Usage + Exercise I %(1h20)
+ \item Lunch break
+ \item 14:15 -> 15:35: Excercise I + Excercise II %(1h20)
+ \item 10min break
+ \item 16:05 -> 17:25: Excrcise II %(1h20)
+ \end{itemize}
+ \vspace{0.5cm}
+ \textbf{Hybrid session}: Hands-on \& Open bar for questions
+\end{frame}
+
+\begin{frame}
+ \frametitle{Get in touch if you have any questions}
+ \begin{itemize}
+ \item Contact CIRCL
+ \begin{itemize}
+ \item info@circl.lu
+ \item \url{https://twitter.com/circl_lu}
+ \item \url{https://www.circl.lu/}
+ \end{itemize}
+ \item Contact MISPProject
+ \begin{itemize}
+ \item \url{https://github.com/MISP}
+ \item \url{https://gitter.im/MISP/MISP}
+ \item \url{https://twitter.com/MISPProject}
+ \end{itemize}
+ \item Cerebrate project
+ \begin{itemize}
+ \item \url{https://github.com/cerebrate-project}
+ \item \url{https://github.com/cerebrate-project/cerebrate}
+ \end{itemize}
+ \end{itemize}
+\end{frame}
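Review bot: The four agenda rows write the time ranges as `09:30 -> 10:50`, but in text mode `>` only has a printable glyph under T1 font encoding, and this deck's `slide.tex` (added in the same commit) leaves `\usepackage[T1]{fontenc}` commented out, so with the default OT1 encoding the arrows render as `-¿`. An en dash is the typographic form for a range: `\item 09:30--10:50: MISP Intro + Usage %(1h30)`, and likewise for the other three rows (or `$\to$` if an arrow is really wanted). The same slide misspells "Exercise" three times (`Excercise I + Excercise II`, `Excrcise II`).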
diff --git a/events/20220630-FIRSTCON22/images/FIRSTCON22-Speaker-Horizontal.png b/events/20220630-FIRSTCON22/images/FIRSTCON22-Speaker-Horizontal.png
new file mode 100644
index 0000000..ec4329d
Binary files /dev/null and b/events/20220630-FIRSTCON22/images/FIRSTCON22-Speaker-Horizontal.png differ
diff --git a/events/20220630-FIRSTCON22/logo-circl.pdf b/events/20220630-FIRSTCON22/logo-circl.pdf
new file mode 100755
index 0000000..62c9239
Binary files /dev/null and b/events/20220630-FIRSTCON22/logo-circl.pdf differ
diff --git a/events/20220630-FIRSTCON22/makefile b/events/20220630-FIRSTCON22/makefile
new file mode 100644
index 0000000..6e5a51d
--- /dev/null
+++ b/events/20220630-FIRSTCON22/makefile
@@ -0,0 +1,5 @@
+all:
+ pdflatex -interaction nonstopmode -halt-on-error -file-line-error slide.tex
+
+clean:
+ rm *.aux *.nav *.log *.snm *.toc *.vrb
diff --git a/events/20220630-FIRSTCON22/misp.pdf b/events/20220630-FIRSTCON22/misp.pdf
new file mode 100644
index 0000000..f7a3f9d
Binary files /dev/null and b/events/20220630-FIRSTCON22/misp.pdf differ
diff --git a/events/20220630-FIRSTCON22/misplogo.pdf b/events/20220630-FIRSTCON22/misplogo.pdf
new file mode 100755
index 0000000..60da568
Binary files /dev/null and b/events/20220630-FIRSTCON22/misplogo.pdf differ
diff --git a/events/20220630-FIRSTCON22/slide.tex b/events/20220630-FIRSTCON22/slide.tex
new file mode 100644
index 0000000..f390b50
--- /dev/null
+++ b/events/20220630-FIRSTCON22/slide.tex
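Review bot: The `clean` target's `rm *.aux *.nav *.log *.snm *.toc *.vrb` fails as soon as one of the globs matches nothing (a build with no `[fragile]` frame leaves no `.vrb`, and the unmatched pattern is passed to rm literally), so `make clean` returns an error; `rm -f *.aux *.nav *.log *.snm *.toc *.vrb` is the usual form. The `all` target also runs pdflatex a single time, whereas `build.sh` in this same commit compiles `slide.tex` twice so that the `.nav`/`.toc` data beamer reads back is current; repeat the pdflatex line, and add `.PHONY: all clean` so a stray file named `clean` cannot shadow the target.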
@@ -0,0 +1,25 @@
+\documentclass{beamer}
+\usetheme[numbering=progressbar]{focus}
+\definecolor{main}{RGB}{47, 161, 219}
+\definecolor{textcolor}{RGB}{128, 128, 128}
+\definecolor{background}{RGB}{240, 247, 255}
+
+\usepackage[utf8]{inputenc}
+\usepackage{tikz}
+\usepackage{listings}
+\usepackage{adjustbox}
+\usetikzlibrary{positioning}
+\usetikzlibrary{shapes,arrows}
+%\usepackage[T1]{fontenc}
+%\usepackage[scaled]{beramono}
+\author{\small{\input{../includes/authors.txt}}}
+\title{MISP CTI Analyst Training}
+\subtitle{Hands-on workshop}
+\institute{\includegraphics[scale=0.5]{misplogo.pdf}}
+\titlegraphic{\vspace{1cm}\includegraphics[scale=0.65]{misp.pdf}\linebreak\includegraphics[scale=0.6]{images/FIRSTCON22-Speaker-Horizontal.png}}
+
+\date{\input{../includes/location.txt}}
+\begin{document}
+\include{content}
+\end{document}
+
diff --git a/events/20220630-FIRSTCON22/slide_handout.tex b/events/20220630-FIRSTCON22/slide_handout.tex
new file mode 100644
index 0000000..a4af0c3
--- /dev/null
+++ b/events/20220630-FIRSTCON22/slide_handout.tex
@@ -0,0 +1,27 @@
+\documentclass{beamer}
+\usetheme[numbering=progressbar]{focus}
+\definecolor{main}{RGB}{47, 161, 219}
+\definecolor{textcolor}{RGB}{128, 128, 128}
+\definecolor{background}{RGB}{240, 247, 255}
+
+\usepackage[utf8]{inputenc}
+\usepackage{tikz}
+\usepackage{listings}
+\usepackage{adjustbox}
+\usetikzlibrary{positioning}
+\usepackage{pgfpages}
+\setbeameroption{show notes on second screen=right}
+\usetikzlibrary{shapes,arrows}
+%\usepackage[T1]{fontenc}
+%\usepackage[scaled]{beramono}
+\author{\small{\input{../includes/authors.txt}}}
+\title{MISP CTI Analyst Training}
+\subtitle{Hands-on workshop}
+\institute{\includegraphics[scale=0.5]{misplogo.pdf}}
+\titlegraphic{\vspace{1cm}\includegraphics[scale=0.65]{misp.pdf}\linebreak\includegraphics[scale=0.6]{images/FIRSTCON22-Speaker-Horizontal.png}}
+
+\date{\input{../includes/location.txt}}
+\begin{document}
+\include{content}
+\end{document}
+
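Review bot: `\usepackage[T1]{fontenc}` is left commented out right after `\usetikzlibrary{shapes,arrows}`, while this deck's `content.tex` uses `>` in body text (`09:30 -> 10:50`), which the default OT1 encoding typesets as an inverted question mark; uncommenting that line fixes the glyph and also gives copyable PDF text and hyphenation of accented words. `\include{content}` forces a `\clearpage` and cannot be nested; `\input{content}` is the idiomatic way to pull in a fragment, consistent with the `\input{../includes/authors.txt}` lines already in the preamble. Both points apply equally to the `slide_handout.tex` hunk, which repeats this preamble with `pgfpages` notes added.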
diff --git a/events/20221017-CTIS-2022-Workflows/content.tex b/events/20221017-CTIS-2022-Workflows/content.tex
new file mode 100755
index 0000000..9bf8b68
--- /dev/null
+++ b/events/20221017-CTIS-2022-Workflows/content.tex
@@ -0,0 +1,685 @@ +% DO NOT COMPILE THIS FILE DIRECTLY! +% This is included by the other .tex files. + +\begin{frame}[t,plain] +\titlepage +\end{frame} + +\begin{frame} + \frametitle{\texttt{\$ whoami}} + \begin{columns} + \begin{column}{0.7\textwidth} + \begin{itemize} + \item Working @ circl.lu + \item Part of the MISP-Project team + \item Adding easter eggs for the past 4 years + \end{itemize} + \end{column} + \begin{column}{0.3\textwidth} + \includegraphics[width=0.9\linewidth]{pictures/whoami.png} + \end{column} + \end{columns} + \vspace*{0.75em} + \begin{columns} + \begin{column}{0.65\textwidth} + \frame{\includegraphics[width=1.0\linewidth]{pictures/whoami2.png}} + \end{column} + \begin{column}{0.35\textwidth} + \includegraphics[width=1.0\linewidth]{pictures/belgian-joke.jpeg} + \end{column} + \end{columns} +\end{frame} + +\begin{frame} + \frametitle{What problems are we trying to tackle?} + \begin{itemize} + \item \textbf{Prevent} default MISP behaviors to happen + \item \textbf{Hook} specific actions to run callbacks + \item Use-cases: + \begin{itemize} + \item Prevent publication of events not passing sanity checks + \item Prevent querying thrid-party services with sensitive information + \item Send notifications in a chat rooms + \item And much much more... 
+ \end{itemize} + \end{itemize} +\end{frame} + +\begin{frame} + \frametitle{What already exists in MISP?} + \includegraphics[width=16px]{pictures/python-logo.png}\hspace*{0.5em} \textbf{MISP API / PyMISP} + \begin{itemize} + \item Needs CRON Jobs in place + \item Heavy for the server + \item Not realtime + \end{itemize} + \vspace*{1em} + \includegraphics[width=16px]{pictures/zeromq.png}\hspace*{0.5em} \textbf{PubSub channels} + \begin{itemize} + \item After the actions happen: No feedback to MISP + \item Tougher to put in place \& to share + \item Full integration amounts to develop a new tool + \end{itemize} +\end{frame} + +\begin{frame} + \frametitle{Simple automation made easy} + \begin{center} + \includegraphics[width=0.3\linewidth]{pictures/automation.png} + \end{center} + \begin{itemize} + \item Why? + \begin{itemize} + \item Everyone loves \textbf{simple automation} + \item \textbf{Visual} dataflow programming + \item Users want \textbf{more control} + \end{itemize} + \item How? + \begin{itemize} + \item \textbf{Drag \& Drop} editor + \item Prevent actions \textbf{before they happen} + \item Flexible \textbf{Plug \& Play} system + \item \textbf{Share} workflows, \textbf{debug} and \textbf{replay} + \end{itemize} + \end{itemize} +\end{frame} + +\begin{frame} + \frametitle{Content of the presentation} + \begin{itemize} + \item MISP Workflows fundamentals + \item Demo by examples + \item Get started + \item Using the system \& how it can be extended + \end{itemize} + + \vspace*{1em} + \begin{center} + \frame{\includegraphics[width=0.7\linewidth]{pictures/overview.png}} + \end{center} +\end{frame} + +\section{Workflow - Fundamentals} +\begin{frame} + \frametitle{How does it work} + \begin{center} + \frame{\includegraphics[width=0.4\linewidth]{pictures/event-condition-action.png}} + \end{center} + \begin{enumerate} + \item An \textbf{event} happens in MISP + \item Check if all \textbf{conditions} are satisfied + \item Execute all \textbf{actions} + 
\begin{itemize} + \item May prevent MISP to complete its original event + \end{itemize} + \end{enumerate} +\end{frame} + +\begin{frame} + \frametitle{What kind of events?} + \includegraphics[width=60px]{pictures/sc-event.png} + \vspace*{0.5em} + \begin{itemize} + \item New MISP Event + \item Attribute has been saved + \item New discussion post + \item New user created + \item Query against third-party services + \item ... + \end{itemize} + \vspace*{1em} + In MISP Workflow terminology, supported events are called \textbf{Triggers} +\end{frame} + +\begin{frame} + \frametitle{What kind of conditions?} + \includegraphics[width=70px]{pictures/sc-condition.png} + \vspace*{0.5em} + \begin{itemize} + \item An MISP Event is tagged with \texttt{tlp:red} + \item The distribution an Attribute is a sharing group + \item The creator organisation is \texttt{circl.lu} + \item Or any other \textbf{generic} conditions + \end{itemize} + + \vspace*{1em} + In MISP Workflow terminology, these are also called \textbf{Logic modules} +\end{frame} + +\begin{frame} + \frametitle{What kind of actions?} + \includegraphics[width=60px]{pictures/sc-action.png} + \vspace*{0.5em} + \begin{itemize} + \item Send an email notification + \item Perform enrichments + \item Send a chat message on MS Teams + \item Attach a local tag + \item ... + \end{itemize} + + \vspace*{1em} + In MISP Workflow terminology, these are also called \textbf{Action modules} +\end{frame} + +\begin{frame} + \frametitle{What is a MISP Workflow?} + \begin{itemize} + \item Sequence of all nodes to be executed in the specified order + \item Basically the whole connected graph. 
+ \item Workflows can be enabled / disabled + \item Workflows are always linked to a \textbf{trigger} + \end{itemize} + \begin{center} + \frame{\includegraphics[width=1.0\linewidth]{pictures/simple-workflow.png}} + \end{center} +\end{frame} + +\begin{frame} + \frametitle{Workflow execution for Event publish} + \begin{itemize} + \setlength\itemsep{1em} + \item[] \hspace*{-2em}\includegraphics[width=16px]{pictures/sc-event-icon.png} \hspace*{0.25em} An Event is about to be published + \begin{itemize} + \item The workflow for the \texttt{event-publish} trigger starts + \end{itemize} + \item[] \hspace*{-2em}\includegraphics[width=16px]{pictures/sc-condition-icon.png} \hspace*{0.25em} Conditions are evaluated + \item[] \hspace*{-2em}\includegraphics[width=16px]{pictures/sc-action-icon.png} \hspace*{0.25em} Actions are executed + \begin{itemize} + \setlength\itemsep{0.75em} + \item {\bf\color{green!50!black}success}: Continue the publishing action + \hspace*{-4em}\includegraphics[width=1.0\textwidth]{pictures/log-entry-publish-success.png} + \item {\bf\color{red}failure} | \texttt{\color{red}blocked}: Stop publishing and log the reason + \hspace*{-4em}\includegraphics[width=1.0\textwidth]{pictures/log-entry-publish-blocked.png} + \end{itemize} + \end{itemize} +\end{frame} + +\begin{frame} + \frametitle{Blocking and non-blocking} + Two types of workflows: + \vspace{0.5em} + \begin{itemize} + \item[] \hspace*{-2em}\includegraphics[width=48px]{pictures/blocking-workflow.png} Workflows + \begin{itemize} + \item Can prevent / block the original event to happen + \item If a \textbf{blocking module}\includegraphics[width=10px]{pictures/blocking-module.png} blocks the action + \end{itemize} + \vspace{0.5em} + \item[] \hspace*{-2em}{\bf Regular} Workflows execution outcome has no impact + \begin{itemize} + \item \textbf{Blocking modules} No way to prevent something that has already happened + \end{itemize} + \begin{center} + 
\includegraphics[width=0.4\linewidth]{pictures/time-machine.png} + \end{center} + \end{itemize} +\end{frame} + +\begin{frame} + \frametitle{Workflow - Action modules} + % \begin{center} + % \includegraphics[width=0.6\linewidth]{pictures/module-type.png} + % \end{center} + \begin{itemize} + \item \includegraphics[width=12px]{pictures/sc-action-icon.png} \textbf{action} modules: Allow to executes operations or custom scripts + \begin{itemize} + \item Tag operations + \item Send notifications + \item Webhooks + \end{itemize} + \end{itemize} + \begin{center} + \includegraphics[width=1.0\linewidth]{pictures/action-module-index.png} + \end{center} +\end{frame} + +\begin{frame} + \frametitle{Workflow - Logic modules} + \begin{itemize} + \item \includegraphics[width=12px]{pictures/sc-condition-icon.png} \textbf{logic} modules: Allow to redirect the execution flow. + \begin{itemize} + \item IF conditions + \item Delay execution + \end{itemize} + \end{itemize} + \begin{center} + \includegraphics[width=1.0\linewidth]{pictures/logic-module-index.png} + \end{center} +\end{frame} + +\begin{frame} + \frametitle{Sources of Workflow modules (1)} + \begin{itemize} + \item Built-in \textbf{default} modules + \begin{itemize} + \item Part of the MISP codebase + \item Get in touch if you want us to increase the selection! 
+ \end{itemize} + \end{itemize} + \begin{center} + \includegraphics[width=1.0\linewidth]{pictures/module-buffet.png} + \end{center} +\end{frame} + +\begin{frame} + \frametitle{Sources of Workflow modules (2)} + User-defined \textbf{custom} modules + \vspace*{0.5em} + \begin{columns} + \begin{column}{0.5\textwidth} + \begin{itemize} + \item Written in PHP + \item Extend existing modules + \item MISP code reuse + \end{itemize} + \end{column} + \begin{column}{0.5\textwidth} + \includegraphics[width=1.0\linewidth]{pictures/php-joke.jpg} + \end{column} + \end{columns} +\end{frame} + +\begin{frame} + \frametitle{Sources of Workflow modules (3)} + Modules from the \includegraphics[width=0.20\linewidth]{pictures/misp-module-icon.png} \textbf{enrichment service} + \vspace*{0.5em} + \begin{columns} + \begin{column}{0.50\textwidth} + \begin{itemize} + \item Written in Python + \item Can use any python libraries + \item Plug \& Play + \end{itemize} + \end{column} + \begin{column}{0.50\textwidth} + \includegraphics[width=1.0\linewidth]{pictures/python-joke.png} + \end{column} + \end{columns} +\end{frame} + +\begin{frame} + \frametitle{Triggers currently available} + Currently 10 triggers can be hooked. 3 being \includegraphics[width=36px]{pictures/blocking-workflow.png}. 
+ \begin{center} + \includegraphics[width=1.0\linewidth]{pictures/triggers.png} + \end{center} +\end{frame} + +\begin{frame} + \frametitle{Demo by examples} + \begin{center} + \includegraphics[width=0.85\linewidth]{pictures/no-slides-if-demo.jpg} + \end{center} +\end{frame} + +\section{Workflow - Getting started} +\begin{frame} + \frametitle{Getting started with workflows (1)} + \begin{center} + \includegraphics[width=0.9\linewidth]{pictures/workflow-release.png} + \end{center} + \begin{enumerate} + \item Update your MISP server + \item Update all your sub-modules + \end{enumerate} + \begin{center} + \includegraphics[width=0.6\textwidth]{pictures/upgrade-people.jpeg} + \end{center} +\end{frame} + +\begin{frame} + \frametitle{Getting started with workflows (2)} + Review MISP settings: + \begin{enumerate} + \item Make sure \texttt{\bf MISP.background\_jobs} is turned on + \item Make sure workers are \textbf{up-and-running} and healthy + \item Turn the setting \texttt{\bf Plugin.Workflow\_enable} on + \end{enumerate} + \begin{center} + \includegraphics[width=1.0\textwidth]{pictures/settings-2.png} + \end{center} +\end{frame} + +\begin{frame} + \frametitle{Getting started with workflows (3)} + [optional] Wanna enjoy \includegraphics[width=0.17\linewidth]{pictures/misp-module-icon.png} ? 
+ \begin{enumerate} + \item Turn the setting \texttt{\bf Plugin.Action\_services\_enable} on + \end{enumerate} + \begin{center} + \includegraphics[width=1.0\textwidth]{pictures/settings-1.png} + \end{center} +\end{frame} + +\begin{frame} + \frametitle{Getting started with workflows (4)} + \begin{enumerate} + \item Go to the list of modules + \begin{itemize} + \item \texttt{Administration > Workflows > List Modules} + \item or \url{/workflows/moduleIndex} + \end{itemize} + \item Make sure \textbf{default} modules are loaded + \item {[optional:misp-module]} Make sure \textbf{misp-module} modules are loaded + \end{enumerate} +\end{frame} + +\begin{frame} + \frametitle{Getting started with workflows (4)} + \centering + {\Large Everything is ready?}\\ + \vspace*{3em} + {\LARGE Let's see how to build a workflow!} +\end{frame} + +\begin{frame} + \frametitle{Creating a workflow with the editor} + \begin{center} + \begin{tikzpicture} + \node[align=left] (img1) at (0, 0) { + $\blacktriangleright$ 1. Go to the list of triggers \texttt{Administration > Workflows} \\ + $\blacktriangleright$ 2. Enable the trigger \\ + $\blacktriangleright$ 3. Edit the \texttt{trigger} you want to create a workflow for \\ + $\blacktriangleright$ 4. Drag an \texttt{action} module from the side panel\\ + to the canvas \\ + $\blacktriangleright$ 5. Drag another \texttt{action} module or a logic module\\ + from the side panel to the canvas \\ + $\blacktriangleright$ 6. From the \texttt{trigger} output, drag an arrow into\\ + the \texttt{action}'s input (left side) \\ + $\blacktriangleright$ 7. Continue linking modules with the input/output system\\ + until all wanted modules are connected \\ + $\blacktriangleright$ 8. Find an action that would execute the desired trigger \\ + $\blacktriangleright$ 9. Execute the action and observe the effect! \\ + $\blacktriangleright$ 10. Optionally, enable debug mode to see realtime execution \\ + $\blacktriangleright$ 10.1. 
Even more text to make the slide even more unreadable \\ + $\blacktriangleright$ 10.2. And even more boring + }; + \pause + \node (img2) at (0, 0) {\includegraphics[width=0.6\textwidth]{pictures/no-slides-if-demo3.jpg}}; + \end{tikzpicture} + \end{center} +\end{frame} + +\section{Considerations when working with workflows} +\begin{frame} + \frametitle{Working with the editor - Operations not allowed} + Execution loop are not authorized + \vspace*{1em} + \begin{columns} + \begin{column}{0.7\textwidth} + \frame{\includegraphics[width=1.0\linewidth]{pictures/editor-not-allowed-1.png}} + \end{column} + \begin{column}{0.3\textwidth} + \frame{\includegraphics[width=1.0\linewidth]{pictures/infinite-loop.jpg}} + \end{column} + \end{columns} +\end{frame} + +\begin{frame} + \frametitle{Recursive workflows} + \frame{\includegraphics[width=1.0\linewidth]{pictures/recursive-workflow.png}} + \danger Recursion: If an action re-run the workflow +\end{frame} + +\begin{frame} + \frametitle{Working with the editor - Operations not allowed} + Multiple connections from the same output + \vspace*{1em} + \begin{columns} + \begin{column}{0.7\textwidth} + \frame{\includegraphics[width=1.0\linewidth]{pictures/editor-not-allowed-2.png}} + \end{column} + \begin{column}{0.3\textwidth} + \frame{\includegraphics[width=1.0\linewidth]{pictures/two-paths.jpeg}} + \end{column} + \end{columns} + \begin{itemize} + \item Execution order not guaranted + \item Confusing for users + \end{itemize} +\end{frame} + +\begin{frame} + \frametitle{Working with the editor} + Cases showing a warning: + \begin{itemize} + \item \textbf{Blocking} modules \includegraphics[width=10px]{pictures/blocking-module.png} in a \textbf{non-blocking} workflow \includegraphics[width=0.12\linewidth]{pictures/time-machine.png} + \item \textbf{Blocking} modules \includegraphics[width=10px]{pictures/blocking-module.png} after a \textbf{concurrent tasks} module + \begin{center} + 
\frame{\includegraphics[width=1.0\linewidth]{pictures/editor-warning-1.png}} + \end{center} + \end{itemize} +\end{frame} + +\section{Advanced usage} +\begin{frame} + \frametitle{Workflow blueprints} + \hspace*{0.9\textwidth}\includegraphics[width=32px]{pictures/blueprint-32.png} + \vspace*{-2em} + \begin{enumerate} + \item Blueprints allow to \textbf{re-use parts} of a workflow in another one + \item Blueprints can be saved, exported and \textbf{shared} + \end{enumerate} + \begin{center} + \includegraphics[width=0.5\linewidth]{pictures/blueprint-debugging.png} + \end{center} + Blueprints sources: + \begin{enumerate} + \item Created or imported by users + \item From the \texttt{MISP/misp-workflow-blueprints} repository\footnote{\scriptsize https://github.com/MISP/misp-workflow-blueprints} + \end{enumerate} +\end{frame} + +\begin{frame}[fragile] + \frametitle{Hash path filtering} +Filtering and checking conditions using hash path expression. +\begin{lstlisting}[language=javascript,firstnumber=1] +$path_expression = '{n}[name=fred].id'; +$users = [ + {'id': 123, 'name': 'fred', 'surname': 'bloggs'}, + {'id': 245, 'name': 'fred', 'surname': 'smith'}, + {'id': 356, 'name': 'joe', 'surname': 'smith'}, +]; +$ids = Hash::extract($users, $path_expression); +// => $ids will be [123, 245] +\end{lstlisting} +\begin{columns} + \begin{column}{0.6\textwidth} + \begin{center} + \includegraphics[width=0.7\linewidth]{pictures/attribute-json.png} + \end{center} + \end{column} + \begin{column}{0.4\textwidth} + \includegraphics[width=1.0\linewidth]{pictures/module-if-generic.png} + \end{column} +\end{columns} +\end{frame} + +\begin{frame} + \frametitle{Data format in Workflows} + \begin{center} + \includegraphics[width=0.7\linewidth]{pictures/workflow-trigger.png} + \end{center} + \begin{itemize} + \item In most cases, the format is compliant with the \textbf{MISP Core format} + \item But data has \textbf{additional properties} + \begin{itemize} + \item Attributes are \textbf{always 
encapsulated} in the Event or Object + \item Additional key \textbf{\texttt{\_AttributeFlattened}} + \item Additional key \textbf{\texttt{\_allTags}} + \item Additional key \textbf{\texttt{inherited}} for Tags + \end{itemize} + \end{itemize} +\end{frame} + +\begin{frame} + \frametitle{Logic module: Concurrent Task} + \begin{itemize} + \item Logic module allowing \textbf{multiple output} connections + \item \textbf{Postpone the execution} for remaining modules + \item Blocking modules\includegraphics[width=10px]{pictures/blocking-module.png} \textbf{cannot cancel} ongoing operations \includegraphics[width=0.05\linewidth]{pictures/time-machine.png} + \end{itemize} + \begin{center} + \frame{\includegraphics[width=0.5\linewidth]{pictures/module-concurrent.png}} + \end{center} +\end{frame} + +\section{Debugging} +\begin{frame} + \frametitle{Debugging Workflows: Log Entries} + \begin{itemize} + \item Workflow execution is logged in the application logs: + \begin{itemize} + \item \texttt{/admin/logs/index} + \end{itemize} + \item Or stored on disk in the following file: + \begin{itemize} + \item \texttt{/app/tmp/logs/workflow-execution.log} + \end{itemize} + \end{itemize} + \begin{center} + \includegraphics[width=1.0\linewidth]{pictures/workflow-debug.png} + \end{center} +\end{frame} + +\begin{frame} + \frametitle{Debugging Workflows: Debug mode} + \begin{itemize} + \item The \includegraphics[width=70px]{pictures/debug-mode.png} can be turned on for each workflows + \item Each nodes will send data to the provided URL + \begin{itemize} + \item Configure the setting: \texttt{Plugin.Workflow\_debug\_url} + \end{itemize} + \item Result can be visualized in + \begin{itemize} + \item \textbf{offline}: \texttt{tools/misp-workflows/webhook-listener.py} + \item \textbf{online}: \url{requestbin.com} or similar websites + \end{itemize} + \end{itemize} + \begin{center} + \includegraphics[width=0.6\linewidth]{pictures/request-bin.png} + \end{center} +\end{frame} + +\begin{frame} + 
\frametitle{Debugging modules: Stateless execution} + \begin{itemize} + \item Test custom modules with custom input + \end{itemize} + \begin{center} + \includegraphics[width=1.0\linewidth]{pictures/stateless-execution.png} + \end{center} +\end{frame} + +\begin{frame} + \frametitle{Debugging modules: Re-running workflows} + \begin{itemize} + \item Try workflows with custom input + \item Re-run workflows to ease debugging + \end{itemize} + \begin{center} + \frame{\includegraphics[width=0.55\linewidth]{pictures/running-workflows.png}} + \end{center} +\end{frame} + +\begin{frame} + \frametitle{Debugging options} + \begin{columns} + \begin{column}{0.6\textwidth} + \begin{itemize} + \item Workflow execution and outcome + \item Module execution and outcome + \item Live workflow debugging with module inspection + \item Re-running/testing workflows with custom data + \item Stateless module execution + \end{itemize} + \end{column} + \begin{column}{0.4\textwidth} + \includegraphics[width=1.0\linewidth]{pictures/enough-debugging.jpg} + \end{column} + \end{columns} +\end{frame} + +\section{Extending the system} +\begin{frame} + \frametitle{Creating a new module in PHP} + \begin{center} + \includegraphics[width=0.65\linewidth]{pictures/custom-1.png} + \end{center} + + \begin{itemize} + \item \texttt{\small \textbf{app/Lib/}WorkflowModules/action/[module\_name].php} + \item Designed to be easilty extended + \begin{itemize} + \item Helper functions + \item Module configuration as variables + \item Implement runtime logic + \end{itemize} + \end{itemize} +\end{frame} + +\begin{frame} + \frametitle{Creating a new module in Python} + \begin{center} + \includegraphics[width=0.65\linewidth]{pictures/custom-2.png} + \end{center} + + \begin{itemize} + \item Similar to how other \texttt{misp-modules} are implemented + \begin{itemize} + \item Helper functions + \item Module configuration as variables + \item Implement runtime logic + \end{itemize} + \end{itemize} +\end{frame} + 
+\begin{frame} + \frametitle{Ideas} + \begin{itemize} + \item Chat notification a community when new user joins an instance + \item Trigger on any action via log entries + \item Extend existing MISP behavior: Push correlation in another system + \item Sanity check to block publishing + \item ... + \end{itemize} +\end{frame} + +\begin{frame} + \frametitle{Future works} + \begin{columns} + \begin{column}{0.55\textwidth} + \begin{itemize} + \item More \includegraphics[width=12px]{pictures/sc-action-icon.png} modules + \item More \includegraphics[width=12px]{pictures/sc-condition-icon.png} modules + \item More \includegraphics[width=12px]{pictures/sc-event-icon.png} triggers + \item More documentation + \item Recursion prevention system + \item On-the-fly data override? + \end{itemize} + \end{column} + \begin{column}{0.45\textwidth} + \includegraphics[width=1.0\linewidth]{pictures/future-works.jpeg} + \end{column} + \end{columns} +\end{frame} + +\begin{frame} + \frametitle{Final words} + \begin{columns} + \begin{column}{0.6\textwidth} + \begin{itemize} + \item Feature designed to quickly and cheaply support CTI pipeline + \item \textbf{Beta}: Feature unlikely to change. But still.. + \item Waiting for feedback! + \end{itemize} + \end{column} + \begin{column}{0.4\textwidth} + \includegraphics[width=1.0\linewidth]{pictures/feeling-of-power.jpg} + \end{column} + \end{columns} + \vspace*{0.5em} + \includegraphics[width=1.0\linewidth]{pictures/first-cti.png} +\end{frame} + diff --git a/events/20221017-CTIS-2022-Workflows/misp.pdf b/events/20221017-CTIS-2022-Workflows/misp.pdf new file mode 100644 index 0000000..f7a3f9d Binary files /dev/null and b/events/20221017-CTIS-2022-Workflows/misp.pdf differ 
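Review bot: The "Debugging Workflows: Debug mode" frame recommends `\textbf{online}: \url{requestbin.com} or similar websites` as the receiver for `Plugin.Workflow\_debug\_url` right after stating that each node sends its data to that URL; per the "Data format in Workflows" frame that data is MISP-core-format events with their attributes and tags, so a hosted request bin receives whatever the instance is processing, which can include the `tlp:red` material the "What kind of conditions?" frame uses as an example. A one-line caveat on that frame would keep readers from carrying the setup into production, e.g. `\item Hosted receivers only with test data; for real events use the offline listener`. In the "Hash path filtering" frame, `\begin{lstlisting}[language=javascript,firstnumber=1]` names a language the listings package does not ship (it errors unless a `\lstdefinelanguage` in the preamble, which is not in this diff, supplies it), and the snippet is CakePHP (`Hash::extract`), so `language=PHP` is both supported and accurate. A spelling pass is also due: `thrid-party`, `guaranted`, `easilty`, `Execution loop are not authorized`.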
diff --git a/events/20221017-CTIS-2022-Workflows/pictures/action-module-index.png b/events/20221017-CTIS-2022-Workflows/pictures/action-module-index.png
new file mode 100644
index 0000000..dd9c62d
Binary files /dev/null and b/events/20221017-CTIS-2022-Workflows/pictures/action-module-index.png differ
diff --git a/events/20221017-CTIS-2022-Workflows/pictures/attribute-json.png b/events/20221017-CTIS-2022-Workflows/pictures/attribute-json.png
new file mode 100644
index 0000000..4ad2065
Binary files /dev/null and b/events/20221017-CTIS-2022-Workflows/pictures/attribute-json.png differ
diff --git a/events/20221017-CTIS-2022-Workflows/pictures/automation.png b/events/20221017-CTIS-2022-Workflows/pictures/automation.png
new file mode 100644
index 0000000..d628e0f
Binary files /dev/null and b/events/20221017-CTIS-2022-Workflows/pictures/automation.png differ
diff --git a/events/20221017-CTIS-2022-Workflows/pictures/belgian-joke.jpeg b/events/20221017-CTIS-2022-Workflows/pictures/belgian-joke.jpeg
new file mode 100644
index 0000000..6deff1b
Binary files /dev/null and b/events/20221017-CTIS-2022-Workflows/pictures/belgian-joke.jpeg differ
diff --git a/events/20221017-CTIS-2022-Workflows/pictures/blocking-module.png b/events/20221017-CTIS-2022-Workflows/pictures/blocking-module.png
new file mode 100644
index 0000000..f8a817d
Binary files /dev/null and b/events/20221017-CTIS-2022-Workflows/pictures/blocking-module.png differ
diff --git a/events/20221017-CTIS-2022-Workflows/pictures/blocking-workflow.png b/events/20221017-CTIS-2022-Workflows/pictures/blocking-workflow.png
new file mode 100644
index 0000000..145cc12
Binary files /dev/null and b/events/20221017-CTIS-2022-Workflows/pictures/blocking-workflow.png differ
diff --git a/events/20221017-CTIS-2022-Workflows/pictures/blueprint-1.png b/events/20221017-CTIS-2022-Workflows/pictures/blueprint-1.png
new file mode 100644
index 0000000..1e3acbf
Binary files /dev/null and b/events/20221017-CTIS-2022-Workflows/pictures/blueprint-1.png differ
diff --git a/events/20221017-CTIS-2022-Workflows/pictures/blueprint-32.png b/events/20221017-CTIS-2022-Workflows/pictures/blueprint-32.png
new file mode 100644
index 0000000..8d1d4c6
Binary files /dev/null and b/events/20221017-CTIS-2022-Workflows/pictures/blueprint-32.png differ
diff --git a/events/20221017-CTIS-2022-Workflows/pictures/blueprint-debugging.png b/events/20221017-CTIS-2022-Workflows/pictures/blueprint-debugging.png
new file mode 100644
index 0000000..c2974e7
Binary files /dev/null and b/events/20221017-CTIS-2022-Workflows/pictures/blueprint-debugging.png differ
diff --git a/events/20221017-CTIS-2022-Workflows/pictures/ctis.png b/events/20221017-CTIS-2022-Workflows/pictures/ctis.png
new file mode 100644
index 0000000..aef68a5
Binary files /dev/null and b/events/20221017-CTIS-2022-Workflows/pictures/ctis.png differ
diff --git a/events/20221017-CTIS-2022-Workflows/pictures/custom-1.png b/events/20221017-CTIS-2022-Workflows/pictures/custom-1.png
new file mode 100644
index 0000000..afadf8e
Binary files /dev/null and b/events/20221017-CTIS-2022-Workflows/pictures/custom-1.png differ
diff --git a/events/20221017-CTIS-2022-Workflows/pictures/custom-2.png b/events/20221017-CTIS-2022-Workflows/pictures/custom-2.png
new file mode 100644
index 0000000..0dad53f
Binary files /dev/null and b/events/20221017-CTIS-2022-Workflows/pictures/custom-2.png differ
diff --git a/events/20221017-CTIS-2022-Workflows/pictures/debug-mode.png b/events/20221017-CTIS-2022-Workflows/pictures/debug-mode.png
new file mode 100644
index 0000000..ba7688d
Binary files /dev/null and b/events/20221017-CTIS-2022-Workflows/pictures/debug-mode.png differ
diff --git a/events/20221017-CTIS-2022-Workflows/pictures/editor-1.png b/events/20221017-CTIS-2022-Workflows/pictures/editor-1.png
new file mode 100644
index 0000000..c8c3edf
Binary files /dev/null and b/events/20221017-CTIS-2022-Workflows/pictures/editor-1.png differ
diff --git a/events/20221017-CTIS-2022-Workflows/pictures/editor-not-allowed-1.png b/events/20221017-CTIS-2022-Workflows/pictures/editor-not-allowed-1.png
new file mode 100644
index 0000000..d4dc939
Binary files /dev/null and b/events/20221017-CTIS-2022-Workflows/pictures/editor-not-allowed-1.png differ
diff --git a/events/20221017-CTIS-2022-Workflows/pictures/editor-not-allowed-2.png b/events/20221017-CTIS-2022-Workflows/pictures/editor-not-allowed-2.png
new file mode 100644
index 0000000..538bb3f
Binary files /dev/null and b/events/20221017-CTIS-2022-Workflows/pictures/editor-not-allowed-2.png differ
diff --git a/events/20221017-CTIS-2022-Workflows/pictures/editor-warning-1.png b/events/20221017-CTIS-2022-Workflows/pictures/editor-warning-1.png
new file mode 100644
index 0000000..8370f96
Binary files /dev/null and b/events/20221017-CTIS-2022-Workflows/pictures/editor-warning-1.png differ
diff --git a/events/20221017-CTIS-2022-Workflows/pictures/enough-debugging.jpg b/events/20221017-CTIS-2022-Workflows/pictures/enough-debugging.jpg
new file mode 100644
index 0000000..f17c14c
Binary files /dev/null and b/events/20221017-CTIS-2022-Workflows/pictures/enough-debugging.jpg differ
diff --git a/events/20221017-CTIS-2022-Workflows/pictures/event-condition-action.png b/events/20221017-CTIS-2022-Workflows/pictures/event-condition-action.png
new file mode 100644
index 0000000..0ee3afe
Binary files /dev/null and b/events/20221017-CTIS-2022-Workflows/pictures/event-condition-action.png differ
diff --git a/events/20221017-CTIS-2022-Workflows/pictures/example-1a.png b/events/20221017-CTIS-2022-Workflows/pictures/example-1a.png
new file mode 100644
index 0000000..e4df2d5
Binary files /dev/null and b/events/20221017-CTIS-2022-Workflows/pictures/example-1a.png differ
diff --git a/events/20221017-CTIS-2022-Workflows/pictures/example-2a.png b/events/20221017-CTIS-2022-Workflows/pictures/example-2a.png
new file mode 100644
index 0000000..ce103af
Binary files /dev/null and b/events/20221017-CTIS-2022-Workflows/pictures/example-2a.png differ
diff --git a/events/20221017-CTIS-2022-Workflows/pictures/feeling-of-power.jpg b/events/20221017-CTIS-2022-Workflows/pictures/feeling-of-power.jpg
new file mode 100644
index 0000000..b84c299
Binary files /dev/null and b/events/20221017-CTIS-2022-Workflows/pictures/feeling-of-power.jpg differ
diff --git a/events/20221017-CTIS-2022-Workflows/pictures/first-cti.png b/events/20221017-CTIS-2022-Workflows/pictures/first-cti.png
new file mode 100644
index 0000000..5d8fec1
Binary files /dev/null and b/events/20221017-CTIS-2022-Workflows/pictures/first-cti.png differ
diff --git a/events/20221017-CTIS-2022-Workflows/pictures/future-works.jpeg b/events/20221017-CTIS-2022-Workflows/pictures/future-works.jpeg
new file mode 100644
index 0000000..874805d
Binary files /dev/null and b/events/20221017-CTIS-2022-Workflows/pictures/future-works.jpeg differ
diff --git a/events/20221017-CTIS-2022-Workflows/pictures/geekweek75.jpg b/events/20221017-CTIS-2022-Workflows/pictures/geekweek75.jpg
new file mode 100644
index 0000000..799e121
Binary files /dev/null and b/events/20221017-CTIS-2022-Workflows/pictures/geekweek75.jpg differ
diff --git a/events/20221017-CTIS-2022-Workflows/pictures/infinite-loop.jpg b/events/20221017-CTIS-2022-Workflows/pictures/infinite-loop.jpg
new file mode 100644
index 0000000..a45fff7
Binary files /dev/null and b/events/20221017-CTIS-2022-Workflows/pictures/infinite-loop.jpg differ
diff --git a/events/20221017-CTIS-2022-Workflows/pictures/log-entry-publish-blocked.png b/events/20221017-CTIS-2022-Workflows/pictures/log-entry-publish-blocked.png
new file mode 100644
index 0000000..9ccb098
Binary files /dev/null and b/events/20221017-CTIS-2022-Workflows/pictures/log-entry-publish-blocked.png differ
diff --git a/events/20221017-CTIS-2022-Workflows/pictures/log-entry-publish-success.png b/events/20221017-CTIS-2022-Workflows/pictures/log-entry-publish-success.png
new file mode 100644
index 0000000..2a26119
Binary files /dev/null and b/events/20221017-CTIS-2022-Workflows/pictures/log-entry-publish-success.png differ
diff --git a/events/20221017-CTIS-2022-Workflows/pictures/logic-module-index.png b/events/20221017-CTIS-2022-Workflows/pictures/logic-module-index.png
new file mode 100644
index 0000000..736313c
Binary files /dev/null and b/events/20221017-CTIS-2022-Workflows/pictures/logic-module-index.png differ
diff --git a/events/20221017-CTIS-2022-Workflows/pictures/misp-module-icon.png b/events/20221017-CTIS-2022-Workflows/pictures/misp-module-icon.png
new file mode 100644
index 0000000..6fa189b
Binary files /dev/null and b/events/20221017-CTIS-2022-Workflows/pictures/misp-module-icon.png differ
diff --git a/events/20221017-CTIS-2022-Workflows/pictures/module-buffet.png b/events/20221017-CTIS-2022-Workflows/pictures/module-buffet.png
new file mode 100644
index 0000000..8a4a676
Binary files /dev/null and b/events/20221017-CTIS-2022-Workflows/pictures/module-buffet.png differ
diff --git a/events/20221017-CTIS-2022-Workflows/pictures/module-concurrent.png b/events/20221017-CTIS-2022-Workflows/pictures/module-concurrent.png
new file mode 100644
index 0000000..ba994b4
Binary files /dev/null and b/events/20221017-CTIS-2022-Workflows/pictures/module-concurrent.png differ
diff --git a/events/20221017-CTIS-2022-Workflows/pictures/module-filtering.png b/events/20221017-CTIS-2022-Workflows/pictures/module-filtering.png
new file mode 100644
index 0000000..876d5ad
Binary files /dev/null and b/events/20221017-CTIS-2022-Workflows/pictures/module-filtering.png differ
diff --git a/events/20221017-CTIS-2022-Workflows/pictures/module-if-generic.png b/events/20221017-CTIS-2022-Workflows/pictures/module-if-generic.png
new file mode 100644
index 0000000..973ab23
Binary files /dev/null and b/events/20221017-CTIS-2022-Workflows/pictures/module-if-generic.png differ
diff --git a/events/20221017-CTIS-2022-Workflows/pictures/module-type.png b/events/20221017-CTIS-2022-Workflows/pictures/module-type.png
new file mode 100644
index 0000000..d869b9d
Binary files /dev/null and b/events/20221017-CTIS-2022-Workflows/pictures/module-type.png differ
diff --git a/events/20221017-CTIS-2022-Workflows/pictures/no-slides-if-demo.jpg b/events/20221017-CTIS-2022-Workflows/pictures/no-slides-if-demo.jpg
new file mode 100644
index 0000000..aeb155d
Binary files /dev/null and b/events/20221017-CTIS-2022-Workflows/pictures/no-slides-if-demo.jpg differ
diff --git a/events/20221017-CTIS-2022-Workflows/pictures/no-slides-if-demo2.jpg b/events/20221017-CTIS-2022-Workflows/pictures/no-slides-if-demo2.jpg
new file mode 100644
index 0000000..38bf7f1
Binary files /dev/null and b/events/20221017-CTIS-2022-Workflows/pictures/no-slides-if-demo2.jpg differ
diff --git a/events/20221017-CTIS-2022-Workflows/pictures/no-slides-if-demo3.jpg b/events/20221017-CTIS-2022-Workflows/pictures/no-slides-if-demo3.jpg
new file mode 100644
index 0000000..61d2a2b
Binary files /dev/null and b/events/20221017-CTIS-2022-Workflows/pictures/no-slides-if-demo3.jpg differ
diff --git a/events/20221017-CTIS-2022-Workflows/pictures/overview.png b/events/20221017-CTIS-2022-Workflows/pictures/overview.png
new file mode 100644
index 0000000..0a5a3d3
Binary files /dev/null and b/events/20221017-CTIS-2022-Workflows/pictures/overview.png differ
diff --git a/events/20221017-CTIS-2022-Workflows/pictures/php-joke.jpg b/events/20221017-CTIS-2022-Workflows/pictures/php-joke.jpg
new file mode 100644
index 0000000..0abc16d
Binary files /dev/null and b/events/20221017-CTIS-2022-Workflows/pictures/php-joke.jpg differ
diff --git a/events/20221017-CTIS-2022-Workflows/pictures/psyduck.jpeg b/events/20221017-CTIS-2022-Workflows/pictures/psyduck.jpeg
new file mode 100644
index 0000000..8e54f30
Binary files /dev/null and b/events/20221017-CTIS-2022-Workflows/pictures/psyduck.jpeg differ
diff --git a/events/20221017-CTIS-2022-Workflows/pictures/python-joke.png b/events/20221017-CTIS-2022-Workflows/pictures/python-joke.png
new file mode 100644
index 0000000..0ce5189
Binary files /dev/null and b/events/20221017-CTIS-2022-Workflows/pictures/python-joke.png differ
diff --git a/events/20221017-CTIS-2022-Workflows/pictures/python-logo.png b/events/20221017-CTIS-2022-Workflows/pictures/python-logo.png
new file mode 100644
index 0000000..2416f26
Binary files /dev/null and b/events/20221017-CTIS-2022-Workflows/pictures/python-logo.png differ
diff --git a/events/20221017-CTIS-2022-Workflows/pictures/recursive-workflow.png b/events/20221017-CTIS-2022-Workflows/pictures/recursive-workflow.png
new file mode 100644
index 0000000..c56eb72
Binary files /dev/null and b/events/20221017-CTIS-2022-Workflows/pictures/recursive-workflow.png differ
diff --git a/events/20221017-CTIS-2022-Workflows/pictures/request-bin.png b/events/20221017-CTIS-2022-Workflows/pictures/request-bin.png
new file mode 100644
index 0000000..ee355fb
Binary files /dev/null and b/events/20221017-CTIS-2022-Workflows/pictures/request-bin.png differ
diff --git a/events/20221017-CTIS-2022-Workflows/pictures/running-workflows.png b/events/20221017-CTIS-2022-Workflows/pictures/running-workflows.png
new file mode 100644
index 0000000..d591c8f
Binary files /dev/null and b/events/20221017-CTIS-2022-Workflows/pictures/running-workflows.png differ
diff --git a/events/20221017-CTIS-2022-Workflows/pictures/sc-action-icon.png b/events/20221017-CTIS-2022-Workflows/pictures/sc-action-icon.png
new file mode 100644
index 0000000..2ac49b8
Binary files /dev/null and b/events/20221017-CTIS-2022-Workflows/pictures/sc-action-icon.png differ
diff --git a/events/20221017-CTIS-2022-Workflows/pictures/sc-action.png b/events/20221017-CTIS-2022-Workflows/pictures/sc-action.png
new file mode 100644
index 0000000..e8d7a66
Binary files /dev/null and b/events/20221017-CTIS-2022-Workflows/pictures/sc-action.png differ
diff --git a/events/20221017-CTIS-2022-Workflows/pictures/sc-condition-icon.png b/events/20221017-CTIS-2022-Workflows/pictures/sc-condition-icon.png
new file mode 100644
index 0000000..f447a5d
Binary files /dev/null and b/events/20221017-CTIS-2022-Workflows/pictures/sc-condition-icon.png differ
diff --git a/events/20221017-CTIS-2022-Workflows/pictures/sc-condition.png b/events/20221017-CTIS-2022-Workflows/pictures/sc-condition.png
new file mode 100644
index 0000000..bb24b90
Binary files /dev/null and b/events/20221017-CTIS-2022-Workflows/pictures/sc-condition.png differ
diff --git a/events/20221017-CTIS-2022-Workflows/pictures/sc-event-icon.png b/events/20221017-CTIS-2022-Workflows/pictures/sc-event-icon.png
new file mode 100644
index 0000000..d1f70ef
Binary files /dev/null and b/events/20221017-CTIS-2022-Workflows/pictures/sc-event-icon.png differ
diff --git a/events/20221017-CTIS-2022-Workflows/pictures/sc-event.png b/events/20221017-CTIS-2022-Workflows/pictures/sc-event.png
new file mode 100644
index 0000000..b58c120
Binary files /dev/null and b/events/20221017-CTIS-2022-Workflows/pictures/sc-event.png differ
diff --git a/events/20221017-CTIS-2022-Workflows/pictures/settings-1.png b/events/20221017-CTIS-2022-Workflows/pictures/settings-1.png
new file mode 100644
index 0000000..290851b
Binary files /dev/null and b/events/20221017-CTIS-2022-Workflows/pictures/settings-1.png differ
diff --git a/events/20221017-CTIS-2022-Workflows/pictures/settings-2.png b/events/20221017-CTIS-2022-Workflows/pictures/settings-2.png
new file mode 100644
index 0000000..712a31a
Binary files /dev/null and b/events/20221017-CTIS-2022-Workflows/pictures/settings-2.png differ
diff --git a/events/20221017-CTIS-2022-Workflows/pictures/simple-workflow.png b/events/20221017-CTIS-2022-Workflows/pictures/simple-workflow.png
new file mode 100644
index 0000000..f494348
Binary files /dev/null and b/events/20221017-CTIS-2022-Workflows/pictures/simple-workflow.png differ
diff --git a/events/20221017-CTIS-2022-Workflows/pictures/stateless-execution.png b/events/20221017-CTIS-2022-Workflows/pictures/stateless-execution.png
new file mode 100644
index 0000000..fa513b3
Binary files /dev/null and b/events/20221017-CTIS-2022-Workflows/pictures/stateless-execution.png differ
diff --git a/events/20221017-CTIS-2022-Workflows/pictures/time-machine.png b/events/20221017-CTIS-2022-Workflows/pictures/time-machine.png
new file mode 100644
index 0000000..494153a
Binary files /dev/null and b/events/20221017-CTIS-2022-Workflows/pictures/time-machine.png differ
diff --git a/events/20221017-CTIS-2022-Workflows/pictures/triggers.png b/events/20221017-CTIS-2022-Workflows/pictures/triggers.png
new file mode 100644
index 0000000..ba637cc
Binary files /dev/null and b/events/20221017-CTIS-2022-Workflows/pictures/triggers.png differ
diff --git a/events/20221017-CTIS-2022-Workflows/pictures/two-paths.jpeg b/events/20221017-CTIS-2022-Workflows/pictures/two-paths.jpeg
new file mode 100644
index 0000000..93542ca
Binary files /dev/null and b/events/20221017-CTIS-2022-Workflows/pictures/two-paths.jpeg differ
diff --git a/events/20221017-CTIS-2022-Workflows/pictures/upgrade-people.jpeg b/events/20221017-CTIS-2022-Workflows/pictures/upgrade-people.jpeg
new file mode 100644
index 0000000..1e6ddde
Binary files /dev/null and b/events/20221017-CTIS-2022-Workflows/pictures/upgrade-people.jpeg differ
diff --git a/events/20221017-CTIS-2022-Workflows/pictures/whoami.png b/events/20221017-CTIS-2022-Workflows/pictures/whoami.png
new file mode 100644
index 0000000..eba7518
Binary files /dev/null and b/events/20221017-CTIS-2022-Workflows/pictures/whoami.png differ
diff --git a/events/20221017-CTIS-2022-Workflows/pictures/whoami2.png b/events/20221017-CTIS-2022-Workflows/pictures/whoami2.png
new file mode 100644
index 0000000..46066cd
Binary files /dev/null and b/events/20221017-CTIS-2022-Workflows/pictures/whoami2.png differ
diff --git a/events/20221017-CTIS-2022-Workflows/pictures/workflow-debug.png b/events/20221017-CTIS-2022-Workflows/pictures/workflow-debug.png
new file mode 100644
index 0000000..a2a932f
Binary files /dev/null and b/events/20221017-CTIS-2022-Workflows/pictures/workflow-debug.png differ
diff --git a/events/20221017-CTIS-2022-Workflows/pictures/workflow-experimental.png b/events/20221017-CTIS-2022-Workflows/pictures/workflow-experimental.png
new file mode 100644
index 0000000..96e05ec
Binary files /dev/null and b/events/20221017-CTIS-2022-Workflows/pictures/workflow-experimental.png differ
diff --git a/events/20221017-CTIS-2022-Workflows/pictures/workflow-release.png b/events/20221017-CTIS-2022-Workflows/pictures/workflow-release.png
new file mode 100644
index 0000000..1eef024
Binary files /dev/null and b/events/20221017-CTIS-2022-Workflows/pictures/workflow-release.png differ
diff --git a/events/20221017-CTIS-2022-Workflows/pictures/workflow-trigger.png b/events/20221017-CTIS-2022-Workflows/pictures/workflow-trigger.png
new file mode 100644
index 0000000..9ea7fad
Binary files /dev/null and b/events/20221017-CTIS-2022-Workflows/pictures/workflow-trigger.png differ
diff --git a/events/20221017-CTIS-2022-Workflows/pictures/zeromq.png b/events/20221017-CTIS-2022-Workflows/pictures/zeromq.png
new file mode 100644
index 0000000..970e9fc
Binary files /dev/null and b/events/20221017-CTIS-2022-Workflows/pictures/zeromq.png differ
diff --git a/events/20221017-CTIS-2022-Workflows/slide.tex b/events/20221017-CTIS-2022-Workflows/slide.tex
new file mode 100644
index 0000000..f675e51
--- /dev/null
+++ b/events/20221017-CTIS-2022-Workflows/slide.tex
@@ -0,0 +1,64 @@
+\documentclass{beamer}
+\usetheme[numbering=progressbar]{focus}
+\definecolor{main}{RGB}{47, 161, 219}
+\definecolor{textcolor}{RGB}{128, 128, 128}
+\definecolor{background}{RGB}{240, 247, 255}
+
+% \usepackage{pgfpages}
+% \setbeameroption{show notes on second screen=right}
+\usepackage[draft]{pdfcomment}
+\newcommand{\pdfnote}[1]{\marginnote{\pdfcomment[icon=note]{#1}}}
+
+\usepackage[utf8]{inputenc}
+\usepackage{tikz}
+\usepackage{listings}
+\usepackage{adjustbox}
+\usepackage{fourier}
+\usetikzlibrary{positioning}
+\usetikzlibrary{shapes,arrows}
+
+\lstdefinelanguage{javascript}{
+ basicstyle=\scriptsize,
+ numbers=left,
+ numberstyle=\scriptsize,
+ stepnumber=1,
+ numbersep=5pt,
+ showstringspaces=false,
+ breaklines=true,
+ frame=lines,
+ keywords={typeof, new, true, false, catch, function, return, null, catch, switch, var, if, in, while, do, else, case, break},
+ %keywordstyle=\color{blue}\bfseries,
+ ndkeywords={class, export, boolean, throw, implements, import, this},
+ ndkeywordstyle=\color{darkgray}\bfseries,
+ identifierstyle=\color{black},
+ sensitive=false,
+ comment=[l]{//},
+ morecomment=[s]{/*}{*/},
+ commentstyle=\color{purple}\ttfamily,
+ %stringstyle=\color{red}\ttfamily,
+ morestring=[b]',
+ morestring=[b]"
+}
+\lstdefinelanguage{text}{
+ basicstyle=\scriptsize,
+ numbers=left,
+ numberstyle=\scriptsize,
+ stepnumber=1,
+ numbersep=5pt,
+ showstringspaces=false,
+ breaklines=true,
+ frame=lines
+}
+
+\title{Automation with MISP Workflows}
+\subtitle{A new way to support your CTI pipelines}
+\author{Sami Mokaddem}
+\date{\input{../includes/location.txt}}
+\titlegraphic{\includegraphics[scale=0.5]{misp.pdf}\\ \includegraphics[width=150px]{pictures/ctis.png}}
+\institute{MISP Project \\ \url{https://www.misp-project.org/}}
+
+
+\begin{document}
+\include{content}
+\end{document}
+
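Review bot: The `keywords=` list of the `javascript` listing language repeats `catch`; drop the second occurrence so the line reads `keywords={typeof, new, true, false, catch, function, return, null, switch, var, if, in, while, do, else, case, break},`. `\pdfnote` expands to `\marginnote`, yet no `\usepackage{marginnote}` appears in this preamble, so the macro presumably only works if `pdfcomment` happens to load that package; add the package explicitly or drop the macro if it is unused. The eight options shared by the `javascript` and `text` definitions (`basicstyle` through `frame=lines`) could be set once with `\lstset{...}` so the two language blocks cannot drift apart.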
diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/content.tex b/events/20221101-FIRSTCTI-Berlin-Workflows/content.tex
new file mode 100755
index 0000000..9a6604f
--- /dev/null
+++ b/events/20221101-FIRSTCTI-Berlin-Workflows/content.tex
@@ -0,0 +1,643 @@
+% DO NOT COMPILE THIS FILE DIRECTLY!
+% This is included by the other .tex files.
+
+\begin{frame}[t,plain]
+\titlepage
+\end{frame}
+
+\begin{frame}
+ \frametitle{What problems are we trying to tackle?}
+ \begin{itemize}
+ \item \textbf{Prevent} default MISP behaviors to happen
+ \item \textbf{Hook} specific actions to run callbacks
+ \item Use-cases:
+ \begin{itemize}
+ \item Prevent publication of events not passing sanity checks
+ \item Prevent querying thrid-party services with sensitive information
+ \item Send notifications in a chat rooms
+ \item And much much more...
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{What already exists in MISP?}
+ \includegraphics[width=16px]{pictures/python-logo.png}\hspace*{0.5em} \textbf{MISP API / PyMISP}
+ \begin{itemize}
+ \item Needs CRON Jobs in place
+ \item Heavy for the server
+ \item Not realtime
+ \end{itemize}
+ \vspace*{1em}
+ \includegraphics[width=16px]{pictures/zeromq.png}\hspace*{0.5em} \textbf{PubSub channels}
+ \begin{itemize}
+ \item After the actions happen: No feedback to MISP
+ \item Tougher to put in place \& to share
+ \item Full integration amounts to develop a new tool
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Simple automation made easy}
+ \begin{center}
+ \includegraphics[width=0.3\linewidth]{pictures/automation.png}
+ \end{center}
+ \begin{itemize}
+ \item Why?
+ \begin{itemize}
+ \item Everyone loves \textbf{simple automation}
+ \item \textbf{Visual} dataflow programming
+ \item Users want \textbf{more control}
+ \end{itemize}
+ \item How?
+ \begin{itemize}
+ \item \textbf{Drag \& Drop} editor
+ \item Prevent actions \textbf{before they happen}
+ \item Flexible \textbf{Plug \& Play} system
+ \item \textbf{Share} workflows, \textbf{debug} and \textbf{replay}
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Content of the presentation}
+ \begin{itemize}
+ \item MISP Workflows fundamentals
+ \item Demo by examples
+ \item Get started
+ \item Using the system \& how it can be extended
+ \end{itemize}
+
+ \vspace*{1em}
+ \begin{center}
+ \frame{\includegraphics[width=0.7\linewidth]{pictures/overview.png}}
+ \end{center}
+\end{frame}
+
+\section{Workflow - Fundamentals}
+\begin{frame}
+ \frametitle{How does it work}
+ \begin{center}
+ \frame{\includegraphics[width=0.4\linewidth]{pictures/event-condition-action.png}}
+ \end{center}
+ \begin{enumerate}
+ \item An \textbf{event} happens in MISP
+ \item Check if all \textbf{conditions} are satisfied
+ \item Execute all \textbf{actions}
+ \begin{itemize}
+ \item May prevent MISP to complete its original event
+ \end{itemize}
+ \end{enumerate}
+\end{frame}
+
+\begin{frame}
+ \frametitle{What kind of events?}
+ \includegraphics[width=60px]{pictures/sc-event.png}
+ \vspace*{0.5em}
+ \begin{itemize}
+ \item New MISP Event
+ \item Attribute has been saved
+ \item New discussion post
+ \item New user created
+ \item Query against third-party services
+ \item ...
+ \end{itemize}
+ \vspace*{1em}
+ In MISP Workflow terminology, supported events are called \textbf{Triggers}
+\end{frame}
+
+\begin{frame}
+ \frametitle{What kind of conditions?}
+ \includegraphics[width=70px]{pictures/sc-condition.png}
+ \vspace*{0.5em}
+ \begin{itemize}
+ \item An MISP Event is tagged with \texttt{tlp:red}
+ \item The distribution an Attribute is a sharing group
+ \item The creator organisation is \texttt{circl.lu}
+ \item Or any other \textbf{generic} conditions
+ \end{itemize}
+
+ \vspace*{1em}
+ In MISP Workflow terminology, these are also called \textbf{Logic modules}
+\end{frame}
+
+\begin{frame}
+ \frametitle{What kind of actions?}
+ \includegraphics[width=60px]{pictures/sc-action.png}
+ \vspace*{0.5em}
+ \begin{itemize}
+ \item Send an email notification
+ \item Perform enrichments
+ \item Send a chat message on MS Teams
+ \item Attach a local tag
+ \item ...
+ \end{itemize}
+
+ \vspace*{1em}
+ In MISP Workflow terminology, these are also called \textbf{Action modules}
+\end{frame}
+
+\begin{frame}
+ \frametitle{What is a MISP Workflow?}
+ \begin{itemize}
+ \item Sequence of all nodes to be executed in the specified order
+ \item Basically the whole connected graph.
+ \item Workflows can be enabled / disabled
+ \item Workflows are always linked to a \textbf{trigger}
+ \end{itemize}
+ \begin{center}
+ \frame{\includegraphics[width=1.0\linewidth]{pictures/simple-workflow.png}}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Workflow execution for Event publish}
+ \begin{itemize}
+ \setlength\itemsep{1em}
+ \item[] \hspace*{-2em}\includegraphics[width=16px]{pictures/sc-event-icon.png} \hspace*{0.25em} An Event is about to be published
+ \begin{itemize}
+ \item The workflow for the \texttt{event-publish} trigger starts
+ \end{itemize}
+ \item[] \hspace*{-2em}\includegraphics[width=16px]{pictures/sc-condition-icon.png} \hspace*{0.25em} Conditions are evaluated
+ \item[] \hspace*{-2em}\includegraphics[width=16px]{pictures/sc-action-icon.png} \hspace*{0.25em} Actions are executed
+ \begin{itemize}
+ \setlength\itemsep{0.75em}
+ \item {\bf\color{green!50!black}success}: Continue the publishing action
+ \hspace*{-4em}\includegraphics[width=1.0\textwidth]{pictures/log-entry-publish-success.png}
+ \item {\bf\color{red}failure} | \texttt{\color{red}blocked}: Stop publishing and log the reason
+ \hspace*{-4em}\includegraphics[width=1.0\textwidth]{pictures/log-entry-publish-blocked.png}
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Blocking and non-blocking}
+ Two types of workflows:
+ \vspace{0.5em}
+ \begin{itemize}
+ \item[] \hspace*{-2em}\includegraphics[width=48px]{pictures/blocking-workflow.png} Workflows
+ \begin{itemize}
+ \item Can prevent / block the original event to happen
+ \item If a \textbf{blocking module}\includegraphics[width=10px]{pictures/blocking-module.png} blocks the action
+ \end{itemize}
+ \vspace{0.5em}
+ \item[] \hspace*{-2em}{\bf Regular} Workflows execution outcome has no impact
+ \begin{itemize}
+ \item \textbf{Blocking modules} No way to prevent something that has already happened
+ \end{itemize}
+ \begin{center}
+ \includegraphics[width=0.4\linewidth]{pictures/time-machine.png}
+ \end{center}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Workflow - Action modules}
+ % \begin{center}
+ % \includegraphics[width=0.6\linewidth]{pictures/module-type.png}
+ % \end{center}
+ \begin{itemize}
+ \item \includegraphics[width=12px]{pictures/sc-action-icon.png} \textbf{action} modules: Allow to executes operations or custom scripts
+ \begin{itemize}
+ \item Tag operations
+ \item Send notifications
+ \item Webhooks
+ \end{itemize}
+ \end{itemize}
+ \begin{center}
+ \includegraphics[width=1.0\linewidth]{pictures/action-module-index.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Workflow - Logic modules}
+ \begin{itemize}
+ \item \includegraphics[width=12px]{pictures/sc-condition-icon.png} \textbf{logic} modules: Allow to redirect the execution flow.
+ \begin{itemize}
+ \item IF conditions
+ \item Delay execution
+ \end{itemize}
+ \end{itemize}
+ \begin{center}
+ \includegraphics[width=1.0\linewidth]{pictures/logic-module-index.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Sources of Workflow modules (1)}
+ \begin{itemize}
+ \item Built-in \textbf{default} modules
+ \begin{itemize}
+ \item Part of the MISP codebase
+ \item Get in touch if you want us to increase the selection!
+ \end{itemize}
+ \end{itemize}
+ \begin{center}
+ \includegraphics[width=1.0\linewidth]{pictures/module-buffet.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Sources of Workflow modules (2)}
+ User-defined \textbf{custom} modules
+ \vspace*{0.5em}
+ \begin{columns}
+ \begin{column}{0.5\textwidth}
+ \begin{itemize}
+ \item Written in PHP
+ \item Extend existing modules
+ \item MISP code reuse
+ \end{itemize}
+ \end{column}
+ \begin{column}{0.5\textwidth}
+ \includegraphics[width=1.0\linewidth]{pictures/php-joke.jpg}
+ \end{column}
+ \end{columns}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Sources of Workflow modules (3)}
+ Modules from the \includegraphics[width=0.20\linewidth]{pictures/misp-module-icon.png} \textbf{enrichment service}
+ \vspace*{0.5em}
+ \begin{columns}
+ \begin{column}{0.50\textwidth}
+ \begin{itemize}
+ \item Written in Python
+ \item Can use any python libraries
+ \item Plug \& Play
+ \end{itemize}
+ \end{column}
+ \begin{column}{0.50\textwidth}
+ \includegraphics[width=1.0\linewidth]{pictures/python-joke.png}
+ \end{column}
+ \end{columns}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Triggers currently available}
+ Currently 10 triggers can be hooked. 3 being \includegraphics[width=36px]{pictures/blocking-workflow.png}.
+ \begin{center}
+ \includegraphics[width=1.0\linewidth]{pictures/triggers.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Demo by examples}
+ \begin{enumerate}
+ \item Send an email to \textbf{all} when a new event is created
+ \item Block queries on 3rd party services when \textbf{tlp:red} or \textbf{PAP:red}
+ \end{enumerate}
+\end{frame}
+
+\section{Workflow - Getting started}
+\begin{frame}
+ \frametitle{Getting started with workflows (1)}
+ \begin{center}
+ \includegraphics[width=0.9\linewidth]{pictures/workflow-release.png}
+ \end{center}
+ \begin{enumerate}
+ \item Update your MISP server
+ \item Update all your sub-modules
+ \end{enumerate}
+ \begin{center}
+ \includegraphics[width=0.6\textwidth]{pictures/upgrade-people.jpeg}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Getting started with workflows (2)}
+ Review MISP settings:
+ \begin{enumerate}
+ \item Make sure \texttt{\bf MISP.background\_jobs} is turned on
+ \item Make sure workers are \textbf{up-and-running} and healthy
+ \item Turn the setting \texttt{\bf Plugin.Workflow\_enable} on
+ \end{enumerate}
+ \begin{center}
+ \includegraphics[width=1.0\textwidth]{pictures/settings-2.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Getting started with workflows (3)}
+ [optional] Wanna enjoy \includegraphics[width=0.17\linewidth]{pictures/misp-module-icon.png} ?
+ \begin{enumerate}
+ \item Turn the setting \texttt{\bf Plugin.Action\_services\_enable} on
+ \end{enumerate}
+ \begin{center}
+ \includegraphics[width=1.0\textwidth]{pictures/settings-1.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Getting started with workflows (4)}
+ \begin{enumerate}
+ \item Go to the list of modules
+ \begin{itemize}
+ \item \texttt{Administration > Workflows > List Modules}
+ \item or \url{/workflows/moduleIndex}
+ \end{itemize}
+ \item Make sure \textbf{default} modules are loaded
+ \item {[optional:misp-module]} Make sure \textbf{misp-module} modules are loaded
+ \end{enumerate}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Getting started with workflows (4)}
+ \centering
+ {\Large Everything is ready?}\\
+ \vspace*{3em}
+ {\LARGE Let's see how to build a workflow!}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Creating a workflow with the editor}
+ Prevent event publication if no \textbf{tlp:*} tag, otherwise send a message on Mattermost
+\end{frame}
+
+\section{Considerations when working with workflows}
+\begin{frame}
+ \frametitle{Working with the editor - Operations not allowed}
+ Execution loop are not authorized
+ \vspace*{1em}
+ \begin{columns}
+ \begin{column}{0.7\textwidth}
+ \frame{\includegraphics[width=1.0\linewidth]{pictures/editor-not-allowed-1.png}}
+ \end{column}
+ \begin{column}{0.3\textwidth}
+ \frame{\includegraphics[width=1.0\linewidth]{pictures/infinite-loop.jpg}}
+ \end{column}
+ \end{columns}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Recursive workflows}
+ \frame{\includegraphics[width=1.0\linewidth]{pictures/recursive-workflow.png}}
+ \danger Recursion: If an action re-run the workflow
+\end{frame}
+
+\begin{frame}
+ \frametitle{Working with the editor - Operations not allowed}
+ Multiple connections from the same output
+ \vspace*{1em}
+ \begin{columns}
+ \begin{column}{0.7\textwidth}
+ \frame{\includegraphics[width=1.0\linewidth]{pictures/editor-not-allowed-2.png}}
+ \end{column}
+ \begin{column}{0.3\textwidth}
+ \frame{\includegraphics[width=1.0\linewidth]{pictures/two-paths.jpeg}}
+ \end{column}
+ \end{columns}
+ \begin{itemize}
+ \item Execution order not guaranted
+ \item Confusing for users
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Working with the editor}
+ Cases showing a warning:
+ \begin{itemize}
+ \item \textbf{Blocking} modules \includegraphics[width=10px]{pictures/blocking-module.png} in a \textbf{non-blocking} workflow \includegraphics[width=0.12\linewidth]{pictures/time-machine.png}
+ \item \textbf{Blocking} modules \includegraphics[width=10px]{pictures/blocking-module.png} after a \textbf{concurrent tasks} module
+ \begin{center}
+ \frame{\includegraphics[width=1.0\linewidth]{pictures/editor-warning-1.png}}
+ \end{center}
+ \end{itemize}
+\end{frame}
+
+\section{Advanced usage}
+\begin{frame}
+ \frametitle{Workflow blueprints}
+ \hspace*{0.9\textwidth}\includegraphics[width=32px]{pictures/blueprint-32.png}
+ \vspace*{-2em}
+ \begin{enumerate}
+ \item Blueprints allow to \textbf{re-use parts} of a workflow in another one
+ \item Blueprints can be saved, exported and \textbf{shared}
+ \end{enumerate}
+ \begin{center}
+ \includegraphics[width=0.5\linewidth]{pictures/blueprint-debugging.png}
+ \end{center}
+ Blueprints sources:
+ \begin{enumerate}
+ \item Created or imported by users
+ \item From the \texttt{MISP/misp-workflow-blueprints} repository\footnote{\scriptsize https://github.com/MISP/misp-workflow-blueprints}
+ \end{enumerate}
+\end{frame}
+
+\begin{frame}[fragile]
+ \frametitle{Hash path filtering}
+Filtering and checking conditions using hash path expression.
+\begin{lstlisting}[language=javascript,firstnumber=1]
+$path_expression = '{n}[name=fred].id';
+$users = [
+ {'id': 123, 'name': 'fred', 'surname': 'bloggs'},
+ {'id': 245, 'name': 'fred', 'surname': 'smith'},
+ {'id': 356, 'name': 'joe', 'surname': 'smith'},
+];
+$ids = Hash::extract($users, $path_expression);
+// => $ids will be [123, 245]
+\end{lstlisting}
+\begin{columns}
+ \begin{column}{0.6\textwidth}
+ \begin{center}
+ \includegraphics[width=0.7\linewidth]{pictures/attribute-json.png}
+ \end{center}
+ \end{column}
+ \begin{column}{0.4\textwidth}
+ \includegraphics[width=1.0\linewidth]{pictures/module-if-generic.png}
+ \end{column}
+\end{columns}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Data format in Workflows}
+ \begin{center}
+ \includegraphics[width=0.7\linewidth]{pictures/workflow-trigger.png}
+ \end{center}
+ \begin{itemize}
+ \item In most cases, the format is compliant with the \textbf{MISP Core format}
+ \item But data has \textbf{additional properties}
+ \begin{itemize}
+ \item Attributes are \textbf{always encapsulated} in the Event or Object
+ \item Additional key \textbf{\texttt{\_AttributeFlattened}}
+ \item Additional key \textbf{\texttt{\_allTags}}
+ \item Additional key \textbf{\texttt{inherited}} for Tags
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Logic module: Concurrent Task}
+ \begin{itemize}
+ \item Logic module allowing \textbf{multiple output} connections
+ \item \textbf{Postpone the execution} for remaining modules
+ \item Blocking modules\includegraphics[width=10px]{pictures/blocking-module.png} \textbf{cannot cancel} ongoing operations \includegraphics[width=0.05\linewidth]{pictures/time-machine.png}
+ \end{itemize}
+ \begin{center}
+ \frame{\includegraphics[width=0.5\linewidth]{pictures/module-concurrent.png}}
+ \end{center}
+\end{frame}
+
+\section{Debugging}
+\begin{frame}
+ \frametitle{Debugging Workflows: Log Entries}
+ \begin{itemize}
+ \item Workflow execution is logged in the application logs:
+ \begin{itemize}
+ \item \texttt{/admin/logs/index}
+ \end{itemize}
+ \item Or stored on disk in the following file:
+ \begin{itemize}
+ \item \texttt{/app/tmp/logs/workflow-execution.log}
+ \end{itemize}
+ \end{itemize}
+ \begin{center}
+ \includegraphics[width=1.0\linewidth]{pictures/workflow-debug.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Debugging Workflows: Debug mode}
+ \begin{itemize}
+ \item The \includegraphics[width=70px]{pictures/debug-mode.png} can be turned on for each workflows
+ \item Each nodes will send data to the provided URL
+ \begin{itemize}
+ \item Configure the setting: \texttt{Plugin.Workflow\_debug\_url}
+ \end{itemize}
+ \item Result can be visualized in
+ \begin{itemize}
+ \item \textbf{offline}: \texttt{tools/misp-workflows/webhook-listener.py}
+ \item \textbf{online}: \url{requestbin.com} or similar websites
+ \end{itemize}
+ \end{itemize}
+ \begin{center}
+ \includegraphics[width=0.6\linewidth]{pictures/request-bin.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Debugging modules: Stateless execution}
+ \begin{itemize}
+ \item Test custom modules with custom input
+ \end{itemize}
+ \begin{center}
+ \includegraphics[width=1.0\linewidth]{pictures/stateless-execution.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Debugging modules: Re-running workflows}
+ \begin{itemize}
+ \item Try workflows with custom input
+ \item Re-run workflows to ease debugging
+ \end{itemize}
+ \begin{center}
+ \frame{\includegraphics[width=0.55\linewidth]{pictures/running-workflows.png}}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Debugging options}
+ \begin{columns}
+ \begin{column}{0.6\textwidth}
+ \begin{itemize}
+ \item Workflow execution and outcome
+ \item Module execution and outcome
+ \item Live workflow debugging with module inspection
+ \item Re-running/testing workflows with custom data
+ \item Stateless module execution
+ \end{itemize}
+ \end{column}
+ \begin{column}{0.4\textwidth}
+ \includegraphics[width=1.0\linewidth]{pictures/enough-debugging.jpg}
+ \end{column}
+ \end{columns}
+\end{frame}
+
+\section{Extending the system}
+\begin{frame}
+ \frametitle{Creating a new module in PHP}
+ \begin{center}
+ \includegraphics[width=0.65\linewidth]{pictures/custom-1.png}
+ \end{center}
+
+ \begin{itemize}
+ \item \texttt{\small \textbf{app/Lib/}WorkflowModules/action/[module\_name].php}
+ \item Designed to be easilty extended
+ \begin{itemize}
+ \item Helper functions
+ \item Module configuration as variables
+ \item Implement runtime logic
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Creating a new module in Python}
+ \begin{center}
+ \includegraphics[width=0.65\linewidth]{pictures/custom-2.png}
+ \end{center}
+
+ \begin{itemize}
+ \item Similar to how other \texttt{misp-modules} are implemented
+ \begin{itemize}
+ \item Helper functions
+ \item Module configuration as variables
+ \item Implement runtime logic
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Ideas}
+ \begin{itemize}
+ \item Chat notification a community when new user joins an instance
+ \item Trigger on any action via log entries
+ \item Extend existing MISP behavior: Push correlation in another system
+ \item Sanity check to block publishing
+ \item ...
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Future works}
+ \begin{columns}
+ \begin{column}{0.55\textwidth}
+ \begin{itemize}
+ \item More \includegraphics[width=12px]{pictures/sc-action-icon.png} modules
+ \item More \includegraphics[width=12px]{pictures/sc-condition-icon.png} modules
+ \item More \includegraphics[width=12px]{pictures/sc-event-icon.png} triggers
+ \item More documentation
+ \item Recursion prevention system
+ \item On-the-fly data override?
+ \end{itemize}
+ \end{column}
+ \begin{column}{0.45\textwidth}
+ \includegraphics[width=1.0\linewidth]{pictures/future-works.jpeg}
+ \end{column}
+ \end{columns}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Final words}
+ \begin{columns}
+ \begin{column}{0.6\textwidth}
+ \begin{itemize}
+ \item Feature designed to quickly and cheaply support CTI pipeline
+ \item \textbf{Beta}: Feature unlikely to change. But still..
+ \item Waiting for feedback!
+ \begin{itemize}
+ \item New triggers?
+ \item New action modules?
+ \item New conditional modules?
+ \item ...
+ \end{itemize}
+ \end{itemize}
+ \end{column}
+ \begin{column}{0.4\textwidth}
+ \includegraphics[width=1.0\linewidth]{pictures/feeling-of-power.jpg}
+ \end{column}
+ \end{columns}
+ \vspace*{0.5em}
+\end{frame}
+
diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/misp.pdf b/events/20221101-FIRSTCTI-Berlin-Workflows/misp.pdf
new file mode 100644
index 0000000..f7a3f9d
Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/misp.pdf differ
diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/action-module-index.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/action-module-index.png
new file mode 100644
index 0000000..dd9c62d
Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/action-module-index.png differ
diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/attribute-json.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/attribute-json.png
new file mode 100644
index 0000000..4ad2065
Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/attribute-json.png differ
diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/automation.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/automation.png
new file mode 100644
index 0000000..d628e0f
Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/automation.png differ
diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/belgian-joke.jpeg b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/belgian-joke.jpeg new file mode 100644 index 0000000..6deff1b Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/belgian-joke.jpeg differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/blocking-module.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/blocking-module.png new file mode 100644 index 0000000..f8a817d Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/blocking-module.png differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/blocking-workflow.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/blocking-workflow.png new file mode 100644 index 0000000..145cc12 Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/blocking-workflow.png differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/blueprint-1.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/blueprint-1.png new file mode 100644 index 0000000..1e3acbf Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/blueprint-1.png differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/blueprint-32.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/blueprint-32.png new file mode 100644 index 0000000..8d1d4c6 Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/blueprint-32.png differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/blueprint-debugging.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/blueprint-debugging.png new file mode 100644 index 0000000..c2974e7 Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/blueprint-debugging.png differ 
diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/ctis.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/ctis.png new file mode 100644 index 0000000..aef68a5 Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/ctis.png differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/custom-1.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/custom-1.png new file mode 100644 index 0000000..afadf8e Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/custom-1.png differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/custom-2.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/custom-2.png new file mode 100644 index 0000000..0dad53f Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/custom-2.png differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/debug-mode.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/debug-mode.png new file mode 100644 index 0000000..ba7688d Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/debug-mode.png differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/editor-1.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/editor-1.png new file mode 100644 index 0000000..c8c3edf Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/editor-1.png differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/editor-not-allowed-1.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/editor-not-allowed-1.png new file mode 100644 index 0000000..d4dc939 Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/editor-not-allowed-1.png differ 
diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/editor-not-allowed-2.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/editor-not-allowed-2.png new file mode 100644 index 0000000..538bb3f Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/editor-not-allowed-2.png differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/editor-warning-1.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/editor-warning-1.png new file mode 100644 index 0000000..8370f96 Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/editor-warning-1.png differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/enough-debugging.jpg b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/enough-debugging.jpg new file mode 100644 index 0000000..f17c14c Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/enough-debugging.jpg differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/event-condition-action.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/event-condition-action.png new file mode 100644 index 0000000..0ee3afe Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/event-condition-action.png differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/example-1a.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/example-1a.png new file mode 100644 index 0000000..e4df2d5 Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/example-1a.png differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/example-2a.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/example-2a.png new file mode 100644 index 0000000..ce103af Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/example-2a.png differ 
diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/feeling-of-power.jpg b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/feeling-of-power.jpg new file mode 100644 index 0000000..b84c299 Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/feeling-of-power.jpg differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/first-cti.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/first-cti.png new file mode 100644 index 0000000..5d8fec1 Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/first-cti.png differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/future-works.jpeg b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/future-works.jpeg new file mode 100644 index 0000000..874805d Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/future-works.jpeg differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/geekweek75.jpg b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/geekweek75.jpg new file mode 100644 index 0000000..799e121 Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/geekweek75.jpg differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/infinite-loop.jpg b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/infinite-loop.jpg new file mode 100644 index 0000000..a45fff7 Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/infinite-loop.jpg differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/log-entry-publish-blocked.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/log-entry-publish-blocked.png new file mode 100644 index 0000000..9ccb098 Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/log-entry-publish-blocked.png differ 
diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/log-entry-publish-success.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/log-entry-publish-success.png new file mode 100644 index 0000000..2a26119 Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/log-entry-publish-success.png differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/logic-module-index.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/logic-module-index.png new file mode 100644 index 0000000..736313c Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/logic-module-index.png differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/misp-module-icon.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/misp-module-icon.png new file mode 100644 index 0000000..6fa189b Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/misp-module-icon.png differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/module-buffet.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/module-buffet.png new file mode 100644 index 0000000..8a4a676 Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/module-buffet.png differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/module-concurrent.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/module-concurrent.png new file mode 100644 index 0000000..ba994b4 Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/module-concurrent.png differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/module-filtering.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/module-filtering.png new file mode 100644 index 0000000..876d5ad Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/module-filtering.png differ 
diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/module-if-generic.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/module-if-generic.png new file mode 100644 index 0000000..973ab23 Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/module-if-generic.png differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/module-type.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/module-type.png new file mode 100644 index 0000000..d869b9d Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/module-type.png differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/no-slides-if-demo.jpg b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/no-slides-if-demo.jpg new file mode 100644 index 0000000..aeb155d Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/no-slides-if-demo.jpg differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/no-slides-if-demo2.jpg b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/no-slides-if-demo2.jpg new file mode 100644 index 0000000..38bf7f1 Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/no-slides-if-demo2.jpg differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/no-slides-if-demo3.jpg b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/no-slides-if-demo3.jpg new file mode 100644 index 0000000..61d2a2b Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/no-slides-if-demo3.jpg differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/overview.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/overview.png new file mode 100644 index 0000000..0a5a3d3 Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/overview.png differ 
diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/php-joke.jpg b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/php-joke.jpg new file mode 100644 index 0000000..0abc16d Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/php-joke.jpg differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/psyduck.jpeg b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/psyduck.jpeg new file mode 100644 index 0000000..8e54f30 Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/psyduck.jpeg differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/python-joke.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/python-joke.png new file mode 100644 index 0000000..0ce5189 Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/python-joke.png differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/python-logo.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/python-logo.png new file mode 100644 index 0000000..2416f26 Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/python-logo.png differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/recursive-workflow.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/recursive-workflow.png new file mode 100644 index 0000000..c56eb72 Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/recursive-workflow.png differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/request-bin.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/request-bin.png new file mode 100644 index 0000000..ee355fb Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/request-bin.png differ 
diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/running-workflows.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/running-workflows.png new file mode 100644 index 0000000..d591c8f Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/running-workflows.png differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/sc-action-icon.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/sc-action-icon.png new file mode 100644 index 0000000..2ac49b8 Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/sc-action-icon.png differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/sc-action.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/sc-action.png new file mode 100644 index 0000000..e8d7a66 Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/sc-action.png differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/sc-condition-icon.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/sc-condition-icon.png new file mode 100644 index 0000000..f447a5d Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/sc-condition-icon.png differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/sc-condition.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/sc-condition.png new file mode 100644 index 0000000..bb24b90 Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/sc-condition.png differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/sc-event-icon.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/sc-event-icon.png new file mode 100644 index 0000000..d1f70ef Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/sc-event-icon.png differ 
diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/sc-event.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/sc-event.png new file mode 100644 index 0000000..b58c120 Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/sc-event.png differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/settings-1.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/settings-1.png new file mode 100644 index 0000000..290851b Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/settings-1.png differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/settings-2.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/settings-2.png new file mode 100644 index 0000000..712a31a Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/settings-2.png differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/simple-workflow.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/simple-workflow.png new file mode 100644 index 0000000..f494348 Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/simple-workflow.png differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/stateless-execution.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/stateless-execution.png new file mode 100644 index 0000000..fa513b3 Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/stateless-execution.png differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/time-machine.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/time-machine.png new file mode 100644 index 0000000..494153a Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/time-machine.png differ 
diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/triggers.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/triggers.png new file mode 100644 index 0000000..ba637cc Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/triggers.png differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/two-paths.jpeg b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/two-paths.jpeg new file mode 100644 index 0000000..93542ca Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/two-paths.jpeg differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/upgrade-people.jpeg b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/upgrade-people.jpeg new file mode 100644 index 0000000..1e6ddde Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/upgrade-people.jpeg differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/whoami.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/whoami.png new file mode 100644 index 0000000..eba7518 Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/whoami.png differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/whoami2.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/whoami2.png new file mode 100644 index 0000000..46066cd Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/whoami2.png differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/workflow-debug.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/workflow-debug.png new file mode 100644 index 0000000..a2a932f Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/workflow-debug.png differ 
diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/workflow-experimental.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/workflow-experimental.png
new file mode 100644
index 0000000..96e05ec
Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/workflow-experimental.png differ
diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/workflow-release.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/workflow-release.png
new file mode 100644
index 0000000..1eef024
Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/workflow-release.png differ
diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/workflow-trigger.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/workflow-trigger.png
new file mode 100644
index 0000000..9ea7fad
Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/workflow-trigger.png differ
diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/zeromq.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/zeromq.png
new file mode 100644
index 0000000..970e9fc
Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/zeromq.png differ
diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/slide.tex b/events/20221101-FIRSTCTI-Berlin-Workflows/slide.tex
new file mode 100644
index 0000000..67961fe
--- /dev/null
+++ b/events/20221101-FIRSTCTI-Berlin-Workflows/slide.tex
@@ -0,0 +1,64 @@
+\documentclass{beamer}
+\usetheme[numbering=progressbar]{focus}
+\definecolor{main}{RGB}{47, 161, 219}
+\definecolor{textcolor}{RGB}{128, 128, 128}
+\definecolor{background}{RGB}{240, 247, 255}
+
+% \usepackage{pgfpages}
+% \setbeameroption{show notes on second screen=right}
+\usepackage[draft]{pdfcomment}
+\newcommand{\pdfnote}[1]{\marginnote{\pdfcomment[icon=note]{#1}}}
+
+\usepackage[utf8]{inputenc}
+\usepackage{tikz}
+\usepackage{listings}
+\usepackage{adjustbox}
+\usepackage{fourier}
+\usetikzlibrary{positioning}
+\usetikzlibrary{shapes,arrows}
+
+\lstdefinelanguage{javascript}{
+ basicstyle=\scriptsize,
+ numbers=left,
+ numberstyle=\scriptsize,
+ stepnumber=1,
+ numbersep=5pt,
+ showstringspaces=false,
+ breaklines=true,
+ frame=lines,
+ keywords={typeof, new, true, false, catch, function, return, null, catch, switch, var, if, in, while, do, else, case, break},
+ %keywordstyle=\color{blue}\bfseries,
+ ndkeywords={class, export, boolean, throw, implements, import, this},
+ ndkeywordstyle=\color{darkgray}\bfseries,
+ identifierstyle=\color{black},
+ sensitive=false,
+ comment=[l]{//},
+ morecomment=[s]{/*}{*/},
+ commentstyle=\color{purple}\ttfamily,
+ %stringstyle=\color{red}\ttfamily,
+ morestring=[b]',
+ morestring=[b]"
+}
+\lstdefinelanguage{text}{
+ basicstyle=\scriptsize,
+ numbers=left,
+ numberstyle=\scriptsize,
+ stepnumber=1,
+ numbersep=5pt,
+ showstringspaces=false,
+ breaklines=true,
+ frame=lines
+}
+
+\title{Automation with MISP Workflows}
+\subtitle{A new way to support your CTI pipelines}
+\author{Alexandre Dulaunoy, Andras Iklody, Sami Mokaddem}
+\date{\input{../includes/location.txt}}
+\titlegraphic{\includegraphics[scale=0.5]{misp.pdf}\\ \includegraphics[width=0.8\linewidth]{pictures/first-cti.png}}
+\institute{MISP Project \\ \url{https://www.misp-project.org/}}
+
+
+\begin{document}
+\include{content}
+\end{document}
+
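Review bot: `\pdfnote` is defined as `\newcommand{\pdfnote}[1]{\marginnote{\pdfcomment[icon=note]{#1}}}`, but nothing in this preamble loads the `marginnote` package, so the first `\pdfnote` in the included content would stop the build with an undefined control sequence unless some other package in the chain happens to provide `\marginnote`. Either add `\usepackage{marginnote}` next to the `pdfcomment` line or remove the macro if it is unused. Note that the `[draft]` option on `pdfcomment` is the only thing keeping speaker-note text out of the generated PDF; if someone drops it to see the notes locally, anything passed to `\pdfnote` ships in the distributed deck, so a comment saying `% [draft] suppresses the note annotations; do not remove for published builds` would be worth the line. Smaller points: `catch` appears twice in the `keywords=` list, and `\include{content}` forces a page break and cannot nest, whereas `\input{content}` is the conventional way to pull in a slide fragment.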
diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/slide.upa b/events/20221101-FIRSTCTI-Berlin-Workflows/slide.upa
new file mode 100644
index 0000000..e69de29
diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/slide_handout.tex b/events/20221101-FIRSTCTI-Berlin-Workflows/slide_handout.tex
new file mode 100644
index 0000000..6e3d259
--- /dev/null
+++ b/events/20221101-FIRSTCTI-Berlin-Workflows/slide_handout.tex
@@ -0,0 +1,66 @@
+\documentclass{beamer}
+\usetheme[numbering=progressbar]{focus}
+\definecolor{main}{RGB}{47, 161, 219}
+\definecolor{textcolor}{RGB}{128, 128, 128}
+\definecolor{background}{RGB}{240, 247, 255}
+
+% \usepackage{pgfpages}
+% \setbeameroption{show notes on second screen=right}
+\usepackage[draft]{pdfcomment}
+\newcommand{\pdfnote}[1]{\marginnote{\pdfcomment[icon=note]{#1}}}
+
+\usepackage{pgfpages}
+\setbeameroption{show notes on second screen=right}
+\usepackage[utf8]{inputenc}
+\usepackage{tikz}
+\usepackage{listings}
+\usepackage{adjustbox}
+\usepackage{fourier}
+\usetikzlibrary{positioning}
+\usetikzlibrary{shapes,arrows}
+
+\lstdefinelanguage{javascript}{
+ basicstyle=\scriptsize,
+ numbers=left,
+ numberstyle=\scriptsize,
+ stepnumber=1,
+ numbersep=5pt,
+ showstringspaces=false,
+ breaklines=true,
+ frame=lines,
+ keywords={typeof, new, true, false, catch, function, return, null, catch, switch, var, if, in, while, do, else, case, break},
+ %keywordstyle=\color{blue}\bfseries,
+ ndkeywords={class, export, boolean, throw, implements, import, this},
+ ndkeywordstyle=\color{darkgray}\bfseries,
+ identifierstyle=\color{black},
+ sensitive=false,
+ comment=[l]{//},
+ morecomment=[s]{/*}{*/},
+ commentstyle=\color{purple}\ttfamily,
+ %stringstyle=\color{red}\ttfamily,
+ morestring=[b]',
+ morestring=[b]"
+}
+\lstdefinelanguage{text}{
+ basicstyle=\scriptsize,
+ numbers=left,
+ numberstyle=\scriptsize,
+ stepnumber=1,
+ numbersep=5pt,
+ showstringspaces=false,
+ breaklines=true,
+ frame=lines
+}
+
+\title{Automation with MISP Workflows}
+\subtitle{A new way to support your CTI pipelines}
+\author{Alexandre Dulaunoy, Andras Iklody, Sami Mokaddem}
+\date{\input{../includes/location.txt}}
+\titlegraphic{\includegraphics[scale=0.5]{misp.pdf}\\ \includegraphics[width=0.8\linewidth]{pictures/first-cti.png}}
+\institute{MISP Project \\ \url{https://www.misp-project.org/}}
+
+
+\begin{document}
+\include{content}
+\end{document}
+
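Review bot: The commented pair `% \usepackage{pgfpages}` / `% \setbeameroption{show notes on second screen=right}` is dead text here, because the live `\usepackage{pgfpages}` and `\setbeameroption{show notes on second screen=right}` are added a few lines below; drop the commented lines in the handout. More broadly, this file is a copy of slide.tex from the previous hunk that differs only in those two active lines, so the shared preamble (colours, packages, the two listings languages and the title block) would be better kept in one file that both documents `\input`, preventing the slides and the handout from drifting apart.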
diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/slide_handout.upa b/events/20221101-FIRSTCTI-Berlin-Workflows/slide_handout.upa new file mode 100644 index 0000000..e69de29 diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/content.tex b/events/20221110-FIST-AUTOMATION-SIG-Workflows/content.tex new file mode 100755 index 0000000..b8eb3c0 --- /dev/null +++ b/events/20221110-FIST-AUTOMATION-SIG-Workflows/content.tex 
@@ -0,0 +1,601 @@
+% DO NOT COMPILE THIS FILE DIRECTLY!
+% This is included by the other .tex files.
+
+\begin{frame}[t,plain]
+\titlepage
+\end{frame}
+
+\begin{frame}
+ \frametitle{Automation in MISP: What already exists?}
+ \includegraphics[valign=m,width=16px]{pictures/python-logo.png}\hspace*{0.5em} \textbf{MISP API / PyMISP}
+ \begin{itemize}
+ \item Needs CRON Jobs in place
+ \item Heavy for the server
+ \item Not realtime
+ \end{itemize}
+ \vspace*{1em}
+ \includegraphics[valign=m,width=16px]{pictures/zeromq.png}\hspace*{0.5em} \textbf{PubSub channels}
+ \begin{itemize}
+ \item After the actions happen: No feedback to MISP
+ \item Tougher to put in place \& to share
+ \item Full integration amounts to develop a new tool
+ \end{itemize}
+ \vspace*{0.5em}
+ $\rightarrow$ No way to \textbf{prevent} behavior\\
+ $\rightarrow$ Difficult to setup \textbf{hooks} to execute callbacks
+\end{frame}
+
+\begin{frame}
+ \frametitle{What type of use-cases are we trying to support?}
+ \begin{itemize}
+ \item \textbf{Prevent} default MISP behaviors to happen
+ \begin{itemize}
+ \item Prevent \textbf{publication of events} not passing sanity checks
+ \item Prevent \textbf{querying} thrid-party \textbf{services} with sensitive information
+ \item $\cdots$
+ \end{itemize}
+ \vspace*{1.0em}
+ \item \textbf{Hook} specific actions to run callbacks
+ \begin{itemize}
+ \item \textbf{Automatically run} enrichment services
+ \item Modify data on-the-fly: False positives, enable CTI-Pipeline
+ \item Send notifications in a chat rooms
+ \item $\cdots$
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Simple automation in MISP made easy}
+ \begin{center}
+ \includegraphics[width=0.3\linewidth]{pictures/automation.png}
+ \end{center}
+ \begin{itemize}
+ \item Why?
+ \begin{itemize}
+ \item Everyone loves \textbf{simple automation}
+ \item \textbf{Visual} dataflow programming
+ \item Users want \textbf{more control}
+ \end{itemize}
+ \item How?
+ \begin{itemize}
+ \item \textbf{Drag \& Drop} editor
+ \item Prevent actions \textbf{before they happen}
+ \item Flexible \textbf{Plug \& Play} system
+ \item \textbf{Share} workflows, \textbf{debug} and \textbf{replay}
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Content of the presentation}
+ \begin{itemize}
+ \item MISP Workflows fundamentals
+ \item Demo by examples
+ \item Using the system
+ \item How it can be extended
+ \end{itemize}
+
+ \vspace*{1em}
+ \begin{center}
+ \frame{\includegraphics[width=0.7\linewidth]{pictures/overview.png}}
+ \end{center}
+\end{frame}
+
+\section{Workflow - Fundamentals}
+\begin{frame}
+ \frametitle{How does it work}
+ \begin{center}
+ \frame{\includegraphics[width=0.6\linewidth]{pictures/event-condition-action.png}}
+ \end{center}
+ \begin{enumerate}
+ \item An \textbf{event} happens in MISP
+ \item Check if all \textbf{conditions} are satisfied
+ \item Execute all \textbf{actions}
+ \begin{itemize}
+ \item May prevent MISP to complete its original event
+ \end{itemize}
+ \end{enumerate}
+\end{frame}
+
+\begin{frame}
+ \frametitle{What kind of events?}
+ \includegraphics[width=60px]{pictures/sc-event.png}
+ \vspace*{0.5em}
+ \begin{itemize}
+ \item New MISP Event
+ \item Attribute has been saved
+ \item New discussion post
+ \item New user created
+ \item Query against third-party services
+ \item ...
+ \end{itemize}
+ \vspace*{1em}
+ {\Large \faIcon{question-circle}} Supported events in MISP are called \textbf{Triggers}\\
+ {\Large \faIcon{question-circle}} A \textbf{Trigger} is associated with \textbf{1-and-only-1 Workflow}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Triggers currently available}
+ Currently 10 triggers can be hooked. 3 being \includegraphics[width=36px]{pictures/blocking-workflow.png}.
+ \begin{center}
+ \includegraphics[width=1.0\linewidth]{pictures/triggers.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{What kind of conditions?}
+ \vspace*{0.25em}
+ \includegraphics[width=70px]{pictures/sc-condition.png}
+ \vspace*{0.25em}
+ \begin{itemize}
+ \item An MISP Event is tagged with \texttt{tlp:red}
+ \item The distribution an Attribute is a sharing group
+ \item The creator organisation is \texttt{circl.lu}
+ \item Or any other \textbf{generic} conditions
+ \end{itemize}
+
+ \vspace*{0.5em}
+ {\Large \faIcon{question-circle}} These are also called \textbf{Logic modules}
+ \begin{center}
+ \includegraphics[width=0.43\textwidth]{pictures/logic-module.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Workflow - Logic modules}
+ \begin{itemize}
+ \item \includegraphics[width=12px]{pictures/sc-condition-icon.png} \textbf{logic} modules: Allow to redirect the execution flow.
+ \begin{itemize}
+ \item IF conditions
+ \item Delay execution
+ \end{itemize}
+ \end{itemize}
+ \begin{center}
+ \includegraphics[width=1.0\linewidth]{pictures/logic-module-index.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{What kind of actions?}
+ \vspace*{0.25em}
+ \includegraphics[width=60px]{pictures/sc-action.png}
+ \vspace*{0.25em}
+ \begin{itemize}
+ \item Send an email notification
+ \item Perform enrichments
+ \item Send a chat message on MS Teams
+ \item Attach a local tag
+ \item ...
+ \end{itemize}
+
+ \vspace*{0.5em}
+ {\Large \faIcon{question-circle}} These are also called \textbf{Action modules}
+ \begin{center}
+ \includegraphics[width=0.43\textwidth]{pictures/action-module.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Workflow - Action modules}
+ \begin{itemize}
+ \item \includegraphics[width=12px]{pictures/sc-action-icon.png} \textbf{action} modules: Allow to executes operations
+ \begin{itemize}
+ \item Tag operations
+ \item Send notifications
+ \item Webhooks
+ \item Custom scripts
+ \end{itemize}
+ \end{itemize}
+ \begin{center}
+ \includegraphics[width=1.0\linewidth]{pictures/action-module-index.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{What is a MISP Workflow?}
+ \begin{itemize}
+ \item Sequence of all nodes to be executed in a specific order
+ \item Workflows can be enabled / disabled
+ \item A Workflow is associated to \textbf{1-and-only-1 trigger}
+ \end{itemize}
+ \vspace*{0.5em}
+ \begin{center}
+ \frame{\includegraphics[width=1.0\linewidth]{pictures/simple-workflow.png}}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Workflow execution for Event publish}
+ \begin{itemize}
+ \setlength\itemsep{1em}
+ \item[] \hspace*{-2em}\includegraphics[width=16px]{pictures/sc-event-icon.png} \hspace*{0.25em} An Event is about to be published
+ \begin{itemize}
+ \item The workflow for the \texttt{event-publish} trigger starts
+ \end{itemize}
+ \item[] \hspace*{-2em}\includegraphics[width=16px]{pictures/sc-condition-icon.png} \hspace*{0.25em} Conditions are evaluated
+ \begin{itemize}
+ \item They might change the path taken during the execution
+ \end{itemize}
+ \item[] \hspace*{-2em}\includegraphics[width=16px]{pictures/sc-action-icon.png} \hspace*{0.25em} Actions are executed
+ \begin{itemize}
+ \setlength\itemsep{0.75em}
+ \item {\bf\color{green!50!black}success}: Continue the publishing action
+ \hspace*{-4em}\includegraphics[width=1.0\textwidth]{pictures/log-entry-publish-success.png}
+ \item {\bf\color{red}failure} | \texttt{\color{red}blocked}: Stop publishing and log the reason
+ \hspace*{-4em}\includegraphics[width=1.0\textwidth]{pictures/log-entry-publish-blocked.png}
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Blocking and non-blocking}
+ Two types of workflows:
+ \vspace{0.5em}
+ \begin{itemize}
+ \item[] \hspace*{-2em}\includegraphics[valign=m,width=48px]{pictures/blocking-workflow.png} Workflows
+ \begin{itemize}
+ \item Can prevent / block the original event to happen
+ \item If a \textbf{blocking module}\includegraphics[valign=b,width=12px]{pictures/blocking-module.png} blocks the action
+ \end{itemize}
+ \vspace{0.5em}
+ \item[] \hspace*{-2em}\includegraphics[valign=b,width=56px]{pictures/non-blocking-workflow.png} Workflows execution outcome has no impact
+ \begin{itemize}
+ \item No way to prevent something that happened in the past
+ \end{itemize}
+ \begin{center}
+ \includegraphics[width=0.4\linewidth]{pictures/time-machine.png}
+ \end{center}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Sources of Workflow modules (0)}
+ \begin{itemize}
+ \item \textbf{Trigger} module: MISP Source code \textbf{only}
+ \begin{itemize}
+ \item Get in touch if you want more
+ \end{itemize}
+ \item \textbf{Logic} module: MISP Source code \& \textbf{custom}
+ \item \textbf{Action} module: MISP Source code \& \textbf{custom}
+ \end{itemize}
+ \vspace*{2.0em}
+ \begin{itemize}
+ \item MISP Source code $\rightarrow$ Built-in \textbf{text} module
+ \item Custom $\rightarrow$ Write your own at 2 places
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Sources of Workflow modules (1)}
+ \begin{itemize}
+ \item Built-in \textbf{default} modules
+ \begin{itemize}
+ \item Part of the MISP codebase
+ \item Get in touch if you want us to increase the selection!
+ \end{itemize}
+ \end{itemize}
+ \vspace*{0.5em}
+ \begin{center}
+ \includegraphics[width=0.8\linewidth]{pictures/module-buffet.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Sources of Workflow modules (2)}
+ User-defined \textbf{custom} modules
+ \vspace*{0.5em}
+ \begin{columns}
+ \begin{column}{0.5\textwidth}
+ \begin{itemize}
+ \item Written in PHP
+ \item Extend existing modules
+ \item MISP code reuse
+ \end{itemize}
+ \end{column}
+ \begin{column}{0.5\textwidth}
+ \includegraphics[width=1.0\linewidth]{pictures/php-joke.jpg}
+ \end{column}
+ \end{columns}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Sources of Workflow modules (3)}
+ Modules from the \includegraphics[width=0.20\linewidth]{pictures/misp-module-icon.png} \textbf{enrichment service}
+ \vspace*{0.5em}
+ \begin{columns}
+ \begin{column}{0.50\textwidth}
+ \begin{itemize}
+ \item Written in Python
+ \item Can use any python libraries
+ \item Plug \& Play
+ \end{itemize}
+ \end{column}
+ \begin{column}{0.50\textwidth}
+ \includegraphics[width=1.0\linewidth]{pictures/python-joke.png}
+ \end{column}
+ \end{columns}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Demo by examples}
+ \begin{enumerate}
+ \item[WF-1.] Send an email to \textbf{all} when a new event has been pulled
+ \vspace*{2em}
+ \item[WF-2.] Block queries on 3rd party services when \textbf{tlp:red} or \textbf{PAP:red}
+ \begin{itemize}
+ \item \textbf{tlp:red}: For the eyes and ears of individual recipients only
+ \item \textbf{PAP:RED}: Only passive actions that are not detectable from the outside
+ \end{itemize}
+ \end{enumerate}
+\end{frame}
+
+\section{Workflow - Getting started}
+\begin{frame}
+ \frametitle{Getting started with workflows (1)}
+ \begin{center}
+ \includegraphics[width=0.9\linewidth]{pictures/workflow-release.png}
+ \end{center}
+ \begin{enumerate}
+ \item Update your MISP server
+ \item Update all your sub-modules
+ \end{enumerate}
+ \begin{center}
+ \includegraphics[width=0.6\textwidth]{pictures/upgrade-people.jpeg}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Getting started with workflows (4)}
+ \centering
+ {\Large Everything is ready?}\\
+ \vspace*{3em}
+ {\LARGE Let's see how to build a workflow!}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Creating a workflow with the editor}
+ \begin{enumerate}
+ \item Prevent event publication if \textbf{tlp:red} tag
+ \item Send a mail to \texttt{admin@admin.test} about potential data leak
+ \item Otherwise, send a notification on Mattermost
+ \end{enumerate}
+\end{frame}
+
+\section{Considerations when working with workflows}
+\begin{frame}
+ \frametitle{Working with the editor - Operations not allowed}
+ Execution loop are not authorized
+ \vspace*{1em}
+ \begin{columns}
+ \begin{column}{0.7\textwidth}
+ \frame{\includegraphics[width=1.0\linewidth]{pictures/editor-not-allowed-1.png}}
+ \end{column}
+ \begin{column}{0.3\textwidth}
+ \frame{\includegraphics[width=1.0\linewidth]{pictures/infinite-loop.jpg}}
+ \end{column}
+ \end{columns}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Recursive workflows}
+ \frame{\includegraphics[width=1.0\linewidth]{pictures/recursive-workflow.png}}
+ \danger Recursion: If an action re-run the workflow
+\end{frame}
+
+\begin{frame}
+ \frametitle{Working with the editor - Operations not allowed}
+ Multiple connections from the same output
+ \vspace*{1em}
+ \begin{columns}
+ \begin{column}{0.7\textwidth}
+ \frame{\includegraphics[width=1.0\linewidth]{pictures/editor-not-allowed-2.png}}
+ \end{column}
+ \begin{column}{0.3\textwidth}
+ \frame{\includegraphics[width=1.0\linewidth]{pictures/two-paths.jpeg}}
+ \end{column}
+ \end{columns}
+ \begin{itemize}
+ \item Execution order not guaranted
+ \item Confusing for users
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Working with the editor}
+ Cases showing a warning:
+ \begin{itemize}
+ \item \textbf{Blocking} modules \includegraphics[width=10px]{pictures/blocking-module.png} in a \includegraphics[valign=b,width=56px]{pictures/non-blocking-workflow.png} workflow \includegraphics[width=0.12\linewidth]{pictures/time-machine.png}
+ \item \textbf{Blocking} modules \includegraphics[width=10px]{pictures/blocking-module.png} after a \textbf{concurrent tasks} module
+ \begin{center}
+ \frame{\includegraphics[width=1.0\linewidth]{pictures/editor-warning-1.png}}
+ \end{center}
+ \end{itemize}
+\end{frame}
+
+\section{Advanced usage}
+\begin{frame}
+ \frametitle{Workflow blueprints}
+ \hspace*{0.9\textwidth}\includegraphics[width=32px]{pictures/blueprint-32.png}
+ \vspace*{-2em}
+ \begin{enumerate}
+ \item Blueprints allow to \textbf{re-use parts} of a workflow in another one
+ \item Blueprints can be saved, exported and \textbf{shared}
+ \end{enumerate}
+ \begin{center}
+ \includegraphics[width=0.5\linewidth]{pictures/blueprint-debugging.png}
+ \end{center}
+ Blueprints sources:
+ \begin{enumerate}
+ \item Created or imported by users
+ \item From the \texttt{MISP/misp-workflow-blueprints} repository\footnote{\scriptsize https://github.com/MISP/misp-workflow-blueprints}
+ \end{enumerate}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Data format in Workflows}
+ \begin{center}
+ \includegraphics[width=0.7\linewidth]{pictures/workflow-trigger.png}
+ \end{center}
+ \begin{itemize}
+ \item In most cases, the format is the \textbf{MISP Core format}
+ \begin{itemize}
+ \item Attributes are \textbf{always encapsulated} in the Event or Object
+ \end{itemize}
+ \item But has \textbf{additional properties}
+ \begin{itemize}
+ \item Additional key \textbf{\texttt{\_AttributeFlattened}}
+ \item Additional key \textbf{\texttt{\_allTags}}
+ \item Additional key \textbf{\texttt{inherited}} for Tags
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Logic module: Concurrent Task}
+ \begin{itemize}
+ \item Logic module allowing \textbf{multiple output} connections
+ \item \textbf{Postpone the execution} for remaining modules
+ \item Convert \includegraphics[valign=b,width=44px]{pictures/blocking-workflow.png} \faIcon{long-arrow-alt-right} \includegraphics[valign=b,width=56px]{pictures/non-blocking-workflow.png}
+ \end{itemize}
+ \begin{center}
+ \frame{\includegraphics[width=0.5\linewidth]{pictures/module-concurrent.png}}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Debugging options}
+ \begin{columns}
+ \begin{column}{0.6\textwidth}
+ \begin{itemize}
+ \item Workflow \textbf{execution and outcome}
+ \item Module \textbf{execution and outcome}
+ \item \textbf{Live} workflow debugging with module inspection
+ \item \textbf{Re-running/testing} workflows with custom data
+ \item \textbf{Stateless} module execution
+ \end{itemize}
+ \end{column}
+ \begin{column}{0.4\textwidth}
+ \includegraphics[width=1.0\linewidth]{pictures/enough-debugging.jpg}
+ \end{column}
+ \end{columns}
+\end{frame}
+
+\section{Extending the system}
+\begin{frame}
+ \frametitle{Creating a new module in PHP}
+ \begin{center}
+ \includegraphics[scale=0.07]{pictures/PHP-logo.png}
+ \end{center}
+ \vspace*{2em}
+ \begin{itemize}
+ \item \texttt{\small \textbf{app/Lib/}WorkflowModules/action/[module\_name].php}
+ \item Designed to be easilty extended
+ \begin{itemize}
+ \item Helper functions
+ \item Module configuration as variables
+ \item Implement runtime logic
+ \end{itemize}
+ \item Main benefits
+ \begin{itemize}
+ \item Fast
+ \item Re-use existing functionalities
+ \item No need for misp-modules
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Creating a new module in PHP}
+ \begin{center}
+ \includegraphics[width=1.0\linewidth]{pictures/custom-1.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Creating a new module in Python}
+ \begin{center}
+ \includegraphics[scale=0.03]{pictures/python-logo.png}
+ \end{center}
+ \begin{itemize}
+ \item Similar to how other \texttt{misp-modules} are implemented
+ \begin{itemize}
+ \item Helper functions
+ \item Module configuration as variables
+ \item Implement runtime logic
+ \end{itemize}
+ \item Main benefits
+ \begin{itemize}
+ \item Easier than PHP
+ \item Lots of libraries for integration
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Creating a new module in Python}
+ \begin{center}
+ \includegraphics[width=1.0\linewidth]{pictures/custom-2.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{More ideas}
+ \begin{itemize}
+ \item Notification when new users join an instance
+ \item Trigger on any action generating log entries
+ \item Extend existing MISP behavior: Push correlation in another system
+ \item Sanity check to block publishing
+ \item ...
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Under development}
+ Ease data manipulation with \textbf{filtering modules}
+ \begin{center}
+ \includegraphics[width=1.0\textwidth]{pictures/filtering-modules.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Future works}
+ \begin{columns}
+ \begin{column}{0.55\textwidth}
+ \begin{itemize}
+ \item More \includegraphics[width=12px]{pictures/sc-action-icon.png} modules
+ \item More \includegraphics[width=12px]{pictures/sc-condition-icon.png} modules
+ \item More \includegraphics[width=12px]{pictures/sc-event-icon.png} triggers
+ \item More documentation
+ \item Recursion prevention system
+ \item On-the-fly data override?
+ \end{itemize}
+ \end{column}
+ \begin{column}{0.45\textwidth}
+ \includegraphics[width=1.0\linewidth]{pictures/future-works.jpeg}
+ \end{column}
+ \end{columns}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Final words}
+ \begin{columns}
+ \begin{column}{0.6\textwidth}
+ \begin{itemize}
+ \item Designed to \textbf{quickly} and \textbf{cheaply} integrate MISP in CTI pipelines
+ \item \underline{\textbf{Beta}} Feature unlikely to change. But still..
+ \item Waiting for feedback!
+ \begin{itemize}
+ \item New triggers?
+ \item New modules?
+ \item ...
+ \end{itemize}
+ \end{itemize}
+ \end{column}
+ \begin{column}{0.4\textwidth}
+ \includegraphics[width=1.0\linewidth]{pictures/feeling-of-power.jpg}
+ \end{column}
+ \end{columns}
+ \vspace*{0.5em}
+\end{frame}
+
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/misp.pdf b/events/20221110-FIST-AUTOMATION-SIG-Workflows/misp.pdf new file mode 100644 index 0000000..f7a3f9d Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/misp.pdf differ
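Review bot: The footnote on the "Workflow blueprints" frame carries a raw URL, `\footnote{\scriptsize https://github.com/MISP/misp-workflow-blueprints}`; since beamer loads hyperref it should be `\footnote{\scriptsize \url{https://github.com/MISP/misp-workflow-blueprints}}` so the link is clickable and breakable, matching the `\url` already used in the `\institute` line of the sibling preambles. The `{\bf\color{green!50!black}success}` and `{\bf\color{red}failure}` items on the "Workflow execution for Event publish" frame use the plain-TeX `\bf` switch; `\textbf{\textcolor{green!50!black}{success}}` is the LaTeX form. A few slide-text typos while touching the file: `thrid-party` → `third-party` (use-cases frame), `guaranted` → `guaranteed` (multiple-connections frame), `easilty` → `easily` (PHP module frame), and the demo frame writes the same tag as both `PAP:red` and `PAP:RED`.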
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/PHP-logo.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/PHP-logo.png new file mode 100644 index 0000000..296dfe2 Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/PHP-logo.png differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/action-module-index.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/action-module-index.png new file mode 100644 index 0000000..dd9c62d Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/action-module-index.png differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/action-module.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/action-module.png new file mode 100644 index 0000000..6b622e8 Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/action-module.png differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/attribute-json.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/attribute-json.png new file mode 100644 index 0000000..4ad2065 Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/attribute-json.png differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/automation.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/automation.png new file mode 100644 index 0000000..d628e0f Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/automation.png differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/belgian-joke.jpeg b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/belgian-joke.jpeg new file mode 100644 index 0000000..6deff1b Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/belgian-joke.jpeg differ 
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/blocking-module.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/blocking-module.png new file mode 100644 index 0000000..f8a817d Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/blocking-module.png differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/blocking-workflow.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/blocking-workflow.png new file mode 100644 index 0000000..145cc12 Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/blocking-workflow.png differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/blueprint-1.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/blueprint-1.png new file mode 100644 index 0000000..1e3acbf Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/blueprint-1.png differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/blueprint-32.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/blueprint-32.png new file mode 100644 index 0000000..8d1d4c6 Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/blueprint-32.png differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/blueprint-debugging.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/blueprint-debugging.png new file mode 100644 index 0000000..c2974e7 Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/blueprint-debugging.png differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/ctis.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/ctis.png new file mode 100644 index 0000000..aef68a5 Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/ctis.png differ 
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/custom-1.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/custom-1.png new file mode 100644 index 0000000..afadf8e Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/custom-1.png differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/custom-2.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/custom-2.png new file mode 100644 index 0000000..0dad53f Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/custom-2.png differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/debug-mode.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/debug-mode.png new file mode 100644 index 0000000..ba7688d Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/debug-mode.png differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/editor-1.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/editor-1.png new file mode 100644 index 0000000..c8c3edf Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/editor-1.png differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/editor-not-allowed-1.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/editor-not-allowed-1.png new file mode 100644 index 0000000..d4dc939 Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/editor-not-allowed-1.png differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/editor-not-allowed-2.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/editor-not-allowed-2.png new file mode 100644 index 0000000..538bb3f Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/editor-not-allowed-2.png differ 
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/editor-warning-1.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/editor-warning-1.png new file mode 100644 index 0000000..8370f96 Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/editor-warning-1.png differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/enough-debugging.jpg b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/enough-debugging.jpg new file mode 100644 index 0000000..f17c14c Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/enough-debugging.jpg differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/event-condition-action.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/event-condition-action.png new file mode 100644 index 0000000..0ee3afe Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/event-condition-action.png differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/example-1a.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/example-1a.png new file mode 100644 index 0000000..e4df2d5 Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/example-1a.png differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/example-2a.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/example-2a.png new file mode 100644 index 0000000..ce103af Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/example-2a.png differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/feeling-of-power.jpg b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/feeling-of-power.jpg new file mode 100644 index 0000000..b84c299 Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/feeling-of-power.jpg differ 
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/filtering-modules.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/filtering-modules.png
new file mode 100644
index 0000000..9ca53e3
Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/filtering-modules.png differ
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/first-cti.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/first-cti.png
new file mode 100644
index 0000000..5d8fec1
Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/first-cti.png differ
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/future-works.jpeg b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/future-works.jpeg
new file mode 100644
index 0000000..874805d
Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/future-works.jpeg differ
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/geekweek75.jpg b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/geekweek75.jpg
new file mode 100644
index 0000000..799e121
Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/geekweek75.jpg differ
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/infinite-loop.jpg b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/infinite-loop.jpg
new file mode 100644
index 0000000..a45fff7
Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/infinite-loop.jpg differ
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/log-entry-publish-blocked.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/log-entry-publish-blocked.png
new file mode 100644
index 0000000..9ccb098
Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/log-entry-publish-blocked.png differ
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/log-entry-publish-success.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/log-entry-publish-success.png
new file mode 100644
index 0000000..2a26119
Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/log-entry-publish-success.png differ
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/logic-module-index.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/logic-module-index.png
new file mode 100644
index 0000000..736313c
Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/logic-module-index.png differ
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/logic-module.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/logic-module.png
new file mode 100644
index 0000000..6a48ce6
Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/logic-module.png differ
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/misp-module-icon.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/misp-module-icon.png
new file mode 100644
index 0000000..6fa189b
Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/misp-module-icon.png differ
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/module-buffet.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/module-buffet.png
new file mode 100644
index 0000000..8a4a676
Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/module-buffet.png differ
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/module-concurrent.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/module-concurrent.png
new file mode 100644
index 0000000..ba994b4
Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/module-concurrent.png differ
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/module-filtering.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/module-filtering.png
new file mode 100644
index 0000000..876d5ad
Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/module-filtering.png differ
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/module-if-generic.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/module-if-generic.png
new file mode 100644
index 0000000..973ab23
Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/module-if-generic.png differ
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/module-type.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/module-type.png
new file mode 100644
index 0000000..d869b9d
Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/module-type.png differ
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/no-slides-if-demo.jpg b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/no-slides-if-demo.jpg
new file mode 100644
index 0000000..aeb155d
Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/no-slides-if-demo.jpg differ
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/no-slides-if-demo2.jpg b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/no-slides-if-demo2.jpg
new file mode 100644
index 0000000..38bf7f1
Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/no-slides-if-demo2.jpg differ
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/no-slides-if-demo3.jpg b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/no-slides-if-demo3.jpg
new file mode 100644
index 0000000..61d2a2b
Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/no-slides-if-demo3.jpg differ
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/non-blocking-workflow.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/non-blocking-workflow.png
new file mode 100644
index 0000000..4ae1495
Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/non-blocking-workflow.png differ
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/overview.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/overview.png
new file mode 100644
index 0000000..0a5a3d3
Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/overview.png differ
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/php-joke.jpg b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/php-joke.jpg
new file mode 100644
index 0000000..0abc16d
Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/php-joke.jpg differ
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/psyduck.jpeg b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/psyduck.jpeg
new file mode 100644
index 0000000..8e54f30
Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/psyduck.jpeg differ
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/python-joke.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/python-joke.png
new file mode 100644
index 0000000..0ce5189
Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/python-joke.png differ
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/python-logo.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/python-logo.png
new file mode 100644
index 0000000..2416f26
Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/python-logo.png differ
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/recursive-workflow.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/recursive-workflow.png
new file mode 100644
index 0000000..c56eb72
Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/recursive-workflow.png differ
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/request-bin.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/request-bin.png
new file mode 100644
index 0000000..ee355fb
Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/request-bin.png differ
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/running-workflows.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/running-workflows.png
new file mode 100644
index 0000000..d591c8f
Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/running-workflows.png differ
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/sc-action-icon.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/sc-action-icon.png
new file mode 100644
index 0000000..2ac49b8
Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/sc-action-icon.png differ
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/sc-action.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/sc-action.png
new file mode 100644
index 0000000..e8d7a66
Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/sc-action.png differ
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/sc-condition-icon.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/sc-condition-icon.png
new file mode 100644
index 0000000..f447a5d
Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/sc-condition-icon.png differ
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/sc-condition.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/sc-condition.png
new file mode 100644
index 0000000..bb24b90
Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/sc-condition.png differ
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/sc-event-icon.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/sc-event-icon.png
new file mode 100644
index 0000000..d1f70ef
Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/sc-event-icon.png differ
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/sc-event.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/sc-event.png
new file mode 100644
index 0000000..b58c120
Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/sc-event.png differ
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/settings-1.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/settings-1.png
new file mode 100644
index 0000000..290851b
Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/settings-1.png differ
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/settings-2.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/settings-2.png
new file mode 100644
index 0000000..712a31a
Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/settings-2.png differ
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/simple-workflow.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/simple-workflow.png
new file mode 100644
index 0000000..f494348
Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/simple-workflow.png differ
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/stateless-execution.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/stateless-execution.png
new file mode 100644
index 0000000..fa513b3
Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/stateless-execution.png differ
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/time-machine.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/time-machine.png
new file mode 100644
index 0000000..494153a
Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/time-machine.png differ
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/triggers.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/triggers.png
new file mode 100644
index 0000000..ba637cc
Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/triggers.png differ
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/two-paths.jpeg b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/two-paths.jpeg
new file mode 100644
index 0000000..93542ca
Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/two-paths.jpeg differ
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/upgrade-people.jpeg b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/upgrade-people.jpeg
new file mode 100644
index 0000000..1e6ddde
Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/upgrade-people.jpeg differ
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/whoami.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/whoami.png
new file mode 100644
index 0000000..eba7518
Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/whoami.png differ
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/whoami2.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/whoami2.png
new file mode 100644
index 0000000..46066cd
Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/whoami2.png differ
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/workflow-debug.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/workflow-debug.png
new file mode 100644
index 0000000..a2a932f
Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/workflow-debug.png differ
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/workflow-experimental.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/workflow-experimental.png
new file mode 100644
index 0000000..96e05ec
Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/workflow-experimental.png differ
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/workflow-release.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/workflow-release.png
new file mode 100644
index 0000000..1eef024
Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/workflow-release.png differ
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/workflow-trigger.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/workflow-trigger.png
new file mode 100644
index 0000000..9ea7fad
Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/workflow-trigger.png differ
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/zeromq.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/zeromq.png
new file mode 100644
index 0000000..970e9fc
Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/zeromq.png differ
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/slide.tex b/events/20221110-FIST-AUTOMATION-SIG-Workflows/slide.tex
new file mode 100644
index 0000000..af22e84
--- /dev/null
+++ b/events/20221110-FIST-AUTOMATION-SIG-Workflows/slide.tex
@@ -0,0 +1,65 @@
+\documentclass{beamer}
+\usetheme[numbering=progressbar]{focus}
+\definecolor{main}{RGB}{47, 161, 219}
+\definecolor{textcolor}{RGB}{128, 128, 128}
+\definecolor{background}{RGB}{240, 247, 255}
+
+% \usepackage{pgfpages}
+% \setbeameroption{show notes on second screen=right}
+\usepackage[draft]{pdfcomment}
+\newcommand{\pdfnote}[1]{\marginnote{\pdfcomment[icon=note]{#1}}}
+
+\usepackage[utf8]{inputenc}
+\usepackage{tikz}
+\usepackage{listings}
+\usepackage{fontawesome5}
+\usepackage[export]{adjustbox}
+\usepackage{fourier}
+\usetikzlibrary{positioning}
+\usetikzlibrary{shapes,arrows}
+
+\lstdefinelanguage{javascript}{
+ basicstyle=\scriptsize,
+ numbers=left,
+ numberstyle=\scriptsize,
+ stepnumber=1,
+ numbersep=5pt,
+ showstringspaces=false,
+ breaklines=true,
+ frame=lines,
+ keywords={typeof, new, true, false, catch, function, return, null, catch, switch, var, if, in, while, do, else, case, break},
+ %keywordstyle=\color{blue}\bfseries,
+ ndkeywords={class, export, boolean, throw, implements, import, this},
+ ndkeywordstyle=\color{darkgray}\bfseries,
+ identifierstyle=\color{black},
+ sensitive=false,
+ comment=[l]{//},
+ morecomment=[s]{/*}{*/},
+ commentstyle=\color{purple}\ttfamily,
+ %stringstyle=\color{red}\ttfamily,
+ morestring=[b]',
+ morestring=[b]"
+}
+\lstdefinelanguage{text}{
+ basicstyle=\scriptsize,
+ numbers=left,
+ numberstyle=\scriptsize,
+ stepnumber=1,
+ numbersep=5pt,
+ showstringspaces=false,
+ breaklines=true,
+ frame=lines
+}
+
+\title{Automation with MISP Workflows}
+\subtitle{A new way to integrate MISP in your CTI pipelines}
+\author{Sami Mokaddem}
+\date{FIRST Automation SIG}
+\titlegraphic{\vspace*{1em}\includegraphics[scale=0.5]{misp.pdf}\\}
+\institute{MISP Project \\ \url{https://www.misp-project.org/}}
+
+
+\begin{document}
+\include{content}
+\end{document}
+
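Review bot: `\include{content}` at the end of this preamble is what produces a separate `content.aux` for the included file, and the commit indeed checks in a generated `events/20221206-update/content.aux` further down, alongside the empty `slide.upa`/`slide_handout.upa` that look like pdfcomment's auxiliary files; `\input{content}` needs no extra .aux, and a `.gitignore` entry for `*.aux`/`*.upa` would keep the remaining build artefacts out of the repository. In the `javascript` listing definition `sensitive=false` makes keyword matching case-insensitive for a case-sensitive language and `catch` is listed twice in `keywords`; `sensitive=true` with the duplicate removed is the intended setting. `\titlegraphic{\vspace*{1em}\includegraphics[scale=0.5]{misp.pdf}\\}` mixes manual spacing, an absolute scale and a trailing `\\`; `\includegraphics[width=0.3\linewidth]{misp}` (extension omitted) is the conventional form. The same 65-line preamble is repeated verbatim in slide_handout.tex (next hunk); pulling it in from a shared `preamble.tex` via `\input` would keep the two from drifting.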
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/slide.upa b/events/20221110-FIST-AUTOMATION-SIG-Workflows/slide.upa
new file mode 100644
index 0000000..e69de29
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/slide_handout.tex b/events/20221110-FIST-AUTOMATION-SIG-Workflows/slide_handout.tex
new file mode 100644
index 0000000..cd06a0e
--- /dev/null
+++ b/events/20221110-FIST-AUTOMATION-SIG-Workflows/slide_handout.tex
@@ -0,0 +1,67 @@
+\documentclass{beamer}
+\usetheme[numbering=progressbar]{focus}
+\definecolor{main}{RGB}{47, 161, 219}
+\definecolor{textcolor}{RGB}{128, 128, 128}
+\definecolor{background}{RGB}{240, 247, 255}
+
+% \usepackage{pgfpages}
+% \setbeameroption{show notes on second screen=right}
+\usepackage[draft]{pdfcomment}
+\newcommand{\pdfnote}[1]{\marginnote{\pdfcomment[icon=note]{#1}}}
+
+\usepackage{pgfpages}
+\setbeameroption{show notes on second screen=right}
+\usepackage[utf8]{inputenc}
+\usepackage{tikz}
+\usepackage{listings}
+\usepackage{fontawesome5}
+\usepackage[export]{adjustbox}
+\usepackage{fourier}
+\usetikzlibrary{positioning}
+\usetikzlibrary{shapes,arrows}
+
+\lstdefinelanguage{javascript}{
+ basicstyle=\scriptsize,
+ numbers=left,
+ numberstyle=\scriptsize,
+ stepnumber=1,
+ numbersep=5pt,
+ showstringspaces=false,
+ breaklines=true,
+ frame=lines,
+ keywords={typeof, new, true, false, catch, function, return, null, catch, switch, var, if, in, while, do, else, case, break},
+ %keywordstyle=\color{blue}\bfseries,
+ ndkeywords={class, export, boolean, throw, implements, import, this},
+ ndkeywordstyle=\color{darkgray}\bfseries,
+ identifierstyle=\color{black},
+ sensitive=false,
+ comment=[l]{//},
+ morecomment=[s]{/*}{*/},
+ commentstyle=\color{purple}\ttfamily,
+ %stringstyle=\color{red}\ttfamily,
+ morestring=[b]',
+ morestring=[b]"
+}
+\lstdefinelanguage{text}{
+ basicstyle=\scriptsize,
+ numbers=left,
+ numberstyle=\scriptsize,
+ stepnumber=1,
+ numbersep=5pt,
+ showstringspaces=false,
+ breaklines=true,
+ frame=lines
+}
+
+\title{Automation with MISP Workflows}
+\subtitle{A new way to integrate MISP in your CTI pipelines}
+\author{Sami Mokaddem}
+\date{FIRST Automation SIG}
+\titlegraphic{\vspace*{1em}\includegraphics[scale=0.5]{misp.pdf}\\}
+\institute{MISP Project \\ \url{https://www.misp-project.org/}}
+
+
+\begin{document}
+\include{content}
+\end{document}
+
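Review bot: Lines 7–8 keep `% \usepackage{pgfpages}` / `% \setbeameroption{show notes on second screen=right}` commented out while lines 12–13 enable exactly the same two statements; the commented pair is dead text carried over from slide.tex and should be deleted so that the one real difference between the two preambles is visible at a glance. `\usepackage[draft]{pdfcomment}` is also kept here, and pdfcomment's `draft` option suppresses the annotations, so any `\pdfnote` calls in content.tex will not show up in the handout either — presumably unintended for a notes build, but worth confirming. The points raised on slide.tex about `\include{content}`, the committed `.aux`/`.upa` artefacts and the `sensitive=false` / duplicate `catch` in the `javascript` listing definition apply unchanged to this copy.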
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/slide_handout.upa b/events/20221110-FIST-AUTOMATION-SIG-Workflows/slide_handout.upa
new file mode 100644
index 0000000..e69de29
diff --git a/events/20221206-update/Sightings2.PNG b/events/20221206-update/Sightings2.PNG
new file mode 100644
index 0000000..cd35990
Binary files /dev/null and b/events/20221206-update/Sightings2.PNG differ
diff --git a/events/20221206-update/attack-screenshot.png b/events/20221206-update/attack-screenshot.png
new file mode 100644
index 0000000..44cf2ff
Binary files /dev/null and b/events/20221206-update/attack-screenshot.png differ
diff --git a/events/20221206-update/b.4-turning-data-into-actionable-intelligence-short.pdf b/events/20221206-update/b.4-turning-data-into-actionable-intelligence-short.pdf
new file mode 100644
index 0000000..2bdf2e6
Binary files /dev/null and b/events/20221206-update/b.4-turning-data-into-actionable-intelligence-short.pdf differ
diff --git a/events/20221206-update/bankaccount.png b/events/20221206-update/bankaccount.png
new file mode 100644
index 0000000..94eb5cc
Binary files /dev/null and b/events/20221206-update/bankaccount.png differ
diff --git a/events/20221206-update/bankview.png b/events/20221206-update/bankview.png
new file mode 100644
index 0000000..ce629c1
Binary files /dev/null and b/events/20221206-update/bankview.png differ
diff --git a/events/20221206-update/circl.png b/events/20221206-update/circl.png
new file mode 100644
index 0000000..c570ff2
Binary files /dev/null and b/events/20221206-update/circl.png differ
diff --git a/events/20221206-update/content.aux b/events/20221206-update/content.aux
new file mode 100644
index 0000000..0d9cb27
--- /dev/null
+++ b/events/20221206-update/content.aux
@@ -0,0 +1,98 @@ +\relax +\providecommand\hyper@newdestlabel[2]{} +\@writefile{nav}{\headcommand {\slideentry {0}{0}{1}{1/1}{}{0}}} +\@writefile{nav}{\headcommand {\beamer@framepages {1}{1}}} +\@writefile{nav}{\headcommand {\slideentry {0}{0}{2}{2/2}{}{0}}} +\@writefile{nav}{\headcommand {\beamer@framepages {2}{2}}} +\@writefile{nav}{\headcommand {\slideentry {0}{0}{3}{3/3}{}{0}}} +\@writefile{nav}{\headcommand {\beamer@framepages {3}{3}}} +\@writefile{nav}{\headcommand {\slideentry {0}{0}{4}{4/4}{}{0}}} +\@writefile{nav}{\headcommand {\beamer@framepages {4}{4}}} +\@writefile{nav}{\headcommand {\slideentry {0}{0}{5}{5/5}{}{0}}} +\@writefile{nav}{\headcommand {\beamer@framepages {5}{5}}} +\@writefile{nav}{\headcommand {\slideentry {0}{0}{6}{6/6}{}{0}}} +\@writefile{nav}{\headcommand {\beamer@framepages {6}{6}}} +\@writefile{nav}{\headcommand {\slideentry {0}{0}{7}{7/7}{}{0}}} +\@writefile{nav}{\headcommand {\beamer@framepages {7}{7}}} +\@writefile{nav}{\headcommand {\slideentry {0}{0}{8}{8/8}{}{0}}} +\@writefile{nav}{\headcommand {\beamer@framepages {8}{8}}} +\@writefile{nav}{\headcommand {\slideentry {0}{0}{9}{9/9}{}{0}}} +\@writefile{nav}{\headcommand {\beamer@framepages {9}{9}}} +\@writefile{nav}{\headcommand {\slideentry {0}{0}{10}{10/10}{}{0}}} +\@writefile{nav}{\headcommand {\beamer@framepages {10}{10}}} +\@writefile{nav}{\headcommand {\slideentry {0}{0}{11}{11/11}{}{0}}} +\@writefile{nav}{\headcommand {\beamer@framepages {11}{11}}} +\@writefile{nav}{\headcommand {\slideentry {0}{0}{12}{12/12}{}{0}}} +\@writefile{nav}{\headcommand {\beamer@framepages {12}{12}}} +\@writefile{nav}{\headcommand {\slideentry {0}{0}{13}{13/13}{}{0}}} +\@writefile{nav}{\headcommand {\beamer@framepages {13}{13}}} +\@writefile{nav}{\headcommand {\slideentry {0}{0}{14}{14/14}{}{0}}} +\@writefile{nav}{\headcommand {\beamer@framepages {14}{14}}} +\@writefile{nav}{\headcommand {\slideentry {0}{0}{15}{15/15}{}{0}}} +\@writefile{nav}{\headcommand {\beamer@framepages {15}{15}}} 
+\@writefile{nav}{\headcommand {\slideentry {0}{0}{16}{16/16}{}{0}}} +\@writefile{nav}{\headcommand {\beamer@framepages {16}{16}}} +\@writefile{nav}{\headcommand {\slideentry {0}{0}{17}{17/17}{}{0}}} +\@writefile{nav}{\headcommand {\beamer@framepages {17}{17}}} +\@writefile{nav}{\headcommand {\slideentry {0}{0}{18}{18/18}{}{0}}} +\@writefile{nav}{\headcommand {\beamer@framepages {18}{18}}} +\@writefile{nav}{\headcommand {\slideentry {0}{0}{19}{19/19}{}{0}}} +\@writefile{nav}{\headcommand {\beamer@framepages {19}{19}}} +\@writefile{nav}{\headcommand {\slideentry {0}{0}{20}{20/20}{}{0}}} +\@writefile{nav}{\headcommand {\beamer@framepages {20}{20}}} +\@writefile{nav}{\headcommand {\slideentry {0}{0}{21}{21/21}{}{0}}} +\@writefile{nav}{\headcommand {\beamer@framepages {21}{21}}} +\@writefile{nav}{\headcommand {\slideentry {0}{0}{22}{22/22}{}{0}}} +\@writefile{nav}{\headcommand {\beamer@framepages {22}{22}}} +\@writefile{nav}{\headcommand {\slideentry {0}{0}{23}{23/23}{}{0}}} +\@writefile{nav}{\headcommand {\beamer@framepages {23}{23}}} +\@writefile{nav}{\headcommand {\slideentry {0}{0}{24}{24/24}{}{0}}} +\@writefile{nav}{\headcommand {\beamer@framepages {24}{24}}} +\@writefile{nav}{\headcommand {\slideentry {0}{0}{25}{25/25}{}{0}}} +\@writefile{nav}{\headcommand {\beamer@framepages {25}{25}}} +\@writefile{nav}{\headcommand {\slideentry {0}{0}{26}{26/26}{}{0}}} +\@writefile{nav}{\headcommand {\beamer@framepages {26}{26}}} +\@writefile{nav}{\headcommand {\slideentry {0}{0}{27}{27/27}{}{0}}} +\@writefile{nav}{\headcommand {\beamer@framepages {27}{27}}} +\@writefile{nav}{\headcommand {\slideentry {0}{0}{28}{28/28}{}{0}}} +\@writefile{nav}{\headcommand {\beamer@framepages {28}{28}}} +\@writefile{nav}{\headcommand {\slideentry {0}{0}{29}{29/29}{}{0}}} +\@writefile{nav}{\headcommand {\beamer@framepages {29}{29}}} +\@writefile{nav}{\headcommand {\slideentry {0}{0}{30}{30/30}{}{0}}} +\@writefile{nav}{\headcommand {\beamer@framepages {30}{30}}} +\@writefile{nav}{\headcommand 
{\slideentry {0}{0}{31}{31/31}{}{0}}} +\@writefile{nav}{\headcommand {\beamer@framepages {31}{31}}} +\@writefile{nav}{\headcommand {\slideentry {0}{0}{32}{32/32}{}{0}}} +\@writefile{nav}{\headcommand {\beamer@framepages {32}{32}}} +\@writefile{nav}{\headcommand {\slideentry {0}{0}{33}{33/33}{}{0}}} +\@writefile{nav}{\headcommand {\beamer@framepages {33}{33}}} +\@writefile{nav}{\headcommand {\slideentry {0}{0}{34}{34/34}{}{0}}} +\@writefile{nav}{\headcommand {\beamer@framepages {34}{34}}} +\@writefile{nav}{\headcommand {\slideentry {0}{0}{35}{35/35}{}{0}}} +\@writefile{nav}{\headcommand {\beamer@framepages {35}{35}}} +\@setckpt{content}{ +\setcounter{page}{36} +\setcounter{equation}{0} +\setcounter{enumi}{0} +\setcounter{enumii}{0} +\setcounter{enumiii}{0} +\setcounter{enumiv}{0} +\setcounter{footnote}{3} +\setcounter{mpfootnote}{0} +\setcounter{beamerpauses}{1} +\setcounter{bookmark@seq@number}{0} +\setcounter{lecture}{0} +\setcounter{part}{0} +\setcounter{section}{0} +\setcounter{subsection}{0} +\setcounter{subsubsection}{0} +\setcounter{subsectionslide}{35} +\setcounter{framenumber}{34} +\setcounter{figure}{0} +\setcounter{table}{0} +\setcounter{parentequation}{0} +\setcounter{theorem}{0} +\setcounter{lstnumber}{1} +\setcounter{section@level}{0} +\setcounter{lstlisting}{0} +} diff --git a/events/20221206-update/content.tex b/events/20221206-update/content.tex new file mode 100644 index 0000000..f178870 --- /dev/null +++ b/events/20221206-update/content.tex 
@@ -0,0 +1,319 @@ +% DO NOT COMPILE THIS FILE DIRECTLY! +% This is included by the other .tex files. + +\begin{frame} +\titlepage +\end{frame} + +\begin{frame} +\frametitle{What is MISP?} +\begin{itemize} + \item MISP is a {\bf threat information sharing} platform that is free \& open source software + \item A tool that {\bf collects} information from partners, your analysts, your tools, feeds + \item Normalises, {\bf correlates}, {\bf enriches} the data + \item Allows teams and communities to {\bf collaborate} + \item {\bf Feeds} automated protective tools and analyst tools with the output + \item MISP is a complete threat intelligence platform with strong sharing capabilities and extendability +\end{itemize} +\end{frame} + + +\begin{frame} + \frametitle{The aim of this presentation} + \begin{itemize} + \item A small update on the state of MISP's ongoing development + \item Some highlights of the changes that were introduced + \item Upcoming changes + \item Cerebrate (a MISP companion) update + \item Workflows + \end{itemize} +\end{frame} + +\begin{frame} + \frametitle{MISP's evolution since past 6 months} + \begin{itemize} + \item 9 releases + \item 1775 commits + \item 74 contributors contributing to the core software and its components + \end{itemize} +\end{frame} + +\begin{frame} + \frametitle{Main focus was securing our data and tooling} + \begin{itemize} + \item Current {\bf geo-political situation} lead to new challenges + \item It has been an interesting time period with quite some activity + \item Our goal was to {\bf shore up the security} aspects of MISP and Cerebrate + \item Build new functionalities and tools to allow users to {\bf protect their data} + \end{itemize} +\end{frame} + +\begin{frame} + \frametitle{Sharing group blueprints} + \begin{itemize} + \item Solving the issue of {\bf sharing group lifecycle management} + \item Build SG blueprints for reusable, maintainable sharing groups + \item Abstract sharing groups, organisation metadata as 
building blocks + \item Solve newly arising sharing challenges + \end{itemize} +\end{frame} + +\begin{frame} +\frametitle{Sharing group blueprints} +\includegraphics[scale=0.6]{images/blueprints2.png} +\end{frame} + +\begin{frame} + \frametitle{Cryptographic signing and tamper protection} + \begin{itemize} + \item Need to be able to share and ensure the {\bf veracity of critical events} + \item Tampering by {\bf malicious intermediaries}, even in closed networks became a new fear + \item We came up with a solution that allows us to {\bf lock down critical events} + \item Limits the distribution, but {\bf increases the resilience} of MISP immensely + \end{itemize} +\end{frame} + +\begin{frame} +\frametitle{Cryptographic signing and tamper protection} +\includegraphics[scale=0.5]{images/signing1.png} +\end{frame} + +\begin{frame} +\frametitle{Cryptographic signing and tamper protection} +\includegraphics[scale=0.5]{images/signing2.png} +\end{frame} + +\begin{frame} +\frametitle{Cryptographic signing and tamper protection} +\includegraphics[scale=0.6]{images/signing3.png} +\includegraphics[scale=0.6]{images/signing4.png} +\end{frame} + +\begin{frame} + \frametitle{Other major improvements} + \begin{itemize} + \item Various other new functionalities that improve our day to day use of the tool + \end{itemize} +\end{frame} + +\begin{frame} + \frametitle{Long list of security fixes} + \begin{itemize} + \item Partially from user reports + \item Partially by an exhaustive pentest series + \item Massive thank you to {\bf Zigrin Security} for conducting the tests... + \item ...and to the {\bf Luxembourgish Army} for financing it + \item Multiple {\bf CVEs} resolved, including a {\bf critical one that required a silent release} + \item Make sure you stay up to date! 
+ \end{itemize} +\end{frame} + +\begin{frame} +\frametitle{Long list of security fixes} +\includegraphics[scale=0.4]{images/security.png} +\end{frame} + + +\begin{frame} + \frametitle{Event warning system} + \begin{itemize} + \item Build a rule based tool that analyses an event and {\bf recommends improvements} + \item Typical issues easily caught (missing TLP, lack of context, etc) + \item Simple to extend, flexible + \end{itemize} +\end{frame} + +\begin{frame} +\frametitle{Event warning system} +\includegraphics[scale=0.3]{images/warnings.png} +\end{frame} + + +\begin{frame} + \frametitle{Massive rework of the STIX integrations} + \begin{itemize} + \item Our resident STIX guru (Christian Studer) has become {\bf co-chair of the STIX commitee} at OASIS + \item Massive rework of how we handle {\bf STIX ingestion / generation} + \item Continuous work with {\bf MITRE/CISA} to improve the integration + \item STIX subsystem spun off as a standalone system {\bf misp-stix}\footnote{\url{https://github.com/MISP/misp-stix}} + \item Can be used a standalone to convert in both directions MISP standard format to all the STIX variantes + \end{itemize} +\end{frame} + +\begin{frame} + \frametitle{Further synchronisation filtering methods} + \begin{itemize} + \item The ability to {\bf exclude} certain attribute {\bf types from the synchronisation} + \item Comes with some risks, but solves some issues + \item An example: {\bf Exclusion of malware samples when sharing towards classified networks} + \end{itemize} +\end{frame} + +\begin{frame} + \frametitle{Advanced timelining} + \begin{itemize} + \item Rework of the timelining in MISP + \item Inclusion of images, sightings + \item Various other improvements + \end{itemize} +\end{frame} + +\begin{frame} +\frametitle{Timelining} +\includegraphics[scale=0.2]{images/timelining.png} +\end{frame} + +\begin{frame} + \frametitle{New background processor} + \begin{itemize} + \item Since late November last year we have had a {\bf new 
background processing engine} + \item Fully optional for now + \item Lean, closer to an OS native implementation via {\bf Supervisor} + \item Gets rid of a lot of the baggage of our previous system (scheduling) + \item Implemetation by @righel (Luciano Righetti) + \end{itemize} +\end{frame} + + +\begin{frame} + \frametitle{Long list of other fixes} + \begin{itemize} + \item Usability fixes + \item Performance improvements + \item Bug fixes + \item Too many improvements to the galaxies, taxonomies, object templates to list! + \item Huge thank you to {\bf Jakub Onderka} for the {\bf constant stream of improvements} + \end{itemize} +\end{frame} + +\begin{frame} + \frametitle{Workflows in MISP} + \begin{itemize} + \item Outcome of our initial work from GeekWeek 7.5\footnote{\href{https://cyber.gc.ca/en/events/geekweek-75}{Workshop organized by the Canadian Cyber Center}} + \item Goal: Modifying the execution of certain {\bf core functionalities} + \item Basically a {\bf hooking mechanism} + \item Modular approach using {\bf MISP-modules} or {\bf PHP modules} + \item Build and execute admin defined tasks on various actions + \item Modify data in place, block, fire-and-forget + \item All exposed via a {\bf completely new GUI} + \end{itemize} +\end{frame} + +\begin{frame} + \frametitle{Workflows in MISP} + \begin{itemize} + \item {\bf Branching} codebase + \item Context sensitive, per-module filters + \item Implemented by our UI expert Sami "GraphMan" Mokaddem + \end{itemize} +\end{frame} + + +\begin{frame} +\frametitle{Workflows in MISP} +\includegraphics[scale=0.2]{images/workflows1.png} +\end{frame} + +\begin{frame} +\frametitle{Workflows in MISP} +\includegraphics[scale=0.2]{images/workflows2.png} +\end{frame} + + +\begin{frame} + \frametitle{External data guard} + \begin{itemize} + \item Work in {\bf collaboration with BICES} + \item Proxy server\footnote{\url{https://github.com/MISP/misp-guard}} that {\bf inspects and blocks potential data leaks} during 
synchronisation + \item Standalone + \item Simplistic design and {\bf easy to audit} + \item Modular {\bf rule based} system + \end{itemize} +\end{frame} + +\begin{frame} + \frametitle{Various reworks to support STIX mappings} + \begin{itemize} + \item {\bf Relationships for tags/galaxies} + \item {\bf Templating} for galaxy cluster creation + \item Dot notation {\bf deep cluster elements} + \item Built in {\bf TAXII 2.1 export support} with the help of MITRE/CISA + \end{itemize} +\end{frame} + +\begin{frame} +\frametitle{Quick Cerebrate update} +\begin{center} +\includegraphics[scale=0.4]{images/cerebrate.png} +\end{center} +\end{frame} + +\begin{frame} + \frametitle{Quick Cerebrate update} + \begin{itemize} + \item 5 new releases + \item Deployment for the {\bf CSIRT network} ongoing + \item A host of new functionalities to solve day to day issues we have in the CSIRT community + \end{itemize} +\end{frame} + +\begin{frame} + \frametitle{User management} + \begin{itemize} + \item Reworked completely + \item Tight integration with {\bf KeyCloak} + \item Full user provisioning / maintaining via Cerebrate + \end{itemize} +\end{frame} + +\begin{frame} + \frametitle{Reworked meta information system} + \begin{itemize} + \item Introduction of {\bf context specific custom fields} + \item Custom {\bf search algorithms} (for example CIDR block lookups for constituency information) + \item Customisable and {\bf blueprint-able data model} + \end{itemize} +\end{frame} + +\begin{frame} + \frametitle{API along with its documentation fleshed out} + \begin{itemize} + \item {\bf OpenAPI integration} similarly to MISP + \item Integration tests and introduction of a {\bf CI pipeline} + \item Documentation and API examples available in Cerebrate directly + \end{itemize} +\end{frame} + +\begin{frame} + \frametitle{Security fixes} + \begin{itemize} + \item Cerebrate, similarly to MISP received an in-depth pentest by {\bf Zigrin Security} + \item Likewise funded by the {\bf Luxembourgish 
Army}
+ \item Besides fixes to vulnerabilities, a host of usability findings and fixes
+ \item {\bf 5 CVEs} published
+ \item \url{https://www.cerebrate-project.org/security.html}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Get in touch if you have any questions}
+ \begin{itemize}
+ \item Contact CIRCL
+ \begin{itemize}
+ \item info@circl.lu
+ \item \url{https://twitter.com/circl_lu}
+ \item \url{https://www.circl.lu/}
+ \end{itemize}
+ \item Contact MISPProject
+ \begin{itemize}
+ \item \url{https://github.com/MISP}
+ \item \url{https://gitter.im/MISP/MISP}
+ \item \url{https://twitter.com/MISPProject}
+ \end{itemize}
+ \item Cerebrate project
+ \begin{itemize}
+ \item \url{https://github.com/cerebrate-project}
+ \item \url{https://github.com/cerebrate-project/cerebrate}
+ \end{itemize}
+ \end{itemize}
+\end{frame}
diff --git a/events/20221206-update/covid.png b/events/20221206-update/covid.png new file mode 100644
index 0000000..e6e869f Binary files /dev/null and b/events/20221206-update/covid.png differ
diff --git a/events/20221206-update/creativity.png b/events/20221206-update/creativity.png new file mode 100644
index 0000000..d9878e2 Binary files /dev/null and b/events/20221206-update/creativity.png differ
diff --git a/events/20221206-update/dashboard-trendings.png b/events/20221206-update/dashboard-trendings.png new file mode 100644
index 0000000..e8937e4 Binary files /dev/null and b/events/20221206-update/dashboard-trendings.png differ
diff --git a/events/20221206-update/decaying-basescore.png b/events/20221206-update/decaying-basescore.png new file mode 100644
index 0000000..d21e261 Binary files /dev/null and b/events/20221206-update/decaying-basescore.png differ
diff --git a/events/20221206-update/decaying-event.png b/events/20221206-update/decaying-event.png new file mode 100644
index 0000000..553b9e7 Binary files /dev/null and b/events/20221206-update/decaying-event.png differ
diff --git a/events/20221206-update/decaying-index.png b/events/20221206-update/decaying-index.png new file mode 100644 index 0000000..c8c9754 Binary files /dev/null and b/events/20221206-update/decaying-index.png differ diff --git a/events/20221206-update/decaying-simulation.png b/events/20221206-update/decaying-simulation.png new file mode 100644 index 0000000..8252a09 Binary files /dev/null and b/events/20221206-update/decaying-simulation.png differ diff --git a/events/20221206-update/decaying-tool.png b/events/20221206-update/decaying-tool.png new file mode 100644 index 0000000..ff8c298 Binary files /dev/null and b/events/20221206-update/decaying-tool.png differ diff --git a/events/20221206-update/en_cef.png b/events/20221206-update/en_cef.png new file mode 100644 index 0000000..5fed070 Binary files /dev/null and b/events/20221206-update/en_cef.png differ diff --git a/events/20221206-update/galaxy-ransomware.png b/events/20221206-update/galaxy-ransomware.png new file mode 100644 index 0000000..5cf42cc Binary files /dev/null and b/events/20221206-update/galaxy-ransomware.png differ diff --git a/events/20221206-update/images/SoD.png b/events/20221206-update/images/SoD.png new file mode 100644 index 0000000..b95a9ec Binary files /dev/null and b/events/20221206-update/images/SoD.png differ diff --git a/events/20221206-update/images/authkey.png b/events/20221206-update/images/authkey.png new file mode 100644 index 0000000..46174b9 Binary files /dev/null and b/events/20221206-update/images/authkey.png differ diff --git a/events/20221206-update/images/blueprints1.png b/events/20221206-update/images/blueprints1.png new file mode 100644 index 0000000..edaedcb Binary files /dev/null and b/events/20221206-update/images/blueprints1.png differ diff --git a/events/20221206-update/images/blueprints2.png b/events/20221206-update/images/blueprints2.png new file mode 100644 index 0000000..b2d73cb Binary files /dev/null and b/events/20221206-update/images/blueprints2.png differ 
diff --git a/events/20221206-update/images/cerebrate.png b/events/20221206-update/images/cerebrate.png new file mode 100644 index 0000000..82bcaab Binary files /dev/null and b/events/20221206-update/images/cerebrate.png differ diff --git a/events/20221206-update/images/dashboard.png b/events/20221206-update/images/dashboard.png new file mode 100644 index 0000000..d163f4d Binary files /dev/null and b/events/20221206-update/images/dashboard.png differ diff --git a/events/20221206-update/images/eventreport.png b/events/20221206-update/images/eventreport.png new file mode 100644 index 0000000..6f74bbe Binary files /dev/null and b/events/20221206-update/images/eventreport.png differ diff --git a/events/20221206-update/images/galaxy20.png b/events/20221206-update/images/galaxy20.png new file mode 100644 index 0000000..97911ac Binary files /dev/null and b/events/20221206-update/images/galaxy20.png differ diff --git a/events/20221206-update/images/mispcerebrate.png b/events/20221206-update/images/mispcerebrate.png new file mode 100644 index 0000000..d58796f Binary files /dev/null and b/events/20221206-update/images/mispcerebrate.png differ diff --git a/events/20221206-update/images/openapi.png b/events/20221206-update/images/openapi.png new file mode 100644 index 0000000..44726ea Binary files /dev/null and b/events/20221206-update/images/openapi.png differ diff --git a/events/20221206-update/images/security.png b/events/20221206-update/images/security.png new file mode 100644 index 0000000..8b51dd8 Binary files /dev/null and b/events/20221206-update/images/security.png differ diff --git a/events/20221206-update/images/signing1.png b/events/20221206-update/images/signing1.png new file mode 100644 index 0000000..d378f7b Binary files /dev/null and b/events/20221206-update/images/signing1.png differ 
diff --git a/events/20221206-update/images/signing2.png b/events/20221206-update/images/signing2.png new file mode 100644 index 0000000..450e7d6 Binary files /dev/null and b/events/20221206-update/images/signing2.png differ diff --git a/events/20221206-update/images/signing3.png b/events/20221206-update/images/signing3.png new file mode 100644 index 0000000..68e7ced Binary files /dev/null and b/events/20221206-update/images/signing3.png differ diff --git a/events/20221206-update/images/signing4.png b/events/20221206-update/images/signing4.png new file mode 100644 index 0000000..3a42468 Binary files /dev/null and b/events/20221206-update/images/signing4.png differ diff --git a/events/20221206-update/images/stix.png b/events/20221206-update/images/stix.png new file mode 100644 index 0000000..c0b59bb Binary files /dev/null and b/events/20221206-update/images/stix.png differ diff --git a/events/20221206-update/images/timelining.png b/events/20221206-update/images/timelining.png new file mode 100644 index 0000000..7753ba5 Binary files /dev/null and b/events/20221206-update/images/timelining.png differ diff --git a/events/20221206-update/images/warnings.png b/events/20221206-update/images/warnings.png new file mode 100644 index 0000000..86e16a3 Binary files /dev/null and b/events/20221206-update/images/warnings.png differ diff --git a/events/20221206-update/images/workflows1.png b/events/20221206-update/images/workflows1.png new file mode 100644 index 0000000..2790cfb Binary files /dev/null and b/events/20221206-update/images/workflows1.png differ diff --git a/events/20221206-update/images/workflows2.png b/events/20221206-update/images/workflows2.png new file mode 100644 index 0000000..5b5ad1a Binary files /dev/null and b/events/20221206-update/images/workflows2.png differ 
diff --git a/events/20221206-update/logo-circl.pdf b/events/20221206-update/logo-circl.pdf new file mode 100755
index 0000000..62c9239 Binary files /dev/null and b/events/20221206-update/logo-circl.pdf differ
diff --git a/events/20221206-update/makefile b/events/20221206-update/makefile new file mode 100644
index 0000000..6e5a51d
--- /dev/null
+++ b/events/20221206-update/makefile
@@ -0,0 +1,5 @@
+all:
+ pdflatex -interaction nonstopmode -halt-on-error -file-line-error slide.tex
+
+clean:
+ rm *.aux *.nav *.log *.snm *.toc *.vrb
diff --git a/events/20221206-update/misp.pdf b/events/20221206-update/misp.pdf new file mode 100644
index 0000000..f7a3f9d Binary files /dev/null and b/events/20221206-update/misp.pdf differ
diff --git a/events/20221206-update/misplogo.pdf b/events/20221206-update/misplogo.pdf new file mode 100755
index 0000000..60da568 Binary files /dev/null and b/events/20221206-update/misplogo.pdf differ
diff --git a/events/20221206-update/object.png b/events/20221206-update/object.png new file mode 100644
index 0000000..acebf04 Binary files /dev/null and b/events/20221206-update/object.png differ
diff --git a/events/20221206-update/sighting-n.png b/events/20221206-update/sighting-n.png new file mode 100644
index 0000000..f9ec127 Binary files /dev/null and b/events/20221206-update/sighting-n.png differ
diff --git a/a.13-misp-stix/slide.aux b/events/20221206-update/slide.aux similarity index 64% rename from a.13-misp-stix/slide.aux rename to events/20221206-update/slide.aux
index 713a2cd..13f8989 100644
--- a/a.13-misp-stix/slide.aux
+++ b/events/20221206-update/slide.aux
@@ -1,5 +1,6 @@ \relax \providecommand\hyper@newdestlabel[2]{} +\providecommand\BKM@entry[2]{} \providecommand\HyperFirstAtBeginDocument{\AtBeginDocument} \HyperFirstAtBeginDocument{\ifx\hyper@anchor\@undefined \global\let\oldcontentsline\contentsline
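Review bot: The `clean` recipe in the makefile hunk runs `rm` without `-f`, so on a fresh checkout where no `*.aux`, `*.log` or `*.nav` files exist yet `make clean` exits non-zero; change it to `rm -f *.aux *.nav *.log *.snm *.toc *.vrb` and add `.PHONY: all clean` at the top so a stray file named `all` or `clean` cannot shadow the targets. The same commit adds the generated `slide.aux` and `slide.log` next to this makefile, which is exactly the output `clean` is meant to discard; the log embeds local TeX Live install paths, the pdflatex version and the build timestamp, so these artifacts should be listed in a `.gitignore` rather than committed. The recipe lines appear space-indented in the collapsed diff; if that is not a tab in the actual file, make will reject both recipes.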
@@ -16,12 +17,11 @@ \gdef\HyperFirstAtBeginDocument#1{#1} \providecommand\HyField@AuxAddToFields[1]{} \providecommand\HyField@AuxAddToCoFields[2]{} -\providecommand\BKM@entry[2]{} \@input{content.aux} -\pgfsyspdfmark {pgfid1}{1398509}{16636717} -\@writefile{nav}{\headcommand {\beamer@partpages {1}{8}}} -\@writefile{nav}{\headcommand {\beamer@subsectionpages {1}{8}}} -\@writefile{nav}{\headcommand {\beamer@sectionpages {1}{8}}} -\@writefile{nav}{\headcommand {\beamer@documentpages {8}}} -\@writefile{nav}{\headcommand {\gdef \inserttotalframenumber {7}}} -\gdef \@abspage@last{8} +\providecommand \oddpage@label [2]{} +\pgfsyspdfmark {pgfid1}{1398509}{16990454} +\@writefile{nav}{\headcommand {\beamer@partpages {1}{35}}} +\@writefile{nav}{\headcommand {\beamer@subsectionpages {1}{35}}} +\@writefile{nav}{\headcommand {\beamer@sectionpages {1}{35}}} +\@writefile{nav}{\headcommand {\beamer@documentpages {35}}} +\@writefile{nav}{\headcommand {\gdef \inserttotalframenumber {34}}} diff --git a/events/20221206-update/slide.log b/events/20221206-update/slide.log new file mode 100644 index 0000000..3eb7f55 --- /dev/null +++ b/events/20221206-update/slide.log 
@@ -0,0 +1,1545 @@ +This is pdfTeX, Version 3.14159265-2.6-1.40.20 (TeX Live 2019/Debian) (preloaded format=pdflatex 2021.10.14) 6 DEC 2022 09:22 +entering extended mode + restricted \write18 enabled. + %&-line parsing enabled. +**slide.tex +(./slide.tex +LaTeX2e <2020-02-02> patch level 2 +L3 programming layer <2020-02-14> +(/usr/share/texlive/texmf-dist/tex/latex/beamer/beamer.cls +Document Class: beamer 2019/09/29 v3.57 A class for typesetting presentations +(/usr/share/texlive/texmf-dist/tex/latex/beamer/beamerbasemodes.sty +(/usr/share/texlive/texmf-dist/tex/latex/etoolbox/etoolbox.sty +Package: etoolbox 2019/09/21 v2.5h e-TeX tools for LaTeX (JAW) +\etb@tempcnta=\count167 +) +\beamer@tempbox=\box45 +\beamer@tempcount=\count168 +\c@beamerpauses=\count169 + +(/usr/share/texlive/texmf-dist/tex/latex/beamer/beamerbasedecode.sty +\beamer@slideinframe=\count170 +\beamer@minimum=\count171 +\beamer@decode@box=\box46 +) +\beamer@commentbox=\box47 +\beamer@modecount=\count172 +) +(/usr/share/texlive/texmf-dist/tex/generic/iftex/ifpdf.sty +Package: ifpdf 2019/10/25 v3.4 ifpdf legacy package. Use iftex instead. 
+ +(/usr/share/texlive/texmf-dist/tex/generic/iftex/iftex.sty +Package: iftex 2019/11/07 v1.0c TeX engine tests +)) +\headdp=\dimen134 +\footheight=\dimen135 +\sidebarheight=\dimen136 +\beamer@tempdim=\dimen137 +\beamer@finalheight=\dimen138 +\beamer@animht=\dimen139 +\beamer@animdp=\dimen140 +\beamer@animwd=\dimen141 +\beamer@leftmargin=\dimen142 +\beamer@rightmargin=\dimen143 +\beamer@leftsidebar=\dimen144 +\beamer@rightsidebar=\dimen145 +\beamer@boxsize=\dimen146 +\beamer@vboxoffset=\dimen147 +\beamer@descdefault=\dimen148 +\beamer@descriptionwidth=\dimen149 +\beamer@lastskip=\skip47 +\beamer@areabox=\box48 +\beamer@animcurrent=\box49 +\beamer@animshowbox=\box50 +\beamer@sectionbox=\box51 +\beamer@logobox=\box52 +\beamer@linebox=\box53 +\beamer@sectioncount=\count173 +\beamer@subsubsectionmax=\count174 +\beamer@subsectionmax=\count175 +\beamer@sectionmax=\count176 +\beamer@totalheads=\count177 +\beamer@headcounter=\count178 +\beamer@partstartpage=\count179 +\beamer@sectionstartpage=\count180 +\beamer@subsectionstartpage=\count181 +\beamer@animationtempa=\count182 +\beamer@animationtempb=\count183 +\beamer@xpos=\count184 +\beamer@ypos=\count185 +\beamer@ypos@offset=\count186 +\beamer@showpartnumber=\count187 +\beamer@currentsubsection=\count188 +\beamer@coveringdepth=\count189 +\beamer@sectionadjust=\count190 +\beamer@tocsectionnumber=\count191 + +(/usr/share/texlive/texmf-dist/tex/latex/beamer/beamerbaseoptions.sty +(/usr/share/texlive/texmf-dist/tex/latex/graphics/keyval.sty +Package: keyval 2014/10/28 v1.15 key=value parser (DPC) +\KV@toks@=\toks14 +)) +\beamer@paperwidth=\skip48 +\beamer@paperheight=\skip49 + +(/usr/share/texlive/texmf-dist/tex/latex/geometry/geometry.sty +Package: geometry 2020/01/02 v5.9 Page Geometry + +(/usr/share/texlive/texmf-dist/tex/generic/iftex/ifvtex.sty +Package: ifvtex 2019/10/25 v1.7 ifvtex legacy package. Use iftex instead. 
+) +\Gm@cnth=\count192 +\Gm@cntv=\count193 +\c@Gm@tempcnt=\count194 +\Gm@bindingoffset=\dimen150 +\Gm@wd@mp=\dimen151 +\Gm@odd@mp=\dimen152 +\Gm@even@mp=\dimen153 +\Gm@layoutwidth=\dimen154 +\Gm@layoutheight=\dimen155 +\Gm@layouthoffset=\dimen156 +\Gm@layoutvoffset=\dimen157 +\Gm@dimlist=\toks15 +) +(/usr/share/texlive/texmf-dist/tex/latex/base/size11.clo +File: size11.clo 2019/12/20 v1.4l Standard LaTeX file (size option) +) +(/usr/share/texlive/texmf-dist/tex/latex/pgf/basiclayer/pgfcore.sty +(/usr/share/texlive/texmf-dist/tex/latex/graphics/graphicx.sty +Package: graphicx 2019/11/30 v1.2a Enhanced LaTeX Graphics (DPC,SPQR) + +(/usr/share/texlive/texmf-dist/tex/latex/graphics/graphics.sty +Package: graphics 2019/11/30 v1.4a Standard LaTeX Graphics (DPC,SPQR) + +(/usr/share/texlive/texmf-dist/tex/latex/graphics/trig.sty +Package: trig 2016/01/03 v1.10 sin cos tan (DPC) +) +(/usr/share/texlive/texmf-dist/tex/latex/graphics-cfg/graphics.cfg +File: graphics.cfg 2016/06/04 v1.11 sample graphics configuration +) +Package graphics Info: Driver file: pdftex.def on input line 105. 
+ +(/usr/share/texlive/texmf-dist/tex/latex/graphics-def/pdftex.def +File: pdftex.def 2018/01/08 v1.0l Graphics/color driver for pdftex +)) +\Gin@req@height=\dimen158 +\Gin@req@width=\dimen159 +) +(/usr/share/texlive/texmf-dist/tex/latex/pgf/systemlayer/pgfsys.sty +(/usr/share/texlive/texmf-dist/tex/latex/pgf/utilities/pgfrcs.sty +(/usr/share/texlive/texmf-dist/tex/generic/pgf/utilities/pgfutil-common.tex +\pgfutil@everybye=\toks16 +\pgfutil@tempdima=\dimen160 +\pgfutil@tempdimb=\dimen161 + +(/usr/share/texlive/texmf-dist/tex/generic/pgf/utilities/pgfutil-common-lists.t +ex)) (/usr/share/texlive/texmf-dist/tex/generic/pgf/utilities/pgfutil-latex.def +\pgfutil@abb=\box54 +(/usr/share/texlive/texmf-dist/tex/latex/ms/everyshi.sty +Package: everyshi 2001/05/15 v3.00 EveryShipout Package (MS) +)) +(/usr/share/texlive/texmf-dist/tex/generic/pgf/utilities/pgfrcs.code.tex +(/usr/share/texlive/texmf-dist/tex/generic/pgf/pgf.revision.tex) +Package: pgfrcs 2020/01/08 v3.1.5b (3.1.5b) +)) +(/usr/share/texlive/texmf-dist/tex/generic/pgf/systemlayer/pgfsys.code.tex +Package: pgfsys 2020/01/08 v3.1.5b (3.1.5b) + +(/usr/share/texlive/texmf-dist/tex/generic/pgf/utilities/pgfkeys.code.tex +\pgfkeys@pathtoks=\toks17 +\pgfkeys@temptoks=\toks18 + +(/usr/share/texlive/texmf-dist/tex/generic/pgf/utilities/pgfkeysfiltered.code.t +ex +\pgfkeys@tmptoks=\toks19 +)) +\pgf@x=\dimen162 +\pgf@y=\dimen163 +\pgf@xa=\dimen164 +\pgf@ya=\dimen165 +\pgf@xb=\dimen166 +\pgf@yb=\dimen167 +\pgf@xc=\dimen168 +\pgf@yc=\dimen169 +\pgf@xd=\dimen170 +\pgf@yd=\dimen171 +\w@pgf@writea=\write3 +\r@pgf@reada=\read2 +\c@pgf@counta=\count195 +\c@pgf@countb=\count196 +\c@pgf@countc=\count197 +\c@pgf@countd=\count198 +\t@pgf@toka=\toks20 +\t@pgf@tokb=\toks21 +\t@pgf@tokc=\toks22 +\pgf@sys@id@count=\count199 + (/usr/share/texlive/texmf-dist/tex/generic/pgf/systemlayer/pgf.cfg +File: pgf.cfg 2020/01/08 v3.1.5b (3.1.5b) +) +Driver file for pgf: pgfsys-pdftex.def + 
+(/usr/share/texlive/texmf-dist/tex/generic/pgf/systemlayer/pgfsys-pdftex.def +File: pgfsys-pdftex.def 2020/01/08 v3.1.5b (3.1.5b) + +(/usr/share/texlive/texmf-dist/tex/generic/pgf/systemlayer/pgfsys-common-pdf.de +f +File: pgfsys-common-pdf.def 2020/01/08 v3.1.5b (3.1.5b) +))) +(/usr/share/texlive/texmf-dist/tex/generic/pgf/systemlayer/pgfsyssoftpath.code. +tex +File: pgfsyssoftpath.code.tex 2020/01/08 v3.1.5b (3.1.5b) +\pgfsyssoftpath@smallbuffer@items=\count266 +\pgfsyssoftpath@bigbuffer@items=\count267 +) +(/usr/share/texlive/texmf-dist/tex/generic/pgf/systemlayer/pgfsysprotocol.code. +tex +File: pgfsysprotocol.code.tex 2020/01/08 v3.1.5b (3.1.5b) +)) (/usr/share/texlive/texmf-dist/tex/latex/xcolor/xcolor.sty +Package: xcolor 2016/05/11 v2.12 LaTeX color extensions (UK) + +(/usr/share/texlive/texmf-dist/tex/latex/graphics-cfg/color.cfg +File: color.cfg 2016/01/02 v1.6 sample color configuration +) +Package xcolor Info: Driver file: pdftex.def on input line 225. +Package xcolor Info: Model `cmy' substituted by `cmy0' on input line 1348. +Package xcolor Info: Model `hsb' substituted by `rgb' on input line 1352. +Package xcolor Info: Model `RGB' extended on input line 1364. +Package xcolor Info: Model `HTML' substituted by `rgb' on input line 1366. +Package xcolor Info: Model `Hsb' substituted by `hsb' on input line 1367. +Package xcolor Info: Model `tHsb' substituted by `hsb' on input line 1368. +Package xcolor Info: Model `HSB' substituted by `hsb' on input line 1369. +Package xcolor Info: Model `Gray' substituted by `gray' on input line 1370. +Package xcolor Info: Model `wave' substituted by `hsb' on input line 1371. 
+) +(/usr/share/texlive/texmf-dist/tex/generic/pgf/basiclayer/pgfcore.code.tex +Package: pgfcore 2020/01/08 v3.1.5b (3.1.5b) + +(/usr/share/texlive/texmf-dist/tex/generic/pgf/math/pgfmath.code.tex +(/usr/share/texlive/texmf-dist/tex/generic/pgf/math/pgfmathcalc.code.tex +(/usr/share/texlive/texmf-dist/tex/generic/pgf/math/pgfmathutil.code.tex) +(/usr/share/texlive/texmf-dist/tex/generic/pgf/math/pgfmathparser.code.tex +\pgfmath@dimen=\dimen172 +\pgfmath@count=\count268 +\pgfmath@box=\box55 +\pgfmath@toks=\toks23 +\pgfmath@stack@operand=\toks24 +\pgfmath@stack@operation=\toks25 +) +(/usr/share/texlive/texmf-dist/tex/generic/pgf/math/pgfmathfunctions.code.tex +(/usr/share/texlive/texmf-dist/tex/generic/pgf/math/pgfmathfunctions.basic.code +.tex) +(/usr/share/texlive/texmf-dist/tex/generic/pgf/math/pgfmathfunctions.trigonomet +ric.code.tex) +(/usr/share/texlive/texmf-dist/tex/generic/pgf/math/pgfmathfunctions.random.cod +e.tex) +(/usr/share/texlive/texmf-dist/tex/generic/pgf/math/pgfmathfunctions.comparison +.code.tex) +(/usr/share/texlive/texmf-dist/tex/generic/pgf/math/pgfmathfunctions.base.code. +tex) +(/usr/share/texlive/texmf-dist/tex/generic/pgf/math/pgfmathfunctions.round.code +.tex) +(/usr/share/texlive/texmf-dist/tex/generic/pgf/math/pgfmathfunctions.misc.code. 
+tex) +(/usr/share/texlive/texmf-dist/tex/generic/pgf/math/pgfmathfunctions.integerari +thmetics.code.tex))) +(/usr/share/texlive/texmf-dist/tex/generic/pgf/math/pgfmathfloat.code.tex +\c@pgfmathroundto@lastzeros=\count269 +)) +(/usr/share/texlive/texmf-dist/tex/generic/pgf/math/pgfint.code.tex) +(/usr/share/texlive/texmf-dist/tex/generic/pgf/basiclayer/pgfcorepoints.code.te +x +File: pgfcorepoints.code.tex 2020/01/08 v3.1.5b (3.1.5b) +\pgf@picminx=\dimen173 +\pgf@picmaxx=\dimen174 +\pgf@picminy=\dimen175 +\pgf@picmaxy=\dimen176 +\pgf@pathminx=\dimen177 +\pgf@pathmaxx=\dimen178 +\pgf@pathminy=\dimen179 +\pgf@pathmaxy=\dimen180 +\pgf@xx=\dimen181 +\pgf@xy=\dimen182 +\pgf@yx=\dimen183 +\pgf@yy=\dimen184 +\pgf@zx=\dimen185 +\pgf@zy=\dimen186 +) +(/usr/share/texlive/texmf-dist/tex/generic/pgf/basiclayer/pgfcorepathconstruct. +code.tex +File: pgfcorepathconstruct.code.tex 2020/01/08 v3.1.5b (3.1.5b) +\pgf@path@lastx=\dimen187 +\pgf@path@lasty=\dimen188 +) +(/usr/share/texlive/texmf-dist/tex/generic/pgf/basiclayer/pgfcorepathusage.code +.tex +File: pgfcorepathusage.code.tex 2020/01/08 v3.1.5b (3.1.5b) +\pgf@shorten@end@additional=\dimen189 +\pgf@shorten@start@additional=\dimen190 +) +(/usr/share/texlive/texmf-dist/tex/generic/pgf/basiclayer/pgfcorescopes.code.te +x +File: pgfcorescopes.code.tex 2020/01/08 v3.1.5b (3.1.5b) +\pgfpic=\box56 +\pgf@hbox=\box57 +\pgf@layerbox@main=\box58 +\pgf@picture@serial@count=\count270 +) +(/usr/share/texlive/texmf-dist/tex/generic/pgf/basiclayer/pgfcoregraphicstate.c +ode.tex +File: pgfcoregraphicstate.code.tex 2020/01/08 v3.1.5b (3.1.5b) +\pgflinewidth=\dimen191 +) +(/usr/share/texlive/texmf-dist/tex/generic/pgf/basiclayer/pgfcoretransformation +s.code.tex +File: pgfcoretransformations.code.tex 2020/01/08 v3.1.5b (3.1.5b) +\pgf@pt@x=\dimen192 +\pgf@pt@y=\dimen193 +\pgf@pt@temp=\dimen194 +) +(/usr/share/texlive/texmf-dist/tex/generic/pgf/basiclayer/pgfcorequick.code.tex +File: pgfcorequick.code.tex 2020/01/08 v3.1.5b (3.1.5b) +) 
+(/usr/share/texlive/texmf-dist/tex/generic/pgf/basiclayer/pgfcoreobjects.code.t +ex +File: pgfcoreobjects.code.tex 2020/01/08 v3.1.5b (3.1.5b) +) +(/usr/share/texlive/texmf-dist/tex/generic/pgf/basiclayer/pgfcorepathprocessing +.code.tex +File: pgfcorepathprocessing.code.tex 2020/01/08 v3.1.5b (3.1.5b) +) +(/usr/share/texlive/texmf-dist/tex/generic/pgf/basiclayer/pgfcorearrows.code.te +x +File: pgfcorearrows.code.tex 2020/01/08 v3.1.5b (3.1.5b) +\pgfarrowsep=\dimen195 +) +(/usr/share/texlive/texmf-dist/tex/generic/pgf/basiclayer/pgfcoreshade.code.tex +File: pgfcoreshade.code.tex 2020/01/08 v3.1.5b (3.1.5b) +\pgf@max=\dimen196 +\pgf@sys@shading@range@num=\count271 +\pgf@shadingcount=\count272 +) +(/usr/share/texlive/texmf-dist/tex/generic/pgf/basiclayer/pgfcoreimage.code.tex +File: pgfcoreimage.code.tex 2020/01/08 v3.1.5b (3.1.5b) + +(/usr/share/texlive/texmf-dist/tex/generic/pgf/basiclayer/pgfcoreexternal.code. +tex +File: pgfcoreexternal.code.tex 2020/01/08 v3.1.5b (3.1.5b) +\pgfexternal@startupbox=\box59 +)) +(/usr/share/texlive/texmf-dist/tex/generic/pgf/basiclayer/pgfcorelayers.code.te +x +File: pgfcorelayers.code.tex 2020/01/08 v3.1.5b (3.1.5b) +) +(/usr/share/texlive/texmf-dist/tex/generic/pgf/basiclayer/pgfcoretransparency.c +ode.tex +File: pgfcoretransparency.code.tex 2020/01/08 v3.1.5b (3.1.5b) +) +(/usr/share/texlive/texmf-dist/tex/generic/pgf/basiclayer/pgfcorepatterns.code. 
+tex +File: pgfcorepatterns.code.tex 2020/01/08 v3.1.5b (3.1.5b) +) +(/usr/share/texlive/texmf-dist/tex/generic/pgf/basiclayer/pgfcorerdf.code.tex +File: pgfcorerdf.code.tex 2020/01/08 v3.1.5b (3.1.5b) +))) (/usr/share/texlive/texmf-dist/tex/latex/pgf/utilities/xxcolor.sty +Package: xxcolor 2003/10/24 ver 0.1 +\XC@nummixins=\count273 +\XC@countmixins=\count274 +) +(/usr/share/texlive/texmf-dist/tex/generic/atbegshi/atbegshi.sty +Package: atbegshi 2019/12/05 v1.19 At begin shipout hook (HO) + +(/usr/share/texlive/texmf-dist/tex/generic/infwarerr/infwarerr.sty +Package: infwarerr 2019/12/03 v1.5 Providing info/warning/error messages (HO) +) +(/usr/share/texlive/texmf-dist/tex/generic/ltxcmds/ltxcmds.sty +Package: ltxcmds 2019/12/15 v1.24 LaTeX kernel commands for general use (HO) +)) +(/usr/share/texlive/texmf-dist/tex/latex/hyperref/hyperref.sty +Package: hyperref 2020/01/14 v7.00d Hypertext links for LaTeX + +(/usr/share/texlive/texmf-dist/tex/latex/pdftexcmds/pdftexcmds.sty +Package: pdftexcmds 2019/11/24 v0.31 Utility functions of pdfTeX for LuaTeX (HO +) +Package pdftexcmds Info: \pdf@primitive is available. +Package pdftexcmds Info: \pdf@ifprimitive is available. +Package pdftexcmds Info: \pdfdraftmode found. 
+) +(/usr/share/texlive/texmf-dist/tex/generic/kvsetkeys/kvsetkeys.sty +Package: kvsetkeys 2019/12/15 v1.18 Key value parser (HO) +) +(/usr/share/texlive/texmf-dist/tex/generic/kvdefinekeys/kvdefinekeys.sty +Package: kvdefinekeys 2019-12-19 v1.6 Define keys (HO) +) +(/usr/share/texlive/texmf-dist/tex/generic/pdfescape/pdfescape.sty +Package: pdfescape 2019/12/09 v1.15 Implements pdfTeX's escape features (HO) +) +(/usr/share/texlive/texmf-dist/tex/latex/hycolor/hycolor.sty +Package: hycolor 2020-01-27 v1.10 Color options for hyperref/bookmark (HO) +) +(/usr/share/texlive/texmf-dist/tex/latex/letltxmacro/letltxmacro.sty +Package: letltxmacro 2019/12/03 v1.6 Let assignment for LaTeX macros (HO) +) +(/usr/share/texlive/texmf-dist/tex/latex/auxhook/auxhook.sty +Package: auxhook 2019-12-17 v1.6 Hooks for auxiliary files (HO) +) +(/usr/share/texlive/texmf-dist/tex/latex/kvoptions/kvoptions.sty +Package: kvoptions 2019/11/29 v3.13 Key value format for package options (HO) +) +\@linkdim=\dimen197 +\Hy@linkcounter=\count275 +\Hy@pagecounter=\count276 + +(/usr/share/texlive/texmf-dist/tex/latex/hyperref/pd1enc.def +File: pd1enc.def 2020/01/14 v7.00d Hyperref: PDFDocEncoding definition (HO) +Now handling font encoding PD1 ... +... no UTF-8 mapping file for font encoding PD1 +) +(/usr/share/texlive/texmf-dist/tex/generic/intcalc/intcalc.sty +Package: intcalc 2019/12/15 v1.3 Expandable calculations with integers (HO) +) +(/usr/share/texlive/texmf-dist/tex/generic/etexcmds/etexcmds.sty +Package: etexcmds 2019/12/15 v1.7 Avoid name clashes with e-TeX commands (HO) +) +\Hy@SavedSpaceFactor=\count277 +\pdfmajorversion=\count278 +Package hyperref Info: Option `bookmarks' set `true' on input line 4421. +Package hyperref Info: Option `bookmarksopen' set `true' on input line 4421. +Package hyperref Info: Option `implicit' set `false' on input line 4421. +Package hyperref Info: Hyper figures OFF on input line 4547. +Package hyperref Info: Link nesting OFF on input line 4552. 
+Package hyperref Info: Hyper index ON on input line 4555. +Package hyperref Info: Plain pages OFF on input line 4562. +Package hyperref Info: Backreferencing OFF on input line 4567. +Package hyperref Info: Implicit mode OFF; no redefinition of LaTeX internals. +Package hyperref Info: Bookmarks ON on input line 4800. +\c@Hy@tempcnt=\count279 + +(/usr/share/texlive/texmf-dist/tex/latex/url/url.sty +\Urlmuskip=\muskip16 +Package: url 2013/09/16 ver 3.4 Verb mode for urls, etc. +) +LaTeX Info: Redefining \url on input line 5159. +\XeTeXLinkMargin=\dimen198 + +(/usr/share/texlive/texmf-dist/tex/generic/bitset/bitset.sty +Package: bitset 2019/12/09 v1.3 Handle bit-vector datatype (HO) + +(/usr/share/texlive/texmf-dist/tex/generic/bigintcalc/bigintcalc.sty +Package: bigintcalc 2019/12/15 v1.5 Expandable calculations on big integers (HO +) +)) +\Fld@menulength=\count280 +\Field@Width=\dimen199 +\Fld@charsize=\dimen256 +Package hyperref Info: Hyper figures OFF on input line 6430. +Package hyperref Info: Link nesting OFF on input line 6435. +Package hyperref Info: Hyper index ON on input line 6438. +Package hyperref Info: backreferencing OFF on input line 6445. +Package hyperref Info: Link coloring OFF on input line 6450. +Package hyperref Info: Link coloring with OCG OFF on input line 6455. +Package hyperref Info: PDF/A mode OFF on input line 6460. +LaTeX Info: Redefining \ref on input line 6500. +LaTeX Info: Redefining \pageref on input line 6504. +\Hy@abspage=\count281 + + +Package hyperref Message: Stopped early. + +) +Package hyperref Info: Driver (autodetected): hpdftex. 
+ (/usr/share/texlive/texmf-dist/tex/latex/hyperref/hpdftex.def +File: hpdftex.def 2020/01/14 v7.00d Hyperref driver for pdfTeX + +(/usr/share/texlive/texmf-dist/tex/latex/atveryend/atveryend.sty +Package: atveryend 2019-12-11 v1.11 Hooks at the very end of document (HO) +) +\Fld@listcount=\count282 +\c@bookmark@seq@number=\count283 + +(/usr/share/texlive/texmf-dist/tex/latex/rerunfilecheck/rerunfilecheck.sty +Package: rerunfilecheck 2019/12/05 v1.9 Rerun checks for auxiliary files (HO) + +(/usr/share/texlive/texmf-dist/tex/generic/uniquecounter/uniquecounter.sty +Package: uniquecounter 2019/12/15 v1.4 Provide unlimited unique counter (HO) +) +Package uniquecounter Info: New unique counter `rerunfilecheck' on input line 2 +86. +)) +(/usr/share/texlive/texmf-dist/tex/latex/beamer/beamerbaserequires.sty +(/usr/share/texlive/texmf-dist/tex/latex/beamer/beamerbasecompatibility.sty) +(/usr/share/texlive/texmf-dist/tex/latex/beamer/beamerbasefont.sty +(/usr/share/texlive/texmf-dist/tex/latex/amsfonts/amssymb.sty +Package: amssymb 2013/01/14 v3.01 AMS font symbols + +(/usr/share/texlive/texmf-dist/tex/latex/amsfonts/amsfonts.sty +Package: amsfonts 2013/01/14 v3.01 Basic AMSFonts support +\@emptytoks=\toks26 +\symAMSa=\mathgroup4 +\symAMSb=\mathgroup5 +LaTeX Font Info: Redeclaring math symbol \hbar on input line 98. +LaTeX Font Info: Overwriting math alphabet `\mathfrak' in version `bold' +(Font) U/euf/m/n --> U/euf/b/n on input line 106. 
+)) +(/usr/share/texlive/texmf-dist/tex/latex/sansmathaccent/sansmathaccent.sty +Package: sansmathaccent 2020/01/31 + +(/usr/share/texlive/texmf-dist/tex/latex/koma-script/scrlfile.sty +Package: scrlfile 2020/01/24 v3.29 KOMA-Script package (loading files) +))) +(/usr/share/texlive/texmf-dist/tex/latex/beamer/beamerbasetranslator.sty +(/usr/share/texlive/texmf-dist/tex/latex/translator/translator.sty +Package: translator 2019-05-31 v1.12a Easy translation of strings in LaTeX +)) +(/usr/share/texlive/texmf-dist/tex/latex/beamer/beamerbasemisc.sty) +(/usr/share/texlive/texmf-dist/tex/latex/beamer/beamerbasetwoscreens.sty) +(/usr/share/texlive/texmf-dist/tex/latex/beamer/beamerbaseoverlay.sty +\beamer@argscount=\count284 +\beamer@lastskipcover=\skip50 +\beamer@trivlistdepth=\count285 +) +(/usr/share/texlive/texmf-dist/tex/latex/beamer/beamerbasetitle.sty) +(/usr/share/texlive/texmf-dist/tex/latex/beamer/beamerbasesection.sty +\c@lecture=\count286 +\c@part=\count287 +\c@section=\count288 +\c@subsection=\count289 +\c@subsubsection=\count290 +) +(/usr/share/texlive/texmf-dist/tex/latex/beamer/beamerbaseframe.sty +\beamer@framebox=\box60 +\beamer@frametitlebox=\box61 +\beamer@zoombox=\box62 +\beamer@zoomcount=\count291 +\beamer@zoomframecount=\count292 +\beamer@frametextheight=\dimen257 +\c@subsectionslide=\count293 +\beamer@frametopskip=\skip51 +\beamer@framebottomskip=\skip52 +\beamer@frametopskipautobreak=\skip53 +\beamer@framebottomskipautobreak=\skip54 +\beamer@envbody=\toks27 +\framewidth=\dimen258 +\c@framenumber=\count294 +) +(/usr/share/texlive/texmf-dist/tex/latex/beamer/beamerbaseverbatim.sty +\beamer@verbatimfileout=\write4 +) +(/usr/share/texlive/texmf-dist/tex/latex/beamer/beamerbaseframesize.sty +\beamer@splitbox=\box63 +\beamer@autobreakcount=\count295 +\beamer@autobreaklastheight=\dimen259 +\beamer@frametitletoks=\toks28 +\beamer@framesubtitletoks=\toks29 +) +(/usr/share/texlive/texmf-dist/tex/latex/beamer/beamerbaseframecomponents.sty 
+\beamer@footins=\box64 +) +(/usr/share/texlive/texmf-dist/tex/latex/beamer/beamerbasecolor.sty) +(/usr/share/texlive/texmf-dist/tex/latex/beamer/beamerbasenotes.sty +\beamer@frameboxcopy=\box65 +) +(/usr/share/texlive/texmf-dist/tex/latex/beamer/beamerbasetoc.sty) +(/usr/share/texlive/texmf-dist/tex/latex/beamer/beamerbasetemplates.sty +\beamer@sbttoks=\toks30 + +(/usr/share/texlive/texmf-dist/tex/latex/beamer/beamerbaseauxtemplates.sty +(/usr/share/texlive/texmf-dist/tex/latex/beamer/beamerbaseboxes.sty +\bmb@box=\box66 +\bmb@colorbox=\box67 +\bmb@boxshadow=\box68 +\bmb@boxshadowball=\box69 +\bmb@boxshadowballlarge=\box70 +\bmb@temp=\dimen260 +\bmb@dima=\dimen261 +\bmb@dimb=\dimen262 +\bmb@prevheight=\dimen263 +) +\beamer@blockheadheight=\dimen264 +)) +(/usr/share/texlive/texmf-dist/tex/latex/beamer/beamerbaselocalstructure.sty +(/usr/share/texlive/texmf-dist/tex/latex/tools/enumerate.sty +Package: enumerate 2015/07/23 v3.00 enumerate extensions (DPC) +\@enLab=\toks31 +) +\c@figure=\count296 +\c@table=\count297 +\abovecaptionskip=\skip55 +\belowcaptionskip=\skip56 +) +(/usr/share/texlive/texmf-dist/tex/latex/beamer/beamerbasenavigation.sty +\beamer@section@min@dim=\dimen265 +) +(/usr/share/texlive/texmf-dist/tex/latex/beamer/beamerbasetheorems.sty +(/usr/share/texlive/texmf-dist/tex/latex/amsmath/amsmath.sty +Package: amsmath 2020/01/20 v2.17e AMS math features +\@mathmargin=\skip57 + +For additional information on amsmath, use the `?' option. 
+(/usr/share/texlive/texmf-dist/tex/latex/amsmath/amstext.sty +Package: amstext 2000/06/29 v2.01 AMS text + +(/usr/share/texlive/texmf-dist/tex/latex/amsmath/amsgen.sty +File: amsgen.sty 1999/11/30 v2.0 generic functions +\@emptytoks=\toks32 +\ex@=\dimen266 +)) +(/usr/share/texlive/texmf-dist/tex/latex/amsmath/amsbsy.sty +Package: amsbsy 1999/11/29 v1.2d Bold Symbols +\pmbraise@=\dimen267 +) +(/usr/share/texlive/texmf-dist/tex/latex/amsmath/amsopn.sty +Package: amsopn 2016/03/08 v2.02 operator names +) +\inf@bad=\count298 +LaTeX Info: Redefining \frac on input line 227. +\uproot@=\count299 +\leftroot@=\count300 +LaTeX Info: Redefining \overline on input line 389. +\classnum@=\count301 +\DOTSCASE@=\count302 +LaTeX Info: Redefining \ldots on input line 486. +LaTeX Info: Redefining \dots on input line 489. +LaTeX Info: Redefining \cdots on input line 610. +\Mathstrutbox@=\box71 +\strutbox@=\box72 +\big@size=\dimen268 +LaTeX Font Info: Redeclaring font encoding OML on input line 733. +LaTeX Font Info: Redeclaring font encoding OMS on input line 734. +\macc@depth=\count303 +\c@MaxMatrixCols=\count304 +\dotsspace@=\muskip17 +\c@parentequation=\count305 +\dspbrk@lvl=\count306 +\tag@help=\toks33 +\row@=\count307 +\column@=\count308 +\maxfields@=\count309 +\andhelp@=\toks34 +\eqnshift@=\dimen269 +\alignsep@=\dimen270 +\tagshift@=\dimen271 +\tagwidth@=\dimen272 +\totwidth@=\dimen273 +\lineht@=\dimen274 +\@envbody=\toks35 +\multlinegap=\skip58 +\multlinetaggap=\skip59 +\mathdisplay@stack=\toks36 +LaTeX Info: Redefining \[ on input line 2859. +LaTeX Info: Redefining \] on input line 2860. 
+) +(/usr/share/texlive/texmf-dist/tex/latex/amscls/amsthm.sty +Package: amsthm 2017/10/31 v2.20.4 +\thm@style=\toks37 +\thm@bodyfont=\toks38 +\thm@headfont=\toks39 +\thm@notefont=\toks40 +\thm@headpunct=\toks41 +\thm@preskip=\skip60 +\thm@postskip=\skip61 +\thm@headsep=\skip62 +\dth@everypar=\toks42 +) +\c@theorem=\count310 +) +(/usr/share/texlive/texmf-dist/tex/latex/beamer/beamerbasethemes.sty)) +(/usr/share/texlive/texmf-dist/tex/latex/beamer/beamerthemedefault.sty +(/usr/share/texlive/texmf-dist/tex/latex/beamer/beamerfontthemedefault.sty) +(/usr/share/texlive/texmf-dist/tex/latex/beamer/beamercolorthemedefault.sty) +(/usr/share/texlive/texmf-dist/tex/latex/beamer/beamerinnerthemedefault.sty +\beamer@dima=\dimen275 +\beamer@dimb=\dimen276 +) +(/usr/share/texlive/texmf-dist/tex/latex/beamer/beamerouterthemedefault.sty))) +(/usr/share/texlive/texmf-dist/tex/latex/beamertheme-focus/beamerthemefocus.sty +Package: beamerthemefocus 2019/11/20 v2.5 Focus Beamer theme +(/usr/share/texlive/texmf-dist/tex/latex/base/fontenc.sty +Package: fontenc 2020/02/11 v2.0o Standard LaTeX package +) +(/usr/share/texlive/texmf-dist/tex/latex/fira/FiraSans.sty +Package: FiraSans 2019/10/10 (Bob Tennent and autoinst) Style file for Fira San +s fonts. + +(/usr/share/texlive/texmf-dist/tex/generic/iftex/ifxetex.sty +Package: ifxetex 2019/10/25 v0.7 ifxetex legacy package. Use iftex instead. +) +(/usr/share/texlive/texmf-dist/tex/generic/iftex/ifluatex.sty +Package: ifluatex 2019/10/25 v1.5 ifluatex legacy package. Use iftex instead. 
+) +(/usr/share/texlive/texmf-dist/tex/latex/xkeyval/xkeyval.sty +Package: xkeyval 2014/12/03 v2.7a package option processing (HA) + +(/usr/share/texlive/texmf-dist/tex/generic/xkeyval/xkeyval.tex +(/usr/share/texlive/texmf-dist/tex/generic/xkeyval/xkvutils.tex +\XKV@toks=\toks43 +\XKV@tempa@toks=\toks44 +) +\XKV@depth=\count311 +File: xkeyval.tex 2014/12/03 v2.7a key=value parser (HA) +)) +(/usr/share/texlive/texmf-dist/tex/latex/base/textcomp.sty +Package: textcomp 2020/02/02 v2.0n Standard LaTeX package +) +(/usr/share/texlive/texmf-dist/tex/latex/fontaxes/fontaxes.sty +Package: fontaxes 2014/03/23 v1.0d Font selection axes +LaTeX Info: Redefining \upshape on input line 29. +LaTeX Info: Redefining \itshape on input line 31. +LaTeX Info: Redefining \slshape on input line 33. +LaTeX Info: Redefining \swshape on input line 35. +LaTeX Info: Redefining \scshape on input line 37. +LaTeX Info: Redefining \sscshape on input line 39. +LaTeX Info: Redefining \ulcshape on input line 41. +LaTeX Info: Redefining \textsw on input line 47. +LaTeX Info: Redefining \textssc on input line 48. +LaTeX Info: Redefining \textulc on input line 49. +)) +(/usr/share/texlive/texmf-dist/tex/latex/fira/FiraMono.sty +Package: FiraMono 2019/10/10 (Bob Tennent and autoinst) Style file for Fira Mon +o fonts. + +(/usr/share/texlive/texmf-dist/tex/latex/base/fontenc.sty +Package: fontenc 2020/02/11 v2.0o Standard LaTeX package +LaTeX Font Info: Trying to load font information for T1+FiraSans-OsF on inpu +t line 112. + +(/usr/share/texlive/texmf-dist/tex/latex/fira/T1FiraSans-OsF.fd +File: T1FiraSans-OsF.fd 2019/10/10 (autoinst) Font definitions for T1/FiraSans- +OsF. +) +LaTeX Font Info: Font shape `T1/FiraSans-OsF/m/n' in size <10.95> not availa +ble +(Font) Font shape `T1/FiraSans-OsF/regular/n' tried instead on inp +ut line 112. +LaTeX Font Info: Font shape `T1/FiraSans-OsF/regular/n' will be +(Font) scaled to size 10.95pt on input line 112. 
+)) +(/usr/share/texlive/texmf-dist/tex/latex/beamertheme-focus/beamercolorthemefocu +s.sty) +(/usr/share/texlive/texmf-dist/tex/latex/beamertheme-focus/beamerfontthemefocus +.sty) +(/usr/share/texlive/texmf-dist/tex/latex/beamertheme-focus/beamerinnerthemefocu +s.sty (/usr/share/texlive/texmf-dist/tex/latex/pgf/frontendlayer/tikz.sty +(/usr/share/texlive/texmf-dist/tex/latex/pgf/basiclayer/pgf.sty +Package: pgf 2020/01/08 v3.1.5b (3.1.5b) + +(/usr/share/texlive/texmf-dist/tex/generic/pgf/modules/pgfmoduleshapes.code.tex +File: pgfmoduleshapes.code.tex 2020/01/08 v3.1.5b (3.1.5b) +\pgfnodeparttextbox=\box73 +) (/usr/share/texlive/texmf-dist/tex/generic/pgf/modules/pgfmoduleplot.code.tex +File: pgfmoduleplot.code.tex 2020/01/08 v3.1.5b (3.1.5b) +) +(/usr/share/texlive/texmf-dist/tex/latex/pgf/compatibility/pgfcomp-version-0-65 +.sty +Package: pgfcomp-version-0-65 2020/01/08 v3.1.5b (3.1.5b) +\pgf@nodesepstart=\dimen277 +\pgf@nodesepend=\dimen278 +) +(/usr/share/texlive/texmf-dist/tex/latex/pgf/compatibility/pgfcomp-version-1-18 +.sty +Package: pgfcomp-version-1-18 2020/01/08 v3.1.5b (3.1.5b) +)) (/usr/share/texlive/texmf-dist/tex/latex/pgf/utilities/pgffor.sty +(/usr/share/texlive/texmf-dist/tex/latex/pgf/utilities/pgfkeys.sty +(/usr/share/texlive/texmf-dist/tex/generic/pgf/utilities/pgfkeys.code.tex)) +(/usr/share/texlive/texmf-dist/tex/latex/pgf/math/pgfmath.sty +(/usr/share/texlive/texmf-dist/tex/generic/pgf/math/pgfmath.code.tex)) +(/usr/share/texlive/texmf-dist/tex/generic/pgf/utilities/pgffor.code.tex +Package: pgffor 2020/01/08 v3.1.5b (3.1.5b) + +(/usr/share/texlive/texmf-dist/tex/generic/pgf/math/pgfmath.code.tex) +\pgffor@iter=\dimen279 +\pgffor@skip=\dimen280 +\pgffor@stack=\toks45 +\pgffor@toks=\toks46 +)) +(/usr/share/texlive/texmf-dist/tex/generic/pgf/frontendlayer/tikz/tikz.code.tex +Package: tikz 2020/01/08 v3.1.5b (3.1.5b) + +(/usr/share/texlive/texmf-dist/tex/generic/pgf/libraries/pgflibraryplothandlers +.code.tex +File: 
pgflibraryplothandlers.code.tex 2020/01/08 v3.1.5b (3.1.5b) +\pgf@plot@mark@count=\count312 +\pgfplotmarksize=\dimen281 +) +\tikz@lastx=\dimen282 +\tikz@lasty=\dimen283 +\tikz@lastxsaved=\dimen284 +\tikz@lastysaved=\dimen285 +\tikz@lastmovetox=\dimen286 +\tikz@lastmovetoy=\dimen287 +\tikzleveldistance=\dimen288 +\tikzsiblingdistance=\dimen289 +\tikz@figbox=\box74 +\tikz@figbox@bg=\box75 +\tikz@tempbox=\box76 +\tikz@tempbox@bg=\box77 +\tikztreelevel=\count313 +\tikznumberofchildren=\count314 +\tikznumberofcurrentchild=\count315 +\tikz@fig@count=\count316 + +(/usr/share/texlive/texmf-dist/tex/generic/pgf/modules/pgfmodulematrix.code.tex +File: pgfmodulematrix.code.tex 2020/01/08 v3.1.5b (3.1.5b) +\pgfmatrixcurrentrow=\count317 +\pgfmatrixcurrentcolumn=\count318 +\pgf@matrix@numberofcolumns=\count319 +) +\tikz@expandcount=\count320 + +(/usr/share/texlive/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tik +zlibrarytopaths.code.tex +File: tikzlibrarytopaths.code.tex 2020/01/08 v3.1.5b (3.1.5b) +)))) +(/usr/share/texlive/texmf-dist/tex/latex/beamertheme-focus/beamerouterthemefocu +s.sty +(/usr/share/texlive/texmf-dist/tex/latex/appendixnumberbeamer/appendixnumberbea +mer.sty) (/usr/share/texlive/texmf-dist/tex/latex/bookmark/bookmark.sty +Package: bookmark 2019/12/03 v1.28 PDF bookmarks (HO) + +(/usr/share/texlive/texmf-dist/tex/latex/bookmark/bkm-pdftex.def +File: bkm-pdftex.def 2019/12/03 v1.28 bookmark driver for pdfTeX (HO) +\BKM@id=\count321 +)) +\focus@pbar@height=\skip63 +\focus@pbar@leftoffset=\skip64 +\focus@pbar@rightoffset=\skip65 +)) +(/usr/share/texlive/texmf-dist/tex/latex/base/inputenc.sty +Package: inputenc 2018/08/11 v1.3c Input encoding file +\inpenc@prehook=\toks47 +\inpenc@posthook=\toks48 +) +(/usr/share/texlive/texmf-dist/tex/latex/listings/listings.sty +\lst@mode=\count322 +\lst@gtempboxa=\box78 +\lst@token=\toks49 +\lst@length=\count323 +\lst@currlwidth=\dimen290 +\lst@column=\count324 +\lst@pos=\count325 +\lst@lostspace=\dimen291 
+\lst@width=\dimen292 +\lst@newlines=\count326 +\lst@lineno=\count327 +\lst@maxwidth=\dimen293 + +(/usr/share/texlive/texmf-dist/tex/latex/listings/lstmisc.sty +File: lstmisc.sty 2019/09/10 1.8c (Carsten Heinz) +\c@lstnumber=\count328 +\lst@skipnumbers=\count329 +\lst@framebox=\box79 +) +(/usr/share/texlive/texmf-dist/tex/latex/listings/listings.cfg +File: listings.cfg 2019/09/10 1.8c listings configuration +)) +Package: listings 2019/09/10 1.8c (Carsten Heinz) + +(/usr/share/texlive/texmf-dist/tex/latex/adjustbox/adjustbox.sty +Package: adjustbox 2019/01/04 v1.2 Adjusting TeX boxes (trim, clip, ...) + +(/usr/share/texlive/texmf-dist/tex/latex/adjustbox/adjcalc.sty +Package: adjcalc 2012/05/16 v1.1 Provides advanced setlength with multiple back +-ends (calc, etex, pgfmath) +) +(/usr/share/texlive/texmf-dist/tex/latex/adjustbox/trimclip.sty +Package: trimclip 2018/04/08 v1.1 Trim and clip general TeX material + +(/usr/share/texlive/texmf-dist/tex/latex/collectbox/collectbox.sty +Package: collectbox 2012/05/17 v0.4b Collect macro arguments as boxes +\collectedbox=\box80 +) +\tc@llx=\dimen294 +\tc@lly=\dimen295 +\tc@urx=\dimen296 +\tc@ury=\dimen297 +Package trimclip Info: Using driver 'tc-pdftex.def'. 
+ +(/usr/share/texlive/texmf-dist/tex/latex/adjustbox/tc-pdftex.def +File: tc-pdftex.def 2019/01/04 v2.2 Clipping driver for pdftex +)) +\adjbox@Width=\dimen298 +\adjbox@Height=\dimen299 +\adjbox@Depth=\dimen300 +\adjbox@Totalheight=\dimen301 +\adjbox@pwidth=\dimen302 +\adjbox@pheight=\dimen303 +\adjbox@pdepth=\dimen304 +\adjbox@ptotalheight=\dimen305 + +(/usr/share/texlive/texmf-dist/tex/latex/ifoddpage/ifoddpage.sty +Package: ifoddpage 2016/04/23 v1.1 Conditionals for odd/even page detection +\c@checkoddpage=\count330 +) +(/usr/share/texlive/texmf-dist/tex/latex/varwidth/varwidth.sty +Package: varwidth 2009/03/30 ver 0.92; Variable-width minipages +\@vwid@box=\box81 +\sift@deathcycles=\count331 +\@vwid@loff=\dimen306 +\@vwid@roff=\dimen307 +)) +(/usr/share/texlive/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tik +zlibrarypositioning.code.tex +File: tikzlibrarypositioning.code.tex 2020/01/08 v3.1.5b (3.1.5b) +) +(/usr/share/texlive/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tik +zlibraryshapes.code.tex +File: tikzlibraryshapes.code.tex 2020/01/08 v3.1.5b (3.1.5b) + +(/usr/share/texlive/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tik +zlibraryshapes.geometric.code.tex +File: tikzlibraryshapes.geometric.code.tex 2020/01/08 v3.1.5b (3.1.5b) + +(/usr/share/texlive/texmf-dist/tex/generic/pgf/libraries/shapes/pgflibraryshape +s.geometric.code.tex +File: pgflibraryshapes.geometric.code.tex 2020/01/08 v3.1.5b (3.1.5b) +)) +(/usr/share/texlive/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tik +zlibraryshapes.misc.code.tex +File: tikzlibraryshapes.misc.code.tex 2020/01/08 v3.1.5b (3.1.5b) + +(/usr/share/texlive/texmf-dist/tex/generic/pgf/libraries/shapes/pgflibraryshape +s.misc.code.tex +File: pgflibraryshapes.misc.code.tex 2020/01/08 v3.1.5b (3.1.5b) +)) +(/usr/share/texlive/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tik +zlibraryshapes.symbols.code.tex +File: tikzlibraryshapes.symbols.code.tex 2020/01/08 v3.1.5b 
(3.1.5b) + +(/usr/share/texlive/texmf-dist/tex/generic/pgf/libraries/shapes/pgflibraryshape +s.symbols.code.tex +File: pgflibraryshapes.symbols.code.tex 2020/01/08 v3.1.5b (3.1.5b) +)) +(/usr/share/texlive/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tik +zlibraryshapes.arrows.code.tex +File: tikzlibraryshapes.arrows.code.tex 2020/01/08 v3.1.5b (3.1.5b) + +(/usr/share/texlive/texmf-dist/tex/generic/pgf/libraries/shapes/pgflibraryshape +s.arrows.code.tex +File: pgflibraryshapes.arrows.code.tex 2020/01/08 v3.1.5b (3.1.5b) +)) +(/usr/share/texlive/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tik +zlibraryshapes.callouts.code.tex +(/usr/share/texlive/texmf-dist/tex/generic/pgf/libraries/shapes/pgflibraryshape +s.callouts.code.tex)) +(/usr/share/texlive/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tik +zlibraryshapes.multipart.code.tex +File: tikzlibraryshapes.multipart.code.tex 2020/01/08 v3.1.5b (3.1.5b) + +(/usr/share/texlive/texmf-dist/tex/generic/pgf/libraries/shapes/pgflibraryshape +s.multipart.code.tex +File: pgflibraryshapes.multipart.code.tex 2020/01/08 v3.1.5b (3.1.5b) +\pgfnodepartlowerbox=\box82 +\pgfnodeparttwobox=\box83 +\pgfnodepartthreebox=\box84 +\pgfnodepartfourbox=\box85 +\pgfnodeparttwentybox=\box86 +\pgfnodepartnineteenbox=\box87 +\pgfnodeparteighteenbox=\box88 +\pgfnodepartseventeenbox=\box89 +\pgfnodepartsixteenbox=\box90 +\pgfnodepartfifteenbox=\box91 +\pgfnodepartfourteenbox=\box92 +\pgfnodepartthirteenbox=\box93 +\pgfnodeparttwelvebox=\box94 +\pgfnodepartelevenbox=\box95 +\pgfnodeparttenbox=\box96 +\pgfnodepartninebox=\box97 +\pgfnodeparteightbox=\box98 +\pgfnodepartsevenbox=\box99 +\pgfnodepartsixbox=\box100 +\pgfnodepartfivebox=\box101 +))) +(/usr/share/texlive/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tik +zlibraryarrows.code.tex +File: tikzlibraryarrows.code.tex 2020/01/08 v3.1.5b (3.1.5b) + +(/usr/share/texlive/texmf-dist/tex/generic/pgf/libraries/pgflibraryarrows.code. 
+tex +File: pgflibraryarrows.code.tex 2020/01/08 v3.1.5b (3.1.5b) +\arrowsize=\dimen308 +)) + +Package hyperref Warning: Token not allowed in a PDF string (PDFDocEncoding): +(hyperref) removing `\@ifnextchar' on input line 15. + +(/usr/share/texlive/texmf-dist/tex/latex/l3backend/l3backend-pdfmode.def +File: l3backend-pdfmode.def 2020-02-03 L3 backend support: PDF mode +\l__kernel_color_stack_int=\count332 +\l__pdf_internal_box=\box102 +) +(./slide.aux (./content.aux)) +\openout1 = `slide.aux'. + +LaTeX Font Info: Checking defaults for OML/cmm/m/it on input line 22. +LaTeX Font Info: ... okay on input line 22. +LaTeX Font Info: Checking defaults for OMS/cmsy/m/n on input line 22. +LaTeX Font Info: ... okay on input line 22. +LaTeX Font Info: Checking defaults for OT1/cmr/m/n on input line 22. +LaTeX Font Info: ... okay on input line 22. +LaTeX Font Info: Checking defaults for T1/cmr/m/n on input line 22. +LaTeX Font Info: ... okay on input line 22. +LaTeX Font Info: Checking defaults for TS1/cmr/m/n on input line 22. +LaTeX Font Info: ... okay on input line 22. +LaTeX Font Info: Checking defaults for OMX/cmex/m/n on input line 22. +LaTeX Font Info: ... okay on input line 22. +LaTeX Font Info: Checking defaults for U/cmr/m/n on input line 22. +LaTeX Font Info: ... okay on input line 22. +LaTeX Font Info: Checking defaults for PD1/pdf/m/n on input line 22. +LaTeX Font Info: ... okay on input line 22. 
+ +*geometry* driver: auto-detecting +*geometry* detected driver: pdftex +*geometry* verbose mode - [ preamble ] result: +* driver: pdftex +* paper: custom +* layout: +* layoutoffset:(h,v)=(0.0pt,0.0pt) +* modes: includehead includefoot +* h-part:(L,W,R)=(21.33955pt, 321.51625pt, 21.33955pt) +* v-part:(T,H,B)=(0.0pt, 273.14662pt, 0.0pt) +* \paperwidth=364.19536pt +* \paperheight=273.14662pt +* \textwidth=321.51625pt +* \textheight=244.6939pt +* \oddsidemargin=-50.93044pt +* \evensidemargin=-50.93044pt +* \topmargin=-72.26999pt +* \headheight=14.22636pt +* \headsep=0.0pt +* \topskip=11.0pt +* \footskip=14.22636pt +* \marginparwidth=4.0pt +* \marginparsep=10.0pt +* \columnsep=10.0pt +* \skip\footins=10.0pt plus 4.0pt minus 2.0pt +* \hoffset=0.0pt +* \voffset=0.0pt +* \mag=1000 +* \@twocolumnfalse +* \@twosidefalse +* \@mparswitchfalse +* \@reversemarginfalse +* (1in=72.27pt=25.4mm, 1cm=28.453pt) + +(/usr/share/texlive/texmf-dist/tex/context/base/mkii/supp-pdf.mkii +[Loading MPS to PDF converter (version 2006.09.02).] +\scratchcounter=\count333 +\scratchdimen=\dimen309 +\scratchbox=\box103 +\nofMPsegments=\count334 +\nofMParguments=\count335 +\everyMPshowfont=\toks50 +\MPscratchCnt=\count336 +\MPscratchDim=\dimen310 +\MPnumerator=\count337 +\makeMPintoPDFobject=\count338 +\everyMPtoPDFconversion=\toks51 +) (/usr/share/texlive/texmf-dist/tex/latex/epstopdf-pkg/epstopdf-base.sty +Package: epstopdf-base 2020-01-24 v2.11 Base part for package epstopdf +Package epstopdf-base Info: Redefining graphics rule for `.eps' on input line 4 +85. + +(/usr/share/texlive/texmf-dist/tex/latex/latexconfig/epstopdf-sys.cfg +File: epstopdf-sys.cfg 2010/07/13 v1.3 Configuration of (r)epstopdf for TeX Liv +e +)) +ABD: EveryShipout initializing macros +\AtBeginShipoutBox=\box104 +Package hyperref Info: Link coloring OFF on input line 22. 
+ +(/usr/share/texlive/texmf-dist/tex/latex/hyperref/nameref.sty +Package: nameref 2019/09/16 v2.46 Cross-referencing by name of section + +(/usr/share/texlive/texmf-dist/tex/latex/refcount/refcount.sty +Package: refcount 2019/12/15 v3.6 Data extraction from label references (HO) +) +(/usr/share/texlive/texmf-dist/tex/generic/gettitlestring/gettitlestring.sty +Package: gettitlestring 2019/12/15 v1.6 Cleanup title references (HO) +) +\c@section@level=\count339 +) +LaTeX Info: Redefining \ref on input line 22. +LaTeX Info: Redefining \pageref on input line 22. +LaTeX Info: Redefining \nameref on input line 22. +LaTeX Font Info: Overwriting symbol font `operators' in version `normal' +(Font) OT1/cmr/m/n --> OT1/cmss/m/n on input line 22. +LaTeX Font Info: Overwriting symbol font `operators' in version `bold' +(Font) OT1/cmr/bx/n --> OT1/cmss/b/n on input line 22. +\symnumbers=\mathgroup6 +\sympureletters=\mathgroup7 +LaTeX Font Info: Overwriting math alphabet `\mathrm' in version `normal' +(Font) OT1/cmss/m/n --> T1/cmr/m/n on input line 22. +LaTeX Font Info: Redeclaring math alphabet \mathbf on input line 22. +LaTeX Font Info: Overwriting math alphabet `\mathbf' in version `normal' +(Font) OT1/cmr/bx/n --> T1/FiraSans-OsF/b/n on input line 22. +LaTeX Font Info: Overwriting math alphabet `\mathbf' in version `bold' +(Font) OT1/cmr/bx/n --> T1/FiraSans-OsF/b/n on input line 22. +LaTeX Font Info: Redeclaring math alphabet \mathsf on input line 22. +LaTeX Font Info: Overwriting math alphabet `\mathsf' in version `normal' +(Font) OT1/cmss/m/n --> T1/FiraSans-OsF/m/n on input line 22. +LaTeX Font Info: Overwriting math alphabet `\mathsf' in version `bold' +(Font) OT1/cmss/bx/n --> T1/FiraSans-OsF/m/n on input line 22. + +LaTeX Font Info: Redeclaring math alphabet \mathit on input line 22. +LaTeX Font Info: Overwriting math alphabet `\mathit' in version `normal' +(Font) OT1/cmr/m/it --> T1/FiraSans-OsF/m/it on input line 22. 
+ +LaTeX Font Info: Overwriting math alphabet `\mathit' in version `bold' +(Font) OT1/cmr/bx/it --> T1/FiraSans-OsF/m/it on input line 22 +. +LaTeX Font Info: Redeclaring math alphabet \mathtt on input line 22. +LaTeX Font Info: Overwriting math alphabet `\mathtt' in version `normal' +(Font) OT1/cmtt/m/n --> T1/FiraMono-TOsF/m/n on input line 22. + +LaTeX Font Info: Overwriting math alphabet `\mathtt' in version `bold' +(Font) OT1/cmtt/m/n --> T1/FiraMono-TOsF/m/n on input line 22. + +LaTeX Font Info: Overwriting symbol font `numbers' in version `bold' +(Font) T1/FiraSans-OsF/m/n --> T1/FiraSans-OsF/b/n on input li +ne 22. +LaTeX Font Info: Overwriting symbol font `pureletters' in version `bold' +(Font) T1/FiraSans-OsF/m/it --> T1/FiraSans-OsF/b/it on input +line 22. +LaTeX Font Info: Overwriting math alphabet `\mathrm' in version `bold' +(Font) OT1/cmss/b/n --> T1/cmr/b/n on input line 22. +LaTeX Font Info: Overwriting math alphabet `\mathbf' in version `bold' +(Font) T1/FiraSans-OsF/b/n --> T1/FiraSans-OsF/b/n on input li +ne 22. +LaTeX Font Info: Overwriting math alphabet `\mathsf' in version `bold' +(Font) T1/FiraSans-OsF/m/n --> T1/FiraSans-OsF/b/n on input li +ne 22. +LaTeX Font Info: Overwriting math alphabet `\mathit' in version `bold' +(Font) T1/FiraSans-OsF/m/it --> T1/FiraSans-OsF/b/it on input +line 22. +LaTeX Font Info: Overwriting math alphabet `\mathtt' in version `bold' +(Font) T1/FiraMono-TOsF/m/n --> T1/FiraMono-TOsF/b/n on input +line 22. 
+ +(/usr/share/texlive/texmf-dist/tex/latex/translator/translator-basic-dictionary +-English.dict +Dictionary: translator-basic-dictionary, Language: English +) +(/usr/share/texlive/texmf-dist/tex/latex/translator/translator-bibliography-dic +tionary-English.dict +Dictionary: translator-bibliography-dictionary, Language: English +) +(/usr/share/texlive/texmf-dist/tex/latex/translator/translator-environment-dict +ionary-English.dict +Dictionary: translator-environment-dictionary, Language: English +) +(/usr/share/texlive/texmf-dist/tex/latex/translator/translator-months-dictionar +y-English.dict +Dictionary: translator-months-dictionary, Language: English +) +(/usr/share/texlive/texmf-dist/tex/latex/translator/translator-numbers-dictiona +ry-English.dict +Dictionary: translator-numbers-dictionary, Language: English +) +(/usr/share/texlive/texmf-dist/tex/latex/translator/translator-theorem-dictiona +ry-English.dict +Dictionary: translator-theorem-dictionary, Language: English +) +\c@mv@tabular=\count340 +\c@mv@boldtabular=\count341 +\c@lstlisting=\count342 + (./slide.nav) +LaTeX Font Info: Font shape `T1/FiraSans-OsF/m/n' in size <6> not available +(Font) Font shape `T1/FiraSans-OsF/regular/n' tried instead on inp +ut line 22. +LaTeX Font Info: Font shape `T1/FiraSans-OsF/regular/n' will be +(Font) scaled to size 6.0pt on input line 22. +LaTeX Font Info: Font shape `T1/FiraSans-OsF/m/n' in size <8> not available +(Font) Font shape `T1/FiraSans-OsF/regular/n' tried instead on inp +ut line 22. +LaTeX Font Info: Font shape `T1/FiraSans-OsF/regular/n' will be +(Font) scaled to size 8.0pt on input line 22. +\openout2 = `content.aux'. + + (./content.tex +LaTeX Font Info: Font shape `T1/FiraSans-OsF/m/n' in size <20.74> not availa +ble +(Font) Font shape `T1/FiraSans-OsF/regular/n' tried instead on inp +ut line 6. +LaTeX Font Info: Font shape `T1/FiraSans-OsF/regular/n' will be +(Font) scaled to size 20.74pt on input line 6. 
+LaTeX Font Info: Font shape `T1/FiraSans-OsF/m/sc' in size <20.74> not avail +able +(Font) Font shape `T1/FiraSans-OsF/regular/sc' tried instead on in +put line 6. +LaTeX Font Info: Font shape `T1/FiraSans-OsF/regular/sc' will be +(Font) scaled to size 20.74pt on input line 6. +LaTeX Font Info: Font shape `T1/FiraSans-OsF/b/sc' in size <20.74> not avail +able +(Font) Font shape `T1/FiraSans-OsF/bold/sc' tried instead on input + line 6. +LaTeX Font Info: Font shape `T1/FiraSans-OsF/bold/sc' will be +(Font) scaled to size 20.74pt on input line 6. +LaTeX Font Info: Font shape `T1/FiraSans-OsF/m/n' in size <14.4> not availab +le +(Font) Font shape `T1/FiraSans-OsF/regular/n' tried instead on inp +ut line 6. +LaTeX Font Info: Font shape `T1/FiraSans-OsF/regular/n' will be +(Font) scaled to size 14.4pt on input line 6. +LaTeX Font Info: Font shape `T1/FiraSans-OsF/m/sc' in size <14.4> not availa +ble +(Font) Font shape `T1/FiraSans-OsF/regular/sc' tried instead on in +put line 6. +LaTeX Font Info: Font shape `T1/FiraSans-OsF/regular/sc' will be +(Font) scaled to size 14.4pt on input line 6. + +File: misp.pdf Graphic file (type pdf) + +Package pdftex.def Info: misp.pdf used on input line 6. +(pdftex.def) Requested size: 163.54448pt x 119.85817pt. +LaTeX Font Info: Font shape `T1/FiraSans-OsF/m/sc' in size <10> not availabl +e +(Font) Font shape `T1/FiraSans-OsF/regular/sc' tried instead on in +put line 6. +LaTeX Font Info: Font shape `T1/FiraSans-OsF/regular/sc' will be +(Font) scaled to size 10.0pt on input line 6. + (../../includes/authors.txt) +LaTeX Font Info: Font shape `T1/FiraSans-OsF/m/n' in size <12> not available + +(Font) Font shape `T1/FiraSans-OsF/regular/n' tried instead on inp +ut line 6. +LaTeX Font Info: Font shape `T1/FiraSans-OsF/regular/n' will be +(Font) scaled to size 12.0pt on input line 6. 
+LaTeX Font Info: Font shape `T1/FiraSans-OsF/m/sc' in size <12> not availabl +e +(Font) Font shape `T1/FiraSans-OsF/regular/sc' tried instead on in +put line 6. +LaTeX Font Info: Font shape `T1/FiraSans-OsF/regular/sc' will be +(Font) scaled to size 12.0pt on input line 6. + +File: misplogo.pdf Graphic file (type pdf) + +Package pdftex.def Info: misplogo.pdf used on input line 6. +(pdftex.def) Requested size: 55.00186pt x 40.3096pt. + +(../../includes/location.txt) +LaTeX Font Info: Font shape `T1/FiraSans-OsF/m/n' in size <4> not available +(Font) Font shape `T1/FiraSans-OsF/regular/n' tried instead on inp +ut line 6. +LaTeX Font Info: Font shape `T1/FiraSans-OsF/regular/n' will be +(Font) scaled to size 4.0pt on input line 6. + [1 + + +{/var/lib/texmf/fonts/map/pdftex/updmap/pdftex.map} <./misp.pdf> <./misplogo.pd +f + +pdfTeX warning: pdflatex (file ./misplogo.pdf): PDF inclusion: multiple pdfs wi +th page group included in a single page +>] +LaTeX Font Info: Font shape `T1/FiraSans-OsF/b/n' in size <10.95> not availa +ble +(Font) Font shape `T1/FiraSans-OsF/bold/n' tried instead on input +line 18. +LaTeX Font Info: Font shape `T1/FiraSans-OsF/bold/n' will be +(Font) scaled to size 10.95pt on input line 18. + [2 + +] [3 + +] [4 + +] [5 + +] [6 + +] + +File: images/blueprints2.png Graphic file (type png) + +Package pdftex.def Info: images/blueprints2.png used on input line 64. +(pdftex.def) Requested size: 274.62813pt x 172.54594pt. + [7 + + <./images/blueprints2.png (PNG copy)>] [8 + +] + +File: images/signing1.png Graphic file (type png) + +Package pdftex.def Info: images/signing1.png used on input line 79. +(pdftex.def) Requested size: 338.76479pt x 171.13895pt. + +Overfull \hbox (17.24854pt too wide) in paragraph at lines 79--79 +[][] + [] + +[9 + + <./images/signing1.png>] + +File: images/signing2.png Graphic file (type png) + +Package pdftex.def Info: images/signing2.png used on input line 84. +(pdftex.def) Requested size: 338.76479pt x 167.12396pt. 
+ +Overfull \hbox (17.24854pt too wide) in paragraph at lines 84--84 +[][] + [] + +[10 + + <./images/signing2.png>] + +File: images/signing3.png Graphic file (type png) + +Package pdftex.def Info: images/signing3.png used on input line 90. +(pdftex.def) Requested size: 207.32616pt x 67.30194pt. + +File: images/signing4.png Graphic file (type png) + +Package pdftex.def Info: images/signing4.png used on input line 90. +(pdftex.def) Requested size: 276.43488pt x 47.42754pt. + [11 + + <./images/signing3.png (PNG copy)> <./images/signing4.png (PNG copy)>] [12 + +] [13 + +] + +File: images/security.png Graphic file (type png) + +Package pdftex.def Info: images/security.png used on input line 114. +(pdftex.def) Requested size: 262.87746pt x 136.10608pt. + [14 + + <./images/security.png (PNG copy)>] +[15 + +] + +File: images/warnings.png Graphic file (type png) + +Package pdftex.def Info: images/warnings.png used on input line 129. +(pdftex.def) Requested size: 347.12453pt x 50.36354pt. + +Overfull \hbox (25.60828pt too wide) in paragraph at lines 129--129 +[][] + [] + +[16 + + <./images/warnings.png (PNG copy)>] +LaTeX Font Info: Trying to load font information for U+msa on input line 141 +. + +(/usr/share/texlive/texmf-dist/tex/latex/amsfonts/umsa.fd +File: umsa.fd 2013/01/14 v3.01 AMS symbols A +) +LaTeX Font Info: Trying to load font information for U+msb on input line 141 +. + +(/usr/share/texlive/texmf-dist/tex/latex/amsfonts/umsb.fd +File: umsb.fd 2013/01/14 v3.01 AMS symbols B +) +LaTeX Font Info: Font shape `T1/FiraSans-OsF/m/it' in size <10.95> not avail +able +(Font) Font shape `T1/FiraSans-OsF/regular/it' tried instead on in +put line 141. +LaTeX Font Info: Font shape `T1/FiraSans-OsF/regular/it' will be +(Font) scaled to size 10.95pt on input line 141. +LaTeX Font Info: Font shape `T1/FiraSans-OsF/m/it' in size <8> not available + +(Font) Font shape `T1/FiraSans-OsF/regular/it' tried instead on in +put line 141. 
+LaTeX Font Info: Font shape `T1/FiraSans-OsF/regular/it' will be +(Font) scaled to size 8.0pt on input line 141. +LaTeX Font Info: Font shape `T1/FiraSans-OsF/m/it' in size <6> not available + +(Font) Font shape `T1/FiraSans-OsF/regular/it' tried instead on in +put line 141. +LaTeX Font Info: Font shape `T1/FiraSans-OsF/regular/it' will be +(Font) scaled to size 6.0pt on input line 141. +LaTeX Font Info: Font shape `T1/FiraSans-OsF/m/n' in size <9> not available +(Font) Font shape `T1/FiraSans-OsF/regular/n' tried instead on inp +ut line 141. +LaTeX Font Info: Font shape `T1/FiraSans-OsF/regular/n' will be +(Font) scaled to size 9.0pt on input line 141. +LaTeX Font Info: Font shape `T1/FiraSans-OsF/m/n' in size <5> not available +(Font) Font shape `T1/FiraSans-OsF/regular/n' tried instead on inp +ut line 141. +LaTeX Font Info: Font shape `T1/FiraSans-OsF/regular/n' will be +(Font) scaled to size 5.0pt on input line 141. +LaTeX Font Info: Font shape `T1/FiraSans-OsF/m/it' in size <9> not available + +(Font) Font shape `T1/FiraSans-OsF/regular/it' tried instead on in +put line 141. +LaTeX Font Info: Font shape `T1/FiraSans-OsF/regular/it' will be +(Font) scaled to size 9.0pt on input line 141. +LaTeX Font Info: Font shape `T1/FiraSans-OsF/m/it' in size <5> not available + +(Font) Font shape `T1/FiraSans-OsF/regular/it' tried instead on in +put line 141. +LaTeX Font Info: Font shape `T1/FiraSans-OsF/regular/it' will be +(Font) scaled to size 5.0pt on input line 141. +LaTeX Font Info: Trying to load font information for T1+FiraMono-TOsF on inp +ut line 141. + +(/usr/share/texlive/texmf-dist/tex/latex/fira/T1FiraMono-TOsF.fd +File: T1FiraMono-TOsF.fd 2019/10/10 (autoinst) Font definitions for T1/FiraMono +-TOsF. +) +LaTeX Font Info: Font shape `T1/FiraMono-TOsF/m/n' in size <9> not available + +(Font) Font shape `T1/FiraMono-TOsF/regular/n' tried instead on in +put line 141. 
+LaTeX Font Info: Font shape `T1/FiraMono-TOsF/regular/n' will be +(Font) scaled to size 9.0pt on input line 141. + [17 + +] [18 + +] +[19 + +] + +File: images/timelining.png Graphic file (type png) + +Package pdftex.def Info: images/timelining.png used on input line 164. +(pdftex.def) Requested size: 345.68538pt x 165.21431pt. + +Overfull \hbox (24.16913pt too wide) in paragraph at lines 164--164 +[][] + [] + +[20 + + <./images/timelining.png>] [21 + +] [22 + +] [23 + +] [24 + +] + +File: images/workflows1.png Graphic file (type png) + +Package pdftex.def Info: images/workflows1.png used on input line 215. +(pdftex.def) Requested size: 353.91599pt x 220.41959pt. + +Overfull \hbox (32.39973pt too wide) in paragraph at lines 215--215 +[][] + [] + +[25 + + <./images/workflows1.png>] + +File: images/workflows2.png Graphic file (type png) + +Package pdftex.def Info: images/workflows2.png used on input line 220. +(pdftex.def) Requested size: 361.94585pt x 146.9464pt. + +Overfull \hbox (40.4296pt too wide) in paragraph at lines 220--220 +[][] + [] + +[26 + + <./images/workflows2.png>] [27 + +] [28 + +] + +File: images/cerebrate.png Graphic file (type png) + +Package pdftex.def Info: images/cerebrate.png used on input line 249. +(pdftex.def) Requested size: 203.79778pt x 200.03981pt. + [29 + + <./images/cerebrate.png>] [30 + +] +[31 + +] [32 + +] [33 + +] +LaTeX Font Info: Font shape `T1/FiraMono-TOsF/m/n' in size <10.95> not avail +able +(Font) Font shape `T1/FiraMono-TOsF/regular/n' tried instead on in +put line 296. +LaTeX Font Info: Font shape `T1/FiraMono-TOsF/regular/n' will be +(Font) scaled to size 10.95pt on input line 296. + [34 + +] +LaTeX Font Info: Font shape `T1/FiraSans-OsF/m/n' in size <10> not available + +(Font) Font shape `T1/FiraSans-OsF/regular/n' tried instead on inp +ut line 319. +LaTeX Font Info: Font shape `T1/FiraSans-OsF/regular/n' will be +(Font) scaled to size 10.0pt on input line 319. 
+LaTeX Font Info: Font shape `T1/FiraSans-OsF/m/n' in size <7> not available +(Font) Font shape `T1/FiraSans-OsF/regular/n' tried instead on inp +ut line 319. +LaTeX Font Info: Font shape `T1/FiraSans-OsF/regular/n' will be +(Font) scaled to size 7.0pt on input line 319. +LaTeX Font Info: Font shape `T1/FiraSans-OsF/m/it' in size <10> not availabl +e +(Font) Font shape `T1/FiraSans-OsF/regular/it' tried instead on in +put line 319. +LaTeX Font Info: Font shape `T1/FiraSans-OsF/regular/it' will be +(Font) scaled to size 10.0pt on input line 319. +LaTeX Font Info: Font shape `T1/FiraSans-OsF/m/it' in size <7> not available + +(Font) Font shape `T1/FiraSans-OsF/regular/it' tried instead on in +put line 319. +LaTeX Font Info: Font shape `T1/FiraSans-OsF/regular/it' will be +(Font) scaled to size 7.0pt on input line 319. +LaTeX Font Info: Font shape `T1/FiraMono-TOsF/m/n' in size <10> not availabl +e +(Font) Font shape `T1/FiraMono-TOsF/regular/n' tried instead on in +put line 319. +LaTeX Font Info: Font shape `T1/FiraMono-TOsF/regular/n' will be +(Font) scaled to size 10.0pt on input line 319. + [35 + +]) +\tf@nav=\write5 +\openout5 = `slide.nav'. + +\tf@toc=\write6 +\openout6 = `slide.toc'. + +\tf@snm=\write7 +\openout7 = `slide.snm'. + +Package atveryend Info: Empty hook `BeforeClearDocument' on input line 24. +Package atveryend Info: Empty hook `AfterLastShipout' on input line 24. + (./slide.aux (./content.aux)) +Package atveryend Info: Executing hook `AtVeryEndDocument' on input line 24. +Package atveryend Info: Empty hook `AtEndAfterFileList' on input line 24. 
+ ) +Here is how much of TeX's memory you used: + 27177 strings out of 481239 + 548854 string characters out of 5920376 + 801598 words of memory out of 5000000 + 41693 multiletter control sequences out of 15000+600000 + 884393 words of font info for 101 fonts, out of 8000000 for 9000 + 1141 hyphenation exceptions out of 8191 + 71i,16n,95p,811b,874s stack positions out of 5000i,500n,10000p,200000b,80000s +{/usr/share/texlive/texmf-dist/fonts/enc/dvips/fira/fir_d4q673.enc}{/usr/shar +e/texlive/texmf-dist/fonts/enc/dvips/fira/fir_iln36p.enc}{/usr/share/texlive/te +xmf-dist/fonts/enc/dvips/fira/fir_2mfh3o.enc} +Output written on slide.pdf (35 pages, 1103664 bytes). +PDF statistics: + 292 PDF objects out of 1000 (max. 8388607) + 217 compressed objects within 3 object streams + 71 named destinations out of 1000 (max. 500000) + 108 words of extra memory for PDF output out of 10000 (max. 10000000) + diff --git a/events/20221206-update/slide.nav b/events/20221206-update/slide.nav new file mode 100644 index 0000000..4f95528 --- /dev/null +++ b/events/20221206-update/slide.nav 
@@ -0,0 +1,75 @@ +\headcommand {\slideentry {0}{0}{1}{1/1}{}{0}} +\headcommand {\beamer@framepages {1}{1}} +\headcommand {\slideentry {0}{0}{2}{2/2}{}{0}} +\headcommand {\beamer@framepages {2}{2}} +\headcommand {\slideentry {0}{0}{3}{3/3}{}{0}} +\headcommand {\beamer@framepages {3}{3}} +\headcommand {\slideentry {0}{0}{4}{4/4}{}{0}} +\headcommand {\beamer@framepages {4}{4}} +\headcommand {\slideentry {0}{0}{5}{5/5}{}{0}} +\headcommand {\beamer@framepages {5}{5}} +\headcommand {\slideentry {0}{0}{6}{6/6}{}{0}} +\headcommand {\beamer@framepages {6}{6}} +\headcommand {\slideentry {0}{0}{7}{7/7}{}{0}} +\headcommand {\beamer@framepages {7}{7}} +\headcommand {\slideentry {0}{0}{8}{8/8}{}{0}} +\headcommand {\beamer@framepages {8}{8}} +\headcommand {\slideentry {0}{0}{9}{9/9}{}{0}} +\headcommand {\beamer@framepages {9}{9}} +\headcommand {\slideentry {0}{0}{10}{10/10}{}{0}} +\headcommand {\beamer@framepages {10}{10}} +\headcommand {\slideentry {0}{0}{11}{11/11}{}{0}} +\headcommand {\beamer@framepages {11}{11}} +\headcommand {\slideentry {0}{0}{12}{12/12}{}{0}} +\headcommand {\beamer@framepages {12}{12}} +\headcommand {\slideentry {0}{0}{13}{13/13}{}{0}} +\headcommand {\beamer@framepages {13}{13}} +\headcommand {\slideentry {0}{0}{14}{14/14}{}{0}} +\headcommand {\beamer@framepages {14}{14}} +\headcommand {\slideentry {0}{0}{15}{15/15}{}{0}} +\headcommand {\beamer@framepages {15}{15}} +\headcommand {\slideentry {0}{0}{16}{16/16}{}{0}} +\headcommand {\beamer@framepages {16}{16}} +\headcommand {\slideentry {0}{0}{17}{17/17}{}{0}} +\headcommand {\beamer@framepages {17}{17}} +\headcommand {\slideentry {0}{0}{18}{18/18}{}{0}} +\headcommand {\beamer@framepages {18}{18}} +\headcommand {\slideentry {0}{0}{19}{19/19}{}{0}} +\headcommand {\beamer@framepages {19}{19}} +\headcommand {\slideentry {0}{0}{20}{20/20}{}{0}} +\headcommand {\beamer@framepages {20}{20}} +\headcommand {\slideentry {0}{0}{21}{21/21}{}{0}} +\headcommand {\beamer@framepages {21}{21}} +\headcommand {\slideentry 
{0}{0}{22}{22/22}{}{0}} +\headcommand {\beamer@framepages {22}{22}} +\headcommand {\slideentry {0}{0}{23}{23/23}{}{0}} +\headcommand {\beamer@framepages {23}{23}} +\headcommand {\slideentry {0}{0}{24}{24/24}{}{0}} +\headcommand {\beamer@framepages {24}{24}} +\headcommand {\slideentry {0}{0}{25}{25/25}{}{0}} +\headcommand {\beamer@framepages {25}{25}} +\headcommand {\slideentry {0}{0}{26}{26/26}{}{0}} +\headcommand {\beamer@framepages {26}{26}} +\headcommand {\slideentry {0}{0}{27}{27/27}{}{0}} +\headcommand {\beamer@framepages {27}{27}} +\headcommand {\slideentry {0}{0}{28}{28/28}{}{0}} +\headcommand {\beamer@framepages {28}{28}} +\headcommand {\slideentry {0}{0}{29}{29/29}{}{0}} +\headcommand {\beamer@framepages {29}{29}} +\headcommand {\slideentry {0}{0}{30}{30/30}{}{0}} +\headcommand {\beamer@framepages {30}{30}} +\headcommand {\slideentry {0}{0}{31}{31/31}{}{0}} +\headcommand {\beamer@framepages {31}{31}} +\headcommand {\slideentry {0}{0}{32}{32/32}{}{0}} +\headcommand {\beamer@framepages {32}{32}} +\headcommand {\slideentry {0}{0}{33}{33/33}{}{0}} +\headcommand {\beamer@framepages {33}{33}} +\headcommand {\slideentry {0}{0}{34}{34/34}{}{0}} +\headcommand {\beamer@framepages {34}{34}} +\headcommand {\slideentry {0}{0}{35}{35/35}{}{0}} +\headcommand {\beamer@framepages {35}{35}} +\headcommand {\beamer@partpages {1}{35}} +\headcommand {\beamer@subsectionpages {1}{35}} +\headcommand {\beamer@sectionpages {1}{35}} +\headcommand {\beamer@documentpages {35}} +\headcommand {\gdef \inserttotalframenumber {34}} diff --git a/events/20221206-update/slide.pdf b/events/20221206-update/slide.pdf new file mode 100644 index 0000000..cbc6d92 Binary files /dev/null and b/events/20221206-update/slide.pdf differ diff --git a/events/20221206-update/slide.snm b/events/20221206-update/slide.snm new file mode 100644 index 0000000..e69de29 diff --git a/events/20221206-update/slide.tex b/events/20221206-update/slide.tex new file mode 100644 index 0000000..3057376 --- /dev/null 
+++ b/events/20221206-update/slide.tex
@@ -0,0 +1,25 @@
+\documentclass{beamer}
+\usetheme[numbering=progressbar]{focus}
+\definecolor{main}{RGB}{47, 161, 219}
+\definecolor{textcolor}{RGB}{128, 128, 128}
+\definecolor{background}{RGB}{240, 247, 255}
+
+\usepackage[utf8]{inputenc}
+\usepackage{tikz}
+\usepackage{listings}
+\usepackage{adjustbox}
+\usetikzlibrary{positioning}
+\usetikzlibrary{shapes,arrows}
+%\usepackage[T1]{fontenc}
+%\usepackage[scaled]{beramono}
+\author{\small{\input{../../includes/authors.txt}}}
+\title{MISP Project update}
+\subtitle{The past 6 months}
+\institute{\includegraphics[scale=0.5]{misplogo.pdf}}
+\titlegraphic{\includegraphics[scale=0.85]{misp.pdf}}
+
+\date{\input{../../includes/location.txt}}
+\begin{document}
+\include{content}
+\end{document}
+
diff --git a/events/20221206-update/slide.toc b/events/20221206-update/slide.toc
new file mode 100644
index 0000000..e69de29
diff --git a/events/20221206-update/taxonomy-workflow.png b/events/20221206-update/taxonomy-workflow.png
new file mode 100644
index 0000000..f4789ad
Binary files /dev/null and b/events/20221206-update/taxonomy-workflow.png differ
diff --git a/events/20221206-update/timeline-misp-overview.png b/events/20221206-update/timeline-misp-overview.png
new file mode 100644
index 0000000..23ff19b
Binary files /dev/null and b/events/20221206-update/timeline-misp-overview.png differ
diff --git a/events/20221206-update/timeline.jpeg b/events/20221206-update/timeline.jpeg
new file mode 100644
index 0000000..d60db13
Binary files /dev/null and b/events/20221206-update/timeline.jpeg differ
diff --git a/events/20221206-update/warning-list-event.png b/events/20221206-update/warning-list-event.png
new file mode 100644
index 0000000..22c6423
Binary files /dev/null and b/events/20221206-update/warning-list-event.png differ
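Review bot: `\include{content}` is the heavier primitive for a file whose own header says it is meant to be included from the other .tex files: `\include` forces a `\clearpage` and writes a separate `content.aux`, which is the extra artefact this commit ends up carrying, while `\input{content}` does the same job without either side effect and nests freely. Suggested change: `\input{content}`. Separately, `\usepackage[T1]{fontenc}` is left commented out while `inputenc` is kept; under pdfLaTeX, T1 is what gives correct hyphenation and copyable PDF text for accented names pulled in from `authors.txt` — the log above suggests the focus theme already loads T1 Fira fonts, so this is likely harmless, but if that is the only reason it compiles cleanly it is worth uncommenting rather than relying on the theme.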
diff --git a/events/20221206-update/warning-list.png b/events/20221206-update/warning-list.png
new file mode 100644
index 0000000..f151ded
Binary files /dev/null and b/events/20221206-update/warning-list.png differ
diff --git a/events/20221206-update/workflow_initial.png b/events/20221206-update/workflow_initial.png
new file mode 100644
index 0000000..7c6b54c
Binary files /dev/null and b/events/20221206-update/workflow_initial.png differ
diff --git a/events/20221206-update/workflow_initial2.png b/events/20221206-update/workflow_initial2.png
new file mode 100644
index 0000000..d384c34
Binary files /dev/null and b/events/20221206-update/workflow_initial2.png differ
diff --git a/events/20221206-update/x-isac-logo.png b/events/20221206-update/x-isac-logo.png
new file mode 100755
index 0000000..21c68bc
Binary files /dev/null and b/events/20221206-update/x-isac-logo.png differ
diff --git a/events/20221207-ENISA-CTI-EU/Sightings2.PNG b/events/20221207-ENISA-CTI-EU/Sightings2.PNG
new file mode 100644
index 0000000..cd35990
Binary files /dev/null and b/events/20221207-ENISA-CTI-EU/Sightings2.PNG differ
diff --git a/events/20221207-ENISA-CTI-EU/attack-screenshot.png b/events/20221207-ENISA-CTI-EU/attack-screenshot.png
new file mode 100644
index 0000000..44cf2ff
Binary files /dev/null and b/events/20221207-ENISA-CTI-EU/attack-screenshot.png differ
diff --git a/events/20221207-ENISA-CTI-EU/b.4-turning-data-into-actionable-intelligence-short.pdf b/events/20221207-ENISA-CTI-EU/b.4-turning-data-into-actionable-intelligence-short.pdf
new file mode 100644
index 0000000..2bdf2e6
Binary files /dev/null and b/events/20221207-ENISA-CTI-EU/b.4-turning-data-into-actionable-intelligence-short.pdf differ
diff --git a/events/20221207-ENISA-CTI-EU/bankaccount.png b/events/20221207-ENISA-CTI-EU/bankaccount.png
new file mode 100644
index 0000000..94eb5cc
Binary files /dev/null and b/events/20221207-ENISA-CTI-EU/bankaccount.png differ
diff --git a/events/20221207-ENISA-CTI-EU/bankview.png b/events/20221207-ENISA-CTI-EU/bankview.png new file mode 100644 index 0000000..ce629c1 Binary files /dev/null and b/events/20221207-ENISA-CTI-EU/bankview.png differ diff --git a/events/20221207-ENISA-CTI-EU/circl.png b/events/20221207-ENISA-CTI-EU/circl.png new file mode 100644 index 0000000..c570ff2 Binary files /dev/null and b/events/20221207-ENISA-CTI-EU/circl.png differ diff --git a/a.13-misp-stix/content.aux b/events/20221207-ENISA-CTI-EU/content.aux similarity index 76% rename from a.13-misp-stix/content.aux rename to events/20221207-ENISA-CTI-EU/content.aux index 99ea9f2..da00d88 100644 --- a/a.13-misp-stix/content.aux +++ b/events/20221207-ENISA-CTI-EU/content.aux @@ -16,14 +16,20 @@ \@writefile{nav}{\headcommand {\beamer@framepages {7}{7}}} \@writefile{nav}{\headcommand {\slideentry {0}{0}{8}{8/8}{}{0}}} \@writefile{nav}{\headcommand {\beamer@framepages {8}{8}}} +\@writefile{nav}{\headcommand {\slideentry {0}{0}{9}{9/9}{}{0}}} +\@writefile{nav}{\headcommand {\beamer@framepages {9}{9}}} +\@writefile{nav}{\headcommand {\slideentry {0}{0}{10}{10/10}{}{0}}} +\@writefile{nav}{\headcommand {\beamer@framepages {10}{10}}} +\@writefile{nav}{\headcommand {\slideentry {0}{0}{11}{11/11}{}{0}}} +\@writefile{nav}{\headcommand {\beamer@framepages {11}{11}}} \@setckpt{content}{ -\setcounter{page}{9} +\setcounter{page}{12} \setcounter{equation}{0} \setcounter{enumi}{0} \setcounter{enumii}{0} \setcounter{enumiii}{0} \setcounter{enumiv}{0} -\setcounter{footnote}{3} +\setcounter{footnote}{12} \setcounter{mpfootnote}{0} \setcounter{beamerpauses}{1} \setcounter{bookmark@seq@number}{0} 
@@ -32,13 +38,12 @@ \setcounter{section}{0} \setcounter{subsection}{0} \setcounter{subsubsection}{0} -\setcounter{subsectionslide}{8} -\setcounter{framenumber}{7} +\setcounter{subsectionslide}{11} +\setcounter{framenumber}{10} \setcounter{figure}{0} \setcounter{table}{0} \setcounter{parentequation}{0} \setcounter{theorem}{0} -\setcounter{realframenumber}{7} \setcounter{lstnumber}{1} \setcounter{section@level}{0} \setcounter{lstlisting}{0} diff --git a/events/20221207-ENISA-CTI-EU/content.tex b/events/20221207-ENISA-CTI-EU/content.tex new file mode 100644 index 0000000..813db3a --- /dev/null +++ b/events/20221207-ENISA-CTI-EU/content.tex 
@@ -0,0 +1,120 @@
+% DO NOT COMPILE THIS FILE DIRECTLY!
+% This is included by the other .tex files.
+
+\begin{frame}
+\titlepage
+\end{frame}
+
+\begin{frame}
+\frametitle{What is MISP?}
+\begin{itemize}
+ \item MISP is a {\bf threat information sharing} platform that is free \& open source software
+ \item A tool that {\bf collects} information from partners, your analysts, your tools, feeds
+ \item Normalises, {\bf correlates}, {\bf enriches} and {\bf connects} the data
+ \item Allows teams and communities to {\bf collaborate} and {\bf share}
+ \item {\bf Feeds} automated protective tools and analyst tools with the output
+ \item MISP is a {\bf complete threat intelligence platform} with strong sharing capabilities and extendability
+\end{itemize}
+\end{frame}
+
+\begin{frame}[plain,c]
+ \begin{center}
+ {\Huge Two years from now, threat intelligence will be easy.\\}
+ {\it Bill Gates had he worked in threat intelligence}
+ \end{center}
+\end{frame}
+
+
+\begin{frame}
+ \frametitle{The aim of this presentation}
+ \begin{itemize}
+ \item {\Large Showing the {\bf evolution of threat intelligence}\footnote{based on our empirical view from users using/integrating with MISP} and
+ \item {\bf data-driven threat hunting} over the past years}
+ \item {\Large What can we expect in {\bf the future}?}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{From standalone indicator to advanced object data models}
+ \begin{itemize}
+ \item In early 2012, MISP supported basic indicators sharing with a limited set of types
+ \item In 2022, MISP integrates a dynamic object model with advanced custom relationships
+ \item Why did it evolve this way?
+ \begin{itemize}
+ \item {\bf Increase in the use of intelligence across different sectors}. From threat-hunting\footnote{With different types of threat hunts, including TTP-driven, intelligence-driven, asset-driven...} to risk assessment and strategic decision making
+ \item {\bf Increased diversity\footnote{MISP object public store include 296 templates in 2022.} among analysts}
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Multitude of intelligence models}
+ \begin{itemize}
+ \item Chains, triangles, circles, diamonds, arrows, a mix or even a multi-layer matrix
+ \item There are {\bf no perfect intelligence models}
+ \item Organisations invent their models, reuse existing ones or are even more creative
+ \item Showing {\bf how diverse\footnote{Embrace the diversity of models, taxonomies. 146 taxonomies are available in MISP taxonomies.} our societies are}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{But some models can be game changers}
+ \begin{itemize}
+ \item With the introduction of {\bf MITRE ATT\&CK(tm)} in 2013, this was a game changer. What makes it a successful model?
+ \begin{itemize}
+ \item Based on real and actual data\footnote{FMX - Fort Meade Experiment}, not just theory
+ \item {\bf Continuous updates} were performed on ATT\&CK
+ \item Embraced and recommended by many communities (e.g. EU ATT\&CK community)
+ \item Change in usage and practices takes time\footnote{On a MISP community, 1\% of ATT\&CK techniques attached in 2013. In 2022, it's 72\%.}
+ \item {\bf Percolation} to other models (e.g. reusing the same matrix-like format)
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Unstructured versus structured intelligence}
+ \begin{itemize}
+ \item {\bf Building narratives is critical in threat intelligence}
+ \begin{itemize}
+ \item Intelligence narratives can be described in structured format (e.g. course-of-action)
+ \item Or written in natural language, used to describe higher-level structures (e.g. assesment, executive summary or strategic information)
+ \end{itemize}
+ \item For years, many thought that the narrative and structured intelligence were separated.
+ \item Accepting that {\bf structured and unstructed belong together\footnote{Mixed free-text Markdown reports with graph-oriented intelligence sharing in MISP increased during the past year.}} became critical.
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Automation processes - "playbooks"}
+ \begin{itemize}
+ \item {\bf Sharing detection engineering} information became more prevalent
+ \begin{itemize}
+ \item Sharing only the resulting analysis (indicators) is the bare minimum requirement in various sharing communities
+ \item Sharing the complete detection process\footnote{Detection rules, scripts and playbooks} increases\footnote{New object template to support advanced detection engineering or intelligene pipelines.}
+ \item Reproducible {\bf workflows and playbooks} play an important role in {\bf actionable intelligence}\footnote{MISP worflow blueprints}
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{What's the future?}
+ \begin{itemize}
+ \item {\bf Sharing more} without disclosing the actual information\footnote{Growth of research about PSI (private set intersection) and an increased usage of MISP feed caching}
+ \item {\bf Automatic data modeling} on unstructured intelligence
+ \item Advanced sighting and {\bf feedback on engineering detection rules}\footnote{Sharing back training-sets or dataset with the actual false-positive detection}
+ \item Automation and sharing of the threat intelligence pipelines framework.
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Contact}
+ \begin{itemize}
+ \item Contact CIRCL / MISP Project
+ \begin{itemize}
+ \item \url{mailto:info@circl.lu} - \url{mailto:info@misp-project.org}
+ \item \url{https://www.misp-project.org/}
+ \item \url{https://www.circl.lu/}
+ \item Mastodon {\it @circl@social.circl.lu - @misp@misp-community.org}
+ \end{itemize}
+ \end{itemize}
+\end{frame}
diff --git a/events/20221207-ENISA-CTI-EU/covid.png b/events/20221207-ENISA-CTI-EU/covid.png
new file mode 100644
index 0000000..e6e869f
Binary files /dev/null and b/events/20221207-ENISA-CTI-EU/covid.png differ
diff --git a/events/20221207-ENISA-CTI-EU/creativity.png b/events/20221207-ENISA-CTI-EU/creativity.png
new file mode 100644
index 0000000..d9878e2
Binary files /dev/null and b/events/20221207-ENISA-CTI-EU/creativity.png differ
diff --git a/events/20221207-ENISA-CTI-EU/dashboard-trendings.png b/events/20221207-ENISA-CTI-EU/dashboard-trendings.png
new file mode 100644
index 0000000..e8937e4
Binary files /dev/null and b/events/20221207-ENISA-CTI-EU/dashboard-trendings.png differ
diff --git a/events/20221207-ENISA-CTI-EU/decaying-basescore.png b/events/20221207-ENISA-CTI-EU/decaying-basescore.png
new file mode 100644
index 0000000..d21e261
Binary files /dev/null and b/events/20221207-ENISA-CTI-EU/decaying-basescore.png differ
diff --git a/events/20221207-ENISA-CTI-EU/decaying-event.png b/events/20221207-ENISA-CTI-EU/decaying-event.png
new file mode 100644
index 0000000..553b9e7
Binary files /dev/null and b/events/20221207-ENISA-CTI-EU/decaying-event.png differ
diff --git a/events/20221207-ENISA-CTI-EU/decaying-index.png b/events/20221207-ENISA-CTI-EU/decaying-index.png
new file mode 100644
index 0000000..c8c9754
Binary files /dev/null and b/events/20221207-ENISA-CTI-EU/decaying-index.png differ
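Review bot: The "game changers" frame dates the introduction of MITRE ATT&CK to 2013, and its footnote uses 2013 as the baseline for "1\% of ATT\&CK techniques attached"; to my knowledge MITRE started the work internally in 2013 but only published the framework in 2015, so a sharing community is unlikely to have been tagging techniques before then — please check the baseline year against the data the percentage comes from and, if the public release is meant, change the text to `in 2015`. There are also a few spelling slips that will be visible on the slides: `assesment` → `assessment`, `unstructed` → `unstructured`, `intelligene` → `intelligence`, `worflow` → `workflow`. Minor: `ATT\&CK(tm)` renders as a literal "(tm)"; `ATT\&CK\texttrademark` gives the proper symbol.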
diff --git a/events/20221207-ENISA-CTI-EU/decaying-simulation.png b/events/20221207-ENISA-CTI-EU/decaying-simulation.png
new file mode 100644
index 0000000..8252a09
Binary files /dev/null and b/events/20221207-ENISA-CTI-EU/decaying-simulation.png differ
diff --git a/events/20221207-ENISA-CTI-EU/decaying-tool.png b/events/20221207-ENISA-CTI-EU/decaying-tool.png
new file mode 100644
index 0000000..ff8c298
Binary files /dev/null and b/events/20221207-ENISA-CTI-EU/decaying-tool.png differ
diff --git a/events/20221207-ENISA-CTI-EU/en_cef.png b/events/20221207-ENISA-CTI-EU/en_cef.png
new file mode 100644
index 0000000..5fed070
Binary files /dev/null and b/events/20221207-ENISA-CTI-EU/en_cef.png differ
diff --git a/events/20221207-ENISA-CTI-EU/galaxy-ransomware.png b/events/20221207-ENISA-CTI-EU/galaxy-ransomware.png
new file mode 100644
index 0000000..5cf42cc
Binary files /dev/null and b/events/20221207-ENISA-CTI-EU/galaxy-ransomware.png differ
diff --git a/events/20221207-ENISA-CTI-EU/images/SoD.png b/events/20221207-ENISA-CTI-EU/images/SoD.png
new file mode 100644
index 0000000..b95a9ec
Binary files /dev/null and b/events/20221207-ENISA-CTI-EU/images/SoD.png differ
diff --git a/events/20221207-ENISA-CTI-EU/images/authkey.png b/events/20221207-ENISA-CTI-EU/images/authkey.png
new file mode 100644
index 0000000..46174b9
Binary files /dev/null and b/events/20221207-ENISA-CTI-EU/images/authkey.png differ
diff --git a/events/20221207-ENISA-CTI-EU/images/blueprints1.png b/events/20221207-ENISA-CTI-EU/images/blueprints1.png
new file mode 100644
index 0000000..edaedcb
Binary files /dev/null and b/events/20221207-ENISA-CTI-EU/images/blueprints1.png differ
diff --git a/events/20221207-ENISA-CTI-EU/images/blueprints2.png b/events/20221207-ENISA-CTI-EU/images/blueprints2.png
new file mode 100644
index 0000000..b2d73cb
Binary files /dev/null and b/events/20221207-ENISA-CTI-EU/images/blueprints2.png differ
diff --git a/events/20221207-ENISA-CTI-EU/images/cerebrate.png b/events/20221207-ENISA-CTI-EU/images/cerebrate.png
new file mode 100644
index 0000000..82bcaab
Binary files /dev/null and b/events/20221207-ENISA-CTI-EU/images/cerebrate.png differ
diff --git a/events/20221207-ENISA-CTI-EU/images/dashboard.png b/events/20221207-ENISA-CTI-EU/images/dashboard.png
new file mode 100644
index 0000000..d163f4d
Binary files /dev/null and b/events/20221207-ENISA-CTI-EU/images/dashboard.png differ
diff --git a/events/20221207-ENISA-CTI-EU/images/eventreport.png b/events/20221207-ENISA-CTI-EU/images/eventreport.png
new file mode 100644
index 0000000..6f74bbe
Binary files /dev/null and b/events/20221207-ENISA-CTI-EU/images/eventreport.png differ
diff --git a/events/20221207-ENISA-CTI-EU/images/galaxy20.png b/events/20221207-ENISA-CTI-EU/images/galaxy20.png
new file mode 100644
index 0000000..97911ac
Binary files /dev/null and b/events/20221207-ENISA-CTI-EU/images/galaxy20.png differ
diff --git a/events/20221207-ENISA-CTI-EU/images/mispcerebrate.png b/events/20221207-ENISA-CTI-EU/images/mispcerebrate.png
new file mode 100644
index 0000000..d58796f
Binary files /dev/null and b/events/20221207-ENISA-CTI-EU/images/mispcerebrate.png differ
diff --git a/events/20221207-ENISA-CTI-EU/images/openapi.png b/events/20221207-ENISA-CTI-EU/images/openapi.png
new file mode 100644
index 0000000..44726ea
Binary files /dev/null and b/events/20221207-ENISA-CTI-EU/images/openapi.png differ
diff --git a/events/20221207-ENISA-CTI-EU/images/security.png b/events/20221207-ENISA-CTI-EU/images/security.png
new file mode 100644
index 0000000..8b51dd8
Binary files /dev/null and b/events/20221207-ENISA-CTI-EU/images/security.png differ
diff --git a/events/20221207-ENISA-CTI-EU/images/signing1.png b/events/20221207-ENISA-CTI-EU/images/signing1.png
new file mode 100644
index 0000000..d378f7b
Binary files /dev/null and b/events/20221207-ENISA-CTI-EU/images/signing1.png differ
diff --git a/events/20221207-ENISA-CTI-EU/images/signing2.png b/events/20221207-ENISA-CTI-EU/images/signing2.png
new file mode 100644
index 0000000..450e7d6
Binary files /dev/null and b/events/20221207-ENISA-CTI-EU/images/signing2.png differ
diff --git a/events/20221207-ENISA-CTI-EU/images/signing3.png b/events/20221207-ENISA-CTI-EU/images/signing3.png
new file mode 100644
index 0000000..68e7ced
Binary files /dev/null and b/events/20221207-ENISA-CTI-EU/images/signing3.png differ
diff --git a/events/20221207-ENISA-CTI-EU/images/signing4.png b/events/20221207-ENISA-CTI-EU/images/signing4.png
new file mode 100644
index 0000000..3a42468
Binary files /dev/null and b/events/20221207-ENISA-CTI-EU/images/signing4.png differ
diff --git a/events/20221207-ENISA-CTI-EU/images/stix.png b/events/20221207-ENISA-CTI-EU/images/stix.png
new file mode 100644
index 0000000..c0b59bb
Binary files /dev/null and b/events/20221207-ENISA-CTI-EU/images/stix.png differ
diff --git a/events/20221207-ENISA-CTI-EU/images/timelining.png b/events/20221207-ENISA-CTI-EU/images/timelining.png
new file mode 100644
index 0000000..7753ba5
Binary files /dev/null and b/events/20221207-ENISA-CTI-EU/images/timelining.png differ
diff --git a/events/20221207-ENISA-CTI-EU/images/warnings.png b/events/20221207-ENISA-CTI-EU/images/warnings.png
new file mode 100644
index 0000000..86e16a3
Binary files /dev/null and b/events/20221207-ENISA-CTI-EU/images/warnings.png differ
diff --git a/events/20221207-ENISA-CTI-EU/images/workflows1.png b/events/20221207-ENISA-CTI-EU/images/workflows1.png
new file mode 100644
index 0000000..2790cfb
Binary files /dev/null and b/events/20221207-ENISA-CTI-EU/images/workflows1.png differ
diff --git a/events/20221207-ENISA-CTI-EU/images/workflows2.png b/events/20221207-ENISA-CTI-EU/images/workflows2.png
new file mode 100644
index 0000000..5b5ad1a
Binary files /dev/null and b/events/20221207-ENISA-CTI-EU/images/workflows2.png differ
diff --git a/events/20221207-ENISA-CTI-EU/logo-circl.pdf b/events/20221207-ENISA-CTI-EU/logo-circl.pdf
new file mode 100755
index 0000000..62c9239
Binary files /dev/null and b/events/20221207-ENISA-CTI-EU/logo-circl.pdf differ
diff --git a/events/20221207-ENISA-CTI-EU/makefile b/events/20221207-ENISA-CTI-EU/makefile
new file mode 100644
index 0000000..6e5a51d
--- /dev/null
+++ b/events/20221207-ENISA-CTI-EU/makefile
@@ -0,0 +1,5 @@
+all:
+ pdflatex -interaction nonstopmode -halt-on-error -file-line-error slide.tex
+
+clean:
+ rm *.aux *.nav *.log *.snm *.toc *.vrb
diff --git a/events/20221207-ENISA-CTI-EU/misp.pdf b/events/20221207-ENISA-CTI-EU/misp.pdf
new file mode 100644
index 0000000..f7a3f9d
Binary files /dev/null and b/events/20221207-ENISA-CTI-EU/misp.pdf differ
diff --git a/events/20221207-ENISA-CTI-EU/misplogo.pdf b/events/20221207-ENISA-CTI-EU/misplogo.pdf
new file mode 100755
index 0000000..60da568
Binary files /dev/null and b/events/20221207-ENISA-CTI-EU/misplogo.pdf differ
diff --git a/events/20221207-ENISA-CTI-EU/object.png b/events/20221207-ENISA-CTI-EU/object.png
new file mode 100644
index 0000000..acebf04
Binary files /dev/null and b/events/20221207-ENISA-CTI-EU/object.png differ
diff --git a/events/20221207-ENISA-CTI-EU/sighting-n.png b/events/20221207-ENISA-CTI-EU/sighting-n.png
new file mode 100644
index 0000000..f9ec127
Binary files /dev/null and b/events/20221207-ENISA-CTI-EU/sighting-n.png differ
diff --git a/events/20221207-ENISA-CTI-EU/slide.aux b/events/20221207-ENISA-CTI-EU/slide.aux
new file mode 100644
index 0000000..e011f3c
--- /dev/null
+++ b/events/20221207-ENISA-CTI-EU/slide.aux
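Review bot: The `clean` recipe's `rm *.aux *.nav *.log *.snm *.toc *.vrb` is not forced, so the first glob that matches nothing (no `.vrb` is written unless a frame uses verbatim, and the log above shows only nav/toc/snm being opened) makes `rm` exit non-zero and `make clean` fail; use `rm -f *.aux *.nav *.log *.snm *.toc *.vrb` and add `.PHONY: all clean` so a stray file named `clean` cannot shadow the target. A single `pdflatex` pass also leaves beamer's frame total and navigation data one run stale (they are read back from `.nav`/`.aux` written by the previous run), which shows up as a wrong progress bar on a clean checkout; repeating the command in `all`, or using `latexmk -pdf`, fixes that. Finally, the same commit adds the `slide.log`, `slide.aux` and `content.aux` outputs that `clean` exists to delete — the log records local TeX install paths and versions, so these belong in `.gitignore` rather than in the repository.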
@@ -0,0 +1,27 @@ +\relax +\providecommand\hyper@newdestlabel[2]{} +\providecommand\BKM@entry[2]{} +\providecommand\HyperFirstAtBeginDocument{\AtBeginDocument} +\HyperFirstAtBeginDocument{\ifx\hyper@anchor\@undefined +\global\let\oldcontentsline\contentsline +\gdef\contentsline#1#2#3#4{\oldcontentsline{#1}{#2}{#3}} +\global\let\oldnewlabel\newlabel +\gdef\newlabel#1#2{\newlabelxx{#1}#2} +\gdef\newlabelxx#1#2#3#4#5#6{\oldnewlabel{#1}{{#2}{#3}}} +\AtEndDocument{\ifx\hyper@anchor\@undefined +\let\contentsline\oldcontentsline +\let\newlabel\oldnewlabel +\fi} +\fi} +\global\let\hyper@last\relax +\gdef\HyperFirstAtBeginDocument#1{#1} +\providecommand\HyField@AuxAddToFields[1]{} +\providecommand\HyField@AuxAddToCoFields[2]{} +\@input{content.aux} +\providecommand \oddpage@label [2]{} +\pgfsyspdfmark {pgfid1}{1398509}{16990454} +\@writefile{nav}{\headcommand {\beamer@partpages {1}{11}}} +\@writefile{nav}{\headcommand {\beamer@subsectionpages {1}{11}}} +\@writefile{nav}{\headcommand {\beamer@sectionpages {1}{11}}} +\@writefile{nav}{\headcommand {\beamer@documentpages {11}}} +\@writefile{nav}{\headcommand {\gdef \inserttotalframenumber {10}}} diff --git a/a.13-misp-stix/slide.log b/events/20221207-ENISA-CTI-EU/slide.log similarity index 63% rename from a.13-misp-stix/slide.log rename to events/20221207-ENISA-CTI-EU/slide.log index 44758bf..295d68e 100644 --- a/a.13-misp-stix/slide.log +++ b/events/20221207-ENISA-CTI-EU/slide.log 
@@ -1,84 +1,83 @@ -This is pdfTeX, Version 3.141592653-2.6-1.40.22 (TeX Live 2022/dev/Debian) (preloaded format=pdflatex 2022.9.14) 14 SEP 2022 17:33 +This is pdfTeX, Version 3.14159265-2.6-1.40.20 (TeX Live 2019/Debian) (preloaded format=pdflatex 2021.10.14) 7 DEC 2022 08:06 entering extended mode restricted \write18 enabled. %&-line parsing enabled. **slide.tex (./slide.tex -LaTeX2e <2021-11-15> patch level 1 -L3 programming layer <2022-01-21> +LaTeX2e <2020-02-02> patch level 2 +L3 programming layer <2020-02-14> (/usr/share/texlive/texmf-dist/tex/latex/beamer/beamer.cls -Document Class: beamer 2022/01/21 v3.65 A class for typesetting presentations +Document Class: beamer 2019/09/29 v3.57 A class for typesetting presentations (/usr/share/texlive/texmf-dist/tex/latex/beamer/beamerbasemodes.sty (/usr/share/texlive/texmf-dist/tex/latex/etoolbox/etoolbox.sty -Package: etoolbox 2020/10/05 v2.5k e-TeX tools for LaTeX (JAW) -\etb@tempcnta=\count185 +Package: etoolbox 2019/09/21 v2.5h e-TeX tools for LaTeX (JAW) +\etb@tempcnta=\count167 ) -\beamer@tempbox=\box50 -\beamer@tempcount=\count186 -\c@beamerpauses=\count187 +\beamer@tempbox=\box45 +\beamer@tempcount=\count168 +\c@beamerpauses=\count169 (/usr/share/texlive/texmf-dist/tex/latex/beamer/beamerbasedecode.sty -\beamer@slideinframe=\count188 -\beamer@minimum=\count189 -\beamer@decode@box=\box51 +\beamer@slideinframe=\count170 +\beamer@minimum=\count171 +\beamer@decode@box=\box46 ) -\beamer@commentbox=\box52 -\beamer@modecount=\count190 +\beamer@commentbox=\box47 +\beamer@modecount=\count172 ) (/usr/share/texlive/texmf-dist/tex/generic/iftex/ifpdf.sty Package: ifpdf 2019/10/25 v3.4 ifpdf legacy package. Use iftex instead. 
(/usr/share/texlive/texmf-dist/tex/generic/iftex/iftex.sty -Package: iftex 2020/03/06 v1.0d TeX engine tests +Package: iftex 2019/11/07 v1.0c TeX engine tests )) -\headdp=\dimen138 -\footheight=\dimen139 -\sidebarheight=\dimen140 -\beamer@tempdim=\dimen141 -\beamer@finalheight=\dimen142 -\beamer@animht=\dimen143 -\beamer@animdp=\dimen144 -\beamer@animwd=\dimen145 -\beamer@leftmargin=\dimen146 -\beamer@rightmargin=\dimen147 -\beamer@leftsidebar=\dimen148 -\beamer@rightsidebar=\dimen149 -\beamer@boxsize=\dimen150 -\beamer@vboxoffset=\dimen151 -\beamer@descdefault=\dimen152 -\beamer@descriptionwidth=\dimen153 +\headdp=\dimen134 +\footheight=\dimen135 +\sidebarheight=\dimen136 +\beamer@tempdim=\dimen137 +\beamer@finalheight=\dimen138 +\beamer@animht=\dimen139 +\beamer@animdp=\dimen140 +\beamer@animwd=\dimen141 +\beamer@leftmargin=\dimen142 +\beamer@rightmargin=\dimen143 +\beamer@leftsidebar=\dimen144 +\beamer@rightsidebar=\dimen145 +\beamer@boxsize=\dimen146 +\beamer@vboxoffset=\dimen147 +\beamer@descdefault=\dimen148 +\beamer@descriptionwidth=\dimen149 \beamer@lastskip=\skip47 -\beamer@areabox=\box53 -\beamer@animcurrent=\box54 -\beamer@animshowbox=\box55 -\beamer@sectionbox=\box56 -\beamer@logobox=\box57 -\beamer@linebox=\box58 -\beamer@sectioncount=\count191 -\beamer@subsubsectionmax=\count192 -\beamer@subsectionmax=\count193 -\beamer@sectionmax=\count194 -\beamer@totalheads=\count195 -\beamer@headcounter=\count196 -\beamer@partstartpage=\count197 -\beamer@sectionstartpage=\count198 -\beamer@subsectionstartpage=\count199 -\beamer@animationtempa=\count266 -\beamer@animationtempb=\count267 -\beamer@xpos=\count268 -\beamer@ypos=\count269 -\beamer@ypos@offset=\count270 -\beamer@showpartnumber=\count271 -\beamer@currentsubsection=\count272 -\beamer@coveringdepth=\count273 -\beamer@sectionadjust=\count274 -\beamer@toclastsection=\count275 -\beamer@tocsectionnumber=\count276 +\beamer@areabox=\box48 +\beamer@animcurrent=\box49 +\beamer@animshowbox=\box50 
+\beamer@sectionbox=\box51 +\beamer@logobox=\box52 +\beamer@linebox=\box53 +\beamer@sectioncount=\count173 +\beamer@subsubsectionmax=\count174 +\beamer@subsectionmax=\count175 +\beamer@sectionmax=\count176 +\beamer@totalheads=\count177 +\beamer@headcounter=\count178 +\beamer@partstartpage=\count179 +\beamer@sectionstartpage=\count180 +\beamer@subsectionstartpage=\count181 +\beamer@animationtempa=\count182 +\beamer@animationtempb=\count183 +\beamer@xpos=\count184 +\beamer@ypos=\count185 +\beamer@ypos@offset=\count186 +\beamer@showpartnumber=\count187 +\beamer@currentsubsection=\count188 +\beamer@coveringdepth=\count189 +\beamer@sectionadjust=\count190 +\beamer@tocsectionnumber=\count191 (/usr/share/texlive/texmf-dist/tex/latex/beamer/beamerbaseoptions.sty (/usr/share/texlive/texmf-dist/tex/latex/graphics/keyval.sty Package: keyval 2014/10/28 v1.15 key=value parser (DPC) -\KV@toks@=\toks16 +\KV@toks@=\toks14 )) \beamer@paperwidth=\skip48 \beamer@paperheight=\skip49 
@@ -89,136 +88,142 @@ Package: geometry 2020/01/02 v5.9 Page Geometry (/usr/share/texlive/texmf-dist/tex/generic/iftex/ifvtex.sty Package: ifvtex 2019/10/25 v1.7 ifvtex legacy package. Use iftex instead. ) -\Gm@cnth=\count277 -\Gm@cntv=\count278 -\c@Gm@tempcnt=\count279 -\Gm@bindingoffset=\dimen154 -\Gm@wd@mp=\dimen155 -\Gm@odd@mp=\dimen156 -\Gm@even@mp=\dimen157 -\Gm@layoutwidth=\dimen158 -\Gm@layoutheight=\dimen159 -\Gm@layouthoffset=\dimen160 -\Gm@layoutvoffset=\dimen161 -\Gm@dimlist=\toks17 +\Gm@cnth=\count192 +\Gm@cntv=\count193 +\c@Gm@tempcnt=\count194 +\Gm@bindingoffset=\dimen150 +\Gm@wd@mp=\dimen151 +\Gm@odd@mp=\dimen152 +\Gm@even@mp=\dimen153 +\Gm@layoutwidth=\dimen154 +\Gm@layoutheight=\dimen155 +\Gm@layouthoffset=\dimen156 +\Gm@layoutvoffset=\dimen157 +\Gm@dimlist=\toks15 +) +(/usr/share/texlive/texmf-dist/tex/latex/base/size11.clo +File: size11.clo 2019/12/20 v1.4l Standard LaTeX file (size option) ) (/usr/share/texlive/texmf-dist/tex/latex/pgf/basiclayer/pgfcore.sty (/usr/share/texlive/texmf-dist/tex/latex/graphics/graphicx.sty -Package: graphicx 2021/09/16 v1.2d Enhanced LaTeX Graphics (DPC,SPQR) +Package: graphicx 2019/11/30 v1.2a Enhanced LaTeX Graphics (DPC,SPQR) (/usr/share/texlive/texmf-dist/tex/latex/graphics/graphics.sty -Package: graphics 2021/03/04 v1.4d Standard LaTeX Graphics (DPC,SPQR) +Package: graphics 2019/11/30 v1.4a Standard LaTeX Graphics (DPC,SPQR) (/usr/share/texlive/texmf-dist/tex/latex/graphics/trig.sty -Package: trig 2021/08/11 v1.11 sin cos tan (DPC) +Package: trig 2016/01/03 v1.10 sin cos tan (DPC) ) (/usr/share/texlive/texmf-dist/tex/latex/graphics-cfg/graphics.cfg File: graphics.cfg 2016/06/04 v1.11 sample graphics configuration ) -Package graphics Info: Driver file: pdftex.def on input line 107. +Package graphics Info: Driver file: pdftex.def on input line 105. 
(/usr/share/texlive/texmf-dist/tex/latex/graphics-def/pdftex.def -File: pdftex.def 2020/10/05 v1.2a Graphics/color driver for pdftex +File: pdftex.def 2018/01/08 v1.0l Graphics/color driver for pdftex )) -\Gin@req@height=\dimen162 -\Gin@req@width=\dimen163 +\Gin@req@height=\dimen158 +\Gin@req@width=\dimen159 ) (/usr/share/texlive/texmf-dist/tex/latex/pgf/systemlayer/pgfsys.sty (/usr/share/texlive/texmf-dist/tex/latex/pgf/utilities/pgfrcs.sty (/usr/share/texlive/texmf-dist/tex/generic/pgf/utilities/pgfutil-common.tex -\pgfutil@everybye=\toks18 -\pgfutil@tempdima=\dimen164 -\pgfutil@tempdimb=\dimen165 +\pgfutil@everybye=\toks16 +\pgfutil@tempdima=\dimen160 +\pgfutil@tempdimb=\dimen161 (/usr/share/texlive/texmf-dist/tex/generic/pgf/utilities/pgfutil-common-lists.t ex)) (/usr/share/texlive/texmf-dist/tex/generic/pgf/utilities/pgfutil-latex.def -\pgfutil@abb=\box59 -) (/usr/share/texlive/texmf-dist/tex/generic/pgf/utilities/pgfrcs.code.tex +\pgfutil@abb=\box54 +(/usr/share/texlive/texmf-dist/tex/latex/ms/everyshi.sty +Package: everyshi 2001/05/15 v3.00 EveryShipout Package (MS) +)) +(/usr/share/texlive/texmf-dist/tex/generic/pgf/utilities/pgfrcs.code.tex (/usr/share/texlive/texmf-dist/tex/generic/pgf/pgf.revision.tex) -Package: pgfrcs 2021/05/15 v3.1.9a (3.1.9a) +Package: pgfrcs 2020/01/08 v3.1.5b (3.1.5b) )) (/usr/share/texlive/texmf-dist/tex/generic/pgf/systemlayer/pgfsys.code.tex -Package: pgfsys 2021/05/15 v3.1.9a (3.1.9a) +Package: pgfsys 2020/01/08 v3.1.5b (3.1.5b) (/usr/share/texlive/texmf-dist/tex/generic/pgf/utilities/pgfkeys.code.tex -\pgfkeys@pathtoks=\toks19 -\pgfkeys@temptoks=\toks20 +\pgfkeys@pathtoks=\toks17 +\pgfkeys@temptoks=\toks18 (/usr/share/texlive/texmf-dist/tex/generic/pgf/utilities/pgfkeysfiltered.code.t ex -\pgfkeys@tmptoks=\toks21 +\pgfkeys@tmptoks=\toks19 )) -\pgf@x=\dimen166 -\pgf@y=\dimen167 -\pgf@xa=\dimen168 -\pgf@ya=\dimen169 -\pgf@xb=\dimen170 -\pgf@yb=\dimen171 -\pgf@xc=\dimen172 -\pgf@yc=\dimen173 -\pgf@xd=\dimen174 -\pgf@yd=\dimen175 
+\pgf@x=\dimen162 +\pgf@y=\dimen163 +\pgf@xa=\dimen164 +\pgf@ya=\dimen165 +\pgf@xb=\dimen166 +\pgf@yb=\dimen167 +\pgf@xc=\dimen168 +\pgf@yc=\dimen169 +\pgf@xd=\dimen170 +\pgf@yd=\dimen171 \w@pgf@writea=\write3 \r@pgf@reada=\read2 -\c@pgf@counta=\count280 -\c@pgf@countb=\count281 -\c@pgf@countc=\count282 -\c@pgf@countd=\count283 -\t@pgf@toka=\toks22 -\t@pgf@tokb=\toks23 -\t@pgf@tokc=\toks24 -\pgf@sys@id@count=\count284 +\c@pgf@counta=\count195 +\c@pgf@countb=\count196 +\c@pgf@countc=\count197 +\c@pgf@countd=\count198 +\t@pgf@toka=\toks20 +\t@pgf@tokb=\toks21 +\t@pgf@tokc=\toks22 +\pgf@sys@id@count=\count199 (/usr/share/texlive/texmf-dist/tex/generic/pgf/systemlayer/pgf.cfg -File: pgf.cfg 2021/05/15 v3.1.9a (3.1.9a) +File: pgf.cfg 2020/01/08 v3.1.5b (3.1.5b) ) Driver file for pgf: pgfsys-pdftex.def (/usr/share/texlive/texmf-dist/tex/generic/pgf/systemlayer/pgfsys-pdftex.def -File: pgfsys-pdftex.def 2021/05/15 v3.1.9a (3.1.9a) +File: pgfsys-pdftex.def 2020/01/08 v3.1.5b (3.1.5b) (/usr/share/texlive/texmf-dist/tex/generic/pgf/systemlayer/pgfsys-common-pdf.de f -File: pgfsys-common-pdf.def 2021/05/15 v3.1.9a (3.1.9a) +File: pgfsys-common-pdf.def 2020/01/08 v3.1.5b (3.1.5b) ))) (/usr/share/texlive/texmf-dist/tex/generic/pgf/systemlayer/pgfsyssoftpath.code. tex -File: pgfsyssoftpath.code.tex 2021/05/15 v3.1.9a (3.1.9a) -\pgfsyssoftpath@smallbuffer@items=\count285 -\pgfsyssoftpath@bigbuffer@items=\count286 +File: pgfsyssoftpath.code.tex 2020/01/08 v3.1.5b (3.1.5b) +\pgfsyssoftpath@smallbuffer@items=\count266 +\pgfsyssoftpath@bigbuffer@items=\count267 ) (/usr/share/texlive/texmf-dist/tex/generic/pgf/systemlayer/pgfsysprotocol.code. 
tex -File: pgfsysprotocol.code.tex 2021/05/15 v3.1.9a (3.1.9a) +File: pgfsysprotocol.code.tex 2020/01/08 v3.1.5b (3.1.5b) )) (/usr/share/texlive/texmf-dist/tex/latex/xcolor/xcolor.sty -Package: xcolor 2021/10/31 v2.13 LaTeX color extensions (UK) +Package: xcolor 2016/05/11 v2.12 LaTeX color extensions (UK) (/usr/share/texlive/texmf-dist/tex/latex/graphics-cfg/color.cfg File: color.cfg 2016/01/02 v1.6 sample color configuration ) -Package xcolor Info: Driver file: pdftex.def on input line 227. -Package xcolor Info: Model `cmy' substituted by `cmy0' on input line 1352. -Package xcolor Info: Model `hsb' substituted by `rgb' on input line 1356. -Package xcolor Info: Model `RGB' extended on input line 1368. -Package xcolor Info: Model `HTML' substituted by `rgb' on input line 1370. -Package xcolor Info: Model `Hsb' substituted by `hsb' on input line 1371. -Package xcolor Info: Model `tHsb' substituted by `hsb' on input line 1372. -Package xcolor Info: Model `HSB' substituted by `hsb' on input line 1373. -Package xcolor Info: Model `Gray' substituted by `gray' on input line 1374. -Package xcolor Info: Model `wave' substituted by `hsb' on input line 1375. +Package xcolor Info: Driver file: pdftex.def on input line 225. +Package xcolor Info: Model `cmy' substituted by `cmy0' on input line 1348. +Package xcolor Info: Model `hsb' substituted by `rgb' on input line 1352. +Package xcolor Info: Model `RGB' extended on input line 1364. +Package xcolor Info: Model `HTML' substituted by `rgb' on input line 1366. +Package xcolor Info: Model `Hsb' substituted by `hsb' on input line 1367. +Package xcolor Info: Model `tHsb' substituted by `hsb' on input line 1368. +Package xcolor Info: Model `HSB' substituted by `hsb' on input line 1369. +Package xcolor Info: Model `Gray' substituted by `gray' on input line 1370. +Package xcolor Info: Model `wave' substituted by `hsb' on input line 1371. 
) (/usr/share/texlive/texmf-dist/tex/generic/pgf/basiclayer/pgfcore.code.tex -Package: pgfcore 2021/05/15 v3.1.9a (3.1.9a) +Package: pgfcore 2020/01/08 v3.1.5b (3.1.5b) (/usr/share/texlive/texmf-dist/tex/generic/pgf/math/pgfmath.code.tex (/usr/share/texlive/texmf-dist/tex/generic/pgf/math/pgfmathcalc.code.tex (/usr/share/texlive/texmf-dist/tex/generic/pgf/math/pgfmathutil.code.tex) (/usr/share/texlive/texmf-dist/tex/generic/pgf/math/pgfmathparser.code.tex -\pgfmath@dimen=\dimen176 -\pgfmath@count=\count287 -\pgfmath@box=\box60 -\pgfmath@toks=\toks25 -\pgfmath@stack@operand=\toks26 -\pgfmath@stack@operation=\toks27 +\pgfmath@dimen=\dimen172 +\pgfmath@count=\count268 +\pgfmath@box=\box55 +\pgfmath@toks=\toks23 +\pgfmath@stack@operand=\toks24 +\pgfmath@stack@operation=\toks25 ) (/usr/share/texlive/texmf-dist/tex/generic/pgf/math/pgfmathfunctions.code.tex (/usr/share/texlive/texmf-dist/tex/generic/pgf/math/pgfmathfunctions.basic.code 
@@ -238,128 +243,123 @@ tex) (/usr/share/texlive/texmf-dist/tex/generic/pgf/math/pgfmathfunctions.integerari thmetics.code.tex))) (/usr/share/texlive/texmf-dist/tex/generic/pgf/math/pgfmathfloat.code.tex -\c@pgfmathroundto@lastzeros=\count288 +\c@pgfmathroundto@lastzeros=\count269 )) (/usr/share/texlive/texmf-dist/tex/generic/pgf/math/pgfint.code.tex) (/usr/share/texlive/texmf-dist/tex/generic/pgf/basiclayer/pgfcorepoints.code.te x -File: pgfcorepoints.code.tex 2021/05/15 v3.1.9a (3.1.9a) -\pgf@picminx=\dimen177 -\pgf@picmaxx=\dimen178 -\pgf@picminy=\dimen179 -\pgf@picmaxy=\dimen180 -\pgf@pathminx=\dimen181 -\pgf@pathmaxx=\dimen182 -\pgf@pathminy=\dimen183 -\pgf@pathmaxy=\dimen184 -\pgf@xx=\dimen185 -\pgf@xy=\dimen186 -\pgf@yx=\dimen187 -\pgf@yy=\dimen188 -\pgf@zx=\dimen189 -\pgf@zy=\dimen190 +File: pgfcorepoints.code.tex 2020/01/08 v3.1.5b (3.1.5b) +\pgf@picminx=\dimen173 +\pgf@picmaxx=\dimen174 +\pgf@picminy=\dimen175 +\pgf@picmaxy=\dimen176 +\pgf@pathminx=\dimen177 +\pgf@pathmaxx=\dimen178 +\pgf@pathminy=\dimen179 +\pgf@pathmaxy=\dimen180 +\pgf@xx=\dimen181 +\pgf@xy=\dimen182 +\pgf@yx=\dimen183 +\pgf@yy=\dimen184 +\pgf@zx=\dimen185 +\pgf@zy=\dimen186 ) (/usr/share/texlive/texmf-dist/tex/generic/pgf/basiclayer/pgfcorepathconstruct. 
code.tex -File: pgfcorepathconstruct.code.tex 2021/05/15 v3.1.9a (3.1.9a) -\pgf@path@lastx=\dimen191 -\pgf@path@lasty=\dimen192 +File: pgfcorepathconstruct.code.tex 2020/01/08 v3.1.5b (3.1.5b) +\pgf@path@lastx=\dimen187 +\pgf@path@lasty=\dimen188 ) (/usr/share/texlive/texmf-dist/tex/generic/pgf/basiclayer/pgfcorepathusage.code .tex -File: pgfcorepathusage.code.tex 2021/05/15 v3.1.9a (3.1.9a) -\pgf@shorten@end@additional=\dimen193 -\pgf@shorten@start@additional=\dimen194 +File: pgfcorepathusage.code.tex 2020/01/08 v3.1.5b (3.1.5b) +\pgf@shorten@end@additional=\dimen189 +\pgf@shorten@start@additional=\dimen190 ) (/usr/share/texlive/texmf-dist/tex/generic/pgf/basiclayer/pgfcorescopes.code.te x -File: pgfcorescopes.code.tex 2021/05/15 v3.1.9a (3.1.9a) -\pgfpic=\box61 -\pgf@hbox=\box62 -\pgf@layerbox@main=\box63 -\pgf@picture@serial@count=\count289 +File: pgfcorescopes.code.tex 2020/01/08 v3.1.5b (3.1.5b) +\pgfpic=\box56 +\pgf@hbox=\box57 +\pgf@layerbox@main=\box58 +\pgf@picture@serial@count=\count270 ) (/usr/share/texlive/texmf-dist/tex/generic/pgf/basiclayer/pgfcoregraphicstate.c ode.tex -File: pgfcoregraphicstate.code.tex 2021/05/15 v3.1.9a (3.1.9a) -\pgflinewidth=\dimen195 +File: pgfcoregraphicstate.code.tex 2020/01/08 v3.1.5b (3.1.5b) +\pgflinewidth=\dimen191 ) (/usr/share/texlive/texmf-dist/tex/generic/pgf/basiclayer/pgfcoretransformation s.code.tex -File: pgfcoretransformations.code.tex 2021/05/15 v3.1.9a (3.1.9a) -\pgf@pt@x=\dimen196 -\pgf@pt@y=\dimen197 -\pgf@pt@temp=\dimen198 +File: pgfcoretransformations.code.tex 2020/01/08 v3.1.5b (3.1.5b) +\pgf@pt@x=\dimen192 +\pgf@pt@y=\dimen193 +\pgf@pt@temp=\dimen194 ) (/usr/share/texlive/texmf-dist/tex/generic/pgf/basiclayer/pgfcorequick.code.tex -File: pgfcorequick.code.tex 2021/05/15 v3.1.9a (3.1.9a) +File: pgfcorequick.code.tex 2020/01/08 v3.1.5b (3.1.5b) ) (/usr/share/texlive/texmf-dist/tex/generic/pgf/basiclayer/pgfcoreobjects.code.t ex -File: pgfcoreobjects.code.tex 2021/05/15 v3.1.9a (3.1.9a) +File: 
pgfcoreobjects.code.tex 2020/01/08 v3.1.5b (3.1.5b) ) (/usr/share/texlive/texmf-dist/tex/generic/pgf/basiclayer/pgfcorepathprocessing .code.tex -File: pgfcorepathprocessing.code.tex 2021/05/15 v3.1.9a (3.1.9a) +File: pgfcorepathprocessing.code.tex 2020/01/08 v3.1.5b (3.1.5b) ) (/usr/share/texlive/texmf-dist/tex/generic/pgf/basiclayer/pgfcorearrows.code.te x -File: pgfcorearrows.code.tex 2021/05/15 v3.1.9a (3.1.9a) -\pgfarrowsep=\dimen199 +File: pgfcorearrows.code.tex 2020/01/08 v3.1.5b (3.1.5b) +\pgfarrowsep=\dimen195 ) (/usr/share/texlive/texmf-dist/tex/generic/pgf/basiclayer/pgfcoreshade.code.tex -File: pgfcoreshade.code.tex 2021/05/15 v3.1.9a (3.1.9a) -\pgf@max=\dimen256 -\pgf@sys@shading@range@num=\count290 -\pgf@shadingcount=\count291 +File: pgfcoreshade.code.tex 2020/01/08 v3.1.5b (3.1.5b) +\pgf@max=\dimen196 +\pgf@sys@shading@range@num=\count271 +\pgf@shadingcount=\count272 ) (/usr/share/texlive/texmf-dist/tex/generic/pgf/basiclayer/pgfcoreimage.code.tex -File: pgfcoreimage.code.tex 2021/05/15 v3.1.9a (3.1.9a) +File: pgfcoreimage.code.tex 2020/01/08 v3.1.5b (3.1.5b) (/usr/share/texlive/texmf-dist/tex/generic/pgf/basiclayer/pgfcoreexternal.code. tex -File: pgfcoreexternal.code.tex 2021/05/15 v3.1.9a (3.1.9a) -\pgfexternal@startupbox=\box64 +File: pgfcoreexternal.code.tex 2020/01/08 v3.1.5b (3.1.5b) +\pgfexternal@startupbox=\box59 )) (/usr/share/texlive/texmf-dist/tex/generic/pgf/basiclayer/pgfcorelayers.code.te x -File: pgfcorelayers.code.tex 2021/05/15 v3.1.9a (3.1.9a) +File: pgfcorelayers.code.tex 2020/01/08 v3.1.5b (3.1.5b) ) (/usr/share/texlive/texmf-dist/tex/generic/pgf/basiclayer/pgfcoretransparency.c ode.tex -File: pgfcoretransparency.code.tex 2021/05/15 v3.1.9a (3.1.9a) +File: pgfcoretransparency.code.tex 2020/01/08 v3.1.5b (3.1.5b) ) (/usr/share/texlive/texmf-dist/tex/generic/pgf/basiclayer/pgfcorepatterns.code. 
tex -File: pgfcorepatterns.code.tex 2021/05/15 v3.1.9a (3.1.9a) +File: pgfcorepatterns.code.tex 2020/01/08 v3.1.5b (3.1.5b) ) (/usr/share/texlive/texmf-dist/tex/generic/pgf/basiclayer/pgfcorerdf.code.tex -File: pgfcorerdf.code.tex 2021/05/15 v3.1.9a (3.1.9a) -))) (/usr/share/texlive/texmf-dist/tex/latex/base/size11.clo -File: size11.clo 2021/10/04 v1.4n Standard LaTeX file (size option) -) -(/usr/share/texlive/texmf-dist/tex/latex/pgf/utilities/xxcolor.sty +File: pgfcorerdf.code.tex 2020/01/08 v3.1.5b (3.1.5b) +))) (/usr/share/texlive/texmf-dist/tex/latex/pgf/utilities/xxcolor.sty Package: xxcolor 2003/10/24 ver 0.1 -\XC@nummixins=\count292 -\XC@countmixins=\count293 -) -(/usr/share/texlive/texmf-dist/tex/latex/base/atbegshi-ltx.sty -Package: atbegshi-ltx 2021/01/10 v1.0c Emulation of the original atbegshi -package with kernel methods -) -(/usr/share/texlive/texmf-dist/tex/latex/hyperref/hyperref.sty -Package: hyperref 2021-06-07 v7.00m Hypertext links for LaTeX - -(/usr/share/texlive/texmf-dist/tex/generic/ltxcmds/ltxcmds.sty -Package: ltxcmds 2020-05-10 v1.25 LaTeX kernel commands for general use (HO) -) -(/usr/share/texlive/texmf-dist/tex/generic/pdftexcmds/pdftexcmds.sty -Package: pdftexcmds 2020-06-27 v0.33 Utility functions of pdfTeX for LuaTeX (HO +\XC@nummixins=\count273 +\XC@countmixins=\count274 ) +(/usr/share/texlive/texmf-dist/tex/generic/atbegshi/atbegshi.sty +Package: atbegshi 2019/12/05 v1.19 At begin shipout hook (HO) (/usr/share/texlive/texmf-dist/tex/generic/infwarerr/infwarerr.sty Package: infwarerr 2019/12/03 v1.5 Providing info/warning/error messages (HO) ) +(/usr/share/texlive/texmf-dist/tex/generic/ltxcmds/ltxcmds.sty +Package: ltxcmds 2019/12/15 v1.24 LaTeX kernel commands for general use (HO) +)) +(/usr/share/texlive/texmf-dist/tex/latex/hyperref/hyperref.sty +Package: hyperref 2020/01/14 v7.00d Hypertext links for LaTeX + +(/usr/share/texlive/texmf-dist/tex/latex/pdftexcmds/pdftexcmds.sty +Package: pdftexcmds 2019/11/24 v0.31 Utility 
functions of pdfTeX for LuaTeX (HO +) Package pdftexcmds Info: \pdf@primitive is available. Package pdftexcmds Info: \pdf@ifprimitive is available. Package pdftexcmds Info: \pdfdraftmode found. 
@@ -383,52 +383,43 @@ Package: letltxmacro 2019/12/03 v1.6 Let assignment for LaTeX macros (HO) Package: auxhook 2019-12-17 v1.6 Hooks for auxiliary files (HO) ) (/usr/share/texlive/texmf-dist/tex/latex/kvoptions/kvoptions.sty -Package: kvoptions 2020-10-07 v3.14 Key value format for package options (HO) +Package: kvoptions 2019/11/29 v3.13 Key value format for package options (HO) ) -\@linkdim=\dimen257 -\Hy@linkcounter=\count294 -\Hy@pagecounter=\count295 +\@linkdim=\dimen197 +\Hy@linkcounter=\count275 +\Hy@pagecounter=\count276 (/usr/share/texlive/texmf-dist/tex/latex/hyperref/pd1enc.def -File: pd1enc.def 2021-06-07 v7.00m Hyperref: PDFDocEncoding definition (HO) +File: pd1enc.def 2020/01/14 v7.00d Hyperref: PDFDocEncoding definition (HO) Now handling font encoding PD1 ... ... no UTF-8 mapping file for font encoding PD1 ) -(/usr/share/texlive/texmf-dist/tex/latex/hyperref/hyperref-langpatches.def -File: hyperref-langpatches.def 2021-06-07 v7.00m Hyperref: patches for babel la -nguages -) (/usr/share/texlive/texmf-dist/tex/generic/intcalc/intcalc.sty Package: intcalc 2019/12/15 v1.3 Expandable calculations with integers (HO) ) (/usr/share/texlive/texmf-dist/tex/generic/etexcmds/etexcmds.sty Package: etexcmds 2019/12/15 v1.7 Avoid name clashes with e-TeX commands (HO) ) -\Hy@SavedSpaceFactor=\count296 - -(/usr/share/texlive/texmf-dist/tex/latex/hyperref/puenc.def -File: puenc.def 2021-06-07 v7.00m Hyperref: PDF Unicode definition (HO) -Now handling font encoding PU ... -... no UTF-8 mapping file for font encoding PU -) -Package hyperref Info: Option `bookmarks' set `true' on input line 4073. -Package hyperref Info: Option `bookmarksopen' set `true' on input line 4073. -Package hyperref Info: Option `implicit' set `false' on input line 4073. -Package hyperref Info: Hyper figures OFF on input line 4192. -Package hyperref Info: Link nesting OFF on input line 4197. -Package hyperref Info: Hyper index ON on input line 4200. 
-Package hyperref Info: Plain pages OFF on input line 4207. -Package hyperref Info: Backreferencing OFF on input line 4212. +\Hy@SavedSpaceFactor=\count277 +\pdfmajorversion=\count278 +Package hyperref Info: Option `bookmarks' set `true' on input line 4421. +Package hyperref Info: Option `bookmarksopen' set `true' on input line 4421. +Package hyperref Info: Option `implicit' set `false' on input line 4421. +Package hyperref Info: Hyper figures OFF on input line 4547. +Package hyperref Info: Link nesting OFF on input line 4552. +Package hyperref Info: Hyper index ON on input line 4555. +Package hyperref Info: Plain pages OFF on input line 4562. +Package hyperref Info: Backreferencing OFF on input line 4567. Package hyperref Info: Implicit mode OFF; no redefinition of LaTeX internals. -Package hyperref Info: Bookmarks ON on input line 4445. -\c@Hy@tempcnt=\count297 +Package hyperref Info: Bookmarks ON on input line 4800. +\c@Hy@tempcnt=\count279 (/usr/share/texlive/texmf-dist/tex/latex/url/url.sty \Urlmuskip=\muskip16 Package: url 2013/09/16 ver 3.4 Verb mode for urls, etc. ) -LaTeX Info: Redefining \url on input line 4804. -\XeTeXLinkMargin=\dimen258 +LaTeX Info: Redefining \url on input line 5159. +\XeTeXLinkMargin=\dimen198 (/usr/share/texlive/texmf-dist/tex/generic/bitset/bitset.sty Package: bitset 2019/12/09 v1.3 Handle bit-vector datatype (HO) 
@@ -437,19 +428,19 @@ Package: bitset 2019/12/09 v1.3 Handle bit-vector datatype (HO) Package: bigintcalc 2019/12/15 v1.5 Expandable calculations on big integers (HO ) )) -\Fld@menulength=\count298 -\Field@Width=\dimen259 -\Fld@charsize=\dimen260 -Package hyperref Info: Hyper figures OFF on input line 6076. -Package hyperref Info: Link nesting OFF on input line 6081. -Package hyperref Info: Hyper index ON on input line 6084. -Package hyperref Info: backreferencing OFF on input line 6091. -Package hyperref Info: Link coloring OFF on input line 6096. -Package hyperref Info: Link coloring with OCG OFF on input line 6101. -Package hyperref Info: PDF/A mode OFF on input line 6106. -LaTeX Info: Redefining \ref on input line 6146. -LaTeX Info: Redefining \pageref on input line 6150. -\Hy@abspage=\count299 +\Fld@menulength=\count280 +\Field@Width=\dimen199 +\Fld@charsize=\dimen256 +Package hyperref Info: Hyper figures OFF on input line 6430. +Package hyperref Info: Link nesting OFF on input line 6435. +Package hyperref Info: Hyper index ON on input line 6438. +Package hyperref Info: backreferencing OFF on input line 6445. +Package hyperref Info: Link coloring OFF on input line 6450. +Package hyperref Info: Link coloring with OCG OFF on input line 6455. +Package hyperref Info: PDF/A mode OFF on input line 6460. +LaTeX Info: Redefining \ref on input line 6500. +LaTeX Info: Redefining \pageref on input line 6504. +\Hy@abspage=\count281 Package hyperref Message: Stopped early. 
@@ -457,15 +448,13 @@ Package hyperref Message: Stopped early. ) Package hyperref Info: Driver (autodetected): hpdftex. (/usr/share/texlive/texmf-dist/tex/latex/hyperref/hpdftex.def -File: hpdftex.def 2021-06-07 v7.00m Hyperref driver for pdfTeX +File: hpdftex.def 2020/01/14 v7.00d Hyperref driver for pdfTeX -(/usr/share/texlive/texmf-dist/tex/latex/base/atveryend-ltx.sty -Package: atveryend-ltx 2020/08/19 v1.0a Emulation of the original atveryend pac -kage -with kernel methods +(/usr/share/texlive/texmf-dist/tex/latex/atveryend/atveryend.sty +Package: atveryend 2019-12-11 v1.11 Hooks at the very end of document (HO) ) -\Fld@listcount=\count300 -\c@bookmark@seq@number=\count301 +\Fld@listcount=\count282 +\c@bookmark@seq@number=\count283 (/usr/share/texlive/texmf-dist/tex/latex/rerunfilecheck/rerunfilecheck.sty Package: rerunfilecheck 2019/12/05 v1.9 Rerun checks for auxiliary files (HO) @@ -484,7 +473,7 @@ Package: amssymb 2013/01/14 v3.01 AMS font symbols (/usr/share/texlive/texmf-dist/tex/latex/amsfonts/amsfonts.sty Package: amsfonts 2013/01/14 v3.01 Basic AMSFonts support -\@emptytoks=\toks28 +\@emptytoks=\toks26 \symAMSa=\mathgroup4 \symAMSb=\mathgroup5 LaTeX Font Info: Redeclaring math symbol \hbar on input line 98. 
@@ -495,185 +484,177 @@ LaTeX Font Info: Overwriting math alphabet `\mathfrak' in version `bold' Package: sansmathaccent 2020/01/31 (/usr/share/texlive/texmf-dist/tex/latex/koma-script/scrlfile.sty -Package: scrlfile 2021/11/13 v3.35 KOMA-Script package (file load hooks) - -(/usr/share/texlive/texmf-dist/tex/latex/koma-script/scrlfile-hook.sty -Package: scrlfile-hook 2021/11/13 v3.35 KOMA-Script package (using LaTeX hooks) - - -(/usr/share/texlive/texmf-dist/tex/latex/koma-script/scrlogo.sty -Package: scrlogo 2021/11/13 v3.35 KOMA-Script package (logo) -))))) +Package: scrlfile 2020/01/24 v3.29 KOMA-Script package (loading files) +))) (/usr/share/texlive/texmf-dist/tex/latex/beamer/beamerbasetranslator.sty (/usr/share/texlive/texmf-dist/tex/latex/translator/translator.sty -Package: translator 2021-05-31 v1.12d Easy translation of strings in LaTeX +Package: translator 2019-05-31 v1.12a Easy translation of strings in LaTeX )) (/usr/share/texlive/texmf-dist/tex/latex/beamer/beamerbasemisc.sty) (/usr/share/texlive/texmf-dist/tex/latex/beamer/beamerbasetwoscreens.sty) (/usr/share/texlive/texmf-dist/tex/latex/beamer/beamerbaseoverlay.sty -\beamer@argscount=\count302 +\beamer@argscount=\count284 \beamer@lastskipcover=\skip50 -\beamer@trivlistdepth=\count303 +\beamer@trivlistdepth=\count285 ) (/usr/share/texlive/texmf-dist/tex/latex/beamer/beamerbasetitle.sty) (/usr/share/texlive/texmf-dist/tex/latex/beamer/beamerbasesection.sty -\c@lecture=\count304 -\c@part=\count305 -\c@section=\count306 -\c@subsection=\count307 -\c@subsubsection=\count308 +\c@lecture=\count286 +\c@part=\count287 +\c@section=\count288 +\c@subsection=\count289 +\c@subsubsection=\count290 ) (/usr/share/texlive/texmf-dist/tex/latex/beamer/beamerbaseframe.sty -\beamer@framebox=\box65 -\beamer@frametitlebox=\box66 -\beamer@zoombox=\box67 -\beamer@zoomcount=\count309 -\beamer@zoomframecount=\count310 -\beamer@frametextheight=\dimen261 -\c@subsectionslide=\count311 +\beamer@framebox=\box60 
+\beamer@frametitlebox=\box61 +\beamer@zoombox=\box62 +\beamer@zoomcount=\count291 +\beamer@zoomframecount=\count292 +\beamer@frametextheight=\dimen257 +\c@subsectionslide=\count293 \beamer@frametopskip=\skip51 \beamer@framebottomskip=\skip52 \beamer@frametopskipautobreak=\skip53 \beamer@framebottomskipautobreak=\skip54 -\beamer@envbody=\toks29 -\framewidth=\dimen262 -\c@framenumber=\count312 +\beamer@envbody=\toks27 +\framewidth=\dimen258 +\c@framenumber=\count294 ) (/usr/share/texlive/texmf-dist/tex/latex/beamer/beamerbaseverbatim.sty \beamer@verbatimfileout=\write4 ) (/usr/share/texlive/texmf-dist/tex/latex/beamer/beamerbaseframesize.sty -\beamer@splitbox=\box68 -\beamer@autobreakcount=\count313 -\beamer@autobreaklastheight=\dimen263 -\beamer@frametitletoks=\toks30 -\beamer@framesubtitletoks=\toks31 +\beamer@splitbox=\box63 +\beamer@autobreakcount=\count295 +\beamer@autobreaklastheight=\dimen259 +\beamer@frametitletoks=\toks28 +\beamer@framesubtitletoks=\toks29 ) (/usr/share/texlive/texmf-dist/tex/latex/beamer/beamerbaseframecomponents.sty -\beamer@footins=\box69 +\beamer@footins=\box64 ) (/usr/share/texlive/texmf-dist/tex/latex/beamer/beamerbasecolor.sty) (/usr/share/texlive/texmf-dist/tex/latex/beamer/beamerbasenotes.sty -\beamer@frameboxcopy=\box70 +\beamer@frameboxcopy=\box65 ) (/usr/share/texlive/texmf-dist/tex/latex/beamer/beamerbasetoc.sty) (/usr/share/texlive/texmf-dist/tex/latex/beamer/beamerbasetemplates.sty -\beamer@sbttoks=\toks32 +\beamer@sbttoks=\toks30 (/usr/share/texlive/texmf-dist/tex/latex/beamer/beamerbaseauxtemplates.sty (/usr/share/texlive/texmf-dist/tex/latex/beamer/beamerbaseboxes.sty -\bmb@box=\box71 -\bmb@colorbox=\box72 -\bmb@boxwidth=\dimen264 -\bmb@boxheight=\dimen265 -\bmb@prevheight=\dimen266 -\bmb@temp=\dimen267 -\bmb@dima=\dimen268 -\bmb@dimb=\dimen269 -\bmb@prevheight=\dimen270 +\bmb@box=\box66 +\bmb@colorbox=\box67 +\bmb@boxshadow=\box68 +\bmb@boxshadowball=\box69 +\bmb@boxshadowballlarge=\box70 +\bmb@temp=\dimen260 
+\bmb@dima=\dimen261 +\bmb@dimb=\dimen262 +\bmb@prevheight=\dimen263 ) -\beamer@blockheadheight=\dimen271 +\beamer@blockheadheight=\dimen264 )) (/usr/share/texlive/texmf-dist/tex/latex/beamer/beamerbaselocalstructure.sty (/usr/share/texlive/texmf-dist/tex/latex/tools/enumerate.sty Package: enumerate 2015/07/23 v3.00 enumerate extensions (DPC) -\@enLab=\toks33 +\@enLab=\toks31 ) -\beamer@bibiconwidth=\skip55 -\c@figure=\count314 -\c@table=\count315 -\abovecaptionskip=\skip56 -\belowcaptionskip=\skip57 +\c@figure=\count296 +\c@table=\count297 +\abovecaptionskip=\skip55 +\belowcaptionskip=\skip56 ) (/usr/share/texlive/texmf-dist/tex/latex/beamer/beamerbasenavigation.sty -\beamer@section@min@dim=\dimen272 +\beamer@section@min@dim=\dimen265 ) (/usr/share/texlive/texmf-dist/tex/latex/beamer/beamerbasetheorems.sty (/usr/share/texlive/texmf-dist/tex/latex/amsmath/amsmath.sty -Package: amsmath 2021/10/15 v2.17l AMS math features -\@mathmargin=\skip58 +Package: amsmath 2020/01/20 v2.17e AMS math features +\@mathmargin=\skip57 For additional information on amsmath, use the `?' option. (/usr/share/texlive/texmf-dist/tex/latex/amsmath/amstext.sty -Package: amstext 2021/08/26 v2.01 AMS text +Package: amstext 2000/06/29 v2.01 AMS text (/usr/share/texlive/texmf-dist/tex/latex/amsmath/amsgen.sty File: amsgen.sty 1999/11/30 v2.0 generic functions -\@emptytoks=\toks34 -\ex@=\dimen273 +\@emptytoks=\toks32 +\ex@=\dimen266 )) (/usr/share/texlive/texmf-dist/tex/latex/amsmath/amsbsy.sty Package: amsbsy 1999/11/29 v1.2d Bold Symbols -\pmbraise@=\dimen274 +\pmbraise@=\dimen267 ) (/usr/share/texlive/texmf-dist/tex/latex/amsmath/amsopn.sty -Package: amsopn 2021/08/26 v2.02 operator names +Package: amsopn 2016/03/08 v2.02 operator names ) -\inf@bad=\count316 -LaTeX Info: Redefining \frac on input line 234. -\uproot@=\count317 -\leftroot@=\count318 -LaTeX Info: Redefining \overline on input line 399. -\classnum@=\count319 -\DOTSCASE@=\count320 -LaTeX Info: Redefining \ldots on input line 496. 
-LaTeX Info: Redefining \dots on input line 499. -LaTeX Info: Redefining \cdots on input line 620. -\Mathstrutbox@=\box73 -\strutbox@=\box74 -\big@size=\dimen275 -LaTeX Font Info: Redeclaring font encoding OML on input line 743. -LaTeX Font Info: Redeclaring font encoding OMS on input line 744. -\macc@depth=\count321 -\c@MaxMatrixCols=\count322 +\inf@bad=\count298 +LaTeX Info: Redefining \frac on input line 227. +\uproot@=\count299 +\leftroot@=\count300 +LaTeX Info: Redefining \overline on input line 389. +\classnum@=\count301 +\DOTSCASE@=\count302 +LaTeX Info: Redefining \ldots on input line 486. +LaTeX Info: Redefining \dots on input line 489. +LaTeX Info: Redefining \cdots on input line 610. +\Mathstrutbox@=\box71 +\strutbox@=\box72 +\big@size=\dimen268 +LaTeX Font Info: Redeclaring font encoding OML on input line 733. +LaTeX Font Info: Redeclaring font encoding OMS on input line 734. +\macc@depth=\count303 +\c@MaxMatrixCols=\count304 \dotsspace@=\muskip17 -\c@parentequation=\count323 -\dspbrk@lvl=\count324 -\tag@help=\toks35 -\row@=\count325 -\column@=\count326 -\maxfields@=\count327 -\andhelp@=\toks36 -\eqnshift@=\dimen276 -\alignsep@=\dimen277 -\tagshift@=\dimen278 -\tagwidth@=\dimen279 -\totwidth@=\dimen280 -\lineht@=\dimen281 -\@envbody=\toks37 -\multlinegap=\skip59 -\multlinetaggap=\skip60 -\mathdisplay@stack=\toks38 -LaTeX Info: Redefining \[ on input line 2938. -LaTeX Info: Redefining \] on input line 2939. +\c@parentequation=\count305 +\dspbrk@lvl=\count306 +\tag@help=\toks33 +\row@=\count307 +\column@=\count308 +\maxfields@=\count309 +\andhelp@=\toks34 +\eqnshift@=\dimen269 +\alignsep@=\dimen270 +\tagshift@=\dimen271 +\tagwidth@=\dimen272 +\totwidth@=\dimen273 +\lineht@=\dimen274 +\@envbody=\toks35 +\multlinegap=\skip58 +\multlinetaggap=\skip59 +\mathdisplay@stack=\toks36 +LaTeX Info: Redefining \[ on input line 2859. +LaTeX Info: Redefining \] on input line 2860. 
) (/usr/share/texlive/texmf-dist/tex/latex/amscls/amsthm.sty -Package: amsthm 2020/05/29 v2.20.6 -\thm@style=\toks39 -\thm@bodyfont=\toks40 -\thm@headfont=\toks41 -\thm@notefont=\toks42 -\thm@headpunct=\toks43 -\thm@preskip=\skip61 -\thm@postskip=\skip62 -\thm@headsep=\skip63 -\dth@everypar=\toks44 +Package: amsthm 2017/10/31 v2.20.4 +\thm@style=\toks37 +\thm@bodyfont=\toks38 +\thm@headfont=\toks39 +\thm@notefont=\toks40 +\thm@headpunct=\toks41 +\thm@preskip=\skip60 +\thm@postskip=\skip61 +\thm@headsep=\skip62 +\dth@everypar=\toks42 ) -\c@theorem=\count328 +\c@theorem=\count310 ) (/usr/share/texlive/texmf-dist/tex/latex/beamer/beamerbasethemes.sty)) (/usr/share/texlive/texmf-dist/tex/latex/beamer/beamerthemedefault.sty (/usr/share/texlive/texmf-dist/tex/latex/beamer/beamerfontthemedefault.sty) (/usr/share/texlive/texmf-dist/tex/latex/beamer/beamercolorthemedefault.sty) (/usr/share/texlive/texmf-dist/tex/latex/beamer/beamerinnerthemedefault.sty -\beamer@dima=\dimen282 -\beamer@dimb=\dimen283 +\beamer@dima=\dimen275 +\beamer@dimb=\dimen276 ) (/usr/share/texlive/texmf-dist/tex/latex/beamer/beamerouterthemedefault.sty))) (/usr/share/texlive/texmf-dist/tex/latex/beamertheme-focus/beamerthemefocus.sty -Package: beamerthemefocus 2021/12/08 v3.1.0 Focus Beamer theme +Package: beamerthemefocus 2019/11/20 v2.5 Focus Beamer theme (/usr/share/texlive/texmf-dist/tex/latex/base/fontenc.sty -Package: fontenc 2021/04/29 v2.0v Standard LaTeX package +Package: fontenc 2020/02/11 v2.0o Standard LaTeX package ) (/usr/share/texlive/texmf-dist/tex/latex/fira/FiraSans.sty Package: FiraSans 2019/10/10 (Bob Tennent and autoinst) Style file for Fira San 
@@ -686,21 +667,21 @@ Package: ifxetex 2019/10/25 v0.7 ifxetex legacy package. Use iftex instead. Package: ifluatex 2019/10/25 v1.5 ifluatex legacy package. Use iftex instead. ) (/usr/share/texlive/texmf-dist/tex/latex/xkeyval/xkeyval.sty -Package: xkeyval 2020/11/20 v2.8 package option processing (HA) +Package: xkeyval 2014/12/03 v2.7a package option processing (HA) (/usr/share/texlive/texmf-dist/tex/generic/xkeyval/xkeyval.tex (/usr/share/texlive/texmf-dist/tex/generic/xkeyval/xkvutils.tex -\XKV@toks=\toks45 -\XKV@tempa@toks=\toks46 +\XKV@toks=\toks43 +\XKV@tempa@toks=\toks44 ) -\XKV@depth=\count329 +\XKV@depth=\count311 File: xkeyval.tex 2014/12/03 v2.7a key=value parser (HA) )) (/usr/share/texlive/texmf-dist/tex/latex/base/textcomp.sty Package: textcomp 2020/02/02 v2.0n Standard LaTeX package ) (/usr/share/texlive/texmf-dist/tex/latex/fontaxes/fontaxes.sty -Package: fontaxes 2020/07/21 v1.0e Font selection axes +Package: fontaxes 2014/03/23 v1.0d Font selection axes LaTeX Info: Redefining \upshape on input line 29. LaTeX Info: Redefining \itshape on input line 31. LaTeX Info: Redefining \slshape on input line 33. @@ -717,7 +698,7 @@ Package: FiraMono 2019/10/10 (Bob Tennent and autoinst) Style file for Fira Mon o fonts. (/usr/share/texlive/texmf-dist/tex/latex/base/fontenc.sty -Package: fontenc 2021/04/29 v2.0v Standard LaTeX package +Package: fontenc 2020/02/11 v2.0o Standard LaTeX package LaTeX Font Info: Trying to load font information for T1+FiraSans-OsF on inpu t line 112. 
@@ -739,159 +720,201 @@ s.sty) (/usr/share/texlive/texmf-dist/tex/latex/beamertheme-focus/beamerinnerthemefocu s.sty (/usr/share/texlive/texmf-dist/tex/latex/pgf/frontendlayer/tikz.sty (/usr/share/texlive/texmf-dist/tex/latex/pgf/basiclayer/pgf.sty -Package: pgf 2021/05/15 v3.1.9a (3.1.9a) +Package: pgf 2020/01/08 v3.1.5b (3.1.5b) (/usr/share/texlive/texmf-dist/tex/generic/pgf/modules/pgfmoduleshapes.code.tex -File: pgfmoduleshapes.code.tex 2021/05/15 v3.1.9a (3.1.9a) -\pgfnodeparttextbox=\box75 +File: pgfmoduleshapes.code.tex 2020/01/08 v3.1.5b (3.1.5b) +\pgfnodeparttextbox=\box73 ) (/usr/share/texlive/texmf-dist/tex/generic/pgf/modules/pgfmoduleplot.code.tex -File: pgfmoduleplot.code.tex 2021/05/15 v3.1.9a (3.1.9a) +File: pgfmoduleplot.code.tex 2020/01/08 v3.1.5b (3.1.5b) ) (/usr/share/texlive/texmf-dist/tex/latex/pgf/compatibility/pgfcomp-version-0-65 .sty -Package: pgfcomp-version-0-65 2021/05/15 v3.1.9a (3.1.9a) -\pgf@nodesepstart=\dimen284 -\pgf@nodesepend=\dimen285 +Package: pgfcomp-version-0-65 2020/01/08 v3.1.5b (3.1.5b) +\pgf@nodesepstart=\dimen277 +\pgf@nodesepend=\dimen278 ) (/usr/share/texlive/texmf-dist/tex/latex/pgf/compatibility/pgfcomp-version-1-18 .sty -Package: pgfcomp-version-1-18 2021/05/15 v3.1.9a (3.1.9a) +Package: pgfcomp-version-1-18 2020/01/08 v3.1.5b (3.1.5b) )) (/usr/share/texlive/texmf-dist/tex/latex/pgf/utilities/pgffor.sty (/usr/share/texlive/texmf-dist/tex/latex/pgf/utilities/pgfkeys.sty (/usr/share/texlive/texmf-dist/tex/generic/pgf/utilities/pgfkeys.code.tex)) (/usr/share/texlive/texmf-dist/tex/latex/pgf/math/pgfmath.sty (/usr/share/texlive/texmf-dist/tex/generic/pgf/math/pgfmath.code.tex)) (/usr/share/texlive/texmf-dist/tex/generic/pgf/utilities/pgffor.code.tex -Package: pgffor 2021/05/15 v3.1.9a (3.1.9a) +Package: pgffor 2020/01/08 v3.1.5b (3.1.5b) (/usr/share/texlive/texmf-dist/tex/generic/pgf/math/pgfmath.code.tex) -\pgffor@iter=\dimen286 -\pgffor@skip=\dimen287 -\pgffor@stack=\toks47 -\pgffor@toks=\toks48 
+\pgffor@iter=\dimen279 +\pgffor@skip=\dimen280 +\pgffor@stack=\toks45 +\pgffor@toks=\toks46 )) (/usr/share/texlive/texmf-dist/tex/generic/pgf/frontendlayer/tikz/tikz.code.tex -Package: tikz 2021/05/15 v3.1.9a (3.1.9a) +Package: tikz 2020/01/08 v3.1.5b (3.1.5b) (/usr/share/texlive/texmf-dist/tex/generic/pgf/libraries/pgflibraryplothandlers .code.tex -File: pgflibraryplothandlers.code.tex 2021/05/15 v3.1.9a (3.1.9a) -\pgf@plot@mark@count=\count330 -\pgfplotmarksize=\dimen288 +File: pgflibraryplothandlers.code.tex 2020/01/08 v3.1.5b (3.1.5b) +\pgf@plot@mark@count=\count312 +\pgfplotmarksize=\dimen281 ) -\tikz@lastx=\dimen289 -\tikz@lasty=\dimen290 -\tikz@lastxsaved=\dimen291 -\tikz@lastysaved=\dimen292 -\tikz@lastmovetox=\dimen293 -\tikz@lastmovetoy=\dimen294 -\tikzleveldistance=\dimen295 -\tikzsiblingdistance=\dimen296 -\tikz@figbox=\box76 -\tikz@figbox@bg=\box77 -\tikz@tempbox=\box78 -\tikz@tempbox@bg=\box79 -\tikztreelevel=\count331 -\tikznumberofchildren=\count332 -\tikznumberofcurrentchild=\count333 -\tikz@fig@count=\count334 +\tikz@lastx=\dimen282 +\tikz@lasty=\dimen283 +\tikz@lastxsaved=\dimen284 +\tikz@lastysaved=\dimen285 +\tikz@lastmovetox=\dimen286 +\tikz@lastmovetoy=\dimen287 +\tikzleveldistance=\dimen288 +\tikzsiblingdistance=\dimen289 +\tikz@figbox=\box74 +\tikz@figbox@bg=\box75 +\tikz@tempbox=\box76 +\tikz@tempbox@bg=\box77 +\tikztreelevel=\count313 +\tikznumberofchildren=\count314 +\tikznumberofcurrentchild=\count315 +\tikz@fig@count=\count316 (/usr/share/texlive/texmf-dist/tex/generic/pgf/modules/pgfmodulematrix.code.tex -File: pgfmodulematrix.code.tex 2021/05/15 v3.1.9a (3.1.9a) -\pgfmatrixcurrentrow=\count335 -\pgfmatrixcurrentcolumn=\count336 -\pgf@matrix@numberofcolumns=\count337 +File: pgfmodulematrix.code.tex 2020/01/08 v3.1.5b (3.1.5b) +\pgfmatrixcurrentrow=\count317 +\pgfmatrixcurrentcolumn=\count318 +\pgf@matrix@numberofcolumns=\count319 ) -\tikz@expandcount=\count338 +\tikz@expandcount=\count320 
(/usr/share/texlive/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tik zlibrarytopaths.code.tex -File: tikzlibrarytopaths.code.tex 2021/05/15 v3.1.9a (3.1.9a) +File: tikzlibrarytopaths.code.tex 2020/01/08 v3.1.5b (3.1.5b) )))) (/usr/share/texlive/texmf-dist/tex/latex/beamertheme-focus/beamerouterthemefocu s.sty (/usr/share/texlive/texmf-dist/tex/latex/appendixnumberbeamer/appendixnumberbea mer.sty) (/usr/share/texlive/texmf-dist/tex/latex/bookmark/bookmark.sty -Package: bookmark 2020-11-06 v1.29 PDF bookmarks (HO) +Package: bookmark 2019/12/03 v1.28 PDF bookmarks (HO) (/usr/share/texlive/texmf-dist/tex/latex/bookmark/bkm-pdftex.def -File: bkm-pdftex.def 2020-11-06 v1.29 bookmark driver for pdfTeX (HO) -\BKM@id=\count339 +File: bkm-pdftex.def 2019/12/03 v1.28 bookmark driver for pdfTeX (HO) +\BKM@id=\count321 )) -\c@realframenumber=\count340 -\focus@pbar@height=\skip64 -\focus@pbar@leftoffset=\skip65 -\focus@pbar@rightoffset=\skip66 +\focus@pbar@height=\skip63 +\focus@pbar@leftoffset=\skip64 +\focus@pbar@rightoffset=\skip65 )) (/usr/share/texlive/texmf-dist/tex/latex/base/inputenc.sty -Package: inputenc 2021/02/14 v1.3d Input encoding file -\inpenc@prehook=\toks49 -\inpenc@posthook=\toks50 +Package: inputenc 2018/08/11 v1.3c Input encoding file +\inpenc@prehook=\toks47 +\inpenc@posthook=\toks48 ) (/usr/share/texlive/texmf-dist/tex/latex/listings/listings.sty -\lst@mode=\count341 -\lst@gtempboxa=\box80 -\lst@token=\toks51 -\lst@length=\count342 -\lst@currlwidth=\dimen297 -\lst@column=\count343 -\lst@pos=\count344 -\lst@lostspace=\dimen298 -\lst@width=\dimen299 -\lst@newlines=\count345 -\lst@lineno=\count346 -\lst@maxwidth=\dimen300 +\lst@mode=\count322 +\lst@gtempboxa=\box78 +\lst@token=\toks49 +\lst@length=\count323 +\lst@currlwidth=\dimen290 +\lst@column=\count324 +\lst@pos=\count325 +\lst@lostspace=\dimen291 +\lst@width=\dimen292 +\lst@newlines=\count326 +\lst@lineno=\count327 +\lst@maxwidth=\dimen293 
(/usr/share/texlive/texmf-dist/tex/latex/listings/lstmisc.sty -File: lstmisc.sty 2020/03/24 1.8d (Carsten Heinz) -\c@lstnumber=\count347 -\lst@skipnumbers=\count348 -\lst@framebox=\box81 +File: lstmisc.sty 2019/09/10 1.8c (Carsten Heinz) +\c@lstnumber=\count328 +\lst@skipnumbers=\count329 +\lst@framebox=\box79 ) (/usr/share/texlive/texmf-dist/tex/latex/listings/listings.cfg -File: listings.cfg 2020/03/24 1.8d listings configuration +File: listings.cfg 2019/09/10 1.8c listings configuration )) -Package: listings 2020/03/24 1.8d (Carsten Heinz) +Package: listings 2019/09/10 1.8c (Carsten Heinz) +(/usr/share/texlive/texmf-dist/tex/latex/adjustbox/adjustbox.sty +Package: adjustbox 2019/01/04 v1.2 Adjusting TeX boxes (trim, clip, ...) + +(/usr/share/texlive/texmf-dist/tex/latex/adjustbox/adjcalc.sty +Package: adjcalc 2012/05/16 v1.1 Provides advanced setlength with multiple back +-ends (calc, etex, pgfmath) +) +(/usr/share/texlive/texmf-dist/tex/latex/adjustbox/trimclip.sty +Package: trimclip 2018/04/08 v1.1 Trim and clip general TeX material + +(/usr/share/texlive/texmf-dist/tex/latex/collectbox/collectbox.sty +Package: collectbox 2012/05/17 v0.4b Collect macro arguments as boxes +\collectedbox=\box80 +) +\tc@llx=\dimen294 +\tc@lly=\dimen295 +\tc@urx=\dimen296 +\tc@ury=\dimen297 +Package trimclip Info: Using driver 'tc-pdftex.def'. 
+ +(/usr/share/texlive/texmf-dist/tex/latex/adjustbox/tc-pdftex.def +File: tc-pdftex.def 2019/01/04 v2.2 Clipping driver for pdftex +)) +\adjbox@Width=\dimen298 +\adjbox@Height=\dimen299 +\adjbox@Depth=\dimen300 +\adjbox@Totalheight=\dimen301 +\adjbox@pwidth=\dimen302 +\adjbox@pheight=\dimen303 +\adjbox@pdepth=\dimen304 +\adjbox@ptotalheight=\dimen305 + +(/usr/share/texlive/texmf-dist/tex/latex/ifoddpage/ifoddpage.sty +Package: ifoddpage 2016/04/23 v1.1 Conditionals for odd/even page detection +\c@checkoddpage=\count330 +) +(/usr/share/texlive/texmf-dist/tex/latex/varwidth/varwidth.sty +Package: varwidth 2009/03/30 ver 0.92; Variable-width minipages +\@vwid@box=\box81 +\sift@deathcycles=\count331 +\@vwid@loff=\dimen306 +\@vwid@roff=\dimen307 +)) (/usr/share/texlive/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tik zlibrarypositioning.code.tex -File: tikzlibrarypositioning.code.tex 2021/05/15 v3.1.9a (3.1.9a) +File: tikzlibrarypositioning.code.tex 2020/01/08 v3.1.5b (3.1.5b) ) (/usr/share/texlive/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tik zlibraryshapes.code.tex -File: tikzlibraryshapes.code.tex 2021/05/15 v3.1.9a (3.1.9a) +File: tikzlibraryshapes.code.tex 2020/01/08 v3.1.5b (3.1.5b) (/usr/share/texlive/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tik zlibraryshapes.geometric.code.tex -File: tikzlibraryshapes.geometric.code.tex 2021/05/15 v3.1.9a (3.1.9a) +File: tikzlibraryshapes.geometric.code.tex 2020/01/08 v3.1.5b (3.1.5b) (/usr/share/texlive/texmf-dist/tex/generic/pgf/libraries/shapes/pgflibraryshape s.geometric.code.tex -File: pgflibraryshapes.geometric.code.tex 2021/05/15 v3.1.9a (3.1.9a) +File: pgflibraryshapes.geometric.code.tex 2020/01/08 v3.1.5b (3.1.5b) )) (/usr/share/texlive/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tik zlibraryshapes.misc.code.tex -File: tikzlibraryshapes.misc.code.tex 2021/05/15 v3.1.9a (3.1.9a) +File: tikzlibraryshapes.misc.code.tex 2020/01/08 v3.1.5b (3.1.5b) 
(/usr/share/texlive/texmf-dist/tex/generic/pgf/libraries/shapes/pgflibraryshape s.misc.code.tex -File: pgflibraryshapes.misc.code.tex 2021/05/15 v3.1.9a (3.1.9a) +File: pgflibraryshapes.misc.code.tex 2020/01/08 v3.1.5b (3.1.5b) )) (/usr/share/texlive/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tik zlibraryshapes.symbols.code.tex -File: tikzlibraryshapes.symbols.code.tex 2021/05/15 v3.1.9a (3.1.9a) +File: tikzlibraryshapes.symbols.code.tex 2020/01/08 v3.1.5b (3.1.5b) (/usr/share/texlive/texmf-dist/tex/generic/pgf/libraries/shapes/pgflibraryshape s.symbols.code.tex -File: pgflibraryshapes.symbols.code.tex 2021/05/15 v3.1.9a (3.1.9a) +File: pgflibraryshapes.symbols.code.tex 2020/01/08 v3.1.5b (3.1.5b) )) (/usr/share/texlive/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tik zlibraryshapes.arrows.code.tex -File: tikzlibraryshapes.arrows.code.tex 2021/05/15 v3.1.9a (3.1.9a) +File: tikzlibraryshapes.arrows.code.tex 2020/01/08 v3.1.5b (3.1.5b) (/usr/share/texlive/texmf-dist/tex/generic/pgf/libraries/shapes/pgflibraryshape s.arrows.code.tex -File: pgflibraryshapes.arrows.code.tex 2021/05/15 v3.1.9a (3.1.9a) +File: pgflibraryshapes.arrows.code.tex 2020/01/08 v3.1.5b (3.1.5b) )) (/usr/share/texlive/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tik zlibraryshapes.callouts.code.tex @@ -899,11 +922,11 @@ zlibraryshapes.callouts.code.tex s.callouts.code.tex)) (/usr/share/texlive/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tik zlibraryshapes.multipart.code.tex -File: tikzlibraryshapes.multipart.code.tex 2021/05/15 v3.1.9a (3.1.9a) +File: tikzlibraryshapes.multipart.code.tex 2020/01/08 v3.1.5b (3.1.5b) (/usr/share/texlive/texmf-dist/tex/generic/pgf/libraries/shapes/pgflibraryshape s.multipart.code.tex -File: pgflibraryshapes.multipart.code.tex 2021/05/15 v3.1.9a (3.1.9a) +File: pgflibraryshapes.multipart.code.tex 2020/01/08 v3.1.5b (3.1.5b) \pgfnodepartlowerbox=\box82 \pgfnodeparttwobox=\box83 \pgfnodepartthreebox=\box84 
@@ -927,20 +950,20 @@ File: pgflibraryshapes.multipart.code.tex 2021/05/15 v3.1.9a (3.1.9a) ))) (/usr/share/texlive/texmf-dist/tex/generic/pgf/frontendlayer/tikz/libraries/tik zlibraryarrows.code.tex -File: tikzlibraryarrows.code.tex 2021/05/15 v3.1.9a (3.1.9a) +File: tikzlibraryarrows.code.tex 2020/01/08 v3.1.5b (3.1.5b) (/usr/share/texlive/texmf-dist/tex/generic/pgf/libraries/pgflibraryarrows.code. tex -File: pgflibraryarrows.code.tex 2021/05/15 v3.1.9a (3.1.9a) -\arrowsize=\dimen301 +File: pgflibraryarrows.code.tex 2020/01/08 v3.1.5b (3.1.5b) +\arrowsize=\dimen308 )) -Package hyperref Warning: Token not allowed in a PDF string (Unicode): -(hyperref) removing `\\' on input line 16. +Package hyperref Warning: Token not allowed in a PDF string (PDFDocEncoding): +(hyperref) removing `\@ifnextchar' on input line 15. -(/usr/share/texlive/texmf-dist/tex/latex/l3backend/l3backend-pdftex.def -File: l3backend-pdftex.def 2022-01-12 L3 backend support: PDF output (pdfTeX) -\l__color_backend_stack_int=\count349 +(/usr/share/texlive/texmf-dist/tex/latex/l3backend/l3backend-pdfmode.def +File: l3backend-pdfmode.def 2020-02-03 L3 backend support: PDF mode +\l__kernel_color_stack_int=\count332 \l__pdf_internal_box=\box102 ) (./slide.aux (./content.aux)) @@ -962,8 +985,6 @@ LaTeX Font Info: Checking defaults for U/cmr/m/n on input line 22. LaTeX Font Info: ... okay on input line 22. LaTeX Font Info: Checking defaults for PD1/pdf/m/n on input line 22. LaTeX Font Info: ... okay on input line 22. -LaTeX Font Info: Checking defaults for PU/pdf/m/n on input line 22. -LaTeX Font Info: ... okay on input line 22. *geometry* driver: auto-detecting *geometry* detected driver: pdftex 
@@ -1001,17 +1022,17 @@ LaTeX Font Info: ... okay on input line 22. (/usr/share/texlive/texmf-dist/tex/context/base/mkii/supp-pdf.mkii [Loading MPS to PDF converter (version 2006.09.02).] -\scratchcounter=\count350 -\scratchdimen=\dimen302 +\scratchcounter=\count333 +\scratchdimen=\dimen309 \scratchbox=\box103 -\nofMPsegments=\count351 -\nofMParguments=\count352 -\everyMPshowfont=\toks52 -\MPscratchCnt=\count353 -\MPscratchDim=\dimen303 -\MPnumerator=\count354 -\makeMPintoPDFobject=\count355 -\everyMPtoPDFconversion=\toks53 +\nofMPsegments=\count334 +\nofMParguments=\count335 +\everyMPshowfont=\toks50 +\MPscratchCnt=\count336 +\MPscratchDim=\dimen310 +\MPnumerator=\count337 +\makeMPintoPDFobject=\count338 +\everyMPtoPDFconversion=\toks51 ) (/usr/share/texlive/texmf-dist/tex/latex/epstopdf-pkg/epstopdf-base.sty Package: epstopdf-base 2020-01-24 v2.11 Base part for package epstopdf Package epstopdf-base Info: Redefining graphics rule for `.eps' on input line 4 @@ -1021,10 +1042,12 @@ Package epstopdf-base Info: Redefining graphics rule for `.eps' on input line 4 File: epstopdf-sys.cfg 2010/07/13 v1.3 Configuration of (r)epstopdf for TeX Liv e )) +ABD: EveryShipout initializing macros +\AtBeginShipoutBox=\box104 Package hyperref Info: Link coloring OFF on input line 22. (/usr/share/texlive/texmf-dist/tex/latex/hyperref/nameref.sty -Package: nameref 2021-04-02 v2.47 Cross-referencing by name of section +Package: nameref 2019/09/16 v2.46 Cross-referencing by name of section (/usr/share/texlive/texmf-dist/tex/latex/refcount/refcount.sty Package: refcount 2019/12/15 v3.6 Data extraction from label references (HO) 
@@ -1032,7 +1055,7 @@ Package: refcount 2019/12/15 v3.6 Data extraction from label references (HO) (/usr/share/texlive/texmf-dist/tex/generic/gettitlestring/gettitlestring.sty Package: gettitlestring 2019/12/15 v1.6 Cleanup title references (HO) ) -\c@section@level=\count356 +\c@section@level=\count339 ) LaTeX Info: Redefining \ref on input line 22. LaTeX Info: Redefining \pageref on input line 22. @@ -1115,9 +1138,9 @@ Dictionary: translator-numbers-dictionary, Language: English ry-English.dict Dictionary: translator-theorem-dictionary, Language: English ) -\c@mv@tabular=\count357 -\c@mv@boldtabular=\count358 -\c@lstlisting=\count359 +\c@mv@tabular=\count340 +\c@mv@boldtabular=\count341 +\c@lstlisting=\count342 (./slide.nav) LaTeX Font Info: Font shape `T1/FiraSans-OsF/m/n' in size <6> not available (Font) Font shape `T1/FiraSans-OsF/regular/n' tried instead on inp @@ -1162,17 +1185,18 @@ ble put line 6. LaTeX Font Info: Font shape `T1/FiraSans-OsF/regular/sc' will be (Font) scaled to size 14.4pt on input line 6. +LaTeX Font Info: Font shape `T1/FiraSans-OsF/m/sc' in size <10> not availabl +e +(Font) Font shape `T1/FiraSans-OsF/regular/sc' tried instead on in +put line 6. +LaTeX Font Info: Font shape `T1/FiraSans-OsF/regular/sc' will be +(Font) scaled to size 10.0pt on input line 6. File: misp.pdf Graphic file (type pdf) Package pdftex.def Info: misp.pdf used on input line 6. -(pdftex.def) Requested size: 105.82272pt x 77.55516pt. -LaTeX Font Info: Font shape `T1/FiraSans-OsF/m/scit' in size <14.4> not avai -lable -(Font) Font shape `T1/FiraSans-OsF/regular/scit' tried instead on -input line 6. -LaTeX Font Info: Font shape `T1/FiraSans-OsF/regular/scit' will be -(Font) scaled to size 14.4pt on input line 6. +(pdftex.def) Requested size: 163.54448pt x 119.85817pt. + (../../includes/authors.txt) LaTeX Font Info: Font shape `T1/FiraSans-OsF/m/n' in size <12> not available (Font) Font shape `T1/FiraSans-OsF/regular/n' tried instead on inp 
@@ -1185,50 +1209,13 @@ e put line 6. LaTeX Font Info: Font shape `T1/FiraSans-OsF/regular/sc' will be (Font) scaled to size 12.0pt on input line 6. -LaTeX Font Info: Trying to load font information for T1+FiraMono-TOsF on inp -ut line 6. + +File: misplogo.pdf Graphic file (type pdf) + +Package pdftex.def Info: misplogo.pdf used on input line 6. +(pdftex.def) Requested size: 55.00186pt x 40.3096pt. -(/usr/share/texlive/texmf-dist/tex/latex/fira/T1FiraMono-TOsF.fd -File: T1FiraMono-TOsF.fd 2019/10/10 (autoinst) Font definitions for T1/FiraMono --TOsF. -) - -LaTeX Font Warning: Font shape `T1/FiraMono-TOsF/m/sc' undefined -(Font) using `T1/FiraMono-TOsF/m/n' instead on input line 6. - -LaTeX Font Info: Font shape `T1/FiraMono-TOsF/m/n' in size <12> not availabl -e -(Font) Font shape `T1/FiraMono-TOsF/regular/n' tried instead on in -put line 6. -LaTeX Font Info: Font shape `T1/FiraMono-TOsF/regular/n' will be -(Font) scaled to size 12.0pt on input line 6. -LaTeX Font Info: Trying to load font information for U+msa on input line 6. -(/usr/share/texlive/texmf-dist/tex/latex/amsfonts/umsa.fd -File: umsa.fd 2013/01/14 v3.01 AMS symbols A -) -LaTeX Font Info: Trying to load font information for U+msb on input line 6. - -(/usr/share/texlive/texmf-dist/tex/latex/amsfonts/umsb.fd -File: umsb.fd 2013/01/14 v3.01 AMS symbols B -) -LaTeX Font Info: Font shape `T1/FiraSans-OsF/m/it' in size <12> not availabl -e -(Font) Font shape `T1/FiraSans-OsF/regular/it' tried instead on in -put line 6. -LaTeX Font Info: Font shape `T1/FiraSans-OsF/regular/it' will be -(Font) scaled to size 12.0pt on input line 6. -LaTeX Font Info: Font shape `T1/FiraSans-OsF/m/it' in size <8> not available - -(Font) Font shape `T1/FiraSans-OsF/regular/it' tried instead on in -put line 6. -LaTeX Font Info: Font shape `T1/FiraSans-OsF/regular/it' will be -(Font) scaled to size 8.0pt on input line 6. 
-LaTeX Font Info: Font shape `T1/FiraSans-OsF/m/it' in size <6> not available - -(Font) Font shape `T1/FiraSans-OsF/regular/it' tried instead on in -put line 6. -LaTeX Font Info: Font shape `T1/FiraSans-OsF/regular/it' will be -(Font) scaled to size 6.0pt on input line 6. +(../../includes/location.txt) LaTeX Font Info: Font shape `T1/FiraSans-OsF/m/n' in size <4> not available (Font) Font shape `T1/FiraSans-OsF/regular/n' tried instead on inp ut line 6. 
@@ -1237,100 +1224,155 @@ LaTeX Font Info: Font shape `T1/FiraSans-OsF/regular/n' will be [1 -{/var/lib/texmf/fonts/map/pdftex/updmap/pdftex.map} <./misp.pdf>] +{/var/lib/texmf/fonts/map/pdftex/updmap/pdftex.map} <./misp.pdf> <./misplogo.pd +f + +pdfTeX warning: pdflatex (file ./misplogo.pdf): PDF inclusion: multiple pdfs wi +th page group included in a single page +>] LaTeX Font Info: Font shape `T1/FiraSans-OsF/b/n' in size <10.95> not availa ble (Font) Font shape `T1/FiraSans-OsF/bold/n' tried instead on input -line 24. +line 18. LaTeX Font Info: Font shape `T1/FiraSans-OsF/bold/n' will be -(Font) scaled to size 10.95pt on input line 24. +(Font) scaled to size 10.95pt on input line 18. + [2 + +] +LaTeX Font Info: Font shape `T1/FiraSans-OsF/m/n' in size <24.88> not availa +ble +(Font) Font shape `T1/FiraSans-OsF/regular/n' tried instead on inp +ut line 25. +LaTeX Font Info: Font shape `T1/FiraSans-OsF/regular/n' will be +(Font) scaled to size 24.88pt on input line 25. +LaTeX Font Info: Font shape `T1/FiraSans-OsF/m/it' in size <10.95> not avail +able +(Font) Font shape `T1/FiraSans-OsF/regular/it' tried instead on in +put line 25. +LaTeX Font Info: Font shape `T1/FiraSans-OsF/regular/it' will be +(Font) scaled to size 10.95pt on input line 25. + [3 + +] +LaTeX Font Info: Font shape `T1/FiraSans-OsF/b/n' in size <14.4> not availab +le +(Font) Font shape `T1/FiraSans-OsF/bold/n' tried instead on input +line 35. +LaTeX Font Info: Font shape `T1/FiraSans-OsF/bold/n' will be +(Font) scaled to size 14.4pt on input line 35. +LaTeX Font Info: Trying to load font information for U+msa on input line 35. + + (/usr/share/texlive/texmf-dist/tex/latex/amsfonts/umsa.fd +File: umsa.fd 2013/01/14 v3.01 AMS symbols A +) +LaTeX Font Info: Trying to load font information for U+msb on input line 35. 
+ + +(/usr/share/texlive/texmf-dist/tex/latex/amsfonts/umsb.fd +File: umsb.fd 2013/01/14 v3.01 AMS symbols B +) LaTeX Font Info: Font shape `T1/FiraSans-OsF/m/n' in size <10> not available (Font) Font shape `T1/FiraSans-OsF/regular/n' tried instead on inp -ut line 24. +ut line 35. LaTeX Font Info: Font shape `T1/FiraSans-OsF/regular/n' will be -(Font) scaled to size 10.0pt on input line 24. +(Font) scaled to size 10.0pt on input line 35. LaTeX Font Info: Font shape `T1/FiraSans-OsF/m/n' in size <7> not available (Font) Font shape `T1/FiraSans-OsF/regular/n' tried instead on inp -ut line 24. +ut line 35. LaTeX Font Info: Font shape `T1/FiraSans-OsF/regular/n' will be -(Font) scaled to size 7.0pt on input line 24. -LaTeX Font Info: Font shape `T1/FiraSans-OsF/m/n' in size <5> not available -(Font) Font shape `T1/FiraSans-OsF/regular/n' tried instead on inp -ut line 24. -LaTeX Font Info: Font shape `T1/FiraSans-OsF/regular/n' will be -(Font) scaled to size 5.0pt on input line 24. +(Font) scaled to size 7.0pt on input line 35. +LaTeX Font Info: Font shape `T1/FiraSans-OsF/m/it' in size <14.4> not availa +ble +(Font) Font shape `T1/FiraSans-OsF/regular/it' tried instead on in +put line 35. +LaTeX Font Info: Font shape `T1/FiraSans-OsF/regular/it' will be +(Font) scaled to size 14.4pt on input line 35. LaTeX Font Info: Font shape `T1/FiraSans-OsF/m/it' in size <10> not availabl e (Font) Font shape `T1/FiraSans-OsF/regular/it' tried instead on in -put line 24. +put line 35. LaTeX Font Info: Font shape `T1/FiraSans-OsF/regular/it' will be -(Font) scaled to size 10.0pt on input line 24. +(Font) scaled to size 10.0pt on input line 35. LaTeX Font Info: Font shape `T1/FiraSans-OsF/m/it' in size <7> not available (Font) Font shape `T1/FiraSans-OsF/regular/it' tried instead on in -put line 24. +put line 35. LaTeX Font Info: Font shape `T1/FiraSans-OsF/regular/it' will be -(Font) scaled to size 7.0pt on input line 24. +(Font) scaled to size 7.0pt on input line 35. 
+LaTeX Font Info: Font shape `T1/FiraSans-OsF/m/n' in size <9> not available +(Font) Font shape `T1/FiraSans-OsF/regular/n' tried instead on inp +ut line 35. +LaTeX Font Info: Font shape `T1/FiraSans-OsF/regular/n' will be +(Font) scaled to size 9.0pt on input line 35. +LaTeX Font Info: Font shape `T1/FiraSans-OsF/m/n' in size <5> not available +(Font) Font shape `T1/FiraSans-OsF/regular/n' tried instead on inp +ut line 35. +LaTeX Font Info: Font shape `T1/FiraSans-OsF/regular/n' will be +(Font) scaled to size 5.0pt on input line 35. +LaTeX Font Info: Font shape `T1/FiraSans-OsF/m/it' in size <9> not available + +(Font) Font shape `T1/FiraSans-OsF/regular/it' tried instead on in +put line 35. +LaTeX Font Info: Font shape `T1/FiraSans-OsF/regular/it' will be +(Font) scaled to size 9.0pt on input line 35. +LaTeX Font Info: Font shape `T1/FiraSans-OsF/m/it' in size <6> not available + +(Font) Font shape `T1/FiraSans-OsF/regular/it' tried instead on in +put line 35. +LaTeX Font Info: Font shape `T1/FiraSans-OsF/regular/it' will be +(Font) scaled to size 6.0pt on input line 35. LaTeX Font Info: Font shape `T1/FiraSans-OsF/m/it' in size <5> not available (Font) Font shape `T1/FiraSans-OsF/regular/it' tried instead on in -put line 24. +put line 35. LaTeX Font Info: Font shape `T1/FiraSans-OsF/regular/it' will be -(Font) scaled to size 5.0pt on input line 24. - [2 +(Font) scaled to size 5.0pt on input line 35. + [4 ] LaTeX Font Info: Font shape `T1/FiraSans-OsF/b/n' in size <10> not available (Font) Font shape `T1/FiraSans-OsF/bold/n' tried instead on input -line 41. +line 48. LaTeX Font Info: Font shape `T1/FiraSans-OsF/bold/n' will be -(Font) scaled to size 10.0pt on input line 41. - [3 - -] [4 - -] -LaTeX Font Info: Font shape `T1/FiraSans-OsF/m/it' in size <10.95> not avail -able -(Font) Font shape `T1/FiraSans-OsF/regular/it' tried instead on in -put line 70. 
-LaTeX Font Info: Font shape `T1/FiraSans-OsF/regular/it' will be -(Font) scaled to size 10.95pt on input line 70. -LaTeX Font Info: Font shape `T1/FiraSans-OsF/m/n' in size <9> not available -(Font) Font shape `T1/FiraSans-OsF/regular/n' tried instead on inp -ut line 70. -LaTeX Font Info: Font shape `T1/FiraSans-OsF/regular/n' will be -(Font) scaled to size 9.0pt on input line 70. -LaTeX Font Info: Font shape `T1/FiraSans-OsF/m/it' in size <9> not available - -(Font) Font shape `T1/FiraSans-OsF/regular/it' tried instead on in -put line 70. -LaTeX Font Info: Font shape `T1/FiraSans-OsF/regular/it' will be -(Font) scaled to size 9.0pt on input line 70. +(Font) scaled to size 10.0pt on input line 48. [5 ] -LaTeX Font Info: Font shape `T1/FiraSans-OsF/b/n' in size <9> not available -(Font) Font shape `T1/FiraSans-OsF/bold/n' tried instead on input -line 91. -LaTeX Font Info: Font shape `T1/FiraSans-OsF/bold/n' will be -(Font) scaled to size 9.0pt on input line 91. +LaTeX Font Info: Font shape `T1/FiraSans-OsF/m/it' in size <8> not available + +(Font) Font shape `T1/FiraSans-OsF/regular/it' tried instead on in +put line 58. +LaTeX Font Info: Font shape `T1/FiraSans-OsF/regular/it' will be +(Font) scaled to size 8.0pt on input line 58. [6 ] [7 ] -LaTeX Font Info: Font shape `T1/FiraMono-TOsF/m/n' in size <10.95> not avail -able -(Font) Font shape `T1/FiraMono-TOsF/regular/n' tried instead on in -put line 123. -LaTeX Font Info: Font shape `T1/FiraMono-TOsF/regular/n' will be -(Font) scaled to size 10.95pt on input line 123. - [8 +] [9 + +] [10 + +] +LaTeX Font Info: Trying to load font information for T1+FiraMono-TOsF on inp +ut line 120. + (/usr/share/texlive/texmf-dist/tex/latex/fira/T1FiraMono-TOsF.fd +File: T1FiraMono-TOsF.fd 2019/10/10 (autoinst) Font definitions for T1/FiraMono +-TOsF. +) +LaTeX Font Info: Font shape `T1/FiraMono-TOsF/m/n' in size <10> not availabl +e +(Font) Font shape `T1/FiraMono-TOsF/regular/n' tried instead on in +put line 120. 
+LaTeX Font Info: Font shape `T1/FiraMono-TOsF/regular/n' will be +(Font) scaled to size 10.0pt on input line 120. + +[11 + ]) \tf@nav=\write5 \openout5 = `slide.nav'. 
@@ -1341,31 +1383,32 @@ LaTeX Font Info: Font shape `T1/FiraMono-TOsF/regular/n' will be \tf@snm=\write7 \openout7 = `slide.snm'. +Package atveryend Info: Empty hook `BeforeClearDocument' on input line 24. +Package atveryend Info: Empty hook `AfterLastShipout' on input line 24. (./slide.aux (./content.aux)) - -LaTeX Font Warning: Some font shapes were not available, defaults substituted. - +Package atveryend Info: Executing hook `AtVeryEndDocument' on input line 24. +Package atveryend Info: Empty hook `AtEndAfterFileList' on input line 24. ) Here is how much of TeX's memory you used: - 30169 strings out of 480247 - 621525 string characters out of 5896151 - 870505 words of memory out of 5000000 - 47449 multiletter control sequences out of 15000+600000 - 867316 words of font info for 115 fonts, out of 8000000 for 9000 - 14 hyphenation exceptions out of 8191 - 128i,16n,122p,424b,877s stack positions out of 5000i,500n,10000p,200000b,80000s -{/usr/share/texlive/texmf-dist/fonts/enc/dvips/fira/fir_iln36p.enc}{/usr/shar -e/texlive/texmf-dist/fonts/enc/dvips/fira/fir_d4q673.enc}{/usr/share/texlive/te + 27005 strings out of 481239 + 546503 string characters out of 5920376 + 800773 words of memory out of 5000000 + 41575 multiletter control sequences out of 15000+600000 + 945678 words of font info for 114 fonts, out of 8000000 for 9000 + 1141 hyphenation exceptions out of 8191 + 71i,16n,95p,811b,874s stack positions out of 5000i,500n,10000p,200000b,80000s +{/usr/share/texlive/texmf-dist/fonts/enc/dvips/fira/fir_d4q673.enc}{/usr/shar +e/texlive/texmf-dist/fonts/enc/dvips/fira/fir_iln36p.enc}{/usr/share/texlive/te xmf-dist/fonts/enc/dvips/fira/fir_2mfh3o.enc} -Output written on slide.pdf (8 pages, 209500 bytes). +Output written on slide.pdf (11 pages, 218758 bytes). PDF statistics: - 121 PDF objects out of 1000 (max. 8388607) - 87 compressed objects within 1 object stream - 17 named destinations out of 1000 (max. 
500000) - 48 words of extra memory for PDF output out of 10000 (max. 10000000) + 135 PDF objects out of 1000 (max. 8388607) + 101 compressed objects within 2 object streams + 23 named destinations out of 1000 (max. 500000) + 53 words of extra memory for PDF output out of 10000 (max. 10000000) diff --git a/a.13-misp-stix/slide.nav b/events/20221207-ENISA-CTI-EU/slide.nav similarity index 58% rename from a.13-misp-stix/slide.nav rename to events/20221207-ENISA-CTI-EU/slide.nav index be91ad6..fb73761 100644 --- a/a.13-misp-stix/slide.nav +++ b/events/20221207-ENISA-CTI-EU/slide.nav @@ -14,8 +14,14 @@ \headcommand {\beamer@framepages {7}{7}} \headcommand {\slideentry {0}{0}{8}{8/8}{}{0}} \headcommand {\beamer@framepages {8}{8}} -\headcommand {\beamer@partpages {1}{8}} -\headcommand {\beamer@subsectionpages {1}{8}} -\headcommand {\beamer@sectionpages {1}{8}} -\headcommand {\beamer@documentpages {8}} -\headcommand {\gdef \inserttotalframenumber {7}} +\headcommand {\slideentry {0}{0}{9}{9/9}{}{0}} +\headcommand {\beamer@framepages {9}{9}} +\headcommand {\slideentry {0}{0}{10}{10/10}{}{0}} +\headcommand {\beamer@framepages {10}{10}} +\headcommand {\slideentry {0}{0}{11}{11/11}{}{0}} +\headcommand {\beamer@framepages {11}{11}} +\headcommand {\beamer@partpages {1}{11}} +\headcommand {\beamer@subsectionpages {1}{11}} +\headcommand {\beamer@sectionpages {1}{11}} +\headcommand {\beamer@documentpages {11}} +\headcommand {\gdef \inserttotalframenumber {10}} diff --git a/events/20221207-ENISA-CTI-EU/slide.pdf b/events/20221207-ENISA-CTI-EU/slide.pdf new file mode 100644 index 0000000..29e903f Binary files /dev/null and b/events/20221207-ENISA-CTI-EU/slide.pdf differ diff --git a/events/20221207-ENISA-CTI-EU/slide.snm b/events/20221207-ENISA-CTI-EU/slide.snm new file mode 100644 index 0000000..e69de29 diff --git a/events/20221207-ENISA-CTI-EU/slide.tex b/events/20221207-ENISA-CTI-EU/slide.tex new file mode 100644 index 0000000..628d72f --- /dev/null 
+++ b/events/20221207-ENISA-CTI-EU/slide.tex
@@ -0,0 +1,25 @@
+\documentclass{beamer}
+\usetheme[numbering=progressbar]{focus}
+\definecolor{main}{RGB}{47, 161, 219}
+\definecolor{textcolor}{RGB}{128, 128, 128}
+\definecolor{background}{RGB}{240, 247, 255}
+
+\usepackage[utf8]{inputenc}
+\usepackage{tikz}
+\usepackage{listings}
+\usepackage{adjustbox}
+\usetikzlibrary{positioning}
+\usetikzlibrary{shapes,arrows}
+%\usepackage[T1]{fontenc}
+%\usepackage[scaled]{beramono}
+\author{\small{\input{../../includes/authors.txt}}}
+\title{10 years of MISP}
+\subtitle{{\small What's next in threat intelligence information sharing?}}
+\institute{\includegraphics[scale=0.5]{misplogo.pdf}}
+\titlegraphic{\includegraphics[scale=0.85]{misp.pdf}}
+
+\date{\input{../../includes/location.txt}}
+\begin{document}
+\include{content}
+\end{document}
+
diff --git a/events/20221207-ENISA-CTI-EU/slide.toc b/events/20221207-ENISA-CTI-EU/slide.toc
new file mode 100644
index 0000000..e69de29
diff --git a/events/20221207-ENISA-CTI-EU/taxonomy-workflow.png b/events/20221207-ENISA-CTI-EU/taxonomy-workflow.png
new file mode 100644
index 0000000..f4789ad
Binary files /dev/null and b/events/20221207-ENISA-CTI-EU/taxonomy-workflow.png differ
diff --git a/events/20221207-ENISA-CTI-EU/timeline-misp-overview.png b/events/20221207-ENISA-CTI-EU/timeline-misp-overview.png
new file mode 100644
index 0000000..23ff19b
Binary files /dev/null and b/events/20221207-ENISA-CTI-EU/timeline-misp-overview.png differ
diff --git a/events/20221207-ENISA-CTI-EU/timeline.jpeg b/events/20221207-ENISA-CTI-EU/timeline.jpeg
new file mode 100644
index 0000000..d60db13
Binary files /dev/null and b/events/20221207-ENISA-CTI-EU/timeline.jpeg differ
diff --git a/events/20221207-ENISA-CTI-EU/warning-list-event.png b/events/20221207-ENISA-CTI-EU/warning-list-event.png
new file mode 100644
index 0000000..22c6423
Binary files /dev/null and b/events/20221207-ENISA-CTI-EU/warning-list-event.png differ
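Review bot: `\author{\small{\input{../../includes/authors.txt}}}` puts the braces after `\small`, but `\small` is a font-size switch that takes no argument, so the inner braces do nothing and the size silently applies to the whole `\author` argument; the `\subtitle` line in the same hunk already uses the intended form, so for consistency write `\author{{\small \input{../../includes/authors.txt}}}`. `\include{content}` forces a page break and writes a separate content.aux (the log hunk earlier on this page shows `(./slide.aux (./content.aux))`); since content.tex is a fragment of frames rather than a chapter, `\input{content}` is the usual choice and avoids the extra aux file.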
diff --git a/events/20221207-ENISA-CTI-EU/warning-list.png b/events/20221207-ENISA-CTI-EU/warning-list.png
new file mode 100644
index 0000000..f151ded
Binary files /dev/null and b/events/20221207-ENISA-CTI-EU/warning-list.png differ
diff --git a/events/20221207-ENISA-CTI-EU/workflow_initial.png b/events/20221207-ENISA-CTI-EU/workflow_initial.png
new file mode 100644
index 0000000..7c6b54c
Binary files /dev/null and b/events/20221207-ENISA-CTI-EU/workflow_initial.png differ
diff --git a/events/20221207-ENISA-CTI-EU/workflow_initial2.png b/events/20221207-ENISA-CTI-EU/workflow_initial2.png
new file mode 100644
index 0000000..d384c34
Binary files /dev/null and b/events/20221207-ENISA-CTI-EU/workflow_initial2.png differ
diff --git a/events/20221207-ENISA-CTI-EU/x-isac-logo.png b/events/20221207-ENISA-CTI-EU/x-isac-logo.png
new file mode 100755
index 0000000..21c68bc
Binary files /dev/null and b/events/20221207-ENISA-CTI-EU/x-isac-logo.png differ
diff --git a/events/20221215-MISP-Workflows-December-Edition/content.tex b/events/20221215-MISP-Workflows-December-Edition/content.tex
new file mode 100755
index 0000000..72378fe
--- /dev/null
+++ b/events/20221215-MISP-Workflows-December-Edition/content.tex
@@ -0,0 +1,720 @@
+% DO NOT COMPILE THIS FILE DIRECTLY!
+% This is included by the other .tex files.
+
+\begin{frame}[t,plain]
+\titlepage
+\end{frame}
+
+\begin{frame}
+ \frametitle{Automation in MISP: What already exists?}
+ \includegraphics[valign=m,width=16px]{pictures/python-logo.png}\hspace*{0.5em} \textbf{MISP API / PyMISP}
+ \begin{itemize}
+ \item Needs CRON Jobs in place
+ \item Heavy for the server
+ \item Not realtime
+ \end{itemize}
+ \vspace*{1em}
+ \includegraphics[valign=m,width=16px]{pictures/zeromq.png}\hspace*{0.5em} \textbf{PubSub channels}
+ \begin{itemize}
+ \item After the actions happen: No feedback to MISP
+ \item Tougher to put in place \& to share
+ \item Full integration amounts to develop a new tool
+ \end{itemize}
+ \vspace*{0.5em}
+ $\rightarrow$ No way to \textbf{prevent} behavior\\
+ $\rightarrow$ Difficult to setup \textbf{hooks} to execute callbacks
+\end{frame}
+
+\begin{frame}
+ \frametitle{What type of use-cases are we trying to support?}
+ \begin{itemize}
+ \item \textbf{Prevent} default MISP behaviors to happen
+ \begin{itemize}
+ \item Prevent \textbf{publication of events} not passing sanity checks
+ \item Prevent \textbf{querying} thrid-party \textbf{services} with sensitive information
+ \item $\cdots$
+ \end{itemize}
+ \vspace*{1.0em}
+ \item \textbf{Hook} specific actions to run callbacks
+ \begin{itemize}
+ \item \textbf{Automatically run} enrichment services
+ \item Modify data on-the-fly: False positives, enable CTI-Pipeline
+ \item Send notifications in a chat rooms
+ \item $\cdots$
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Simple automation in MISP made easy}
+ \begin{center}
+ \includegraphics[width=0.3\linewidth]{pictures/automation.png}
+ \end{center}
+ \begin{itemize}
+ \item Why?
+ \begin{itemize}
+ \item Everyone loves \textbf{simple automation}
+ \item \textbf{Visual} dataflow programming
+ \item Users want \textbf{more control}
+ \end{itemize}
+ \item How?
+ \begin{itemize}
+ \item \textbf{Drag \& Drop} editor
+ \item Prevent actions \textbf{before they happen}
+ \item Flexible \textbf{Plug \& Play} system
+ \item \textbf{Share} workflows, \textbf{debug} and \textbf{replay}
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Content of the presentation}
+ \begin{itemize}
+ \item MISP Workflows fundamentals
+ \item Demo by examples
+ \item Using the system
+ \item How it can be extended
+ \end{itemize}
+
+ \vspace*{1em}
+ \begin{center}
+ \frame{\includegraphics[width=0.7\linewidth]{pictures/overview.png}}
+ \end{center}
+\end{frame}
+
+\section{Workflow - Fundamentals}
+\begin{frame}
+ \frametitle{How does it work}
+ \begin{center}
+ \frame{\includegraphics[width=0.6\linewidth]{pictures/event-condition-action.png}}
+ \end{center}
+ \begin{enumerate}
+ \item An \textbf{event} happens in MISP
+ \item Check if all \textbf{conditions} are satisfied
+ \item Execute all \textbf{actions}
+ \begin{itemize}
+ \item May prevent MISP to complete its original event
+ \end{itemize}
+ \end{enumerate}
+\end{frame}
+
+\begin{frame}
+ \frametitle{What kind of events?}
+ \includegraphics[width=60px]{pictures/sc-event.png}
+ \vspace*{0.5em}
+ \begin{itemize}
+ \item New MISP Event
+ \item Attribute has been saved
+ \item New discussion post
+ \item New user created
+ \item Query against third-party services
+ \item ...
+ \end{itemize}
+ \vspace*{1em}
+ {\Large \faIcon{question-circle}} Supported events in MISP are called \textbf{Triggers}\\
+ {\Large \faIcon{question-circle}} A \textbf{Trigger} is associated with \textbf{1-and-only-1 Workflow}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Triggers currently available}
+ Currently 10 triggers can be hooked. 3 being \includegraphics[width=36px]{pictures/blocking-workflow.png}.
+ \begin{center}
+ \includegraphics[width=1.0\linewidth]{pictures/triggers.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{What kind of conditions?}
+ \vspace*{0.25em}
+ \includegraphics[width=70px]{pictures/sc-condition.png}
+ \vspace*{0.25em}
+ \begin{itemize}
+ \item An MISP Event is tagged with \texttt{tlp:red}
+ \item The distribution an Attribute is a sharing group
+ \item The creator organisation is \texttt{circl.lu}
+ \item Or any other \textbf{generic} conditions
+ \end{itemize}
+
+ \vspace*{0.5em}
+ {\Large \faIcon{question-circle}} These are also called \textbf{Logic modules}
+ \begin{center}
+ \includegraphics[width=0.43\textwidth]{pictures/logic-module.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Workflow - Logic modules}
+ \begin{itemize}
+ \item \includegraphics[width=12px]{pictures/sc-condition-icon.png} \textbf{logic} modules: Allow to redirect the execution flow.
+ \begin{itemize}
+ \item IF conditions
+ \item Delay execution
+ \end{itemize}
+ \end{itemize}
+ \begin{center}
+ \includegraphics[width=1.0\linewidth]{pictures/logic-module-index.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{What kind of actions?}
+ \vspace*{0.25em}
+ \includegraphics[width=60px]{pictures/sc-action.png}
+ \vspace*{0.25em}
+ \begin{itemize}
+ \item Send an email notification
+ \item Perform enrichments
+ \item Send a chat message on MS Teams
+ \item Attach a local tag
+ \item ...
+ \end{itemize}
+
+ \vspace*{0.5em}
+ {\Large \faIcon{question-circle}} These are also called \textbf{Action modules}
+ \begin{center}
+ \includegraphics[width=0.43\textwidth]{pictures/action-module.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Workflow - Action modules}
+ \begin{itemize}
+ \item \includegraphics[width=12px]{pictures/sc-action-icon.png} \textbf{action} modules: Allow to executes operations
+ \begin{itemize}
+ \item Tag operations
+ \item Send notifications
+ \item Webhooks
+ \item Custom scripts
+ \end{itemize}
+ \end{itemize}
+ \begin{center}
+ \includegraphics[width=1.0\linewidth]{pictures/action-module-index.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{What is a MISP Workflow?}
+ \begin{itemize}
+ \item Sequence of all nodes to be executed in a specific order
+ \item Workflows can be enabled / disabled
+ \item A Workflow is associated to \textbf{1-and-only-1 trigger}
+ \end{itemize}
+ \vspace*{0.5em}
+ \begin{center}
+ \frame{\includegraphics[width=1.0\linewidth]{pictures/simple-workflow.png}}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Workflow execution for Event publish}
+ \begin{itemize}
+ \setlength\itemsep{1em}
+ \item[] \hspace*{-2em}\includegraphics[width=16px]{pictures/sc-event-icon.png} \hspace*{0.25em} An Event is about to be published
+ \begin{itemize}
+ \item The workflow for the \texttt{event-publish} trigger starts
+ \end{itemize}
+ \item[] \hspace*{-2em}\includegraphics[width=16px]{pictures/sc-condition-icon.png} \hspace*{0.25em} Conditions are evaluated
+ \begin{itemize}
+ \item They might change the path taken during the execution
+ \end{itemize}
+ \item[] \hspace*{-2em}\includegraphics[width=16px]{pictures/sc-action-icon.png} \hspace*{0.25em} Actions are executed
+ \begin{itemize}
+ \setlength\itemsep{0.75em}
+ \item {\bf\color{green!50!black}success}: Continue the publishing action
+ \hspace*{-4em}\includegraphics[width=1.0\textwidth]{pictures/log-entry-publish-success.png}
+ \item {\bf\color{red}failure} | \texttt{\color{red}blocked}: Stop publishing and log the reason
+ \hspace*{-4em}\includegraphics[width=1.0\textwidth]{pictures/log-entry-publish-blocked.png}
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Blocking and non-blocking}
+ Two types of workflows:
+ \vspace{0.5em}
+ \begin{itemize}
+ \item[] \hspace*{-2em}\includegraphics[valign=m,width=48px]{pictures/blocking-workflow.png} Workflows
+ \begin{itemize}
+ \item Can prevent / block the original event to happen
+ \item If a \textbf{blocking module}\includegraphics[valign=b,width=12px]{pictures/blocking-module.png} blocks the action
+ \end{itemize}
+ \vspace{0.5em}
+ \item[] \hspace*{-2em}\includegraphics[valign=b,width=56px]{pictures/non-blocking-workflow.png} Workflows execution outcome has no impact
+ \begin{itemize}
+ \item No way to prevent something that happened in the past
+ \end{itemize}
+ \begin{center}
+ \includegraphics[width=0.4\linewidth]{pictures/time-machine.png}
+ \end{center}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Sources of Workflow modules (0)}
+ \begin{itemize}
+ \item \textbf{Trigger} module: MISP Source code \textbf{only}
+ \begin{itemize}
+ \item Get in touch if you want more
+ \end{itemize}
+ \item \textbf{Logic} module: MISP Source code \& \textbf{custom}
+ \item \textbf{Action} module: MISP Source code \& \textbf{custom}
+ \end{itemize}
+ \vspace*{2.0em}
+ \begin{itemize}
+ \item MISP Source code $\rightarrow$ Built-in \textbf{text} module
+ \item Custom $\rightarrow$ Write your own at 2 places
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Sources of Workflow modules (1)}
+ \begin{itemize}
+ \item Built-in \textbf{default} modules
+ \begin{itemize}
+ \item Part of the MISP codebase
+ \item Get in touch if you want us to increase the selection!
+ \end{itemize}
+ \end{itemize}
+ \vspace*{0.5em}
+ \begin{center}
+ \includegraphics[width=0.8\linewidth]{pictures/module-buffet.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Sources of Workflow modules (2)}
+ User-defined \textbf{custom} modules
+ \vspace*{0.5em}
+ \begin{columns}
+ \begin{column}{0.5\textwidth}
+ \begin{itemize}
+ \item Written in PHP
+ \item Extend existing modules
+ \item MISP code reuse
+ \end{itemize}
+ \end{column}
+ \begin{column}{0.5\textwidth}
+ \includegraphics[width=1.0\linewidth]{pictures/php-joke.jpg}
+ \end{column}
+ \end{columns}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Sources of Workflow modules (3)}
+ Modules from the \includegraphics[width=0.20\linewidth]{pictures/misp-module-icon.png} \textbf{enrichment service}
+ \vspace*{0.5em}
+ \begin{columns}
+ \begin{column}{0.50\textwidth}
+ \begin{itemize}
+ \item Written in Python
+ \item Can use any python libraries
+ \item Plug \& Play
+ \end{itemize}
+ \end{column}
+ \begin{column}{0.50\textwidth}
+ \includegraphics[width=1.0\linewidth]{pictures/python-joke.png}
+ \end{column}
+ \end{columns}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Demo by examples}
+ \begin{enumerate}
+ \item[WF-1.] Send an email to \textbf{all} when a new event has been pulled
+ \vspace*{2em}
+ \item[WF-2.] Block queries on 3rd party services when \textbf{tlp:red} or \textbf{PAP:red}
+ \begin{itemize}
+ \item \textbf{tlp:red}: For the eyes and ears of individual recipients only
+ \item \textbf{PAP:RED}: Only passive actions that are not detectable from the outside
+ \end{itemize}
+ \end{enumerate}
+\end{frame}
+
+\section{Workflow - Getting started}
+\begin{frame}
+ \frametitle{Getting started with workflows (1)}
+ \begin{center}
+ \includegraphics[width=0.9\linewidth]{pictures/workflow-release.png}
+ \end{center}
+ \begin{enumerate}
+ \item Update your MISP server
+ \item Update all your sub-modules
+ \end{enumerate}
+ \begin{center}
+ \includegraphics[width=0.6\textwidth]{pictures/upgrade-people.jpeg}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Getting started with workflows (4)}
+ \centering
+ {\Large Everything is ready?}\\
+ \vspace*{3em}
+ {\LARGE Let's see how to build a workflow!}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Creating a workflow with the editor}
+ \begin{enumerate}
+ \item Prevent event publication if \textbf{tlp:red} tag
+ \item Send a mail to \texttt{admin@admin.test} about potential data leak
+ \item Otherwise, send a notification on Mattermost
+ \end{enumerate}
+\end{frame}
+
+\section{Considerations when working with workflows}
+\begin{frame}
+ \frametitle{Working with the editor - Operations not allowed}
+ Execution loop are not authorized
+ \vspace*{1em}
+ \begin{columns}
+ \begin{column}{0.7\textwidth}
+ \frame{\includegraphics[width=1.0\linewidth]{pictures/editor-not-allowed-1.png}}
+ \end{column}
+ \begin{column}{0.3\textwidth}
+ \frame{\includegraphics[width=1.0\linewidth]{pictures/infinite-loop.jpg}}
+ \end{column}
+ \end{columns}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Recursive workflows}
+ \frame{\includegraphics[width=1.0\linewidth]{pictures/recursive-workflow.png}}
+ \danger Recursion: If an action re-run the workflow
+\end{frame}
+
+\begin{frame}
+ \frametitle{Working with the editor - Operations not allowed}
+ Multiple connections from the same output
+ \vspace*{1em}
+ \begin{columns}
+ \begin{column}{0.7\textwidth}
+ \frame{\includegraphics[width=1.0\linewidth]{pictures/editor-not-allowed-2.png}}
+ \end{column}
+ \begin{column}{0.3\textwidth}
+ \frame{\includegraphics[width=1.0\linewidth]{pictures/two-paths.jpeg}}
+ \end{column}
+ \end{columns}
+ \begin{itemize}
+ \item Execution order not guaranted
+ \item Confusing for users
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Working with the editor}
+ Cases showing a warning:
+ \begin{itemize}
+ \item \textbf{Blocking} modules \includegraphics[width=10px]{pictures/blocking-module.png} in a \includegraphics[valign=b,width=56px]{pictures/non-blocking-workflow.png} workflow \includegraphics[width=0.12\linewidth]{pictures/time-machine.png}
+ \item \textbf{Blocking} modules \includegraphics[width=10px]{pictures/blocking-module.png} after a \textbf{concurrent tasks} module
+ \begin{center}
+ \frame{\includegraphics[width=1.0\linewidth]{pictures/editor-warning-1.png}}
+ \end{center}
+ \end{itemize}
+\end{frame}
+
+\section{Advanced usage}
+\begin{frame}
+ \frametitle{Workflow blueprints}
+ \hspace*{0.9\textwidth}\includegraphics[width=32px]{pictures/blueprint-32.png}
+ \vspace*{-2em}
+ \begin{enumerate}
+ \item Blueprints allow to \textbf{re-use parts} of a workflow in another one
+ \item Blueprints can be saved, exported and \textbf{shared}
+ \end{enumerate}
+ \begin{center}
+ \includegraphics[width=0.5\linewidth]{pictures/blueprint-debugging.png}
+ \end{center}
+ Blueprints sources:
+ \begin{enumerate}
+ \item Created or imported by users
+ \item From the \texttt{MISP/misp-workflow-blueprints} repository\footnote{\scriptsize https://github.com/MISP/misp-workflow-blueprints}
+ \end{enumerate}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Data format in Workflows}
+ \begin{center}
+ \includegraphics[width=0.7\linewidth]{pictures/workflow-trigger.png}
+ \end{center}
+ \begin{itemize}
+ \item In most cases, the format is the \textbf{MISP Core format}
+ \begin{itemize}
+ \item Attributes are \textbf{always encapsulated} in the Event or Object
+ \end{itemize}
+ \item But has \textbf{additional properties}
+ \begin{itemize}
+ \item Additional key \textbf{\texttt{\_AttributeFlattened}}
+ \item Additional key \textbf{\texttt{\_allTags}}
+ \item Additional key \textbf{\texttt{inherited}} for Tags
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}[fragile]
+ \frametitle{Hash path filtering}
+ Filtering and checking conditions using hash path expression.
+ \begin{lstlisting}[language=javascript,firstnumber=1]
+ $path_expression = '{n}[name=fred].id';
+ $users = [
+ {'id': 123, 'name': 'fred', 'surname': 'bloggs'},
+ {'id': 245, 'name': 'fred', 'surname': 'smith'},
+ {'id': 356, 'name': 'joe', 'surname': 'smith'},
+ ];
+ $ids = Hash::extract($users, $path_expression);
+ // => $ids will be [123, 245]
+ \end{lstlisting}
+ \begin{columns}
+ \begin{column}{0.6\textwidth}
+ \begin{center}
+ \includegraphics[width=0.7\linewidth]{pictures/attribute-json.png}
+ \end{center}
+ \end{column}
+ \begin{column}{0.4\textwidth}
+ \includegraphics[width=1.0\linewidth]{pictures/module-if-generic.png}
+ \end{column}
+ \end{columns}
+\end{frame}
+
+\begin{frame}[fragile]
+ \frametitle{Hash path filtering}
+
+ \begin{columns}
+ \begin{column}{0.5\textwidth}
+\begin{lstlisting}[language=javascript,firstnumber=1]
+{
+ "Event": {
+ "uuid": ...
+ "timestamp": ...
+ "distribution": ...
+ "Attribute": [
+ {...},
+ {...},
+ ],
+ "Object": [
+ {...},
+ {...},
+ ],
+ "_AttributeFlattened": [
+ {...},
+ {...},
+ ]
+ }
+}
+\end{lstlisting}
+ \end{column}
+ \begin{column}{0.5\textwidth}
+ \begin{center}
+ \includegraphics[width=1.0\linewidth]{pictures/node-filtering.png}
+ \end{center}
+ \end{column}
+ \end{columns}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Logic module: Concurrent Task}
+ \begin{itemize}
+ \item Logic module allowing \textbf{multiple output} connections
+ \item \textbf{Postpone the execution} for remaining modules
+ \item Convert \includegraphics[valign=b,width=44px]{pictures/blocking-workflow.png} \faIcon{long-arrow-alt-right} \includegraphics[valign=b,width=56px]{pictures/non-blocking-workflow.png}
+ \end{itemize}
+ \begin{center}
+ \frame{\includegraphics[width=0.5\linewidth]{pictures/module-concurrent.png}}
+ \end{center}
+\end{frame}
+
+\section{Debugging}
+\begin{frame}
+ \frametitle{Debugging Workflows: Log Entries}
+ \begin{itemize}
+ \item Workflow execution is logged in the application logs:
+ \begin{itemize}
+ \item \texttt{/admin/logs/index}
+ \item Note: Might be phased out as its too verbose
+ \end{itemize}
+ \item Or stored on disk in the following file:
+ \begin{itemize}
+ \item \texttt{/app/tmp/logs/workflow-execution.log}
+ \end{itemize}
+ \end{itemize}
+ \begin{center}
+ \includegraphics[width=1.0\linewidth]{pictures/workflow-debug.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Debugging Workflows: Debug mode}
+ \begin{itemize}
+ \item The \includegraphics[width=70px]{pictures/debug-mode.png} can be turned on for each workflows
+ \item Each nodes will send data to the provided URL
+ \begin{itemize}
+ \item Configure the setting: \texttt{Plugin.Workflow\_debug\_url}
+ \end{itemize}
+ \item Result can be visualized in
+ \begin{itemize}
+ \item \textbf{offline}: \texttt{tools/misp-workflows/webhook-listener.py}
+ \item \textbf{online}: \url{requestbin.com} or similar websites
+ \end{itemize}
+ \end{itemize}
+ \begin{center}
+ \includegraphics[width=0.6\linewidth]{pictures/request-bin.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Debugging modules: Stateless execution}
+ \begin{itemize}
+ \item Test custom modules with custom input
+ \end{itemize}
+ \begin{center}
+ \includegraphics[width=1.0\linewidth]{pictures/stateless-execution.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Debugging modules: Re-running workflows}
+ \begin{itemize}
+ \item Try workflows with custom input
+ \item Re-run workflows to ease debugging
+ \end{itemize}
+ \begin{center}
+ \frame{\includegraphics[width=0.55\linewidth]{pictures/running-workflows.png}}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Debugging options}
+ \begin{columns}
+ \begin{column}{0.6\textwidth}
+ \begin{itemize}
+ \item Workflow \textbf{execution and outcome}
+ \item Module \textbf{execution and outcome}
+ \item \textbf{Live} workflow debugging with module inspection
+ \item \textbf{Re-running/testing} workflows with custom data
+ \item \textbf{Stateless} module execution
+ \end{itemize}
+ \end{column}
+ \begin{column}{0.4\textwidth}
+ \includegraphics[width=1.0\linewidth]{pictures/enough-debugging.jpg}
+ \end{column}
+ \end{columns}
+\end{frame}
+
+\section{Extending the system}
+\begin{frame}
+ \frametitle{Creating a new module in PHP}
+ \begin{center}
+ \includegraphics[scale=0.07]{pictures/PHP-logo.png}
+ \end{center}
+ \vspace*{2em}
+ \begin{itemize}
+ \item \texttt{\small \textbf{app/Lib/}WorkflowModules/action/[module\_name].php}
+ \item Designed to be easilty extended
+ \begin{itemize}
+ \item Helper functions
+ \item Module configuration as variables
+ \item Implement runtime logic
+ \end{itemize}
+ \item Main benefits
+ \begin{itemize}
+ \item Fast
+ \item Re-use existing functionalities
+ \item No need for misp-modules
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Creating a new module in PHP}
+ \begin{center}
+ \includegraphics[width=1.0\linewidth]{pictures/custom-1.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Creating a new module in Python}
+ \begin{center}
+ \includegraphics[scale=0.03]{pictures/python-logo.png}
+ \end{center}
+ \begin{itemize}
+ \item Similar to how other \texttt{misp-modules} are implemented
+ \begin{itemize}
+ \item Helper functions
+ \item Module configuration as variables
+ \item Implement runtime logic
+ \end{itemize}
+ \item Main benefits
+ \begin{itemize}
+ \item Easier than PHP
+ \item Lots of libraries for integration
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Creating a new module in Python}
+ \begin{center}
+ \includegraphics[width=1.0\linewidth]{pictures/custom-2.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{More ideas}
+ \begin{itemize}
+ \item Notification when new users join an instance
+ \item Trigger on any action generating log entries
+ \item Extend existing MISP behavior: Push correlation in another system
+ \item Sanity check to block publishing
+ \item ...
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Under development}
+ Ease data manipulation with \textbf{filtering modules}
+ \begin{center}
+ \includegraphics[width=1.0\textwidth]{pictures/filtering-modules.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Future works}
+ \begin{columns}
+ \begin{column}{0.55\textwidth}
+ \begin{itemize}
+ \item More \includegraphics[width=12px]{pictures/sc-action-icon.png} modules
+ \item More \includegraphics[width=12px]{pictures/sc-condition-icon.png} modules
+ \item More \includegraphics[width=12px]{pictures/sc-event-icon.png} triggers
+ \item More documentation
+ \item Recursion prevention system
+ \item On-the-fly data override?
+ \end{itemize}
+ \end{column}
+ \begin{column}{0.45\textwidth}
+ \includegraphics[width=1.0\linewidth]{pictures/future-works.jpeg}
+ \end{column}
+ \end{columns}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Final words}
+ \begin{columns}
+ \begin{column}{0.6\textwidth}
+ \begin{itemize}
+ \item Designed to \textbf{quickly} and \textbf{cheaply} integrate MISP in CTI pipelines
+ \item \underline{\textbf{Beta}} Feature unlikely to change. But still..
+ \item Waiting for feedback!
+ \begin{itemize}
+ \item New triggers?
+ \item New modules?
+ \item ...
+ \end{itemize}
+ \end{itemize}
+ \end{column}
+ \begin{column}{0.4\textwidth}
+ \includegraphics[width=1.0\linewidth]{pictures/feeling-of-power.jpg}
+ \end{column}
+ \end{columns}
+ \vspace*{0.5em}
+\end{frame}
+
diff --git a/events/20221215-MISP-Workflows-December-Edition/misp.pdf b/events/20221215-MISP-Workflows-December-Edition/misp.pdf
new file mode 100644
index 0000000..f7a3f9d
Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/misp.pdf differ
diff --git a/events/20221215-MISP-Workflows-December-Edition/pictures/PHP-logo.png b/events/20221215-MISP-Workflows-December-Edition/pictures/PHP-logo.png
new file mode 100644
index 0000000..296dfe2
Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/pictures/PHP-logo.png differ
diff --git a/events/20221215-MISP-Workflows-December-Edition/pictures/action-module-index.png b/events/20221215-MISP-Workflows-December-Edition/pictures/action-module-index.png
new file mode 100644
index 0000000..dd9c62d
Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/pictures/action-module-index.png differ
diff --git a/events/20221215-MISP-Workflows-December-Edition/pictures/action-module.png b/events/20221215-MISP-Workflows-December-Edition/pictures/action-module.png
new file mode 100644
index 0000000..6b622e8
Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/pictures/action-module.png differ
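Review bot: The "Debugging Workflows: Debug mode" frame recommends `\url{requestbin.com} or similar websites` as the sink for `Plugin.Workflow\_debug\_url`, yet the same frame says every node posts its data to that URL and the data-format frame describes that payload as the MISP Core format with the whole Event and its Attributes; in the demo scenarios that is `tlp:red`/`PAP:red` material, so a public request bin presumably ships exactly the data the workflows are meant to protect to a third party. A one-line caveat beside the online option would close this, e.g. `\item \danger Debug payloads carry the full Event data: prefer the offline listener, and use a public bin only with test data`. The raw address in `\footnote{\scriptsize https://github.com/MISP/misp-workflow-blueprints}` should be wrapped in `\url{...}` so it links and breaks correctly. Several typos remain in the slide text (`thrid-party`, `guaranted`, `easilty`, `An MISP Event`), and both `lstlisting` blocks are tagged `language=javascript` although the first shows PHP and the second JSON.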
diff --git a/events/20221215-MISP-Workflows-December-Edition/pictures/attribute-json.png b/events/20221215-MISP-Workflows-December-Edition/pictures/attribute-json.png new file mode 100644 index 0000000..4ad2065 Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/pictures/attribute-json.png differ diff --git a/events/20221215-MISP-Workflows-December-Edition/pictures/automation.png b/events/20221215-MISP-Workflows-December-Edition/pictures/automation.png new file mode 100644 index 0000000..d628e0f Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/pictures/automation.png differ diff --git a/events/20221215-MISP-Workflows-December-Edition/pictures/belgian-joke.jpeg b/events/20221215-MISP-Workflows-December-Edition/pictures/belgian-joke.jpeg new file mode 100644 index 0000000..6deff1b Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/pictures/belgian-joke.jpeg differ diff --git a/events/20221215-MISP-Workflows-December-Edition/pictures/blocking-module.png b/events/20221215-MISP-Workflows-December-Edition/pictures/blocking-module.png new file mode 100644 index 0000000..f8a817d Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/pictures/blocking-module.png differ diff --git a/events/20221215-MISP-Workflows-December-Edition/pictures/blocking-workflow.png b/events/20221215-MISP-Workflows-December-Edition/pictures/blocking-workflow.png new file mode 100644 index 0000000..145cc12 Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/pictures/blocking-workflow.png differ diff --git a/events/20221215-MISP-Workflows-December-Edition/pictures/blueprint-1.png b/events/20221215-MISP-Workflows-December-Edition/pictures/blueprint-1.png new file mode 100644 index 0000000..1e3acbf Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/pictures/blueprint-1.png differ 
diff --git a/events/20221215-MISP-Workflows-December-Edition/pictures/blueprint-32.png b/events/20221215-MISP-Workflows-December-Edition/pictures/blueprint-32.png new file mode 100644 index 0000000..8d1d4c6 Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/pictures/blueprint-32.png differ diff --git a/events/20221215-MISP-Workflows-December-Edition/pictures/blueprint-debugging.png b/events/20221215-MISP-Workflows-December-Edition/pictures/blueprint-debugging.png new file mode 100644 index 0000000..c2974e7 Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/pictures/blueprint-debugging.png differ diff --git a/events/20221215-MISP-Workflows-December-Edition/pictures/ctis.png b/events/20221215-MISP-Workflows-December-Edition/pictures/ctis.png new file mode 100644 index 0000000..aef68a5 Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/pictures/ctis.png differ diff --git a/events/20221215-MISP-Workflows-December-Edition/pictures/custom-1.png b/events/20221215-MISP-Workflows-December-Edition/pictures/custom-1.png new file mode 100644 index 0000000..afadf8e Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/pictures/custom-1.png differ diff --git a/events/20221215-MISP-Workflows-December-Edition/pictures/custom-2.png b/events/20221215-MISP-Workflows-December-Edition/pictures/custom-2.png new file mode 100644 index 0000000..0dad53f Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/pictures/custom-2.png differ diff --git a/events/20221215-MISP-Workflows-December-Edition/pictures/debug-mode.png b/events/20221215-MISP-Workflows-December-Edition/pictures/debug-mode.png new file mode 100644 index 0000000..ba7688d Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/pictures/debug-mode.png differ 
diff --git a/events/20221215-MISP-Workflows-December-Edition/pictures/editor-1.png b/events/20221215-MISP-Workflows-December-Edition/pictures/editor-1.png new file mode 100644 index 0000000..c8c3edf Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/pictures/editor-1.png differ diff --git a/events/20221215-MISP-Workflows-December-Edition/pictures/editor-not-allowed-1.png b/events/20221215-MISP-Workflows-December-Edition/pictures/editor-not-allowed-1.png new file mode 100644 index 0000000..d4dc939 Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/pictures/editor-not-allowed-1.png differ diff --git a/events/20221215-MISP-Workflows-December-Edition/pictures/editor-not-allowed-2.png b/events/20221215-MISP-Workflows-December-Edition/pictures/editor-not-allowed-2.png new file mode 100644 index 0000000..538bb3f Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/pictures/editor-not-allowed-2.png differ diff --git a/events/20221215-MISP-Workflows-December-Edition/pictures/editor-warning-1.png b/events/20221215-MISP-Workflows-December-Edition/pictures/editor-warning-1.png new file mode 100644 index 0000000..8370f96 Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/pictures/editor-warning-1.png differ diff --git a/events/20221215-MISP-Workflows-December-Edition/pictures/enough-debugging.jpg b/events/20221215-MISP-Workflows-December-Edition/pictures/enough-debugging.jpg new file mode 100644 index 0000000..f17c14c Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/pictures/enough-debugging.jpg differ diff --git a/events/20221215-MISP-Workflows-December-Edition/pictures/event-condition-action.png b/events/20221215-MISP-Workflows-December-Edition/pictures/event-condition-action.png new file mode 100644 index 0000000..0ee3afe Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/pictures/event-condition-action.png differ 
diff --git a/events/20221215-MISP-Workflows-December-Edition/pictures/example-1a.png b/events/20221215-MISP-Workflows-December-Edition/pictures/example-1a.png new file mode 100644 index 0000000..e4df2d5 Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/pictures/example-1a.png differ diff --git a/events/20221215-MISP-Workflows-December-Edition/pictures/example-2a.png b/events/20221215-MISP-Workflows-December-Edition/pictures/example-2a.png new file mode 100644 index 0000000..ce103af Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/pictures/example-2a.png differ diff --git a/events/20221215-MISP-Workflows-December-Edition/pictures/feeling-of-power.jpg b/events/20221215-MISP-Workflows-December-Edition/pictures/feeling-of-power.jpg new file mode 100644 index 0000000..b84c299 Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/pictures/feeling-of-power.jpg differ diff --git a/events/20221215-MISP-Workflows-December-Edition/pictures/filtering-modules.png b/events/20221215-MISP-Workflows-December-Edition/pictures/filtering-modules.png new file mode 100644 index 0000000..9ca53e3 Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/pictures/filtering-modules.png differ diff --git a/events/20221215-MISP-Workflows-December-Edition/pictures/first-cti.png b/events/20221215-MISP-Workflows-December-Edition/pictures/first-cti.png new file mode 100644 index 0000000..5d8fec1 Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/pictures/first-cti.png differ diff --git a/events/20221215-MISP-Workflows-December-Edition/pictures/future-works.jpeg b/events/20221215-MISP-Workflows-December-Edition/pictures/future-works.jpeg new file mode 100644 index 0000000..874805d Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/pictures/future-works.jpeg differ 
diff --git a/events/20221215-MISP-Workflows-December-Edition/pictures/geekweek75.jpg b/events/20221215-MISP-Workflows-December-Edition/pictures/geekweek75.jpg new file mode 100644 index 0000000..799e121 Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/pictures/geekweek75.jpg differ diff --git a/events/20221215-MISP-Workflows-December-Edition/pictures/infinite-loop.jpg b/events/20221215-MISP-Workflows-December-Edition/pictures/infinite-loop.jpg new file mode 100644 index 0000000..a45fff7 Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/pictures/infinite-loop.jpg differ diff --git a/events/20221215-MISP-Workflows-December-Edition/pictures/log-entry-publish-blocked.png b/events/20221215-MISP-Workflows-December-Edition/pictures/log-entry-publish-blocked.png new file mode 100644 index 0000000..9ccb098 Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/pictures/log-entry-publish-blocked.png differ diff --git a/events/20221215-MISP-Workflows-December-Edition/pictures/log-entry-publish-success.png b/events/20221215-MISP-Workflows-December-Edition/pictures/log-entry-publish-success.png new file mode 100644 index 0000000..2a26119 Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/pictures/log-entry-publish-success.png differ diff --git a/events/20221215-MISP-Workflows-December-Edition/pictures/logic-module-index.png b/events/20221215-MISP-Workflows-December-Edition/pictures/logic-module-index.png new file mode 100644 index 0000000..736313c Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/pictures/logic-module-index.png differ diff --git a/events/20221215-MISP-Workflows-December-Edition/pictures/logic-module.png b/events/20221215-MISP-Workflows-December-Edition/pictures/logic-module.png new file mode 100644 index 0000000..6a48ce6 Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/pictures/logic-module.png differ 
diff --git a/events/20221215-MISP-Workflows-December-Edition/pictures/misp-module-icon.png b/events/20221215-MISP-Workflows-December-Edition/pictures/misp-module-icon.png
new file mode 100644
index 0000000..6fa189b
Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/pictures/misp-module-icon.png differ
diff --git a/events/20221215-MISP-Workflows-December-Edition/pictures/module-buffet.png b/events/20221215-MISP-Workflows-December-Edition/pictures/module-buffet.png
new file mode 100644
index 0000000..8a4a676
Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/pictures/module-buffet.png differ
diff --git a/events/20221215-MISP-Workflows-December-Edition/pictures/module-concurrent.png b/events/20221215-MISP-Workflows-December-Edition/pictures/module-concurrent.png
new file mode 100644
index 0000000..ba994b4
Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/pictures/module-concurrent.png differ
diff --git a/events/20221215-MISP-Workflows-December-Edition/pictures/module-filtering.png b/events/20221215-MISP-Workflows-December-Edition/pictures/module-filtering.png
new file mode 100644
index 0000000..876d5ad
Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/pictures/module-filtering.png differ
diff --git a/events/20221215-MISP-Workflows-December-Edition/pictures/module-if-generic.png b/events/20221215-MISP-Workflows-December-Edition/pictures/module-if-generic.png
new file mode 100644
index 0000000..c20ec16
Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/pictures/module-if-generic.png differ
diff --git a/events/20221215-MISP-Workflows-December-Edition/pictures/module-type.png b/events/20221215-MISP-Workflows-December-Edition/pictures/module-type.png
new file mode 100644
index 0000000..d869b9d
Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/pictures/module-type.png differ
diff --git a/events/20221215-MISP-Workflows-December-Edition/pictures/no-slides-if-demo.jpg b/events/20221215-MISP-Workflows-December-Edition/pictures/no-slides-if-demo.jpg
new file mode 100644
index 0000000..aeb155d
Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/pictures/no-slides-if-demo.jpg differ
diff --git a/events/20221215-MISP-Workflows-December-Edition/pictures/no-slides-if-demo2.jpg b/events/20221215-MISP-Workflows-December-Edition/pictures/no-slides-if-demo2.jpg
new file mode 100644
index 0000000..38bf7f1
Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/pictures/no-slides-if-demo2.jpg differ
diff --git a/events/20221215-MISP-Workflows-December-Edition/pictures/no-slides-if-demo3.jpg b/events/20221215-MISP-Workflows-December-Edition/pictures/no-slides-if-demo3.jpg
new file mode 100644
index 0000000..61d2a2b
Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/pictures/no-slides-if-demo3.jpg differ
diff --git a/events/20221215-MISP-Workflows-December-Edition/pictures/node-filtering.png b/events/20221215-MISP-Workflows-December-Edition/pictures/node-filtering.png
new file mode 100644
index 0000000..1878ee9
Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/pictures/node-filtering.png differ
diff --git a/events/20221215-MISP-Workflows-December-Edition/pictures/non-blocking-workflow.png b/events/20221215-MISP-Workflows-December-Edition/pictures/non-blocking-workflow.png
new file mode 100644
index 0000000..4ae1495
Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/pictures/non-blocking-workflow.png differ
diff --git a/events/20221215-MISP-Workflows-December-Edition/pictures/overview.png b/events/20221215-MISP-Workflows-December-Edition/pictures/overview.png
new file mode 100644
index 0000000..0a5a3d3
Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/pictures/overview.png differ
diff --git a/events/20221215-MISP-Workflows-December-Edition/pictures/php-joke.jpg b/events/20221215-MISP-Workflows-December-Edition/pictures/php-joke.jpg
new file mode 100644
index 0000000..0abc16d
Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/pictures/php-joke.jpg differ
diff --git a/events/20221215-MISP-Workflows-December-Edition/pictures/psyduck.jpeg b/events/20221215-MISP-Workflows-December-Edition/pictures/psyduck.jpeg
new file mode 100644
index 0000000..8e54f30
Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/pictures/psyduck.jpeg differ
diff --git a/events/20221215-MISP-Workflows-December-Edition/pictures/python-joke.png b/events/20221215-MISP-Workflows-December-Edition/pictures/python-joke.png
new file mode 100644
index 0000000..0ce5189
Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/pictures/python-joke.png differ
diff --git a/events/20221215-MISP-Workflows-December-Edition/pictures/python-logo.png b/events/20221215-MISP-Workflows-December-Edition/pictures/python-logo.png
new file mode 100644
index 0000000..2416f26
Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/pictures/python-logo.png differ
diff --git a/events/20221215-MISP-Workflows-December-Edition/pictures/recursive-workflow.png b/events/20221215-MISP-Workflows-December-Edition/pictures/recursive-workflow.png
new file mode 100644
index 0000000..c56eb72
Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/pictures/recursive-workflow.png differ
diff --git a/events/20221215-MISP-Workflows-December-Edition/pictures/request-bin.png b/events/20221215-MISP-Workflows-December-Edition/pictures/request-bin.png
new file mode 100644
index 0000000..ee355fb
Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/pictures/request-bin.png differ
diff --git a/events/20221215-MISP-Workflows-December-Edition/pictures/running-workflows.png b/events/20221215-MISP-Workflows-December-Edition/pictures/running-workflows.png
new file mode 100644
index 0000000..d591c8f
Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/pictures/running-workflows.png differ
diff --git a/events/20221215-MISP-Workflows-December-Edition/pictures/sc-action-icon.png b/events/20221215-MISP-Workflows-December-Edition/pictures/sc-action-icon.png
new file mode 100644
index 0000000..2ac49b8
Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/pictures/sc-action-icon.png differ
diff --git a/events/20221215-MISP-Workflows-December-Edition/pictures/sc-action.png b/events/20221215-MISP-Workflows-December-Edition/pictures/sc-action.png
new file mode 100644
index 0000000..e8d7a66
Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/pictures/sc-action.png differ
diff --git a/events/20221215-MISP-Workflows-December-Edition/pictures/sc-condition-icon.png b/events/20221215-MISP-Workflows-December-Edition/pictures/sc-condition-icon.png
new file mode 100644
index 0000000..f447a5d
Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/pictures/sc-condition-icon.png differ
diff --git a/events/20221215-MISP-Workflows-December-Edition/pictures/sc-condition.png b/events/20221215-MISP-Workflows-December-Edition/pictures/sc-condition.png
new file mode 100644
index 0000000..bb24b90
Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/pictures/sc-condition.png differ
diff --git a/events/20221215-MISP-Workflows-December-Edition/pictures/sc-event-icon.png b/events/20221215-MISP-Workflows-December-Edition/pictures/sc-event-icon.png
new file mode 100644
index 0000000..d1f70ef
Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/pictures/sc-event-icon.png differ
diff --git a/events/20221215-MISP-Workflows-December-Edition/pictures/sc-event.png b/events/20221215-MISP-Workflows-December-Edition/pictures/sc-event.png
new file mode 100644
index 0000000..b58c120
Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/pictures/sc-event.png differ
diff --git a/events/20221215-MISP-Workflows-December-Edition/pictures/settings-1.png b/events/20221215-MISP-Workflows-December-Edition/pictures/settings-1.png
new file mode 100644
index 0000000..290851b
Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/pictures/settings-1.png differ
diff --git a/events/20221215-MISP-Workflows-December-Edition/pictures/settings-2.png b/events/20221215-MISP-Workflows-December-Edition/pictures/settings-2.png
new file mode 100644
index 0000000..712a31a
Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/pictures/settings-2.png differ
diff --git a/events/20221215-MISP-Workflows-December-Edition/pictures/simple-workflow.png b/events/20221215-MISP-Workflows-December-Edition/pictures/simple-workflow.png
new file mode 100644
index 0000000..f494348
Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/pictures/simple-workflow.png differ
diff --git a/events/20221215-MISP-Workflows-December-Edition/pictures/stateless-execution.png b/events/20221215-MISP-Workflows-December-Edition/pictures/stateless-execution.png
new file mode 100644
index 0000000..fa513b3
Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/pictures/stateless-execution.png differ
diff --git a/events/20221215-MISP-Workflows-December-Edition/pictures/time-machine.png b/events/20221215-MISP-Workflows-December-Edition/pictures/time-machine.png
new file mode 100644
index 0000000..494153a
Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/pictures/time-machine.png differ
diff --git a/events/20221215-MISP-Workflows-December-Edition/pictures/triggers.png b/events/20221215-MISP-Workflows-December-Edition/pictures/triggers.png
new file mode 100644
index 0000000..ba637cc
Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/pictures/triggers.png differ
diff --git a/events/20221215-MISP-Workflows-December-Edition/pictures/two-paths.jpeg b/events/20221215-MISP-Workflows-December-Edition/pictures/two-paths.jpeg
new file mode 100644
index 0000000..93542ca
Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/pictures/two-paths.jpeg differ
diff --git a/events/20221215-MISP-Workflows-December-Edition/pictures/upgrade-people.jpeg b/events/20221215-MISP-Workflows-December-Edition/pictures/upgrade-people.jpeg
new file mode 100644
index 0000000..1e6ddde
Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/pictures/upgrade-people.jpeg differ
diff --git a/events/20221215-MISP-Workflows-December-Edition/pictures/whoami.png b/events/20221215-MISP-Workflows-December-Edition/pictures/whoami.png
new file mode 100644
index 0000000..eba7518
Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/pictures/whoami.png differ
diff --git a/events/20221215-MISP-Workflows-December-Edition/pictures/whoami2.png b/events/20221215-MISP-Workflows-December-Edition/pictures/whoami2.png
new file mode 100644
index 0000000..46066cd
Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/pictures/whoami2.png differ
diff --git a/events/20221215-MISP-Workflows-December-Edition/pictures/workflow-debug.png b/events/20221215-MISP-Workflows-December-Edition/pictures/workflow-debug.png
new file mode 100644
index 0000000..a2a932f
Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/pictures/workflow-debug.png differ
diff --git a/events/20221215-MISP-Workflows-December-Edition/pictures/workflow-experimental.png b/events/20221215-MISP-Workflows-December-Edition/pictures/workflow-experimental.png
new file mode 100644
index 0000000..96e05ec
Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/pictures/workflow-experimental.png differ
diff --git a/events/20221215-MISP-Workflows-December-Edition/pictures/workflow-release.png b/events/20221215-MISP-Workflows-December-Edition/pictures/workflow-release.png
new file mode 100644
index 0000000..1eef024
Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/pictures/workflow-release.png differ
diff --git a/events/20221215-MISP-Workflows-December-Edition/pictures/workflow-trigger.png b/events/20221215-MISP-Workflows-December-Edition/pictures/workflow-trigger.png
new file mode 100644
index 0000000..9ea7fad
Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/pictures/workflow-trigger.png differ
diff --git a/events/20221215-MISP-Workflows-December-Edition/pictures/zeromq.png b/events/20221215-MISP-Workflows-December-Edition/pictures/zeromq.png
new file mode 100644
index 0000000..970e9fc
Binary files /dev/null and b/events/20221215-MISP-Workflows-December-Edition/pictures/zeromq.png differ
diff --git a/events/20221215-MISP-Workflows-December-Edition/slide.tex b/events/20221215-MISP-Workflows-December-Edition/slide.tex
new file mode 100644
index 0000000..af22e84
--- /dev/null
+++ b/events/20221215-MISP-Workflows-December-Edition/slide.tex
@@ -0,0 +1,65 @@
+\documentclass{beamer}
+\usetheme[numbering=progressbar]{focus}
+\definecolor{main}{RGB}{47, 161, 219}
+\definecolor{textcolor}{RGB}{128, 128, 128}
+\definecolor{background}{RGB}{240, 247, 255}
+
+% \usepackage{pgfpages}
+% \setbeameroption{show notes on second screen=right}
+\usepackage[draft]{pdfcomment}
+\newcommand{\pdfnote}[1]{\marginnote{\pdfcomment[icon=note]{#1}}}
+
+\usepackage[utf8]{inputenc}
+\usepackage{tikz}
+\usepackage{listings}
+\usepackage{fontawesome5}
+\usepackage[export]{adjustbox}
+\usepackage{fourier}
+\usetikzlibrary{positioning}
+\usetikzlibrary{shapes,arrows}
+
+\lstdefinelanguage{javascript}{
+ basicstyle=\scriptsize,
+ numbers=left,
+ numberstyle=\scriptsize,
+ stepnumber=1,
+ numbersep=5pt,
+ showstringspaces=false,
+ breaklines=true,
+ frame=lines,
+ keywords={typeof, new, true, false, catch, function, return, null, catch, switch, var, if, in, while, do, else, case, break},
+ %keywordstyle=\color{blue}\bfseries,
+ ndkeywords={class, export, boolean, throw, implements, import, this},
+ ndkeywordstyle=\color{darkgray}\bfseries,
+ identifierstyle=\color{black},
+ sensitive=false,
+ comment=[l]{//},
+ morecomment=[s]{/*}{*/},
+ commentstyle=\color{purple}\ttfamily,
+ %stringstyle=\color{red}\ttfamily,
+ morestring=[b]',
+ morestring=[b]"
+}
+\lstdefinelanguage{text}{
+ basicstyle=\scriptsize,
+ numbers=left,
+ numberstyle=\scriptsize,
+ stepnumber=1,
+ numbersep=5pt,
+ showstringspaces=false,
+ breaklines=true,
+ frame=lines
+}
+
+\title{Automation with MISP Workflows}
+\subtitle{A new way to integrate MISP in your CTI pipelines}
+\author{Sami Mokaddem}
+\date{FIRST Automation SIG}
+\titlegraphic{\vspace*{1em}\includegraphics[scale=0.5]{misp.pdf}\\}
+\institute{MISP Project \\ \url{https://www.misp-project.org/}}
+
+
+\begin{document}
+\include{content}
+\end{document}
+
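Review bot: The `keywords` list of the `javascript` listing language contains `catch` twice (`..., false, catch, function, return, null, catch, switch, ...`); drop the second occurrence. `\pdfnote` expands to `\marginnote{...}`, yet no `marginnote` package is loaded in this preamble, so unless `pdfcomment` or the theme pulls it in, the first `\pdfnote` in content.tex will fail with an undefined control sequence — worth a compile check with `[draft]` removed. `\include{content}` forces a `\clearpage` and cannot be nested; `\input{content}` is the usual form for a partial whose own header says it is only ever included by the other .tex files. The slide_handout.tex hunk that follows repeats this preamble verbatim apart from the two `pgfpages` lines, so a shared preamble file `\input` by both would keep them in sync and avoid fixing the duplicate keyword twice.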
diff --git a/events/20221215-MISP-Workflows-December-Edition/slide.upa b/events/20221215-MISP-Workflows-December-Edition/slide.upa
new file mode 100644
index 0000000..e69de29
diff --git a/events/20221215-MISP-Workflows-December-Edition/slide_handout.tex b/events/20221215-MISP-Workflows-December-Edition/slide_handout.tex
new file mode 100644
index 0000000..cd06a0e
--- /dev/null
+++ b/events/20221215-MISP-Workflows-December-Edition/slide_handout.tex
@@ -0,0 +1,67 @@
+\documentclass{beamer}
+\usetheme[numbering=progressbar]{focus}
+\definecolor{main}{RGB}{47, 161, 219}
+\definecolor{textcolor}{RGB}{128, 128, 128}
+\definecolor{background}{RGB}{240, 247, 255}
+
+% \usepackage{pgfpages}
+% \setbeameroption{show notes on second screen=right}
+\usepackage[draft]{pdfcomment}
+\newcommand{\pdfnote}[1]{\marginnote{\pdfcomment[icon=note]{#1}}}
+
+\usepackage{pgfpages}
+\setbeameroption{show notes on second screen=right}
+\usepackage[utf8]{inputenc}
+\usepackage{tikz}
+\usepackage{listings}
+\usepackage{fontawesome5}
+\usepackage[export]{adjustbox}
+\usepackage{fourier}
+\usetikzlibrary{positioning}
+\usetikzlibrary{shapes,arrows}
+
+\lstdefinelanguage{javascript}{
+ basicstyle=\scriptsize,
+ numbers=left,
+ numberstyle=\scriptsize,
+ stepnumber=1,
+ numbersep=5pt,
+ showstringspaces=false,
+ breaklines=true,
+ frame=lines,
+ keywords={typeof, new, true, false, catch, function, return, null, catch, switch, var, if, in, while, do, else, case, break},
+ %keywordstyle=\color{blue}\bfseries,
+ ndkeywords={class, export, boolean, throw, implements, import, this},
+ ndkeywordstyle=\color{darkgray}\bfseries,
+ identifierstyle=\color{black},
+ sensitive=false,
+ comment=[l]{//},
+ morecomment=[s]{/*}{*/},
+ commentstyle=\color{purple}\ttfamily,
+ %stringstyle=\color{red}\ttfamily,
+ morestring=[b]',
+ morestring=[b]"
+}
+\lstdefinelanguage{text}{
+ basicstyle=\scriptsize,
+ numbers=left,
+ numberstyle=\scriptsize,
+ stepnumber=1,
+ numbersep=5pt,
+ showstringspaces=false,
+ breaklines=true,
+ frame=lines
+}
+
+\title{Automation with MISP Workflows}
+\subtitle{A new way to integrate MISP in your CTI pipelines}
+\author{Sami Mokaddem}
+\date{FIRST Automation SIG}
+\titlegraphic{\vspace*{1em}\includegraphics[scale=0.5]{misp.pdf}\\}
+\institute{MISP Project \\ \url{https://www.misp-project.org/}}
+
+
+\begin{document}
+\include{content}
+\end{document}
+
diff --git a/events/20221215-MISP-Workflows-December-Edition/slide_handout.upa b/events/20221215-MISP-Workflows-December-Edition/slide_handout.upa
new file mode 100644
index 0000000..e69de29
diff --git a/events/20230605-FIRSTCON23-Workflows/clean.sh b/events/20230605-FIRSTCON23-Workflows/clean.sh
new file mode 100755
index 0000000..bc963fd
--- /dev/null
+++ b/events/20230605-FIRSTCON23-Workflows/clean.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+rm *.aux *.listing *.log *.nav *.out *.snm *.toc *.vrb *.upa
diff --git a/events/20230605-FIRSTCON23-Workflows/content.tex b/events/20230605-FIRSTCON23-Workflows/content.tex
new file mode 100755
index 0000000..0296738
--- /dev/null
+++ b/events/20230605-FIRSTCON23-Workflows/content.tex
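Review bot: The `rm` line in clean.sh expands its globs in whatever directory the caller happens to be in, not in the deck's directory, and without `-f` any pattern that matches nothing (a fresh checkout has no `*.listing`, for instance) makes rm print an error and exit non-zero. Pinning the script to its own directory and tolerating missing files is a two-line change: `cd "$(dirname "$0")" || exit 1` before the rm, and `rm -f *.aux *.listing *.log *.nav *.out *.snm *.toc *.vrb *.upa`. The empty `slide.upa` and `slide_handout.upa` files committed in the neighbouring sections match the `*.upa` pattern this script deletes, so they look like build artifacts that should be ignored rather than tracked.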
@@ -0,0 +1,1089 @@ +% DO NOT COMPILE THIS FILE DIRECTLY! +% This is included by the other .tex files. + +\begin{frame}[t,plain] +\titlepage +\end{frame} + +\begin{frame} + \frametitle{\texttt{\$ whoarewe}} + \begin{center} + \includegraphics[width=0.8\linewidth]{pictures/whoarewe.png} + \end{center} + \vspace*{0.5em} + \begin{center} + \frame{\includegraphics[width=0.24\linewidth]{pictures/belgian-joke}} + \end{center} +\end{frame} + +\begin{frame} + \frametitle{Automation in MISP: What already exists?} + \includegraphics[valign=m,width=16px]{pictures/python-logo.png}\hspace*{0.5em} \textbf{MISP API / PyMISP} + \hspace*{0.25em} + \begin{itemize} + \item Needs CRON Jobs in place + \item Potentially heavy for the server + \item Not realtime + \end{itemize} + \vspace*{1em} + \includegraphics[valign=m,width=16px]{pictures/zeromq.png}\hspace*{0.5em} \textbf{PubSub channels} + \hspace*{0.25em} + \begin{itemize} + \item After the actions happen: No feedback to MISP + \item Tougher to put in place \& to share + \item Full integration amounts to develop a new tool + \end{itemize} + \vspace*{0.5em} + $\rightarrow$ No way to \textbf{prevent} behavior\\ + $\rightarrow$ Difficult to setup \textbf{hooks} to execute callbacks +\end{frame} + +\begin{frame} + \frametitle{What type of use-cases are we trying to support?} + \begin{itemize} + \item \textbf{Prevent} default MISP behaviors to happen + \begin{itemize} + \item Prevent \textbf{publication of events} not passing sanity checks + \item Prevent \textbf{querying} thrid-party \textbf{services} with sensitive information + \item $\cdots$ + \end{itemize} + \vspace*{1.0em} + \item \textbf{Hook} specific actions to run callbacks + \begin{itemize} + \item \textbf{Automatically run} enrichment services + \item Modify data on-the-fly: False positives, enable CTI-Pipeline + \item Send notifications in a chat rooms + \item $\cdots$ + \end{itemize} + \end{itemize} +\end{frame} + +\begin{frame} + \frametitle{Simple automation in MISP made 
easy} + \begin{center} + \includegraphics[width=0.3\linewidth]{pictures/automation.png} + \end{center} + \begin{itemize} + \item Why? + \begin{itemize} + \item Everyone loves \textbf{simple automation} + \item \textbf{Visual} dataflow programming + \item Users want \textbf{more control} + \end{itemize} + \item How? + \begin{itemize} + \item \textbf{Drag \& Drop} editor + \item Prevent actions \textbf{before they happen} + \item Flexible \textbf{Plug \& Play} system + \item \textbf{Share} workflows, \textbf{debug} and \textbf{replay} + \end{itemize} + \end{itemize} +\end{frame} + +\begin{frame} + \frametitle{Content of the presentation} + \begin{itemize} + \item MISP Workflows fundamentals + \item Demo with examples + \item Using the system + \item How it can be extended + \end{itemize} + + \vspace*{1em} + \begin{center} + \frame{\includegraphics[width=0.7\linewidth]{pictures/overview.png}} + \end{center} +\end{frame} + +% \section{Workflow - Fundamentals} +\begin{frame} + \frametitle{ + \huge + \linebreak + \linebreak + \linebreak + Workflow - Fundamentals + \vspace{1em} + } + \textbf{Objective:} Start with the foundation to understand the basics + \begin{center} + \includegraphics[width=0.07\linewidth]{pictures/fundation} + \end{center} +\end{frame} + + +\begin{frame} + \frametitle{How does it work} + \begin{center} + \frame{\includegraphics[width=0.6\linewidth]{pictures/event-condition-action.png}} + \end{center} + \begin{enumerate} + \item An \textbf{event} happens in MISP + \item Check if all \textbf{conditions} are satisfied + \item Execute all \textbf{actions} + \begin{itemize} + \item May prevent MISP to complete its original event + \end{itemize} + \end{enumerate} +\end{frame} + +\begin{frame} + \frametitle{What kind of events?} + \includegraphics[width=60px]{pictures/sc-event.png} + \vspace*{0.5em} + \begin{itemize} + \item New MISP Event + \item Attribute has been saved + \item New discussion post + \item New user created + \item Query against third-party 
services + \item ... + \end{itemize} + \vspace*{1em} + {\Large \faIcon{question-circle}} Supported events in MISP are called \textbf{Triggers}\\ + {\Large \faIcon{question-circle}} A \textbf{Trigger} is associated with \textbf{1-and-only-1 Workflow} +\end{frame} + +\begin{frame} + \frametitle{Triggers currently available} + Currently 10 triggers can be hooked. 3 being \includegraphics[width=36px]{pictures/blocking-workflow.png}. + \begin{center} + \includegraphics[width=1.0\linewidth]{pictures/triggers.png} + \end{center} +\end{frame} + +\begin{frame} + \frametitle{What kind of conditions?} + \vspace*{0.25em} + \includegraphics[width=70px]{pictures/sc-condition.png} + \vspace*{0.25em} + \begin{itemize} + \item A MISP Event is tagged with \texttt{tlp:red} + \item The distribution of an Attribute is a sharing group + \item The creator organisation is \texttt{circl.lu} + \item Or any other \textbf{generic} conditions + \end{itemize} + + \vspace*{0.5em} + {\Large \faIcon{question-circle}} These are also called \textbf{Logic modules} + \begin{center} + \includegraphics[width=0.43\textwidth]{pictures/logic-module.png} + \end{center} +\end{frame} + +\begin{frame} + \frametitle{Workflow - Logic modules} + \begin{itemize} + \item \includegraphics[width=12px]{pictures/sc-condition-icon.png} \textbf{logic} modules: Allow to redirect the execution flow. + \begin{itemize} + \item IF conditions + \item Delay execution + \end{itemize} + \end{itemize} + \begin{center} + \includegraphics[width=1.0\linewidth]{pictures/logic-module-index.png} + \end{center} +\end{frame} + +\begin{frame} + \frametitle{What kind of actions?} + \vspace*{0.25em} + \includegraphics[width=60px]{pictures/sc-action.png} + \vspace*{0.25em} + \begin{itemize} + \item Send an email notification + \item Perform enrichments + \item Send a chat message on MS Teams + \item Attach a local tag + \item ... 
+ \end{itemize} + + \vspace*{0.5em} + {\Large \faIcon{question-circle}} These are also called \textbf{Action modules} + \begin{center} + \includegraphics[width=0.43\textwidth]{pictures/action-module.png} + \end{center} +\end{frame} + +\begin{frame} + \frametitle{Workflow - Action modules} + \begin{itemize} + \item \includegraphics[width=12px]{pictures/sc-action-icon.png} \textbf{action} modules: Allow to executes operations + \begin{itemize} + \item Tag operations + \item Send notifications + \item Webhooks \& Custom scripts + \end{itemize} + \end{itemize} + \begin{center} + \includegraphics[width=0.95\linewidth]{pictures/action-module-index.png} + \end{center} +\end{frame} + +\begin{frame} + \frametitle{What is a MISP Workflow?} + \begin{itemize} + \item Sequence of all nodes to be executed in a specific order + \item Workflows can be enabled / disabled + \item A Workflow is associated to \textbf{1-and-only-1 trigger} + \end{itemize} + \vspace*{0.5em} + \begin{center} + \frame{\includegraphics[width=1.0\linewidth]{pictures/simple-workflow.png}} + \end{center} +\end{frame} + +\begin{frame} + \frametitle{Workflow execution for Event publish} + \begin{itemize} + \setlength\itemsep{1em} + \item[] \hspace*{-2em}\includegraphics[width=16px]{pictures/sc-event-icon.png} \hspace*{0.25em} An Event is about to be published + \begin{itemize} + \item The workflow for the \texttt{event-publish} trigger starts + \end{itemize} + \item[] \hspace*{-2em}\includegraphics[width=16px]{pictures/sc-condition-icon.png} \hspace*{0.25em} Conditions are evaluated + \begin{itemize} + \item They might change the path taken during the execution + \end{itemize} + \item[] \hspace*{-2em}\includegraphics[width=16px]{pictures/sc-action-icon.png} \hspace*{0.25em} Actions are executed + \begin{itemize} + \setlength\itemsep{0.75em} + \item {\bf\color{green!50!black}success}: Continue the publishing action + \hspace*{-4em}\includegraphics[width=1.0\textwidth]{pictures/log-entry-publish-success.png} + 
\item {\bf\color{red}failure} | \texttt{\color{red}blocked}: Stop publishing and log the reason + \hspace*{-4em}\includegraphics[width=1.0\textwidth]{pictures/log-entry-publish-blocked.png} + \end{itemize} + \end{itemize} +\end{frame} + +\begin{frame} + \frametitle{Blocking and non-blocking} + Two types of workflows: + \vspace{0.5em} + \begin{itemize} + \item[] \hspace*{-2em}\includegraphics[valign=m,width=48px]{pictures/blocking-workflow.png} Workflows + \begin{itemize} + \item Can prevent / block the original event to happen + \item If a \textbf{blocking module}\includegraphics[valign=b,width=12px]{pictures/blocking-module.png} blocks the action + \end{itemize} + \vspace{0.5em} + \item[] \hspace*{-2em}\includegraphics[valign=b,width=56px]{pictures/non-blocking-workflow.png} Workflows execution outcome has no impact + \begin{itemize} + \item No way to prevent something that happened in the past + \end{itemize} + \begin{center} + \includegraphics[width=0.3\linewidth]{pictures/time-machine.png} + \end{center} + \end{itemize} +\end{frame} + +\begin{frame} + \frametitle{Sources of Workflow modules (0)} + Currently 36 built-in modules. + \vspace{1em} + \begin{itemize} + \item \textbf{Trigger} module (11): built-in \textbf{only} + \begin{itemize} + \item Get in touch if you want more + \end{itemize} + \item \textbf{Logic} module (10): built-in \& \textbf{custom} + \item \textbf{Action} module (15): built-in \& \textbf{custom} + \end{itemize} + \vspace*{2.0em} +\end{frame} + +\begin{frame} + \frametitle{Sources of Workflow modules (1)} + \begin{itemize} + \item Built-in \textbf{default} modules + \begin{itemize} + \item Part of the MISP codebase + \item Get in touch if you want us to increase the selection (or merge PR!) 
+ \end{itemize} + \end{itemize} + \vspace*{0.5em} + \begin{center} + \includegraphics[width=0.8\linewidth]{pictures/module-buffet.png} + \end{center} +\end{frame} + +\begin{frame} + \frametitle{Sources of Workflow modules (2)} + User-defined \textbf{custom} modules + \vspace*{0.5em} + \begin{columns} + \begin{column}{0.5\textwidth} + \begin{itemize} + \item Written in PHP + \item Extend existing modules + \item MISP code reuse + \end{itemize} + \end{column} + \begin{column}{0.5\textwidth} + \includegraphics[width=1.0\linewidth]{pictures/php-joke.jpg} + \end{column} + \end{columns} +\end{frame} + +\begin{frame} + \frametitle{Sources of Workflow modules (3)} + Modules from the \includegraphics[width=0.20\linewidth]{pictures/misp-module-icon.png} \textbf{enrichment service} + \vspace*{0.5em} + \begin{columns} + \begin{column}{0.50\textwidth} + \begin{itemize} + \item Written in Python + \item Can use any python libraries + \item Plug \& Play + \end{itemize} + \end{column} + \begin{column}{0.50\textwidth} + \includegraphics[width=1.0\linewidth]{pictures/python-joke.png} + \end{column} + \end{columns} +\end{frame} + +\begin{frame} + \frametitle{Demo by examples} + \begin{enumerate} + \item[WF-1.] Send an email to \textbf{all} when a new event has been pulled + \vspace*{2em} + \item[WF-2.] 
Block queries on 3rd party services when \textbf{tlp:red} or \textbf{PAP:red} + \begin{itemize} + \item \textbf{tlp:red}: For the eyes and ears of individual recipients only + \item \textbf{PAP:RED}: Only passive actions that are not detectable from the outside + \end{itemize} + \end{enumerate} +\end{frame} + +% \section{Workflow - Getting started} +\begin{frame} + \frametitle{ + \huge + \linebreak + \linebreak + \linebreak + Workflow - Getting started + \vspace{1em} + } + \textbf{Objective:} How to install \& configure workflows + \begin{center} + \includegraphics[width=0.2\linewidth]{pictures/getting-started} + \end{center} +\end{frame} + +\begin{frame} + \frametitle{Getting started with workflows (1)} + \begin{center} + \includegraphics[width=0.9\linewidth]{pictures/workflow-release.png} + \end{center} + \begin{enumerate} + \item Update your MISP server + \item Update all your sub-modules + \end{enumerate} + \begin{center} + \includegraphics[width=0.6\textwidth]{pictures/upgrade-people.jpeg} + \end{center} +\end{frame} + +\begin{frame} + \frametitle{Getting started with workflows (2)} + Review MISP settings: + \begin{enumerate} + \item Make sure \texttt{MISP.background\_jobs} is turned on + \item Make sure workers are up-and-running and healthy + \item Turn the setting \texttt{Plugin.Workflow\_enable} on + \end{enumerate} + \begin{center} + \includegraphics[width=1.0\linewidth]{pictures/settings-2.png} + \end{center} +\end{frame} + +\begin{frame} + \frametitle{Getting started with workflows (3)} + Review MISP settings: + \begin{enumerate} + \setcounter{enumi}{3} + \item {[optional:misp-module]} Turn the setting \texttt{Plugin.Action\_services\_enable} on + \end{enumerate} + \begin{center} + \includegraphics[width=1.0\linewidth]{pictures/settings-1.png} + \end{center} +\end{frame} + +\begin{frame}[fragile] + \frametitle{Getting started with workflows (4)} + If you wish to use action modules from \texttt{misp-module}, make sure to have: + \begin{itemize} + \item 
The latest update of \texttt{misp-module} + \begin{itemize} + \item There should be an \texttt{action\_mod} module type in \url{misp-modules/misp\_modules/modules} + \end{itemize} + \item Restarted your \texttt{misp-module} application + \end{itemize} + \vspace{1em} + \begin{lstlisting}[language=text,firstnumber=1] +# This command should show all `action` modules +$ curl -s http://127.0.0.1:6666/modules | \ +jq '.[] | select(.meta."module-type"[] | contains("action")) | +{name: .name, version: .meta.version}' + \end{lstlisting} +\end{frame} + +\begin{frame} + \frametitle{Getting started with workflows (5)} + \centering + {\Large Everything is ready?}\\ + \vspace*{3em} + {\LARGE Let's see how to build a workflow!} + \begin{center} + \includegraphics[width=24px]{pictures/build-icon.png} + \end{center} +\end{frame} + +\begin{frame} + \frametitle{Creating a workflow with the editor} + \begin{enumerate} + \item Prevent event publication if \textbf{tlp:red} tag + \item Send a mail to \texttt{admin@admin.test} about potential data leak + \item Otherwise, send a notification on \textbf{Mattermost}, \textbf{MS Teams}, \textbf{Telegram}, ... 
+ \end{enumerate}
+\end{frame}
+
+% \section{Considerations when working with workflows}
+\begin{frame}
+ \frametitle{
+ \huge
+ \linebreak
+ \linebreak
+ \linebreak
+ Considerations when working with workflows
+ \vspace{1em}
+ }
+ \textbf{Objective:} Overview of some common pitfalls
+ \begin{center}
+ \includegraphics[width=24px]{pictures/radar.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Working with the editor - Operations not allowed}
+ Execution loop are not authorized
+ \vspace*{1em}
+ \begin{columns}
+ \begin{column}{0.7\textwidth}
+ \frame{\includegraphics[width=1.0\linewidth]{pictures/editor-not-allowed-1.png}}
+ \end{column}
+ \begin{column}{0.3\textwidth}
+ \frame{\includegraphics[width=1.0\linewidth]{pictures/infinite-loop.jpg}}
+ \end{column}
+ \end{columns}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Recursive workflows}
+ \frame{\includegraphics[width=1.0\linewidth]{pictures/recursive-workflow.png}}
+ \danger Recursion: If an action re-run the workflow
+\end{frame}
+
+\begin{frame}
+ \frametitle{Working with the editor - Operations not allowed}
+ Multiple connections from the same output
+ \vspace*{1em}
+ \begin{columns}
+ \begin{column}{0.7\textwidth}
+ \frame{\includegraphics[width=1.0\linewidth]{pictures/editor-not-allowed-2.png}}
+ \end{column}
+ \begin{column}{0.3\textwidth}
+ \frame{\includegraphics[width=1.0\linewidth]{pictures/two-paths.jpeg}}
+ \end{column}
+ \end{columns}
+ \begin{itemize}
+ \item Execution order not guaranted
+ \item Confusing for users
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Working with the editor}
+ Cases showing a warning:
+ \begin{itemize}
+ \item \textbf{Blocking} modules \includegraphics[width=10px]{pictures/blocking-module.png} in a \includegraphics[valign=b,width=56px]{pictures/non-blocking-workflow.png} workflow \includegraphics[width=0.12\linewidth]{pictures/time-machine.png}
+ \item \textbf{Blocking} modules \includegraphics[width=10px]{pictures/blocking-module.png} after 
a \textbf{concurrent tasks} module
+ \begin{center}
+ \frame{\includegraphics[width=1.0\linewidth]{pictures/editor-warning-1.png}}
+ \end{center}
+ \end{itemize}
+\end{frame}
+
+% \section{Advanced usage}
+\begin{frame}
+ \frametitle{
+ \huge
+ \linebreak
+ \linebreak
+ \linebreak
+ Advanced usage
+ \vspace{1em}
+ }
+ \textbf{Objective:} Overview of Blueprints, Data format and Filtering
+\end{frame}
+
+\begin{frame}
+ \frametitle{Workflow blueprints}
+ \hspace*{0.9\textwidth}\includegraphics[width=32px]{pictures/blueprint-32.png}
+ \vspace*{-2em}
+ \begin{enumerate}
+ \item Blueprints allow to \textbf{re-use parts} of a workflow in another one
+ \item Blueprints can be saved, exported and \textbf{shared}
+ \end{enumerate}
+ \begin{center}
+ \includegraphics[width=0.5\linewidth]{pictures/blueprint-debugging.png}
+ \end{center}
+ Blueprints sources:
+ \begin{enumerate}
+ \item Created or imported by users
+ \item From the \texttt{MISP/misp-workflow-blueprints} repository\footnote{\scriptsize https://github.com/MISP/misp-workflow-blueprints}
+ \end{enumerate}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Workflow blueprints}
+ Currently, 4 blueprints available:
+ \vspace*{1em}
+ \begin{itemize}
+ \item Attach the \texttt{tlp:clear} tag on elements having the \texttt{tlp:white} tag
+ \item Block actions if any attributes have the \texttt{PAP:RED} or \texttt{tlp:red} tag
+ \item Disable \texttt{to\_ids} flag for existing hash in \textit{hashlookup}
+ \item Set tag based on \textit{BGP Ranking} maliciousness level
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Logic module: Concurrent Task}
+ \begin{itemize}
+ \item Logic module allowing \textbf{multiple output} connections
+ \item \textbf{Postpone the execution} for remaining modules
+ \item Convert \includegraphics[valign=b,width=44px]{pictures/blocking-workflow.png} \faIcon{long-arrow-alt-right} \includegraphics[valign=b,width=56px]{pictures/non-blocking-workflow.png}
+ \end{itemize}
+ \begin{center}
+ 
\frame{\includegraphics[width=0.5\linewidth]{pictures/module-concurrent.png}}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Data format in Workflows}
+ \begin{center}
+ \includegraphics[width=0.7\linewidth]{pictures/workflow-trigger.png}
+ \end{center}
+ \begin{itemize}
+ \item In most cases, the format is the \textbf{MISP Core format}
+ \begin{itemize}
+ \item Attributes are \textbf{always encapsulated} in the Event or Object
+ \end{itemize}
+ \item But has \textbf{additional properties}
+ \begin{itemize}
+ \item Additional key \textbf{\texttt{\_AttributeFlattened}}
+ \item Additional key \textbf{\texttt{\_allTags}}
+ \item Additional key \textbf{\texttt{inherited}} for Tags
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}[fragile]
+ \frametitle{Hash path filtering (1)}
+ Filtering and checking conditions using hash path expression.
+ \begin{lstlisting}[language=javascript,firstnumber=1]
+ $path_expression = '{n}[name=fred].id';
+ $users = [
+ {'id': 123, 'name': 'fred', 'surname': 'bloggs'},
+ {'id': 245, 'name': 'fred', 'surname': 'smith'},
+ {'id': 356, 'name': 'joe', 'surname': 'smith'},
+ ];
+ $ids = Hash::extract($users, $path_expression);
+ // => $ids will be [123, 245]
+ \end{lstlisting}
+ \begin{columns}
+ \begin{column}{0.6\textwidth}
+ \begin{center}
+ \includegraphics[width=0.7\linewidth]{pictures/attribute-json.png}
+ \end{center}
+ \end{column}
+ \begin{column}{0.4\textwidth}
+ \includegraphics[width=1.0\linewidth]{pictures/module-if-generic.png}
+ \end{column}
+ \end{columns}
+\end{frame}
+
+\begin{frame}[fragile]
+ \frametitle{Hash path filtering (2)}
+ Hash path filtering can be used to \textbf{filter} data \textbf{on the node} it is passed to or on the \textbf{execution path}. 
+ \begin{center}
+ \includegraphics[width=0.58\linewidth]{pictures/node-filtering.png}
+ \includegraphics[width=0.4\linewidth]{pictures/node-generic-filter.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}[fragile]
+ \frametitle{Hash path filtering - Example}
+
+\begin{lstlisting}[language=javascript,firstnumber=1]
+{
+ "Event": {
+ "uuid": ...
+ "timestamp": ...
+ "distribution": 1,
+ "published": false,
+ "Attribute": [
+ {
+ "type": "ip-src",
+ "value": "8.8.8.8", ...
+ },
+ {
+ "type": "domain",
+ "value": "misp-project.org", ...
+ }
+ ],
+ ...
+ }
+}
+\end{lstlisting}
+ \begin{enumerate}
+ \item Access Event distribution
+ \begin{itemize}
+ \item \texttt{Event.distribution}
+ \end{itemize}
+ \end{enumerate}
+\end{frame}
+
+\begin{frame}[fragile]
+ \frametitle{Hash path filtering - Exercise (1)}
+
+\begin{lstlisting}[language=javascript,firstnumber=1]
+{
+ "Event": {
+ "uuid": ...
+ "distribution": 1,
+ "published": false,
+ "Attribute": [
+ {
+ "type": "ip-src",
+ "value": "8.8.8.8", ...
+ },
+ {
+ "type": "domain",
+ "value": "misp-project.org", ...
+ }
+ ],
+ ...
+ }
+}
+\end{lstlisting}
+ \begin{enumerate}
+ \setcounter{enumi}{1}
+ \item Access Event published state
+ \pause
+ \begin{itemize}
+ \item \texttt{Event.published}
+ \end{itemize}
+ \end{enumerate}
+\end{frame}
+
+\begin{frame}[fragile]
+ \frametitle{Hash path filtering - Exercise (2)}
+
+\begin{lstlisting}[language=javascript,firstnumber=1]
+{
+ "Event": {
+ "uuid": ...
+ "distribution": 1,
+ "published": false,
+ "Attribute": [
+ {
+ "type": "ip-src",
+ "value": "8.8.8.8", ...
+ },
+ {
+ "type": "domain",
+ "value": "misp-project.org", ...
+ }
+ ],
+ ... 
+ }
+}
+\end{lstlisting}
+ \begin{enumerate}
+ \setcounter{enumi}{2}
+ \item Access all Attribute types
+ \begin{itemize}
+ \item Hint: Use \texttt{\bf \{n\}} to loop
+ \pause
+ \item \texttt{Event.Attribute.\{n\}.type}
+ \end{itemize}
+ \end{enumerate}
+\end{frame}
+
+\begin{frame}[fragile]
+ \frametitle{Hash path filtering - Exercise (3)}
+
+\begin{lstlisting}[language=javascript,firstnumber=1]
+{
+ "Event": {
+ "Attribute": [
+ {
+ "type": "ip-src",
+ "value": "8.8.8.8",
+ "Tag": [
+ {
+ "name": "PAP:AMBER", ...
+ }
+ ], ...
+ }
+ ],
+ ...
+ }
+}
+\end{lstlisting}
+ \begin{enumerate}
+ \setcounter{enumi}{2}
+ \item Access all Tags attached to Attributes
+ \pause
+ \begin{itemize}
+ \item \texttt{Event.Attribute.\{n\}.Tag.\{n\}.name}
+ \end{itemize}
+ \end{enumerate}
+\end{frame}
+
+\begin{frame}[fragile]
+ \frametitle{Hash path filtering - Exercise (4)}
+
+\begin{lstlisting}[language=javascript,firstnumber=1]
+{
+ "Event": {
+ "Tag": [
+ {
+ "name": "tlp:green", ...
+ }
+ ], ...
+ "Attribute": [
+ {
+ "value": "8.8.8.8",
+ "Tag": [
+ {
+ "name": "PAP:AMBER", ...
+ }
+ ], ...
+ }
+ ],
+ }
+}
+\end{lstlisting}
+ \begin{enumerate}
+ \setcounter{enumi}{3}
+ \item Access all Tags attached to Attributes and from the Event
+ \pause
+ \begin{itemize}
+ \item \texttt{Event.Attribute.\{n\}.\_allTags.\{n\}.name}
+ \end{itemize}
+ \end{enumerate}
+\end{frame}
+
+\begin{frame}[fragile]
+ \frametitle{Hash path filtering - Exercise (4)}
+
+\begin{lstlisting}[language=javascript,firstnumber=1]
+{
+ "Event": {
+ "Tag": [...],
+ "Attribute": [
+ {
+ "value": "8.8.8.8",
+ "_allTags": [
+ {
+ "name": "tlp:green",
+ "inherited": true, ...
+ },
+ {
+ "name": "PAP:AMBER",
+ "inherited": false, ...
+ }
+ ],
+ }
+ ... 
+}
+\end{lstlisting}
+ \begin{enumerate}
+ \setcounter{enumi}{3}
+ \item Access all Tags attached to Attributes and from the Event
+ \begin{itemize}
+ \item \texttt{Event.Attribute.\{n\}.\_allTags.\{n\}.name}
+ \end{itemize}
+ \end{enumerate}
+\end{frame}
+
+
+\begin{frame}
+ \frametitle{Fitlering data on which to apply a module}
+ What happens when an Event is about to be published?
+ \begin{center}
+ \includegraphics[width=1.0\textwidth]{pictures/remove-ids-1.png}
+ \end{center}
+ \pause
+ \vspace{1em}
+ All Attributes get their \texttt{to\_ids} turned off.\\
+ \vspace{1em}
+ How could we force that action only on Attribute of type \texttt{comment}?
+ \begin{center}
+ $\rightarrow$ Hash path filtering!
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Fitlering data on which to apply a module}
+ \begin{center}
+ \includegraphics[width=0.5\textwidth]{pictures/remove-ids-3.png}
+ \end{center}
+ \begin{center}
+ \includegraphics[width=0.9\textwidth]{pictures/remove-ids-2.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Fitlering data on which to apply on multiple modules}
+ New feature as of \textbf{v2.4.171} allows setting filters on a path. 
+ \begin{center}
+ \includegraphics[width=1.0\textwidth]{pictures/remove-ids-generic.png}
+ \end{center}
+\end{frame}
+
+\section{Exercices}
+\begin{frame}
+ \frametitle{Exercises}
+ \begin{enumerate}
+ \item PAP:RED and tlp:red blocking
+ \item Replace tlp:white by tlp:clear
+ \item Attach tag on attribute having a low value (<50) in bgp ranking
+ \item Remove to\_ids flag for attribute having a match in hashlookup
+ \end{enumerate}
+\end{frame}
+
+\section{Debugging}
+\begin{frame}
+ \frametitle{Debugging Workflows: Log Entries}
+ \begin{itemize}
+ \item Workflow execution is logged in the application logs:
+ \begin{itemize}
+ \item \texttt{/admin/logs/index}
+ \item Note: Might be phased out as its too verbose
+ \end{itemize}
+ \item Or stored on disk in the following file:
+ \begin{itemize}
+ \item \texttt{/app/tmp/logs/workflow-execution.log}
+ \end{itemize}
+ \end{itemize}
+ \begin{center}
+ \includegraphics[width=1.0\linewidth]{pictures/workflow-debug.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Debugging Workflows: Debug mode}
+ \begin{itemize}
+ \item The \includegraphics[width=70px]{pictures/debug-mode.png} can be turned on for each workflows
+ \item Each nodes will send data to the provided URL
+ \begin{itemize}
+ \item Configure the setting: \texttt{Plugin.Workflow\_debug\_url}
+ \end{itemize}
+ \item Result can be visualized in
+ \begin{itemize}
+ \item \textbf{offline}: \texttt{tools/misp-workflows/webhook-listener.py}
+ \item \textbf{online}: \url{requestbin.com} or similar websites
+ \end{itemize}
+ \end{itemize}
+ \begin{center}
+ \includegraphics[width=0.6\linewidth]{pictures/request-bin.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Debugging modules: Stateless execution}
+ \begin{itemize}
+ \item Test custom modules with custom input
+ \end{itemize}
+ \begin{center}
+ \includegraphics[width=1.0\linewidth]{pictures/stateless-execution.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Debugging 
modules: Re-running workflows}
+ \begin{itemize}
+ \item Try workflows with custom input
+ \item Re-run workflows to ease debugging
+ \end{itemize}
+ \begin{center}
+ \frame{\includegraphics[width=0.55\linewidth]{pictures/running-workflows.png}}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Debugging options}
+ \begin{columns}
+ \begin{column}{0.6\textwidth}
+ \begin{itemize}
+ \item Workflow \textbf{execution and outcome}
+ \item Module \textbf{execution and outcome}
+ \item \textbf{Live} workflow debugging with module inspection
+ \item \textbf{Re-running/testing} workflows with custom data
+ \item \textbf{Stateless} module execution
+ \end{itemize}
+ \end{column}
+ \begin{column}{0.4\textwidth}
+ \includegraphics[width=1.0\linewidth]{pictures/enough-debugging.jpg}
+ \end{column}
+ \end{columns}
+\end{frame}
+
+% \section{Extending the system}
+\begin{frame}
+ \frametitle{
+ \huge
+ \linebreak
+ \linebreak
+ \linebreak
+ Extending the system
+ \vspace{1em}
+ }
+ \begin{center}
+ \includegraphics[width=0.6\linewidth]{pictures/craft.jpg}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Creating a new module in PHP}
+ \begin{center}
+ \includegraphics[scale=0.1]{pictures/PHP-logo.png}
+ \end{center}
+ \vspace*{2em}
+ \begin{itemize}
+ \item \texttt{\small \textbf{app/Lib/}WorkflowModules/action/[module\_name].php}
+ \item Designed to be easilty extended
+ \begin{itemize}
+ \item Helper functions
+ \item Module configuration as variables
+ \item Implement runtime logic
+ \end{itemize}
+ \item Main benefits
+ \begin{itemize}
+ \item Fast
+ \item Re-use existing functionalities
+ \item No need for misp-modules
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Creating a new module in PHP}
+ \begin{center}
+ \includegraphics[width=1.0\linewidth]{pictures/custom-1.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Creating a new module in Python}
+ \begin{center}
+ 
\includegraphics[scale=0.05]{pictures/python-logo.png}
+ \end{center}
+ \begin{itemize}
+ \item Similar to how other \texttt{misp-modules} are implemented
+ \begin{itemize}
+ \item Helper functions
+ \item Module configuration as variables
+ \item Implement runtime logic
+ \end{itemize}
+ \item Main benefits
+ \begin{itemize}
+ \item Easier than PHP
+ \item Lots of libraries for integration
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Creating a new module in Python}
+ \begin{center}
+ \includegraphics[width=1.0\linewidth]{pictures/custom-2.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Should I migrate to MISP Workflows}
+ I have automation in place using the API / ZMQ. Should I move to Workflows?
+ \vspace{1em}
+ \begin{itemize}
+ \item I (have/am planning to create) a curation pipeline using the API, should I port them to workflows?
+ \begin{itemize}
+ \item \textbf{No} in general, but WF can be used to start the curation process
+ \end{itemize}
+ \item What if I want to \textbf{block} some actions
+ \begin{itemize}
+ \item Put the blocking logic in the WF, the remaining outside
+ \end{itemize}
+ \item Currently, workflows with \textbf{ lots of node are not encouraged}
+ \item Bottom line is \textbf{Keep it simple}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{More ideas}
+ \begin{itemize}
+ \item Notification when new users join an instance
+ \item Extend existing MISP behavior: Push correlation in another system
+ \item Sanity check to block publishing
+ \item Automated alerts for high-priority IOCs
+ \item Assign tasks and notify incident response team members
+ \item ... 
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Future works}
+ \begin{columns}
+ \begin{column}{0.55\textwidth}
+ \begin{itemize}
+ \item More \includegraphics[width=12px]{pictures/sc-action-icon.png} modules
+ \item More \includegraphics[width=12px]{pictures/sc-condition-icon.png} modules
+ \item More \includegraphics[width=12px]{pictures/sc-event-icon.png} triggers
+ \item More documentation
+ \item Recursion prevention system
+ \item On-the-fly data override?
+ \end{itemize}
+ \end{column}
+ \begin{column}{0.45\textwidth}
+ \includegraphics[width=1.0\linewidth]{pictures/future-works.jpeg}
+ \end{column}
+ \end{columns}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Final words}
+ \begin{columns}
+ \begin{column}{0.6\textwidth}
+ \begin{itemize}
+ \item Designed to \textbf{quickly} and \textbf{cheaply} integrate MISP in CTI pipelines
+ \item \underline{\textbf{Beta}} Feature unlikely to change. But still..
+ \item Waiting for feedback!
+ \begin{itemize}
+ \item New triggers?
+ \item New modules?
+ \item What's acheivable
+ \end{itemize}
+ \end{itemize}
+ \end{column}
+ \begin{column}{0.4\textwidth}
+ \includegraphics[width=1.0\linewidth]{pictures/feeling-of-power.jpg}
+ \end{column}
+ \end{columns}
+ \vspace*{0.5em}
+\end{frame}
+
diff --git a/events/20230605-FIRSTCON23-Workflows/misp.pdf b/events/20230605-FIRSTCON23-Workflows/misp.pdf
new file mode 100644
index 0000000..f7a3f9d
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/misp.pdf differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/PHP-logo.png b/events/20230605-FIRSTCON23-Workflows/pictures/PHP-logo.png
new file mode 100644
index 0000000..296dfe2
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/PHP-logo.png differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/action-module-index.png b/events/20230605-FIRSTCON23-Workflows/pictures/action-module-index.png
new file mode 100644
index 0000000..faa5397
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/action-module-index.png differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/action-module.png b/events/20230605-FIRSTCON23-Workflows/pictures/action-module.png
new file mode 100644
index 0000000..6b622e8
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/action-module.png differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/attribute-json.png b/events/20230605-FIRSTCON23-Workflows/pictures/attribute-json.png
new file mode 100644
index 0000000..4ad2065
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/attribute-json.png differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/automation.png b/events/20230605-FIRSTCON23-Workflows/pictures/automation.png
new file mode 100644
index 0000000..d628e0f
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/automation.png differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/belgian-joke.jpeg b/events/20230605-FIRSTCON23-Workflows/pictures/belgian-joke.jpeg
new file mode 100644
index 0000000..6deff1b
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/belgian-joke.jpeg differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/belgian-joke2.jpeg b/events/20230605-FIRSTCON23-Workflows/pictures/belgian-joke2.jpeg
new file mode 100644
index 0000000..c41fb16
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/belgian-joke2.jpeg differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/blocking-module.png b/events/20230605-FIRSTCON23-Workflows/pictures/blocking-module.png
new file mode 100644
index 0000000..f8a817d
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/blocking-module.png differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/blocking-workflow.png b/events/20230605-FIRSTCON23-Workflows/pictures/blocking-workflow.png
new file mode 100644
index 0000000..145cc12
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/blocking-workflow.png differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/blueprint-1.png b/events/20230605-FIRSTCON23-Workflows/pictures/blueprint-1.png
new file mode 100644
index 0000000..1e3acbf
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/blueprint-1.png differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/blueprint-32.png b/events/20230605-FIRSTCON23-Workflows/pictures/blueprint-32.png
new file mode 100644
index 0000000..8d1d4c6
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/blueprint-32.png differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/blueprint-debugging.png b/events/20230605-FIRSTCON23-Workflows/pictures/blueprint-debugging.png
new file mode 100644
index 0000000..c2974e7
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/blueprint-debugging.png differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/build-icon.png b/events/20230605-FIRSTCON23-Workflows/pictures/build-icon.png
new file mode 100644
index 0000000..e58d99c
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/build-icon.png differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/circl.png b/events/20230605-FIRSTCON23-Workflows/pictures/circl.png
new file mode 100644
index 0000000..c570ff2
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/circl.png differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/craft.jpg b/events/20230605-FIRSTCON23-Workflows/pictures/craft.jpg
new file mode 100644
index 0000000..dddafd7
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/craft.jpg differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/ctis.png b/events/20230605-FIRSTCON23-Workflows/pictures/ctis.png
new file mode 100644
index 0000000..aef68a5
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/ctis.png differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/custom-1.png b/events/20230605-FIRSTCON23-Workflows/pictures/custom-1.png
new file mode 100644
index 0000000..afadf8e
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/custom-1.png differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/custom-2.png b/events/20230605-FIRSTCON23-Workflows/pictures/custom-2.png
new file mode 100644
index 0000000..0dad53f
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/custom-2.png differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/debug-mode.png b/events/20230605-FIRSTCON23-Workflows/pictures/debug-mode.png
new file mode 100644
index 0000000..ba7688d
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/debug-mode.png differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/editor-1.png b/events/20230605-FIRSTCON23-Workflows/pictures/editor-1.png
new file mode 100644
index 0000000..c8c3edf
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/editor-1.png differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/editor-not-allowed-1.png b/events/20230605-FIRSTCON23-Workflows/pictures/editor-not-allowed-1.png
new file mode 100644
index 0000000..d4dc939
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/editor-not-allowed-1.png differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/editor-not-allowed-2.png b/events/20230605-FIRSTCON23-Workflows/pictures/editor-not-allowed-2.png
new file mode 100644
index 0000000..538bb3f
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/editor-not-allowed-2.png differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/editor-warning-1.png b/events/20230605-FIRSTCON23-Workflows/pictures/editor-warning-1.png
new file mode 100644
index 0000000..8370f96
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/editor-warning-1.png differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/enough-debugging.jpg b/events/20230605-FIRSTCON23-Workflows/pictures/enough-debugging.jpg
new file mode 100644
index 0000000..f17c14c
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/enough-debugging.jpg differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/event-condition-action.png b/events/20230605-FIRSTCON23-Workflows/pictures/event-condition-action.png
new file mode 100644
index 0000000..0ee3afe
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/event-condition-action.png differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/example-1a.png b/events/20230605-FIRSTCON23-Workflows/pictures/example-1a.png
new file mode 100644
index 0000000..e4df2d5
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/example-1a.png differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/example-2a.png b/events/20230605-FIRSTCON23-Workflows/pictures/example-2a.png
new file mode 100644
index 0000000..ce103af
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/example-2a.png differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/feeling-of-power.jpg b/events/20230605-FIRSTCON23-Workflows/pictures/feeling-of-power.jpg
new file mode 100644
index 0000000..b84c299
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/feeling-of-power.jpg differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/filtering-modules.png b/events/20230605-FIRSTCON23-Workflows/pictures/filtering-modules.png
new file mode 100644
index 0000000..9ca53e3
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/filtering-modules.png differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/first-cti.png b/events/20230605-FIRSTCON23-Workflows/pictures/first-cti.png
new file mode 100644
index 0000000..5d8fec1
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/first-cti.png differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/firstcon23-speaker-banner-hr.jpg b/events/20230605-FIRSTCON23-Workflows/pictures/firstcon23-speaker-banner-hr.jpg
new file mode 100644
index 0000000..dcee3a3
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/firstcon23-speaker-banner-hr.jpg differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/fundation.png b/events/20230605-FIRSTCON23-Workflows/pictures/fundation.png
new file mode 100644
index 0000000..b6c51ae
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/fundation.png differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/future-works.jpeg b/events/20230605-FIRSTCON23-Workflows/pictures/future-works.jpeg
new file mode 100644
index 0000000..874805d
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/future-works.jpeg differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/geekweek75.jpg b/events/20230605-FIRSTCON23-Workflows/pictures/geekweek75.jpg
new file mode 100644
index 0000000..799e121
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/geekweek75.jpg differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/getting-started.png b/events/20230605-FIRSTCON23-Workflows/pictures/getting-started.png
new file mode 100644
index 0000000..a15f01f
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/getting-started.png differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/infinite-loop.jpg b/events/20230605-FIRSTCON23-Workflows/pictures/infinite-loop.jpg
new file mode 100644
index 0000000..a45fff7
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/infinite-loop.jpg differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/log-entry-publish-blocked.png b/events/20230605-FIRSTCON23-Workflows/pictures/log-entry-publish-blocked.png
new file mode 100644
index 0000000..9ccb098
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/log-entry-publish-blocked.png differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/log-entry-publish-success.png b/events/20230605-FIRSTCON23-Workflows/pictures/log-entry-publish-success.png
new file mode 100644
index 0000000..2a26119
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/log-entry-publish-success.png differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/logic-module-index.png b/events/20230605-FIRSTCON23-Workflows/pictures/logic-module-index.png
new file mode 100644
index 0000000..c6fe0b3
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/logic-module-index.png differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/logic-module.png b/events/20230605-FIRSTCON23-Workflows/pictures/logic-module.png
new file mode 100644
index 0000000..6a48ce6
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/logic-module.png differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/misp-module-icon.png b/events/20230605-FIRSTCON23-Workflows/pictures/misp-module-icon.png
new file mode 100644
index 0000000..6fa189b
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/misp-module-icon.png differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/module-buffet.png b/events/20230605-FIRSTCON23-Workflows/pictures/module-buffet.png
new file mode 100644
index 0000000..8a4a676
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/module-buffet.png differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/module-concurrent.png b/events/20230605-FIRSTCON23-Workflows/pictures/module-concurrent.png
new file mode 100644
index 0000000..ba994b4
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/module-concurrent.png differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/module-filtering.png b/events/20230605-FIRSTCON23-Workflows/pictures/module-filtering.png
new file mode 100644
index 0000000..876d5ad
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/module-filtering.png differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/module-if-generic.png b/events/20230605-FIRSTCON23-Workflows/pictures/module-if-generic.png
new file mode 100644
index 0000000..4068aa3
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/module-if-generic.png differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/module-type.png b/events/20230605-FIRSTCON23-Workflows/pictures/module-type.png
new file mode 100644
index 0000000..d869b9d
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/module-type.png differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/no-slides-if-demo.jpg b/events/20230605-FIRSTCON23-Workflows/pictures/no-slides-if-demo.jpg
new file mode 100644
index 0000000..aeb155d
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/no-slides-if-demo.jpg differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/no-slides-if-demo2.jpg b/events/20230605-FIRSTCON23-Workflows/pictures/no-slides-if-demo2.jpg
new file mode 100644
index 0000000..38bf7f1
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/no-slides-if-demo2.jpg differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/no-slides-if-demo3.jpg b/events/20230605-FIRSTCON23-Workflows/pictures/no-slides-if-demo3.jpg
new file mode 100644
index 0000000..61d2a2b
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/no-slides-if-demo3.jpg differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/node-filtering.png b/events/20230605-FIRSTCON23-Workflows/pictures/node-filtering.png
new file mode 100644
index 0000000..1878ee9
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/node-filtering.png differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/node-generic-filter.png b/events/20230605-FIRSTCON23-Workflows/pictures/node-generic-filter.png
new file mode 100644
index 0000000..b41a358
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/node-generic-filter.png differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/non-blocking-workflow.png b/events/20230605-FIRSTCON23-Workflows/pictures/non-blocking-workflow.png
new file mode 100644
index 0000000..4ae1495
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/non-blocking-workflow.png differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/overview.png b/events/20230605-FIRSTCON23-Workflows/pictures/overview.png
new file mode 100644
index 0000000..0a5a3d3
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/overview.png differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/php-joke.jpg b/events/20230605-FIRSTCON23-Workflows/pictures/php-joke.jpg
new file mode 100644
index 0000000..0abc16d
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/php-joke.jpg differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/psyduck.jpeg b/events/20230605-FIRSTCON23-Workflows/pictures/psyduck.jpeg
new file mode 100644
index 0000000..8e54f30
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/psyduck.jpeg differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/python-joke.png b/events/20230605-FIRSTCON23-Workflows/pictures/python-joke.png
new file mode 100644
index 0000000..0ce5189
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/python-joke.png differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/python-logo.png b/events/20230605-FIRSTCON23-Workflows/pictures/python-logo.png
new file mode 100644
index 0000000..2416f26
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/python-logo.png differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/radar.png b/events/20230605-FIRSTCON23-Workflows/pictures/radar.png
new file mode 100644
index 0000000..bbd632b
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/radar.png differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/recursive-workflow.png b/events/20230605-FIRSTCON23-Workflows/pictures/recursive-workflow.png
new file mode 100644
index 0000000..c56eb72
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/recursive-workflow.png differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/remove-ids-1.png b/events/20230605-FIRSTCON23-Workflows/pictures/remove-ids-1.png
new file mode 100644
index 0000000..8e75af2
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/remove-ids-1.png differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/remove-ids-2.png b/events/20230605-FIRSTCON23-Workflows/pictures/remove-ids-2.png
new file mode 100644
index 0000000..e455e49
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/remove-ids-2.png differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/remove-ids-3.png b/events/20230605-FIRSTCON23-Workflows/pictures/remove-ids-3.png
new file mode 100644
index 0000000..e5474a1
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/remove-ids-3.png differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/remove-ids-generic.png b/events/20230605-FIRSTCON23-Workflows/pictures/remove-ids-generic.png
new file mode 100644
index 0000000..e9c1933
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/remove-ids-generic.png differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/request-bin.png b/events/20230605-FIRSTCON23-Workflows/pictures/request-bin.png
new file mode 100644
index 0000000..ee355fb
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/request-bin.png differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/running-workflows.png b/events/20230605-FIRSTCON23-Workflows/pictures/running-workflows.png
new file mode 100644
index 0000000..d591c8f
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/running-workflows.png differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/sc-action-icon.png b/events/20230605-FIRSTCON23-Workflows/pictures/sc-action-icon.png
new file mode 100644
index 0000000..2ac49b8
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/sc-action-icon.png differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/sc-action.png b/events/20230605-FIRSTCON23-Workflows/pictures/sc-action.png
new file mode 100644
index 0000000..e8d7a66
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/sc-action.png differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/sc-condition-icon.png b/events/20230605-FIRSTCON23-Workflows/pictures/sc-condition-icon.png
new file mode 100644
index 0000000..f447a5d
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/sc-condition-icon.png differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/sc-condition.png b/events/20230605-FIRSTCON23-Workflows/pictures/sc-condition.png
new file mode 100644
index 0000000..bb24b90
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/sc-condition.png differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/sc-event-icon.png b/events/20230605-FIRSTCON23-Workflows/pictures/sc-event-icon.png
new file mode 100644
index 0000000..d1f70ef
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/sc-event-icon.png differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/sc-event.png b/events/20230605-FIRSTCON23-Workflows/pictures/sc-event.png
new file mode 100644
index 0000000..b58c120
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/sc-event.png differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/settings-1.png b/events/20230605-FIRSTCON23-Workflows/pictures/settings-1.png
new file mode 100644
index 0000000..290851b
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/settings-1.png differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/settings-2.png b/events/20230605-FIRSTCON23-Workflows/pictures/settings-2.png
new file mode 100644
index 0000000..712a31a
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/settings-2.png differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/simple-workflow.png b/events/20230605-FIRSTCON23-Workflows/pictures/simple-workflow.png
new file mode 100644
index 0000000..f494348
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/simple-workflow.png differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/stateless-execution.png b/events/20230605-FIRSTCON23-Workflows/pictures/stateless-execution.png
new file mode 100644
index 0000000..fa513b3
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/stateless-execution.png differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/time-machine.png b/events/20230605-FIRSTCON23-Workflows/pictures/time-machine.png
new file mode 100644
index 0000000..494153a
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/time-machine.png differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/triggers.png b/events/20230605-FIRSTCON23-Workflows/pictures/triggers.png
new file mode 100644
index 0000000..ba637cc
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/triggers.png differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/two-paths.jpeg b/events/20230605-FIRSTCON23-Workflows/pictures/two-paths.jpeg
new file mode 100644
index 0000000..93542ca
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/two-paths.jpeg differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/upgrade-people.jpeg b/events/20230605-FIRSTCON23-Workflows/pictures/upgrade-people.jpeg
new file mode 100644
index 0000000..1e6ddde
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/upgrade-people.jpeg differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/whoami-adulau.png b/events/20230605-FIRSTCON23-Workflows/pictures/whoami-adulau.png
new file mode 100644
index 0000000..d960fd4
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/whoami-adulau.png differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/whoami.png b/events/20230605-FIRSTCON23-Workflows/pictures/whoami.png
new file mode 100644
index 0000000..eba7518
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/whoami.png differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/whoami2.png b/events/20230605-FIRSTCON23-Workflows/pictures/whoami2.png
new file mode 100644
index 0000000..46066cd
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/whoami2.png differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/whoarewe.png b/events/20230605-FIRSTCON23-Workflows/pictures/whoarewe.png
new file mode 100644
index 0000000..a2377fe
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/whoarewe.png differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/workflow-debug.png b/events/20230605-FIRSTCON23-Workflows/pictures/workflow-debug.png
new file mode 100644
index 0000000..a2a932f
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/workflow-debug.png differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/workflow-experimental.png b/events/20230605-FIRSTCON23-Workflows/pictures/workflow-experimental.png
new file mode 100644
index 0000000..96e05ec
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/workflow-experimental.png differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/workflow-release.png b/events/20230605-FIRSTCON23-Workflows/pictures/workflow-release.png
new file mode 100644
index 0000000..1eef024
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/workflow-release.png differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/workflow-trigger.png b/events/20230605-FIRSTCON23-Workflows/pictures/workflow-trigger.png
new file mode 100644
index 0000000..9ea7fad
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/workflow-trigger.png differ
diff --git a/events/20230605-FIRSTCON23-Workflows/pictures/zeromq.png b/events/20230605-FIRSTCON23-Workflows/pictures/zeromq.png
new file mode 100644
index 0000000..970e9fc
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/pictures/zeromq.png differ
diff --git a/events/20230605-FIRSTCON23-Workflows/slide.pdf b/events/20230605-FIRSTCON23-Workflows/slide.pdf
new file mode 100644
index 0000000..8aadb69
Binary files /dev/null and b/events/20230605-FIRSTCON23-Workflows/slide.pdf differ
diff --git a/events/20230605-FIRSTCON23-Workflows/slide.tex b/events/20230605-FIRSTCON23-Workflows/slide.tex
new file mode 100644
index 0000000..822ccc1
--- /dev/null
+++ b/events/20230605-FIRSTCON23-Workflows/slide.tex
@@ -0,0 +1,66 @@
+\documentclass{beamer}
+\usetheme[numbering=progressbar]{focus}
+\definecolor{main}{RGB}{47, 161, 219}
+\definecolor{textcolor}{RGB}{128, 128, 128}
+\definecolor{background}{RGB}{240, 247, 255}
+
+% \usepackage{pgfpages}
+% \setbeameroption{show notes on second screen=right}
+\usepackage[draft]{pdfcomment}
+\newcommand{\pdfnote}[1]{\marginnote{\pdfcomment[icon=note]{#1}}}
+
+\usepackage[utf8]{inputenc}
+\usepackage[normalem]{ulem}
+\usepackage{tikz}
+\usepackage{listings}
+\usepackage{fontawesome5}
+\usepackage[export]{adjustbox}
+\usepackage{fourier}
+\usetikzlibrary{positioning}
+\usetikzlibrary{shapes,arrows}
+
+\lstdefinelanguage{javascript}{
+ basicstyle=\scriptsize,
+ numbers=left,
+ numberstyle=\scriptsize,
+ stepnumber=1,
+ numbersep=5pt,
+ showstringspaces=false,
+ breaklines=true,
+ frame=lines,
+ keywords={typeof, new, true, false, catch, function, return, null, catch, switch, var, if, in, while, do, else, case, break},
+ %keywordstyle=\color{blue}\bfseries,
+ ndkeywords={class, export, boolean, throw, implements, import, this},
+ ndkeywordstyle=\color{darkgray}\bfseries,
+ identifierstyle=\color{black},
+ sensitive=false,
+ comment=[l]{//},
+ morecomment=[s]{/*}{*/},
+ commentstyle=\color{purple}\ttfamily,
+ stringstyle=\color{purple}\ttfamily,
+ morestring=[b]',
+ morestring=[b]"
+}
+\lstdefinelanguage{text}{
+ basicstyle=\scriptsize,
+ numbers=left,
+ numberstyle=\scriptsize,
+ stepnumber=1,
+ numbersep=5pt,
+ showstringspaces=false,
+ breaklines=true,
+ frame=lines
+}
+
+\title{Building Your Own Workflows in MISP}
+\subtitle{Tutorial and Hands-On}
+\author{Sami Mokaddem \& Alexandre Dulaunoy}
+\date{\includegraphics[width=0.7\linewidth]{pictures/firstcon23-speaker-banner-hr.jpg}}
+\titlegraphic{\vspace*{1em}\includegraphics[scale=0.3]{misp.pdf}\\}
+\institute{MISP Project \\ \url{https://www.misp-project.org/}}
+
+
+\begin{document}
+\include{content}
+\end{document}
+
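Review bot: The `keywords=` line of `\lstdefinelanguage{javascript}` lists `catch` twice and the language is declared with `sensitive=false`, so identifiers that differ only by case (e.g. `Function`, `Return`) will be highlighted as keywords in the code listings; drop the duplicate and set `sensitive=true`, since JavaScript is case-sensitive. `\pdfnote` routes speaker notes through `\pdfcomment` while pdfcomment is loaded with `[draft]`; as far as I recall that option suppresses the annotations, which is what keeps the notes out of the published PDF, so a comment on that line such as `% keep [draft]: speaker notes must not be embedded as annotations in the distributed PDF` would stop a later switch to `final` from leaking them, and the `slide.pdf` committed alongside should be confirmed to have been built this way. On style, `\include{content}` forces a page break and a separate .aux file, which is not wanted for a beamer deck; `\input{content}` is the usual form. The commented-out pgfpages lines above `\usepackage[draft]{pdfcomment}` are dead and can go.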
diff --git a/events/20230605-FIRSTCON23-Workflows/slide_handout.tex b/events/20230605-FIRSTCON23-Workflows/slide_handout.tex
new file mode 100644
index 0000000..cd06a0e
--- /dev/null
+++ b/events/20230605-FIRSTCON23-Workflows/slide_handout.tex
@@ -0,0 +1,67 @@
+\documentclass{beamer}
+\usetheme[numbering=progressbar]{focus}
+\definecolor{main}{RGB}{47, 161, 219}
+\definecolor{textcolor}{RGB}{128, 128, 128}
+\definecolor{background}{RGB}{240, 247, 255}
+
+% \usepackage{pgfpages}
+% \setbeameroption{show notes on second screen=right}
+\usepackage[draft]{pdfcomment}
+\newcommand{\pdfnote}[1]{\marginnote{\pdfcomment[icon=note]{#1}}}
+
+\usepackage{pgfpages}
+\setbeameroption{show notes on second screen=right}
+\usepackage[utf8]{inputenc}
+\usepackage{tikz}
+\usepackage{listings}
+\usepackage{fontawesome5}
+\usepackage[export]{adjustbox}
+\usepackage{fourier}
+\usetikzlibrary{positioning}
+\usetikzlibrary{shapes,arrows}
+
+\lstdefinelanguage{javascript}{
+ basicstyle=\scriptsize,
+ numbers=left,
+ numberstyle=\scriptsize,
+ stepnumber=1,
+ numbersep=5pt,
+ showstringspaces=false,
+ breaklines=true,
+ frame=lines,
+ keywords={typeof, new, true, false, catch, function, return, null, catch, switch, var, if, in, while, do, else, case, break},
+ %keywordstyle=\color{blue}\bfseries,
+ ndkeywords={class, export, boolean, throw, implements, import, this},
+ ndkeywordstyle=\color{darkgray}\bfseries,
+ identifierstyle=\color{black},
+ sensitive=false,
+ comment=[l]{//},
+ morecomment=[s]{/*}{*/},
+ commentstyle=\color{purple}\ttfamily,
+ %stringstyle=\color{red}\ttfamily,
+ morestring=[b]',
+ morestring=[b]"
+}
+\lstdefinelanguage{text}{
+ basicstyle=\scriptsize,
+ numbers=left,
+ numberstyle=\scriptsize,
+ stepnumber=1,
+ numbersep=5pt,
+ showstringspaces=false,
+ breaklines=true,
+ frame=lines
+}
+
+\title{Automation with MISP Workflows}
+\subtitle{A new way to integrate MISP in your CTI pipelines}
+\author{Sami Mokaddem}
+\date{FIRST Automation SIG}
+\titlegraphic{\vspace*{1em}\includegraphics[scale=0.5]{misp.pdf}\\}
+\institute{MISP Project \\ \url{https://www.misp-project.org/}}
+
+
+\begin{document}
+\include{content}
+\end{document}
+
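Review bot: The title block of slide_handout.tex (`\title{Automation with MISP Workflows}`, `\subtitle{A new way to integrate MISP in your CTI pipelines}`, `\author{Sami Mokaddem}`, `\date{FIRST Automation SIG}`) does not match the deck it sits next to in the same commit, slide.tex, which is titled "Building Your Own Workflows in MISP" with both authors and the FIRSTCON23 banner as date; this looks like a preamble copied from an earlier handout and not updated, so those four lines should be aligned with slide.tex. The handout also omits `\usepackage[normalem]{ulem}`, which slide.tex loads, so if the shared content.tex uses `\sout` or `\uline` the handout build will fail while the slide build passes. `\setbeameroption{show notes on second screen=right}` renders every `\note` into the handout PDF, so anything written in the notes is distributed with it; a one-line comment above it, `% speaker notes are rendered into this PDF -- keep them distribution-safe`, makes that explicit to the next editor. The commented-out pgfpages pair just above `\usepackage[draft]{pdfcomment}` duplicates the active lines and should be removed.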
diff --git a/events/misp-summit/2022/misp-grafana/misp-grafana.pdf b/events/misp-summit/2022/misp-grafana/misp-grafana.pdf
new file mode 100644
index 0000000..52b1f7a
Binary files /dev/null and b/events/misp-summit/2022/misp-grafana/misp-grafana.pdf differ
diff --git a/events/misp-summit/2022/misp-guard/misp-guard.pdf b/events/misp-summit/2022/misp-guard/misp-guard.pdf
new file mode 100644
index 0000000..fe20f04
Binary files /dev/null and b/events/misp-summit/2022/misp-guard/misp-guard.pdf differ
diff --git a/output/0-intro-shorter_es.pdf b/output/0-intro-shorter_es.pdf
new file mode 100644
index 0000000..6e5013c
Binary files /dev/null and b/output/0-intro-shorter_es.pdf differ
diff --git a/output/1-misp-usage_es.pdf b/output/1-misp-usage_es.pdf
new file mode 100644
index 0000000..27000bc
Binary files /dev/null and b/output/1-misp-usage_es.pdf differ