Merge branch 'main' of github.com:MISP/misp-training

0-intro-shorter/content_es.tex

@@ -0,0 +1,165 @@
+% DO NOT COMPILE THIS FILE DIRECTLY!
+% This is included by the other .tex files.
+
+\begin{frame}[t,plain]
+\titlepage
+\end{frame}
+
+\begin{frame}
+ \frametitle{MISP, comenzando desde un caso práctico}
+ \begin{itemize}
+         \item Durante un taller de análisis de malware en 2012, descubrimos que habíamos estado trabajando analizando el mismo malware.
+         \item Quisimos compartir información de forma fácil y automatizada para así {\bf evitar la duplicación de trabajo}.
+         \item Christophe Vandeplas (trabajando en el CERT del MINDEF Belga en aquel entonces) nos mostró su trabajo en una plataforma que luego se convertiría en MISP.
+         \item Una primera versión de MISP fue utilizada por el MALWG y {\bf los comentarios de los usuarios} nos ayudaron a realizar mejoras en la plataforma.
+         \item Actualmente MISP es {\bf un desarrollo impulsado por la comunidad}.
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Acerca de CIRCL}
+El Centro de Respuesta ante Emergencias Informáticas de Luxemburgo (CIRCL) es una iniciativa impulsada por el gobierno, diseñada para proveer una respuesta sistemática a incidentes y amenazas de seguridad informática.
+\linebreak
+\linebreak
+CIRCL es el CERT del sector privado, municipios y entidades no gubernamentales en Luxemburgo y es operado por LHC g.i.e.
+\end{frame}
+
+\begin{frame}
+\frametitle{MISP y CIRCL}
+\begin{itemize}
+\item CIRCL es conducido por el Ministerio de Economía y actúa como el CERT Nacional para el sector privado.
+\item CIRCL lidera el desarrollo de MISP, la plataforma de código abierto de inteligencia de amenazas, que es utilizada por muchas comunidades militares o de inteligencia, empresas privadas, sector financiero, CERTs nacionales y fuerzas de seguridad (LEAs) en todo el mundo.
+\item {\bf CIRCL opera múltiples comunidades de MISP, que a diario comparten información de inteligencia de amenazas (threat-intelligence)}.
+\end{itemize}
+        \includegraphics{en_cef.png}
+\end{frame}
+
+\begin{frame}
+\frametitle{¿Qué es MISP?}
+\begin{itemize}
+       \item MISP es una plataforma libre y de código abierto para el {\bf intercambio de información de amenazas}.
+       \item Es una herramienta que {\bf recolecta} información proveniente de diferentes participantes, sus analistas, sus herramientas, fuentes de inteligencia, etc.
+       \item Normaliza, {\bf correlaciona} y {\bf enriquece} la información.
+       \item Permite {\bf colaborar} a los diferentes equipos y comunidades.
+       \item {\bf Alimenta} las herramientas de seguridad y de los analistas con sus resultados.
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Desarrollo basado en comentarios de los usuarios}
+\begin{itemize}
+\item Existen muchos diferentes tipos de usuarios de plataformas de intercambio de información como MISP: 
+        \begin{itemize}
+                \item {\bf Analistas de Malware} dispuestos a compartir indicadores de compromiso con sus respectivos colegas.
+                \item {\bf Analistas de Seguridad} buscando, validando y utilizando indicadores en seguridad operacional.
+                \item {\bf Analistas de Inteligencia} recopilando información acerca de ciertos grupos de adversarios.
+                \item {\bf Fuerzas de Seguridad} utilizando indicadores para dar soporte a casos de análisis forense digital (DFIR).
+                \item {\bf Equipos de Análisis de Riesgos} dispuestos a saber más sobre nuevas amenazas, probabilidades e incidencias.
+                \item {\bf Analistas de Fraude} dispuestos a compartir indicadores financieros para detectar fraudes.
+        \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Modelo de gobernabilidad de MISP}
+\begin{center}
+\includegraphics[scale=0.2]{governance.png}
+\end{center}
+\end{frame}
+
+\begin{frame}
+\frametitle{Múltiples objetivos según diferentes grupos de usuarios}
+        \begin{itemize}
+                \item Compartiendo indicadores para la {\bf detección}.
+                        \begin{itemize}
+                                \item '¿Existen sistemas infectados en mi infraestructura o en las redes que opero?'
+                        \end{itemize}
+                \item Compartiendo indicadores para {\bf bloquear}.
+                        \begin{itemize}
+                                \item 'Utilizo estos indicadores para bloquear el acceso o redireccionar el tráfico.'
+                        \end{itemize}
+                \item Compartiendo indicadores para {\bf realizar actividades de inteligencia}.
+                        \begin{itemize}
+                                \item 'Recopilando información acerca de campañas y ataques. ¿Están relacionados? ¿Quién me tiene como objetivo? ¿Quiénes son los adversarios?'
+                        \end{itemize}
+                \item $\rightarrow$ Estos objetivos pueden ser contradictorios (p. ej. Los falsos-positivos tienen diferentes impactos)
+        \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Comunidades utilizando MISP}
+ \begin{itemize}
+	 \item Las comunidades son grupos de usuarios que comparten un conjunto objetivos o valores comunes.
+	 \item CIRCL opera múltiples instancias de MISP con una gran cantidad de usuarios (más de 1200 organizaciones con más de 4000 usuarios).
+         \item {\bf Grupos de confianza} operando comunidades de MISP en modo aislado (air-gapped) o parcialmente conectados.
+	 \item {\bf Sector financiero} (bancos, Centros de Análisis e Intercambio de Información (ISACs), organizaciones de procesamiento de pagos) utilizan MISP como mecanismo de intercambio.
+	 \item {\bf Organizaciones internacionales y militares} OTAN, CSIRTs militares, CERTs, ...
+	 \item {\bf Proveedores de Seguridad} operando sus propias comunidades o interconectados con otras comunidades.
+         \item {\bf Comunidades temáticas} creadas para abordar problemáticas específicas (COVID-19 MISP) 
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Las dificultades de compartir información}
+        \begin{itemize}
+                \item Las dificultades de compartir información no suelen ser problemas de índole tecnológico, en general se deben a las {\bf interacciones sociales} (p. ej. {\bf confianza}).
+                \item Restricciones legales\footnote{\url{https://www.misp-project.org/compliance/}}
+                        \begin{itemize}
+                                \item "Nuestro marco legal no nos permite compartir información."
+                                \item "El riesgo de filtraciones de información es muy alto y riesgoso para nuestra organización y nuestros socios."
+                        \end{itemize}
+                \item Restricciones prácticas
+                        \begin{itemize}
+                                \item "No tenemos información para compartir."
+                                \item "No tenemos tiempo para procesar o contribuir con indicadores."
+                                \item "Nuestro modelo de clasificación no se ajusta al modelo de MISP."
+                                \item "Las herramientas para intercambio de información están asociadas a un formato específico, nosotros utilizamos otro."
+                        \end{itemize}
+        \end{itemize}
+\end{frame}
+
+
+\begin{frame}
+        \frametitle{Vista general del Proyecto MISP}
+        \includegraphics[scale=0.35]{misp-overview-simplified.pdf}
+\end{frame}
+
+\begin{frame}
+\frametitle{Compartiendo en MISP}
+    \begin{itemize}
+        \item Compartiendo vía listas de distribución - {\bf Grupos de intercambio} (sharing groups)
+        \item {\bf Delegación} para intercambio de información pseudo-anonimizada
+        \item {\bf Propuestas} y {\bf Eventos extendidos} para compartir información en forma colaborativa
+        \item Sincronización, Fuentes (feeds), intercambio aislado (air-gapped)
+        \item {\bf Filtros de intercambio } definidos por el usuario para todos los métodos mencionados anteriormente
+        \item {\bf Almacenamiento en caché} para búsquedas rápidas en grandes volúmenes de datos
+        \item Soporte de múltiples instancias de MISP para enclaves internas
+    \end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Gestión de la calidad de la Información}
+    \begin{itemize}
+        \item Información correlacionada
+        \item Ciclo de retroalimentación de detecciones vía {\bf Avistamientos} (Sightings)
+        \item {\bf Gestión de falsos positivos} vía el sistema de alertas (warninglists)
+        \item Sistema de {\bf enriquecimiento} vía MISP-modules
+        \item Sistema de {\bf flujos de trabajo} para revisar y controlar la información que se publica
+        \item {\bf Integraciones} con un gran número de herramientas y formatos
+        \item {\bf API} flexible y soporte de {\bf librerías} tales como PyMISP para facilitar la integración
+        \item {\bf Líneas de tiempo} (timelines) para dotar a la información de un marco temporal
+        \item Cadena completa de la {\bf gestión del ciclo de vida de indicadores}
+    \end{itemize}
+\end{frame}
+
+\begin{frame}
+        \frametitle{Conclusión}
+        \begin{itemize}
+                \item {\bf Las prácticas de intercambio de información vienen con su uso} y con el ejemplo (p. ej. aprender mediante la imitación de la información compartida).
+                \item MISP es sólo una herramienta. Lo que importa son sus prácticas de intercambio. La herramienta debería darle soporte de la manera más transparente posible.
+                \item Permitir a los usuarios customizar MISP para satisfacer las necesidad de los casos de uso de su comunidad.
+                \item El proyecto MISP combina código abierto, estándares abiertos, mejores prácticas y comunidades para convertir el intercambio de información en una realidad.
+        \end{itemize}
+\end{frame}
+
+

0-intro-shorter/slide.tex

@@ -1,3 +1,4 @@
+% !TEX program = XeLaTeX
 \documentclass{beamer}
 \usetheme[numbering=progressbar]{focus}
 \definecolor{main}{RGB}{47, 161, 219}

0-intro-shorter/slide_es.tex

@@ -0,0 +1,25 @@
+\documentclass{beamer}
+\usetheme[numbering=progressbar]{focus}
+\definecolor{main}{RGB}{47, 161, 219}
+\definecolor{textcolor}{RGB}{128, 128, 128}
+\definecolor{background}{RGB}{240, 247, 255}
+
+\usepackage[utf8]{inputenc}
+\usepackage{tikz}
+\usepackage{listings}
+\usetikzlibrary{positioning}
+\usetikzlibrary{shapes,arrows}
+
+
+\title{Una introducción al Intercambio de Información de Ciberseguridad}
+\subtitle{MISP - Threat Sharing}
+\author{\small{\input{../includes/authors.txt}}}
+\date{\input{../includes/location.txt}}
+\titlegraphic{\includegraphics[scale=0.85]{misp.pdf}}
+\institute{MISP Project \\ \url{https://www.misp-project.org/}}
+
+
+\begin{document}
+\include{content_es}
+\end{document}
+

1-misp-usage/content_es.tex

@@ -0,0 +1,244 @@
+% DO NOT COMPILE THIS FILE DIRECTLY!
+% This is included by the other .tex files.
+
+%\colorlet{punct}{red!60!black}
+%\definecolor{background}{HTML}{EEEEEE}
+%\definecolor{delim}{RGB}{20,105,176}
+%\colorlet{numb}{magenta!60!black}
+
+\lstdefinelanguage{json}{
+    basicstyle=\ttfamily\footnotesize,
+    numbers=left,
+    numberstyle=\ttfamily\footnotesize,
+    stepnumber=1,
+    numbersep=8pt,
+    showstringspaces=false,
+    breaklines=true,
+    frame=lines,
+    backgroundcolor=\color{background},
+    literate=
+     *{0}{{{\color{numb}0}}}{1}
+      {1}{{{\color{numb}1}}}{1}
+      {2}{{{\color{numb}2}}}{1}
+      {3}{{{\color{numb}3}}}{1}
+      {4}{{{\color{numb}4}}}{1}
+      {5}{{{\color{numb}5}}}{1}
+      {6}{{{\color{numb}6}}}{1}
+      {7}{{{\color{numb}7}}}{1}
+      {8}{{{\color{numb}8}}}{1}
+      {9}{{{\color{numb}9}}}{1}
+      {:}{{{\color{punct}{:}}}}{1}
+      {,}{{{\color{punct}{,}}}}{1}
+      {\{}{{{\color{delim}{\{}}}}{1}
+      {\}}{{{\color{delim}{\}}}}}{1}
+      {[}{{{\color{delim}{[}}}}{1}
+      {]}{{{\color{delim}{]}}}}{1},
+}
+
+\begin{frame}[t,plain]
+\titlepage
+\end{frame}
+
+\begin{frame}
+    \frametitle{MISP - VM}
+    \begin{itemize}
+    \item Credenciales
+        \begin{itemize}
+            \item MISP admin: admin@admin.test/admin
+            \item SSH: misp/Password1234
+        \end{itemize}
+    \item Disponible para descargar aquí (VirtualBox and VMWare):
+        \begin{itemize}
+                \item \url{https://www.circl.lu/misp-images/latest/}
+        \end{itemize}
+    \end{itemize}
+\end{frame}
+
+\begin{frame}
+    \frametitle{MISP - Uso Básico}
+    Plan para esta parte de la capacitación
+        \begin{itemize}
+            \item Modelo de datos
+            \item Visualizando datos
+            \item Alta de datos
+            \item Cooperación
+            \item Distribución
+            \item Exportando datos
+        \end{itemize}
+\end{frame}
+
+\begin{frame}
+    \frametitle{MISP - Eventos (El componente fundamental de MISP)}
+    \includegraphics[scale=0.45]{screenshots/datamodel1.png}
+\end{frame}
+
+\begin{frame}
+    \frametitle{MISP - Eventos (Atributos, dando significado a los eventos)}
+    \includegraphics[scale=0.45]{screenshots/datamodel2.png}
+\end{frame}
+
+\begin{frame}
+    \frametitle{MISP - Eventos (Correlaciones entre atributos similares)}
+    \includegraphics[scale=0.45]{screenshots/datamodel3.png}
+\end{frame}
+
+\begin{frame}
+    \frametitle{MISP - Eventos (Propuestas)}
+    \includegraphics[scale=0.45]{screenshots/datamodel4.png}
+\end{frame}
+
+\begin{frame}
+    \frametitle{MISP - Eventos (Etiquetas)}
+    \includegraphics[scale=0.45]{screenshots/datamodel5.png}
+\end{frame}
+
+\begin{frame}
+    \frametitle{MISP - Eventos (Discusiones)}
+    \includegraphics[scale=0.45]{screenshots/datamodel6.png}
+\end{frame}
+
+\begin{frame}
+    \frametitle{MISP - Eventos (Taxonomías y propuestas de correlaciones)}
+    \includegraphics[scale=0.35]{screenshots/datamodel7.png}
+\end{frame}
+
+\begin{frame}
+    \frametitle{MISP - Eventos (El estado del arte del modelo de datos de MISP)}
+    \includegraphics[scale=0.25]{screenshots/datamodel8.png}
+\end{frame}
+
+\begin{frame}
+    \frametitle{MISP - Visualizando el listado de Eventos}
+    \begin{itemize}
+    \item Listar Eventos
+        \begin{itemize}
+            \item Contexto del Evento
+            \item Etiquetas
+            \item Distribución
+            \item Correlaciones
+        \end{itemize}
+    \item Filtros
+    \end{itemize}
+\end{frame}
+
+\begin{frame}
+    \frametitle{MISP - Visualizando un Evento}
+    \begin{itemize}
+     \item Ver Evento
+        \begin{itemize}
+            \item Contexto del Evento
+            \item Atributos
+            \begin{itemize}
+                \item Categoría/tipo, IDS, Correlaciones
+            \end{itemize}
+            \item Objetos
+            \item Galáxias
+            \item Propuestas
+            \item Discusiones
+        \end{itemize}
+    \item Herramientas para encontrar lo que buscas
+    \item Grafos de correlaciones
+    \end{itemize}
+\end{frame}
+
+\begin{frame}
+    \frametitle{MISP - Alta y carga de eventos en diferentes formas (demo)}
+    \begin{itemize}
+    \item Las principales formas de cargar eventos
+        \begin{itemize}
+            \item Añadir atributos / Añadir en lotes
+            \item Añadir objetos y cómo funcionan las plantillas de objetos
+            \item Importar texto libre
+            \item Importar
+            \item Plantillas
+            \item Añadir archivos adjuntos / capturas de pantalla
+            \item API
+        \end{itemize}
+    \end{itemize}
+\end{frame}
+
+\begin{frame}
+    \frametitle{MISP - Diferentes funcionalidades para añadir información}
+    \begin{itemize}
+        \item ¿Qué sucede automáticamente cuando agregamos información? 
+        \begin{itemize}
+            \item Correlación automática
+            \item Modificación de la carga vía validación y filtros (regex)
+            \item Etiquetado / Cúmulos de galaxias
+        \end{itemize}
+        \item Diferentes formas de publicar información
+        \begin{itemize}
+            \item Publicar con/sin enviar un e-mail
+            \item Publicar vía la API
+            \item Delegación
+        \end{itemize}
+    \end{itemize}
+\end{frame}
+
+\begin{frame}
+    \frametitle{MISP - Utilizando la información}
+    \begin{itemize}
+        \item Grafos de correlaciones
+        \item Descargando la información en diferentes formatos
+        \item API (más detalles luego)
+        \item Colaborando con usuarios (propuestas, discusiones, emails)
+    \end{itemize}
+\end{frame}
+
+\begin{frame}
+    \frametitle{MISP - Sincronización en detalle}
+    \begin{itemize}
+        \item Conexiones de sincronización
+        \item Modelo pull/push
+        \item Previsualización de instancias
+        \item Filtrado de la sincronización
+        \item Herramienta de prueba de conexión
+        \item Modo de selección manual
+    \end{itemize}
+\end{frame}
+
+\begin{frame}
+    \frametitle{MISP - Fuentes (feeds) en detalle}
+    \begin{itemize}
+        \item Tipos de fuentes (MISP, texto libre, CSV)
+        \item Alta/edición de fuentes
+        \item Previzualización de fuentes
+        \item Fuentes Locales vs. Remotas
+    \end{itemize}
+\end{frame}
+
+\begin{frame}
+    \frametitle{MISP - Distribuciones en detalle}
+    \begin{itemize}
+        \item Solo Mi Organización
+        \item Solo Esta Comunidad
+        \item Comunidades Conectadas
+        \item Todas las Comunidades
+        \item Grupo de Intercambio
+    \end{itemize}
+\end{frame}
+
+\begin{frame}
+    \frametitle{MISP - Distribución y Topología}
+    \includegraphics[scale=0.45]{screenshots/sync.png}
+\end{frame}
+
+\begin{frame}
+    \frametitle{MISP - Exportar y API}
+    \begin{itemize}
+        \item Descargar un evento
+        \item Un vistazo a las APIs
+        \item Descargar resultados de una búsqueda
+        \item API REST y generador de consultas
+    \end{itemize}
+\end{frame}
+
+\begin{frame}
+    \frametitle{MISP - Tareas administrativas}
+    \begin{itemize}
+        \item Configuración
+        \item Resolución de problemas
+        \item Trabajadores (workers)
+        \item Registros (logs)
+    \end{itemize}
+\end{frame}

1-misp-usage/slide_es.tex

@@ -0,0 +1,28 @@
+\documentclass{beamer}
+\usetheme[numbering=progressbar]{focus}
+\definecolor{main}{RGB}{47, 161, 219}
+\definecolor{textcolor}{RGB}{128, 128, 128}
+\definecolor{background}{RGB}{240, 247, 255}
+
+\usepackage[utf8]{inputenc}
+\usepackage{tikz}
+\usepackage{listings}
+\usepackage{adjustbox}
+\usetikzlibrary{positioning}
+\usetikzlibrary{shapes,arrows}
+%\usepackage[T1]{fontenc}
+%\usepackage[scaled]{beramono}
+
+\author{\small{\input{../includes/authors.txt}}}
+
+\title{Capacitación de Usuario de MISP - Uso básico de MISP}
+\subtitle{MISP - Threat Sharing}
+\institute{\href{http://www.misp-project.org/}{http://www.misp-project.org/} \\ Twitter: \emph{\href{https://twitter.com/mispproject}{@MISPProject}}}
+\date{\input{../includes/location.txt}}
+\titlegraphic{\includegraphics[scale=0.85]{misp.pdf}}
+
+
+\begin{document}
+\include{content_es}
+\end{document}
+

20220615-NATO-MUG-UPDATE/content.tex

@@ -0,0 +1,312 @@
+% DO NOT COMPILE THIS FILE DIRECTLY!
+% This is included by the other .tex files.
+
+\begin{frame}
+\titlepage
+\end{frame}
+
+\begin{frame}
+  \frametitle{The aim of this presentation}
+  \begin{itemize}
+     \item A small update on the state of MISP's ongoing development
+     \item Some highlights of the changes that were introduced
+     \item Upcoming changes
+     \item Cerebrate update
+     \item Workflows
+  \end{itemize}
+\end{frame}
+
+\begin{frame}
+  \frametitle{MISP's evolution since the last MUG}
+  \begin{itemize}
+    \item Since the last MUG (18/11/2021) we've had:
+    \begin{itemize}
+        \item 9 releases
+        \item 1775 commits
+        \item 74 contributors contributing to the core software and its components
+    \end{itemize}
+  \end{itemize}
+\end{frame}
+
+\begin{frame}
+  \frametitle{Main focus was securing our data and tooling}
+  \begin{itemize}
+      \item Current {\bf geo-political situation} lead to new challenges
+      \item It has been an interesting time period with quite some activity
+      \item Our goal was to {\bf shore up the security} aspects of MISP and Cerebrate
+      \item Build new functionalities and tools to allow users to {\bf protect their data}
+  \end{itemize}
+\end{frame}
+
+\begin{frame}
+  \frametitle{Sharing group blueprints}
+  \begin{itemize}
+     \item Solving the issue of {\bf sharing group lifecycle management}
+     \item Build SG blueprints for reusable, maintainable sharing groups
+     \item Abstract sharing groups, organisation metadata as building blocks
+     \item Solve newly arising sharing challenges
+  \end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Sharing group blueprints}
+\includegraphics[scale=0.6]{images/blueprints2.png}
+\end{frame}
+
+\begin{frame}
+  \frametitle{Cryptographic signing and tamper protection}
+  \begin{itemize}
+     \item Need to be able to share and ensure the {\bf veracity of critical events}
+     \item Tampering by {\bf malicious intermediaries}, even in closed networks became a new fear
+     \item We came up with a solution that allows us to {\bf lock down critical events}
+     \item Limits the distribution, but {\bf increases the resilience} of MISP immensely
+  \end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Cryptographic signing and tamper protection}
+\includegraphics[scale=0.5]{images/signing1.png}
+\end{frame}
+
+\begin{frame}
+\frametitle{Cryptographic signing and tamper protection}
+\includegraphics[scale=0.5]{images/signing2.png}
+\end{frame}
+
+\begin{frame}
+\frametitle{Cryptographic signing and tamper protection}
+\includegraphics[scale=0.6]{images/signing3.png}
+\includegraphics[scale=0.6]{images/signing4.png}
+\end{frame}
+
+\begin{frame}
+  \frametitle{Other major improvements}
+  \begin{itemize}
+      \item Various other new functionalities that improve our day to day use of the tool
+  \end{itemize}
+\end{frame}
+
+\begin{frame}
+  \frametitle{Long list of security fixes}
+  \begin{itemize}
+      \item Partially from user reports
+      \item Partially by an exhaustive pentest series
+      \item Massive thank you to {\bf Zigrin Security} for conducting the tests...
+      \item ...and to the {\bf Luxembourgish Army} for financing it
+      \item Multiple {\bf CVEs} resolved, including a {\bf critical one that required a silent release}
+      \item Make sure you stay up to date!
+  \end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Long list of security fixes}
+\includegraphics[scale=0.4]{images/security.png}
+\end{frame}
+
+
+\begin{frame}
+  \frametitle{Event warning system}
+  \begin{itemize}
+     \item Build a rule based tool that analyses an event and {\bf recommends improvements}
+     \item Typical issues easily caught (missing TLP, lack of context, etc)
+     \item Simple to extend, flexible
+  \end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Event warning system}
+\includegraphics[scale=0.3]{images/warnings.png}
+\end{frame}
+
+
+\begin{frame}
+  \frametitle{Massive rework of the STIX integrations}
+  \begin{itemize}
+     \item Our resident STIX guru (Christian Studer) has become {\bf co-chair of the STIX commitee} at OASIS
+     \item Massive rework of how we handle {\bf STIX ingestion / generation}
+     \item Continuous work with {\bf Mitre/CISA} to improve the integration
+     \item STIX subsystem spun off as a standalone system
+  \end{itemize}
+\end{frame}
+
+\begin{frame}
+  \frametitle{Further synchronisation filtering methods}
+  \begin{itemize}
+     \item The ability to {\bf exclude} certain attribute {\bf types from the synchronisation}
+     \item Comes with some risks, but solves some issues
+     \item An example: {\bf Exclusion of malware samples when sharing towards classified networks}
+  \end{itemize}
+\end{frame}
+
+\begin{frame}
+  \frametitle{Advanced timelining}
+  \begin{itemize}
+     \item Rework of the timelining in MISP
+     \item Inclusion of images, sightings
+     \item Various other improvements
+  \end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Timelining}
+\includegraphics[scale=0.2]{images/timelining.png}
+\end{frame}
+
+\begin{frame}
+  \frametitle{New background processor}
+  \begin{itemize}
+     \item Since late November last year we have had a {\bf new background processing engine}
+     \item Fully optional for now
+     \item Lean, closer to an OS native implementation via {\bf Supervisor}
+     \item Gets rid of a lot of the baggage of our previous system (scheduling)
+     \item Implemetation by @righel (Luciano Righetti)
+  \end{itemize}
+\end{frame}
+
+
+\begin{frame}
+  \frametitle{Long list of other fixes}
+  \begin{itemize}
+     \item Usability fixes
+     \item Performance improvements
+     \item Bug fixes
+     \item Too many improvements to the galaxies, taxonomies, object templates to list!
+     \item Huge thank you to {\bf Jakub Onderka} for the {\bf constant stream of improvements}
+  \end{itemize}
+\end{frame}
+
+\begin{frame}
+  \frametitle{What do we have planned for the (near) future?}
+\end{frame}
+
+\begin{frame}
+  \frametitle{Workflows in MISP}
+  \begin{itemize}
+     \item Outcome of our initial work from GeekWeek 7.5\footnote{\href{https://cyber.gc.ca/en/events/geekweek-75}{Workshop organized by the Canadian Cyber Center}}
+     \item Goal: Modifying the execution of certain {\bf core functionalities}
+     \item Basically a {\bf hooking mechanism}
+     \item Modular approach using {\bf MISP-modules} or {\bf PHP modules}
+     \item Build and execute admin defined tasks on various actions
+     \item Modify data in place, block, fire-and-forget
+     \item All exposed via a {\bf completely new GUI}
+  \end{itemize}
+\end{frame}
+
+\begin{frame}
+  \frametitle{Workflows in MISP}
+  \begin{itemize}
+     \item {\bf Branching} codebase
+     \item Context sensitive, per-module filters
+     \item Implemented by our UI expert Sami "GraphMan" Mokaddem 
+  \end{itemize}
+\end{frame}
+
+
+\begin{frame}
+\frametitle{Workflows in MISP}
+\includegraphics[scale=0.2]{images/workflows1.png}
+\end{frame}
+
+\begin{frame}
+\frametitle{Workflows in MISP}
+\includegraphics[scale=0.2]{images/workflows2.png}
+\end{frame}
+
+
+\begin{frame}
+  \frametitle{External data guard}
+  \begin{itemize}
+     \item Work in {\bf collaboration with BICES}
+     \item Proxy server that {\bf inspects and blocks potential data leaks} during synchronisation
+     \item Standalone
+     \item Simplistic design and {\bf easy to audit}
+     \item Modular {\bf rule based} system
+  \end{itemize}
+\end{frame}
+
+\begin{frame}
+  \frametitle{Various reworks to support STIX mappings}
+  \begin{itemize}
+     \item {\bf Relationships for tags/galaxies}
+     \item {\bf Templating} for galaxy cluster creation
+     \item Dot notation {\bf deep cluster elements}
+     \item Built in {\bf TAXII support} with the help of Mitre/CISA (currently not merged yet)
+  \end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Quick Cerebrate update}
+\begin{center}
+\includegraphics[scale=0.4]{images/cerebrate.png}
+\end{center}
+\end{frame}
+
+\begin{frame}
+  \frametitle{Quick Cerebrate update}
+  \begin{itemize}
+     \item 5 new releases
+     \item Deployment for the {\bf CSIRT network} ongoing
+     \item A host of new functionalities to solve day to day issues we have in the CSIRT community
+  \end{itemize}
+\end{frame}
+
+\begin{frame}
+  \frametitle{User management}
+  \begin{itemize}
+     \item Reworked completely
+     \item Tight integration with {\bf KeyCloak}
+     \item Full user provisioning / maintaining via Cerebrate
+  \end{itemize}
+\end{frame}
+
+\begin{frame}
+  \frametitle{Reworked meta information system}
+  \begin{itemize}
+     \item Introduction of {\bf context specific custom fields}
+     \item Custom {\bf search algorithms} (for example CIDR block lookups for constituency information)
+     \item Customisable and {\bf blueprint-able data model}
+  \end{itemize}
+\end{frame}
+
+\begin{frame}
+  \frametitle{API along with its documentation fleshed out}
+  \begin{itemize}
+     \item {\bf OpenAPI integration} similarly to MISP
+     \item Integration tests and introduction of a {\bf CI pipeline}
+     \item Documentation and API examples available in Cerebrate directly
+  \end{itemize}
+\end{frame}
+
+\begin{frame}
+  \frametitle{Security fixes}
+  \begin{itemize}
+     \item Cerebrate, similarly to MISP received an in-depth pentest by {\bf Zigrin Security}
+     \item Likewise funded by the {\bf Luxembourgish Army}
+     \item Besides fixes to vulnerabilities, a host of usability findings and fixes
+     \item {\bf 5 CVEs} published
+     \item \url{https://www.cerebrate-project.org/security.html}
+  \end{itemize}
+\end{frame}
+
+\begin{frame}
+  \frametitle{Get in touch if you have any questions}
+  \begin{itemize}
+    \item Contact CIRCL
+    \begin{itemize}
+      \item info@circl.lu
+      \item \url{https://twitter.com/circl_lu}
+      \item \url{https://www.circl.lu/}
+    \end{itemize}
+    \item Contact MISPProject 
+    \begin{itemize}
+      \item \url{https://github.com/MISP}
+      \item \url{https://gitter.im/MISP/MISP}
+      \item \url{https://twitter.com/MISPProject}
+    \end{itemize}
+    \item Cerebrate project
+    \begin{itemize}
+      \item \url{https://github.com/cerebrate-project}
+      \item \url{https://github.com/cerebrate-project/cerebrate}
+    \end{itemize}
+  \end{itemize}
+\end{frame}

20220615-NATO-MUG-UPDATE/makefile

@@ -0,0 +1,5 @@
+all:
+	pdflatex -interaction nonstopmode -halt-on-error -file-line-error slide.tex
+
+clean:
+	rm *.aux *.nav *.log *.snm *.toc *.vrb

20220615-NATO-MUG-UPDATE/slide.tex

@@ -0,0 +1,25 @@
+\documentclass{beamer}
+\usetheme[numbering=progressbar]{focus}
+\definecolor{main}{RGB}{47, 161, 219}
+\definecolor{textcolor}{RGB}{128, 128, 128}
+\definecolor{background}{RGB}{240, 247, 255}
+
+\usepackage[utf8]{inputenc}
+\usepackage{tikz}
+\usepackage{listings}
+\usepackage{adjustbox}
+\usetikzlibrary{positioning}
+\usetikzlibrary{shapes,arrows}
+%\usepackage[T1]{fontenc}
+%\usepackage[scaled]{beramono}
+\author{\small{\input{../includes/authors.txt}}}
+\title{MISP status update}
+\subtitle{News since the last MUG}
+\institute{\includegraphics[scale=0.5]{misplogo.pdf}}
+\titlegraphic{\includegraphics[scale=0.85]{misp.pdf}}
+
+\date{\input{../includes/location.txt}}
+\begin{document}
+\include{content}
+\end{document}
+

20221116-NATO-MUG/content.tex

@@ -0,0 +1,599 @@
+% DO NOT COMPILE THIS FILE DIRECTLY!
+% This is included by the other .tex files.
+
+\begin{frame}[t,plain]
+\titlepage
+\end{frame}
+
+\begin{frame}
+    \frametitle{Automation in MISP: What already exists?}
+    \includegraphics[valign=m,width=16px]{pictures/python-logo.png}\hspace*{0.5em} \textbf{MISP API / PyMISP}
+    \begin{itemize}
+        \item Needs CRON Jobs in place
+        \item Heavy for the server
+        \item Not realtime
+    \end{itemize}
+    \vspace*{1em}
+    \includegraphics[valign=m,width=16px]{pictures/zeromq.png}\hspace*{0.5em} \textbf{PubSub channels}
+    \begin{itemize}
+        \item After the actions happen: No feedback to MISP
+        \item Tougher to put in place \& to share
+        \item Full integration amounts to develop a new tool
+    \end{itemize}
+    \vspace*{0.5em}
+    $\rightarrow$ No way to \textbf{prevent} behavior\\
+    $\rightarrow$ Difficult to setup \textbf{hooks} to execute callbacks
+\end{frame}
+
+\begin{frame}
+    \frametitle{What type of use-cases are we trying to support?}
+    \begin{itemize}
+        \item \textbf{Prevent} default MISP behaviors to happen
+        \begin{itemize}
+            \item Prevent \textbf{publication of events} not passing sanity checks
+            \item Prevent \textbf{querying} thrid-party \textbf{services} with sensitive information
+            \item $\cdots$
+        \end{itemize}
+        \vspace*{1.0em}
+        \item \textbf{Hook} specific actions to run callbacks
+        \begin{itemize}
+            \item \textbf{Automatically run} enrichment services
+            \item Modify data on-the-fly: False positives, enable CTI-Pipeline
+            \item Send notifications in a chat rooms
+            \item $\cdots$
+        \end{itemize}
+    \end{itemize}
+\end{frame}
+
+\begin{frame}
+    \frametitle{Simple automation in MISP made easy}
+    \begin{center}
+        \includegraphics[width=0.3\linewidth]{pictures/automation.png}
+    \end{center}
+    \begin{itemize}
+        \item Why?
+        \begin{itemize}
+            \item Everyone loves \textbf{simple automation}
+            \item \textbf{Visual} dataflow programming
+            \item Users want \textbf{more control}
+        \end{itemize}
+        \item How?
+        \begin{itemize}
+            \item \textbf{Drag \& Drop} editor
+            \item Prevent actions \textbf{before they happen}
+            \item Flexible \textbf{Plug \& Play} system
+            \item \textbf{Share} workflows, \textbf{debug} and \textbf{replay}
+        \end{itemize}
+    \end{itemize}
+\end{frame}
+
+\begin{frame}
+    \frametitle{Content of the presentation}
+    \begin{itemize}
+        \item MISP Workflows fundamentals
+        \item Demo by examples
+        \item Using the system
+        \item How it can be extended
+    \end{itemize}
+
+    \vspace*{1em}
+    \begin{center}
+        \frame{\includegraphics[width=0.7\linewidth]{pictures/overview.png}}
+    \end{center}
+\end{frame}
+
+\section{Workflow - Fundamentals}
+\begin{frame}
+    \frametitle{How does it work}
+    \begin{center}
+        \frame{\includegraphics[width=0.6\linewidth]{pictures/event-condition-action.png}}
+    \end{center}
+    \begin{enumerate}
+        \item An \textbf{event} happens in MISP
+        \item Check if all \textbf{conditions} are satisfied
+        \item Execute all \textbf{actions}
+        \begin{itemize}
+            \item May prevent MISP to complete its original event
+        \end{itemize}
+    \end{enumerate}
+\end{frame}
+
+\begin{frame}
+    \frametitle{What kind of events?}
+    \includegraphics[width=60px]{pictures/sc-event.png}
+    \vspace*{0.5em}
+    \begin{itemize}
+        \item New MISP Event
+        \item Attribute has been saved
+        \item New discussion post
+        \item New user created
+        \item Query against third-party services
+        \item ...
+    \end{itemize}
+    \vspace*{1em}
+    {\Large \faIcon{question-circle}} Supported events in MISP are called \textbf{Triggers}\\
+    {\Large \faIcon{question-circle}} A \textbf{Trigger} is associated with \textbf{1-and-only-1 Workflow}
+\end{frame}
+
+\begin{frame}
+    \frametitle{Triggers currently available}
+    Currently 10 triggers can be hooked. 3 being \includegraphics[width=36px]{pictures/blocking-workflow.png}.
+    \begin{center}
+        \includegraphics[width=1.0\linewidth]{pictures/triggers.png}
+    \end{center}
+\end{frame}
+
+\begin{frame}
+    \frametitle{What kind of conditions?}
+    \vspace*{0.25em}
+    \includegraphics[width=70px]{pictures/sc-condition.png}
+    \vspace*{0.25em}
+    \begin{itemize}
+        \item An MISP Event is tagged with \texttt{tlp:red}
+        \item The distribution an Attribute is a sharing group
+        \item The creator organisation is \texttt{circl.lu}
+        \item Or any other \textbf{generic} conditions
+    \end{itemize}
+
+    \vspace*{0.5em}
+    {\Large \faIcon{question-circle}} These are also called \textbf{Logic modules}
+    \begin{center}
+        \includegraphics[width=0.43\textwidth]{pictures/logic-module.png}
+    \end{center}
+\end{frame}
+
+\begin{frame}
+    \frametitle{Workflow - Logic modules}
+    \begin{itemize}
+        \item \includegraphics[width=12px]{pictures/sc-condition-icon.png} \textbf{logic} modules: Allow to redirect the execution flow.
+        \begin{itemize}
+            \item IF conditions
+            \item Delay execution
+        \end{itemize}
+    \end{itemize}
+    \begin{center}
+        \includegraphics[width=1.0\linewidth]{pictures/logic-module-index.png}
+    \end{center}
+\end{frame}
+
+\begin{frame}
+    \frametitle{What kind of actions?}
+    \vspace*{0.25em}
+    \includegraphics[width=60px]{pictures/sc-action.png}
+    \vspace*{0.25em}
+    \begin{itemize}
+        \item Send an email notification
+        \item Perform enrichments
+        \item Send a chat message on MS Teams
+        \item Attach a local tag
+        \item ...
+    \end{itemize}
+
+    \vspace*{0.5em}
+    {\Large \faIcon{question-circle}} These are also called \textbf{Action modules}
+    \begin{center}
+        \includegraphics[width=0.43\textwidth]{pictures/action-module.png}
+    \end{center}
+\end{frame}
+
+\begin{frame}
+    \frametitle{Workflow - Action modules}
+    \begin{itemize}
+        \item \includegraphics[width=12px]{pictures/sc-action-icon.png} \textbf{action} modules: Allow to executes operations
+        \begin{itemize}
+            \item Tag operations
+            \item Send notifications
+            \item Webhooks
+            \item Custom scripts
+        \end{itemize}
+    \end{itemize}
+    \begin{center}
+        \includegraphics[width=1.0\linewidth]{pictures/action-module-index.png}
+    \end{center}
+\end{frame}
+
+\begin{frame}
+    \frametitle{What is a MISP Workflow?}
+    \begin{itemize}
+        \item Sequence of all nodes to be executed in a specific order
+        \item Workflows can be enabled / disabled
+        \item A Workflow is associated to \textbf{1-and-only-1 trigger}
+    \end{itemize}
+    \vspace*{0.5em}
+    \begin{center}
+        \frame{\includegraphics[width=1.0\linewidth]{pictures/simple-workflow.png}}
+    \end{center}
+\end{frame}
+
+\begin{frame}
+    \frametitle{Workflow execution for Event publish}
+    \begin{itemize}
+        \setlength\itemsep{1em}
+        \item[] \hspace*{-2em}\includegraphics[width=16px]{pictures/sc-event-icon.png} \hspace*{0.25em} An Event is about to be published
+        \begin{itemize}
+            \item The workflow for the \texttt{event-publish} trigger starts
+        \end{itemize}
+        \item[] \hspace*{-2em}\includegraphics[width=16px]{pictures/sc-condition-icon.png} \hspace*{0.25em} Conditions are evaluated
+        \begin{itemize}
+            \item They might change the path taken during the execution
+        \end{itemize}
+        \item[] \hspace*{-2em}\includegraphics[width=16px]{pictures/sc-action-icon.png} \hspace*{0.25em} Actions are executed
+        \begin{itemize}
+            \setlength\itemsep{0.75em}
+            \item {\bf\color{green!50!black}success}: Continue the publishing action
+            \hspace*{-4em}\includegraphics[width=1.0\textwidth]{pictures/log-entry-publish-success.png}
+            \item {\bf\color{red}failure} | \texttt{\color{red}blocked}: Stop publishing and log the reason
+            \hspace*{-4em}\includegraphics[width=1.0\textwidth]{pictures/log-entry-publish-blocked.png}
+        \end{itemize}
+    \end{itemize}
+\end{frame}
+
+\begin{frame}
+    \frametitle{Blocking and non-blocking}
+    Two types of workflows:
+    \vspace{0.5em}
+    \begin{itemize}
+        \item[] \hspace*{-2em}\includegraphics[valign=m,width=48px]{pictures/blocking-workflow.png} Workflows
+        \begin{itemize}
+            \item Can prevent / block the original event to happen
+            \item If a \textbf{blocking module}\includegraphics[valign=b,width=12px]{pictures/blocking-module.png} blocks the action
+        \end{itemize}
+        \vspace{0.5em}
+        \item[] \hspace*{-2em}\includegraphics[valign=b,width=56px]{pictures/non-blocking-workflow.png} Workflows execution outcome has no impact
+        \begin{itemize}
+            \item No way to prevent something that happened in the past
+        \end{itemize}
+        \begin{center}
+            \includegraphics[width=0.4\linewidth]{pictures/time-machine.png}
+        \end{center}
+    \end{itemize}
+\end{frame}
+
+\begin{frame}
+    \frametitle{Sources of Workflow modules (0)}
+    \begin{itemize}
+        \item \textbf{Trigger} module: MISP Source code \textbf{only}
+        \begin{itemize}
+            \item Get in touch if you want more
+        \end{itemize}
+        \item \textbf{Logic} module: MISP Source code \& \textbf{custom}
+        \item \textbf{Action} module: MISP Source code \& \textbf{custom}
+    \end{itemize}
+    \vspace*{2.0em}
+    \begin{itemize}
+        \item MISP Source code $\rightarrow$ Built-in \textbf{text} module
+        \item Custom $\rightarrow$ Write your own at 2 places
+    \end{itemize}
+\end{frame}
+
+\begin{frame}
+    \frametitle{Sources of Workflow modules (1)}
+    \begin{itemize}
+        \item Built-in \textbf{default} modules
+        \begin{itemize}
+            \item Part of the MISP codebase
+            \item Get in touch if you want us to increase the selection!
+        \end{itemize}
+    \end{itemize}
+    \vspace*{0.5em}
+    \begin{center}
+        \includegraphics[width=0.8\linewidth]{pictures/module-buffet.png}
+    \end{center}
+\end{frame}
+
+\begin{frame}
+    \frametitle{Sources of Workflow modules (2)}
+    User-defined \textbf{custom} modules
+    \vspace*{0.5em}
+    \begin{columns}
+        \begin{column}{0.5\textwidth}
+            \begin{itemize}
+                \item Written in PHP
+                \item Extend existing modules
+                \item MISP code reuse
+            \end{itemize}
+        \end{column}
+        \begin{column}{0.5\textwidth}
+            \includegraphics[width=1.0\linewidth]{pictures/php-joke.jpg}
+        \end{column}
+    \end{columns}
+\end{frame}
+
+\begin{frame}
+    \frametitle{Sources of Workflow modules (3)}
+    Modules from the \includegraphics[width=0.20\linewidth]{pictures/misp-module-icon.png} \textbf{enrichment service}
+    \vspace*{0.5em}
+    \begin{columns}
+        \begin{column}{0.50\textwidth}
+            \begin{itemize}
+                \item Written in Python
+                \item Can use any python libraries
+                \item Plug \& Play
+            \end{itemize}
+        \end{column}
+        \begin{column}{0.50\textwidth}
+            \includegraphics[width=1.0\linewidth]{pictures/python-joke.png}
+        \end{column}
+    \end{columns}
+\end{frame}
+
+\begin{frame}
+    \frametitle{Getting started with workflows}
+    \begin{center}
+        \includegraphics[width=0.9\linewidth]{pictures/workflow-release.png}
+    \end{center}
+    \begin{enumerate}
+        \item Update your MISP server
+        \item Update all your sub-modules
+    \end{enumerate}
+    \begin{center}
+        \includegraphics[width=0.6\textwidth]{pictures/upgrade-people.jpeg}
+    \end{center}
+\end{frame}
+
+\section{Demo by examples}
+\begin{frame}
+    \frametitle{Demo 1: Block if Event.distribution < "Community"}
+    \begin{center}
+        \includegraphics[width=1.0\textwidth]{pictures/simple-workflow.png}
+    \end{center}
+\end{frame}
+
+\begin{frame}
+    \frametitle{Demo 2: Send to ZMQ if any Attribute is tagged with `tlp:white`}
+    \begin{center}
+        \includegraphics[width=1.0\textwidth]{pictures/example-1a.png}
+    \end{center}
+\end{frame}
+
+\begin{frame}
+    \frametitle{Demo 3: Block publish if *:red and email, else notify on Mattermost}
+    \begin{center}
+        \includegraphics[width=1.0\textwidth]{pictures/example-4.png}
+    \end{center}
+\end{frame}
+
+\begin{frame}
+    \frametitle{Demo 4: Remove IDS flag \& add tag for known false-negative file hashes}
+    \begin{center}
+        \includegraphics[width=1.0\textwidth]{pictures/example-3.png}
+    \end{center}
+\end{frame}
+
+\section{Considerations when working with workflows}
+\begin{frame}
+    \frametitle{Working with the editor - Operations not allowed}
+    Execution loop are not authorized
+    \vspace*{1em}
+    \begin{columns}
+        \begin{column}{0.7\textwidth}
+            \frame{\includegraphics[width=1.0\linewidth]{pictures/editor-not-allowed-1.png}}
+        \end{column}
+        \begin{column}{0.3\textwidth}
+            \frame{\includegraphics[width=1.0\linewidth]{pictures/infinite-loop.jpg}}
+        \end{column}
+    \end{columns}
+\end{frame}
+
+\begin{frame}
+    \frametitle{Recursive workflows}
+    \frame{\includegraphics[width=1.0\linewidth]{pictures/recursive-workflow.png}}
+    \danger Recursion: If an action re-run the workflow
+\end{frame}
+
+\begin{frame}
+    \frametitle{Working with the editor - Operations not allowed}
+    Multiple connections from the same output
+    \vspace*{1em}
+    \begin{columns}
+        \begin{column}{0.7\textwidth}
+            \frame{\includegraphics[width=1.0\linewidth]{pictures/editor-not-allowed-2.png}}
+        \end{column}
+        \begin{column}{0.3\textwidth}
+            \frame{\includegraphics[width=1.0\linewidth]{pictures/two-paths.jpeg}}
+        \end{column}
+    \end{columns}
+    \begin{itemize}
+        \item Execution order not guaranted
+        \item Confusing for users
+    \end{itemize}
+\end{frame}
+
+\begin{frame}
+    \frametitle{Working with the editor}
+    Cases showing a warning:
+    \begin{itemize}
+        \item \textbf{Blocking} modules \includegraphics[width=10px]{pictures/blocking-module.png} in a \includegraphics[valign=b,width=56px]{pictures/non-blocking-workflow.png} workflow \includegraphics[width=0.12\linewidth]{pictures/time-machine.png}
+        \item \textbf{Blocking} modules \includegraphics[width=10px]{pictures/blocking-module.png} after a \textbf{concurrent tasks} module
+        \begin{center}
+            \frame{\includegraphics[width=1.0\linewidth]{pictures/editor-warning-1.png}}
+        \end{center}
+    \end{itemize}
+\end{frame}
+
+\section{Advanced usage}
+\begin{frame}
+    \frametitle{Workflow blueprints}
+    \hspace*{0.9\textwidth}\includegraphics[width=32px]{pictures/blueprint-32.png}
+    \vspace*{-2em}
+    \begin{enumerate}
+        \item Blueprints allow to \textbf{re-use parts} of a workflow in another one
+        \item Blueprints can be saved, exported and \textbf{shared}
+    \end{enumerate}
+    \begin{center}
+        \includegraphics[width=0.5\linewidth]{pictures/blueprint-debugging.png}
+    \end{center}
+    Blueprints sources:
+    \begin{enumerate}
+        \item Created or imported by users
+        \item From the \texttt{MISP/misp-workflow-blueprints} repository\footnote{\scriptsize https://github.com/MISP/misp-workflow-blueprints}
+    \end{enumerate}
+\end{frame}
+
+\begin{frame}
+    \frametitle{Data format in Workflows}
+    \begin{center}
+        \includegraphics[width=0.7\linewidth]{pictures/workflow-trigger.png}
+    \end{center}
+    \begin{itemize}
+        \item In most cases, the format is the \textbf{MISP Core format}
+        \begin{itemize}
+            \item Attributes are \textbf{always encapsulated} in the Event or Object
+        \end{itemize}
+        \item But has \textbf{additional properties}
+        \begin{itemize}
+            \item Additional key \textbf{\texttt{\_AttributeFlattened}}
+            \item Additional key \textbf{\texttt{\_allTags}}
+            \item Additional key \textbf{\texttt{inherited}} for Tags
+        \end{itemize}
+    \end{itemize}
+\end{frame}
+
+\begin{frame}
+    \frametitle{Logic module: Concurrent Task}
+    \begin{itemize}
+        \item Logic module allowing \textbf{multiple output} connections
+        \item \textbf{Postpone the execution} for remaining modules
+        \item Convert \includegraphics[valign=b,width=44px]{pictures/blocking-workflow.png} \faIcon{long-arrow-alt-right} \includegraphics[valign=b,width=56px]{pictures/non-blocking-workflow.png}
+    \end{itemize}
+    \begin{center}
+        \frame{\includegraphics[width=0.5\linewidth]{pictures/module-concurrent.png}}
+    \end{center}
+\end{frame}
+
+\begin{frame}
+    \frametitle{Debugging options}
+    \begin{columns}
+        \begin{column}{0.6\textwidth}
+            \begin{itemize}
+                \item Workflow \textbf{execution and outcome}
+                \item Module \textbf{execution and outcome}
+                \item \textbf{Live} workflow debugging with module inspection
+                \item \textbf{Re-running/testing} workflows with custom data
+                \item \textbf{Stateless} module execution
+            \end{itemize}
+        \end{column}
+        \begin{column}{0.4\textwidth}
+            \includegraphics[width=1.0\linewidth]{pictures/enough-debugging.jpg}
+        \end{column}
+    \end{columns}
+\end{frame}
+
+\section{Extending the system}
+\begin{frame}
+    \frametitle{Creating a new module in PHP}
+    \begin{center}
+        \includegraphics[scale=0.07]{pictures/PHP-logo.png}
+    \end{center}
+    \vspace*{2em}
+    \begin{itemize}
+        \item \texttt{\small \textbf{app/Lib/}WorkflowModules/action/[module\_name].php}
+        \item Designed to be easilty extended
+        \begin{itemize}
+            \item Helper functions
+            \item Module configuration as variables
+            \item Implement runtime logic
+        \end{itemize}
+        \item Main benefits
+        \begin{itemize}
+            \item Fast
+            \item Re-use existing functionalities
+            \item No need for misp-modules
+        \end{itemize}
+    \end{itemize}
+\end{frame}
+
+\begin{frame}
+    \frametitle{Creating a new module in PHP}
+    \begin{center}
+        \includegraphics[width=1.0\linewidth]{pictures/custom-1.png}
+    \end{center}
+\end{frame}
+
+\begin{frame}
+    \frametitle{Creating a new module in Python}
+    \begin{center}
+        \includegraphics[scale=0.03]{pictures/python-logo.png}
+    \end{center}
+    \begin{itemize}
+        \item Similar to how other \texttt{misp-modules} are implemented
+        \begin{itemize}
+            \item Helper functions
+            \item Module configuration as variables
+            \item Implement runtime logic
+        \end{itemize}
+        \item Main benefits
+        \begin{itemize}
+            \item Easier than PHP
+            \item Lots of libraries for integration
+        \end{itemize}
+    \end{itemize}
+\end{frame}
+
+\begin{frame}
+    \frametitle{Creating a new module in Python}
+    \begin{center}
+        \includegraphics[width=1.0\linewidth]{pictures/custom-2.png}
+    \end{center}
+\end{frame}
+
+\begin{frame}
+    \frametitle{More ideas}
+    \begin{itemize}
+        \item Notification when new users join an instance
+        \item Trigger on any action generating log entries
+        \item Extend existing MISP behavior: Push correlation in another system
+        \item Sanity check to block publishing
+        \item ...
+    \end{itemize}
+\end{frame}
+
+\begin{frame}
+    \frametitle{Under development}
+    Ease data manipulation with \textbf{filtering modules}
+    \begin{center}
+        \includegraphics[width=1.0\textwidth]{pictures/filtering-modules.png}
+    \end{center}
+\end{frame}
+
+\begin{frame}
+    \frametitle{Future works}
+    \begin{columns}
+        \begin{column}{0.55\textwidth}
+            \begin{itemize}
+                \item More \includegraphics[width=12px]{pictures/sc-action-icon.png} modules
+                \item More \includegraphics[width=12px]{pictures/sc-condition-icon.png} modules
+                \item More \includegraphics[width=12px]{pictures/sc-event-icon.png} triggers
+                \item More documentation
+                \item Recursion prevention system
+                \item On-the-fly data override?
+            \end{itemize}
+        \end{column}
+        \begin{column}{0.45\textwidth}
+            \includegraphics[width=1.0\linewidth]{pictures/future-works.jpeg}
+        \end{column}
+    \end{columns}
+\end{frame}
+
+\begin{frame}
+    \frametitle{Final words}
+    \begin{columns}
+        \begin{column}{0.6\textwidth}
+            \begin{itemize}
+                \item Designed to \textbf{quickly} and \textbf{cheaply} integrate MISP in CTI pipelines
+                \item \underline{\textbf{Beta}} Feature unlikely to change. But still..
+                \item Waiting for feedback!
+                \begin{itemize}
+                    \item New triggers?
+                    \item New modules?
+                    \item ...
+                \end{itemize}
+            \end{itemize}
+        \end{column}
+        \begin{column}{0.4\textwidth}
+            \includegraphics[width=1.0\linewidth]{pictures/feeling-of-power.jpg}
+        \end{column}
+    \end{columns}
+    \vspace*{0.5em}
+\end{frame}
+