chg: [cheatsheets] Typos and general improvements
parent
65f3b34cc4
commit
759486e761
|
@ -1,25 +1,25 @@
|
|||
\begin{center}{
|
||||
\huge{\textbf{MISP Concept Cheat sheet}}}\\
|
||||
\huge{\textbf{MISP Concepts Cheat sheet}}}\\
|
||||
\end{center}
|
||||
|
||||
\begin{multicols*}{2}
|
||||
\cheatboxlarge{Glossary}{
|
||||
\boxentry{Correlations}{Are links created automatically whenever an \attribute is created or modified. They allow interconnection between \events based on their values.}
|
||||
\boxentry{Correlation Engine}{Is the system used by MISP to create correlation between \attribute's value. It currently support strict string comparison, SSDEEP and CDIR blocks matches.}
|
||||
\boxentry{Caching}{Is the process of \textit{fetching} data from a MISP instance or feed but only storing hashes of the collected values for correlations and look-ups purposes.}
|
||||
\boxentry{Delegation}{Is the act of transfering the ownership of an \event to another organisation and removing any associations with the original creator.}
|
||||
\boxentry{Deletion (hard/soft)}{\textit{Hard deletion} is the act of removing the element from the database. It will thus do not perform revocation on other MISP instances. \textit{Soft deletion} is the act flagging an element as deleted and thus propagating the revocation among the network of connected MISP instances.}
|
||||
\boxentry{Extended Event}{Is an \event that extends an existing \event, providing a combined view of the data contained in both \events. The owner of the extending \event is the organisation that created the extension, this allows anyone to extend any \events and have control over them.}
|
||||
\boxentry{\galaxy Matrix}{Is a matrix derived from \clusters belonging to the same \galaxy. The layout (pages and columns) is defined at the \galaxy level and its content comes from the \clusters meta-data themselves.}
|
||||
\boxentry{Indicators}{contain a pattern that can be used to detect suspicious or malicious cyber activity. They are generally \attributes having their \texttt{to\_ids} flag set.}
|
||||
\boxentry{Orgc / Org}{\textit{Creator Organisation} (\textbf{Orgc}) is the organisation that created the data and the one allowed to modify it. \textit{Owner Organisation} (\textbf{Org}) is the organisation owning the data on a given instance and is allowed to view it regardless of the distribution level.}
|
||||
\boxentry{Publishing}{Is the action of declaring that an \event is ready to be synchronised. It may also send e-mail notifications and make it available to some formats.}
|
||||
\boxentry{Pulling}{Is the action of using a user on a remote instance to fetch the accessible data and store it locally.}
|
||||
\boxentry{Pushing}{Is the action of using an uplink connection via a \textit{sync. user} to send data to a remote instance.}
|
||||
\boxentry{Synchronisation}{Is the exchange of data between two (or more) MISP instances throught the \textit{pull} and \textit{push} mechanism.}
|
||||
\boxentry{Sync. filtering rule}{Can be applied on a synchronisation link for both the \textit{pull} and \textit{push} mechanisms to block or allow the data to be transfered.}
|
||||
\boxentry{Sync. User}{Special role of a user granting addional sync permissions. The recommanded way to setup \textit{pull} and \textit{push} synchronisation is to use \textit{sync users}.}
|
||||
\boxentry{Proposals}{Are a mechanism to propose modications to the creating organisations. If a path of connected MISP instances exists, it will be synchronized so that the creator may accept or discard it.}
|
||||
\boxentry{Correlations}{Links created automatically whenever an \attribute is created or modified. They allow interconnection between \events based on their attributes.}
|
||||
\boxentry{Correlation Engine}{Is the system used by MISP to create correlations between \attribute's value. It currently supports strict string comparison, SSDEEP and CDIR blocks matches.}
|
||||
\boxentry{Caching}{Is the process of \textit{fetching} data from a MISP instance or feed but only storing hashes of the collected values for correlation and look-up purposes.}
|
||||
\boxentry{Delegation}{Act of transfering the ownership of an \event to another organisation while hidding the original creator, thus providing anonymity.}
|
||||
\boxentry{Deletion (hard/soft)}{\textit{Hard deletion} is the act of removing the element from the system; it will not perform revocation on other MISP instances. \textit{Soft deletion} is the act flagging an element as deleted and propagating the revocation among the network of connected MISP instances.}
|
||||
\boxentry{Extended Event}{\event that extends an existing \event, providing a combined view of the data contained in both \events. The owner of the extending \event is the organisation that created the extension. This allows anyone to extend any \events and have total control over them.}
|
||||
\boxentry{\galaxy Matrix}{Matrix derived from \clusters belonging to the same \galaxy. The layout (pages and columns) is defined at the \galaxy level and its content comes from the \clusters meta-data themselves.}
|
||||
\boxentry{Indicators}{\attribute containing a pattern that can be used to detect suspicious or malicious activity. These \attributes usually have their \texttt{to\_ids} flag enabled.}
|
||||
\boxentry{Orgc / Org}{\textit{Creator Organisation} (\textbf{Orgc}) is the organisation that created the data and the one allowed to modify it. \textit{Owner Organisation} (\textbf{Org}) is the organisation owning the data on a given instance and is allowed to view it regardless of the distribution level. The two are not necessarily the same.}
|
||||
\boxentry{Publishing}{Action of declaring that an \event is ready to be synchronised. It may also send e-mail notifications and makes it available to some export formats.}
|
||||
\boxentry{Pulling}{Action of using a user on a remote instance to fetch the accessible data and storing it locally.}
|
||||
\boxentry{Pushing}{Action of using an uplink connection via a \textit{sync. user} to send data to a remote instance.}
|
||||
\boxentry{Synchronisation}{Is the exchange of data between two (or more) MISP instances throught the \textit{pull} or \textit{push} mechanisms.}
|
||||
\boxentry{Sync. filtering rule}{Can be applied on a synchronisation link for both the \textit{pull} and \textit{push} mechanisms to block or allow data to be transfered.}
|
||||
\boxentry{Sync. User}{Special role of a user granting addional sync permissions. The recommanded way to setup \textit{push} synchronisation is to use \textit{sync users}.}
|
||||
\boxentry{Proposals}{Are a mechanism to propose modications to the creating organisations (\textbf{Orgc}). If a path of connected MISP instances exists, the \proposal will be synchronised allowing the creator to accept or discard it.}
|
||||
}
|
||||
|
||||
\columnbreak
|
||||
|
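Review bot: Several typos survive on the new side of this hunk even though the commit is titled "Typos": `hidding` (Delegation), `the act flagging` (Deletion), `throught` (Synchronisation), `addional` and `recommanded` (Sync. User) and `modications` (Proposals); I would fix them in the same pass, e.g. `\boxentry{Sync. User}{Special role of a user granting additional sync permissions. The recommended way to set up \textit{push} synchronisation is to use \textit{sync users}.}`. The Delegation entry also strengthens the old "removing any associations with the original creator" to "thus providing anonymity"; if the original creator remains visible anywhere (to administrators of the delegating instance, or in the pending delegation request), "anonymity" overstates the guarantee, so I would qualify it as anonymity towards the receiving organisations — worth confirming against the delegation implementation. The Sync. User entry also silently drops \textit{pull} from the recommendation; if that is intentional, one clause saying why (the Pulling entry describes using a user on the remote instance, Pushing an uplink via the local sync user) would stop readers reading it as an omission.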
@ -27,17 +27,17 @@
|
|||
\cheatboxlarge[Controls who can see the data and how it should be synchronised.]{Distribution}{
|
||||
\boxentry{Organisation only}{Only members of your organisation}
|
||||
\boxentry{This community}{Organisations on this MISP instance}
|
||||
\boxentry{Connected Communities}{Organisations on this MISP instance and those on MISP instances synchronising with this one. Upon receiving data, the distribution level will be downgraded to \texttt{This community} to avoid further propagation.}
|
||||
\boxentry{Connected Communities}{Organisations on this MISP instance and those on MISP instances synchronising with this one. Upon receiving data, the distribution will be downgraded to \texttt{This community} to avoid further propagation. ($n\leq 1$)}
|
||||
\vspace*{-0.7em}
|
||||
\begin{center}
|
||||
\createdistrilegend
|
||||
\hspace*{1em}
|
||||
\distrigraph{2}
|
||||
\end{center}
|
||||
\boxentry{All Communities}{Anyone having access: Will be freely propagated in the network of connected MISP instances.}
|
||||
\boxentry{All Communities}{Anyone having access. Data will be freely propagated in the network of connected MISP instances. ($n = \infty$)}
|
||||
\vspace*{-0.7em}
|
||||
\begin{center}\distrigraph{3}\end{center}
|
||||
\boxentry{\linkdest{sharinggroup}Sharing Groups}{Organisations being part of the distribution list that exhaustively keeps track of who can access the data and how it should be synchronised.}
|
||||
\boxentry{\linkdest{sharinggroup}Sharing Groups}{Distribution list that exhaustively keeps track of which organisations can access the data and how it should be synchronised.}
|
||||
|
||||
\begin{multicols*}{2}
|
||||
\begin{center}
|
||||
|
|
|
@ -6,7 +6,7 @@
|
|||
\begin{minipage}{0.3\textwidth}
|
||||
\begin{itemize}[noitemsep,topsep=2pt,parsep=0pt,partopsep=0pt]
|
||||
\item[\taggable] Context such as \taxonomies or \clusters can be attached to the element
|
||||
\item[\distributable] Can have a distribution level
|
||||
\item[\distributable] Has a distribution level
|
||||
\item[\synchronisable] Can be synchronised to/from other instances
|
||||
\end{itemize}
|
||||
\end{minipage}
|
||||
|
@ -14,8 +14,8 @@
|
|||
|
||||
% EVENT
|
||||
\cheatbox[\faicon{envelope}]
|
||||
[Group datapoints and contexts together. Acting as an envelop, it allows setting its distribution and sharing rules.]
|
||||
[Encode incidents, events, reports, …]
|
||||
[Group datapoints and context together. Acting as an envelop, it allows setting distribution and sharing rules for itself and its children.]
|
||||
[Encode incidents/events/reports/…]
|
||||
[\taggable \distributable \synchronisable]
|
||||
[Encapsulations for contextually linked information.]
|
||||
{\linkdest{event}Event}
|
||||
|
@ -33,7 +33,7 @@
|
|||
{\linkdest{attribute}Attribute}
|
||||
{
|
||||
$\blacktriangleright$ \attributes cannot be duplicated inside the same \event and can have \sightings.\\
|
||||
$\blacktriangleright$ The difference between an IoC or supporting data is usualy indicated by the state of the attribute's \texttt{to\_ids} flag.
|
||||
$\blacktriangleright$ The difference between an indicator or supporting data is usualy indicated by the state of the attribute's \texttt{to\_ids} flag.
|
||||
}
|
||||
|
||||
% Object
|
||||
|
@ -44,14 +44,14 @@
|
|||
[Advanced building block providing \attribute compositions via templates.]
|
||||
{\linkdest{object}MISP Object}
|
||||
{
|
||||
$\blacktriangleright$ \objects have their attribute compositions described in their respective template. They are instanciated with \attributes and can reference \reference other \attributes or \objects.\\
|
||||
$\blacktriangleright$ MISP is not required to know the template to save and display the object. However, \textit{edits} will not be possible as the template to validate against is not known.
|
||||
$\blacktriangleright$ \objects have their attribute compositions described in their respective template. They are instanciated with \attributes and can \reference other \attributes or \objects.\\
|
||||
$\blacktriangleright$ MISP is not required to know the template to save and display the object. However, \textit{edits} will not be possible as the template to validate against is unknown.
|
||||
}
|
||||
\columnbreak
|
||||
|
||||
% Object Reference
|
||||
\cheatbox[$\nearrow$]
|
||||
[Allows to create relationships between entities, thus creating a graph where they are the edges and entities are the nodes]
|
||||
[Allows to create relationships between entities, thus creating a graph where they are the edges and entities are the nodes.]
|
||||
[Represent behaviours, similarities, affiliation, …]
|
||||
[\synchronisable]
|
||||
[Relationships between individual building blocks.]
|
||||
|
@ -62,10 +62,10 @@
|
|||
|
||||
% Sightings
|
||||
\cheatbox[\faicon{eye}]
|
||||
[Allows to add temporality to the data]
|
||||
[Allows to add temporality to the data.]
|
||||
[Record activity or occurence, perform IoC expiration, …]
|
||||
[\synchronisable]
|
||||
[Means to convey that a data point has been seen.]
|
||||
[Means to convey that an \attribute has been seen.]
|
||||
{\linkdest{sighting}Sightings}
|
||||
{
|
||||
$\blacktriangleright$ \sightings are the best way to express that something has been seen. They can also be used to mark \textit{false positives}.
|
||||
|
@ -73,13 +73,13 @@
|
|||
|
||||
% Event report
|
||||
\cheatbox[\faicon{file-text}]
|
||||
[Supporting data point to describe events or processes]
|
||||
[Supporting data point to describe events or processes.]
|
||||
[Encode reports, provide more information about the \event, …]
|
||||
[\distributable \synchronisable]
|
||||
[Advanced building block that can contain text.]
|
||||
[Advanced building block containing formated text.]
|
||||
{\linkdest{eventreport}Event Report}
|
||||
{
|
||||
$\blacktriangleright$ \eventreports are markdown-aware and includes a special syntax to reference data points or context.
|
||||
$\blacktriangleright$ \eventreports are markdown-aware and include a special syntax to reference data points or context.
|
||||
}
|
||||
|
||||
% Proposals
|
||||
|
@ -97,27 +97,28 @@
|
|||
% Taxonomies
|
||||
\cheatbox[$\mathcal{T}$]
|
||||
[Enable efficent classification globally understood, easing consumption and automation.]
|
||||
[TLP, Confidence, Source, Workflows, Event type, …]
|
||||
[Provide classification such as: TLP, Confidence, Source, Workflows, Event type, …]
|
||||
[]
|
||||
[Machine and human-readable labels standardised on a common set of vocabularies.]
|
||||
{\linkdest{taxonomy}Taxonomies}
|
||||
{
|
||||
$\blacktriangleright$ Even though MISP allows the creation of free-text tags, it's always preferable to use those coming from \taxonomies if they exists.
|
||||
$\blacktriangleright$ Even though MISP allows the creation of free-text tags, it's always preferable to use those coming from \taxonomies, if they exists.
|
||||
}
|
||||
|
||||
% Galaxies
|
||||
\cheatbox[\faicon{rebel}]
|
||||
[Bundle \clusters by their type to avoid confusing and to ease searches.]
|
||||
[Exploit-Kit, Preventive Measure, MITRE ATT\&CK, Tools, Threat-actors, …]
|
||||
[Bundle \clusters by their type to avoid confusion and to ease searches.]
|
||||
[Bundle types: Exploit-Kit, Preventive Measures, ATT\&CK, Tools, Threat-actors, …]
|
||||
[]
|
||||
[Act as a container to group together context described by \clusters by their type.]
|
||||
[Act as a container to group together context described in \clusters by their type.]
|
||||
{\linkdest{galaxy}Galaxies}
|
||||
{}
|
||||
|
||||
% Galaxy Clusters
|
||||
\cheatbox[\faicon{rebel}]
|
||||
[Enable description of complex high-level information for classification.]
|
||||
[\texttt{threat-actor="APT 29"}, \texttt{country="germany"}, \texttt{mitre-attack-pattern="Disk Wipe - T1561"}]
|
||||
% [\texttt{threat-actor="APT 29"}, \texttt{country="germany"}, \texttt{mitre-attack-pattern="Disk Wipe - T1561"}]
|
||||
[Extensively describe elements such as: threat actors, countries, technique used, …]
|
||||
[\distributable \synchronisable]
|
||||
[Kownledge base items used as tags with additional complex meta-data aimed for human consumption.]
|
||||
{\linkdest{cluster}Galaxies Clusters}
|
||||
|
|
|
@ -106,7 +106,7 @@ POST /tags/attachTagToObject
|
|||
}
|
||||
|
||||
\cheatboxlarge{Tips \& Tricks}{
|
||||
\boxentry{Get JSON Representation}{Append \texttt{.json} at any URL to get the content in JSON format. Example: \texttt{/events/view/42.json}}
|
||||
\boxentry{Get JSON Representation}{Append \texttt{.json} to any URLs to get their content in JSON format. Example: \texttt{/events/view/42.json}}
|
||||
}
|
||||
|
||||
\columnbreak
|
||||
|
@ -122,12 +122,12 @@ POST /tags/attachTagToObject
|
|||
All in 1-shot: \clicode{Admin updateMISP}\\
|
||||
Manually:
|
||||
\begin{enumerate}[noitemsep,topsep=2pt,parsep=0pt,partopsep=0pt]
|
||||
\item \bashcode{/var/www/MISP}
|
||||
\item \bashcode{cd /var/www/MISP}
|
||||
\item \bashcode{git pull origin 2.4}
|
||||
\item \bashcode{git submodule update --init --recursive}
|
||||
\item \clicode{Admin updateJSON}
|
||||
\setlength\itemsep{-0.1em}
|
||||
\item Check live update progress \texttt{/servers/updateProgress}
|
||||
\item Check live update progress \texttt{GET /servers/updateProgress}
|
||||
\end{enumerate}
|
||||
}
|
||||
\cheatboxlarge{Workers}{
|
||||
|
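Review bot: The manual update steps now `cd /var/www/MISP` before `git pull origin 2.4` and `git submodule update --init --recursive`, but they do not say which user should run them; run as root, the checkout ends up root-owned and the web-server user (presumably the owner of /var/www/MISP — confirm against the installation docs) can no longer update it, so I would prefix the git steps with the service account, e.g. `\item \bashcode{sudo -u <web-server user> git pull origin 2.4}` and the same for the submodule line. The `git pull` also tracks a moving branch with no integrity check beyond the transport, so a one-line caveat that administrators should inspect the resulting commit (or pin to a release tag) before running \clicode{Admin updateJSON} is the kind of note a cheat-sheet reader wants. The enclosing \cheatboxlarge opens before the hunk.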
@ -138,10 +138,9 @@ POST /tags/attachTagToObject
|
|||
\cheatboxlarge{Settings}{
|
||||
Get: \clicode{Admin getSetting [setting]}\\
|
||||
Set: \clicode{Admin setSetting [setting] [value]}\\
|
||||
Stop: \clicode{Admin stopWorker [pid]}\\
|
||||
Base URL: \clicode{Baseurl [baseurl]}
|
||||
}
|
||||
\cheatboxlarge{Miscalenous}{
|
||||
\cheatboxlarge{Miscellaneous}{
|
||||
Clean Caches: \clicode{Admin cleanCaches}\\
|
||||
Get IPs For User ID: \clicode{Admin UserIP [user_id]}\\
|
||||
Get User ID For User IP: \clicode{Admin IPUser [ip]}\\
|
||||
|
|
|
@ -28,16 +28,21 @@
|
|||
\node[currentstyle] (d2) [right=of d1b] {};
|
||||
\changestyledistribution{#1}{2}
|
||||
\node[currentstyle] (d3) [right=of d2] {};
|
||||
\node[currentstyle] (d4a) [above right= 5pt and 30pt of d3] {};
|
||||
\node[currentstyle] (d4b) [right= of d3] {};
|
||||
|
||||
\node[textnode] (d0-notice) [above= 10pt of d0] {$n=0$};
|
||||
\node[textnode] (d1a-notice) [above= 5pt of d1a] {$n=1$};
|
||||
\node[textnode] (d2-notice) [above= 15pt of d2] {$n=2$};
|
||||
\node[textnode] (d3-notice) [above= 15pt of d3] {$n=3$};
|
||||
\node[textnode] (d4-notice) [above= 15pt of d4b] {$n=4$};
|
||||
|
||||
\draw[-] (d0) to[out=30, in=180] (d1a);
|
||||
\draw[-] (d0) to[out=-30, in=180] (d1b);
|
||||
\draw[-] (d1b) -- (d2);
|
||||
\draw[-] (d2) -- (d3);
|
||||
\draw[-] (d3) to[out=30, in=180] (d4a);
|
||||
\draw[-] (d3) -- (d4b);
|
||||
|
||||
% \draw[-] (d0-notice.east) -- +(15pt,0pt) -- (d0.135);
|
||||
% \draw[-] ($(d0-notice.east) + (-1pt,-2pt)$) -- ($(d0) + (-3pt,2pt)$);
|
||||
|
|