new: [20221116-MUG] Added initial version of workflow-slides
|
@ -0,0 +1,599 @@
|
||||||
|
% DO NOT COMPILE THIS FILE DIRECTLY!
|
||||||
|
% This is included by the other .tex files.
|
||||||
|
|
||||||
|
\begin{frame}[t,plain]
|
||||||
|
\titlepage
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Automation in MISP: What already exists?}
|
||||||
|
\includegraphics[valign=m,width=16px]{pictures/python-logo.png}\hspace*{0.5em} \textbf{MISP API / PyMISP}
|
||||||
|
\begin{itemize}
|
||||||
|
\item Needs CRON Jobs in place
|
||||||
|
\item Heavy for the server
|
||||||
|
\item Not realtime
|
||||||
|
\end{itemize}
|
||||||
|
\vspace*{1em}
|
||||||
|
\includegraphics[valign=m,width=16px]{pictures/zeromq.png}\hspace*{0.5em} \textbf{PubSub channels}
|
||||||
|
\begin{itemize}
|
||||||
|
\item After the actions happen: No feedback to MISP
|
||||||
|
\item Tougher to put in place \& to share
|
||||||
|
\item Full integration amounts to develop a new tool
|
||||||
|
\end{itemize}
|
||||||
|
\vspace*{0.5em}
|
||||||
|
$\rightarrow$ No way to \textbf{prevent} behavior\\
|
||||||
|
$\rightarrow$ Difficult to setup \textbf{hooks} to execute callbacks
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{What type of use-cases are we trying to support?}
|
||||||
|
\begin{itemize}
|
||||||
|
\item \textbf{Prevent} default MISP behaviors to happen
|
||||||
|
\begin{itemize}
|
||||||
|
\item Prevent \textbf{publication of events} not passing sanity checks
|
||||||
|
\item Prevent \textbf{querying} thrid-party \textbf{services} with sensitive information
|
||||||
|
\item $\cdots$
|
||||||
|
\end{itemize}
|
||||||
|
\vspace*{1.0em}
|
||||||
|
\item \textbf{Hook} specific actions to run callbacks
|
||||||
|
\begin{itemize}
|
||||||
|
\item \textbf{Automatically run} enrichment services
|
||||||
|
\item Modify data on-the-fly: False positives, enable CTI-Pipeline
|
||||||
|
\item Send notifications in a chat rooms
|
||||||
|
\item $\cdots$
|
||||||
|
\end{itemize}
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Simple automation in MISP made easy}
|
||||||
|
\begin{center}
|
||||||
|
\includegraphics[width=0.3\linewidth]{pictures/automation.png}
|
||||||
|
\end{center}
|
||||||
|
\begin{itemize}
|
||||||
|
\item Why?
|
||||||
|
\begin{itemize}
|
||||||
|
\item Everyone loves \textbf{simple automation}
|
||||||
|
\item \textbf{Visual} dataflow programming
|
||||||
|
\item Users want \textbf{more control}
|
||||||
|
\end{itemize}
|
||||||
|
\item How?
|
||||||
|
\begin{itemize}
|
||||||
|
\item \textbf{Drag \& Drop} editor
|
||||||
|
\item Prevent actions \textbf{before they happen}
|
||||||
|
\item Flexible \textbf{Plug \& Play} system
|
||||||
|
\item \textbf{Share} workflows, \textbf{debug} and \textbf{replay}
|
||||||
|
\end{itemize}
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Content of the presentation}
|
||||||
|
\begin{itemize}
|
||||||
|
\item MISP Workflows fundamentals
|
||||||
|
\item Demo by examples
|
||||||
|
\item Using the system
|
||||||
|
\item How it can be extended
|
||||||
|
\end{itemize}
|
||||||
|
|
||||||
|
\vspace*{1em}
|
||||||
|
\begin{center}
|
||||||
|
\frame{\includegraphics[width=0.7\linewidth]{pictures/overview.png}}
|
||||||
|
\end{center}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\section{Workflow - Fundamentals}
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{How does it work}
|
||||||
|
\begin{center}
|
||||||
|
\frame{\includegraphics[width=0.6\linewidth]{pictures/event-condition-action.png}}
|
||||||
|
\end{center}
|
||||||
|
\begin{enumerate}
|
||||||
|
\item An \textbf{event} happens in MISP
|
||||||
|
\item Check if all \textbf{conditions} are satisfied
|
||||||
|
\item Execute all \textbf{actions}
|
||||||
|
\begin{itemize}
|
||||||
|
\item May prevent MISP to complete its original event
|
||||||
|
\end{itemize}
|
||||||
|
\end{enumerate}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{What kind of events?}
|
||||||
|
\includegraphics[width=60px]{pictures/sc-event.png}
|
||||||
|
\vspace*{0.5em}
|
||||||
|
\begin{itemize}
|
||||||
|
\item New MISP Event
|
||||||
|
\item Attribute has been saved
|
||||||
|
\item New discussion post
|
||||||
|
\item New user created
|
||||||
|
\item Query against third-party services
|
||||||
|
\item ...
|
||||||
|
\end{itemize}
|
||||||
|
\vspace*{1em}
|
||||||
|
{\Large \faIcon{question-circle}} Supported events in MISP are called \textbf{Triggers}\\
|
||||||
|
{\Large \faIcon{question-circle}} A \textbf{Trigger} is associated with \textbf{1-and-only-1 Workflow}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Triggers currently available}
|
||||||
|
Currently 10 triggers can be hooked. 3 being \includegraphics[width=36px]{pictures/blocking-workflow.png}.
|
||||||
|
\begin{center}
|
||||||
|
\includegraphics[width=1.0\linewidth]{pictures/triggers.png}
|
||||||
|
\end{center}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{What kind of conditions?}
|
||||||
|
\vspace*{0.25em}
|
||||||
|
\includegraphics[width=70px]{pictures/sc-condition.png}
|
||||||
|
\vspace*{0.25em}
|
||||||
|
\begin{itemize}
|
||||||
|
\item An MISP Event is tagged with \texttt{tlp:red}
|
||||||
|
\item The distribution an Attribute is a sharing group
|
||||||
|
\item The creator organisation is \texttt{circl.lu}
|
||||||
|
\item Or any other \textbf{generic} conditions
|
||||||
|
\end{itemize}
|
||||||
|
|
||||||
|
\vspace*{0.5em}
|
||||||
|
{\Large \faIcon{question-circle}} These are also called \textbf{Logic modules}
|
||||||
|
\begin{center}
|
||||||
|
\includegraphics[width=0.43\textwidth]{pictures/logic-module.png}
|
||||||
|
\end{center}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Workflow - Logic modules}
|
||||||
|
\begin{itemize}
|
||||||
|
\item \includegraphics[width=12px]{pictures/sc-condition-icon.png} \textbf{logic} modules: Allow to redirect the execution flow.
|
||||||
|
\begin{itemize}
|
||||||
|
\item IF conditions
|
||||||
|
\item Delay execution
|
||||||
|
\end{itemize}
|
||||||
|
\end{itemize}
|
||||||
|
\begin{center}
|
||||||
|
\includegraphics[width=1.0\linewidth]{pictures/logic-module-index.png}
|
||||||
|
\end{center}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{What kind of actions?}
|
||||||
|
\vspace*{0.25em}
|
||||||
|
\includegraphics[width=60px]{pictures/sc-action.png}
|
||||||
|
\vspace*{0.25em}
|
||||||
|
\begin{itemize}
|
||||||
|
\item Send an email notification
|
||||||
|
\item Perform enrichments
|
||||||
|
\item Send a chat message on MS Teams
|
||||||
|
\item Attach a local tag
|
||||||
|
\item ...
|
||||||
|
\end{itemize}
|
||||||
|
|
||||||
|
\vspace*{0.5em}
|
||||||
|
{\Large \faIcon{question-circle}} These are also called \textbf{Action modules}
|
||||||
|
\begin{center}
|
||||||
|
\includegraphics[width=0.43\textwidth]{pictures/action-module.png}
|
||||||
|
\end{center}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Workflow - Action modules}
|
||||||
|
\begin{itemize}
|
||||||
|
\item \includegraphics[width=12px]{pictures/sc-action-icon.png} \textbf{action} modules: Allow to executes operations
|
||||||
|
\begin{itemize}
|
||||||
|
\item Tag operations
|
||||||
|
\item Send notifications
|
||||||
|
\item Webhooks
|
||||||
|
\item Custom scripts
|
||||||
|
\end{itemize}
|
||||||
|
\end{itemize}
|
||||||
|
\begin{center}
|
||||||
|
\includegraphics[width=1.0\linewidth]{pictures/action-module-index.png}
|
||||||
|
\end{center}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{What is a MISP Workflow?}
|
||||||
|
\begin{itemize}
|
||||||
|
\item Sequence of all nodes to be executed in a specific order
|
||||||
|
\item Workflows can be enabled / disabled
|
||||||
|
\item A Workflow is associated to \textbf{1-and-only-1 trigger}
|
||||||
|
\end{itemize}
|
||||||
|
\vspace*{0.5em}
|
||||||
|
\begin{center}
|
||||||
|
\frame{\includegraphics[width=1.0\linewidth]{pictures/simple-workflow.png}}
|
||||||
|
\end{center}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Workflow execution for Event publish}
|
||||||
|
\begin{itemize}
|
||||||
|
\setlength\itemsep{1em}
|
||||||
|
\item[] \hspace*{-2em}\includegraphics[width=16px]{pictures/sc-event-icon.png} \hspace*{0.25em} An Event is about to be published
|
||||||
|
\begin{itemize}
|
||||||
|
\item The workflow for the \texttt{event-publish} trigger starts
|
||||||
|
\end{itemize}
|
||||||
|
\item[] \hspace*{-2em}\includegraphics[width=16px]{pictures/sc-condition-icon.png} \hspace*{0.25em} Conditions are evaluated
|
||||||
|
\begin{itemize}
|
||||||
|
\item They might change the path taken during the execution
|
||||||
|
\end{itemize}
|
||||||
|
\item[] \hspace*{-2em}\includegraphics[width=16px]{pictures/sc-action-icon.png} \hspace*{0.25em} Actions are executed
|
||||||
|
\begin{itemize}
|
||||||
|
\setlength\itemsep{0.75em}
|
||||||
|
\item {\bf\color{green!50!black}success}: Continue the publishing action
|
||||||
|
\hspace*{-4em}\includegraphics[width=1.0\textwidth]{pictures/log-entry-publish-success.png}
|
||||||
|
\item {\bf\color{red}failure} | \texttt{\color{red}blocked}: Stop publishing and log the reason
|
||||||
|
\hspace*{-4em}\includegraphics[width=1.0\textwidth]{pictures/log-entry-publish-blocked.png}
|
||||||
|
\end{itemize}
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Blocking and non-blocking}
|
||||||
|
Two types of workflows:
|
||||||
|
\vspace{0.5em}
|
||||||
|
\begin{itemize}
|
||||||
|
\item[] \hspace*{-2em}\includegraphics[valign=m,width=48px]{pictures/blocking-workflow.png} Workflows
|
||||||
|
\begin{itemize}
|
||||||
|
\item Can prevent / block the original event to happen
|
||||||
|
\item If a \textbf{blocking module}\includegraphics[valign=b,width=12px]{pictures/blocking-module.png} blocks the action
|
||||||
|
\end{itemize}
|
||||||
|
\vspace{0.5em}
|
||||||
|
\item[] \hspace*{-2em}\includegraphics[valign=b,width=56px]{pictures/non-blocking-workflow.png} Workflows execution outcome has no impact
|
||||||
|
\begin{itemize}
|
||||||
|
\item No way to prevent something that happened in the past
|
||||||
|
\end{itemize}
|
||||||
|
\begin{center}
|
||||||
|
\includegraphics[width=0.4\linewidth]{pictures/time-machine.png}
|
||||||
|
\end{center}
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Sources of Workflow modules (0)}
|
||||||
|
\begin{itemize}
|
||||||
|
\item \textbf{Trigger} module: MISP Source code \textbf{only}
|
||||||
|
\begin{itemize}
|
||||||
|
\item Get in touch if you want more
|
||||||
|
\end{itemize}
|
||||||
|
\item \textbf{Logic} module: MISP Source code \& \textbf{custom}
|
||||||
|
\item \textbf{Action} module: MISP Source code \& \textbf{custom}
|
||||||
|
\end{itemize}
|
||||||
|
\vspace*{2.0em}
|
||||||
|
\begin{itemize}
|
||||||
|
\item MISP Source code $\rightarrow$ Built-in \textbf{text} module
|
||||||
|
\item Custom $\rightarrow$ Write your own at 2 places
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Sources of Workflow modules (1)}
|
||||||
|
\begin{itemize}
|
||||||
|
\item Built-in \textbf{default} modules
|
||||||
|
\begin{itemize}
|
||||||
|
\item Part of the MISP codebase
|
||||||
|
\item Get in touch if you want us to increase the selection!
|
||||||
|
\end{itemize}
|
||||||
|
\end{itemize}
|
||||||
|
\vspace*{0.5em}
|
||||||
|
\begin{center}
|
||||||
|
\includegraphics[width=0.8\linewidth]{pictures/module-buffet.png}
|
||||||
|
\end{center}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Sources of Workflow modules (2)}
|
||||||
|
User-defined \textbf{custom} modules
|
||||||
|
\vspace*{0.5em}
|
||||||
|
\begin{columns}
|
||||||
|
\begin{column}{0.5\textwidth}
|
||||||
|
\begin{itemize}
|
||||||
|
\item Written in PHP
|
||||||
|
\item Extend existing modules
|
||||||
|
\item MISP code reuse
|
||||||
|
\end{itemize}
|
||||||
|
\end{column}
|
||||||
|
\begin{column}{0.5\textwidth}
|
||||||
|
\includegraphics[width=1.0\linewidth]{pictures/php-joke.jpg}
|
||||||
|
\end{column}
|
||||||
|
\end{columns}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Sources of Workflow modules (3)}
|
||||||
|
Modules from the \includegraphics[width=0.20\linewidth]{pictures/misp-module-icon.png} \textbf{enrichment service}
|
||||||
|
\vspace*{0.5em}
|
||||||
|
\begin{columns}
|
||||||
|
\begin{column}{0.50\textwidth}
|
||||||
|
\begin{itemize}
|
||||||
|
\item Written in Python
|
||||||
|
\item Can use any python libraries
|
||||||
|
\item Plug \& Play
|
||||||
|
\end{itemize}
|
||||||
|
\end{column}
|
||||||
|
\begin{column}{0.50\textwidth}
|
||||||
|
\includegraphics[width=1.0\linewidth]{pictures/python-joke.png}
|
||||||
|
\end{column}
|
||||||
|
\end{columns}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Getting started with workflows}
|
||||||
|
\begin{center}
|
||||||
|
\includegraphics[width=0.9\linewidth]{pictures/workflow-release.png}
|
||||||
|
\end{center}
|
||||||
|
\begin{enumerate}
|
||||||
|
\item Update your MISP server
|
||||||
|
\item Update all your sub-modules
|
||||||
|
\end{enumerate}
|
||||||
|
\begin{center}
|
||||||
|
\includegraphics[width=0.6\textwidth]{pictures/upgrade-people.jpeg}
|
||||||
|
\end{center}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\section{Demo by examples}
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Demo 1: Block if Event.distribution < "Community"}
|
||||||
|
\begin{center}
|
||||||
|
\includegraphics[width=1.0\textwidth]{pictures/simple-workflow.png}
|
||||||
|
\end{center}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Demo 2: Send to ZMQ if any Attribute is tagged with `tlp:white`}
|
||||||
|
\begin{center}
|
||||||
|
\includegraphics[width=1.0\textwidth]{pictures/example-1a.png}
|
||||||
|
\end{center}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Demo 3: Block publish if *:red and email, else notify on Mattermost}
|
||||||
|
\begin{center}
|
||||||
|
\includegraphics[width=1.0\textwidth]{pictures/example-4.png}
|
||||||
|
\end{center}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Demo 4: Remove IDS flag \& add tag for known false-negative file hashes}
|
||||||
|
\begin{center}
|
||||||
|
\includegraphics[width=1.0\textwidth]{pictures/example-3.png}
|
||||||
|
\end{center}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\section{Considerations when working with workflows}
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Working with the editor - Operations not allowed}
|
||||||
|
Execution loop are not authorized
|
||||||
|
\vspace*{1em}
|
||||||
|
\begin{columns}
|
||||||
|
\begin{column}{0.7\textwidth}
|
||||||
|
\frame{\includegraphics[width=1.0\linewidth]{pictures/editor-not-allowed-1.png}}
|
||||||
|
\end{column}
|
||||||
|
\begin{column}{0.3\textwidth}
|
||||||
|
\frame{\includegraphics[width=1.0\linewidth]{pictures/infinite-loop.jpg}}
|
||||||
|
\end{column}
|
||||||
|
\end{columns}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Recursive workflows}
|
||||||
|
\frame{\includegraphics[width=1.0\linewidth]{pictures/recursive-workflow.png}}
|
||||||
|
\danger Recursion: If an action re-run the workflow
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Working with the editor - Operations not allowed}
|
||||||
|
Multiple connections from the same output
|
||||||
|
\vspace*{1em}
|
||||||
|
\begin{columns}
|
||||||
|
\begin{column}{0.7\textwidth}
|
||||||
|
\frame{\includegraphics[width=1.0\linewidth]{pictures/editor-not-allowed-2.png}}
|
||||||
|
\end{column}
|
||||||
|
\begin{column}{0.3\textwidth}
|
||||||
|
\frame{\includegraphics[width=1.0\linewidth]{pictures/two-paths.jpeg}}
|
||||||
|
\end{column}
|
||||||
|
\end{columns}
|
||||||
|
\begin{itemize}
|
||||||
|
\item Execution order not guaranted
|
||||||
|
\item Confusing for users
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Working with the editor}
|
||||||
|
Cases showing a warning:
|
||||||
|
\begin{itemize}
|
||||||
|
\item \textbf{Blocking} modules \includegraphics[width=10px]{pictures/blocking-module.png} in a \includegraphics[valign=b,width=56px]{pictures/non-blocking-workflow.png} workflow \includegraphics[width=0.12\linewidth]{pictures/time-machine.png}
|
||||||
|
\item \textbf{Blocking} modules \includegraphics[width=10px]{pictures/blocking-module.png} after a \textbf{concurrent tasks} module
|
||||||
|
\begin{center}
|
||||||
|
\frame{\includegraphics[width=1.0\linewidth]{pictures/editor-warning-1.png}}
|
||||||
|
\end{center}
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\section{Advanced usage}
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Workflow blueprints}
|
||||||
|
\hspace*{0.9\textwidth}\includegraphics[width=32px]{pictures/blueprint-32.png}
|
||||||
|
\vspace*{-2em}
|
||||||
|
\begin{enumerate}
|
||||||
|
\item Blueprints allow to \textbf{re-use parts} of a workflow in another one
|
||||||
|
\item Blueprints can be saved, exported and \textbf{shared}
|
||||||
|
\end{enumerate}
|
||||||
|
\begin{center}
|
||||||
|
\includegraphics[width=0.5\linewidth]{pictures/blueprint-debugging.png}
|
||||||
|
\end{center}
|
||||||
|
Blueprints sources:
|
||||||
|
\begin{enumerate}
|
||||||
|
\item Created or imported by users
|
||||||
|
\item From the \texttt{MISP/misp-workflow-blueprints} repository\footnote{\scriptsize https://github.com/MISP/misp-workflow-blueprints}
|
||||||
|
\end{enumerate}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Data format in Workflows}
|
||||||
|
\begin{center}
|
||||||
|
\includegraphics[width=0.7\linewidth]{pictures/workflow-trigger.png}
|
||||||
|
\end{center}
|
||||||
|
\begin{itemize}
|
||||||
|
\item In most cases, the format is the \textbf{MISP Core format}
|
||||||
|
\begin{itemize}
|
||||||
|
\item Attributes are \textbf{always encapsulated} in the Event or Object
|
||||||
|
\end{itemize}
|
||||||
|
\item But has \textbf{additional properties}
|
||||||
|
\begin{itemize}
|
||||||
|
\item Additional key \textbf{\texttt{\_AttributeFlattened}}
|
||||||
|
\item Additional key \textbf{\texttt{\_allTags}}
|
||||||
|
\item Additional key \textbf{\texttt{inherited}} for Tags
|
||||||
|
\end{itemize}
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Logic module: Concurrent Task}
|
||||||
|
\begin{itemize}
|
||||||
|
\item Logic module allowing \textbf{multiple output} connections
|
||||||
|
\item \textbf{Postpone the execution} for remaining modules
|
||||||
|
\item Convert \includegraphics[valign=b,width=44px]{pictures/blocking-workflow.png} \faIcon{long-arrow-alt-right} \includegraphics[valign=b,width=56px]{pictures/non-blocking-workflow.png}
|
||||||
|
\end{itemize}
|
||||||
|
\begin{center}
|
||||||
|
\frame{\includegraphics[width=0.5\linewidth]{pictures/module-concurrent.png}}
|
||||||
|
\end{center}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Debugging options}
|
||||||
|
\begin{columns}
|
||||||
|
\begin{column}{0.6\textwidth}
|
||||||
|
\begin{itemize}
|
||||||
|
\item Workflow \textbf{execution and outcome}
|
||||||
|
\item Module \textbf{execution and outcome}
|
||||||
|
\item \textbf{Live} workflow debugging with module inspection
|
||||||
|
\item \textbf{Re-running/testing} workflows with custom data
|
||||||
|
\item \textbf{Stateless} module execution
|
||||||
|
\end{itemize}
|
||||||
|
\end{column}
|
||||||
|
\begin{column}{0.4\textwidth}
|
||||||
|
\includegraphics[width=1.0\linewidth]{pictures/enough-debugging.jpg}
|
||||||
|
\end{column}
|
||||||
|
\end{columns}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\section{Extending the system}
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Creating a new module in PHP}
|
||||||
|
\begin{center}
|
||||||
|
\includegraphics[scale=0.07]{pictures/PHP-logo.png}
|
||||||
|
\end{center}
|
||||||
|
\vspace*{2em}
|
||||||
|
\begin{itemize}
|
||||||
|
\item \texttt{\small \textbf{app/Lib/}WorkflowModules/action/[module\_name].php}
|
||||||
|
\item Designed to be easilty extended
|
||||||
|
\begin{itemize}
|
||||||
|
\item Helper functions
|
||||||
|
\item Module configuration as variables
|
||||||
|
\item Implement runtime logic
|
||||||
|
\end{itemize}
|
||||||
|
\item Main benefits
|
||||||
|
\begin{itemize}
|
||||||
|
\item Fast
|
||||||
|
\item Re-use existing functionalities
|
||||||
|
\item No need for misp-modules
|
||||||
|
\end{itemize}
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Creating a new module in PHP}
|
||||||
|
\begin{center}
|
||||||
|
\includegraphics[width=1.0\linewidth]{pictures/custom-1.png}
|
||||||
|
\end{center}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Creating a new module in Python}
|
||||||
|
\begin{center}
|
||||||
|
\includegraphics[scale=0.03]{pictures/python-logo.png}
|
||||||
|
\end{center}
|
||||||
|
\begin{itemize}
|
||||||
|
\item Similar to how other \texttt{misp-modules} are implemented
|
||||||
|
\begin{itemize}
|
||||||
|
\item Helper functions
|
||||||
|
\item Module configuration as variables
|
||||||
|
\item Implement runtime logic
|
||||||
|
\end{itemize}
|
||||||
|
\item Main benefits
|
||||||
|
\begin{itemize}
|
||||||
|
\item Easier than PHP
|
||||||
|
\item Lots of libraries for integration
|
||||||
|
\end{itemize}
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Creating a new module in Python}
|
||||||
|
\begin{center}
|
||||||
|
\includegraphics[width=1.0\linewidth]{pictures/custom-2.png}
|
||||||
|
\end{center}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{More ideas}
|
||||||
|
\begin{itemize}
|
||||||
|
\item Notification when new users join an instance
|
||||||
|
\item Trigger on any action generating log entries
|
||||||
|
\item Extend existing MISP behavior: Push correlation in another system
|
||||||
|
\item Sanity check to block publishing
|
||||||
|
\item ...
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Under development}
|
||||||
|
Ease data manipulation with \textbf{filtering modules}
|
||||||
|
\begin{center}
|
||||||
|
\includegraphics[width=1.0\textwidth]{pictures/filtering-modules.png}
|
||||||
|
\end{center}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Future works}
|
||||||
|
\begin{columns}
|
||||||
|
\begin{column}{0.55\textwidth}
|
||||||
|
\begin{itemize}
|
||||||
|
\item More \includegraphics[width=12px]{pictures/sc-action-icon.png} modules
|
||||||
|
\item More \includegraphics[width=12px]{pictures/sc-condition-icon.png} modules
|
||||||
|
\item More \includegraphics[width=12px]{pictures/sc-event-icon.png} triggers
|
||||||
|
\item More documentation
|
||||||
|
\item Recursion prevention system
|
||||||
|
\item On-the-fly data override?
|
||||||
|
\end{itemize}
|
||||||
|
\end{column}
|
||||||
|
\begin{column}{0.45\textwidth}
|
||||||
|
\includegraphics[width=1.0\linewidth]{pictures/future-works.jpeg}
|
||||||
|
\end{column}
|
||||||
|
\end{columns}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Final words}
|
||||||
|
\begin{columns}
|
||||||
|
\begin{column}{0.6\textwidth}
|
||||||
|
\begin{itemize}
|
||||||
|
\item Designed to \textbf{quickly} and \textbf{cheaply} integrate MISP in CTI pipelines
|
||||||
|
\item \underline{\textbf{Beta}} Feature unlikely to change. But still..
|
||||||
|
\item Waiting for feedback!
|
||||||
|
\begin{itemize}
|
||||||
|
\item New triggers?
|
||||||
|
\item New modules?
|
||||||
|
\item ...
|
||||||
|
\end{itemize}
|
||||||
|
\end{itemize}
|
||||||
|
\end{column}
|
||||||
|
\begin{column}{0.4\textwidth}
|
||||||
|
\includegraphics[width=1.0\linewidth]{pictures/feeling-of-power.jpg}
|
||||||
|
\end{column}
|
||||||
|
\end{columns}
|
||||||
|
\vspace*{0.5em}
|
||||||
|
\end{frame}
|
||||||
|
|
After Width: | Height: | Size: 36 KiB |
After Width: | Height: | Size: 78 KiB |
After Width: | Height: | Size: 40 KiB |
After Width: | Height: | Size: 28 KiB |
After Width: | Height: | Size: 11 KiB |
After Width: | Height: | Size: 32 KiB |
After Width: | Height: | Size: 4.8 KiB |
After Width: | Height: | Size: 11 KiB |
After Width: | Height: | Size: 143 KiB |
After Width: | Height: | Size: 3.7 KiB |
After Width: | Height: | Size: 40 KiB |
After Width: | Height: | Size: 9.5 KiB |
After Width: | Height: | Size: 140 KiB |
After Width: | Height: | Size: 90 KiB |
After Width: | Height: | Size: 6.0 KiB |
After Width: | Height: | Size: 21 KiB |
After Width: | Height: | Size: 64 KiB |
After Width: | Height: | Size: 48 KiB |
After Width: | Height: | Size: 35 KiB |
After Width: | Height: | Size: 87 KiB |
After Width: | Height: | Size: 3.7 KiB |
After Width: | Height: | Size: 40 KiB |
After Width: | Height: | Size: 84 KiB |
After Width: | Height: | Size: 65 KiB |
After Width: | Height: | Size: 72 KiB |
After Width: | Height: | Size: 138 KiB |
After Width: | Height: | Size: 43 KiB |
After Width: | Height: | Size: 88 KiB |
After Width: | Height: | Size: 545 KiB |
After Width: | Height: | Size: 92 KiB |
After Width: | Height: | Size: 272 KiB |
After Width: | Height: | Size: 71 KiB |
After Width: | Height: | Size: 14 KiB |
After Width: | Height: | Size: 8.9 KiB |
After Width: | Height: | Size: 61 KiB |
After Width: | Height: | Size: 30 KiB |
After Width: | Height: | Size: 7.6 KiB |
After Width: | Height: | Size: 688 KiB |
After Width: | Height: | Size: 118 KiB |
After Width: | Height: | Size: 21 KiB |
After Width: | Height: | Size: 15 KiB |
After Width: | Height: | Size: 9.0 KiB |
After Width: | Height: | Size: 74 KiB |
After Width: | Height: | Size: 83 KiB |
After Width: | Height: | Size: 60 KiB |
After Width: | Height: | Size: 14 KiB |
After Width: | Height: | Size: 77 KiB |
After Width: | Height: | Size: 28 KiB |
After Width: | Height: | Size: 30 KiB |
After Width: | Height: | Size: 654 KiB |
After Width: | Height: | Size: 71 KiB |
After Width: | Height: | Size: 142 KiB |
After Width: | Height: | Size: 29 KiB |
After Width: | Height: | Size: 46 KiB |
After Width: | Height: | Size: 816 B |
After Width: | Height: | Size: 1.1 KiB |
After Width: | Height: | Size: 759 B |
After Width: | Height: | Size: 1.1 KiB |
After Width: | Height: | Size: 827 B |
After Width: | Height: | Size: 1.3 KiB |
After Width: | Height: | Size: 54 KiB |
After Width: | Height: | Size: 37 KiB |
After Width: | Height: | Size: 42 KiB |
After Width: | Height: | Size: 53 KiB |
After Width: | Height: | Size: 162 KiB |
After Width: | Height: | Size: 162 KiB |
After Width: | Height: | Size: 160 KiB |
After Width: | Height: | Size: 100 KiB |
After Width: | Height: | Size: 19 KiB |
After Width: | Height: | Size: 24 KiB |
After Width: | Height: | Size: 55 KiB |
After Width: | Height: | Size: 9.3 KiB |
After Width: | Height: | Size: 30 KiB |
After Width: | Height: | Size: 12 KiB |
After Width: | Height: | Size: 14 KiB |
|
@ -0,0 +1,65 @@
|
||||||
|
\documentclass{beamer}
|
||||||
|
\usetheme[numbering=progressbar]{focus}
|
||||||
|
\definecolor{main}{RGB}{47, 161, 219}
|
||||||
|
\definecolor{textcolor}{RGB}{128, 128, 128}
|
||||||
|
\definecolor{background}{RGB}{240, 247, 255}
|
||||||
|
|
||||||
|
% \usepackage{pgfpages}
|
||||||
|
% \setbeameroption{show notes on second screen=right}
|
||||||
|
\usepackage[draft]{pdfcomment}
|
||||||
|
\newcommand{\pdfnote}[1]{\marginnote{\pdfcomment[icon=note]{#1}}}
|
||||||
|
|
||||||
|
\usepackage[utf8]{inputenc}
|
||||||
|
\usepackage{tikz}
|
||||||
|
\usepackage{listings}
|
||||||
|
\usepackage{fontawesome5}
|
||||||
|
\usepackage[export]{adjustbox}
|
||||||
|
\usepackage{fourier}
|
||||||
|
\usetikzlibrary{positioning}
|
||||||
|
\usetikzlibrary{shapes,arrows}
|
||||||
|
|
||||||
|
\lstdefinelanguage{javascript}{
|
||||||
|
basicstyle=\scriptsize,
|
||||||
|
numbers=left,
|
||||||
|
numberstyle=\scriptsize,
|
||||||
|
stepnumber=1,
|
||||||
|
numbersep=5pt,
|
||||||
|
showstringspaces=false,
|
||||||
|
breaklines=true,
|
||||||
|
frame=lines,
|
||||||
|
keywords={typeof, new, true, false, catch, function, return, null, catch, switch, var, if, in, while, do, else, case, break},
|
||||||
|
%keywordstyle=\color{blue}\bfseries,
|
||||||
|
ndkeywords={class, export, boolean, throw, implements, import, this},
|
||||||
|
ndkeywordstyle=\color{darkgray}\bfseries,
|
||||||
|
identifierstyle=\color{black},
|
||||||
|
sensitive=false,
|
||||||
|
comment=[l]{//},
|
||||||
|
morecomment=[s]{/*}{*/},
|
||||||
|
commentstyle=\color{purple}\ttfamily,
|
||||||
|
%stringstyle=\color{red}\ttfamily,
|
||||||
|
morestring=[b]',
|
||||||
|
morestring=[b]"
|
||||||
|
}
|
||||||
|
\lstdefinelanguage{text}{
|
||||||
|
basicstyle=\scriptsize,
|
||||||
|
numbers=left,
|
||||||
|
numberstyle=\scriptsize,
|
||||||
|
stepnumber=1,
|
||||||
|
numbersep=5pt,
|
||||||
|
showstringspaces=false,
|
||||||
|
breaklines=true,
|
||||||
|
frame=lines
|
||||||
|
}
|
||||||
|
|
||||||
|
\title{Automation with MISP Workflows}
|
||||||
|
\subtitle{A new way to integrate MISP in your CTI pipelines}
|
||||||
|
\author{Andras Iklody}
|
||||||
|
\date{MUG}
|
||||||
|
\titlegraphic{\vspace*{1em}\includegraphics[scale=0.5]{misp.pdf}\\}
|
||||||
|
\institute{MISP Project \\ \url{https://www.misp-project.org/}}
|
||||||
|
|
||||||
|
|
||||||
|
\begin{document}
|
||||||
|
\include{content}
|
||||||
|
\end{document}
|
||||||
|
|
|
@ -0,0 +1,67 @@
|
||||||
|
\documentclass{beamer}
|
||||||
|
\usetheme[numbering=progressbar]{focus}
|
||||||
|
\definecolor{main}{RGB}{47, 161, 219}
|
||||||
|
\definecolor{textcolor}{RGB}{128, 128, 128}
|
||||||
|
\definecolor{background}{RGB}{240, 247, 255}
|
||||||
|
|
||||||
|
% \usepackage{pgfpages}
|
||||||
|
% \setbeameroption{show notes on second screen=right}
|
||||||
|
\usepackage[draft]{pdfcomment}
|
||||||
|
\newcommand{\pdfnote}[1]{\marginnote{\pdfcomment[icon=note]{#1}}}
|
||||||
|
|
||||||
|
\usepackage{pgfpages}
|
||||||
|
\setbeameroption{show notes on second screen=right}
|
||||||
|
\usepackage[utf8]{inputenc}
|
||||||
|
\usepackage{tikz}
|
||||||
|
\usepackage{listings}
|
||||||
|
\usepackage{fontawesome5}
|
||||||
|
\usepackage[export]{adjustbox}
|
||||||
|
\usepackage{fourier}
|
||||||
|
\usetikzlibrary{positioning}
|
||||||
|
\usetikzlibrary{shapes,arrows}
|
||||||
|
|
||||||
|
\lstdefinelanguage{javascript}{
|
||||||
|
basicstyle=\scriptsize,
|
||||||
|
numbers=left,
|
||||||
|
numberstyle=\scriptsize,
|
||||||
|
stepnumber=1,
|
||||||
|
numbersep=5pt,
|
||||||
|
showstringspaces=false,
|
||||||
|
breaklines=true,
|
||||||
|
frame=lines,
|
||||||
|
keywords={typeof, new, true, false, catch, function, return, null, catch, switch, var, if, in, while, do, else, case, break},
|
||||||
|
%keywordstyle=\color{blue}\bfseries,
|
||||||
|
ndkeywords={class, export, boolean, throw, implements, import, this},
|
||||||
|
ndkeywordstyle=\color{darkgray}\bfseries,
|
||||||
|
identifierstyle=\color{black},
|
||||||
|
sensitive=false,
|
||||||
|
comment=[l]{//},
|
||||||
|
morecomment=[s]{/*}{*/},
|
||||||
|
commentstyle=\color{purple}\ttfamily,
|
||||||
|
%stringstyle=\color{red}\ttfamily,
|
||||||
|
morestring=[b]',
|
||||||
|
morestring=[b]"
|
||||||
|
}
|
||||||
|
\lstdefinelanguage{text}{
|
||||||
|
basicstyle=\scriptsize,
|
||||||
|
numbers=left,
|
||||||
|
numberstyle=\scriptsize,
|
||||||
|
stepnumber=1,
|
||||||
|
numbersep=5pt,
|
||||||
|
showstringspaces=false,
|
||||||
|
breaklines=true,
|
||||||
|
frame=lines
|
||||||
|
}
|
||||||
|
|
||||||
|
\title{Automation with MISP Workflows}
|
||||||
|
\subtitle{A new way to integrate MISP in your CTI pipelines}
|
||||||
|
\author{Andras Iklody}
|
||||||
|
\date{MUG}
|
||||||
|
\titlegraphic{\vspace*{1em}\includegraphics[scale=0.5]{misp.pdf}\\}
|
||||||
|
\institute{MISP Project \\ \url{https://www.misp-project.org/}}
|
||||||
|
|
||||||
|
|
||||||
|
\begin{document}
|
||||||
|
\include{content}
|
||||||
|
\end{document}
|
||||||
|
|