chg: [event:AusCERT24] A few changes on the automation tools
- Move the slide on MISP modules - Add slides for Workflows and PubSub channels
parent
0ecc273202
commit
8c6779afaa
|
@ -70,7 +70,7 @@
|
|||
\item Adaptable to easily extend the format to new use-cases
|
||||
\end{itemize}
|
||||
\item []
|
||||
\item Ensuring \textbf{interoperability} with existing MISP software and other Threat Intelligence Platforms and tools
|
||||
\item Ensuring \textbf{long term interoperability} with existing MISP software and other Threat Intelligence Platforms and tools
|
||||
\end{itemize}
|
||||
\end{frame}
|
||||
|
||||
|
@ -170,24 +170,6 @@
|
|||
\end{itemize}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{Import/Export modules}
|
||||
\begin{itemize}
|
||||
\item \textbf{Simple Python scripts} to automate the import/export of data
|
||||
\item Extending the range of supported formats
|
||||
\item Allows anyone to build their own module to either:
|
||||
\begin{itemize}
|
||||
\item Populate MISP Events with data from external sources/formats
|
||||
\item Extract and convert data from MISP Events
|
||||
\end{itemize}
|
||||
\item []
|
||||
\item \textbf{Not as powerful} as built-in modules though
|
||||
\begin{itemize}
|
||||
\item Future plan is to rework the modules system
|
||||
\end{itemize}
|
||||
\end{itemize}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{An advanced STIX conversion feature}
|
||||
\begin{itemize}
|
||||
|
@ -206,6 +188,61 @@
|
|||
\end{itemize}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{MISP modules}
|
||||
\begin{itemize}
|
||||
\item \textbf{Simple Python scripts} to automate the \textbf{import/export} of data
|
||||
\begin{itemize}
|
||||
\item Extending the range of supported formats
|
||||
\item Allows anyone to build their own module to either:
|
||||
\begin{itemize}
|
||||
\item Populate MISP Events with data from external sources/formats
|
||||
\item Extract and convert data from MISP Events
|
||||
\end{itemize}
|
||||
\end{itemize}
|
||||
\item Enrichment modules
|
||||
\begin{itemize}
|
||||
\item Use-case examples:
|
||||
\begin{itemize}
|
||||
\item \textbf{enrich} data with additional context
|
||||
\item \textbf{cross-reference} data with external sources
|
||||
\item \textbf{validate} data
|
||||
\end{itemize}
|
||||
\item Can be triggered automatically by \textbf{Workflows}
|
||||
\end{itemize}
|
||||
\end{itemize}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{MISP Workflows}
|
||||
\begin{itemize}
|
||||
\item Needs that Workflows can address:
|
||||
\begin{itemize}
|
||||
\item Prevent default MISP behaviors
|
||||
\item Trigger specific actions to run callbacks
|
||||
\end{itemize}
|
||||
\end{itemize}
|
||||
\begin{center}
|
||||
\frame{\includegraphics[width=1.0\linewidth]{../images/workflow.png}}
|
||||
\end{center}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{PubSub channels}
|
||||
\begin{itemize}
|
||||
\item ZeroMQ channels
|
||||
\begin{itemize}
|
||||
\item N-to-N Asynchronous message-processing tasks
|
||||
\item Publisher(MISP) and consumer (scripts)
|
||||
\end{itemize}
|
||||
\item []
|
||||
\item \textbf{Streaming data as it is created in MISP}
|
||||
\item Advantage is the subscriber can \textbf{automatically use the published data}
|
||||
\item Be careful though with data being \textbf{republished}
|
||||
\item Also, there is \textbf{no access control} on the data that is streamed
|
||||
\end{itemize}
|
||||
\end{frame}
|
||||
|
||||
\section{Data feeding mechanisms}
|
||||
|
||||
\begin{frame}
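Review bot: The `PubSub channels` frame tells the audience there is \textbf{no access control} on the streamed data (the last item before its `\end{itemize}`) but leaves the consequence implicit; since the slide is the place where practitioners learn about the ZeroMQ publisher, the item should say what follows from it, e.g. `\item Also, there is \textbf{no access control} on the data that is streamed: reachability of the ZeroMQ socket is the only gate, so restrict who can connect at the network level`. A smaller wording point in the same frame: `Publisher(MISP)` lacks a space before the parenthesis and `N-to-N Asynchronous` capitalises a mid-sentence word unlike the surrounding items, so `\item Publisher (MISP) and consumer (scripts)` and `\item N-to-N asynchronous message-processing tasks` would read consistently with the rest of the list. The `\begin{frame}` on the hunk's last line opens a frame whose body lies outside the hunk.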
|
||||
|
|