Merge branch 'main' of github.com:MISP/misp-training into main

events/20220602-EU-ATTACK/content.aux

@@ -0,0 +1,90 @@
+\relax 
+\providecommand\hyper@newdestlabel[2]{}
+\@writefile{nav}{\headcommand {\slideentry {0}{0}{1}{1/1}{}{0}}}
+\@writefile{nav}{\headcommand {\beamer@framepages {1}{1}}}
+\@writefile{nav}{\headcommand {\slideentry {0}{0}{2}{2/2}{}{0}}}
+\@writefile{nav}{\headcommand {\beamer@framepages {2}{2}}}
+\@writefile{nav}{\headcommand {\slideentry {0}{0}{3}{3/3}{}{0}}}
+\@writefile{nav}{\headcommand {\beamer@framepages {3}{3}}}
+\@writefile{nav}{\headcommand {\slideentry {0}{0}{4}{4/4}{}{0}}}
+\@writefile{nav}{\headcommand {\beamer@framepages {4}{4}}}
+\@writefile{nav}{\headcommand {\slideentry {0}{0}{5}{5/5}{}{0}}}
+\@writefile{nav}{\headcommand {\beamer@framepages {5}{5}}}
+\@writefile{nav}{\headcommand {\slideentry {0}{0}{6}{6/6}{}{0}}}
+\@writefile{nav}{\headcommand {\beamer@framepages {6}{6}}}
+\@writefile{nav}{\headcommand {\slideentry {0}{0}{7}{7/7}{}{0}}}
+\@writefile{nav}{\headcommand {\beamer@framepages {7}{7}}}
+\@writefile{nav}{\headcommand {\slideentry {0}{0}{8}{8/8}{}{0}}}
+\@writefile{nav}{\headcommand {\beamer@framepages {8}{8}}}
+\@writefile{nav}{\headcommand {\slideentry {0}{0}{9}{9/9}{}{0}}}
+\@writefile{nav}{\headcommand {\beamer@framepages {9}{9}}}
+\@writefile{nav}{\headcommand {\slideentry {0}{0}{10}{10/10}{}{0}}}
+\@writefile{nav}{\headcommand {\beamer@framepages {10}{10}}}
+\@writefile{nav}{\headcommand {\slideentry {0}{0}{11}{11/11}{}{0}}}
+\@writefile{nav}{\headcommand {\beamer@framepages {11}{11}}}
+\@writefile{nav}{\headcommand {\slideentry {0}{0}{12}{12/12}{}{0}}}
+\@writefile{nav}{\headcommand {\beamer@framepages {12}{12}}}
+\@writefile{nav}{\headcommand {\slideentry {0}{0}{13}{13/13}{}{0}}}
+\@writefile{nav}{\headcommand {\beamer@framepages {13}{13}}}
+\@writefile{nav}{\headcommand {\slideentry {0}{0}{14}{14/14}{}{0}}}
+\@writefile{nav}{\headcommand {\beamer@framepages {14}{14}}}
+\@writefile{toc}{\beamer@sectionintoc {1}{Learning by examples}{15}{0}{1}}
+\@writefile{nav}{\headcommand {\beamer@sectionpages {1}{14}}}
+\@writefile{nav}{\headcommand {\beamer@subsectionpages {1}{14}}}
+\@writefile{nav}{\headcommand {\sectionentry {1}{Learning by examples}{15}{Learning by examples}{0}}}
+\@writefile{nav}{\headcommand {\slideentry {1}{0}{1}{15/15}{}{0}}}
+\@writefile{nav}{\headcommand {\beamer@framepages {15}{15}}}
+\@writefile{nav}{\headcommand {\slideentry {1}{0}{2}{16/16}{}{0}}}
+\@writefile{nav}{\headcommand {\beamer@framepages {16}{16}}}
+\@writefile{nav}{\headcommand {\slideentry {1}{0}{3}{17/17}{}{0}}}
+\@writefile{nav}{\headcommand {\beamer@framepages {17}{17}}}
+\@writefile{nav}{\headcommand {\slideentry {1}{0}{4}{18/18}{}{0}}}
+\@writefile{nav}{\headcommand {\beamer@framepages {18}{18}}}
+\@writefile{nav}{\headcommand {\slideentry {1}{0}{5}{19/19}{}{0}}}
+\@writefile{nav}{\headcommand {\beamer@framepages {19}{19}}}
+\@writefile{nav}{\headcommand {\slideentry {1}{0}{6}{20/20}{}{0}}}
+\@writefile{nav}{\headcommand {\beamer@framepages {20}{20}}}
+\@writefile{nav}{\headcommand {\slideentry {1}{0}{7}{21/21}{}{0}}}
+\@writefile{nav}{\headcommand {\beamer@framepages {21}{21}}}
+\@writefile{nav}{\headcommand {\slideentry {1}{0}{8}{22/22}{}{0}}}
+\@writefile{nav}{\headcommand {\beamer@framepages {22}{22}}}
+\@writefile{nav}{\headcommand {\slideentry {1}{0}{9}{23/23}{}{0}}}
+\@writefile{nav}{\headcommand {\beamer@framepages {23}{23}}}
+\@writefile{nav}{\headcommand {\slideentry {1}{0}{10}{24/24}{}{0}}}
+\@writefile{nav}{\headcommand {\beamer@framepages {24}{24}}}
+\@writefile{nav}{\headcommand {\slideentry {1}{0}{11}{25/25}{}{0}}}
+\@writefile{nav}{\headcommand {\beamer@framepages {25}{25}}}
+\@writefile{nav}{\headcommand {\slideentry {1}{0}{12}{26/26}{}{0}}}
+\@writefile{nav}{\headcommand {\beamer@framepages {26}{26}}}
+\@writefile{nav}{\headcommand {\slideentry {1}{0}{13}{27/27}{}{0}}}
+\@writefile{nav}{\headcommand {\beamer@framepages {27}{27}}}
+\@writefile{nav}{\headcommand {\slideentry {1}{0}{14}{28/28}{}{0}}}
+\@writefile{nav}{\headcommand {\beamer@framepages {28}{28}}}
+\@writefile{nav}{\headcommand {\slideentry {1}{0}{15}{29/29}{}{0}}}
+\@writefile{nav}{\headcommand {\beamer@framepages {29}{29}}}
+\@setckpt{content}{
+\setcounter{page}{30}
+\setcounter{equation}{0}
+\setcounter{enumi}{2}
+\setcounter{enumii}{0}
+\setcounter{enumiii}{0}
+\setcounter{enumiv}{0}
+\setcounter{footnote}{0}
+\setcounter{mpfootnote}{0}
+\setcounter{beamerpauses}{1}
+\setcounter{bookmark@seq@number}{0}
+\setcounter{lecture}{0}
+\setcounter{part}{0}
+\setcounter{section}{1}
+\setcounter{subsection}{0}
+\setcounter{subsubsection}{0}
+\setcounter{subsectionslide}{15}
+\setcounter{framenumber}{27}
+\setcounter{figure}{0}
+\setcounter{table}{0}
+\setcounter{parentequation}{0}
+\setcounter{theorem}{0}
+\setcounter{lstnumber}{1}
+\setcounter{section@level}{0}
+\setcounter{lstlisting}{0}
+}

events/20220602-EU-ATTACK/content.tex

@@ -0,0 +1,388 @@
+% DO NOT COMPILE THIS FILE DIRECTLY!
+% This is included by the other .tex files.
+
+\begin{frame}[t,plain]
+\titlepage
+\end{frame}
+
+\begin{frame}
+    \frametitle{Bringing workflows into threat intelligence platform}
+    After multiple years, MISP users have reach a significant maturity level:
+    \begin{itemize}
+        \item Events with {\bf complex TTPs, objects and attributes};
+        \item Exhaustive context such as {\bf MITRE ATT\&CK}, tags and relationships;
+        \item Availability of {\bf external modules and services} (e.g. from expansion services to third-party CTI);
+        \item Comprehensive {\bf processing pipelines} for threat intelligence are available;
+    \end{itemize}
+\end{frame}
+
+\begin{frame}
+    \frametitle{Where is the glue?}
+    \begin{itemize}
+        \item Initial idea came from GeekWeek7.5
+        \begin{center}
+            \includegraphics[width=0.5\linewidth]{pictures/geekweek75.jpg}
+        \end{center}
+    \item Experienced users wanted to have a way to {\bf trigger actions and to modify to behavior of MISP} and especially leveraging what they have in their MISP platform.
+    \item {\bf Creating workflows for any of the steps} in MISP (creating attributes/objects, publishing and sharing information, ...). 
+    \end{itemize}
+\end{frame}
+
+\begin{frame}
+    \frametitle{Simplistic overview}
+    \begin{enumerate}
+        \item User/API Interraction
+        \item MISP handles the request
+        \item MISP executes workflows listening to the trigger
+    \end{enumerate}
+\end{frame}
+
+\begin{frame}
+    \frametitle{Terminology}
+    \begin{enumerate}
+        \item \textbf{workflow}: Sequence of actions to be executed
+        \item \textbf{execution path}: A path composed of actions to be executed sequentially
+        \item \textbf{trigger}: Starting point of an \texttt{execution path}. Triggers are called when specific action are done by MISP
+    \end{enumerate}
+    \begin{center}
+        \includegraphics[width=1.0\linewidth]{pictures/workflow-view.png}
+    \end{center}
+\end{frame}
+
+\begin{frame}
+    \frametitle{Workflow execution}
+    \begin{enumerate}
+        \item A trigger is called
+        \item Collect workflows listening to called trigger
+        \item Execute workflows in the saved order
+    \end{enumerate}
+    \begin{center}
+        \includegraphics[width=0.5\linewidth]{pictures/execution-order-1.png}
+    \end{center}
+\end{frame}
+
+\begin{frame}
+    \frametitle{Execution Paths}
+    Currently 2 types of execution path:
+    \vspace{0.5em}
+    \begin{itemize}
+        \item {\bf Blocking}: Execution is stoped in case of error
+        \begin{itemize}
+            \item Current workflow's blocking execution path is {\bf stopped}
+            \item Any other blocking path of next workflows {\bf will not be executed}
+        \end{itemize}
+        \vspace{0.5em}
+        \item {\bf Non-blocking}/Deferred: Stop execution for current path only
+        \begin{itemize}
+            \item Current execution path is {\bf stopped}
+            \item {\bf Resume} execution of remaining paths
+            \item Paths from other workflow will be {\bf executed}
+        \end{itemize}
+    \end{itemize}
+\end{frame}
+
+\begin{frame}
+    \frametitle{Execution Order and Execution Types}
+    \begin{itemize}
+        \item \textbf{Blocking} paths from all workflows are executed first in the saved order
+        \item If any blocking executions failed, the action that called the trigger will \textbf{be stopped}
+        \item \textbf{Parallel/Deferred} paths from all workflows are executed. The order is irrelevant
+    \end{itemize}
+
+    \begin{center}
+        \includegraphics[width=0.35\linewidth]{pictures/execution-order-2.png}
+        \includegraphics[width=0.40\linewidth]{pictures/trigger-outputs.png}
+    \end{center}
+\end{frame}
+
+\begin{frame}
+    \frametitle{Publishing example}
+    Example:
+    \begin{enumerate}
+        \item An Event is published
+        \item MISP starts the publishing process
+        \item MISP executes a workflow listening to the trigger
+        \begin{itemize}
+            \item {\bf execution success}: Proceed publishing
+            \item {\bf execution failure}: Stop publishing, log the reason and report the failure to the user
+        \end{itemize}
+    \end{enumerate}
+\end{frame}
+
+\begin{frame}
+    \frametitle{Execution context}
+    \begin{itemize}
+        \item Workflow can be triggered by any users
+        \item However, the user for which the workflow executes is the workflow creator
+        \item This is to make sure users with a higher privilege will have their workflow correctly executed
+    \end{itemize}
+\end{frame}
+
+\begin{frame}
+    \frametitle{Workflow modules}
+    \begin{center}
+        \includegraphics[width=0.5\linewidth]{pictures/module-type.png}
+    \end{center}
+    \begin{itemize}
+        \item 3 types of modules
+        \begin{itemize}
+            \item \texttt{trigger}: Entry point of the execution
+            \begin{itemize}
+                \item Event publish, email about to be sent, feed data about to be saved, ...
+            \end{itemize}
+            \item \texttt{logic}: Allow to redirect the execution flow.
+            \begin{itemize}
+                \item IF condition, fork the blocking execution into a non-blocking one, ...
+            \end{itemize}
+            \item \texttt{action}: Modules that can modify data, prevent execution or perform additional actions
+            \begin{itemize}
+                \item Publish to ZMQ, perform enrichments, block the execution, ...
+            \end{itemize}
+        \end{itemize}
+    \end{itemize}
+\end{frame}
+
+\begin{frame}
+    \frametitle{Workflow modules}
+    \begin{itemize}
+        \item \texttt{action} modules can be from 2 sources
+        \begin{itemize}
+            \item \texttt{\scriptsize app/Model/WorkflowModules/action/[module\_name].php}
+            \begin{itemize}
+                \item Written in PHP
+                \item They can use MISP's built-in functionalities (restsearch, enrichment, push to zmq, ...)
+                \item Faster and easier to interact with for those having internal knowledge of MISP
+            \end{itemize}
+            \item \texttt{From the misp-module service} 
+            \begin{itemize}
+                \item Written in Python
+                \item They can use any python libraries
+                \item Easier to write
+                \item New module type \texttt{action}
+            \end{itemize}
+        \end{itemize}
+        \item Both systems are \textbf{plug-and-play}
+    \end{itemize}
+\end{frame}
+
+\begin{frame}
+    \frametitle{Creating a workflow with the editor}
+    \begin{enumerate}
+        \item Drag a \texttt{trigger} module from the side panel to the canvas
+        \item Drag an \texttt{action} module from the side panel to the canvas
+        \item From the \texttt{trigger} output, drag an arrow into the \texttt{action} input (left side)
+        \begin{itemize}
+            \item You can choose between a \texttt{blocking} and \texttt{non-blocking} execution path by using the associated trigger output
+        \end{itemize}
+    \end{enumerate}
+    \begin{center}
+        \includegraphics[width=1.0\linewidth]{pictures/editor-1.png}
+    \end{center}
+\end{frame}
+
+\begin{frame}
+    \frametitle{Working with the editor}
+    Operations not allowed
+    \begin{itemize}
+        \item Create an execution loop
+    \end{itemize}
+    \begin{center}
+        \includegraphics[width=0.7\linewidth]{pictures/editor-not-allowed-1.png}
+    \end{center}
+    \begin{itemize}
+        \item Use the same trigger twice
+    \end{itemize}
+\end{frame}
+
+\section{Learning by examples}
+\begin{frame}
+    \frametitle{Workflow example 1}
+    \begin{center}
+        \includegraphics[width=0.9\linewidth]{pictures/example-1.png}
+    \end{center}
+
+    \begin{enumerate}
+        \item Will the next blocking path (from another workflow) be executed?
+    \end{enumerate}
+\end{frame}
+\begin{frame}
+    \frametitle{Workflow example 1: Answers}
+    \begin{center}
+        \includegraphics[width=0.9\linewidth]{pictures/example-1.png}
+    \end{center}
+
+    \begin{enumerate}
+        \item Will the next blocking path (from another workflow) be executed?
+        \begin{itemize}
+            \item \textbf{No}. We are in a blocking path. As the execution has been stopped, no other blocking paths will be executed.
+        \end{itemize}
+    \end{enumerate}
+\end{frame}
+
+\begin{frame}
+    \frametitle{Workflow example 2}
+    \begin{center}
+        \includegraphics[width=0.9\linewidth]{pictures/example-2.png}
+    \end{center}
+
+    \begin{enumerate}
+        \item Will the next blocking path (from another workflow) be executed?
+        \item Will \texttt{Enrich Event} module be executed?
+    \end{enumerate}
+\end{frame}
+\begin{frame}
+    \frametitle{Workflow example 2: Answers}
+    \begin{center}
+        \includegraphics[width=0.7\linewidth]{pictures/example-2.png}
+    \end{center}
+
+    \begin{enumerate}
+        \item Will the next blocking path (from another workflow) be executed?
+        \begin{itemize}
+            \item \textbf{No}. Same reason that before
+        \end{itemize}
+        \item Will \texttt{Enrich Event} module be executed?
+        \begin{itemize}
+            \item \textbf{Yes}. The module is in the non-blocking path. Regardless of the result of the blocking path, it will be executed.
+        \end{itemize}
+    \end{enumerate}
+\end{frame}
+
+\begin{frame}
+    \frametitle{Workflow example 3}
+    \begin{center}
+        \includegraphics[width=0.9\linewidth]{pictures/example-3.png}
+    \end{center}
+
+    \begin{enumerate}
+        \item Will \texttt{Enrich Event} module be executed?
+        \item Will the next blocking path (from another workflow) be executed?
+    \end{enumerate}
+\end{frame}
+
+\begin{frame}
+    \frametitle{Workflow example 3: Answers}
+    \begin{center}
+        \includegraphics[width=0.55\linewidth]{pictures/example-3.png}
+    \end{center}
+
+    \begin{enumerate}
+        \item Will \texttt{Enrich Event} module be executed?
+        \begin{itemize}
+            \item \textbf{Yes}
+            \item The blocking path is executed before the non-blocking one
+            \item The result of the non-blocking path has no influence on the blocking one
+        \end{itemize}
+        \item Will the next blocking path (from another workflow) be executed?
+        \begin{itemize}
+            \item \textbf{Yes}
+            \item The blocking path is executed before the non-blocking one
+            \item The result of the non-blocking path has no influence the execution of other workflows
+        \end{itemize}
+    \end{enumerate}
+\end{frame}
+
+\begin{frame}
+    \frametitle{Workflow example 4}
+    \begin{center}
+        \includegraphics[width=0.9\linewidth]{pictures/example-4.png}
+    \end{center}
+    \begin{enumerate}
+        \item Will \texttt{Enrich Event} module be executed?
+    \end{enumerate}
+\end{frame}
+
+
+\begin{frame}
+    \frametitle{Workflow example 4: Answers}
+    \begin{center}
+        \includegraphics[width=0.9\linewidth]{pictures/example-4.png}
+    \end{center}
+    \begin{enumerate}
+        \item Will \texttt{Enrich Event} module be executed?
+        \begin{itemize}
+            \item \textbf{Yes} and \textbf{No}. The execution order for the same output is not guaranteed
+            \item If \texttt{Stop execution} is executed first, it's a no.
+        \end{itemize}
+    \end{enumerate}
+\end{frame}
+
+\begin{frame}
+    \frametitle{Workflow example 5}
+    \begin{center}
+        \includegraphics[width=0.9\linewidth]{pictures/example-5.png}
+    \end{center}
+    \begin{enumerate}
+        \item Will \texttt{Enrich Event} module be executed?
+    \end{enumerate}
+\end{frame}
+\begin{frame}
+    \frametitle{Workflow example 5: Answers}
+    \begin{center}
+        \includegraphics[width=0.9\linewidth]{pictures/example-5.png}
+    \end{center}
+    \begin{enumerate}
+        \item Will \texttt{Enrich Event} module be executed?
+        \begin{itemize}
+            \item \textbf{Yes}. The execution order for the same output is not guaranteed
+            \item However, as we are in a non-blocking path, the outcome of the execution of another path has no impact
+        \end{itemize}
+    \end{enumerate}
+\end{frame}
+
+\begin{frame}
+    \frametitle{Workflow example 6}
+    \begin{center}
+        \includegraphics[width=0.9\linewidth]{pictures/example-6.png}
+    \end{center}
+    \begin{enumerate}
+        \item Will \texttt{Enrich Event} module be executed?
+    \end{enumerate}
+\end{frame}
+\begin{frame}
+    \frametitle{Workflow example 6: Answers}
+    \begin{center}
+        \includegraphics[width=0.9\linewidth]{pictures/example-6.png}
+    \end{center}
+    \begin{enumerate}
+        \item Will \texttt{Enrich Event} module be executed?
+        \begin{itemize}
+            \item \textbf{No}. Even if we are in a non-blocking path, if the current execution path is blocked, the execution will be stopped
+        \end{itemize}
+    \end{enumerate}
+\end{frame}
+
+\begin{frame}
+    \frametitle{Workflow example 7}
+    \vspace{-2em}
+    \begin{center}
+        \includegraphics[width=1.05\linewidth]{pictures/example-7.png}
+    \end{center}
+    \begin{center}
+        \includegraphics[width=0.45\linewidth]{pictures/event-1.png}
+    \end{center}
+    \begin{enumerate}
+        \item Will \texttt{Enrich Event} module be executed?
+        \item Will \texttt{circl.lu} have a tag attached to it?
+    \end{enumerate}
+\end{frame}
+\begin{frame}
+    \frametitle{Workflow example 7: Answers}
+    \begin{center}
+        \includegraphics[width=0.7\linewidth]{pictures/example-7.png}
+    \end{center}
+    \begin{center}
+        \includegraphics[width=0.3\linewidth]{pictures/event-1.png}
+    \end{center}
+    \begin{enumerate}
+        \item Will \texttt{Enrich Event} module be executed?
+        \begin{itemize}
+            \item \textbf{Yes}. The event contains an attribute satisfying the matching condition
+        \end{itemize}
+        \item Will \texttt{circl.lu} have a tag attached to it?
+        \begin{itemize}
+            \item \textbf{No}. The event contains an attribute satisfying the matching condition. The \texttt{else} part will not be executed.
+        \end{itemize}
+    \end{enumerate}
+\end{frame}
+

events/20220602-EU-ATTACK/slide.aux

@@ -0,0 +1,29 @@
+\relax 
+\providecommand\hyper@newdestlabel[2]{}
+\providecommand\BKM@entry[2]{}
+\providecommand\HyperFirstAtBeginDocument{\AtBeginDocument}
+\HyperFirstAtBeginDocument{\ifx\hyper@anchor\@undefined
+\global\let\oldcontentsline\contentsline
+\gdef\contentsline#1#2#3#4{\oldcontentsline{#1}{#2}{#3}}
+\global\let\oldnewlabel\newlabel
+\gdef\newlabel#1#2{\newlabelxx{#1}#2}
+\gdef\newlabelxx#1#2#3#4#5#6{\oldnewlabel{#1}{{#2}{#3}}}
+\AtEndDocument{\ifx\hyper@anchor\@undefined
+\let\contentsline\oldcontentsline
+\let\newlabel\oldnewlabel
+\fi}
+\fi}
+\global\let\hyper@last\relax 
+\gdef\HyperFirstAtBeginDocument#1{#1}
+\providecommand\HyField@AuxAddToFields[1]{}
+\providecommand\HyField@AuxAddToCoFields[2]{}
+\@input{content.aux}
+\providecommand \oddpage@label [2]{}
+\pgfsyspdfmark {pgfid1}{1398509}{16636717}
+\BKM@entry{id=1,open,dest={4F75746C696E65302E31},srcline={197}}{4C6561726E696E67206279206578616D706C6573}
+\pgfsyspdfmark {pgfid29}{1398509}{17009647}
+\@writefile{nav}{\headcommand {\beamer@partpages {1}{29}}}
+\@writefile{nav}{\headcommand {\beamer@subsectionpages {15}{29}}}
+\@writefile{nav}{\headcommand {\beamer@sectionpages {15}{29}}}
+\@writefile{nav}{\headcommand {\beamer@documentpages {29}}}
+\@writefile{nav}{\headcommand {\gdef \inserttotalframenumber {27}}}

events/20220602-EU-ATTACK/slide.nav

@@ -0,0 +1,66 @@
+\headcommand {\slideentry {0}{0}{1}{1/1}{}{0}}
+\headcommand {\beamer@framepages {1}{1}}
+\headcommand {\slideentry {0}{0}{2}{2/2}{}{0}}
+\headcommand {\beamer@framepages {2}{2}}
+\headcommand {\slideentry {0}{0}{3}{3/3}{}{0}}
+\headcommand {\beamer@framepages {3}{3}}
+\headcommand {\slideentry {0}{0}{4}{4/4}{}{0}}
+\headcommand {\beamer@framepages {4}{4}}
+\headcommand {\slideentry {0}{0}{5}{5/5}{}{0}}
+\headcommand {\beamer@framepages {5}{5}}
+\headcommand {\slideentry {0}{0}{6}{6/6}{}{0}}
+\headcommand {\beamer@framepages {6}{6}}
+\headcommand {\slideentry {0}{0}{7}{7/7}{}{0}}
+\headcommand {\beamer@framepages {7}{7}}
+\headcommand {\slideentry {0}{0}{8}{8/8}{}{0}}
+\headcommand {\beamer@framepages {8}{8}}
+\headcommand {\slideentry {0}{0}{9}{9/9}{}{0}}
+\headcommand {\beamer@framepages {9}{9}}
+\headcommand {\slideentry {0}{0}{10}{10/10}{}{0}}
+\headcommand {\beamer@framepages {10}{10}}
+\headcommand {\slideentry {0}{0}{11}{11/11}{}{0}}
+\headcommand {\beamer@framepages {11}{11}}
+\headcommand {\slideentry {0}{0}{12}{12/12}{}{0}}
+\headcommand {\beamer@framepages {12}{12}}
+\headcommand {\slideentry {0}{0}{13}{13/13}{}{0}}
+\headcommand {\beamer@framepages {13}{13}}
+\headcommand {\slideentry {0}{0}{14}{14/14}{}{0}}
+\headcommand {\beamer@framepages {14}{14}}
+\headcommand {\beamer@sectionpages {1}{14}}
+\headcommand {\beamer@subsectionpages {1}{14}}
+\headcommand {\sectionentry {1}{Learning by examples}{15}{Learning by examples}{0}}
+\headcommand {\slideentry {1}{0}{1}{15/15}{}{0}}
+\headcommand {\beamer@framepages {15}{15}}
+\headcommand {\slideentry {1}{0}{2}{16/16}{}{0}}
+\headcommand {\beamer@framepages {16}{16}}
+\headcommand {\slideentry {1}{0}{3}{17/17}{}{0}}
+\headcommand {\beamer@framepages {17}{17}}
+\headcommand {\slideentry {1}{0}{4}{18/18}{}{0}}
+\headcommand {\beamer@framepages {18}{18}}
+\headcommand {\slideentry {1}{0}{5}{19/19}{}{0}}
+\headcommand {\beamer@framepages {19}{19}}
+\headcommand {\slideentry {1}{0}{6}{20/20}{}{0}}
+\headcommand {\beamer@framepages {20}{20}}
+\headcommand {\slideentry {1}{0}{7}{21/21}{}{0}}
+\headcommand {\beamer@framepages {21}{21}}
+\headcommand {\slideentry {1}{0}{8}{22/22}{}{0}}
+\headcommand {\beamer@framepages {22}{22}}
+\headcommand {\slideentry {1}{0}{9}{23/23}{}{0}}
+\headcommand {\beamer@framepages {23}{23}}
+\headcommand {\slideentry {1}{0}{10}{24/24}{}{0}}
+\headcommand {\beamer@framepages {24}{24}}
+\headcommand {\slideentry {1}{0}{11}{25/25}{}{0}}
+\headcommand {\beamer@framepages {25}{25}}
+\headcommand {\slideentry {1}{0}{12}{26/26}{}{0}}
+\headcommand {\beamer@framepages {26}{26}}
+\headcommand {\slideentry {1}{0}{13}{27/27}{}{0}}
+\headcommand {\beamer@framepages {27}{27}}
+\headcommand {\slideentry {1}{0}{14}{28/28}{}{0}}
+\headcommand {\beamer@framepages {28}{28}}
+\headcommand {\slideentry {1}{0}{15}{29/29}{}{0}}
+\headcommand {\beamer@framepages {29}{29}}
+\headcommand {\beamer@partpages {1}{29}}
+\headcommand {\beamer@subsectionpages {15}{29}}
+\headcommand {\beamer@sectionpages {15}{29}}
+\headcommand {\beamer@documentpages {29}}
+\headcommand {\gdef \inserttotalframenumber {27}}

events/20220602-EU-ATTACK/slide.tex

@@ -0,0 +1,48 @@
+\documentclass{beamer}
+\usetheme[numbering=progressbar]{focus}
+\definecolor{main}{RGB}{47, 161, 219}
+\definecolor{textcolor}{RGB}{128, 128, 128}
+\definecolor{background}{RGB}{240, 247, 255}
+
+\usepackage[utf8]{inputenc}
+\usepackage{tikz}
+\usepackage{listings}
+\usepackage{adjustbox}
+\usetikzlibrary{positioning}
+\usetikzlibrary{shapes,arrows}
+
+\lstdefinelanguage{javascript}{
+    basicstyle=\scriptsize,
+    numbers=left,
+    numberstyle=\scriptsize,
+    stepnumber=1,
+    numbersep=5pt,
+    showstringspaces=false,
+    breaklines=true,
+    frame=lines,
+    keywords={typeof, new, true, false, catch, function, return, null, catch, switch, var, if, in, while, do, else, case, break},
+    %keywordstyle=\color{blue}\bfseries,
+    ndkeywords={class, export, boolean, throw, implements, import, this},
+    ndkeywordstyle=\color{darkgray}\bfseries,
+    identifierstyle=\color{black},
+    sensitive=false,
+    comment=[l]{//},
+    morecomment=[s]{/*}{*/},
+    commentstyle=\color{purple}\ttfamily,
+    %stringstyle=\color{red}\ttfamily,
+    morestring=[b]',
+    morestring=[b]"
+}
+
+\title{Discovering MISP workflows}
+\subtitle{Improving automation in threat intelligence with ATT\&CK}
+\author{\small{\input{../../includes/authors.txt}}}
+\date{\input{../../includes/location.txt}}
+\titlegraphic{\includegraphics[scale=0.85]{misp.pdf}}
+\institute{MISP Project \\ \url{https://www.misp-project.org/}}
+
+
+\begin{document}
+\include{content}
+\end{document}
+

events/20220602-EU-ATTACK/slide.toc

@@ -0,0 +1 @@
+\beamer@sectionintoc {1}{Learning by examples}{15}{0}{1}

events/20220602-EU-ATTACK/slide_handout.tex

@@ -0,0 +1,50 @@
+\documentclass{beamer}
+\usetheme[numbering=progressbar]{focus}
+\definecolor{main}{RGB}{47, 161, 219}
+\definecolor{textcolor}{RGB}{128, 128, 128}
+\definecolor{background}{RGB}{240, 247, 255}
+
+\usepackage[utf8]{inputenc}
+\usepackage{tikz}
+\usepackage{listings}
+\usepackage{adjustbox}
+\usetikzlibrary{positioning}
+\usepackage{pgfpages}
+\setbeameroption{show notes on second screen=right}
+\usetikzlibrary{shapes,arrows}
+
+\lstdefinelanguage{javascript}{
+    basicstyle=\scriptsize,
+    numbers=left,
+    numberstyle=\scriptsize,
+    stepnumber=1,
+    numbersep=5pt,
+    showstringspaces=false,
+    breaklines=true,
+    frame=lines,
+    keywords={typeof, new, true, false, catch, function, return, null, catch, switch, var, if, in, while, do, else, case, break},
+    %keywordstyle=\color{blue}\bfseries,
+    ndkeywords={class, export, boolean, throw, implements, import, this},
+    ndkeywordstyle=\color{darkgray}\bfseries,
+    identifierstyle=\color{black},
+    sensitive=false,
+    comment=[l]{//},
+    morecomment=[s]{/*}{*/},
+    commentstyle=\color{purple}\ttfamily,
+    %stringstyle=\color{red}\ttfamily,
+    morestring=[b]',
+    morestring=[b]"
+}
+
+\title{An Introduction to Workflows in MISP}
+\subtitle{MISP - Threat Sharing}
+\author{\small{\input{../includes/authors.txt}}}
+\date{\input{../includes/location.txt}}
+\titlegraphic{\includegraphics[scale=0.85]{misp.pdf}}
+\institute{MISP Project \\ \url{https://www.misp-project.org/}}
+
+
+\begin{document}
+\include{content}
+\end{document}
+