Merge branch 'main' of github.com:MISP/misp-training

pull/25/head
Christian Studer 2024-04-15 10:03:06 +02:00
commit 9a3221e3b7
No known key found for this signature in database
GPG Key ID: 6BBED1B63A6D639F
7 changed files with 17225 additions and 175 deletions


@ -10,6 +10,7 @@
\begin{itemize}
\item Explanation of the CSIRT use case for information sharing and what CIRCL does
\item Building an information sharing community and best practices\footnote{We published the complete guidelines in \url{https://www.x-isac.org/assets/images/guidelines_to_set-up_an_ISAC.pdf}}
\item Quick demo of MISP capabilities
\end{itemize}
\end{frame}
@ -176,15 +177,15 @@
\end{frame}
\begin{frame}
\frametitle{A quick note on compliance...}
\frametitle{A quick note on legal compliance...}
\begin{itemize}
\item Collaboration with Deloitte and legal advisors as part of a CEF project for creating compliance documents
\item Collaboration with legal advisors as part of a CEF project for creating compliance documents
\begin{itemize}
\item Information sharing and cooperation {\bf enabled by GDPR}
\item Information sharing and cooperation {\bf such as GDPR}
\item How MISP enables stakeholders identified by the {\bf NISD} to perform key activities
\item {\bf AIL} and MISP
\end{itemize}
\item For more information: \url{https://github.com/CIRCL/compliance}
\item For more information: \url{https://github.com/CIRCL/compliance} about DORA, GDPR, ISO 27010 and MISP compliance
\end{itemize}
\end{frame}
@ -437,7 +438,7 @@
\begin{itemize}
\item Getting started with building a new community can be daunting. Feel free to get in touch with us if you have any questions!
\item Contact: info@circl.lu
\item \url{https://www.circl.lu/}
\item \url{https://www.circl.lu/} \url{https://www.misp-project.org/}
\item \url{https://github.com/MISP} \url{https://gitter.im/MISP/MISP} \url{https://twitter.com/MISPProject}
\end{itemize}
\end{frame}


@ -52,14 +52,14 @@
},
{
"cell_type": "code",
"execution_count": 38,
"execution_count": 6,
"metadata": {},
"outputs": [
{
"name": "stderr",
"output_type": "stream",
"text": [
"The version of PyMISP recommended by the MISP instance (2.4.183) is newer than the one you're using now (2.4.168). Please upgrade PyMISP.\n"
"The version of PyMISP recommended by the MISP instance (2.4.188) is newer than the one you're using now (2.4.168). Please upgrade PyMISP.\n"
]
}
],
@ -84,7 +84,7 @@
" if 'Attribute' in result:\n",
" print(\"Count: %s\" % len(result['Attribute']))\n",
" flag_printed = True\n",
" elif 'Event' in result and 'Attribute' in result['Event']['Attribute']:\n",
" elif 'Event' in result and 'Attribute' in result['Event']:\n",
" print(\"Attribute count: %s\" % len(result['Event']['Attribute']))\n",
" flag_printed = True\n",
" if flag_printed:\n",
@ -697,186 +697,38 @@
},
{
"cell_type": "code",
"execution_count": 58,
"execution_count": 7,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"{'Event': {'Attribute': [{'Galaxy': [],\n",
" 'ShadowAttribute': [],\n",
" 'category': 'Network activity',\n",
" 'comment': '',\n",
" 'deleted': False,\n",
" 'disable_correlation': False,\n",
" 'distribution': '5',\n",
" 'event_id': '126',\n",
" 'first_seen': None,\n",
" 'id': '56142',\n",
" 'last_seen': None,\n",
" 'object_id': '0',\n",
" 'object_relation': None,\n",
" 'sharing_group_id': '0',\n",
" 'timestamp': '1705581872',\n",
" 'to_ids': True,\n",
" 'type': 'ip-src',\n",
" 'uuid': '6938d503-7d96-48b6-9a18-f8e6f95f04dd',\n",
" 'value': '9.9.9.9'},\n",
" {'Galaxy': [],\n",
" 'ShadowAttribute': [],\n",
" 'category': 'Network activity',\n",
" 'comment': 'Comment added via the API',\n",
" 'deleted': False,\n",
" 'disable_correlation': False,\n",
" 'distribution': '5',\n",
" 'event_id': '126',\n",
" 'first_seen': None,\n",
" 'id': '56143',\n",
" 'last_seen': None,\n",
" 'object_id': '0',\n",
" 'object_relation': None,\n",
" 'sharing_group_id': '0',\n",
" 'timestamp': '1705582453',\n",
" 'to_ids': False,\n",
" 'type': 'ip-dst',\n",
" 'uuid': '8153fcad-cd37-45d9-a1d1-a509942116f8',\n",
" 'value': '127.2.2.2'}],\n",
" 'CryptographicKey': [],\n",
" 'EventReport': [],\n",
" 'Galaxy': [],\n",
" 'Object': [{'Attribute': [{'Galaxy': [],\n",
" 'ShadowAttribute': [],\n",
" 'category': 'Other',\n",
" 'comment': '',\n",
" 'deleted': False,\n",
" 'disable_correlation': False,\n",
" 'distribution': '5',\n",
" 'event_id': '126',\n",
" 'first_seen': None,\n",
" 'id': '56144',\n",
" 'last_seen': None,\n",
" 'object_id': '645',\n",
" 'object_relation': 'post',\n",
" 'sharing_group_id': '0',\n",
" 'timestamp': '1558702173',\n",
" 'to_ids': False,\n",
" 'type': 'text',\n",
" 'uuid': '7ed55fe3-cae9-4353-9cd6-cdcb9a50bba5',\n",
" 'value': 'post'}],\n",
" 'ObjectReference': [],\n",
" 'comment': '',\n",
" 'deleted': False,\n",
" 'description': 'Microblog post like a Twitter tweet or '\n",
" 'a post on a Facebook wall.',\n",
" 'distribution': '5',\n",
" 'event_id': '126',\n",
" 'first_seen': None,\n",
" 'id': '645',\n",
" 'last_seen': None,\n",
" 'meta-category': 'misc',\n",
" 'name': 'microblog',\n",
" 'sharing_group_id': '0',\n",
" 'template_uuid': '8ec8c911-ddbe-4f5b-895b-fbff70c42a60',\n",
" 'template_version': '5',\n",
" 'timestamp': '1558702173',\n",
" 'uuid': '838aefb1-0f6e-4967-9a99-e7414887ae9a'}],\n",
" 'Org': {'id': '1',\n",
" 'local': True,\n",
" 'name': 'ORGNAME',\n",
" 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n",
" 'Orgc': {'id': '1',\n",
" 'local': True,\n",
" 'name': 'ORGNAME',\n",
" 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n",
" 'RelatedEvent': [{'Event': {'Org': {'id': '1',\n",
" 'name': 'ORGNAME',\n",
" 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n",
" 'Orgc': {'id': '1',\n",
" 'name': 'ORGNAME',\n",
" 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n",
" 'analysis': '0',\n",
" 'date': '2024-01-16',\n",
" 'distribution': '3',\n",
" 'id': '122',\n",
" 'info': 'Event created via the API as '\n",
" 'an example',\n",
" 'org_id': '1',\n",
" 'orgc_id': '1',\n",
" 'published': False,\n",
" 'threat_level_id': '1',\n",
" 'timestamp': '1705581786',\n",
" 'uuid': 'de96c637-2282-4fc0-9c4e-ca7db60bace1'}},\n",
" {'Event': {'Org': {'id': '1',\n",
" 'name': 'ORGNAME',\n",
" 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n",
" 'Orgc': {'id': '1',\n",
" 'name': 'ORGNAME',\n",
" 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n",
" 'analysis': '0',\n",
" 'date': '2023-09-28',\n",
" 'distribution': '0',\n",
" 'id': '87',\n",
" 'info': 'Event created via the API as '\n",
" 'an example',\n",
" 'org_id': '1',\n",
" 'orgc_id': '1',\n",
" 'published': True,\n",
" 'threat_level_id': '1',\n",
" 'timestamp': '1695907402',\n",
" 'uuid': 'a1348888-5a3e-4e18-acd5-b5015c9621ed'}}],\n",
" 'ShadowAttribute': [],\n",
" 'Tag': [{'colour': '#FF2B2B',\n",
" 'exportable': True,\n",
" 'hide_tag': False,\n",
" 'id': '16',\n",
" 'is_custom_galaxy': False,\n",
" 'is_galaxy': False,\n",
" 'local': 0,\n",
" 'local_only': False,\n",
" 'name': 'tlp:red',\n",
" 'numerical_value': None,\n",
" 'relationship_type': None,\n",
" 'user_id': '0'},\n",
" {'colour': '#33FF00',\n",
" 'exportable': True,\n",
" 'hide_tag': False,\n",
" 'id': '79',\n",
" 'is_custom_galaxy': False,\n",
" 'is_galaxy': False,\n",
" 'local': 0,\n",
" 'local_only': False,\n",
" 'name': 'tlp:green',\n",
" 'numerical_value': None,\n",
" 'relationship_type': None,\n",
" 'user_id': '0'}],\n",
" 'analysis': '0',\n",
" 'attribute_count': '3',\n",
" 'date': '2024-01-18',\n",
" 'disable_correlation': False,\n",
" 'distribution': '0',\n",
" 'event_creator_email': 'admin@admin.test',\n",
" 'extends_uuid': '',\n",
" 'id': '126',\n",
" 'info': 'Event created via the API as an example',\n",
" 'locked': False,\n",
"{'Event': {'Org': {'id': '1', 'name': 'ORGNAME'},\n",
" 'Orgc': {'id': '1', 'name': 'ORGNAME'},\n",
" 'date': '2023-12-11',\n",
" 'id': '119',\n",
" 'info': 'testtest',\n",
" 'org_id': '1',\n",
" 'orgc_id': '1',\n",
" 'proposal_email_lock': False,\n",
" 'protected': None,\n",
" 'publish_timestamp': '0',\n",
" 'published': False,\n",
" 'sharing_group_id': '0',\n",
" 'threat_level_id': '1',\n",
" 'timestamp': '1705582663',\n",
" 'uuid': 'b3cc1ea2-892f-48e1-a6dc-20279818a724'}}\n"
" 'user_id': '6'},\n",
" 'EventReport': {'content': 'Body',\n",
" 'deleted': False,\n",
" 'distribution': '5',\n",
" 'event_id': '119',\n",
" 'id': '52',\n",
" 'name': 'Report from API',\n",
" 'sharing_group_id': '0',\n",
" 'timestamp': '1712818726',\n",
" 'uuid': '9b6a2be2-127a-4c61-875b-a9eeba3b1139'},\n",
" 'SharingGroup': {'id': None, 'name': None, 'uuid': None}}\n"
]
}
],
"source": [
"# Edition 2 - tagging 2\n",
"endpoint = '/events/edit/'\n",
"relative_path = '126'\n",
"relative_path = str(event_id)\n",
"\n",
"body = {\n",
" \"distribution\": 0,\n",
@ -889,6 +741,272 @@
"print_result(res)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Event reports"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"endpoint = '/eventReports/add/'\n",
"relative_path = str(event_id)\n",
"\n",
"body = {\n",
" \"name\": \"Report from API\",\n",
" \"distribution\": 5,\n",
" \"sharing_group_id\": 0,\n",
" \"content\": \"Body\"\n",
"}\n",
"\n",
"res = misp.direct_call(endpoint + relative_path, body)\n",
"event_report_id = res['EventReport']['id']\n",
"\n",
"print_result(res)"
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {},
"outputs": [],
"source": [
"# Download HTML, convert it into markdown then save it as Event Report.\n",
"endpoint = '/eventReports/importReportFromUrl/'\n",
"relative_path = str(event_id)\n",
"\n",
"body = {\n",
" \"url\": \"https://domain.example/blogpost/123.pdf\"\n",
"}\n",
"\n",
"res = misp.direct_call(endpoint + relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "code",
"execution_count": 20,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"{'report': {'Event': {'Org': {'id': '1', 'name': 'ORGNAME'},\n",
" 'Orgc': {'id': '1', 'name': 'ORGNAME'},\n",
" 'date': '2023-12-11',\n",
" 'id': '119',\n",
" 'info': 'testtest',\n",
" 'org_id': '1',\n",
" 'orgc_id': '1',\n",
" 'user_id': '6'},\n",
" 'EventReport': {'content': 'Body @[tag](tlp:red) '\n",
" '@[attribute](bffa5ba8-7040-4f38-979f-7386f5a3a251)',\n",
" 'deleted': False,\n",
" 'distribution': '5',\n",
" 'event_id': '119',\n",
" 'id': '50',\n",
" 'name': 'Report from API',\n",
" 'sharing_group_id': '0',\n",
" 'timestamp': '1712821134',\n",
" 'uuid': '972d3aeb-a60e-4bab-9db9-a76ef0551188'},\n",
" 'SharingGroup': {'id': None, 'name': None, 'uuid': None}}}\n"
]
}
],
"source": [
" # Extract all entities, tag Event with tag found\n",
"endpoint = '/eventReports/extractAllFromReport/'\n",
"relative_path = str(50)\n",
"\n",
"body = {\n",
" \"tag_event\": 1\n",
"}\n",
"\n",
"res = misp.direct_call(endpoint + relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Analyst Data"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Analyst Note"
]
},
{
"cell_type": "code",
"execution_count": 22,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"{'Note': {'Org': {'contacts': '',\n",
" 'created_by': '0',\n",
" 'date_created': '2021-09-30 13:28:31',\n",
" 'date_modified': '2023-09-07 07:40:54',\n",
" 'description': 'Automatically generated admin organisation',\n",
" 'id': '1',\n",
" 'landingpage': None,\n",
" 'local': True,\n",
" 'name': 'ORGNAME',\n",
" 'nationality': 'Belgium',\n",
" 'restricted_to_domain': [],\n",
" 'sector': '',\n",
" 'type': 'ADMIN',\n",
" 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n",
" 'Orgc': {'contacts': '',\n",
" 'created_by': '0',\n",
" 'date_created': '2021-09-30 13:28:31',\n",
" 'date_modified': '2023-09-07 07:40:54',\n",
" 'description': 'Automatically generated admin organisation',\n",
" 'id': '1',\n",
" 'landingpage': None,\n",
" 'local': True,\n",
" 'name': 'ORGNAME',\n",
" 'nationality': 'Belgium',\n",
" 'restricted_to_domain': [],\n",
" 'sector': '',\n",
" 'type': 'ADMIN',\n",
" 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n",
" '_canEdit': True,\n",
" 'authors': 'john.doe@admin.test',\n",
" 'created': '2024-04-11 07:54:06',\n",
" 'distribution': '1',\n",
" 'id': '80',\n",
" 'language': 'fr-BE',\n",
" 'locked': False,\n",
" 'modified': '2024-04-11 07:54:06',\n",
" 'note': 'Ceci est une note',\n",
" 'note_type': 0,\n",
" 'note_type_name': 'Note',\n",
" 'object_type': 'Event50',\n",
" 'object_uuid': '03cbbd87-9081-4ea9-94e2-431939fa85dc',\n",
" 'org_uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6',\n",
" 'orgc_uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6',\n",
" 'sharing_group_id': None,\n",
" 'uuid': 'b6362eab-b232-4d7b-867f-52c6971a743b'}}\n"
]
}
],
"source": [
"analystType = 'Note'\n",
"objectUUID = '03cbbd87-9081-4ea9-94e2-431939fa85dc'\n",
"# objectType[Enum]: \"Attribute\" \"Event\" \"EventReport\" \"GalaxyCluster\" \"Galaxy\"\n",
"# \"Object\" \"Note\" \"Opinion\" \"Relationship\" \"Organisation\" \"SharingGroup\"\n",
"objectType = 'Event'\n",
"endpoint = f'/analystData/add/{analystType}/{objectUUID}/{objectType}'\n",
"\n",
"body = {\n",
" \"note\": \"Ceci est une note\",\n",
" \"language\": \"fr-BE\",\n",
" \"authors\": \"john.doe@admin.test\",\n",
" \"distribution\": 1\n",
"}\n",
"\n",
"res = misp.direct_call(endpoint + relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Analyst Opinion"
]
},
{
"cell_type": "code",
"execution_count": 23,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"{'Opinion': {'Org': {'contacts': '',\n",
" 'created_by': '0',\n",
" 'date_created': '2021-09-30 13:28:31',\n",
" 'date_modified': '2023-09-07 07:40:54',\n",
" 'description': 'Automatically generated admin '\n",
" 'organisation',\n",
" 'id': '1',\n",
" 'landingpage': None,\n",
" 'local': True,\n",
" 'name': 'ORGNAME',\n",
" 'nationality': 'Belgium',\n",
" 'restricted_to_domain': [],\n",
" 'sector': '',\n",
" 'type': 'ADMIN',\n",
" 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n",
" 'Orgc': {'contacts': '',\n",
" 'created_by': '0',\n",
" 'date_created': '2021-09-30 13:28:31',\n",
" 'date_modified': '2023-09-07 07:40:54',\n",
" 'description': 'Automatically generated admin '\n",
" 'organisation',\n",
" 'id': '1',\n",
" 'landingpage': None,\n",
" 'local': True,\n",
" 'name': 'ORGNAME',\n",
" 'nationality': 'Belgium',\n",
" 'restricted_to_domain': [],\n",
" 'sector': '',\n",
" 'type': 'ADMIN',\n",
" 'uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6'},\n",
" '_canEdit': True,\n",
" 'authors': 'john.doe@admin.test',\n",
" 'comment': 'This is an opinion',\n",
" 'created': '2024-04-11 07:54:12',\n",
" 'distribution': '1',\n",
" 'id': '64',\n",
" 'locked': False,\n",
" 'modified': '2024-04-11 07:54:12',\n",
" 'note_type': 1,\n",
" 'note_type_name': 'Opinion',\n",
" 'object_type': 'Event50',\n",
" 'object_uuid': '03cbbd87-9081-4ea9-94e2-431939fa85dc',\n",
" 'opinion': '75',\n",
" 'org_uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6',\n",
" 'orgc_uuid': 'c5de83b4-36ba-49d6-9530-2a315caeece6',\n",
" 'sharing_group_id': None,\n",
" 'uuid': 'eea00f1d-71aa-4763-9489-bd137cae2a57'}}\n"
]
}
],
"source": [
"analystType = 'Opinion'\n",
"objectUUID = '03cbbd87-9081-4ea9-94e2-431939fa85dc'\n",
"# objectType[Enum]: \"Attribute\" \"Event\" \"EventReport\" \"GalaxyCluster\" \"Galaxy\"\n",
"# \"Object\" \"Note\" \"Opinion\" \"Relationship\" \"Organisation\" \"SharingGroup\"\n",
"objectType = 'Event'\n",
"endpoint = f'/analystData/add/{analystType}/{objectUUID}/{objectType}'\n",
"\n",
"body = {\n",
" \"opinion\": 75,\n",
" \"comment\": \"This is an opinion\",\n",
" \"authors\": \"john.doe@admin.test\",\n",
" \"distribution\": 1\n",
"}\n",
"\n",
"res = misp.direct_call(endpoint + relative_path, body)\n",
"print_result(res)"
]
},
{
"cell_type": "markdown",
"metadata": {},
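Review bot: Both analyst-data cells call `res = misp.direct_call(endpoint + relative_path, body)`, but `endpoint` already ends in `{objectType}` and `relative_path` is a stale value from the extractAllFromReport cell (`str(50)`), so the request goes to `.../Event50`; the captured output confirms this with `'object_type': 'Event50'`. The fix in both cells is `res = misp.direct_call(endpoint, body)`. Relatedly, `relative_path = str(50)` in the extract cell hard-codes a report id even though `event_report_id` was captured from the add call two cells earlier; `relative_path = str(event_report_id)` keeps the notebook replayable against any instance. Since importReportFromUrl appears to make the MISP server fetch the supplied URL and extractAllFromReport with `tag_event: 1` applies whatever tag references appear in the report body to the event, a short comment such as `# Imported third-party content drives tagging here: review the report before extracting` would be a useful caveat for trainees.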


@ -136,4 +136,56 @@
\end{itemize}
\end{itemize}
}
\end{multicols*}
\end{multicols*}
\newpage
\begin{multicols*}{3}
% Analyst Note
\cheatbox[\faicon{sticky-note}]
[Share and add an analysis to any MISP data]
[Describe information about specific details, annotate elements]
[\distributable \synchronisable]
[Text element that can be attached to many element]
{\linkdest{note}Analyst Notes}
{
$\blacktriangleright$ Any user can attach \notes to data they don't own.
For example: \events, \attributes, \clusters, $\cdots$\\
$\blacktriangleright$ The note is actually attached to the target's UUID
}
% Analyst Opinion
\cheatbox[\faicon{gavel}]
[Share and add an opinion to any MISP data]
[Provide feedback to third-parties, Coordinate and Collaborate]
[\distributable \synchronisable]
[Text element with a numerical opinion that can be attached to many element]
{\linkdest{opinion}Analyst Opinions}
{
$\blacktriangleright$ Basically the same as a \note\\
$\blacktriangleright$ The numerical value of the \opinion is $\in [0, 100]$. where $50$ is the neutral point. Any values $<50$ are considered negatives, values $>50$ are considered positives.
}
% Analyst Relationship
\cheatbox[\faicon{arrow-up}]
[Create a relationship between elements]
[Manually create correlation link, add similarities]
[\distributable \synchronisable]
[Link between two entities using a verb]
{\linkdest{opinion}Analyst Relationships}
{
$\blacktriangleright$ Basically the same as a \note but includes the target element\\
$\blacktriangleright$ Example could be an \event $\rightarrow$ \event relationship where one is \textit{Suspected to be part of the same campaign based on HUMINT sources}
}
% Element Collection
\cheatbox[\faicon{object-group}]
[Allow groupping multiple elements into a single collection]
[Grouping \events together if they are part of the same campaing]
[\distributable]
[Group element into collection]
{\linkdest{collection}Element Collection}
{
}
\end{multicols*}
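Review bot: The relationships box uses `{\linkdest{opinion}Analyst Relationships}`, which registers a second `opinion` anchor instead of the `relationship` target that the new `\relationship`/`\relationships` macros hyperlink to, so those links will resolve to the opinion box (or hyperref will warn about a duplicate destination); it should read `{\linkdest{relationship}Analyst Relationships}`. The same section has visible-text typos worth fixing: `groupping`, `campaing` and `many element` (twice) should be `grouping`, `campaign` and `many elements`. The Element Collection cheatbox body is empty, so a one-line description of what a collection holds would avoid rendering a blank box.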


@ -25,6 +25,14 @@
\newcommand{\cluster}{\hyperlink{cluster}{\texttt{Galaxy Cluster}} }
\newcommand{\sharinggroups}{\hyperlink{sharinggroup}{\texttt{Sharing Groups}} }
\newcommand{\sharinggroup}{\hyperlink{sharinggroup}{\texttt{Sharing Group}} }
\newcommand{\notes}{\hyperlink{note}{\texttt{Analyst Notes}} }
\newcommand{\note}{\hyperlink{note}{\texttt{Analyst Note}} }
\newcommand{\opinions}{\hyperlink{opinion}{\texttt{Analyst Opinions}} }
\newcommand{\opinion}{\hyperlink{opinion}{\texttt{Analyst Opinion}} }
\newcommand{\relationships}{\hyperlink{relationship}{\texttt{Analyst Relationships}} }
\newcommand{\relationship}{\hyperlink{relationship}{\texttt{Analyst Relationship}} }
\newcommand{\collections}{\hyperlink{collection}{\texttt{Element Collections}} }
\newcommand{\collection}{\hyperlink{collection}{\texttt{Element Collection}} }
\newcommand{\taggable}{\faicon{tags}\hspace*{0.3em}}
\newcommand{\distributable}{\faicon{eye-slash}\hspace*{0.3em}}

