diff --git a/build.sh b/build.sh index 0f1f6be..4b011f4 100755 --- a/build.sh +++ b/build.sh @@ -2,7 +2,6 @@ # slidedecks=("0-intro-shorter" "0-misp-introduction-to-information-sharing" "1-misp-usage" "1.2-misp-integration" "1.1-misp-viper-integration" "1.2.1-misp-integration-mail2misp" "2-misp-administration" "3-misp-taxonomy-tagging" "3.1-misp-modules" "3.2-misp-galaxy" "3.3-misp-object-template" "6.0-misp-dashboard" "a.0-contributing" "a.1-devintro" "a.2-pymisp" "a.3-misp-feed" "a.4-best-practices" "a.5-decaying-indicators" "a.5-bis-decaying-indicators-light-version" "a.6-forensic" "a.7-rest-API" "b.1-best-practices-in-threat-intelligence" "a.8-dev-hands-on" "a.9-restsearch-dev" "a.10-galaxy-2.0" "a.11-misp-data-model" "a.a-widget-dev" "b.2-turning-data-into-actionable-intelligence" "b.5-turning-data-into-actionable-intelligence-training" "4-misp-standard" "a.b-cli" "a.c-deployment" "a.12-misp-workflows" "a.12-misp-workflows-short" "a.13-misp-stix" "b.6-automation") -slidedecks=("b.6-automation") mkdir output mkdir output/handout diff --git a/events/20231107-FIRSTCTI23-MISP3/content.tex b/events/20231107-FIRSTCTI23-MISP3/content.tex index 1f4e393..79e9c33 100755 --- a/events/20231107-FIRSTCTI23-MISP3/content.tex +++ b/events/20231107-FIRSTCTI23-MISP3/content.tex @@ -458,7 +458,7 @@ \begin{itemize} \item \textbf{Simplified} installation based on package managers \item Upstream Docker installer - \item OS targerts: \textbf{Ubuntu} and \textbf{RHEL} + \item OS targets: \textbf{Ubuntu} and \textbf{RHEL} \end{itemize} \end{minipage}% \begin{minipage}{0.48\textwidth} diff --git a/events/20231107-FIRSTCTI23-MISP3/pictures/sharinggroup-add.png b/events/20231107-FIRSTCTI23-MISP3/pictures/sharinggroup-add.png index 1d48c4f..945bb63 100644 Binary files a/events/20231107-FIRSTCTI23-MISP3/pictures/sharinggroup-add.png and b/events/20231107-FIRSTCTI23-MISP3/pictures/sharinggroup-add.png differ 
diff --git a/events/20231107-FIRSTCTI23-MISP3/slide.pdf b/events/20231107-FIRSTCTI23-MISP3/slide.pdf
index c6ca6ad..7e323a0 100644
Binary files a/events/20231107-FIRSTCTI23-MISP3/slide.pdf and b/events/20231107-FIRSTCTI23-MISP3/slide.pdf differ
diff --git a/events/20231114-NATO-MUG-Workflow/clean.sh b/events/20231114-NATO-MUG-Workflow/clean.sh
new file mode 100755
index 0000000..bc963fd
--- /dev/null
+++ b/events/20231114-NATO-MUG-Workflow/clean.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+rm *.aux *.listing *.log *.nav *.out *.snm *.toc *.vrb *.upa
diff --git a/events/20231114-NATO-MUG-Workflow/content.tex b/events/20231114-NATO-MUG-Workflow/content.tex
new file mode 100755
index 0000000..654680f
--- /dev/null
+++ b/events/20231114-NATO-MUG-Workflow/content.tex
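Review bot: The `rm` line in the new clean.sh runs against whatever directory the caller is in and has no `-f`, so a run from the wrong place deletes that directory's matching files, and a run in a tree where one of the nine extensions has no file makes rm print an error per unmatched pattern and exit non-zero. Pinning the directory and tolerating missing files covers both: `cd -- "$(dirname -- "$0")" || exit 1` followed by `rm -f -- *.aux *.listing *.log *.nav *.out *.snm *.toc *.vrb *.upa`. The `--` also keeps a file whose name starts with a dash from being read as an option.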
@@ -0,0 +1,756 @@
+% DO NOT COMPILE THIS FILE DIRECTLY!
+% This is included by the other .tex files.
+
+\begin{frame}[t,plain]
+\titlepage
+\end{frame}
+
+\begin{frame}
+ \frametitle{Example of use-cases}
+ \begin{itemize}
+ \item \textbf{Notification} on specifc actions
+ \begin{itemize}
+ \item New events matching criteria
+ \item New users
+ \item Automated alerts for high-priority IOCs
+ \end{itemize}
+ \item \textbf{Extend} existing MISP behavior
+ \begin{itemize}
+ \item Push data to another system
+ \item Automatic enrichment
+ \item Sanity check to block publishing / sharing
+ \item Curation pipelines
+ \end{itemize}
+ \item \textbf{Hook} capabilities
+ \begin{itemize}
+ \item Assign tasks and notify incident response team members
+ \end{itemize}
+ \item ...
+ \end{itemize}
+\end{frame}
+
+% \section{Workflow - Fundamentals}
+\begin{frame}
+ \frametitle{
+ \huge
+ Workflow - Fundamentals
+ \vspace{1em}
+ }
+ \textbf{Objective:} Start with the foundation to understand the basics
+ \begin{center}
+ \includegraphics[width=0.07\linewidth]{pictures/fundation}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Triggers}
+ Currently 11 triggers can be hooked. 3 being \includegraphics[width=36px]{pictures/blocking-workflow.png}.
+ \begin{center}
+ \frame{\includegraphics[width=1.0\linewidth]{pictures/triggers.png}}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Logic modules / Conditions}
+ \vspace*{0.25em}
+ \includegraphics[width=70px]{pictures/sc-condition.png}
+ \vspace*{0.25em}
+ {\Large \faIcon{question-circle}} \textbf{Logic modules} allow to redirect the execution flow
+ \begin{itemize}
+ % \colorbox{red!100}{\textcolor{white}{\texttt{tlp:red}}}
+ \item A MISP Event is tagged with \texttt{tlp:red}
+ \item The distribution of an Attribute is a sharing group
+ \item The creator organisation is \texttt{circl.lu}
+ \item Or any other \textbf{generic} conditions
+ \end{itemize}
+
+ \vspace*{0.5em}
+ \begin{center}
+ \includegraphics[width=0.43\textwidth]{pictures/logic-module.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Actions modules}
+ \vspace*{0.25em}
+ \includegraphics[width=60px]{pictures/sc-action.png}
+ \vspace*{0.25em}
+ {\Large \faIcon{question-circle}} \textbf{Action modules} allow to executes operations
+ \begin{itemize}
+ \item Send an email notification
+ \item Perform enrichments
+ \item Send a chat message on MS Teams
+ \item Attach a local tag
+ \item ...
+ \end{itemize}
+
+ \vspace*{0.5em}
+ \begin{center}
+ \includegraphics[width=0.43\textwidth]{pictures/action-module.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{What is a MISP Workflow?}
+ \begin{itemize}
+ \item Sequence of all nodes to be executed in a specific order
+ \item Workflows can be enabled / disabled
+ \item A Workflow is associated to \textbf{1-and-only-1 trigger}
+ \end{itemize}
+ \vspace*{0.5em}
+ \begin{center}
+ \frame{\includegraphics[width=1.0\linewidth]{pictures/simple-workflow.png}}
+ \end{center}
+\end{frame}
+
+
+\begin{frame}
+ \frametitle{Sources of Workflow modules}
+ {\large Built-in \textbf{default} modules}
+ \begin{itemize}
+ \item Part of the MISP codebase
+ \item Ready to use once enabled
+ \end{itemize}
+ \vspace{1em}
+ {\large User-defined \textbf{custom} modules}
+ \vspace{0.5em}
+ \begin{columns}[t]
+ \begin{column}{0.5\textwidth}
+ \underline{Written in PHP}
+ \begin{itemize}
+ \item Extend existing modules
+ \item MISP code reuse
+ \end{itemize}
+ \end{column}
+ \begin{column}{0.5\textwidth}
+ \underline{Written in Python}
+ \begin{itemize}
+ \item Can rely on extensive python libraries
+ \item Easier to write
+ \item Rely on the \textbf{enrichment service} \includegraphics[width=0.12\linewidth]{pictures/misp-module-icon.png}
+ \end{itemize}
+ \end{column}
+ \end{columns}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Demo by examples}
+ \begin{enumerate}
+ \item[WF-1.] Send an email to \textbf{all admins} when a new event has been pulled
+ \vspace*{2em}
+ \item[WF-2.] Block queries on 3rd party services when \textbf{tlp:red} or \textbf{PAP:red}
+ \begin{itemize}
+ \item \textbf{tlp:red}: For the eyes and ears of individual recipients only
+ \item \textbf{PAP:RED}: Only passive actions that are not detectable from the outside
+ \end{itemize}
+ \end{enumerate}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Demo WF-1: Send an email to \textbf{all admins} when a new event has been pulled}
+ \begin{center}
+ \frame{\includegraphics[width=1.0\linewidth]{pictures/demo-wf1.png}}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Demo WF-2: Block queries on 3rd party services when \textbf{tlp:red} or \textbf{PAP:red}}
+ \begin{itemize}
+ \small
+ \item \textbf{tlp:red}: For the eyes and ears of individual recipients only
+ \item \textbf{PAP:RED}: Only passive actions that are not detectable from the outside
+ \end{itemize}
+ \vspace*{1em}
+ \begin{center}
+ \frame{\includegraphics[width=1.0\linewidth]{pictures/demo-wf2.png}}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Creating a workflow with the editor}
+ \begin{enumerate}
+ \item \underline{Prevent} event publication \texttt{\bf \large if tlp:red} tag
+ \begin{itemize}
+ \item \underline{Send a mail} to \texttt{\scriptsize admin@admin.test} about potential data leak
+ \end{itemize}
+ \item \texttt{\bf \large else}, \underline{send a notification} on Mattermost
+ \end{enumerate}
+\end{frame}
+
+% \section{Considerations when working with workflows}
+\begin{frame}
+ \frametitle{
+ \huge
+ Considerations when working with workflows
+ \vspace{1em}
+ }
+ \textbf{Objective:} Overview of some common pitfalls
+ \begin{center}
+ \includegraphics[width=24px]{pictures/radar.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Working with the editor - Operations not allowed}
+ Execution loop are not authorized
+ \vspace*{1em}
+ \begin{columns}
+ \begin{column}{0.7\textwidth}
+ \frame{\includegraphics[width=1.0\linewidth]{pictures/editor-not-allowed-1.png}}
+ \end{column}
+ \begin{column}{0.3\textwidth}
+ \frame{\includegraphics[width=1.0\linewidth]{pictures/infinite-loop.jpg}}
+ \end{column}
+ \end{columns}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Recursive workflows}
+ \frame{\includegraphics[width=1.0\linewidth]{pictures/recursive-workflow.png}}
+ \danger Recursion: If an action re-run the workflow
+\end{frame}
+
+\begin{frame}
+ \frametitle{Working with the editor - Operations not allowed}
+ Multiple connections from the same output
+ \vspace*{1em}
+ \begin{columns}
+ \begin{column}{0.7\textwidth}
+ \frame{\includegraphics[width=1.0\linewidth]{pictures/editor-not-allowed-2.png}}
+ \end{column}
+ \begin{column}{0.3\textwidth}
+ \frame{\includegraphics[width=1.0\linewidth]{pictures/two-paths.jpeg}}
+ \end{column}
+ \end{columns}
+ \begin{itemize}
+ \item Execution order not guaranted
+ \item Confusing for users
+ \end{itemize}
+\end{frame}
+
+\section{New recent features}
+\begin{frame}
+ \frametitle{New recent features I}
+ \begin{itemize}
+ \item New action modules \& improvements
+ \begin{itemize}
+ \item \texttt{Assign country}
+ \item \texttt{Attach warninglist}
+ \item \texttt{Attribute operations}
+ \item \texttt{Tag replacements}
+ \item \texttt{Webhook}, $\cdots$
+ \end{itemize}
+ \item New logic modules \& improvements
+ \begin{itemize}
+ \item \texttt{Filter :: Generic}
+ \item \texttt{Filter :: Remove}
+ \item \texttt{IF :: *}
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{New recent features I}
+ \frame{\includegraphics[width=1.0\linewidth]{pictures/new-modules.png}}
+\end{frame}
+
+\begin{frame}
+ \frametitle{New recent features II}
+ $\sim 12$ New blueprints for IoC curation
+ \frame{\includegraphics[width=1.0\linewidth]{pictures/curation-google-safe-browsing.png}}
+\end{frame}
+
+\begin{frame}
+ \frametitle{New recent features III}
+ \begin{itemize}
+ \item UI improvements
+ \begin{itemize}
+ \item Frame to annotate and group modules
+ \item More documentation (Format, Jinja2 syntax)
+ \item Collapsible sidebar and quick node insert
+ \item Hash path picker
+ \end{itemize}
+ \end{itemize}
+ \begin{center}
+ \frame{\includegraphics[width=0.7\linewidth]{pictures/frames.png}}
+ \end{center}
+\end{frame}
+
+\section{Advanced usage}
+\begin{frame}
+ \frametitle{
+ \huge
+ Advanced usage
+ \vspace{1em}
+ }
+ \textbf{Objective:}
+ \begin{itemize}
+ \item Blocking workflows
+ \item Blueprints
+ \item Filtering
+ \item Data format
+ \item Debugging
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Blocking and non-blocking}
+ Two types of workflows:
+ \vspace{0.5em}
+ \begin{itemize}
+ \item[] \hspace*{-2em}\includegraphics[valign=m,width=48px]{pictures/blocking-workflow.png} Workflows
+ \begin{itemize}
+ \item Can prevent / block the original event to happen
+ \item If a \textbf{blocking module}\includegraphics[valign=b,width=12px]{pictures/blocking-module.png} blocks the action
+ \item \texttt{event-publish}, \texttt{event-before-save}, \texttt{enrichment-before-query}, $\cdots$
+ \end{itemize}
+ \vspace{0.5em}
+ \item[] \hspace*{-2em}\includegraphics[valign=b,width=56px]{pictures/non-blocking-workflow.png} Workflows execution outcome has no impact
+ \begin{itemize}
+ \item No way to prevent something that happened in the past
+ \item \texttt{event-after-save}, \texttt{attribute-after-save} \texttt{log-after-save}, $\cdots$
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Logic module: Concurrent Task}
+ \begin{itemize}
+ \item Logic module allowing \textbf{multiple output} connections
+ \item \textbf{Postpone the execution} for remaining modules
+ \item Convert \includegraphics[valign=b,width=44px]{pictures/blocking-workflow.png} \faIcon{long-arrow-alt-right} \includegraphics[valign=b,width=56px]{pictures/non-blocking-workflow.png}
+ \end{itemize}
+ \begin{center}
+ \frame{\includegraphics[width=0.5\linewidth]{pictures/module-concurrent.png}}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Workflow blueprints}
+ \begin{enumerate}
+ \item Blueprints allow to \textbf{re-use parts} of a workflow in another one
+ \item Blueprints can be saved, exported and \textbf{shared}
+ \end{enumerate}
+ \begin{center}
+ \includegraphics[width=0.5\linewidth]{pictures/blueprint-debugging.png}
+ \end{center}
+ Blueprints sources: \texttt{\scriptsize MISP/misp-workflow-blueprints} repository\footnote{\scriptsize https://github.com/MISP/misp-workflow-blueprints}
+ \begin{itemize}
+ \small
+ \item Block actions if any attributes have the \texttt{PAP:RED} or \texttt{tlp:red} tag
+ \item Curation pipeline
+ \item Enrich data from 3rd-party
+ \end{itemize}
+\end{frame}
+
+\section{Filtering}
+\begin{frame}
+ \frametitle{Fitlering data on which to apply a module}
+ What is the outcome of executing this workflow?
+ \begin{center}
+ \includegraphics[width=1.0\textwidth]{pictures/remove-ids-1.png}
+ \end{center}
+ \pause
+ \vspace{1em}
+ All Attributes get their \texttt{to\_ids} turned off.\\
+ \vspace{1em}
+ How could we force that action only on Attribute of type \texttt{comment}?
+ \begin{center}
+ $\rightarrow$ Hash path filtering!
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Fitlering data on which to apply a module}
+ \begin{center}
+ \includegraphics[width=0.5\textwidth]{pictures/remove-ids-3.png}
+ \end{center}
+ \begin{center}
+ \includegraphics[width=0.9\textwidth]{pictures/remove-ids-2.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Fitlering data on which to apply a module}
+ \begin{center}
+ \includegraphics[width=0.5\textwidth]{pictures/remove-ids-3.png}
+ \end{center}
+ \begin{center}
+ \includegraphics[width=0.9\textwidth]{pictures/remove-ids-2-details.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Fitlering data on which to apply a module}
+ \Wider{\includegraphics[width=1.01\textwidth]{pictures/filtering-diagram}}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Fitlering data on which to apply on multiple modules}
+ New feature as of \textbf{v2.4.171} allows setting filters on a path.
+ \begin{center}
+ \includegraphics[width=1.0\textwidth]{pictures/remove-ids-generic.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Data format in Workflows}
+ \begin{itemize}
+ \item In most cases, the format is the \textbf{MISP Core format}
+ \begin{itemize}
+ \item Attributes are \textbf{always encapsulated} in the Event or Object
+ \end{itemize}
+ \end{itemize}
+ \begin{center}
+ \includegraphics[width=0.9\linewidth]{pictures/misp-core-format.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}[fragile]
+ \frametitle{Hash path filtering - Example}
+
+\begin{lstlisting}[language=javascript,firstnumber=1]
+{
+ "Event": {
+ "uuid": ...
+ "timestamp": ...
+ "distribution": 1,
+ "published": false,
+ "Attribute": [
+ {
+ "type": "ip-src",
+ "value": "8.8.8.8", ...
+ },
+ {
+ "type": "domain",
+ "value": "misp-project.org", ...
+ }
+ ],
+ ...
+ }
+}
+\end{lstlisting}
+ \begin{enumerate}
+ \item Access Event distribution
+ \begin{itemize}
+ \item \texttt{Event.distribution}
+ \end{itemize}
+ \end{enumerate}
+\end{frame}
+
+\begin{frame}[fragile]
+ \frametitle{Hash path filtering - Exercise (1)}
+
+\begin{lstlisting}[language=javascript,firstnumber=1]
+{
+ "Event": {
+ "uuid": ...
+ "distribution": 1,
+ "published": false,
+ "Attribute": [
+ {
+ "type": "ip-src",
+ "value": "8.8.8.8", ...
+ },
+ {
+ "type": "domain",
+ "value": "misp-project.org", ...
+ }
+ ],
+ ...
+ }
+}
+\end{lstlisting}
+ \begin{enumerate}
+ \setcounter{enumi}{1}
+ \item Access Event published state
+ \pause
+ \begin{itemize}
+ \item \texttt{Event.published}
+ \end{itemize}
+ \end{enumerate}
+\end{frame}
+
+\begin{frame}[fragile]
+ \frametitle{Hash path filtering - Exercise (2)}
+
+\begin{lstlisting}[language=javascript,firstnumber=1]
+{
+ "Event": {
+ "uuid": ...
+ "distribution": 1,
+ "published": false,
+ "Attribute": [
+ {
+ "type": "ip-src",
+ "value": "8.8.8.8", ...
+ },
+ {
+ "type": "domain",
+ "value": "misp-project.org", ...
+ }
+ ],
+ ...
+ }
+}
+\end{lstlisting}
+ \begin{enumerate}
+ \setcounter{enumi}{2}
+ \item Access all Attribute types
+ \begin{itemize}
+ \item Hint: Use \texttt{\bf \{n\}} to loop
+ \pause
+ \item \texttt{Event.Attribute.\{n\}.type}
+ \end{itemize}
+ \end{enumerate}
+\end{frame}
+
+\begin{frame}[fragile]
+ \frametitle{Hash path filtering - Exercise (3)}
+
+\begin{lstlisting}[language=javascript,firstnumber=1]
+{
+ "Event": {
+ "Attribute": [
+ {
+ "type": "ip-src",
+ "value": "8.8.8.8",
+ "Tag": [
+ {
+ "name": "PAP:AMBER", ...
+ }
+ ], ...
+ }
+ ],
+ ...
+ }
+}
+\end{lstlisting}
+ \begin{enumerate}
+ \setcounter{enumi}{2}
+ \item Access all Tags attached to Attributes
+ \pause
+ \begin{itemize}
+ \item \texttt{Event.Attribute.\{n\}.Tag.\{n\}.name}
+ \end{itemize}
+ \end{enumerate}
+\end{frame}
+
+
+\begin{frame}[fragile]
+ \frametitle{Hash path filtering - Exercise (4)}
+
+\begin{lstlisting}[language=javascript,firstnumber=1]
+{
+ "Event": {
+ "Tag": [
+ {
+ "name": "tlp:green", ...
+ }
+ ], ...
+ "Attribute": [
+ {
+ "value": "8.8.8.8",
+ "Tag": [
+ {
+ "name": "PAP:AMBER", ...
+ }
+ ], ...
+ }
+ ],
+ }
+}
+\end{lstlisting}
+ \begin{enumerate}
+ \setcounter{enumi}{3}
+ \item Access all Tags attached to Attributes and from the Event
+ \begin{itemize}
+ \item Hint: Use \texttt{\bf \_allTags} to access {\bf all} tags
+ \end{itemize}
+ \end{enumerate}
+\end{frame}
+
+\begin{frame}[fragile]
+ \frametitle{Hash path filtering - Exercise (4)}
+
+\begin{lstlisting}[language=javascript,firstnumber=1]
+{
+ "Event": {
+ "Tag": [
+ {
+ "name": "tlp:green", ...
+ }
+ ], ...
+ "Attribute": [
+ {
+ "value": "8.8.8.8",
+ "Tag": [
+ {
+ "name": "PAP:AMBER", ...
+ }
+ ], ...
+ }
+ ],
+ }
+}
+\end{lstlisting}
+ \begin{enumerate}
+ \setcounter{enumi}{3}
+ \item Access all Tags attached to Attributes and from the Event
+ \begin{itemize}
+ \item \texttt{Event.Attribute.\{n\}.\_allTags.\{n\}.name}
+ \end{itemize}
+ \end{enumerate}
+\end{frame}
+
+\begin{frame}[fragile]
+ \frametitle{Hash path filtering - Exercise (4)}
+
+\begin{lstlisting}[language=javascript,firstnumber=1]
+{
+ "Event": {
+ "Tag": [...],
+ "Attribute": [
+ {
+ "value": "8.8.8.8",
+ "_allTags": [
+ {
+ "name": "tlp:green",
+ "inherited": true, ...
+ },
+ {
+ "name": "PAP:AMBER",
+ "inherited": false, ...
+ }
+ ],
+ }
+ ...
+}
+\end{lstlisting}
+ \begin{enumerate}
+ \setcounter{enumi}{3}
+ \item Access all Tags attached to Attributes and from the Event
+ \begin{itemize}
+ \item \texttt{Event.Attribute.\{n\}.\_allTags.\{n\}.name}
+ \end{itemize}
+ \end{enumerate}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Data format in Workflows}
+ \begin{center}
+ \includegraphics[width=0.7\linewidth]{pictures/workflow-trigger.png}
+ \end{center}
+ \begin{itemize}
+ \item In most cases, the format is the \textbf{MISP Core format}
+ \begin{itemize}
+ \item Attributes are \textbf{always encapsulated} in the Event or Object
+ \end{itemize}
+ \item The MISP Core format has \textbf{additional properties}
+ \begin{itemize}
+ \item Additional key \textbf{\texttt{\_AttributeFlattened}}
+ \item Additional key \textbf{\texttt{\_allTags}}
+ \item Additional key \textbf{\texttt{inherited}} for Tags
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\section{Debugging}
+\begin{frame}
+ \frametitle{Debugging Workflows: Log Entries}
+ \begin{itemize}
+ \item Workflow execution is logged in the application logs:
+ \begin{itemize}
+ \item \texttt{/admin/logs/index}
+ \item \faIcon{exclamation-triangle} Might be phased out as its too verbose
+ \end{itemize}
+ \item Or stored on disk in the following file:
+ \begin{itemize}
+ \item \texttt{/app/tmp/logs/workflow-execution.log}
+ \end{itemize}
+ \end{itemize}
+ \begin{center}
+ \includegraphics[width=1.0\linewidth]{pictures/workflow-debug.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Debugging Workflows: Debug mode}
+ \begin{itemize}
+ \item The \includegraphics[width=70px]{pictures/debug-mode.png} can be turned on for each workflows
+ \item Each nodes will send data to the provided URL
+ \begin{itemize}
+ \item Configure the setting: \texttt{Plugin.Workflow\_debug\_url}
+ \end{itemize}
+ \item Result can be visualized in
+ \begin{itemize}
+ \item \textbf{offline}: \texttt{tools/misp-workflows/webhook-listener.py}
+ \item \textbf{online}: \url{requestbin.com} or similar websites
+ \end{itemize}
+ \end{itemize}
+ \begin{center}
+ \includegraphics[width=0.6\linewidth]{pictures/request-bin.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Debugging modules: Re-running workflows}
+ \begin{itemize}
+ \item Try workflows with custom input
+ \item Re-run workflows to ease debugging
+ \end{itemize}
+ \begin{center}
+ \frame{\includegraphics[width=0.55\linewidth]{pictures/running-workflows.png}}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Debugging options}
+ \begin{itemize}
+ \item Workflow \textbf{execution and outcome}
+ \item Individual module \textbf{execution and outcome}
+ \item \textbf{Live} workflow debugging with module inspection
+ \item \textbf{Re-running/testing} workflows with custom data
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Should I migrate to MISP Workflows}
+ I have automation in place using the API/ZMQ. Should I move to Workflows?
+ \vspace{1em}
+ \begin{itemize}
+ \item I have a curation pipeline using the API, should I port it to workflows?
+ \begin{itemize}
+ \item \textbf{No} in general, but WF can be used to start the curation process or perform simple pre-processing
+ \end{itemize}
+ \item What if I want to \textbf{block} some actions
+ \begin{itemize}
+ \item Put the blocking logic in the WF, keep the remaining outside
+ \end{itemize}
+ \item Bottom line is \textbf{Keep it simple} for you to maintain
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Future works}
+ \begin{itemize}
+ \item More action modules \includegraphics[width=12px]{pictures/sc-action-icon.png}
+ \item More logic modules \includegraphics[width=12px]{pictures/sc-condition-icon.png}
+ \item More triggers \includegraphics[width=12px]{pictures/sc-event-icon.png}
+ \item Recursion prevention system
+ \item Improvement for logging
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Final words}
+ \begin{itemize}
+ \item Designed to \textbf{quickly} and \textbf{cheaply} integrate MISP in CTI pipelines
+ \item Waiting for feedback!
+ \begin{itemize}
+ \item New triggers?
+ \item New modules?
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
diff --git a/events/20231114-NATO-MUG-Workflow/misp.pdf b/events/20231114-NATO-MUG-Workflow/misp.pdf
new file mode 100644
index 0000000..f7a3f9d
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/misp.pdf differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/PHP-logo.png b/events/20231114-NATO-MUG-Workflow/pictures/PHP-logo.png
new file mode 100644
index 0000000..296dfe2
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/PHP-logo.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/Screenshot from 2023-07-19 11-49-39.png b/events/20231114-NATO-MUG-Workflow/pictures/Screenshot from 2023-07-19 11-49-39.png
new file mode 100644
index 0000000..bb4019b
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/Screenshot from 2023-07-19 11-49-39.png differ
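Review bot: The "Debugging Workflows: Debug mode" frame offers `\url{requestbin.com}` as the online viewer directly after stating that each node sends data to the URL set in `Plugin.Workflow\_debug\_url`, and gives no caveat that this hands the workflow's data to a third-party service. The same deck uses tlp:red and PAP:RED events as its demo case, so a reader could plausibly point debug mode at a public bin while testing exactly that kind of event (what the payload contains is not shown here, so this is inferred from the slide text). I would add a line under the online item such as `\item \faIcon{exclamation-triangle} Online bins see everything the nodes send: test data only`, and keep the offline listener as the default recommendation. Minor, same hunk: five frame titles read "Fitlering", and the Exercise (3) frame reuses `\setcounter{enumi}{2}`, so its item is numbered 3 like the one in Exercise (2).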
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/Screenshot from 2023-07-19 11-50-12.png b/events/20231114-NATO-MUG-Workflow/pictures/Screenshot from 2023-07-19 11-50-12.png
new file mode 100644
index 0000000..789d8d0
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/Screenshot from 2023-07-19 11-50-12.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/Screenshot from 2023-07-19 11-50-48.png b/events/20231114-NATO-MUG-Workflow/pictures/Screenshot from 2023-07-19 11-50-48.png
new file mode 100644
index 0000000..daee6e0
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/Screenshot from 2023-07-19 11-50-48.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/Screenshot from 2023-07-28 14-44-03.png b/events/20231114-NATO-MUG-Workflow/pictures/Screenshot from 2023-07-28 14-44-03.png
new file mode 100644
index 0000000..4bdf837
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/Screenshot from 2023-07-28 14-44-03.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/action-module-index.png b/events/20231114-NATO-MUG-Workflow/pictures/action-module-index.png
new file mode 100644
index 0000000..faa5397
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/action-module-index.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/action-module.png b/events/20231114-NATO-MUG-Workflow/pictures/action-module.png
new file mode 100644
index 0000000..6b622e8
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/action-module.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/attribute-json.png b/events/20231114-NATO-MUG-Workflow/pictures/attribute-json.png
new file mode 100644
index 0000000..4ad2065
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/attribute-json.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/automation.png b/events/20231114-NATO-MUG-Workflow/pictures/automation.png
new file mode 100644
index 0000000..d628e0f
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/automation.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/belgian-joke.jpeg b/events/20231114-NATO-MUG-Workflow/pictures/belgian-joke.jpeg
new file mode 100644
index 0000000..6deff1b
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/belgian-joke.jpeg differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/belgian-joke2.jpeg b/events/20231114-NATO-MUG-Workflow/pictures/belgian-joke2.jpeg
new file mode 100644
index 0000000..c41fb16
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/belgian-joke2.jpeg differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/blocking-module.png b/events/20231114-NATO-MUG-Workflow/pictures/blocking-module.png
new file mode 100644
index 0000000..f8a817d
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/blocking-module.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/blocking-workflow.png b/events/20231114-NATO-MUG-Workflow/pictures/blocking-workflow.png
new file mode 100644
index 0000000..145cc12
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/blocking-workflow.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/blueprint-1.png b/events/20231114-NATO-MUG-Workflow/pictures/blueprint-1.png
new file mode 100644
index 0000000..1e3acbf
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/blueprint-1.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/blueprint-32.png b/events/20231114-NATO-MUG-Workflow/pictures/blueprint-32.png
new file mode 100644
index 0000000..8d1d4c6
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/blueprint-32.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/blueprint-debugging.png b/events/20231114-NATO-MUG-Workflow/pictures/blueprint-debugging.png
new file mode 100644
index 0000000..c2974e7
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/blueprint-debugging.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/build-icon.png b/events/20231114-NATO-MUG-Workflow/pictures/build-icon.png
new file mode 100644
index 0000000..e58d99c
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/build-icon.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/circl.png b/events/20231114-NATO-MUG-Workflow/pictures/circl.png
new file mode 100644
index 0000000..c570ff2
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/circl.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/craft.jpg b/events/20231114-NATO-MUG-Workflow/pictures/craft.jpg
new file mode 100644
index 0000000..dddafd7
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/craft.jpg differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/ctis.png b/events/20231114-NATO-MUG-Workflow/pictures/ctis.png
new file mode 100644
index 0000000..aef68a5
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/ctis.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/curation-google-safe-browsing.png b/events/20231114-NATO-MUG-Workflow/pictures/curation-google-safe-browsing.png
new file mode 100644
index 0000000..0535dd4
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/curation-google-safe-browsing.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/custom-1.png b/events/20231114-NATO-MUG-Workflow/pictures/custom-1.png
new file mode 100644
index 0000000..afadf8e
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/custom-1.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/custom-2.png b/events/20231114-NATO-MUG-Workflow/pictures/custom-2.png
new file mode 100644
index 0000000..0dad53f
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/custom-2.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/debug-mode.png b/events/20231114-NATO-MUG-Workflow/pictures/debug-mode.png
new file mode 100644
index 0000000..ba7688d
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/debug-mode.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/demo-wf1.png b/events/20231114-NATO-MUG-Workflow/pictures/demo-wf1.png
new file mode 100644
index 0000000..02846ad
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/demo-wf1.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/demo-wf2.png b/events/20231114-NATO-MUG-Workflow/pictures/demo-wf2.png
new file mode 100644
index 0000000..9ea313a
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/demo-wf2.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/editor-1.png b/events/20231114-NATO-MUG-Workflow/pictures/editor-1.png
new file mode 100644
index 0000000..c8c3edf
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/editor-1.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/editor-not-allowed-1.png b/events/20231114-NATO-MUG-Workflow/pictures/editor-not-allowed-1.png
new file mode 100644
index 0000000..d4dc939
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/editor-not-allowed-1.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/editor-not-allowed-2.png b/events/20231114-NATO-MUG-Workflow/pictures/editor-not-allowed-2.png
new file mode 100644
index 0000000..538bb3f
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/editor-not-allowed-2.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/editor-warning-1.png b/events/20231114-NATO-MUG-Workflow/pictures/editor-warning-1.png
new file mode 100644
index 0000000..8370f96
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/editor-warning-1.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/enough-debugging.jpg b/events/20231114-NATO-MUG-Workflow/pictures/enough-debugging.jpg
new file mode 100644
index 0000000..f17c14c
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/enough-debugging.jpg differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/event-condition-action.png b/events/20231114-NATO-MUG-Workflow/pictures/event-condition-action.png
new file mode 100644
index 0000000..0ee3afe
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/event-condition-action.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/example-1a.png b/events/20231114-NATO-MUG-Workflow/pictures/example-1a.png
new file mode 100644
index 0000000..e4df2d5
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/example-1a.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/example-2a.png b/events/20231114-NATO-MUG-Workflow/pictures/example-2a.png
new file mode 100644
index 0000000..ce103af
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/example-2a.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/feeling-of-power.jpg b/events/20231114-NATO-MUG-Workflow/pictures/feeling-of-power.jpg
new file mode 100644
index 0000000..b84c299
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/feeling-of-power.jpg differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/filtering-diagram.png b/events/20231114-NATO-MUG-Workflow/pictures/filtering-diagram.png
new file mode 100644
index 0000000..34393e6
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/filtering-diagram.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/filtering-modules.png b/events/20231114-NATO-MUG-Workflow/pictures/filtering-modules.png
new file mode 100644
index 0000000..9ca53e3
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/filtering-modules.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/first-cti.png b/events/20231114-NATO-MUG-Workflow/pictures/first-cti.png
new file mode 100644
index 0000000..5d8fec1
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/first-cti.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/firstcon23-speaker-banner-hr.jpg b/events/20231114-NATO-MUG-Workflow/pictures/firstcon23-speaker-banner-hr.jpg
new file mode 100644
index 0000000..dcee3a3
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/firstcon23-speaker-banner-hr.jpg differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/frames.png b/events/20231114-NATO-MUG-Workflow/pictures/frames.png
new file mode 100644
index 0000000..1cc6b48
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/frames.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/fundation.png b/events/20231114-NATO-MUG-Workflow/pictures/fundation.png
new file mode 100644
index 0000000..b6c51ae
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/fundation.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/future-works.jpeg b/events/20231114-NATO-MUG-Workflow/pictures/future-works.jpeg
new file mode 100644
index 0000000..874805d
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/future-works.jpeg differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/geekweek75.jpg b/events/20231114-NATO-MUG-Workflow/pictures/geekweek75.jpg
new file mode 100644
index 0000000..799e121
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/geekweek75.jpg differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/getting-started.png b/events/20231114-NATO-MUG-Workflow/pictures/getting-started.png
new file mode 100644
index 0000000..a15f01f
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/getting-started.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/hash-path-diagram.odp b/events/20231114-NATO-MUG-Workflow/pictures/hash-path-diagram.odp
new file mode 100644
index 0000000..7b1bfaa
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/hash-path-diagram.odp differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/infinite-loop.jpg b/events/20231114-NATO-MUG-Workflow/pictures/infinite-loop.jpg
new file mode 100644
index 0000000..a45fff7
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/infinite-loop.jpg differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/log-entry-publish-blocked.png b/events/20231114-NATO-MUG-Workflow/pictures/log-entry-publish-blocked.png
new file mode 100644
index 0000000..9ccb098
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/log-entry-publish-blocked.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/log-entry-publish-success.png b/events/20231114-NATO-MUG-Workflow/pictures/log-entry-publish-success.png
new file mode 100644
index 0000000..2a26119
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/log-entry-publish-success.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/logic-module-index.png b/events/20231114-NATO-MUG-Workflow/pictures/logic-module-index.png
new file mode 100644
index 0000000..c6fe0b3
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/logic-module-index.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/logic-module.png b/events/20231114-NATO-MUG-Workflow/pictures/logic-module.png
new file mode 100644
index 0000000..6a48ce6
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/logic-module.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/misp-core-format.png b/events/20231114-NATO-MUG-Workflow/pictures/misp-core-format.png
new file mode 100644
index 0000000..a9ffe39
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/misp-core-format.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/misp-module-icon.png b/events/20231114-NATO-MUG-Workflow/pictures/misp-module-icon.png
new file mode 100644
index 0000000..6fa189b
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/misp-module-icon.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/module-buffet.png b/events/20231114-NATO-MUG-Workflow/pictures/module-buffet.png
new file mode 100644
index 0000000..8a4a676
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/module-buffet.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/module-concurrent.png b/events/20231114-NATO-MUG-Workflow/pictures/module-concurrent.png
new file mode 100644
index 0000000..ba994b4
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/module-concurrent.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/module-filtering.png b/events/20231114-NATO-MUG-Workflow/pictures/module-filtering.png
new file mode 100644
index 0000000..876d5ad
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/module-filtering.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/module-if-generic.png b/events/20231114-NATO-MUG-Workflow/pictures/module-if-generic.png
new file mode 100644
index 0000000..4068aa3
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/module-if-generic.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/module-type.png b/events/20231114-NATO-MUG-Workflow/pictures/module-type.png
new file mode 100644
index 0000000..d869b9d
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/module-type.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/new-modules.png b/events/20231114-NATO-MUG-Workflow/pictures/new-modules.png
new file mode 100644
index 0000000..2c6924e
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/new-modules.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/no-slides-if-demo.jpg b/events/20231114-NATO-MUG-Workflow/pictures/no-slides-if-demo.jpg
new file mode 100644
index 0000000..aeb155d
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/no-slides-if-demo.jpg differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/no-slides-if-demo2.jpg b/events/20231114-NATO-MUG-Workflow/pictures/no-slides-if-demo2.jpg
new file mode 100644
index 0000000..38bf7f1
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/no-slides-if-demo2.jpg differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/no-slides-if-demo3.jpg b/events/20231114-NATO-MUG-Workflow/pictures/no-slides-if-demo3.jpg
new file mode 100644
index 0000000..61d2a2b
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/no-slides-if-demo3.jpg differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/node-filtering.png b/events/20231114-NATO-MUG-Workflow/pictures/node-filtering.png
new file mode 100644
index 0000000..1878ee9
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/node-filtering.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/node-generic-filter.png b/events/20231114-NATO-MUG-Workflow/pictures/node-generic-filter.png
new file mode 100644
index 0000000..b41a358
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/node-generic-filter.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/non-blocking-workflow.png b/events/20231114-NATO-MUG-Workflow/pictures/non-blocking-workflow.png
new file mode 100644
index 0000000..4ae1495
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/non-blocking-workflow.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/overview.png b/events/20231114-NATO-MUG-Workflow/pictures/overview.png
new file mode 100644
index 0000000..0a5a3d3
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/overview.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/php-joke.jpg b/events/20231114-NATO-MUG-Workflow/pictures/php-joke.jpg
new file mode 100644
index 0000000..0abc16d
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/php-joke.jpg differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/psyduck.jpeg b/events/20231114-NATO-MUG-Workflow/pictures/psyduck.jpeg
new file mode 100644
index 0000000..8e54f30
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/psyduck.jpeg differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/python-joke.png b/events/20231114-NATO-MUG-Workflow/pictures/python-joke.png
new file mode 100644
index 0000000..0ce5189
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/python-joke.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/python-logo.png b/events/20231114-NATO-MUG-Workflow/pictures/python-logo.png
new file mode 100644
index 0000000..2416f26
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/python-logo.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/radar.png b/events/20231114-NATO-MUG-Workflow/pictures/radar.png
new file mode 100644
index 0000000..bbd632b
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/radar.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/recursive-workflow.png b/events/20231114-NATO-MUG-Workflow/pictures/recursive-workflow.png
new file mode 100644
index 0000000..c56eb72
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/recursive-workflow.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/remove-ids-1.png b/events/20231114-NATO-MUG-Workflow/pictures/remove-ids-1.png
new file mode 100644
index 0000000..8e75af2
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/remove-ids-1.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/remove-ids-2-details.png b/events/20231114-NATO-MUG-Workflow/pictures/remove-ids-2-details.png
new file mode 100644
index 0000000..334e567
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/remove-ids-2-details.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/remove-ids-2.png b/events/20231114-NATO-MUG-Workflow/pictures/remove-ids-2.png
new file mode 100644
index 0000000..e455e49
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/remove-ids-2.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/remove-ids-3.png b/events/20231114-NATO-MUG-Workflow/pictures/remove-ids-3.png
new file mode 100644
index 0000000..e5474a1
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/remove-ids-3.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/remove-ids-generic.png b/events/20231114-NATO-MUG-Workflow/pictures/remove-ids-generic.png
new file mode 100644
index 0000000..e9c1933
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/remove-ids-generic.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/request-bin.png b/events/20231114-NATO-MUG-Workflow/pictures/request-bin.png
new file mode 100644
index 0000000..ee355fb
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/request-bin.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/running-workflows.png b/events/20231114-NATO-MUG-Workflow/pictures/running-workflows.png
new file mode 100644
index 0000000..d591c8f
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/running-workflows.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/sc-action-icon.png b/events/20231114-NATO-MUG-Workflow/pictures/sc-action-icon.png
new file mode 100644
index 0000000..2ac49b8
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/sc-action-icon.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/sc-action.png b/events/20231114-NATO-MUG-Workflow/pictures/sc-action.png
new file mode 100644
index 0000000..e8d7a66
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/sc-action.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/sc-condition-icon.png b/events/20231114-NATO-MUG-Workflow/pictures/sc-condition-icon.png
new file mode 100644
index 0000000..f447a5d
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/sc-condition-icon.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/sc-condition.png b/events/20231114-NATO-MUG-Workflow/pictures/sc-condition.png
new file mode 100644
index 0000000..bb24b90
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/sc-condition.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/sc-event-icon.png b/events/20231114-NATO-MUG-Workflow/pictures/sc-event-icon.png
new file mode 100644
index 0000000..d1f70ef
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/sc-event-icon.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/sc-event.png b/events/20231114-NATO-MUG-Workflow/pictures/sc-event.png
new file mode 100644
index 0000000..b58c120
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/sc-event.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/settings-1.png b/events/20231114-NATO-MUG-Workflow/pictures/settings-1.png
new file mode 100644
index 0000000..290851b
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/settings-1.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/settings-2.png b/events/20231114-NATO-MUG-Workflow/pictures/settings-2.png
new file mode 100644
index 0000000..712a31a
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/settings-2.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/simple-workflow.png b/events/20231114-NATO-MUG-Workflow/pictures/simple-workflow.png
new file mode 100644
index 0000000..f494348
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/simple-workflow.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/stateless-execution.png b/events/20231114-NATO-MUG-Workflow/pictures/stateless-execution.png
new file mode 100644
index 0000000..fa513b3
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/stateless-execution.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/time-machine.png b/events/20231114-NATO-MUG-Workflow/pictures/time-machine.png
new file mode 100644
index 0000000..494153a
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/time-machine.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/triggers.png b/events/20231114-NATO-MUG-Workflow/pictures/triggers.png
new file mode 100644
index 0000000..1275546
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/triggers.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/two-paths.jpeg b/events/20231114-NATO-MUG-Workflow/pictures/two-paths.jpeg
new file mode 100644
index 0000000..93542ca
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/two-paths.jpeg differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/upgrade-people.jpeg b/events/20231114-NATO-MUG-Workflow/pictures/upgrade-people.jpeg
new file mode 100644
index 0000000..1e6ddde
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/upgrade-people.jpeg differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/whoami-adulau.png b/events/20231114-NATO-MUG-Workflow/pictures/whoami-adulau.png
new file mode 100644
index 0000000..d960fd4
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/whoami-adulau.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/whoami.png b/events/20231114-NATO-MUG-Workflow/pictures/whoami.png
new file mode 100644
index 0000000..eba7518
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/whoami.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/whoami2.png b/events/20231114-NATO-MUG-Workflow/pictures/whoami2.png
new file mode 100644
index 0000000..46066cd
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/whoami2.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/whoarewe.png b/events/20231114-NATO-MUG-Workflow/pictures/whoarewe.png
new file mode 100644
index 0000000..a2377fe
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/whoarewe.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/workflow-debug.png b/events/20231114-NATO-MUG-Workflow/pictures/workflow-debug.png
new file mode 100644
index 0000000..a2a932f
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/workflow-debug.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/workflow-experimental.png b/events/20231114-NATO-MUG-Workflow/pictures/workflow-experimental.png
new file mode 100644
index 0000000..96e05ec
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/workflow-experimental.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/workflow-release.png b/events/20231114-NATO-MUG-Workflow/pictures/workflow-release.png
new file mode 100644
index 0000000..1eef024
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/workflow-release.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/workflow-trigger.png b/events/20231114-NATO-MUG-Workflow/pictures/workflow-trigger.png
new file mode 100644
index 0000000..9ea7fad
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/workflow-trigger.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/pictures/zeromq.png b/events/20231114-NATO-MUG-Workflow/pictures/zeromq.png
new file mode 100644
index 0000000..970e9fc
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/pictures/zeromq.png differ
diff --git a/events/20231114-NATO-MUG-Workflow/slide.pdf b/events/20231114-NATO-MUG-Workflow/slide.pdf
new file mode 100644
index 0000000..d994d15
Binary files /dev/null and b/events/20231114-NATO-MUG-Workflow/slide.pdf differ
diff --git a/events/20231114-NATO-MUG-Workflow/slide.tex b/events/20231114-NATO-MUG-Workflow/slide.tex
new file mode 100644
index 0000000..77ed0e6
--- /dev/null
+++ b/events/20231114-NATO-MUG-Workflow/slide.tex
@@ -0,0 +1,75 @@
+\documentclass{beamer}
+\usetheme[numbering=progressbar]{focus}
+\definecolor{main}{RGB}{47, 161, 219}
+\definecolor{textcolor}{RGB}{128, 128, 128}
+\definecolor{background}{RGB}{240, 247, 255}
+
+% \usepackage{pgfpages}
+% \setbeameroption{show notes on second screen=right}
+\usepackage[draft]{pdfcomment}
+\newcommand{\pdfnote}[1]{\marginnote{\pdfcomment[icon=note]{#1}}}
+
+\usepackage[utf8]{inputenc}
+\usepackage[normalem]{ulem}
+\usepackage{tikz}
+\usepackage{listings}
+\usepackage{fontawesome5}
+\usepackage[export]{adjustbox}
+\usepackage{fourier}
+\usetikzlibrary{positioning}
+\usetikzlibrary{shapes,arrows}
+
+\newcommand\Wider[2][3em]{%
+\makebox[\linewidth][c]{%
+ \begin{minipage}{\dimexpr\textwidth+#1\relax}
+ \raggedright#2
+ \end{minipage}%
+ }%
+}
+
+
+\lstdefinelanguage{javascript}{
+ basicstyle=\scriptsize,
+ numbers=left,
+ numberstyle=\scriptsize,
+ stepnumber=1,
+ numbersep=5pt,
+ showstringspaces=false,
+ breaklines=true,
+ frame=lines,
+ keywords={typeof, new, true, false, catch, function, return, null, catch, switch, var, if, in, while, do, else, case, break},
+ %keywordstyle=\color{blue}\bfseries,
+ ndkeywords={class, export, boolean, throw, implements, import, this},
+ ndkeywordstyle=\color{darkgray}\bfseries,
+ identifierstyle=\color{black},
+ sensitive=false,
+ comment=[l]{//},
+ morecomment=[s]{/*}{*/},
+ commentstyle=\color{purple}\ttfamily,
+ stringstyle=\color{purple}\ttfamily,
+ morestring=[b]',
+ morestring=[b]"
+}
+\lstdefinelanguage{text}{
+ basicstyle=\scriptsize,
+ numbers=left,
+ numberstyle=\scriptsize,
+ stepnumber=1,
+ numbersep=5pt,
+ showstringspaces=false,
+ breaklines=true,
+ frame=lines
+}
+
+\title{Automation with Workflows in MISP}
+\subtitle{Advanced version}
+\author{Sami Mokaddem}
+\date{}
+\titlegraphic{\vspace*{1em}\includegraphics[scale=0.3]{misp.pdf}\\}
+\institute{MISP Project \\ \url{https://www.misp-project.org/}}
+
+
+\begin{document}
+\include{content}
+\end{document}
+
diff --git a/events/20231114-NATO-MUG-Workflow/slide_handout.tex b/events/20231114-NATO-MUG-Workflow/slide_handout.tex
new file mode 100644
index 0000000..8ce0d80
--- /dev/null
+++ b/events/20231114-NATO-MUG-Workflow/slide_handout.tex
@@ -0,0 +1,68 @@
+\documentclass{beamer}
+\usetheme[numbering=progressbar]{focus}
+\definecolor{main}{RGB}{47, 161, 219}
+\definecolor{textcolor}{RGB}{128, 128, 128}
+\definecolor{background}{RGB}{240, 247, 255}
+
+% \usepackage{pgfpages}
+% \setbeameroption{show notes on second screen=right}
+\usepackage[draft]{pdfcomment}
+\newcommand{\pdfnote}[1]{\marginnote{\pdfcomment[icon=note]{#1}}}
+
+\usepackage{pgfpages}
+\setbeameroption{show notes on second screen=right}
+\usepackage[utf8]{inputenc}
+\usepackage[normalem]{ulem}
+\usepackage{tikz}
+\usepackage{listings}
+\usepackage{fontawesome5}
+\usepackage[export]{adjustbox}
+\usepackage{fourier}
+\usetikzlibrary{positioning}
+\usetikzlibrary{shapes,arrows}
+
+\lstdefinelanguage{javascript}{
+ basicstyle=\scriptsize,
+ numbers=left,
+ numberstyle=\scriptsize,
+ stepnumber=1,
+ numbersep=5pt,
+ showstringspaces=false,
+ breaklines=true,
+ frame=lines,
+ keywords={typeof, new, true, false, catch, function, return, null, catch, switch, var, if, in, while, do, else, case, break},
+ %keywordstyle=\color{blue}\bfseries,
+ ndkeywords={class, export, boolean, throw, implements, import, this},
+ ndkeywordstyle=\color{darkgray}\bfseries,
+ identifierstyle=\color{black},
+ sensitive=false,
+ comment=[l]{//},
+ morecomment=[s]{/*}{*/},
+ commentstyle=\color{purple}\ttfamily,
+ stringstyle=\color{purple}\ttfamily,
+ morestring=[b]',
+ morestring=[b]"
+}
+\lstdefinelanguage{text}{
+ basicstyle=\scriptsize,
+ numbers=left,
+ numberstyle=\scriptsize,
+ stepnumber=1,
+ numbersep=5pt,
+ showstringspaces=false,
+ breaklines=true,
+ frame=lines
+}
+
+\title{Automation in MISP}
+\subtitle{Tutorial and Hands-On}
+\author{Sami Mokaddem}
+\date{}
+\titlegraphic{\vspace*{1em}\includegraphics[scale=0.3]{misp.pdf}\\}
+\institute{MISP Project \\ \url{https://www.misp-project.org/}}
+
+
+\begin{document}
+\include{content}
+\end{document}
+
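Review bot: slide_handout.tex does not carry the `\Wider` macro that slide.tex defines in its preamble, although both files end in `\include{content}`; if content.tex (not visible in this part of the diff) uses `\Wider`, the handout build would stop on an undefined control sequence. The `\title{Automation in MISP}` and `\subtitle{Tutorial and Hands-On}` lines also differ from the deck's `\title{Automation with Workflows in MISP}` and `\subtitle{Advanced version}`, which looks like a leftover from the deck this preamble was copied from. The two preambles are otherwise near line-for-line duplicates, so loading a shared file from both with something like `\input{preamble}` (file name is a placeholder) would keep them from drifting further. Only the `\usepackage{pgfpages}` and `\setbeameroption{show notes on second screen=right}` lines need to stay handout-specific.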