diff --git a/README.md b/README.md
index a450098..905d2f4 100644
--- a/README.md
+++ b/README.md
@@ -29,13 +29,19 @@ given to the materials. We welcome contributions in order to improve the trainin
 | [a.2-pymisp](https://www.misp-project.org/misp-training/a.2-pymisp.pdf) | [source](https://github.com/MISP/misp-training/tree/master/a.2-pymisp) |
 | [a.3-misp-feed](https://www.misp-project.org/misp-training/a.3-misp-feed.pdf) | [source](https://github.com/MISP/misp-training/tree/master/a.3-misp-feed) |
 | [a.4-best-practices](https://www.misp-project.org/misp-training/a.4-best-practices.pdf) | [source](https://github.com/MISP/misp-training/tree/master/a.4-best-practices) |
-| [a.5-decaying-indicators](https://www.misp-project.org/misp-training/a.5-bis-decaying-indicators-light-version.pdf) | [source](https://github.com/MISP/misp-training/tree/master/a.5-bis-decaying-indicators-light-version) |
+| [a.5-decaying-indicators](https://www.misp-project.org/misp-training/a.5-decaying-indicators.pdf) | [source](https://github.com/MISP/misp-training/tree/master/a.5-decaying-indicators) |
+| [a.5-bis-decaying-indicators-light-version](https://www.misp-project.org/misp-training/a.5-bis-decaying-indicators-light-version.pdf) | [source](https://github.com/MISP/misp-training/tree/master/a.5-bis-decaying-indicators-light-version) |
 | [a.6-forensic](https://www.misp-project.org/misp-training/a.6-forensic.pdf) | [source](https://github.com/MISP/misp-training/tree/master/a.6-forensic) |
 | [a.7-rest-API](https://www.misp-project.org/misp-training/a.7-rest-API.pdf) | [source](https://github.com/MISP/misp-training/tree/master/a.7-rest-API) |
-| [a.8-dev-hands-on.pdf](https://www.misp-project.org/misp-training/a.8-dev-hands-on.pdf) | [source](https://github.com/MISP/misp-training/tree/master/a.8-dev-hands-on) |
-| [a.9-restsearch-dev.pdf](https://www.misp-project.org/misp-training/a.9-restsearch-dev.pdf) |[source](https://github.com/MISP/misp-training/tree/master/a.9-restsearch-dev) |
-| [b.1-best-practices-in-threat-intelligence](https://www.misp-project.org/misp-training/b.1-best-practices-in-threat-intelligence.pdf) | [source](https://github.com/MISP/misp-training/tree/master/b.1-best-practices-in-threat-intelligence)
-| [b.2-turning-data-into-actionable-intelligence](https://www.misp-project.org/misp-training/b.2-turning-data-into-actionable-intelligence.pdf) | [source](https://github.com/MISP/misp-training/tree/master/b.2-turning-data-into-actionable-intelligence)
+| [b.1-best-practices-in-threat-intelligence](https://www.misp-project.org/misp-training/b.1-best-practices-in-threat-intelligence.pdf) | [source](https://github.com/MISP/misp-training/tree/master/b.1-best-practices-in-threat-intelligence) |
+| [a.8-dev-hands-on](https://www.misp-project.org/misp-training/a.8-dev-hands-on.pdf) | [source](https://github.com/MISP/misp-training/tree/master/a.8-dev-hands-on) |
+| [a.9-restsearch-dev](https://www.misp-project.org/misp-training/a.9-restsearch-dev.pdf) | [source](https://github.com/MISP/misp-training/tree/master/a.9-restsearch-dev) |
+| [a.10-galaxy-2.0](https://www.misp-project.org/misp-training/a.10-galaxy-2.0.pdf) | [source](https://github.com/MISP/misp-training/tree/master/a.10-galaxy-2.0) |
+| [a.11-misp-data-model](https://www.misp-project.org/misp-training/a.11-misp-data-model.pdf) | [source](https://github.com/MISP/misp-training/tree/master/a.11-misp-data-model) |
+| [a.a-widget-dev](https://www.misp-project.org/misp-training/a.a-widget-dev.pdf) | [source](https://github.com/MISP/misp-training/tree/master/a.a-widget-dev) |
+| [b.2-turning-data-into-actionable-intelligence](https://www.misp-project.org/misp-training/b.2-turning-data-into-actionable-intelligence.pdf) | [source](https://github.com/MISP/misp-training/tree/master/b.2-turning-data-into-actionable-intelligence) |
+| [4-misp-standard](https://www.misp-project.org/misp-training/4-misp-standard.pdf) | 
[source](https://github.com/MISP/misp-training/tree/master/4-misp-standard) |
+
 ### Complementary materials
diff --git a/a.10-galaxy-2.0/content.tex b/a.10-galaxy-2.0/content.tex
index 4aeae55..81e7e4a 100644
--- a/a.10-galaxy-2.0/content.tex
+++ b/a.10-galaxy-2.0/content.tex
@@ -18,37 +18,65 @@ Galaxy 2.0 introduces various new features for \textit{Galaxies} and their \textit{Clusters} allowing: \begin{itemize} \item Creation of \textbf{custom} \textit{Clusters} - \item ACL on \textit{Clusters} + \item \textbf{ACL} on \textit{Clusters} \item \textbf{Connection} of \textit{Clusters} via \textit{Relations} \item \textbf{Synchronization} to connected instances. \item \textbf{Visualization} of forks and relationships \end{itemize} \end{frame} +\begin{frame} + \frametitle{Default Galaxy clusters} + {\bf Default} {\it Galaxy cluster} + \begin{itemize} + \item Coming from the \texttt{misp-galaxy} repository\footnote{\url{https://github.com/MISP/misp-galaxy}} + \item Cannot be edited + \begin{itemize} + \item Only way to provide modification is to modify the stored JSON or to open a pull request + \item Are not synchronized + \item Source of trust + \end{itemize} + \item Restrictions propagate to their children (\texttt{Galaxy cluster elements}, \texttt{Cluster relationships}) + \end{itemize} + + \vspace{0.5em} + {\bf Custom} {\it Galaxy cluster} + \begin{itemize} + \item Can be created via the UI or API + \item Belongs to an organisation + \begin{itemize} + \item Fully editable + \item Are synchronized + \end{itemize} + \end{itemize} +\end{frame} + \begin{frame} - \frametitle{MISP Galaxy 2.0 - New \textit{Cluster} fields} + \frametitle{MISP Galaxy 2.0 - Comparison with prior version} \textit{Clusters} and \textit{Relations} can be edited. 
\begin{itemize} \item New \textit{Clusters} fields - \item \texttt{distribution}, \texttt{sharing\_group\_id} - \item \texttt{org\_id}, \texttt{orgc\_id} - \item \texttt{locked}, \texttt{published}, \texttt{deleted} - \item \texttt{default} \begin{itemize} - \item \textit{Clusters} coming from the \texttt{misp-galaxies} repository are marked as default - \item Not synchronized - \end{itemize} - \begin{itemize} - \item Same purpose as \textit{Events}s \texttt{locked} - \end{itemize} - \item \texttt{extends\_uuid} - \begin{itemize} - \item Point to the \textit{Cluster} that has been forked - \end{itemize} - \item \texttt{extends\_version} - \begin{itemize} - \item Keep track of the \textit{Cluster} version that has been forked + \item \texttt{distribution}, \texttt{sharing\_group\_id} + \item \texttt{org\_id}, \texttt{orgc\_id} + \item \texttt{locked}, \texttt{published}, \texttt{deleted} + \item \texttt{default} + \begin{itemize} + \item \textit{Clusters} coming from the \texttt{misp-galaxies} repository are marked as default + \item Not synchronized + \end{itemize} + \begin{itemize} + \item Same purpose as \textit{Event}'s \texttt{locked} field + \end{itemize} + \item \texttt{extends\_uuid} + \begin{itemize} + \item Point to the \textit{Cluster} that has been forked + \end{itemize} + \item \texttt{extends\_version} + \begin{itemize} + \item Keep track of the \textit{Cluster} version that has been forked + \end{itemize} \end{itemize} \end{itemize} \end{frame} @@ -58,7 +86,7 @@ \begin{itemize} \item \textit{Role} \texttt{perm\_galaxy\_editor} \item Relations also have a \texttt{distribution} and can have \textit{Tags} - \item Servers have 2 new flags + \item Synchronization servers have 2 new flags \begin{itemize} \item \texttt{pull\_galaxy\_clusters} \item \texttt{push\_galaxy\_clusters} 
@@ -84,16 +112,21 @@ \begin{frame} \frametitle{Features in depth: Visualization} - Tree view of forked Clusters \includegraphics[scale=0.5]{pics/cluster-forks} - - - \includegraphics[width=1.0\linewidth]{pics/cluster-forks-tree} + Tree view of forked Clusters + \includegraphics[scale=0.5]{pics/cluster-forks} + \vspace{0.5em} + \begin{center} + \includegraphics[width=1.0\linewidth]{pics/cluster-forks-tree} + \end{center} \end{frame} \begin{frame} \frametitle{Features in depth: Visualization} Tree and network views for Relations between Clusters - \includegraphics[width=1.0\linewidth]{pics/cluster-relations} + \vspace{0.5em} + \begin{center} + \includegraphics[width=1.0\linewidth]{pics/cluster-relations} + \end{center} \end{frame} \begin{frame} 
@@ -103,9 +136,35 @@ \end{frame} \begin{frame} - \frametitle{Features in depth: Synchronization} - Own synchronization mechanism which can be enabled with the \texttt{pull\_galaxy\_cluster} and \texttt{push\_galaxy\_cluster} flags + \frametitle{Galaxy cluster elements} + Hasn't been touched: Still a key-value stored. But new feature have been added\footnote{Will be included in next release} + \vspace{0.5em} + Tabular view + \begin{itemize} + \item Allows you to browse {\bf cluster elements} like before + \end{itemize} + \begin{center} + \includegraphics[width=1.0\linewidth]{pics/tabular-view.png} + \end{center} +\end{frame} + +\begin{frame} + \frametitle{Galaxy cluster elements} + JSON view + \begin{itemize} + \item Allows you to visualisation {\bf cluster element} in a JSON structure + \item Allows you to convert any JSON into {\bf cluster elements} enabling searches and correlations + \end{itemize} + \begin{center} + \includegraphics[width=1.0\linewidth]{pics/json-view.png} + \end{center} +\end{frame} + +\begin{frame} + \frametitle{Synchronization in depth} + Has its own synchronization mechanism which can be enabled with the \texttt{pull\_galaxy\_cluster} and \texttt{push\_galaxy\_cluster} flags + \vspace{0.5em} \begin{itemize} \item \textbf{Pull All}: Pull all remote Clusters (similar to event's pull all) \item \textbf{Pull Update}: Update local Clusters (similar to event's pull update) 
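Review bot: The new "Synchronization in depth" frame names the flags `\texttt{pull\_galaxy\_cluster}` and `\texttt{push\_galaxy\_cluster}`, while the "Synchronization servers have 2 new flags" frame earlier in this file lists them as `\texttt{pull\_galaxy\_clusters}` and `\texttt{push\_galaxy\_clusters}`; one spelling is wrong, and an administrator who pastes the wrong name into a server configuration or API call will silently get no cluster sync at all. Check which spelling the MISP server model actually uses and use it in both frames. The same hunk also needs wording fixes on the "Galaxy cluster elements" frames: `Still a key-value stored. But new feature have been added` should read `Still a key-value store, but new features have been added`, and `Allows you to visualisation {\bf cluster element}` should read `Allows you to visualise {\bf cluster elements}`.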
@@ -113,49 +172,3 @@ \item \textbf{Push}: Triggered whenever a Cluster is published or via standard push \end{itemize} \end{frame} - -\begin{frame} - \frametitle{New views factories \& elements} - \begin{itemize} - \item\texttt{GenericForm.simpleFieldAllowedList} - \begin{itemize} - \item \texttt{checked}, \texttt{multiple}, \texttt{selected}, \texttt{legend}, \texttt{disabled}, - \end{itemize} - \item\texttt{IndexTable.booleanOrNA} - \begin{itemize} - \item Displays icons or N/A - \end{itemize} - \item\texttt{IndexTable.galaxy\_cluster\_link} - \begin{itemize} - \item Display basic galaxy cluster info in a compact way (\texttt{galaxy\_type :: cluster\_value} + Hover) - \end{itemize} - \item\texttt{IndexTable.in\_and\_out\_counts} - \begin{itemize} - \item Display \# of outbound and \# of inbound (This \textit{Cluster} has \# relations) - \end{itemize} - \item\texttt{IndexTable.tree} - \begin{itemize} - \item Generate a tree like hierarchy (Root cluster and its forks) - \end{itemize} - \end{itemize} -\end{frame} - -\begin{frame} - \frametitle{Synchronization edge cases} - \begin{itemize} - \item Missing galaxy on the remote end - \begin{itemize} - \item[$\rightarrow$] Capture it - \end{itemize} - \end{itemize} -\end{frame} - -\begin{frame} - \frametitle{Impossible due to design} - \begin{itemize} - \item Share \textit{Galaxy Matrix} - \begin{itemize} - \item[$\rightarrow$] Can only be insterted in an existing \textit{galaxy} matrix as the layout is defined at the \textit{galaxy} level - \end{itemize} - \end{itemize} -\end{frame} diff --git a/a.10-galaxy-2.0/misp.pdf b/a.10-galaxy-2.0/misp.pdf new file mode 100644 index 0000000..f7a3f9d Binary files /dev/null and b/a.10-galaxy-2.0/misp.pdf differ diff --git a/a.10-galaxy-2.0/pics/json-view.png b/a.10-galaxy-2.0/pics/json-view.png new file mode 100644 index 0000000..24b08e9 Binary files /dev/null and b/a.10-galaxy-2.0/pics/json-view.png differ 
diff --git a/a.10-galaxy-2.0/pics/tabular-view.png b/a.10-galaxy-2.0/pics/tabular-view.png
new file mode 100644
index 0000000..03c30e0
Binary files /dev/null and b/a.10-galaxy-2.0/pics/tabular-view.png differ
diff --git a/build.sh b/build.sh
index 899cda5..ebdd76b 100755
--- a/build.sh
+++ b/build.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 #
-slidedecks=("0-misp-introduction-to-information-sharing" "1-misp-usage" "1.2-misp-integration" "1.1-misp-viper-integration" "1.2.1-misp-integration-mail2misp" "2-misp-administration" "3-misp-taxonomy-tagging" "3.1-misp-modules" "3.2-misp-galaxy" "3.3-misp-object-template" "6.0-misp-dashboard" "a.0-contributing" "a.1-devintro" "a.2-pymisp" "a.3-misp-feed" "a.4-best-practices" "a.5-decaying-indicators" "a.5-bis-decaying-indicators-light-version" "a.6-forensic" "a.7-rest-API" "b.1-best-practices-in-threat-intelligence" "a.8-dev-hands-on" "a.9-restsearch-dev" "a.a-widget-dev" "b.2-turning-data-into-actionable-intelligence" "4-misp-standard")
+slidedecks=("0-misp-introduction-to-information-sharing" "1-misp-usage" "1.2-misp-integration" "1.1-misp-viper-integration" "1.2.1-misp-integration-mail2misp" "2-misp-administration" "3-misp-taxonomy-tagging" "3.1-misp-modules" "3.2-misp-galaxy" "3.3-misp-object-template" "6.0-misp-dashboard" "a.0-contributing" "a.1-devintro" "a.2-pymisp" "a.3-misp-feed" "a.4-best-practices" "a.5-decaying-indicators" "a.5-bis-decaying-indicators-light-version" "a.6-forensic" "a.7-rest-API" "b.1-best-practices-in-threat-intelligence" "a.8-dev-hands-on" "a.9-restsearch-dev" "a.10-galaxy-2.0" "a.11-misp-data-model" "a.a-widget-dev" "b.2-turning-data-into-actionable-intelligence" "4-misp-standard")
 mkdir output
 export TEXINPUTS=::`pwd`/themes/
 echo ${TEXINPUTS}
@@ -55,6 +55,7 @@ done
 echo ${listofpdf}
 pdfunite ${listofpdf} cheatsheet.pdf usage.pdf ack.pdf ../misp-training.pdf
+cp ../misp-training.pdf .
 cd ..
 exiftool -overwrite_original_in_place -Title="MISP Training and Slide Decks" -Author="CIRCL Computer Incident Response Center Luxembourg" -Subject="MISP Threat Intelligence Platform Training Materials" -Keywords="MISP Threat Intelligence CTI STIX information sharing yara sigma suricata snort bro openioc threat-actor TIP threat intelligence platform circl.lu training cybersecurity MISPProject" misp-training.pdf
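Review bot: The added `cp ../misp-training.pdf .` runs before the `exiftool -overwrite_original_in_place ...` call two lines later rewrites `../misp-training.pdf`, so the copy left in the working directory never receives the Title/Author/Subject/Keywords metadata and the two files that look like the same deliverable differ in content and hash. Move the copy after the metadata step, e.g. drop the added line and append `cp misp-training.pdf output/` after the `exiftool` line (the working directory here appears to be the `output` created at the top of the script, but confirm). Nothing in the visible lines stops the script on error and no `set -e` is visible in the script head, so if `pdfunite` fails the `cp` will still copy whatever stale `../misp-training.pdf` a previous build left behind; `pdfunite ${listofpdf} cheatsheet.pdf usage.pdf ack.pdf ../misp-training.pdf || exit 1` keeps a broken build from being published as the training deck.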