Merge branch 'main' of github.com:MISP/misp-training into main

README.md

@@ -29,13 +29,19 @@ given to the materials. We welcome contributions in order to improve the trainin
 | [a.2-pymisp](https://www.misp-project.org/misp-training/a.2-pymisp.pdf) | [source](https://github.com/MISP/misp-training/tree/master/a.2-pymisp) |
 | [a.3-misp-feed](https://www.misp-project.org/misp-training/a.3-misp-feed.pdf) | [source](https://github.com/MISP/misp-training/tree/master/a.3-misp-feed) |
 | [a.4-best-practices](https://www.misp-project.org/misp-training/a.4-best-practices.pdf) | [source](https://github.com/MISP/misp-training/tree/master/a.4-best-practices) |
-| [a.5-decaying-indicators](https://www.misp-project.org/misp-training/a.5-bis-decaying-indicators-light-version.pdf) | [source](https://github.com/MISP/misp-training/tree/master/a.5-bis-decaying-indicators-light-version) |
+| [a.5-decaying-indicators](https://www.misp-project.org/misp-training/a.5-decaying-indicators.pdf) | [source](https://github.com/MISP/misp-training/tree/master/a.5-decaying-indicators) |
+| [a.5-bis-decaying-indicators-light-version](https://www.misp-project.org/misp-training/a.5-bis-decaying-indicators-light-version.pdf) | [source](https://github.com/MISP/misp-training/tree/master/a.5-bis-decaying-indicators-light-version) |
 | [a.6-forensic](https://www.misp-project.org/misp-training/a.6-forensic.pdf) | [source](https://github.com/MISP/misp-training/tree/master/a.6-forensic) |
 | [a.7-rest-API](https://www.misp-project.org/misp-training/a.7-rest-API.pdf) | [source](https://github.com/MISP/misp-training/tree/master/a.7-rest-API) |
-| [a.8-dev-hands-on.pdf](https://www.misp-project.org/misp-training/a.8-dev-hands-on.pdf) | [source](https://github.com/MISP/misp-training/tree/master/a.8-dev-hands-on) |
+| [b.1-best-practices-in-threat-intelligence](https://www.misp-project.org/misp-training/b.1-best-practices-in-threat-intelligence.pdf) | [source](https://github.com/MISP/misp-training/tree/master/b.1-best-practices-in-threat-intelligence) |
-| [a.9-restsearch-dev.pdf](https://www.misp-project.org/misp-training/a.9-restsearch-dev.pdf) |[source](https://github.com/MISP/misp-training/tree/master/a.9-restsearch-dev) |
+| [a.8-dev-hands-on](https://www.misp-project.org/misp-training/a.8-dev-hands-on.pdf) | [source](https://github.com/MISP/misp-training/tree/master/a.8-dev-hands-on) |
-| [b.1-best-practices-in-threat-intelligence](https://www.misp-project.org/misp-training/b.1-best-practices-in-threat-intelligence.pdf) | [source](https://github.com/MISP/misp-training/tree/master/b.1-best-practices-in-threat-intelligence)
+| [a.9-restsearch-dev](https://www.misp-project.org/misp-training/a.9-restsearch-dev.pdf) | [source](https://github.com/MISP/misp-training/tree/master/a.9-restsearch-dev) |
-| [b.2-turning-data-into-actionable-intelligence](https://www.misp-project.org/misp-training/b.2-turning-data-into-actionable-intelligence.pdf) | [source](https://github.com/MISP/misp-training/tree/master/b.2-turning-data-into-actionable-intelligence)
+| [a.10-galaxy-2.0](https://www.misp-project.org/misp-training/a.10-galaxy-2.0.pdf) | [source](https://github.com/MISP/misp-training/tree/master/a.10-galaxy-2.0) |
+| [a.11-misp-data-model](https://www.misp-project.org/misp-training/a.11-misp-data-model.pdf) | [source](https://github.com/MISP/misp-training/tree/master/a.11-misp-data-model) |
+| [a.a-widget-dev](https://www.misp-project.org/misp-training/a.a-widget-dev.pdf) | [source](https://github.com/MISP/misp-training/tree/master/a.a-widget-dev) |
+| [b.2-turning-data-into-actionable-intelligence](https://www.misp-project.org/misp-training/b.2-turning-data-into-actionable-intelligence.pdf) | [source](https://github.com/MISP/misp-training/tree/master/b.2-turning-data-into-actionable-intelligence) |
+| [4-misp-standard](https://www.misp-project.org/misp-training/4-misp-standard.pdf) | [source](https://github.com/MISP/misp-training/tree/master/4-misp-standard) |
+
 
 ### Complementary materials
 

a.10-galaxy-2.0/content.tex

@@ -18,37 +18,65 @@
     Galaxy 2.0 introduces various new features for \textit{Galaxies} and their \textit{Clusters} allowing:
     \begin{itemize}
         \item Creation of \textbf{custom} \textit{Clusters}
-        \item ACL on \textit{Clusters}
+        \item \textbf{ACL} on \textit{Clusters}
         \item \textbf{Connection} of \textit{Clusters} via \textit{Relations}
         \item \textbf{Synchronization} to connected instances.
         \item \textbf{Visualization} of forks and relationships
     \end{itemize}
 \end{frame}
 
+\begin{frame}
+    \frametitle{Default Galaxy clusters}
+    {\bf Default} {\it Galaxy cluster} 
+    \begin{itemize}
+        \item Coming from the \texttt{misp-galaxy} repository\footnote{\url{https://github.com/MISP/misp-galaxy}}
+        \item Cannot be edited
+        \begin{itemize}
+            \item Only way to provide modification is to modify the stored JSON or to open a pull request
+            \item Are not synchronized
+            \item Source of trust
+        \end{itemize}
+        \item Restrictions propagate to their children (\texttt{Galaxy cluster elements}, \texttt{Cluster relationships})
+    \end{itemize}
+
+    \vspace{0.5em}
+    {\bf Custom} {\it Galaxy cluster} 
+    \begin{itemize}
+        \item Can be created via the UI or API
+        \item Belongs to an organisation
+        \begin{itemize}
+            \item Fully editable
+            \item Are synchronized
+        \end{itemize}
+    \end{itemize}
+\end{frame}
+
 
 \begin{frame}
-    \frametitle{MISP Galaxy 2.0 - New \textit{Cluster} fields}
+    \frametitle{MISP Galaxy 2.0 - Comparison with prior version}
     \textit{Clusters} and \textit{Relations} can be edited.
     \begin{itemize}
         \item New \textit{Clusters} fields
-        \item \texttt{distribution}, \texttt{sharing\_group\_id}
-        \item \texttt{org\_id}, \texttt{orgc\_id}
-        \item \texttt{locked}, \texttt{published}, \texttt{deleted}
-        \item \texttt{default}
         \begin{itemize}
-            \item \textit{Clusters} coming from the \texttt{misp-galaxies} repository are marked as default
+            \item \texttt{distribution}, \texttt{sharing\_group\_id}
-            \item Not synchronized
+            \item \texttt{org\_id}, \texttt{orgc\_id}
-        \end{itemize}
+            \item \texttt{locked}, \texttt{published}, \texttt{deleted}
-        \begin{itemize}
+            \item \texttt{default}
-            \item Same purpose as \textit{Events}s \texttt{locked}
+            \begin{itemize}
-        \end{itemize}
+                \item \textit{Clusters} coming from the \texttt{misp-galaxies} repository are marked as default
-        \item \texttt{extends\_uuid}
+                \item Not synchronized
-        \begin{itemize}
+            \end{itemize}
-            \item Point to the \textit{Cluster} that has been forked
+            \begin{itemize}
-        \end{itemize}
+                \item Same purpose as \textit{Event}'s \texttt{locked} field
-        \item \texttt{extends\_version}
+            \end{itemize}
-        \begin{itemize}
+            \item \texttt{extends\_uuid}
-            \item Keep track of the \textit{Cluster} version that has been forked
+            \begin{itemize}
+                \item Point to the \textit{Cluster} that has been forked
+            \end{itemize}
+            \item \texttt{extends\_version}
+            \begin{itemize}
+                \item Keep track of the \textit{Cluster} version that has been forked
+            \end{itemize}
         \end{itemize}
     \end{itemize}
 \end{frame}
@@ -58,7 +86,7 @@
     \begin{itemize}
         \item \textit{Role} \texttt{perm\_galaxy\_editor}
         \item Relations also have a \texttt{distribution} and can have \textit{Tags}
-        \item Servers have 2 new flags
+        \item Synchronization servers have 2 new flags
         \begin{itemize}
             \item \texttt{pull\_galaxy\_clusters}
             \item \texttt{push\_galaxy\_clusters}
@@ -84,16 +112,21 @@
 
 \begin{frame}
     \frametitle{Features in depth: Visualization}
-    Tree view of forked Clusters \includegraphics[scale=0.5]{pics/cluster-forks}
+    Tree view of forked Clusters
-
+    \includegraphics[scale=0.5]{pics/cluster-forks}
-
+    \vspace{0.5em}
-    \includegraphics[width=1.0\linewidth]{pics/cluster-forks-tree}
+    \begin{center}
+        \includegraphics[width=1.0\linewidth]{pics/cluster-forks-tree}
+    \end{center}
 \end{frame}
 
 \begin{frame}
     \frametitle{Features in depth: Visualization}
     Tree and network views for Relations between Clusters
-    \includegraphics[width=1.0\linewidth]{pics/cluster-relations}
+    \vspace{0.5em}
+    \begin{center}
+        \includegraphics[width=1.0\linewidth]{pics/cluster-relations}
+    \end{center}
 \end{frame}
 
 \begin{frame}
@@ -103,9 +136,35 @@
 \end{frame}
 
 \begin{frame}
-    \frametitle{Features in depth: Synchronization}
+    \frametitle{Galaxy cluster elements}
-    Own synchronization mechanism which can be enabled with the \texttt{pull\_galaxy\_cluster} and \texttt{push\_galaxy\_cluster} flags
+    Hasn't been touched: Still a key-value stored. But new feature have been added\footnote{Will be included in next release}
+    \vspace{0.5em}
 
+    Tabular view
+    \begin{itemize}
+        \item Allows you to browse {\bf cluster elements} like before
+    \end{itemize}
+    \begin{center}
+        \includegraphics[width=1.0\linewidth]{pics/tabular-view.png}
+    \end{center}
+\end{frame}
+
+\begin{frame}
+    \frametitle{Galaxy cluster elements}
+    JSON view
+    \begin{itemize}
+        \item Allows you to visualisation {\bf cluster element} in a JSON structure
+        \item Allows you to convert any JSON into {\bf cluster elements} enabling searches and correlations
+    \end{itemize}
+    \begin{center}
+        \includegraphics[width=1.0\linewidth]{pics/json-view.png}
+    \end{center}
+\end{frame}
+
+\begin{frame}
+    \frametitle{Synchronization in depth}
+    Has its own synchronization mechanism which can be enabled with the \texttt{pull\_galaxy\_cluster} and \texttt{push\_galaxy\_cluster} flags
+    \vspace{0.5em}
     \begin{itemize}
         \item \textbf{Pull All}: Pull all remote Clusters (similar to event's pull all)
         \item \textbf{Pull Update}: Update local Clusters (similar to event's pull update)
@@ -113,49 +172,3 @@
         \item \textbf{Push}: Triggered whenever a Cluster is published or via standard push
     \end{itemize}
 \end{frame}
-
-\begin{frame}
-    \frametitle{New views factories \& elements}
-    \begin{itemize}
-        \item\texttt{GenericForm.simpleFieldAllowedList}
-        \begin{itemize}
-            \item \texttt{checked}, \texttt{multiple}, \texttt{selected}, \texttt{legend}, \texttt{disabled},
-        \end{itemize}
-        \item\texttt{IndexTable.booleanOrNA}
-        \begin{itemize}
-            \item Displays icons or N/A
-        \end{itemize}
-        \item\texttt{IndexTable.galaxy\_cluster\_link}
-        \begin{itemize}
-            \item Display basic galaxy cluster info in a compact way (\texttt{galaxy\_type :: cluster\_value} + Hover)
-        \end{itemize}
-        \item\texttt{IndexTable.in\_and\_out\_counts}
-        \begin{itemize}
-            \item Display \# of outbound and \# of inbound (This \textit{Cluster} has \# relations)
-        \end{itemize}
-        \item\texttt{IndexTable.tree}
-        \begin{itemize}
-            \item Generate a tree like hierarchy (Root cluster and its forks)
-        \end{itemize}
-    \end{itemize}
-\end{frame}
-
-\begin{frame}
-    \frametitle{Synchronization edge cases}
-    \begin{itemize}
-        \item Missing galaxy on the remote end
-        \begin{itemize}
-            \item[$\rightarrow$] Capture it
-        \end{itemize}
-    \end{itemize}
-\end{frame}
-
-\begin{frame}
-    \frametitle{Impossible due to design}
-    \begin{itemize}
-        \item Share \textit{Galaxy Matrix}
-        \begin{itemize}
-            \item[$\rightarrow$] Can only be insterted in an existing \textit{galaxy} matrix as the layout is defined at the \textit{galaxy} level
-        \end{itemize}
-    \end{itemize}
-\end{frame}

build.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 #
 
-slidedecks=("0-misp-introduction-to-information-sharing" "1-misp-usage" "1.2-misp-integration" "1.1-misp-viper-integration" "1.2.1-misp-integration-mail2misp" "2-misp-administration" "3-misp-taxonomy-tagging" "3.1-misp-modules" "3.2-misp-galaxy" "3.3-misp-object-template" "6.0-misp-dashboard" "a.0-contributing" "a.1-devintro" "a.2-pymisp" "a.3-misp-feed" "a.4-best-practices" "a.5-decaying-indicators" "a.5-bis-decaying-indicators-light-version" "a.6-forensic" "a.7-rest-API" "b.1-best-practices-in-threat-intelligence" "a.8-dev-hands-on" "a.9-restsearch-dev" "a.a-widget-dev" "b.2-turning-data-into-actionable-intelligence" "4-misp-standard")
+slidedecks=("0-misp-introduction-to-information-sharing" "1-misp-usage" "1.2-misp-integration" "1.1-misp-viper-integration" "1.2.1-misp-integration-mail2misp" "2-misp-administration" "3-misp-taxonomy-tagging" "3.1-misp-modules" "3.2-misp-galaxy" "3.3-misp-object-template" "6.0-misp-dashboard" "a.0-contributing" "a.1-devintro" "a.2-pymisp" "a.3-misp-feed" "a.4-best-practices" "a.5-decaying-indicators" "a.5-bis-decaying-indicators-light-version" "a.6-forensic" "a.7-rest-API" "b.1-best-practices-in-threat-intelligence" "a.8-dev-hands-on" "a.9-restsearch-dev" "a.10-galaxy-2.0" "a.11-misp-data-model" "a.a-widget-dev" "b.2-turning-data-into-actionable-intelligence" "4-misp-standard")
 mkdir output
 export TEXINPUTS=::`pwd`/themes/
 echo ${TEXINPUTS}
@@ -55,6 +55,7 @@ done
 echo ${listofpdf}
 
 pdfunite ${listofpdf} cheatsheet.pdf usage.pdf ack.pdf ../misp-training.pdf
+cp ../misp-training.pdf .
 cd ..
 
 exiftool -overwrite_original_in_place -Title="MISP Training and Slide Decks" -Author="CIRCL Computer Incident Response Center Luxembourg" -Subject="MISP Threat Intelligence Platform Training Materials" -Keywords="MISP Threat Intelligence CTI STIX information sharing yara sigma suricata snort bro openioc threat-actor TIP threat intelligence platform circl.lu training cybersecurity MISPProject" misp-training.pdf