chg: [galaxy-2.0] Updated presentation

exercise-movie
mokaddem 2020-12-16 13:07:05 +01:00
parent 8c56e9388f
commit cb4e5ac0fb
3 changed files with 86 additions and 73 deletions


@ -18,37 +18,65 @@
Galaxy 2.0 introduces various new features for \textit{Galaxies} and their \textit{Clusters} allowing:
\begin{itemize}
\item Creation of \textbf{custom} \textit{Clusters}
\item ACL on \textit{Clusters}
\item \textbf{ACL} on \textit{Clusters}
\item \textbf{Connection} of \textit{Clusters} via \textit{Relations}
\item \textbf{Synchronization} to connected instances.
\item \textbf{Visualization} of forks and relationships
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Default Galaxy clusters}
{\bf Default} {\it Galaxy cluster}
\begin{itemize}
\item Coming from the \texttt{misp-galaxy} repository\footnote{\url{https://github.com/MISP/misp-galaxy}}
\item Cannot be edited
\begin{itemize}
\item Only way to provide modification is to modify the stored JSON or to open a pull request
\item Are not synchronized
\item Source of trust
\end{itemize}
\item Restrictions propagate to their children (\texttt{Galaxy cluster elements}, \texttt{Cluster relationships})
\end{itemize}
\vspace{0.5em}
{\bf Custom} {\it Galaxy cluster}
\begin{itemize}
\item Can be created via the UI or API
\item Belongs to an organisation
\begin{itemize}
\item Fully editable
\item Are synchronized
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{MISP Galaxy 2.0 - New \textit{Cluster} fields}
\frametitle{MISP Galaxy 2.0 - Comparison with prior version}
\textit{Clusters} and \textit{Relations} can be edited.
\begin{itemize}
\item New \textit{Clusters} fields
\item \texttt{distribution}, \texttt{sharing\_group\_id}
\item \texttt{org\_id}, \texttt{orgc\_id}
\item \texttt{locked}, \texttt{published}, \texttt{deleted}
\item \texttt{default}
\begin{itemize}
\item \textit{Clusters} coming from the \texttt{misp-galaxies} repository are marked as default
\item Not synchronized
\end{itemize}
\begin{itemize}
\item Same purpose as \textit{Events}s \texttt{locked}
\end{itemize}
\item \texttt{extends\_uuid}
\begin{itemize}
\item Point to the \textit{Cluster} that has been forked
\end{itemize}
\item \texttt{extends\_version}
\begin{itemize}
\item Keep track of the \textit{Cluster} version that has been forked
\item \texttt{distribution}, \texttt{sharing\_group\_id}
\item \texttt{org\_id}, \texttt{orgc\_id}
\item \texttt{locked}, \texttt{published}, \texttt{deleted}
\item \texttt{default}
\begin{itemize}
\item \textit{Clusters} coming from the \texttt{misp-galaxies} repository are marked as default
\item Not synchronized
\end{itemize}
\begin{itemize}
\item Same purpose as \textit{Event}'s \texttt{locked} field
\end{itemize}
\item \texttt{extends\_uuid}
\begin{itemize}
\item Point to the \textit{Cluster} that has been forked
\end{itemize}
\item \texttt{extends\_version}
\begin{itemize}
\item Keep track of the \textit{Cluster} version that has been forked
\end{itemize}
\end{itemize}
\end{itemize}
\end{frame}
@ -58,7 +86,7 @@
\begin{itemize}
\item \textit{Role} \texttt{perm\_galaxy\_editor}
\item Relations also have a \texttt{distribution} and can have \textit{Tags}
\item Servers have 2 new flags
\item Synchronization servers have 2 new flags
\begin{itemize}
\item \texttt{pull\_galaxy\_clusters}
\item \texttt{push\_galaxy\_clusters}
@ -84,16 +112,21 @@
\begin{frame}
\frametitle{Features in depth: Visualization}
Tree view of forked Clusters \includegraphics[scale=0.5]{pics/cluster-forks}
\includegraphics[width=1.0\linewidth]{pics/cluster-forks-tree}
Tree view of forked Clusters
\includegraphics[scale=0.5]{pics/cluster-forks}
\vspace{0.5em}
\begin{center}
\includegraphics[width=1.0\linewidth]{pics/cluster-forks-tree}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Features in depth: Visualization}
Tree and network views for Relations between Clusters
\includegraphics[width=1.0\linewidth]{pics/cluster-relations}
\vspace{0.5em}
\begin{center}
\includegraphics[width=1.0\linewidth]{pics/cluster-relations}
\end{center}
\end{frame}
\begin{frame}
@ -103,9 +136,35 @@
\end{frame}
\begin{frame}
\frametitle{Features in depth: Synchronization}
Own synchronization mechanism which can be enabled with the \texttt{pull\_galaxy\_cluster} and \texttt{push\_galaxy\_cluster} flags
\frametitle{Galaxy cluster elements}
Hasn't been touched: Still a key-value stored. But new feature have been added\footnote{Will be included in next release}
\vspace{0.5em}
Tabular view
\begin{itemize}
\item Allows you to browse {\bf cluster elements} like before
\end{itemize}
\begin{center}
\includegraphics[width=1.0\linewidth]{pics/tabular-view.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Galaxy cluster elements}
JSON view
\begin{itemize}
\item Allows you to visualisation {\bf cluster element} in a JSON structure
\item Allows you to convert any JSON into {\bf cluster elements} enabling searches and correlations
\end{itemize}
\begin{center}
\includegraphics[width=1.0\linewidth]{pics/json-view.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Synchronization in depth}
Has its own synchronization mechanism which can be enabled with the \texttt{pull\_galaxy\_cluster} and \texttt{push\_galaxy\_cluster} flags
\vspace{0.5em}
\begin{itemize}
\item \textbf{Pull All}: Pull all remote Clusters (similar to event's pull all)
\item \textbf{Pull Update}: Update local Clusters (similar to event's pull update)
@ -113,49 +172,3 @@
\item \textbf{Push}: Triggered whenever a Cluster is published or via standard push
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{New views factories \& elements}
\begin{itemize}
\item\texttt{GenericForm.simpleFieldAllowedList}
\begin{itemize}
\item \texttt{checked}, \texttt{multiple}, \texttt{selected}, \texttt{legend}, \texttt{disabled},
\end{itemize}
\item\texttt{IndexTable.booleanOrNA}
\begin{itemize}
\item Displays icons or N/A
\end{itemize}
\item\texttt{IndexTable.galaxy\_cluster\_link}
\begin{itemize}
\item Display basic galaxy cluster info in a compact way (\texttt{galaxy\_type :: cluster\_value} + Hover)
\end{itemize}
\item\texttt{IndexTable.in\_and\_out\_counts}
\begin{itemize}
\item Display \# of outbound and \# of inbound (This \textit{Cluster} has \# relations)
\end{itemize}
\item\texttt{IndexTable.tree}
\begin{itemize}
\item Generate a tree like hierarchy (Root cluster and its forks)
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Synchronization edge cases}
\begin{itemize}
\item Missing galaxy on the remote end
\begin{itemize}
\item[$\rightarrow$] Capture it
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Impossible due to design}
\begin{itemize}
\item Share \textit{Galaxy Matrix}
\begin{itemize}
\item[$\rightarrow$] Can only be insterted in an existing \textit{galaxy} matrix as the layout is defined at the \textit{galaxy} level
\end{itemize}
\end{itemize}
\end{frame}
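Review bot: The new "Synchronization in depth" line names the flags `\texttt{pull\_galaxy\_cluster}` and `\texttt{push\_galaxy\_cluster}`, but the "Synchronization servers have 2 new flags" hunk lists them as `\texttt{pull\_galaxy\_clusters}` and `\texttt{push\_galaxy\_clusters}`; the page does not show which spelling the server model uses, yet one deck should not give the same flag two names, and the plural form is the one already used where the flags are introduced, so I would change that line to `Has its own synchronization mechanism which can be enabled with the \texttt{pull\_galaxy\_clusters} and \texttt{push\_galaxy\_clusters} flags`. In the same way the comparison slide says default clusters come from the `\texttt{misp-galaxies}` repository while the footnoted URL on the "Default Galaxy clusters" slide is `misp-galaxy`; one of the two should be corrected to match. The new "Galaxy cluster elements" text has grammar slips that a reader will trip on: `Hasn't been touched: Still a key-value store. But new features have been added` and `Allows you to visualise \textbf{cluster elements} in a JSON structure`. Finally, the added `{\bf cluster elements}` / `{\bf cluster element}` and the existing `{\bf Default} {\it Galaxy cluster}` use plain-TeX font switches where the rest of the file uses `\textbf{}`/`\textit{}`; switching them keeps the markup consistent and nests correctly.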

Binary file not shown.


Binary file not shown.
