chg: moved old events in the correct folder

pull/22/head
Sami Mokaddem 2022-11-15 15:01:07 +01:00 committed by Luciano Righetti
parent 8b5144d957
commit db259c1e10
No known key found for this signature in database
GPG Key ID: CB91F2A37C557248
159 changed files with 1607 additions and 0 deletions


@ -0,0 +1,44 @@
% DO NOT COMPILE THIS FILE DIRECTLY!
% This is included by the other .tex files.
\begin{frame}
\titlepage
\end{frame}
\begin{frame}
\frametitle{Agenda}
\begin{itemize}
\item 09:30 -> 10:50: MISP Intro + Usage %(1h30)
\item 30min break
\item 11:20 -> 12:40: Usage + Exercise I %(1h20)
\item Lunch break
\item 14:15 -> 15:35: Excercise I + Excercise II %(1h20)
\item 10min break
\item 16:05 -> 17:25: Excrcise II %(1h20)
\end{itemize}
\vspace{0.5cm}
\textbf{Hybrid session}: Hands-on \& Open bar for questions
\end{frame}
\begin{frame}
\frametitle{Get in touch if you have any questions}
\begin{itemize}
\item Contact CIRCL
\begin{itemize}
\item info@circl.lu
\item \url{https://twitter.com/circl_lu}
\item \url{https://www.circl.lu/}
\end{itemize}
\item Contact MISPProject
\begin{itemize}
\item \url{https://github.com/MISP}
\item \url{https://gitter.im/MISP/MISP}
\item \url{https://twitter.com/MISPProject}
\end{itemize}
\item Cerebrate project
\begin{itemize}
\item \url{https://github.com/cerebrate-project}
\item \url{https://github.com/cerebrate-project/cerebrate}
\end{itemize}
\end{itemize}
\end{frame}
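Review bot: The agenda slide misspells "Exercise" twice, on the 14:15 and 16:05 items (`Excercise I + Excercise II`, `Excrcise II`); since this is the first slide attendees see, both should read `Exercise`. The ASCII `->` in the time ranges would also typeset more cleanly as `--` (09:30--10:50) or `$\rightarrow$`, matching the arrow notation already used in the sibling workflow deck.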



@ -0,0 +1,5 @@
all:
pdflatex -interaction nonstopmode -halt-on-error -file-line-error slide.tex
clean:
rm *.aux *.nav *.log *.snm *.toc *.vrb
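Review bot: The `clean` target fails on a fresh checkout, because `rm` without `-f` errors as soon as one of the globs (`*.nav`, `*.snm`, `*.vrb` are only produced by beamer on a successful run) matches nothing and is passed through literally; change it to `rm -f *.aux *.nav *.log *.snm *.toc *.vrb`. Neither target is a file, so also add `.PHONY: all clean` at the top to keep a stray `all` or `clean` file from short-circuiting the build.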


@ -0,0 +1,25 @@
\documentclass{beamer}
\usetheme[numbering=progressbar]{focus}
\definecolor{main}{RGB}{47, 161, 219}
\definecolor{textcolor}{RGB}{128, 128, 128}
\definecolor{background}{RGB}{240, 247, 255}
\usepackage[utf8]{inputenc}
\usepackage{tikz}
\usepackage{listings}
\usepackage{adjustbox}
\usetikzlibrary{positioning}
\usetikzlibrary{shapes,arrows}
%\usepackage[T1]{fontenc}
%\usepackage[scaled]{beramono}
\author{\small{\input{../includes/authors.txt}}}
\title{MISP CTI Analyst Training}
\subtitle{Hands-on workshop}
\institute{\includegraphics[scale=0.5]{misplogo.pdf}}
\titlegraphic{\vspace{1cm}\includegraphics[scale=0.65]{misp.pdf}\linebreak\includegraphics[scale=0.6]{images/FIRSTCON22-Speaker-Horizontal.png}}
\date{\input{../includes/location.txt}}
\begin{document}
\include{content}
\end{document}


@ -0,0 +1,27 @@
\documentclass{beamer}
\usetheme[numbering=progressbar]{focus}
\definecolor{main}{RGB}{47, 161, 219}
\definecolor{textcolor}{RGB}{128, 128, 128}
\definecolor{background}{RGB}{240, 247, 255}
\usepackage[utf8]{inputenc}
\usepackage{tikz}
\usepackage{listings}
\usepackage{adjustbox}
\usetikzlibrary{positioning}
\usepackage{pgfpages}
\setbeameroption{show notes on second screen=right}
\usetikzlibrary{shapes,arrows}
%\usepackage[T1]{fontenc}
%\usepackage[scaled]{beramono}
\author{\small{\input{../includes/authors.txt}}}
\title{MISP CTI Analyst Training}
\subtitle{Hands-on workshop}
\institute{\includegraphics[scale=0.5]{misplogo.pdf}}
\titlegraphic{\vspace{1cm}\includegraphics[scale=0.65]{misp.pdf}\linebreak\includegraphics[scale=0.6]{images/FIRSTCON22-Speaker-Horizontal.png}}
\date{\input{../includes/location.txt}}
\begin{document}
\include{content}
\end{document}


@ -0,0 +1,643 @@
% DO NOT COMPILE THIS FILE DIRECTLY!
% This is included by the other .tex files.
\begin{frame}[t,plain]
\titlepage
\end{frame}
\begin{frame}
\frametitle{What problems are we trying to tackle?}
\begin{itemize}
\item \textbf{Prevent} default MISP behaviors to happen
\item \textbf{Hook} specific actions to run callbacks
\item Use-cases:
\begin{itemize}
\item Prevent publication of events not passing sanity checks
\item Prevent querying thrid-party services with sensitive information
\item Send notifications in a chat rooms
\item And much much more...
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{What already exists in MISP?}
\includegraphics[width=16px]{pictures/python-logo.png}\hspace*{0.5em} \textbf{MISP API / PyMISP}
\begin{itemize}
\item Needs CRON Jobs in place
\item Heavy for the server
\item Not realtime
\end{itemize}
\vspace*{1em}
\includegraphics[width=16px]{pictures/zeromq.png}\hspace*{0.5em} \textbf{PubSub channels}
\begin{itemize}
\item After the actions happen: No feedback to MISP
\item Tougher to put in place \& to share
\item Full integration amounts to develop a new tool
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Simple automation made easy}
\begin{center}
\includegraphics[width=0.3\linewidth]{pictures/automation.png}
\end{center}
\begin{itemize}
\item Why?
\begin{itemize}
\item Everyone loves \textbf{simple automation}
\item \textbf{Visual} dataflow programming
\item Users want \textbf{more control}
\end{itemize}
\item How?
\begin{itemize}
\item \textbf{Drag \& Drop} editor
\item Prevent actions \textbf{before they happen}
\item Flexible \textbf{Plug \& Play} system
\item \textbf{Share} workflows, \textbf{debug} and \textbf{replay}
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Content of the presentation}
\begin{itemize}
\item MISP Workflows fundamentals
\item Demo by examples
\item Get started
\item Using the system \& how it can be extended
\end{itemize}
\vspace*{1em}
\begin{center}
\frame{\includegraphics[width=0.7\linewidth]{pictures/overview.png}}
\end{center}
\end{frame}
\section{Workflow - Fundamentals}
\begin{frame}
\frametitle{How does it work}
\begin{center}
\frame{\includegraphics[width=0.4\linewidth]{pictures/event-condition-action.png}}
\end{center}
\begin{enumerate}
\item An \textbf{event} happens in MISP
\item Check if all \textbf{conditions} are satisfied
\item Execute all \textbf{actions}
\begin{itemize}
\item May prevent MISP to complete its original event
\end{itemize}
\end{enumerate}
\end{frame}
\begin{frame}
\frametitle{What kind of events?}
\includegraphics[width=60px]{pictures/sc-event.png}
\vspace*{0.5em}
\begin{itemize}
\item New MISP Event
\item Attribute has been saved
\item New discussion post
\item New user created
\item Query against third-party services
\item ...
\end{itemize}
\vspace*{1em}
In MISP Workflow terminology, supported events are called \textbf{Triggers}
\end{frame}
\begin{frame}
\frametitle{What kind of conditions?}
\includegraphics[width=70px]{pictures/sc-condition.png}
\vspace*{0.5em}
\begin{itemize}
\item An MISP Event is tagged with \texttt{tlp:red}
\item The distribution an Attribute is a sharing group
\item The creator organisation is \texttt{circl.lu}
\item Or any other \textbf{generic} conditions
\end{itemize}
\vspace*{1em}
In MISP Workflow terminology, these are also called \textbf{Logic modules}
\end{frame}
\begin{frame}
\frametitle{What kind of actions?}
\includegraphics[width=60px]{pictures/sc-action.png}
\vspace*{0.5em}
\begin{itemize}
\item Send an email notification
\item Perform enrichments
\item Send a chat message on MS Teams
\item Attach a local tag
\item ...
\end{itemize}
\vspace*{1em}
In MISP Workflow terminology, these are also called \textbf{Action modules}
\end{frame}
\begin{frame}
\frametitle{What is a MISP Workflow?}
\begin{itemize}
\item Sequence of all nodes to be executed in the specified order
\item Basically the whole connected graph.
\item Workflows can be enabled / disabled
\item Workflows are always linked to a \textbf{trigger}
\end{itemize}
\begin{center}
\frame{\includegraphics[width=1.0\linewidth]{pictures/simple-workflow.png}}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Workflow execution for Event publish}
\begin{itemize}
\setlength\itemsep{1em}
\item[] \hspace*{-2em}\includegraphics[width=16px]{pictures/sc-event-icon.png} \hspace*{0.25em} An Event is about to be published
\begin{itemize}
\item The workflow for the \texttt{event-publish} trigger starts
\end{itemize}
\item[] \hspace*{-2em}\includegraphics[width=16px]{pictures/sc-condition-icon.png} \hspace*{0.25em} Conditions are evaluated
\item[] \hspace*{-2em}\includegraphics[width=16px]{pictures/sc-action-icon.png} \hspace*{0.25em} Actions are executed
\begin{itemize}
\setlength\itemsep{0.75em}
\item {\bf\color{green!50!black}success}: Continue the publishing action
\hspace*{-4em}\includegraphics[width=1.0\textwidth]{pictures/log-entry-publish-success.png}
\item {\bf\color{red}failure} | \texttt{\color{red}blocked}: Stop publishing and log the reason
\hspace*{-4em}\includegraphics[width=1.0\textwidth]{pictures/log-entry-publish-blocked.png}
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Blocking and non-blocking}
Two types of workflows:
\vspace{0.5em}
\begin{itemize}
\item[] \hspace*{-2em}\includegraphics[width=48px]{pictures/blocking-workflow.png} Workflows
\begin{itemize}
\item Can prevent / block the original event to happen
\item If a \textbf{blocking module}\includegraphics[width=10px]{pictures/blocking-module.png} blocks the action
\end{itemize}
\vspace{0.5em}
\item[] \hspace*{-2em}{\bf Regular} Workflows execution outcome has no impact
\begin{itemize}
\item \textbf{Blocking modules} No way to prevent something that has already happened
\end{itemize}
\begin{center}
\includegraphics[width=0.4\linewidth]{pictures/time-machine.png}
\end{center}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Workflow - Action modules}
% \begin{center}
% \includegraphics[width=0.6\linewidth]{pictures/module-type.png}
% \end{center}
\begin{itemize}
\item \includegraphics[width=12px]{pictures/sc-action-icon.png} \textbf{action} modules: Allow to executes operations or custom scripts
\begin{itemize}
\item Tag operations
\item Send notifications
\item Webhooks
\end{itemize}
\end{itemize}
\begin{center}
\includegraphics[width=1.0\linewidth]{pictures/action-module-index.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Workflow - Logic modules}
\begin{itemize}
\item \includegraphics[width=12px]{pictures/sc-condition-icon.png} \textbf{logic} modules: Allow to redirect the execution flow.
\begin{itemize}
\item IF conditions
\item Delay execution
\end{itemize}
\end{itemize}
\begin{center}
\includegraphics[width=1.0\linewidth]{pictures/logic-module-index.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Sources of Workflow modules (1)}
\begin{itemize}
\item Built-in \textbf{default} modules
\begin{itemize}
\item Part of the MISP codebase
\item Get in touch if you want us to increase the selection!
\end{itemize}
\end{itemize}
\begin{center}
\includegraphics[width=1.0\linewidth]{pictures/module-buffet.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Sources of Workflow modules (2)}
User-defined \textbf{custom} modules
\vspace*{0.5em}
\begin{columns}
\begin{column}{0.5\textwidth}
\begin{itemize}
\item Written in PHP
\item Extend existing modules
\item MISP code reuse
\end{itemize}
\end{column}
\begin{column}{0.5\textwidth}
\includegraphics[width=1.0\linewidth]{pictures/php-joke.jpg}
\end{column}
\end{columns}
\end{frame}
\begin{frame}
\frametitle{Sources of Workflow modules (3)}
Modules from the \includegraphics[width=0.20\linewidth]{pictures/misp-module-icon.png} \textbf{enrichment service}
\vspace*{0.5em}
\begin{columns}
\begin{column}{0.50\textwidth}
\begin{itemize}
\item Written in Python
\item Can use any python libraries
\item Plug \& Play
\end{itemize}
\end{column}
\begin{column}{0.50\textwidth}
\includegraphics[width=1.0\linewidth]{pictures/python-joke.png}
\end{column}
\end{columns}
\end{frame}
\begin{frame}
\frametitle{Triggers currently available}
Currently 10 triggers can be hooked. 3 being \includegraphics[width=36px]{pictures/blocking-workflow.png}.
\begin{center}
\includegraphics[width=1.0\linewidth]{pictures/triggers.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Demo by examples}
\begin{enumerate}
\item Send an email to \textbf{all} when a new event is created
\item Block queries on 3rd party services when \textbf{tlp:red} or \textbf{PAP:red}
\end{enumerate}
\end{frame}
\section{Workflow - Getting started}
\begin{frame}
\frametitle{Getting started with workflows (1)}
\begin{center}
\includegraphics[width=0.9\linewidth]{pictures/workflow-release.png}
\end{center}
\begin{enumerate}
\item Update your MISP server
\item Update all your sub-modules
\end{enumerate}
\begin{center}
\includegraphics[width=0.6\textwidth]{pictures/upgrade-people.jpeg}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Getting started with workflows (2)}
Review MISP settings:
\begin{enumerate}
\item Make sure \texttt{\bf MISP.background\_jobs} is turned on
\item Make sure workers are \textbf{up-and-running} and healthy
\item Turn the setting \texttt{\bf Plugin.Workflow\_enable} on
\end{enumerate}
\begin{center}
\includegraphics[width=1.0\textwidth]{pictures/settings-2.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Getting started with workflows (3)}
[optional] Wanna enjoy \includegraphics[width=0.17\linewidth]{pictures/misp-module-icon.png} ?
\begin{enumerate}
\item Turn the setting \texttt{\bf Plugin.Action\_services\_enable} on
\end{enumerate}
\begin{center}
\includegraphics[width=1.0\textwidth]{pictures/settings-1.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Getting started with workflows (4)}
\begin{enumerate}
\item Go to the list of modules
\begin{itemize}
\item \texttt{Administration > Workflows > List Modules}
\item or \url{/workflows/moduleIndex}
\end{itemize}
\item Make sure \textbf{default} modules are loaded
\item {[optional:misp-module]} Make sure \textbf{misp-module} modules are loaded
\end{enumerate}
\end{frame}
\begin{frame}
\frametitle{Getting started with workflows (4)}
\centering
{\Large Everything is ready?}\\
\vspace*{3em}
{\LARGE Let's see how to build a workflow!}
\end{frame}
\begin{frame}
\frametitle{Creating a workflow with the editor}
Prevent event publication if no \textbf{tlp:*} tag, otherwise send a message on Mattermost
\end{frame}
\section{Considerations when working with workflows}
\begin{frame}
\frametitle{Working with the editor - Operations not allowed}
Execution loop are not authorized
\vspace*{1em}
\begin{columns}
\begin{column}{0.7\textwidth}
\frame{\includegraphics[width=1.0\linewidth]{pictures/editor-not-allowed-1.png}}
\end{column}
\begin{column}{0.3\textwidth}
\frame{\includegraphics[width=1.0\linewidth]{pictures/infinite-loop.jpg}}
\end{column}
\end{columns}
\end{frame}
\begin{frame}
\frametitle{Recursive workflows}
\frame{\includegraphics[width=1.0\linewidth]{pictures/recursive-workflow.png}}
\danger Recursion: If an action re-run the workflow
\end{frame}
\begin{frame}
\frametitle{Working with the editor - Operations not allowed}
Multiple connections from the same output
\vspace*{1em}
\begin{columns}
\begin{column}{0.7\textwidth}
\frame{\includegraphics[width=1.0\linewidth]{pictures/editor-not-allowed-2.png}}
\end{column}
\begin{column}{0.3\textwidth}
\frame{\includegraphics[width=1.0\linewidth]{pictures/two-paths.jpeg}}
\end{column}
\end{columns}
\begin{itemize}
\item Execution order not guaranted
\item Confusing for users
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Working with the editor}
Cases showing a warning:
\begin{itemize}
\item \textbf{Blocking} modules \includegraphics[width=10px]{pictures/blocking-module.png} in a \textbf{non-blocking} workflow \includegraphics[width=0.12\linewidth]{pictures/time-machine.png}
\item \textbf{Blocking} modules \includegraphics[width=10px]{pictures/blocking-module.png} after a \textbf{concurrent tasks} module
\begin{center}
\frame{\includegraphics[width=1.0\linewidth]{pictures/editor-warning-1.png}}
\end{center}
\end{itemize}
\end{frame}
\section{Advanced usage}
\begin{frame}
\frametitle{Workflow blueprints}
\hspace*{0.9\textwidth}\includegraphics[width=32px]{pictures/blueprint-32.png}
\vspace*{-2em}
\begin{enumerate}
\item Blueprints allow to \textbf{re-use parts} of a workflow in another one
\item Blueprints can be saved, exported and \textbf{shared}
\end{enumerate}
\begin{center}
\includegraphics[width=0.5\linewidth]{pictures/blueprint-debugging.png}
\end{center}
Blueprints sources:
\begin{enumerate}
\item Created or imported by users
\item From the \texttt{MISP/misp-workflow-blueprints} repository\footnote{\scriptsize https://github.com/MISP/misp-workflow-blueprints}
\end{enumerate}
\end{frame}
\begin{frame}[fragile]
\frametitle{Hash path filtering}
Filtering and checking conditions using hash path expression.
\begin{lstlisting}[language=javascript,firstnumber=1]
$path_expression = '{n}[name=fred].id';
$users = [
{'id': 123, 'name': 'fred', 'surname': 'bloggs'},
{'id': 245, 'name': 'fred', 'surname': 'smith'},
{'id': 356, 'name': 'joe', 'surname': 'smith'},
];
$ids = Hash::extract($users, $path_expression);
// => $ids will be [123, 245]
\end{lstlisting}
\begin{columns}
\begin{column}{0.6\textwidth}
\begin{center}
\includegraphics[width=0.7\linewidth]{pictures/attribute-json.png}
\end{center}
\end{column}
\begin{column}{0.4\textwidth}
\includegraphics[width=1.0\linewidth]{pictures/module-if-generic.png}
\end{column}
\end{columns}
\end{frame}
\begin{frame}
\frametitle{Data format in Workflows}
\begin{center}
\includegraphics[width=0.7\linewidth]{pictures/workflow-trigger.png}
\end{center}
\begin{itemize}
\item In most cases, the format is compliant with the \textbf{MISP Core format}
\item But data has \textbf{additional properties}
\begin{itemize}
\item Attributes are \textbf{always encapsulated} in the Event or Object
\item Additional key \textbf{\texttt{\_AttributeFlattened}}
\item Additional key \textbf{\texttt{\_allTags}}
\item Additional key \textbf{\texttt{inherited}} for Tags
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Logic module: Concurrent Task}
\begin{itemize}
\item Logic module allowing \textbf{multiple output} connections
\item \textbf{Postpone the execution} for remaining modules
\item Blocking modules\includegraphics[width=10px]{pictures/blocking-module.png} \textbf{cannot cancel} ongoing operations \includegraphics[width=0.05\linewidth]{pictures/time-machine.png}
\end{itemize}
\begin{center}
\frame{\includegraphics[width=0.5\linewidth]{pictures/module-concurrent.png}}
\end{center}
\end{frame}
\section{Debugging}
\begin{frame}
\frametitle{Debugging Workflows: Log Entries}
\begin{itemize}
\item Workflow execution is logged in the application logs:
\begin{itemize}
\item \texttt{/admin/logs/index}
\end{itemize}
\item Or stored on disk in the following file:
\begin{itemize}
\item \texttt{/app/tmp/logs/workflow-execution.log}
\end{itemize}
\end{itemize}
\begin{center}
\includegraphics[width=1.0\linewidth]{pictures/workflow-debug.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Debugging Workflows: Debug mode}
\begin{itemize}
\item The \includegraphics[width=70px]{pictures/debug-mode.png} can be turned on for each workflows
\item Each nodes will send data to the provided URL
\begin{itemize}
\item Configure the setting: \texttt{Plugin.Workflow\_debug\_url}
\end{itemize}
\item Result can be visualized in
\begin{itemize}
\item \textbf{offline}: \texttt{tools/misp-workflows/webhook-listener.py}
\item \textbf{online}: \url{requestbin.com} or similar websites
\end{itemize}
\end{itemize}
\begin{center}
\includegraphics[width=0.6\linewidth]{pictures/request-bin.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Debugging modules: Stateless execution}
\begin{itemize}
\item Test custom modules with custom input
\end{itemize}
\begin{center}
\includegraphics[width=1.0\linewidth]{pictures/stateless-execution.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Debugging modules: Re-running workflows}
\begin{itemize}
\item Try workflows with custom input
\item Re-run workflows to ease debugging
\end{itemize}
\begin{center}
\frame{\includegraphics[width=0.55\linewidth]{pictures/running-workflows.png}}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Debugging options}
\begin{columns}
\begin{column}{0.6\textwidth}
\begin{itemize}
\item Workflow execution and outcome
\item Module execution and outcome
\item Live workflow debugging with module inspection
\item Re-running/testing workflows with custom data
\item Stateless module execution
\end{itemize}
\end{column}
\begin{column}{0.4\textwidth}
\includegraphics[width=1.0\linewidth]{pictures/enough-debugging.jpg}
\end{column}
\end{columns}
\end{frame}
\section{Extending the system}
\begin{frame}
\frametitle{Creating a new module in PHP}
\begin{center}
\includegraphics[width=0.65\linewidth]{pictures/custom-1.png}
\end{center}
\begin{itemize}
\item \texttt{\small \textbf{app/Lib/}WorkflowModules/action/[module\_name].php}
\item Designed to be easilty extended
\begin{itemize}
\item Helper functions
\item Module configuration as variables
\item Implement runtime logic
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Creating a new module in Python}
\begin{center}
\includegraphics[width=0.65\linewidth]{pictures/custom-2.png}
\end{center}
\begin{itemize}
\item Similar to how other \texttt{misp-modules} are implemented
\begin{itemize}
\item Helper functions
\item Module configuration as variables
\item Implement runtime logic
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Ideas}
\begin{itemize}
\item Chat notification a community when new user joins an instance
\item Trigger on any action via log entries
\item Extend existing MISP behavior: Push correlation in another system
\item Sanity check to block publishing
\item ...
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Future works}
\begin{columns}
\begin{column}{0.55\textwidth}
\begin{itemize}
\item More \includegraphics[width=12px]{pictures/sc-action-icon.png} modules
\item More \includegraphics[width=12px]{pictures/sc-condition-icon.png} modules
\item More \includegraphics[width=12px]{pictures/sc-event-icon.png} triggers
\item More documentation
\item Recursion prevention system
\item On-the-fly data override?
\end{itemize}
\end{column}
\begin{column}{0.45\textwidth}
\includegraphics[width=1.0\linewidth]{pictures/future-works.jpeg}
\end{column}
\end{columns}
\end{frame}
\begin{frame}
\frametitle{Final words}
\begin{columns}
\begin{column}{0.6\textwidth}
\begin{itemize}
\item Feature designed to quickly and cheaply support CTI pipeline
\item \textbf{Beta}: Feature unlikely to change. But still..
\item Waiting for feedback!
\begin{itemize}
\item New triggers?
\item New action modules?
\item New conditional modules?
\item ...
\end{itemize}
\end{itemize}
\end{column}
\begin{column}{0.4\textwidth}
\includegraphics[width=1.0\linewidth]{pictures/feeling-of-power.jpg}
\end{column}
\end{columns}
\vspace*{0.5em}
\end{frame}
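Review bot: The "Debugging Workflows: Debug mode" frame recommends `requestbin.com or similar websites` as the online viewer for `Plugin.Workflow_debug_url`, but the same frame says every node sends its data to that URL, and the "Data format in Workflows" frame shows that data is the MISP core-format event/attribute payload; pointing a production instance at a public request-capture service therefore ships potentially TLP-restricted indicators to a third party. Add a caveat bullet next to the online option, e.g. `\item \danger Debug payloads carry the full event/attribute data: use the offline listener for real data, and only point \texttt{Plugin.Workflow\_debug\_url} at a public capture service with test input`. Separately, the deck has several typos worth fixing before it is presented: `thrid-party` (use-cases frame), `guaranted` (multiple-connections frame) and `easilty` (PHP module frame). The footnote on the blueprints frame also holds a raw URL that should be wrapped in `\url{...}` like the other links in the deck.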


@ -0,0 +1,64 @@
\documentclass{beamer}
\usetheme[numbering=progressbar]{focus}
\definecolor{main}{RGB}{47, 161, 219}
\definecolor{textcolor}{RGB}{128, 128, 128}
\definecolor{background}{RGB}{240, 247, 255}
% \usepackage{pgfpages}
% \setbeameroption{show notes on second screen=right}
\usepackage[draft]{pdfcomment}
\newcommand{\pdfnote}[1]{\marginnote{\pdfcomment[icon=note]{#1}}}
\usepackage[utf8]{inputenc}
\usepackage{tikz}
\usepackage{listings}
\usepackage{adjustbox}
\usepackage{fourier}
\usetikzlibrary{positioning}
\usetikzlibrary{shapes,arrows}
\lstdefinelanguage{javascript}{
basicstyle=\scriptsize,
numbers=left,
numberstyle=\scriptsize,
stepnumber=1,
numbersep=5pt,
showstringspaces=false,
breaklines=true,
frame=lines,
keywords={typeof, new, true, false, catch, function, return, null, catch, switch, var, if, in, while, do, else, case, break},
%keywordstyle=\color{blue}\bfseries,
ndkeywords={class, export, boolean, throw, implements, import, this},
ndkeywordstyle=\color{darkgray}\bfseries,
identifierstyle=\color{black},
sensitive=false,
comment=[l]{//},
morecomment=[s]{/*}{*/},
commentstyle=\color{purple}\ttfamily,
%stringstyle=\color{red}\ttfamily,
morestring=[b]',
morestring=[b]"
}
\lstdefinelanguage{text}{
basicstyle=\scriptsize,
numbers=left,
numberstyle=\scriptsize,
stepnumber=1,
numbersep=5pt,
showstringspaces=false,
breaklines=true,
frame=lines
}
\title{Automation with MISP Workflows}
\subtitle{A new way to support your CTI pipelines}
\author{Alexandre Dulaunoy, Andras Iklody, Sami Mokaddem}
\date{\input{../includes/location.txt}}
\titlegraphic{\includegraphics[scale=0.5]{misp.pdf}\\ \includegraphics[width=0.8\linewidth]{pictures/first-cti.png}}
\institute{MISP Project \\ \url{https://www.misp-project.org/}}
\begin{document}
\include{content}
\end{document}


@ -0,0 +1,66 @@
\documentclass{beamer}
\usetheme[numbering=progressbar]{focus}
\definecolor{main}{RGB}{47, 161, 219}
\definecolor{textcolor}{RGB}{128, 128, 128}
\definecolor{background}{RGB}{240, 247, 255}
% \usepackage{pgfpages}
% \setbeameroption{show notes on second screen=right}
\usepackage[draft]{pdfcomment}
\newcommand{\pdfnote}[1]{\marginnote{\pdfcomment[icon=note]{#1}}}
\usepackage{pgfpages}
\setbeameroption{show notes on second screen=right}
\usepackage[utf8]{inputenc}
\usepackage{tikz}
\usepackage{listings}
\usepackage{adjustbox}
\usepackage{fourier}
\usetikzlibrary{positioning}
\usetikzlibrary{shapes,arrows}
\lstdefinelanguage{javascript}{
basicstyle=\scriptsize,
numbers=left,
numberstyle=\scriptsize,
stepnumber=1,
numbersep=5pt,
showstringspaces=false,
breaklines=true,
frame=lines,
keywords={typeof, new, true, false, catch, function, return, null, catch, switch, var, if, in, while, do, else, case, break},
%keywordstyle=\color{blue}\bfseries,
ndkeywords={class, export, boolean, throw, implements, import, this},
ndkeywordstyle=\color{darkgray}\bfseries,
identifierstyle=\color{black},
sensitive=false,
comment=[l]{//},
morecomment=[s]{/*}{*/},
commentstyle=\color{purple}\ttfamily,
%stringstyle=\color{red}\ttfamily,
morestring=[b]',
morestring=[b]"
}
\lstdefinelanguage{text}{
basicstyle=\scriptsize,
numbers=left,
numberstyle=\scriptsize,
stepnumber=1,
numbersep=5pt,
showstringspaces=false,
breaklines=true,
frame=lines
}
\title{Automation with MISP Workflows}
\subtitle{A new way to support your CTI pipelines}
\author{Alexandre Dulaunoy, Andras Iklody, Sami Mokaddem}
\date{\input{../includes/location.txt}}
\titlegraphic{\includegraphics[scale=0.5]{misp.pdf}\\ \includegraphics[width=0.8\linewidth]{pictures/first-cti.png}}
\institute{MISP Project \\ \url{https://www.misp-project.org/}}
\begin{document}
\include{content}
\end{document}


@ -0,0 +1,601 @@
% DO NOT COMPILE THIS FILE DIRECTLY!
% This is included by the other .tex files.
\begin{frame}[t,plain]
\titlepage
\end{frame}
\begin{frame}
\frametitle{Automation in MISP: What already exists?}
\includegraphics[valign=m,width=16px]{pictures/python-logo.png}\hspace*{0.5em} \textbf{MISP API / PyMISP}
\begin{itemize}
\item Needs CRON Jobs in place
\item Heavy for the server
\item Not realtime
\end{itemize}
\vspace*{1em}
\includegraphics[valign=m,width=16px]{pictures/zeromq.png}\hspace*{0.5em} \textbf{PubSub channels}
\begin{itemize}
\item After the actions happen: No feedback to MISP
\item Tougher to put in place \& to share
\item Full integration amounts to develop a new tool
\end{itemize}
\vspace*{0.5em}
$\rightarrow$ No way to \textbf{prevent} behavior\\
$\rightarrow$ Difficult to setup \textbf{hooks} to execute callbacks
\end{frame}
\begin{frame}
\frametitle{What type of use-cases are we trying to support?}
\begin{itemize}
\item \textbf{Prevent} default MISP behaviors to happen
\begin{itemize}
\item Prevent \textbf{publication of events} not passing sanity checks
\item Prevent \textbf{querying} thrid-party \textbf{services} with sensitive information
\item $\cdots$
\end{itemize}
\vspace*{1.0em}
\item \textbf{Hook} specific actions to run callbacks
\begin{itemize}
\item \textbf{Automatically run} enrichment services
\item Modify data on-the-fly: False positives, enable CTI-Pipeline
\item Send notifications in a chat rooms
\item $\cdots$
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Simple automation in MISP made easy}
\begin{center}
\includegraphics[width=0.3\linewidth]{pictures/automation.png}
\end{center}
\begin{itemize}
\item Why?
\begin{itemize}
\item Everyone loves \textbf{simple automation}
\item \textbf{Visual} dataflow programming
\item Users want \textbf{more control}
\end{itemize}
\item How?
\begin{itemize}
\item \textbf{Drag \& Drop} editor
\item Prevent actions \textbf{before they happen}
\item Flexible \textbf{Plug \& Play} system
\item \textbf{Share} workflows, \textbf{debug} and \textbf{replay}
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Content of the presentation}
\begin{itemize}
\item MISP Workflows fundamentals
\item Demo by examples
\item Using the system
\item How it can be extended
\end{itemize}
\vspace*{1em}
\begin{center}
\frame{\includegraphics[width=0.7\linewidth]{pictures/overview.png}}
\end{center}
\end{frame}
\section{Workflow - Fundamentals}
\begin{frame}
\frametitle{How does it work}
\begin{center}
\frame{\includegraphics[width=0.6\linewidth]{pictures/event-condition-action.png}}
\end{center}
\begin{enumerate}
\item An \textbf{event} happens in MISP
\item Check if all \textbf{conditions} are satisfied
\item Execute all \textbf{actions}
\begin{itemize}
\item May prevent MISP to complete its original event
\end{itemize}
\end{enumerate}
\end{frame}
\begin{frame}
\frametitle{What kind of events?}
\includegraphics[width=60px]{pictures/sc-event.png}
\vspace*{0.5em}
\begin{itemize}
\item New MISP Event
\item Attribute has been saved
\item New discussion post
\item New user created
\item Query against third-party services
\item ...
\end{itemize}
\vspace*{1em}
{\Large \faIcon{question-circle}} Supported events in MISP are called \textbf{Triggers}\\
{\Large \faIcon{question-circle}} A \textbf{Trigger} is associated with \textbf{1-and-only-1 Workflow}
\end{frame}
\begin{frame}
\frametitle{Triggers currently available}
Currently 10 triggers can be hooked. 3 being \includegraphics[width=36px]{pictures/blocking-workflow.png}.
\begin{center}
\includegraphics[width=1.0\linewidth]{pictures/triggers.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{What kind of conditions?}
\vspace*{0.25em}
\includegraphics[width=70px]{pictures/sc-condition.png}
\vspace*{0.25em}
\begin{itemize}
\item An MISP Event is tagged with \texttt{tlp:red}
\item The distribution an Attribute is a sharing group
\item The creator organisation is \texttt{circl.lu}
\item Or any other \textbf{generic} conditions
\end{itemize}
\vspace*{0.5em}
{\Large \faIcon{question-circle}} These are also called \textbf{Logic modules}
\begin{center}
\includegraphics[width=0.43\textwidth]{pictures/logic-module.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Workflow - Logic modules}
\begin{itemize}
\item \includegraphics[width=12px]{pictures/sc-condition-icon.png} \textbf{logic} modules: Allow to redirect the execution flow.
\begin{itemize}
\item IF conditions
\item Delay execution
\end{itemize}
\end{itemize}
\begin{center}
\includegraphics[width=1.0\linewidth]{pictures/logic-module-index.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{What kind of actions?}
\vspace*{0.25em}
\includegraphics[width=60px]{pictures/sc-action.png}
\vspace*{0.25em}
\begin{itemize}
\item Send an email notification
\item Perform enrichments
\item Send a chat message on MS Teams
\item Attach a local tag
\item ...
\end{itemize}
\vspace*{0.5em}
{\Large \faIcon{question-circle}} These are also called \textbf{Action modules}
\begin{center}
\includegraphics[width=0.43\textwidth]{pictures/action-module.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Workflow - Action modules}
\begin{itemize}
\item \includegraphics[width=12px]{pictures/sc-action-icon.png} \textbf{action} modules: Allow to executes operations
\begin{itemize}
\item Tag operations
\item Send notifications
\item Webhooks
\item Custom scripts
\end{itemize}
\end{itemize}
\begin{center}
\includegraphics[width=1.0\linewidth]{pictures/action-module-index.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{What is a MISP Workflow?}
\begin{itemize}
\item Sequence of all nodes to be executed in a specific order
\item Workflows can be enabled / disabled
\item A Workflow is associated to \textbf{1-and-only-1 trigger}
\end{itemize}
\vspace*{0.5em}
\begin{center}
\frame{\includegraphics[width=1.0\linewidth]{pictures/simple-workflow.png}}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Workflow execution for Event publish}
\begin{itemize}
\setlength\itemsep{1em}
\item[] \hspace*{-2em}\includegraphics[width=16px]{pictures/sc-event-icon.png} \hspace*{0.25em} An Event is about to be published
\begin{itemize}
\item The workflow for the \texttt{event-publish} trigger starts
\end{itemize}
\item[] \hspace*{-2em}\includegraphics[width=16px]{pictures/sc-condition-icon.png} \hspace*{0.25em} Conditions are evaluated
\begin{itemize}
\item They might change the path taken during the execution
\end{itemize}
\item[] \hspace*{-2em}\includegraphics[width=16px]{pictures/sc-action-icon.png} \hspace*{0.25em} Actions are executed
\begin{itemize}
\setlength\itemsep{0.75em}
\item {\bf\color{green!50!black}success}: Continue the publishing action
\hspace*{-4em}\includegraphics[width=1.0\textwidth]{pictures/log-entry-publish-success.png}
\item {\bf\color{red}failure} | \texttt{\color{red}blocked}: Stop publishing and log the reason
\hspace*{-4em}\includegraphics[width=1.0\textwidth]{pictures/log-entry-publish-blocked.png}
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Blocking and non-blocking}
Two types of workflows:
\vspace{0.5em}
\begin{itemize}
\item[] \hspace*{-2em}\includegraphics[valign=m,width=48px]{pictures/blocking-workflow.png} Workflows
\begin{itemize}
\item Can prevent / block the original event to happen
\item If a \textbf{blocking module}\includegraphics[valign=b,width=12px]{pictures/blocking-module.png} blocks the action
\end{itemize}
\vspace{0.5em}
\item[] \hspace*{-2em}\includegraphics[valign=b,width=56px]{pictures/non-blocking-workflow.png} Workflows execution outcome has no impact
\begin{itemize}
\item No way to prevent something that happened in the past
\end{itemize}
\begin{center}
\includegraphics[width=0.4\linewidth]{pictures/time-machine.png}
\end{center}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Sources of Workflow modules (0)}
\begin{itemize}
\item \textbf{Trigger} module: MISP Source code \textbf{only}
\begin{itemize}
\item Get in touch if you want more
\end{itemize}
\item \textbf{Logic} module: MISP Source code \& \textbf{custom}
\item \textbf{Action} module: MISP Source code \& \textbf{custom}
\end{itemize}
\vspace*{2.0em}
\begin{itemize}
\item MISP Source code $\rightarrow$ Built-in \textbf{text} module
\item Custom $\rightarrow$ Write your own at 2 places
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Sources of Workflow modules (1)}
\begin{itemize}
\item Built-in \textbf{default} modules
\begin{itemize}
\item Part of the MISP codebase
\item Get in touch if you want us to increase the selection!
\end{itemize}
\end{itemize}
\vspace*{0.5em}
\begin{center}
\includegraphics[width=0.8\linewidth]{pictures/module-buffet.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Sources of Workflow modules (2)}
User-defined \textbf{custom} modules
\vspace*{0.5em}
\begin{columns}
\begin{column}{0.5\textwidth}
\begin{itemize}
\item Written in PHP
\item Extend existing modules
\item MISP code reuse
\end{itemize}
\end{column}
\begin{column}{0.5\textwidth}
\includegraphics[width=1.0\linewidth]{pictures/php-joke.jpg}
\end{column}
\end{columns}
\end{frame}
\begin{frame}
\frametitle{Sources of Workflow modules (3)}
Modules from the \includegraphics[width=0.20\linewidth]{pictures/misp-module-icon.png} \textbf{enrichment service}
\vspace*{0.5em}
\begin{columns}
\begin{column}{0.50\textwidth}
\begin{itemize}
\item Written in Python
\item Can use any python libraries
\item Plug \& Play
\end{itemize}
\end{column}
\begin{column}{0.50\textwidth}
\includegraphics[width=1.0\linewidth]{pictures/python-joke.png}
\end{column}
\end{columns}
\end{frame}
\begin{frame}
\frametitle{Demo by examples}
\begin{enumerate}
\item[WF-1.] Send an email to \textbf{all} when a new event has been pulled
\vspace*{2em}
\item[WF-2.] Block queries on 3rd party services when \textbf{tlp:red} or \textbf{PAP:red}
\begin{itemize}
\item \textbf{tlp:red}: For the eyes and ears of individual recipients only
\item \textbf{PAP:RED}: Only passive actions that are not detectable from the outside
\end{itemize}
\end{enumerate}
\end{frame}
\section{Workflow - Getting started}
\begin{frame}
\frametitle{Getting started with workflows (1)}
\begin{center}
\includegraphics[width=0.9\linewidth]{pictures/workflow-release.png}
\end{center}
\begin{enumerate}
\item Update your MISP server
\item Update all your sub-modules
\end{enumerate}
\begin{center}
\includegraphics[width=0.6\textwidth]{pictures/upgrade-people.jpeg}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Getting started with workflows (4)}
\centering
{\Large Everything is ready?}\\
\vspace*{3em}
{\LARGE Let's see how to build a workflow!}
\end{frame}
\begin{frame}
\frametitle{Creating a workflow with the editor}
\begin{enumerate}
\item Prevent event publication if \textbf{tlp:red} tag
\item Send a mail to \texttt{admin@admin.test} about potential data leak
\item Otherwise, send a notification on Mattermost
\end{enumerate}
\end{frame}
\section{Considerations when working with workflows}
\begin{frame}
\frametitle{Working with the editor - Operations not allowed}
Execution loop are not authorized
\vspace*{1em}
\begin{columns}
\begin{column}{0.7\textwidth}
\frame{\includegraphics[width=1.0\linewidth]{pictures/editor-not-allowed-1.png}}
\end{column}
\begin{column}{0.3\textwidth}
\frame{\includegraphics[width=1.0\linewidth]{pictures/infinite-loop.jpg}}
\end{column}
\end{columns}
\end{frame}
\begin{frame}
\frametitle{Recursive workflows}
\frame{\includegraphics[width=1.0\linewidth]{pictures/recursive-workflow.png}}
\danger Recursion: If an action re-run the workflow
\end{frame}
\begin{frame}
\frametitle{Working with the editor - Operations not allowed}
Multiple connections from the same output
\vspace*{1em}
\begin{columns}
\begin{column}{0.7\textwidth}
\frame{\includegraphics[width=1.0\linewidth]{pictures/editor-not-allowed-2.png}}
\end{column}
\begin{column}{0.3\textwidth}
\frame{\includegraphics[width=1.0\linewidth]{pictures/two-paths.jpeg}}
\end{column}
\end{columns}
\begin{itemize}
\item Execution order not guaranted
\item Confusing for users
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Working with the editor}
Cases showing a warning:
\begin{itemize}
\item \textbf{Blocking} modules \includegraphics[width=10px]{pictures/blocking-module.png} in a \includegraphics[valign=b,width=56px]{pictures/non-blocking-workflow.png} workflow \includegraphics[width=0.12\linewidth]{pictures/time-machine.png}
\item \textbf{Blocking} modules \includegraphics[width=10px]{pictures/blocking-module.png} after a \textbf{concurrent tasks} module
\begin{center}
\frame{\includegraphics[width=1.0\linewidth]{pictures/editor-warning-1.png}}
\end{center}
\end{itemize}
\end{frame}
\section{Advanced usage}
\begin{frame}
\frametitle{Workflow blueprints}
\hspace*{0.9\textwidth}\includegraphics[width=32px]{pictures/blueprint-32.png}
\vspace*{-2em}
\begin{enumerate}
\item Blueprints allow to \textbf{re-use parts} of a workflow in another one
\item Blueprints can be saved, exported and \textbf{shared}
\end{enumerate}
\begin{center}
\includegraphics[width=0.5\linewidth]{pictures/blueprint-debugging.png}
\end{center}
Blueprints sources:
\begin{enumerate}
\item Created or imported by users
\item From the \texttt{MISP/misp-workflow-blueprints} repository\footnote{\scriptsize https://github.com/MISP/misp-workflow-blueprints}
\end{enumerate}
\end{frame}
\begin{frame}
\frametitle{Data format in Workflows}
\begin{center}
\includegraphics[width=0.7\linewidth]{pictures/workflow-trigger.png}
\end{center}
\begin{itemize}
\item In most cases, the format is the \textbf{MISP Core format}
\begin{itemize}
\item Attributes are \textbf{always encapsulated} in the Event or Object
\end{itemize}
\item But has \textbf{additional properties}
\begin{itemize}
\item Additional key \textbf{\texttt{\_AttributeFlattened}}
\item Additional key \textbf{\texttt{\_allTags}}
\item Additional key \textbf{\texttt{inherited}} for Tags
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Logic module: Concurrent Task}
\begin{itemize}
\item Logic module allowing \textbf{multiple output} connections
\item \textbf{Postpone the execution} for remaining modules
\item Convert \includegraphics[valign=b,width=44px]{pictures/blocking-workflow.png} \faIcon{long-arrow-alt-right} \includegraphics[valign=b,width=56px]{pictures/non-blocking-workflow.png}
\end{itemize}
\begin{center}
\frame{\includegraphics[width=0.5\linewidth]{pictures/module-concurrent.png}}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Debugging options}
\begin{columns}
\begin{column}{0.6\textwidth}
\begin{itemize}
\item Workflow \textbf{execution and outcome}
\item Module \textbf{execution and outcome}
\item \textbf{Live} workflow debugging with module inspection
\item \textbf{Re-running/testing} workflows with custom data
\item \textbf{Stateless} module execution
\end{itemize}
\end{column}
\begin{column}{0.4\textwidth}
\includegraphics[width=1.0\linewidth]{pictures/enough-debugging.jpg}
\end{column}
\end{columns}
\end{frame}
\section{Extending the system}
\begin{frame}
\frametitle{Creating a new module in PHP}
\begin{center}
\includegraphics[scale=0.07]{pictures/PHP-logo.png}
\end{center}
\vspace*{2em}
\begin{itemize}
\item \texttt{\small \textbf{app/Lib/}WorkflowModules/action/[module\_name].php}
\item Designed to be easilty extended
\begin{itemize}
\item Helper functions
\item Module configuration as variables
\item Implement runtime logic
\end{itemize}
\item Main benefits
\begin{itemize}
\item Fast
\item Re-use existing functionalities
\item No need for misp-modules
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Creating a new module in PHP}
\begin{center}
\includegraphics[width=1.0\linewidth]{pictures/custom-1.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Creating a new module in Python}
\begin{center}
\includegraphics[scale=0.03]{pictures/python-logo.png}
\end{center}
\begin{itemize}
\item Similar to how other \texttt{misp-modules} are implemented
\begin{itemize}
\item Helper functions
\item Module configuration as variables
\item Implement runtime logic
\end{itemize}
\item Main benefits
\begin{itemize}
\item Easier than PHP
\item Lots of libraries for integration
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Creating a new module in Python}
\begin{center}
\includegraphics[width=1.0\linewidth]{pictures/custom-2.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{More ideas}
\begin{itemize}
\item Notification when new users join an instance
\item Trigger on any action generating log entries
\item Extend existing MISP behavior: Push correlation in another system
\item Sanity check to block publishing
\item ...
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Under development}
Ease data manipulation with \textbf{filtering modules}
\begin{center}
\includegraphics[width=1.0\textwidth]{pictures/filtering-modules.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Future works}
\begin{columns}
\begin{column}{0.55\textwidth}
\begin{itemize}
\item More \includegraphics[width=12px]{pictures/sc-action-icon.png} modules
\item More \includegraphics[width=12px]{pictures/sc-condition-icon.png} modules
\item More \includegraphics[width=12px]{pictures/sc-event-icon.png} triggers
\item More documentation
\item Recursion prevention system
\item On-the-fly data override?
\end{itemize}
\end{column}
\begin{column}{0.45\textwidth}
\includegraphics[width=1.0\linewidth]{pictures/future-works.jpeg}
\end{column}
\end{columns}
\end{frame}
\begin{frame}
\frametitle{Final words}
\begin{columns}
\begin{column}{0.6\textwidth}
\begin{itemize}
\item Designed to \textbf{quickly} and \textbf{cheaply} integrate MISP in CTI pipelines
\item \underline{\textbf{Beta}} Feature unlikely to change. But still..
\item Waiting for feedback!
\begin{itemize}
\item New triggers?
\item New modules?
\item ...
\end{itemize}
\end{itemize}
\end{column}
\begin{column}{0.4\textwidth}
\includegraphics[width=1.0\linewidth]{pictures/feeling-of-power.jpg}
\end{column}
\end{columns}
\vspace*{0.5em}
\end{frame}
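Review bot: The demo slide for WF-2 (blocking third-party queries on tlp:red / PAP:red) does not say that the guard has to be a blocking module placed before any concurrent-task node; the later slides state that a concurrent task turns a blocking workflow into a non-blocking one and that a blocking module after it only raises an editor warning, so a guard placed there would not stop the query. A one-line remark on that slide, e.g. `\item Keep the blocking check \textbf{before} any concurrent task, otherwise the query is not prevented`, would make the constraint explicit. The footnote URL `https://github.com/MISP/misp-workflow-blueprints` should be wrapped in `\url{...}` for consistent line breaking and linking, as the preamble already does. Also, `thrid-party`, `guaranted` and `easilty` are typos, and `{\bf\color{green!50!black}success}` uses the obsolete `\bf`; `\textbf{\textcolor{green!50!black}{success}}` is the current form.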
