diff --git a/events/20220630-FIRSTCON22/content.tex b/events/20220630-FIRSTCON22/content.tex
new file mode 100644
index 0000000..561702f
--- /dev/null
+++ b/events/20220630-FIRSTCON22/content.tex
@@ -0,0 +1,44 @@
+% DO NOT COMPILE THIS FILE DIRECTLY!
+% This is included by the other .tex files.
+
+\begin{frame}
+\titlepage
+\end{frame}
+
+\begin{frame}
+\frametitle{Agenda}
+ \begin{itemize}
+ \item 09:30 -> 10:50: MISP Intro + Usage %(1h30)
+ \item 30min break
+ \item 11:20 -> 12:40: Usage + Exercise I %(1h20)
+ \item Lunch break
+ \item 14:15 -> 15:35: Excercise I + Excercise II %(1h20)
+ \item 10min break
+ \item 16:05 -> 17:25: Excrcise II %(1h20)
+ \end{itemize}
+ \vspace{0.5cm}
+ \textbf{Hybrid session}: Hands-on \& Open bar for questions
+\end{frame}
+
+\begin{frame}
+ \frametitle{Get in touch if you have any questions}
+ \begin{itemize}
+ \item Contact CIRCL
+ \begin{itemize}
+ \item info@circl.lu
+ \item \url{https://twitter.com/circl_lu}
+ \item \url{https://www.circl.lu/}
+ \end{itemize}
+ \item Contact MISPProject
+ \begin{itemize}
+ \item \url{https://github.com/MISP}
+ \item \url{https://gitter.im/MISP/MISP}
+ \item \url{https://twitter.com/MISPProject}
+ \end{itemize}
+ \item Cerebrate project
+ \begin{itemize}
+ \item \url{https://github.com/cerebrate-project}
+ \item \url{https://github.com/cerebrate-project/cerebrate}
+ \end{itemize}
+ \end{itemize}
+\end{frame}
diff --git a/events/20220630-FIRSTCON22/images/FIRSTCON22-Speaker-Horizontal.png b/events/20220630-FIRSTCON22/images/FIRSTCON22-Speaker-Horizontal.png
new file mode 100644
index 0000000..ec4329d
Binary files /dev/null and b/events/20220630-FIRSTCON22/images/FIRSTCON22-Speaker-Horizontal.png differ
diff --git a/events/20220630-FIRSTCON22/logo-circl.pdf b/events/20220630-FIRSTCON22/logo-circl.pdf
new file mode 100755
index 0000000..62c9239
Binary files /dev/null and b/events/20220630-FIRSTCON22/logo-circl.pdf differ
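Review bot: The Agenda frame spells the same word three ways in consecutive items — `Exercise I`, `Excercise I + Excercise II` and `Excrcise II` — and this is projected text, so the inconsistency is visible to the audience; `Exercise` throughout. The trailing `%(1h30)` / `%(1h20)` comments look like speaker timings; if they are, a beamer `\note{}` on the frame would carry them into the `slide_handout.tex` build, where notes are shown on the second screen, instead of being lost in the source.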
diff --git a/events/20220630-FIRSTCON22/makefile b/events/20220630-FIRSTCON22/makefile
new file mode 100644
index 0000000..6e5a51d
--- /dev/null
+++ b/events/20220630-FIRSTCON22/makefile
@@ -0,0 +1,5 @@
+all:
+ pdflatex -interaction nonstopmode -halt-on-error -file-line-error slide.tex
+
+clean:
+ rm *.aux *.nav *.log *.snm *.toc *.vrb
diff --git a/events/20220630-FIRSTCON22/misp.pdf b/events/20220630-FIRSTCON22/misp.pdf
new file mode 100644
index 0000000..f7a3f9d
Binary files /dev/null and b/events/20220630-FIRSTCON22/misp.pdf differ
diff --git a/events/20220630-FIRSTCON22/misplogo.pdf b/events/20220630-FIRSTCON22/misplogo.pdf
new file mode 100755
index 0000000..60da568
Binary files /dev/null and b/events/20220630-FIRSTCON22/misplogo.pdf differ
diff --git a/events/20220630-FIRSTCON22/slide.tex b/events/20220630-FIRSTCON22/slide.tex
new file mode 100644
index 0000000..f390b50
--- /dev/null
+++ b/events/20220630-FIRSTCON22/slide.tex
@@ -0,0 +1,25 @@
+\documentclass{beamer}
+\usetheme[numbering=progressbar]{focus}
+\definecolor{main}{RGB}{47, 161, 219}
+\definecolor{textcolor}{RGB}{128, 128, 128}
+\definecolor{background}{RGB}{240, 247, 255}
+
+\usepackage[utf8]{inputenc}
+\usepackage{tikz}
+\usepackage{listings}
+\usepackage{adjustbox}
+\usetikzlibrary{positioning}
+\usetikzlibrary{shapes,arrows}
+%\usepackage[T1]{fontenc}
+%\usepackage[scaled]{beramono}
+\author{\small{\input{../includes/authors.txt}}}
+\title{MISP CTI Analyst Training}
+\subtitle{Hands-on workshop}
+\institute{\includegraphics[scale=0.5]{misplogo.pdf}}
+\titlegraphic{\vspace{1cm}\includegraphics[scale=0.65]{misp.pdf}\linebreak\includegraphics[scale=0.6]{images/FIRSTCON22-Speaker-Horizontal.png}}
+
+\date{\input{../includes/location.txt}}
+\begin{document}
+\include{content}
+\end{document}
+
diff --git a/events/20220630-FIRSTCON22/slide_handout.tex b/events/20220630-FIRSTCON22/slide_handout.tex
new file mode 100644
index 0000000..a4af0c3
--- /dev/null
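Review bot: The `clean` recipe runs `rm` without `-f`, so it exits non-zero as soon as one of the six globs has no match (for example no `*.vrb` after a previous clean or an aborted build), which makes `make clean` fail in exactly the situation it is meant to recover from; `rm -f *.aux *.nav *.log *.snm *.toc *.vrb` keeps it idempotent. Neither target is declared phony, so a file named `all` or `clean` in the directory would silently satisfy it; add `.PHONY: all clean`. `all` builds only `slide.tex`, while `slide_handout.tex` added in the same commit has no target at all. A single `pdflatex` pass presumably leaves the focus theme's progress-bar numbering one run stale, since it reads totals from the previous `.aux`; a second invocation, or a `latexmk -pdf slide.tex` recipe, would settle that — confirm on a clean checkout.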
+++ b/events/20220630-FIRSTCON22/slide_handout.tex
@@ -0,0 +1,27 @@
+\documentclass{beamer}
+\usetheme[numbering=progressbar]{focus}
+\definecolor{main}{RGB}{47, 161, 219}
+\definecolor{textcolor}{RGB}{128, 128, 128}
+\definecolor{background}{RGB}{240, 247, 255}
+
+\usepackage[utf8]{inputenc}
+\usepackage{tikz}
+\usepackage{listings}
+\usepackage{adjustbox}
+\usetikzlibrary{positioning}
+\usepackage{pgfpages}
+\setbeameroption{show notes on second screen=right}
+\usetikzlibrary{shapes,arrows}
+%\usepackage[T1]{fontenc}
+%\usepackage[scaled]{beramono}
+\author{\small{\input{../includes/authors.txt}}}
+\title{MISP CTI Analyst Training}
+\subtitle{Hands-on workshop}
+\institute{\includegraphics[scale=0.5]{misplogo.pdf}}
+\titlegraphic{\vspace{1cm}\includegraphics[scale=0.65]{misp.pdf}\linebreak\includegraphics[scale=0.6]{images/FIRSTCON22-Speaker-Horizontal.png}}
+
+\date{\input{../includes/location.txt}}
+\begin{document}
+\include{content}
+\end{document}
+
diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/content.tex b/events/20221101-FIRSTCTI-Berlin-Workflows/content.tex
new file mode 100755
index 0000000..9a6604f
--- /dev/null
+++ b/events/20221101-FIRSTCTI-Berlin-Workflows/content.tex
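Review bot: This preamble duplicates `slide.tex` line for line except for the two `pgfpages` / `show notes on second screen=right` lines, so every later change to colours, packages or the title block has to be made twice and the two decks will drift; moving the shared lines into a `preamble.tex` that both files `\input` keeps them in sync. Both files also `\include{content}` from the same directory, so each build writes `content.aux`; that is fine when run one after the other but presumably lets concurrent slide and handout builds clobber each other's aux — `\input{content}` avoids the extra aux file altogether and is the usual choice for a single included frame file.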
@@ -0,0 +1,643 @@
+% DO NOT COMPILE THIS FILE DIRECTLY!
+% This is included by the other .tex files.
+
+\begin{frame}[t,plain]
+\titlepage
+\end{frame}
+
+\begin{frame}
+ \frametitle{What problems are we trying to tackle?}
+ \begin{itemize}
+ \item \textbf{Prevent} default MISP behaviors to happen
+ \item \textbf{Hook} specific actions to run callbacks
+ \item Use-cases:
+ \begin{itemize}
+ \item Prevent publication of events not passing sanity checks
+ \item Prevent querying thrid-party services with sensitive information
+ \item Send notifications in a chat rooms
+ \item And much much more...
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{What already exists in MISP?}
+ \includegraphics[width=16px]{pictures/python-logo.png}\hspace*{0.5em} \textbf{MISP API / PyMISP}
+ \begin{itemize}
+ \item Needs CRON Jobs in place
+ \item Heavy for the server
+ \item Not realtime
+ \end{itemize}
+ \vspace*{1em}
+ \includegraphics[width=16px]{pictures/zeromq.png}\hspace*{0.5em} \textbf{PubSub channels}
+ \begin{itemize}
+ \item After the actions happen: No feedback to MISP
+ \item Tougher to put in place \& to share
+ \item Full integration amounts to develop a new tool
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Simple automation made easy}
+ \begin{center}
+ \includegraphics[width=0.3\linewidth]{pictures/automation.png}
+ \end{center}
+ \begin{itemize}
+ \item Why?
+ \begin{itemize}
+ \item Everyone loves \textbf{simple automation}
+ \item \textbf{Visual} dataflow programming
+ \item Users want \textbf{more control}
+ \end{itemize}
+ \item How?
+ \begin{itemize}
+ \item \textbf{Drag \& Drop} editor
+ \item Prevent actions \textbf{before they happen}
+ \item Flexible \textbf{Plug \& Play} system
+ \item \textbf{Share} workflows, \textbf{debug} and \textbf{replay}
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Content of the presentation}
+ \begin{itemize}
+ \item MISP Workflows fundamentals
+ \item Demo by examples
+ \item Get started
+ \item Using the system \& how it can be extended
+ \end{itemize}
+
+ \vspace*{1em}
+ \begin{center}
+ \frame{\includegraphics[width=0.7\linewidth]{pictures/overview.png}}
+ \end{center}
+\end{frame}
+
+\section{Workflow - Fundamentals}
+\begin{frame}
+ \frametitle{How does it work}
+ \begin{center}
+ \frame{\includegraphics[width=0.4\linewidth]{pictures/event-condition-action.png}}
+ \end{center}
+ \begin{enumerate}
+ \item An \textbf{event} happens in MISP
+ \item Check if all \textbf{conditions} are satisfied
+ \item Execute all \textbf{actions}
+ \begin{itemize}
+ \item May prevent MISP to complete its original event
+ \end{itemize}
+ \end{enumerate}
+\end{frame}
+
+\begin{frame}
+ \frametitle{What kind of events?}
+ \includegraphics[width=60px]{pictures/sc-event.png}
+ \vspace*{0.5em}
+ \begin{itemize}
+ \item New MISP Event
+ \item Attribute has been saved
+ \item New discussion post
+ \item New user created
+ \item Query against third-party services
+ \item ...
+ \end{itemize}
+ \vspace*{1em}
+ In MISP Workflow terminology, supported events are called \textbf{Triggers}
+\end{frame}
+
+\begin{frame}
+ \frametitle{What kind of conditions?}
+ \includegraphics[width=70px]{pictures/sc-condition.png}
+ \vspace*{0.5em}
+ \begin{itemize}
+ \item An MISP Event is tagged with \texttt{tlp:red}
+ \item The distribution an Attribute is a sharing group
+ \item The creator organisation is \texttt{circl.lu}
+ \item Or any other \textbf{generic} conditions
+ \end{itemize}
+
+ \vspace*{1em}
+ In MISP Workflow terminology, these are also called \textbf{Logic modules}
+\end{frame}
+
+\begin{frame}
+ \frametitle{What kind of actions?}
+ \includegraphics[width=60px]{pictures/sc-action.png}
+ \vspace*{0.5em}
+ \begin{itemize}
+ \item Send an email notification
+ \item Perform enrichments
+ \item Send a chat message on MS Teams
+ \item Attach a local tag
+ \item ...
+ \end{itemize}
+
+ \vspace*{1em}
+ In MISP Workflow terminology, these are also called \textbf{Action modules}
+\end{frame}
+
+\begin{frame}
+ \frametitle{What is a MISP Workflow?}
+ \begin{itemize}
+ \item Sequence of all nodes to be executed in the specified order
+ \item Basically the whole connected graph.
+ \item Workflows can be enabled / disabled
+ \item Workflows are always linked to a \textbf{trigger}
+ \end{itemize}
+ \begin{center}
+ \frame{\includegraphics[width=1.0\linewidth]{pictures/simple-workflow.png}}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Workflow execution for Event publish}
+ \begin{itemize}
+ \setlength\itemsep{1em}
+ \item[] \hspace*{-2em}\includegraphics[width=16px]{pictures/sc-event-icon.png} \hspace*{0.25em} An Event is about to be published
+ \begin{itemize}
+ \item The workflow for the \texttt{event-publish} trigger starts
+ \end{itemize}
+ \item[] \hspace*{-2em}\includegraphics[width=16px]{pictures/sc-condition-icon.png} \hspace*{0.25em} Conditions are evaluated
+ \item[] \hspace*{-2em}\includegraphics[width=16px]{pictures/sc-action-icon.png} \hspace*{0.25em} Actions are executed
+ \begin{itemize}
+ \setlength\itemsep{0.75em}
+ \item {\bf\color{green!50!black}success}: Continue the publishing action
+ \hspace*{-4em}\includegraphics[width=1.0\textwidth]{pictures/log-entry-publish-success.png}
+ \item {\bf\color{red}failure} | \texttt{\color{red}blocked}: Stop publishing and log the reason
+ \hspace*{-4em}\includegraphics[width=1.0\textwidth]{pictures/log-entry-publish-blocked.png}
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Blocking and non-blocking}
+ Two types of workflows:
+ \vspace{0.5em}
+ \begin{itemize}
+ \item[] \hspace*{-2em}\includegraphics[width=48px]{pictures/blocking-workflow.png} Workflows
+ \begin{itemize}
+ \item Can prevent / block the original event to happen
+ \item If a \textbf{blocking module}\includegraphics[width=10px]{pictures/blocking-module.png} blocks the action
+ \end{itemize}
+ \vspace{0.5em}
+ \item[] \hspace*{-2em}{\bf Regular} Workflows execution outcome has no impact
+ \begin{itemize}
+ \item \textbf{Blocking modules} No way to prevent something that has already happened
+ \end{itemize}
+ \begin{center}
+ \includegraphics[width=0.4\linewidth]{pictures/time-machine.png}
+ \end{center}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Workflow - Action modules}
+ % \begin{center}
+ % \includegraphics[width=0.6\linewidth]{pictures/module-type.png}
+ % \end{center}
+ \begin{itemize}
+ \item \includegraphics[width=12px]{pictures/sc-action-icon.png} \textbf{action} modules: Allow to executes operations or custom scripts
+ \begin{itemize}
+ \item Tag operations
+ \item Send notifications
+ \item Webhooks
+ \end{itemize}
+ \end{itemize}
+ \begin{center}
+ \includegraphics[width=1.0\linewidth]{pictures/action-module-index.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Workflow - Logic modules}
+ \begin{itemize}
+ \item \includegraphics[width=12px]{pictures/sc-condition-icon.png} \textbf{logic} modules: Allow to redirect the execution flow.
+ \begin{itemize}
+ \item IF conditions
+ \item Delay execution
+ \end{itemize}
+ \end{itemize}
+ \begin{center}
+ \includegraphics[width=1.0\linewidth]{pictures/logic-module-index.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Sources of Workflow modules (1)}
+ \begin{itemize}
+ \item Built-in \textbf{default} modules
+ \begin{itemize}
+ \item Part of the MISP codebase
+ \item Get in touch if you want us to increase the selection!
+ \end{itemize}
+ \end{itemize}
+ \begin{center}
+ \includegraphics[width=1.0\linewidth]{pictures/module-buffet.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Sources of Workflow modules (2)}
+ User-defined \textbf{custom} modules
+ \vspace*{0.5em}
+ \begin{columns}
+ \begin{column}{0.5\textwidth}
+ \begin{itemize}
+ \item Written in PHP
+ \item Extend existing modules
+ \item MISP code reuse
+ \end{itemize}
+ \end{column}
+ \begin{column}{0.5\textwidth}
+ \includegraphics[width=1.0\linewidth]{pictures/php-joke.jpg}
+ \end{column}
+ \end{columns}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Sources of Workflow modules (3)}
+ Modules from the \includegraphics[width=0.20\linewidth]{pictures/misp-module-icon.png} \textbf{enrichment service}
+ \vspace*{0.5em}
+ \begin{columns}
+ \begin{column}{0.50\textwidth}
+ \begin{itemize}
+ \item Written in Python
+ \item Can use any python libraries
+ \item Plug \& Play
+ \end{itemize}
+ \end{column}
+ \begin{column}{0.50\textwidth}
+ \includegraphics[width=1.0\linewidth]{pictures/python-joke.png}
+ \end{column}
+ \end{columns}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Triggers currently available}
+ Currently 10 triggers can be hooked. 3 being \includegraphics[width=36px]{pictures/blocking-workflow.png}.
+ \begin{center}
+ \includegraphics[width=1.0\linewidth]{pictures/triggers.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Demo by examples}
+ \begin{enumerate}
+ \item Send an email to \textbf{all} when a new event is created
+ \item Block queries on 3rd party services when \textbf{tlp:red} or \textbf{PAP:red}
+ \end{enumerate}
+\end{frame}
+
+\section{Workflow - Getting started}
+\begin{frame}
+ \frametitle{Getting started with workflows (1)}
+ \begin{center}
+ \includegraphics[width=0.9\linewidth]{pictures/workflow-release.png}
+ \end{center}
+ \begin{enumerate}
+ \item Update your MISP server
+ \item Update all your sub-modules
+ \end{enumerate}
+ \begin{center}
+ \includegraphics[width=0.6\textwidth]{pictures/upgrade-people.jpeg}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Getting started with workflows (2)}
+ Review MISP settings:
+ \begin{enumerate}
+ \item Make sure \texttt{\bf MISP.background\_jobs} is turned on
+ \item Make sure workers are \textbf{up-and-running} and healthy
+ \item Turn the setting \texttt{\bf Plugin.Workflow\_enable} on
+ \end{enumerate}
+ \begin{center}
+ \includegraphics[width=1.0\textwidth]{pictures/settings-2.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Getting started with workflows (3)}
+ [optional] Wanna enjoy \includegraphics[width=0.17\linewidth]{pictures/misp-module-icon.png} ?
+ \begin{enumerate}
+ \item Turn the setting \texttt{\bf Plugin.Action\_services\_enable} on
+ \end{enumerate}
+ \begin{center}
+ \includegraphics[width=1.0\textwidth]{pictures/settings-1.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Getting started with workflows (4)}
+ \begin{enumerate}
+ \item Go to the list of modules
+ \begin{itemize}
+ \item \texttt{Administration > Workflows > List Modules}
+ \item or \url{/workflows/moduleIndex}
+ \end{itemize}
+ \item Make sure \textbf{default} modules are loaded
+ \item {[optional:misp-module]} Make sure \textbf{misp-module} modules are loaded
+ \end{enumerate}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Getting started with workflows (4)}
+ \centering
+ {\Large Everything is ready?}\\
+ \vspace*{3em}
+ {\LARGE Let's see how to build a workflow!}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Creating a workflow with the editor}
+ Prevent event publication if no \textbf{tlp:*} tag, otherwise send a message on Mattermost
+\end{frame}
+
+\section{Considerations when working with workflows}
+\begin{frame}
+ \frametitle{Working with the editor - Operations not allowed}
+ Execution loop are not authorized
+ \vspace*{1em}
+ \begin{columns}
+ \begin{column}{0.7\textwidth}
+ \frame{\includegraphics[width=1.0\linewidth]{pictures/editor-not-allowed-1.png}}
+ \end{column}
+ \begin{column}{0.3\textwidth}
+ \frame{\includegraphics[width=1.0\linewidth]{pictures/infinite-loop.jpg}}
+ \end{column}
+ \end{columns}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Recursive workflows}
+ \frame{\includegraphics[width=1.0\linewidth]{pictures/recursive-workflow.png}}
+ \danger Recursion: If an action re-run the workflow
+\end{frame}
+
+\begin{frame}
+ \frametitle{Working with the editor - Operations not allowed}
+ Multiple connections from the same output
+ \vspace*{1em}
+ \begin{columns}
+ \begin{column}{0.7\textwidth}
+ \frame{\includegraphics[width=1.0\linewidth]{pictures/editor-not-allowed-2.png}}
+ \end{column}
+ \begin{column}{0.3\textwidth}
+ \frame{\includegraphics[width=1.0\linewidth]{pictures/two-paths.jpeg}}
+ \end{column}
+ \end{columns}
+ \begin{itemize}
+ \item Execution order not guaranted
+ \item Confusing for users
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Working with the editor}
+ Cases showing a warning:
+ \begin{itemize}
+ \item \textbf{Blocking} modules \includegraphics[width=10px]{pictures/blocking-module.png} in a \textbf{non-blocking} workflow \includegraphics[width=0.12\linewidth]{pictures/time-machine.png}
+ \item \textbf{Blocking} modules \includegraphics[width=10px]{pictures/blocking-module.png} after a \textbf{concurrent tasks} module
+ \begin{center}
+ \frame{\includegraphics[width=1.0\linewidth]{pictures/editor-warning-1.png}}
+ \end{center}
+ \end{itemize}
+\end{frame}
+
+\section{Advanced usage}
+\begin{frame}
+ \frametitle{Workflow blueprints}
+ \hspace*{0.9\textwidth}\includegraphics[width=32px]{pictures/blueprint-32.png}
+ \vspace*{-2em}
+ \begin{enumerate}
+ \item Blueprints allow to \textbf{re-use parts} of a workflow in another one
+ \item Blueprints can be saved, exported and \textbf{shared}
+ \end{enumerate}
+ \begin{center}
+ \includegraphics[width=0.5\linewidth]{pictures/blueprint-debugging.png}
+ \end{center}
+ Blueprints sources:
+ \begin{enumerate}
+ \item Created or imported by users
+ \item From the \texttt{MISP/misp-workflow-blueprints} repository\footnote{\scriptsize https://github.com/MISP/misp-workflow-blueprints}
+ \end{enumerate}
+\end{frame}
+
+\begin{frame}[fragile]
+ \frametitle{Hash path filtering}
+Filtering and checking conditions using hash path expression.
+\begin{lstlisting}[language=javascript,firstnumber=1]
+$path_expression = '{n}[name=fred].id';
+$users = [
+ {'id': 123, 'name': 'fred', 'surname': 'bloggs'},
+ {'id': 245, 'name': 'fred', 'surname': 'smith'},
+ {'id': 356, 'name': 'joe', 'surname': 'smith'},
+];
+$ids = Hash::extract($users, $path_expression);
+// => $ids will be [123, 245]
+\end{lstlisting}
+\begin{columns}
+ \begin{column}{0.6\textwidth}
+ \begin{center}
+ \includegraphics[width=0.7\linewidth]{pictures/attribute-json.png}
+ \end{center}
+ \end{column}
+ \begin{column}{0.4\textwidth}
+ \includegraphics[width=1.0\linewidth]{pictures/module-if-generic.png}
+ \end{column}
+\end{columns}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Data format in Workflows}
+ \begin{center}
+ \includegraphics[width=0.7\linewidth]{pictures/workflow-trigger.png}
+ \end{center}
+ \begin{itemize}
+ \item In most cases, the format is compliant with the \textbf{MISP Core format}
+ \item But data has \textbf{additional properties}
+ \begin{itemize}
+ \item Attributes are \textbf{always encapsulated} in the Event or Object
+ \item Additional key \textbf{\texttt{\_AttributeFlattened}}
+ \item Additional key \textbf{\texttt{\_allTags}}
+ \item Additional key \textbf{\texttt{inherited}} for Tags
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Logic module: Concurrent Task}
+ \begin{itemize}
+ \item Logic module allowing \textbf{multiple output} connections
+ \item \textbf{Postpone the execution} for remaining modules
+ \item Blocking modules\includegraphics[width=10px]{pictures/blocking-module.png} \textbf{cannot cancel} ongoing operations \includegraphics[width=0.05\linewidth]{pictures/time-machine.png}
+ \end{itemize}
+ \begin{center}
+ \frame{\includegraphics[width=0.5\linewidth]{pictures/module-concurrent.png}}
+ \end{center}
+\end{frame}
+
+\section{Debugging}
+\begin{frame}
+ \frametitle{Debugging Workflows: Log Entries}
+ \begin{itemize}
+ \item Workflow execution is logged in the application logs:
+ \begin{itemize}
+ \item \texttt{/admin/logs/index}
+ \end{itemize}
+ \item Or stored on disk in the following file:
+ \begin{itemize}
+ \item \texttt{/app/tmp/logs/workflow-execution.log}
+ \end{itemize}
+ \end{itemize}
+ \begin{center}
+ \includegraphics[width=1.0\linewidth]{pictures/workflow-debug.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Debugging Workflows: Debug mode}
+ \begin{itemize}
+ \item The \includegraphics[width=70px]{pictures/debug-mode.png} can be turned on for each workflows
+ \item Each nodes will send data to the provided URL
+ \begin{itemize}
+ \item Configure the setting: \texttt{Plugin.Workflow\_debug\_url}
+ \end{itemize}
+ \item Result can be visualized in
+ \begin{itemize}
+ \item \textbf{offline}: \texttt{tools/misp-workflows/webhook-listener.py}
+ \item \textbf{online}: \url{requestbin.com} or similar websites
+ \end{itemize}
+ \end{itemize}
+ \begin{center}
+ \includegraphics[width=0.6\linewidth]{pictures/request-bin.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Debugging modules: Stateless execution}
+ \begin{itemize}
+ \item Test custom modules with custom input
+ \end{itemize}
+ \begin{center}
+ \includegraphics[width=1.0\linewidth]{pictures/stateless-execution.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Debugging modules: Re-running workflows}
+ \begin{itemize}
+ \item Try workflows with custom input
+ \item Re-run workflows to ease debugging
+ \end{itemize}
+ \begin{center}
+ \frame{\includegraphics[width=0.55\linewidth]{pictures/running-workflows.png}}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Debugging options}
+ \begin{columns}
+ \begin{column}{0.6\textwidth}
+ \begin{itemize}
+ \item Workflow execution and outcome
+ \item Module execution and outcome
+ \item Live workflow debugging with module inspection
+ \item Re-running/testing workflows with custom data
+ \item Stateless module execution
+ \end{itemize}
+ \end{column}
+ \begin{column}{0.4\textwidth}
+ \includegraphics[width=1.0\linewidth]{pictures/enough-debugging.jpg}
+ \end{column}
+ \end{columns}
+\end{frame}
+
+\section{Extending the system}
+\begin{frame}
+ \frametitle{Creating a new module in PHP}
+ \begin{center}
+ \includegraphics[width=0.65\linewidth]{pictures/custom-1.png}
+ \end{center}
+
+ \begin{itemize}
+ \item \texttt{\small \textbf{app/Lib/}WorkflowModules/action/[module\_name].php}
+ \item Designed to be easilty extended
+ \begin{itemize}
+ \item Helper functions
+ \item Module configuration as variables
+ \item Implement runtime logic
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Creating a new module in Python}
+ \begin{center}
+ \includegraphics[width=0.65\linewidth]{pictures/custom-2.png}
+ \end{center}
+
+ \begin{itemize}
+ \item Similar to how other \texttt{misp-modules} are implemented
+ \begin{itemize}
+ \item Helper functions
+ \item Module configuration as variables
+ \item Implement runtime logic
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Ideas}
+ \begin{itemize}
+ \item Chat notification a community when new user joins an instance
+ \item Trigger on any action via log entries
+ \item Extend existing MISP behavior: Push correlation in another system
+ \item Sanity check to block publishing
+ \item ...
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Future works}
+ \begin{columns}
+ \begin{column}{0.55\textwidth}
+ \begin{itemize}
+ \item More \includegraphics[width=12px]{pictures/sc-action-icon.png} modules
+ \item More \includegraphics[width=12px]{pictures/sc-condition-icon.png} modules
+ \item More \includegraphics[width=12px]{pictures/sc-event-icon.png} triggers
+ \item More documentation
+ \item Recursion prevention system
+ \item On-the-fly data override?
+ \end{itemize}
+ \end{column}
+ \begin{column}{0.45\textwidth}
+ \includegraphics[width=1.0\linewidth]{pictures/future-works.jpeg}
+ \end{column}
+ \end{columns}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Final words}
+ \begin{columns}
+ \begin{column}{0.6\textwidth}
+ \begin{itemize}
+ \item Feature designed to quickly and cheaply support CTI pipeline
+ \item \textbf{Beta}: Feature unlikely to change. But still..
+ \item Waiting for feedback!
+ \begin{itemize}
+ \item New triggers?
+ \item New action modules?
+ \item New conditional modules?
+ \item ...
+ \end{itemize}
+ \end{itemize}
+ \end{column}
+ \begin{column}{0.4\textwidth}
+ \includegraphics[width=1.0\linewidth]{pictures/feeling-of-power.jpg}
+ \end{column}
+ \end{columns}
+ \vspace*{0.5em}
+\end{frame}
+
diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/misp.pdf b/events/20221101-FIRSTCTI-Berlin-Workflows/misp.pdf
new file mode 100644
index 0000000..f7a3f9d
Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/misp.pdf differ
diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/action-module-index.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/action-module-index.png
new file mode 100644
index 0000000..dd9c62d
Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/action-module-index.png differ
diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/attribute-json.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/attribute-json.png
new file mode 100644
index 0000000..4ad2065
Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/attribute-json.png differ
diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/automation.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/automation.png
new file mode 100644
index 0000000..d628e0f
Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/automation.png differ
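Review bot: The "Debugging Workflows: Debug mode" frame recommends `\url{requestbin.com} or similar websites` as the target of `Plugin.Workflow_debug_url`, right after the bullet saying every node sends its data to that URL; per the "Data format in Workflows" frame that data is the MISP Core payload of the trigger (event, attributes, all tags), so a public request bin would receive the very `tlp:red` material the "Demo by examples" frame sets out to keep away from third parties. A bullet such as `\item Debug payloads carry the full event data: use the offline listener for anything non-public` would keep the two frames consistent. Separately, the "Hash path filtering" listing is CakePHP (`Hash::extract`) but is tagged `language=javascript`, and its element literals are written `{'id': 123, ...}` rather than PHP array syntax; `language=php` with `['id' => 123, 'name' => 'fred', 'surname' => 'bloggs'],` would make the snippet both correctly highlighted and valid. The hunk also carries a few visible typos (`thrid-party`, `guaranted`, `easilty`) worth fixing before the deck is presented.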
diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/belgian-joke.jpeg b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/belgian-joke.jpeg
new file mode 100644
index 0000000..6deff1b
Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/belgian-joke.jpeg differ
diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/blocking-module.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/blocking-module.png
new file mode 100644
index 0000000..f8a817d
Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/blocking-module.png differ
diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/blocking-workflow.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/blocking-workflow.png
new file mode 100644
index 0000000..145cc12
Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/blocking-workflow.png differ
diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/blueprint-1.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/blueprint-1.png
new file mode 100644
index 0000000..1e3acbf
Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/blueprint-1.png differ
diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/blueprint-32.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/blueprint-32.png
new file mode 100644
index 0000000..8d1d4c6
Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/blueprint-32.png differ
diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/blueprint-debugging.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/blueprint-debugging.png
new file mode 100644
index 0000000..c2974e7
Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/blueprint-debugging.png differ
diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/ctis.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/ctis.png
new file mode 100644
index 0000000..aef68a5
Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/ctis.png differ
diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/custom-1.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/custom-1.png
new file mode 100644
index 0000000..afadf8e
Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/custom-1.png differ
diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/custom-2.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/custom-2.png
new file mode 100644
index 0000000..0dad53f
Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/custom-2.png differ
diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/debug-mode.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/debug-mode.png
new file mode 100644
index 0000000..ba7688d
Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/debug-mode.png differ
diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/editor-1.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/editor-1.png
new file mode 100644
index 0000000..c8c3edf
Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/editor-1.png differ
diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/editor-not-allowed-1.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/editor-not-allowed-1.png
new file mode 100644
index 0000000..d4dc939
Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/editor-not-allowed-1.png differ
diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/editor-not-allowed-2.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/editor-not-allowed-2.png
new file mode 100644
index 0000000..538bb3f
Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/editor-not-allowed-2.png differ
diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/editor-warning-1.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/editor-warning-1.png
new file mode 100644
index 0000000..8370f96
Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/editor-warning-1.png differ
diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/enough-debugging.jpg b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/enough-debugging.jpg
new file mode 100644
index 0000000..f17c14c
Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/enough-debugging.jpg differ
diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/event-condition-action.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/event-condition-action.png
new file mode 100644
index 0000000..0ee3afe
Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/event-condition-action.png differ
diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/example-1a.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/example-1a.png
new file mode 100644
index 0000000..e4df2d5
Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/example-1a.png differ
diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/example-2a.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/example-2a.png
new file mode 100644
index 0000000..ce103af
Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/example-2a.png differ
diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/feeling-of-power.jpg b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/feeling-of-power.jpg
new file mode 100644
index 0000000..b84c299
Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/feeling-of-power.jpg differ
diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/first-cti.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/first-cti.png
new file mode 100644
index 0000000..5d8fec1
Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/first-cti.png differ
diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/future-works.jpeg b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/future-works.jpeg
new file mode 100644
index 0000000..874805d
Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/future-works.jpeg differ
diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/geekweek75.jpg b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/geekweek75.jpg
new file mode 100644
index 0000000..799e121
Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/geekweek75.jpg differ
diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/infinite-loop.jpg b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/infinite-loop.jpg
new file mode 100644
index 0000000..a45fff7
Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/infinite-loop.jpg differ
diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/log-entry-publish-blocked.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/log-entry-publish-blocked.png
new file mode 100644
index 0000000..9ccb098
Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/log-entry-publish-blocked.png differ
diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/log-entry-publish-success.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/log-entry-publish-success.png
new file mode 100644
index 0000000..2a26119
Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/log-entry-publish-success.png differ
diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/logic-module-index.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/logic-module-index.png
new file mode 100644
index 0000000..736313c
Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/logic-module-index.png differ
diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/misp-module-icon.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/misp-module-icon.png
new file mode 100644
index 0000000..6fa189b
Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/misp-module-icon.png differ
diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/module-buffet.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/module-buffet.png
new file mode 100644
index 0000000..8a4a676
Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/module-buffet.png differ
diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/module-concurrent.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/module-concurrent.png
new file mode 100644
index 0000000..ba994b4
Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/module-concurrent.png differ
diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/module-filtering.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/module-filtering.png
new file mode 100644
index 0000000..876d5ad
Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/module-filtering.png differ
diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/module-if-generic.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/module-if-generic.png new file mode 100644 index 0000000..973ab23 Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/module-if-generic.png differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/module-type.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/module-type.png new file mode 100644 index 0000000..d869b9d Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/module-type.png differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/no-slides-if-demo.jpg b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/no-slides-if-demo.jpg new file mode 100644 index 0000000..aeb155d Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/no-slides-if-demo.jpg differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/no-slides-if-demo2.jpg b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/no-slides-if-demo2.jpg new file mode 100644 index 0000000..38bf7f1 Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/no-slides-if-demo2.jpg differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/no-slides-if-demo3.jpg b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/no-slides-if-demo3.jpg new file mode 100644 index 0000000..61d2a2b Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/no-slides-if-demo3.jpg differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/overview.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/overview.png new file mode 100644 index 0000000..0a5a3d3 Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/overview.png differ 
diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/php-joke.jpg b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/php-joke.jpg new file mode 100644 index 0000000..0abc16d Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/php-joke.jpg differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/psyduck.jpeg b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/psyduck.jpeg new file mode 100644 index 0000000..8e54f30 Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/psyduck.jpeg differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/python-joke.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/python-joke.png new file mode 100644 index 0000000..0ce5189 Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/python-joke.png differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/python-logo.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/python-logo.png new file mode 100644 index 0000000..2416f26 Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/python-logo.png differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/recursive-workflow.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/recursive-workflow.png new file mode 100644 index 0000000..c56eb72 Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/recursive-workflow.png differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/request-bin.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/request-bin.png new file mode 100644 index 0000000..ee355fb Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/request-bin.png differ 
diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/running-workflows.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/running-workflows.png new file mode 100644 index 0000000..d591c8f Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/running-workflows.png differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/sc-action-icon.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/sc-action-icon.png new file mode 100644 index 0000000..2ac49b8 Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/sc-action-icon.png differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/sc-action.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/sc-action.png new file mode 100644 index 0000000..e8d7a66 Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/sc-action.png differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/sc-condition-icon.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/sc-condition-icon.png new file mode 100644 index 0000000..f447a5d Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/sc-condition-icon.png differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/sc-condition.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/sc-condition.png new file mode 100644 index 0000000..bb24b90 Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/sc-condition.png differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/sc-event-icon.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/sc-event-icon.png new file mode 100644 index 0000000..d1f70ef Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/sc-event-icon.png differ 
diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/sc-event.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/sc-event.png new file mode 100644 index 0000000..b58c120 Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/sc-event.png differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/settings-1.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/settings-1.png new file mode 100644 index 0000000..290851b Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/settings-1.png differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/settings-2.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/settings-2.png new file mode 100644 index 0000000..712a31a Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/settings-2.png differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/simple-workflow.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/simple-workflow.png new file mode 100644 index 0000000..f494348 Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/simple-workflow.png differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/stateless-execution.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/stateless-execution.png new file mode 100644 index 0000000..fa513b3 Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/stateless-execution.png differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/time-machine.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/time-machine.png new file mode 100644 index 0000000..494153a Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/time-machine.png differ 
diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/triggers.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/triggers.png new file mode 100644 index 0000000..ba637cc Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/triggers.png differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/two-paths.jpeg b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/two-paths.jpeg new file mode 100644 index 0000000..93542ca Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/two-paths.jpeg differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/upgrade-people.jpeg b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/upgrade-people.jpeg new file mode 100644 index 0000000..1e6ddde Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/upgrade-people.jpeg differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/whoami.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/whoami.png new file mode 100644 index 0000000..eba7518 Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/whoami.png differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/whoami2.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/whoami2.png new file mode 100644 index 0000000..46066cd Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/whoami2.png differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/workflow-debug.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/workflow-debug.png new file mode 100644 index 0000000..a2a932f Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/workflow-debug.png differ 
diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/workflow-experimental.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/workflow-experimental.png new file mode 100644 index 0000000..96e05ec Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/workflow-experimental.png differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/workflow-release.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/workflow-release.png new file mode 100644 index 0000000..1eef024 Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/workflow-release.png differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/workflow-trigger.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/workflow-trigger.png new file mode 100644 index 0000000..9ea7fad Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/workflow-trigger.png differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/zeromq.png b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/zeromq.png new file mode 100644 index 0000000..970e9fc Binary files /dev/null and b/events/20221101-FIRSTCTI-Berlin-Workflows/pictures/zeromq.png differ diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/slide.tex b/events/20221101-FIRSTCTI-Berlin-Workflows/slide.tex new file mode 100644 index 0000000..67961fe --- /dev/null +++ b/events/20221101-FIRSTCTI-Berlin-Workflows/slide.tex 
@@ -0,0 +1,64 @@
+\documentclass{beamer}
+\usetheme[numbering=progressbar]{focus}
+\definecolor{main}{RGB}{47, 161, 219}
+\definecolor{textcolor}{RGB}{128, 128, 128}
+\definecolor{background}{RGB}{240, 247, 255}
+
+% \usepackage{pgfpages}
+% \setbeameroption{show notes on second screen=right}
+\usepackage[draft]{pdfcomment}
+\newcommand{\pdfnote}[1]{\marginnote{\pdfcomment[icon=note]{#1}}}
+
+\usepackage[utf8]{inputenc}
+\usepackage{tikz}
+\usepackage{listings}
+\usepackage{adjustbox}
+\usepackage{fourier}
+\usetikzlibrary{positioning}
+\usetikzlibrary{shapes,arrows}
+
+\lstdefinelanguage{javascript}{
+ basicstyle=\scriptsize,
+ numbers=left,
+ numberstyle=\scriptsize,
+ stepnumber=1,
+ numbersep=5pt,
+ showstringspaces=false,
+ breaklines=true,
+ frame=lines,
+ keywords={typeof, new, true, false, catch, function, return, null, catch, switch, var, if, in, while, do, else, case, break},
+ %keywordstyle=\color{blue}\bfseries,
+ ndkeywords={class, export, boolean, throw, implements, import, this},
+ ndkeywordstyle=\color{darkgray}\bfseries,
+ identifierstyle=\color{black},
+ sensitive=false,
+ comment=[l]{//},
+ morecomment=[s]{/*}{*/},
+ commentstyle=\color{purple}\ttfamily,
+ %stringstyle=\color{red}\ttfamily,
+ morestring=[b]',
+ morestring=[b]"
+}
+\lstdefinelanguage{text}{
+ basicstyle=\scriptsize,
+ numbers=left,
+ numberstyle=\scriptsize,
+ stepnumber=1,
+ numbersep=5pt,
+ showstringspaces=false,
+ breaklines=true,
+ frame=lines
+}
+
+\title{Automation with MISP Workflows}
+\subtitle{A new way to support your CTI pipelines}
+\author{Alexandre Dulaunoy, Andras Iklody, Sami Mokaddem}
+\date{\input{../includes/location.txt}}
+\titlegraphic{\includegraphics[scale=0.5]{misp.pdf}\\ \includegraphics[width=0.8\linewidth]{pictures/first-cti.png}}
+\institute{MISP Project \\ \url{https://www.misp-project.org/}}
+
+
+\begin{document}
+\include{content}
+\end{document}
+
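Review bot: `catch` is listed twice in the `keywords=` line of the `javascript` listings definition, and `sensitive=false` makes keyword matching case-insensitive although JavaScript keywords are case-sensitive, so identifiers such as `New` or `Function` would be highlighted as keywords; drop the duplicate and use `sensitive=true`. The whole preamble, both `\lstdefinelanguage` blocks and the `\pdfnote` macro included, is repeated verbatim in slide_handout.tex (the next hunk), so it could live in one shared file under `../includes/` and be pulled in with `\input`, the way `location.txt` already is, so the two decks cannot drift apart. `\pdfnote` expands to `\marginnote`, which presumably arrives as a transitive dependency of pdfcomment rather than from an explicit `\usepackage{marginnote}`; worth confirming the build rather than relying on that.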
diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/slide.upa b/events/20221101-FIRSTCTI-Berlin-Workflows/slide.upa
new file mode 100644
index 0000000..e69de29
diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/slide_handout.tex b/events/20221101-FIRSTCTI-Berlin-Workflows/slide_handout.tex
new file mode 100644
index 0000000..6e3d259
--- /dev/null
+++ b/events/20221101-FIRSTCTI-Berlin-Workflows/slide_handout.tex
@@ -0,0 +1,66 @@
+\documentclass{beamer}
+\usetheme[numbering=progressbar]{focus}
+\definecolor{main}{RGB}{47, 161, 219}
+\definecolor{textcolor}{RGB}{128, 128, 128}
+\definecolor{background}{RGB}{240, 247, 255}
+
+% \usepackage{pgfpages}
+% \setbeameroption{show notes on second screen=right}
+\usepackage[draft]{pdfcomment}
+\newcommand{\pdfnote}[1]{\marginnote{\pdfcomment[icon=note]{#1}}}
+
+\usepackage{pgfpages}
+\setbeameroption{show notes on second screen=right}
+\usepackage[utf8]{inputenc}
+\usepackage{tikz}
+\usepackage{listings}
+\usepackage{adjustbox}
+\usepackage{fourier}
+\usetikzlibrary{positioning}
+\usetikzlibrary{shapes,arrows}
+
+\lstdefinelanguage{javascript}{
+ basicstyle=\scriptsize,
+ numbers=left,
+ numberstyle=\scriptsize,
+ stepnumber=1,
+ numbersep=5pt,
+ showstringspaces=false,
+ breaklines=true,
+ frame=lines,
+ keywords={typeof, new, true, false, catch, function, return, null, catch, switch, var, if, in, while, do, else, case, break},
+ %keywordstyle=\color{blue}\bfseries,
+ ndkeywords={class, export, boolean, throw, implements, import, this},
+ ndkeywordstyle=\color{darkgray}\bfseries,
+ identifierstyle=\color{black},
+ sensitive=false,
+ comment=[l]{//},
+ morecomment=[s]{/*}{*/},
+ commentstyle=\color{purple}\ttfamily,
+ %stringstyle=\color{red}\ttfamily,
+ morestring=[b]',
+ morestring=[b]"
+}
+\lstdefinelanguage{text}{
+ basicstyle=\scriptsize,
+ numbers=left,
+ numberstyle=\scriptsize,
+ stepnumber=1,
+ numbersep=5pt,
+ showstringspaces=false,
+ breaklines=true,
+ frame=lines
+}
+
+\title{Automation with MISP Workflows}
+\subtitle{A new way to support your CTI pipelines}
+\author{Alexandre Dulaunoy, Andras Iklody, Sami Mokaddem}
+\date{\input{../includes/location.txt}}
+\titlegraphic{\includegraphics[scale=0.5]{misp.pdf}\\ \includegraphics[width=0.8\linewidth]{pictures/first-cti.png}}
+\institute{MISP Project \\ \url{https://www.misp-project.org/}}
+
+
+\begin{document}
+\include{content}
+\end{document}
+
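Review bot: The commented-out `% \usepackage{pgfpages}` and `% \setbeameroption{show notes on second screen=right}` lines near the top of the preamble are followed a few lines later by the same two commands live, so they are a leftover from copying slide.tex and should be removed to avoid confusion about which setting is in effect. With those two lines gone, the only difference from slide.tex is the notes-on-second-screen setting, which makes the handout's intent clearer at a glance.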
diff --git a/events/20221101-FIRSTCTI-Berlin-Workflows/slide_handout.upa b/events/20221101-FIRSTCTI-Berlin-Workflows/slide_handout.upa
new file mode 100644
index 0000000..e69de29
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/content.tex b/events/20221110-FIST-AUTOMATION-SIG-Workflows/content.tex
new file mode 100755
index 0000000..b8eb3c0
--- /dev/null
+++ b/events/20221110-FIST-AUTOMATION-SIG-Workflows/content.tex
@@ -0,0 +1,601 @@
+% DO NOT COMPILE THIS FILE DIRECTLY!
+% This is included by the other .tex files.
+
+\begin{frame}[t,plain]
+\titlepage
+\end{frame}
+
+\begin{frame}
+ \frametitle{Automation in MISP: What already exists?}
+ \includegraphics[valign=m,width=16px]{pictures/python-logo.png}\hspace*{0.5em} \textbf{MISP API / PyMISP}
+ \begin{itemize}
+ \item Needs CRON Jobs in place
+ \item Heavy for the server
+ \item Not realtime
+ \end{itemize}
+ \vspace*{1em}
+ \includegraphics[valign=m,width=16px]{pictures/zeromq.png}\hspace*{0.5em} \textbf{PubSub channels}
+ \begin{itemize}
+ \item After the actions happen: No feedback to MISP
+ \item Tougher to put in place \& to share
+ \item Full integration amounts to develop a new tool
+ \end{itemize}
+ \vspace*{0.5em}
+ $\rightarrow$ No way to \textbf{prevent} behavior\\
+ $\rightarrow$ Difficult to setup \textbf{hooks} to execute callbacks
+\end{frame}
+
+\begin{frame}
+ \frametitle{What type of use-cases are we trying to support?}
+ \begin{itemize}
+ \item \textbf{Prevent} default MISP behaviors to happen
+ \begin{itemize}
+ \item Prevent \textbf{publication of events} not passing sanity checks
+ \item Prevent \textbf{querying} thrid-party \textbf{services} with sensitive information
+ \item $\cdots$
+ \end{itemize}
+ \vspace*{1.0em}
+ \item \textbf{Hook} specific actions to run callbacks
+ \begin{itemize}
+ \item \textbf{Automatically run} enrichment services
+ \item Modify data on-the-fly: False positives, enable CTI-Pipeline
+ \item Send notifications in a chat rooms
+ \item $\cdots$
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Simple automation in MISP made easy}
+ \begin{center}
+ \includegraphics[width=0.3\linewidth]{pictures/automation.png}
+ \end{center}
+ \begin{itemize}
+ \item Why?
+ \begin{itemize}
+ \item Everyone loves \textbf{simple automation}
+ \item \textbf{Visual} dataflow programming
+ \item Users want \textbf{more control}
+ \end{itemize}
+ \item How?
+ \begin{itemize}
+ \item \textbf{Drag \& Drop} editor
+ \item Prevent actions \textbf{before they happen}
+ \item Flexible \textbf{Plug \& Play} system
+ \item \textbf{Share} workflows, \textbf{debug} and \textbf{replay}
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Content of the presentation}
+ \begin{itemize}
+ \item MISP Workflows fundamentals
+ \item Demo by examples
+ \item Using the system
+ \item How it can be extended
+ \end{itemize}
+
+ \vspace*{1em}
+ \begin{center}
+ \frame{\includegraphics[width=0.7\linewidth]{pictures/overview.png}}
+ \end{center}
+\end{frame}
+
+\section{Workflow - Fundamentals}
+\begin{frame}
+ \frametitle{How does it work}
+ \begin{center}
+ \frame{\includegraphics[width=0.6\linewidth]{pictures/event-condition-action.png}}
+ \end{center}
+ \begin{enumerate}
+ \item An \textbf{event} happens in MISP
+ \item Check if all \textbf{conditions} are satisfied
+ \item Execute all \textbf{actions}
+ \begin{itemize}
+ \item May prevent MISP to complete its original event
+ \end{itemize}
+ \end{enumerate}
+\end{frame}
+
+\begin{frame}
+ \frametitle{What kind of events?}
+ \includegraphics[width=60px]{pictures/sc-event.png}
+ \vspace*{0.5em}
+ \begin{itemize}
+ \item New MISP Event
+ \item Attribute has been saved
+ \item New discussion post
+ \item New user created
+ \item Query against third-party services
+ \item ...
+ \end{itemize}
+ \vspace*{1em}
+ {\Large \faIcon{question-circle}} Supported events in MISP are called \textbf{Triggers}\\
+ {\Large \faIcon{question-circle}} A \textbf{Trigger} is associated with \textbf{1-and-only-1 Workflow}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Triggers currently available}
+ Currently 10 triggers can be hooked. 3 being \includegraphics[width=36px]{pictures/blocking-workflow.png}.
+ \begin{center}
+ \includegraphics[width=1.0\linewidth]{pictures/triggers.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{What kind of conditions?}
+ \vspace*{0.25em}
+ \includegraphics[width=70px]{pictures/sc-condition.png}
+ \vspace*{0.25em}
+ \begin{itemize}
+ \item An MISP Event is tagged with \texttt{tlp:red}
+ \item The distribution an Attribute is a sharing group
+ \item The creator organisation is \texttt{circl.lu}
+ \item Or any other \textbf{generic} conditions
+ \end{itemize}
+
+ \vspace*{0.5em}
+ {\Large \faIcon{question-circle}} These are also called \textbf{Logic modules}
+ \begin{center}
+ \includegraphics[width=0.43\textwidth]{pictures/logic-module.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Workflow - Logic modules}
+ \begin{itemize}
+ \item \includegraphics[width=12px]{pictures/sc-condition-icon.png} \textbf{logic} modules: Allow to redirect the execution flow.
+ \begin{itemize}
+ \item IF conditions
+ \item Delay execution
+ \end{itemize}
+ \end{itemize}
+ \begin{center}
+ \includegraphics[width=1.0\linewidth]{pictures/logic-module-index.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{What kind of actions?}
+ \vspace*{0.25em}
+ \includegraphics[width=60px]{pictures/sc-action.png}
+ \vspace*{0.25em}
+ \begin{itemize}
+ \item Send an email notification
+ \item Perform enrichments
+ \item Send a chat message on MS Teams
+ \item Attach a local tag
+ \item ...
+ \end{itemize}
+
+ \vspace*{0.5em}
+ {\Large \faIcon{question-circle}} These are also called \textbf{Action modules}
+ \begin{center}
+ \includegraphics[width=0.43\textwidth]{pictures/action-module.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Workflow - Action modules}
+ \begin{itemize}
+ \item \includegraphics[width=12px]{pictures/sc-action-icon.png} \textbf{action} modules: Allow to executes operations
+ \begin{itemize}
+ \item Tag operations
+ \item Send notifications
+ \item Webhooks
+ \item Custom scripts
+ \end{itemize}
+ \end{itemize}
+ \begin{center}
+ \includegraphics[width=1.0\linewidth]{pictures/action-module-index.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{What is a MISP Workflow?}
+ \begin{itemize}
+ \item Sequence of all nodes to be executed in a specific order
+ \item Workflows can be enabled / disabled
+ \item A Workflow is associated to \textbf{1-and-only-1 trigger}
+ \end{itemize}
+ \vspace*{0.5em}
+ \begin{center}
+ \frame{\includegraphics[width=1.0\linewidth]{pictures/simple-workflow.png}}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Workflow execution for Event publish}
+ \begin{itemize}
+ \setlength\itemsep{1em}
+ \item[] \hspace*{-2em}\includegraphics[width=16px]{pictures/sc-event-icon.png} \hspace*{0.25em} An Event is about to be published
+ \begin{itemize}
+ \item The workflow for the \texttt{event-publish} trigger starts
+ \end{itemize}
+ \item[] \hspace*{-2em}\includegraphics[width=16px]{pictures/sc-condition-icon.png} \hspace*{0.25em} Conditions are evaluated
+ \begin{itemize}
+ \item They might change the path taken during the execution
+ \end{itemize}
+ \item[] \hspace*{-2em}\includegraphics[width=16px]{pictures/sc-action-icon.png} \hspace*{0.25em} Actions are executed
+ \begin{itemize}
+ \setlength\itemsep{0.75em}
+ \item {\bf\color{green!50!black}success}: Continue the publishing action
+ \hspace*{-4em}\includegraphics[width=1.0\textwidth]{pictures/log-entry-publish-success.png}
+ \item {\bf\color{red}failure} | \texttt{\color{red}blocked}: Stop publishing and log the reason
+ \hspace*{-4em}\includegraphics[width=1.0\textwidth]{pictures/log-entry-publish-blocked.png}
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Blocking and non-blocking}
+ Two types of workflows:
+ \vspace{0.5em}
+ \begin{itemize}
+ \item[] \hspace*{-2em}\includegraphics[valign=m,width=48px]{pictures/blocking-workflow.png} Workflows
+ \begin{itemize}
+ \item Can prevent / block the original event to happen
+ \item If a \textbf{blocking module}\includegraphics[valign=b,width=12px]{pictures/blocking-module.png} blocks the action
+ \end{itemize}
+ \vspace{0.5em}
+ \item[] \hspace*{-2em}\includegraphics[valign=b,width=56px]{pictures/non-blocking-workflow.png} Workflows execution outcome has no impact
+ \begin{itemize}
+ \item No way to prevent something that happened in the past
+ \end{itemize}
+ \begin{center}
+ \includegraphics[width=0.4\linewidth]{pictures/time-machine.png}
+ \end{center}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Sources of Workflow modules (0)}
+ \begin{itemize}
+ \item \textbf{Trigger} module: MISP Source code \textbf{only}
+ \begin{itemize}
+ \item Get in touch if you want more
+ \end{itemize}
+ \item \textbf{Logic} module: MISP Source code \& \textbf{custom}
+ \item \textbf{Action} module: MISP Source code \& \textbf{custom}
+ \end{itemize}
+ \vspace*{2.0em}
+ \begin{itemize}
+ \item MISP Source code $\rightarrow$ Built-in \textbf{text} module
+ \item Custom $\rightarrow$ Write your own at 2 places
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Sources of Workflow modules (1)}
+ \begin{itemize}
+ \item Built-in \textbf{default} modules
+ \begin{itemize}
+ \item Part of the MISP codebase
+ \item Get in touch if you want us to increase the selection!
+ \end{itemize}
+ \end{itemize}
+ \vspace*{0.5em}
+ \begin{center}
+ \includegraphics[width=0.8\linewidth]{pictures/module-buffet.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Sources of Workflow modules (2)}
+ User-defined \textbf{custom} modules
+ \vspace*{0.5em}
+ \begin{columns}
+ \begin{column}{0.5\textwidth}
+ \begin{itemize}
+ \item Written in PHP
+ \item Extend existing modules
+ \item MISP code reuse
+ \end{itemize}
+ \end{column}
+ \begin{column}{0.5\textwidth}
+ \includegraphics[width=1.0\linewidth]{pictures/php-joke.jpg}
+ \end{column}
+ \end{columns}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Sources of Workflow modules (3)}
+ Modules from the \includegraphics[width=0.20\linewidth]{pictures/misp-module-icon.png} \textbf{enrichment service}
+ \vspace*{0.5em}
+ \begin{columns}
+ \begin{column}{0.50\textwidth}
+ \begin{itemize}
+ \item Written in Python
+ \item Can use any python libraries
+ \item Plug \& Play
+ \end{itemize}
+ \end{column}
+ \begin{column}{0.50\textwidth}
+ \includegraphics[width=1.0\linewidth]{pictures/python-joke.png}
+ \end{column}
+ \end{columns}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Demo by examples}
+ \begin{enumerate}
+ \item[WF-1.] Send an email to \textbf{all} when a new event has been pulled
+ \vspace*{2em}
+ \item[WF-2.] Block queries on 3rd party services when \textbf{tlp:red} or \textbf{PAP:red}
+ \begin{itemize}
+ \item \textbf{tlp:red}: For the eyes and ears of individual recipients only
+ \item \textbf{PAP:RED}: Only passive actions that are not detectable from the outside
+ \end{itemize}
+ \end{enumerate}
+\end{frame}
+
+\section{Workflow - Getting started}
+\begin{frame}
+ \frametitle{Getting started with workflows (1)}
+ \begin{center}
+ \includegraphics[width=0.9\linewidth]{pictures/workflow-release.png}
+ \end{center}
+ \begin{enumerate}
+ \item Update your MISP server
+ \item Update all your sub-modules
+ \end{enumerate}
+ \begin{center}
+ \includegraphics[width=0.6\textwidth]{pictures/upgrade-people.jpeg}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Getting started with workflows (4)}
+ \centering
+ {\Large Everything is ready?}\\
+ \vspace*{3em}
+ {\LARGE Let's see how to build a workflow!}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Creating a workflow with the editor}
+ \begin{enumerate}
+ \item Prevent event publication if \textbf{tlp:red} tag
+ \item Send a mail to \texttt{admin@admin.test} about potential data leak
+ \item Otherwise, send a notification on Mattermost
+ \end{enumerate}
+\end{frame}
+
+\section{Considerations when working with workflows}
+\begin{frame}
+ \frametitle{Working with the editor - Operations not allowed}
+ Execution loop are not authorized
+ \vspace*{1em}
+ \begin{columns}
+ \begin{column}{0.7\textwidth}
+ \frame{\includegraphics[width=1.0\linewidth]{pictures/editor-not-allowed-1.png}}
+ \end{column}
+ \begin{column}{0.3\textwidth}
+ \frame{\includegraphics[width=1.0\linewidth]{pictures/infinite-loop.jpg}}
+ \end{column}
+ \end{columns}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Recursive workflows}
+ \frame{\includegraphics[width=1.0\linewidth]{pictures/recursive-workflow.png}}
+ \danger Recursion: If an action re-run the workflow
+\end{frame}
+
+\begin{frame}
+ \frametitle{Working with the editor - Operations not allowed}
+ Multiple connections from the same output
+ \vspace*{1em}
+ \begin{columns}
+ \begin{column}{0.7\textwidth}
+ \frame{\includegraphics[width=1.0\linewidth]{pictures/editor-not-allowed-2.png}}
+ \end{column}
+ \begin{column}{0.3\textwidth}
+ \frame{\includegraphics[width=1.0\linewidth]{pictures/two-paths.jpeg}}
+ \end{column}
+ \end{columns}
+ \begin{itemize}
+ \item Execution order not guaranted
+ \item Confusing for users
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Working with the editor}
+ Cases showing a warning:
+ \begin{itemize}
+ \item \textbf{Blocking} modules \includegraphics[width=10px]{pictures/blocking-module.png} in a \includegraphics[valign=b,width=56px]{pictures/non-blocking-workflow.png} workflow \includegraphics[width=0.12\linewidth]{pictures/time-machine.png}
+ \item \textbf{Blocking} modules \includegraphics[width=10px]{pictures/blocking-module.png} after a \textbf{concurrent tasks} module
+ \begin{center}
+ \frame{\includegraphics[width=1.0\linewidth]{pictures/editor-warning-1.png}}
+ \end{center}
+ \end{itemize}
+\end{frame}
+
+\section{Advanced usage}
+\begin{frame}
+ \frametitle{Workflow blueprints}
+ \hspace*{0.9\textwidth}\includegraphics[width=32px]{pictures/blueprint-32.png}
+ \vspace*{-2em}
+ \begin{enumerate}
+ \item Blueprints allow to \textbf{re-use parts} of a workflow in another one
+ \item Blueprints can be saved, exported and \textbf{shared}
+ \end{enumerate}
+ \begin{center}
+ \includegraphics[width=0.5\linewidth]{pictures/blueprint-debugging.png}
+ \end{center}
+ Blueprints sources:
+ \begin{enumerate}
+ \item Created or imported by users
+ \item From the \texttt{MISP/misp-workflow-blueprints} repository\footnote{\scriptsize https://github.com/MISP/misp-workflow-blueprints}
+ \end{enumerate}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Data format in Workflows}
+ \begin{center}
+ \includegraphics[width=0.7\linewidth]{pictures/workflow-trigger.png}
+ \end{center}
+ \begin{itemize}
+ \item In most cases, the format is the \textbf{MISP Core format}
+ \begin{itemize}
+ \item Attributes are \textbf{always encapsulated} in the Event or Object
+ \end{itemize}
+ \item But has \textbf{additional properties}
+ \begin{itemize}
+ \item Additional key \textbf{\texttt{\_AttributeFlattened}}
+ \item Additional key \textbf{\texttt{\_allTags}}
+ \item Additional key \textbf{\texttt{inherited}} for Tags
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Logic module: Concurrent Task}
+ \begin{itemize}
+ \item Logic module allowing \textbf{multiple output} connections
+ \item \textbf{Postpone the execution} for remaining modules
+ \item Convert \includegraphics[valign=b,width=44px]{pictures/blocking-workflow.png} \faIcon{long-arrow-alt-right} \includegraphics[valign=b,width=56px]{pictures/non-blocking-workflow.png}
+ \end{itemize}
+ \begin{center}
+ \frame{\includegraphics[width=0.5\linewidth]{pictures/module-concurrent.png}}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Debugging options}
+ \begin{columns}
+ \begin{column}{0.6\textwidth}
+ \begin{itemize}
+ \item Workflow \textbf{execution and outcome}
+ \item Module \textbf{execution and outcome}
+ \item \textbf{Live} workflow debugging with module inspection
+ \item \textbf{Re-running/testing} workflows with custom data
+ \item \textbf{Stateless} module execution
+ \end{itemize}
+ \end{column}
+ \begin{column}{0.4\textwidth}
+ \includegraphics[width=1.0\linewidth]{pictures/enough-debugging.jpg}
+ \end{column}
+ \end{columns}
+\end{frame}
+
+\section{Extending the system}
+\begin{frame}
+ \frametitle{Creating a new module in PHP}
+ \begin{center}
+ \includegraphics[scale=0.07]{pictures/PHP-logo.png}
+ \end{center}
+ \vspace*{2em}
+ \begin{itemize}
+ \item \texttt{\small \textbf{app/Lib/}WorkflowModules/action/[module\_name].php}
+ \item Designed to be easilty extended
+ \begin{itemize}
+ \item Helper functions
+ \item Module configuration as variables
+ \item Implement runtime logic
+ \end{itemize}
+ \item Main benefits
+ \begin{itemize}
+ \item Fast
+ \item Re-use existing functionalities
+ \item No need for misp-modules
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Creating a new module in PHP}
+ \begin{center}
+ \includegraphics[width=1.0\linewidth]{pictures/custom-1.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Creating a new module in Python}
+ \begin{center}
+ \includegraphics[scale=0.03]{pictures/python-logo.png}
+ \end{center}
+ \begin{itemize}
+ \item Similar to how other \texttt{misp-modules} are implemented
+ \begin{itemize}
+ \item Helper functions
+ \item Module configuration as variables
+ \item Implement runtime logic
+ \end{itemize}
+ \item Main benefits
+ \begin{itemize}
+ \item Easier than PHP
+ \item Lots of libraries for integration
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Creating a new module in Python}
+ \begin{center}
+ \includegraphics[width=1.0\linewidth]{pictures/custom-2.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{More ideas}
+ \begin{itemize}
+ \item Notification when new users join an instance
+ \item Trigger on any action generating log entries
+ \item Extend existing MISP behavior: Push correlation in another system
+ \item Sanity check to block publishing
+ \item ...
+ \end{itemize} +\end{frame} + +\begin{frame} + \frametitle{Under development} + Ease data manipulation with \textbf{filtering modules} + \begin{center} + \includegraphics[width=1.0\textwidth]{pictures/filtering-modules.png} + \end{center} +\end{frame} + +\begin{frame} + \frametitle{Future works} + \begin{columns} + \begin{column}{0.55\textwidth} + \begin{itemize} + \item More \includegraphics[width=12px]{pictures/sc-action-icon.png} modules + \item More \includegraphics[width=12px]{pictures/sc-condition-icon.png} modules + \item More \includegraphics[width=12px]{pictures/sc-event-icon.png} triggers + \item More documentation + \item Recursion prevention system + \item On-the-fly data override? + \end{itemize} + \end{column} + \begin{column}{0.45\textwidth} + \includegraphics[width=1.0\linewidth]{pictures/future-works.jpeg} + \end{column} + \end{columns} +\end{frame} + +\begin{frame} + \frametitle{Final words} + \begin{columns} + \begin{column}{0.6\textwidth} + \begin{itemize} + \item Designed to \textbf{quickly} and \textbf{cheaply} integrate MISP in CTI pipelines + \item \underline{\textbf{Beta}} Feature unlikely to change. But still.. + \item Waiting for feedback! + \begin{itemize} + \item New triggers? + \item New modules? + \item ... + \end{itemize} + \end{itemize} + \end{column} + \begin{column}{0.4\textwidth} + \includegraphics[width=1.0\linewidth]{pictures/feeling-of-power.jpg} + \end{column} + \end{columns} + \vspace*{0.5em} +\end{frame} + diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/misp.pdf b/events/20221110-FIST-AUTOMATION-SIG-Workflows/misp.pdf new file mode 100644 index 0000000..f7a3f9d Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/misp.pdf differ 
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/PHP-logo.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/PHP-logo.png new file mode 100644 index 0000000..296dfe2 Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/PHP-logo.png differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/action-module-index.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/action-module-index.png new file mode 100644 index 0000000..dd9c62d Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/action-module-index.png differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/action-module.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/action-module.png new file mode 100644 index 0000000..6b622e8 Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/action-module.png differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/attribute-json.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/attribute-json.png new file mode 100644 index 0000000..4ad2065 Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/attribute-json.png differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/automation.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/automation.png new file mode 100644 index 0000000..d628e0f Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/automation.png differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/belgian-joke.jpeg b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/belgian-joke.jpeg new file mode 100644 index 0000000..6deff1b Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/belgian-joke.jpeg differ 
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/blocking-module.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/blocking-module.png new file mode 100644 index 0000000..f8a817d Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/blocking-module.png differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/blocking-workflow.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/blocking-workflow.png new file mode 100644 index 0000000..145cc12 Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/blocking-workflow.png differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/blueprint-1.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/blueprint-1.png new file mode 100644 index 0000000..1e3acbf Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/blueprint-1.png differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/blueprint-32.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/blueprint-32.png new file mode 100644 index 0000000..8d1d4c6 Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/blueprint-32.png differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/blueprint-debugging.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/blueprint-debugging.png new file mode 100644 index 0000000..c2974e7 Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/blueprint-debugging.png differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/ctis.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/ctis.png new file mode 100644 index 0000000..aef68a5 Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/ctis.png differ 
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/custom-1.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/custom-1.png new file mode 100644 index 0000000..afadf8e Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/custom-1.png differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/custom-2.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/custom-2.png new file mode 100644 index 0000000..0dad53f Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/custom-2.png differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/debug-mode.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/debug-mode.png new file mode 100644 index 0000000..ba7688d Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/debug-mode.png differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/editor-1.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/editor-1.png new file mode 100644 index 0000000..c8c3edf Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/editor-1.png differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/editor-not-allowed-1.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/editor-not-allowed-1.png new file mode 100644 index 0000000..d4dc939 Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/editor-not-allowed-1.png differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/editor-not-allowed-2.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/editor-not-allowed-2.png new file mode 100644 index 0000000..538bb3f Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/editor-not-allowed-2.png differ 
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/editor-warning-1.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/editor-warning-1.png new file mode 100644 index 0000000..8370f96 Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/editor-warning-1.png differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/enough-debugging.jpg b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/enough-debugging.jpg new file mode 100644 index 0000000..f17c14c Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/enough-debugging.jpg differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/event-condition-action.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/event-condition-action.png new file mode 100644 index 0000000..0ee3afe Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/event-condition-action.png differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/example-1a.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/example-1a.png new file mode 100644 index 0000000..e4df2d5 Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/example-1a.png differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/example-2a.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/example-2a.png new file mode 100644 index 0000000..ce103af Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/example-2a.png differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/feeling-of-power.jpg b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/feeling-of-power.jpg new file mode 100644 index 0000000..b84c299 Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/feeling-of-power.jpg differ 
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/filtering-modules.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/filtering-modules.png new file mode 100644 index 0000000..9ca53e3 Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/filtering-modules.png differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/first-cti.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/first-cti.png new file mode 100644 index 0000000..5d8fec1 Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/first-cti.png differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/future-works.jpeg b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/future-works.jpeg new file mode 100644 index 0000000..874805d Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/future-works.jpeg differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/geekweek75.jpg b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/geekweek75.jpg new file mode 100644 index 0000000..799e121 Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/geekweek75.jpg differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/infinite-loop.jpg b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/infinite-loop.jpg new file mode 100644 index 0000000..a45fff7 Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/infinite-loop.jpg differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/log-entry-publish-blocked.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/log-entry-publish-blocked.png new file mode 100644 index 0000000..9ccb098 Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/log-entry-publish-blocked.png differ 
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/log-entry-publish-success.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/log-entry-publish-success.png new file mode 100644 index 0000000..2a26119 Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/log-entry-publish-success.png differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/logic-module-index.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/logic-module-index.png new file mode 100644 index 0000000..736313c Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/logic-module-index.png differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/logic-module.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/logic-module.png new file mode 100644 index 0000000..6a48ce6 Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/logic-module.png differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/misp-module-icon.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/misp-module-icon.png new file mode 100644 index 0000000..6fa189b Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/misp-module-icon.png differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/module-buffet.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/module-buffet.png new file mode 100644 index 0000000..8a4a676 Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/module-buffet.png differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/module-concurrent.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/module-concurrent.png new file mode 100644 index 0000000..ba994b4 Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/module-concurrent.png differ 
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/module-filtering.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/module-filtering.png new file mode 100644 index 0000000..876d5ad Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/module-filtering.png differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/module-if-generic.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/module-if-generic.png new file mode 100644 index 0000000..973ab23 Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/module-if-generic.png differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/module-type.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/module-type.png new file mode 100644 index 0000000..d869b9d Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/module-type.png differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/no-slides-if-demo.jpg b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/no-slides-if-demo.jpg new file mode 100644 index 0000000..aeb155d Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/no-slides-if-demo.jpg differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/no-slides-if-demo2.jpg b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/no-slides-if-demo2.jpg new file mode 100644 index 0000000..38bf7f1 Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/no-slides-if-demo2.jpg differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/no-slides-if-demo3.jpg b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/no-slides-if-demo3.jpg new file mode 100644 index 0000000..61d2a2b Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/no-slides-if-demo3.jpg differ 
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/non-blocking-workflow.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/non-blocking-workflow.png new file mode 100644 index 0000000..4ae1495 Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/non-blocking-workflow.png differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/overview.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/overview.png new file mode 100644 index 0000000..0a5a3d3 Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/overview.png differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/php-joke.jpg b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/php-joke.jpg new file mode 100644 index 0000000..0abc16d Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/php-joke.jpg differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/psyduck.jpeg b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/psyduck.jpeg new file mode 100644 index 0000000..8e54f30 Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/psyduck.jpeg differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/python-joke.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/python-joke.png new file mode 100644 index 0000000..0ce5189 Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/python-joke.png differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/python-logo.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/python-logo.png new file mode 100644 index 0000000..2416f26 Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/python-logo.png differ 
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/recursive-workflow.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/recursive-workflow.png new file mode 100644 index 0000000..c56eb72 Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/recursive-workflow.png differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/request-bin.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/request-bin.png new file mode 100644 index 0000000..ee355fb Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/request-bin.png differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/running-workflows.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/running-workflows.png new file mode 100644 index 0000000..d591c8f Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/running-workflows.png differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/sc-action-icon.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/sc-action-icon.png new file mode 100644 index 0000000..2ac49b8 Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/sc-action-icon.png differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/sc-action.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/sc-action.png new file mode 100644 index 0000000..e8d7a66 Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/sc-action.png differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/sc-condition-icon.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/sc-condition-icon.png new file mode 100644 index 0000000..f447a5d Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/sc-condition-icon.png differ 
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/sc-condition.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/sc-condition.png new file mode 100644 index 0000000..bb24b90 Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/sc-condition.png differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/sc-event-icon.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/sc-event-icon.png new file mode 100644 index 0000000..d1f70ef Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/sc-event-icon.png differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/sc-event.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/sc-event.png new file mode 100644 index 0000000..b58c120 Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/sc-event.png differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/settings-1.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/settings-1.png new file mode 100644 index 0000000..290851b Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/settings-1.png differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/settings-2.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/settings-2.png new file mode 100644 index 0000000..712a31a Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/settings-2.png differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/simple-workflow.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/simple-workflow.png new file mode 100644 index 0000000..f494348 Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/simple-workflow.png differ 
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/stateless-execution.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/stateless-execution.png new file mode 100644 index 0000000..fa513b3 Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/stateless-execution.png differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/time-machine.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/time-machine.png new file mode 100644 index 0000000..494153a Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/time-machine.png differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/triggers.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/triggers.png new file mode 100644 index 0000000..ba637cc Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/triggers.png differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/two-paths.jpeg b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/two-paths.jpeg new file mode 100644 index 0000000..93542ca Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/two-paths.jpeg differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/upgrade-people.jpeg b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/upgrade-people.jpeg new file mode 100644 index 0000000..1e6ddde Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/upgrade-people.jpeg differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/whoami.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/whoami.png new file mode 100644 index 0000000..eba7518 Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/whoami.png differ 
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/whoami2.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/whoami2.png new file mode 100644 index 0000000..46066cd Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/whoami2.png differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/workflow-debug.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/workflow-debug.png new file mode 100644 index 0000000..a2a932f Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/workflow-debug.png differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/workflow-experimental.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/workflow-experimental.png new file mode 100644 index 0000000..96e05ec Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/workflow-experimental.png differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/workflow-release.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/workflow-release.png new file mode 100644 index 0000000..1eef024 Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/workflow-release.png differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/workflow-trigger.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/workflow-trigger.png new file mode 100644 index 0000000..9ea7fad Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/workflow-trigger.png differ diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/zeromq.png b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/zeromq.png new file mode 100644 index 0000000..970e9fc Binary files /dev/null and b/events/20221110-FIST-AUTOMATION-SIG-Workflows/pictures/zeromq.png differ 
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/slide.tex b/events/20221110-FIST-AUTOMATION-SIG-Workflows/slide.tex
new file mode 100644
index 0000000..af22e84
--- /dev/null
+++ b/events/20221110-FIST-AUTOMATION-SIG-Workflows/slide.tex
@@ -0,0 +1,65 @@
+\documentclass{beamer}
+\usetheme[numbering=progressbar]{focus}
+\definecolor{main}{RGB}{47, 161, 219}
+\definecolor{textcolor}{RGB}{128, 128, 128}
+\definecolor{background}{RGB}{240, 247, 255}
+
+% \usepackage{pgfpages}
+% \setbeameroption{show notes on second screen=right}
+\usepackage[draft]{pdfcomment}
+\newcommand{\pdfnote}[1]{\marginnote{\pdfcomment[icon=note]{#1}}}
+
+\usepackage[utf8]{inputenc}
+\usepackage{tikz}
+\usepackage{listings}
+\usepackage{fontawesome5}
+\usepackage[export]{adjustbox}
+\usepackage{fourier}
+\usetikzlibrary{positioning}
+\usetikzlibrary{shapes,arrows}
+
+\lstdefinelanguage{javascript}{
+ basicstyle=\scriptsize,
+ numbers=left,
+ numberstyle=\scriptsize,
+ stepnumber=1,
+ numbersep=5pt,
+ showstringspaces=false,
+ breaklines=true,
+ frame=lines,
+ keywords={typeof, new, true, false, catch, function, return, null, catch, switch, var, if, in, while, do, else, case, break},
+ %keywordstyle=\color{blue}\bfseries,
+ ndkeywords={class, export, boolean, throw, implements, import, this},
+ ndkeywordstyle=\color{darkgray}\bfseries,
+ identifierstyle=\color{black},
+ sensitive=false,
+ comment=[l]{//},
+ morecomment=[s]{/*}{*/},
+ commentstyle=\color{purple}\ttfamily,
+ %stringstyle=\color{red}\ttfamily,
+ morestring=[b]',
+ morestring=[b]"
+}
+\lstdefinelanguage{text}{
+ basicstyle=\scriptsize,
+ numbers=left,
+ numberstyle=\scriptsize,
+ stepnumber=1,
+ numbersep=5pt,
+ showstringspaces=false,
+ breaklines=true,
+ frame=lines
+}
+
+\title{Automation with MISP Workflows}
+\subtitle{A new way to integrate MISP in your CTI pipelines}
+\author{Sami Mokaddem}
+\date{FIRST Automation SIG}
+\titlegraphic{\vspace*{1em}\includegraphics[scale=0.5]{misp.pdf}\\}
+\institute{MISP Project \\ \url{https://www.misp-project.org/}}
+
+
+\begin{document}
+\include{content}
+\end{document}
+
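Review bot: The `javascript` listing language declared at `\lstdefinelanguage{javascript}` sets `sensitive=false`, so listings will also colour mixed-case identifiers such as `Function`, `NULL` or `Var` as keywords even though JavaScript is case-sensitive; that line should read `sensitive=true,`. The `keywords=` list a few lines above it also lists `catch` twice, which is harmless but should be deduplicated. A short comment above the definition, e.g. `% custom JS dialect for the workflow-module snippets; listings ships no JavaScript language`, would tell the next editor why the file carries its own language definition rather than a bundled one.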
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/slide.upa b/events/20221110-FIST-AUTOMATION-SIG-Workflows/slide.upa
new file mode 100644
index 0000000..e69de29
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/slide_handout.tex b/events/20221110-FIST-AUTOMATION-SIG-Workflows/slide_handout.tex
new file mode 100644
index 0000000..cd06a0e
--- /dev/null
+++ b/events/20221110-FIST-AUTOMATION-SIG-Workflows/slide_handout.tex
@@ -0,0 +1,67 @@
+\documentclass{beamer}
+\usetheme[numbering=progressbar]{focus}
+\definecolor{main}{RGB}{47, 161, 219}
+\definecolor{textcolor}{RGB}{128, 128, 128}
+\definecolor{background}{RGB}{240, 247, 255}
+
+% \usepackage{pgfpages}
+% \setbeameroption{show notes on second screen=right}
+\usepackage[draft]{pdfcomment}
+\newcommand{\pdfnote}[1]{\marginnote{\pdfcomment[icon=note]{#1}}}
+
+\usepackage{pgfpages}
+\setbeameroption{show notes on second screen=right}
+\usepackage[utf8]{inputenc}
+\usepackage{tikz}
+\usepackage{listings}
+\usepackage{fontawesome5}
+\usepackage[export]{adjustbox}
+\usepackage{fourier}
+\usetikzlibrary{positioning}
+\usetikzlibrary{shapes,arrows}
+
+\lstdefinelanguage{javascript}{
+ basicstyle=\scriptsize,
+ numbers=left,
+ numberstyle=\scriptsize,
+ stepnumber=1,
+ numbersep=5pt,
+ showstringspaces=false,
+ breaklines=true,
+ frame=lines,
+ keywords={typeof, new, true, false, catch, function, return, null, catch, switch, var, if, in, while, do, else, case, break},
+ %keywordstyle=\color{blue}\bfseries,
+ ndkeywords={class, export, boolean, throw, implements, import, this},
+ ndkeywordstyle=\color{darkgray}\bfseries,
+ identifierstyle=\color{black},
+ sensitive=false,
+ comment=[l]{//},
+ morecomment=[s]{/*}{*/},
+ commentstyle=\color{purple}\ttfamily,
+ %stringstyle=\color{red}\ttfamily,
+ morestring=[b]',
+ morestring=[b]"
+}
+\lstdefinelanguage{text}{
+ basicstyle=\scriptsize,
+ numbers=left,
+ numberstyle=\scriptsize,
+ stepnumber=1,
+ numbersep=5pt,
+ showstringspaces=false,
+ breaklines=true,
+ frame=lines
+}
+
+\title{Automation with MISP Workflows}
+\subtitle{A new way to integrate MISP in your CTI pipelines}
+\author{Sami Mokaddem}
+\date{FIRST Automation SIG}
+\titlegraphic{\vspace*{1em}\includegraphics[scale=0.5]{misp.pdf}\\}
+\institute{MISP Project \\ \url{https://www.misp-project.org/}}
+
+
+\begin{document}
+\include{content}
+\end{document}
+
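Review bot: The commented-out `% \usepackage{pgfpages}` and `% \setbeameroption{show notes on second screen=right}` lines are immediately followed by live copies of the same two lines, so in the handout they are dead duplicates rather than a toggle; drop the commented pair here and keep the commented copy only in slide.tex, where it documents how to switch notes on. The file also ends up with two note mechanisms side by side — beamer notes sent to the second screen, and `\pdfnote` via pdfcomment loaded with `[draft]`, which as far as I recall suppresses the PDF annotations — and nothing says which one the handout is meant to use. A one-line comment above the pgfpages lines, e.g. `% handout build: speaker notes go to the second screen via pgfpages; pdfcomment stays in draft mode so \pdfnote emits nothing`, would record the intent for the next editor.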
diff --git a/events/20221110-FIST-AUTOMATION-SIG-Workflows/slide_handout.upa b/events/20221110-FIST-AUTOMATION-SIG-Workflows/slide_handout.upa
new file mode 100644
index 0000000..e69de29
