diff --git a/20221116-NATO-MUG/content.tex b/20221116-NATO-MUG/content.tex
new file mode 100755
index 0000000..cd28581
--- /dev/null
+++ b/20221116-NATO-MUG/content.tex
@@ -0,0 +1,599 @@
+% DO NOT COMPILE THIS FILE DIRECTLY!
+% This is included by the other .tex files.
+
+\begin{frame}[t,plain]
+\titlepage
+\end{frame}
+
+\begin{frame}
+ \frametitle{Automation in MISP: What already exists?}
+ \includegraphics[valign=m,width=16px]{pictures/python-logo.png}\hspace*{0.5em} \textbf{MISP API / PyMISP}
+ \begin{itemize}
+ \item Needs CRON Jobs in place
+ \item Heavy for the server
+ \item Not realtime
+ \end{itemize}
+ \vspace*{1em}
+ \includegraphics[valign=m,width=16px]{pictures/zeromq.png}\hspace*{0.5em} \textbf{PubSub channels}
+ \begin{itemize}
+ \item After the actions happen: No feedback to MISP
+ \item Tougher to put in place \& to share
+ \item Full integration amounts to develop a new tool
+ \end{itemize}
+ \vspace*{0.5em}
+ $\rightarrow$ No way to \textbf{prevent} behavior\\
+ $\rightarrow$ Difficult to setup \textbf{hooks} to execute callbacks
+\end{frame}
+
+\begin{frame}
+ \frametitle{What type of use-cases are we trying to support?}
+ \begin{itemize}
+ \item \textbf{Prevent} default MISP behaviors to happen
+ \begin{itemize}
+ \item Prevent \textbf{publication of events} not passing sanity checks
+ \item Prevent \textbf{querying} thrid-party \textbf{services} with sensitive information
+ \item $\cdots$
+ \end{itemize}
+ \vspace*{1.0em}
+ \item \textbf{Hook} specific actions to run callbacks
+ \begin{itemize}
+ \item \textbf{Automatically run} enrichment services
+ \item Modify data on-the-fly: False positives, enable CTI-Pipeline
+ \item Send notifications in a chat rooms
+ \item $\cdots$
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Simple automation in MISP made easy}
+ \begin{center}
+ \includegraphics[width=0.3\linewidth]{pictures/automation.png}
+ \end{center}
+ \begin{itemize}
+ \item Why?
+ \begin{itemize}
+ \item Everyone loves \textbf{simple automation}
+ \item \textbf{Visual} dataflow programming
+ \item Users want \textbf{more control}
+ \end{itemize}
+ \item How?
+ \begin{itemize}
+ \item \textbf{Drag \& Drop} editor
+ \item Prevent actions \textbf{before they happen}
+ \item Flexible \textbf{Plug \& Play} system
+ \item \textbf{Share} workflows, \textbf{debug} and \textbf{replay}
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Content of the presentation}
+ \begin{itemize}
+ \item MISP Workflows fundamentals
+ \item Demo by examples
+ \item Using the system
+ \item How it can be extended
+ \end{itemize}
+
+ \vspace*{1em}
+ \begin{center}
+ \frame{\includegraphics[width=0.7\linewidth]{pictures/overview.png}}
+ \end{center}
+\end{frame}
+
+\section{Workflow - Fundamentals}
+\begin{frame}
+ \frametitle{How does it work}
+ \begin{center}
+ \frame{\includegraphics[width=0.6\linewidth]{pictures/event-condition-action.png}}
+ \end{center}
+ \begin{enumerate}
+ \item An \textbf{event} happens in MISP
+ \item Check if all \textbf{conditions} are satisfied
+ \item Execute all \textbf{actions}
+ \begin{itemize}
+ \item May prevent MISP to complete its original event
+ \end{itemize}
+ \end{enumerate}
+\end{frame}
+
+\begin{frame}
+ \frametitle{What kind of events?}
+ \includegraphics[width=60px]{pictures/sc-event.png}
+ \vspace*{0.5em}
+ \begin{itemize}
+ \item New MISP Event
+ \item Attribute has been saved
+ \item New discussion post
+ \item New user created
+ \item Query against third-party services
+ \item ...
+ \end{itemize}
+ \vspace*{1em}
+ {\Large \faIcon{question-circle}} Supported events in MISP are called \textbf{Triggers}\\
+ {\Large \faIcon{question-circle}} A \textbf{Trigger} is associated with \textbf{1-and-only-1 Workflow}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Triggers currently available}
+ Currently 10 triggers can be hooked. 3 being \includegraphics[width=36px]{pictures/blocking-workflow.png}.
+ \begin{center}
+ \includegraphics[width=1.0\linewidth]{pictures/triggers.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{What kind of conditions?}
+ \vspace*{0.25em}
+ \includegraphics[width=70px]{pictures/sc-condition.png}
+ \vspace*{0.25em}
+ \begin{itemize}
+ \item An MISP Event is tagged with \texttt{tlp:red}
+ \item The distribution an Attribute is a sharing group
+ \item The creator organisation is \texttt{circl.lu}
+ \item Or any other \textbf{generic} conditions
+ \end{itemize}
+
+ \vspace*{0.5em}
+ {\Large \faIcon{question-circle}} These are also called \textbf{Logic modules}
+ \begin{center}
+ \includegraphics[width=0.43\textwidth]{pictures/logic-module.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Workflow - Logic modules}
+ \begin{itemize}
+ \item \includegraphics[width=12px]{pictures/sc-condition-icon.png} \textbf{logic} modules: Allow to redirect the execution flow.
+ \begin{itemize}
+ \item IF conditions
+ \item Delay execution
+ \end{itemize}
+ \end{itemize}
+ \begin{center}
+ \includegraphics[width=1.0\linewidth]{pictures/logic-module-index.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{What kind of actions?}
+ \vspace*{0.25em}
+ \includegraphics[width=60px]{pictures/sc-action.png}
+ \vspace*{0.25em}
+ \begin{itemize}
+ \item Send an email notification
+ \item Perform enrichments
+ \item Send a chat message on MS Teams
+ \item Attach a local tag
+ \item ...
+ \end{itemize}
+
+ \vspace*{0.5em}
+ {\Large \faIcon{question-circle}} These are also called \textbf{Action modules}
+ \begin{center}
+ \includegraphics[width=0.43\textwidth]{pictures/action-module.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Workflow - Action modules}
+ \begin{itemize}
+ \item \includegraphics[width=12px]{pictures/sc-action-icon.png} \textbf{action} modules: Allow to executes operations
+ \begin{itemize}
+ \item Tag operations
+ \item Send notifications
+ \item Webhooks
+ \item Custom scripts
+ \end{itemize}
+ \end{itemize}
+ \begin{center}
+ \includegraphics[width=1.0\linewidth]{pictures/action-module-index.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{What is a MISP Workflow?}
+ \begin{itemize}
+ \item Sequence of all nodes to be executed in a specific order
+ \item Workflows can be enabled / disabled
+ \item A Workflow is associated to \textbf{1-and-only-1 trigger}
+ \end{itemize}
+ \vspace*{0.5em}
+ \begin{center}
+ \frame{\includegraphics[width=1.0\linewidth]{pictures/simple-workflow.png}}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Workflow execution for Event publish}
+ \begin{itemize}
+ \setlength\itemsep{1em}
+ \item[] \hspace*{-2em}\includegraphics[width=16px]{pictures/sc-event-icon.png} \hspace*{0.25em} An Event is about to be published
+ \begin{itemize}
+ \item The workflow for the \texttt{event-publish} trigger starts
+ \end{itemize}
+ \item[] \hspace*{-2em}\includegraphics[width=16px]{pictures/sc-condition-icon.png} \hspace*{0.25em} Conditions are evaluated
+ \begin{itemize}
+ \item They might change the path taken during the execution
+ \end{itemize}
+ \item[] \hspace*{-2em}\includegraphics[width=16px]{pictures/sc-action-icon.png} \hspace*{0.25em} Actions are executed
+ \begin{itemize}
+ \setlength\itemsep{0.75em}
+ \item {\bf\color{green!50!black}success}: Continue the publishing action
+ \hspace*{-4em}\includegraphics[width=1.0\textwidth]{pictures/log-entry-publish-success.png}
+ \item {\bf\color{red}failure} | \texttt{\color{red}blocked}: Stop publishing and log the reason
+ \hspace*{-4em}\includegraphics[width=1.0\textwidth]{pictures/log-entry-publish-blocked.png}
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Blocking and non-blocking}
+ Two types of workflows:
+ \vspace{0.5em}
+ \begin{itemize}
+ \item[] \hspace*{-2em}\includegraphics[valign=m,width=48px]{pictures/blocking-workflow.png} Workflows
+ \begin{itemize}
+ \item Can prevent / block the original event to happen
+ \item If a \textbf{blocking module}\includegraphics[valign=b,width=12px]{pictures/blocking-module.png} blocks the action
+ \end{itemize}
+ \vspace{0.5em}
+ \item[] \hspace*{-2em}\includegraphics[valign=b,width=56px]{pictures/non-blocking-workflow.png} Workflows execution outcome has no impact
+ \begin{itemize}
+ \item No way to prevent something that happened in the past
+ \end{itemize}
+ \begin{center}
+ \includegraphics[width=0.4\linewidth]{pictures/time-machine.png}
+ \end{center}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Sources of Workflow modules (0)}
+ \begin{itemize}
+ \item \textbf{Trigger} module: MISP Source code \textbf{only}
+ \begin{itemize}
+ \item Get in touch if you want more
+ \end{itemize}
+ \item \textbf{Logic} module: MISP Source code \& \textbf{custom}
+ \item \textbf{Action} module: MISP Source code \& \textbf{custom}
+ \end{itemize}
+ \vspace*{2.0em}
+ \begin{itemize}
+ \item MISP Source code $\rightarrow$ Built-in \textbf{text} module
+ \item Custom $\rightarrow$ Write your own at 2 places
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Sources of Workflow modules (1)}
+ \begin{itemize}
+ \item Built-in \textbf{default} modules
+ \begin{itemize}
+ \item Part of the MISP codebase
+ \item Get in touch if you want us to increase the selection!
+ \end{itemize}
+ \end{itemize}
+ \vspace*{0.5em}
+ \begin{center}
+ \includegraphics[width=0.8\linewidth]{pictures/module-buffet.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Sources of Workflow modules (2)}
+ User-defined \textbf{custom} modules
+ \vspace*{0.5em}
+ \begin{columns}
+ \begin{column}{0.5\textwidth}
+ \begin{itemize}
+ \item Written in PHP
+ \item Extend existing modules
+ \item MISP code reuse
+ \end{itemize}
+ \end{column}
+ \begin{column}{0.5\textwidth}
+ \includegraphics[width=1.0\linewidth]{pictures/php-joke.jpg}
+ \end{column}
+ \end{columns}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Sources of Workflow modules (3)}
+ Modules from the \includegraphics[width=0.20\linewidth]{pictures/misp-module-icon.png} \textbf{enrichment service}
+ \vspace*{0.5em}
+ \begin{columns}
+ \begin{column}{0.50\textwidth}
+ \begin{itemize}
+ \item Written in Python
+ \item Can use any python libraries
+ \item Plug \& Play
+ \end{itemize}
+ \end{column}
+ \begin{column}{0.50\textwidth}
+ \includegraphics[width=1.0\linewidth]{pictures/python-joke.png}
+ \end{column}
+ \end{columns}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Getting started with workflows}
+ \begin{center}
+ \includegraphics[width=0.9\linewidth]{pictures/workflow-release.png}
+ \end{center}
+ \begin{enumerate}
+ \item Update your MISP server
+ \item Update all your sub-modules
+ \end{enumerate}
+ \begin{center}
+ \includegraphics[width=0.6\textwidth]{pictures/upgrade-people.jpeg}
+ \end{center}
+\end{frame}
+
+\section{Demo by examples}
+\begin{frame}
+ \frametitle{Demo 1: Block if Event.distribution < "Community"}
+ \begin{center}
+ \includegraphics[width=1.0\textwidth]{pictures/simple-workflow.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Demo 2: Send to ZMQ if any Attribute is tagged with `tlp:white`}
+ \begin{center}
+ \includegraphics[width=1.0\textwidth]{pictures/example-1a.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Demo 3: Block publish if *:red and email, else notify on Mattermost}
+ \begin{center}
+ \includegraphics[width=1.0\textwidth]{pictures/example-4.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Demo 4: Remove IDS flag \& add tag for known false-negative file hashes}
+ \begin{center}
+ \includegraphics[width=1.0\textwidth]{pictures/example-3.png}
+ \end{center}
+\end{frame}
+
+\section{Considerations when working with workflows}
+\begin{frame}
+ \frametitle{Working with the editor - Operations not allowed}
+ Execution loop are not authorized
+ \vspace*{1em}
+ \begin{columns}
+ \begin{column}{0.7\textwidth}
+ \frame{\includegraphics[width=1.0\linewidth]{pictures/editor-not-allowed-1.png}}
+ \end{column}
+ \begin{column}{0.3\textwidth}
+ \frame{\includegraphics[width=1.0\linewidth]{pictures/infinite-loop.jpg}}
+ \end{column}
+ \end{columns}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Recursive workflows}
+ \frame{\includegraphics[width=1.0\linewidth]{pictures/recursive-workflow.png}}
+ \danger Recursion: If an action re-run the workflow
+\end{frame}
+
+\begin{frame}
+ \frametitle{Working with the editor - Operations not allowed}
+ Multiple connections from the same output
+ \vspace*{1em}
+ \begin{columns}
+ \begin{column}{0.7\textwidth}
+ \frame{\includegraphics[width=1.0\linewidth]{pictures/editor-not-allowed-2.png}}
+ \end{column}
+ \begin{column}{0.3\textwidth}
+ \frame{\includegraphics[width=1.0\linewidth]{pictures/two-paths.jpeg}}
+ \end{column}
+ \end{columns}
+ \begin{itemize}
+ \item Execution order not guaranted
+ \item Confusing for users
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Working with the editor}
+ Cases showing a warning:
+ \begin{itemize}
+ \item \textbf{Blocking} modules \includegraphics[width=10px]{pictures/blocking-module.png} in a \includegraphics[valign=b,width=56px]{pictures/non-blocking-workflow.png} workflow \includegraphics[width=0.12\linewidth]{pictures/time-machine.png}
+ \item \textbf{Blocking} modules \includegraphics[width=10px]{pictures/blocking-module.png} after a \textbf{concurrent tasks} module
+ \begin{center}
+ \frame{\includegraphics[width=1.0\linewidth]{pictures/editor-warning-1.png}}
+ \end{center}
+ \end{itemize}
+\end{frame}
+
+\section{Advanced usage}
+\begin{frame}
+ \frametitle{Workflow blueprints}
+ \hspace*{0.9\textwidth}\includegraphics[width=32px]{pictures/blueprint-32.png}
+ \vspace*{-2em}
+ \begin{enumerate}
+ \item Blueprints allow to \textbf{re-use parts} of a workflow in another one
+ \item Blueprints can be saved, exported and \textbf{shared}
+ \end{enumerate}
+ \begin{center}
+ \includegraphics[width=0.5\linewidth]{pictures/blueprint-debugging.png}
+ \end{center}
+ Blueprints sources:
+ \begin{enumerate}
+ \item Created or imported by users
+ \item From the \texttt{MISP/misp-workflow-blueprints} repository\footnote{\scriptsize https://github.com/MISP/misp-workflow-blueprints}
+ \end{enumerate}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Data format in Workflows}
+ \begin{center}
+ \includegraphics[width=0.7\linewidth]{pictures/workflow-trigger.png}
+ \end{center}
+ \begin{itemize}
+ \item In most cases, the format is the \textbf{MISP Core format}
+ \begin{itemize}
+ \item Attributes are \textbf{always encapsulated} in the Event or Object
+ \end{itemize}
+ \item But has \textbf{additional properties}
+ \begin{itemize}
+ \item Additional key \textbf{\texttt{\_AttributeFlattened}}
+ \item Additional key \textbf{\texttt{\_allTags}}
+ \item Additional key \textbf{\texttt{inherited}} for Tags
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Logic module: Concurrent Task}
+ \begin{itemize}
+ \item Logic module allowing \textbf{multiple output} connections
+ \item \textbf{Postpone the execution} for remaining modules
+ \item Convert \includegraphics[valign=b,width=44px]{pictures/blocking-workflow.png} \faIcon{long-arrow-alt-right} \includegraphics[valign=b,width=56px]{pictures/non-blocking-workflow.png}
+ \end{itemize}
+ \begin{center}
+ \frame{\includegraphics[width=0.5\linewidth]{pictures/module-concurrent.png}}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Debugging options}
+ \begin{columns}
+ \begin{column}{0.6\textwidth}
+ \begin{itemize}
+ \item Workflow \textbf{execution and outcome}
+ \item Module \textbf{execution and outcome}
+ \item \textbf{Live} workflow debugging with module inspection
+ \item \textbf{Re-running/testing} workflows with custom data
+ \item \textbf{Stateless} module execution
+ \end{itemize}
+ \end{column}
+ \begin{column}{0.4\textwidth}
+ \includegraphics[width=1.0\linewidth]{pictures/enough-debugging.jpg}
+ \end{column}
+ \end{columns}
+\end{frame}
+
+\section{Extending the system}
+\begin{frame}
+ \frametitle{Creating a new module in PHP}
+ \begin{center}
+ \includegraphics[scale=0.07]{pictures/PHP-logo.png}
+ \end{center}
+ \vspace*{2em}
+ \begin{itemize}
+ \item \texttt{\small \textbf{app/Lib/}WorkflowModules/action/[module\_name].php}
+ \item Designed to be easilty extended
+ \begin{itemize}
+ \item Helper functions
+ \item Module configuration as variables
+ \item Implement runtime logic
+ \end{itemize}
+ \item Main benefits
+ \begin{itemize}
+ \item Fast
+ \item Re-use existing functionalities
+ \item No need for misp-modules
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Creating a new module in PHP}
+ \begin{center}
+ \includegraphics[width=1.0\linewidth]{pictures/custom-1.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Creating a new module in Python}
+ \begin{center}
+ \includegraphics[scale=0.03]{pictures/python-logo.png}
+ \end{center}
+ \begin{itemize}
+ \item Similar to how other \texttt{misp-modules} are implemented
+ \begin{itemize}
+ \item Helper functions
+ \item Module configuration as variables
+ \item Implement runtime logic
+ \end{itemize}
+ \item Main benefits
+ \begin{itemize}
+ \item Easier than PHP
+ \item Lots of libraries for integration
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Creating a new module in Python}
+ \begin{center}
+ \includegraphics[width=1.0\linewidth]{pictures/custom-2.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{More ideas}
+ \begin{itemize}
+ \item Notification when new users join an instance
+ \item Trigger on any action generating log entries
+ \item Extend existing MISP behavior: Push correlation in another system
+ \item Sanity check to block publishing
+ \item ...
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Under development}
+ Ease data manipulation with \textbf{filtering modules}
+ \begin{center}
+ \includegraphics[width=1.0\textwidth]{pictures/filtering-modules.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Future works}
+ \begin{columns}
+ \begin{column}{0.55\textwidth}
+ \begin{itemize}
+ \item More \includegraphics[width=12px]{pictures/sc-action-icon.png} modules
+ \item More \includegraphics[width=12px]{pictures/sc-condition-icon.png} modules
+ \item More \includegraphics[width=12px]{pictures/sc-event-icon.png} triggers
+ \item More documentation
+ \item Recursion prevention system
+ \item On-the-fly data override?
+ \end{itemize}
+ \end{column}
+ \begin{column}{0.45\textwidth}
+ \includegraphics[width=1.0\linewidth]{pictures/future-works.jpeg}
+ \end{column}
+ \end{columns}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Final words}
+ \begin{columns}
+ \begin{column}{0.6\textwidth}
+ \begin{itemize}
+ \item Designed to \textbf{quickly} and \textbf{cheaply} integrate MISP in CTI pipelines
+ \item \underline{\textbf{Beta}} Feature unlikely to change. But still..
+ \item Waiting for feedback!
+ \begin{itemize}
+ \item New triggers?
+ \item New modules?
+ \item ...
+ \end{itemize}
+ \end{itemize}
+ \end{column}
+ \begin{column}{0.4\textwidth}
+ \includegraphics[width=1.0\linewidth]{pictures/feeling-of-power.jpg}
+ \end{column}
+ \end{columns}
+ \vspace*{0.5em}
+\end{frame}
+
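Review bot: The slides reference `pictures/zeromq.png`, `pictures/workflow-release.png` and `pictures/workflow-trigger.png`, but none of these is among the binaries this commit adds under `20221116-NATO-MUG/pictures/`, so the deck will fail to compile unless those files come from a shared graphics path not visible here. The blueprints footnote types the repository URL as bare text; written as `\footnote{\scriptsize \url{https://github.com/MISP/misp-workflow-blueprints}}` (beamer loads hyperref) it becomes clickable and line-breakable. The Demo 4 title says `known false-negative file hashes`, yet removing the IDS flag and tagging is the treatment for known false positives, which is also what the earlier "Modify data on-the-fly: False positives" bullet describes, so `false-positive` is probably the intended wording. Several typos are worth fixing before the deck is shared: `thrid-party` → `third-party`, `guaranted` → `guaranteed`, `easilty` → `easily`, `An MISP Event` → `A MISP Event`. `{\bf\color{green!50!black}success}` and `{\bf\color{red}failure}` use the plain-TeX `\bf` switch; `\textbf{\textcolor{green!50!black}{success}}` is the LaTeX2e form.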
diff --git a/20221116-NATO-MUG/misp.pdf b/20221116-NATO-MUG/misp.pdf
new file mode 100644
index 0000000..f7a3f9d
Binary files /dev/null and b/20221116-NATO-MUG/misp.pdf differ
diff --git a/20221116-NATO-MUG/pictures/PHP-logo.png b/20221116-NATO-MUG/pictures/PHP-logo.png
new file mode 100644
index 0000000..296dfe2
Binary files /dev/null and b/20221116-NATO-MUG/pictures/PHP-logo.png differ
diff --git a/20221116-NATO-MUG/pictures/action-module-index.png b/20221116-NATO-MUG/pictures/action-module-index.png
new file mode 100644
index 0000000..dd9c62d
Binary files /dev/null and b/20221116-NATO-MUG/pictures/action-module-index.png differ
diff --git a/20221116-NATO-MUG/pictures/action-module.png b/20221116-NATO-MUG/pictures/action-module.png
new file mode 100644
index 0000000..6b622e8
Binary files /dev/null and b/20221116-NATO-MUG/pictures/action-module.png differ
diff --git a/20221116-NATO-MUG/pictures/attribute-json.png b/20221116-NATO-MUG/pictures/attribute-json.png
new file mode 100644
index 0000000..4ad2065
Binary files /dev/null and b/20221116-NATO-MUG/pictures/attribute-json.png differ
diff --git a/20221116-NATO-MUG/pictures/automation.png b/20221116-NATO-MUG/pictures/automation.png
new file mode 100644
index 0000000..d628e0f
Binary files /dev/null and b/20221116-NATO-MUG/pictures/automation.png differ
diff --git a/20221116-NATO-MUG/pictures/belgian-joke.jpeg b/20221116-NATO-MUG/pictures/belgian-joke.jpeg
new file mode 100644
index 0000000..6deff1b
Binary files /dev/null and b/20221116-NATO-MUG/pictures/belgian-joke.jpeg differ
diff --git a/20221116-NATO-MUG/pictures/blocking-module.png b/20221116-NATO-MUG/pictures/blocking-module.png
new file mode 100644
index 0000000..f8a817d
Binary files /dev/null and b/20221116-NATO-MUG/pictures/blocking-module.png differ
diff --git a/20221116-NATO-MUG/pictures/blocking-workflow.png b/20221116-NATO-MUG/pictures/blocking-workflow.png
new file mode 100644
index 0000000..145cc12
Binary files /dev/null and b/20221116-NATO-MUG/pictures/blocking-workflow.png differ
diff --git a/20221116-NATO-MUG/pictures/blueprint-1.png b/20221116-NATO-MUG/pictures/blueprint-1.png
new file mode 100644
index 0000000..1e3acbf
Binary files /dev/null and b/20221116-NATO-MUG/pictures/blueprint-1.png differ
diff --git a/20221116-NATO-MUG/pictures/blueprint-32.png b/20221116-NATO-MUG/pictures/blueprint-32.png
new file mode 100644
index 0000000..8d1d4c6
Binary files /dev/null and b/20221116-NATO-MUG/pictures/blueprint-32.png differ
diff --git a/20221116-NATO-MUG/pictures/blueprint-debugging.png b/20221116-NATO-MUG/pictures/blueprint-debugging.png
new file mode 100644
index 0000000..c2974e7
Binary files /dev/null and b/20221116-NATO-MUG/pictures/blueprint-debugging.png differ
diff --git a/20221116-NATO-MUG/pictures/ctis.png b/20221116-NATO-MUG/pictures/ctis.png
new file mode 100644
index 0000000..aef68a5
Binary files /dev/null and b/20221116-NATO-MUG/pictures/ctis.png differ
diff --git a/20221116-NATO-MUG/pictures/custom-1.png b/20221116-NATO-MUG/pictures/custom-1.png
new file mode 100644
index 0000000..afadf8e
Binary files /dev/null and b/20221116-NATO-MUG/pictures/custom-1.png differ
diff --git a/20221116-NATO-MUG/pictures/custom-2.png b/20221116-NATO-MUG/pictures/custom-2.png
new file mode 100644
index 0000000..0dad53f
Binary files /dev/null and b/20221116-NATO-MUG/pictures/custom-2.png differ
diff --git a/20221116-NATO-MUG/pictures/debug-mode.png b/20221116-NATO-MUG/pictures/debug-mode.png
new file mode 100644
index 0000000..ba7688d
Binary files /dev/null and b/20221116-NATO-MUG/pictures/debug-mode.png differ
diff --git a/20221116-NATO-MUG/pictures/editor-1.png b/20221116-NATO-MUG/pictures/editor-1.png
new file mode 100644
index 0000000..c8c3edf
Binary files /dev/null and b/20221116-NATO-MUG/pictures/editor-1.png differ
diff --git a/20221116-NATO-MUG/pictures/editor-not-allowed-1.png b/20221116-NATO-MUG/pictures/editor-not-allowed-1.png
new file mode 100644
index 0000000..d4dc939
Binary files /dev/null and b/20221116-NATO-MUG/pictures/editor-not-allowed-1.png differ
diff --git a/20221116-NATO-MUG/pictures/editor-not-allowed-2.png b/20221116-NATO-MUG/pictures/editor-not-allowed-2.png
new file mode 100644
index 0000000..538bb3f
Binary files /dev/null and b/20221116-NATO-MUG/pictures/editor-not-allowed-2.png differ
diff --git a/20221116-NATO-MUG/pictures/editor-warning-1.png b/20221116-NATO-MUG/pictures/editor-warning-1.png
new file mode 100644
index 0000000..8370f96
Binary files /dev/null and b/20221116-NATO-MUG/pictures/editor-warning-1.png differ
diff --git a/20221116-NATO-MUG/pictures/enough-debugging.jpg b/20221116-NATO-MUG/pictures/enough-debugging.jpg
new file mode 100644
index 0000000..f17c14c
Binary files /dev/null and b/20221116-NATO-MUG/pictures/enough-debugging.jpg differ
diff --git a/20221116-NATO-MUG/pictures/event-condition-action.png b/20221116-NATO-MUG/pictures/event-condition-action.png
new file mode 100644
index 0000000..0ee3afe
Binary files /dev/null and b/20221116-NATO-MUG/pictures/event-condition-action.png differ
diff --git a/20221116-NATO-MUG/pictures/example-1a.png b/20221116-NATO-MUG/pictures/example-1a.png
new file mode 100644
index 0000000..e4df2d5
Binary files /dev/null and b/20221116-NATO-MUG/pictures/example-1a.png differ
diff --git a/20221116-NATO-MUG/pictures/example-2.png b/20221116-NATO-MUG/pictures/example-2.png
new file mode 100644
index 0000000..51eef7e
Binary files /dev/null and b/20221116-NATO-MUG/pictures/example-2.png differ
diff --git a/20221116-NATO-MUG/pictures/example-2a.png b/20221116-NATO-MUG/pictures/example-2a.png
new file mode 100644
index 0000000..ce103af
Binary files /dev/null and b/20221116-NATO-MUG/pictures/example-2a.png differ
diff --git a/20221116-NATO-MUG/pictures/example-3.png b/20221116-NATO-MUG/pictures/example-3.png
new file mode 100644
index 0000000..54602ac
Binary files /dev/null and b/20221116-NATO-MUG/pictures/example-3.png differ
diff --git a/20221116-NATO-MUG/pictures/example-4.png b/20221116-NATO-MUG/pictures/example-4.png
new file mode 100644
index 0000000..cca5687
Binary files /dev/null and b/20221116-NATO-MUG/pictures/example-4.png differ
diff --git a/20221116-NATO-MUG/pictures/feeling-of-power.jpg b/20221116-NATO-MUG/pictures/feeling-of-power.jpg
new file mode 100644
index 0000000..b84c299
Binary files /dev/null and b/20221116-NATO-MUG/pictures/feeling-of-power.jpg differ
diff --git a/20221116-NATO-MUG/pictures/filtering-modules.png b/20221116-NATO-MUG/pictures/filtering-modules.png
new file mode 100644
index 0000000..9ca53e3
Binary files /dev/null and b/20221116-NATO-MUG/pictures/filtering-modules.png differ
diff --git a/20221116-NATO-MUG/pictures/first-cti.png b/20221116-NATO-MUG/pictures/first-cti.png
new file mode 100644
index 0000000..5d8fec1
Binary files /dev/null and b/20221116-NATO-MUG/pictures/first-cti.png differ
diff --git a/20221116-NATO-MUG/pictures/future-works.jpeg b/20221116-NATO-MUG/pictures/future-works.jpeg
new file mode 100644
index 0000000..874805d
Binary files /dev/null and b/20221116-NATO-MUG/pictures/future-works.jpeg differ
diff --git a/20221116-NATO-MUG/pictures/geekweek75.jpg b/20221116-NATO-MUG/pictures/geekweek75.jpg
new file mode 100644
index 0000000..799e121
Binary files /dev/null and b/20221116-NATO-MUG/pictures/geekweek75.jpg differ
diff --git a/20221116-NATO-MUG/pictures/infinite-loop.jpg b/20221116-NATO-MUG/pictures/infinite-loop.jpg
new file mode 100644
index 0000000..a45fff7
Binary files /dev/null and b/20221116-NATO-MUG/pictures/infinite-loop.jpg differ
diff --git a/20221116-NATO-MUG/pictures/log-entry-publish-blocked.png b/20221116-NATO-MUG/pictures/log-entry-publish-blocked.png
new file mode 100644
index 0000000..9ccb098
Binary files /dev/null and b/20221116-NATO-MUG/pictures/log-entry-publish-blocked.png differ
diff --git a/20221116-NATO-MUG/pictures/log-entry-publish-success.png b/20221116-NATO-MUG/pictures/log-entry-publish-success.png
new file mode 100644
index 0000000..2a26119
Binary files /dev/null and b/20221116-NATO-MUG/pictures/log-entry-publish-success.png differ
diff --git a/20221116-NATO-MUG/pictures/logic-module-index.png b/20221116-NATO-MUG/pictures/logic-module-index.png
new file mode 100644
index 0000000..736313c
Binary files /dev/null and b/20221116-NATO-MUG/pictures/logic-module-index.png differ
diff --git a/20221116-NATO-MUG/pictures/logic-module.png b/20221116-NATO-MUG/pictures/logic-module.png
new file mode 100644
index 0000000..6a48ce6
Binary files /dev/null and b/20221116-NATO-MUG/pictures/logic-module.png differ
diff --git a/20221116-NATO-MUG/pictures/misp-module-icon.png b/20221116-NATO-MUG/pictures/misp-module-icon.png
new file mode 100644
index 0000000..6fa189b
Binary files /dev/null and b/20221116-NATO-MUG/pictures/misp-module-icon.png differ
diff --git a/20221116-NATO-MUG/pictures/module-buffet.png b/20221116-NATO-MUG/pictures/module-buffet.png
new file mode 100644
index 0000000..8a4a676
Binary files /dev/null and b/20221116-NATO-MUG/pictures/module-buffet.png differ
diff --git a/20221116-NATO-MUG/pictures/module-concurrent.png b/20221116-NATO-MUG/pictures/module-concurrent.png
new file mode 100644
index 0000000..ba994b4
Binary files /dev/null and b/20221116-NATO-MUG/pictures/module-concurrent.png differ
diff --git a/20221116-NATO-MUG/pictures/module-filtering.png b/20221116-NATO-MUG/pictures/module-filtering.png
new file mode 100644
index 0000000..876d5ad
Binary files /dev/null and b/20221116-NATO-MUG/pictures/module-filtering.png differ
diff --git a/20221116-NATO-MUG/pictures/module-if-generic.png b/20221116-NATO-MUG/pictures/module-if-generic.png
new file mode 100644
index 0000000..973ab23
Binary files /dev/null and b/20221116-NATO-MUG/pictures/module-if-generic.png differ
diff --git a/20221116-NATO-MUG/pictures/module-type.png b/20221116-NATO-MUG/pictures/module-type.png
new file mode 100644
index 0000000..d869b9d
Binary files /dev/null and b/20221116-NATO-MUG/pictures/module-type.png differ
diff --git a/20221116-NATO-MUG/pictures/no-slides-if-demo.jpg b/20221116-NATO-MUG/pictures/no-slides-if-demo.jpg
new file mode 100644
index 0000000..aeb155d
Binary files /dev/null and b/20221116-NATO-MUG/pictures/no-slides-if-demo.jpg differ
diff --git a/20221116-NATO-MUG/pictures/no-slides-if-demo2.jpg b/20221116-NATO-MUG/pictures/no-slides-if-demo2.jpg
new file mode 100644
index 0000000..38bf7f1
Binary files /dev/null and b/20221116-NATO-MUG/pictures/no-slides-if-demo2.jpg differ
diff --git a/20221116-NATO-MUG/pictures/no-slides-if-demo3.jpg b/20221116-NATO-MUG/pictures/no-slides-if-demo3.jpg
new file mode 100644
index 0000000..61d2a2b
Binary files /dev/null and b/20221116-NATO-MUG/pictures/no-slides-if-demo3.jpg differ
diff --git a/20221116-NATO-MUG/pictures/non-blocking-workflow.png b/20221116-NATO-MUG/pictures/non-blocking-workflow.png
new file mode 100644
index 0000000..4ae1495
Binary files /dev/null and b/20221116-NATO-MUG/pictures/non-blocking-workflow.png differ
diff --git a/20221116-NATO-MUG/pictures/overview.png b/20221116-NATO-MUG/pictures/overview.png
new file mode 100644
index 0000000..0a5a3d3
Binary files /dev/null and b/20221116-NATO-MUG/pictures/overview.png differ
diff --git a/20221116-NATO-MUG/pictures/php-joke.jpg b/20221116-NATO-MUG/pictures/php-joke.jpg
new file mode 100644
index 0000000..0abc16d
Binary files /dev/null and b/20221116-NATO-MUG/pictures/php-joke.jpg differ
diff --git a/20221116-NATO-MUG/pictures/psyduck.jpeg b/20221116-NATO-MUG/pictures/psyduck.jpeg
new file mode 100644
index 0000000..8e54f30
Binary files /dev/null and b/20221116-NATO-MUG/pictures/psyduck.jpeg differ
diff --git a/20221116-NATO-MUG/pictures/python-joke.png b/20221116-NATO-MUG/pictures/python-joke.png
new file mode 100644
index 0000000..0ce5189
Binary files /dev/null and b/20221116-NATO-MUG/pictures/python-joke.png differ
diff --git a/20221116-NATO-MUG/pictures/python-logo.png b/20221116-NATO-MUG/pictures/python-logo.png
new file mode 100644
index 0000000..2416f26
Binary files /dev/null and b/20221116-NATO-MUG/pictures/python-logo.png differ
diff --git a/20221116-NATO-MUG/pictures/recursive-workflow.png b/20221116-NATO-MUG/pictures/recursive-workflow.png
new file mode 100644
index 0000000..c56eb72
Binary files /dev/null and b/20221116-NATO-MUG/pictures/recursive-workflow.png differ
diff --git a/20221116-NATO-MUG/pictures/request-bin.png b/20221116-NATO-MUG/pictures/request-bin.png
new file mode 100644
index 0000000..ee355fb
Binary files /dev/null and b/20221116-NATO-MUG/pictures/request-bin.png differ
diff --git a/20221116-NATO-MUG/pictures/running-workflows.png b/20221116-NATO-MUG/pictures/running-workflows.png
new file mode 100644
index 0000000..d591c8f
Binary files /dev/null and b/20221116-NATO-MUG/pictures/running-workflows.png differ
diff --git a/20221116-NATO-MUG/pictures/sc-action-icon.png b/20221116-NATO-MUG/pictures/sc-action-icon.png
new file mode 100644
index 0000000..2ac49b8
Binary files /dev/null and b/20221116-NATO-MUG/pictures/sc-action-icon.png differ
diff --git a/20221116-NATO-MUG/pictures/sc-action.png b/20221116-NATO-MUG/pictures/sc-action.png
new file mode 100644
index 0000000..e8d7a66
Binary files /dev/null and b/20221116-NATO-MUG/pictures/sc-action.png differ
diff --git a/20221116-NATO-MUG/pictures/sc-condition-icon.png b/20221116-NATO-MUG/pictures/sc-condition-icon.png
new file mode 100644
index 0000000..f447a5d
Binary files /dev/null and b/20221116-NATO-MUG/pictures/sc-condition-icon.png differ
diff --git a/20221116-NATO-MUG/pictures/sc-condition.png b/20221116-NATO-MUG/pictures/sc-condition.png
new file mode 100644
index 0000000..bb24b90
Binary files /dev/null and b/20221116-NATO-MUG/pictures/sc-condition.png differ
diff --git a/20221116-NATO-MUG/pictures/sc-event-icon.png b/20221116-NATO-MUG/pictures/sc-event-icon.png
new file mode 100644
index 0000000..d1f70ef
Binary files /dev/null and b/20221116-NATO-MUG/pictures/sc-event-icon.png differ
diff --git a/20221116-NATO-MUG/pictures/sc-event.png b/20221116-NATO-MUG/pictures/sc-event.png
new file mode 100644
index 0000000..b58c120
Binary files /dev/null and b/20221116-NATO-MUG/pictures/sc-event.png differ
diff --git a/20221116-NATO-MUG/pictures/settings-1.png b/20221116-NATO-MUG/pictures/settings-1.png
new file mode 100644
index 0000000..290851b
Binary files /dev/null and b/20221116-NATO-MUG/pictures/settings-1.png differ
diff --git a/20221116-NATO-MUG/pictures/settings-2.png b/20221116-NATO-MUG/pictures/settings-2.png
new file mode 100644
index 0000000..712a31a
Binary files /dev/null and b/20221116-NATO-MUG/pictures/settings-2.png differ
diff --git a/20221116-NATO-MUG/pictures/simple-workflow.png b/20221116-NATO-MUG/pictures/simple-workflow.png
new file mode 100644
index 0000000..f494348
Binary files /dev/null and b/20221116-NATO-MUG/pictures/simple-workflow.png differ
diff --git a/20221116-NATO-MUG/pictures/stateless-execution.png b/20221116-NATO-MUG/pictures/stateless-execution.png
new file mode 100644
index 0000000..fa513b3
Binary files /dev/null and b/20221116-NATO-MUG/pictures/stateless-execution.png differ
diff --git a/20221116-NATO-MUG/pictures/time-machine.png b/20221116-NATO-MUG/pictures/time-machine.png
new file mode 100644
index 0000000..494153a
Binary files /dev/null and b/20221116-NATO-MUG/pictures/time-machine.png differ
diff --git a/20221116-NATO-MUG/pictures/triggers.png b/20221116-NATO-MUG/pictures/triggers.png
new file mode 100644
index 0000000..ba637cc
Binary files /dev/null and b/20221116-NATO-MUG/pictures/triggers.png differ
diff --git a/20221116-NATO-MUG/pictures/two-paths.jpeg b/20221116-NATO-MUG/pictures/two-paths.jpeg
new file mode 100644
index 0000000..93542ca
Binary files /dev/null and b/20221116-NATO-MUG/pictures/two-paths.jpeg differ
diff --git a/20221116-NATO-MUG/pictures/upgrade-people.jpeg b/20221116-NATO-MUG/pictures/upgrade-people.jpeg
new file mode 100644
index 0000000..1e6ddde
Binary files /dev/null and b/20221116-NATO-MUG/pictures/upgrade-people.jpeg differ
diff --git a/20221116-NATO-MUG/pictures/whoami.png b/20221116-NATO-MUG/pictures/whoami.png
new file mode 100644
index 0000000..eba7518
Binary files /dev/null and b/20221116-NATO-MUG/pictures/whoami.png differ
diff --git a/20221116-NATO-MUG/pictures/whoami2.png b/20221116-NATO-MUG/pictures/whoami2.png
new file mode 100644
index 0000000..46066cd
Binary files /dev/null and b/20221116-NATO-MUG/pictures/whoami2.png differ
diff --git a/20221116-NATO-MUG/pictures/workflow-debug.png b/20221116-NATO-MUG/pictures/workflow-debug.png
new file mode 100644
index 0000000..a2a932f
Binary files /dev/null and b/20221116-NATO-MUG/pictures/workflow-debug.png differ
diff --git a/20221116-NATO-MUG/pictures/workflow-experimental.png b/20221116-NATO-MUG/pictures/workflow-experimental.png
new file mode 100644
index 0000000..96e05ec
Binary files /dev/null and b/20221116-NATO-MUG/pictures/workflow-experimental.png differ
diff --git a/20221116-NATO-MUG/pictures/workflow-release.png b/20221116-NATO-MUG/pictures/workflow-release.png
new file mode 100644
index 0000000..1eef024
Binary files /dev/null and b/20221116-NATO-MUG/pictures/workflow-release.png differ
diff --git a/20221116-NATO-MUG/pictures/workflow-trigger.png b/20221116-NATO-MUG/pictures/workflow-trigger.png
new file mode 100644
index 0000000..9ea7fad
Binary files /dev/null and b/20221116-NATO-MUG/pictures/workflow-trigger.png differ
diff --git a/20221116-NATO-MUG/pictures/zeromq.png b/20221116-NATO-MUG/pictures/zeromq.png
new file mode 100644
index 0000000..970e9fc
Binary files /dev/null and b/20221116-NATO-MUG/pictures/zeromq.png differ
diff --git a/20221116-NATO-MUG/slide.tex b/20221116-NATO-MUG/slide.tex
new file mode 100644
index 0000000..c2d6508
--- /dev/null
+++ b/20221116-NATO-MUG/slide.tex
@@ -0,0 +1,65 @@
+\documentclass{beamer}
+\usetheme[numbering=progressbar]{focus}
+\definecolor{main}{RGB}{47, 161, 219}
+\definecolor{textcolor}{RGB}{128, 128, 128}
+\definecolor{background}{RGB}{240, 247, 255}
+
+% \usepackage{pgfpages}
+% \setbeameroption{show notes on second screen=right}
+\usepackage[draft]{pdfcomment}
+\newcommand{\pdfnote}[1]{\marginnote{\pdfcomment[icon=note]{#1}}}
+
+\usepackage[utf8]{inputenc}
+\usepackage{tikz}
+\usepackage{listings}
+\usepackage{fontawesome5}
+\usepackage[export]{adjustbox}
+\usepackage{fourier}
+\usetikzlibrary{positioning}
+\usetikzlibrary{shapes,arrows}
+
+\lstdefinelanguage{javascript}{
+ basicstyle=\scriptsize,
+ numbers=left,
+ numberstyle=\scriptsize,
+ stepnumber=1,
+ numbersep=5pt,
+ showstringspaces=false,
+ breaklines=true,
+ frame=lines,
+ keywords={typeof, new, true, false, catch, function, return, null, catch, switch, var, if, in, while, do, else, case, break},
+ %keywordstyle=\color{blue}\bfseries,
+ ndkeywords={class, export, boolean, throw, implements, import, this},
+ ndkeywordstyle=\color{darkgray}\bfseries,
+ identifierstyle=\color{black},
+ sensitive=false,
+ comment=[l]{//},
+ morecomment=[s]{/*}{*/},
+ commentstyle=\color{purple}\ttfamily,
+ %stringstyle=\color{red}\ttfamily,
+ morestring=[b]',
+ morestring=[b]"
+}
+\lstdefinelanguage{text}{
+ basicstyle=\scriptsize,
+ numbers=left,
+ numberstyle=\scriptsize,
+ stepnumber=1,
+ numbersep=5pt,
+ showstringspaces=false,
+ breaklines=true,
+ frame=lines
+}
+
+\title{Automation with MISP Workflows}
+\subtitle{A new way to integrate MISP in your CTI pipelines}
+\author{Andras Iklody}
+\date{MUG}
+\titlegraphic{\vspace*{1em}\includegraphics[scale=0.5]{misp.pdf}\\}
+\institute{MISP Project \\ \url{https://www.misp-project.org/}}
+
+
+\begin{document}
+\include{content}
+\end{document}
+
diff --git a/20221116-NATO-MUG/slide.upa b/20221116-NATO-MUG/slide.upa
new file mode 100644
index 0000000..e69de29
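Review bot: The `keywords=` list of the `javascript` listing language lists `catch` twice (`... false, catch, function, return, null, catch, switch ...`); the second occurrence is redundant and should be dropped, and the same list is repeated verbatim in the slide_handout.tex hunk below. `\include{content}` at the end of the document forces a `\clearpage` and a separate .aux file; since content.tex is only ever pulled in from these wrappers and is not compilable on its own (its own header says so), `\input{content}` is the usual choice and also allows nesting. Apart from the two pgfpages lines, this preamble and the handout's are identical, so moving the shared part into one file that both wrappers `\input` would keep the two from drifting.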
diff --git a/20221116-NATO-MUG/slide_handout.tex b/20221116-NATO-MUG/slide_handout.tex
new file mode 100644
index 0000000..9e1211a
--- /dev/null
+++ b/20221116-NATO-MUG/slide_handout.tex
@@ -0,0 +1,67 @@
+\documentclass{beamer}
+\usetheme[numbering=progressbar]{focus}
+\definecolor{main}{RGB}{47, 161, 219}
+\definecolor{textcolor}{RGB}{128, 128, 128}
+\definecolor{background}{RGB}{240, 247, 255}
+
+% \usepackage{pgfpages}
+% \setbeameroption{show notes on second screen=right}
+\usepackage[draft]{pdfcomment}
+\newcommand{\pdfnote}[1]{\marginnote{\pdfcomment[icon=note]{#1}}}
+
+\usepackage{pgfpages}
+\setbeameroption{show notes on second screen=right}
+\usepackage[utf8]{inputenc}
+\usepackage{tikz}
+\usepackage{listings}
+\usepackage{fontawesome5}
+\usepackage[export]{adjustbox}
+\usepackage{fourier}
+\usetikzlibrary{positioning}
+\usetikzlibrary{shapes,arrows}
+
+\lstdefinelanguage{javascript}{
+ basicstyle=\scriptsize,
+ numbers=left,
+ numberstyle=\scriptsize,
+ stepnumber=1,
+ numbersep=5pt,
+ showstringspaces=false,
+ breaklines=true,
+ frame=lines,
+ keywords={typeof, new, true, false, catch, function, return, null, catch, switch, var, if, in, while, do, else, case, break},
+ %keywordstyle=\color{blue}\bfseries,
+ ndkeywords={class, export, boolean, throw, implements, import, this},
+ ndkeywordstyle=\color{darkgray}\bfseries,
+ identifierstyle=\color{black},
+ sensitive=false,
+ comment=[l]{//},
+ morecomment=[s]{/*}{*/},
+ commentstyle=\color{purple}\ttfamily,
+ %stringstyle=\color{red}\ttfamily,
+ morestring=[b]',
+ morestring=[b]"
+}
+\lstdefinelanguage{text}{
+ basicstyle=\scriptsize,
+ numbers=left,
+ numberstyle=\scriptsize,
+ stepnumber=1,
+ numbersep=5pt,
+ showstringspaces=false,
+ breaklines=true,
+ frame=lines
+}
+
+\title{Automation with MISP Workflows}
+\subtitle{A new way to integrate MISP in your CTI pipelines}
+\author{Andras Iklody}
+\date{MUG}
+\titlegraphic{\vspace*{1em}\includegraphics[scale=0.5]{misp.pdf}\\}
+\institute{MISP Project \\ \url{https://www.misp-project.org/}}
+
+
+\begin{document}
+\include{content}
+\end{document}
+
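Review bot: The commented-out `% \usepackage{pgfpages}` and `% \setbeameroption{show notes on second screen=right}` near the top of this file are immediately followed by the same two commands in active form a few lines below, so the commented pair is a leftover from copying slide.tex and should be removed rather than kept as dead text. With that pair gone, the only difference from slide.tex is those two active lines, which makes the case for a shared preamble file stronger; a one-line comment such as `% handout build: renders speaker notes on a second screen` on the active `\setbeameroption` line would also tell a reader why this wrapper exists.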
diff --git a/20221116-NATO-MUG/slide_handout.upa b/20221116-NATO-MUG/slide_handout.upa
new file mode 100644
index 0000000..e69de29