Feature/docs/80 add example playbooks to example folder (#83)
MaartendeKruijf committed Mar 18, 2024
1 parent 382a3e7 commit 72c48aa
Showing 4 changed files with 200 additions and 35 deletions.
19 changes: 19 additions & 0 deletions docs/content/en/docs/getting-started/_index.md
Expand Up @@ -55,6 +55,25 @@ swag init

Compiled binary files can be found under `/bin`.

### Playbook execution

You can use the following commands to execute the example playbooks via the terminal while SOARCA is running assuming on localhost. Alternatively you can go to `http://localhost:8080/swagger/index.html` and use the trigger/playbook endpoint.


Example playbooks:
{{< tabpane langEqualsHeader=false >}}
{{< tab header="ssh" lang="sh" >}}
# make sure an ssh server is running on adres 192.168.0.10
curl -X POST -H "Content-Type: application/json" -d @./example/ssh-playbook.json localhost:8080/trigger/playbook
{{< /tab >}}
{{< tab header="http" lang="sh" >}}
curl -X POST -H "Content-Type: application/json" -d @./example/http-playbook.json localhost:8080/trigger/playbook
{{< /tab >}}
{{< tab header="openC2" lang="sh" >}}
curl -X POST -H "Content-Type: application/json" -d @./example/openc2-playbook.json localhost:8080/trigger/playbook
{{< /tab >}}
{{< /tabpane >}}


## Configuration

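--- /dev/null
+++ b/example/http-playbook.json
@@ -0,0 +1,77 @@
+{
+"type": "playbook",
+"spec_version": "cacao-2.0",
+"id": "playbook--300270f9-0e64-42c8-93cc-0927edbe3ae7",
+"name": "Example ssh",
+"description": "This playbook is to demonstrate the http functionality",
+"playbook_types": [
+"notification"
+],
+"created_by": "identity--96abab60-238a-44ff-8962-5806aa60cbce",
+"created": "2023-11-20T15:56:00.123456Z",
+"modified": "2023-11-20T15:56:00.123456Z",
+"valid_from": "2023-11-20T15:56:00.123456Z",
+"valid_until": "2123-11-20T15:56:00.123456Z",
+"priority": 1,
+"severity": 1,
+"impact": 1,
+"labels": [
+"soarca",
+"http-api",
+"get"
+],
+"agent_definitions": {
+"soarca--00020001-1000-1000-a000-000100010001": {
+"type": "soarca",
+"name": "soarca-http-api"
+}
+},
+"target_definitions": {
+"http-api--1c3900b4-f86b-430d-b415-12312b9e31f4": {
+"type": "http-api",
+"name": "httpbin",
+"address": {
+"dname": [
+"httpbin.org"
+]
+}
+}
+},
+"external_references": [
+{
+"name": "TNO COSSAS",
+"description": "TNO COSSAS",
+"source": "TNO COSSAS",
+"url": "https://cossas-project.org"
+}
+],
+"workflow_start": "start--9e7d62b2-88ac-4656-94e1-dbd4413ba008",
+"workflow_exception": "end--a6f0b81e-affb-4bca-b4f6-a2d5af908958",
+"workflow": {
+"start--9e7d62b2-88ac-4656-94e1-dbd4413ba008": {
+"type": "start",
+"name": "Start example flow http-api",
+"on_completion": "action--eb9372d4-d524-49fc-bf24-be26ea084779"
+},
+"action--eb9372d4-d524-49fc-bf24-be26ea084779": {
+"type": "action",
+"name": "get",
+"description": "Get request with ",
+"on_completion": "end--a6f0b81e-affb-4bca-b4f6-a2d5af908958",
+"commands": [
+{
+"type": "http-api",
+"command": "GET get HTTP1.1"
+}
+],
+"targets": [
+"http-api--1c3900b4-f86b-430d-b415-12312b9e31f4"
+],
+"agent": "soarca--00020001-1000-1000-a000-000100010001"
+},
+"end--a6f0b81e-affb-4bca-b4f6-a2d5af908958": {
+"type": "end",
+"name": "End Flow"
+}
+}
+}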
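Review bot: The playbook `id` near the top of this file, `"playbook--300270f9-0e64-42c8-93cc-0927edbe3ae7"`, is the same identifier used by example/openc2-playbook.json and by the renamed example/ssh-playbook.json, and the `name` is `"Example ssh"` although this is the http example. CACAO playbook ids are meant to be unique, so any consumer that stores, caches or audits executed playbooks by id cannot tell the three examples apart; giving each file its own UUID and changing the name to `"Example http"` avoids that. The action step's `description`, `"Get request with "`, is also cut off mid-sentence. Since the target address is the public host `httpbin.org`, running this example makes an outbound request to a third-party service, which the getting-started page only mentions for the ssh example and could state for this one as well.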
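--- /dev/null
+++ b/example/openc2-playbook.json
@@ -0,0 +1,78 @@
+{
+"type": "playbook",
+"spec_version": "cacao-2.0",
+"id": "playbook--300270f9-0e64-42c8-93cc-0927edbe3ae7",
+"name": "Example ssh",
+"description": "This playbook is to demonstrate the openc2 functionality",
+"playbook_types": [
+"notification"
+],
+"created_by": "identity--96abab60-238a-44ff-8962-5806aa60cbce",
+"created": "2023-11-20T15:56:00.123456Z",
+"modified": "2023-11-20T15:56:00.123456Z",
+"valid_from": "2023-11-20T15:56:00.123456Z",
+"valid_until": "2123-11-20T15:56:00.123456Z",
+"priority": 1,
+"severity": 1,
+"impact": 1,
+"labels": [
+"soarca",
+"openc2",
+"post"
+],
+"agent_definitions": {
+"soarca--00020001-1000-1000-a000-000100010001": {
+"type": "soarca",
+"name": "soarca-openc2-http"
+}
+},
+"target_definitions": {
+"http-api--1c3900b4-f86b-430d-b415-12312b9e31f4": {
+"type": "http-api",
+"name": "httpbin",
+"address": {
+"dname": [
+"httpbin.org"
+]
+}
+}
+},
+"external_references": [
+{
+"name": "TNO COSSAS",
+"description": "TNO COSSAS",
+"source": "TNO COSSAS",
+"url": "https://cossas-project.org"
+}
+],
+"workflow_start": "start--9e7d62b2-88ac-4656-94e1-dbd4413ba008",
+"workflow_exception": "end--a6f0b81e-affb-4bca-b4f6-a2d5af908958",
+"workflow": {
+"start--9e7d62b2-88ac-4656-94e1-dbd4413ba008": {
+"type": "start",
+"name": "Start example flow openc2 http",
+"on_completion": "action--eb9372d4-d524-49fc-bf24-be26ea084779"
+},
+"action--eb9372d4-d524-49fc-bf24-be26ea084779": {
+"type": "action",
+"name": "openc2",
+"description": "Get request with ",
+"on_completion": "end--a6f0b81e-affb-4bca-b4f6-a2d5af908958",
+"commands": [
+{
+"type": "openc2",
+"command": "POST post HTTP1.1",
+"content_b64": "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"
+}
+],
+"targets": [
+"http-api--1c3900b4-f86b-430d-b415-12312b9e31f4"
+],
+"agent": "soarca--00020001-1000-1000-a000-000100010001"
+},
+"end--a6f0b81e-affb-4bca-b4f6-a2d5af908958": {
+"type": "end",
+"name": "End Flow"
+}
+}
+}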
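Review bot: The action step's `description`, `"Get request with "`, does not match the step it documents, whose command is `"POST post HTTP1.1"` with a `content_b64` payload; a description along the lines of `"POST request carrying the base64-encoded OpenC2 command from content_b64"` would tell a reader what the example actually exercises. The value of `content_b64` is not visible in this view, so whether the carried payload is a well-formed OpenC2 command cannot be checked here; it is worth confirming, as the agent name `soarca-openc2-http` implies that is what the target will receive. The command `type` is `"openc2"` while the target definition it references is of type `"http-api"`, which may be intended, but a short comment in the getting-started page on how the two relate would help first-time readers.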
61 changes: 26 additions & 35 deletions example/ssh-command.txt → example/ssh-playbook.json
@@ -1,9 +1,9 @@
curl -d '{
{
"type": "playbook",
"spec_version": "cacao-2.0",
"id": "playbook--300270f9-0e64-42c8-93cc-0927edbe3ae7",
"name": "Block malware",
"description": "This playbook will block malware by performing multiple actions",
"name": "Example ssh",
"description": "This playbook demonstrates ssh functionality",
"playbook_types": [
"notification"
],
Expand All @@ -17,29 +17,20 @@ curl -d '{
"impact": 1,
"labels": [
"soarca",
"coa9",
"coa7"
"ssh",
"example"
],
"authentication_info_definitions": {
"user-auth--b7ddc2ea-9f6a-4e82-8eaa-be202e942090": {
"type": "user-auth",
"username": "root",
"password": "\"mIUpk_6O\"c9ECziTM67fu,c`gy6PK6:"
"password": "password"
}
},
"agent_definitions": {
"soarca--11110001-0001-0000-0000-000100010001": {
"soarca--00010001-1000-1000-a000-000100010001": {
"type": "soarca",
"name": "soarca-ssh-capability"
},
"soarca--22220001-0001-0000-0000-000100010001": {
"type": "soarca",
"name": "soarca-http-api-capability"
},
"soarca--e896aa3b-bb37-429e-8ece-2d4286cf326d": {
"type": "soarca",
"name": "mod-virustotal--e896aa3b-bb37-429e-8ece-2d4286cf326d",
"authentication_info": "user-auth--b7ddc2ea-9f6a-4e82-8eaa-be202e942090"
"name": "soarca-ssh"
}
},
"target_definitions": {
Expand All @@ -48,70 +39,70 @@ curl -d '{
"name": "system 1",
"address": {
"ipv4": [
"134.221.49.62"
"192.168.0.10"
]
},
"authentication_info": "user-auth--b7ddc2ea-9f6a-4e82-8eaa-be202e942090"
}
},
"external_references": [
{
"name": "TNO CST - AInception",
"description": "AInception",
"source": "TNO CST",
"url": "http://tno.nl/cst"
"name": "TNO COSSAS",
"description": "TNO COSSAS",
"source": "TNO COSSAS",
"url": "https://cossas-project.org"
}
],
"workflow_start": "start--9e7d62b2-88ac-4656-94e1-dbd4413ba008",
"workflow_exception": "end--a6f0b81e-affb-4bca-b4f6-a2d5af908958",
"workflow": {
"start--9e7d62b2-88ac-4656-94e1-dbd4413ba008": {
"type": "start",
"name": "Start block malware Flow",
"name": "Start ssh example",
"on_completion": "action--eb9372d4-d524-49fc-bf24-be26ea084779"
},
"action--eb9372d4-d524-49fc-bf24-be26ea084779": {
"type": "action",
"name": "coa9 - kill malware process",
"description": "Block malware by killing the malware process",
"name": "Execute command",
"description": "Execute command specified in variable",
"on_completion": "action--88f4c4df-fa96-44e6-b310-1c06d193ea55",
"commands": [
{
"type": "ssh",
"command": "touch /root/file3"
"command": "__command__:value"
}
],
"targets": [
"ssh--1c3900b4-f86b-430d-b415-12312b9e31f4"
],
"agent": "soarca--11110001-0001-0000-0000-000100010001",
"agent": "soarca--00010001-1000-1000-a000-000100010001",
"step_variables": {
"__processname__": {
"__command__": {
"type": "string",
"value": "malware.exe",
"value": "ls -la",
"constant": true
}
}
},
"action--88f4c4df-fa96-44e6-b310-1c06d193ea55": {
"type": "action",
"name": "coa7 - delete program",
"description": "Delete program specified",
"name": "Touch file",
"description": "Touch file at path specified by variable",
"on_completion": "end--a6f0b81e-affb-4bca-b4f6-a2d5af908958",
"commands": [
{
"type": "ssh",
"command": "touch /root/file4"
"command": "touch __path__:value"
}
],
"targets": [
"ssh--1c3900b4-f86b-430d-b415-12312b9e31f4"
],
"agent": "soarca--11110001-0001-0000-0000-000100010001",
"agent": "soarca--00010001-1000-1000-a000-000100010001",
"step_variables": {
"__path__": {
"type": "string",
"value": "/bin/malware",
"value": "/root/file1",
"constant": true
}
}
Expand All @@ -121,4 +112,4 @@ curl -d '{
"name": "End Flow"
}
}
}' -H "Content-Type: application/json" -X POST http://localhost:8080/trigger/workflow
}
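Review bot: The `user-auth` entry in the second hunk now pairs the username `"root"` with the literal password `"password"`, and the getting-started hunk in this commit tells readers to run this file against a real ssh server at 192.168.0.10, so the example as written only works on a host that permits root password login with a trivial password. Since this is a committed example, a clearly marked placeholder such as `"password": "<replace-with-your-password>"`, ideally with a non-root username, makes the intent explicit and discourages copying the values into a live host. The first action step's `"__command__:value"` together with the `__command__` step variable set to `"ls -la"` appears to show that variable values are substituted directly into the ssh command line; if so, a sentence in the getting-started page stating that step variable values are executed as shell input on the target would be a useful caveat for anyone adapting the example.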
