diff --git a/docs/content/en/docs/getting-started/_index.md b/docs/content/en/docs/getting-started/_index.md index 6e953a79..86a4c81d 100644 --- a/docs/content/en/docs/getting-started/_index.md +++ b/docs/content/en/docs/getting-started/_index.md @@ -55,6 +55,25 @@ swag init Compiled binary files can be found under `/bin`. +### Playbook execution + +You can use the following commands to execute the example playbooks via the terminal while SOARCA is running assuming on localhost. Alternatively you can go to `http://localhost:8080/swagger/index.html` and use the trigger/playbook endpoint. + + +Example playbooks: +{{< tabpane langEqualsHeader=false >}} +{{< tab header="ssh" lang="sh" >}} +# make sure an ssh server is running on adres 192.168.0.10 +curl -X POST -H "Content-Type: application/json" -d @./example/ssh-playbook.json localhost:8080/trigger/playbook +{{< /tab >}} +{{< tab header="http" lang="sh" >}} +curl -X POST -H "Content-Type: application/json" -d @./example/http-playbook.json localhost:8080/trigger/playbook +{{< /tab >}} +{{< tab header="openC2" lang="sh" >}} +curl -X POST -H "Content-Type: application/json" -d @./example/openc2-playbook.json localhost:8080/trigger/playbook +{{< /tab >}} +{{< /tabpane >}} + ## Configuration diff --git a/example/http-playbook.json b/example/http-playbook.json new file mode 100644 index 00000000..1148259d --- /dev/null +++ b/example/http-playbook.json 
@@ -0,0 +1,77 @@
+{
+ "type": "playbook",
+ "spec_version": "cacao-2.0",
+ "id": "playbook--300270f9-0e64-42c8-93cc-0927edbe3ae7",
+ "name": "Example ssh",
+ "description": "This playbook is to demonstrate the http functionality",
+ "playbook_types": [
+ "notification"
+ ],
+ "created_by": "identity--96abab60-238a-44ff-8962-5806aa60cbce",
+ "created": "2023-11-20T15:56:00.123456Z",
+ "modified": "2023-11-20T15:56:00.123456Z",
+ "valid_from": "2023-11-20T15:56:00.123456Z",
+ "valid_until": "2123-11-20T15:56:00.123456Z",
+ "priority": 1,
+ "severity": 1,
+ "impact": 1,
+ "labels": [
+ "soarca",
+ "http-api",
+ "get"
+ ],
+ "agent_definitions": {
+ "soarca--00020001-1000-1000-a000-000100010001": {
+ "type": "soarca",
+ "name": "soarca-http-api"
+ }
+ },
+ "target_definitions": {
+ "http-api--1c3900b4-f86b-430d-b415-12312b9e31f4": {
+ "type": "http-api",
+ "name": "httpbin",
+ "address": {
+ "dname": [
+ "httpbin.org"
+ ]
+ }
+ }
+ },
+ "external_references": [
+ {
+ "name": "TNO COSSAS",
+ "description": "TNO COSSAS",
+ "source": "TNO COSSAS",
+ "url": "https://cossas-project.org"
+ }
+ ],
+ "workflow_start": "start--9e7d62b2-88ac-4656-94e1-dbd4413ba008",
+ "workflow_exception": "end--a6f0b81e-affb-4bca-b4f6-a2d5af908958",
+ "workflow": {
+ "start--9e7d62b2-88ac-4656-94e1-dbd4413ba008": {
+ "type": "start",
+ "name": "Start example flow http-api",
+ "on_completion": "action--eb9372d4-d524-49fc-bf24-be26ea084779"
+ },
+ "action--eb9372d4-d524-49fc-bf24-be26ea084779": {
+ "type": "action",
+ "name": "get",
+ "description": "Get request with ",
+ "on_completion": "end--a6f0b81e-affb-4bca-b4f6-a2d5af908958",
+ "commands": [
+ {
+ "type": "http-api",
+ "command": "GET get HTTP1.1"
+ }
+ ],
+ "targets": [
+ "http-api--1c3900b4-f86b-430d-b415-12312b9e31f4"
+ ],
+ "agent": "soarca--00020001-1000-1000-a000-000100010001"
+ },
+ "end--a6f0b81e-affb-4bca-b4f6-a2d5af908958": {
+ "type": "end",
+ "name": "End Flow"
+ }
+ }
+}
\ No newline at end of file
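Review bot: The metadata on this new example contradicts the file it lives in: `"name": "Example ssh"` is the ssh example's name, and `"id": "playbook--300270f9-0e64-42c8-93cc-0927edbe3ae7"` is the identical id carried by the ssh and openc2 examples in this same commit, so if SOARCA stores or correlates playbooks by id (not visible from here) the three examples collide. Give the file its own UUID and `"name": "Example http-api"`. The step `"description": "Get request with "` is cut off mid-sentence; `"description": "GET request against httpbin.org/get"` says what the `GET get HTTP1.1` command does. Since the target's `dname` is the public `httpbin.org`, the getting-started page should tell readers that running this example sends a request to a third-party host.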
diff --git a/example/openc2-playbook.json b/example/openc2-playbook.json new file mode 100644 index 00000000..256a07ec --- /dev/null +++ b/example/openc2-playbook.json 
@@ -0,0 +1,78 @@
+{
+ "type": "playbook",
+ "spec_version": "cacao-2.0",
+ "id": "playbook--300270f9-0e64-42c8-93cc-0927edbe3ae7",
+ "name": "Example ssh",
+ "description": "This playbook is to demonstrate the openc2 functionality",
+ "playbook_types": [
+ "notification"
+ ],
+ "created_by": "identity--96abab60-238a-44ff-8962-5806aa60cbce",
+ "created": "2023-11-20T15:56:00.123456Z",
+ "modified": "2023-11-20T15:56:00.123456Z",
+ "valid_from": "2023-11-20T15:56:00.123456Z",
+ "valid_until": "2123-11-20T15:56:00.123456Z",
+ "priority": 1,
+ "severity": 1,
+ "impact": 1,
+ "labels": [
+ "soarca",
+ "openc2",
+ "post"
+ ],
+ "agent_definitions": {
+ "soarca--00020001-1000-1000-a000-000100010001": {
+ "type": "soarca",
+ "name": "soarca-openc2-http"
+ }
+ },
+ "target_definitions": {
+ "http-api--1c3900b4-f86b-430d-b415-12312b9e31f4": {
+ "type": "http-api",
+ "name": "httpbin",
+ "address": {
+ "dname": [
+ "httpbin.org"
+ ]
+ }
+ }
+ },
+ "external_references": [
+ {
+ "name": "TNO COSSAS",
+ "description": "TNO COSSAS",
+ "source": "TNO COSSAS",
+ "url": "https://cossas-project.org"
+ }
+ ],
+ "workflow_start": "start--9e7d62b2-88ac-4656-94e1-dbd4413ba008",
+ "workflow_exception": "end--a6f0b81e-affb-4bca-b4f6-a2d5af908958",
+ "workflow": {
+ "start--9e7d62b2-88ac-4656-94e1-dbd4413ba008": {
+ "type": "start",
+ "name": "Start example flow openc2 http",
+ "on_completion": "action--eb9372d4-d524-49fc-bf24-be26ea084779"
+ },
+ "action--eb9372d4-d524-49fc-bf24-be26ea084779": {
+ "type": "action",
+ "name": "openc2",
+ "description": "Get request with ",
+ "on_completion": "end--a6f0b81e-affb-4bca-b4f6-a2d5af908958",
+ "commands": [
+ {
+ "type": "openc2",
+ "command": "POST post HTTP1.1",
+ "content_b64": "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"
+ }
+ ],
+ "targets": [
+ "http-api--1c3900b4-f86b-430d-b415-12312b9e31f4"
+ ],
+ "agent": "soarca--00020001-1000-1000-a000-000100010001"
+ },
+ "end--a6f0b81e-affb-4bca-b4f6-a2d5af908958": {
+ "type": "end",
"name": "End Flow"
+ }
+ }
+}
\ No newline at end of file
diff --git a/example/ssh-command.txt b/example/ssh-playbook.json
similarity index 62%
rename from example/ssh-command.txt
rename to example/ssh-playbook.json
index fdcab6e5..c5689ba0 100644
--- a/example/ssh-command.txt
+++ b/example/ssh-playbook.json
@@ -1,9 +1,9 @@
-curl -d '{
+{
 "type": "playbook",
 "spec_version": "cacao-2.0",
 "id": "playbook--300270f9-0e64-42c8-93cc-0927edbe3ae7",
- "name": "Block malware",
- "description": "This playbook will block malware by performing multiple actions",
+ "name": "Example ssh",
+ "description": "This playbook demonstrates ssh functionality",
 "playbook_types": [
 "notification"
 ],
@@ -17,29 +17,20 @@ curl -d '{
 "impact": 1,
 "labels": [
 "soarca",
- "coa9",
- "coa7"
+ "ssh",
+ "example"
 ],
 "authentication_info_definitions": {
 "user-auth--b7ddc2ea-9f6a-4e82-8eaa-be202e942090": {
 "type": "user-auth",
 "username": "root",
- "password": "\"mIUpk_6O\"c9ECziTM67fu,c`gy6PK6:"
+ "password": "password"
 }
 },
 "agent_definitions": {
- "soarca--11110001-0001-0000-0000-000100010001": {
+ "soarca--00010001-1000-1000-a000-000100010001": {
 "type": "soarca",
- "name": "soarca-ssh-capability"
- },
- "soarca--22220001-0001-0000-0000-000100010001": {
- "type": "soarca",
- "name": "soarca-http-api-capability"
- },
- "soarca--e896aa3b-bb37-429e-8ece-2d4286cf326d": {
- "type": "soarca",
- "name": "mod-virustotal--e896aa3b-bb37-429e-8ece-2d4286cf326d",
- "authentication_info": "user-auth--b7ddc2ea-9f6a-4e82-8eaa-be202e942090"
+ "name": "soarca-ssh"
 }
 },
 "target_definitions": {
@@ -48,7 +39,7 @@ curl -d '{
 "name": "system 1",
 "address": {
 "ipv4": [
- "134.221.49.62"
+ "192.168.0.10"
 ]
 },
 "authentication_info": "user-auth--b7ddc2ea-9f6a-4e82-8eaa-be202e942090"
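Review bot: This example reuses both `"id": "playbook--300270f9-0e64-42c8-93cc-0927edbe3ae7"` and `"name": "Example ssh"` from the ssh example, and the step's `"description": "Get request with "` does not match its `"command": "POST post HTTP1.1"`. Give the file a fresh UUID, `"name": "Example openc2"`, and a description along the lines of `"POST an OpenC2 command to httpbin.org/post"`. The `content_b64` field carries the actual OpenC2 command opaquely; a sentence on the getting-started page saying what it contains would let a reader judge what they are sending to the public `httpbin.org` host before running the example.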
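Review bot: `"password": "password"` next to `"username": "root"` leaves a cleartext root credential in an example that the getting-started page tells readers to post as-is, so anyone who follows it against a real host has just validated root login with a guessable password. The removed line held a much stronger, real-looking password; rewriting it here does not take it out of git history, so if it was ever valid on the `134.221.49.62` host dropped in the next hunk it needs to be rotated. For the example itself, use an unprivileged account and a value that cannot be mistaken for a working secret, e.g. `"username": "soarca-demo"` and `"password": "<replace-with-your-password>"`, and state in the docs that both must be changed. The `user-auth--b7ddc2ea-…` definition edited here is what the `ssh--1c3900b4-…` target in the following hunk references, so every ssh step in the workflow runs under it.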
@@ -56,10 +47,10 @@ curl -d '{
 },
 "external_references": [
 {
- "name": "TNO CST - AInception",
- "description": "AInception",
- "source": "TNO CST",
- "url": "http://tno.nl/cst"
+ "name": "TNO COSSAS",
+ "description": "TNO COSSAS",
+ "source": "TNO COSSAS",
+ "url": "https://cossas-project.org"
 }
 ],
 "workflow_start": "start--9e7d62b2-88ac-4656-94e1-dbd4413ba008",
@@ -67,51 +58,51 @@ curl -d '{
 "workflow": {
 "start--9e7d62b2-88ac-4656-94e1-dbd4413ba008": {
 "type": "start",
- "name": "Start block malware Flow",
+ "name": "Start ssh example",
 "on_completion": "action--eb9372d4-d524-49fc-bf24-be26ea084779"
 },
 "action--eb9372d4-d524-49fc-bf24-be26ea084779": {
 "type": "action",
- "name": "coa9 - kill malware process",
- "description": "Block malware by killing the malware process",
+ "name": "Execute command",
+ "description": "Execute command specified in variable",
 "on_completion": "action--88f4c4df-fa96-44e6-b310-1c06d193ea55",
 "commands": [
 {
 "type": "ssh",
- "command": "touch /root/file3"
+ "command": "__command__:value"
 }
 ],
 "targets": [
 "ssh--1c3900b4-f86b-430d-b415-12312b9e31f4"
 ],
- "agent": "soarca--11110001-0001-0000-0000-000100010001",
+ "agent": "soarca--00010001-1000-1000-a000-000100010001",
 "step_variables": {
- "__processname__": {
+ "__command__": {
 "type": "string",
- "value": "malware.exe",
+ "value": "ls -la",
 "constant": true
 }
 }
 },
 "action--88f4c4df-fa96-44e6-b310-1c06d193ea55": {
 "type": "action",
- "name": "coa7 - delete program",
- "description": "Delete program specified",
+ "name": "Touch file",
+ "description": "Touch file at path specified by variable",
 "on_completion": "end--a6f0b81e-affb-4bca-b4f6-a2d5af908958",
 "commands": [
 {
 "type": "ssh",
- "command": "touch /root/file4"
+ "command": "touch __path__:value"
 }
 ],
 "targets": [
 "ssh--1c3900b4-f86b-430d-b415-12312b9e31f4"
 ],
- "agent": "soarca--11110001-0001-0000-0000-000100010001",
+ "agent": "soarca--00010001-1000-1000-a000-000100010001",
 "step_variables": {
 "__path__": {
 "type": "string",
- "value": "/bin/malware",
+ "value": "/root/file1",
 "constant": true
 }
 }
@@ -121,4 +112,4 @@ curl -d '{
 "name": "End Flow"
 }
 }
-}' -H "Content-Type: application/json" -X POST http://localhost:8080/trigger/workflow
\ No newline at end of file
+}
\ No newline at end of file
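Review bot: `"command": "touch __path__:value"` interpolates a step variable unquoted into a remote shell command, and `"command": "__command__:value"` makes the whole command line a variable; in this file both are pinned by `"constant": true`, but if step variables can be overridden when the playbook is triggered (not visible from this hunk) a value like `/tmp/x; id` executes as the `root` account that the target's `authentication_info` points at. Where the variable is a single argument, quote it, `"command": "touch '__path__:value'"` — presumably SOARCA substitutes textually so the quotes reach the remote shell, which should be confirmed — and point the example at an unprivileged account. The demo values `ls -la` and `/root/file1` are fine, but the getting-started page should explain what `constant: true` guarantees here, since it is the only thing standing between these examples and arbitrary remote command execution.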