diff --git a/README.md b/README.md index 2bff84a..1b8cdba 100644 --- a/README.md +++ b/README.md 
@@ -18,6 +18,17 @@ For more information about MISP workflows in MISP, the training materials [MISP - [Remote `to_ids` flag if the indicator appears in known file list](https://github.com/MISP/misp-workflow-blueprints/blob/main/blueprints/blueprint_disable-to_ids-flag-for-existing-hash-in-hashlookup_1667228944.json) - Disable to_ids flag for existing hash in [hashlookup](https://www.hashlookup.io/). - [Set tag based on BGP Ranking maliciousness level](https://github.com/MISP/misp-workflow-blueprints/blob/main/blueprints/blueprint_set-tag-based-on-bgp-ranking-maliciousness-level_1668498668.json) - Set tag based on [BGP Ranking](https://bgpranking.circl.lu) maliciousness level. +### Curation blueprints +- [Curation - Allow curation process](./blueprints/blueprint_curation---allow-curation-process.json) +- [Curation - Assign threat-level based on enriched location](./blueprints/blueprint_curation---assign-threat-level-based-on-enriched-location.json) +- [Curation - Assign a country GalaxyCluster on IPs](./blueprints/blueprint_curation---assign-a-country-galaxycluster-on-ips.json) +- [Curation - Normalize TLP & PAP Tag](./blueprints/blueprint_curation---normalize-tlp-&-pap-tag.json) +- [Curation - Remove automation flag from known non-malicious hashes](./blueprints/blueprint_curation---remove-automation-flag-from-known-non-malicious-hashes.json) +- [Curation - Remove automation flag from false-positive tripping over warninglist](./blueprints/blueprint_curation---remove-automation-flag-from-false-positive-tripping-over-warninglist.json) +- [Curation - Remove automation flag from data having correlation with predefined feed](./blueprints/blueprint_curation---remove-automation-flag-from-data-having-correlation-with-predefined-feed.json) +- [Curation - Toggle automation flag from network IoC based on AbuseIPDB](./blueprints/blueprint_curation---toggle-automation-flag-from-network-ioc-based-on-abuseipdb.json) +- [Curation - Toggle automation flag from URLs based on 
Google-Safe-Browsing](./blueprints/blueprint_curation---toggle-automation-flag-from-urls-based-on-google-safe-browsing.json) + ## How to contribute your workflow blueprints? It's very easy. Fork the repository, create a new JSON file with your blueprint and make a pull-request. diff --git a/blueprints/blueprint_curation---allow-curation-process.json b/blueprints/blueprint_curation---allow-curation-process.json new file mode 100644 index 0000000..33e4418 --- /dev/null +++ b/blueprints/blueprint_curation---allow-curation-process.json @@ -0,0 +1,56 @@ +{ + "WorkflowBlueprint": { + "id": "30", + "uuid": "19be89c7-58ca-40c4-9e42-a4fd8aa0e6d7", + "name": "Curation - Allow curation process", + "description": "Allow running the curation process if an event is tagged with the appropriate tag", + "timestamp": "1690446130", + "data": [ + { + "id": 78, + "name": "IF :: Tag", + "data": { + "indexed_params": { + "scope": "event", + "condition": "in_or", + "tags": [ + "misp-workflow:run=\"allowed\"" + ] + }, + "saved_filters": { + "selector": "", + "value": "", + "operator": "", + "path": "" + }, + "node_uid": "57q277772vi0n7dp0o8ftak", + "module_type": "logic", + "id": "tag-if", + "name": "IF :: Tag", + "multiple_output_connection": false, + "previous_module_version": "?", + "module_version": "0.4" + }, + "class": "block-type-if block-type-logic expect-misp-core-format", + "typenode": false, + "inputs": { + "input_1": { + "connections": [] + } + }, + "outputs": { + "output_1": { + "connections": [] + }, + "output_2": { + "connections": [] + } + }, + "pos_x": 2141.2864500253677, + "pos_y": 519 + } + ], + "default": false, + "mermaid": "flowchart LR\n" + } +} \ No newline at end of file diff --git a/blueprints/blueprint_curation---assign-a-country-galaxycluster-on-ips.json b/blueprints/blueprint_curation---assign-a-country-galaxycluster-on-ips.json new file mode 100644 index 0000000..65f502a --- /dev/null 
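Review bot: The single `IF :: Tag` node in this blueprint gates on `misp-workflow:run="allowed"`, while every other curation blueprint in this commit gates on `misp-workflow:mutability="allowed"`, so the `description` ("if an event is tagged with the appropriate tag") should name the tag and say how "run" relates to "mutability", or the two should be unified. Both `output_1` and `output_2` are left unconnected, so this is a building block rather than a runnable workflow; saying so would help, e.g. `"description": "Building block: passes events tagged misp-workflow:run=\"allowed\" through output_1; connect curation nodes there and leave output_2 as the no-op path."`. Because the gate is an ordinary event tag, any user with tagging rights on the event — and presumably a remote instance whose tags are accepted on sync — can switch automated curation on, so a note that the `misp-workflow` taxonomy should be restricted to the curating organisation is the caveat an operator will want before importing this.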
+++ b/blueprints/blueprint_curation---assign-a-country-galaxycluster-on-ips.json 
@@ -0,0 +1,367 @@ +{ + "WorkflowBlueprint": { + "id": "21", + "uuid": "97090f43-4790-4fed-b4c1-b8a122ffc5a5", + "name": "Curation - Assign a country GalaxyCluster on IPs", + "description": "Using an enrichment module, resolve the location of IPs then permanently attach a galaxy cluster.", + "timestamp": "1689083255", + "data": [ + { + "id": 16, + "name": "Attach enrichment", + "data": { + "indexed_params": { + "modules": [ + "", + "mmdb_lookup" + ] + }, + "saved_filters": { + "selector": "", + "value": "", + "operator": "", + "path": "" + }, + "node_uid": "23spllllfu01rct6zbd2wih", + "module_type": "action", + "id": "attach-enrichment", + "name": "Attach enrichment", + "multiple_output_connection": false, + "previous_module_version": "?", + "module_version": "0.3" + }, + "class": "block-type-default expect-misp-core-format", + "typenode": false, + "inputs": { + "input_1": { + "connections": [ + { + "node": "20", + "input": "output_1" + } + ] + } + }, + "outputs": { + "output_1": { + "connections": [ + { + "node": "17", + "output": "input_1" + } + ] + } + }, + "pos_x": -646.7039502299574, + "pos_y": 1356.4238392223008 + }, + { + "id": 17, + "name": "Filter :: Generic", + "data": { + "indexed_params": { + "filtering-label": "B", + "selector": "Event._AttributeFlattened.{n}", + "value": "geolocation", + "operator": "in", + "hash_path": "enrichment.{n}.Object.0.name" + }, + "saved_filters": { + "selector": "", + "value": "", + "operator": "", + "path": "" + }, + "node_uid": "23t83lllfu00ylcicdkukb", + "module_type": "logic", + "id": "generic-filter-data", + "name": "Filter :: Generic", + "multiple_output_connection": false, + "previous_module_version": "?", + "module_version": "0.2" + }, + "class": "block-type-default block-type-logic", + "typenode": false, + "inputs": { + "input_1": { + "connections": [ + { + "node": "16", + "input": "output_1" + } + ] + } + }, + "outputs": { + "output_1": { + "connections": [ + { + "node": "21", + "output": "input_1" + } + ] + } + }, 
+ "pos_x": -220.70395022995808, + "pos_y": 1211.4238392223008 + }, + { + "id": 18, + "name": "Assign country", + "data": { + "indexed_params": { + "scope": "attribute", + "hash_path": "enrichment.{n}.Object.0.Attribute.{n}[object_relation=country].value", + "locality": "global", + "galaxy_name": "", + "relationship_type": "" + }, + "saved_filters": { + "selector": "", + "value": "", + "operator": "", + "path": "" + }, + "node_uid": "23te0l77bzpy5e8", + "module_type": "action", + "id": "assign_country", + "name": "Assign country", + "multiple_output_connection": false, + "previous_module_version": "?", + "module_version": "0.2" + }, + "class": "block-type-default expect-misp-core-format", + "typenode": false, + "inputs": { + "input_1": { + "connections": [ + { + "node": "21", + "input": "output_1" + } + ] + } + }, + "outputs": { + "output_1": { + "connections": [ + { + "node": "19", + "output": "input_1" + } + ] + } + }, + "pos_x": 693.4507351104521, + "pos_y": 1062.1994215660343 + }, + { + "id": 19, + "name": "Filter :: Remove filter", + "data": { + "indexed_params": { + "filtering-label": "all" + }, + "saved_filters": { + "selector": "", + "value": "", + "operator": "", + "path": "" + }, + "node_uid": "23tii0c26rtkrkdcp", + "module_type": "logic", + "id": "generic-filter-reset", + "name": "Filter :: Remove filter", + "multiple_output_connection": false, + "previous_module_version": "?", + "module_version": "0.1" + }, + "class": "block-type-default block-type-logic", + "typenode": false, + "inputs": { + "input_1": { + "connections": [ + { + "node": "18", + "input": "output_1" + }, + { + "node": "22", + "input": "output_1" + } + ] + } + }, + "outputs": { + "output_1": { + "connections": [] + } + }, + "pos_x": 1151.4507351104521, + "pos_y": 1361.4620027265223 + }, + { + "id": 20, + "name": "Filter :: Generic", + "data": { + "indexed_params": { + "filtering-label": "A", + "selector": "Event._AttributeFlattened.{n}", + "value": "", + "value_list": [ + "ip-src", + 
"ip-dst", + "ip-src|port", + "ip-dst|port" + ], + "operator": "in_or", + "hash_path": "type" + }, + "saved_filters": { + "selector": "", + "value": "", + "operator": "", + "path": "" + }, + "node_uid": "23tlllllfu01x6pcf13we6", + "module_type": "logic", + "id": "generic-filter-data", + "name": "Filter :: Generic", + "multiple_output_connection": false, + "previous_module_version": "?", + "module_version": "0.2" + }, + "class": "block-type-default block-type-logic", + "typenode": false, + "inputs": { + "input_1": { + "connections": [] + } + }, + "outputs": { + "output_1": { + "connections": [ + { + "node": "16", + "output": "input_1" + } + ] + } + }, + "pos_x": -1054.9063387784088, + "pos_y": 1202.4238392223008 + }, + { + "id": 21, + "name": "IF :: Tag", + "data": { + "indexed_params": { + "scope": "event", + "condition": "in_or", + "tags": [ + "misp-workflow:mutability=\"allowed\"" + ], + "clusters": "" + }, + "saved_filters": { + "selector": "", + "value": "", + "operator": "", + "path": "" + }, + "node_uid": "23tsweeecyi0q18dszjwe6h", + "module_type": "logic", + "id": "tag-if", + "name": "IF :: Tag", + "multiple_output_connection": false, + "previous_module_version": "?", + "module_version": "0.4" + }, + "class": "block-type-if block-type-logic expect-misp-core-format", + "typenode": false, + "inputs": { + "input_1": { + "connections": [ + { + "node": "17", + "input": "output_1" + } + ] + } + }, + "outputs": { + "output_1": { + "connections": [ + { + "node": "18", + "output": "input_1" + } + ] + }, + "output_2": { + "connections": [ + { + "node": "22", + "output": "input_1" + } + ] + } + }, + "pos_x": 192.45073511045211, + "pos_y": 1278.9628939921195 + }, + { + "id": 22, + "name": "Assign country", + "data": { + "indexed_params": { + "scope": "attribute", + "hash_path": "enrichment.{n}.Object.0.Attribute.{n}[object_relation=country].value", + "locality": "local", + "galaxy_name": "", + "relationship_type": "" + }, + "saved_filters": { + "selector": "", + "value": 
"", + "operator": "", + "path": "" + }, + "node_uid": "23uhi0n6ccq0wctts", + "module_type": "action", + "id": "assign_country", + "name": "Assign country", + "multiple_output_connection": false, + "previous_module_version": "?", + "module_version": "0.2" + }, + "class": "block-type-default expect-misp-core-format", + "typenode": false, + "inputs": { + "input_1": { + "connections": [ + { + "node": "21", + "input": "output_2" + } + ] + } + }, + "outputs": { + "output_1": { + "connections": [ + { + "node": "19", + "output": "input_1" + } + ] + } + }, + "pos_x": 696.2142075365373, + "pos_y": 1439.9628939921195 + } + ], + "default": false, + "mermaid": "flowchart LR\n 17[/\"fas:fa-filter Filter :: Generic\"/] --> 21[/\"fas:fa-code-branch IF :: Tag\"/]\n 18[\"fas:fa-globe Assign country\"] --> 19[/\"fas:fa-redo-alt Filter :: Remove filter\"/]\n 21[/\"fas:fa-code-branch IF :: Tag\"/] --> 18[\"fas:fa-globe Assign country\"]\n 21[/\"fas:fa-code-branch IF :: Tag\"/] --> 22[\"fas:fa-globe Assign country\"]\n 22[\"fas:fa-globe Assign country\"] --> 19[/\"fas:fa-redo-alt Filter :: Remove filter\"/]\n" + } +} \ No newline at end of file diff --git a/blueprints/blueprint_curation---assign-threat-level-based-on-enriched-location.json b/blueprints/blueprint_curation---assign-threat-level-based-on-enriched-location.json new file mode 100644 index 0000000..914a185 --- /dev/null +++ b/blueprints/blueprint_curation---assign-threat-level-based-on-enriched-location.json 
@@ -0,0 +1,374 @@ +{ + "WorkflowBlueprint": { + "id": "20", + "uuid": "6d98087d-170f-42ea-966d-7751ed2726e0", + "name": "Curation - Assign threat-level based on enriched location", + "description": "Using an enrichment module, resolve the location of IPs then assign the selected threat-level", + "timestamp": "1689083162", + "data": [ + { + "id": 9, + "name": "Attach enrichment", + "data": { + "indexed_params": { + "modules": [ + "", + "mmdb_lookup" + ] + }, + "saved_filters": { + "selector": "", + "value": "", + "operator": "", + "path": "" + }, + "node_uid": "1ft6eeeecyi0q0h59h8a51", + "module_type": "action", + "id": "attach-enrichment", + "name": "Attach enrichment", + "multiple_output_connection": false, + "previous_module_version": "?", + "module_version": "0.3" + }, + "class": "block-type-default expect-misp-core-format", + "typenode": false, + "inputs": { + "input_1": { + "connections": [ + { + "node": "12", + "input": "output_1" + } + ] + } + }, + "outputs": { + "output_1": { + "connections": [ + { + "node": "11", + "output": "input_1" + } + ] + } + }, + "pos_x": -1064.8818359375, + "pos_y": 1366.8623046874995 + }, + { + "id": 10, + "name": "Tag operation", + "data": { + "indexed_params": { + "scope": "attribute", + "action": "add", + "locality": "global", + "tags": [ + "misp:threat-level=\"medium-risk\"" + ], + "relationship_type": "" + }, + "saved_filters": { + "selector": "", + "value": "", + "operator": "", + "path": "" + }, + "node_uid": "1ftq77772vi0r9hmtz59qra", + "module_type": "action", + "id": "tag_operation", + "name": "Tag operation", + "multiple_output_connection": false, + "previous_module_version": "?", + "module_version": "0.2" + }, + "class": "block-type-default expect-misp-core-format", + "typenode": false, + "inputs": { + "input_1": { + "connections": [ + { + "node": "14", + "input": "output_1" + } + ] + } + }, + "outputs": { + "output_1": { + "connections": [ + { + "node": "13", + "output": "input_1" + } + ] + } + }, + "pos_x": 
248.1181640625009, + "pos_y": 1030.8623046874995 + }, + { + "id": 11, + "name": "Filter :: Generic", + "data": { + "indexed_params": { + "filtering-label": "B", + "selector": "Event._AttributeFlattened.{n}", + "value": "", + "value_list": [ + "United States", + "Luxembourg" + ], + "operator": "in_or", + "hash_path": "enrichment.{n}.Object.0.Attribute.{n}[object_relation=country].value" + }, + "saved_filters": { + "selector": "", + "value": "", + "operator": "", + "path": "" + }, + "node_uid": "1fu5llllfu0rybf6tt5kjb", + "module_type": "logic", + "id": "generic-filter-data", + "name": "Filter :: Generic", + "multiple_output_connection": false, + "previous_module_version": "?", + "module_version": "0.2" + }, + "class": "block-type-default block-type-logic", + "typenode": false, + "inputs": { + "input_1": { + "connections": [ + { + "node": "9", + "input": "output_1" + } + ] + } + }, + "outputs": { + "output_1": { + "connections": [ + { + "node": "14", + "output": "input_1" + } + ] + } + }, + "pos_x": -631.8818359375, + "pos_y": 1223.8623046874995 + }, + { + "id": 12, + "name": "Filter :: Generic", + "data": { + "indexed_params": { + "filtering-label": "A", + "selector": "Event._AttributeFlattened.{n}", + "value_list": [ + "ip-src", + "ip-dst", + "ip-src|port", + "ip-dst|port" + ], + "operator": "in_or", + "hash_path": "type" + }, + "saved_filters": { + "selector": "", + "value": "", + "operator": "", + "path": "" + }, + "node_uid": "1fubassspx0mdqg4sytcz", + "module_type": "logic", + "id": "generic-filter-data", + "name": "Filter :: Generic", + "multiple_output_connection": false, + "previous_module_version": "?", + "module_version": "0.2" + }, + "class": "block-type-default block-type-logic", + "typenode": false, + "inputs": { + "input_1": { + "connections": [] + } + }, + "outputs": { + "output_1": { + "connections": [ + { + "node": "9", + "output": "input_1" + } + ] + } + }, + "pos_x": -1462.8818359374995, + "pos_y": 1212.8623046874995 + }, + { + "id": 13, + "name": 
"Filter :: Remove filter", + "data": { + "indexed_params": { + "filtering-label": "all" + }, + "saved_filters": { + "selector": "", + "value": "", + "operator": "", + "path": "" + }, + "node_uid": "1fuhllllfu093tnootgp9f", + "module_type": "logic", + "id": "generic-filter-reset", + "name": "Filter :: Remove filter", + "multiple_output_connection": false, + "previous_module_version": "?", + "module_version": "0.1" + }, + "class": "block-type-default block-type-logic", + "typenode": false, + "inputs": { + "input_1": { + "connections": [ + { + "node": "10", + "input": "output_1" + }, + { + "node": "15", + "input": "output_1" + } + ] + } + }, + "outputs": { + "output_1": { + "connections": [] + } + }, + "pos_x": 682.1181640625009, + "pos_y": 1355.8623046874995 + }, + { + "id": 14, + "name": "IF :: Tag", + "data": { + "indexed_params": { + "scope": "event", + "condition": "in_or", + "tags": [ + "misp-workflow:mutability=\"allowed\"" + ], + "clusters": "" + }, + "saved_filters": { + "selector": "", + "value": "", + "operator": "", + "path": "" + }, + "node_uid": "1fukassspx0nyv4jy2i6r", + "module_type": "logic", + "id": "tag-if", + "name": "IF :: Tag", + "multiple_output_connection": false, + "previous_module_version": "?", + "module_version": "0.4" + }, + "class": "block-type-if block-type-logic expect-misp-core-format", + "typenode": false, + "inputs": { + "input_1": { + "connections": [ + { + "node": "11", + "input": "output_1" + } + ] + } + }, + "outputs": { + "output_1": { + "connections": [ + { + "node": "10", + "output": "input_1" + } + ] + }, + "output_2": { + "connections": [ + { + "node": "15", + "output": "input_1" + } + ] + } + }, + "pos_x": -215.8818359375, + "pos_y": 1285.8623046874995 + }, + { + "id": 15, + "name": "Tag operation", + "data": { + "indexed_params": { + "scope": "attribute", + "action": "add", + "locality": "local", + "tags": [ + "misp:threat-level=\"medium-risk\"" + ], + "relationship_type": "" + }, + "saved_filters": { + "selector": "", + 
"value": "", + "operator": "", + "path": "" + }, + "node_uid": "1fv5weeecyi0n5lgwlgd0mk", + "module_type": "action", + "id": "tag_operation", + "name": "Tag operation", + "multiple_output_connection": false, + "previous_module_version": "?", + "module_version": "0.2" + }, + "class": "block-type-default expect-misp-core-format", + "typenode": false, + "inputs": { + "input_1": { + "connections": [ + { + "node": "14", + "input": "output_2" + } + ] + } + }, + "outputs": { + "output_1": { + "connections": [ + { + "node": "13", + "output": "input_1" + } + ] + } + }, + "pos_x": 246.1181640625009, + "pos_y": 1427.8623046874995 + } + ], + "default": false, + "mermaid": "flowchart LR\n 10[\"fas:fa-tags Tag operation\"] --> 13[/\"fas:fa-redo-alt Filter :: Remove filter\"/]\n 11[/\"fas:fa-filter Filter :: Generic\"/] --> 14[/\"fas:fa-code-branch IF :: Tag\"/]\n 14[/\"fas:fa-code-branch IF :: Tag\"/] --> 10[\"fas:fa-tags Tag operation\"]\n 14[/\"fas:fa-code-branch IF :: Tag\"/] --> 15[\"fas:fa-tags Tag operation\"]\n 15[\"fas:fa-tags Tag operation\"] --> 13[/\"fas:fa-redo-alt Filter :: Remove filter\"/]\n" + } +} \ No newline at end of file diff --git a/blueprints/blueprint_curation---normalize-tlp-&-pap-tag.json b/blueprints/blueprint_curation---normalize-tlp-&-pap-tag.json new file mode 100644 index 0000000..fc19eb7 --- /dev/null +++ b/blueprints/blueprint_curation---normalize-tlp-&-pap-tag.json 
@@ -0,0 +1,251 @@ +{ + "WorkflowBlueprint": { + "id": "26", + "uuid": "0acf54da-ac75-4c5f-ad0c-c40da7977611", + "name": "Curation - Normalize TLP & PAP Tag", + "description": "Try to guess the TLP or PAP level from non-normalized tags and (potentially) replace them by their equivalent from the TLP or PAP taxonomy. Example: \"PAP--green\" becomes \"PAP:GREEN\"", + "timestamp": "1689267785", + "data": [ + { + "id": 45, + "name": "Tag Replacement - PAP", + "data": { + "indexed_params": { + "scope": "all", + "remove_substituted": "yes", + "locality": "global" + }, + "saved_filters": { + "selector": "", + "value": "", + "operator": "", + "path": "" + }, + "node_uid": "6tyi77772vi03yoo2jh2o2p", + "module_type": "action", + "id": "tag_replacement_pap", + "name": "Tag Replacement - PAP", + "multiple_output_connection": false, + "previous_module_version": "?", + "module_version": "0.1" + }, + "class": "block-type-default expect-misp-core-format", + "typenode": false, + "inputs": { + "input_1": { + "connections": [ + { + "node": "46", + "input": "output_1" + } + ] + } + }, + "outputs": { + "output_1": { + "connections": [] + } + }, + "pos_x": 1130.8585958392323, + "pos_y": 1528.7683574969947 + }, + { + "id": 46, + "name": "Tag Replacement - TLP", + "data": { + "indexed_params": { + "scope": "all", + "remove_substituted": "yes", + "locality": "global" + }, + "saved_filters": { + "selector": "", + "value": "", + "operator": "", + "path": "" + }, + "node_uid": "6tyqi03vzihg18t5v", + "module_type": "action", + "id": "tag_replacement_tlp", + "name": "Tag Replacement - TLP", + "multiple_output_connection": false, + "previous_module_version": "?", + "module_version": "0.1" + }, + "class": "block-type-default expect-misp-core-format", + "typenode": false, + "inputs": { + "input_1": { + "connections": [ + { + "node": "47", + "input": "output_1" + } + ] + } + }, + "outputs": { + "output_1": { + "connections": [ + { + "node": "45", + "output": "input_1" + } + ] + } + }, + "pos_x": 
675.8585958392323, + "pos_y": 1528.7683574969947 + }, + { + "id": 47, + "name": "IF :: Tag", + "data": { + "indexed_params": { + "scope": "event_attribute", + "condition": "in_or", + "tags": [ + "misp-workflow:mutability=\"allowed\"" + ], + "clusters": "" + }, + "saved_filters": { + "selector": "", + "value": "", + "operator": "", + "path": "" + }, + "node_uid": "6tyvp7772vi0agqk9xbkd3d", + "module_type": "logic", + "id": "tag-if", + "name": "IF :: Tag", + "multiple_output_connection": false, + "previous_module_version": "?", + "module_version": "0.4" + }, + "class": "block-type-if block-type-logic expect-misp-core-format", + "typenode": false, + "inputs": { + "input_1": { + "connections": [] + } + }, + "outputs": { + "output_1": { + "connections": [ + { + "node": "46", + "output": "input_1" + } + ] + }, + "output_2": { + "connections": [ + { + "node": "49", + "output": "input_1" + } + ] + } + }, + "pos_x": 248.6418269230769, + "pos_y": 1687.551588580839 + }, + { + "id": 48, + "name": "Tag Replacement - PAP", + "data": { + "indexed_params": { + "scope": "all", + "remove_substituted": "no", + "locality": "local", + "relationship_type": "" + }, + "saved_filters": { + "selector": "", + "value": "", + "operator": "", + "path": "" + }, + "node_uid": "6tzi77772vi0kzvvvq4e1i", + "module_type": "action", + "id": "tag_replacement_pap", + "name": "Tag Replacement - PAP", + "multiple_output_connection": false, + "previous_module_version": "?", + "module_version": "0.1" + }, + "class": "block-type-default expect-misp-core-format", + "typenode": false, + "inputs": { + "input_1": { + "connections": [ + { + "node": "49", + "input": "output_1" + } + ] + } + }, + "outputs": { + "output_1": { + "connections": [] + } + }, + "pos_x": 1128.8585958392323, + "pos_y": 1846.7683574969947 + }, + { + "id": 49, + "name": "Tag Replacement - TLP", + "data": { + "indexed_params": { + "scope": "all", + "remove_substituted": "no", + "locality": "local", + "relationship_type": "" + }, + 
"saved_filters": { + "selector": "", + "value": "", + "operator": "", + "path": "" + }, + "node_uid": "6tzkeeeecyi0uwpd8bgqqb", + "module_type": "action", + "id": "tag_replacement_tlp", + "name": "Tag Replacement - TLP", + "multiple_output_connection": false, + "previous_module_version": "?", + "module_version": "0.1" + }, + "class": "block-type-default expect-misp-core-format", + "typenode": false, + "inputs": { + "input_1": { + "connections": [ + { + "node": "47", + "input": "output_2" + } + ] + } + }, + "outputs": { + "output_1": { + "connections": [ + { + "node": "48", + "output": "input_1" + } + ] + } + }, + "pos_x": 673.8585958392325, + "pos_y": 1846.7683574969947 + } + ], + "default": false, + "mermaid": "flowchart LR\n 47[/\"fas:fa-code-branch IF :: Tag\"/] --> 46[\"fas:fa-tags Tag Replacement - TLP\"]\n 47[/\"fas:fa-code-branch IF :: Tag\"/] --> 49[\"fas:fa-tags Tag Replacement - TLP\"]\n 49[\"fas:fa-tags Tag Replacement - TLP\"] --> 48[\"fas:fa-tags Tag Replacement - PAP\"]\n" + } +} \ No newline at end of file diff --git a/blueprints/blueprint_curation---remove-automation-flag-from-data-having-correlation-with-predefined-feed.json b/blueprints/blueprint_curation---remove-automation-flag-from-data-having-correlation-with-predefined-feed.json new file mode 100644 index 0000000..64e899c --- /dev/null +++ b/blueprints/blueprint_curation---remove-automation-flag-from-data-having-correlation-with-predefined-feed.json 
@@ -0,0 +1,315 @@ +{ + "WorkflowBlueprint": { + "id": "24", + "uuid": "9bebd5d0-935b-4a8e-a902-f36e02497802", + "name": "Curation - Remove automation flag from data having correlation with predefined feed", + "description": "Using correlation with feeds, disable the ids_flag for attribute having a hit on the selected feed if the tag `curation:mutability=\"allowed\"` is attached. Tag accordingly in both cases.", + "timestamp": "1689107183", + "data": [ + { + "id": 39, + "name": "Filter :: Generic", + "data": { + "indexed_params": { + "filtering-label": "A", + "selector": "Event._AttributeFlattened.{n}", + "value": "Tor exit nodes", + "operator": "in", + "hash_path": "Feed.{n}.name" + }, + "saved_filters": { + "selector": "", + "value": "", + "operator": "", + "path": "" + }, + "node_uid": "5ptsllllfu0aeex0tvlv3d", + "module_type": "logic", + "id": "generic-filter-data", + "name": "Filter :: Generic", + "multiple_output_connection": false, + "previous_module_version": "?", + "module_version": "0.2" + }, + "class": "block-type-default block-type-logic", + "typenode": false, + "inputs": { + "input_1": { + "connections": [] + } + }, + "outputs": { + "output_1": { + "connections": [ + { + "node": "43", + "output": "input_1" + } + ] + } + }, + "pos_x": -323.24629350142027, + "pos_y": 1342.1948797052553 + }, + { + "id": 40, + "name": "Attribute IDS Flag operation", + "data": { + "indexed_params": { + "action": "remove" + }, + "saved_filters": { + "selector": "", + "value": "", + "operator": "", + "path": "" + }, + "node_uid": "5pu70elwlhoq8uzu", + "module_type": "action", + "id": "attribute_ids_flag_operation", + "name": "Attribute IDS Flag operation", + "multiple_output_connection": false, + "previous_module_version": "?", + "module_version": "0.1" + }, + "class": "block-type-default expect-misp-core-format", + "typenode": false, + "inputs": { + "input_1": { + "connections": [ + { + "node": "43", + "input": "output_1" + } + ] + } + }, + "outputs": { + "output_1": { + 
"connections": [ + { + "node": "41", + "output": "input_1" + } + ] + } + }, + "pos_x": 500.7537064985795, + "pos_y": 1303.1948797052555 + }, + { + "id": 41, + "name": "Tag operation", + "data": { + "indexed_params": { + "scope": "attribute", + "action": "add", + "locality": "global", + "tags": [ + "false-positive:risk=\"medium\"", + "misp-workflow:action-taken=\"ids-flag-removed\"", + "misp-workflow:analysis=\"false-positive\"" + ], + "relationship_type": "" + }, + "saved_filters": { + "selector": "", + "value": "", + "operator": "", + "path": "" + }, + "node_uid": "5pu9eeeecyi0gj3yjstjv", + "module_type": "action", + "id": "tag_operation", + "name": "Tag operation", + "multiple_output_connection": false, + "previous_module_version": "?", + "module_version": "0.2" + }, + "class": "block-type-default expect-misp-core-format", + "typenode": false, + "inputs": { + "input_1": { + "connections": [ + { + "node": "40", + "input": "output_1" + } + ] + } + }, + "outputs": { + "output_1": { + "connections": [ + { + "node": "42", + "output": "input_1" + } + ] + } + }, + "pos_x": 972.7537064985797, + "pos_y": 1162.1948797052555 + }, + { + "id": 42, + "name": "Filter :: Remove filter", + "data": { + "indexed_params": { + "filtering-label": "all" + }, + "saved_filters": { + "selector": "", + "value": "", + "operator": "", + "path": "" + }, + "node_uid": "5puqeeeecyi0dpyhib52yb5", + "module_type": "logic", + "id": "generic-filter-reset", + "name": "Filter :: Remove filter", + "multiple_output_connection": false, + "previous_module_version": "?", + "module_version": "0.1" + }, + "class": "block-type-default block-type-logic", + "typenode": false, + "inputs": { + "input_1": { + "connections": [ + { + "node": "41", + "input": "output_1" + }, + { + "node": "44", + "input": "output_1" + } + ] + } + }, + "outputs": { + "output_1": { + "connections": [] + } + }, + "pos_x": 1374.7537064985797, + "pos_y": 1516.1948797052553 + }, + { + "id": 43, + "name": "IF :: Tag", + "data": { + 
"indexed_params": { + "scope": "event_attribute", + "condition": "in_or", + "tags": [ + "misp-workflow:mutability=\"allowed\"" + ], + "clusters": "" + }, + "saved_filters": { + "selector": "", + "value": "", + "operator": "", + "path": "" + }, + "node_uid": "5pussssspx0ftlvrwsf3t", + "module_type": "logic", + "id": "tag-if", + "name": "IF :: Tag", + "multiple_output_connection": false, + "previous_module_version": "?", + "module_version": "0.4" + }, + "class": "block-type-if block-type-logic expect-misp-core-format", + "typenode": false, + "inputs": { + "input_1": { + "connections": [ + { + "node": "39", + "input": "output_1" + } + ] + } + }, + "outputs": { + "output_1": { + "connections": [ + { + "node": "40", + "output": "input_1" + } + ] + }, + "output_2": { + "connections": [ + { + "node": "44", + "output": "input_1" + } + ] + } + }, + "pos_x": 54.75370649857973, + "pos_y": 1406.9781107891 + }, + { + "id": 44, + "name": "Tag operation", + "data": { + "indexed_params": { + "scope": "attribute", + "action": "add", + "locality": "local", + "tags": [ + "false-positive:risk=\"medium\"", + "misp-workflow:analysis=\"false-positive\"" + ], + "relationship_type": "" + }, + "saved_filters": { + "selector": "", + "value": "", + "operator": "", + "path": "" + }, + "node_uid": "5pvf3lllfu0vgogmy1q1g", + "module_type": "action", + "id": "tag_operation", + "name": "Tag operation", + "multiple_output_connection": false, + "previous_module_version": "?", + "module_version": "0.2" + }, + "class": "block-type-default expect-misp-core-format", + "typenode": false, + "inputs": { + "input_1": { + "connections": [ + { + "node": "43", + "input": "output_2" + } + ] + } + }, + "outputs": { + "output_1": { + "connections": [ + { + "node": "42", + "output": "input_1" + } + ] + } + }, + "pos_x": 975.7537064985797, + "pos_y": 1638.1948797052553 + } + ], + "default": false, + "mermaid": "flowchart LR\n 40[\"fas:fa-edit Attribute IDS Flag operation\"] --> 41[\"fas:fa-tags Tag operation\"]\n 
41[\"fas:fa-tags Tag operation\"] --> 42[/\"fas:fa-redo-alt Filter :: Remove filter\"/]\n 43[/\"fas:fa-code-branch IF :: Tag\"/] --> 40[\"fas:fa-edit Attribute IDS Flag operation\"]\n 43[/\"fas:fa-code-branch IF :: Tag\"/] --> 44[\"fas:fa-tags Tag operation\"]\n 44[\"fas:fa-tags Tag operation\"] --> 42[/\"fas:fa-redo-alt Filter :: Remove filter\"/]\n" + } +} \ No newline at end of file diff --git a/blueprints/blueprint_curation---remove-automation-flag-from-false-positive-tripping-over-warninglist.json b/blueprints/blueprint_curation---remove-automation-flag-from-false-positive-tripping-over-warninglist.json new file mode 100644 index 0000000..6ddc9a9 --- /dev/null +++ b/blueprints/blueprint_curation---remove-automation-flag-from-false-positive-tripping-over-warninglist.json 
@@ -0,0 +1,361 @@ +{ + "WorkflowBlueprint": { + "id": "23", + "uuid": "0e01afab-9e00-467f-8ebb-f29d29712749", + "name": "Curation - Remove automation flag from false-positive tripping over warninglist", + "description": "Using warninglists, disable the ids_flag for attribute tripping a `false-positive` warning-lists if the tag `curation:mutability=\"allowed\"` is attached. Tag accordingly in both cases.", + "timestamp": "1689090764", + "data": [ + { + "id": 32, + "name": "Attach warninglist", + "data": { + "indexed_params": { + "warninglists": "ALL" + }, + "saved_filters": { + "selector": "", + "value": "", + "operator": "", + "path": "" + }, + "node_uid": "43ysassspx0b4doebjd4jk", + "module_type": "action", + "id": "attach-warninglist", + "name": "Attach warninglist", + "multiple_output_connection": false, + "previous_module_version": "?", + "module_version": "0.1" + }, + "class": "block-type-default expect-misp-core-format", + "typenode": false, + "inputs": { + "input_1": { + "connections": [] + } + }, + "outputs": { + "output_1": { + "connections": [ + { + "node": "33", + "output": "input_1" + } + ] + } + }, + "pos_x": -365.06447531960225, + "pos_y": 1276.74033425071 + }, + { + "id": 33, + "name": "Filter :: Generic", + "data": { + "indexed_params": { + "filtering-label": "A", + "selector": "Event._AttributeFlattened.{n}", + "value": "false_positive", + "operator": "in", + "hash_path": "warnings.{n}.warninglist_category" + }, + "saved_filters": { + "selector": "", + "value": "", + "operator": "", + "path": "" + }, + "node_uid": "43yy3lllfu0etu3c9h8dj9", + "module_type": "logic", + "id": "generic-filter-data", + "name": "Filter :: Generic", + "multiple_output_connection": false, + "previous_module_version": "?", + "module_version": "0.2" + }, + "class": "block-type-default block-type-logic", + "typenode": false, + "inputs": { + "input_1": { + "connections": [ + { + "node": "32", + "input": "output_1" + } + ] + } + }, + "outputs": { + "output_1": { + 
"connections": [ + { + "node": "37", + "output": "input_1" + } + ] + } + }, + "pos_x": 62.89196565935322, + "pos_y": 1136.74033425071 + }, + { + "id": 34, + "name": "Attribute IDS Flag operation", + "data": { + "indexed_params": { + "action": "remove" + }, + "saved_filters": { + "selector": "", + "value": "", + "operator": "", + "path": "" + }, + "node_uid": "43za3lllfu08l7lyyze1cn", + "module_type": "action", + "id": "attribute_ids_flag_operation", + "name": "Attribute IDS Flag operation", + "multiple_output_connection": false, + "previous_module_version": "?", + "module_version": "0.1" + }, + "class": "block-type-default expect-misp-core-format", + "typenode": false, + "inputs": { + "input_1": { + "connections": [ + { + "node": "37", + "input": "output_1" + } + ] + } + }, + "outputs": { + "output_1": { + "connections": [ + { + "node": "35", + "output": "input_1" + } + ] + } + }, + "pos_x": 943.0237697167897, + "pos_y": 1062.7662388094168 + }, + { + "id": 35, + "name": "Tag operation", + "data": { + "indexed_params": { + "scope": "attribute", + "action": "add", + "locality": "global", + "tags": [ + "false-positive:risk=\"high\"", + "misp-workflow:action-taken=\"ids-flag-removed\"", + "misp-workflow:analysis=\"false-positive\"" + ], + "relationship_type": "" + }, + "saved_filters": { + "selector": "", + "value": "", + "operator": "", + "path": "" + }, + "node_uid": "43zbweeecyi0gf5yxskzt1d", + "module_type": "action", + "id": "tag_operation", + "name": "Tag operation", + "multiple_output_connection": false, + "previous_module_version": "?", + "module_version": "0.2" + }, + "class": "block-type-default expect-misp-core-format", + "typenode": false, + "inputs": { + "input_1": { + "connections": [ + { + "node": "34", + "input": "output_1" + } + ] + } + }, + "outputs": { + "output_1": { + "connections": [ + { + "node": "36", + "output": "input_1" + } + ] + } + }, + "pos_x": 1425.3333333333333, + "pos_y": 924 + }, + { + "id": 36, + "name": "Filter :: Remove filter", + 
"data": { + "indexed_params": { + "filtering-label": "all" + }, + "saved_filters": { + "selector": "", + "value": "", + "operator": "", + "path": "" + }, + "node_uid": "43zqsssspx0req9eycz469", + "module_type": "logic", + "id": "generic-filter-reset", + "name": "Filter :: Remove filter", + "multiple_output_connection": false, + "previous_module_version": "?", + "module_version": "0.1" + }, + "class": "block-type-default block-type-logic", + "typenode": false, + "inputs": { + "input_1": { + "connections": [ + { + "node": "35", + "input": "output_1" + }, + { + "node": "38", + "input": "output_1" + } + ] + } + }, + "outputs": { + "output_1": { + "connections": [] + } + }, + "pos_x": 1874.631877824898, + "pos_y": 1278.1581307013087 + }, + { + "id": 37, + "name": "IF :: Tag", + "data": { + "indexed_params": { + "scope": "event_attribute", + "condition": "in_or", + "tags": [ + "misp-workflow:mutability=\"allowed\"" + ], + "clusters": "" + }, + "saved_filters": { + "selector": "", + "value": "", + "operator": "", + "path": "" + }, + "node_uid": "43zt06cggzw3depb", + "module_type": "logic", + "id": "tag-if", + "name": "IF :: Tag", + "multiple_output_connection": false, + "previous_module_version": "?", + "module_version": "0.4" + }, + "class": "block-type-if block-type-logic expect-misp-core-format", + "typenode": false, + "inputs": { + "input_1": { + "connections": [ + { + "node": "33", + "input": "output_1" + } + ] + } + }, + "outputs": { + "output_1": { + "connections": [ + { + "node": "34", + "output": "input_1" + } + ] + }, + "output_2": { + "connections": [ + { + "node": "38", + "output": "input_1" + } + ] + } + }, + "pos_x": 453.239985933006, + "pos_y": 1202.7662388094168 + }, + { + "id": 38, + "name": "Tag operation", + "data": { + "indexed_params": { + "scope": "attribute", + "action": "add", + "locality": "local", + "tags": [ + "false-positive:risk=\"high\"", + "misp-workflow:analysis=\"false-positive\"" + ], + "relationship_type": "" + }, + "saved_filters": { + 
"selector": "", + "value": "", + "operator": "", + "path": "" + }, + "node_uid": "440cp7772vi0lsj64y49fz9", + "module_type": "action", + "id": "tag_operation", + "name": "Tag operation", + "multiple_output_connection": false, + "previous_module_version": "?", + "module_version": "0.2" + }, + "class": "block-type-default expect-misp-core-format", + "typenode": false, + "inputs": { + "input_1": { + "connections": [ + { + "node": "37", + "input": "output_2" + } + ] + } + }, + "outputs": { + "output_1": { + "connections": [ + { + "node": "36", + "output": "input_1" + } + ] + } + }, + "pos_x": 1429.239985933006, + "pos_y": 1396.7662388094168 + } + ], + "default": false, + "mermaid": "flowchart LR\n 33[/\"fas:fa-filter Filter :: Generic\"/] --> 37[/\"fas:fa-code-branch IF :: Tag\"/]\n 34[\"fas:fa-edit Attribute IDS Flag operation\"] --> 35[\"fas:fa-tags Tag operation\"]\n 35[\"fas:fa-tags Tag operation\"] --> 36[/\"fas:fa-redo-alt Filter :: Remove filter\"/]\n 37[/\"fas:fa-code-branch IF :: Tag\"/] --> 34[\"fas:fa-edit Attribute IDS Flag operation\"]\n 37[/\"fas:fa-code-branch IF :: Tag\"/] --> 38[\"fas:fa-tags Tag operation\"]\n 38[\"fas:fa-tags Tag operation\"] --> 36[/\"fas:fa-redo-alt Filter :: Remove filter\"/]\n" + } +} \ No newline at end of file diff --git a/blueprints/blueprint_curation---remove-automation-flag-from-known-non-malicious-hashes.json b/blueprints/blueprint_curation---remove-automation-flag-from-known-non-malicious-hashes.json new file mode 100644 index 0000000..e0231b5 --- /dev/null +++ b/blueprints/blueprint_curation---remove-automation-flag-from-known-non-malicious-hashes.json 
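Review bot: The gate in node 37 (`IF :: Tag`) checks for `misp-workflow:mutability="allowed"`, but the blueprint `description` tells the curator to attach `curation:mutability="allowed"`; an analyst following the description will never reach the IDS-flag-removal branch (node 34), and the workflow silently falls through to the tag-only branch (node 38). I'd align the description with what the node actually evaluates: `...if the tag `misp-workflow:mutability="allowed"` is attached. Tag accordingly in both cases.` (or change the node's `tags` entry, whichever is the intended opt-in tag, but they must match). Note also that with `"warninglists": "ALL"` in node 32, the removal is driven purely by the `warninglist_category == false_positive` metadata of whichever warninglists are enabled on the instance, so a custom warninglist with the wrong category can clear `to_ids` globally (node 35 tags with `locality: global`); a sentence saying so in the description would help operators importing this blueprint.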
@@ -0,0 +1,461 @@ +{ + "WorkflowBlueprint": { + "id": "22", + "uuid": "4b8ce40a-68d2-485f-9473-af6b69adb7fb", + "name": "Curation - Remove automation flag from known non-malicious hashes", + "description": "Using an enrichment module (hashlookup), will disable the ids_flag for known non-malicious file hashes if the tag `curation:mutability=\"allowed\"` is attached. Tag accordingly in both cases.", + "timestamp": "1689085055", + "data": [ + { + "id": 23, + "name": "Attach enrichment", + "data": { + "indexed_params": { + "modules": [ + "", + "hashlookup" + ] + }, + "saved_filters": { + "selector": "", + "value": "", + "operator": "", + "path": "" + }, + "node_uid": "2wrgweeecyi0pvvrx7ry80f", + "module_type": "action", + "id": "attach-enrichment", + "name": "Attach enrichment", + "multiple_output_connection": false, + "previous_module_version": "?", + "module_version": "0.3" + }, + "class": "block-type-default expect-misp-core-format", + "typenode": false, + "inputs": { + "input_1": { + "connections": [ + { + "node": "28", + "input": "output_1" + } + ] + } + }, + "outputs": { + "output_1": { + "connections": [ + { + "node": "26", + "output": "input_1" + } + ] + } + }, + "pos_x": -432.1275916466345, + "pos_y": 1393.3837421123794 + }, + { + "id": 24, + "name": "Attribute IDS Flag operation", + "data": { + "indexed_params": { + "action": "remove" + }, + "saved_filters": { + "selector": "", + "value": "", + "operator": "", + "path": "" + }, + "node_uid": "2ws0eeeecyi0pc8evhu06ot", + "module_type": "action", + "id": "attribute_ids_flag_operation", + "name": "Attribute IDS Flag operation", + "multiple_output_connection": false, + "previous_module_version": "?", + "module_version": "0.1" + }, + "class": "block-type-default expect-misp-core-format", + "typenode": false, + "inputs": { + "input_1": { + "connections": [ + { + "node": "30", + "input": "output_1" + } + ] + } + }, + "outputs": { + "output_1": { + "connections": [ + { + "node": "25", + "output": "input_1" + } + ] + 
} + }, + "pos_x": 937.7997654201272, + "pos_y": 1165.8823107543158 + }, + { + "id": 25, + "name": "Tag operation", + "data": { + "indexed_params": { + "scope": "attribute", + "action": "add", + "locality": "global", + "tags": [ + "misp-workflow:action-taken=\"ids-flag-removed\"", + "misp-workflow:analysis=\"known-file-hash\"" + ] + }, + "saved_filters": { + "selector": "", + "value": "", + "operator": "", + "path": "" + }, + "node_uid": "2ws200n5uudkuwgsa", + "module_type": "action", + "id": "tag_operation", + "name": "Tag operation", + "multiple_output_connection": false, + "previous_module_version": "?", + "module_version": "0.2" + }, + "class": "block-type-default expect-misp-core-format", + "typenode": false, + "inputs": { + "input_1": { + "connections": [ + { + "node": "24", + "input": "output_1" + } + ] + } + }, + "outputs": { + "output_1": { + "connections": [ + { + "node": "27", + "output": "input_1" + } + ] + } + }, + "pos_x": 1395.7997654201272, + "pos_y": 1039.8823107543158 + }, + { + "id": 26, + "name": "Filter :: Generic", + "data": { + "indexed_params": { + "filtering-label": "B", + "selector": "Event._AttributeFlattened.{n}", + "value": "filename", + "operator": "in", + "hash_path": "enrichment.{n}.Object.{n}.Attribute.{n}[object_relation=FileName].type" + }, + "saved_filters": { + "selector": "", + "value": "", + "operator": "", + "path": "" + }, + "node_uid": "2wshsssspx07ozvlw59doj", + "module_type": "logic", + "id": "generic-filter-data", + "name": "Filter :: Generic", + "multiple_output_connection": false, + "previous_module_version": "?", + "module_version": "0.2" + }, + "class": "block-type-default block-type-logic", + "typenode": false, + "inputs": { + "input_1": { + "connections": [ + { + "node": "23", + "input": "output_1" + } + ] + } + }, + "outputs": { + "output_1": { + "connections": [ + { + "node": "30", + "output": "input_1" + } + ] + } + }, + "pos_x": -0.10414172612581751, + "pos_y": 1249.3837421123794 + }, + { + "id": 27, + "name": 
"Attribute comment operation", + "data": { + "indexed_params": { + "comment": "{% for objectAttribute in __currentAttribute.enrichment.0.Object.0.Attribute %}\n\t{% if objectAttribute.object_relation == \"FileName\" %}\n\t\t[Curation pipeline enrichment:filename] `{{ objectAttribute.value }}`\n\t{% endif %}\n{% endfor %}" + }, + "saved_filters": { + "selector": "", + "value": "", + "operator": "", + "path": "" + }, + "node_uid": "2wsni06yze571tlnw", + "module_type": "action", + "id": "Module_attribute_comment_operation", + "name": "Attribute comment operation", + "multiple_output_connection": false, + "previous_module_version": "?", + "module_version": "0.1" + }, + "class": "block-type-default expect-misp-core-format", + "typenode": false, + "inputs": { + "input_1": { + "connections": [ + { + "node": "25", + "input": "output_1" + } + ] + } + }, + "outputs": { + "output_1": { + "connections": [ + { + "node": "29", + "output": "input_1" + } + ] + } + }, + "pos_x": 1844.7997654201276, + "pos_y": 1167.882310754316 + }, + { + "id": 28, + "name": "Filter :: Generic", + "data": { + "indexed_params": { + "filtering-label": "A", + "selector": "Event._AttributeFlattened.{n}", + "value": "", + "value_list": [ + "md5", + "sha1", + "sha256" + ], + "operator": "in_or", + "hash_path": "type" + }, + "saved_filters": { + "selector": "", + "value": "", + "operator": "", + "path": "" + }, + "node_uid": "2wsq3lllfu0lmhmct72cs", + "module_type": "logic", + "id": "generic-filter-data", + "name": "Filter :: Generic", + "multiple_output_connection": false, + "previous_module_version": "?", + "module_version": "0.2" + }, + "class": "block-type-default block-type-logic", + "typenode": false, + "inputs": { + "input_1": { + "connections": [] + } + }, + "outputs": { + "output_1": { + "connections": [ + { + "node": "23", + "output": "input_1" + } + ] + } + }, + "pos_x": -842.1275916466343, + "pos_y": 1253.3929389322686 + }, + { + "id": 29, + "name": "Filter :: Remove filter", + "data": { + 
"indexed_params": { + "filtering-label": "all" + }, + "saved_filters": { + "selector": "", + "value": "", + "operator": "", + "path": "" + }, + "node_uid": "2wswassspx0s2gdcwm38yg", + "module_type": "logic", + "id": "generic-filter-reset", + "name": "Filter :: Remove filter", + "multiple_output_connection": false, + "previous_module_version": "?", + "module_version": "0.1" + }, + "class": "block-type-default block-type-logic", + "typenode": false, + "inputs": { + "input_1": { + "connections": [ + { + "node": "27", + "input": "output_1" + }, + { + "node": "31", + "input": "output_1" + } + ] + } + }, + "outputs": { + "output_1": { + "connections": [] + } + }, + "pos_x": 2331.799765420127, + "pos_y": 1397.496978973175 + }, + { + "id": 30, + "name": "IF :: Tag", + "data": { + "indexed_params": { + "scope": "event_attribute", + "condition": "in_or", + "tags": [ + "misp-workflow:mutability=\"allowed\"" + ] + }, + "saved_filters": { + "selector": "", + "value": "", + "operator": "", + "path": "" + }, + "node_uid": "2wsyllllfu0rynby35cgmr", + "module_type": "logic", + "id": "tag-if", + "name": "IF :: Tag", + "multiple_output_connection": false, + "previous_module_version": "?", + "module_version": "0.4" + }, + "class": "block-type-if block-type-logic expect-misp-core-format", + "typenode": false, + "inputs": { + "input_1": { + "connections": [ + { + "node": "26", + "input": "output_1" + } + ] + } + }, + "outputs": { + "output_1": { + "connections": [ + { + "node": "24", + "output": "input_1" + } + ] + }, + "output_2": { + "connections": [ + { + "node": "31", + "output": "input_1" + } + ] + } + }, + "pos_x": 460.7997654201272, + "pos_y": 1315.496978973175 + }, + { + "id": 31, + "name": "Tag operation", + "data": { + "indexed_params": { + "scope": "attribute", + "action": "add", + "locality": "local", + "tags": [ + "misp-workflow:analysis=\"known-file-hash\"" + ], + "relationship_type": "" + }, + "saved_filters": { + "selector": "", + "value": "", + "operator": "", + "path": 
"" + }, + "node_uid": "2wtiweeecyi0dtvy72znf6", + "module_type": "action", + "id": "tag_operation", + "name": "Tag operation", + "multiple_output_connection": false, + "previous_module_version": "?", + "module_version": "0.2" + }, + "class": "block-type-default expect-misp-core-format", + "typenode": false, + "inputs": { + "input_1": { + "connections": [ + { + "node": "30", + "input": "output_2" + } + ] + } + }, + "outputs": { + "output_1": { + "connections": [ + { + "node": "29", + "output": "input_1" + } + ] + } + }, + "pos_x": 1393.7997654201267, + "pos_y": 1473.8823107543158 + } + ], + "default": false, + "mermaid": "flowchart LR\n 24[\"fas:fa-edit Attribute IDS Flag operation\"] --> 25[\"fas:fa-tags Tag operation\"]\n 25[\"fas:fa-tags Tag operation\"] --> 27[\"fas:fa-edit Attribute comment operation\"]\n 26[/\"fas:fa-filter Filter :: Generic\"/] --> 30[/\"fas:fa-code-branch IF :: Tag\"/]\n 27[\"fas:fa-edit Attribute comment operation\"] --> 29[/\"fas:fa-redo-alt Filter :: Remove filter\"/]\n 30[/\"fas:fa-code-branch IF :: Tag\"/] --> 24[\"fas:fa-edit Attribute IDS Flag operation\"]\n 30[/\"fas:fa-code-branch IF :: Tag\"/] --> 31[\"fas:fa-tags Tag operation\"]\n 31[\"fas:fa-tags Tag operation\"] --> 29[/\"fas:fa-redo-alt Filter :: Remove filter\"/]\n" + } +} \ No newline at end of file diff --git a/blueprints/blueprint_curation---toggle-automation-flag-from-network-ioc-based-on-abuseipdb.json b/blueprints/blueprint_curation---toggle-automation-flag-from-network-ioc-based-on-abuseipdb.json new file mode 100644 index 0000000..e278413 --- /dev/null +++ b/blueprints/blueprint_curation---toggle-automation-flag-from-network-ioc-based-on-abuseipdb.json 
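Review bot: The `description` refers to `curation:mutability="allowed"` while the gate in node 30 evaluates `misp-workflow:mutability="allowed"`, so curators following the description never opt an attribute into the `to_ids` removal in node 24; one of the two strings should change so they agree. Separately, filter B in node 26 uses `hash_path` `enrichment.{n}.Object.{n}.Attribute.{n}[object_relation=FileName].type`, which unlike the AbuseIPDB blueprint's `Object.{n}[name=abuseipdb]` does not pin the enrichment object, so any attached enrichment object that happens to carry a `FileName` attribute would pass; presumably the module emits an object named `hashlookup`, in which case `enrichment.{n}.Object.{n}[name=hashlookup].Attribute.{n}[object_relation=FileName].type` is the safer path (confirm the object name). The comment template in node 27 likewise hard-codes `enrichment.0.Object.0`, which breaks if more than one module runs. Finally, a hit in hashlookup means "known file", which is not strictly "non-malicious"; since node 25 removes the flag and tags with `locality: global`, I'd hedge the blueprint `name`/`description` accordingly or document that only trusted hashlookup sources are enabled.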
@@ -0,0 +1,743 @@ +{ + "WorkflowBlueprint": { + "id": "27", + "uuid": "c3a03f8f-609a-46db-9744-a320770ab0c2", + "name": "Curation - Toggle automation flag from network IoC based on AbuseIPDB", + "description": "Using an enrichment module (AbuseIPDB), toggle the ids_flag for network IoCs if the tag `curation:mutability=\"allowed\"` is attached. Tag accordingly in both cases.", + "timestamp": "1689267951", + "data": [ + { + "id": 50, + "name": "IF :: Tag", + "data": { + "indexed_params": { + "scope": "event_attribute", + "condition": "not_in_or", + "tags": [ + "misp-workflow:mutability=\"allowed\"" + ], + "clusters": "" + }, + "saved_filters": { + "selector": "", + "value": "", + "operator": "", + "path": "" + }, + "node_uid": "jqeeeecyi2031dvxu1smm1", + "module_type": "logic", + "id": "tag-if", + "name": "IF :: Tag", + "multiple_output_connection": false, + "previous_module_version": "0.4", + "module_version": "0.4" + }, + "class": "block-type-if block-type-logic expect-misp-core-format", + "typenode": false, + "inputs": { + "input_1": { + "connections": [ + { + "node": "58", + "input": "output_1" + } + ] + } + }, + "outputs": { + "output_1": { + "connections": [ + { + "node": "62", + "output": "input_1" + } + ] + }, + "output_2": { + "connections": [ + { + "node": "52", + "output": "input_1" + } + ] + } + }, + "pos_x": 2056.233138590476, + "pos_y": 1261.076049804687 + }, + { + "id": 51, + "name": "Attach enrichment", + "data": { + "indexed_params": { + "modules": [ + "", + "abuseipdb" + ] + }, + "saved_filters": { + "selector": "", + "value": "", + "operator": "", + "path": "" + }, + "node_uid": "ke0d7y5woh55cg", + "module_type": "action", + "id": "attach-enrichment", + "name": "Attach enrichment", + "multiple_output_connection": false, + "previous_module_version": "0.3", + "module_version": "0.3" + }, + "class": "block-type-default expect-misp-core-format", + "typenode": false, + "inputs": { + "input_1": { + "connections": [ + { + "node": "60", + "input": 
"output_1" + } + ] + } + }, + "outputs": { + "output_1": { + "connections": [ + { + "node": "54", + "output": "input_1" + } + ] + } + }, + "pos_x": 608.6418269230769, + "pos_y": 1571.568474047111 + }, + { + "id": 52, + "name": "Attribute IDS Flag operation", + "data": { + "indexed_params": { + "action": "add" + }, + "saved_filters": { + "selector": "", + "value": "", + "operator": "", + "path": "" + }, + "node_uid": "kkweeecyi20y590dhqvty", + "module_type": "action", + "id": "attribute_ids_flag_operation", + "name": "Attribute IDS Flag operation", + "multiple_output_connection": false, + "previous_module_version": "0.1", + "module_version": "0.1" + }, + "class": "block-type-default expect-misp-core-format", + "typenode": false, + "inputs": { + "input_1": { + "connections": [ + { + "node": "50", + "input": "output_2" + } + ] + } + }, + "outputs": { + "output_1": { + "connections": [ + { + "node": "53", + "output": "input_1" + } + ] + } + }, + "pos_x": 2624.2331385904754, + "pos_y": 1335.076049804687 + }, + { + "id": 53, + "name": "Tag operation", + "data": { + "indexed_params": { + "scope": "attribute", + "action": "add", + "locality": "global", + "tags": [ + "false-positive:risk=\"low\"", + "misp-workflow:action-taken=\"ids-flag-added\"", + "misp-workflow:analysis=\"highly-likely-positive\"" + ], + "relationship_type": "" + }, + "saved_filters": { + "selector": "", + "value": "", + "operator": "", + "path": "" + }, + "node_uid": "km0m2ugacx5kyb", + "module_type": "action", + "id": "tag_operation", + "name": "Tag operation", + "multiple_output_connection": false, + "previous_module_version": "0.2", + "module_version": "0.2" + }, + "class": "block-type-default expect-misp-core-format", + "typenode": false, + "inputs": { + "input_1": { + "connections": [ + { + "node": "52", + "input": "output_1" + } + ] + } + }, + "outputs": { + "output_1": { + "connections": [ + { + "node": "57", + "output": "input_1" + } + ] + } + }, + "pos_x": 3128, + "pos_y": 1172 + }, + { + "id": 
54, + "name": "Filter :: Generic", + "data": { + "indexed_params": { + "filtering-label": "B", + "selector": "Event._AttributeFlattened.{n}", + "value": "boolean", + "operator": "in", + "hash_path": "enrichment.{n}.Object.{n}[name=abuseipdb].Attribute.{n}[object_relation=is-malicious].type" + }, + "saved_filters": { + "selector": "", + "value": "", + "operator": "", + "path": "" + }, + "node_uid": "l0p7772vi5p02rxmrv01tp3", + "module_type": "logic", + "id": "generic-filter-data", + "name": "Filter :: Generic", + "multiple_output_connection": false, + "previous_module_version": "0.2", + "module_version": "0.2" + }, + "class": "block-type-default block-type-logic", + "typenode": false, + "inputs": { + "input_1": { + "connections": [ + { + "node": "51", + "input": "output_1" + } + ] + } + }, + "outputs": { + "output_1": { + "connections": [ + { + "node": "58", + "output": "input_1" + } + ] + } + }, + "pos_x": 1052.6418269230771, + "pos_y": 1425.568474047111 + }, + { + "id": 55, + "name": "Attribute IDS Flag operation", + "data": { + "indexed_params": { + "action": "remove" + }, + "saved_filters": { + "selector": "", + "value": "", + "operator": "", + "path": "" + }, + "node_uid": "l5i0gl6cpf4tzi7", + "module_type": "action", + "id": "attribute_ids_flag_operation", + "name": "Attribute IDS Flag operation", + "multiple_output_connection": false, + "previous_module_version": "0.1", + "module_version": "0.1" + }, + "class": "block-type-default expect-misp-core-format", + "typenode": false, + "inputs": { + "input_1": { + "connections": [ + { + "node": "61", + "input": "output_1" + } + ] + } + }, + "outputs": { + "output_1": { + "connections": [ + { + "node": "56", + "output": "input_1" + } + ] + } + }, + "pos_x": 2617.233138590475, + "pos_y": 1824.076049804687 + }, + { + "id": 56, + "name": "Tag operation", + "data": { + "indexed_params": { + "scope": "attribute", + "action": "add", + "locality": "global", + "tags": [ + "false-positive:risk=\"high\"", + 
"misp-workflow:action-taken=\"ids-flag-removed\"", + "misp-workflow:analysis=\"false-positive\"" + ], + "relationship_type": "" + }, + "saved_filters": { + "selector": "", + "value": "", + "operator": "", + "path": "" + }, + "node_uid": "l6eeeecyi20s3hf1gwcmx", + "module_type": "action", + "id": "tag_operation", + "name": "Tag operation", + "multiple_output_connection": false, + "previous_module_version": "0.2", + "module_version": "0.2" + }, + "class": "block-type-default expect-misp-core-format", + "typenode": false, + "inputs": { + "input_1": { + "connections": [ + { + "node": "55", + "input": "output_1" + } + ] + } + }, + "outputs": { + "output_1": { + "connections": [ + { + "node": "57", + "output": "input_1" + } + ] + } + }, + "pos_x": 3128.139047470468, + "pos_y": 1679 + }, + { + "id": 57, + "name": "Attribute comment operation", + "data": { + "indexed_params": { + "comment": "{% for objectAttribute in __currentAttribute.enrichment.0.Object.0.Attribute %}\n\t{% if objectAttribute.object_relation == \"is-malicious\" %}\n\t\t[Curation pipeline enrichment:abusipdb.is-malicious] `{{ objectAttribute.value }}`\n\t{% endif %}\n{% endfor %}" + }, + "saved_filters": { + "selector": "", + "value": "", + "operator": "", + "path": "" + }, + "node_uid": "ljeeeecyi2032as5q80hlv", + "module_type": "action", + "id": "Module_attribute_comment_operation", + "name": "Attribute comment operation", + "multiple_output_connection": false, + "previous_module_version": "0.1", + "module_version": "0.1" + }, + "class": "block-type-default expect-misp-core-format", + "typenode": false, + "inputs": { + "input_1": { + "connections": [ + { + "node": "53", + "input": "output_1" + }, + { + "node": "56", + "input": "output_1" + } + ] + } + }, + "outputs": { + "output_1": { + "connections": [ + { + "node": "59", + "output": "input_1" + } + ] + } + }, + "pos_x": 3606.2331385904754, + "pos_y": 1583.076049804687 + }, + { + "id": 58, + "name": "IF :: Generic", + "data": { + "indexed_params": { + 
"value": "1", + "operator": "in", + "hash_path": "Event._AttributeFlattened.{n}.enrichment.{n}.Object.{n}[name=abuseipdb].Attribute.{n}[object_relation=is-malicious].value" + }, + "saved_filters": { + "selector": "", + "value": "", + "operator": "", + "path": "" + }, + "node_uid": "ll3lllfu07l07rafmhwoiba", + "module_type": "logic", + "id": "generic-if", + "name": "IF :: Generic", + "multiple_output_connection": false, + "previous_module_version": "0.2", + "module_version": "0.2" + }, + "class": "block-type-if block-type-logic", + "typenode": false, + "inputs": { + "input_1": { + "connections": [ + { + "node": "54", + "input": "output_1" + } + ] + } + }, + "outputs": { + "output_1": { + "connections": [ + { + "node": "50", + "output": "input_1" + } + ] + }, + "output_2": { + "connections": [ + { + "node": "61", + "output": "input_1" + } + ] + } + }, + "pos_x": 1536.6418269230771, + "pos_y": 1513.5684740471113 + }, + { + "id": 59, + "name": "Filter :: Remove filter", + "data": { + "indexed_params": { + "filtering-label": "all" + }, + "saved_filters": { + "selector": "", + "value": "", + "operator": "", + "path": "" + }, + "node_uid": "lsi0fimdt9yvhe9", + "module_type": "logic", + "id": "generic-filter-reset", + "name": "Filter :: Remove filter", + "multiple_output_connection": false, + "previous_module_version": "0.1", + "module_version": "0.1" + }, + "class": "block-type-default block-type-logic", + "typenode": false, + "inputs": { + "input_1": { + "connections": [ + { + "node": "57", + "input": "output_1" + }, + { + "node": "62", + "input": "output_1" + }, + { + "node": "63", + "input": "output_1" + } + ] + } + }, + "outputs": { + "output_1": { + "connections": [] + } + }, + "pos_x": 4097.233138590476, + "pos_y": 1598.076049804687 + }, + { + "id": 60, + "name": "Filter :: Generic", + "data": { + "indexed_params": { + "filtering-label": "A", + "selector": "Event._AttributeFlattened.{n}", + "value": "", + "value_list": [ + "ip-src", + "ip-dst", + "hostname", + 
"domain", + "domain|ip" + ], + "operator": "in_or", + "hash_path": "type" + }, + "saved_filters": { + "selector": "", + "value": "", + "operator": "", + "path": "" + }, + "node_uid": "lwsssspx03t03ive3p7335o", + "module_type": "logic", + "id": "generic-filter-data", + "name": "Filter :: Generic", + "multiple_output_connection": false, + "previous_module_version": "0.2", + "module_version": "0.2" + }, + "class": "block-type-default block-type-logic", + "typenode": false, + "inputs": { + "input_1": { + "connections": [] + } + }, + "outputs": { + "output_1": { + "connections": [ + { + "node": "51", + "output": "input_1" + } + ] + } + }, + "pos_x": 148.6418269230769, + "pos_y": 1419.5684740471113 + }, + { + "id": 61, + "name": "IF :: Tag", + "data": { + "indexed_params": { + "scope": "event_attribute", + "condition": "not_in_or", + "tags": [ + "misp-workflow:mutability=\"allowed\"" + ], + "clusters": "" + }, + "saved_filters": { + "selector": "", + "value": "", + "operator": "", + "path": "" + }, + "node_uid": "m0weeecyi20a9chc18ibx", + "module_type": "logic", + "id": "tag-if", + "name": "IF :: Tag", + "multiple_output_connection": false, + "previous_module_version": "0.4", + "module_version": "0.4" + }, + "class": "block-type-if block-type-logic expect-misp-core-format", + "typenode": false, + "inputs": { + "input_1": { + "connections": [ + { + "node": "58", + "input": "output_2" + } + ] + } + }, + "outputs": { + "output_1": { + "connections": [ + { + "node": "55", + "output": "input_1" + } + ] + }, + "output_2": { + "connections": [ + { + "node": "63", + "output": "input_1" + } + ] + } + }, + "pos_x": 2063.233138590476, + "pos_y": 1770.076049804687 + }, + { + "id": 62, + "name": "Tag operation", + "data": { + "indexed_params": { + "scope": "attribute", + "action": "add", + "locality": "local", + "tags": [ + "false-positive:risk=\"low\"", + "misp-workflow:analysis=\"highly-likely-positive\"" + ], + "relationship_type": "" + }, + "saved_filters": { + "selector": "", + 
"value": "", + "operator": "", + "path": "" + }, + "node_uid": "mt77772vi5p0h8dx2jm4kpq", + "module_type": "action", + "id": "tag_operation", + "name": "Tag operation", + "multiple_output_connection": false, + "previous_module_version": "0.2", + "module_version": "0.2" + }, + "class": "block-type-default expect-misp-core-format", + "typenode": false, + "inputs": { + "input_1": { + "connections": [ + { + "node": "50", + "input": "output_1" + } + ] + } + }, + "outputs": { + "output_1": { + "connections": [ + { + "node": "59", + "output": "input_1" + } + ] + } + }, + "pos_x": 3131, + "pos_y": 710 + }, + { + "id": 63, + "name": "Tag operation", + "data": { + "indexed_params": { + "scope": "attribute", + "action": "add", + "locality": "local", + "tags": [ + "false-positive:risk=\"high\"", + "misp-workflow:analysis=\"false-positive\"" + ], + "relationship_type": "" + }, + "saved_filters": { + "selector": "", + "value": "", + "operator": "", + "path": "" + }, + "node_uid": "n7llllfu07l04gd9g8axqss", + "module_type": "action", + "id": "tag_operation", + "name": "Tag operation", + "multiple_output_connection": false, + "previous_module_version": "0.2", + "module_version": "0.2" + }, + "class": "block-type-default expect-misp-core-format", + "typenode": false, + "inputs": { + "input_1": { + "connections": [ + { + "node": "61", + "input": "output_2" + } + ] + } + }, + "outputs": { + "output_1": { + "connections": [ + { + "node": "59", + "output": "input_1" + } + ] + } + }, + "pos_x": 3133.860952529532, + "pos_y": 2150.139047470468 + } + ], + "default": false, + "mermaid": "flowchart LR\n 51[\"fas:fa-asterisk Attach enrichment\"] --> 54[/\"fas:fa-filter Filter :: Generic\"/]\n 52[\"fas:fa-edit Attribute IDS Flag operation\"] --> 53[\"fas:fa-tags Tag operation\"]\n 53[\"fas:fa-tags Tag operation\"] --> 57[\"fas:fa-edit Attribute comment operation\"]\n 54[/\"fas:fa-filter Filter :: Generic\"/] --> 58[/\"fas:fa-code-branch IF :: Generic\"/]\n 55[\"fas:fa-edit Attribute IDS Flag 
operation\"] --> 56[\"fas:fa-tags Tag operation\"]\n 56[\"fas:fa-tags Tag operation\"] --> 57[\"fas:fa-edit Attribute comment operation\"]\n 57[\"fas:fa-edit Attribute comment operation\"] --> 59[/\"fas:fa-redo-alt Filter :: Remove filter\"/]\n 58[/\"fas:fa-code-branch IF :: Generic\"/] --> 61[/\"fas:fa-code-branch IF :: Tag\"/]\n 60[/\"fas:fa-filter Filter :: Generic\"/] --> 51[\"fas:fa-asterisk Attach enrichment\"]\n 61[/\"fas:fa-code-branch IF :: Tag\"/] --> 55[\"fas:fa-edit Attribute IDS Flag operation\"]\n 61[/\"fas:fa-code-branch IF :: Tag\"/] --> 63[\"fas:fa-tags Tag operation\"]\n 62[\"fas:fa-tags Tag operation\"] --> 59[/\"fas:fa-redo-alt Filter :: Remove filter\"/]\n 63[\"fas:fa-tags Tag operation\"] --> 59[/\"fas:fa-redo-alt Filter :: Remove filter\"/]\n" + } +} \ No newline at end of file diff --git a/blueprints/blueprint_curation---toggle-automation-flag-from-urls-based-on-google-safe-browsing.json b/blueprints/blueprint_curation---toggle-automation-flag-from-urls-based-on-google-safe-browsing.json new file mode 100644 index 0000000..e8b6b64 --- /dev/null +++ b/blueprints/blueprint_curation---toggle-automation-flag-from-urls-based-on-google-safe-browsing.json 
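Review bot: The two `IF :: Tag` gates are wired inconsistently: node 50 (`not_in_or`) sends output_1 to the tag-only node 62 and output_2 to the IDS-add node 52, whereas node 61 (also `not_in_or`) sends output_1 to the IDS-remove node 55 and output_2 to the tag-only node 63. If output_1 is the true branch, as the `in_or` gates in the sibling blueprints assume, node 61 clears `to_ids` (globally, via node 56) on attributes that do *not* carry `misp-workflow:mutability="allowed"` and leaves the opted-in ones untouched — the opposite of the stated contract and the more dangerous direction, since it weakens detection on data nobody approved for mutation. The smallest fix is `"condition": "in_or"` on node 61 (keeping its connections), or swap its two outputs. Also: the description names `curation:mutability="allowed"` while both gates check `misp-workflow:mutability="allowed"`; the comment template in node 57 misspells the source as `abusipdb.is-malicious`; and the `mermaid` field omits the `58 --> 50`, `50 --> 62` and `50 --> 52` edges present in the node graph, so the rendered diagram hides the IDS-add path.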
@@ -0,0 +1,741 @@ +{ + "WorkflowBlueprint": { + "id": "28", + "uuid": "bf8b766a-f800-43dd-9bd4-e6ebe02cfdd9", + "name": "Curation - Toggle automation flag from URLs based on Google-Safe-Browsing", + "description": "Using an enrichment module (google-safe-browsing), toggle the ids_flag for network URLs if the tag `curation:mutability=\"allowed\"` is attached. Tag accordingly in both cases.", + "timestamp": "1689268231", + "data": [ + { + "id": 64, + "name": "Attach enrichment", + "data": { + "indexed_params": { + "modules": [ + "", + "google_safe_browsing" + ] + }, + "saved_filters": { + "selector": "", + "value": "", + "operator": "", + "path": "" + }, + "node_uid": "1c04sssspx083qdi7c9ewt", + "module_type": "action", + "id": "attach-enrichment", + "name": "Attach enrichment", + "multiple_output_connection": false, + "previous_module_version": "?", + "module_version": "0.3" + }, + "class": "block-type-default expect-misp-core-format", + "typenode": false, + "inputs": { + "input_1": { + "connections": [ + { + "node": "73", + "input": "output_1" + } + ] + } + }, + "outputs": { + "output_1": { + "connections": [ + { + "node": "67", + "output": "input_1" + } + ] + } + }, + "pos_x": 1216.4969282156617, + "pos_y": 869.2408347664507 + }, + { + "id": 65, + "name": "Attribute IDS Flag operation", + "data": { + "indexed_params": { + "action": "add" + }, + "saved_filters": { + "selector": "", + "value": "", + "operator": "", + "path": "" + }, + "node_uid": "1c0s77772vi0qy0qehrx5gq", + "module_type": "action", + "id": "attribute_ids_flag_operation", + "name": "Attribute IDS Flag operation", + "multiple_output_connection": false, + "previous_module_version": "?", + "module_version": "0.1" + }, + "class": "block-type-default expect-misp-core-format", + "typenode": false, + "inputs": { + "input_1": { + "connections": [ + { + "node": "74", + "input": "output_2" + } + ] + } + }, + "outputs": { + "output_1": { + "connections": [ + { + "node": "66", + "output": "input_1" + } + ] + } 
+ }, + "pos_x": 3161, + "pos_y": 614 + }, + { + "id": 66, + "name": "Tag operation", + "data": { + "indexed_params": { + "scope": "attribute", + "action": "add", + "locality": "global", + "tags": [ + "false-positive:risk=\"low\"", + "misp-workflow:action-taken=\"ids-flag-added\"", + "misp-workflow:analysis=\"highly-likely-positive\"" + ], + "relationship_type": "" + }, + "saved_filters": { + "selector": "", + "value": "", + "operator": "", + "path": "" + }, + "node_uid": "1c0tsssspx0dw9nnk52ogf", + "module_type": "action", + "id": "tag_operation", + "name": "Tag operation", + "multiple_output_connection": false, + "previous_module_version": "?", + "module_version": "0.2" + }, + "class": "block-type-default expect-misp-core-format", + "typenode": false, + "inputs": { + "input_1": { + "connections": [ + { + "node": "65", + "input": "output_1" + } + ] + } + }, + "outputs": { + "output_1": { + "connections": [ + { + "node": "70", + "output": "input_1" + } + ] + } + }, + "pos_x": 3612, + "pos_y": 448 + }, + { + "id": 67, + "name": "Filter :: Generic", + "data": { + "indexed_params": { + "filtering-label": "B", + "selector": "Event._AttributeFlattened.{n}", + "value": "boolean", + "value_list": "", + "operator": "in", + "hash_path": "enrichment.{n}.Object.{n}[name=google-safe-browsing].Attribute.{n}[object_relation=malicious].type" + }, + "saved_filters": { + "selector": "", + "value": "", + "operator": "", + "path": "" + }, + "node_uid": "1c1ollllfu0ivc42v0zku", + "module_type": "logic", + "id": "generic-filter-data", + "name": "Filter :: Generic", + "multiple_output_connection": false, + "previous_module_version": "?", + "module_version": "0.2" + }, + "class": "block-type-default block-type-logic", + "typenode": false, + "inputs": { + "input_1": { + "connections": [ + { + "node": "64", + "input": "output_1" + } + ] + } + }, + "outputs": { + "output_1": { + "connections": [ + { + "node": "71", + "output": "input_1" + } + ] + } + }, + "pos_x": 1660.4969282156617, + 
"pos_y": 723.2408347664507 + }, + { + "id": 68, + "name": "Attribute IDS Flag operation", + "data": { + "indexed_params": { + "action": "remove" + }, + "saved_filters": { + "selector": "", + "value": "", + "operator": "", + "path": "" + }, + "node_uid": "1c1zllllfu0g9p8uxha0j", + "module_type": "action", + "id": "attribute_ids_flag_operation", + "name": "Attribute IDS Flag operation", + "multiple_output_connection": false, + "previous_module_version": "?", + "module_version": "0.1" + }, + "class": "block-type-default expect-misp-core-format", + "typenode": false, + "inputs": { + "input_1": { + "connections": [ + { + "node": "75", + "input": "output_1" + } + ] + } + }, + "outputs": { + "output_1": { + "connections": [ + { + "node": "69", + "output": "input_1" + } + ] + } + }, + "pos_x": 3158.4969282156626, + "pos_y": 1095.2408347664507 + }, + { + "id": 69, + "name": "Tag operation", + "data": { + "indexed_params": { + "scope": "attribute", + "action": "add", + "locality": "global", + "tags": [ + "false-positive:risk=\"high\"", + "misp-workflow:action-taken=\"ids-flag-removed\"", + "misp-workflow:analysis=\"false-positive\"" + ], + "relationship_type": "" + }, + "saved_filters": { + "selector": "", + "value": "", + "operator": "", + "path": "" + }, + "node_uid": "1c22p7772vi0pgmqlrcw9s", + "module_type": "action", + "id": "tag_operation", + "name": "Tag operation", + "multiple_output_connection": false, + "previous_module_version": "?", + "module_version": "0.2" + }, + "class": "block-type-default expect-misp-core-format", + "typenode": false, + "inputs": { + "input_1": { + "connections": [ + { + "node": "68", + "input": "output_1" + } + ] + } + }, + "outputs": { + "output_1": { + "connections": [ + { + "node": "70", + "output": "input_1" + } + ] + } + }, + "pos_x": 3616, + "pos_y": 950 + }, + { + "id": 70, + "name": "Attribute comment operation", + "data": { + "indexed_params": { + "comment": "{% for objectAttribute in 
__currentAttribute.enrichment.0.Object.0.Attribute %}\n\t{% if objectAttribute.object_relation == \"malicious\" %}\n\t\t[Curation pipeline enrichment:google-safe-browsing.malicious] `{{ objectAttribute.value }}`\n\t{% endif %}\n{% endfor %}" + }, + "saved_filters": { + "selector": "", + "value": "", + "operator": "", + "path": "" + }, + "node_uid": "1c2tassspx0q01pteaj7rh", + "module_type": "action", + "id": "Module_attribute_comment_operation", + "name": "Attribute comment operation", + "multiple_output_connection": false, + "previous_module_version": "?", + "module_version": "0.1" + }, + "class": "block-type-default expect-misp-core-format", + "typenode": false, + "inputs": { + "input_1": { + "connections": [ + { + "node": "66", + "input": "output_1" + }, + { + "node": "69", + "input": "output_1" + } + ] + } + }, + "outputs": { + "output_1": { + "connections": [ + { + "node": "72", + "output": "input_1" + } + ] + } + }, + "pos_x": 4003.4969282156617, + "pos_y": 872.2408347664507 + }, + { + "id": 71, + "name": "IF :: Generic", + "data": { + "indexed_params": { + "value": "1", + "value_list": "", + "operator": "in", + "hash_path": "Event._AttributeFlattened.{n}.enrichment.{n}.Object.{n}[name=google-safe-browsing].Attribute.{n}[object_relation=malicious].value" + }, + "saved_filters": { + "selector": "", + "value": "", + "operator": "", + "path": "" + }, + "node_uid": "1c2yp7772vi0gut7ca8y5cw", + "module_type": "logic", + "id": "generic-if", + "name": "IF :: Generic", + "multiple_output_connection": false, + "previous_module_version": "?", + "module_version": "0.2" + }, + "class": "block-type-if block-type-logic", + "typenode": false, + "inputs": { + "input_1": { + "connections": [ + { + "node": "67", + "input": "output_1" + } + ] + } + }, + "outputs": { + "output_1": { + "connections": [ + { + "node": "74", + "output": "input_1" + } + ] + }, + "output_2": { + "connections": [ + { + "node": "75", + "output": "input_1" + } + ] + } + }, + "pos_x": 2090.4969282156617, 
+ "pos_y": 814.3478843748055 + }, + { + "id": 72, + "name": "Filter :: Remove filter", + "data": { + "indexed_params": { + "filtering-label": "all" + }, + "saved_filters": { + "selector": "", + "value": "", + "operator": "", + "path": "" + }, + "node_uid": "1c3d0fhxxzjguqru", + "module_type": "logic", + "id": "generic-filter-reset", + "name": "Filter :: Remove filter", + "multiple_output_connection": false, + "previous_module_version": "?", + "module_version": "0.1" + }, + "class": "block-type-default block-type-logic", + "typenode": false, + "inputs": { + "input_1": { + "connections": [ + { + "node": "70", + "input": "output_1" + }, + { + "node": "76", + "input": "output_1" + }, + { + "node": "77", + "input": "output_1" + } + ] + } + }, + "outputs": { + "output_1": { + "connections": [] + } + }, + "pos_x": 4468.496928215662, + "pos_y": 885.2408347664511 + }, + { + "id": 73, + "name": "Filter :: Generic", + "data": { + "indexed_params": { + "filtering-label": "A", + "selector": "Event._AttributeFlattened.{n}", + "value": "", + "value_list": [ + "url" + ], + "operator": "in_or", + "hash_path": "type" + }, + "saved_filters": { + "selector": "", + "value": "", + "operator": "", + "path": "" + }, + "node_uid": "1c3i77772vi0yoiovmuijr", + "module_type": "logic", + "id": "generic-filter-data", + "name": "Filter :: Generic", + "multiple_output_connection": false, + "previous_module_version": "?", + "module_version": "0.2" + }, + "class": "block-type-default block-type-logic", + "typenode": false, + "inputs": { + "input_1": { + "connections": [] + } + }, + "outputs": { + "output_1": { + "connections": [ + { + "node": "64", + "output": "input_1" + } + ] + } + }, + "pos_x": 765.4969282156617, + "pos_y": 729.2408347664511 + }, + { + "id": 74, + "name": "IF :: Tag", + "data": { + "indexed_params": { + "scope": "event_attribute", + "condition": "not_in_or", + "tags": [ + "misp-workflow:mutability=\"allowed\"" + ], + "clusters": "" + }, + "saved_filters": { + "selector": "", + 
"value": "", + "operator": "", + "path": "" + }, + "node_uid": "1c3tweeecyi071rxlgxlc9q", + "module_type": "logic", + "id": "tag-if", + "name": "IF :: Tag", + "multiple_output_connection": false, + "previous_module_version": "?", + "module_version": "0.4" + }, + "class": "block-type-if block-type-logic expect-misp-core-format", + "typenode": false, + "inputs": { + "input_1": { + "connections": [ + { + "node": "71", + "input": "output_1" + } + ] + } + }, + "outputs": { + "output_1": { + "connections": [ + { + "node": "76", + "output": "input_1" + } + ] + }, + "output_2": { + "connections": [ + { + "node": "65", + "output": "input_1" + } + ] + } + }, + "pos_x": 2547, + "pos_y": 539 + }, + { + "id": 75, + "name": "IF :: Tag", + "data": { + "indexed_params": { + "scope": "event_attribute", + "condition": "not_in_or", + "tags": [ + "misp-workflow:mutability=\"allowed\"" + ], + "clusters": "" + }, + "saved_filters": { + "selector": "", + "value": "", + "operator": "", + "path": "" + }, + "node_uid": "1c4k0novy1mbg13", + "module_type": "logic", + "id": "tag-if", + "name": "IF :: Tag", + "multiple_output_connection": false, + "previous_module_version": "?", + "module_version": "0.4" + }, + "class": "block-type-if block-type-logic expect-misp-core-format", + "typenode": false, + "inputs": { + "input_1": { + "connections": [ + { + "node": "71", + "input": "output_2" + } + ] + } + }, + "outputs": { + "output_1": { + "connections": [ + { + "node": "68", + "output": "input_1" + } + ] + }, + "output_2": { + "connections": [ + { + "node": "77", + "output": "input_1" + } + ] + } + }, + "pos_x": 2546.4969282156617, + "pos_y": 1040.2408347664507 + }, + { + "id": 76, + "name": "Tag operation", + "data": { + "indexed_params": { + "scope": "attribute", + "action": "add", + "locality": "local", + "tags": [ + "false-positive:risk=\"low\"", + "misp-workflow:analysis=\"highly-likely-positive\"" + ], + "relationship_type": "" + }, + "saved_filters": { + "selector": "", + "value": "", + 
"operator": "", + "path": "" + }, + "node_uid": "1c5eeeeecyi0fh9rrhfvinu", + "module_type": "action", + "id": "tag_operation", + "name": "Tag operation", + "multiple_output_connection": false, + "previous_module_version": "?", + "module_version": "0.2" + }, + "class": "block-type-default expect-misp-core-format", + "typenode": false, + "inputs": { + "input_1": { + "connections": [ + { + "node": "74", + "input": "output_1" + } + ] + } + }, + "outputs": { + "output_1": { + "connections": [ + { + "node": "72", + "output": "input_1" + } + ] + } + }, + "pos_x": 3612, + "pos_y": -19 + }, + { + "id": 77, + "name": "Tag operation", + "data": { + "indexed_params": { + "scope": "attribute", + "action": "add", + "locality": "local", + "tags": [ + "false-positive:risk=\"high\"", + "misp-workflow:analysis=\"false-positive\"" + ], + "relationship_type": "" + }, + "saved_filters": { + "selector": "", + "value": "", + "operator": "", + "path": "" + }, + "node_uid": "1c66weeecyi05khda4m0j5c", + "module_type": "action", + "id": "tag_operation", + "name": "Tag operation", + "multiple_output_connection": false, + "previous_module_version": "?", + "module_version": "0.2" + }, + "class": "block-type-default expect-misp-core-format", + "typenode": false, + "inputs": { + "input_1": { + "connections": [ + { + "node": "75", + "input": "output_2" + } + ] + } + }, + "outputs": { + "output_1": { + "connections": [ + { + "node": "72", + "output": "input_1" + } + ] + } + }, + "pos_x": 3617, + "pos_y": 1406.4310260707152 + } + ], + "default": false, + "mermaid": "flowchart LR\n 65[\"fas:fa-edit Attribute IDS Flag operation\"] --> 66[\"fas:fa-tags Tag operation\"]\n 66[\"fas:fa-tags Tag operation\"] --> 70[\"fas:fa-edit Attribute comment operation\"]\n 67[/\"fas:fa-filter Filter :: Generic\"/] --> 71[/\"fas:fa-code-branch IF :: Generic\"/]\n 68[\"fas:fa-edit Attribute IDS Flag operation\"] --> 69[\"fas:fa-tags Tag operation\"]\n 69[\"fas:fa-tags Tag operation\"] --> 70[\"fas:fa-edit Attribute 
comment operation\"]\n 70[\"fas:fa-edit Attribute comment operation\"] --> 72[/\"fas:fa-redo-alt Filter :: Remove filter\"/]\n 71[/\"fas:fa-code-branch IF :: Generic\"/] --> 74[/\"fas:fa-code-branch IF :: Tag\"/]\n 71[/\"fas:fa-code-branch IF :: Generic\"/] --> 75[/\"fas:fa-code-branch IF :: Tag\"/]\n 74[/\"fas:fa-code-branch IF :: Tag\"/] --> 76[\"fas:fa-tags Tag operation\"]\n 74[/\"fas:fa-code-branch IF :: Tag\"/] --> 65[\"fas:fa-edit Attribute IDS Flag operation\"]\n 75[/\"fas:fa-code-branch IF :: Tag\"/] --> 68[\"fas:fa-edit Attribute IDS Flag operation\"]\n 75[/\"fas:fa-code-branch IF :: Tag\"/] --> 77[\"fas:fa-tags Tag operation\"]\n 76[\"fas:fa-tags Tag operation\"] --> 72[/\"fas:fa-redo-alt Filter :: Remove filter\"/]\n 77[\"fas:fa-tags Tag operation\"] --> 72[/\"fas:fa-redo-alt Filter :: Remove filter\"/]\n" + } +} \ No newline at end of file