Created
December 5, 2018 12:51
[{"id":"bf547258.3071f","type":"echo-watch-list-get","z":"d2217a1e.7327b8","name":"Check if VPN","property":"vpn","propertyType":"str","value":"payload.ip","valueType":"msg","x":470,"y":360,"wires":[["86492330.22551"]]},{"id":"b6a188fb.2fefa8","type":"echo-ioc-check","z":"d2217a1e.7327b8","name":"Check if IOC","property":"ip","propertyType":"str","value":"payload.ip","valueType":"msg","x":470,"y":640,"wires":[["399bd4d9.4fa94c"]]},{"id":"e93785bc.d24118","type":"echo-watch-list-get","z":"d2217a1e.7327b8","name":"Check blacklist","property":"blacklist","propertyType":"str","value":"payload.ip","valueType":"msg","x":710,"y":640,"wires":[["399bd4d9.4fa94c"]]},{"id":"3f14bdbf.f33fe2","type":"echo-ioc-check","z":"d2217a1e.7327b8","name":"Check if TOR","property":"tor","propertyType":"str","value":"payload.ip","valueType":"msg","x":230,"y":640,"wires":[["399bd4d9.4fa94c"]]},{"id":"399bd4d9.4fa94c","type":"echo-collect","z":"d2217a1e.7327b8","name":"Wait for checks","waitForInputs":"2","x":470,"y":800,"wires":[["6ac0f118.b555a","a51f5fbc.2ae9b"]]},{"id":"a51f5fbc.2ae9b","type":"function","z":"d2217a1e.7327b8","name":"Should we trigger a detection?","func":"\nreturn msg;","outputs":2,"noerr":0,"x":510,"y":940,"wires":[["d26e8398.eb227","8e6ce52b.bbf2d8","30f9a3e0.2bb66c"],[]],"outputLabels":["Yes","No"]},{"id":"101e25dc.cae19a","type":"tcp out","z":"d2217a1e.7327b8","host":"arcsight.example.com","port":"1514","beserver":"client","base64":false,"end":false,"name":"Send to Arcsight","x":470,"y":1220,"wires":[]},{"id":"d26e8398.eb227","type":"function","z":"d2217a1e.7327b8","name":"Format an email","func":"\nreturn msg;","outputs":1,"noerr":0,"x":730,"y":1080,"wires":[["dbc4100a.b1cdd"]]},{"id":"dbc4100a.b1cdd","type":"e-mail","z":"d2217a1e.7327b8","server":"smtp.gmail.com","port":"465","secure":true,"name":"","dname":"Send alert email","x":730,"y":1220,"wires":[]},{"id":"8e6ce52b.bbf2d8","type":"echo-alert-add","z":"d2217a1e.7327b8","name":"","subject":"Malicious 
login","subjectType":"str","description":"We have identified a malicious login","descriptionType":"str","_category":"Login","_categoryType":"str","subcategory":"Remote Access Origin","subcategoryType":"str","rule":"Malicious Login Detected","ruleType":"str","severity":"high","severityType":"str","priority":"high","priorityType":"str","evidence":"event","evidenceType":"msg","tags":"login-attempt, detection","tagsType":"str","x":210,"y":1080,"wires":[[]]},{"id":"28880ac1.c18e36","type":"function","z":"d2217a1e.7327b8","name":"Extract IP","func":"msg.event = msg.payload;\nmsg.payload = {ip: msg.payload.sourceAddress};\nreturn msg;","outputs":1,"noerr":0,"x":470,"y":240,"wires":[["bf547258.3071f"]]},{"id":"6ac0f118.b555a","type":"debug","z":"d2217a1e.7327b8","name":"","active":true,"tosidebar":true,"console":false,"tostatus":false,"complete":"true","x":890,"y":940,"wires":[]},{"id":"688a58e.09322a8","type":"echo-subscribe","z":"d2217a1e.7327b8","name":"","tags":"login-attempt","x":470,"y":120,"wires":[["28880ac1.c18e36"]]},{"id":"86492330.22551","type":"function","z":"d2217a1e.7327b8","name":"Should we inspect this?","func":"if (msg.payload.watch_list.exists) {\n return {\n event: msg.event,\n payload: {\n ip:msg.payload.ip\n \n }\n }; \n}\n","outputs":1,"noerr":0,"x":490,"y":500,"wires":[["e93785bc.d24118","3f14bdbf.f33fe2","b6a188fb.2fefa8"]]},{"id":"30f9a3e0.2bb66c","type":"syslog","z":"d2217a1e.7327b8","name":"","property":"payload","x":470,"y":1080,"wires":[["101e25dc.cae19a"]]}] |
[{"id":"aa35a99b.3473b8","type":"echo-beats-in","z":"be86a662.40f248","name":"","port":"9595","x":370,"y":340,"wires":[["cba29948.8c1a48"]]},{"id":"cba29948.8c1a48","type":"echo-push","z":"be86a662.40f248","name":"","key":"makelogs","keyType":"str","x":750,"y":500,"wires":[]},{"id":"bc7b9f87.95f77","type":"tcp in","z":"be86a662.40f248","name":"","server":"server","host":"","port":"","datamode":"stream","datatype":"buffer","newline":"","topic":"","base64":false,"x":590,"y":200,"wires":[["bd81902b.230ab"]]},{"id":"932efc7d.1b0d1","type":"udp in","z":"be86a662.40f248","name":"","iface":"","port":"","ipv":"udp4","multicast":"false","group":"","datatype":"buffer","x":910,"y":200,"wires":[["bd81902b.230ab"]]},{"id":"bd81902b.230ab","type":"cef","z":"be86a662.40f248","name":"","property":"payload","x":750,"y":340,"wires":[["cba29948.8c1a48"]]}] |
[{"id":"865454a1.d0ea48","type":"echo-elastic-store","z":"e0d9e50e.40d368","name":"","x":470,"y":520,"wires":[]},{"id":"54dba235.14457c","type":"echo-event","z":"e0d9e50e.40d368","name":"","index":"echo-raw-v2","rollover":"daily","x":470,"y":240,"wires":[["b1256840.6aff18"]]},{"id":"b1256840.6aff18","type":"function","z":"e0d9e50e.40d368","name":"","func":"delete msg.payload.echo.device\ndelete msg.payload.echo.source\ndelete msg.payload.echo.viz\ndelete msg.payload.echo.destination\nreturn msg;","outputs":1,"noerr":0,"x":470,"y":360,"wires":[["865454a1.d0ea48","aa70a2e.758ee6","94d1c972.406908"]]},{"id":"aa70a2e.758ee6","type":"echo-pop","z":"e0d9e50e.40d368","name":"","key":"makelogs","keyType":"str","x":470,"y":100,"wires":[["54dba235.14457c"]]},{"id":"94d1c972.406908","type":"match","z":"e0d9e50e.40d368","name":"Check if login attempt","rules":[{"property":"payload.eventId","propertyType":"msg","type":"eq","value":"4672","valueType":"str"}],"x":220,"y":520,"wires":[["babb7ae.e3b3388"],[]],"outputLabels":["Yes","No"]},{"id":"babb7ae.e3b3388","type":"echo-push","z":"e0d9e50e.40d368","name":"","key":"login-attempts","keyType":"str","x":210,"y":640,"wires":[]}] |
[{"id":"33c501c3.68413e","type":"inject","z":"bf0aedff.8658f","name":"Inject VPN Login","topic":"","payload":"{\"deviceCustomDate1Label\":\"Elapsed Time\",\"categoryBehavior\":\"/Access\",\"deviceCustomDate2Label\":\"Subs Expired\",\"eventAnnotationEndTime\":\"2018-12-06T16:59:22.146Z\",\"locality\":\"1\",\"deviceCustomNumber2Label\":\"icmp_type\",\"deviceTimeZone\":\"Asia/Jerusalem\",\"categoryTupleDescription\":\"Firewall\",\"receiptTime\":\"2018-12-06T16:59:22.146Z\",\"deviceCustomString5Label\":\"Total bytes\",\"agentAddress\":\"150.0.0.0\",\"agentType\":\"superagent_ng\",\"relevance\":\"10\",\"eventAnnotationVersion\":\"1\",\"deviceDirection\":\"1\",\"customerURI\":\"/All Customers/Bank ********\",\"deviceCustomNumber1Label\":\"Elapsed Time in Seconds\",\"categoryOutcome\":\"/Failure\",\"sourcePort\":36542,\"agentReceiptTime\":\"2018-12-06T16:59:22.146Z\",\"deviceInboundInterface\":\"eth3\",\"deviceCustomString4Label\":\"Rule UID\",\"deviceCustomString2Label\":\"UFP category\",\"sourceAddress\":\"210.28.67.10\",\"deviceAction\":\"drop\",\"categoryObject\":\"/Host/Application/Service\",\"priority\":\"2\",\"index\":\"echo-raw-2018.12.06\",\"deviceEventCategory\":\"SecurityLog\",\"destinationZoneID\":\"M0cHU5fsAABCCXbv-GNArfg\\\\\",\"deviceCustomString4\":\"{D941CC58-1EFE-4733-8231-732444F79D94}\",\"deviceZoneID\":\"ML8022AABABCDTFpYAT3UdQ'\",\"categoryDeviceGroup\":\"/Firewall\",\"deviceZoneURI\":\"/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 
10.0.0.0-10.255.255.255\",\"eventId\":226165302314,\"customerID\":\"S6QNT3SQBABCAfq+HISRrrw\\\\\",\"destinationPort\":\"379\",\"deviceCustomNumber3Label\":\"icmp_code\",\"_cefVer\":\"0.1\",\"deviceAddress\":\"10.12.144.173\",\"echo\":{\"viz\":{},\"device\":{},\"destination\":{},\"source\":{\"location\":{\"ll\":[120.5954,31.3041],\"country\":\"CN\",\"city\":\"Suzhou\",\"range\":[3525066752,3525070847],\"region\":\"04\",\"zip\":0,\"metro\":0}},\"domain\":\"network\"},\"deviceVersion\":\"\",\"categorySignificance\":\"/Normal\",\"severity\":\"0\",\"eventAnnotationManagerReceiptTime\":\"2018-12-06T16:59:22.146Z\",\"agentVersion\":\"6.0.4.6830.0\",\"deviceCustomString1Label\":\"Rule & Rule Name\",\"@timestamp\":\"2018-12-06T16:59:22.146Z\",\"agentHostName\":\"arcsight.joo.la\",\"agentTimeZone\":\"Israel\",\"eventAnnotationAuditTrail\":\"1;1453885395068;root;Queued;;;;\\\\n\",\"deviceCustomString6\":\"Default_Running\",\"deviceCustomString6Label\":\"Policy Name\",\"destinationAddress\":\"10.9.101.85\",\"destinationServiceName\":\"\",\"tags\":[],\"destinationZoneURI\":\"/All Zones/ArcSight System/Public Address Space Zones/ARIN/10.0.0.0-255.255.255.255 (ARIN)\",\"eventAnnotationModificationTime\":\"2018-12-06T16:59:22.146Z\",\"ESN\":\"echo-raw-v2-2018.12.04/log/0ef4364d-4f23-4a37-bb89-fa9a6454bb29\",\"deviceCustomString3Label\":\"Manager\",\"managerReceiptTime\":\"2018-12-06T16:59:22.146Z\",\"eventAnnotationStageUpdateTime\":\"2018-12-06T16:59:22.146Z\",\"eventAnnotationFlags\":\"0\",\"deviceVendor\":\"Check Point\",\"@version\":\"1\",\"assetCriticality\":0,\"deviceCustomString1\":\"19 & BlueCote Rule for Health Check\",\"agentId\":\"3U4UDl04BABCAAyv03Td5tg\\\\\",\"deviceCustomString3\":\"fwmanage\",\"deviceProduct\":\"VPN-1 & 
FireWall-1\"}","payloadType":"json","repeat":"","crontab":"","once":false,"onceDelay":0.1,"x":330,"y":120,"wires":[["caeb87bc.9ccf98"]]},{"id":"caeb87bc.9ccf98","type":"echo-watch-list-add","z":"bf0aedff.8658f","name":"","property":"vpn","propertyType":"str","value":"payload.sourceAddress","valueType":"msg","expire":"60","expireUnits":"seconds","x":330,"y":260,"wires":[]},{"id":"c7b80266.959e2","type":"inject","z":"bf0aedff.8658f","name":"","topic":"","payload":"{\"deviceCustomDate1Label\":\"Elapsed Time\",\"categoryBehavior\":\"/Access\",\"deviceCustomDate2Label\":\"Subs Expired\",\"eventAnnotationEndTime\":\"2018-12-06T16:59:22.146Z\",\"locality\":\"1\",\"deviceCustomNumber2Label\":\"icmp_type\",\"deviceTimeZone\":\"Asia/Jerusalem\",\"categoryTupleDescription\":\"Firewall\",\"receiptTime\":\"2018-12-06T16:59:22.146Z\",\"deviceCustomString5Label\":\"Total bytes\",\"agentAddress\":\"150.0.0.0\",\"agentType\":\"superagent_ng\",\"relevance\":\"10\",\"eventAnnotationVersion\":\"1\",\"deviceDirection\":\"1\",\"customerURI\":\"/All Customers/Bank ********\",\"deviceCustomNumber1Label\":\"Elapsed Time in Seconds\",\"categoryOutcome\":\"/Failure\",\"sourcePort\":36542,\"agentReceiptTime\":\"2018-12-06T16:59:22.146Z\",\"deviceInboundInterface\":\"eth3\",\"deviceCustomString4Label\":\"Rule UID\",\"deviceCustomString2Label\":\"UFP category\",\"sourceAddress\":\"210.28.67.10\",\"deviceAction\":\"drop\",\"categoryObject\":\"/Host/Application/Service\",\"priority\":\"2\",\"index\":\"echo-raw-2018.12.06\",\"deviceEventCategory\":\"SecurityLog\",\"destinationZoneID\":\"M0cHU5fsAABCCXbv-GNArfg\\\\\",\"deviceCustomString4\":\"{D941CC58-1EFE-4733-8231-732444F79D94}\",\"deviceZoneID\":\"ML8022AABABCDTFpYAT3UdQ'\",\"categoryDeviceGroup\":\"/Firewall\",\"deviceZoneURI\":\"/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 
10.0.0.0-10.255.255.255\",\"eventId\":226165302314,\"customerID\":\"S6QNT3SQBABCAfq+HISRrrw\\\\\",\"destinationPort\":\"379\",\"deviceCustomNumber3Label\":\"icmp_code\",\"_cefVer\":\"0.1\",\"deviceAddress\":\"10.12.144.173\",\"echo\":{\"viz\":{},\"device\":{},\"destination\":{},\"source\":{\"location\":{\"ll\":[120.5954,31.3041],\"country\":\"CN\",\"city\":\"Suzhou\",\"range\":[3525066752,3525070847],\"region\":\"04\",\"zip\":0,\"metro\":0}},\"domain\":\"network\"},\"deviceVersion\":\"\",\"categorySignificance\":\"/Normal\",\"severity\":\"0\",\"eventAnnotationManagerReceiptTime\":\"2018-12-06T16:59:22.146Z\",\"agentVersion\":\"6.0.4.6830.0\",\"deviceCustomString1Label\":\"Rule & Rule Name\",\"@timestamp\":\"2018-12-06T16:59:22.146Z\",\"agentHostName\":\"arcsight.joo.la\",\"agentTimeZone\":\"Israel\",\"eventAnnotationAuditTrail\":\"1;1453885395068;root;Queued;;;;\\\\n\",\"deviceCustomString6\":\"Default_Running\",\"deviceCustomString6Label\":\"Policy Name\",\"destinationAddress\":\"10.9.101.85\",\"destinationServiceName\":\"\",\"tags\":[],\"destinationZoneURI\":\"/All Zones/ArcSight System/Public Address Space Zones/ARIN/10.0.0.0-255.255.255.255 (ARIN)\",\"eventAnnotationModificationTime\":\"2018-12-06T16:59:22.146Z\",\"ESN\":\"echo-raw-v2-2018.12.04/doc/fdcfa16d-a246-4a52-891c-4432741bd3f1\",\"deviceCustomString3Label\":\"Manager\",\"managerReceiptTime\":\"2018-12-06T16:59:22.146Z\",\"eventAnnotationStageUpdateTime\":\"2018-12-06T16:59:22.146Z\",\"eventAnnotationFlags\":\"0\",\"deviceVendor\":\"Check Point\",\"@version\":\"1\",\"assetCriticality\":0,\"deviceCustomString1\":\"19 & BlueCote Rule for Health Check\",\"agentId\":\"3U4UDl04BABCAAyv03Td5tg\\\\\",\"deviceCustomString3\":\"fwmanage\",\"deviceProduct\":\"VPN-1 & 
FireWall-1\"}","payloadType":"json","repeat":"","crontab":"","once":false,"onceDelay":0.1,"x":870,"y":120,"wires":[["12be99b4.708766"]]},{"id":"12be99b4.708766","type":"echo-publish","z":"bf0aedff.8658f","name":"","property":"login-attempt","propertyType":"str","x":870,"y":260,"wires":[]},{"id":"11d25284.3f624d","type":"inject","z":"bf0aedff.8658f","name":"Inject into Blacklist","topic":"","payload":"{\"deviceCustomDate1Label\":\"Elapsed Time\",\"categoryBehavior\":\"/Access\",\"deviceCustomDate2Label\":\"Subs Expired\",\"eventAnnotationEndTime\":\"2018-12-06T16:59:22.146Z\",\"locality\":\"1\",\"deviceCustomNumber2Label\":\"icmp_type\",\"deviceTimeZone\":\"Asia/Jerusalem\",\"categoryTupleDescription\":\"Firewall\",\"receiptTime\":\"2018-12-06T16:59:22.146Z\",\"deviceCustomString5Label\":\"Total bytes\",\"agentAddress\":\"150.0.0.0\",\"agentType\":\"superagent_ng\",\"relevance\":\"10\",\"eventAnnotationVersion\":\"1\",\"deviceDirection\":\"1\",\"customerURI\":\"/All Customers/Bank ********\",\"deviceCustomNumber1Label\":\"Elapsed Time in Seconds\",\"categoryOutcome\":\"/Failure\",\"sourcePort\":36542,\"agentReceiptTime\":\"2018-12-06T16:59:22.146Z\",\"deviceInboundInterface\":\"eth3\",\"deviceCustomString4Label\":\"Rule UID\",\"deviceCustomString2Label\":\"UFP category\",\"sourceAddress\":\"210.28.67.10\",\"deviceAction\":\"drop\",\"categoryObject\":\"/Host/Application/Service\",\"priority\":\"2\",\"index\":\"echo-raw-2018.12.06\",\"deviceEventCategory\":\"SecurityLog\",\"destinationZoneID\":\"M0cHU5fsAABCCXbv-GNArfg\\\\\",\"deviceCustomString4\":\"{D941CC58-1EFE-4733-8231-732444F79D94}\",\"deviceZoneID\":\"ML8022AABABCDTFpYAT3UdQ'\",\"categoryDeviceGroup\":\"/Firewall\",\"deviceZoneURI\":\"/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 
10.0.0.0-10.255.255.255\",\"eventId\":226165302314,\"customerID\":\"S6QNT3SQBABCAfq+HISRrrw\\\\\",\"destinationPort\":\"379\",\"deviceCustomNumber3Label\":\"icmp_code\",\"_cefVer\":\"0.1\",\"deviceAddress\":\"10.12.144.173\",\"echo\":{\"viz\":{},\"device\":{},\"destination\":{},\"source\":{\"location\":{\"ll\":[120.5954,31.3041],\"country\":\"CN\",\"city\":\"Suzhou\",\"range\":[3525066752,3525070847],\"region\":\"04\",\"zip\":0,\"metro\":0}},\"domain\":\"network\"},\"deviceVersion\":\"\",\"categorySignificance\":\"/Normal\",\"severity\":\"0\",\"eventAnnotationManagerReceiptTime\":\"2018-12-06T16:59:22.146Z\",\"agentVersion\":\"6.0.4.6830.0\",\"deviceCustomString1Label\":\"Rule & Rule Name\",\"@timestamp\":\"2018-12-06T16:59:22.146Z\",\"agentHostName\":\"arcsight.joo.la\",\"agentTimeZone\":\"Israel\",\"eventAnnotationAuditTrail\":\"1;1453885395068;root;Queued;;;;\\\\n\",\"deviceCustomString6\":\"Default_Running\",\"deviceCustomString6Label\":\"Policy Name\",\"destinationAddress\":\"10.9.101.85\",\"destinationServiceName\":\"\",\"tags\":[],\"destinationZoneURI\":\"/All Zones/ArcSight System/Public Address Space Zones/ARIN/10.0.0.0-255.255.255.255 (ARIN)\",\"eventAnnotationModificationTime\":\"2018-12-06T16:59:22.146Z\",\"ESN\":\"echo-raw-v2-2018.12.04/log/0ef4364d-4f23-4a37-bb89-fa9a6454bb29\",\"deviceCustomString3Label\":\"Manager\",\"managerReceiptTime\":\"2018-12-06T16:59:22.146Z\",\"eventAnnotationStageUpdateTime\":\"2018-12-06T16:59:22.146Z\",\"eventAnnotationFlags\":\"0\",\"deviceVendor\":\"Check Point\",\"@version\":\"1\",\"assetCriticality\":0,\"deviceCustomString1\":\"19 & BlueCote Rule for Health Check\",\"agentId\":\"3U4UDl04BABCAAyv03Td5tg\\\\\",\"deviceCustomString3\":\"fwmanage\",\"deviceProduct\":\"VPN-1 & 
FireWall-1\"}","payloadType":"json","repeat":"","crontab":"","once":false,"onceDelay":0.1,"x":330,"y":540,"wires":[["fe4d1a02.203778"]]},{"id":"fe4d1a02.203778","type":"echo-watch-list-add","z":"bf0aedff.8658f","name":"","property":"blacklist","propertyType":"str","value":"payload.sourceAddress","valueType":"msg","expire":"60","expireUnits":"seconds","x":330,"y":680,"wires":[]},{"id":"78317ea3.0543d","type":"echo-ioc-add","z":"bf0aedff.8658f","name":"","property":"tor","propertyType":"str","value":"payload.sourceAddress","valueType":"msg","source":"demo","sourceType":"str","detailsUrl":"http://nowhere.com","detailsUrlType":"str","x":870,"y":680,"wires":[["6c1aee96.c747"]]},{"id":"9460f1a4.e481e","type":"inject","z":"bf0aedff.8658f","name":"Inject as IOC","topic":"","payload":"{\"deviceCustomDate1Label\":\"Elapsed Time\",\"categoryBehavior\":\"/Access\",\"deviceCustomDate2Label\":\"Subs Expired\",\"eventAnnotationEndTime\":\"2018-12-06T16:59:22.146Z\",\"locality\":\"1\",\"deviceCustomNumber2Label\":\"icmp_type\",\"deviceTimeZone\":\"Asia/Jerusalem\",\"categoryTupleDescription\":\"Firewall\",\"receiptTime\":\"2018-12-06T16:59:22.146Z\",\"deviceCustomString5Label\":\"Total bytes\",\"agentAddress\":\"150.0.0.0\",\"agentType\":\"superagent_ng\",\"relevance\":\"10\",\"eventAnnotationVersion\":\"1\",\"deviceDirection\":\"1\",\"customerURI\":\"/All Customers/Bank ********\",\"deviceCustomNumber1Label\":\"Elapsed Time in Seconds\",\"categoryOutcome\":\"/Failure\",\"sourcePort\":36542,\"agentReceiptTime\":\"2018-12-06T16:59:22.146Z\",\"deviceInboundInterface\":\"eth3\",\"deviceCustomString4Label\":\"Rule UID\",\"deviceCustomString2Label\":\"UFP 
category\",\"sourceAddress\":\"210.28.67.10\",\"deviceAction\":\"drop\",\"categoryObject\":\"/Host/Application/Service\",\"priority\":\"2\",\"index\":\"echo-raw-2018.12.06\",\"deviceEventCategory\":\"SecurityLog\",\"destinationZoneID\":\"M0cHU5fsAABCCXbv-GNArfg\\\\\",\"deviceCustomString4\":\"{D941CC58-1EFE-4733-8231-732444F79D94}\",\"deviceZoneID\":\"ML8022AABABCDTFpYAT3UdQ'\",\"categoryDeviceGroup\":\"/Firewall\",\"deviceZoneURI\":\"/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 10.0.0.0-10.255.255.255\",\"eventId\":226165302314,\"customerID\":\"S6QNT3SQBABCAfq+HISRrrw\\\\\",\"destinationPort\":\"379\",\"deviceCustomNumber3Label\":\"icmp_code\",\"_cefVer\":\"0.1\",\"deviceAddress\":\"10.12.144.173\",\"echo\":{\"viz\":{},\"device\":{},\"destination\":{},\"source\":{\"location\":{\"ll\":[120.5954,31.3041],\"country\":\"CN\",\"city\":\"Suzhou\",\"range\":[3525066752,3525070847],\"region\":\"04\",\"zip\":0,\"metro\":0}},\"domain\":\"network\"},\"deviceVersion\":\"\",\"categorySignificance\":\"/Normal\",\"severity\":\"0\",\"eventAnnotationManagerReceiptTime\":\"2018-12-06T16:59:22.146Z\",\"agentVersion\":\"6.0.4.6830.0\",\"deviceCustomString1Label\":\"Rule & Rule Name\",\"@timestamp\":\"2018-12-06T16:59:22.146Z\",\"agentHostName\":\"arcsight.joo.la\",\"agentTimeZone\":\"Israel\",\"eventAnnotationAuditTrail\":\"1;1453885395068;root;Queued;;;;\\\\n\",\"deviceCustomString6\":\"Default_Running\",\"deviceCustomString6Label\":\"Policy Name\",\"destinationAddress\":\"10.9.101.85\",\"destinationServiceName\":\"\",\"tags\":[],\"destinationZoneURI\":\"/All Zones/ArcSight System/Public Address Space Zones/ARIN/10.0.0.0-255.255.255.255 
(ARIN)\",\"eventAnnotationModificationTime\":\"2018-12-06T16:59:22.146Z\",\"ESN\":\"echo-raw-v2-2018.12.04/log/0ef4364d-4f23-4a37-bb89-fa9a6454bb29\",\"deviceCustomString3Label\":\"Manager\",\"managerReceiptTime\":\"2018-12-06T16:59:22.146Z\",\"eventAnnotationStageUpdateTime\":\"2018-12-06T16:59:22.146Z\",\"eventAnnotationFlags\":\"0\",\"deviceVendor\":\"Check Point\",\"@version\":\"1\",\"assetCriticality\":0,\"deviceCustomString1\":\"19 & BlueCote Rule for Health Check\",\"agentId\":\"3U4UDl04BABCAAyv03Td5tg\\\\\",\"deviceCustomString3\":\"fwmanage\",\"deviceProduct\":\"VPN-1 & FireWall-1\"}","payloadType":"json","repeat":"","crontab":"","once":false,"onceDelay":0.1,"x":870,"y":540,"wires":[["78317ea3.0543d"]]},{"id":"6c1aee96.c747","type":"echo-elastic-store","z":"bf0aedff.8658f","name":"","x":870,"y":820,"wires":[]}] |
[{"id":"47386015.ac543","type":"echo-playbook-start","z":"18f9b240.a91c1e","name":"Run Trace on Source IP","_category":"Login","_categoryType":"str","subcategory":"Remote Access Origin","subcategoryType":"str","rule":"Malicious Login Detected","ruleType":"str","x":270,"y":80,"wires":[["c6603121.5ff7b"]]},{"id":"11d60ec8.323ab1","type":"echo-playbook-end","z":"18f9b240.a91c1e","name":"","x":250,"y":680,"wires":[[]]},{"id":"c6603121.5ff7b","type":"echo-alert-get","z":"18f9b240.a91c1e","name":"","esn":"payload.ESN","esnType":"msg","x":250,"y":200,"wires":[["f377ab1.5456e58"]]},{"id":"f377ab1.5456e58","type":"function","z":"18f9b240.a91c1e","name":"Extract IP for inspection","func":"msg.payload = msg.alert['@evidence'][0].sourceAddress;\nreturn msg;","outputs":1,"noerr":0,"x":270,"y":320,"wires":[["734bf8a2.e09688"]]},{"id":"734bf8a2.e09688","type":"echo-trace-route","z":"18f9b240.a91c1e","name":"","property":"payload","propertyType":"msg","x":250,"y":440,"wires":[["22a10463.939a6c"],[]]},{"id":"22a10463.939a6c","type":"echo-alert-evidence-add","z":"18f9b240.a91c1e","name":"","esn":"alert.ESN","esnType":"msg","_type":"Trace","_typeType":"str","title":"Trace Results","titleType":"str","content":"payload","contentType":"msg","x":250,"y":560,"wires":[["11d60ec8.323ab1"]]},{"id":"48f147a.122eab8","type":"echo-playbook-start","z":"18f9b240.a91c1e","name":"Mark IP as IOC","_category":"Login","_categoryType":"str","subcategory":"Remote Access Origin","subcategoryType":"str","rule":"Malicious Login Detected","ruleType":"str","x":630,"y":80,"wires":[["e279a9ca.b81db8"]]},{"id":"e279a9ca.b81db8","type":"echo-alert-get","z":"18f9b240.a91c1e","name":"","esn":"payload.ESN","esnType":"msg","x":630,"y":200,"wires":[["bbf5054f.84f2f8"]]},{"id":"bbf5054f.84f2f8","type":"function","z":"18f9b240.a91c1e","name":"Extract IP for inspection","func":"msg.payload = msg.alert['@evidence'][0].sourceAddress;\nreturn 
msg;","outputs":1,"noerr":0,"x":650,"y":320,"wires":[["563301e6.cd848"]]},{"id":"563301e6.cd848","type":"echo-ioc-add","z":"18f9b240.a91c1e","name":"","property":"ip","propertyType":"str","value":"payload","valueType":"msg","source":"demo","sourceType":"str","detailsUrl":"http://nowhere.com","detailsUrlType":"str","x":630,"y":440,"wires":[["311547be.38dec8","9e36d681.533e38","8a821087.a4d56"]]},{"id":"311547be.38dec8","type":"echo-elastic-store","z":"18f9b240.a91c1e","name":"","x":630,"y":560,"wires":[]},{"id":"9e36d681.533e38","type":"echo-alert-evidence-add","z":"18f9b240.a91c1e","name":"","esn":"alert.ESN","esnType":"msg","_type":"IOC","_typeType":"str","title":"IOC Details","titleType":"str","content":"ioc","contentType":"msg","x":930,"y":560,"wires":[["b637807a.9a1fd"]]},{"id":"b637807a.9a1fd","type":"echo-playbook-end","z":"18f9b240.a91c1e","name":"","x":930,"y":680,"wires":[[]]},{"id":"8a821087.a4d56","type":"debug","z":"18f9b240.a91c1e","name":"","active":true,"tosidebar":true,"console":false,"tostatus":false,"complete":"true","x":700,"y":700,"wires":[]}] |