From 72fd0faa310b97559d4be4dd1aafacd095f7b421 Mon Sep 17 00:00:00 2001 From: CharlesLR-sekoia Date: Fri, 27 Jun 2025 15:18:10 +0200 Subject: [PATCH 1/2] add_stix_to_xsiam_template --- playbooks/templates/playbooks.json | 221 +++++++++++++++----- playbooks/templates/push_iocs_to_xsiam.json | 77 +++++++ 2 files changed, 244 insertions(+), 54 deletions(-) create mode 100644 playbooks/templates/push_iocs_to_xsiam.json diff --git a/playbooks/templates/playbooks.json b/playbooks/templates/playbooks.json index 53a3df2..419686e 100644 --- a/playbooks/templates/playbooks.json +++ b/playbooks/templates/playbooks.json @@ -6,7 +6,7 @@ "alerts", "IOC Collection", "blocklist" - ], + ], "workspace": "Operation Center", "description": "Add the destination ip addresses from the events linked to the alert to an IOC collection" }, @@ -17,7 +17,7 @@ "alerts", "IOC Collection", "blocklist" - ], + ], "workspace": "Operation Center", "description": "Add the source ip addresses from the events linked to the alert to an IOC collection" }, @@ -31,7 +31,7 @@ ], "workspace": "Operation Center", "description": "Add the domains from the events linked to the alert to an IOC collection" - }, + }, { "file": "create_jira_ticket_on_alert.json", "name": "Jira ticket on alert", @@ -41,7 +41,9 @@ "Jira" ], "description": "Create Jira ticket when new alerts are created.", - "workspace": ["Operation Center"] + "workspace": [ + "Operation Center" + ] }, { "file": "msteams_notification.json", @@ -52,7 +54,9 @@ "MS Teams" ], "description": "Notify by Microsoft Teams when new alerts are created.", - "workspace": ["Operation Center"] + "workspace": [ + "Operation Center" + ] }, { "file": "URL_scan_VirusTotal_Enrichement.json", @@ -62,7 +66,9 @@ "alerts", "enrichement" ], - "workspace": ["Operation Center"] + "workspace": [ + "Operation Center" + ] }, { "file": "HTTP_request_Remediation.json", 
@@ -72,7 +78,9 @@ "alerts", "webhook" ], - "workspace": ["Operation Center"] + "workspace": [ + "Operation Center" + ] }, { "file": "email_notification_on_alert_webhook.json", @@ -83,7 +91,9 @@ "notifications", "webhook" ], - "workspace": ["Operation Center"] + "workspace": [ + "Operation Center" + ] }, { "file": "mattermost_notification_on_alert.json", @@ -93,7 +103,9 @@ "alerts", "notifications" ], - "workspace": ["Operation Center"] + "workspace": [ + "Operation Center" + ] }, { "file": "alert_webhook_internet_scan.json", @@ -103,7 +115,9 @@ "alerts", "webhook" ], - "workspace": ["Operation Center"] + "workspace": [ + "Operation Center" + ] }, { "file": "playbook_adware.json", @@ -112,7 +126,9 @@ "tags": [ "alerts" ], - "workspace": ["Operation Center"] + "workspace": [ + "Operation Center" + ] }, { "file": "urgency_to_0_on_rejected.json", @@ -121,7 +137,9 @@ "tags": [ "alerts" ], - "workspace": ["Operation Center"] + "workspace": [ + "Operation Center" + ] }, { "file": "VirusTotal_Enrichement.json", @@ -131,14 +149,21 @@ "alerts", "enrichment" ], - "workspace": ["Operation Center"] + "workspace": [ + "Operation Center" + ] }, { "file": "Enrich_alerts_with_VirusTotal_Hash.json", "name": "Scan for hash on VirusTotal", - "workspace": ["Operation Center"], + "workspace": [ + "Operation Center" + ], "description": "Enrich to check if this file.hash.sha1 is known from VirusTotal, directly from SEKOIA.IO.", - "tags": ["alerts", "enrichement"] + "tags": [ + "alerts", + "enrichement" + ] }, { "file": "Reject_old_alerts.json", @@ -148,7 +173,9 @@ "alerts", "cron" ], - "workspace": ["Operation Center"] + "workspace": [ + "Operation Center" + ] }, { "file": "Enrich_with_IKnow_What_You_Download.json", @@ -159,7 +186,9 @@ "webhook", "enrichment" ], - "workspace": ["Operation Center"] + "workspace": [ + "Operation Center" + ] }, { "file": "Enrich_alerts_with_hostnames.json", 
@@ -169,23 +198,29 @@ "alerts", "enrichment" ], - "workspace": ["Operation Center"] + "workspace": [ + "Operation Center" + ] }, { "file": "Shodan_search_to_observables.json", "name": "Shodan search to observables", - "workspace": ["Intelligence Center"], + "workspace": [ + "Intelligence Center" + ], "description": "Get IP addresses from a shodan search and add it to Observable data base with a tag", "tags": [ - "observable", - "shodan", - "TIP" + "observable", + "shodan", + "TIP" ] }, { "file": "OSINT_to_observables.json", "name": "Generic Fetch OSINT to observable", - "workspace": ["Intelligence Center"], + "workspace": [ + "Intelligence Center" + ], "description": "Retrieve observables from an OSINT to add it to observable database with a tag (eg: https://github.com/MISP/misp-warninglists/tree/main/lists)", "tags": [ "observable", @@ -196,25 +231,37 @@ { "file": "create_alert_on_the_hive_automatic.json", "name": "Automatically create an alert on TheHive", - "workspace": ["Operation Center"], + "workspace": [ + "Operation Center" + ], "description": "Automatically create an alert on TheHive when a new alert is raised in SEKOIA.IO.", - "tags": ["alerts", "thehive"] + "tags": [ + "alerts", + "thehive" + ] }, { "file": "create_alert_on_the_hive_manual.json", "name": "Manually create an Alert on TheHive", - "workspace": ["Operation Center"], + "workspace": [ + "Operation Center" + ], "description": "Create an alert on TheHive via the alert page.", - "tags": ["alerts", "thehive"] + "tags": [ + "alerts", + "thehive" + ] }, { "file": "DigitalShadows_SearchLight_fetch_alerts.json", "name": "Fetch alerts from Digital Shadows SearchLight", - "workspace": ["Operation Center"], + "workspace": [ + "Operation Center" + ], "description": "Synchronise alerts from Digital Shadows SearchLight to SEKOIA.IO events", "tags": [ - "alerts", - "osint" + "alerts", + "osint" ] }, { 
@@ -231,48 +278,73 @@ { "file": "imperva_waf_fetch_logs.json", "name": "Imperva WAF fetch logs", - "workspace": ["Operation Center"], + "workspace": [ + "Operation Center" + ], "description": "Fetch events from Imperva Web Application Firewall and forward them to SEKOIA.IO intake", - "tags": ["events"] + "tags": [ + "events" + ] }, { "file": "forward_vadesecure_records.json", "name": "Forward Vade M365 email Events to SEKOIA.IO", - "workspace": ["Operation Center"], + "workspace": [ + "Operation Center" + ], "description": "This playbook collect logs from 'Vade for M365' then push them to SEKOIA.IO", - "tags": ["events"] + "tags": [ + "events" + ] }, { "file": "Tranco_top_domains_to_observables.json", "name": "Tranco top domains to observables", - "workspace": ["Intelligence Center"], + "workspace": [ + "Intelligence Center" + ], "tags": [ "observables", "tranco", "TIP" - ], - "description": "Automatically import Tranco's top 1 000 000 domain names to observable database" + ], + "description": "Automatically import Tranco's top 1 000 000 domain names to observable database" }, { "file": "forward_google_pubsub_events.json", "name": "Forward Google Pubsub records to SEKOIA.IO", - "workspace": ["Operation Center"], + "workspace": [ + "Operation Center" + ], "description": "This playbook consumes records from Google Pubsub and push them to SEKOIA.IO", - "tags": ["google", "events"] + "tags": [ + "google", + "events" + ] }, { "file": "Enrich_alerts_with_AbuseIPDB.json", "name": "Enrich alerts with AbuseIPDB", - "workspace": ["Operation Center"], + "workspace": [ + "Operation Center" + ], "description": "Enrich with AbuseIPDB to check if the IP is known from this service, directly from SEKOIA.IO.", - "tags": ["alerts", "enrichment"] + "tags": [ + "alerts", + "enrichment" + ] }, { "file": "Alerts_Shodan_Enrichment.json", "name": "Enrich with Shodan", - "workspace": ["Operation Center"], + "workspace": [ + "Operation Center" + ], "description": "Enrich with Shodan to check 
if the IP is known from this service, directly from SEKOIA.IO.", - "tags": ["alerts", "enrichment"] + "tags": [ + "alerts", + "enrichment" + ] }, { "file": "slack_notification_on_alert.json", @@ -282,14 +354,24 @@ "alerts", "notifications" ], - "workspace": ["Operation Center"] + "workspace": [ + "Operation Center" + ] }, { "file": "get_data_and_enrich_with_cloudflare.json", "name": "Get data from OSINT and enrich DNS names with cloudflare DNS over HTTPs API", "description": "Playbook to get data from OSINT and enrich it with CloudFlare DNS over HTTPs API. The playbook then upload observables to database.\n\nPlease configure 'Fetch Osint' node and 'Get domains from Fetch OSINT' jpath to get domains.", - "tags": ["observable", "cloudflare", "fetch osint", "enrich","TIP"], - "workspace": ["Intelligence Center"] + "tags": [ + "observable", + "cloudflare", + "fetch osint", + "enrich", + "TIP" + ], + "workspace": [ + "Intelligence Center" + ] }, { "file": "CrowdSec_alert_enrichment.json", @@ -300,7 +382,9 @@ "alerts", "enrichment" ], - "workspace": ["Operation Center"] + "workspace": [ + "Operation Center" + ] }, { "file": "Crowdstrike_dissemination.json", @@ -310,7 +394,10 @@ "CrowdStrike", "Dissemination" ], - "workspace": ["Operation Center", "Intelligence Center"] + "workspace": [ + "Operation Center", + "Intelligence Center" + ] }, { "file": "create_incident_on_cortex_xsoar.json", 
@@ -320,20 +407,46 @@
 "alerts",
 "XSOAR"
 ],
- "workspace": ["Operation Center"]
+ "workspace": [
+ "Operation Center"
+ ]
 },
 {
 "file": "send_alert_to_nybble_hub.json",
 "name": "Automatically send an alert to Nybble Hub",
- "workspace": ["Operation Center"],
+ "workspace": [
+ "Operation Center"
+ ],
 "description": "Automatically send an alert to Nybble Hub when a new alert is raised in SEKOIA.IO.",
- "tags": ["alerts", "nybble"]
+ "tags": [
+ "alerts",
+ "nybble"
+ ]
 },
 {
 "file": "get_additional_harfang_telemetry.json",
 "name": "HarfangLab telemetry events",
- "workspace": ["Operation Center"],
+ "workspace": [
+ "Operation Center"
+ ],
 "description": "Retrieve additional telemetry when an HarfangLab alert is raised",
- "tags": ["alerts", "enrich", "events"]
+ "tags": [
+ "alerts",
+ "enrich",
+ "events"
+ ]
+ },
+ {
+ "file": "push_iocs_to_xsiam.json",
+ "name": "Push Sekoia.io IOCs to Palo Alto XSIAM Collection",
+ "workspace": [
+ "Intelligence Center"
+ ],
+ "tags": [
+ "observables",
+ "XSIAM",
+ "Dissemination"
+ ],
+ "description": "Add Sekoia active IOCs in Palo Alto XSIAM Collection for detection"
 }
-]
+]
\ No newline at end of file
diff --git a/playbooks/templates/push_iocs_to_xsiam.json b/playbooks/templates/push_iocs_to_xsiam.json
new file mode 100644
index 0000000..6858b92
--- /dev/null
+++ b/playbooks/templates/push_iocs_to_xsiam.json
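Review bot: The new index entry for `push_iocs_to_xsiam.json` lists `"workspace": ["Intelligence Center"]`, but the template file added in this same commit declares `"workspace": "Operation Center"`, so the catalogue and the playbook disagree about where it belongs. One of the two should change so both name the same workspace(s); the existing `Crowdstrike_dissemination.json` entry, which is the closest analogue, lists both `"Operation Center", "Intelligence Center"`. The hunk also turns the closing `]` into a line with no trailing newline (`\ No newline at end of file`), which the second patch fixes only for the new file, not for `playbooks.json`.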
@@ -0,0 +1,77 @@
+{
+ "name": "Push Sekoia.io IOCs to Palo Alto XSIAM Collection",
+ "nodes": {
+ "0": {
+ "icon": "",
+ "name": "Feed Consumption",
+ "type": "trigger",
+ "outputs": {
+ "default": [
+ "1"
+ ]
+ },
+ "position": {
+ "x": -520,
+ "y": -150
+ },
+ "module_uuid": "92d8bb47-7c51-445d-81de-ae04edbb6f0a",
+ "trigger_uuid": "ac6100ed-3fb7-4355-83ac-049c14aa44fd"
+ },
+ "1": {
+ "icon": "",
+ "name": "Transform Sekoia STIX to XSIAM",
+ "type": "action",
+ "outputs": {
+ "default": [
+ "2"
+ ]
+ },
+ "position": {
+ "x": -518,
+ "y": 28
+ },
+ "arguments": {
+ "comment": "Valid from {valid_from} AND STIX Pattern: {pattern}",
+ "class_override": "{id}",
+ "stix_objects_path": "{{ node.0.stix_objects_path }}"
+ },
+ "action_uuid": "68a6bdfa-e0bc-46c6-9580-76a2b44163b0",
+ "module_uuid": "537e1880-5b6c-4b46-ae6c-f228cfc6c6e4"
+ },
+ "2": {
+ "icon": "",
+ "name": "Send batch to XSIAM",
+ "type": "action",
+ "outputs": {
+ "default": []
+ },
+ "position": {
+ "x": -516,
+ "y": 220
+ },
+ "arguments": {
+ "url": "https://api-xxxxxxxxxxxxyourfqdn/public_api/v1/indicators/insert_jsons",
+ "json": "{\n \"request_data\": {{ node.1.data }},\n \"validate\": True\n}",
+ "method": "post",
+ "headers": {
+ "Accept": "application/json",
+ "Content-Type": "application/json",
+ "Authorization": "REDACTED_TO_REPLACED_WITH_API_KEY",
+ "x-xdr-auth-id": "REPLACE_WITH_API_ID"
+ },
+ "verify_ssl": false,
+ "fail_on_http_error": true
+ },
+ "action_uuid": "40bcf3c0-aa8b-4111-9b4e-f3caffccb4e5",
+ "module_uuid": "5894985f-91eb-46db-9306-cc5ac6463d3d"
+ }
+ },
+ "description": "Add Sekoia active IOCs in Palo Alto XSIAM Collection for detection",
+ "workspace": "Operation Center",
+ "tags": [
+ "observables",
+ "XSIAM",
+ "Dissemination"
+ ],
+ "uuid": "7b81c7f7-7c9a-4882-ac26-5cb35446e1a0"
+}
\ No newline at end of file
From 6bbf9e540df77f91defaaf2489beff7a6abe6843 Mon Sep 17 00:00:00 2001
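Review bot: `"verify_ssl": false` in node "2"'s arguments disables certificate verification on the HTTPS call that carries the XSIAM credentials in the `Authorization` and `x-xdr-auth-id` headers, so anyone who imports the template and keeps the default sends the API key and the IOC batch over an unverified TLS connection; a shipped template should default to `"verify_ssl": true,` and leave opting out to the user. The request body in `"json"` renders `\"validate\": True`, which is a Python literal rather than JSON — unless the HTTP action evaluates the rendered string as Python, the API will reject the body, and `\"validate\": true` is the JSON form. The `url` placeholder `https://api-xxxxxxxxxxxxyourfqdn/...` also uses a different convention from the `REPLACE_WITH_...` tokens in the headers; a uniform `REPLACE_WITH_...` marker would make the value easier to spot before the playbook is enabled.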
From: Charles LE REUN <77982369+CharlesLR-sekoia@users.noreply.github.com>
Date: Fri, 27 Jun 2025 15:58:19 +0200
Subject: [PATCH 2/2] typo fixing
---
 playbooks/templates/push_iocs_to_xsiam.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/playbooks/templates/push_iocs_to_xsiam.json b/playbooks/templates/push_iocs_to_xsiam.json
index 6858b92..82a48cd 100644
--- a/playbooks/templates/push_iocs_to_xsiam.json
+++ b/playbooks/templates/push_iocs_to_xsiam.json
@@ -56,7 +56,7 @@
 "headers": {
 "Accept": "application/json",
 "Content-Type": "application/json",
- "Authorization": "REDACTED_TO_REPLACED_WITH_API_KEY",
+ "Authorization": "REPLACE_WITH_API_KEY",
 "x-xdr-auth-id": "REPLACE_WITH_API_ID"
 },
 "verify_ssl": false,
@@ -74,4 +74,4 @@
 "Dissemination"
 ],
 "uuid": "7b81c7f7-7c9a-4882-ac26-5cb35446e1a0"
-}
\ No newline at end of file
+}