
Soar guide

V1D1AN edited this page Apr 26, 2022 · 11 revisions

In S1EM, the SOAR component is n8n.

With n8n, you can automate actions.

Prerequisites

Cortex

For Cortex, you must activate the analyzers used by the workflows below:

TheHive

To send an .eml file to TheHive, you must set "play.http.parser.maxMemoryBuffer: 10MB" in TheHive's application.conf. With this value, an .eml file smaller than 10MB can be sent.

Analyze Email

In the workflow I share below, I send suspicious emails to a dedicated mailbox. They are automatically retrieved and submitted to Cortex for analysis. The email is parsed by the EML Parser analyzer, and the extracted observables (domains, email addresses and IPs) are then analyzed by Cortex in turn.

image

image

image

Workflow for n8n

{
  "name": "Email",
  "nodes": [
    {
      "parameters": {},
      "name": "Start",
      "type": "n8n-nodes-base.start",
      "typeVersion": 1,
      "position": [
        -320,
        600
      ]
    },
    {
      "parameters": {
        "format": "resolved",
        "options": {}
      },
      "name": "IMAP Email",
      "type": "n8n-nodes-base.emailReadImap",
      "typeVersion": 1,
      "position": [
        -300,
        200
      ],
      "credentials": {
        "imap": {
          "id": "5",
          "name": "IMAP account"
        }
      }
    },
    {
      "parameters": {
        "title": "={{$node[\"IMAP Email\"].binary.attachment_0.fileName}}",
        "description": "={{$node[\"IMAP Email\"].binary.attachment_0.fileName}}",
        "tags": "Email",
        "type": "Email",
        "source": "Outlook",
        "sourceRef": "={{$node[\"IMAP Email\"].json[\"messageId\"]}}",
        "artifactUi": {
          "artifactValues": [
            {
              "dataType": "file",
              "binaryProperty": "attachment_0"
            }
          ]
        },
        "additionalFields": {}
      },
      "name": "TheHive",
      "type": "n8n-nodes-base.theHive",
      "typeVersion": 1,
      "position": [
        -20,
        200
      ],
      "alwaysOutputData": true,
      "credentials": {
        "theHiveApi": {
          "id": "1",
          "name": "The Hive account"
        }
      }
    },
    {
      "parameters": {
        "operation": "promote",
        "id": "={{$node[\"TheHive\"].json[\"_id\"]}}",
        "additionalFields": {}
      },
      "name": "Create Case",
      "type": "n8n-nodes-base.theHive",
      "typeVersion": 1,
      "position": [
        280,
        200
      ],
      "alwaysOutputData": true,
      "credentials": {
        "theHiveApi": {
          "id": "1",
          "name": "The Hive account"
        }
      }
    },
    {
      "parameters": {
        "resource": "case",
        "operation": "get",
        "id": "={{$node[\"Create Case\"].json[\"_id\"]}}"
      },
      "name": "Case",
      "type": "n8n-nodes-base.theHive",
      "typeVersion": 1,
      "position": [
        540,
        200
      ],
      "alwaysOutputData": true,
      "credentials": {
        "theHiveApi": {
          "id": "1",
          "name": "The Hive account"
        }
      }
    },
    {
      "parameters": {
        "resource": "observable",
        "caseId": "={{$node[\"Case\"].json[\"_id\"]}}",
        "returnAll": true,
        "options": {}
      },
      "name": "Observable",
      "type": "n8n-nodes-base.theHive",
      "typeVersion": 1,
      "position": [
        1060,
        200
      ],
      "alwaysOutputData": true,
      "credentials": {
        "theHiveApi": {
          "id": "1",
          "name": "The Hive account"
        }
      }
    },
    {
      "parameters": {
        "resource": "observable",
        "operation": "executeAnalyzer",
        "id": "={{$node[\"Observable\"].json[\"_id\"]}}",
        "dataType": "file",
        "analyzers": [
          "24a64a086a410e1c7d7ace74003c4480::CORTEX"
        ]
      },
      "name": "Analyzer Email",
      "type": "n8n-nodes-base.theHive",
      "typeVersion": 1,
      "position": [
        1340,
        200
      ],
      "alwaysOutputData": true,
      "retryOnFail": true,
      "credentials": {
        "theHiveApi": {
          "id": "1",
          "name": "The Hive account"
        }
      }
    },
    {
      "parameters": {
        "resource": "job",
        "operation": "report",
        "jobId": "={{$node[\"Analyzer Email\"].json[\"cortexJobId\"]}}"
      },
      "name": "Cortex",
      "type": "n8n-nodes-base.cortex",
      "typeVersion": 1,
      "position": [
        1560,
        200
      ],
      "credentials": {
        "cortexApi": {
          "id": "2",
          "name": "Cortex account"
        }
      }
    },
    {
      "parameters": {
        "conditions": {
          "number": [
            {
              "value1": "={{$node[\"Cortex\"].json[\"report\"][\"full\"][\"iocs\"][\"domain\"].length}}",
              "operation": "larger"
            },
            {
              "value1": "={{$node[\"Cortex\"].json[\"report\"][\"full\"][\"iocs\"][\"email\"].length}}",
              "operation": "larger"
            },
            {
              "value1": "={{$node[\"Cortex\"].json[\"report\"][\"full\"][\"iocs\"][\"ip\"].length}}",
              "operation": "larger"
            }
          ]
        },
        "combineOperation": "any"
      },
      "name": "IF",
      "type": "n8n-nodes-base.if",
      "typeVersion": 1,
      "position": [
        -20,
        640
      ]
    },
    {
      "parameters": {
        "resource": "observable",
        "operation": "create",
        "caseId": "={{$node[\"Case\"].json[\"_id\"]}}",
        "dataType": "domain",
        "data": "={{$node[\"Cortex\"].json[\"report\"][\"full\"][\"iocs\"][\"domain\"]}}",
        "message": "={{$node[\"Cortex\"].json[\"analyzerName\"]}}",
        "ioc": true,
        "status": "Ok",
        "options": {
          "tags": "Domain"
        }
      },
      "name": "Update Case Domain",
      "type": "n8n-nodes-base.theHive",
      "typeVersion": 1,
      "position": [
        420,
        420
      ],
      "credentials": {
        "theHiveApi": {
          "id": "1",
          "name": "The Hive account"
        }
      }
    },
    {
      "parameters": {
        "resource": "observable",
        "operation": "create",
        "caseId": "={{$node[\"Case\"].json[\"_id\"]}}",
        "dataType": "mail",
        "data": "={{$node[\"Cortex\"].json[\"report\"][\"full\"][\"iocs\"][\"email\"]}}",
        "message": "={{$node[\"Cortex\"].json[\"analyzerName\"]}}",
        "ioc": true,
        "status": "Ok",
        "options": {
          "tags": "Domain"
        }
      },
      "name": "Update Case Email",
      "type": "n8n-nodes-base.theHive",
      "typeVersion": 1,
      "position": [
        420,
        620
      ],
      "credentials": {
        "theHiveApi": {
          "id": "1",
          "name": "The Hive account"
        }
      }
    },
    {
      "parameters": {
        "resource": "observable",
        "operation": "create",
        "caseId": "={{$node[\"Case\"].json[\"_id\"]}}",
        "dataType": "ip",
        "data": "={{$node[\"Cortex\"].json[\"report\"][\"full\"][\"iocs\"][\"ip\"]}}",
        "message": "={{$node[\"Cortex\"].json[\"analyzerName\"]}}",
        "ioc": true,
        "status": "Ok",
        "options": {
          "tags": "Domain"
        }
      },
      "name": "Update Case Ip",
      "type": "n8n-nodes-base.theHive",
      "typeVersion": 1,
      "position": [
        420,
        820
      ],
      "credentials": {
        "theHiveApi": {
          "id": "1",
          "name": "The Hive account"
        }
      }
    },
    {
      "parameters": {
        "amount": 5,
        "unit": "seconds"
      },
      "name": "Wait",
      "type": "n8n-nodes-base.wait",
      "typeVersion": 1,
      "position": [
        800,
        200
      ],
      "webhookId": "ecada1d5-a671-44fc-906e-c64c6f05e760"
    },
    {
      "parameters": {
        "resource": "observable",
        "operation": "executeAnalyzer",
        "id": "={{$node[\"Update Case Email\"].json[\"id\"]}}",
        "dataType": "mail",
        "analyzers": [
          "9902b4e5c58015184b177de13f2151c7::CORTEX"
        ]
      },
      "name": "Email Reputation",
      "type": "n8n-nodes-base.theHive",
      "typeVersion": 1,
      "position": [
        640,
        620
      ],
      "credentials": {
        "theHiveApi": {
          "id": "1",
          "name": "The Hive account"
        }
      }
    },
    {
      "parameters": {
        "conditions": {
          "boolean": [
            {
              "value1": "={{$node[\"Email Reputation\"].json[\"report\"][\"full\"][\"suspicious\"]}}",
              "value2": "={{false}}"
            }
          ],
          "string": [
            {
              "value1": "={{$node[\"Analyze DOMAIN\"].json[\"report\"][\"full\"][\"results\"][0][\"result\"]}}",
              "operation": "notContains",
              "value2": "=[Array: []]"
            },
            {
              "value1": "={{$node[\"Analyze IP\"].json[\"report\"][\"full\"][\"results\"][0][\"result\"]}}",
              "operation": "notContains",
              "value2": "=[Array: []]"
            }
          ]
        }
      },
      "name": "IF1",
      "type": "n8n-nodes-base.if",
      "typeVersion": 1,
      "position": [
        960,
        620
      ]
    },
    {
      "parameters": {
        "resource": "case",
        "operation": "update",
        "id": "={{$node[\"Case\"].json[\"_id\"]}}",
        "jsonParameters": false,
        "updateFields": {
          "resolutionStatus": "FalsePositive",
          "status": "Resolved"
        }
      },
      "name": "Close case",
      "type": "n8n-nodes-base.theHive",
      "typeVersion": 1,
      "position": [
        1240,
        440
      ],
      "credentials": {
        "theHiveApi": {
          "id": "1",
          "name": "The Hive account"
        }
      }
    },
    {
      "parameters": {
        "resource": "case",
        "operation": "update",
        "id": "={{$node[\"Case\"].json[\"_id\"]}}",
        "jsonParameters": false,
        "updateFields": {
          "resolutionStatus": "Indeterminate",
          "status": "Open"
        }
      },
      "name": "Inderterminte case",
      "type": "n8n-nodes-base.theHive",
      "typeVersion": 1,
      "position": [
        1240,
        840
      ],
      "credentials": {
        "theHiveApi": {
          "id": "1",
          "name": "The Hive account"
        }
      }
    },
    {
      "parameters": {
        "resource": "observable",
        "operation": "executeAnalyzer",
        "id": "={{$node[\"Update Case Domain\"].json[\"id\"]}}",
        "dataType": "domain",
        "analyzers": [
          "b084bf78d1aea92966b6ef6a4f6193a5::CORTEX",
          "69bda1b828b81062489cf810dbf07380::CORTEX"
        ]
      },
      "name": "Analyze DOMAIN",
      "type": "n8n-nodes-base.theHive",
      "typeVersion": 1,
      "position": [
        640,
        420
      ],
      "credentials": {
        "theHiveApi": {
          "id": "1",
          "name": "The Hive account"
        }
      }
    },
    {
      "parameters": {
        "resource": "observable",
        "operation": "executeAnalyzer",
        "id": "={{$node[\"Update Case Ip\"].json[\"id\"]}}",
        "dataType": "ip",
        "analyzers": [
          "b084bf78d1aea92966b6ef6a4f6193a5::CORTEX",
          "69bda1b828b81062489cf810dbf07380::CORTEX"
        ]
      },
      "name": "Analyze IP",
      "type": "n8n-nodes-base.theHive",
      "typeVersion": 1,
      "position": [
        640,
        820
      ],
      "credentials": {
        "theHiveApi": {
          "id": "1",
          "name": "The Hive account"
        }
      }
    }
  ],
  "connections": {
    "IMAP Email": {
      "main": [
        [
          {
            "node": "TheHive",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Create Case": {
      "main": [
        [
          {
            "node": "Case",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Case": {
      "main": [
        [
          {
            "node": "Wait",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "TheHive": {
      "main": [
        [
          {
            "node": "Create Case",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Observable": {
      "main": [
        [
          {
            "node": "Analyzer Email",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Analyzer Email": {
      "main": [
        [
          {
            "node": "Cortex",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Cortex": {
      "main": [
        [
          {
            "node": "IF",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "IF": {
      "main": [
        [
          {
            "node": "Update Case Domain",
            "type": "main",
            "index": 0
          },
          {
            "node": "Update Case Email",
            "type": "main",
            "index": 0
          },
          {
            "node": "Update Case Ip",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Wait": {
      "main": [
        [
          {
            "node": "Observable",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Update Case Ip": {
      "main": [
        [
          {
            "node": "Analyze IP",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Update Case Email": {
      "main": [
        [
          {
            "node": "Email Reputation",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Update Case Domain": {
      "main": [
        [
          {
            "node": "Analyze DOMAIN",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Email Reputation": {
      "main": [
        [
          {
            "node": "IF1",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "IF1": {
      "main": [
        [
          {
            "node": "Close case",
            "type": "main",
            "index": 0
          }
        ],
        [
          {
            "node": "Inderterminte case",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Analyze DOMAIN": {
      "main": [
        [
          {
            "node": "IF1",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Analyze IP": {
      "main": [
        [
          {
            "node": "IF1",
            "type": "main",
            "index": 0
          }
        ]
      ]
    }
  },
  "active": true,
  "settings": {
    "saveDataErrorExecution": "none",
    "saveDataSuccessExecution": "none",
    "saveExecutionProgress": "DEFAULT",
    "saveManualExecutions": false
  },
  "id": 4
}

Analyzer Misp

In the workflow I share below, when TheHive receives an alert from MISP, the alert is promoted to a case and the IOCs from MISP are searched for in S1EM. Before importing it, replace the `webhookUri` of the Discord node with your own webhook URL: the value in the export below is a live Discord webhook token, and a token published in a wiki should be treated as compromised and regenerated.

image

Workflow for n8n

{
  "name": "Misp",
  "nodes": [
    {
      "parameters": {},
      "name": "Start",
      "type": "n8n-nodes-base.start",
      "typeVersion": 1,
      "position": [
        -1100,
        -320
      ],
      "disabled": true
    },
    {
      "parameters": {
        "operation": "promote",
        "id": "={{$node[\"Get alert\"].json[\"_id\"]}}",
        "additionalFields": {}
      },
      "name": "Create Case",
      "type": "n8n-nodes-base.theHive",
      "typeVersion": 1,
      "position": [
        -340,
        -140
      ],
      "credentials": {
        "theHiveApi": {
          "id": "1",
          "name": "The Hive account"
        }
      }
    },
    {
      "parameters": {
        "resource": "case",
        "operation": "get",
        "id": "={{$node[\"Create Case\"].json[\"_id\"]}}"
      },
      "name": "Case",
      "type": "n8n-nodes-base.theHive",
      "typeVersion": 1,
      "position": [
        -120,
        -140
      ],
      "credentials": {
        "theHiveApi": {
          "id": "1",
          "name": "The Hive account"
        }
      }
    },
    {
      "parameters": {
        "resource": "observable",
        "caseId": "={{$node[\"Case\"].json[\"_id\"]}}",
        "returnAll": true,
        "options": {}
      },
      "name": "Observable",
      "type": "n8n-nodes-base.theHive",
      "typeVersion": 1,
      "position": [
        -1080,
        280
      ],
      "alwaysOutputData": true,
      "credentials": {
        "theHiveApi": {
          "id": "1",
          "name": "The Hive account"
        }
      }
    },
    {
      "parameters": {
        "events": [
          "alert_create"
        ]
      },
      "name": "TheHive Trigger",
      "type": "n8n-nodes-base.theHiveTrigger",
      "typeVersion": 1,
      "position": [
        -1100,
        -120
      ],
      "webhookId": "6c781b58-6e54-45a4-9167-6ee7fcb62352"
    },
    {
      "parameters": {
        "operation": "get",
        "id": "={{$node[\"TheHive Trigger\"].json[\"body\"][\"object\"][\"_id\"]}}"
      },
      "name": "Get alert",
      "type": "n8n-nodes-base.theHive",
      "typeVersion": 1,
      "position": [
        -580,
        -140
      ],
      "credentials": {
        "theHiveApi": {
          "id": "1",
          "name": "The Hive account"
        }
      }
    },
    {
      "parameters": {
        "resource": "observable",
        "operation": "executeAnalyzer",
        "id": "={{$node[\"Get Hash\"].json[\"_id\"]}}",
        "dataType": "hash",
        "analyzers": [
          "0fce46174e1fa2e8c6b8d0e8168eff86::CORTEX"
        ]
      },
      "name": "Analyze hash",
      "type": "n8n-nodes-base.theHive",
      "typeVersion": 1,
      "position": [
        -360,
        120
      ],
      "credentials": {
        "theHiveApi": {
          "id": "1",
          "name": "The Hive account"
        }
      }
    },
    {
      "parameters": {
        "resource": "observable",
        "operation": "executeAnalyzer",
        "id": "={{$node[\"Get IP\"].json[\"_id\"]}}",
        "dataType": "ip",
        "analyzers": [
          "1dc583fae797ac4cae3a9afbd40d0f97::CORTEX"
        ]
      },
      "name": "Analyze Ip",
      "type": "n8n-nodes-base.theHive",
      "typeVersion": 1,
      "position": [
        -360,
        360
      ],
      "credentials": {
        "theHiveApi": {
          "id": "1",
          "name": "The Hive account"
        }
      }
    },
    {
      "parameters": {
        "conditions": {
          "string": [
            {
              "value1": "={{$node[\"TheHive Trigger\"].json[\"body\"][\"object\"][\"type\"]}}",
              "value2": "misp"
            }
          ]
        }
      },
      "name": "IF1",
      "type": "n8n-nodes-base.if",
      "typeVersion": 1,
      "position": [
        -840,
        -120
      ]
    },
    {
      "parameters": {
        "webhookUri": "https://discord.com/api/webhooks/968102639449554995/yKsEveOtLlekvCSGQko6fr7RIB83NonCOJlJ9FKW_iqPSGSHBylCxbvcS1PBY1Jci9iY",
        "text": "={{$node[\"Create Case\"].json[\"title\"]}}",
        "options": {}
      },
      "name": "Discord",
      "type": "n8n-nodes-base.discord",
      "typeVersion": 1,
      "position": [
        20,
        240
      ]
    },
    {
      "parameters": {
        "amount": 10,
        "unit": "seconds"
      },
      "name": "Wait",
      "type": "n8n-nodes-base.wait",
      "typeVersion": 1,
      "position": [
        100,
        -140
      ],
      "webhookId": "54dd3167-8d4d-4f1a-9343-c77b059ce7c9"
    },
    {
      "parameters": {
        "conditions": {
          "string": [
            {
              "value1": "={{$node[\"Observable\"].json[\"dataType\"]}}",
              "value2": "hash"
            }
          ]
        }
      },
      "name": "IF Hash",
      "type": "n8n-nodes-base.if",
      "typeVersion": 1,
      "position": [
        -800,
        140
      ]
    },
    {
      "parameters": {
        "conditions": {
          "string": [
            {
              "value1": "={{$node[\"Observable\"].json[\"dataType\"]}}",
              "value2": "ip"
            }
          ]
        }
      },
      "name": "IF IP",
      "type": "n8n-nodes-base.if",
      "typeVersion": 1,
      "position": [
        -800,
        380
      ]
    },
    {
      "parameters": {
        "resource": "observable",
        "operation": "get",
        "id": "={{$node[\"IF IP\"].json[\"_id\"]}}"
      },
      "name": "Get IP",
      "type": "n8n-nodes-base.theHive",
      "typeVersion": 1,
      "position": [
        -580,
        360
      ],
      "credentials": {
        "theHiveApi": {
          "id": "1",
          "name": "The Hive account"
        }
      }
    },
    {
      "parameters": {
        "resource": "observable",
        "operation": "get",
        "id": "={{$node[\"IF Hash\"].json[\"_id\"]}}"
      },
      "name": "Get Hash",
      "type": "n8n-nodes-base.theHive",
      "typeVersion": 1,
      "position": [
        -580,
        120
      ],
      "credentials": {
        "theHiveApi": {
          "id": "1",
          "name": "The Hive account"
        }
      }
    }
  ],
  "connections": {
    "Create Case": {
      "main": [
        [
          {
            "node": "Case",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Case": {
      "main": [
        [
          {
            "node": "Wait",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "TheHive Trigger": {
      "main": [
        [
          {
            "node": "IF1",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Get alert": {
      "main": [
        [
          {
            "node": "Create Case",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Observable": {
      "main": [
        [
          {
            "node": "IF Hash",
            "type": "main",
            "index": 0
          },
          {
            "node": "IF IP",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "IF1": {
      "main": [
        [
          {
            "node": "Get alert",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Analyze hash": {
      "main": [
        [
          {
            "node": "Discord",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Analyze Ip": {
      "main": [
        [
          {
            "node": "Discord",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Wait": {
      "main": [
        [
          {
            "node": "Observable",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "IF Hash": {
      "main": [
        [
          {
            "node": "Get Hash",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "IF IP": {
      "main": [
        [
          {
            "node": "Get IP",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Get IP": {
      "main": [
        [
          {
            "node": "Analyze Ip",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Get Hash": {
      "main": [
        [
          {
            "node": "Analyze hash",
            "type": "main",
            "index": 0
          }
        ]
      ]
    }
  },
  "active": true,
  "settings": {
    "timezone": "Europe/Paris",
    "errorWorkflow": "1",
    "executionTimeout": 3600
  },
  "id": 1
}