Soar guide
S1EM ships with n8n as its SOAR.
With n8n, you can automate actions.
For Cortex, you must enable the following analyzers:
- Eml Parser
- EmailRep (request a free API key at https://emailrep.io/)
- OTX
To send EML files to TheHive, you must set "play.http.parser.maxMemoryBuffer: 10MB" in application.conf. With this setting, you can send an EML file smaller than 10 MB.
In the workflow I share below, suspicious emails are sent to a dedicated mailbox. They are automatically retrieved and submitted to Cortex for analysis: the email is parsed by EML Parser, and the extracted observables are then analyzed by Cortex in turn.
{
"name": "Email",
"nodes": [
{
"parameters": {},
"name": "Start",
"type": "n8n-nodes-base.start",
"typeVersion": 1,
"position": [
-320,
600
]
},
{
"parameters": {
"format": "resolved",
"options": {}
},
"name": "IMAP Email",
"type": "n8n-nodes-base.emailReadImap",
"typeVersion": 1,
"position": [
-300,
200
],
"credentials": {
"imap": {
"id": "5",
"name": "IMAP account"
}
}
},
{
"parameters": {
"title": "={{$node[\"IMAP Email\"].binary.attachment_0.fileName}}",
"description": "={{$node[\"IMAP Email\"].binary.attachment_0.fileName}}",
"tags": "Email",
"type": "Email",
"source": "Outlook",
"sourceRef": "={{$node[\"IMAP Email\"].json[\"messageId\"]}}",
"artifactUi": {
"artifactValues": [
{
"dataType": "file",
"binaryProperty": "attachment_0"
}
]
},
"additionalFields": {}
},
"name": "TheHive",
"type": "n8n-nodes-base.theHive",
"typeVersion": 1,
"position": [
-20,
200
],
"alwaysOutputData": true,
"credentials": {
"theHiveApi": {
"id": "1",
"name": "The Hive account"
}
}
},
{
"parameters": {
"operation": "promote",
"id": "={{$node[\"TheHive\"].json[\"_id\"]}}",
"additionalFields": {}
},
"name": "Create Case",
"type": "n8n-nodes-base.theHive",
"typeVersion": 1,
"position": [
280,
200
],
"alwaysOutputData": true,
"credentials": {
"theHiveApi": {
"id": "1",
"name": "The Hive account"
}
}
},
{
"parameters": {
"resource": "case",
"operation": "get",
"id": "={{$node[\"Create Case\"].json[\"_id\"]}}"
},
"name": "Case",
"type": "n8n-nodes-base.theHive",
"typeVersion": 1,
"position": [
540,
200
],
"alwaysOutputData": true,
"credentials": {
"theHiveApi": {
"id": "1",
"name": "The Hive account"
}
}
},
{
"parameters": {
"resource": "observable",
"caseId": "={{$node[\"Case\"].json[\"_id\"]}}",
"returnAll": true,
"options": {}
},
"name": "Observable",
"type": "n8n-nodes-base.theHive",
"typeVersion": 1,
"position": [
1060,
200
],
"alwaysOutputData": true,
"credentials": {
"theHiveApi": {
"id": "1",
"name": "The Hive account"
}
}
},
{
"parameters": {
"resource": "observable",
"operation": "executeAnalyzer",
"id": "={{$node[\"Observable\"].json[\"_id\"]}}",
"dataType": "file",
"analyzers": [
"24a64a086a410e1c7d7ace74003c4480::CORTEX"
]
},
"name": "Analyzer Email",
"type": "n8n-nodes-base.theHive",
"typeVersion": 1,
"position": [
1340,
200
],
"alwaysOutputData": true,
"retryOnFail": true,
"credentials": {
"theHiveApi": {
"id": "1",
"name": "The Hive account"
}
}
},
{
"parameters": {
"resource": "job",
"operation": "report",
"jobId": "={{$node[\"Analyzer Email\"].json[\"cortexJobId\"]}}"
},
"name": "Cortex",
"type": "n8n-nodes-base.cortex",
"typeVersion": 1,
"position": [
1560,
200
],
"credentials": {
"cortexApi": {
"id": "2",
"name": "Cortex account"
}
}
},
{
"parameters": {
"conditions": {
"number": [
{
"value1": "={{$node[\"Cortex\"].json[\"report\"][\"full\"][\"iocs\"][\"domain\"].length}}",
"operation": "larger"
},
{
"value1": "={{$node[\"Cortex\"].json[\"report\"][\"full\"][\"iocs\"][\"email\"].length}}",
"operation": "larger"
},
{
"value1": "={{$node[\"Cortex\"].json[\"report\"][\"full\"][\"iocs\"][\"ip\"].length}}",
"operation": "larger"
}
]
},
"combineOperation": "any"
},
"name": "IF",
"type": "n8n-nodes-base.if",
"typeVersion": 1,
"position": [
-20,
640
]
},
{
"parameters": {
"resource": "observable",
"operation": "create",
"caseId": "={{$node[\"Case\"].json[\"_id\"]}}",
"dataType": "domain",
"data": "={{$node[\"Cortex\"].json[\"report\"][\"full\"][\"iocs\"][\"domain\"]}}",
"message": "={{$node[\"Cortex\"].json[\"analyzerName\"]}}",
"ioc": true,
"status": "Ok",
"options": {
"tags": "Domain"
}
},
"name": "Update Case Domain",
"type": "n8n-nodes-base.theHive",
"typeVersion": 1,
"position": [
420,
420
],
"credentials": {
"theHiveApi": {
"id": "1",
"name": "The Hive account"
}
}
},
{
"parameters": {
"resource": "observable",
"operation": "create",
"caseId": "={{$node[\"Case\"].json[\"_id\"]}}",
"dataType": "mail",
"data": "={{$node[\"Cortex\"].json[\"report\"][\"full\"][\"iocs\"][\"email\"]}}",
"message": "={{$node[\"Cortex\"].json[\"analyzerName\"]}}",
"ioc": true,
"status": "Ok",
"options": {
"tags": "Domain"
}
},
"name": "Update Case Email",
"type": "n8n-nodes-base.theHive",
"typeVersion": 1,
"position": [
420,
620
],
"credentials": {
"theHiveApi": {
"id": "1",
"name": "The Hive account"
}
}
},
{
"parameters": {
"resource": "observable",
"operation": "create",
"caseId": "={{$node[\"Case\"].json[\"_id\"]}}",
"dataType": "ip",
"data": "={{$node[\"Cortex\"].json[\"report\"][\"full\"][\"iocs\"][\"ip\"]}}",
"message": "={{$node[\"Cortex\"].json[\"analyzerName\"]}}",
"ioc": true,
"status": "Ok",
"options": {
"tags": "Domain"
}
},
"name": "Update Case Ip",
"type": "n8n-nodes-base.theHive",
"typeVersion": 1,
"position": [
420,
820
],
"credentials": {
"theHiveApi": {
"id": "1",
"name": "The Hive account"
}
}
},
{
"parameters": {
"amount": 5,
"unit": "seconds"
},
"name": "Wait",
"type": "n8n-nodes-base.wait",
"typeVersion": 1,
"position": [
800,
200
],
"webhookId": "ecada1d5-a671-44fc-906e-c64c6f05e760"
},
{
"parameters": {
"resource": "observable",
"operation": "executeAnalyzer",
"id": "={{$node[\"Update Case Email\"].json[\"id\"]}}",
"dataType": "mail",
"analyzers": [
"9902b4e5c58015184b177de13f2151c7::CORTEX"
]
},
"name": "Email Reputation",
"type": "n8n-nodes-base.theHive",
"typeVersion": 1,
"position": [
640,
620
],
"credentials": {
"theHiveApi": {
"id": "1",
"name": "The Hive account"
}
}
},
{
"parameters": {
"conditions": {
"boolean": [
{
"value1": "={{$node[\"Email Reputation\"].json[\"report\"][\"full\"][\"suspicious\"]}}",
"value2": "={{false}}"
}
],
"string": [
{
"value1": "={{$node[\"Analyze DOMAIN\"].json[\"report\"][\"full\"][\"results\"][0][\"result\"]}}",
"operation": "notContains",
"value2": "=[Array: []]"
},
{
"value1": "={{$node[\"Analyze IP\"].json[\"report\"][\"full\"][\"results\"][0][\"result\"]}}",
"operation": "notContains",
"value2": "=[Array: []]"
}
]
}
},
"name": "IF1",
"type": "n8n-nodes-base.if",
"typeVersion": 1,
"position": [
960,
620
]
},
{
"parameters": {
"resource": "case",
"operation": "update",
"id": "={{$node[\"Case\"].json[\"_id\"]}}",
"jsonParameters": false,
"updateFields": {
"resolutionStatus": "FalsePositive",
"status": "Resolved"
}
},
"name": "Close case",
"type": "n8n-nodes-base.theHive",
"typeVersion": 1,
"position": [
1240,
440
],
"credentials": {
"theHiveApi": {
"id": "1",
"name": "The Hive account"
}
}
},
{
"parameters": {
"resource": "case",
"operation": "update",
"id": "={{$node[\"Case\"].json[\"_id\"]}}",
"jsonParameters": false,
"updateFields": {
"resolutionStatus": "Indeterminate",
"status": "Open"
}
},
"name": "Inderterminte case",
"type": "n8n-nodes-base.theHive",
"typeVersion": 1,
"position": [
1240,
840
],
"credentials": {
"theHiveApi": {
"id": "1",
"name": "The Hive account"
}
}
},
{
"parameters": {
"resource": "observable",
"operation": "executeAnalyzer",
"id": "={{$node[\"Update Case Domain\"].json[\"id\"]}}",
"dataType": "domain",
"analyzers": [
"b084bf78d1aea92966b6ef6a4f6193a5::CORTEX",
"69bda1b828b81062489cf810dbf07380::CORTEX"
]
},
"name": "Analyze DOMAIN",
"type": "n8n-nodes-base.theHive",
"typeVersion": 1,
"position": [
640,
420
],
"credentials": {
"theHiveApi": {
"id": "1",
"name": "The Hive account"
}
}
},
{
"parameters": {
"resource": "observable",
"operation": "executeAnalyzer",
"id": "={{$node[\"Update Case Ip\"].json[\"id\"]}}",
"dataType": "ip",
"analyzers": [
"b084bf78d1aea92966b6ef6a4f6193a5::CORTEX",
"69bda1b828b81062489cf810dbf07380::CORTEX"
]
},
"name": "Analyze IP",
"type": "n8n-nodes-base.theHive",
"typeVersion": 1,
"position": [
640,
820
],
"credentials": {
"theHiveApi": {
"id": "1",
"name": "The Hive account"
}
}
}
],
"connections": {
"IMAP Email": {
"main": [
[
{
"node": "TheHive",
"type": "main",
"index": 0
}
]
]
},
"Create Case": {
"main": [
[
{
"node": "Case",
"type": "main",
"index": 0
}
]
]
},
"Case": {
"main": [
[
{
"node": "Wait",
"type": "main",
"index": 0
}
]
]
},
"TheHive": {
"main": [
[
{
"node": "Create Case",
"type": "main",
"index": 0
}
]
]
},
"Observable": {
"main": [
[
{
"node": "Analyzer Email",
"type": "main",
"index": 0
}
]
]
},
"Analyzer Email": {
"main": [
[
{
"node": "Cortex",
"type": "main",
"index": 0
}
]
]
},
"Cortex": {
"main": [
[
{
"node": "IF",
"type": "main",
"index": 0
}
]
]
},
"IF": {
"main": [
[
{
"node": "Update Case Domain",
"type": "main",
"index": 0
},
{
"node": "Update Case Email",
"type": "main",
"index": 0
},
{
"node": "Update Case Ip",
"type": "main",
"index": 0
}
]
]
},
"Wait": {
"main": [
[
{
"node": "Observable",
"type": "main",
"index": 0
}
]
]
},
"Update Case Ip": {
"main": [
[
{
"node": "Analyze IP",
"type": "main",
"index": 0
}
]
]
},
"Update Case Email": {
"main": [
[
{
"node": "Email Reputation",
"type": "main",
"index": 0
}
]
]
},
"Update Case Domain": {
"main": [
[
{
"node": "Analyze DOMAIN",
"type": "main",
"index": 0
}
]
]
},
"Email Reputation": {
"main": [
[
{
"node": "IF1",
"type": "main",
"index": 0
}
]
]
},
"IF1": {
"main": [
[
{
"node": "Close case",
"type": "main",
"index": 0
}
],
[
{
"node": "Inderterminte case",
"type": "main",
"index": 0
}
]
]
},
"Analyze DOMAIN": {
"main": [
[
{
"node": "IF1",
"type": "main",
"index": 0
}
]
]
},
"Analyze IP": {
"main": [
[
{
"node": "IF1",
"type": "main",
"index": 0
}
]
]
}
},
"active": true,
"settings": {
"saveDataErrorExecution": "none",
"saveDataSuccessExecution": "none",
"saveExecutionProgress": "DEFAULT",
"saveManualExecutions": false
},
"id": 4
}
In the workflow I share below, when TheHive receives an alert from MISP, the alert is promoted to a case and the IOCs from MISP are searched for in S1EM. The "Output Discord" node embeds a Discord webhook URL, which is a secret: replace it with your own webhook before importing the workflow, and treat the URL shown here as exposed.
{
"name": "Alertes thehive",
"nodes": [
{
"parameters": {},
"name": "Start",
"type": "n8n-nodes-base.start",
"typeVersion": 1,
"position": [
-1520,
120
],
"id": "03336b57-a08e-4f73-8988-8bcc969be91d",
"disabled": true
},
{
"parameters": {
"events": [
"alert_create"
]
},
"name": "TheHive Trigger",
"type": "n8n-nodes-base.theHiveTrigger",
"typeVersion": 1,
"position": [
-2400,
-1320
],
"webhookId": "6c781b58-6e54-45a4-9167-6ee7fcb62352",
"alwaysOutputData": true,
"id": "30776f3d-f763-4f9c-be53-aa0a4bec2db9"
},
{
"parameters": {
"conditions": {
"string": [
{
"value1": "={{$node[\"TheHive Trigger\"].json[\"body\"][\"object\"][\"type\"]}}",
"operation": "notEqual",
"value2": "misp"
}
]
}
},
"name": "IF Not Alert Misp",
"type": "n8n-nodes-base.if",
"typeVersion": 1,
"position": [
-480,
-1320
],
"id": "133e93b3-007c-4ad7-bd00-e694c8207527"
},
{
"parameters": {
"operation": "promote",
"id": "={{$node[\"Alerts Elastalert\"].json[\"_id\"]}}",
"additionalFields": {}
},
"name": "Create Case From Alerts Elastalert",
"type": "n8n-nodes-base.theHive",
"typeVersion": 1,
"position": [
100,
-1340
],
"id": "29dd3091-40ed-44a0-9fce-e0e3f7a4b05d",
"credentials": {
"theHiveApi": {
"id": "1",
"name": "The Hive account"
}
}
},
{
"parameters": {
"operation": "get",
"id": "={{$node[\"TheHive Trigger\"].json[\"body\"][\"object\"][\"_id\"]}}",
"options": {}
},
"name": "Alerts Elastalert",
"type": "n8n-nodes-base.theHive",
"typeVersion": 1,
"position": [
-180,
-1340
],
"id": "7a40715b-ed1d-42fa-bc34-f97e5f36ecf8",
"credentials": {
"theHiveApi": {
"id": "1",
"name": "The Hive account"
}
}
},
{
"parameters": {
"resource": "case",
"operation": "get",
"id": "={{$node[\"Create Case From Alerts Elastalert\"].json[\"_id\"]}}"
},
"name": "Get Case From Case Elastalert",
"type": "n8n-nodes-base.theHive",
"typeVersion": 1,
"position": [
340,
-1340
],
"id": "9cb0602e-46e8-46f9-a38f-e2a7d0625775",
"credentials": {
"theHiveApi": {
"id": "1",
"name": "The Hive account"
}
}
},
{
"parameters": {
"amount": 10,
"unit": "seconds"
},
"name": "Wait For Case Elastalert",
"type": "n8n-nodes-base.wait",
"typeVersion": 1,
"position": [
560,
-1340
],
"webhookId": "dcc0ae8c-40b5-48c3-8568-abc674fcc088",
"id": "58847682-853d-4f53-bc50-ff2277d36195"
},
{
"parameters": {
"resource": "observable",
"caseId": "={{$node[\"Get Case From Case Elastalert\"].json[\"_id\"]}}",
"returnAll": true,
"options": {}
},
"name": "Get Observables From Case Elastalert",
"type": "n8n-nodes-base.theHive",
"typeVersion": 1,
"position": [
-920,
-660
],
"alwaysOutputData": true,
"id": "586baef3-31cb-46e5-8725-587fab176c9f",
"credentials": {
"theHiveApi": {
"id": "1",
"name": "The Hive account"
}
}
},
{
"parameters": {
"conditions": {
"string": [
{
"value1": "={{$node[\"Get Observables From Case Elastalert\"].json[\"dataType\"]}}",
"value2": "hash"
}
]
}
},
"name": "IF Hash From Case Elastalert",
"type": "n8n-nodes-base.if",
"typeVersion": 1,
"position": [
-480,
-1060
],
"id": "0848942b-cf70-468b-be60-41b2b7ea63da"
},
{
"parameters": {
"conditions": {
"string": [
{
"value1": "={{$node[\"Get Observables From Case Elastalert\"].json[\"dataType\"]}}",
"value2": "ip"
}
]
}
},
"name": "IF IP From Case Elastalert",
"type": "n8n-nodes-base.if",
"typeVersion": 1,
"position": [
-480,
-820
],
"id": "f2417b7a-75cc-48a6-876f-66568832d9af"
},
{
"parameters": {
"resource": "observable",
"operation": "get",
"id": "={{$node[\"IF Hash From Case Elastalert\"].json[\"_id\"]}}"
},
"name": "Get Hash From Case Elastalert",
"type": "n8n-nodes-base.theHive",
"typeVersion": 1,
"position": [
-180,
-1080
],
"id": "2c7924bc-15a4-40da-a3ba-fd178a9c377d",
"credentials": {
"theHiveApi": {
"id": "1",
"name": "The Hive account"
}
}
},
{
"parameters": {
"resource": "observable",
"operation": "get",
"id": "={{$node[\"IF IP From Case Elastalert\"].json[\"_id\"]}}"
},
"name": "Get IP From Case Elastalert",
"type": "n8n-nodes-base.theHive",
"typeVersion": 1,
"position": [
-180,
-840
],
"id": "b9d19a73-fe0a-4df7-b881-91c727a4cc80",
"credentials": {
"theHiveApi": {
"id": "1",
"name": "The Hive account"
}
}
},
{
"parameters": {
"resource": "observable",
"operation": "get",
"id": "={{$node[\"IF Domain From Case Elastalert\"].json[\"_id\"]}}"
},
"name": "Get Domain From Case Elastalert",
"type": "n8n-nodes-base.theHive",
"typeVersion": 1,
"position": [
-180,
-600
],
"id": "47197c62-8701-482d-a87d-db5b298e0317",
"credentials": {
"theHiveApi": {
"id": "1",
"name": "The Hive account"
}
}
},
{
"parameters": {
"resource": "observable",
"operation": "get",
"id": "={{$node[\"IF Registry From Case Elastalert\"].json[\"_id\"]}}"
},
"name": "Get Registry From Case Elastalert",
"type": "n8n-nodes-base.theHive",
"typeVersion": 1,
"position": [
-180,
-360
],
"id": "6c98a709-be6b-4ca8-9d45-d4ac7f048112",
"credentials": {
"theHiveApi": {
"id": "1",
"name": "The Hive account"
}
}
},
{
"parameters": {
"resource": "observable",
"operation": "executeAnalyzer",
"id": "={{$node[\"Get Hash From Case Elastalert\"].json[\"_id\"]}}",
"dataType": "hash",
"analyzers": [
"69bda1b828b81062489cf810dbf07380::CORTEX",
"d92d9cb7809d6ba5de4ddc1d3ca4e53d::CORTEX",
"b084bf78d1aea92966b6ef6a4f6193a5::CORTEX",
"bd4fcb243af10d554adc2a4bcca9600c::CORTEX"
]
},
"name": "Analyze Hash From Case Elastalert",
"type": "n8n-nodes-base.theHive",
"typeVersion": 1,
"position": [
100,
-1080
],
"id": "1552ecb0-b560-469c-a079-3e065f74b7f1",
"credentials": {
"theHiveApi": {
"id": "1",
"name": "The Hive account"
}
}
},
{
"parameters": {
"resource": "observable",
"operation": "executeAnalyzer",
"id": "={{$node[\"Get IP From Case Elastalert\"].json[\"_id\"]}}",
"dataType": "ip",
"analyzers": [
"69bda1b828b81062489cf810dbf07380::CORTEX",
"b084bf78d1aea92966b6ef6a4f6193a5::CORTEX",
"d92d9cb7809d6ba5de4ddc1d3ca4e53d::CORTEX"
]
},
"name": "Analyze IP From Case Elastalert",
"type": "n8n-nodes-base.theHive",
"typeVersion": 1,
"position": [
100,
-840
],
"id": "03a788f2-33aa-4cc9-a0f0-b14d92cd02af",
"credentials": {
"theHiveApi": {
"id": "1",
"name": "The Hive account"
}
}
},
{
"parameters": {
"resource": "observable",
"operation": "executeAnalyzer",
"id": "={{$node[\"Get Domain From Case Elastalert\"].json[\"_id\"]}}",
"dataType": "ip",
"analyzers": [
"69bda1b828b81062489cf810dbf07380::CORTEX",
"b084bf78d1aea92966b6ef6a4f6193a5::CORTEX",
"d92d9cb7809d6ba5de4ddc1d3ca4e53d::CORTEX"
]
},
"name": "Analyze Domain From Case Elastalert",
"type": "n8n-nodes-base.theHive",
"typeVersion": 1,
"position": [
100,
-600
],
"id": "ab26f12e-fea1-4b00-b362-dc20c6619233",
"credentials": {
"theHiveApi": {
"id": "1",
"name": "The Hive account"
}
}
},
{
"parameters": {
"resource": "observable",
"operation": "executeAnalyzer",
"id": "={{$node[\"Get Registry From Case Elastalert\"].json[\"_id\"]}}",
"dataType": "ip",
"analyzers": [
"69bda1b828b81062489cf810dbf07380::CORTEX",
"b084bf78d1aea92966b6ef6a4f6193a5::CORTEX",
"d92d9cb7809d6ba5de4ddc1d3ca4e53d::CORTEX"
]
},
"name": "Analyze Registry From Case Elastalert",
"type": "n8n-nodes-base.theHive",
"typeVersion": 1,
"position": [
100,
-360
],
"id": "c3b15206-3ae9-4e05-847d-cf4c2053b7bc",
"credentials": {
"theHiveApi": {
"id": "1",
"name": "The Hive account"
}
}
},
{
"parameters": {
"conditions": {
"string": [
{
"value1": "={{$node[\"TheHive Trigger\"].json[\"body\"][\"object\"][\"type\"]}}",
"value2": "misp"
}
]
}
},
"name": "IF Alert From MISP",
"type": "n8n-nodes-base.if",
"typeVersion": 1,
"position": [
-480,
-120
],
"id": "5c127f3f-2745-4f77-9900-3933c2c5e6b1"
},
{
"parameters": {
"operation": "promote",
"id": "={{$node[\"Get Alerts From MISP\"].json[\"_id\"]}}",
"additionalFields": {}
},
"name": "Create Case From Alerts MISP",
"type": "n8n-nodes-base.theHive",
"typeVersion": 1,
"position": [
100,
-140
],
"id": "1970e340-cad9-4fa7-9cc3-378bd627e9f0",
"executeOnce": true,
"credentials": {
"theHiveApi": {
"id": "1",
"name": "The Hive account"
}
}
},
{
"parameters": {
"resource": "case",
"operation": "get",
"id": "={{$node[\"Create Case From Alerts MISP\"].json[\"_id\"]}}"
},
"name": "Get Case From Alert MISP",
"type": "n8n-nodes-base.theHive",
"typeVersion": 1,
"position": [
340,
-140
],
"id": "6df610a9-4eac-4d51-b413-fca746ccddfa",
"executeOnce": true,
"credentials": {
"theHiveApi": {
"id": "1",
"name": "The Hive account"
}
}
},
{
"parameters": {
"amount": 30,
"unit": "seconds"
},
"name": "Wait For Case MISP",
"type": "n8n-nodes-base.wait",
"typeVersion": 1,
"position": [
560,
-140
],
"webhookId": "54dd3167-8d4d-4f1a-9343-c77b059ce7c9",
"id": "9e5d9c45-ffd8-4ae6-bedd-8272074c62a5"
},
{
"parameters": {
"resource": "observable",
"caseId": "={{$node[\"Get Case From Alert MISP\"].json[\"_id\"]}}",
"returnAll": true,
"options": {}
},
"name": "Get Observables From Case MISP",
"type": "n8n-nodes-base.theHive",
"typeVersion": 1,
"position": [
-900,
380
],
"alwaysOutputData": false,
"id": "c516dfd4-0b61-4166-8d00-daa12a536831",
"executeOnce": true,
"credentials": {
"theHiveApi": {
"id": "1",
"name": "The Hive account"
}
}
},
{
"parameters": {
"operation": "get",
"id": "={{$node[\"TheHive Trigger\"].json[\"body\"][\"object\"][\"_id\"]}}",
"options": {}
},
"name": "Get Alerts From MISP",
"type": "n8n-nodes-base.theHive",
"typeVersion": 1,
"position": [
-180,
-140
],
"id": "432de117-dbe1-44f0-ad18-846a9cd5c3ee",
"executeOnce": true,
"credentials": {
"theHiveApi": {
"id": "1",
"name": "The Hive account"
}
}
},
{
"parameters": {
"conditions": {
"string": [
{
"value1": "={{$node[\"Get Observables From Case Elastalert\"].json[\"dataType\"]}}",
"value2": "registry"
}
]
}
},
"name": "IF Registry From Case Elastalert",
"type": "n8n-nodes-base.if",
"typeVersion": 1,
"position": [
-480,
-340
],
"id": "82d6049d-ba41-4ed0-9d03-9837343a6ea9"
},
{
"parameters": {
"conditions": {
"string": [
{
"value1": "={{$node[\"Get Observables From Case Elastalert\"].json[\"dataType\"]}}",
"value2": "domain"
}
]
}
},
"name": "IF Domain From Case Elastalert",
"type": "n8n-nodes-base.if",
"typeVersion": 1,
"position": [
-480,
-580
],
"id": "9fdc0da3-48a7-4423-a123-8d152bed560b"
},
{
"parameters": {
"resource": "observable",
"caseId": "={{$node[\"Get Case From Alert MISP\"].json[\"_id\"]}}",
"returnAll": true,
"options": {}
},
"name": "Get Observables From Case MISP after Analyze",
"type": "n8n-nodes-base.theHive",
"typeVersion": 1,
"position": [
1700,
380
],
"alwaysOutputData": false,
"id": "f82d34a8-9db3-4369-8409-f7b173742126",
"executeOnce": true,
"credentials": {
"theHiveApi": {
"id": "1",
"name": "The Hive account"
}
}
},
{
"parameters": {
"conditions": {
"string": [
{
"value1": "={{ $jmespath($json.reports.Elasticsearch_IP_Analysis_1_0, \"taxonomies[*].level\") }}",
"operation": "contains",
"value2": "suspicious"
},
{
"value1": "{{ $jmespath($json.reports.Elasticsearch_Hash_Analysis_1_0, \"taxonomies[*].level\") }}",
"operation": "contains",
"value2": "suspicious"
},
{
"value1": "{{ $jmespath($json.reports.Elasticsearch_Domain_Analysis_1_0, \"taxonomies[*].level\") }}",
"operation": "contains",
"value2": "suspicious"
}
]
},
"combineOperation": "any"
},
"id": "9b5191d0-88b5-4d69-94a8-f9c63e11d670",
"name": "IF after Analyze",
"type": "n8n-nodes-base.if",
"typeVersion": 1,
"position": [
1920,
380
]
},
{
"parameters": {
"resource": "case",
"operation": "update",
"id": "={{$node[\"Create Case From Alerts MISP\"].json[\"_id\"]}}",
"jsonParameters": false,
"updateFields": {
"flag": false,
"resolutionStatus": "FalsePositive",
"status": "Resolved",
"summary": "Close summary"
}
},
"id": "16969873-f3fc-415d-889f-81371dbc1a3c",
"name": "TheHive",
"type": "n8n-nodes-base.theHive",
"typeVersion": 1,
"position": [
2640,
520
],
"credentials": {
"theHiveApi": {
"id": "1",
"name": "The Hive account"
}
},
"continueOnFail": true
},
{
"parameters": {
"amount": 10,
"unit": "seconds"
},
"id": "1bb52a9d-ed17-4837-b648-ea82af2ef380",
"name": "Wait2",
"type": "n8n-nodes-base.wait",
"typeVersion": 1,
"position": [
2200,
520
],
"webhookId": "e052a960-deed-4a88-8d82-a4a4359a7c47"
},
{
"parameters": {
"webhookUri": "https://discord.com/api/webhooks/968102639449554995/yKsEveOtLlekvCSGQko6fr7RIB83NonCOJlJ9FKW_iqPSGSHBylCxbvcS1PBY1Jci9iY",
"text": "={{$node[\"Create Case From Alerts MISP\"].json[\"title\"]}} ",
"options": {}
},
"name": "Output Discord",
"type": "n8n-nodes-base.discord",
"typeVersion": 1,
"position": [
2200,
200
],
"id": "63ce4e2c-1f29-4695-be08-a9ef83274f56"
},
{
"parameters": {
"resource": "case",
"operation": "update",
"id": "={{$node[\"Create Case From Alerts MISP\"].json[\"id\"]}}",
"jsonParameters": false,
"updateFields": {
"status": "Open"
}
},
"id": "6b0256fc-c21b-4000-aded-bf57b42b4621",
"name": "TheHive1",
"type": "n8n-nodes-base.theHive",
"typeVersion": 1,
"position": [
2640,
200
],
"credentials": {
"theHiveApi": {
"id": "1",
"name": "The Hive account"
}
},
"continueOnFail": true
},
{
"parameters": {
"amount": 30,
"unit": "seconds"
},
"id": "badf1f0c-1155-49b1-b61a-970831eebf57",
"name": "Wait3",
"type": "n8n-nodes-base.wait",
"typeVersion": 1,
"position": [
2420,
200
],
"webhookId": "e052a960-deed-4a88-8d82-a4a4359a7c47"
},
{
"parameters": {
"resource": "observable",
"operation": "get",
"id": "={{ $json._id }}"
},
"name": "Get Hash From Case MISP",
"type": "n8n-nodes-base.theHive",
"typeVersion": 1,
"position": [
180,
200
],
"id": "58e7c95f-780e-414d-b8e5-9722bf77b881",
"credentials": {
"theHiveApi": {
"id": "1",
"name": "The Hive account"
}
}
},
{
"parameters": {
"resource": "observable",
"operation": "get",
"id": "={{ $json._id }}"
},
"name": "Get IP From Case MISP",
"type": "n8n-nodes-base.theHive",
"typeVersion": 1,
"position": [
180,
380
],
"id": "6ea214ed-3e7b-4f3b-8e4f-ee5190e8f36e",
"credentials": {
"theHiveApi": {
"id": "1",
"name": "The Hive account"
}
}
},
{
"parameters": {
"resource": "observable",
"operation": "executeAnalyzer",
"id": "={{$node[\"Get IP From Case MISP\"].json[\"_id\"]}}",
"dataType": "ip",
"analyzers": [
"1dc583fae797ac4cae3a9afbd40d0f97::CORTEX"
]
},
"name": "Analyze IP From Case MISP",
"type": "n8n-nodes-base.theHive",
"typeVersion": 1,
"position": [
460,
380
],
"id": "d29dffb4-009e-453e-beaa-16a0855dbd09",
"credentials": {
"theHiveApi": {
"id": "1",
"name": "The Hive account"
}
}
},
{
"parameters": {
"resource": "observable",
"operation": "executeAnalyzer",
"id": "={{$node[\"Get Hash From Case MISP\"].json[\"_id\"]}}",
"dataType": "hash",
"analyzers": [
"0fce46174e1fa2e8c6b8d0e8168eff86::CORTEX"
]
},
"name": "Analyze Hash From Case MISP",
"type": "n8n-nodes-base.theHive",
"typeVersion": 1,
"position": [
460,
200
],
"id": "dd6b5717-fcb5-4e1a-bcb2-674f76a03751",
"credentials": {
"theHiveApi": {
"id": "1",
"name": "The Hive account"
}
}
},
{
"parameters": {
"resource": "observable",
"operation": "executeAnalyzer",
"id": "={{$node[\"Get Domain From Case MISP\"].json[\"_id\"]}}",
"dataType": "domain",
"analyzers": [
"23ab61a62433bf4b43ea8c641ae33430::CORTEX"
]
},
"name": "Analyze Domain From Case MISP",
"type": "n8n-nodes-base.theHive",
"typeVersion": 1,
"position": [
460,
580
],
"id": "1936835a-f573-4a4a-8a11-3f6b4146c7bd",
"credentials": {
"theHiveApi": {
"id": "1",
"name": "The Hive account"
}
}
},
{
"parameters": {
"resource": "observable",
"operation": "get",
"id": "={{ $json._id }}"
},
"name": "Get Domain From Case MISP",
"type": "n8n-nodes-base.theHive",
"typeVersion": 1,
"position": [
180,
580
],
"id": "f3a4a529-d6da-4fbf-85e4-8fc3cce41488",
"credentials": {
"theHiveApi": {
"id": "1",
"name": "The Hive account"
}
}
},
{
"parameters": {
"amount": 5,
"unit": "seconds"
},
"id": "8c04462b-2d6b-4b0a-9c4e-44d7da624539",
"name": "Wait",
"type": "n8n-nodes-base.wait",
"typeVersion": 1,
"position": [
860,
380
],
"webhookId": "4302eff4-69f5-4fd4-a867-efaba1e44e90"
},
{
"parameters": {
"resource": "case",
"operation": "get",
"id": "={{ $node[\"Get Case From Alert MISP\"].json._id }}"
},
"name": "Get Case From Alert MISP after Analyze",
"type": "n8n-nodes-base.theHive",
"typeVersion": 1,
"position": [
1160,
380
],
"id": "9e268a95-8897-4e84-b344-3c63ea38bf03",
"executeOnce": true,
"credentials": {
"theHiveApi": {
"id": "1",
"name": "The Hive account"
}
}
},
{
"parameters": {
"dataType": "string",
"value1": "={{ $json.dataType }}",
"rules": {
"rules": [
{
"operation": "contains",
"value2": "hash"
},
{
"operation": "contains",
"value2": "ip",
"output": 1
},
{
"operation": "contains",
"value2": "domain",
"output": 2
}
]
},
"fallbackOutput": 3
},
"id": "45df3cc0-10a0-4f1c-a856-8cb736c449e9",
"name": "Switch",
"type": "n8n-nodes-base.switch",
"typeVersion": 1,
"position": [
-480,
380
]
},
{
"parameters": {
"resource": "observable",
"operation": "get",
"id": "={{ $json._id }}"
},
"name": "Get Others From Case MISP",
"type": "n8n-nodes-base.theHive",
"typeVersion": 1,
"position": [
460,
840
],
"id": "b8f6e47d-9930-42c8-913b-bdc15de3297c",
"credentials": {
"theHiveApi": {
"id": "1",
"name": "The Hive account"
}
}
},
{
"parameters": {
"options": {}
},
"id": "dc4aa52b-abd5-45ac-8b27-f5dff895dfc5",
"name": "Split In Batches",
"type": "n8n-nodes-base.splitInBatches",
"typeVersion": 1,
"position": [
1440,
380
]
}
],
"pinData": {},
"connections": {
"TheHive Trigger": {
"main": [
[
{
"node": "IF Alert From MISP",
"type": "main",
"index": 0
},
{
"node": "IF Not Alert Misp",
"type": "main",
"index": 0
}
]
]
},
"IF Not Alert Misp": {
"main": [
[
{
"node": "Alerts Elastalert",
"type": "main",
"index": 0
}
]
]
},
"Create Case From Alerts Elastalert": {
"main": [
[
{
"node": "Get Case From Case Elastalert",
"type": "main",
"index": 0
}
]
]
},
"Alerts Elastalert": {
"main": [
[
{
"node": "Create Case From Alerts Elastalert",
"type": "main",
"index": 0
}
]
]
},
"Get Case From Case Elastalert": {
"main": [
[
{
"node": "Wait For Case Elastalert",
"type": "main",
"index": 0
}
]
]
},
"Wait For Case Elastalert": {
"main": [
[
{
"node": "Get Observables From Case Elastalert",
"type": "main",
"index": 0
}
]
]
},
"Get Observables From Case Elastalert": {
"main": [
[
{
"node": "IF Hash From Case Elastalert",
"type": "main",
"index": 0
},
{
"node": "IF IP From Case Elastalert",
"type": "main",
"index": 0
},
{
"node": "IF Domain From Case Elastalert",
"type": "main",
"index": 0
},
{
"node": "IF Registry From Case Elastalert",
"type": "main",
"index": 0
}
]
]
},
"IF Hash From Case Elastalert": {
"main": [
[
{
"node": "Get Hash From Case Elastalert",
"type": "main",
"index": 0
}
]
]
},
"IF IP From Case Elastalert": {
"main": [
[
{
"node": "Get IP From Case Elastalert",
"type": "main",
"index": 0
}
]
]
},
"Get Hash From Case Elastalert": {
"main": [
[
{
"node": "Analyze Hash From Case Elastalert",
"type": "main",
"index": 0
}
]
]
},
"Get IP From Case Elastalert": {
"main": [
[
{
"node": "Analyze IP From Case Elastalert",
"type": "main",
"index": 0
}
]
]
},
"Get Domain From Case Elastalert": {
"main": [
[
{
"node": "Analyze Domain From Case Elastalert",
"type": "main",
"index": 0
}
]
]
},
"Get Registry From Case Elastalert": {
"main": [
[
{
"node": "Analyze Registry From Case Elastalert",
"type": "main",
"index": 0
}
]
]
},
"IF Alert From MISP": {
"main": [
[
{
"node": "Get Alerts From MISP",
"type": "main",
"index": 0
}
]
]
},
"Create Case From Alerts MISP": {
"main": [
[
{
"node": "Get Case From Alert MISP",
"type": "main",
"index": 0
}
]
]
},
"Get Case From Alert MISP": {
"main": [
[
{
"node": "Wait For Case MISP",
"type": "main",
"index": 0
}
]
]
},
"Wait For Case MISP": {
"main": [
[
{
"node": "Get Observables From Case MISP",
"type": "main",
"index": 0
}
]
]
},
"Get Observables From Case MISP": {
"main": [
[
{
"node": "Switch",
"type": "main",
"index": 0
}
]
]
},
"Get Alerts From MISP": {
"main": [
[
{
"node": "Create Case From Alerts MISP",
"type": "main",
"index": 0
}
]
]
},
"IF Registry From Case Elastalert": {
"main": [
[
{
"node": "Get Registry From Case Elastalert",
"type": "main",
"index": 0
}
]
]
},
"IF Domain From Case Elastalert": {
"main": [
[
{
"node": "Get Domain From Case Elastalert",
"type": "main",
"index": 0
}
]
]
},
"Get Observables From Case MISP after Analyze": {
"main": [
[
{
"node": "IF after Analyze",
"type": "main",
"index": 0
}
]
]
},
"IF after Analyze": {
"main": [
[
{
"node": "Output Discord",
"type": "main",
"index": 0
}
],
[
{
"node": "Wait2",
"type": "main",
"index": 0
}
]
]
},
"Wait2": {
"main": [
[
{
"node": "TheHive",
"type": "main",
"index": 0
}
]
]
},
"Wait3": {
"main": [
[
{
"node": "TheHive1",
"type": "main",
"index": 0
}
]
]
},
"Output Discord": {
"main": [
[
{
"node": "Wait3",
"type": "main",
"index": 0
}
]
]
},
"Get Hash From Case MISP": {
"main": [
[
{
"node": "Analyze Hash From Case MISP",
"type": "main",
"index": 0
}
]
]
},
"Get IP From Case MISP": {
"main": [
[
{
"node": "Analyze IP From Case MISP",
"type": "main",
"index": 0
}
]
]
},
"Analyze IP From Case MISP": {
"main": [
[
{
"node": "Wait",
"type": "main",
"index": 0
}
]
]
},
"Analyze Hash From Case MISP": {
"main": [
[
{
"node": "Wait",
"type": "main",
"index": 0
}
]
]
},
"Analyze Domain From Case MISP": {
"main": [
[
{
"node": "Wait",
"type": "main",
"index": 0
}
]
]
},
"Get Domain From Case MISP": {
"main": [
[
{
"node": "Analyze Domain From Case MISP",
"type": "main",
"index": 0
}
]
]
},
"Wait": {
"main": [
[
{
"node": "Get Case From Alert MISP after Analyze",
"type": "main",
"index": 0
}
]
]
},
"Switch": {
"main": [
[
{
"node": "Get Hash From Case MISP",
"type": "main",
"index": 0
}
],
[
{
"node": "Get IP From Case MISP",
"type": "main",
"index": 0
}
],
[
{
"node": "Get Domain From Case MISP",
"type": "main",
"index": 0
}
],
[
{
"node": "Get Others From Case MISP",
"type": "main",
"index": 0
}
]
]
},
"Get Others From Case MISP": {
"main": [
[
{
"node": "Wait",
"type": "main",
"index": 0
}
]
]
},
"Get Case From Alert MISP after Analyze": {
"main": [
[
{
"node": "Split In Batches",
"type": "main",
"index": 0
}
]
]
},
"Split In Batches": {
"main": [
[
{
"node": "Get Observables From Case MISP after Analyze",
"type": "main",
"index": 0
}
]
]
}
},
"active": true,
"settings": {
"timezone": "Europe/Paris",
"errorWorkflow": "1",
"saveManualExecutions": false,
"callerPolicy": "any"
},
"versionId": "11c71289-3cfb-4828-b586-6d39fa4c3eb9",
"id": "1",
"meta": {
"instanceId": "ae2c3b36e0c96f988ef0c068ac5443fafc66aace4493a62da8517779eea129d3"
},
"tags": [
{
"createdAt": "2022-04-26T20:14:21.384Z",
"updatedAt": "2022-04-26T20:14:21.384Z",
"id": "1",
"name": "misp"
},
{
"createdAt": "2022-04-26T20:15:15.988Z",
"updatedAt": "2022-04-26T20:15:15.988Z",
"id": "3",
"name": "alert"
}
]
}