Skip to content

Soar guide

V1D1AN edited this page Mar 2, 2023 · 11 revisions

In S1EM, you have the SOAR n8n and you can automate actions.

Automation with S1EM

In the workflow I share and directly into S1EM, when thehive receive a alert from Misp, the alert is promote to case and the ioc from Misp will search into S1EM.

If Zeek extract a file, the docker file4thehive will send the file to TheHive and Cortex Will analyze the file extracted.

If you put a Alert in TheHive with Elastalert, the soar will start the analyze of the Alert with MISP/OpenCTI/OTX.

image

Analyse a Email with S1EM/N8N

Prerequisites

For cortex, you must activate some analyzers:

TheHive

For sending eml file to TheHive, you must have "play.http.parser.maxMemoryBuffer: 10MB" in the application.conf In this example, you can send a eml file less than 10MB

Analyze Email

In the workflow I share, I send suspicious emails to a particular box. They are automatically retrieved for analysis by Cortex. The email is parsed by EML Parser and the extracted observables are then re-analyzed by Cortex

image

image

image

Workflow for n8n

{
  "name": "Email",
  "nodes": [
    {
      "parameters": {},
      "name": "Start",
      "type": "n8n-nodes-base.start",
      "typeVersion": 1,
      "position": [
        -320,
        600
      ]
    },
    {
      "parameters": {
        "format": "resolved",
        "options": {}
      },
      "name": "IMAP Email",
      "type": "n8n-nodes-base.emailReadImap",
      "typeVersion": 1,
      "position": [
        -300,
        200
      ],
      "credentials": {
        "imap": {
          "id": "5",
          "name": "IMAP account"
        }
      }
    },
    {
      "parameters": {
        "title": "={{$node[\"IMAP Email\"].binary.attachment_0.fileName}}",
        "description": "={{$node[\"IMAP Email\"].binary.attachment_0.fileName}}",
        "tags": "Email",
        "type": "Email",
        "source": "Outlook",
        "sourceRef": "={{$node[\"IMAP Email\"].json[\"messageId\"]}}",
        "artifactUi": {
          "artifactValues": [
            {
              "dataType": "file",
              "binaryProperty": "attachment_0"
            }
          ]
        },
        "additionalFields": {}
      },
      "name": "TheHive",
      "type": "n8n-nodes-base.theHive",
      "typeVersion": 1,
      "position": [
        -20,
        200
      ],
      "alwaysOutputData": true,
      "credentials": {
        "theHiveApi": {
          "id": "1",
          "name": "The Hive account"
        }
      }
    },
    {
      "parameters": {
        "operation": "promote",
        "id": "={{$node[\"TheHive\"].json[\"_id\"]}}",
        "additionalFields": {}
      },
      "name": "Create Case",
      "type": "n8n-nodes-base.theHive",
      "typeVersion": 1,
      "position": [
        280,
        200
      ],
      "alwaysOutputData": true,
      "credentials": {
        "theHiveApi": {
          "id": "1",
          "name": "The Hive account"
        }
      }
    },
    {
      "parameters": {
        "resource": "case",
        "operation": "get",
        "id": "={{$node[\"Create Case\"].json[\"_id\"]}}"
      },
      "name": "Case",
      "type": "n8n-nodes-base.theHive",
      "typeVersion": 1,
      "position": [
        540,
        200
      ],
      "alwaysOutputData": true,
      "credentials": {
        "theHiveApi": {
          "id": "1",
          "name": "The Hive account"
        }
      }
    },
    {
      "parameters": {
        "resource": "observable",
        "caseId": "={{$node[\"Case\"].json[\"_id\"]}}",
        "returnAll": true,
        "options": {}
      },
      "name": "Observable",
      "type": "n8n-nodes-base.theHive",
      "typeVersion": 1,
      "position": [
        1060,
        200
      ],
      "alwaysOutputData": true,
      "credentials": {
        "theHiveApi": {
          "id": "1",
          "name": "The Hive account"
        }
      }
    },
    {
      "parameters": {
        "resource": "observable",
        "operation": "executeAnalyzer",
        "id": "={{$node[\"Observable\"].json[\"_id\"]}}",
        "dataType": "file",
        "analyzers": [
          "24a64a086a410e1c7d7ace74003c4480::CORTEX"
        ]
      },
      "name": "Analyzer Email",
      "type": "n8n-nodes-base.theHive",
      "typeVersion": 1,
      "position": [
        1340,
        200
      ],
      "alwaysOutputData": true,
      "retryOnFail": true,
      "credentials": {
        "theHiveApi": {
          "id": "1",
          "name": "The Hive account"
        }
      }
    },
    {
      "parameters": {
        "resource": "job",
        "operation": "report",
        "jobId": "={{$node[\"Analyzer Email\"].json[\"cortexJobId\"]}}"
      },
      "name": "Cortex",
      "type": "n8n-nodes-base.cortex",
      "typeVersion": 1,
      "position": [
        1560,
        200
      ],
      "credentials": {
        "cortexApi": {
          "id": "2",
          "name": "Cortex account"
        }
      }
    },
    {
      "parameters": {
        "conditions": {
          "number": [
            {
              "value1": "={{$node[\"Cortex\"].json[\"report\"][\"full\"][\"iocs\"][\"domain\"].length}}",
              "operation": "larger"
            },
            {
              "value1": "={{$node[\"Cortex\"].json[\"report\"][\"full\"][\"iocs\"][\"email\"].length}}",
              "operation": "larger"
            },
            {
              "value1": "={{$node[\"Cortex\"].json[\"report\"][\"full\"][\"iocs\"][\"ip\"].length}}",
              "operation": "larger"
            }
          ]
        },
        "combineOperation": "any"
      },
      "name": "IF",
      "type": "n8n-nodes-base.if",
      "typeVersion": 1,
      "position": [
        -20,
        640
      ]
    },
    {
      "parameters": {
        "resource": "observable",
        "operation": "create",
        "caseId": "={{$node[\"Case\"].json[\"_id\"]}}",
        "dataType": "domain",
        "data": "={{$node[\"Cortex\"].json[\"report\"][\"full\"][\"iocs\"][\"domain\"]}}",
        "message": "={{$node[\"Cortex\"].json[\"analyzerName\"]}}",
        "ioc": true,
        "status": "Ok",
        "options": {
          "tags": "Domain"
        }
      },
      "name": "Update Case Domain",
      "type": "n8n-nodes-base.theHive",
      "typeVersion": 1,
      "position": [
        420,
        420
      ],
      "credentials": {
        "theHiveApi": {
          "id": "1",
          "name": "The Hive account"
        }
      }
    },
    {
      "parameters": {
        "resource": "observable",
        "operation": "create",
        "caseId": "={{$node[\"Case\"].json[\"_id\"]}}",
        "dataType": "mail",
        "data": "={{$node[\"Cortex\"].json[\"report\"][\"full\"][\"iocs\"][\"email\"]}}",
        "message": "={{$node[\"Cortex\"].json[\"analyzerName\"]}}",
        "ioc": true,
        "status": "Ok",
        "options": {
          "tags": "Domain"
        }
      },
      "name": "Update Case Email",
      "type": "n8n-nodes-base.theHive",
      "typeVersion": 1,
      "position": [
        420,
        620
      ],
      "credentials": {
        "theHiveApi": {
          "id": "1",
          "name": "The Hive account"
        }
      }
    },
    {
      "parameters": {
        "resource": "observable",
        "operation": "create",
        "caseId": "={{$node[\"Case\"].json[\"_id\"]}}",
        "dataType": "ip",
        "data": "={{$node[\"Cortex\"].json[\"report\"][\"full\"][\"iocs\"][\"ip\"]}}",
        "message": "={{$node[\"Cortex\"].json[\"analyzerName\"]}}",
        "ioc": true,
        "status": "Ok",
        "options": {
          "tags": "Domain"
        }
      },
      "name": "Update Case Ip",
      "type": "n8n-nodes-base.theHive",
      "typeVersion": 1,
      "position": [
        420,
        820
      ],
      "credentials": {
        "theHiveApi": {
          "id": "1",
          "name": "The Hive account"
        }
      }
    },
    {
      "parameters": {
        "amount": 5,
        "unit": "seconds"
      },
      "name": "Wait",
      "type": "n8n-nodes-base.wait",
      "typeVersion": 1,
      "position": [
        800,
        200
      ],
      "webhookId": "ecada1d5-a671-44fc-906e-c64c6f05e760"
    },
    {
      "parameters": {
        "resource": "observable",
        "operation": "executeAnalyzer",
        "id": "={{$node[\"Update Case Email\"].json[\"id\"]}}",
        "dataType": "mail",
        "analyzers": [
          "9902b4e5c58015184b177de13f2151c7::CORTEX"
        ]
      },
      "name": "Email Reputation",
      "type": "n8n-nodes-base.theHive",
      "typeVersion": 1,
      "position": [
        640,
        620
      ],
      "credentials": {
        "theHiveApi": {
          "id": "1",
          "name": "The Hive account"
        }
      }
    },
    {
      "parameters": {
        "conditions": {
          "boolean": [
            {
              "value1": "={{$node[\"Email Reputation\"].json[\"report\"][\"full\"][\"suspicious\"]}}",
              "value2": "={{false}}"
            }
          ],
          "string": [
            {
              "value1": "={{$node[\"Analyze DOMAIN\"].json[\"report\"][\"full\"][\"results\"][0][\"result\"]}}",
              "operation": "notContains",
              "value2": "=[Array: []]"
            },
            {
              "value1": "={{$node[\"Analyze IP\"].json[\"report\"][\"full\"][\"results\"][0][\"result\"]}}",
              "operation": "notContains",
              "value2": "=[Array: []]"
            }
          ]
        }
      },
      "name": "IF1",
      "type": "n8n-nodes-base.if",
      "typeVersion": 1,
      "position": [
        960,
        620
      ]
    },
    {
      "parameters": {
        "resource": "case",
        "operation": "update",
        "id": "={{$node[\"Case\"].json[\"_id\"]}}",
        "jsonParameters": false,
        "updateFields": {
          "resolutionStatus": "FalsePositive",
          "status": "Resolved"
        }
      },
      "name": "Close case",
      "type": "n8n-nodes-base.theHive",
      "typeVersion": 1,
      "position": [
        1240,
        440
      ],
      "credentials": {
        "theHiveApi": {
          "id": "1",
          "name": "The Hive account"
        }
      }
    },
    {
      "parameters": {
        "resource": "case",
        "operation": "update",
        "id": "={{$node[\"Case\"].json[\"_id\"]}}",
        "jsonParameters": false,
        "updateFields": {
          "resolutionStatus": "Indeterminate",
          "status": "Open"
        }
      },
      "name": "Inderterminte case",
      "type": "n8n-nodes-base.theHive",
      "typeVersion": 1,
      "position": [
        1240,
        840
      ],
      "credentials": {
        "theHiveApi": {
          "id": "1",
          "name": "The Hive account"
        }
      }
    },
    {
      "parameters": {
        "resource": "observable",
        "operation": "executeAnalyzer",
        "id": "={{$node[\"Update Case Domain\"].json[\"id\"]}}",
        "dataType": "domain",
        "analyzers": [
          "b084bf78d1aea92966b6ef6a4f6193a5::CORTEX",
          "69bda1b828b81062489cf810dbf07380::CORTEX"
        ]
      },
      "name": "Analyze DOMAIN",
      "type": "n8n-nodes-base.theHive",
      "typeVersion": 1,
      "position": [
        640,
        420
      ],
      "credentials": {
        "theHiveApi": {
          "id": "1",
          "name": "The Hive account"
        }
      }
    },
    {
      "parameters": {
        "resource": "observable",
        "operation": "executeAnalyzer",
        "id": "={{$node[\"Update Case Ip\"].json[\"id\"]}}",
        "dataType": "ip",
        "analyzers": [
          "b084bf78d1aea92966b6ef6a4f6193a5::CORTEX",
          "69bda1b828b81062489cf810dbf07380::CORTEX"
        ]
      },
      "name": "Analyze IP",
      "type": "n8n-nodes-base.theHive",
      "typeVersion": 1,
      "position": [
        640,
        820
      ],
      "credentials": {
        "theHiveApi": {
          "id": "1",
          "name": "The Hive account"
        }
      }
    }
  ],
  "connections": {
    "IMAP Email": {
      "main": [
        [
          {
            "node": "TheHive",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Create Case": {
      "main": [
        [
          {
            "node": "Case",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Case": {
      "main": [
        [
          {
            "node": "Wait",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "TheHive": {
      "main": [
        [
          {
            "node": "Create Case",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Observable": {
      "main": [
        [
          {
            "node": "Analyzer Email",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Analyzer Email": {
      "main": [
        [
          {
            "node": "Cortex",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Cortex": {
      "main": [
        [
          {
            "node": "IF",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "IF": {
      "main": [
        [
          {
            "node": "Update Case Domain",
            "type": "main",
            "index": 0
          },
          {
            "node": "Update Case Email",
            "type": "main",
            "index": 0
          },
          {
            "node": "Update Case Ip",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Wait": {
      "main": [
        [
          {
            "node": "Observable",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Update Case Ip": {
      "main": [
        [
          {
            "node": "Analyze IP",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Update Case Email": {
      "main": [
        [
          {
            "node": "Email Reputation",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Update Case Domain": {
      "main": [
        [
          {
            "node": "Analyze DOMAIN",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Email Reputation": {
      "main": [
        [
          {
            "node": "IF1",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "IF1": {
      "main": [
        [
          {
            "node": "Close case",
            "type": "main",
            "index": 0
          }
        ],
        [
          {
            "node": "Inderterminte case",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Analyze DOMAIN": {
      "main": [
        [
          {
            "node": "IF1",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Analyze IP": {
      "main": [
        [
          {
            "node": "IF1",
            "type": "main",
            "index": 0
          }
        ]
      ]
    }
  },
  "active": true,
  "settings": {
    "saveDataErrorExecution": "none",
    "saveDataSuccessExecution": "none",
    "saveExecutionProgress": "DEFAULT",
    "saveManualExecutions": false
  },
  "id": 4
}
Clone this wiki locally