├── .gitignore ├── .gitmodules ├── Dockerfile ├── LICENSE ├── README.md ├── SkillAegis.sh ├── app.py ├── application ├── skillaegis-logo.png ├── skillaegis-logo.svg ├── skillaegis-text.svg └── welcome.html ├── config.json.sample ├── docker-compose.yml ├── docs ├── SkillAegis-Dashboard-recording.gif ├── SkillAegis-Dashboard_fullscreen.png ├── SkillAegis-Dashboard_main.png ├── SkillAegis-Editor_designer.png ├── SkillAegis-Editor_index.png ├── SkillAegis-Editor_inject-tester.png └── skillaegis_main_app.png ├── scenarios ├── Campaign Targeting Multiple ISACs.json ├── Protect the network.json ├── Workflow Exercise.json ├── basic-event-creation.json ├── basic-filtering.json ├── flubot-malware.json ├── ransomware-encoding.json ├── scam-call-encoding.json └── spearphishing-incident.json └── template.env /.gitignore: -------------------------------------------------------------------------------- 1 | config.json 2 | __pycache__ 3 | __pycache__/* 4 | -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "SkillAegis-Dashboard"] 2 | path = SkillAegis-Dashboard 3 | url = https://github.com/MISP/SkillAegis-Dashboard.git 4 | [submodule "SkillAegis-Editor"] 5 | path = SkillAegis-Editor 6 | url = https://github.com/MISP/SkillAegis-Editor.git 7 | -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:3.12-slim 2 | 3 | WORKDIR /app 4 | 5 | COPY . . 
6 | 7 | RUN apt-get update \ 8 | && apt-get install -y --no-install-recommends jq \ 9 | && apt-get purge -y --auto-remove \ 10 | && rm -rf /var/lib/apt/lists/* 11 | 12 | RUN cp config.json.sample config.json 13 | 14 | EXPOSE 4000 15 | 16 | CMD ["./app.py"] 17 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # SkillAegis 2 | 3 | 4 | **SkillAegis** is a platform to design, run, and monitor exercise scenarios, enhancing skills in applications like MISP and training users in best practices for information management and protective tools. Its gamification system makes learning engaging, ensuring users acquire essential technical skills and adhere to industry standards. 5 | 6 | 7 | ## Features 8 | 9 | - **Create Exercise Scenarios**: Design and customize various training exercises tailored to your needs. 10 | - **Run Exercises**: Deploy scenarios and run training sessions. 11 | - **Live Dashboard**: Monitor progress and performance with the live dashboard, providing realtime insights and analytics. 12 | 13 | ## Installation 14 | 15 | To get started with SkillAegis, follow these steps: 16 | 17 | 0. Ensure Python **3.10** or higher is installed. 18 | ```bash 19 | python -V 20 | ``` 21 | 1. Clone the repository: 22 | ```bash 23 | git clone https://github.com/MISP/SkillAegis.git 24 | ``` 25 | 2. Navigate to the project directory: 26 | ```bash 27 | cd SkillAegis 28 | ``` 29 | 3. Initialize the submodules 30 | ```bash 31 | git submodule update --init --recursive 32 | ``` 33 | 4. Clone the configuration file 34 | ```bash 35 | cp config.json.sample config.json 36 | ``` 37 | - [optional] Update the configuration 38 | 5. 
Install the submodule dependencies 39 | ```bash 40 | # Editor 41 | pushd SkillAegis-Editor 42 | python3 -m venv venv 43 | source venv/bin/activate 44 | pip3 install -r requirements.txt 45 | cp config.py.sample config.py 46 | # [recommended] Update the configuration's MISP part 47 | deactivate 48 | popd 49 | 50 | # Dashboard 51 | pushd SkillAegis-Dashboard 52 | python3 -m venv venv 53 | source venv/bin/activate 54 | pip3 install -r requirements.txt 55 | cp config.py.sample config.py 56 | # [recommended] Update the configuration 57 | deactivate 58 | popd 59 | ``` 60 | 6. Start the project 61 | ```bash 62 | bash SkillAegis.sh 63 | ``` 64 | 65 | ## Update 66 | 67 | To update the project, follow these steps: 68 | 69 | 1. Pull the latest changes 70 | ```bash 71 | git pull 72 | ``` 73 | 2. Pull the latest changes for all submodules 74 | ```bash 75 | git submodule update --recursive 76 | ``` 77 | 78 | ## Docker 79 | 80 | You can alternatively run it in Docker, following those steps : 81 | 82 | 1. Build the image 83 | ```bash 84 | docker compose build 85 | ``` 86 | 2. Copy and update the config 87 | ```bash 88 | cp template.env .env 89 | vim .env 90 | ``` 91 | 3. [optional] Allow the application to reach services on the host 92 | ```bash 93 | # Create a docker override file and add the host as extra_hosts 94 | tee docker-compose.override.yml > /dev/null <]" 12 | exit 1 13 | } 14 | 15 | PARAM_SCENARIO_FOLDER="" 16 | CONFIG_SCENARIO_FOLDER=$(get_config_value ".main.scenario_folder") 17 | 18 | while [ "$#" -gt 0 ]; do 19 | case "$1" in 20 | --scenario_folder) 21 | PARAM_SCENARIO_FOLDER="$2" 22 | shift 2 23 | ;; 24 | *) 25 | usage 26 | ;; 27 | esac 28 | done 29 | 30 | 31 | SESSION="SkillAegis" 32 | 33 | 34 | APP_MAIN="Main" 35 | MAIN_HOST=$(get_config_value ".main.host") 36 | MAIN_PORT=$(get_config_value ".main.port") 37 | if [ ! 
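-z "$PARAM_SCENARIO_FOLDER" ]; then 38 | SCENARIO_FOLDER="$PARAM_SCENARIO_FOLDER" 39 | else 40 | SCENARIO_FOLDER="$CONFIG_SCENARIO_FOLDER" 41 | fi 42 | SCENARIO_FOLDER_ABSOLUTE=$(realpath "$SCENARIO_FOLDER" 2>/dev/null) 43 | 44 | if [ ! -d "$SCENARIO_FOLDER_ABSOLUTE" ]; then 45 | echo "Error: The folder '$SCENARIO_FOLDER_ABSOLUTE' does not exist." 46 | exit 1 47 | fi 48 | 49 | APP_EDITOR="Editor" 50 | EDITOR_HOST=$(get_config_value ".editor.host") 51 | EDITOR_PORT=$(get_config_value ".editor.port") 52 | 53 | APP_DASHBOARD="Dashboard" 54 | DASHBOARD_HOST=$(get_config_value ".dashboard.host") 55 | DASHBOARD_PORT=$(get_config_value ".dashboard.port") 56 | 57 | EDITOR_URL=$(get_config_value ".main.editor_url") 58 | DASHBOARD_URL=$(get_config_value ".main.dashboard_url") 59 | 60 | 61 | screen -dmS $SESSION 62 | 63 | screen -S $SESSION -X screen -t "$APP_MAIN" bash -c "python3 app.py --host $MAIN_HOST --port $MAIN_PORT --editor_url $EDITOR_URL --dashboard_url $DASHBOARD_URL; read x;" 64 | screen -S $SESSION -X screen -t "$APP_DASHBOARD" bash -c "cd SkillAegis-Dashboard && bash start.sh --host $DASHBOARD_HOST --port $DASHBOARD_PORT --exercise_folder $SCENARIO_FOLDER_ABSOLUTE; read x;" 65 | screen -S $SESSION -X screen -t "$APP_EDITOR" bash -c "cd SkillAegis-Editor && bash start.sh --host $EDITOR_HOST --port $EDITOR_PORT --exercise_folder $SCENARIO_FOLDER_ABSOLUTE; read x;" 66 | 67 | sleep 0.5 68 | screen -d -r $SESSION -p $APP_MAIN 69 | -------------------------------------------------------------------------------- /app.py: --------------------------------------------------------------------------------
#!/usr/bin/env python3
"""Landing-page server for SkillAegis.

Serves ``application/welcome.html`` (with the dashboard/editor URLs and the
version substituted in), the three logo images and anything under
``application/assets/``.  Everything is resolved relative to the directory
this script lives in, so the working directory no longer matters.
"""
import argparse
import http.server
import mimetypes
import os
import socketserver
from urllib.parse import urlsplit

# Defaults; both can be overridden by SKILLAEGIS_HOST / SKILLAEGIS_PORT or the
# CLI flags.  0.0.0.0 binds every interface, so put the service behind a
# reverse proxy or restrict the host when it is not meant to be reachable.
HOST = "0.0.0.0"
PORT = 8001

DASHBOARD_URL = ""
EDITOR_URL = ""
VERSION = "1.0.0"

# Served files live in application/ next to this script.
BASE_DIR = os.path.dirname(os.path.abspath(__file__))
APPLICATION_DIR = os.path.join(BASE_DIR, "application")
ASSETS_DIR = os.path.join(APPLICATION_DIR, "assets")

# Fixed routes: URL path -> (file name under application/, Content-Type).
STATIC_ROUTES = {
    "/skillaegis-logo.svg": ("skillaegis-logo.svg", "image/svg+xml"),
    "/skillaegis-logo.png": ("skillaegis-logo.png", "image/png"),
    "/skillaegis-text.svg": ("skillaegis-text.svg", "image/svg+xml"),
}


def _resolve_under(root, relative):
    """Join ``relative`` onto ``root`` and return the normalised absolute path.

    Returns ``None`` when the normalised result would lie outside ``root``
    (for example through ``..`` segments), which is what stops a request for
    ``/assets/../app.py`` from reading files outside the assets directory.
    A leading ``/`` on ``relative`` is ignored so ``/assets//x`` still maps
    inside the assets directory.
    """
    root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root, relative.lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


class MyHttpRequestHandler(http.server.BaseHTTPRequestHandler):
    """Tiny router: welcome page, logo images, assets, 404 for the rest."""

    def do_GET(self):
        """Dispatch on the URL path (query string and fragment are ignored)."""
        route = urlsplit(self.path).path

        if route == "/":
            self._send_welcome()
        elif route in STATIC_ROUTES:
            file_name, content_type = STATIC_ROUTES[route]
            self._send_file(os.path.join(APPLICATION_DIR, file_name), content_type)
        elif route.startswith("/assets/"):
            asset = _resolve_under(ASSETS_DIR, route[len("/assets/"):])
            if asset is None:
                # path escaped the assets directory: treat it as unknown
                self.send_error(404, "File not found")
            else:
                content_type, _ = mimetypes.guess_type(asset)
                self._send_file(asset, content_type)
        else:
            # send_error() writes a complete reply; a bare send_response()
            # without end_headers() never flushed the status line.
            self.send_error(404, "Not found")

    def _send_welcome(self):
        """Render welcome.html with the configured URLs and version filled in.

        The substituted values come from operator configuration (CLI/env),
        not from the request, and are inserted verbatim as the template expects.
        """
        with open(os.path.join(APPLICATION_DIR, "welcome.html"), "r", encoding="utf-8") as fh:
            page = fh.read()
        page = (
            page
            .replace("{{url_dashboard}}", DASHBOARD_URL)
            .replace("{{url_editor}}", EDITOR_URL)
            .replace("{{version}}", VERSION)
        )
        body = page.encode("utf8")
        self.send_response(200)
        self.send_header("Content-type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def _send_file(self, path, content_type):
        """Send ``path`` with a 200 and the given Content-Type, or a 404 if absent.

        ``content_type`` may be ``None`` (unknown asset type); the header is then
        simply omitted, matching the previous behaviour for assets.
        """
        if not os.path.isfile(path):
            self.send_error(404, "File not found")
            return
        with open(path, "rb") as fh:
            data = fh.read()
        self.send_response(200)
        if content_type:
            self.send_header("Content-type", content_type)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def main():
    """Read configuration from CLI flags / environment, validate it and serve.

    Both service URLs must start with ``http://`` or ``https://``; the default
    ``#`` (nothing configured) is therefore rejected before the server starts,
    so the landing page never links to an unconfigured service.
    """
    global DASHBOARD_URL, EDITOR_URL
    parser = argparse.ArgumentParser(description='Parse command-line arguments for the SkillAegis main application.')

    parser.add_argument('--dashboard_url', type=str, required=False, default=os.getenv("SKILLAEGIS_DASHBOARD_URL", '#'), help='The URL of the dashboard application')
    parser.add_argument('--editor_url', type=str, required=False, default=os.getenv("SKILLAEGIS_EDITOR_URL", '#'), help='The URL of the editor application')
    parser.add_argument('--host', type=str, required=False, default=os.getenv("SKILLAEGIS_HOST", HOST), help='The host to listen to')
    # argparse applies `type` to string defaults, so an env-provided port is converted too
    parser.add_argument('--port', type=int, required=False, default=os.getenv("SKILLAEGIS_PORT", PORT), help='The port to listen to')

    args = parser.parse_args()

    for label, value in (("dashboard", args.dashboard_url), ("editor", args.editor_url)):
        if not value.startswith(("http://", "https://")):
            parser.error(f"The {label} URL is not valid: {value}")
    DASHBOARD_URL = args.dashboard_url
    EDITOR_URL = args.editor_url

    print(f'Serving main server on {args.host}:{args.port}')
    print(f'Access the application here: http://127.0.0.1:{args.port}')
    server = http.server.ThreadingHTTPServer((args.host, args.port), MyHttpRequestHandler)
    try:
        server.serve_forever()
    except KeyboardInterrupt:
        pass
    finally:
        # release the listening socket on shutdown
        server.server_close()


if __name__ == '__main__':
    main()
-------------------------------------------------------------------------------- /application/skillaegis-logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MISP/SkillAegis/15c5612121aa9fee86461b91f69d0041e4a6449e/application/skillaegis-logo.png -------------------------------------------------------------------------------- /application/skillaegis-logo.svg: 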
-------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 19 | 45 | 47 | 52 | 57 | 58 | 59 | -------------------------------------------------------------------------------- /application/skillaegis-text.svg: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 12 | 14 | 17 | 23 | 24 | 25 | -------------------------------------------------------------------------------- /application/welcome.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | SkillAegis 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | Live Dashboard 21 | Run a scenario and visualize the progress in real-time 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | Scenario Editor 32 | Design and test scenarios 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | v{{version}} 42 | 43 | 44 | 45 | 196 | -------------------------------------------------------------------------------- /config.json.sample: -------------------------------------------------------------------------------- 1 | { 2 | "main": { 3 | "host": "0.0.0.0", 4 | "port": "4000", 5 | "scenario_folder": "scenarios", 6 | "dashboard_url": "https://127.0.0.1:4001", 7 | "editor_url": "https://127.0.0.1:4002" 8 | }, 9 | "dashboard": { 10 | "host": "0.0.0.0", 11 | "port": "4001" 12 | }, 13 | "editor": { 14 | "host": "0.0.0.0", 15 | "port": "4002" 16 | } 17 | } 18 | -------------------------------------------------------------------------------- /docker-compose.yml: -------------------------------------------------------------------------------- 1 | volumes: 2 | skillaegis_main_storage: 3 | skillaegis_dashboard_storage: 4 | skillaegis_editor_storage: 5 | 6 | services: 7 | skillaegis-main: 8 | build: 9 | context: . 
10 | container_name: skillaegis-main 11 | image: skillaegis/main:latest 12 | working_dir: /app 13 | environment: 14 | - SKILLAEGIS_HOST=0.0.0.0 15 | - SKILLAEGIS_PORT=4000 16 | - SKILLAEGIS_DASHBOARD_URL=http://localhost:4001 17 | - SKILLAEGIS_EDITOR_URL=http://localhost:4002 18 | volumes: 19 | - skillaegis_main_storage:/app/ 20 | - ./scenarios:/app/scenarios 21 | ports: 22 | - "4000:4000" 23 | 24 | skillaegis-dashboard: 25 | build: 26 | context: ./SkillAegis-Dashboard 27 | container_name: skillaegis-dashboard 28 | image: skillaegis/dashboard:latest 29 | working_dir: /app 30 | environment: 31 | - SKILLAEGIS_HOST=0.0.0.0 32 | - SKILLAEGIS_PORT=4001 33 | - SKILLAEGIS_EXERCISE_FOLDER=scenarios 34 | - SKILLAEGIS_MISP_URL=${SKILLAEGIS_MISP_URL:-https://localhost/} 35 | - SKILLAEGIS_MISP_APIKEY=${SKILLAEGIS_MISP_APIKEY:-FI4gCRghRZvLVjlLPLTFZ852x2njkkgPSz0zQ3E0} 36 | - SKILLAEGIS_MISP_SKIPSSL=${SKILLAEGIS_MISP_SKIPSSL:-1} 37 | volumes: 38 | - skillaegis_dashboard_storage:/app/ 39 | - ./scenarios:/app/scenarios 40 | ports: 41 | - "4001:4001" 42 | 43 | skillaegis-editor: 44 | build: 45 | context: ./SkillAegis-Editor 46 | container_name: skillaegis-editor 47 | image: skillaegis/editor:latest 48 | working_dir: /app 49 | environment: 50 | - SKILLAEGIS_HOST=0.0.0.0 51 | - SKILLAEGIS_PORT=4002 52 | - SKILLAEGIS_EXERCISE_FOLDER=scenarios 53 | volumes: 54 | - skillaegis_editor_storage:/app/ 55 | - ./scenarios:/app/scenarios 56 | ports: 57 | - "4002:4002" 58 | -------------------------------------------------------------------------------- /docs/SkillAegis-Dashboard-recording.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MISP/SkillAegis/15c5612121aa9fee86461b91f69d0041e4a6449e/docs/SkillAegis-Dashboard-recording.gif -------------------------------------------------------------------------------- /docs/SkillAegis-Dashboard_fullscreen.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/MISP/SkillAegis/15c5612121aa9fee86461b91f69d0041e4a6449e/docs/SkillAegis-Dashboard_fullscreen.png -------------------------------------------------------------------------------- /docs/SkillAegis-Dashboard_main.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MISP/SkillAegis/15c5612121aa9fee86461b91f69d0041e4a6449e/docs/SkillAegis-Dashboard_main.png -------------------------------------------------------------------------------- /docs/SkillAegis-Editor_designer.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MISP/SkillAegis/15c5612121aa9fee86461b91f69d0041e4a6449e/docs/SkillAegis-Editor_designer.png -------------------------------------------------------------------------------- /docs/SkillAegis-Editor_index.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MISP/SkillAegis/15c5612121aa9fee86461b91f69d0041e4a6449e/docs/SkillAegis-Editor_index.png -------------------------------------------------------------------------------- /docs/SkillAegis-Editor_inject-tester.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MISP/SkillAegis/15c5612121aa9fee86461b91f69d0041e4a6449e/docs/SkillAegis-Editor_inject-tester.png -------------------------------------------------------------------------------- /docs/skillaegis_main_app.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MISP/SkillAegis/15c5612121aa9fee86461b91f69d0041e4a6449e/docs/skillaegis_main_app.png -------------------------------------------------------------------------------- /scenarios/Protect the network.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "exercise": { 3 | "name": "Protect the network!", 4 | "namespace": "suricata", 5 | "description": "Encode IoCs in MISP to protect the infrastructure.", 6 | "meta": { 7 | "author": "MISP Project", 8 | "level": "advanced", 9 | "priority": 10 10 | }, 11 | "uuid": "15024065-dfb6-4bda-bea9-20e0e1abcaf4", 12 | "version": "202492" 13 | }, 14 | "inject_flow": [ 15 | { 16 | "inject_uuid": "31be00f0-65ad-4d78-bf19-7a3895fc6363", 17 | "description": "", 18 | "requirements": {}, 19 | "sequence": { 20 | "followed_by": [], 21 | "trigger": [ 22 | "manual", 23 | "periodic" 24 | ], 25 | "completion_trigger": [] 26 | }, 27 | "timing": { 28 | "triggered_at": null, 29 | "periodic_run_every": 10 30 | } 31 | }, 32 | { 33 | "inject_uuid": "4c42312a-209c-478f-baf7-962a09005c23", 34 | "description": "", 35 | "requirements": {}, 36 | "sequence": { 37 | "followed_by": [], 38 | "trigger": [ 39 | "periodic" 40 | ], 41 | "completion_trigger": [] 42 | }, 43 | "timing": { 44 | "triggered_at": 1800, 45 | "periodic_run_every": 5 46 | } 47 | } 48 | ], 49 | "inject_payloads": [], 50 | "injects": [ 51 | { 52 | "name": "Event Creation", 53 | "action": "", 54 | "target_tool": "MISP", 55 | "uuid": "31be00f0-65ad-4d78-bf19-7a3895fc6363", 56 | "description": "Create an Event that will contains the IoCs", 57 | "inject_evaluation": [ 58 | { 59 | "parameters": [ 60 | { 61 | ".Event.info": { 62 | "comparison": "regex", 63 | "values": [ 64 | ".*team-[0-9]{2}.*" 65 | ] 66 | } 67 | } 68 | ], 69 | "result": "event created", 70 | "evaluation_strategy": "data_filtering", 71 | "evaluation_context": {}, 72 | "score_range": [ 73 | 0, 74 | 20 75 | ] 76 | }, 77 | { 78 | "parameters": [ 79 | { 80 | ".response[].Event.event_creator_email": { 81 | "comparison": "equals", 82 | "values": [ 83 | "{{user_email}}" 84 | ] 85 | } 86 | }, 87 | { 88 | ".response[].Event.info": { 89 | "comparison": "regex", 90 | "values": [ 91 | 
".*team-[0-9]{2}.*" 92 | ] 93 | } 94 | } 95 | ], 96 | "result": "event created", 97 | "evaluation_strategy": "query_search", 98 | "evaluation_context": { 99 | "query_context": { 100 | "url": "/events/restSearch", 101 | "request_method": "POST", 102 | "payload": { 103 | "timestamp": "6h", 104 | "info": "%team-%" 105 | } 106 | } 107 | }, 108 | "score_range": [ 109 | 0, 110 | 20 111 | ] 112 | } 113 | ], 114 | "inject_evaluation_join_type": "OR" 115 | }, 116 | { 117 | "name": "C2 server", 118 | "action": "", 119 | "target_tool": "suricata", 120 | "uuid": "4c42312a-209c-478f-baf7-962a09005c23", 121 | "description": "Block traffic to the C2 server", 122 | "inject_evaluation": [ 123 | { 124 | "parameters": [ 125 | { 126 | ".[].verdict.action": { 127 | "comparison": "equals", 128 | "values": [ 129 | "drop" 130 | ] 131 | }, 132 | ".[].dest_ip": { 133 | "comparison": "equals", 134 | "values": [ 135 | "195.208.152.43" 136 | ] 137 | } 138 | } 139 | ], 140 | "result": "IP Blocked", 141 | "evaluation_strategy": "simulate_ips", 142 | "evaluation_context": { 143 | "query_context": { 144 | "request_method": "POST", 145 | "url": "/attributes/restSearch", 146 | "payload": { 147 | "published": false, 148 | "timestamp": "1d", 149 | "returnFormat": "suricata" 150 | } 151 | } 152 | }, 153 | "score_range": [ 154 | 0, 155 | 10 156 | ] 157 | } 158 | ], 159 | "inject_evaluation_join_type": null 160 | } 161 | ] 162 | } -------------------------------------------------------------------------------- /scenarios/Workflow Exercise.json: -------------------------------------------------------------------------------- 1 | { 2 | "exercise": { 3 | "name": "Workflow Exercise", 4 | "namespace": "misp-workflow", 5 | "description": "Workflow Exercise", 6 | "meta": { 7 | "author": "Sami Mokaddem", 8 | "level": "expert", 9 | "priority": 10 10 | }, 11 | "uuid": "ff5e17cb-9234-4d02-893c-1772f968969f", 12 | "version": "2025411" 13 | }, 14 | "inject_flow": [ 15 | { 16 | "inject_uuid": 
"0bd0e885-9eb0-41b1-a204-9bf9c40785cb", 17 | "description": "", 18 | "requirements": {}, 19 | "sequence": { 20 | "followed_by": [], 21 | "trigger": [ 22 | "startex", 23 | "periodic" 24 | ], 25 | "completion_trigger": [] 26 | }, 27 | "timing": { 28 | "triggered_at": null, 29 | "periodic_run_every": 10 30 | } 31 | }, 32 | { 33 | "inject_uuid": "4e4ea731-9be5-40b2-96ff-a6d52f7e214c", 34 | "description": "", 35 | "requirements": { 36 | "inject_uuid": "0bd0e885-9eb0-41b1-a204-9bf9c40785cb" 37 | }, 38 | "sequence": { 39 | "followed_by": [], 40 | "trigger": [ 41 | "manual" 42 | ], 43 | "completion_trigger": [] 44 | }, 45 | "timing": { 46 | "triggered_at": null, 47 | "periodic_run_every": null 48 | } 49 | }, 50 | { 51 | "inject_uuid": "8126b80f-a0c7-4efd-b570-16ade7e5a353", 52 | "description": "", 53 | "requirements": { 54 | "inject_uuid": "4e4ea731-9be5-40b2-96ff-a6d52f7e214c" 55 | }, 56 | "sequence": { 57 | "followed_by": [], 58 | "trigger": [ 59 | "manual" 60 | ], 61 | "completion_trigger": [] 62 | }, 63 | "timing": { 64 | "triggered_at": null, 65 | "periodic_run_every": null 66 | } 67 | }, 68 | { 69 | "inject_uuid": "bd0ee246-80a4-4863-a75a-3acfc4602303", 70 | "description": "", 71 | "requirements": { 72 | "inject_uuid": "8126b80f-a0c7-4efd-b570-16ade7e5a353" 73 | }, 74 | "sequence": { 75 | "followed_by": [], 76 | "trigger": [ 77 | "manual" 78 | ], 79 | "completion_trigger": [] 80 | }, 81 | "timing": { 82 | "triggered_at": null, 83 | "periodic_run_every": null 84 | } 85 | }, 86 | { 87 | "inject_uuid": "24ae700e-7952-4538-8184-21d12977c8db", 88 | "description": "", 89 | "requirements": { 90 | "inject_uuid": "bd0ee246-80a4-4863-a75a-3acfc4602303" 91 | }, 92 | "sequence": { 93 | "followed_by": [], 94 | "trigger": [ 95 | "manual" 96 | ], 97 | "completion_trigger": [] 98 | }, 99 | "timing": { 100 | "triggered_at": null, 101 | "periodic_run_every": null 102 | } 103 | }, 104 | { 105 | "inject_uuid": "644014c6-b39f-4d75-8be8-7ca1d6ccdf43", 106 | "description": "", 107 | 
"requirements": { 108 | "inject_uuid": "24ae700e-7952-4538-8184-21d12977c8db" 109 | }, 110 | "sequence": { 111 | "followed_by": [], 112 | "trigger": [ 113 | "manual" 114 | ], 115 | "completion_trigger": [] 116 | }, 117 | "timing": { 118 | "triggered_at": null, 119 | "periodic_run_every": null 120 | } 121 | }, 122 | { 123 | "inject_uuid": "05f42195-dccf-447d-8f2d-bf0725e907e6", 124 | "description": "", 125 | "requirements": { 126 | "inject_uuid": "644014c6-b39f-4d75-8be8-7ca1d6ccdf43" 127 | }, 128 | "sequence": { 129 | "followed_by": [], 130 | "trigger": [ 131 | "manual" 132 | ], 133 | "completion_trigger": [] 134 | }, 135 | "timing": { 136 | "triggered_at": null, 137 | "periodic_run_every": null 138 | } 139 | }, 140 | { 141 | "inject_uuid": "b177e518-b709-4eaf-8d85-8851fcbb20bc", 142 | "description": "", 143 | "requirements": { 144 | "inject_uuid": "05f42195-dccf-447d-8f2d-bf0725e907e6" 145 | }, 146 | "sequence": { 147 | "followed_by": [], 148 | "trigger": [ 149 | "manual" 150 | ], 151 | "completion_trigger": [] 152 | }, 153 | "timing": { 154 | "triggered_at": null, 155 | "periodic_run_every": null 156 | } 157 | }, 158 | { 159 | "inject_uuid": "28bec3c6-c941-41d1-b67a-fb48131f0b11", 160 | "description": "", 161 | "requirements": { 162 | "inject_uuid": "b177e518-b709-4eaf-8d85-8851fcbb20bc" 163 | }, 164 | "sequence": { 165 | "followed_by": [], 166 | "trigger": [ 167 | "manual" 168 | ], 169 | "completion_trigger": [] 170 | }, 171 | "timing": { 172 | "triggered_at": null, 173 | "periodic_run_every": null 174 | } 175 | }, 176 | { 177 | "inject_uuid": "47a70f62-f8ce-4c09-af63-f2d28fa4e6e9", 178 | "description": "", 179 | "requirements": { 180 | "inject_uuid": "28bec3c6-c941-41d1-b67a-fb48131f0b11" 181 | }, 182 | "sequence": { 183 | "followed_by": [], 184 | "trigger": [ 185 | "manual" 186 | ], 187 | "completion_trigger": [] 188 | }, 189 | "timing": { 190 | "triggered_at": null, 191 | "periodic_run_every": null 192 | } 193 | }, 194 | { 195 | "inject_uuid": 
"699dd07b-b42f-423e-b23a-1b4f2f454d77", 196 | "description": "", 197 | "requirements": { 198 | "inject_uuid": "47a70f62-f8ce-4c09-af63-f2d28fa4e6e9" 199 | }, 200 | "sequence": { 201 | "followed_by": [], 202 | "trigger": [ 203 | "manual" 204 | ], 205 | "completion_trigger": [] 206 | }, 207 | "timing": { 208 | "triggered_at": null, 209 | "periodic_run_every": null 210 | } 211 | } 212 | ], 213 | "inject_payloads": [], 214 | "injects": [ 215 | { 216 | "name": "Enable Your Workflow", 217 | "action": "", 218 | "target_tool": "MISP", 219 | "uuid": "0bd0e885-9eb0-41b1-a204-9bf9c40785cb", 220 | "description": "Make your workflow executable by enabling it", 221 | "inject_evaluation": [ 222 | { 223 | "parameters": [ 224 | { 225 | ". | map( select(.Workflow.name | contains(\"{{user_email}}\")) ) | map( select(.Workflow.enabled) ) | .[].Workflow.name": { 226 | "extract_type": "all", 227 | "comparison": "count", 228 | "values": [ 229 | ">0" 230 | ] 231 | } 232 | } 233 | ], 234 | "result": "Workflow enabled", 235 | "evaluation_strategy": "query_search", 236 | "evaluation_context": { 237 | "request_is_rest": false, 238 | "query_context": { 239 | "url": "/workflows/adhoc/searchall:Workflow+of%20User/limit:300", 240 | "request_method": "GET", 241 | "payload": {} 242 | } 243 | }, 244 | "score_range": [ 245 | 0, 246 | 1 247 | ] 248 | } 249 | ], 250 | "inject_evaluation_join_type": null 251 | }, 252 | { 253 | "name": "Ping", 254 | "action": "", 255 | "target_tool": "webhook", 256 | "uuid": "4e4ea731-9be5-40b2-96ff-a6d52f7e214c", 257 | "description": "Send the Event for Validation", 258 | "inject_evaluation": [ 259 | { 260 | "parameters": [ 261 | { 262 | "._secret": { 263 | "comparison": "equals", 264 | "values": [ 265 | "__secret_key__" 266 | ] 267 | } 268 | } 269 | ], 270 | "result": "Event was sent for validation", 271 | "evaluation_strategy": "data_filtering", 272 | "evaluation_context": {}, 273 | "score_range": [ 274 | 0, 275 | 10 276 | ] 277 | } 278 | ], 279 | 
"inject_evaluation_join_type": null 280 | }, 281 | { 282 | "name": "Attach Tag I", 283 | "action": "", 284 | "target_tool": "webhook", 285 | "uuid": "8126b80f-a0c7-4efd-b570-16ade7e5a353", 286 | "description": "Attach the tag `misp-workflow:run=\"allowed\"` to the Event", 287 | "inject_evaluation": [ 288 | { 289 | "parameters": [ 290 | { 291 | "._secret": { 292 | "comparison": "equals", 293 | "values": [ 294 | "__secret_key__" 295 | ] 296 | } 297 | }, 298 | { 299 | ".Event.Tag[].name | select((contains(\"workflow-exercise:tag_1\")))": { 300 | "extract_type": "all", 301 | "comparison": "count", 302 | "values": [ 303 | "1" 304 | ] 305 | } 306 | } 307 | ], 308 | "result": "", 309 | "evaluation_strategy": "data_filtering", 310 | "evaluation_context": {}, 311 | "score_range": [ 312 | 0, 313 | 20 314 | ] 315 | } 316 | ], 317 | "inject_evaluation_join_type": null 318 | }, 319 | { 320 | "name": "Enrich Event", 321 | "action": "", 322 | "target_tool": "webhook", 323 | "uuid": "bd0ee246-80a4-4863-a75a-3acfc4602303", 324 | "description": "Enrich the Event with the provided enrichment module", 325 | "inject_evaluation": [ 326 | { 327 | "parameters": [ 328 | { 329 | "._secret": { 330 | "comparison": "equals", 331 | "values": [ 332 | "__secret_key__" 333 | ] 334 | } 335 | }, 336 | { 337 | ".Event.Attribute[] | select(.value == \"misptestluctvnzlxtsk2llvc3zjiqc3ej2ok3kezvbhp2vzov6aflid.onion\") | .Tag[].name": { 338 | "extract_type": "all", 339 | "comparison": "contains", 340 | "values": [ 341 | "dark-web:structure=\"test\"" 342 | ] 343 | } 344 | } 345 | ], 346 | "result": "", 347 | "evaluation_strategy": "data_filtering", 348 | "evaluation_context": {}, 349 | "score_range": [ 350 | 0, 351 | 20 352 | ] 353 | } 354 | ], 355 | "inject_evaluation_join_type": null 356 | }, 357 | { 358 | "name": "Adapt Distribution", 359 | "action": "", 360 | "target_tool": "webhook", 361 | "uuid": "24ae700e-7952-4538-8184-21d12977c8db", 362 | "description": "Change the distribution to \"All 
Communities\" if tlp:white is attached ", 363 | "inject_evaluation": [ 364 | { 365 | "parameters": [ 366 | { 367 | "._secret": { 368 | "comparison": "equals", 369 | "values": [ 370 | "__secret_key__" 371 | ] 372 | } 373 | }, 374 | { 375 | ".Event.Tag[].name | select((contains(\"tlp:white\")))": { 376 | "extract_type": "all", 377 | "comparison": "count", 378 | "values": [ 379 | "1" 380 | ] 381 | } 382 | }, 383 | { 384 | ".Event.distribution": { 385 | "comparison": "equals", 386 | "values": [ 387 | "3" 388 | ] 389 | } 390 | } 391 | ], 392 | "result": "", 393 | "evaluation_strategy": "data_filtering", 394 | "evaluation_context": {}, 395 | "score_range": [ 396 | 0, 397 | 20 398 | ] 399 | } 400 | ], 401 | "inject_evaluation_join_type": null 402 | }, 403 | { 404 | "name": "Add a Note", 405 | "action": "", 406 | "target_tool": "webhook", 407 | "uuid": "644014c6-b39f-4d75-8be8-7ca1d6ccdf43", 408 | "description": "Add a formatted Note using Jinja2", 409 | "inject_evaluation": [ 410 | { 411 | "parameters": [ 412 | { 413 | ".Event.Note[].note": { 414 | "extract_type": "first", 415 | "comparison": "contains", 416 | "values": [ 417 | "{{.webhook_data.Event.Object | length}}", 418 | "{{.webhook_data.Event.attribute_count}}" 419 | ] 420 | } 421 | } 422 | ], 423 | "result": "", 424 | "evaluation_strategy": "misp_query_search", 425 | "evaluation_context": { 426 | "query_context": { 427 | "url": "/events/view/{{.webhook_data.Event.uuid}}.json", 428 | "request_method": "GET" 429 | } 430 | }, 431 | "score_range": [ 432 | 0, 433 | 20 434 | ] 435 | } 436 | ], 437 | "inject_evaluation_join_type": null 438 | }, 439 | { 440 | "name": "Replace tlp:white by tlp:clear", 441 | "action": "", 442 | "target_tool": "webhook", 443 | "uuid": "05f42195-dccf-447d-8f2d-bf0725e907e6", 444 | "description": "Replace all tag tlp:white by tlp:clear", 445 | "inject_evaluation": [ 446 | { 447 | "parameters": [ 448 | { 449 | "._secret": { 450 | "comparison": "equals", 451 | "values": [ 452 | "__secret_key__" 
453 | ] 454 | } 455 | }, 456 | { 457 | ".Event.Attribute | map( select(.value == \"8.8.8.8\" or .value == \"1.1.1.1\" or .value == \"9.9.9.9\" or .value == \"2.2.2.2\") ) | map( if has (\"Tag\") then .Tag[].name else \"\" end ) | map( select(. == \"tlp:clear\") ) | length": { 458 | "comment": "if count is >3, more tlp tags were added, probably because of bad filtering. If <2, not enough were added", 459 | "extract_type": "all", 460 | "comparison": "count", 461 | "values": [ 462 | "3" 463 | ] 464 | } 465 | } 466 | ], 467 | "result": "", 468 | "evaluation_strategy": "data_filtering", 469 | "evaluation_context": {}, 470 | "score_range": [ 471 | 0, 472 | 20 473 | ] 474 | } 475 | ], 476 | "inject_evaluation_join_type": null 477 | }, 478 | { 479 | "name": "Attach Tag II", 480 | "action": "", 481 | "target_tool": "webhook", 482 | "uuid": "b177e518-b709-4eaf-8d85-8851fcbb20bc", 483 | "description": "Attach the tag `take-down` on all Attributes having the tag `active`", 484 | "inject_evaluation": [ 485 | { 486 | "parameters": [ 487 | { 488 | "._secret": { 489 | "comparison": "equals", 490 | "values": [ 491 | "__secret_key__" 492 | ] 493 | } 494 | }, 495 | { 496 | ".Event.Attribute | map(select(has(\"Tag\"))) | map( select(any(.Tag[]; .name==\"adversary:infrastructure-state=\\\"active\\\"\")) ) | map( .Tag[].name ) | map( select(contains(\"adversary:infrastructure-state=\\\"active\\\"\") or contains(\"adversary:infrastructure-action=\\\"take-down\\\"\")) ) | group_by(.) 
| map({name: .[0], count: length}) | .[0].count == .[1].count": { 497 | "comment": "Get All Attributes with the active tag then check if they also have the take-down tag attached", 498 | "extract_type": "first", 499 | "comparison": "equals", 500 | "values": [ 501 | "true" 502 | ] 503 | } 504 | } 505 | ], 506 | "result": "", 507 | "evaluation_strategy": "data_filtering", 508 | "evaluation_context": { 509 | "option_1": { 510 | ".Event.Attribute | map(select(has(\"Tag\"))) | map( select(any(.Tag[]; .name==\"adversary:infrastructure-state=\\\"active\\\"\")) ) | map( .Tag[].name ) | map( select(contains(\"adversary:infrastructure-state=\\\"active\\\"\") or contains(\"adversary:infrastructure-action=\\\"take-down\\\"\")) ) | group_by(.) | map({name: .[0], count: length}) | .[0].count == .[1].count": "Get All Attributes with the active tag then check if they also have the take-down tag attached" 511 | }, 512 | "option_2": { 513 | ".Event.Attribute | map(select(has(\"Tag\"))) | map( select(any(.Tag[]; .name==\"adversary:infrastructure-state=\\\"active\\\"\")) ) | map( .Tag[].name ) | map( select(contains(\"adversary:infrastructure-state=\\\"active\\\"\") or contains(\"adversary:infrastructure-action=\\\"take-down\\\"\")) ) | length / 2": { 514 | "comment": "Get all Attributes with the active tag then check if they all have the take-down tag attached" 515 | } 516 | } 517 | }, 518 | "score_range": [ 519 | 0, 520 | 20 521 | ] 522 | } 523 | ], 524 | "inject_evaluation_join_type": null 525 | }, 526 | { 527 | "name": "False Positive I", 528 | "action": "", 529 | "target_tool": "webhook", 530 | "uuid": "28bec3c6-c941-41d1-b67a-fb48131f0b11", 531 | "description": "Remove the IDS flag of all Attributes of type onion-address", 532 | "inject_evaluation": [ 533 | { 534 | "parameters": [ 535 | { 536 | "._secret": { 537 | "comparison": "equals", 538 | "values": [ 539 | "__secret_key__" 540 | ] 541 | } 542 | }, 543 | { 544 | ".Event._AttributeFlattened | map( select(.type == 
\"onion-address\" and .to_ids==false) ) | length": { 545 | "extract_type": "first", 546 | "comparison": "equals", 547 | "values": [ 548 | "0" 549 | ] 550 | } 551 | } 552 | ], 553 | "result": "", 554 | "evaluation_strategy": "data_filtering", 555 | "evaluation_context": {}, 556 | "score_range": [ 557 | 0, 558 | 20 559 | ] 560 | } 561 | ], 562 | "inject_evaluation_join_type": null 563 | }, 564 | { 565 | "name": "False Positive II", 566 | "action": "", 567 | "target_tool": "webhook", 568 | "uuid": "47a70f62-f8ce-4c09-af63-f2d28fa4e6e9", 569 | "description": "Remove the IDS flag of all Attributes having hit on Warning lists", 570 | "inject_evaluation": [ 571 | { 572 | "parameters": [ 573 | { 574 | "._secret": { 575 | "comparison": "equals", 576 | "values": [ 577 | "__secret_key__" 578 | ] 579 | } 580 | }, 581 | { 582 | ".Event._AttributeFlattened | map( select(has(\"warnings\")) ) | map( select(any(.warnings[]; .warninglist_category==\"false_positive\"))) | map( select(.to_ids==false) ) | length": { 583 | "extract_type": "first", 584 | "comparison": "equals", 585 | "values": [ 586 | "0" 587 | ] 588 | } 589 | } 590 | ], 591 | "result": "", 592 | "evaluation_strategy": "data_filtering", 593 | "evaluation_context": {}, 594 | "score_range": [ 595 | 0, 596 | 20 597 | ] 598 | } 599 | ], 600 | "inject_evaluation_join_type": null 601 | }, 602 | { 603 | "name": "Safe Sharing & Notification", 604 | "action": "", 605 | "target_tool": "webhook", 606 | "uuid": "699dd07b-b42f-423e-b23a-1b4f2f454d77", 607 | "description": "Restrict the sharing of very sensitive IoCs", 608 | "inject_evaluation": [ 609 | { 610 | "parameters": [ 611 | { 612 | "._secret": { 613 | "comparison": "equals", 614 | "values": [ 615 | "__secret_key__" 616 | ] 617 | } 618 | }, 619 | { 620 | ".Event._AttributeFlattened | map( select(.type == \"onion-address\") ) | map( select(has(\"enrichment\")) ) | map( select(any(.enrichment[].Attribute[0].Tag[]; 
.name==\"dark-web:topic=\\\"pornography-child-exploitation\\\"\"))) | map( select(.distribution != \"0\") )": { 621 | "comment": "Filter all onions having the child-exploitation tag, then filter the ones not having distribution=0", 622 | "extract_type": "first", 623 | "comparison": "count", 624 | "values": [ 625 | "0" 626 | ] 627 | } 628 | }, 629 | { 630 | ".Event._AttributeFlattened | map( select(.type == \"onion-address\") ) | map( select(has(\"enrichment\")) ) | map( select(any(.enrichment[].Attribute[0].Tag[]; .name==\"infoleak:automatic-detection=\\\"credit-card\\\"\"))) | map(.Tag[].name) | map( select((contains(\"misp-workflow:action-taken=\\\"email-sent\\\"\"))) )": { 631 | "comment": "Filter all onions having the credit-card tag, then filter the ones having the tag email-sent", 632 | "extract_type": "first", 633 | "comparison": "count", 634 | "values": [ 635 | "1" 636 | ] 637 | } 638 | } 639 | ], 640 | "result": "", 641 | "evaluation_strategy": "data_filtering", 642 | "evaluation_context": {}, 643 | "score_range": [ 644 | 0, 645 | 20 646 | ] 647 | }, 648 | { 649 | "parameters": [ 650 | { 651 | "._secret": { 652 | "comparison": "equals", 653 | "values": [ 654 | "__secret_key__" 655 | ] 656 | } 657 | }, 658 | { 659 | ".Event._AttributeFlattened | map( select(.type == \"onion-address\") ) | map( select(any(.Tag[]; .name==\"dark-web:topic=\\\"pornography-child-exploitation\\\"\"))) | map( select(.distribution != \"0\") )": { 660 | "comment": "Filter all onions having the child-exploitation tag, then filter the ones not having distribution=0", 661 | "extract_type": "first", 662 | "comparison": "count", 663 | "values": [ 664 | "0" 665 | ] 666 | } 667 | }, 668 | { 669 | ".Event._AttributeFlattened | map( select(.type == \"onion-address\") ) | map( select(any(.Tag[]; .name==\"infoleak:automatic-detection=\\\"credit-card\\\"\"))) | map(.Tag[].name) | map( select((contains(\"misp-workflow:action-taken=\\\"email-sent\\\"\"))) )": { 670 | "comment": "Filter all onions 
having the credit-card tag, then filter the ones having the tag email-sent", 671 | "extract_type": "first", 672 | "comparison": "count", 673 | "values": [ 674 | "2" 675 | ] 676 | } 677 | } 678 | ], 679 | "result": "", 680 | "evaluation_strategy": "data_filtering", 681 | "evaluation_context": {}, 682 | "score_range": [ 683 | 0, 684 | 20 685 | ] 686 | } 687 | ], 688 | "inject_evaluation_join_type": "OR" 689 | } 690 | ] 691 | } -------------------------------------------------------------------------------- /scenarios/basic-event-creation.json: -------------------------------------------------------------------------------- 1 | { 2 | "exercise": { 3 | "description": "Simple Data Creation: Creation of an Event using the API", 4 | "expanded": "Simple Data Creation: Creation of an Event using the API", 5 | "meta": { 6 | "author": "MISP Project", 7 | "level": "beginner", 8 | "priority": 1 9 | }, 10 | "name": "API: Simple Data Creation", 11 | "namespace": "misp-only", 12 | "tags": [ 13 | "exercise:software-scope=\"misp\"", 14 | "state:production" 15 | ], 16 | "total_duration": "7200", 17 | "uuid": "29324587-db6c-4a73-a209-cf8c79871629", 18 | "version": "202492" 19 | }, 20 | "inject_flow": [ 21 | { 22 | "description": "Event Creation", 23 | "inject_uuid": "a6b5cf88-ba93-4c3f-8265-04e00d53778e", 24 | "reporting_callback": [], 25 | "requirements": {}, 26 | "sequence": { 27 | "completion_trigger": [ 28 | "time_expiration", 29 | "completion" 30 | ], 31 | "followed_by": [ 32 | "00275360-d84a-4ce7-84fc-98baefd13776" 33 | ], 34 | "trigger": [ 35 | "startex" 36 | ] 37 | }, 38 | "timing": { 39 | "triggered_at": null, 40 | "periodic_run_every": null 41 | } 42 | }, 43 | { 44 | "description": "Attributes Creation", 45 | "inject_uuid": "00275360-d84a-4ce7-84fc-98baefd13776", 46 | "reporting_callback": [], 47 | "requirements": { 48 | "inject_uuid": "a6b5cf88-ba93-4c3f-8265-04e00d53778e", 49 | "resolution_requirement": "MISP Event created" 50 | }, 51 | "sequence": { 52 | 
"completion_trigger": [ 53 | "time_expiration", 54 | "completion" 55 | ], 56 | "followed_by": [ 57 | "be1c3d25-e0df-4492-bdc1-f2e825194ef3" 58 | ], 59 | "trigger": [] 60 | }, 61 | "timing": { 62 | "triggered_at": null, 63 | "periodic_run_every": null 64 | } 65 | }, 66 | { 67 | "description": "Object Creation", 68 | "inject_uuid": "be1c3d25-e0df-4492-bdc1-f2e825194ef3", 69 | "reporting_callback": [], 70 | "requirements": { 71 | "inject_uuid": "a6b5cf88-ba93-4c3f-8265-04e00d53778e", 72 | "resolution_requirement": "MISP Event created" 73 | }, 74 | "sequence": { 75 | "completion_trigger": [ 76 | "time_expiration", 77 | "completion" 78 | ], 79 | "followed_by": [ 80 | "cf149a8c-5601-4eec-aea3-5142170d309b" 81 | ], 82 | "trigger": [] 83 | }, 84 | "timing": { 85 | "triggered_at": null, 86 | "periodic_run_every": null 87 | } 88 | }, 89 | { 90 | "inject_uuid": "cf149a8c-5601-4eec-aea3-5142170d309b", 91 | "description": "Edition to `org-only`", 92 | "requirements": { 93 | "inject_uuid": "00275360-d84a-4ce7-84fc-98baefd13776", 94 | "resolution_requirement": "MISP Attributes created" 95 | }, 96 | "sequence": { 97 | "completion_trigger": [ 98 | "time_expiration", 99 | "completion" 100 | ], 101 | "followed_by": [ 102 | "b4a8c490-4f0a-4a33-bee1-044b9f659e83" 103 | ], 104 | "trigger": [] 105 | }, 106 | "timing": { 107 | "triggered_at": null, 108 | "periodic_run_every": null 109 | } 110 | }, 111 | { 112 | "inject_uuid": "b4a8c490-4f0a-4a33-bee1-044b9f659e83", 113 | "description": "Tagging `tlp:green`", 114 | "requirements": { 115 | "inject_uuid": "00275360-d84a-4ce7-84fc-98baefd13776", 116 | "resolution_requirement": "MISP Attributes created" 117 | }, 118 | "sequence": { 119 | "completion_trigger": [ 120 | "time_expiration", 121 | "completion" 122 | ], 123 | "followed_by": [], 124 | "trigger": [] 125 | }, 126 | "timing": { 127 | "triggered_at": null, 128 | "periodic_run_every": null 129 | } 130 | } 131 | ], 132 | "inject_payloads": [], 133 | "injects": [ 134 | { 135 | "action": 
"event_creation", 136 | "inject_evaluation": [ 137 | { 138 | "parameters": [ 139 | { 140 | ".response[].Event.event_creator_email": { 141 | "comparison": "equals", 142 | "values": [ 143 | "{{user_email}}" 144 | ] 145 | } 146 | }, 147 | { 148 | ".response[].Event.info": { 149 | "comparison": "contains", 150 | "values": [ 151 | "event", 152 | "API" 153 | ] 154 | } 155 | } 156 | ], 157 | "result": "MISP Event created", 158 | "evaluation_strategy": "query_search", 159 | "evaluation_context": { 160 | "request_is_rest": true, 161 | "query_context": { 162 | "url": "/events/restSearch", 163 | "request_method": "POST", 164 | "payload": { 165 | "timestamp": "10d", 166 | "eventinfo": "%API%" 167 | } 168 | } 169 | }, 170 | "score_range": [ 171 | 0, 172 | 20 173 | ] 174 | } 175 | ], 176 | "name": "Event Creation", 177 | "target_tool": "MISP", 178 | "uuid": "a6b5cf88-ba93-4c3f-8265-04e00d53778e" 179 | }, 180 | { 181 | "action": "attribute_creation", 182 | "inject_evaluation": [ 183 | { 184 | "parameters": [ 185 | { 186 | ".Event.info": { 187 | "comparison": "contains", 188 | "values": [ 189 | "event", 190 | "API" 191 | ] 192 | } 193 | }, 194 | { 195 | "[.Event.Object[].Attribute[], .Event.Attribute[]] | .[] | select((.type == \"ip-dst\")).value": { 196 | "comparison": "contains", 197 | "values": [ 198 | "4.3.2.1" 199 | ] 200 | } 201 | }, 202 | { 203 | "[.Event.Object[].Attribute[], .Event.Attribute[]] | .[] | select((.type == \"domain\")).value": { 204 | "comparison": "contains", 205 | "values": [ 206 | "evil.com" 207 | ] 208 | } 209 | }, 210 | { 211 | "[.Event.Object[].Attribute[], .Event.Attribute[]] | .[] | select((.type == \"filename\")).value": { 212 | "comparison": "contains", 213 | "values": [ 214 | "evil.exe" 215 | ] 216 | } 217 | } 218 | ], 219 | "result": "MISP Attributes created", 220 | "evaluation_strategy": "data_filtering", 221 | "evaluation_context": { 222 | "request_is_rest": true 223 | }, 224 | "score_range": [ 225 | 0, 226 | 30 227 | ] 228 | } 229 | ], 230 | 
"name": "Attributes Creation", 231 | "target_tool": "MISP", 232 | "uuid": "00275360-d84a-4ce7-84fc-98baefd13776" 233 | }, 234 | { 235 | "action": "object_creation", 236 | "inject_evaluation": [ 237 | { 238 | "parameters": [ 239 | { 240 | ".Event.info": { 241 | "comparison": "contains", 242 | "values": [ 243 | "event", 244 | "API" 245 | ] 246 | } 247 | }, 248 | { 249 | ".Event.Object[] | select(.name == \"domain-ip\")": { 250 | "comparison": "count", 251 | "values": [ 252 | ">0" 253 | ] 254 | } 255 | } 256 | ], 257 | "result": "MISP Object created`", 258 | "evaluation_strategy": "data_filtering", 259 | "evaluation_context": { 260 | "request_is_rest": true 261 | }, 262 | "score_range": [ 263 | 0, 264 | 10 265 | ] 266 | }, 267 | { 268 | "parameters": [ 269 | { 270 | ".Event.info": { 271 | "comparison": "contains", 272 | "values": [ 273 | "event", 274 | "API" 275 | ] 276 | } 277 | }, 278 | { 279 | ".Event.Object[] | select(.name == \"domain-ip\") | .Attribute[] | select((.type == \"ip\")).value": { 280 | "comparison": "contains", 281 | "values": [ 282 | "4.3.2.1" 283 | ] 284 | } 285 | }, 286 | { 287 | ".Event.Object[] | select(.name == \"domain-ip\") | .Attribute[] | select((.type == \"domain\")).value": { 288 | "comparison": "contains", 289 | "values": [ 290 | "foobar.baz" 291 | ] 292 | } 293 | }, 294 | { 295 | ".Event.Object[] | select(.name == \"domain-ip\") | .Attribute[] | select((.type == \"text\")).value": { 296 | "comparison": "contains", 297 | "values": [ 298 | "Classified information" 299 | ] 300 | } 301 | } 302 | ], 303 | "result": "MISP Object's Attributes created`", 304 | "evaluation_strategy": "data_filtering", 305 | "evaluation_context": { 306 | "request_is_rest": true 307 | }, 308 | "score_range": [ 309 | 0, 310 | 10 311 | ] 312 | } 313 | ], 314 | "name": "Object Creation", 315 | "target_tool": "MISP", 316 | "uuid": "be1c3d25-e0df-4492-bdc1-f2e825194ef3" 317 | }, 318 | { 319 | "name": "Edition to `org-only`", 320 | "action": "edition_org_only", 321 | 
"target_tool": "MISP", 322 | "uuid": "cf149a8c-5601-4eec-aea3-5142170d309b", 323 | "description": null, 324 | "inject_evaluation": [ 325 | { 326 | "parameters": [ 327 | { 328 | ".Event.info": { 329 | "comparison": "contains", 330 | "values": [ 331 | "event", 332 | "API" 333 | ] 334 | } 335 | }, 336 | { 337 | ".Event.Attribute[] | select((.type == \"text\") and (.value == \"Classified information\")).distribution": { 338 | "comparison": "contains", 339 | "values": [ 340 | 0 341 | ] 342 | } 343 | } 344 | ], 345 | "result": "MISP Edition `org-only` done", 346 | "evaluation_strategy": "data_filtering", 347 | "evaluation_context": { 348 | "request_is_rest": true 349 | }, 350 | "score_range": [ 351 | 0, 352 | 10 353 | ] 354 | } 355 | ] 356 | }, 357 | { 358 | "name": "Tagging `tlp:green`", 359 | "action": "tagging_tlp_green", 360 | "target_tool": "MISP", 361 | "uuid": "b4a8c490-4f0a-4a33-bee1-044b9f659e83", 362 | "description": null, 363 | "inject_evaluation": [ 364 | { 365 | "parameters": [ 366 | { 367 | ".Event.info": { 368 | "comparison": "contains", 369 | "values": [ 370 | "event", 371 | "API" 372 | ] 373 | } 374 | }, 375 | { 376 | ".Event.Attribute[] | select((.type == \"ip-dst\") and (.value == \"1.2.3.4\")).Tag[].name": { 377 | "comparison": "contains", 378 | "values": [ 379 | "tlp:green" 380 | ] 381 | } 382 | } 383 | ], 384 | "result": "MISP Tagging `tlp:green` done", 385 | "evaluation_strategy": "data_filtering", 386 | "evaluation_context": { 387 | "request_is_rest": true 388 | }, 389 | "score_range": [ 390 | 0, 391 | 20 392 | ] 393 | } 394 | ] 395 | } 396 | ] 397 | } -------------------------------------------------------------------------------- /scenarios/basic-filtering.json: -------------------------------------------------------------------------------- 1 | { 2 | "exercise": { 3 | "description": "Basic Filtering: Usage of the API to filter data", 4 | "expanded": "Basic Filtering: Usage of the API to filter data", 5 | "meta": { 6 | "author": "MISP Project", 
7 | "level": "beginner", 8 | "priority": 2 9 | }, 10 | "name": "API: Basic Filtering", 11 | "namespace": "misp-only", 12 | "tags": [ 13 | "exercise:software-scope=\"misp\"", 14 | "state:production" 15 | ], 16 | "total_duration": "7200", 17 | "uuid": "4703a4b2-0ae4-47f3-9dc3-91250be60156", 18 | "version": "202492" 19 | }, 20 | "inject_flow": [ 21 | { 22 | "inject_uuid": "156ca5fd-841d-42bc-b2f9-80f71f81c532", 23 | "description": "", 24 | "requirements": {}, 25 | "sequence": { 26 | "completion_trigger": [ 27 | "time_expiration", 28 | "completion" 29 | ], 30 | "followed_by": [], 31 | "trigger": [] 32 | }, 33 | "timing": { 34 | "triggered_at": null, 35 | "periodic_run_every": null 36 | } 37 | }, 38 | { 39 | "inject_uuid": "0f70f7dc-cada-4a27-9766-eac9938a3239", 40 | "description": "", 41 | "requirements": { 42 | "inject_uuid": "156ca5fd-841d-42bc-b2f9-80f71f81c532" 43 | }, 44 | "sequence": { 45 | "followed_by": [], 46 | "trigger": [], 47 | "completion_trigger": [] 48 | }, 49 | "timing": { 50 | "triggered_at": null, 51 | "periodic_run_every": null 52 | } 53 | }, 54 | { 55 | "inject_uuid": "7eaf1a6b-4dab-4860-88a6-14f65798f7f4", 56 | "description": "", 57 | "requirements": { 58 | "inject_uuid": "0f70f7dc-cada-4a27-9766-eac9938a3239" 59 | }, 60 | "sequence": { 61 | "followed_by": [], 62 | "trigger": [], 63 | "completion_trigger": [] 64 | }, 65 | "timing": { 66 | "triggered_at": null, 67 | "periodic_run_every": null 68 | } 69 | }, 70 | { 71 | "inject_uuid": "e2216993-6192-4e7c-ae30-97cfe9de61b4", 72 | "description": "Get Published in the past 48h", 73 | "requirements": { 74 | "inject_uuid": "7eaf1a6b-4dab-4860-88a6-14f65798f7f4" 75 | }, 76 | "sequence": { 77 | "completion_trigger": [ 78 | "time_expiration", 79 | "completion" 80 | ], 81 | "followed_by": [ 82 | "caf68c86-65ed-4df3-99b8-7e346fa498ba" 83 | ], 84 | "trigger": [] 85 | }, 86 | "timing": { 87 | "triggered_at": null, 88 | "periodic_run_every": null 89 | } 90 | }, 91 | { 92 | "description": "IP IoCs changed in the 
past 48h in CSV", 93 | "inject_uuid": "caf68c86-65ed-4df3-99b8-7e346fa498ba", 94 | "reporting_callback": [], 95 | "requirements": { 96 | "inject_uuid": "e2216993-6192-4e7c-ae30-97cfe9de61b4" 97 | }, 98 | "sequence": { 99 | "completion_trigger": [ 100 | "time_expiration", 101 | "completion" 102 | ], 103 | "followed_by": [ 104 | "3e96fb13-4aba-448c-8d79-efb93392cc88" 105 | ], 106 | "trigger": [] 107 | }, 108 | "timing": { 109 | "triggered_at": null, 110 | "periodic_run_every": null 111 | } 112 | }, 113 | { 114 | "inject_uuid": "3e96fb13-4aba-448c-8d79-efb93392cc88", 115 | "description": "First 20 Attribute with TLP lower than `amber`", 116 | "requirements": { 117 | "inject_uuid": "caf68c86-65ed-4df3-99b8-7e346fa498ba" 118 | }, 119 | "sequence": { 120 | "completion_trigger": [ 121 | "time_expiration", 122 | "completion" 123 | ], 124 | "followed_by": [ 125 | "1da0fdc8-9d0d-4618-a811-66491e196833" 126 | ], 127 | "trigger": [] 128 | }, 129 | "timing": { 130 | "triggered_at": null, 131 | "periodic_run_every": null 132 | } 133 | }, 134 | { 135 | "inject_uuid": "1da0fdc8-9d0d-4618-a811-66491e196833", 136 | "description": "Event count with `Phishing - T1566` involved", 137 | "requirements": { 138 | "inject_uuid": "3e96fb13-4aba-448c-8d79-efb93392cc88" 139 | }, 140 | "sequence": { 141 | "completion_trigger": [ 142 | "time_expiration", 143 | "completion" 144 | ], 145 | "followed_by": [], 146 | "trigger": [] 147 | }, 148 | "timing": { 149 | "triggered_at": null, 150 | "periodic_run_every": null 151 | } 152 | } 153 | ], 154 | "inject_payloads": [], 155 | "injects": [ 156 | { 157 | "name": "Get your user info", 158 | "action": "", 159 | "target_tool": "MISP", 160 | "uuid": "156ca5fd-841d-42bc-b2f9-80f71f81c532", 161 | "description": "Get the information about your user", 162 | "inject_evaluation": [ 163 | { 164 | "parameters": [], 165 | "result": "Get your user info", 166 | "evaluation_strategy": "query_mirror", 167 | "evaluation_context": { 168 | "request_is_rest": true, 169 | 
"query_context": { 170 | "url": "/users/view/me", 171 | "request_method": "GET" 172 | } 173 | }, 174 | "score_range": [ 175 | 0, 176 | 20 177 | ] 178 | } 179 | ], 180 | "inject_evaluation_join_type": null 181 | }, 182 | { 183 | "name": "tlp:green Events", 184 | "action": "", 185 | "target_tool": "MISP", 186 | "uuid": "0f70f7dc-cada-4a27-9766-eac9938a3239", 187 | "description": "Get all tlp:green Events", 188 | "inject_evaluation": [ 189 | { 190 | "parameters": [ 191 | { 192 | "tags": "tlp:green" 193 | } 194 | ], 195 | "result": "tlp:green Events", 196 | "evaluation_strategy": "query_mirror", 197 | "evaluation_context": { 198 | "request_is_rest": true, 199 | "query_context": { 200 | "url": "/events/restSearch", 201 | "request_method": "POST" 202 | } 203 | }, 204 | "score_range": [ 205 | 0, 206 | 20 207 | ] 208 | }, 209 | { 210 | "parameters": [ 211 | { 212 | "tags": [ 213 | "tlp:green" 214 | ] 215 | } 216 | ], 217 | "result": "tlp:green Events", 218 | "evaluation_strategy": "query_mirror", 219 | "evaluation_context": { 220 | "request_is_rest": true, 221 | "query_context": { 222 | "url": "/events/index", 223 | "request_method": "POST" 224 | } 225 | }, 226 | "score_range": [ 227 | 0, 228 | 20 229 | ] 230 | } 231 | ], 232 | "inject_evaluation_join_type": "OR" 233 | }, 234 | { 235 | "name": "All URLs", 236 | "action": "", 237 | "target_tool": "MISP", 238 | "uuid": "7eaf1a6b-4dab-4860-88a6-14f65798f7f4", 239 | "description": "Get all URLs", 240 | "inject_evaluation": [ 241 | { 242 | "parameters": [ 243 | { 244 | "type": "url" 245 | } 246 | ], 247 | "result": "All URLs", 248 | "evaluation_strategy": "query_mirror", 249 | "evaluation_context": { 250 | "request_is_rest": true, 251 | "query_context": { 252 | "url": "/attributes/restSearch", 253 | "request_method": "POST" 254 | } 255 | }, 256 | "score_range": [ 257 | 0, 258 | 20 259 | ] 260 | } 261 | ], 262 | "inject_evaluation_join_type": null 263 | }, 264 | { 265 | "name": "Get Published in the past 48h", 266 | "action": 
"published_48", 267 | "target_tool": "MISP", 268 | "uuid": "e2216993-6192-4e7c-ae30-97cfe9de61b4", 269 | "description": null, 270 | "inject_evaluation": [ 271 | { 272 | "parameters": [ 273 | { 274 | "publish_timestamp": "48h", 275 | "published": 1 276 | } 277 | ], 278 | "result": "Published 48h retrieved", 279 | "evaluation_strategy": "query_mirror", 280 | "evaluation_context": { 281 | "request_is_rest": true, 282 | "query_context": { 283 | "url": "/attributes/restSearch", 284 | "request_method": "POST" 285 | } 286 | }, 287 | "score_range": [ 288 | 0, 289 | 20 290 | ] 291 | } 292 | ], 293 | "inject_evaluation_join_type": null 294 | }, 295 | { 296 | "action": "ip_csv", 297 | "inject_evaluation": [ 298 | { 299 | "parameters": [ 300 | { 301 | "type": [ 302 | "ip-src", 303 | "ip-dst" 304 | ], 305 | "timestamp": "48h", 306 | "to_ids": 1, 307 | "returnFormat": "csv" 308 | } 309 | ], 310 | "result": "IP CSV retrieved", 311 | "evaluation_strategy": "query_mirror", 312 | "evaluation_context": { 313 | "request_is_rest": true, 314 | "query_context": { 315 | "url": "/attributes/restSearch", 316 | "request_method": "POST" 317 | } 318 | }, 319 | "score_range": [ 320 | 0, 321 | 40 322 | ] 323 | } 324 | ], 325 | "name": "IP IoCs changed in the past 48h in CSV", 326 | "target_tool": "MISP", 327 | "uuid": "caf68c86-65ed-4df3-99b8-7e346fa498ba" 328 | }, 329 | { 330 | "name": "First 20 Attribute with TLP lower than `amber`", 331 | "action": "20_tlp", 332 | "target_tool": "MISP", 333 | "uuid": "3e96fb13-4aba-448c-8d79-efb93392cc88", 334 | "description": null, 335 | "inject_evaluation": [ 336 | { 337 | "parameters": [ 338 | { 339 | "page": 1, 340 | "limit": 20, 341 | "tags": [ 342 | "tlp:white", 343 | "tlp:clear", 344 | "tlp:green" 345 | ] 346 | } 347 | ], 348 | "result": "20 Attribute tagged retrieved", 349 | "evaluation_strategy": "query_mirror", 350 | "evaluation_context": { 351 | "request_is_rest": true, 352 | "query_context": { 353 | "url": "/attributes/restSearch", 354 | 
"request_method": "POST" 355 | } 356 | }, 357 | "score_range": [ 358 | 0, 359 | 30 360 | ] 361 | } 362 | ], 363 | "inject_evaluation_join_type": null 364 | }, 365 | { 366 | "name": "Event count with `Phishing - T1566` involved", 367 | "action": "phishing_count", 368 | "target_tool": "MISP", 369 | "uuid": "1da0fdc8-9d0d-4618-a811-66491e196833", 370 | "description": null, 371 | "inject_evaluation": [ 372 | { 373 | "parameters": [ 374 | { 375 | "returnFormat": "attack", 376 | "tags": [ 377 | "misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\"" 378 | ] 379 | } 380 | ], 381 | "result": "Phishing counted", 382 | "evaluation_strategy": "query_mirror", 383 | "evaluation_context": { 384 | "request_is_rest": true, 385 | "query_context": { 386 | "url": "/events/restSearch", 387 | "request_method": "POST" 388 | } 389 | }, 390 | "score_range": [ 391 | 0, 392 | 10 393 | ] 394 | } 395 | ], 396 | "inject_evaluation_join_type": null 397 | } 398 | ] 399 | } -------------------------------------------------------------------------------- /scenarios/flubot-malware.json: -------------------------------------------------------------------------------- 1 | { 2 | "exercise": { 3 | "description": "MISP Encoding Exercise : Flubot Malware", 4 | "expanded": "MISP Encoding Exercise : Flubot Malware", 5 | "meta": { 6 | "author": "MISP Project", 7 | "level": "beginner", 8 | "priority": 5 9 | }, 10 | "name": "MISP Encoding Exercise : Flubot Malware", 11 | "namespace": "data-model", 12 | "tags": [ 13 | "exercise:software-scope=\"misp\"", 14 | "state:production" 15 | ], 16 | "total_duration": "7200", 17 | "uuid": "a7cb0e57-83f4-4c10-9f5f-6c54877b685e", 18 | "version": "20240702" 19 | }, 20 | "inject_flow": [ 21 | { 22 | "inject_uuid": "104377cb-cb45-4f6e-affb-2bc1350a4212", 23 | "description": "phishing-sms", 24 | "requirements": {}, 25 | "sequence": { 26 | "completion_trigger": [ 27 | "time_expiration", 28 | "completion" 29 | ], 30 | "followed_by": [], 31 | "trigger": [] 32 | }, 33 | "timing": { 
34 | "triggered_at": null, 35 | "periodic_run_every": null 36 | } 37 | }, 38 | { 39 | "inject_uuid": "5a449087-ff74-4dea-9d97-d09dd2abe0b8", 40 | "description": "phone-number", 41 | "requirements": {}, 42 | "sequence": { 43 | "completion_trigger": [ 44 | "time_expiration", 45 | "completion" 46 | ], 47 | "followed_by": [], 48 | "trigger": [] 49 | }, 50 | "timing": { 51 | "triggered_at": null, 52 | "periodic_run_every": null 53 | } 54 | }, 55 | { 56 | "inject_uuid": "1729e6f9-b899-47b4-b3e8-c3e02f2a2ff8", 57 | "description": "phishing-url&IP", 58 | "requirements": {}, 59 | "sequence": { 60 | "completion_trigger": [ 61 | "time_expiration", 62 | "completion" 63 | ], 64 | "followed_by": [], 65 | "trigger": [] 66 | }, 67 | "timing": { 68 | "triggered_at": null, 69 | "periodic_run_every": null 70 | } 71 | }, 72 | { 73 | "inject_uuid": "a4ba921e-744f-4f58-9958-a7d59ff5ff62", 74 | "description": "apk", 75 | "requirements": {}, 76 | "sequence": { 77 | "completion_trigger": [ 78 | "time_expiration", 79 | "completion" 80 | ], 81 | "followed_by": [], 82 | "trigger": [] 83 | }, 84 | "timing": { 85 | "triggered_at": null, 86 | "periodic_run_every": null 87 | } 88 | }, 89 | { 90 | "inject_uuid": "9dc28a53-9011-4cb0-b9df-bff3fe095de1", 91 | "description": "CVE", 92 | "requirements": {}, 93 | "sequence": { 94 | "completion_trigger": [ 95 | "time_expiration", 96 | "completion" 97 | ], 98 | "followed_by": [], 99 | "trigger": [] 100 | }, 101 | "timing": { 102 | "triggered_at": null, 103 | "periodic_run_every": null 104 | } 105 | }, 106 | { 107 | "inject_uuid": "f995b04d-4648-41b6-893b-19eeebd365ef", 108 | "description": "c2", 109 | "requirements": {}, 110 | "sequence": { 111 | "completion_trigger": [ 112 | "time_expiration", 113 | "completion" 114 | ], 115 | "followed_by": [], 116 | "trigger": [] 117 | }, 118 | "timing": { 119 | "triggered_at": null, 120 | "periodic_run_every": null 121 | } 122 | }, 123 | { 124 | "inject_uuid": "2d9a7cf7-25d2-4224-9f61-6aba91adfa78", 125 | 
"description": "yara", 126 | "requirements": {}, 127 | "sequence": { 128 | "completion_trigger": [ 129 | "time_expiration", 130 | "completion" 131 | ], 132 | "followed_by": [], 133 | "trigger": [] 134 | }, 135 | "timing": { 136 | "triggered_at": null, 137 | "periodic_run_every": null 138 | } 139 | }, 140 | { 141 | "inject_uuid": "05b3e7aa-b761-4f65-92e9-eed84e48a6a4", 142 | "description": "Contextualization", 143 | "requirements": {}, 144 | "sequence": { 145 | "completion_trigger": [ 146 | "time_expiration", 147 | "completion" 148 | ], 149 | "followed_by": [], 150 | "trigger": [] 151 | }, 152 | "timing": { 153 | "triggered_at": null, 154 | "periodic_run_every": null 155 | } 156 | }, 157 | { 158 | "inject_uuid": "49df070b-f6fc-47c3-bf43-92454f1582d5", 159 | "description": "Published", 160 | "requirements": {}, 161 | "sequence": { 162 | "completion_trigger": [ 163 | "time_expiration", 164 | "completion" 165 | ], 166 | "followed_by": [], 167 | "trigger": [] 168 | }, 169 | "timing": { 170 | "triggered_at": null, 171 | "periodic_run_every": null 172 | } 173 | } 174 | ], 175 | "inject_payloads": [], 176 | "injects": [ 177 | { 178 | "name": "Phishing SMS", 179 | "action": "phishing-sms", 180 | "target_tool": "MISP", 181 | "uuid": "104377cb-cb45-4f6e-affb-2bc1350a4212", 182 | "description": null, 183 | "inject_evaluation": [ 184 | { 185 | "parameters": [ 186 | { 187 | ".Event.Object[] | select((.name == \"short-message-service\")).Attribute[] | select((.type == \"text\")).value": { 188 | "extract_type": "all", 189 | "comparison": "contains-regex", 190 | "values": [ 191 | "Missed Call: You have a missed call\\..*" 192 | ] 193 | } 194 | } 195 | ], 196 | "result": "SMS added", 197 | "evaluation_strategy": "data_filtering", 198 | "evaluation_context": {}, 199 | "score_range": [ 200 | 0, 201 | 20 202 | ] 203 | } 204 | ], 205 | "inject_evaluation_join_type": null 206 | }, 207 | { 208 | "name": "Phone Number", 209 | "action": "phone-number", 210 | "target_tool": "MISP", 211 | 
"uuid": "5a449087-ff74-4dea-9d97-d09dd2abe0b8", 212 | "description": null, 213 | "inject_evaluation": [ 214 | { 215 | "parameters": [ 216 | { 217 | "[.Event.Object[].Attribute[], .Event.Attribute[]] | .[] | select((.type == \"phone-number\")).value": { 218 | "extract_type": "all", 219 | "comparison": "contains-regex", 220 | "values": [ 221 | "\\+?352131575" 222 | ] 223 | } 224 | } 225 | ], 226 | "result": "Phone Number added", 227 | "evaluation_strategy": "data_filtering", 228 | "evaluation_context": {}, 229 | "score_range": [ 230 | 0, 231 | 20 232 | ] 233 | } 234 | ], 235 | "inject_evaluation_join_type": null 236 | }, 237 | { 238 | "name": "Download URL & IP", 239 | "action": "url", 240 | "target_tool": "MISP", 241 | "uuid": "1729e6f9-b899-47b4-b3e8-c3e02f2a2ff8", 242 | "description": null, 243 | "inject_evaluation": [ 244 | { 245 | "parameters": [ 246 | { 247 | ".Event.Object[].Attribute[] | select((.type == \"url\")).value": { 248 | "extract_type": "all", 249 | "comparison": "equals", 250 | "values": [ 251 | "https://evilprovider.com/r.php?e1525c0f" 252 | ] 253 | } 254 | }, 255 | { 256 | ".Event.Object[].Attribute[] | select(.object_relation == \"query_string\").value": { 257 | "extract_type": "all", 258 | "comparison": "equals", 259 | "values": [ 260 | ".?e1525c0f" 261 | ] 262 | } 263 | } 264 | ], 265 | "result": "Download URL added", 266 | "evaluation_strategy": "data_filtering", 267 | "evaluation_context": {}, 268 | "score_range": [ 269 | 0, 270 | 20 271 | ] 272 | } 273 | ], 274 | "inject_evaluation_join_type": null 275 | }, 276 | { 277 | "name": "Malicious APK", 278 | "action": "apk", 279 | "target_tool": "MISP", 280 | "uuid": "a4ba921e-744f-4f58-9958-a7d59ff5ff62", 281 | "description": null, 282 | "inject_evaluation": [ 283 | { 284 | "parameters": [ 285 | { 286 | ".Event.Object[].Attribute[] | select((.type == \"sha1\")).value": { 287 | "extract_type": "all", 288 | "comparison": "equals", 289 | "values": [ 290 | "4714aaa5195da29c6e74aeee9e9f19678af5c15b" 
291 | ] 292 | } 293 | } 294 | ], 295 | "result": "APK added", 296 | "evaluation_strategy": "data_filtering", 297 | "evaluation_context": {}, 298 | "score_range": [ 299 | 0, 300 | 20 301 | ] 302 | } 303 | ], 304 | "inject_evaluation_join_type": null 305 | }, 306 | { 307 | "name": "CVE", 308 | "action": "cve", 309 | "target_tool": "MISP", 310 | "uuid": "9dc28a53-9011-4cb0-b9df-bff3fe095de1", 311 | "description": null, 312 | "inject_evaluation": [ 313 | { 314 | "parameters": [ 315 | { 316 | "[.Event.Object[].Attribute[], .Event.Attribute[]] | .[] | select((.type == \"vulnerability\")).value": { 317 | "extract_type": "all", 318 | "comparison": "equals", 319 | "values": [ 320 | "CVE-2022-27835" 321 | ] 322 | } 323 | } 324 | ], 325 | "result": "CVE added", 326 | "evaluation_strategy": "data_filtering", 327 | "evaluation_context": {}, 328 | "score_range": [ 329 | 0, 330 | 20 331 | ] 332 | } 333 | ], 334 | "inject_evaluation_join_type": null 335 | }, 336 | { 337 | "name": "C2 Server", 338 | "action": "c2", 339 | "target_tool": "MISP", 340 | "uuid": "f995b04d-4648-41b6-893b-19eeebd365ef", 341 | "description": null, 342 | "inject_evaluation": [ 343 | { 344 | "parameters": [ 345 | { 346 | ".Event.Object[] | select((.name == \"url\")).Attribute[] | select((.type == \"url\")).value": { 347 | "extract_type": "all", 348 | "comparison": "equals", 349 | "values": [ 350 | "https://another.evil.provider.com:42666/c.php?e1525c0f" 351 | ] 352 | } 353 | }, 354 | { 355 | ".Event.Object[] | select((.name == \"url\")).Attribute[] | select((.type == \"domain\") or (.type == \"hostname\")).value": { 356 | "extract_type": "all", 357 | "comparison": "equals", 358 | "values": [ 359 | "another.evil.provider.com" 360 | ] 361 | } 362 | }, 363 | { 364 | ".Event.Object[] | select((.name == \"url\")).Attribute[] | select((.object_relation == \"ip\")).value": { 365 | "extract_type": "all", 366 | "comparison": "equals", 367 | "values": [ 368 | "226.140.183.77" 369 | ] 370 | } 371 | } 372 | ], 373 | 
"result": "C2 added", 374 | "evaluation_strategy": "data_filtering", 375 | "evaluation_context": {}, 376 | "score_range": [ 377 | 0, 378 | 20 379 | ] 380 | } 381 | ], 382 | "inject_evaluation_join_type": null 383 | }, 384 | { 385 | "name": "Yara Rule", 386 | "action": "yara", 387 | "target_tool": "MISP", 388 | "uuid": "2d9a7cf7-25d2-4224-9f61-6aba91adfa78", 389 | "description": null, 390 | "inject_evaluation": [ 391 | { 392 | "parameters": [ 393 | { 394 | "[.Event.Object[].Attribute[], .Event.Attribute[]] | .[] | select((.type == \"yara\")).value": { 395 | "extract_type": "all", 396 | "comparison": "contains-regex", 397 | "values": [ 398 | "rule android_flubot \\{.*" 399 | ] 400 | } 401 | } 402 | ], 403 | "result": "Yara rule added", 404 | "evaluation_strategy": "data_filtering", 405 | "evaluation_context": {}, 406 | "score_range": [ 407 | 0, 408 | 20 409 | ] 410 | } 411 | ], 412 | "inject_evaluation_join_type": null 413 | }, 414 | { 415 | "name": "Contextualization", 416 | "action": "context", 417 | "target_tool": "MISP", 418 | "uuid": "05b3e7aa-b761-4f65-92e9-eed84e48a6a4", 419 | "description": null, 420 | "inject_evaluation": [ 421 | { 422 | "parameters": [ 423 | { 424 | ".Event.Tag | select(length > 0) | .[].name": { 425 | "extract_type": "all", 426 | "comparison": "count", 427 | "values": [ 428 | ">=3" 429 | ] 430 | } 431 | } 432 | ], 433 | "result": "Context added", 434 | "evaluation_strategy": "data_filtering", 435 | "evaluation_context": {}, 436 | "score_range": [ 437 | 0, 438 | 20 439 | ] 440 | } 441 | ], 442 | "inject_evaluation_join_type": null 443 | }, 444 | { 445 | "name": "Published", 446 | "action": "published", 447 | "target_tool": "MISP", 448 | "uuid": "49df070b-f6fc-47c3-bf43-92454f1582d5", 449 | "description": null, 450 | "inject_evaluation": [ 451 | { 452 | "parameters": [ 453 | { 454 | ".Event.published": { 455 | "comparison": "equals", 456 | "values": [ 457 | "1" 458 | ] 459 | } 460 | } 461 | ], 462 | "result": "Event published", 463 | 
"evaluation_strategy": "data_filtering", 464 | "evaluation_context": {}, 465 | "score_range": [ 466 | 0, 467 | 20 468 | ] 469 | } 470 | ], 471 | "inject_evaluation_join_type": null 472 | } 473 | ] 474 | } -------------------------------------------------------------------------------- /scenarios/ransomware-encoding.json: -------------------------------------------------------------------------------- 1 | { 2 | "exercise": { 3 | "description": "MISP Encoding Exercise : Ransomware infection via e-mail", 4 | "expanded": "MISP Encoding Exercise : Ransomware infection via e-mail", 5 | "meta": { 6 | "author": "MISP Project", 7 | "level": "advanced", 8 | "priority": 10 9 | }, 10 | "name": "MISP Encoding Exercise : Ransomware infection via e-mail", 11 | "namespace": "misp-only", 12 | "tags": [ 13 | "exercise:software-scope=\"misp\"", 14 | "state:production" 15 | ], 16 | "total_duration": "7200", 17 | "uuid": "eb00428f-40b5-4da7-9402-7ce22a840659", 18 | "version": "202492" 19 | }, 20 | "inject_flow": [ 21 | { 22 | "inject_uuid": "8e8dbda2-0f5e-4101-83ff-63c1ddda2cae", 23 | "description": "event-creation", 24 | "requirements": {}, 25 | "sequence": { 26 | "completion_trigger": [ 27 | "time_expiration", 28 | "completion" 29 | ], 30 | "followed_by": [ 31 | "8f636640-e4f0-4ffb-abff-4e85597aa1bd" 32 | ], 33 | "trigger": [ 34 | "startex", 35 | "periodic" 36 | ] 37 | }, 38 | "timing": { 39 | "triggered_at": null, 40 | "periodic_run_every": 10 41 | } 42 | }, 43 | { 44 | "inject_uuid": "8f636640-e4f0-4ffb-abff-4e85597aa1bd", 45 | "description": "infection-email", 46 | "requirements": { 47 | "inject_uuid": "8e8dbda2-0f5e-4101-83ff-63c1ddda2cae" 48 | }, 49 | "sequence": { 50 | "completion_trigger": [ 51 | "time_expiration", 52 | "completion" 53 | ], 54 | "followed_by": [ 55 | "3e61a340-0314-4622-91cc-042f3ff8543a" 56 | ], 57 | "trigger": [ 58 | "periodic" 59 | ] 60 | }, 61 | "timing": { 62 | "triggered_at": null, 63 | "periodic_run_every": 10 64 | } 65 | }, 66 | { 67 | "inject_uuid": 
"3e61a340-0314-4622-91cc-042f3ff8543a", 68 | "description": "malicious-payload", 69 | "requirements": { 70 | "inject_uuid": "8e8dbda2-0f5e-4101-83ff-63c1ddda2cae" 71 | }, 72 | "sequence": { 73 | "completion_trigger": [ 74 | "time_expiration", 75 | "completion" 76 | ], 77 | "followed_by": [ 78 | "8a2d58c8-2b3a-4ba2-bb77-15bcfa704828" 79 | ], 80 | "trigger": [ 81 | "periodic" 82 | ] 83 | }, 84 | "timing": { 85 | "triggered_at": null, 86 | "periodic_run_every": 10 87 | } 88 | }, 89 | { 90 | "inject_uuid": "8a2d58c8-2b3a-4ba2-bb77-15bcfa704828", 91 | "description": "c2-ip-address", 92 | "requirements": { 93 | "inject_uuid": "8e8dbda2-0f5e-4101-83ff-63c1ddda2cae" 94 | }, 95 | "sequence": { 96 | "completion_trigger": [ 97 | "time_expiration", 98 | "completion" 99 | ], 100 | "followed_by": [ 101 | "9df13cc8-b61b-4c9f-a1a8-66def8b64439" 102 | ], 103 | "trigger": [ 104 | "periodic" 105 | ] 106 | }, 107 | "timing": { 108 | "triggered_at": null, 109 | "periodic_run_every": 10 110 | } 111 | }, 112 | { 113 | "inject_uuid": "9df13cc8-b61b-4c9f-a1a8-66def8b64439", 114 | "description": "registry-keys", 115 | "requirements": { 116 | "inject_uuid": "8e8dbda2-0f5e-4101-83ff-63c1ddda2cae" 117 | }, 118 | "sequence": { 119 | "completion_trigger": [ 120 | "time_expiration", 121 | "completion" 122 | ], 123 | "followed_by": [ 124 | "c5c03af1-7ef3-44e7-819a-6c4fd402148a" 125 | ], 126 | "trigger": [ 127 | "periodic" 128 | ] 129 | }, 130 | "timing": { 131 | "triggered_at": null, 132 | "periodic_run_every": 10 133 | } 134 | }, 135 | { 136 | "inject_uuid": "c5c03af1-7ef3-44e7-819a-6c4fd402148a", 137 | "description": "asym-encryption-key", 138 | "requirements": { 139 | "inject_uuid": "8e8dbda2-0f5e-4101-83ff-63c1ddda2cae" 140 | }, 141 | "sequence": { 142 | "completion_trigger": [ 143 | "time_expiration", 144 | "completion" 145 | ], 146 | "followed_by": [ 147 | "11f6f0c2-8813-42ee-a312-136649d3f077" 148 | ], 149 | "trigger": [ 150 | "periodic" 151 | ] 152 | }, 153 | "timing": { 154 | 
"triggered_at": null, 155 | "periodic_run_every": 10 156 | } 157 | }, 158 | { 159 | "inject_uuid": "11f6f0c2-8813-42ee-a312-136649d3f077", 160 | "description": "context", 161 | "requirements": { 162 | "inject_uuid": "8e8dbda2-0f5e-4101-83ff-63c1ddda2cae" 163 | }, 164 | "sequence": { 165 | "completion_trigger": [ 166 | "time_expiration", 167 | "completion" 168 | ], 169 | "followed_by": [ 170 | "e3ef4e5f-454a-48c8-a5d7-b3d1d25ecc9f" 171 | ], 172 | "trigger": [ 173 | "periodic" 174 | ] 175 | }, 176 | "timing": { 177 | "triggered_at": null, 178 | "periodic_run_every": 10 179 | } 180 | }, 181 | { 182 | "inject_uuid": "e3ef4e5f-454a-48c8-a5d7-b3d1d25ecc9f", 183 | "description": "published", 184 | "requirements": { 185 | "inject_uuid": "8e8dbda2-0f5e-4101-83ff-63c1ddda2cae" 186 | }, 187 | "sequence": { 188 | "completion_trigger": [ 189 | "time_expiration", 190 | "completion" 191 | ], 192 | "followed_by": [], 193 | "trigger": [ 194 | "periodic" 195 | ] 196 | }, 197 | "timing": { 198 | "triggered_at": null, 199 | "periodic_run_every": 10 200 | } 201 | } 202 | ], 203 | "inject_payloads": [], 204 | "injects": [ 205 | { 206 | "name": "Event Creation", 207 | "action": "event-creation", 208 | "target_tool": "MISP", 209 | "uuid": "8e8dbda2-0f5e-4101-83ff-63c1ddda2cae", 210 | "description": "Create an Event containing `ransomware`", 211 | "inject_evaluation": [ 212 | { 213 | "parameters": [ 214 | { 215 | ".Event.info": { 216 | "comparison": "contains", 217 | "values": [ 218 | "ransomware" 219 | ] 220 | } 221 | } 222 | ], 223 | "result": "MISP Event created", 224 | "evaluation_strategy": "data_filtering", 225 | "evaluation_context": {}, 226 | "score_range": [ 227 | 0, 228 | 20 229 | ] 230 | }, 231 | { 232 | "parameters": [ 233 | { 234 | ".response[].Event.event_creator_email": { 235 | "comparison": "equals", 236 | "values": [ 237 | "{{user_email}}" 238 | ] 239 | } 240 | }, 241 | { 242 | ".response[].Event.info": { 243 | "comparison": "contains", 244 | "values": [ 245 | "ransomware" 
246 | ] 247 | } 248 | } 249 | ], 250 | "result": "", 251 | "evaluation_strategy": "query_search", 252 | "evaluation_context": { 253 | "request_is_rest": false, 254 | "query_context": { 255 | "url": "/events/restSearch", 256 | "request_method": "POST", 257 | "payload": { 258 | "timestamp": "2h" 259 | } 260 | } 261 | }, 262 | "score_range": [ 263 | 0, 264 | 20 265 | ] 266 | } 267 | ], 268 | "inject_evaluation_join_type": "OR" 269 | }, 270 | { 271 | "name": "Infection Email", 272 | "action": "infection-email", 273 | "target_tool": "MISP", 274 | "uuid": "8f636640-e4f0-4ffb-abff-4e85597aa1bd", 275 | "description": null, 276 | "inject_evaluation": [ 277 | { 278 | "parameters": [ 279 | { 280 | ".Event.info": { 281 | "comparison": "contains", 282 | "values": [ 283 | "ransomware" 284 | ] 285 | } 286 | }, 287 | { 288 | ".Event.Object[].Attribute[] | select(.object_relation == \"email-body\")": { 289 | "extract_type": "all", 290 | "comparison": "count", 291 | "values": [ 292 | ">=1" 293 | ] 294 | } 295 | } 296 | ], 297 | "result": "Infection Email added", 298 | "evaluation_strategy": "data_filtering", 299 | "evaluation_context": {}, 300 | "score_range": [ 301 | 0, 302 | 20 303 | ] 304 | }, 305 | { 306 | "parameters": [ 307 | { 308 | ".response[].Event.event_creator_email": { 309 | "comparison": "equals", 310 | "values": [ 311 | "{{user_email}}" 312 | ] 313 | } 314 | }, 315 | { 316 | ".response[].Event.Object[].Attribute[] | select(.object_relation == \"email-body\")": { 317 | "extract_type": "all", 318 | "comparison": "count", 319 | "values": [ 320 | ">=1" 321 | ] 322 | } 323 | } 324 | ], 325 | "result": "", 326 | "evaluation_strategy": "query_search", 327 | "evaluation_context": { 328 | "request_is_rest": false, 329 | "query_context": { 330 | "url": "/events/restSearch", 331 | "request_method": "POST", 332 | "payload": { 333 | "timestamp": "2h" 334 | } 335 | } 336 | }, 337 | "score_range": [ 338 | 0, 339 | 20 340 | ] 341 | } 342 | ], 343 | "inject_evaluation_join_type": "OR" 
344 | }, 345 | { 346 | "name": "Malicious Payload", 347 | "action": "malicious-payload", 348 | "target_tool": "MISP", 349 | "uuid": "3e61a340-0314-4622-91cc-042f3ff8543a", 350 | "description": null, 351 | "inject_evaluation": [ 352 | { 353 | "parameters": [ 354 | { 355 | ".Event.info": { 356 | "comparison": "contains", 357 | "values": [ 358 | "ransomware" 359 | ] 360 | } 361 | }, 362 | { 363 | ".Event.Object[].Attribute[] | select((.type == \"filename\")).value": { 364 | "extract_type": "all", 365 | "comparison": "equals", 366 | "values": [ 367 | "cryptolocker.exe" 368 | ] 369 | } 370 | } 371 | ], 372 | "result": "Malicious payload added", 373 | "evaluation_strategy": "data_filtering", 374 | "evaluation_context": {}, 375 | "score_range": [ 376 | 0, 377 | 20 378 | ] 379 | }, 380 | { 381 | "parameters": [ 382 | { 383 | ".response[].Event.event_creator_email": { 384 | "comparison": "equals", 385 | "values": [ 386 | "{{user_email}}" 387 | ] 388 | } 389 | }, 390 | { 391 | ".response[].Event.Object[].Attribute[] | select((.type == \"filename\")).value": { 392 | "extract_type": "all", 393 | "comparison": "equals", 394 | "values": [ 395 | "cryptolocker.exe" 396 | ] 397 | } 398 | } 399 | ], 400 | "result": "", 401 | "evaluation_strategy": "query_search", 402 | "evaluation_context": { 403 | "request_is_rest": false, 404 | "query_context": { 405 | "url": "/events/restSearch", 406 | "request_method": "POST", 407 | "payload": { 408 | "timestamp": "2h" 409 | } 410 | } 411 | }, 412 | "score_range": [ 413 | 0, 414 | 20 415 | ] 416 | } 417 | ], 418 | "inject_evaluation_join_type": "OR" 419 | }, 420 | { 421 | "name": "C2 IP Address", 422 | "action": "c2-ip", 423 | "target_tool": "MISP", 424 | "uuid": "8a2d58c8-2b3a-4ba2-bb77-15bcfa704828", 425 | "description": null, 426 | "inject_evaluation": [ 427 | { 428 | "parameters": [ 429 | { 430 | ".Event.info": { 431 | "comparison": "contains", 432 | "values": [ 433 | "ransomware" 434 | ] 435 | } 436 | }, 437 | { 438 | ".Event.Object[] | 
select((.name == \"domain-ip\") or (.name == \"ip-port\")) | .Attribute[].value": { 439 | "extract_type": "all", 440 | "comparison": "contains", 441 | "values": [ 442 | "81.177.170.166" 443 | ] 444 | } 445 | } 446 | ], 447 | "result": "C2 IP added", 448 | "evaluation_strategy": "data_filtering", 449 | "evaluation_context": {}, 450 | "score_range": [ 451 | 0, 452 | 20 453 | ] 454 | }, 455 | { 456 | "parameters": [ 457 | { 458 | ".response[].Event.event_creator_email": { 459 | "comparison": "equals", 460 | "values": [ 461 | "{{user_email}}" 462 | ] 463 | } 464 | }, 465 | { 466 | ".response[].Event.Object[] | select((.name == \"domain-ip\") or (.name == \"ip-port\")) | .Attribute[].value": { 467 | "extract_type": "all", 468 | "comparison": "contains", 469 | "values": [ 470 | "81.177.170.166" 471 | ] 472 | } 473 | } 474 | ], 475 | "result": "", 476 | "evaluation_strategy": "query_search", 477 | "evaluation_context": { 478 | "query_context": { 479 | "request_is_rest": false, 480 | "url": "/events/restSearch", 481 | "request_method": "POST", 482 | "payload": { 483 | "timestamp": "2h" 484 | } 485 | } 486 | }, 487 | "score_range": [ 488 | 0, 489 | 20 490 | ] 491 | } 492 | ], 493 | "inject_evaluation_join_type": "OR" 494 | }, 495 | { 496 | "name": "Registry Keys", 497 | "action": "registry-key", 498 | "target_tool": "MISP", 499 | "uuid": "9df13cc8-b61b-4c9f-a1a8-66def8b64439", 500 | "description": null, 501 | "inject_evaluation": [ 502 | { 503 | "parameters": [ 504 | { 505 | ".Event.info": { 506 | "comparison": "contains", 507 | "values": [ 508 | "ransomware" 509 | ] 510 | } 511 | }, 512 | { 513 | "[.Event.Object[].Attribute[], .Event.Attribute[]] | .[].value": { 514 | "extract_type": "all", 515 | "comparison": "contains-regex", 516 | "values": [ 517 | "HKCU.+SOFTWARE.+CryptoLocker.*" 518 | ] 519 | } 520 | } 521 | ], 522 | "result": "Registry key added", 523 | "evaluation_strategy": "data_filtering", 524 | "evaluation_context": {}, 525 | "score_range": [ 526 | 0, 527 | 20 
528 | ] 529 | }, 530 | { 531 | "parameters": [ 532 | { 533 | ".response[].Event.event_creator_email": { 534 | "comparison": "equals", 535 | "values": [ 536 | "{{user_email}}" 537 | ] 538 | } 539 | }, 540 | { 541 | "[.response[].Event.Object[].Attribute[], .response[].Event.Attribute[]] | .[].value": { 542 | "extract_type": "all", 543 | "comparison": "contains-regex", 544 | "values": [ 545 | "HKCU.+SOFTWARE.+CryptoLocker.*" 546 | ] 547 | } 548 | } 549 | ], 550 | "result": "", 551 | "evaluation_strategy": "query_search", 552 | "evaluation_context": { 553 | "request_is_rest": false, 554 | "query_context": { 555 | "url": "/events/restSearch", 556 | "request_method": "POST", 557 | "payload": { 558 | "timestamp": "2h" 559 | } 560 | } 561 | }, 562 | "score_range": [ 563 | 0, 564 | 20 565 | ] 566 | } 567 | ], 568 | "inject_evaluation_join_type": "OR" 569 | }, 570 | { 571 | "name": "Public Key", 572 | "action": "pub-key", 573 | "target_tool": "MISP", 574 | "uuid": "c5c03af1-7ef3-44e7-819a-6c4fd402148a", 575 | "description": null, 576 | "inject_evaluation": [ 577 | { 578 | "parameters": [ 579 | { 580 | ".Event.info": { 581 | "comparison": "contains", 582 | "values": [ 583 | "ransomware" 584 | ] 585 | } 586 | }, 587 | { 588 | "[.Event.Object[].Attribute[], .Event.Attribute[]] | .[].value": { 589 | "extract_type": "all", 590 | "comparison": "contains-regex", 591 | "values": [ 592 | "-----BEGIN PUBLIC KEY-----.*" 593 | ] 594 | } 595 | } 596 | ], 597 | "result": "Public key added", 598 | "evaluation_strategy": "data_filtering", 599 | "evaluation_context": {}, 600 | "score_range": [ 601 | 0, 602 | 20 603 | ] 604 | }, 605 | { 606 | "parameters": [ 607 | { 608 | ".response[].Event.event_creator_email": { 609 | "comparison": "equals", 610 | "values": [ 611 | "{{user_email}}" 612 | ] 613 | } 614 | }, 615 | { 616 | "[.response[].Event.Object[].Attribute[], .response[].Event.Attribute[]] | .[].value": { 617 | "extract_type": "all", 618 | "comparison": "contains-regex", 619 | "values": 
[ 620 | "-----BEGIN PUBLIC KEY-----.*" 621 | ] 622 | } 623 | } 624 | ], 625 | "result": "", 626 | "evaluation_strategy": "query_search", 627 | "evaluation_context": { 628 | "request_is_rest": false, 629 | "query_context": { 630 | "url": "/events/restSearch", 631 | "request_method": "POST", 632 | "payload": { 633 | "timestamp": "2h" 634 | } 635 | } 636 | }, 637 | "score_range": [ 638 | 0, 639 | 20 640 | ] 641 | } 642 | ], 643 | "inject_evaluation_join_type": "OR" 644 | }, 645 | { 646 | "name": "Contextualization", 647 | "action": "context", 648 | "target_tool": "MISP", 649 | "uuid": "11f6f0c2-8813-42ee-a312-136649d3f077", 650 | "description": null, 651 | "inject_evaluation": [ 652 | { 653 | "parameters": [ 654 | { 655 | ".Event.info": { 656 | "comparison": "contains", 657 | "values": [ 658 | "ransomware" 659 | ] 660 | } 661 | }, 662 | { 663 | ".Event.Tag[].name | select((contains(\"misp-galaxy:mitre-attack-pattern\")))": { 664 | "extract_type": "all", 665 | "comparison": "count", 666 | "values": [ 667 | ">=3" 668 | ] 669 | } 670 | } 671 | ], 672 | "result": "Context added", 673 | "evaluation_strategy": "data_filtering", 674 | "evaluation_context": {}, 675 | "score_range": [ 676 | 0, 677 | 20 678 | ] 679 | }, 680 | { 681 | "parameters": [ 682 | { 683 | ".response[].Event.event_creator_email": { 684 | "comparison": "equals", 685 | "values": [ 686 | "{{user_email}}" 687 | ] 688 | } 689 | }, 690 | { 691 | ".response[].Event.Tag[].name | select((contains(\"misp-galaxy:mitre-attack-pattern\")))": { 692 | "extract_type": "all", 693 | "comparison": "count", 694 | "values": [ 695 | ">=3" 696 | ] 697 | } 698 | } 699 | ], 700 | "result": "", 701 | "evaluation_strategy": "query_search", 702 | "evaluation_context": { 703 | "request_is_rest": false, 704 | "query_context": { 705 | "url": "/events/restSearch", 706 | "request_method": "POST", 707 | "payload": { 708 | "timestamp": "2h" 709 | } 710 | } 711 | }, 712 | "score_range": [ 713 | 0, 714 | 20 715 | ] 716 | } 717 | ], 718 | 
"inject_evaluation_join_type": "OR" 719 | }, 720 | { 721 | "name": "Published", 722 | "action": "published", 723 | "target_tool": "MISP", 724 | "uuid": "e3ef4e5f-454a-48c8-a5d7-b3d1d25ecc9f", 725 | "description": null, 726 | "inject_evaluation": [ 727 | { 728 | "parameters": [ 729 | { 730 | ".Event.info": { 731 | "comparison": "contains", 732 | "values": [ 733 | "ransomware" 734 | ] 735 | } 736 | }, 737 | { 738 | ".Event.published": { 739 | "comparison": "equals", 740 | "values": [ 741 | "1" 742 | ] 743 | } 744 | } 745 | ], 746 | "result": "Event published", 747 | "evaluation_strategy": "data_filtering", 748 | "evaluation_context": {}, 749 | "score_range": [ 750 | 0, 751 | 20 752 | ] 753 | }, 754 | { 755 | "parameters": [ 756 | { 757 | ".response[].Event.event_creator_email": { 758 | "comparison": "equals", 759 | "values": [ 760 | "{{user_email}}" 761 | ] 762 | } 763 | }, 764 | { 765 | ".response[].Event.published": { 766 | "extract_type": "all", 767 | "comparison": "count", 768 | "values": [ 769 | ">0" 770 | ] 771 | } 772 | } 773 | ], 774 | "result": "", 775 | "evaluation_strategy": "query_search", 776 | "evaluation_context": { 777 | "request_is_rest": false, 778 | "query_context": { 779 | "url": "/events/restSearch", 780 | "request_method": "POST", 781 | "payload": { 782 | "timestamp": "2h" 783 | } 784 | } 785 | }, 786 | "score_range": [ 787 | 0, 788 | 20 789 | ] 790 | } 791 | ], 792 | "inject_evaluation_join_type": "OR" 793 | } 794 | ] 795 | } -------------------------------------------------------------------------------- /scenarios/scam-call-encoding.json: -------------------------------------------------------------------------------- 1 | { 2 | "exercise": { 3 | "description": "MISP Encoding Exercise : Scam Call", 4 | "expanded": "MISP Encoding Exercise : Scam Call", 5 | "meta": { 6 | "author": "MISP Project", 7 | "level": "beginner", 8 | "priority": 5 9 | }, 10 | "name": "MISP Encoding Exercise : Scam Call", 11 | "namespace": "misp-only", 12 | "tags": [ 13 | 
"exercise:software-scope=\"misp\"", 14 | "state:production" 15 | ], 16 | "total_duration": "7200", 17 | "uuid": "6c61b3a5-a760-4bac-be23-de97af397c2f", 18 | "version": "202492" 19 | }, 20 | "inject_flow": [ 21 | { 22 | "description": "event-creation", 23 | "inject_uuid": "de9f4c9b-dc97-4e84-85f3-859f30d3a3cd", 24 | "reporting_callback": [], 25 | "requirements": {}, 26 | "sequence": { 27 | "completion_trigger": [ 28 | "time_expiration", 29 | "completion" 30 | ], 31 | "followed_by": [], 32 | "trigger": [ 33 | "startex" 34 | ] 35 | }, 36 | "timing": { 37 | "triggered_at": null, 38 | "periodic_run_every": null 39 | } 40 | }, 41 | { 42 | "description": "IP-address", 43 | "inject_uuid": "cdf465dc-a859-43ed-b782-510427cfb451", 44 | "reporting_callback": [], 45 | "requirements": { 46 | "inject_uuid": "de9f4c9b-dc97-4e84-85f3-859f30d3a3cd" 47 | }, 48 | "sequence": { 49 | "completion_trigger": [ 50 | "time_expiration", 51 | "completion" 52 | ], 53 | "followed_by": [], 54 | "trigger": [] 55 | }, 56 | "timing": { 57 | "triggered_at": null, 58 | "periodic_run_every": null 59 | } 60 | }, 61 | { 62 | "description": "malicious-payload", 63 | "inject_uuid": "79c8a538-28de-4edf-b0e2-253c59cbb973", 64 | "reporting_callback": [], 65 | "requirements": { 66 | "inject_uuid": "de9f4c9b-dc97-4e84-85f3-859f30d3a3cd" 67 | }, 68 | "sequence": { 69 | "completion_trigger": [ 70 | "time_expiration", 71 | "completion" 72 | ], 73 | "followed_by": [], 74 | "trigger": [] 75 | }, 76 | "timing": { 77 | "triggered_at": null, 78 | "periodic_run_every": null 79 | } 80 | }, 81 | { 82 | "description": "Download URL", 83 | "inject_uuid": "60c6cfcc-99be-4b98-9eb7-e0a3e77bb449", 84 | "reporting_callback": [], 85 | "requirements": { 86 | "inject_uuid": "de9f4c9b-dc97-4e84-85f3-859f30d3a3cd" 87 | }, 88 | "sequence": { 89 | "completion_trigger": [ 90 | "time_expiration", 91 | "completion" 92 | ], 93 | "followed_by": [], 94 | "trigger": [] 95 | }, 96 | "timing": { 97 | "triggered_at": null, 98 | 
"periodic_run_every": null 99 | } 100 | }, 101 | { 102 | "description": "IBAN Number", 103 | "inject_uuid": "ab32278b-a8e4-4539-8c1b-f262a2706ca8", 104 | "reporting_callback": [], 105 | "requirements": { 106 | "inject_uuid": "de9f4c9b-dc97-4e84-85f3-859f30d3a3cd" 107 | }, 108 | "sequence": { 109 | "completion_trigger": [ 110 | "time_expiration", 111 | "completion" 112 | ], 113 | "followed_by": [], 114 | "trigger": [] 115 | }, 116 | "timing": { 117 | "triggered_at": null, 118 | "periodic_run_every": null 119 | } 120 | }, 121 | { 122 | "description": "Phone Number", 123 | "inject_uuid": "ee4a684e-2648-419a-bd65-29ab219660c4", 124 | "reporting_callback": [], 125 | "requirements": { 126 | "inject_uuid": "de9f4c9b-dc97-4e84-85f3-859f30d3a3cd" 127 | }, 128 | "sequence": { 129 | "completion_trigger": [ 130 | "time_expiration", 131 | "completion" 132 | ], 133 | "followed_by": [], 134 | "trigger": [] 135 | }, 136 | "timing": { 137 | "triggered_at": null, 138 | "periodic_run_every": null 139 | } 140 | }, 141 | { 142 | "description": "Person", 143 | "inject_uuid": "14d11e1b-6609-47d5-9867-91996f432f34", 144 | "reporting_callback": [], 145 | "requirements": { 146 | "inject_uuid": "de9f4c9b-dc97-4e84-85f3-859f30d3a3cd" 147 | }, 148 | "sequence": { 149 | "completion_trigger": [ 150 | "time_expiration", 151 | "completion" 152 | ], 153 | "followed_by": [], 154 | "trigger": [] 155 | }, 156 | "timing": { 157 | "triggered_at": null, 158 | "periodic_run_every": null 159 | } 160 | }, 161 | { 162 | "description": "Contextualization", 163 | "inject_uuid": "4c242d49-fcf7-4c76-974b-6d5983c0eff9", 164 | "reporting_callback": [], 165 | "requirements": { 166 | "inject_uuid": "de9f4c9b-dc97-4e84-85f3-859f30d3a3cd" 167 | }, 168 | "sequence": { 169 | "completion_trigger": [ 170 | "time_expiration", 171 | "completion" 172 | ], 173 | "followed_by": [], 174 | "trigger": [] 175 | }, 176 | "timing": { 177 | "triggered_at": null, 178 | "periodic_run_every": null 179 | } 180 | }, 181 | { 182 | 
"description": "Published", 183 | "inject_uuid": "68cc60ff-e659-4589-88e5-7490fa4e1dfa", 184 | "reporting_callback": [], 185 | "requirements": { 186 | "inject_uuid": "de9f4c9b-dc97-4e84-85f3-859f30d3a3cd" 187 | }, 188 | "sequence": { 189 | "completion_trigger": [ 190 | "time_expiration", 191 | "completion" 192 | ], 193 | "followed_by": [], 194 | "trigger": [] 195 | }, 196 | "timing": { 197 | "triggered_at": null, 198 | "periodic_run_every": null 199 | } 200 | } 201 | ], 202 | "inject_payloads": [], 203 | "injects": [ 204 | { 205 | "action": "event-creation", 206 | "inject_evaluation": [ 207 | { 208 | "parameters": [ 209 | { 210 | ".Event.info": { 211 | "comparison": "contains", 212 | "values": [ 213 | "scam", 214 | "call" 215 | ] 216 | } 217 | } 218 | ], 219 | "result": "MISP Event created", 220 | "evaluation_strategy": "data_filtering", 221 | "evaluation_context": {}, 222 | "score_range": [ 223 | 0, 224 | 10 225 | ] 226 | } 227 | ], 228 | "name": "Event Creation", 229 | "target_tool": "MISP", 230 | "uuid": "de9f4c9b-dc97-4e84-85f3-859f30d3a3cd" 231 | }, 232 | { 233 | "action": "ip-address", 234 | "inject_evaluation": [ 235 | { 236 | "parameters": [ 237 | { 238 | ".Event.info": { 239 | "comparison": "contains", 240 | "values": [ 241 | "scam", 242 | "call" 243 | ] 244 | } 245 | }, 246 | { 247 | "[.Event.Object[].Attribute[], .Event.Attribute[]] | .[] | select(.value == \"194.78.89.250\").to_ids": { 248 | "extract_type": "all", 249 | "comparison": "contains", 250 | "values": [ 251 | true, 252 | 1 253 | ] 254 | } 255 | } 256 | ], 257 | "result": "IP Address added", 258 | "evaluation_strategy": "data_filtering", 259 | "evaluation_context": {}, 260 | "score_range": [ 261 | 0, 262 | 20 263 | ] 264 | } 265 | ], 266 | "name": "IP Address", 267 | "target_tool": "MISP", 268 | "uuid": "cdf465dc-a859-43ed-b782-510427cfb451" 269 | }, 270 | { 271 | "action": "malware-sample", 272 | "inject_evaluation": [ 273 | { 274 | "parameters": [ 275 | { 276 | ".Event.info": { 277 | 
"comparison": "contains", 278 | "values": [ 279 | "scam", 280 | "call" 281 | ] 282 | } 283 | }, 284 | { 285 | ".Event.Object[].Attribute[] | select((.type == \"sha1\")).value": { 286 | "extract_type": "all", 287 | "comparison": "equals", 288 | "values": [ 289 | "04d496d39bc9409bfdabdeb07002b97093b58f77" 290 | ] 291 | } 292 | } 293 | ], 294 | "result": "Malware sample added", 295 | "evaluation_strategy": "data_filtering", 296 | "evaluation_context": {}, 297 | "score_range": [ 298 | 0, 299 | 20 300 | ] 301 | } 302 | ], 303 | "name": "Malware sample", 304 | "target_tool": "MISP", 305 | "uuid": "79c8a538-28de-4edf-b0e2-253c59cbb973" 306 | }, 307 | { 308 | "action": "url", 309 | "inject_evaluation": [ 310 | { 311 | "parameters": [ 312 | { 313 | ".Event.info": { 314 | "comparison": "contains", 315 | "values": [ 316 | "scam", 317 | "call" 318 | ] 319 | } 320 | }, 321 | { 322 | ".Event.Object[].Attribute[] | select((.type == \"url\")).value": { 323 | "extract_type": "all", 324 | "comparison": "equals", 325 | "values": [ 326 | "https://zdgyot.ugic0k.ru/assets/bin.exe" 327 | ] 328 | } 329 | }, 330 | { 331 | ".Event.Object[].Attribute[] | select((.type == \"domain\") or (.type == \"hostname\")).value": { 332 | "extract_type": "all", 333 | "comparison": "equals", 334 | "values": [ 335 | "zdgyot.ugic0k.ru" 336 | ] 337 | } 338 | } 339 | ], 340 | "result": "Download URL added", 341 | "evaluation_strategy": "data_filtering", 342 | "evaluation_context": {}, 343 | "score_range": [ 344 | 0, 345 | 20 346 | ] 347 | } 348 | ], 349 | "name": "Download URL", 350 | "target_tool": "MISP", 351 | "uuid": "60c6cfcc-99be-4b98-9eb7-e0a3e77bb449" 352 | }, 353 | { 354 | "action": "iban", 355 | "inject_evaluation": [ 356 | { 357 | "parameters": [ 358 | { 359 | ".Event.info": { 360 | "comparison": "contains", 361 | "values": [ 362 | "scam", 363 | "call" 364 | ] 365 | } 366 | }, 367 | { 368 | "[.Event.Object[].Attribute[], .Event.Attribute[]] | .[] | select((.type == \"iban\")).value": { 369 | 
"extract_type": "all", 370 | "comparison": "contains", 371 | "values": [ 372 | "GB29NWBK60161331926819" 373 | ] 374 | } 375 | } 376 | ], 377 | "result": "IBAN Number added", 378 | "evaluation_strategy": "data_filtering", 379 | "evaluation_context": {}, 380 | "score_range": [ 381 | 0, 382 | 20 383 | ] 384 | } 385 | ], 386 | "name": "IBAN Number", 387 | "target_tool": "MISP", 388 | "uuid": "ab32278b-a8e4-4539-8c1b-f262a2706ca8" 389 | }, 390 | { 391 | "action": "phone", 392 | "inject_evaluation": [ 393 | { 394 | "parameters": [ 395 | { 396 | ".Event.info": { 397 | "comparison": "contains", 398 | "values": [ 399 | "scam", 400 | "call" 401 | ] 402 | } 403 | }, 404 | { 405 | "[.Event.Object[].Attribute[], .Event.Attribute[]] | .[] | select((.type == \"phone-number\")).value": { 406 | "extract_type": "all", 407 | "comparison": "contains-regex", 408 | "values": [ 409 | "\\+?12243359185" 410 | ] 411 | } 412 | } 413 | ], 414 | "result": "Phone Number added", 415 | "evaluation_strategy": "data_filtering", 416 | "evaluation_context": {}, 417 | "score_range": [ 418 | 0, 419 | 20 420 | ] 421 | } 422 | ], 423 | "name": "Phone Number", 424 | "target_tool": "MISP", 425 | "uuid": "ee4a684e-2648-419a-bd65-29ab219660c4" 426 | }, 427 | { 428 | "action": "person", 429 | "inject_evaluation": [ 430 | { 431 | "parameters": [ 432 | { 433 | ".Event.info": { 434 | "comparison": "contains", 435 | "values": [ 436 | "scam", 437 | "call" 438 | ] 439 | } 440 | }, 441 | { 442 | ".Event.Object[] | select((.name == \"person\")).distribution": { 443 | "comparison": "equals_any", 444 | "values": [ 445 | "0", 446 | "1", 447 | "4" 448 | ] 449 | } 450 | } 451 | ], 452 | "result": "Person added", 453 | "evaluation_strategy": "data_filtering", 454 | "evaluation_context": {}, 455 | "score_range": [ 456 | 0, 457 | 20 458 | ] 459 | } 460 | ], 461 | "name": "Person", 462 | "target_tool": "MISP", 463 | "uuid": "14d11e1b-6609-47d5-9867-91996f432f34" 464 | }, 465 | { 466 | "action": "context", 467 | 
"inject_evaluation": [ 468 | { 469 | "parameters": [ 470 | { 471 | ".Event.info": { 472 | "comparison": "contains", 473 | "values": [ 474 | "scam", 475 | "call" 476 | ] 477 | } 478 | }, 479 | { 480 | ".Event.Tag | select(length > 0) | .[].name": { 481 | "extract_type": "all", 482 | "comparison": "count", 483 | "values": [ 484 | ">=3" 485 | ] 486 | } 487 | } 488 | ], 489 | "result": "Context added", 490 | "evaluation_strategy": "data_filtering", 491 | "evaluation_context": {}, 492 | "score_range": [ 493 | 0, 494 | 20 495 | ] 496 | } 497 | ], 498 | "name": "Contextualization", 499 | "target_tool": "MISP", 500 | "uuid": "4c242d49-fcf7-4c76-974b-6d5983c0eff9" 501 | }, 502 | { 503 | "action": "published", 504 | "inject_evaluation": [ 505 | { 506 | "parameters": [ 507 | { 508 | ".Event.info": { 509 | "comparison": "contains", 510 | "values": [ 511 | "scam", 512 | "call" 513 | ] 514 | } 515 | }, 516 | { 517 | ".Event.published": { 518 | "comparison": "equals", 519 | "values": [ 520 | "1" 521 | ] 522 | } 523 | } 524 | ], 525 | "result": "Event published", 526 | "evaluation_strategy": "data_filtering", 527 | "evaluation_context": {}, 528 | "score_range": [ 529 | 0, 530 | 20 531 | ] 532 | } 533 | ], 534 | "name": "Published", 535 | "target_tool": "MISP", 536 | "uuid": "68cc60ff-e659-4589-88e5-7490fa4e1dfa" 537 | } 538 | ] 539 | } -------------------------------------------------------------------------------- /scenarios/spearphishing-incident.json: -------------------------------------------------------------------------------- 1 | { 2 | "exercise": { 3 | "description": "MISP Encoding Exercise : Spearphishing Incident", 4 | "expanded": "MISP Encoding Exercise : Spearphishing Incident", 5 | "meta": { 6 | "author": "MISP Project", 7 | "level": "beginner", 8 | "priority": 5 9 | }, 10 | "name": "MISP Encoding Exercise : Spearphishing Incident", 11 | "namespace": "misp-only", 12 | "tags": [ 13 | "exercise:software-scope=\"misp\"", 14 | "state:production" 15 | ], 16 | 
"total_duration": "7200", 17 | "uuid": "53b20321-ac8c-4a3e-9c56-e772caf669e6", 18 | "version": "202492" 19 | }, 20 | "inject_flow": [ 21 | { 22 | "description": "event-creation", 23 | "inject_uuid": "a95726bb-2761-442d-8b5c-842e384df2bd", 24 | "reporting_callback": [], 25 | "requirements": {}, 26 | "sequence": { 27 | "completion_trigger": [ 28 | "time_expiration", 29 | "completion" 30 | ], 31 | "followed_by": [], 32 | "trigger": [ 33 | "startex" 34 | ] 35 | }, 36 | "timing": { 37 | "triggered_at": null, 38 | "periodic_run_every": null 39 | } 40 | }, 41 | { 42 | "description": "IP-address", 43 | "inject_uuid": "92fc404b-2dce-4815-8a7e-b68a582c3569", 44 | "reporting_callback": [], 45 | "requirements": { 46 | "inject_uuid": "a95726bb-2761-442d-8b5c-842e384df2bd" 47 | }, 48 | "sequence": { 49 | "completion_trigger": [ 50 | "time_expiration", 51 | "completion" 52 | ], 53 | "followed_by": [], 54 | "trigger": [] 55 | }, 56 | "timing": { 57 | "triggered_at": null, 58 | "periodic_run_every": null 59 | } 60 | }, 61 | { 62 | "description": "malicious-payloads", 63 | "inject_uuid": "cfc47f7c-590c-4897-bfb9-cc72965fee24", 64 | "reporting_callback": [], 65 | "requirements": { 66 | "inject_uuid": "a95726bb-2761-442d-8b5c-842e384df2bd" 67 | }, 68 | "sequence": { 69 | "completion_trigger": [ 70 | "time_expiration", 71 | "completion" 72 | ], 73 | "followed_by": [], 74 | "trigger": [] 75 | }, 76 | "timing": { 77 | "triggered_at": null, 78 | "periodic_run_every": null 79 | } 80 | }, 81 | { 82 | "description": "Download URL", 83 | "inject_uuid": "e849a314-3394-4501-a9e1-126e0e61f11d", 84 | "reporting_callback": [], 85 | "requirements": { 86 | "inject_uuid": "a95726bb-2761-442d-8b5c-842e384df2bd" 87 | }, 88 | "sequence": { 89 | "completion_trigger": [ 90 | "time_expiration", 91 | "completion" 92 | ], 93 | "followed_by": [], 94 | "trigger": [] 95 | }, 96 | "timing": { 97 | "triggered_at": null, 98 | "periodic_run_every": null 99 | } 100 | }, 101 | { 102 | "description": "CVE", 103 | 
"inject_uuid": "32141393-adce-4007-950c-77b4c7c60a39", 104 | "reporting_callback": [], 105 | "requirements": { 106 | "inject_uuid": "a95726bb-2761-442d-8b5c-842e384df2bd" 107 | }, 108 | "sequence": { 109 | "completion_trigger": [ 110 | "time_expiration", 111 | "completion" 112 | ], 113 | "followed_by": [], 114 | "trigger": [] 115 | }, 116 | "timing": { 117 | "triggered_at": null, 118 | "periodic_run_every": null 119 | } 120 | }, 121 | { 122 | "description": "C2", 123 | "inject_uuid": "a0d7f076-1737-4c1c-af36-c2717885299e", 124 | "reporting_callback": [], 125 | "requirements": { 126 | "inject_uuid": "a95726bb-2761-442d-8b5c-842e384df2bd" 127 | }, 128 | "sequence": { 129 | "completion_trigger": [ 130 | "time_expiration", 131 | "completion" 132 | ], 133 | "followed_by": [], 134 | "trigger": [] 135 | }, 136 | "timing": { 137 | "triggered_at": null, 138 | "periodic_run_every": null 139 | } 140 | }, 141 | { 142 | "description": "Person", 143 | "inject_uuid": "92a55537-0e4c-44f8-8bcd-102c38d343a9", 144 | "reporting_callback": [], 145 | "requirements": { 146 | "inject_uuid": "a95726bb-2761-442d-8b5c-842e384df2bd" 147 | }, 148 | "sequence": { 149 | "completion_trigger": [ 150 | "time_expiration", 151 | "completion" 152 | ], 153 | "followed_by": [], 154 | "trigger": [] 155 | }, 156 | "timing": { 157 | "triggered_at": null, 158 | "periodic_run_every": null 159 | } 160 | }, 161 | { 162 | "description": "Contextualization", 163 | "inject_uuid": "b19e8d39-e64e-4a51-94ee-462cd74b8d24", 164 | "reporting_callback": [], 165 | "requirements": { 166 | "inject_uuid": "a95726bb-2761-442d-8b5c-842e384df2bd" 167 | }, 168 | "sequence": { 169 | "completion_trigger": [ 170 | "time_expiration", 171 | "completion" 172 | ], 173 | "followed_by": [], 174 | "trigger": [] 175 | }, 176 | "timing": { 177 | "triggered_at": null, 178 | "periodic_run_every": null 179 | } 180 | }, 181 | { 182 | "description": "Published", 183 | "inject_uuid": "930459b8-ed61-4e62-b072-071577ea0430", 184 | 
"reporting_callback": [], 185 | "requirements": { 186 | "inject_uuid": "a95726bb-2761-442d-8b5c-842e384df2bd" 187 | }, 188 | "sequence": { 189 | "completion_trigger": [ 190 | "time_expiration", 191 | "completion" 192 | ], 193 | "followed_by": [], 194 | "trigger": [] 195 | }, 196 | "timing": { 197 | "triggered_at": null, 198 | "periodic_run_every": null 199 | } 200 | } 201 | ], 202 | "inject_payloads": [], 203 | "injects": [ 204 | { 205 | "action": "event-creation", 206 | "inject_evaluation": [ 207 | { 208 | "parameters": [ 209 | { 210 | ".Event.info": { 211 | "comparison": "regex", 212 | "values": [ 213 | ".*[sS]pear[-\\s]?phishing.*" 214 | ] 215 | } 216 | } 217 | ], 218 | "result": "MISP Event created", 219 | "evaluation_strategy": "data_filtering", 220 | "evaluation_context": {}, 221 | "score_range": [ 222 | 0, 223 | 10 224 | ] 225 | } 226 | ], 227 | "name": "Event Creation", 228 | "target_tool": "MISP", 229 | "uuid": "a95726bb-2761-442d-8b5c-842e384df2bd" 230 | }, 231 | { 232 | "action": "ip-address", 233 | "inject_evaluation": [ 234 | { 235 | "parameters": [ 236 | { 237 | ".Event.info": { 238 | "comparison": "regex", 239 | "values": [ 240 | ".*[sS]pear[-\\s]?phishing.*" 241 | ] 242 | } 243 | }, 244 | { 245 | "[.Event.Object[].Attribute[], .Event.Attribute[]] | .[] | select(.value == \"john.doe@luxembourg.edu\")": { 246 | "extract_type": "all", 247 | "comparison": "count", 248 | "values": [ 249 | ">0" 250 | ] 251 | } 252 | } 253 | ], 254 | "result": "Email address spoofed", 255 | "evaluation_strategy": "data_filtering", 256 | "evaluation_context": {}, 257 | "score_range": [ 258 | 0, 259 | 20 260 | ] 261 | } 262 | ], 263 | "name": "Email address", 264 | "target_tool": "MISP", 265 | "uuid": "92fc404b-2dce-4815-8a7e-b68a582c3569" 266 | }, 267 | { 268 | "action": "malware-sample", 269 | "inject_evaluation": [ 270 | { 271 | "parameters": [ 272 | { 273 | ".Event.info": { 274 | "comparison": "regex", 275 | "values": [ 276 | ".*[sS]pear[-\\s]?phishing.*" 277 | ] 278 | } 
279 | }, 280 | { 281 | ".Event.Object[].Attribute[].value": { 282 | "extract_type": "all", 283 | "comparison": "contains", 284 | "values": [ 285 | "7c08ddb3b57cf9a00f02a484e23a4b6c8a6d738d" 286 | ] 287 | } 288 | } 289 | ], 290 | "result": "Malware samples added", 291 | "evaluation_strategy": "data_filtering", 292 | "evaluation_context": {}, 293 | "score_range": [ 294 | 0, 295 | 20 296 | ] 297 | } 298 | ], 299 | "name": "Malware sample", 300 | "target_tool": "MISP", 301 | "uuid": "cfc47f7c-590c-4897-bfb9-cc72965fee24" 302 | }, 303 | { 304 | "action": "download url", 305 | "inject_evaluation": [ 306 | { 307 | "parameters": [ 308 | { 309 | ".Event.info": { 310 | "comparison": "regex", 311 | "values": [ 312 | ".*[sS]pear[-\\s]?phishing.*" 313 | ] 314 | } 315 | }, 316 | { 317 | ".Event.Object[].Attribute[] | select((.type == \"url\")).value": { 318 | "extract_type": "all", 319 | "comparison": "contains", 320 | "values": [ 321 | "https://evilprovider.com/this-is-not-malicious.exe" 322 | ] 323 | } 324 | }, 325 | { 326 | ".Event.Object[].Attribute[] | select((.type == \"domain\") or (.type == \"hostname\")).value": { 327 | "extract_type": "all", 328 | "comparison": "equals", 329 | "values": [ 330 | "evilprovider.com" 331 | ] 332 | } 333 | } 334 | ], 335 | "result": "Download URL added", 336 | "evaluation_strategy": "data_filtering", 337 | "evaluation_context": {}, 338 | "score_range": [ 339 | 0, 340 | 20 341 | ] 342 | } 343 | ], 344 | "name": "Download URL", 345 | "target_tool": "MISP", 346 | "uuid": "e849a314-3394-4501-a9e1-126e0e61f11d" 347 | }, 348 | { 349 | "action": "CVE", 350 | "inject_evaluation": [ 351 | { 352 | "parameters": [ 353 | { 354 | ".Event.info": { 355 | "comparison": "regex", 356 | "values": [ 357 | ".*[sS]pear[-\\s]?phishing.*" 358 | ] 359 | } 360 | }, 361 | { 362 | "[.Event.Object[].Attribute[], .Event.Attribute[]] | .[].value": { 363 | "extract_type": "all", 364 | "comparison": "contains", 365 | "values": [ 366 | "CVE-2015-5465" 367 | ] 368 | } 369 | 
} 370 | ], 371 | "result": "CVE", 372 | "evaluation_strategy": "data_filtering", 373 | "evaluation_context": {}, 374 | "score_range": [ 375 | 0, 376 | 20 377 | ] 378 | } 379 | ], 380 | "name": "CVE", 381 | "target_tool": "MISP", 382 | "uuid": "32141393-adce-4007-950c-77b4c7c60a39" 383 | }, 384 | { 385 | "action": "C2", 386 | "inject_evaluation": [ 387 | { 388 | "parameters": [ 389 | { 390 | ".Event.info": { 391 | "comparison": "regex", 392 | "values": [ 393 | ".*[sS]pear[-\\s]?phishing.*" 394 | ] 395 | } 396 | }, 397 | { 398 | ".Event.Object[] | select((.name == \"url\")).Attribute[] | select(.type == \"url\").value": { 399 | "extract_type": "all", 400 | "comparison": "contains-regex", 401 | "values": [ 402 | "https:\\/\\/another\\.evil\\.provider\\.com(:57666)?" 403 | ] 404 | } 405 | } 406 | ], 407 | "result": "C2 added", 408 | "evaluation_strategy": "data_filtering", 409 | "evaluation_context": {}, 410 | "score_range": [ 411 | 0, 412 | 20 413 | ] 414 | } 415 | ], 416 | "name": "C2", 417 | "target_tool": "MISP", 418 | "uuid": "a0d7f076-1737-4c1c-af36-c2717885299e" 419 | }, 420 | { 421 | "action": "Email Provider", 422 | "inject_evaluation": [ 423 | { 424 | "parameters": [ 425 | { 426 | ".Event.info": { 427 | "comparison": "regex", 428 | "values": [ 429 | ".*[sS]pear[-\\s]?phishing.*" 430 | ] 431 | } 432 | }, 433 | { 434 | "[(.Event.Object[] | select((.name == \"email\")).Attribute[]), .Event.Attribute[]] | .[].value": { 435 | "extract_type": "all", 436 | "comparison": "contains", 437 | "values": [ 438 | "throwaway-email-provider.com" 439 | ] 440 | } 441 | } 442 | ], 443 | "result": "Email Provider added", 444 | "evaluation_strategy": "data_filtering", 445 | "evaluation_context": {}, 446 | "score_range": [ 447 | 0, 448 | 20 449 | ] 450 | } 451 | ], 452 | "name": "Email Provider", 453 | "target_tool": "MISP", 454 | "uuid": "92a55537-0e4c-44f8-8bcd-102c38d343a9" 455 | }, 456 | { 457 | "action": "context", 458 | "inject_evaluation": [ 459 | { 460 | "parameters": [ 461 
| { 462 | ".Event.info": { 463 | "comparison": "regex", 464 | "values": [ 465 | ".*[sS]pear[-\\s]?phishing.*" 466 | ] 467 | } 468 | }, 469 | { 470 | ".Event.Tag | select(length > 0) | .[].name": { 471 | "extract_type": "all", 472 | "comparison": "count", 473 | "values": [ 474 | ">=3" 475 | ] 476 | } 477 | } 478 | ], 479 | "result": "Context added", 480 | "evaluation_strategy": "data_filtering", 481 | "evaluation_context": {}, 482 | "score_range": [ 483 | 0, 484 | 20 485 | ] 486 | } 487 | ], 488 | "name": "Contextualization", 489 | "target_tool": "MISP", 490 | "uuid": "b19e8d39-e64e-4a51-94ee-462cd74b8d24" 491 | }, 492 | { 493 | "action": "published", 494 | "inject_evaluation": [ 495 | { 496 | "parameters": [ 497 | { 498 | ".Event.info": { 499 | "comparison": "regex", 500 | "values": [ 501 | ".*[sS]pear[-\\s]?phishing.*" 502 | ] 503 | } 504 | }, 505 | { 506 | ".Event.published": { 507 | "comparison": "equals", 508 | "values": [ 509 | "1" 510 | ] 511 | } 512 | } 513 | ], 514 | "result": "Event published", 515 | "evaluation_strategy": "data_filtering", 516 | "evaluation_context": {}, 517 | "score_range": [ 518 | 0, 519 | 20 520 | ] 521 | } 522 | ], 523 | "name": "Published", 524 | "target_tool": "MISP", 525 | "uuid": "930459b8-ed61-4e62-b072-071577ea0430" 526 | } 527 | ] 528 | } -------------------------------------------------------------------------------- /template.env: -------------------------------------------------------------------------------- 1 | 2 | SKILLAEGIS_MISP_URL=https://localhost/ 3 | SKILLAEGIS_MISP_APIKEY=FI4gCRghRZvLVjlLPLTFZ852x2njkkgPSz0zQ3E0 4 | SKILLAEGIS_MISP_SKIPSSL=1 5 | 6 | --------------------------------------------------------------------------------