1 – Playbooks Base – SGBox Next Generation SIEM & SOAR
https://www.sgbox.eu
Feed built Mon, 02 Dec 2024 15:59:30 +0000

Playbooks – Basic Authentication
https://www.sgbox.eu/en/knowledge-base/playbooks-basic-authentication/
Thu, 23 Feb 2023 13:05:04 +0000

Basic Authentication

Some applications require HTTP Basic authentication to retrieve information, as in this curl call:

curl --user "username:password" https://app.website.com/api...

Username and password should be passed in an SGBox Playbook in the following way:

  1. Encode username:password in base64. In our case the result is: dXNlcm5hbWU6cGFzc3dvcmQ=
  2. Create a new Authorization header with value: Basic dXNlcm5hbWU6cGFzc3dvcmQ=

Base64 is an encoding, not encryption: anyone who can read the header can recover the password, so send it only over HTTPS and keep the header value out of logs and screenshots.
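The following Python snippet is an added example, not code from the SGBox page: it builds the Authorization header value exactly as the two steps above describe, decodes it again to show that the password is fully recoverable from the header, and prints the curl call that is equivalent to curl --user. The function names and the example URL are the author's own choices.

```python
import base64
import binascii


def basic_auth_header(username: str, password: str) -> str:
    """Return the Authorization header value for HTTP Basic auth.

    RFC 7617: credentials are "user:pass" encoded as base64. The user-id
    must not contain a colon, because the first colon is the separator
    (the password itself may contain colons).
    """
    if ":" in username:
        raise ValueError("username must not contain ':' (RFC 7617)")
    # Encoding is not encryption: base64 is trivially reversible, so the
    # header only protects the password when the request travels over TLS.
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic_auth(header_value: str) -> tuple:
    """Recover (username, password) from an Authorization header value.

    This is what anyone who sees the header (proxy logs, a debug dump,
    a screenshot) can do, which is why the value must be treated as a secret.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic authorization header")
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("malformed base64 credentials") from exc
    user, sep, pwd = raw.partition(":")
    if not sep:
        raise ValueError("credentials must be 'user:password'")
    return user, pwd


def curl_equivalent(username: str, password: str, url: str) -> str:
    """Spell the page's `curl --user` call out as an explicit header.

    Handy to confirm that the value pasted into the playbook's Authorization
    header is byte-for-byte what curl would send.
    """
    return f'curl -H "Authorization: {basic_auth_header(username, password)}" {url}'


if __name__ == "__main__":
    hdr = basic_auth_header("username", "password")
    print(hdr)                     # Basic dXNlcm5hbWU6cGFzc3dvcmQ=
    print(decode_basic_auth(hdr))  # ('username', 'password')
    print(curl_equivalent("username", "password", "https://app.website.com/api"))
```

Passwords that contain a colon survive the round trip because only the first colon is treated as the separator; a colon in the username is rejected, since the receiving side would otherwise split the credentials in the wrong place.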


Playbooks – Generic API
https://www.sgbox.eu/en/knowledge-base/playbooks-generic-api/
Mon, 13 Jun 2022 10:17:25 +0000

Generic API request

This node can be configured with url, headers and parameters to get the output from any HTTP API.

URL – if the complete url is already known, insert it into the Value field and select Fixed as type. Otherwise, the url can be composed of several concatenated url parts, added by
Each value has a type:

  • Fixed: for values already known
  • Fixed JSON: same as fixed, with the value in JSON format
  • Extract from previous output: if the value has to be extracted from the output of another node. E.g.: a token obtained as a response from a previous API call
  • Extract from previous response headers: as the previous one, but the value is in the headers of the response, not in the output.
  • Start Timestamp or End Timestamp: for requests whose parameters are time ranges that have to be updated at every request.
    Given the timestamp format and, if needed, a timezone and a number of seconds to add or subtract, the node computes the values automatically, based on the last request.
    Built to be used in periodic requests that retrieve logs from an API.

When the value has to be extracted, a list of the other nodes is displayed. Choose one to see its output, then select the value from it. If no value is selected, the whole output of the node is used, where possible.

Headers and parameters are composed in the same way as url parts. All values can be preceded by a prefix or followed by a suffix.


Set url and parameters and make the request.

Generic API request with a parameter extracted from a previous request. In this example, the previous request returned 5 SGBox events. We selected type = “Extract from previous output”, selected the previous node and got its output on the right. Then, for the “event_id” parameter of our request, we clicked in the JSON on the first patternid returned by the previous request, and the value field was filled with 0.patternid.
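As an added example, not SGBox's own code, the script below shows how the value types listed above (Fixed, Fixed JSON, Extract from previous output, plus prefix and suffix) combine into a request: a dotted path such as 0.patternid is walked through the previous node's JSON output, an empty path yields the whole output, a Fixed JSON literal is validated before use, and a prefix is prepended to an extracted token. The specification key names, the node names (get_events, login) and the five sample events are assumptions made up for the example.

```python
import json
from typing import Any


def extract_from_output(output: Any, path: str) -> Any:
    """Walk a dotted path such as "0.patternid" through a decoded JSON value.

    Each segment is a dict key or, when the current value is a list, an
    integer index. An empty path returns the whole output, which mirrors the
    page's "if no value is selected, the whole output of the node is used".
    """
    if path == "":
        return output
    current = output
    for segment in path.split("."):
        if isinstance(current, list):
            try:
                current = current[int(segment)]
            except (ValueError, IndexError) as exc:
                raise KeyError(f"no list element for {segment!r} in path {path!r}") from exc
        elif isinstance(current, dict):
            if segment not in current:
                raise KeyError(f"key {segment!r} not found in path {path!r}")
            current = current[segment]
        else:
            raise KeyError(f"cannot descend into {type(current).__name__} at {segment!r}")
    return current


def resolve_value(spec: dict, previous_outputs: dict) -> str:
    """Turn one url-part / header / parameter specification into its string value.

    spec keys (assumed names, not SGBox's UI labels):
      type   - "fixed", "fixed_json" or "extract_output"
      value  - the literal, the JSON text, or the dotted path into the node output
      node   - name of the previous node whose output is read (extract_output)
      prefix / suffix - optional text placed before / after the value
    """
    kind = spec["type"]
    if kind == "fixed":
        value = str(spec["value"])
    elif kind == "fixed_json":
        # Parse and re-serialise so a malformed literal fails here, not at the remote API.
        value = json.dumps(json.loads(spec["value"]), separators=(",", ":"))
    elif kind == "extract_output":
        raw = extract_from_output(previous_outputs[spec["node"]], spec.get("value", ""))
        value = raw if isinstance(raw, str) else json.dumps(raw, separators=(",", ":"))
    else:
        raise ValueError(f"unknown value type {kind!r}")
    return f"{spec.get('prefix', '')}{value}{spec.get('suffix', '')}"


def build_request(url_parts, headers, params, previous_outputs):
    """Assemble the url (concatenated parts), headers and query parameters."""
    url = "".join(resolve_value(p, previous_outputs) for p in url_parts)
    hdrs = {name: resolve_value(s, previous_outputs) for name, s in headers.items()}
    prms = {name: resolve_value(s, previous_outputs) for name, s in params.items()}
    return url, hdrs, prms


# Constructed sample outputs of two earlier nodes: five events and a login response.
PREVIOUS_OUTPUTS = {
    "get_events": [{"patternid": 1041, "host": "h1"}, {"patternid": 1042, "host": "h2"},
                   {"patternid": 1043, "host": "h3"}, {"patternid": 1044, "host": "h4"},
                   {"patternid": 1045, "host": "h5"}],
    "login": {"token": "abc123"},
}


def example():
    """Request whose event_id is the first patternid of the previous node's output."""
    url_parts = [{"type": "fixed", "value": "https://app.website.com"},
                 {"type": "fixed", "value": "/api/events"}]
    headers = {"Authorization": {"type": "extract_output", "node": "login",
                                 "value": "token", "prefix": "Bearer "}}
    params = {"event_id": {"type": "extract_output", "node": "get_events", "value": "0.patternid"},
              "filter": {"type": "fixed_json", "value": '{"severity": "high"}'}}
    return build_request(url_parts, headers, params, PREVIOUS_OUTPUTS)


if __name__ == "__main__":
    print(example())
```

A path that does not resolve raises rather than silently sending an empty parameter, which is the failure mode you want when a periodic playbook is feeding a query to a production API.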


Generic API request with Start and End timestamp to extract logs from an API. In this example, the API request has two parameters, start_ts and end_ts, that are recalculated every time the node is executed or tested. In the dump section you can see the values. In the second execution, the value of start_ts is the end_ts of the previous execution, while the value of end_ts is the current time.
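To make the start_ts/end_ts behaviour above concrete, here is an added example (the author's own illustration, not the SGBox implementation) of a window calculator that keeps the previous end_ts as state, supports a strftime format or epoch seconds, a timezone, and a seconds offset, and refuses to produce an empty or negative range. The class name, parameters and the constructed run times are assumptions.

```python
from datetime import datetime, timedelta, timezone


class TimestampWindow:
    """Compute the start_ts / end_ts pair for a periodic log-retrieval request.

    First execution: start_ts = now - initial_lookback, end_ts = now.
    Every later execution: start_ts = previous end_ts, end_ts = now, so the
    windows tile the timeline with neither gaps nor overlap, as in the dump
    described on the page. offset_seconds shifts end_ts; a negative value lags
    behind real time, which avoids missing events the source API indexes late.
    fmt is a strftime pattern, or "epoch" for integer seconds since 1970.
    """

    def __init__(self, fmt, tz=timezone.utc, offset_seconds=0, initial_lookback=300):
        self.fmt = fmt
        self.tz = tz  # any tzinfo; in production pass zoneinfo.ZoneInfo("Europe/Rome") etc.
        self.offset = timedelta(seconds=offset_seconds)
        self.initial_lookback = timedelta(seconds=initial_lookback)
        self.last_end = None  # aware datetime of the previous end_ts

    def _render(self, ts):
        if self.fmt == "epoch":
            return int(ts.timestamp())
        return ts.strftime(self.fmt)

    def next_window(self, now=None):
        """Return {"start_ts": ..., "end_ts": ...} and remember end_ts for the next call."""
        if now is None:
            now = datetime.now(timezone.utc)
        if now.tzinfo is None:
            raise ValueError("now must be timezone-aware")
        end = now.astimezone(self.tz) + self.offset
        start = self.last_end if self.last_end is not None else end - self.initial_lookback
        if end <= start:
            # Clock stepped backwards, or two runs within the same second: an empty or
            # negative range is pointless, so refuse and keep the previous state intact.
            raise RuntimeError("end_ts is not after the previous end_ts; nothing new to fetch")
        self.last_end = end
        return {"start_ts": self._render(start), "end_ts": self._render(end)}


def demo():
    """Two consecutive executions one minute apart (constructed times, not the live clock)."""
    win = TimestampWindow("%Y-%m-%dT%H:%M:%S%z", initial_lookback=60)
    t1 = datetime(2024, 12, 2, 15, 0, 0, tzinfo=timezone.utc)
    first = win.next_window(t1)
    second = win.next_window(t1 + timedelta(minutes=1))
    return first, second


def demo_epoch():
    """Epoch output with a 30 s lag behind real time (constructed time)."""
    win = TimestampWindow("epoch", offset_seconds=-30, initial_lookback=60)
    return win.next_window(datetime(2024, 12, 2, 15, 0, 0, tzinfo=timezone.utc))


if __name__ == "__main__":
    first, second = demo()
    print("first run :", first)
    print("second run:", second)
    print("epoch, lagged 30 s:", demo_epoch())
```

The state lives in `last_end`, so persisting that single value between scheduled executions is enough to resume without re-fetching or skipping logs after a restart.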

Download the PB module – samples package for examples.

Playbooks – Base settings
https://www.sgbox.eu/en/knowledge-base/playbooks/
Mon, 28 Mar 2022 11:52:05 +0000

PLAYBOOKS

A playbook performs a sequence of actions chosen from the available ones, preserving state between actions and passing each result on to the next action.
Starting from version 5.4.1, playbooks can be used in combination with list feeds and to retrieve logs from any external API.

To associate a playbook with a list feed, go to the page SCM->Actions->List, click on the tab FEED and then create a new feed or edit one. To create a playbook, click on the + icon. XML advanced configuration is deprecated.


As an alternative, a playbook can be created first and then associated with a feed. Go to the page PB->Playbooks to show the list of available playbooks.
In this page, playbooks can be executed and scheduled to run every minute or at a longer interval.
Use the button NEW PLAYBOOK to create a new playbook.


On the left, there is the list of available nodes. Every node is designed to perform a specific action and nodes are grouped by action category. Add a node to a playbook by clicking on the category, to expand its nodes, and then on the node.
Once added, nodes can be:

    • moved by dragging and dropping
    • connected by links. Click on the right arrow of any node to create a new link, then click on the left arrow of any other node to release the link.
    • set as start node with the start-node icon. This node is executed first; the others follow according to the flow created by the links. A green icon indicates the current start node.
    • tested with the test icon. The result will pop up next to the node configuration form.
    • edited with the edit icon. The node configuration form will pop up.
    • permanently removed from the playbook with the delete icon.


The buttons TEST and SAVE on the bottom right of the page allow you to test the whole playbook and save it. Once saved, it will appear among the playbooks in the page and in the list inside the feed configuration form.
