first sync

2025-03-04 07:59:21 +01:00
parent 9cdcf486b6
commit 506716e703
1450 changed files with 577316 additions and 62 deletions


@ -0,0 +1,16 @@
# Mindmap exporter
Shuffle has a mindmap for Workflow use-cases. These can be changed and exported, with the most important piece being that they're explorable and editable. This has and will come in handy for us as we build it into the product.
https://www.mindmeister.com/map/2172644474
## Editing the Mindmap
There are a few categories. To edit them, click the small plus next to the branch you want to change.
## Exporting the Mindmap
Click "Export as RTF" in the top left corner of the URL. Download it there.
## Generating the Shuffle-comaptible mindmap
1. Move the rtf file here
2. Rename it categories.rtf
3. Run the read_categories.py file (python3 read_categories.py)
4. You now have a file called categories.json locally with all the categories in JSON format, ready to be used in graphs.


@ -0,0 +1,260 @@
[
{
"name": "1. Collect & Distribute",
"color": "#c51152",
"list": [
{
"name": "2-way Ticket synchronization",
"items": {}
},
{
"name": "Email management",
"items": {
"name": "Release a quarantined message",
"items": {}
}
},
{
"name": "EDR to ticket",
"items": {
"name": "Get host information",
"items": {}
}
},
{
"name": "SIEM to ticket",
"items": {}
},
{
"name": "ChatOps",
"items": {}
},
{
"name": "Threat Intel received",
"items": {}
},
{
"name": "Domain investigation with LetsEncrypt",
"items": {}
},
{
"name": "Botnet tracker",
"items": {}
},
{
"name": "Get running containers",
"items": {}
},
{
"name": "Assign tickets",
"items": {}
},
{
"name": "Firewall alerts",
"items": {
"name": "URL filtering",
"items": {}
}
},
{
"name": "IDS/IPS alerts",
"items": {
"name": "Manage policies",
"items": {}
}
},
{
"name": "Deduplicate information",
"items": {}
},
{
"name": "Correlate information",
"items": {}
}
]
},
{
"name": "2. Enrich",
"color": "#f4c20d",
"list": [
{
"name": "Internal Enrichment",
"items": {
"name": "...",
"items": {}
}
},
{
"name": "External historical Enrichment",
"items": {
"name": "...",
"items": {}
}
},
{
"name": "Realtime",
"items": {
"name": "Analyze screenshots",
"items": {}
}
},
{
"name": "Ticketing webhook verification",
"items": {}
}
]
},
{
"name": "3. Detect",
"color": "#3cba54",
"list": [
{
"name": "Search SIEM (Sigma)",
"items": {
"name": "Endpoint",
"items": {}
}
},
{
"name": "Search EDR (OSQuery)",
"items": {}
},
{
"name": "Search emails (Phish)",
"items": {
"name": "Check headers and IOCs",
"items": {}
}
},
{
"name": "Search IOCs (ioc-finder)",
"items": {}
},
{
"name": "Search files (Yara)",
"items": {}
},
{
"name": "Correlate tickets",
"items": {}
},
{
"name": "Honeypot access",
"items": {
"name": "...",
"items": {}
}
}
]
},
{
"name": "4. Respond",
"color": "#4a148c",
"list": [
{
"name": "Eradicate malware",
"items": {}
},
{
"name": "Quarantine host(s)",
"items": {}
},
{
"name": "Trigger scans",
"items": {}
},
{
"name": "Update indicators (FW, EDR, SIEM...)",
"items": {}
},
{
"name": "Autoblock activity when threat intel is received",
"items": {}
},
{
"name": "Lock/Delete/Reset account",
"items": {}
},
{
"name": "Lock vault",
"items": {}
},
{
"name": "Increase authentication",
"items": {}
},
{
"name": "Get policies from assets",
"items": {}
}
]
},
{
"name": "5. Verify",
"color": "#4885ed",
"list": [
{
"name": "Discover vulnerabilities",
"items": {}
},
{
"name": "Discover assets",
"items": {}
},
{
"name": "Ensure policies are followed",
"items": {}
},
{
"name": "Find Inactive users",
"items": {}
},
{
"name": "Ensure access rights match HR systems",
"items": {}
},
{
"name": "Ensure onboarding is followed",
"items": {}
},
{
"name": "Third party apps in SaaS",
"items": {}
},
{
"name": "Devices used for your cloud account",
"items": {}
},
{
"name": "Too much access in GCP/Azure/AWS/ other clouds",
"items": {}
},
{
"name": "Certificate validation",
"items": {}
},
{
"name": "Monitor new DNS entries for domain with passive DNS",
"items": {}
},
{
"name": "Monitor and track password dumps",
"items": {}
},
{
"name": "Monitor for mentions of domain on darknet sites",
"items": {}
},
{
"name": "Reporting",
"items": {
"name": "Monthly reports",
"items": {
"name": "...",
"items": {}
}
}
}
]
}
]


@ -0,0 +1,555 @@
{\rtf1\ansi\deff0\deflang2057\plain\fs24\fet1
{\fonttbl
{\f0\froman Arial;}
}
{\info
{\createim\yr2022\mo2\dy20\hr1\min15}
}
\paperw11907\paperh16840\margl1800\margr1800\margt1440\margb1440
\slmult0\ltrpar\li0
{\b\fs28
Shuffle categories
}
\par\pard\plain
\slmult0\ltrpar\li200
{\fs24
1. Collect & Distribute
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
2-way Ticket synchronization
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Email management
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Attachments
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Manage senders
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Manage URLs
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Encode & Decode URLs
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Release a quarantined message
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
EDR to ticket
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Fetch incidents & events
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Quarantine files
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Quarantine host (respond)
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Get host information
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
SIEM to ticket
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
ChatOps
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Threat Intel received
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Domain investigation with LetsEncrypt
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Botnet tracker
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Get running containers
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Assign tickets
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Firewall alerts
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Block/accept policies
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Add addresses and ports to groups
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Support custom URL categories
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Fetch logs for specific address
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
URL filtering
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
IDS/IPS alerts
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Get/Fetch alerts
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Receive alerts real-time
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Get PCAP files
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Get network logs
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Manage policies
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Deduplicate information
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Correlate information
}
\par\pard\plain
\slmult0\ltrpar\li200
{\fs24
3. Detect
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Search SIEM (Sigma)
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Network
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Endpoint
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Search EDR (OSQuery)
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Search emails (Phish)
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Check malware
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Check targeted
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Check headers and IOCs
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Search IOCs (ioc-finder)
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Search files (Yara)
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Correlate tickets
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Honeypot access
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
S3 Honeypot
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
SSH Honeypot
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
FTP honeypot
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Network honeypot
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
...
}
\par\pard\plain
\slmult0\ltrpar\li200
{\fs24
rich
}
\par\pard\plain
\slmult0\ltrpar\li200
{\fs24
5. Verify
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Discover vulnerabilities
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Discover assets
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Ensure policies are followed
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Find Inactive users
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Ensure access rights match HR systems
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Ensure onboarding is followed
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Third party apps in SaaS
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Devices used for your cloud account
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Too much access in GCP/Azure/AWS/ other clouds
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Certificate validation
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Monitor new DNS entries for domain with passive DNS
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Monitor and track password dumps
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Monitor for mentions of domain on darknet sites
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Reporting
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Automation time saved
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Automation money saved
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Incident response report
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Department cost
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Monthly reports
}
\par\pard\plain
\slmult0\ltrpar\li800
{\fs24
EDR alerts
}
\par\pard\plain
\slmult0\ltrpar\li800
{\fs24
SIEM alerts
}
\par\pard\plain
\slmult0\ltrpar\li800
{\fs24
Emails quarantined
}
\par\pard\plain
\slmult0\ltrpar\li800
{\fs24
...
}
\par\pard\plain
\slmult0\ltrpar\li200
{\fs24
4. Respond
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Eradicate malware
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Quarantine host(s)
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Trigger scans
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Update indicators (FW, EDR, SIEM...)
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Autoblock activity when threat intel is received
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Lock/Delete/Reset account
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Lock vault
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Increase authentication
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Get policies from assets
}
\par\pard\plain
\slmult0\ltrpar\li200
{\fs24
2. Enrich
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Internal Enrichment
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Users
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Hostnames
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
IPs
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Departments
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Role
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Software
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
...
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
External historical Enrichment
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
IPs
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
URLs
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Hashes
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Files
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
...
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Realtime
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
File detonation
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
URL detonation
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
PCAP analysis
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Analyze screenshots
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Ticketing webhook verification
}
\par\pard\plain
}


@ -0,0 +1,66 @@
data = ""
with open("categories.rtf", "r") as tmp:
data = tmp.read()
fixed_json = []
linearity = 0
heading = ""
subheading = ""
subsubheading = ""
cnt = -1
subcnt = -1
colors = ["#c51152", "#3cba54", "#4885ed", "#4a148c", "#f4c20d"]
for line in data.split("\n"):
if line == "rich":
continue
if "li" in line:
lisplit = line.split("\\")
try:
linearity = int(lisplit[-1][2])
except:
pass
#print("Linearity: %s" % linearity)
if line.startswith("{") or line.startswith("}"):
continue
if line.startswith("\\"):
continue
if linearity == 0:
continue
if linearity == 2:
#if cnt >= 0:
# for key, value in fixed_json[cnt].items():
# print(key, value)
cnt += 1
subcnt = -1
fixed_json.append({"name": line, "color": colors[cnt], "list": []})
heading = line
elif linearity == 4:
subheading = line
fixed_json[cnt]["list"].append({"name": line, "items": {}})
subcnt += 1
elif linearity == 6:
fixed_json[cnt]["list"][subcnt]["items"] = {"name": line, "items": {}}
elif linearity == 8:
fixed_json[cnt]["list"][subcnt]["items"]["items"] = {"name": line, "items": {}}
else:
print("No handler for %s" % line)
#print(line)
#print(data)
import json
filename = "categories.json"
fixed_json.sort(key=lambda x: x["name"])
with open(filename, "w+") as tmp:
tmp.write(json.dumps(fixed_json, indent=4))
print("Wrote to file %s" % filename)
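Review bot: The `linearity == 6` and `linearity == 8` branches assign a single dict to `"items"` instead of accumulating, so every child but the last is silently dropped — the committed categories.json keeps only `Release a quarantined message` under `Email management` although the RTF in this same commit lists five children there, and the same happens for every other branch with sub-items. If consumers of categories.json can take the schema change, `"items"` should be a list that each branch appends to. Separately, `if "li" in line` fires on any text line containing the letters "li" (e.g. `Ensure policies are followed`), and the bare `except: pass` then leaves `linearity` at the previous line's value; testing the last control word with `startswith("li")` and catching only `ValueError` keeps the RTF parsing explicit. `colors[cnt]` also raises a bare `IndexError` on a sixth top-level heading, which deserves an error message naming the heading.

```python
for line in data.split("\n"):
    # … unchanged: "rich" skip …
    lisplit = line.split("\\")
    # only an RTF \liNNN control word carries indentation; a text line
    # that merely contains "li" must not change the current level
    if lisplit[-1].startswith("li"):
        try:
            linearity = int(lisplit[-1][2])
        except ValueError:
            pass
    # … unchanged: skip brace, control-word and level-0 lines …
    if linearity == 2:
        cnt += 1
        subcnt = -1
        if cnt >= len(colors):
            raise SystemExit("More top-level headings than colors at: %s" % line)
        fixed_json.append({"name": line, "color": colors[cnt], "list": []})
        heading = line
    elif linearity == 4:
        subheading = line
        fixed_json[cnt]["list"].append({"name": line, "items": []})
        subcnt += 1
    elif linearity == 6:
        fixed_json[cnt]["list"][subcnt]["items"].append({"name": line, "items": []})
    elif linearity == 8:
        fixed_json[cnt]["list"][subcnt]["items"][-1]["items"].append({"name": line, "items": []})
    else:
        print("No handler for %s" % line)
# … unchanged: sort and JSON dump …
```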