From 4d0dfba818bf0a1589f6c12e4dc14ba7cd94aad9 Mon Sep 17 00:00:00 2001 From: Jonas Plum Date: Sat, 22 Oct 2022 21:32:18 +0200 Subject: [PATCH] Remove malware playbook (#540) * Remove malware playbook Co-authored-by: Jonas Plum --- database/migrations/content.go | 3 -- database/migrations/migrations.go | 1 - database/migrations/playbooks/malware.yml | 63 ---------------------- definition/playbooks.yaml | 3 -- generated/api/test_api.go | 2 +- generated/catalyst.json | 4 -- generated/catalyst.yml | 66 ----------------------- generated/community.json | 4 -- generated/community.yml | 66 ----------------------- 9 files changed, 1 insertion(+), 211 deletions(-) delete mode 100644 database/migrations/playbooks/malware.yml diff --git a/database/migrations/content.go b/database/migrations/content.go index 7e2c1b5..80042a4 100644 --- a/database/migrations/content.go +++ b/database/migrations/content.go @@ -14,9 +14,6 @@ var VTHashAutomation string //go:embed automations/comment.py var CommentAutomation string -//go:embed playbooks/malware.yml -var MalwarePlaybook string - //go:embed playbooks/phishing.yml var PhishingPlaybook string diff --git a/database/migrations/migrations.go b/database/migrations/migrations.go index fcd422e..7881ebe 100644 --- a/database/migrations/migrations.go +++ b/database/migrations/migrations.go 
@@ -36,7 +36,6 @@ func generateMigrations() ([]Migration, error) {
 &createDocument[busdb.Keyed[model.Automation]]{ID: "create-automation-vt.hash", Collection: "automations", Document: &busdb.Keyed[model.Automation]{Key: "vt.hash", Doc: &model.Automation{Image: "docker.io/python:3", Script: VTHashAutomation}}},
 &createDocument[busdb.Keyed[model.Automation]]{ID: "create-automation-comment", Collection: "automations", Document: &busdb.Keyed[model.Automation]{Key: "comment", Doc: &model.Automation{Image: "docker.io/python:3", Script: CommentAutomation}}},
 &createDocument[busdb.Keyed[model.Automation]]{ID: "create-automation-hash.sha1", Collection: "automations", Document: &busdb.Keyed[model.Automation]{Key: "hash.sha1", Doc: &model.Automation{Image: "docker.io/python:3", Script: SHA1HashAutomation}}},
- &createDocument[busdb.Keyed[model.PlaybookTemplate]]{ID: "create-playbook-malware", Collection: "playbooks", Document: &busdb.Keyed[model.PlaybookTemplate]{Key: "malware", Doc: &model.PlaybookTemplate{Name: "Malware", Yaml: MalwarePlaybook}}},
 &createDocument[busdb.Keyed[model.PlaybookTemplate]]{ID: "create-playbook-phishing", Collection: "playbooks", Document: &busdb.Keyed[model.PlaybookTemplate]{Key: "phishing", Doc: &model.PlaybookTemplate{Name: "Phishing", Yaml: PhishingPlaybook}}},
 &createDocument[busdb.Keyed[model.TicketType]]{ID: "create-tickettype-alert", Collection: "tickettypes", Document: &busdb.Keyed[model.TicketType]{Key: "alert", Doc: &model.TicketType{Name: "Alerts", Icon: "mdi-alert", DefaultTemplate: "default", DefaultPlaybooks: []string{}, DefaultGroups: nil}}},
 &createDocument[busdb.Keyed[model.TicketType]]{ID: "create-tickettype-incident", Collection: "tickettypes", Document: &busdb.Keyed[model.TicketType]{Key: "incident", Doc: &model.TicketType{Name: "Incidents", Icon: "mdi-radioactive", DefaultTemplate: "default", DefaultPlaybooks: []string{}, DefaultGroups: nil}}}, 
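Review bot: Dropping the `create-playbook-malware` entry from the migration list only stops fresh installations from creating the document; a deployment that already applied that migration keeps the `malware` document in the `playbooks` collection, and nothing in this commit deletes it. If the template is meant to disappear everywhere, a companion migration that removes key `malware` from `playbooks` is needed; whether the runner also objects to a recorded migration ID that no longer appears in the list depends on how applied IDs are tracked, which is outside this hunk and worth confirming. The leftover template still references the `hash.sha1` and `vt.hash` automations, which this commit keeps, so on such instances it stays runnable, including its sample-upload step. generateMigrations begins and ends outside the hunk.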
diff --git a/database/migrations/playbooks/malware.yml b/database/migrations/playbooks/malware.yml deleted file mode 100644 index 8bbb3c8..0000000 --- a/database/migrations/playbooks/malware.yml +++ /dev/null @@ -1,63 +0,0 @@ -name: Malware -tasks: - file-or-hash: - name: Do you have the file or the hash? - type: input - schema: - title: Malware - type: object - properties: - file: - type: string - title: "I have the" - enum: [ "File", "Hash" ] - next: - enter-hash: "file == 'Hash'" - upload: "file == 'File'" - - enter-hash: - name: Please enter the hash - type: input - schema: - title: Malware - type: object - properties: - hash: - type: string - title: Please enter the hash value - minlength: 32 - next: - virustotal: "hash != ''" - - upload: - name: Upload the malware - type: input - schema: - title: Malware - type: object - properties: - malware: - type: object - x-display: file - title: Please upload the malware - next: - hash: "malware" - - hash: - name: Hash the malware - type: automation - automation: hash.sha1 - payload: - default: "playbook.tasks['upload'].data['malware']" - next: - virustotal: - - virustotal: - name: Send hash to VirusTotal - type: automation - automation: vt.hash - args: - hash: "playbook.tasks['enter-hash'].data['hash'] || playbook.tasks['hash'].data['hash']" - # next: - # known-malware: "score > 5" - # sandbox: "score < 6" # unknown-malware diff --git a/definition/playbooks.yaml b/definition/playbooks.yaml index eeb6b36..2a92a67 100644 --- a/definition/playbooks.yaml +++ b/definition/playbooks.yaml 
@@ -13,9 +13,6 @@ paths: schema: { type: array, items: { $ref: "#/definitions/PlaybookTemplateResponse" } } examples: test: - - id: malware - name: Malware - yaml: "name: Malware\ntasks:\n file-or-hash:\n name: Do you have the file or the hash?\n type: input\n schema:\n title: Malware\n type: object\n properties:\n file:\n type: string\n title: \"I have the\"\n enum: [ \"File\", \"Hash\" ]\n next:\n enter-hash: \"file == 'Hash'\"\n upload: \"file == 'File'\"\n\n enter-hash:\n name: Please enter the hash\n type: input\n schema:\n title: Malware\n type: object\n properties:\n hash:\n type: string\n title: Please enter the hash value\n minlength: 32\n next:\n virustotal: \"hash != ''\"\n\n upload:\n name: Upload the malware\n type: input\n schema:\n title: Malware\n type: object\n properties:\n malware:\n type: object\n x-display: file\n title: Please upload the malware\n next:\n hash: \"malware\"\n\n hash:\n name: Hash the malware\n type: automation\n automation: hash.sha1\n payload:\n default: \"playbook.tasks['upload'].data['malware']\"\n next:\n virustotal:\n\n virustotal:\n name: Send hash to VirusTotal\n type: automation\n automation: vt.hash\n args:\n hash: \"playbook.tasks['enter-hash'].data['hash'] || playbook.tasks['hash'].data['hash']\"\n # next:\n # known-malware: \"score > 5\"\n # sandbox: \"score < 6\" # unknown-malware\n" - id: phishing name: Phishing yaml: "name: Phishing\ntasks:\n board:\n name: Board Involvement?\n description: Is a board member involved?\n type: input\n schema:\n properties:\n boardInvolved:\n default: false\n title: A board member is involved.\n type: boolean\n required:\n - boardInvolved\n title: Board Involvement?\n type: object\n next:\n escalate: \"boardInvolved == true\"\n mail-available: \"boardInvolved == false\"\n\n escalate:\n name: Escalate to CISO\n description: Please escalate the task to the CISO\n type: task\n\n mail-available:\n name: Mail available\n type: input\n schema:\n oneOf:\n - properties:\n mail:\n title: 
Mail\n type: string\n x-display: textarea\n schemaKey:\n const: 'yes'\n type: string\n required:\n - mail\n title: 'Yes'\n - properties:\n schemaKey:\n const: 'no'\n type: string\n title: 'No'\n title: Mail available\n type: object\n next:\n block-sender: \"schemaKey == 'yes'\"\n extract-iocs: \"schemaKey == 'yes'\"\n search-email-gateway: \"schemaKey == 'no'\"\n\n search-email-gateway:\n name: Search email gateway\n description: Please search email-gateway for the phishing mail.\n type: task\n next:\n extract-iocs:\n\n block-sender:\n name: Block sender\n type: task\n next:\n extract-iocs:\n\n extract-iocs:\n name: Extract IOCs\n description: Please insert the IOCs\n type: input\n schema:\n properties:\n iocs:\n items:\n type: string\n title: IOCs\n type: array\n title: Extract IOCs\n type: object\n next:\n block-iocs:\n\n block-iocs:\n name: Block IOCs\n type: task\n" diff --git a/generated/api/test_api.go b/generated/api/test_api.go index ba871cc..2286176 100755 --- a/generated/api/test_api.go +++ b/generated/api/test_api.go 
@@ -194,7 +194,7 @@ var Tests = []struct { Args: Args{Method: "Get", URL: "/playbooks"}, Want: Want{ Status: 200, - Body: []any{map[string]any{"id": "malware", "name": "Malware", "yaml": "name: Malware\ntasks:\n file-or-hash:\n name: Do you have the file or the hash?\n type: input\n schema:\n title: Malware\n type: object\n properties:\n file:\n type: string\n title: \"I have the\"\n enum: [ \"File\", \"Hash\" ]\n next:\n enter-hash: \"file == 'Hash'\"\n upload: \"file == 'File'\"\n\n enter-hash:\n name: Please enter the hash\n type: input\n schema:\n title: Malware\n type: object\n properties:\n hash:\n type: string\n title: Please enter the hash value\n minlength: 32\n next:\n virustotal: \"hash != ''\"\n\n upload:\n name: Upload the malware\n type: input\n schema:\n title: Malware\n type: object\n properties:\n malware:\n type: object\n x-display: file\n title: Please upload the malware\n next:\n hash: \"malware\"\n\n hash:\n name: Hash the malware\n type: automation\n automation: hash.sha1\n payload:\n default: \"playbook.tasks['upload'].data['malware']\"\n next:\n virustotal:\n\n virustotal:\n name: Send hash to VirusTotal\n type: automation\n automation: vt.hash\n args:\n hash: \"playbook.tasks['enter-hash'].data['hash'] || playbook.tasks['hash'].data['hash']\"\n # next:\n # known-malware: \"score > 5\"\n # sandbox: \"score < 6\" # unknown-malware\n"}, map[string]any{"id": "phishing", "name": "Phishing", "yaml": "name: Phishing\ntasks:\n board:\n name: Board Involvement?\n description: Is a board member involved?\n type: input\n schema:\n properties:\n boardInvolved:\n default: false\n title: A board member is involved.\n type: boolean\n required:\n - boardInvolved\n title: Board Involvement?\n type: object\n next:\n escalate: \"boardInvolved == true\"\n mail-available: \"boardInvolved == false\"\n\n escalate:\n name: Escalate to CISO\n description: Please escalate the task to the CISO\n type: task\n\n mail-available:\n name: Mail available\n type: input\n 
schema:\n oneOf:\n - properties:\n mail:\n title: Mail\n type: string\n x-display: textarea\n schemaKey:\n const: 'yes'\n type: string\n required:\n - mail\n title: 'Yes'\n - properties:\n schemaKey:\n const: 'no'\n type: string\n title: 'No'\n title: Mail available\n type: object\n next:\n block-sender: \"schemaKey == 'yes'\"\n extract-iocs: \"schemaKey == 'yes'\"\n search-email-gateway: \"schemaKey == 'no'\"\n\n search-email-gateway:\n name: Search email gateway\n description: Please search email-gateway for the phishing mail.\n type: task\n next:\n extract-iocs:\n\n block-sender:\n name: Block sender\n type: task\n next:\n extract-iocs:\n\n extract-iocs:\n name: Extract IOCs\n description: Please insert the IOCs\n type: input\n schema:\n properties:\n iocs:\n items:\n type: string\n title: IOCs\n type: array\n title: Extract IOCs\n type: object\n next:\n block-iocs:\n\n block-iocs:\n name: Block IOCs\n type: task\n"}, map[string]any{"id": "simple", "name": "Simple", "yaml": "name: Simple\ntasks:\n input:\n name: Enter something to hash\n type: input\n schema:\n title: Something\n type: object\n properties:\n something:\n type: string\n title: Something\n default: \"\"\n next:\n hash: \"something != ''\"\n\n hash:\n name: Hash the something\n type: automation\n automation: hash.sha1\n payload:\n default: \"playbook.tasks['input'].data['something']\"\n next:\n comment: \"hash != ''\"\n\n comment:\n name: Comment the hash\n type: automation\n automation: comment\n payload:\n default: \"playbook.tasks['hash'].data['hash']\"\n next:\n done: \"done\"\n\n done:\n name: You can close this case now\n type: task\n"}}, + Body: []any{map[string]any{"id": "phishing", "name": "Phishing", "yaml": "name: Phishing\ntasks:\n board:\n name: Board Involvement?\n description: Is a board member involved?\n type: input\n schema:\n properties:\n boardInvolved:\n default: false\n title: A board member is involved.\n type: boolean\n required:\n - boardInvolved\n title: Board 
Involvement?\n type: object\n next:\n escalate: \"boardInvolved == true\"\n mail-available: \"boardInvolved == false\"\n\n escalate:\n name: Escalate to CISO\n description: Please escalate the task to the CISO\n type: task\n\n mail-available:\n name: Mail available\n type: input\n schema:\n oneOf:\n - properties:\n mail:\n title: Mail\n type: string\n x-display: textarea\n schemaKey:\n const: 'yes'\n type: string\n required:\n - mail\n title: 'Yes'\n - properties:\n schemaKey:\n const: 'no'\n type: string\n title: 'No'\n title: Mail available\n type: object\n next:\n block-sender: \"schemaKey == 'yes'\"\n extract-iocs: \"schemaKey == 'yes'\"\n search-email-gateway: \"schemaKey == 'no'\"\n\n search-email-gateway:\n name: Search email gateway\n description: Please search email-gateway for the phishing mail.\n type: task\n next:\n extract-iocs:\n\n block-sender:\n name: Block sender\n type: task\n next:\n extract-iocs:\n\n extract-iocs:\n name: Extract IOCs\n description: Please insert the IOCs\n type: input\n schema:\n properties:\n iocs:\n items:\n type: string\n title: IOCs\n type: array\n title: Extract IOCs\n type: object\n next:\n block-iocs:\n\n block-iocs:\n name: Block IOCs\n type: task\n"}, map[string]any{"id": "simple", "name": "Simple", "yaml": "name: Simple\ntasks:\n input:\n name: Enter something to hash\n type: input\n schema:\n title: Something\n type: object\n properties:\n something:\n type: string\n title: Something\n default: \"\"\n next:\n hash: \"something != ''\"\n\n hash:\n name: Hash the something\n type: automation\n automation: hash.sha1\n payload:\n default: \"playbook.tasks['input'].data['something']\"\n next:\n comment: \"hash != ''\"\n\n comment:\n name: Comment the hash\n type: automation\n automation: comment\n payload:\n default: \"playbook.tasks['hash'].data['hash']\"\n next:\n done: \"done\"\n\n done:\n name: You can close this case now\n type: task\n"}}, }, }, 
diff --git a/generated/catalyst.json b/generated/catalyst.json index 8a58489..0c4490e 100644 --- a/generated/catalyst.json +++ b/generated/catalyst.json 
@@ -1013,10 +1013,6 @@ }, "test" : { "example" : [ { - "id" : "malware", - "name" : "Malware", - "yaml" : "name: Malware\ntasks:\n file-or-hash:\n name: Do you have the file or the hash?\n type: input\n schema:\n title: Malware\n type: object\n properties:\n file:\n type: string\n title: \"I have the\"\n enum: [ \"File\", \"Hash\" ]\n next:\n enter-hash: \"file == 'Hash'\"\n upload: \"file == 'File'\"\n\n enter-hash:\n name: Please enter the hash\n type: input\n schema:\n title: Malware\n type: object\n properties:\n hash:\n type: string\n title: Please enter the hash value\n minlength: 32\n next:\n virustotal: \"hash != ''\"\n\n upload:\n name: Upload the malware\n type: input\n schema:\n title: Malware\n type: object\n properties:\n malware:\n type: object\n x-display: file\n title: Please upload the malware\n next:\n hash: \"malware\"\n\n hash:\n name: Hash the malware\n type: automation\n automation: hash.sha1\n payload:\n default: \"playbook.tasks['upload'].data['malware']\"\n next:\n virustotal:\n\n virustotal:\n name: Send hash to VirusTotal\n type: automation\n automation: vt.hash\n args:\n hash: \"playbook.tasks['enter-hash'].data['hash'] || playbook.tasks['hash'].data['hash']\"\n # next:\n # known-malware: \"score > 5\"\n # sandbox: \"score < 6\" # unknown-malware\n" - }, { "id" : "phishing", "name" : "Phishing", "yaml" : "name: Phishing\ntasks:\n board:\n name: Board Involvement?\n description: Is a board member involved?\n type: input\n schema:\n properties:\n boardInvolved:\n default: false\n title: A board member is involved.\n type: boolean\n required:\n - boardInvolved\n title: Board Involvement?\n type: object\n next:\n escalate: \"boardInvolved == true\"\n mail-available: \"boardInvolved == false\"\n\n escalate:\n name: Escalate to CISO\n description: Please escalate the task to the CISO\n type: task\n\n mail-available:\n name: Mail available\n type: input\n schema:\n oneOf:\n - properties:\n mail:\n title: Mail\n type: string\n x-display: 
textarea\n schemaKey:\n const: 'yes'\n type: string\n required:\n - mail\n title: 'Yes'\n - properties:\n schemaKey:\n const: 'no'\n type: string\n title: 'No'\n title: Mail available\n type: object\n next:\n block-sender: \"schemaKey == 'yes'\"\n extract-iocs: \"schemaKey == 'yes'\"\n search-email-gateway: \"schemaKey == 'no'\"\n\n search-email-gateway:\n name: Search email gateway\n description: Please search email-gateway for the phishing mail.\n type: task\n next:\n extract-iocs:\n\n block-sender:\n name: Block sender\n type: task\n next:\n extract-iocs:\n\n extract-iocs:\n name: Extract IOCs\n description: Please insert the IOCs\n type: input\n schema:\n properties:\n iocs:\n items:\n type: string\n title: IOCs\n type: array\n title: Extract IOCs\n type: object\n next:\n block-iocs:\n\n block-iocs:\n name: Block IOCs\n type: task\n" diff --git a/generated/catalyst.yml b/generated/catalyst.yml index df8e599..b780504 100644 --- a/generated/catalyst.yml +++ b/generated/catalyst.yml 
@@ -2171,72 +2171,6 @@ paths: description: successful operation examples: test: - - id: malware - name: Malware - yaml: | - name: Malware - tasks: - file-or-hash: - name: Do you have the file or the hash? - type: input - schema: - title: Malware - type: object - properties: - file: - type: string - title: "I have the" - enum: [ "File", "Hash" ] - next: - enter-hash: "file == 'Hash'" - upload: "file == 'File'" - - enter-hash: - name: Please enter the hash - type: input - schema: - title: Malware - type: object - properties: - hash: - type: string - title: Please enter the hash value - minlength: 32 - next: - virustotal: "hash != ''" - - upload: - name: Upload the malware - type: input - schema: - title: Malware - type: object - properties: - malware: - type: object - x-display: file - title: Please upload the malware - next: - hash: "malware" - - hash: - name: Hash the malware - type: automation - automation: hash.sha1 - payload: - default: "playbook.tasks['upload'].data['malware']" - next: - virustotal: - - virustotal: - name: Send hash to VirusTotal - type: automation - automation: vt.hash - args: - hash: "playbook.tasks['enter-hash'].data['hash'] || playbook.tasks['hash'].data['hash']" - # next: - # known-malware: "score > 5" - # sandbox: "score < 6" # unknown-malware - id: phishing name: Phishing yaml: | diff --git a/generated/community.json b/generated/community.json index bef3830..47cbeec 100644 --- a/generated/community.json +++ b/generated/community.json 
@@ -781,10 +781,6 @@ }, "test" : { "example" : [ { - "id" : "malware", - "name" : "Malware", - "yaml" : "name: Malware\ntasks:\n file-or-hash:\n name: Do you have the file or the hash?\n type: input\n schema:\n title: Malware\n type: object\n properties:\n file:\n type: string\n title: \"I have the\"\n enum: [ \"File\", \"Hash\" ]\n next:\n enter-hash: \"file == 'Hash'\"\n upload: \"file == 'File'\"\n\n enter-hash:\n name: Please enter the hash\n type: input\n schema:\n title: Malware\n type: object\n properties:\n hash:\n type: string\n title: Please enter the hash value\n minlength: 32\n next:\n virustotal: \"hash != ''\"\n\n upload:\n name: Upload the malware\n type: input\n schema:\n title: Malware\n type: object\n properties:\n malware:\n type: object\n x-display: file\n title: Please upload the malware\n next:\n hash: \"malware\"\n\n hash:\n name: Hash the malware\n type: automation\n automation: hash.sha1\n payload:\n default: \"playbook.tasks['upload'].data['malware']\"\n next:\n virustotal:\n\n virustotal:\n name: Send hash to VirusTotal\n type: automation\n automation: vt.hash\n args:\n hash: \"playbook.tasks['enter-hash'].data['hash'] || playbook.tasks['hash'].data['hash']\"\n # next:\n # known-malware: \"score > 5\"\n # sandbox: \"score < 6\" # unknown-malware\n" - }, { "id" : "phishing", "name" : "Phishing", "yaml" : "name: Phishing\ntasks:\n board:\n name: Board Involvement?\n description: Is a board member involved?\n type: input\n schema:\n properties:\n boardInvolved:\n default: false\n title: A board member is involved.\n type: boolean\n required:\n - boardInvolved\n title: Board Involvement?\n type: object\n next:\n escalate: \"boardInvolved == true\"\n mail-available: \"boardInvolved == false\"\n\n escalate:\n name: Escalate to CISO\n description: Please escalate the task to the CISO\n type: task\n\n mail-available:\n name: Mail available\n type: input\n schema:\n oneOf:\n - properties:\n mail:\n title: Mail\n type: string\n x-display: 
textarea\n schemaKey:\n const: 'yes'\n type: string\n required:\n - mail\n title: 'Yes'\n - properties:\n schemaKey:\n const: 'no'\n type: string\n title: 'No'\n title: Mail available\n type: object\n next:\n block-sender: \"schemaKey == 'yes'\"\n extract-iocs: \"schemaKey == 'yes'\"\n search-email-gateway: \"schemaKey == 'no'\"\n\n search-email-gateway:\n name: Search email gateway\n description: Please search email-gateway for the phishing mail.\n type: task\n next:\n extract-iocs:\n\n block-sender:\n name: Block sender\n type: task\n next:\n extract-iocs:\n\n extract-iocs:\n name: Extract IOCs\n description: Please insert the IOCs\n type: input\n schema:\n properties:\n iocs:\n items:\n type: string\n title: IOCs\n type: array\n title: Extract IOCs\n type: object\n next:\n block-iocs:\n\n block-iocs:\n name: Block IOCs\n type: task\n" diff --git a/generated/community.yml b/generated/community.yml index d5ad8b5..d929244 100644 --- a/generated/community.yml +++ b/generated/community.yml 
@@ -1900,72 +1900,6 @@ paths: description: successful operation examples: test: - - id: malware - name: Malware - yaml: | - name: Malware - tasks: - file-or-hash: - name: Do you have the file or the hash? - type: input - schema: - title: Malware - type: object - properties: - file: - type: string - title: "I have the" - enum: [ "File", "Hash" ] - next: - enter-hash: "file == 'Hash'" - upload: "file == 'File'" - - enter-hash: - name: Please enter the hash - type: input - schema: - title: Malware - type: object - properties: - hash: - type: string - title: Please enter the hash value - minlength: 32 - next: - virustotal: "hash != ''" - - upload: - name: Upload the malware - type: input - schema: - title: Malware - type: object - properties: - malware: - type: object - x-display: file - title: Please upload the malware - next: - hash: "malware" - - hash: - name: Hash the malware - type: automation - automation: hash.sha1 - payload: - default: "playbook.tasks['upload'].data['malware']" - next: - virustotal: - - virustotal: - name: Send hash to VirusTotal - type: automation - automation: vt.hash - args: - hash: "playbook.tasks['enter-hash'].data['hash'] || playbook.tasks['hash'].data['hash']" - # next: - # known-malware: "score > 5" - # sandbox: "score < 6" # unknown-malware - id: phishing name: Phishing yaml: |