python-apps's Introduction

Shuffle Automation

Shuffle is an automation platform for and by the community, focusing on accessibility for anyone to automate. Security operations is complex, but it doesn't have to be.

Follow us on Twitter at @shuffleio.

Example Shuffle webhook integration

Please consider sponsoring the project if you want to see more rapid development.

Documentation

Documentation can be found on https://shuffler.io/docs and is written here: https://github.com/shuffle/shuffle-docs.

Setting up a local development environment

Please follow the steps mentioned here!

Features

  • Simple, feature rich workflow editor
  • App creator using OpenAPI
  • Premade apps for your security tools
  • Organization and sub-organization control
  • Hybrid resource sharing with shuffler.io (optional)

Website

https://shuffler.io

Contributing

We want to make the world of cybersecurity more accessible and need all the help we can get. Send an email to support@shuffler and we'll make sure to give you any training you may need.

These are the main areas to contribute in:

  • Frontend (ReactJS)
  • Backend (Golang)
  • App Creation (Python & GUI w/OpenAPI)
  • Documentation (Markdown)
  • Workflow creation (GUI & Conceptualizing)
  • Content Creation (Blogs, videos etc)

Contributing guidelines are outlined here.

License

All modular information related to Shuffle will be under MIT (anyone can use it for whatever purpose), with Shuffle itself using AGPLv3.

  • Workflows: MIT
  • Documentation: MIT
  • Shuffle backend: AGPLv3
  • Apps, specification and App SDK: MIT

Architecture

Shuffle Architecture

Repository overview

Below is the folder structure with a short explanation of each entry:

├── README.md           # What you're reading right now
├── backend             # Contains backend related code.
│   ├── go-app          # The backend golang webserver
│   └── app_sdk         # The SDK used for apps
├── frontend            # Contains frontend code. ReactJS, Material UI and cytoscape
├── functions           # Has execution and extension resources, such as the Wazuh integration
│   └── onprem          # Code for onprem solutions
│       ├── Orborus     # Distributes execution locations
│       └── Worker      # Runs a workflow
└── docker-compose.yml  # Used for deployments

Get in touch: send a mail to [email protected] or poke me on Twitter @frikkylikeme.

python-apps's People

Contributors

00willo, 0x0elliot, 0xvalthir, arnydo, ausef, ch0wm3in, d4rkw0lv3s, dadokkio, deb-alex, dhaval-dave, dhaval055, entwicklungsleiter, felipee07, frikky, gaurav-m92, glennhd, harduino, jaydeepkotak, mastertos, nusantara-self, p4kch01, pandvan, pemontto, pierre-harfanglab, pooki3bear, shalin24999, synack3, tristandostaler, wbnod, weslambert


python-apps's Issues

Create communication-related apps

Using the App creator, OpenAPI or Python, create these apps:

Minimal use-cases:

  • Write text to someone
  • Read chats
  • List chats
  • Send actionable buttons
  • Send a file

Extra:

  • Search through chat

Workflow example to add:

  • Send a chat (comms) for every new email found (comms) every 5 minutes. Look for any IoC in it (shuffle-tools) and analyze it with Threat Intel.

Chat:

  • Discord
  • Slack
  • MS Teams
  • Skype
  • Messenger
  • SMS
  • Whatsapp
  • Line
  • Signal
  • Telegram
  • Crypho

Phone:

  • Send SMS
  • Call

Email:

  • Gmail
  • Outlook
  • IMAP
  • AWS SES

Assistants (lol):

  • Alexa
  • Google Home

Scanners:

  • Mailscanner
  • Seceon
  • Sublime
  • Agari

App SDK issue: for loops without JSON variables not looping

Hello,

First of all great work frikky :)

I'm trying this tool for integration with TheHive; at this moment I created workflows with these nodes:

https://pasteboard.co/JrFvpTLe.png

  • getObservables: getting observables from case
  • getIpAnalyzers: getting available analyzers for IP
  • getDomainAnalyzers: getting available analyzers for domain
  • runAnalyzers: run analyzers for $getObservables.#.id

"run analyzers" function of TheHive app works with a single artifact_id but it doesn't work with multiple artifacts like an array of artifact_id ( $getObservables.#.id)

Best regards
A.A.

Fix search for TheHive

search_alerts
search_cases

These should be tested properly and have more capabilities than just searching the title.

RE: Chat with @lusynda on Discord.

Create ticketing system apps (CASES)

Using the App creator, OpenAPI or Python directly, create integrations with the ticketing platforms below.

Minimal use-cases:

  • Open ticket
  • Update ticket
  • Comment ticket (if not an update)
  • List Tickets
  • Merge ticket
  • Search for ticket(s)
  • Upload file(s)
  • Download file(s)

Optional if applicable:

  • Add artifact / Indicator like IP and domain (security specific)

Workflow example to add:

  • Synchronize tickets with another ticketing system (cases) every 5 minutes. When a new ticket comes, send a message to messaging app (communication)

Ticketing systems:

  • Github Notifications
  • MSSP (any you use / your own)
  • TheHive
  • ServiceNow
  • Jira
  • OTRS
  • AlienVault USM
  • Sumo Logic
  • IBM resilient
  • D3 Security
  • Swimlane
  • #265
  • Secureworks
  • HappyFox
  • RTIR
  • PagerDuty
  • Zoho
  • ConnectWise
  • Computer Associates Service Desk
  • #263
  • CoDesk
  • #264
  • NinjaOne ticketing
  • Jamf
  • FreshService
  • TOPDesk
  • Pulseway
  • N-central
  • VIZOR
  • Caspio
  • OpsGenie
  • AssetSonar

CI/CD:

  • Gitlab
  • Sonarqube
  • Github actions
  • GCP
  • AWS

Create EDR & AV apps

Apps in this category will typically be related to Endpoint Protection or Antivirus. This means they in most cases have an agent on each server, which reaches out to some endpoint where the alerts are stored. They may also just run locally (AV).

Antivirus: It's in the name. The point is to stop malicious software of any kind from running on your computer. This was typically based on banning of Hashes and very specific rules, but the ones we use today are further extended by AI, meaning we don't always know why exactly something happened. These generically create alerts somewhere that we can pick up.

Most used: Windows Defender. This can send alerts to SCCM or https://protection.office.com

Endpoint Protection (EDR/XDR):
It's kind of in the name. "Endpoint" means any kind of machine you have, whether it's a linux server, windows 10 laptop or a phone. These systems are typically built to handle millions of events by having the machines transfer a lot of the information to some cloud provider, which then processes the data, and performs some action. The data sent can be of network connections, processes, changed files, registry updates, and literally everything else that changes on a machine (what's sent differs by provider). This data in turn means you have a list of hostnames, an alert/ticketing system, a search mechanism, a way to interact with the host in realtime and much more. The hard thing about EDR is that you can do almost anything.

Common features:

  • Ticketing system (list/create/edit alert)
  • Search
  • Find hostname
  • Ban hash/ip/url/domain
  • Isolate host
  • Execute script on host
  • Create rule
  • VMware Carbon Black
  • GoSecure
  • Cylance
  • InfoCyte
  • Wazuh
  • Windows Defender
  • FSecure
  • SCCM (can we connect?)
  • Windows Defender ATP
  • Kaspersky
  • McAfee Endpoint Security
  • Apex One
  • CrowdStrike Falcon
  • Malwarebytes
  • FortiClient
  • Fireeye HX
  • Symantec Endpoint Protection
  • Proofpoint TAP
  • Carbon Black protection
  • Carbon Black Defense
  • Velociraptor
  • Qualys EDR
  • SentinelOne
  • Harmony Endpoint
  • Sophos Intercept
  • Cybereason
  • Cynet Breach Protection
  • Cytomic Platform
  • Trend Micro XDR
  • Hybrid Analysis
  • Palo Alto Networks

improve/fix filter_list action in shuffle-tools

I'm doing some test with some nested list that requires some filtering and I'm having some issue.

The first issue is that json.loads fails to parse valid json (eg. one returned from extracted_archive results). I've added an eval() as a workaround, as done in other actions, and this behavior is somehow fixed.

Then I put 2 filter_list blocks and the second one was like this [notice the #]

This caused an error because - I think - shuffle considered that as a loop and wrapped the list in [].
So, I moved this block to a new subflow.

Now the block in the subflow is receiving directly a simple list of uid.
But the block requires a field as required parameter so it seems that works only for list of dict 😞

Should I change it to accept also a blank field to operate on a simple list?
Meanwhile I've seen that an opposite parameter has been added, should we remove duplicated possibilities? [eg, equal opposite - not equal]
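As an added example (not the shuffle-tools code itself, and not the poster's patch), here is how a filter_list-style action could address the two points raised in the issue above: parsing the incoming value without eval(), and accepting a blank field so a plain list of values (such as uids) can be filtered as well as a list of dicts. The function names parse_input, filter_list and the returned {"valid", "invalid"} shape are assumptions for this illustration, not the project's real signature or output format. An eval() workaround would execute whatever string an upstream action produced; json.loads with an ast.literal_eval fallback accepts the same literal data without executing anything.

```python
import ast
import json


def parse_input(data):
    """Turn an incoming workflow value into a Python object without eval().

    Results from other actions often arrive as a JSON string; some arrive
    as a Python literal instead (single quotes, True/None), which is why
    json.loads alone fails on them. ast.literal_eval accepts literals only
    and never executes code, so it is the safe fallback. Anything else is
    returned unchanged.
    """
    if not isinstance(data, str):
        return data
    try:
        return json.loads(data)
    except ValueError:
        pass
    try:
        return ast.literal_eval(data)
    except (ValueError, SyntaxError):
        return data


def _matches(candidate, check, value):
    """Evaluate one comparison; the set of checks is deliberately small and explicit."""
    if check == "equals":
        return str(candidate) == str(value)
    if check == "contains":
        return str(value) in str(candidate)
    if check == "is_empty":
        return candidate in (None, "", [], {})
    raise ValueError(f"unknown check: {check}")


def filter_list(input_list, field, check, value, opposite=False):
    """Split input_list into items that match the check and items that do not.

    field may be blank: then each item is compared directly, so a plain
    list of uids works as well as a list of dicts. With a field set, items
    that are not dicts or lack that field land in the 'invalid' bucket
    instead of raising. opposite=True negates the check, which covers the
    'not equal' style variants without a second check name for each.
    """
    items = parse_input(input_list)
    if isinstance(items, dict):
        items = [items]
    if not isinstance(items, list):
        raise TypeError("input_list must be a list, or a JSON/literal string of one")

    valid, invalid = [], []
    for item in items:
        if field:
            if not isinstance(item, dict) or field not in item:
                invalid.append(item)
                continue
            candidate = item[field]
        else:
            candidate = item
        hit = _matches(candidate, check, value)
        if opposite:
            hit = not hit
        (valid if hit else invalid).append(item)
    return {"valid": valid, "invalid": invalid}


# Constructed sample inputs, not taken from any real workflow run.
SAMPLE_DICTS = '[{"uid": "a1", "type": "ip"}, {"uid": "b2", "type": "domain"}]'
SAMPLE_PLAIN = "['a1', 'b2', 'c3']"  # Python-literal style; json.loads rejects this


if __name__ == "__main__":
    print(filter_list(SAMPLE_DICTS, "type", "equals", "ip"))
    print(filter_list(SAMPLE_PLAIN, "", "equals", "b2", opposite=True))
```

With a field set, non-dict items are not treated as errors but sorted into the invalid bucket, so one malformed element in an upstream result does not abort the whole workflow step.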

Create SIEM apps

Using the App creator, OpenAPI or Python directly:

Minimal use-cases (if possible):

  • Search
  • Send event TO SIEM
  • Get Search results
  • Create Saved Search
  • Create Alert from Search (sends webhook / something else)

If applicable (same as case management):

  • List Incidents
  • Get Incident
  • Update incident
  • Add comment

Workflow example to add:

  • Search for some data, then filter the data, before creating A ticket (cases) and sending messages (comms) for each result.

For each item in the list below, we want the following:

  • A name with a link to the app on https://shuffler.io
  • Whether it's been built at all (checkmark)
  • A link to an input workflow (sending from SIEM to Shuffle)
  • A search workflow for how to search in the SIEM

Items

  • Splunk - Input Workflow - Search Workflow - Documentation - Public app
  • QRadar
  • ArcSight
  • Elasticsearch (ELK)
  • Logpoint
  • MDATP
  • Azure Sentinel
  • Sumologic
  • Logz.io
  • RSA NetWitness
  • #301
  • Logarithm
  • Security onion
  • Rapid7 IDR
  • FortiSIEM
  • Securonix
  • #298
  • Seceon
  • Microsoft Sentinel
  • Fluency
  • CyberShark
  • ExaBeam
  • AlertLogic
  • ManageEngine EventLog Analyzer
  • New Relic
  • Logit.io
  • Solarwinds Security Event Manager
  • Sematext
  • Servicepilot

Creation of a PatrOwl app

Hello,

It could be great to have a PatrOwl in the available apps! API definitions are available here. I would be pleased to help in integration.

Thanks!

Cheers,
Nicolas

Create Threat Intelligence apps

Threat Intel gives us an important insight into how the world outside our organization works - what incidents occurred etc.

Basic use-cases:

  • Search for IP
  • Search for Domain
  • Search for URL
  • Search for hash (md5, sha256...)
  • Add IP / domain / url / hash to have been seen (sighted MISP)
  • Search for CVE
  • Search for Threat actor
  • Get incidents

TI systems:

  • MISP
  • Passivetotal
  • Recorded Future
  • Secureworks
  • Shodan
  • Virustotal
  • IBM xforce
  • OpenCTI
  • ATP
  • Fireeye
  • Have I been pwned
  • IPVoid
  • IPInfo
  • IPstack
  • Malshare
  • Metadefender
  • MxToolbox
  • Pipl
  • Phishing Initiative
  • ThreatConnect
  • ThreatMiner
  • URLVoid
  • Urlscan

Add timestamp comparison action

Add a way of comparing strings as timestamps.

Fields:

  • Value 1
  • Comparison (larger than / equal / less than..)
  • Number (1,2,3,4)
  • Specification (seconds/minutes/hours/days etc)
  • Value 2

This wouldn't necessarily feel super good right now, but does the job for now. Should make a better "custom" GUI for it for later.

Alternative: make this possible with conditions.
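As an added example (not code from the Shuffle project), here is one way the five fields listed above could be implemented as a shuffle-tools style action in Python. The function compare_timestamps and the unit names are assumptions for this illustration; the interpretation taken is that the action compares (Value 1 minus Value 2) against an offset of Number times Specification, so "Value 1 larger than 5 minutes Value 2" asks whether Value 1 is more than five minutes later than Value 2. Timestamps are parsed as ISO 8601 strings or epoch seconds, everything is normalised to UTC before subtracting, and unknown comparison or unit names raise instead of quietly returning False.

```python
from datetime import datetime, timedelta, timezone

# Assumed unit names for the "Specification" field.
UNIT_SECONDS = {"seconds": 1, "minutes": 60, "hours": 3600, "days": 86400}


def parse_timestamp(value):
    """Parse epoch seconds or an ISO 8601 string into an aware UTC datetime.

    A trailing 'Z' is rewritten to '+00:00' so datetime.fromisoformat accepts
    it on every Python 3 version; a naive timestamp is assumed to be UTC.
    Comparing across zones without this normalisation silently skews results.
    """
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return datetime.fromtimestamp(value, tz=timezone.utc)
    text = str(value).strip()
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    parsed = datetime.fromisoformat(text)
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


def compare_timestamps(value1, comparison, number, specification, value2):
    """Compare (value1 - value2) against an offset of number * specification.

    "larger than": value1 is more than the offset later than value2
    "less than":   value1 is less than the offset later than value2
    "equal":       the difference is exactly the offset (to the second)
    Unknown comparison or unit names raise ValueError rather than
    returning False, so a typo in a workflow does not pass as "no match".
    """
    unit = specification.strip().lower()
    if unit not in UNIT_SECONDS:
        raise ValueError(f"unknown specification: {specification}")
    offset = timedelta(seconds=float(number) * UNIT_SECONDS[unit])
    difference = parse_timestamp(value1) - parse_timestamp(value2)

    op = comparison.strip().lower()
    if op in ("larger than", "greater than", ">"):
        return difference > offset
    if op in ("less than", "<"):
        return difference < offset
    if op in ("equal", "equals", "=", "=="):
        return int(difference.total_seconds()) == int(offset.total_seconds())
    raise ValueError(f"unknown comparison: {comparison}")


if __name__ == "__main__":
    # Constructed example: has the alert been open for more than 5 minutes?
    print(compare_timestamps("2024-01-01T10:07:00Z", "larger than", 5, "minutes",
                             "2024-01-01T10:00:00Z"))
```

A negative Number would move the offset the other way, which is a cheap way to express "Value 1 is at least N minutes before Value 2" without adding a sixth field.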

Create Wazuh App

Should have capabilities of both EDR and SIEM in one. Current usage requires an HTTP node to log in and get the bearer token, which is then passed to the app itself.

Should probably rebuild "Bearer auth" for Shuffle to be able to handle this with custom URLs and such.

curl -u user:user https://localhost:55000/security/user/authenticate?raw=true -k

Create a translator part for Shuffle tools

Say you have the datatype "md5", but need to use "hash". How can you know that it's md5? Use a translator of sorts!

Hash translator can take e.g. "md5,sha256,sha1" and translate them to "hash".
Needs three fields:

  • Translate Data - e.g. "hello this is an md5"
  • Translate From - e.g. "md5,sha256,sha1"
  • Translate To - e.g. "hash"

Result for "hello this is an md5" should be "hello this is an hash"
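As an added example (not code from the Shuffle project), here is a Python implementation of the three-field translator described above, plus a generalisation the issue does not ask for: applying the same translation to dict keys and nested values, so a result carrying a key named "md5" can be renamed to "hash" before it is handed to an app that only knows the generic type. The function names translate and translate_value are assumptions for this illustration. Tokens are matched as whole words and case-insensitively, so "md5" inside "md5sum" is left alone, and the tokens are regex-escaped so a name containing a dot or a plus sign cannot change the meaning of the pattern.

```python
import re


def _compile(translate_from, separator=","):
    """Build one regex that matches any listed token as a whole word.

    Tokens are escaped so metacharacters in names stay literal, and sorted
    longest-first so 'sha256' is tried before 'sha' when both are listed.
    Returns None when no usable token was given.
    """
    tokens = [t.strip() for t in translate_from.split(separator) if t.strip()]
    if not tokens:
        return None
    alternation = "|".join(re.escape(t) for t in sorted(tokens, key=len, reverse=True))
    return re.compile(r"\b(?:" + alternation + r")\b", re.IGNORECASE)


def translate(data, translate_from, translate_to):
    """Replace every whole-word occurrence of the 'from' tokens in a string."""
    pattern = _compile(translate_from)
    if pattern is None:
        return data
    # A function replacement keeps backslashes in translate_to literal.
    return pattern.sub(lambda _m: translate_to, data)


def translate_value(value, translate_from, translate_to):
    """Apply the translation to structured data as well (the generalisation).

    String values and string dict keys are translated recursively; numbers,
    booleans and None are left untouched. If two keys both translate to the
    same name, the later one wins, as with any dict rebuild.
    """
    if isinstance(value, str):
        return translate(value, translate_from, translate_to)
    if isinstance(value, list):
        return [translate_value(v, translate_from, translate_to) for v in value]
    if isinstance(value, dict):
        return {
            (translate(k, translate_from, translate_to) if isinstance(k, str) else k):
                translate_value(v, translate_from, translate_to)
            for k, v in value.items()
        }
    return value


if __name__ == "__main__":
    # The example from the issue: "hello this is an md5" -> "hello this is an hash"
    print(translate("hello this is an md5", "md5,sha256,sha1", "hash"))
```

The word-boundary anchors rely on the tokens starting and ending with word characters; a token such as "ip.address" would still be escaped correctly but the leading and trailing boundaries may not fall where expected, which is worth a test when such names are added.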

Yara app

A yara app with a set of rules from somewhere that takes an item and reports back the findings

Create Asset Management apps

Asset management is anything that has to do with assets in general. This can also be endpoint detection platforms, but these are outlined under "Eradication" instead.

Basic use-cases:

  • Find hostname
  • Find Software by name
  • Find IP
  • Find hostname's owner

Vulnerability Management (VMS) use-cases (kind of like ticketing):

  • Search for CVE
  • List vulnerabilities by severity
  • List vulnerabilities by host
  • Get vulnerability
  • Edit vulnerability
  • Generate report (does this work?)

VMS systems:

  • Nessus
  • Tenable VMS
  • Tenable Container security
  • Rapid7 Nexpose
  • Qualys
  • Tripwire
  • F-Secure Radar
  • BreachLock
  • Snyk
  • Gitguardian
  • VulnDB #158
  • Intruder.io

Asset Mgmt:

  • Snipe-it
  • Sevco
  • McAfee CHS

CMDB:

  • Service Now

Document process or add GUI element to modify App visibility/permissions

Currently, when adding an App, as an admin, I was unable to find a reference on how to enable other users or admins to access this new app.

I can see the app listed as private, but it is not visible to other users or admins.

One consideration would be to enable visibility to all apps for admins, or enable an element to otherwise manage permissions and visibility as part of the "Edit" app UI.

Create Network apps

In general, network devices are used to block or allow traffic in some way shape or form. There are some basic behaviors we want, while still keeping the apps SUPER easy to use.

Basic use-cases:

  • Block IP
  • Block domain
  • Block URL
  • Sinkhole IP
  • Sinkhole domain
  • Unblock (all of the above)
  • Search for status with IP / domain..

Apps (not in order):

  • Cloudflare
  • Akamai
  • Datadome
  • AWS WAF
  • Azure WAF
  • Google Cloud Armor

Firewalls:

  • Cisco
  • Checkpoint
  • Watchguard
  • Palo Alto
  • Fortinet
  • SonicWall
  • ForcePoint
  • Barracuda
  • Sophos
  • Juniper
  • Huawei USG
  • AWS VPC FW
  • Netscaler ADC
  • ClearPass Aruba
