Merge pull request #934 from SEKOIA-IO/CharlesLR-sekoia-patch-1
Update whoIs.md
Men-hau authored Feb 21, 2024
2 parents f3d9905 + a146b3e commit 73373e2
Showing 1 changed file with 10 additions and 10 deletions.
20 changes: 10 additions & 10 deletions docs/xdr/usecases/playbook/whoIs.md
@@ -1,6 +1,6 @@
# WHOIS MODULE CONFIGURATION
# Whois module configuration

This use case describes how to use WhoIs module in order to enrich an IP address, a domain name or a URL.
This use case describes how to use Whois module in order to enrich an IP address, a domain name or a URL.

## Prerequisites

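Review bot: the sentence on the `+` line still reads "how to use Whois module"; since the hunk only changes the casing of the product name, it would be worth also inserting the missing article so it reads "how to use the Whois module in order to enrich an IP address, a domain name or a URL." The heading change from all-caps to sentence case is consistent with the rest of the doc.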
Expand All @@ -24,12 +24,12 @@ You can find the configuration below:

| Module | Configuration |
| --- | --- |
| Alert webhook | configure module & trigger configuration |
| Get Alert | uuid = `alert_uuid` of Alert webhook |
| Get Events | earliest_time = `first_seen_at` of **Get alert**, latest_time = `last_seen_at` of **Get alert**, query = `short_id` of **Get alert** |
| Foreach | items = `Events` of Get Events |
| Store | item, append, `{{ node.x.default.value['source.ip'] }}` x is the node of ForEach (that can be found in the code tab) |
| Foreach | items = {{ store.item|unique|list }} |
| Whois | query = `Node.x.Domain.Whois.raw` x is the node of ForEach (that can be found in the code tab) |
| Comment alert | **content** = Domain Name : `{{ node.12['Domain']['Name'] }}`, uuid = `alert_uuid` of **Alert webhook** |
| Manual Trigger | configure module & trigger configuration |
| Get Alert | uuid = `alert_uuid` of the **Manual Trigger** module |
| Get Events | earliest_time = `first_seen_at` of the **Get alert** module, latest_time = `last_seen_at` of **Get alert**, query = `short_id` of **Get alert** |
| Foreach | items = `Events` of the **Get Events** module |
| Store | item, append, `{{ node.x.default.value['source.ip'] }}` x is the node number of the **ForEach** module (that can be found in the code tab) |
| Foreach | items = `{{ store.item|unique|list }}` |
| Whois | query = `Node.x.Domain.Whois.raw` x is the node number of the **ForEach** module (that can be found in the code tab) |
| Comment alert | content = Domain Name : `{{ node.12['Domain']['Name'] }}`, uuid = `alert_uuid` of **Manual Trigger** |

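Review bot: the node references in the rewritten table are inconsistent, which will confuse anyone copying them into a playbook. The Store row uses `{{ node.x.default.value['source.ip'] }}` (lowercase `node`, placeholder `x`), the Whois row uses `Node.x.Domain.Whois.raw` (capital `Node`, and a path ending in `Whois.raw` even though the text says `x` is the ForEach node number), and the Comment alert row hard-codes `node.12['Domain']['Name']` instead of the `x` placeholder used everywhere else. Suggest one convention for all three rows: lowercase `node`, the same `x` placeholder with the "node number of the **ForEach** module" note, and a clarified Whois query that states which module's output it reads. Module names are also mixed: the row is "Get Alert" but the references say **Get alert**; pick one casing. Wrapping `{{ store.item|unique|list }}` in backticks is a good fix since the bare braces render inconsistently in the table.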