Skip to content

Commit

Permalink
add playbooks SPL format JSON Schema and doc for third-party playbook…
Browse files Browse the repository at this point in the history 
… template contributors
  • Loading branch information
@jeromefellus-sekoia
jeromefellus-sekoia committed Oct 15, 2024
1 parent 0cd6095 commit e649d06
Show file tree
Hide file tree
Showing 4 changed files with 186 additions and 1 deletion.
Binary file added _shared_content/automate/img/playbook_code.png
View file
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
88 changes: 88 additions & 0 deletions _shared_content/automate/playbooks_formats_json_schema.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,88 @@
# Playbooks format JSON Schema

Sekoia.io playbooks are JSON documents, conforming to the following JSON schema.

You can freely use this open specification to share and publish playbook templates that will be instantly usable in a Sekoia.io community.

``` title="sekoiaio_playbooks.schema.json"
--8<-- "sekoiaio_playbooks.schema.json"
```

### Upload a JSON playbook to your Sekoia.io community

Active Sekoia.io Defend subscribers can upload a playbook from any source via [a POST API endpoint](https://docs.sekoia.io/xdr/develop/rest_api/playbooks/#tag/Playbooks/operation/post_playbooks_resource) or via copy-paste in the Code tab:

![](img/playbook_code.png)

```bash
curl -X POST https://api.sekoia.io/v1/symphony/playbooks \
-H "Authorization: Bearer <YOUR_API_KEY>" \
-H 'Content-Type: application/json; charset=utf-8' \
--data-binary @- << EOF
{
"name": "Manual e-mail notification on alert",
"tags": [
"alert",
"notification",
"webhook"
],
"nodes": {
"0": {
"name": "Manual trigger",
"type": "trigger",
"outputs": {
"default": [
"1"
]
},
"module_uuid": "92d8bb47-7c51-445d-81de-ae04edbb6f0a",
"trigger_uuid": "fc26eb9f-b272-4c15-b3bf-ace397c0dc57"
},
"1": {
"name": "Retrieve alert",
"type": "action",
"outputs": {
"default": [
"2"
]
},
"arguments": {
"stix": false,
"uuid": "{{ node.0['alert_uuid'] }}"
},
"action_uuid": "8d189665-5401-4098-8d60-944de9a6199a",
"module_uuid": "92d8bb47-7c51-445d-81de-ae04edbb6f0a"
},
"2": {
"name": "Send Message",
"type": "action",
"outputs": {
"default": []
},
"arguments": {
"async": false,
"message": {
"html": "<p>Hello, <br>This is a manual email alert notification.<br>A new alert has been declared: {{ node.1.rule.name }}.</p> <p>Description: {{ node.1.rule.description }}.</p> <p>Urgency: {{ node.1.urgency.current_value }}.</p> <p>More details:</p> <ul> \t <li>Entity name: {{ node.1.entity.name }}</li>\t <li>Alert type category: {{ node.1.alert_type.value }}</li> <li>Kill Chain: {{ node.1.kill_chain_short_id }}</li>\t <li>Created at: {{ node.1.created_at|timestamp_to_iso8601 }}</li> <li>Source: {{ node.1.source | replace(\".\", \"[.]\", 1) }}</li> \t <li>Target: {{ node.1.target | replace(\".\", \"[.]\", 1) }}</li> <li>Check https://app.sekoia.io/sic/alerts/{{ node.1.short_id }} for more information.</li> </ul><br> <ul><p>Commentaries:</p> {% for comment in node.1['comments'] %} <li>{{ comment.content }}</li> {% endfor %} </ul><br> <ul><p>Countermeasures:</p> {% for countermeasure in node.1['countermeasures'] %} <li>{{ countermeasure.description }}</li> {% endfor %} </ul><br>",
"merge": false,
"subject": "A new alert concerning rule {{ node.1.rule.name }} has been created.",
"auto_html": false,
"auto_text": false,
"from_name": "Example.fr",
"important": false,
"from_email": "[email protected]",
"track_opens": false,
"track_clicks": false,
"url_strip_qs": false,
"view_content_link": false,
"preserve_recipients": false
}
},
"action_uuid": "cb61842a-e09f-417d-acdf-34c818c61c87",
"module_uuid": "bc2699a6-93e5-4d74-816d-4186d6eb3ce8"
}
},
"description": "Send an email about an alert when receiving a webhook event",
"community_uuid": "3c780003-f368-464b-9712-f9d681fbba2a"
}
EOF
```
97 changes: 97 additions & 0 deletions _shared_content/automate/sekoiaio_playbooks.schema.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,97 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"type": "object",
"description": "JSON format of a Sekoia.io Playbook (also known as SPL, Symphony Playbook Language). A playbook is a graph of nodes (of type 'action', 'trigger' or 'operator') found under the 'nodes' property, keyed by integer strings. Nodes can be connected to eachother via arguments and outputs, who can take JINJA 3 template values to refer to other nodes' data",
"properties": {
"name": {
"type": "string",
"description": "Name of the playbook template"
},
"uuid": {
"type": "string",
"format": "uuid",
"description": "A globally unique template identifier"
},
"nodes": {
"type": "object",
"patternProperties": {
"^[0-9]+$": {
"type": "object",
"properties": {
"name": {
"type": "string",
"description": "User-defined node name"
},
"type": {
"type": "string",
"enum": ["trigger", "action", "operator"],
"description": "Type of the node, see https://docs.sekoia.io/xdr/features/automate/"
},
"icon": {
"type": "string",
"description": "Node icon's URI (can use Data URIs here)"
},
"outputs": {
"type": "object",
"properties": {
"default": {
"type": "object",
"description": "Default node output"
}
},
"description": "Node outputs, each output is a nested property"
},
"loop": {
"type": "array",
"items": {
"type": "string"
},
"description": "The number of loop iterations for Foreach-like operators"
},
"subtype": {
"type": "string",
"enum": ["foreach"],
"description": "When type is 'operator', this is the operator's type (e.g., foreach)"
},
"items": {
"type": "string",
"description": "For Foreach-like operators, a jinja expression to an array of items to iterate through"
},
"module_uuid": {
"type": "string",
"format": "uuid",
"description": "The UUID of a sekoia-automation-library module"
},
"trigger_uuid": {
"type": "string",
"format": "uuid",
"description": "(for triggers) the UUID of the sekoia-automation-library trigger"
},
"action_uuid": {
"type": "string",
"format": "uuid",
"description": "(for actions) the UUID of the sekoia-automation-library action"
},
"arguments": {
"type": "object",
"properties": {
},
"additionalProperties": true,
"description": "Input arguments to the action or trigger, conforming to the action's own arguments JSON schema"
}
},
"required": ["name", "type", "outputs"]
}
}
},
"workspace": {
"type": "string",
"description": "A category of automation this template is made for"
},
"description": {
"type": "string",
"description": "A comprehensive description of the process automated by this playbook"
}
},
"required": ["name", "uuid", "nodes", "workspace", "description"]
}
2 changes: 1 addition & 1 deletion _shared_content/intelligence_center/integrations/paloalto_xsoar.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@ Choose the "SEKOIAIntelligenceCenter" pack to open pack description and use the

Navigate to "Settings" where "SEKOIAIntelligenceCenter" should have appeared and clic the "Add instance" button to add a new instance.

![!Add a new instance of the integratino](paloalto_xsoar_images/add_instance.png)
![!Add a new instance of the integration](paloalto_xsoar_images/add_instance.png)

Input a Sekoia.io XDR API KEY and save your configuration.

Expand Down

0 comments on commit e649d06

Please sign in to comment.