diff --git a/_shared_content/automate/img/playbook_code.png b/_shared_content/automate/img/playbook_code.png new file mode 100644 index 0000000000..90b52d92db Binary files /dev/null and b/_shared_content/automate/img/playbook_code.png differ diff --git a/_shared_content/automate/playbooks_formats_json_schema.md b/_shared_content/automate/playbooks_formats_json_schema.md new file mode 100644 index 0000000000..04b9703258 --- /dev/null +++ b/_shared_content/automate/playbooks_formats_json_schema.md 
@@ -0,0 +1,88 @@
+# Playbooks format JSON Schema
+
+Sekoia.io playbooks are JSON documents, conforming to the following JSON schema.
+
+You can freely use this open specification to share and publish playbook templates that will be instantly usable in a Sekoia.io community.
+ ``` title="sekoiaio_playbooks.schema.json"
+--8<-- "sekoiaio_playbooks.schema.json"
+```
+
+### Upload a JSON playbook to your Sekoia.io community
+
+Active Sekoia.io Defend subscribers can upload a playbook from any source via [a POST API endpoint](https://docs.sekoia.io/xdr/develop/rest_api/playbooks/#tag/Playbooks/operation/post_playbooks_resource) or via copy-paste in the Code tab:
+
+![](img/playbook_code.png)
+
+```bash
+curl -X POST https://api.sekoia.io/v1/symphony/playbooks \
+-H "Authorization: Bearer " \
+-H 'Content-Type: application/json; charset=utf-8' \
+--data-binary @- << EOF
+{
+ "name": "Manual e-mail notification on alert",
+ "tags": [
+ "alert",
+ "notification",
+ "webhook"
+ ],
+ "nodes": {
+ "0": {
+ "name": "Manual trigger",
+ "type": "trigger",
+ "outputs": {
+ "default": [
+ "1"
+ ]
+ },
+ "module_uuid": "92d8bb47-7c51-445d-81de-ae04edbb6f0a",
+ "trigger_uuid": "fc26eb9f-b272-4c15-b3bf-ace397c0dc57"
+ },
+ "1": {
+ "name": "Retrieve alert",
+ "type": "action",
+ "outputs": {
+ "default": [
+ "2"
+ ]
+ },
+ "arguments": {
+ "stix": false,
+ "uuid": "{{ node.0['alert_uuid'] }}"
+ },
+ "action_uuid": "8d189665-5401-4098-8d60-944de9a6199a",
+ "module_uuid": "92d8bb47-7c51-445d-81de-ae04edbb6f0a"
+ },
+ "2": {
+ "name": "Send Message",
+ "type": "action",
+ "outputs": {
+ "default": []
+ },
+ "arguments": {
+ "async": false,
+ "message": {
+ "html": "

Hello,
This is a manual email alert notification.
A new alert has been declared: {{ node.1.rule.name }}.

Description: {{ node.1.rule.description }}.

Urgency: {{ node.1.urgency.current_value }}.

More details:




",
+ "merge": false,
+ "subject": "A new alert concerning rule {{ node.1.rule.name }} has been created.",
+ "auto_html": false,
+ "auto_text": false,
+ "from_name": "Example.fr",
+ "important": false,
+ "from_email": "no-reply@example.fr",
+ "track_opens": false,
+ "track_clicks": false,
+ "url_strip_qs": false,
+ "view_content_link": false,
+ "preserve_recipients": false
+ }
+ },
+ "action_uuid": "cb61842a-e09f-417d-acdf-34c818c61c87",
+ "module_uuid": "bc2699a6-93e5-4d74-816d-4186d6eb3ce8"
+ }
+ },
+ "description": "Send an email about an alert when receiving a webhook event",
+ "community_uuid": "3c780003-f368-464b-9712-f9d681fbba2a"
+}
+EOF
+```
\ No newline at end of file
diff --git a/_shared_content/automate/sekoiaio_playbooks.schema.json b/_shared_content/automate/sekoiaio_playbooks.schema.json new file mode 100644
index 0000000000..a328da81ee
--- /dev/null
+++ b/_shared_content/automate/sekoiaio_playbooks.schema.json
@@ -0,0 +1,97 @@
+{
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "type": "object",
+ "description": "JSON format of a Sekoia.io Playbook (also known as SPL, Symphony Playbook Language). A playbook is a graph of nodes (of type 'action', 'trigger' or 'operator') found under the 'nodes' property, keyed by integer strings. Nodes can be connected to eachother via arguments and outputs, who can take JINJA 3 template values to refer to other nodes' data",
+ "properties": {
+ "name": {
+ "type": "string",
+ "description": "Name of the playbook template"
+ },
+ "uuid": {
+ "type": "string",
+ "format": "uuid",
+ "description": "A globally unique template identifier"
+ },
+ "nodes": {
+ "type": "object",
+ "patternProperties": {
+ "^[0-9]+$": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string",
+ "description": "User-defined node name"
+ },
+ "type": {
+ "type": "string",
+ "enum": ["trigger", "action", "operator"],
+ "description": "Type of the node, see https://docs.sekoia.io/xdr/features/automate/"
+ },
+ "icon": {
+ "type": "string",
+ "description": "Node icon's URI (can use Data URIs here)"
+ },
+ "outputs": {
+ "type": "object",
+ "properties": {
+ "default": {
+ "type": "object",
+ "description": "Default node output"
+ }
+ },
+ "description": "Node outputs, each output is a nested property"
+ },
+ "loop": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "description": "The number of loop iterations for Foreach-like operators"
+ },
+ "subtype": {
+ "type": "string",
+ "enum": ["foreach"],
+ "description": "When type is 'operator', this is the operator's type (e.g., foreach)"
+ },
+ "items": {
+ "type": "string",
+ "description": "For Foreach-like operators, a jinja expression to an array of items to iterate through"
+ },
+ "module_uuid": {
+ "type": "string",
+ "format": "uuid",
+ "description": "The UUID of a sekoia-automation-library module"
+ },
+ "trigger_uuid": {
+ "type": "string",
+ "format": "uuid",
+ "description": 
"(for triggers) the UUID of the sekoia-automation-library trigger"
+ },
+ "action_uuid": {
+ "type": "string",
+ "format": "uuid",
+ "description": "(for actions) the UUID of the sekoia-automation-library action"
+ },
+ "arguments": {
+ "type": "object",
+ "properties": {
+ },
+ "additionalProperties": true,
+ "description": "Input arguments to the action or trigger, conforming to the action's own arguments JSON schema"
+ }
+ },
+ "required": ["name", "type", "outputs"]
+ }
+ }
+ },
+ "workspace": {
+ "type": "string",
+ "description": "A category of automation this template is made for"
+ },
+ "description": {
+ "type": "string",
+ "description": "A comprehensive description of the process automated by this playbook"
+ }
+ },
+ "required": ["name", "uuid", "nodes", "workspace", "description"]
+ }
diff --git a/_shared_content/intelligence_center/integrations/paloalto_xsoar.md b/_shared_content/intelligence_center/integrations/paloalto_xsoar.md
index af3b4b64fc..067c67db67
--- a/_shared_content/intelligence_center/integrations/paloalto_xsoar.md
+++ b/_shared_content/intelligence_center/integrations/paloalto_xsoar.md
@@ -22,7 +22,7 @@ Choose the "SEKOIAIntelligenceCenter" pack to open pack description and use the Navigate to "Settings" where "SEKOIAIntelligenceCenter" should have appeared and clic the "Add instance" button to add a new instance. -![!Add a new instance of the integratino](paloalto_xsoar_images/add_instance.png) +![!Add a new instance of the integration](paloalto_xsoar_images/add_instance.png) Input a Sekoia.io XDR API KEY and save your configuration.
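Review bot: `outputs.default` is declared `"type": "object"`, yet the playbook example this same commit adds to playbooks_formats_json_schema.md writes `"default": ["1"]` and `"default": []`, so either that example does not validate against this schema or the subschema should read `"default": { "type": "array", "items": { "type": "string" }, "description": "Default node output" }`; the example also omits `uuid` and `workspace`, which the top-level `required` demands, and carries `tags` and `community_uuid`, which no property describes. The `loop` property is typed as an array of strings while its description says "The number of loop iterations", and `arguments` pairs an empty `properties` with `"additionalProperties": true`, which adds nothing over `"type": "object"` alone. Under the declared draft-07 dialect `"format": "uuid"` is not a defined format (it was introduced in 2019-09), so most validators will silently ignore it on `uuid`, `module_uuid`, `trigger_uuid` and `action_uuid`; a `pattern` for the 8-4-4-4-12 hex shape would be enforced by every validator. Because `nodes` carries no `"additionalProperties": false`, any key that does not match `^[0-9]+$` is accepted without validation, which undercuts the "keyed by integer strings" statement in the description, and the top-level object likewise accepts arbitrary extra keys. The description text also reads "to eachother" and "outputs, who can take", which should be "to each other" and "outputs, which can take".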