Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add a new modeling rule to shodan pack #37125

Open
wants to merge 15 commits into
base: master
Choose a base branch
from
+101 −2
Open

add a new modeling rule to shodan pack #37125

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
15 commits
Select commit Hold shift + click to select a range
d230e8b
add a new modeling rule to shodan pack
AviShakuri Nov 7, 2024
2ac48f4
change pack version
AviShakuri Nov 7, 2024
8c7c73b
change pack version to be 1.20
AviShakuri Nov 7, 2024
8afce6b
change pack version to be 1.22
AviShakuri Nov 7, 2024
02e82a7
change pack version to be 1.22
AviShakuri Nov 7, 2024
0968242
change pack version to be 1.2.0
AviShakuri Nov 7, 2024
2a4de43
Merge branch 'master' into ciac-137200
AviShakuri Nov 7, 2024
69d43c6
change pack version to be 1.2.2
AviShakuri Nov 7, 2024
ee7b706
change pack version to be 1.2.2
AviShakuri Nov 7, 2024
816abf7
change description formulate
AviShakuri Nov 10, 2024
e8f92ab
Update Packs/Shodan/README.md
AviShakuri Nov 10, 2024
f585f48
Update Packs/Shodan/README.md
AviShakuri Nov 10, 2024
514f246
change dm of shodan
AviShakuri Nov 11, 2024
fce66cf
change Shodan README
AviShakuri Nov 14, 2024
dc46220
add expiration fields and keywords
AviShakuri Nov 18, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 14 additions & 0 deletions Packs/Shodan/ModelingRules/Shodan/Shodan.xif
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
[MODEL:dataset = "shodan_banner_raw"]
alter
has_triggers_obj = object_create("has_triggers",has_triggers),
expires_obj = object_create("expires",expires),
expiration_obj = object_create("expiration",expiration),
triggers_obj = object_create("triggers",replex(triggers,"[\\\"]","")),
internal_ipv4 = arrayindex(regextract(json_extract(filters,"$.ip"),"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"),0)
| alter
xdm.alert.name = name,
xdm.session_context_id = id,
xdm.event.description = filters,
xdm.alert.description = object_merge(triggers_obj,has_triggers_obj,expires_obj,expiration_obj),
xdm.target.host.ipv4_addresses = arraycreate(internal_ipv4),
xdm.event.type = "NETWORK";
6 changes: 6 additions & 0 deletions Packs/Shodan/ModelingRules/Shodan/Shodan.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
fromversion: 8.6.0 # Will be updated with XSIAM version updates
id: Shodan_Banner_ModelingRule
name: Shodan Banner Modeling Rule
rules: ''
schema: ''
tags: ''
44 changes: 44 additions & 0 deletions Packs/Shodan/ModelingRules/Shodan/Shodan_schema.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
{
"shodan_banner_raw": {
"name": {
"type": "string",
"is_array": false
},
"expiration": {
"type": "string",
"is_array": false
},
"id": {
"type": "string",
"is_array": false
},
"size": {
"type": "int",
"is_array": false
},
"created": {
"type": "datetime",
"is_array": false
},
"expires": {
"type": "int",
"is_array": false
},
"filters": {
"type": "string",
"is_array": false
},
"triggers": {
"type": "string",
"is_array": false
},
"notifiers": {
"type": "string",
"is_array": false
},
"has_triggers": {
"type": "boolean",
"is_array": false
}
}
}
26 changes: 26 additions & 0 deletions Packs/Shodan/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
# Shodan Banner
Shodan is a search engine for Internet-connected devices. Unlike traditional search engines that index websites, Shodan indexes information about the devices connected to the internet, such as servers, routers, webcams, and other IoT devices.
<~XSIAM>

This pack includes Cortex XSIAM content.

## Configuration on Server Side
To enable the Shodan integration you need to have an API key,
which you can get for free by creating a Shodan account https://account.shodan.io/register
Once you have an API key you insert it into the API Key field and click the Test button.
eepstain marked this conversation as resolved.
Show resolved Hide resolved

## Configuration on Cortex XSIAM
&rarr;
1. Navigate to **settings** &rarr; **Configurations** &rarr; **Automation & Feeds**.
2. Search for Shodan v2.
3. Click **Add instance** to create and configure a new integration instance.

| **Parameter** | **Description** | **Required** |
| --- | --- | --- |
| API Key | | False |
| Base URL to Shodan API | | True |
| Trust any certificate (not secure) | | False |
| Use system proxy settings | | False |
| Source Reliability | Reliability of the source providing the intelligence data. | False |
| The maximum number of events per fetch | | False |
</~XSIAM>
6 changes: 6 additions & 0 deletions Packs/Shodan/ReleaseNotes/1_2_2.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@

#### Modeling Rules

##### New: Shodan Banner Modeling Rule

<~XSIAM> Created Modeling Rules for Shodan Banner (Available from Cortex XSIAM v2.4).</~XSIAM>
7 changes: 5 additions & 2 deletions Packs/Shodan/pack_metadata.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
"name": "Shodan",
"description": "A search engine used for searching Internet-connected devices",
"support": "xsoar",
"currentVersion": "1.2.1",
"currentVersion": "1.2.2",
"author": "Cortex XSOAR",
"url": "https://www.paloaltonetworks.com/cortex",
"email": "",
Expand All @@ -14,7 +14,10 @@
"Free Enricher"
],
"useCases": [],
"keywords": [],
"keywords": [
"Shodan",
"Banner"
],
"marketplaces": [
"xsoar",
"marketplacev2"
Expand Down
Loading