{ "name": "Tenable IO Security", "vendor_identifier": "Tenable IO", "comment": "Tenable IO scan assets by a security event", "version": "4.0", "type": "REST_EVENT", "event_type": [ "RPZ", "TUNNEL", "ADP" ], "content_type": "application/json", "headers": { "X-apikeys": "accessKey=${S:A:accessKey};secretKey=${S:A:secretKey}", "Content-Type": "application/json", "vendor": "Infoblox", "product": "Infoblox_Outbound_Notification", "build": "1.0.2" }, "steps": [{ "name": "assign_Time_Variable", "comment": "getting the time variable to check later if the asset was already scanned within a certain time to stop it", "operation": "NOP", "body_list": [ "${XC:COPY:{L:ScanDate}:{UT:TIME}}${XC:FORMAT:TRUNCATE:{L:ScanDate}:{10t}}" ] }, { "name": "Debug#0", "operation": "NOP", "body": "${XC:DEBUG:{H:}}${XC:DEBUG:{E:}}${XC:DEBUG:{I:}}${XC:DEBUG:{L:}}${XC:DEBUG:{S:}}${XC:DEBUG:{P:}}${XC:DEBUG:{UT:}}${XC:DEBUG:{R:}}" }, { "name": "Get_IP", "comment": "assigning different values to different variables depending on whether the address is IPv4 or IPv6", "operation": "CONDITION", "condition": { "condition_type": "OR", "statements": [{ "left": "${E:A:source_ip}", "op": "=~", "right": ":" }], "eval": "${XC:ASSIGN:{L:IPv}:{S:IPv6}}${XC:ASSIGN:{L:IPReq}:{S:ipv6address}}${XC:ASSIGN:{L:IPvTypeForRequests}:{S:ipv6addr}}${XC:COPY:{L:ThisIP}:{E:source_ip}}${XC:ASSIGN:{L:IPvTypeForAssets}:{S:ipv6}}${XC:ASSIGN:{L:mac_address}:{S:}}${XC:ASSIGN:{L:netbios_name}:{S:}}${XC:ASSIGN:{L:operating_system}:{S:}}", "else_eval": "${XC:ASSIGN:{L:IPv}:{S:IPv4}}${XC:ASSIGN:{L:IPReq}:{S:ipv4address}}${XC:ASSIGN:{L:IPvTypeForRequests}:{S:ipv4addr}}${XC:COPY:{L:ThisIP}:{E:source_ip}}${XC:ASSIGN:{L:IPvTypeForAssets}:{S:ipv4}}${XC:ASSIGN:{L:mac_address}:{S:}}${XC:ASSIGN:{L:netbios_name}:{S:}}${XC:ASSIGN:{L:operating_system}:{S:}}" } }, { "name": "Get_ref", "comment": "Get_ref", "operation": "GET", "transport": { "path": "${L:U:IPReq}?ip_address=${E:U:source_ip}&network_view=${E:U:network.network_view}" }, "wapi": "v2.7" }, { 
"name": "setRef", "comment": "Set the object reference(s) for later. Just use the first one for updating the timestamp - hence the [0]", "operation": "CONDITION", "condition": { "condition_type": "AND", "statements": [{ "left": "${P:A:PARSE[0]{objects}}", "op": "==", "right": "[]" } ], "else_eval": "${XC:COPY:{L:Ref}:{P:PARSE[0]{objects}[0]}}", "eval": "${XC:ASSIGN:{L:Ref}:{S:}}" } }, { "name": "Debug#1", "operation": "NOP", "body": "${XC:DEBUG:{H:}}${XC:DEBUG:{E:}}${XC:DEBUG:{I:}}${XC:DEBUG:{L:}}${XC:DEBUG:{S:}}${XC:DEBUG:{P:}}${XC:DEBUG:{UT:}}${XC:DEBUG:{R:}}" }, { "name": "check_EA_on_IP", "comment": "Checking if scan is wanted on the IP EA and if not there checking the Network EA", "operation": "CONDITION", "condition": { "condition_type": "AND", "statements": [{ "left": "${E:A:ip.extattrs{TNBL_IO_Scan}}", "op": "==", "right": "true" }, { "left": "${E:A:ip.extattrs{TNBL_IO_Scan_Template}}", "op": "!=", "right": "" } ], "eval": "${XC:COPY:{L:TNBL_IO_Scan_Template}:{E:ip.extattrs{TNBL_IO_Scan_Template}}}", "next": "check_EA_For_Last_Scan" } }, { "name": "check_EA_on_Net", "comment": "Checking if Scan is wanted on the Network EA if not then check for asset syncing", "operation": "CONDITION", "condition": { "condition_type": "OR", "statements": [{ "left": "${E:A:network.extattrs{TNBL_IO_Scan}}", "op": "!=", "right": "true" }, { "left": "${E:A:network.extattrs{TNBL_IO_Scan_Template}}", "op": "==", "right": "" } ], "next": "verifyEAsforPostingAsset_IP", "else_eval": "${XC:COPY:{L:TNBL_IO_Scan_Template}:{E:network.extattrs{TNBL_IO_Scan_Template}}}" } }, { "name": "check_EA_For_Last_Scan", "comment": "Checking if the IP was ever scanned and if it was scanned we assign the time to the variable TNBL_IO_Last_Scan to compare with the variable ScanDate later", "operation": "CONDITION", "condition": { "condition_type": "AND", "statements": [{ "left": "${E:A:ip.extattrs{TNBL_IO_Last_Scan}}", "op": "==", "right": "" }], "next": "Get_Scan_List", "else_eval": 
"${XC:COPY:{L:LastScan}:{E:ip.extattrs{TNBL_IO_Last_Scan}}}${XC:FORMAT:TRUNCATE:{L:LastScan}:{10t}}" } }, { "name": "Check_if_allready_Scanned", "comment": "check if the asset was already scanned and if so then stop the template", "operation": "CONDITION", "condition": { "condition_type": "AND", "statements": [{ "left": "${L:A:LastScan}", "op": "==", "right": "${L:A:ScanDate}" }], "stop": true, "else_next": "Get_Scan_List" } }, { "name": "Get_Scan_List", "comment": "Grab all the scans available", "operation": "GET", "parse": "JSON", "transport": { "path": "scans" } }, { "name": "copy_over_scans_to_L_variable", "comment": "copy over scans to L namespace so that it can be used", "operation": "NOP", "body": "${XC:COPY:{L:Scans}:{P:scans}" }, { "name": "Check_if_Scan_list_is_empty", "comment": "Check to see if scans is empty after popping from the stack", "operation": "CONDITION", "condition": { "condition_type": "AND", "statements": [{ "left": "${L:L:Scans}", "op": "==", "right": "0" }], "stop": true } }, { "name": "Pop_asset_from_the_list", "comment": "pop top of scan list to use variable", "operation": "VARIABLEOP", "variable_ops": [{ "operation": "POP", "type": "DICTIONARY", "destination": "L:One_Scans", "source": "L:Scans" }] }, { "name": "Check_If_Correct_Scan", "comment": "check if the scan that was popped off the list is the correct scan to run", "operation": "CONDITION", "condition": { "condition_type": "AND", "statements": [{ "left": "${L:A:TNBL_IO_Scan_Template}", "op": "!=", "right": "${L:A:One_Scans{name}}" }], "next": "Check_if_Scan_list_is_empty", "else_eval": "${XC:COPY:{L:Scan_ID}:{L:One_Scans{id}}", "else_next": "Copy_Scan" } }, { "name": "Copy_Scan", "comment": "Copy_Scan", "operation": "POST", "parse": "JSON", "transport": { "path": "scans/${L:A:Scan_ID}/copy" } }, { "name": "Configure_Copied_Scan", "comment": "Configure_Copied_Scan", "operation": "PUT", "parse": "JSON", "transport": { "path": "scans/${P:A:id}/" }, "body_list": [ "{", 
"\"scan_id\":\"${P:A:id}\",", "\"settings\":{", "\"name\":\"Infoblox Scan for ${E:A:source_ip} on ${UT:A:TIME}\",", "\"description\": \"Scan occured because of a ${E:A:event_type} event\",", "\"enabled\":\"false\",", "\"text_targets\":\"${E:A:source_ip}\"", "}", "}" ] }, { "name": "Start_Copied_Scan", "comment": "Start_Scan", "operation": "POST", "parse": "JSON", "transport": { "path": "scans/${P:A:id}/launch" } }, { "name": "Check_if_an_object_list_is_empty", "comment": "Check_if_an_object_list_is_empty", "operation": "CONDITION", "condition": { "condition_type": "AND", "statements": [{ "left": "${L:A:Ref}", "op": "==", "right": "" }], "next": "verifyEAsforPostingAsset_IP" } }, { "name": "Update_extattrs_last_scan", "comment": "Update_extattrs_last_scan", "operation": "PUT", "transport": { "path": "${L:A:Ref}" }, "wapi": "v2.7", "wapi_quoting": "JSON", "body_list": [ "{\"extattrs+\":{\"TNBL_IO_Last_Scan\": { \"value\": \"${E:A:timestamp}\"}}}" ] }, { "name": "verifyEAsforPostingAsset_IP", "comment": "Verify EAs for posting asset from the IP.", "operation": "CONDITION", "condition": { "condition_type": "AND", "statements": [{ "left": "${E:A:ip.extattrs{TNBL_IO_Asset_Sync}}", "op": "==", "right": "true" } ], "next": "addAsset" } }, { "name": "verifyEAsforPostingAsset_Network", "comment": "Verify EAs for posting asset from the Network.", "operation": "CONDITION", "condition": { "condition_type": "OR", "statements": [{ "left": "${E:A:network.extattrs{TNBL_IO_Asset_Sync}}", "op": "==", "right": "true" } ], "else_stop": true } }, { "name": "addAsset", "comment": "Add asset with a single IP (as usual).", "operation": "POST", "parse": "JSON", "transport": { "path": "import/assets" }, "body_list": ["{", "\"assets\": [{\"${L:A:IPvTypeForAssets}\": [\"${L:A:ThisIP}\"]}], \"source\": \"NIOS\"", "}" ] }, { "name": "isEmptyObj_ref", "comment": "Only when the Ref is not empty (something exists there) should we update its timestamp.", "operation": "CONDITION", "condition": { 
"condition_type": "AND", "statements": [{ "left": "${L:A:Ref}", "op": "!=", "right": "" }], "else_stop": true } }, { "name": "updateAddAssetTimestamp", "comment": "Update TNBL_IO_Sync_Time of item with timestamp.", "operation": "PUT", "wapi": "v2.9", "wapi_quoting": "JSON", "transport": { "path": "${L:A:Ref}" }, "body_list": [ "{\"extattrs+\":{\"TNBL_IO_Sync_Time\": { \"value\": \"${E:A:timestamp}\"}}}" ] }, { "name": "FinExit", "comment": "Stop execution of the template.", "operation": "CONDITION", "condition": { "condition_type": "AND", "statements": [{ "left": "1", "op": "==", "right": "1" }], "stop": true } } ] }