{ "version": "4.0", "name": "Tufin Security", "type": "REST_EVENT", "vendor_identifier": "Tufin", "event_type": [ "RPZ", "TUNNEL", "ADP" ], "content_type": "application/json", "steps": [ { "name": "DebugOnStart", "comment": "DebugOnStart", "operation": "NOP", "body": "${XC:DEBUG:{H:}}${XC:DEBUG:{E:}}${XC:DEBUG:{I:}}${XC:DEBUG:{L:}}${XC:DEBUG:{S:}}${XC:DEBUG:{P:}}${XC:DEBUG:{UT:}}" }, { "name": "assign_Time_Variable", "comment": "getting the time variable to check later if an incident was already sent within a certain time to stop it", "operation": "NOP", "body_list": [ "${XC:COPY:{L:IncidentDate}:{UT:TIME}}${XC:FORMAT:TRUNCATE:{L:IncidentDate}:{10t}}" ] }, { "name": "check_EA_on_IP", "comment": "Checking if Incident is wanted on the IP EA and if not there checking the Network EA. NOTE(review): as written this step stops when the IP EA is not true and otherwise jumps to check_EA_For_Last_Incident, so check_EA_on_Net appears never to be reached - confirm the intended flow", "operation": "CONDITION", "condition": { "condition_type": "AND", "statements": [ { "left": "${E:A:ip.extattrs{Tufin_Send_Incident}}", "op": "!=", "right": "true" } ], "stop": true, "else_next": "check_EA_For_Last_Incident" } }, { "name": "check_EA_on_Net", "comment": "Checking if Incident is wanted on the Network EA; if not then stop, as IP EA was already checked", "operation": "CONDITION", "condition": { "condition_type": "OR", "statements": [ { "left": "${E:A:network.extattrs{Tufin_Send_Incident}}", "op": "!=", "right": "true" } ], "stop": true, "else_next": "check_EA_For_Last_Incident" } }, { "name": "check_EA_For_Last_Incident", "comment": "Checking_if_the_IP_had_an_incident_and_if_it_did_we_assign_the_time_to_the_variable_to_compare_with_the_current_variable_incident_time_later", "operation": "CONDITION", "condition": { "condition_type": "AND", "statements": [ { "left": "${E:A:ip.extattrs{Tufin_Last_Incident}}", "op": "==", "right": "" } ], "next": "Assign_Variables_Based_On_IP", "else_eval": "${XC:COPY:{L:LastIncident}:{E:ip.extattrs{Tufin_Last_Incident}}}${XC:FORMAT:TRUNCATE:{L:LastIncident}:{10t}}" } }, { "name": "Check_if_Incident_allready_Sent", "comment": "check if last incident 
was already sent and if so then stop template", "operation": "CONDITION", "condition": { "condition_type": "AND", "statements": [ { "left": "${L:A:LastIncident}", "op": "==", "right": "${L:A:IncidentDate}" } ], "stop": true, "else_next": "Assign_Variables_Based_On_IP" } }, { "name": "Assign_Variables_Based_On_IP", "comment": "assigning different values to different variable depending if the address is IPv4 or IPv6", "operation": "CONDITION", "condition": { "condition_type": "OR", "statements": [ { "left": "${E:A:source_ip}", "op": "=~", "right": ":" } ], "eval": "${XC:ASSIGN:{L:IPReq}:{S:ipv6address}}", "else_eval": "${XC:ASSIGN:{L:IPReq}:{S:ipv4address}}" } }, { "name": "Assign_Variables_Based_On_Event_Type#1", "comment": "assigning_values_if_RPZ_Event", "operation": "CONDITION", "condition": { "condition_type": "OR", "statements": [ { "left": "${E:A:event_type}", "op": "=~", "right": "RPZ" } ], "eval": "${XC:COPY:{L:Target}:{E:query_name}}${XC:COPY:{L:Source}:{E:source_ip}}${XC:ASSIGN:{L:Event_Type}:{S:DNS Firewall}}", "next": "Post_Ticket" } }, { "name": "Assign_Variables_Based_On_Event_Type#2", "comment": "assigning_values_if_ADP_Or_Tunnel_Event", "operation": "CONDITION", "condition": { "condition_type": "OR", "statements": [ { "left": "${E:A:event_type}", "op": "=~", "right": "ADP" } ], "eval": "${XC:COPY:{L:Target}:{E:rule_name}}${XC:COPY:{L:Source}:{E:source_ip}}${XC:ASSIGN:{L:Event_Type}:{S:DNS Protection}}", "else_eval": "${XC:COPY:{L:Target}:{E:domain_name}}${XC:COPY:{L:Source}:{E:source_ip}}${XC:ASSIGN:{L:Event_Type}:{S:DNS Tunneling}}" } }, { "name": "Post_Ticket", "operation": "POST", "parse": "JSON", "transport": { "path": "securechangeworkflow/api/securechange/tickets" }, "body_list": [ "{ \"ticket\": { \"subject\": \"API WebApp\", \"requester\": \"api\", \"priority\": \"Normal\", \"domain_name\": \"Default\", \"workflow\": { \"name\": \"Close Policy\" }, \"steps\": { \"step\": [ { \"name\": \"Create request\", \"tasks\": { \"task\": { \"fields\": 
{ \"field\": [ { \"@xsi.type\": \"multi_access_request\", \"name\": \"Flows\", \"access_request\": { \"targets\": { \"target\": { \"@type\": \"ANY\" } }, \"sources\": { \"source\": [ { \"@type\": \"IP\", \"ip_address\":${E::source_ip}, \"netmask\": \"32\" } ] }, \"destinations\": { \"destination\": [ { \"@type\": \"ANY\" } ] }, \"services\": { \"service\": [ { \"@type\": \"ANY\" } ] }, \"action\": \"Drop\", \"comment\": \"Infoblox ${L:A:Event_Type} Event\", \"labels\": \"\" } }, { \"@xsi.type\": \"text_area\", \"name\": \"Reason\", \"text\": \"Infoblox ${L:A:Event_Type} event from ${L:A:Source} to ${L:A:Target} at ${E:A:timestamp}\" } ] } } } } ] } }}" ] }, { "name": "Get_ref", "comment": "Get_ref", "operation": "GET", "transport": { "path": "${L:U:IPReq}?ip_address=${E:U:source_ip}&network_view=${E:U:network.network_view}" }, "wapi": "v2.7" }, { "name": "Check_if_IP_is_unmanaged", "comment": "Check_if_IP_is_unmanaged", "operation": "CONDITION", "condition": { "condition_type": "AND", "statements": [ { "left": "${P:A:PARSE[0]{types}[0]}", "op": "!=", "right": "UNMANAGED" }, { "left": "${P:A:PARSE[0]{objects}}", "op": "!=", "right": "" } ], "eval": "${XC:COPY:{L:Obj_refs}:{P:PARSE[0]{objects}}}" } }, { "name": "Check_if_an_object_list_is_empty", "comment": "Check_if_an_object_list_is_empty", "operation": "CONDITION", "condition": { "condition_type": "AND", "statements": [ { "left": "${L:A:Obj_refs[0]}", "op": "!=", "right": "" } ], "else_stop": true } }, { "name": "Pop_object_from_the_list", "comment": "Pop_object_from_the_list", "operation": "VARIABLEOP", "variable_ops": [ { "operation": "POP", "type": "SINGLE", "destination": "L:Ref", "source": "L:Obj_refs" } ] }, { "name": "check_an_obj_type", "comment": "check_an_obj_type", "operation": "CONDITION", "condition": { "statements": [ { "left": "${L:A:Ref}", "op": "=~", "right": "record:host.*" }, { "left": "${L:A:Ref}", "op": "=~", "right": "fixedaddress.*" }, { "left": "${L:A:Ref}", "op": "=~", "right": 
"ipv6fixedaddress.*" } ], "condition_type": "OR", "else_next": "Check_if_an_object_list_is_empty", "eval": "${XC:COPY:{L:Obj_ref}:{L:Ref}}" } }, { "name": "Update_extattrs_Last_Incident", "comment": "Update_extattrs_Last_Incident", "operation": "PUT", "transport": { "path": "${L:A:Obj_ref}" }, "wapi": "v2.7", "wapi_quoting": "JSON", "body_list": [ "{\"extattrs+\":{\"Tufin_Last_Incident\": { \"value\": \"${E:A:timestamp}\"}}}" ] }, { "name": "FinExit", "comment": "Stop execution of the template.", "operation": "CONDITION", "condition": { "condition_type": "AND", "statements": [ { "left": "1", "op": "==", "right": "1" } ], "stop": true } } ] }