OpenDXL
Security Intelligence Sharing
Node-RED Flow: URL in Phishing E-mail To Cisco Threat Grid Submission 1.0.0
- brumleyscott
- 649 Downloads
- 0 Comments
This Node Red flow uses the Cisco Threat Grid node. It uses IMAP or POP3 to check an e-mail address where potential Phishing e-mails are sent for analysis. The flow then parses the e-mail for URLs and submits them to Threat Grid for analysis. The submission information is stored in the DXL topic, /cisco/threatgrid/urlresults for future reference.
The Cisco Threat Grid URL Submission node can be install natively in Node Red or via npm install. The name is node-red-contrib-threatgrid-urlsubmit. It will need and API Key from Threat Grid to work.
Prerequisites
- The Node-RED DXL client configuration step has been completed (see Client Configuration).
- The following Node-RED modules have been installed:
- DXL Node-RED nodes (included in OpenDXL Node-RED Docker image)
-
The Cisco Threat Grid URL Submission nodes for Node-RED
- The node is configured with an API Key from Threat Grid
- The node is configured with an API Key from Threat Grid
The Node-RED flow content for this solution:
Code: Node-RED Flow
- [
- {
- "id":"8a24b608.051698",
- "type":"tab",
- "label":"Threat Grid Submit URL",
- "disabled":false,
- "info":""
- },
- {
- "id":"79c98c99.c3bce4",
- "type":"e-mail in",
- "z":"8a24b608.051698",
- "name":"Check E-mail",
- "protocol":"IMAP",
- "server":"imap.gmail.com",
- "useSSL":true,
- "port":"993",
- "box":"INBOX",
- "disposition":"Read",
- "repeat":"300",
- "x":101.5,
- "y":74,
- "wires":[
- [
- "b0777422.85db38"
- ]
- ]
- },
- {
- "id":"b0777422.85db38",
- "type":"change",
- "z":"8a24b608.051698",
- "name":"Find URLs",
- "rules":[
- {
- "t":"set",
- "p":"urls",
- "pt":"msg",
- "to":"$match(payload,/(ftp|http|https):\\/\\/(\\w+:{0,1}\\w*@)?(\\S+)(:[0-9]+)?(\\/|\\/([\\w#!:.?+=&%@!\\-\\/]))?(\\S+)/)",
- "tot":"jsonata"
- }
- ],
- "action":"",
- "property":"",
- "from":"",
- "to":"",
- "reg":false,
- "x":480,
- "y":56,
- "wires":[
- [
- "3b0a07e7.af14a8"
- ]
- ]
- },
- {
- "id":"fe394f35.4d8ef",
- "type":"inject",
- "z":"8a24b608.051698",
- "name":"Test URL",
- "topic":"",
- "payload":"",
- "payloadType":"date",
- "repeat":"",
- "crontab":"",
- "once":false,
- "onceDelay":0.1,
- "x":98.5,
- "y":213,
- "wires":[
- [
- "114d833f.8be82d"
- ]
- ]
- },
- {
- "id":"3b0a07e7.af14a8",
- "type":"function",
- "z":"8a24b608.051698",
- "name":"Split URLs",
- "func":"if (msg.urls.length > 0){\n msg.urls.forEach(function(element) {\n node.send({\"payload\": element});\n });\n} else {\n node.send({\"payload\": msg.urls});\n}",
- "outputs":1,
- "noerr":0,
- "x":482,
- "y":107,
- "wires":[
- [
- "41fd188.1eaa0e8"
- ]
- ]
- },
- {
- "id":"2c66801a.4b5d1",
- "type":"comment",
- "z":"8a24b608.051698",
- "name":"Add Your E-mail Credentials Here",
- "info":"E-mail box where URLs will be sent for submission.",
- "x":156.5,
- "y":39,
- "wires":[
- ]
- },
- {
- "id":"17fd3a9f.ec66a5",
- "type":"change",
- "z":"8a24b608.051698",
- "name":"Output Match",
- "rules":[
- {
- "t":"set",
- "p":"url",
- "pt":"msg",
- "to":"payload.match",
- "tot":"msg"
- }
- ],
- "action":"",
- "property":"",
- "from":"",
- "to":"",
- "reg":false,
- "x":478.5,
- "y":214,
- "wires":[
- [
- "350b1645.3216ba"
- ]
- ]
- },
- {
- "id":"41fd188.1eaa0e8",
- "type":"json",
- "z":"8a24b608.051698",
- "name":"",
- "property":"payload",
- "action":"obj",
- "pretty":false,
- "x":471.5,
- "y":158,
- "wires":[
- [
- "17fd3a9f.ec66a5"
- ]
- ]
- },
- {
- "id":"a13c28b7.9bcfb8",
- "type":"json",
- "z":"8a24b608.051698",
- "name":"",
- "property":"payload",
- "action":"obj",
- "pretty":false,
- "x":434.5,
- "y":377,
- "wires":[
- [
- "ce23282a.754c98",
- "cd501fef.a7fe1"
- ]
- ]
- },
- {
- "id":"114d833f.8be82d",
- "type":"template",
- "z":"8a24b608.051698",
- "name":"Bad Guy URLs",
- "field":"payload",
- "fieldType":"msg",
- "format":"text",
- "syntax":"plain",
- "template":"This is a test e-mail. \nThis integration will parse for http and https\n\nhttp://www.cisco.com/c/dam/en/us/products/collateral/switches/nexus-7000-series-switches/at_a_glance_c45-727153.pdf\n\nTesting just one",
- "output":"str",
- "x":240,
- "y":170,
- "wires":[
- [
- "b0777422.85db38"
- ]
- ]
- },
- {
- "id":"ce23282a.754c98",
- "type":"debug",
- "z":"8a24b608.051698",
- "name":"",
- "active":false,
- "tosidebar":true,
- "console":false,
- "tostatus":false,
- "complete":"true",
- "x":666.5,
- "y":441,
- "wires":[
- ]
- },
- {
- "id":"350b1645.3216ba",
- "type":"change",
- "z":"8a24b608.051698",
- "name":"Strip protocol",
- "rules":[
- {
- "t":"change",
- "p":"url",
- "pt":"msg",
- "from":"https://",
- "fromt":"str",
- "to":"",
- "tot":"str"
- },
- {
- "t":"change",
- "p":"url",
- "pt":"msg",
- "from":"http://",
- "fromt":"str",
- "to":"",
- "tot":"str"
- },
- {
- "t":"change",
- "p":"url",
- "pt":"msg",
- "from":"ftp://",
- "fromt":"str",
- "to":"",
- "tot":"str"
- }
- ],
- "action":"",
- "property":"",
- "from":"",
- "to":"",
- "reg":false,
- "x":315.5,
- "y":263,
- "wires":[
- [
- "83dbe130.6da7b"
- ]
- ]
- },
- {
- "id":"cd501fef.a7fe1",
- "type":"dxl-core-event out",
- "z":"8a24b608.051698",
- "name":"",
- "topic":"/cisco/threatgrid/urlresults",
- "client":"18c75246.09e8ae",
- "x":714,
- "y":381,
- "wires":[
- ]
- },
- {
- "id":"83dbe130.6da7b",
- "type":"threatgrid-urlsubmit",
- "z":"8a24b608.051698",
- "name":"Threat Grid URL Submit",
- "api":"",
- "x":279.5,
- "y":324,
- "wires":[
- [
- "a13c28b7.9bcfb8"
- ]
- ]
- },
- {
- "id":"1977cf4b.2f3061",
- "type":"comment",
- "z":"8a24b608.051698",
- "name":"DXL Topic for Submissions",
- "info":"When submitting to Threat Grid a JSON object is returned which gives information about the submission. This information is published to the DXL topic for later use.",
- "x":704,
- "y":341,
- "wires":[
- ]
- }
- ]
-
Version 1.0.0
- 649 Downloads