Node-RED Flow: URL in Phishing E-mail To Cisco Threat Grid Submission

brumleyscott added a new solution:

Quote

This Node Red flow uses the Cisco Threat Grid node. It uses IMAP or POP3 to check an e-mail address where potential Phishing e-mails are sent for analysis. The flow then parses the e-mail for URLs and submits them to Threat Grid for analysis. The submission information is stored in the DXL topic, /cisco/threatgrid/urlresults for future reference.

The Cisco Threat Grid URL Submission node can be install natively in Node Red or via npm install. The name is node-red-contrib-threatgrid-urlsubmit. It will need and API Key from Threat Grid to work.

Prerequisites

• The Node-RED DXL client configuration step has been completed (see Client Configuration).
• The following Node-RED modules have been installed:
  • DXL Node-RED nodes (included in OpenDXL Node-RED Docker image)
  • The Cisco Threat Grid URL Submission nodes for Node-RED
    • The node is configured with an API Key from Threat Grid
      

The Node-RED flow content for this solution:

Code: Node-RED Flow

1. [
2. {
3. "id":"8a24b608.051698",
4. "type":"tab",
5. "label":"Threat Grid Submit URL",
6. "disabled":false,
7. "info":""
8. },
9. {
10. "id":"79c98c99.c3bce4",
11. "type":"e-mail in",
12. "z":"8a24b608.051698",
13. "name":"Check E-mail",
14. "protocol":"IMAP",
15. "server":"imap.gmail.com",
16. "useSSL":true,
17. "port":"993",
18. "box":"INBOX",
19. "disposition":"Read",
20. "repeat":"300",
21. "x":101.5,
22. "y":74,
23. "wires":[
24. [
25. "b0777422.85db38"
26. ]
27. ]
28. },
29. {
30. "id":"b0777422.85db38",
31. "type":"change",
32. "z":"8a24b608.051698",
33. "name":"Find URLs",
34. "rules":[
35. {
36. "t":"set",
37. "p":"urls",
38. "pt":"msg",
39. "to":"$match(payload,/(ftp|http|https):\\/\\/(\\w+:{0,1}\\w*@)?(\\S+)(:[0-9]+)?(\\/|\\/([\\w#!:.?+=&%@!\\-\\/]))?(\\S+)/)",
40. "tot":"jsonata"
41. }
42. ],
43. "action":"",
44. "property":"",
45. "from":"",
46. "to":"",
47. "reg":false,
48. "x":480,
49. "y":56,
50. "wires":[
51. [
52. "3b0a07e7.af14a8"
53. ]
54. ]
55. },
56. {
57. "id":"fe394f35.4d8ef",
58. "type":"inject",
59. "z":"8a24b608.051698",
60. "name":"Test URL",
61. "topic":"",
62. "payload":"",
63. "payloadType":"date",
64. "repeat":"",
65. "crontab":"",
66. "once":false,
67. "onceDelay":0.1,
68. "x":98.5,
69. "y":213,
70. "wires":[
71. [
72. "114d833f.8be82d"
73. ]
74. ]
75. },
76. {
77. "id":"3b0a07e7.af14a8",
78. "type":"function",
79. "z":"8a24b608.051698",
80. "name":"Split URLs",
81. "func":"if (msg.urls.length > 0){\n msg.urls.forEach(function(element) {\n node.send({\"payload\": element});\n });\n} else {\n node.send({\"payload\": msg.urls});\n}",
82. "outputs":1,
83. "noerr":0,
84. "x":482,
85. "y":107,
86. "wires":[
87. [
88. "41fd188.1eaa0e8"
89. ]
90. ]
91. },
92. {
93. "id":"2c66801a.4b5d1",
94. "type":"comment",
95. "z":"8a24b608.051698",
96. "name":"Add Your E-mail Credentials Here",
97. "info":"E-mail box where URLs will be sent for submission.",
98. "x":156.5,
99. "y":39,
100. "wires":[
102. ]
103. },
104. {
105. "id":"17fd3a9f.ec66a5",
106. "type":"change",
107. "z":"8a24b608.051698",
108. "name":"Output Match",
109. "rules":[
110. {
111. "t":"set",
112. "p":"url",
113. "pt":"msg",
114. "to":"payload.match",
115. "tot":"msg"
116. }
117. ],
118. "action":"",
119. "property":"",
120. "from":"",
121. "to":"",
122. "reg":false,
123. "x":478.5,
124. "y":214,
125. "wires":[
126. [
127. "350b1645.3216ba"
128. ]
129. ]
130. },
131. {
132. "id":"41fd188.1eaa0e8",
133. "type":"json",
134. "z":"8a24b608.051698",
135. "name":"",
136. "property":"payload",
137. "action":"obj",
138. "pretty":false,
139. "x":471.5,
140. "y":158,
141. "wires":[
142. [
143. "17fd3a9f.ec66a5"
144. ]
145. ]
146. },
147. {
148. "id":"a13c28b7.9bcfb8",
149. "type":"json",
150. "z":"8a24b608.051698",
151. "name":"",
152. "property":"payload",
153. "action":"obj",
154. "pretty":false,
155. "x":434.5,
156. "y":377,
157. "wires":[
158. [
159. "ce23282a.754c98",
160. "cd501fef.a7fe1"
161. ]
162. ]
163. },
164. {
165. "id":"114d833f.8be82d",
166. "type":"template",
167. "z":"8a24b608.051698",
168. "name":"Bad Guy URLs",
169. "field":"payload",
170. "fieldType":"msg",
171. "format":"text",
172. "syntax":"plain",
173. "template":"This is a test e-mail. \nThis integration will parse for http and https\n\nhttp://www.cisco.com/c/dam/en/us/products/collateral/switches/nexus-7000-series-switches/at_a_glance_c45-727153.pdf\n\nTesting just one",
174. "output":"str",
175. "x":240,
176. "y":170,
177. "wires":[
178. [
179. "b0777422.85db38"
180. ]
181. ]
182. },
183. {
184. "id":"ce23282a.754c98",
185. "type":"debug",
186. "z":"8a24b608.051698",
187. "name":"",
188. "active":false,
189. "tosidebar":true,
190. "console":false,
191. "tostatus":false,
192. "complete":"true",
193. "x":666.5,
194. "y":441,
195. "wires":[
197. ]
198. },
199. {
200. "id":"350b1645.3216ba",
201. "type":"change",
202. "z":"8a24b608.051698",
203. "name":"Strip protocol",
204. "rules":[
205. {
206. "t":"change",
207. "p":"url",
208. "pt":"msg",
209. "from":"https://",
210. "fromt":"str",
211. "to":"",
212. "tot":"str"
213. },
214. {
215. "t":"change",
216. "p":"url",
217. "pt":"msg",
218. "from":"http://",
219. "fromt":"str",
220. "to":"",
221. "tot":"str"
222. },
223. {
224. "t":"change",
225. "p":"url",
226. "pt":"msg",
227. "from":"ftp://",
228. "fromt":"str",
229. "to":"",
230. "tot":"str"
231. }
232. ],
233. "action":"",
234. "property":"",
235. "from":"",
236. "to":"",
237. "reg":false,
238. "x":315.5,
239. "y":263,
240. "wires":[
241. [
242. "83dbe130.6da7b"
243. ]
244. ]
245. },
246. {
247. "id":"cd501fef.a7fe1",
248. "type":"dxl-core-event out",
249. "z":"8a24b608.051698",
250. "name":"",
251. "topic":"/cisco/threatgrid/urlresults",
252. "client":"18c75246.09e8ae",
253. "x":714,
254. "y":381,
255. "wires":[
257. ]
258. },
259. {
260. "id":"83dbe130.6da7b",
261. "type":"threatgrid-urlsubmit",
262. "z":"8a24b608.051698",
263. "name":"Threat Grid URL Submit",
264. "api":"",
265. "x":279.5,
266. "y":324,
267. "wires":[
268. [
269. "a13c28b7.9bcfb8"
270. ]
271. ]
272. },
273. {
274. "id":"1977cf4b.2f3061",
275. "type":"comment",
276. "z":"8a24b608.051698",
277. "name":"DXL Topic for Submissions",
278. "info":"When submitting to Threat Grid a JSON object is returned which gives information about the submission. This information is published to the DXL topic for later use.",
279. "x":704,
280. "y":341,
281. "wires":[
283. ]
284. }
285. ]

Display More

Display More