Update manual_readme_content #36

Merged
merged 2 commits into from
Jan 2, 2024
52 changes: 33 additions & 19 deletions README.md
Expand Up @@ -27,34 +27,49 @@ This app supports investigative actions to profile domain names, get risk scores

[comment]: # "Monitoring/Scheduling Playbook(s) feature"
## DomainTools Iris Investigate Monitoring Playbook Feature
This feature allows the user to schedule playbooks to run on an specified interval. Coupled with our reference playbooks, linked below, this can be a powerful tool to notify you of domain infrastructure changes, or when newly created domains match specific infrastructure you're monitoring. See the individual playbooks for more information. This readme covers how to set up Iris Monitoring for those playbooks.
This feature allows the user to schedule playbooks to run on an specified interval and run it on a specific container/event ID you provided on each row. Coupled with our reference playbooks, linked below, this can be a powerful tool to notify you of domain infrastructure changes, or when newly created domains match specific infrastructure you're monitoring. See the individual playbooks for more information. This readme covers how to set up Iris Monitoring for those playbooks.

### Configuration
This feature depends on the 2 asset configuration fields that are **required** when using this feature.
This feature depends on the 1 asset configuration fields that are **required** when using this feature.
| **Name** | **Description** | **Default Value** | **Required** |
| --- | --- | --- | --- |
| Monitoring Event ID | The numeric ID of a event for the playbook to insert its results. | None | Required |
| Splunk SOAR HTTPS port (default: 8443) | Splunk SOAR HTTP port if your instance uses one other than the default, 8443 | 8443 | Optional |
| Splunk SOAR HTTPS port (default: 8443) | Splunk SOAR HTTP port if your instance uses one other than the default, 8443 | 8443 | Yes |

### Dependencies
To configure this, you need to:
1. Go to **Apps**
2. Select **DomainTools Iris Investigate**
3. Select a configured asset or create one if you don't have any.
4. Go to **Asset Settings**
5. Look for `Splunk SOAR HTTPS port (default: 8443)` field. By default it contains `8443` value.


### Prerequisites
This feature uses a custom list named `domaintools_scheduled_playbooks`. <br>
A template was provided alongside the app named `domaintools_scheduled_playbooks.csv` which you can import on your Splunk SOAR instance. <br>
**Note:** The values of this list has 5 columns and the header should not be altered. The last 3 columns are intentionally left blank and used by the playbook scheduler.<br>
To generate the custom list, you need to:
1. Go to **Apps**
2. Select **DomainTools Iris Investigate**
3, Select a configured asset or create one if you don't have any.
4. Go to **Actions** dropdown then;
5. Select '`configure scheduled playbooks`' action, then;
6. Hit `Test Action`.

If you go back to custom list page. you should have the `domaintools_scheduled_playbooks` generated for you.

**Note:** The values of this list has 6 columns and the header should not be altered. The last 3 columns are intentionally left blank and used by the playbook scheduler.<br>
**Sample domaintools_scheduled_playbooks table:**
| **repo/playbook_name** | **interval (mins)** | **last_run (server time)** | **last_run_status** | **remarks** |
| --- | --- | --- | --- | --- |
| `local/DomainTools Monitor Domain Risk Score`| 1440 | | | |
| `local/DomainTools Monitor Domain Infrastructure`| 1440 | | | |
| `local/DomainTools Monitor Search Hash`| 1440 | | | |
| **repo/playbook_name** | **event_id** | **interval (mins)** | **last_run (server time)** | **last_run_status** | **remarks** |
| --- | --- | --- | --- | --- | --- |
| `local/DomainTools Monitor Domain Risk Score`| `<your_event_id>` | 1440 | | | |
| `local/DomainTools Monitor Domain Infrastructure`| `<your_event_id>` | 1440 | | | |
| `local/DomainTools Monitor Search Hash`| `<your_event_id>` | 1440 | | | |
In this example, we've specified to run three separate monitoring playbooks on daily schedules. Note that each scheduled lookup will consume Iris Investigate queries, depending how many domains or Iris search hashes are being monitored.<br>

### How to use monitoring/scheduling feature in DomainTools Iris Investigate App
1. Under Apps > DomainTools Iris Investigate > Asset Settings > Ingest Settings > **Label**, specify or select a label to apply to objects from this source. **Recommended:** Use a custom label rather using a predefined label like `events`.
2. Specify a polling interval to check if playbooks need to be run. Note that this is separate from the playbook run interval specified in step 4. We recommend running every minute for the most accurate scheduling.
3. Under the Asset Settings tab, specify a **Monitoring Event ID** for the playbook to run into. Optionally change Splunk SOAR HTTP Port if using the non-default 8443. <br>
**Note:** Make sure to label the event you inputted with the label that you selected in *Step 1*.
4. Under Custom Lists > `domaintools_scheduled_playbooks` input your desired playbook schedule following the example in the Configuration Section<br>
**Note:** Make sure the label of the playbook you inputted shares the label that you selected in *Step 1*. The `domaintools_scheduled_playbooks` custom list should have been created when you updated our installed the DomainTools app, but if you don't see it, you can manually create it using the `domaintools_scheduled_playbooks.csv` template bundled with this app.
1. Under **Apps** > **DomainTools Iris Investigate** > **Asset Settings** > **Ingest Settings** > **Label**, specify or select a label to apply to objects from this source. <br>
**Recommended:** Use a custom label rather using a predefined label like `events`.
2. Specify a polling interval to check if playbooks need to be run. Note that this is separate from the playbook run interval specified in step 4. We **recommend** running **every minute** for the most accurate scheduling.
3. Under Custom Lists > `domaintools_scheduled_playbooks` input your desired playbook schedule following the example in the Configuration Section<br>
**Note:** Make sure the label of the **playbook** and **event_id** you inputted shares the label that you selected in *Step 1*. The `domaintools_scheduled_playbooks` custom list should have been created when you updated our installed the DomainTools app, but if you don't see it, you can generate it by following the **Prerequisites** section of this page.

**Note:** For the DomainTools reference playbooks, see
[this](https://github.com/DomainTools/playbooks/tree/main/Splunk%20SOAR) Github repository.
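Review bot: The cross-reference in step 2 of the "How to use" list ("the playbook run interval specified in step 4") is stale after this rewrite: the list now has only three steps and the custom-list schedule is step 3, so it should read "step 3". Smaller wording issues in the same hunk: Prerequisites item "3, Select a configured asset" uses a comma where the other items use a period; "depends on the 1 asset configuration fields" should be "depends on one asset configuration field"; "rather using a predefined label" should be "rather than using"; and "when you updated our installed the DomainTools app" (carried over unchanged) should be "updated or installed". The Configuration table marks the HTTPS port as "Yes" in a column whose other value is "Required"/"Optional", and the field has a default of 8443, so "Optional" (as before) is the accurate value unless the intro sentence is right that it must always be set; pick one and keep the intro and table consistent. The new "Dependencies" heading introduces steps that only locate the port field; consider merging it into Configuration. Finally, since each row now carries its own event_id and the scheduler will write playbook results into whatever container that ID names, the note in step 3 would be clearer if it said explicitly to verify each event_id exists and carries the step 1 label before the row is saved.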
Expand All @@ -76,7 +91,6 @@ VARIABLE | REQUIRED | TYPE | DESCRIPTION
**custom_ssl_certificate** | optional | boolean | Use Custom SSL Certificate
**ssl** | optional | boolean | Use SSL
**custom_ssl_certificate_path** | optional | string | Custom SSL Certificate Path
**monitoring_event_id** | optional | string | Monitoring Event ID
**http_port** | optional | string | Splunk SOAR HTTPS port (default: 8443)

### Supported Actions
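Review bot: The variables table in this hunk still lists **http_port** as "optional", while the Configuration table earlier in this file now marks "Splunk SOAR HTTPS port" as required ("Yes") and the intro calls it the one required field. Because the field has a default of 8443, "optional" is the accurate description; either revert the Configuration table's Required column to "Optional" or, if a value must always be saved, mark both places as required. Removing **monitoring_event_id** here is consistent with moving the event ID into the custom list's event_id column.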
51 changes: 33 additions & 18 deletions manual_readme_content.md
Expand Up @@ -15,34 +15,49 @@

[comment]: # "Monitoring/Scheduling Playbook(s) feature"
## DomainTools Iris Investigate Monitoring Playbook Feature
This feature allows the user to schedule playbooks to run on an specified interval. Coupled with our reference playbooks, linked below, this can be a powerful tool to notify you of domain infrastructure changes, or when newly created domains match specific infrastructure you're monitoring. See the individual playbooks for more information. This readme covers how to set up Iris Monitoring for those playbooks.
This feature allows the user to schedule playbooks to run on an specified interval and run it on a specific container/event ID you provided on each row. Coupled with our reference playbooks, linked below, this can be a powerful tool to notify you of domain infrastructure changes, or when newly created domains match specific infrastructure you're monitoring. See the individual playbooks for more information. This readme covers how to set up Iris Monitoring for those playbooks.

### Configuration
This feature depends on the 2 asset configuration fields that are **required** when using this feature.
This feature depends on the 1 asset configuration fields that are **required** when using this feature.
| **Name** | **Description** | **Default Value** | **Required** |
| --- | --- | --- | --- |
| Monitoring Event ID | The numeric ID of a event for the playbook to insert its results. | None | Required |
| Splunk SOAR HTTPS port (default: 8443) | Splunk SOAR HTTP port if your instance uses one other than the default, 8443 | 8443 | Optional |
| Splunk SOAR HTTPS port (default: 8443) | Splunk SOAR HTTP port if your instance uses one other than the default, 8443 | 8443 | Yes |

### Dependencies
To configure this, you need to:
1. Go to **Apps**
2. Select **DomainTools Iris Investigate**
3. Select a configured asset or create one if you don't have any.
4. Go to **Asset Settings**
5. Look for `Splunk SOAR HTTPS port (default: 8443)` field. By default it contains `8443` value.


### Prerequisites
This feature uses a custom list named `domaintools_scheduled_playbooks`. <br>
A template was provided alongside the app named `domaintools_scheduled_playbooks.csv` which you can import on your Splunk SOAR instance. <br>
**Note:** The values of this list has 5 columns and the header should not be altered. The last 3 columns are intentionally left blank and used by the playbook scheduler.<br>
To generate the custom list, you need to:
1. Go to **Apps**
2. Select **DomainTools Iris Investigate**
3, Select a configured asset or create one if you don't have any.
4. Go to **Actions** dropdown then;
5. Select '`configure scheduled playbooks`' action, then;
6. Hit `Test Action`.

If you go back to custom list page. you should have the `domaintools_scheduled_playbooks` generated for you.

**Note:** The values of this list has 6 columns and the header should not be altered. The last 3 columns are intentionally left blank and used by the playbook scheduler.<br>
**Sample domaintools_scheduled_playbooks table:**
| **repo/playbook_name** | **interval (mins)** | **last_run (server time)** | **last_run_status** | **remarks** |
| --- | --- | --- | --- | --- |
| `local/DomainTools Monitor Domain Risk Score`| 1440 | | | |
| `local/DomainTools Monitor Domain Infrastructure`| 1440 | | | |
| `local/DomainTools Monitor Search Hash`| 1440 | | | |
| **repo/playbook_name** | **event_id** | **interval (mins)** | **last_run (server time)** | **last_run_status** | **remarks** |
| --- | --- | --- | --- | --- | --- |
| `local/DomainTools Monitor Domain Risk Score`| `<your_event_id>` | 1440 | | | |
| `local/DomainTools Monitor Domain Infrastructure`| `<your_event_id>` | 1440 | | | |
| `local/DomainTools Monitor Search Hash`| `<your_event_id>` | 1440 | | | |
In this example, we've specified to run three separate monitoring playbooks on daily schedules. Note that each scheduled lookup will consume Iris Investigate queries, depending how many domains or Iris search hashes are being monitored.<br>

### How to use monitoring/scheduling feature in DomainTools Iris Investigate App
1. Under Apps > DomainTools Iris Investigate > Asset Settings > Ingest Settings > **Label**, specify or select a label to apply to objects from this source. **Recommended:** Use a custom label rather using a predefined label like `events`.
2. Specify a polling interval to check if playbooks need to be run. Note that this is separate from the playbook run interval specified in step 4. We recommend running every minute for the most accurate scheduling.
3. Under the Asset Settings tab, specify a **Monitoring Event ID** for the playbook to run into. Optionally change Splunk SOAR HTTP Port if using the non-default 8443. <br>
**Note:** Make sure to label the event you inputted with the label that you selected in *Step 1*.
4. Under Custom Lists > `domaintools_scheduled_playbooks` input your desired playbook schedule following the example in the Configuration Section<br>
**Note:** Make sure the label of the playbook you inputted shares the label that you selected in *Step 1*. The `domaintools_scheduled_playbooks` custom list should have been created when you updated our installed the DomainTools app, but if you don't see it, you can manually create it using the `domaintools_scheduled_playbooks.csv` template bundled with this app.
1. Under **Apps** > **DomainTools Iris Investigate** > **Asset Settings** > **Ingest Settings** > **Label**, specify or select a label to apply to objects from this source. <br>
**Recommended:** Use a custom label rather using a predefined label like `events`.
2. Specify a polling interval to check if playbooks need to be run. Note that this is separate from the playbook run interval specified in step 4. We **recommend** running **every minute** for the most accurate scheduling.
3. Under Custom Lists > `domaintools_scheduled_playbooks` input your desired playbook schedule following the example in the Configuration Section<br>
**Note:** Make sure the label of the **playbook** and **event_id** you inputted shares the label that you selected in *Step 1*. The `domaintools_scheduled_playbooks` custom list should have been created when you updated our installed the DomainTools app, but if you don't see it, you can generate it by following the **Prerequisites** section of this page.

**Note:** For the DomainTools reference playbooks, see
[this](https://github.com/DomainTools/playbooks/tree/main/Splunk%20SOAR) Github repository.
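Review bot: This file mirrors the README.md change line for line, so the same defects need fixing here too: step 2's "specified in step 4" should be "step 3" now that the list has three steps; "3, Select a configured asset" should use a period; "depends on the 1 asset configuration fields" should be "depends on one asset configuration field"; "rather using" should be "rather than using"; and "updated our installed" should be "updated or installed". The Configuration table's "Yes" for the HTTPS port conflicts with its 8443 default and with the field's "optional" status in the variables table in README.md; choose one and apply it consistently. Since this file is the source for the generated README content, it is worth checking that README.md is regenerated from it rather than edited in parallel, so the two cannot drift apart again.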