Artifacts White-list section

It would be great to have a section where artifact values can be added to a white-list (maybe with the option to either prevent the artifact creation OR prevent the threat-source scanning), so that we can parse all artifacts automatically without worrying about possible false positives.

  • Guest
  • Nov 27 2019
  • Future consideration
  • Guest commented
    19 Mar, 2020 04:40pm

    Exactly. Moreover, it would be great if this list could be written using CIDR format (e.g. 192.168.0.0/24) or something else to indicate a network range.

  • Admin
    Brenden Glynn commented
    5 Feb, 2020 11:49pm

    An extension to this would be to add the ability to specify specific Artifact Type Values, such as internal IP addresses, that you did not want Threat Sources to evaluate. This would be good for two reasons:

    1. You control what Artifacts are being sent out to the internet

    2. You aren't wasting licensed scans/lookups on Artifacts that are unlikely to have, or will not have, intelligence, as they are internal

  • Guest commented
    29 Nov, 2019 09:04am

    I have implemented something with the wiki look-up feature; I am currently having issues with "space" characters, and I am also working on a de-duplicate function using the Utilities Search function (fully working).

    The package is currently part of a more global package that uses the artifact look-up feature (attached).

    DO NOT INSTALL IT on your prod before reworking it on a test platform.

    # Artifact Automation - 24/11/2019 - Good - TODO: DNS, EMAILs
    # Needs Wiki (see the wiki look-up function for a sample)
    # Needs API key (work on the Delete function as detailed)
    # Needs Apps: fn-wiki-lookup, fn-utilities, fn-urlscanio, fn-query-tor-network, fn_task_utils, fn_cve, fn_utilities, fn_taskutils, fn_ipnfo, fn_ipvoid, fn_tor, fn_void, fn_scanio, fn_urltodns
    resilient-circuits extract \
    --script "Custom Task ID EMAILs verification" "Custom Task ID DNSs verification" "Custom Task ID URLs verification" "Custom Task ID IPs verification" "Custom Task ID CVEs verification" "Add Deleted Artifact in Table" "Verify the IP is Internal or External" \
    --workflow "artifact_automation_1" "artifact_automation_2" \
       "custom_artifact_task_look_ips" "enrichment_ipinfo" "enrichment_ipvoidip_reputation" "enrichment_tor_network" \
       "custom_artifact_task_look_url" "enrichment_expand_url" "enrichment_url_scanio" "enrichment_url_to_dns" \
       "custom_artifact_task_look_cve" "enrichment_cve_lookup" \
    --rule "ITSM: Ask IT to remove Malware or Reimage the endpoint" "Orga: VIP EXEC" "ORG: VIP type" \
       "Enrichment: IP Info" "Enrichment: IPVOID-IP Reputation" "Enrichment: TOR Network" \
       "Enrichment: Expand URL" "Enrichment: URL ScanIO" "Enrichment: URL to DNS " "Enrichment: URL Void Scan" \
       "Enrichment: CVE Look-up" "Artifact Automation #1" \
    --datatable "deleted_artifacts" \
    --field "custom_task_look_automation" "custom_task_id_look_urls" "custom_task_id_look_ips" "custom_task_id_look_emails" "custom_task_id_look_dnss" "custom_task_id_look_cves"  \
    -o config_Artifact_Automation.res --zip  --exportfile export.res

    If you want to exchange on it, please contact me at benoit dot rostagni at ibm
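The following is an added example, not code from this thread, from the attached package, or from the product itself. It models the allow-list that the original request and the CIDR comment describe, with the two actions proposed there (block the artifact's creation, or create it but keep it away from threat sources), and it covers the internal-IP case raised in the admin's comment by never scanning private, loopback or link-local addresses unless told otherwise. The artifact type names, the entry layout, the action names and the sample data are all assumptions.

```python
"""Artifact allow-list check: exact values and CIDR ranges, per artifact type.

Added example. Artifact type names, the entry layout and the action names
are assumptions, not the product's own schema.
"""
import ipaddress
from dataclasses import dataclass

# Artifact types whose values are IP addresses (assumed names).
IP_TYPES = {"IP Address", "Source IP", "Destination IP"}

# Possible decisions for one artifact value.
BLOCK_CREATE = "block_create"  # do not create the artifact at all
SKIP_SCAN = "skip_scan"        # create it, but never send it to threat sources
SCAN = "scan"                  # create it and let threat sources evaluate it


@dataclass(frozen=True)
class AllowEntry:
    artifact_type: str  # exact type name, or "*" for any type
    pattern: str        # exact value, or a CIDR range for IP-typed artifacts
    action: str         # BLOCK_CREATE or SKIP_SCAN


def _as_ip(value):
    """Parse an IPv4/IPv6 address, or return None for anything else."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def _as_network(pattern):
    """Parse a CIDR range (host bits tolerated), or return None."""
    try:
        return ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return None


def entry_matches(entry, artifact_type, value):
    """True if the allow-list entry applies to this artifact type and value."""
    if entry.artifact_type not in ("*", artifact_type):
        return False
    if entry.pattern == value:
        return True
    # CIDR containment only makes sense for IP-typed artifacts; a CIDR-looking
    # pattern never matches a URL, e-mail or DNS name by containment.
    if artifact_type in IP_TYPES:
        net = _as_network(entry.pattern)
        ip = _as_ip(value)
        if net is not None and ip is not None and ip.version == net.version:
            return ip in net
    return False


def evaluate_artifact(artifact_type, value, allowlist, skip_internal_ips=True):
    """Decide BLOCK_CREATE, SKIP_SCAN or SCAN for one candidate artifact.

    The strongest matching action wins: blocking creation beats skipping the
    scan.  With skip_internal_ips, IP values in private, loopback or link-local
    space are never sent to threat sources even without an explicit entry.
    Values that are not valid IPs fall through to SCAN rather than raising.
    """
    actions = {e.action for e in allowlist if entry_matches(e, artifact_type, value)}
    if BLOCK_CREATE in actions:
        return BLOCK_CREATE
    if SKIP_SCAN in actions:
        return SKIP_SCAN
    if skip_internal_ips and artifact_type in IP_TYPES:
        ip = _as_ip(value)
        if ip is not None and (ip.is_private or ip.is_loopback or ip.is_link_local):
            return SKIP_SCAN
    return SCAN


def plan_artifacts(candidates, allowlist, skip_internal_ips=True):
    """Group (type, value) candidates by decision, preserving input order."""
    plan = {BLOCK_CREATE: [], SKIP_SCAN: [], SCAN: []}
    for artifact_type, value in candidates:
        decision = evaluate_artifact(artifact_type, value, allowlist, skip_internal_ips)
        plan[decision].append((artifact_type, value))
    return plan


# Constructed sample allow-list and candidate artifacts (not real data).
SAMPLE_ALLOWLIST = [
    AllowEntry("IP Address", "192.168.0.0/24", SKIP_SCAN),                 # CIDR, as requested
    AllowEntry("URL", "https://intranet.example.com/login", BLOCK_CREATE),  # exact value
    AllowEntry("*", "noreply@example.com", BLOCK_CREATE),                   # any artifact type
]

SAMPLE_CANDIDATES = [
    ("IP Address", "192.168.0.55"),                 # in the CIDR entry
    ("IP Address", "10.20.30.40"),                  # no entry, but RFC 1918
    ("IP Address", "8.8.8.8"),                      # public, goes to threat sources
    ("URL", "https://intranet.example.com/login"),  # exact block entry
    ("Email Sender", "noreply@example.com"),        # wildcard-type entry
    ("DNS Name", "192.168.0.55"),                   # CIDR entry is for IP type only
    ("IP Address", "not-an-ip"),                    # malformed value, must not crash
]

if __name__ == "__main__":
    for action, items in plan_artifacts(SAMPLE_CANDIDATES, SAMPLE_ALLOWLIST).items():
        print(action, items)
```

The check runs before any threat-source lookup is queued, so entries marked `skip_scan` still end up on the incident (useful for the analyst) while never leaving the platform or consuming a licensed lookup; the built-in private-range default can be switched off for environments that do want internal ranges evaluated.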