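{#- Jinja2 template: renders one QRadar offense as a JSON incident document for
    the SOAR platform.  The text after the closing brace (FROZEN=...) lists the
    incident fields the mapping keeps fixed; it is not part of the JSON.

    Dynamic values are JSON-encoded with Jinja2's built-in `string|tojson`
    filters (Jinja2 >= 2.9): `string` keeps the original str() rendering of the
    value, `tojson` escapes quotes, backslashes and control characters so an
    offense description or offense source containing them produces a valid JSON
    string instead of a broken document or injected keys.  `offense.start_time`
    is still emitted bare, as a number (assumed numeric — an undefined or empty
    value would leave an invalid document, unchanged from before). -#}

{#- One artifact object.  `properties` is an iterable of {name, value} pairs;
    an empty iterable renders "properties": [ ]. -#}
{%- macro artifact(type, value, description, properties=()) -%}
{"value": {{ value|string|tojson }}, "type": {{ type|string|tojson }}, "description": {{ description|string|tojson }}, "properties": [
  {%- for property in properties -%}
  {"name": {{ property.name|string|tojson }}, "value": {{ property.value|string|tojson }}}{% if not loop.last %},{% endif %}
  {%- endfor %} ]}
{%- endmacro -%}
{
  "artifacts": [
    {#- Each address artifact is followed by a comma unconditionally: the
        offense_source artifact below is always emitted after them, so the list
        never ends on one of these.  (The previous `more_artifacts` guard was an
        expression that always evaluated to True.) -#}
    {%- for value in offense.source_addresses %}
    {{ artifact("IP Address", value, "QRadar Offense Source Address", properties=[{"name": "source", "value": "true"}]) }},
    {%- endfor %}
    {%- for value in offense.local_destination_addresses %}
    {{ artifact("IP Address", value, "QRadar Offense Local Destination Address", properties=[{"name": "destination", "value": "true"}]) }},
    {%- endfor %}

    {#- The artifact type of offense_source follows offense.offense_type:
        0/10 -> IP Address (source), 1/11 -> IP Address (destination),
        3 -> User Account, 4/5 -> MAC Address (source/destination),
        7 -> System Name, 8/9 -> Port (source/destination), else -> String. -#}
    {%- set description = "QRadar Offense Source: " ~ offense.offense_type_name %}
    {%- if offense.offense_type in (0, 10) %}
    {{ artifact("IP Address", offense.offense_source, description, properties=[{"name": "source", "value": "true"}]) }},
    {%- elif offense.offense_type in (1, 11) %}
    {{ artifact("IP Address", offense.offense_source, description, properties=[{"name": "destination", "value": "true"}]) }},
    {%- elif offense.offense_type == 3 %}
    {{ artifact("User Account", offense.offense_source, description) }},
    {%- elif offense.offense_type == 4 %}
    {{ artifact("MAC Address", offense.offense_source, description, properties=[{"name": "source", "value": "true"}]) }},
    {%- elif offense.offense_type == 5 %}
    {{ artifact("MAC Address", offense.offense_source, description, properties=[{"name": "destination", "value": "true"}]) }},
    {%- elif offense.offense_type == 7 %}
    {{ artifact("System Name", offense.offense_source, description) }},
    {%- elif offense.offense_type == 8 %}
    {{ artifact("Port", offense.offense_source, description, properties=[{"name": "source", "value": "true"}]) }},
    {%- elif offense.offense_type == 9 %}
    {{ artifact("Port", offense.offense_source, description, properties=[{"name": "destination", "value": "true"}]) }},
    {%- else %}
    {{ artifact("String", offense.offense_source, description) }},
    {%- endif %}

    {#- Three URL artifacts are emitted unconditionally, even when the offense
        field is empty (unchanged behaviour; the same macro now renders them). -#}
    {{ artifact("URL", offense.URL, "") }},
    {{ artifact("URL", offense.UrlHost, "") }},
    {{ artifact("URL", offense.MWG_Dominio, "") }}
  ],
  "confirmed": false,
  {#- "format": "html" means the SOAR side renders this content as HTML, so any
      markup present in the offense description is interpreted there. -#}
  "description": {
    "content": {{ (offense.event_count ~ " events in " ~ offense.category_count ~ " categories: " ~ offense.description)|string|tojson }},
    "format": "html"
  },
  "discovered_date": {{ offense.start_time }},
  "properties": {
    "clasificacin_de_informacion": ["SIN SELECCIONAR"],
    "implicacin": "N/A",
    "empresa": "YPF",
    "origen": "Qradar",
    "cola_de_atencion": "CRMC"
  },
  "incident_type_ids": ["Bloqueo de usuario"],
  "members": ["CRMC"],
  "workspace": "CSIRT",
  "start_date": {{ offense.start_time }},
  "name": {{ ("QRadar ID " ~ offense.id ~ " , " ~ offense.description ~ " - " ~ offense.offense_source)|string|tojson }}
} FROZEN="incident_type_ids","properties.origen","name","properties.cola_de_atencion","properties.implicacin","properties.clasificacin_de_informacion","start_date","properties.empresa","members","confirmed","discovered_date","workspace"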