Built-in: Broadcast Nodes

Overview

The Broadcast nodes provide the ability to gather threat intelligence and to block or unblock any potential Indicator of Compromise (IoC).

Functionality

The Broadcast nodes expose the following functionality:

  • Gathering threat intelligence on a URL, Domain, IP, or Hash via the NL Broadcast Gather Threat Intelligence node.
  • Block or Unblock an IoC via the NL Broadcast IoC Action node.

The Broadcast capabilities provide a powerful mechanism to modify runtime behavior without direct modification to flows (playbooks) by creating Plugin Instances with broadcast capabilities enabled.

Flow Nodes

NL Broadcast Gather Threat Intelligence

Node to broadcast an event to gather threat intelligence. When a message arrives, the node uses the Action setting to determine its behavior, so the behavior changes with the selected Action.
Property
Description

Name

The display name of the node within the flows.


DXL Fabric

The DXL (Data Exchange Layer) Broker the node will use.


Action

The action taken against the payload.

  • Search Within: Determines the report(s) to run based on a search of the contents within the Search Within field.
  • Domain Report: Broadcasts an event to gather threat intelligence on the domain configured by Domain.
  • File Report: Broadcasts an event to gather threat intelligence on the file configured by File Hash.
  • IP Address Report: Broadcasts an event to gather threat intelligence on the IP address configured by IP Address.
  • URL Report: Broadcasts an event to gather threat intelligence on the URL configured by URL.

IoC Search Location

Standard flows use the following locations for IoC analysis.

  • URLs: msg.payload.ioc.url
  • Domains: msg.payload.ioc.domain
  • IPs: msg.payload.ioc.ip
  • Hashes: msg.payload.ioc.md5, msg.payload.ioc.sha1, msg.payload.ioc.sha256

Batching

If Batch replies is checked, then all replies received within the configured time frame will be batched together and sent as one message. Replies that arrive after the configured time frame will be sent individually.


Batch Interval

The number of seconds the node waits before batching the messages received.

NL Broadcast IoC Action

Node to broadcast an Indicator of Compromise block/unblock event. When a message arrives, the node uses the Action setting to determine its behavior, so the behavior changes with the selected Action.
Property
Description

Name

The display name of the node within the flows.


DXL Fabric

The DXL (Data Exchange Layer) Broker the node will use.


Action

The action taken against the payload.

  • Block/Unblock Within: Determines the block/unblock requests to run based on a search of the contents within the Block Within or Unblock Within field.
  • Block/Unblock Domain: Broadcasts an event to block/unblock the domain configured by Domain.
  • Block/Unblock File Hash: Broadcasts an event to block/unblock the file hash configured by File Hash.
  • Block/Unblock IP Address: Broadcasts an event to block/unblock the IP Address configured by IP Address.
  • Block/Unblock URL: Broadcasts an event to block/unblock the URL configured by URL.

IoC Block/Unblock Location

Standard flows use the following locations for the IoC to block or unblock.

  • URLs: msg.payload.ioc.url
  • Domains: msg.payload.ioc.domain
  • IPs: msg.payload.ioc.ip
  • Hashes: msg.payload.ioc.md5, msg.payload.ioc.sha1, msg.payload.ioc.sha256
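Both nodes read the indicator from the same msg.payload.ioc locations listed above (and under IoC Search Location). The following is an added example, not Nevelex Labs code, of a Node-RED function node that fills those locations from a list of raw indicator strings before the message reaches a Broadcast node. Inferring the hash location from hex length (32 = md5, 40 = sha1, 64 = sha256) and the `msg.indicators` input name are this example's assumptions.

```javascript
// Added example, not Nevelex Labs code: populate msg.payload.ioc at the
// locations the standard flows read, so the "Search Within" / "Block/Unblock
// Within" actions find the indicators. Hash type is inferred from hex length
// (32 = md5, 40 = sha1, 64 = sha256); that inference is an assumption of the
// example, not a rule stated in the product documentation.
const HASH_KEY_BY_LEN = { 32: "md5", 40: "sha1", 64: "sha256" };
const IPV4 = /^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$/;
const DOMAIN = /^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/i;

// Map one raw indicator string to its key under msg.payload.ioc, or null.
function classifyIoc(value) {
  const v = String(value).trim();
  if (/^https?:\/\//i.test(v)) return "url";
  if (IPV4.test(v)) return "ip";
  if (/^[0-9a-f]+$/i.test(v) && HASH_KEY_BY_LEN[v.length]) return HASH_KEY_BY_LEN[v.length];
  if (DOMAIN.test(v)) return "domain";
  return null; // unrecognised shape: leave it out rather than guess
}

// Build { payload: { ioc } } from a list of indicators. Each location holds a
// single value, so the first indicator of each type wins and the rest are
// returned in `skipped` for the flow to fan out as separate messages.
function buildIocPayload(indicators) {
  const ioc = {};
  const skipped = [];
  for (const raw of indicators) {
    const kind = classifyIoc(raw);
    const v = String(raw).trim();
    if (kind === null || ioc[kind] !== undefined) { skipped.push(v); continue; }
    // Domains and hashes are case-insensitive; URLs and IPs are kept as given.
    ioc[kind] = (kind === "url" || kind === "ip") ? v : v.toLowerCase();
  }
  return { payload: { ioc }, skipped };
}

// In a function node (assumed input msg.indicators):
//   msg.payload = buildIocPayload(msg.indicators).payload; return msg;
```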

Batching

If Batch replies is checked, then all replies received within the configured time frame will be batched together and sent as one message. Replies that arrive after the configured time frame will be sent individually.


Batch Interval

The number of seconds the node waits before batching the messages received.

Learn More

JSON Message Format

The following samples show the JSON content, which conforms to the Node Messaging Format.

Success

The italicized, green text (the apivoid, urlscan, and recordedfuture entries) is retrieved by the NL Broadcast Gather Threat Intelligence node. The node was configured to retrieve the Domain Report from all available threat intel plugins. In this example it received responses from APIVoid, URL Scan, and Recorded Future.

"payload": {
  "ioc": {
    "domain": "baddomain.com"
  },
  "apivoid": {...},
  "urlscan": {...},
  "recordedfuture": {...}
}

Error

The italicized, maroon text (the panorama entry) is returned by the NL Broadcast IoC Action node upon a failed request. Panorama is not set up in this example, so the connection attempt timed out.

"payload": {
  "panorama": {
    "pano1": {
      "error": {
        "error_code": 5,
        "error_message": {
          "code": "ETIMEDOUT",
          "port": 443,
          "errno": "ETIMEDOUT",
          "address": "192.168.128.128",
          "syscall": "connect"
        }
      },
      "topic": "/nevelexlabs/event/71c5cbd1.c9118c/blockdomainreply"
    }
  }
}
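A flow that consumes these replies needs to tell a plugin report apart from a plugin failure before acting on it. The following is an added example, not Nevelex Labs code, of a Node-RED function node that triages a reply payload of the shape shown in the two samples; reading every non-"ioc" key as a plugin name, and a nested key holding an "error" object as a plugin instance, is this example's assumption based on those samples.

```javascript
// Added example, not Nevelex Labs code: triage a Broadcast reply payload of
// the shape shown above. Every key other than "ioc" is treated as a plugin
// name, and a plugin entry may hold per-instance entries (as "panorama" ->
// "pano1" does in the Error sample). An entry carrying an "error" object with
// an "error_code" is a failed request; a plugin with no such entry is taken to
// be a report. That reading of the layout is this example's assumption.
function isErrorEntry(entry) {
  return entry !== null && typeof entry === "object" &&
    entry.error !== null && typeof entry.error === "object" &&
    "error_code" in entry.error;
}

function describeFailure(plugin, instance, entry) {
  const m = entry.error.error_message;
  return {
    plugin, instance,
    error_code: entry.error.error_code,
    // error_message may be a string or a socket error object as in the sample
    reason: m !== null && typeof m === "object" ? (m.code || JSON.stringify(m)) : String(m),
    topic: entry.topic || null,
  };
}

function summarizeReply(payload) {
  const summary = { ioc: payload.ioc || {}, reports: [], failures: [] };
  for (const [plugin, entry] of Object.entries(payload)) {
    if (plugin === "ioc" || entry === null || typeof entry !== "object") continue;
    if (isErrorEntry(entry)) { summary.failures.push(describeFailure(plugin, null, entry)); continue; }
    const failed = Object.entries(entry).filter(([, v]) => isErrorEntry(v));
    if (failed.length === 0) { summary.reports.push(plugin); continue; }
    for (const [instance, inst] of failed) summary.failures.push(describeFailure(plugin, instance, inst));
  }
  return summary;
}

// Constructed reply combining one report and the Error sample from above.
const SAMPLE_REPLY = {
  ioc: { domain: "baddomain.com" },
  apivoid: { detections: 0 },  // constructed report body; real plugin output differs
  panorama: {
    pano1: {
      error: { error_code: 5, error_message: { code: "ETIMEDOUT", port: 443, errno: "ETIMEDOUT",
                                               address: "192.168.128.128", syscall: "connect" } },
      topic: "/nevelexlabs/event/71c5cbd1.c9118c/blockdomainreply",
    },
  },
};
// In a function node: msg.payload = summarizeReply(msg.payload); return msg;
```

With batching enabled, the same function handles a batched reply, since each plugin's entry simply appears as one more key in the payload.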
©Nevelex Labs, LLC. 2018-2021, All Rights Reserved.
