×
Built-In: Indicators of Compromise Nodes
Nevelex Labs Logo

Overview

The Security Flow IoC (Indicators of Compromise) nodes provide the ability to manage IoC information and route messages based on an IoC’s trust level. The IoCs and their trust level will display on the Incident Timeline when associated with an incident and the Indicators of Compromise widget.

Functionality

The Indicator of Compromise (IoC) nodes provide the following functionality:

  • Associate an IoC with an Incident via the NL-Associate-IoCs node.
  • Audit IoC information into the message traversing the flows via the NL-IoC-Audit-Into-Msg node.
  • Find an IoC from a Source in the incoming message via the NL-Find-IoCs node.
  • Set an IoC’s trust level via the NL-Set-IoC node.
  • Select pathways for IoCs by trust level or trust range via the NL-IoC-Switch node.
  • Route messages based on trust level rules by checking all IoCs associated with an Incident via the NL-IoCs-Trust-Level-Router node.

Flow Nodes

Associates an Indicator of Compromise (IoC) with the Incident at the IoC's existing trust level.
Property
Description

Name

The display name of the node within the flows.


Default Trust Level

If the IoC does not have an existing trust level, it will have its trust level set to the designated Default Trust Level.

  • 0 (Malicious)
  • 1
  • 2
  • 3
  • 4
  • 5 (Unknown)
  • 6
  • 7
  • 8
  • 9
  • 10 (Trusted)

Set URL Trust Level Based on Domain

If checked, it will set the URLs trust level based on the Domain’s trust level.


IoC Search Locations

The node is initially configured with the following IoC search locations for parsing.

  • Domain: msg.payload.ioc.domain The format of the domain can be just “domain.tld”. If domain is supplied as a URL, the domain will be parsed into “domain.tld”.
  • IP Address: msg.payload.ioc.ip
  • MD5: msg.payload.ioc.md5
  • SHA1: msg.payload.ioc.sha1
  • SHA256: msg.payload.ioc.sha256
  • URL: msg.payload.ioc.url Location of the URL. If Set URL Trust Level Based on Domain is checked, the default trust level of the URL IoC is set to the domain’s existing trust level. If the URL and domain are undefined, the trust level is set to the default trust level.
Finds all the current Incident's IoCs matching the configured trust level ranges and adds the IoCs' information into the message at the designated Output Field location as a list. The IoC information could be used for external notifications.
Property
Description

Name

The display name of the node within the flows.


Minimum Trust Level

The minimum trust level for the incoming IoCs.

  • 0 (Malicious)
  • 1
  • 2
  • 3
  • 4
  • 5 (Unknown)
  • 6
  • 7
  • 8
  • 9
  • 10 (Trusted)

Maximum Trust Level

The maximum trust level for the incoming IoCs.

  • 0 (Malicious)
  • 1
  • 2
  • 3
  • 4
  • 5 (Unknown)
  • 6
  • 7
  • 8
  • 9
  • 10 (Trusted)

Output Field

The information added at the Output Field location is a list (array) of IoCs which are currently associated with the Incident. The Output Field is relative to msg.payload. The default Output Field is associatedIoCs.
For example:

"payload": {
    "associatedIoCs": [
      {
        "ioc": "https://test10.com",
        "iocType": "url",
        "trustLevel": 0
      }
    ]
}
Utility Node for locating potential Indicators of Compromise (IoCs) from a Source in the incoming message and splitting the IoCs found into individual messages with the Output Field set to the current IoC artifact. Messages are routed out the appropriate output based on IoC type. This node is useful for operating on URLs and Domains, IPs (V4 & V6), and file hashes (MD5, SHA1, & SHA256). The dashboard's Inject IoC widget can be used to inject into the NL-Find-IoCs node, for more information see Dashboard Report-Inject IoC.
Property
Description

Name

The display name of the node within the flows.


Source

The Source may be any part of the incoming message. The IoC search scans the entire object hierarchy starting from the Source.
The following contexts are supported:

  • msg: This selects part of the incoming message as the source of the data. This is typical choice.
  • flow: This selects part of the flow context’s saved data as the source. This information is shared with only the nodes on a given tab.
  • global: This selects part of the global context’s saved data as the source. This information is shared by all nodes regardless of tab.
  • J: expression: JSONata expression language to perform query and transform operations on the payload.

Include URLs

When Include URLs is enabled, this node will output URLs and Domains in the Output Field. When not checked, only Domains will be sent out. Additionally, enabling this feature enables a secondary URL option.


Remove Parameters from URLs

If enabled, Remove Parameters from URLs removes all the parameters from the URL. When disabled, the parameters remain as part of the URL and are alphabetized by name.


Ignore Special IPs

When Ignore Special IPs is enabled, all IPv4 and IPv6 addresses for local host (loopback), private ranges, link-local ranges, carrier-grade NAT, and reserved ranges are ignored. Additionally, URLs containing those types IPv4 addresses are ignored as well. There is currently no support for ignoring IPv6 addresses in URLs.


Output Field

The default Output Field is ioc and is placed within msg.payload.

Creates or updates an Indicator of Compromise and sets the trust level to this node's configured trust level.
Property
Description

Name

The display name of the node within the flows.


Trust Level

The trust level the incomimg IoCs are set to.

  • 0 (Malicious)
  • 1
  • 2
  • 3
  • 4
  • 5 (Unknown)
  • 6
  • 7
  • 8
  • 9
  • 10 (Trusted)

IoC Search Locations

The node is initially configured with the following IoC search locations for parsing.

  • Domain: Location of the Domain to set the trust level of. The format of the domain can be just “domain.tld”. If domain is supplied as a URL, the domain will be parsed into “domain.tld”.
  • IP Address: Location of the IP Address.
  • MD5: Location of the MD5 Hash.
  • SHA1: Location of the SHA1 Hash.
  • SHA256: Location of the SHA256 Hash.
  • URL: Location of the URL.
Selects pathways for Indicators of Compromise (IoCs) by trust level or trust level ranges. If multiple IoCs are located, a copy of the message is routed out the appropriate output based on the trust level of each IoC individually.
Property
Description

Name

The display name of the node within the flows.


Use Trust Level Range

When Use Trust Level Range is enabled, IoCs with a trust level greater than or equal to the Minimum Trust Level and less than or equal to the Maximum Trust Level are passed through the In Range output, IoCs with a trust level less than the Minimum Trust Level or greater than to the Maximum Trust Level are passed through the Outside Range output. IoCs without a set trust level are passed through the Undefined output.


Minimum Trust Level

By default, Use Trust Level Range is disabled. In this mode, IoCs with a trust level greater than or equal to the user defined Minimum Trust Level are passed through the In Range output. IoCs with a trust level less than the Minimum Trust Level are passed through the Outside Range output. IoCs without a set trust level are passed through the Undefined output.

  • 0 (Malicious)
  • 1
  • 2
  • 3
  • 4
  • 5 (Unknown)
  • 6
  • 7
  • 8
  • 9
  • 10 (Trusted)

IoC Search Locations

The node is initially configured with the following IoC search locations for parsing.

  • Domain: Location of the Domain to set the trust level of. The format of the domain can be just “domain.tld”. If domain is supplied as a URL, the domain will be parsed into “domain.tld”.
  • IP Address: Location of the IP Address.
  • MD5: Location of the MD5 Hash.
  • SHA1: Location of the SHA1 Hash.
  • SHA256: Location of the SHA256 Hash.
  • URL: Location of the URL.
Routes incoming messages by applying rules to all the Indicators of Compromise (IoCs) associated with the message's Incident based on the IoC trust levels. Because of the asynchronous nature of message objects traversing the flows, we recommend using a NL Sync node prior to using this node.
Property
Description

Name

The display name of the node within the flows.


Reference Trust Level

The IoCs are checked against the set trust level and passed through the appropriate output.

  • 0 (Malicious)
  • 1
  • 2
  • 3
  • 4
  • 5 (Unknown)
  • 6
  • 7
  • 8
  • 9
  • 10 (Trusted)

Message Routing

This node has the following set of available routing rules for processing the IoCs associated with the Incident.

  • All IoCs == Reference Trust Level: Every IoC has a trust level of Reference Trust Level. This is a default Message Routing entry of the node.
  • All IoCs < Reference Trust Level: Every IoC has a trust level less than the Reference Trust Level.
  • Any IoCs < Reference Trust Level: Any IoC has a trust level less than the Reference Trust Level. This is a default Message Routing entry of the node.
  • Most IoCs < Reference Trust Level: Most IoCs have a trust level less than the Reference Trust Level. If there are an even number of IoCs associated with the Incident, at least 1/2 the IoCs must have a trust level less than the Reference Trust Level.
  • All IoCs > Reference Trust Level: Every IoC has a trust level greater than the Reference Trust Level.
  • Any IoCs > Reference Trust Level: Any IoC has a trust level greater than the Reference Trust Level.
  • Most IoCs > Reference Trust Level: Most IoCs have a trust level greater than the Reference Trust Level. If there are an even number of IoCs associated with the Incident, at least 1/2 the IoCs must have a trust level greater than the Reference Trust Level. This is a default Message Routing entry of the node.

Learn More

JSON Message Format

The following samples show the JSON content added to the message payload, which conforms to Node Messaging Format.

Success

The italicized, green text is inserted into the message payload upon request. The NL-IoC-Audit-Into-Msg node in the following sample was configured to minimum trust level 0 and maximum trust level 1.

"payload": {
    "associatedIoCs": [
      {
        "ioc": "https://test10.com",
        "iocType": "url",
        "trustLevel": 0
      },
      {
        "ioc": "https://test40.com/123413241324653674788547jtreftjhfhtry546dthnn65fduy54d6ydryhdr65y546hdh65y4htyj56y54yytrh546y5yjr6ij65eytjytdhd546yy65",
        "iocType": "url",
        "trustLevel": 0
      },
      {
        "ioc": "https://test20.com",
        "iocType": "url",
        "trustLevel": 0
      },
      {
        "ioc": "https://test30.com/1234/1234/1234/1234/1234/1324/1234/1324/1324/1234/1234/1324/2345/2345/2435/235/4325/2435/2435/2435/2543/2543/243/4325/5432/2543/4325/5432/5432",
        "iocType": "url",
        "trustLevel": 0
      }
    ]
  }
}
Nevelex Labs, Main Office

Metro Office Park
2950 Metro Drive, Suite 104
Bloomington, MN 55425
Phone: +1 952-500-8921

©Nevelex Labs, LLC. 2018-2021, All Rights Reserved.

EULA