The title of the playbook
JARM verification
Purpose of the playbook
This playbook takes a list of JARM fingerprints. The local MISP events and the enabled OSINT feeds are queried for matches and reported in the playbook. It then creates a new MISP event with the JARM fingerprints. The playbook then queries Shodan and Censys for these matches and collects the hostname and the information in the common name field found in the certificates. These attributes are added to the MISP event. It then queries the local MISP events and the enabled OSINT feeds for matches with these hostnames/domains. These matches are reported in the playbook. A final summary is added at the end of the playbook and shared via Mattermost or Slack or as an alert in TheHive or DFIR-IRIS (to be discussed for implementation).
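The workflow above, reduced to its data handling, as an added example that is not part of the playbook proposal or the MISP project's code. It normalises the input fingerprints (dropping the all-zero value JARM emits when a target gives no TLS response), correlates them against MISP and feed attributes, pulls hostnames and certificate common names out of scan results, builds the attribute list for the new event and re-correlates the hosts. The MISP, feed and Shodan/Censys lookups are replaced by constructed in-memory lists and dictionaries (assumption: a real playbook would use PyMISP searches and the Shodan/Censys API clients instead); the sample fingerprints, hosts and event ids are constructed, not real observations.

```python
"""JARM verification workflow skeleton with constructed stand-ins for MISP,
the OSINT feeds and the Shodan/Censys lookups (illustrative, not MISP code)."""
import re
from collections import defaultdict

JARM_RE = re.compile(r"[0-9a-f]{62}")
JARM_NO_RESPONSE = "0" * 62   # JARM returns all zeros when the target sent no TLS response

# --- Constructed sample data (assumption: not real scan or MISP results) ---
JARM_A = "2ad2ad0002ad2ad00042d42d" + "0" * 38
JARM_B = "07d14d16d21d21d07c42d41d00041d" + "1" * 32

SAMPLE_MISP_ATTRIBUTES = [   # stands in for a PyMISP search over local events
    {"type": "jarm-fingerprint", "value": JARM_A, "event_id": 101, "info": "C2 cluster (constructed)"},
    {"type": "domain", "value": "c2.example.test", "event_id": 102, "info": "Phishing kit (constructed)"},
]
SAMPLE_FEED_ATTRIBUTES = [   # stands in for the enabled OSINT feed caches
    {"type": "hostname", "value": "update.example.test", "feed": "feed-x (constructed)"},
]
SAMPLE_SCAN_RESULTS = {      # stands in for Shodan/Censys results keyed by JARM
    JARM_A: [
        {"ip": "192.0.2.10", "hostnames": ["c2.example.test"],
         "cert_subject": "C=US, O=Example, CN=c2.example.test"},
        {"ip": "192.0.2.11", "hostnames": [], "cert_subject": "CN=update.example.test"},
    ],
    JARM_B: [],
}


def normalise_jarm(raw):
    """Lower-case and validate a fingerprint; None for malformed or no-response values."""
    fp = raw.strip().lower()
    if not JARM_RE.fullmatch(fp) or fp == JARM_NO_RESPONSE:
        return None
    return fp


def extract_common_name(subject_dn):
    """Return the CN from a comma-separated subject string such as 'C=US, O=X, CN=host'."""
    for part in subject_dn.split(","):
        key, _, value = part.strip().partition("=")
        if key.strip().upper() == "CN" and value.strip():
            return value.strip()
    return None


def find_matches(values, attributes):
    """Map each value to the attributes carrying it (case-insensitive); unmatched values are absent."""
    wanted = {v.lower() for v in values}
    hits = defaultdict(list)
    for attr in attributes:
        value = attr["value"].lower()
        if value in wanted:
            hits[value].append(attr)
    return dict(hits)


def hosts_from_scans(jarms, scan_results):
    """Collect de-duplicated hostnames and certificate CNs per fingerprint from scan results."""
    found = {}
    for jarm in jarms:
        names = set()
        for result in scan_results.get(jarm, []):
            names.update(h.lower() for h in result.get("hostnames", []))
            cn = extract_common_name(result.get("cert_subject", ""))
            if cn and not cn.startswith("*."):   # a wildcard CN is not a usable host indicator
                names.add(cn.lower())
        found[jarm] = sorted(names)
    return found


def run_playbook(raw_jarms, misp_attrs, feed_attrs, scan_results):
    """Run the correlation steps and return a report dictionary for the final summary."""
    normalised = [normalise_jarm(x) for x in raw_jarms]
    skipped = [raw for raw, fp in zip(raw_jarms, normalised) if fp is None]
    jarms = [fp for fp in normalised if fp]
    hosts = hosts_from_scans(jarms, scan_results)
    all_hosts = sorted({h for names in hosts.values() for h in names})
    return {
        "jarms": jarms,
        "skipped": skipped,
        "jarm_misp_matches": find_matches(jarms, misp_attrs),
        "jarm_feed_matches": find_matches(jarms, feed_attrs),
        "hosts": hosts,
        # attributes for the new MISP event: the fingerprints plus the hosts derived from them
        "event_attributes": [{"type": "jarm-fingerprint", "value": j} for j in jarms]
        + [{"type": "hostname", "value": h, "comment": "from scan of JARM " + j}
           for j, names in hosts.items() for h in names],
        "host_misp_matches": find_matches(all_hosts, misp_attrs),
        "host_feed_matches": find_matches(all_hosts, feed_attrs),
    }


def summary_text(report):
    """Plain-text summary suitable for a Mattermost/Slack message."""
    lines = ["JARM verification: %d fingerprint(s), %d skipped" % (len(report["jarms"]), len(report["skipped"]))]
    for jarm in report["jarms"]:
        lines.append("%s: MISP %d, feeds %d, hosts %s" % (
            jarm, len(report["jarm_misp_matches"].get(jarm, [])),
            len(report["jarm_feed_matches"].get(jarm, [])),
            ", ".join(report["hosts"][jarm]) or "none"))
    for host, attrs in report["host_misp_matches"].items():
        lines.append("host %s seen in MISP event(s) %s" % (host, ", ".join(str(a["event_id"]) for a in attrs)))
    for host, attrs in report["host_feed_matches"].items():
        lines.append("host %s seen in feed(s) %s" % (host, ", ".join(a["feed"] for a in attrs)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(summary_text(run_playbook([JARM_A, JARM_B, "0" * 62], SAMPLE_MISP_ATTRIBUTES,
                                    SAMPLE_FEED_ATTRIBUTES, SAMPLE_SCAN_RESULTS)))
```

Two points worth keeping when this is turned into a notebook: fingerprints coming from a ticket or chat are often upper-cased or padded, so normalise before searching, and the all-zero fingerprint would otherwise match every "no response" entry in a feed and flood the report. Keeping the source fingerprint in the hostname attribute comment preserves the link between the two correlation rounds when the event is reviewed later.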
External resources used by this playbook
Shodan, Censys, Mattermost (or Slack), TheHive (optional), DFIR-IRIS (optional)
Target audience
SOC, CSIRT, CTI
Briefly list the execution steps or workflow
No response