This repository has been archived by the owner on May 23, 2019. It is now read-only.
CIF Groups
Gabriel Iovino edited this page Jul 3, 2015
CIF supports the creation of groups (buckets) to segment observables. By default, CIF ships with its default users in the `everyone` group, and all of the default OSINT is placed in the `everyone` group.

Example of the default users and their group membership:
```
$ /opt/cif/bin/cif-tokens
username         description  groups    admin  read  write  acl  expires  revoked  token
root@localhost                everyone  yes    yes                                  058f...
cif-smrt                      everyone                yes                           c2fa...
cif-worker                    everyone         yes    yes                           08b3...
```
Example of OSINT and its group membership:

```
$ cif --otype ipv4 --provider spamhaus.org --limit 1
tlp  |group   |reporttime          |observable    |cc|asn   |confidence|tags   |description                                                         |rdata         |provider    |altid_tlp|altid
amber|everyone|2015-07-03T18:51:05Z|185.25.150.210|PL|198414|95        |exploit|CBL + customised NJABL. 3rd party exploits (proxies, trojans, etc.)|185.25.150.210|spamhaus.org|green    |http://www.spamhaus.org/query/bl?ip=185.25.150.210
```
Group membership must be specified when the user is created; you cannot modify a user's group membership after the user has been created. Here is an example of creating a user, adding an observable and querying the observable.

- Add a user with membership in `group01`:

```
$ /opt/cif/bin/cif-tokens --new --username john.smith@example.com --read --write --groups group01
```

- Add an observable with group `group01`. Note: the user (API token) has read and write permissions to the group `group01`:

```
$ echo '{"observable":"test.example.com","tlp":"amber","confidence":"25","tags":"malware","provider":"example.com","group":"group01"}' | cif -s --token ba3b...
```

- Query the observable with a user (API token) with membership in `group01`:

```
$ cif --token ba3b... -q test.example.com
tlp  |group  |reporttime          |observable      |cc|asn|confidence|tags   |description|rdata|provider   |altid_tlp|altid
amber|group01|2015-07-03T19:54:25Z|test.example.com|  |   |25        |malware|           |     |example.com|         |
```
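The following is an added example, not code from CIF or this wiki. It parses the pipe-delimited table that the `cif` client prints (the format shown in both query outputs above) into records, filters them by group, and builds the JSON document piped into `cif -s`, refusing a group the token is not a member of. The token-to-groups map and the sample table are constructed for the example; since group membership is fixed when a token is created, a client-side check like this catches a wrong `group` value before anything is submitted.

```python
import json

# Constructed sample shaped like the `cif -q` output on this page (column widths
# trimmed); the two rows reproduce the page's spamhaus.org and test.example.com records.
SAMPLE_QUERY_OUTPUT = """\
tlp  |group   |reporttime          |observable      |cc|asn   |confidence|tags   |description                                                         |rdata         |provider    |altid_tlp|altid
amber|everyone|2015-07-03T18:51:05Z|185.25.150.210  |PL|198414|95        |exploit|CBL + customised NJABL. 3rd party exploits (proxies, trojans, etc.)|185.25.150.210|spamhaus.org|green    |http://www.spamhaus.org/query/bl?ip=185.25.150.210
amber|group01 |2015-07-03T19:54:25Z|test.example.com|  |      |25        |malware|                                                                    |              |example.com |         |
"""


def parse_cif_table(text):
    """Parse the pipe-delimited table `cif` prints into a list of dicts keyed by header.

    Assumes field values contain no '|' (true of the page's output); a row whose
    column count differs from the header is rejected rather than silently misaligned.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    header = [h.strip() for h in lines[0].split("|")]
    rows = []
    for ln in lines[1:]:
        cells = [c.strip() for c in ln.split("|")]
        if len(cells) != len(header):
            raise ValueError(f"expected {len(header)} columns, got {len(cells)}: {ln!r}")
        rows.append(dict(zip(header, cells)))
    return rows


def records_in_group(rows, group):
    """Return only the records whose `group` column matches (the bucket the page describes)."""
    return [r for r in rows if r["group"] == group]


# Hypothetical token -> groups map, as an operator would record it from `cif-tokens`
# output. The token string is the page's truncated placeholder, not a real token.
TOKEN_GROUPS = {"ba3b...": {"group01"}, "worker-token-placeholder": {"everyone"}}


def build_submission(token, observable, group, token_groups=TOKEN_GROUPS,
                     tlp="amber", confidence="25", tags="malware", provider="example.com"):
    """Build the JSON document piped into `cif -s`, refusing a group the token lacks.

    Membership cannot be changed after token creation, so checking it here avoids
    submitting data into a bucket the token was never granted.
    """
    if group not in token_groups.get(token, set()):
        raise PermissionError(f"token is not a member of group {group!r}")
    payload = {
        "observable": observable,
        "tlp": tlp,
        "confidence": confidence,
        "tags": tags,
        "provider": provider,
        "group": group,
    }
    return json.dumps(payload)


if __name__ == "__main__":
    rows = parse_cif_table(SAMPLE_QUERY_OUTPUT)
    for r in records_in_group(rows, "group01"):
        print(r["observable"], r["tlp"], r["confidence"])
    print(build_submission("ba3b...", "test.example.com", "group01"))
```

The emitted JSON has the same keys as the `echo ... | cif -s` command above, so the output of `build_submission` can be piped straight into the client.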