[{"id":"bf547258.3071f","type":"echo-watch-list-get","z":"d2217a1e.7327b8","name":"Check if VPN","property":"vpn","propertyType":"str","value":"payload.ip","valueType":"msg","x":470,"y":360,"wires":[["86492330.22551"]]},{"id":"b6a188fb.2fefa8","type":"echo-ioc-check","z":"d2217a1e.7327b8","name":"Check if IOC","property":"ip","propertyType":"str","value":"payload.ip","valueType":"msg","x":470,"y":640,"wires":[["399bd4d9.4fa94c"]]},{"id":"e93785bc.d24118","type":"echo-watch-list-get","z":"d2217a1e.7327b8","name":"Check blacklist","property":"blacklist","propertyType":"str","value":"payload.ip","valueType":"msg","x":710,"y":640,"wires":[["399bd4d9.4fa94c"]]},{"id":"3f14bdbf.f33fe2","type":"echo-ioc-check","z":"d2217a1e.7327b8","name":"Check if TOR","property":"tor","propertyType":"str","value":"payload.ip","valueType":"msg","x":230,"y":640,"wires":[["399bd4d9.4fa94c"]]},{"id":"399bd4d9.4fa94c","type":"echo-collect","z":"d2217a1e.7327b8","name":"Wait for checks","waitForInputs":"2","x":470,"y":800,"wires":[["6ac0f118.b555a","a51f5fbc.2ae9b"]]},{"id":"a51f5fbc.2ae9b","type":"function","z":"d2217a1e.7327b8","name":"Should we trigger a detection?","func":"\nreturn msg;","outputs":2,"noerr":0,"x":510,"y":940,"wires":[["d26e8398.eb227","8e6ce52b.bbf2d8","30f9a3e0.2bb66c"],[]],"outputLabels":["Yes","No"]},{"id":"101e25dc.cae19a","type":"tcp out","z":"d2217a1e.7327b8","host":"arcsight.example.com","port":"1514","beserver":"client","base64":false,"end":false,"name":"Send to Arcsight","x":470,"y":1220,"wires":[]},{"id":"d26e8398.eb227","type":"function","z":"d2217a1e.7327b8","name":"Format an email","func":"\nreturn msg;","outputs":1,"noerr":0,"x":730,"y":1080,"wires":[["dbc4100a.b1cdd"]]},{"id":"dbc4100a.b1cdd","type":"e-mail","z":"d2217a1e.7327b8","server":"smtp.gmail.com","port":"465","secure":true,"name":"","dname":"Send alert email","x":730,"y":1220,"wires":[]},{"id":"8e6ce52b.bbf2d8","type":"echo-alert-add","z":"d2217a1e.7327b8","name":"","subject":"Malicious login","subjectType":"str","description":"We have identified a malicious login","descriptionType":"str","_category":"Login","_categoryType":"str","subcategory":"Remote Access Origin","subcategoryType":"str","rule":"Malicious Login Detected","ruleType":"str","severity":"high","severityType":"str","priority":"high","priorityType":"str","evidence":"event","evidenceType":"msg","tags":"login-attempt, detection","tagsType":"str","x":210,"y":1080,"wires":[[]]},{"id":"28880ac1.c18e36","type":"function","z":"d2217a1e.7327b8","name":"Extract IP","func":"msg.event = msg.payload;\nmsg.payload = {ip: msg.payload.sourceAddress};\nreturn msg;","outputs":1,"noerr":0,"x":470,"y":240,"wires":[["bf547258.3071f"]]},{"id":"6ac0f118.b555a","type":"debug","z":"d2217a1e.7327b8","name":"","active":true,"tosidebar":true,"console":false,"tostatus":false,"complete":"true","x":890,"y":940,"wires":[]},{"id":"688a58e.09322a8","type":"echo-subscribe","z":"d2217a1e.7327b8","name":"","tags":"login-attempt","x":470,"y":120,"wires":[["28880ac1.c18e36"]]},{"id":"86492330.22551","type":"function","z":"d2217a1e.7327b8","name":"Should we inspect this?","func":"if (msg.payload.watch_list.exists) {\n    return {\n        event: msg.event,\n        payload: {\n            ip:msg.payload.ip\n            \n        }\n    };    \n}\n","outputs":1,"noerr":0,"x":490,"y":500,"wires":[["e93785bc.d24118","3f14bdbf.f33fe2","b6a188fb.2fefa8"]]},{"id":"30f9a3e0.2bb66c","type":"syslog","z":"d2217a1e.7327b8","name":"","property":"payload","x":470,"y":1080,"wires":[["101e25dc.cae19a"]]}]