Small changes to the auto generate workflow system

Author: frikky

blobs.go

@@ -134,6 +134,8 @@ func GetDefaultWorkflowByType(workflow Workflow, orgId string, categoryAction Ca
 			Description: "List tickets from different systems and ingest them",
 			OrgId:       orgId,
 			Start:       startActionId,
+			UsecaseIds: []string{"SIEM to ticket"},
+			Tags: []string{"ingest", "automatic"},
 			Actions: []Action{
 				Action{
 					Name:        actionName,
@@ -184,10 +186,12 @@ func GetDefaultWorkflowByType(workflow Workflow, orgId string, categoryAction Ca
 	} else if parsedActiontype == "ingest_tickets_webhook" {
 
 		defaultWorkflow := Workflow{
-			Name:        actionType,
+			Name:        "Ingestion Webhook",
 			Description: "Ingest tickets through a webhook",
 			OrgId:       orgId,
 			Start:       startActionId,
+			UsecaseIds: []string{"SIEM to ticket"},
+			Tags: []string{"ingest", "webhook", "automatic"},
 			Actions: []Action{
 				Action{
 					Name:        "Translate standard",
@@ -326,6 +330,8 @@ func GetDefaultWorkflowByType(workflow Workflow, orgId string, categoryAction Ca
 			Description: "Monitor threatlists and ingest regularly",
 			OrgId:       orgId,
 			Start:       startActionId,
+			UsecaseIds: []string{"External Enrichment"},
+			Tags: []string{"ingest", "feeds", "automatic"},
 			Actions: []Action{
 				Action{
 					Name:        "GET",
@@ -1679,7 +1685,7 @@ func GetUsecaseData() string {
                 }
             },
             {
-                "name": "External historical Enrichment",
+                "name": "External Enrichment",
 				"priority": 90,
 				"type": "intel",
                 "items": {

codegen.go

@@ -8,7 +8,6 @@ import (
 	"compress/gzip"
 	"context"
 	"crypto/md5"
-	"crypto/sha1"
 	"crypto/sha256"
 	"encoding/json"
 	"errors"
@@ -30,7 +29,6 @@ import (
 	"cloud.google.com/go/storage"
 	docker "github.com/docker/docker/client"
 	"github.com/frikky/kin-openapi/openapi3"
-	uuid "github.com/satori/go.uuid"
 	"gopkg.in/yaml.v2"
 )
 
@@ -4774,61 +4772,29 @@ func handleRunDatastoreAutomation(cacheData CacheKeyData, automation DatastoreAu
 	}
 
 	if parsedName == "correlate_categories" {
-		if debug {
-		}
-
-		// Ensure the standard correlation-workflow exists
-		seedString := fmt.Sprintf("%s_correlate_categories", cacheData.OrgId)
-		hash := sha1.New()
-		hash.Write([]byte(seedString))
-		hashBytes := hash.Sum(nil)
-
-		uuidBytes := make([]byte, 16)
-		copy(uuidBytes, hashBytes)
-		workflowId := uuid.Must(uuid.FromBytes(uuidBytes)).String()
-
-		workflow, err := GetWorkflow(ctx, workflowId)
-		if err != nil || workflow.ID == "" || workflow.Name == "" {
-			log.Printf("[ERROR] Failed to get correlation workflow by ID %s: %s", workflowId, err)
-
-			categoryAction := CategoryAction{
-				Label: "correlate_categories",
-			}
-
-			workflow.ID = workflowId
-			newWorkflow, err := GetDefaultWorkflowByType(*workflow, cacheData.OrgId, categoryAction)
-			if err != nil || newWorkflow.ID == "" || newWorkflow.Name == "" {
-				log.Printf("[ERROR] Failed to get default workflow by type %s: %s", categoryAction.Label, err)
-				return errors.New(fmt.Sprintf("Failed to get default workflow by type %s: %s", categoryAction, err))
-			}
+		// Correlations don't matter anymore as ngrams are automatic. Cleaned up
+		// november 2025 after adding graphic system to datastore
+	} else if parsedName == "enrich" {
+		log.Printf("Should enrich the following data: %s", string(marshalledBody))
 
-			workflow = &newWorkflow
-			workflow.ID = workflowId
+		// Use key "enrichments" =>
+		// [{"name": "answers.ip", "value": "92.24.47.250", "type": "location", "data": {"city": "Socotra", "continent": "Asia", "coordinates": [-25.4153, 17.0743], "country": "YE", "desc": "Yemen"}}]
 
-			SetWorkflow(ctx, *workflow, workflowId)
-		}
+		// Send the data into shuffle_tools => parse_ioc?
+		// Or generate a subflow that runs for it? :thinking:
 
-		for _, option := range automation.Options {
-			if option.Key != "datastore_categories" {
-				continue
-			}
+		// Example process:
+		// 1. Ingest IOC (hash/IP/domain/alert) => inject into datastore category
+		// 2. Query reputation + passive DNS + WHOIS + SSL CT.
+		// 3. Run lookup in historic sightings (SIEM, MISP).
+		// 4. If file hash: submit to sandbox + static YARA.
+		// 5. Map results to ATT&CK techniques and assign a risk score.
+		// 6. Push enriched alert to SIEM/EDR/SOAR for automated playbook or analyst triage.
+		// 7. If high confidence, add to blocklists / trigger containment / share via STIX/TAXII or MISP.
 
-			if len(option.Value) == 0 {
-				continue
-			}
 
-			log.Printf("[DEBUG] Found datastore categories to correlate: %s. Workflow to run: %s", option.Value, workflow.ID)
-
-			//func handleDatastoreAutomationWebhook(ctx context.Context, marshalledBody []byte, cacheData CacheKeyData, automation DatastoreAutomation, url, runType  string) error {
-			go handleDatastoreAutomationWebhook(
-				ctx,
-				marshalledBody,
-				cacheData,
-				automation,
-				fmt.Sprintf("/api/v1/workflows/%s/execute", workflowId),
-				"run_workflow",
-			)
-		}
+		// Getting started:
+		// 1. Check for enrichments key. Stop if it exists.
 
 	} else if parsedName == "run_workflow" {
 		if debug {

db-connector.go

@@ -13475,7 +13475,7 @@ func SetDatastoreKeyBulk(ctx context.Context, allKeys []CacheKeyData) ([]Datasto
 					}
 
 					// Run the automation
-					// This should prolly make a notification if it fails
+					// This should make a notification if it fails
 					go func(cacheData CacheKeyData, automation DatastoreAutomation) {
 						err := handleRunDatastoreAutomation(cacheData, automation)
 						if err != nil {
@@ -13689,7 +13689,7 @@ func SetDatastoreKey(ctx context.Context, cacheData CacheKeyData) error {
 				}
 
 				// Run the automation
-				// This should prolly make a notification if it fails
+				// This should make a notification if it fails
 				go func(cacheData CacheKeyData, automation DatastoreAutomation) {
 					err := handleRunDatastoreAutomation(cacheData, automation)
 					if err != nil {