custom

flask-openapi-shuffle/.dockerignore

@@ -0,0 +1,6 @@
+__pycache__/
+*.pyc
+.pytest_cache/
+.venv/
+venv/
+.git/

flask-openapi-shuffle/Dockerfile

@@ -0,0 +1,16 @@
+FROM python:3.11-slim
+
+ENV PYTHONDONTWRITEBYTECODE=1 \
+    PYTHONUNBUFFERED=1
+
+WORKDIR /service
+
+COPY requirements.txt .
+RUN pip install --no-cache-dir -r requirements.txt
+
+COPY app ./app
+COPY app.py .
+
+EXPOSE 8000
+
+CMD ["python", "app.py"]

flask-openapi-shuffle/README.md

@@ -0,0 +1,34 @@
+# Flask OpenAPI Demo for Shuffle
+
+This project is an OpenAPI-first Flask service using Connexion.
+
+## Endpoints
+
+- `GET /health`
+- `POST /echo`
+- `GET /ioc/{value}`
+- Swagger UI: `GET /ui`
+- OpenAPI spec: `GET /openapi.json`
+
+## Run with Docker
+
+```bash
+cd /Users/simplicoltd./projects/soc/flask-openapi-shuffle
+docker compose up --build
+```
+
+Test quickly:
+
+```bash
+curl -s http://localhost:8000/health
+curl -s -X POST http://localhost:8000/echo -H 'Content-Type: application/json' -d '{"message":"hello"}'
+curl -s http://localhost:8000/ioc/8.8.8.8
+```
+
+## Use with Shuffle
+
+In Shuffle App Creator / OpenAPI import, use one of these URLs:
+
+- `http://localhost:8000/openapi.json` (if Shuffle can reach your host localhost)
+- `http://host.docker.internal:8000/openapi.json` (common when Shuffle runs in Docker on Mac/Windows)
+- `http://<your-host-ip>:8000/openapi.json` (Linux Docker or remote host)

flask-openapi-shuffle/app.py

@@ -0,0 +1,19 @@
+import connexion
+
+
+def create_app():
+    cnx_app = connexion.FlaskApp(
+        __name__,
+        specification_dir="app",
+    )
+    cnx_app.add_api(
+        "openapi.yaml",
+        strict_validation=True,
+        validate_responses=True,
+    )
+    return cnx_app
+
+
+if __name__ == "__main__":
+    app = create_app()
+    app.run(host="0.0.0.0", port=8000)

flask-openapi-shuffle/app/__init__.py

@@ -0,0 +1 @@
+# Package marker for Connexion operation imports.

flask-openapi-shuffle/app/handlers.py

@@ -0,0 +1,27 @@
+from datetime import datetime, timezone
+
+
+def health_check():
+    return {"status": "ok", "timestamp": datetime.now(timezone.utc).isoformat()}, 200
+
+
+def echo_body(body):
+    return {"received": body, "length": len(str(body))}, 200
+
+
+def lookup_ioc(value, ioc_type="auto"):
+    normalized = value.strip().lower()
+    verdict = "unknown"
+    if "." in normalized and " " not in normalized:
+        verdict = "domain-like"
+    if normalized.count(".") == 3 and all(part.isdigit() for part in normalized.split(".")):
+        verdict = "ipv4-like"
+    if len(normalized) in {32, 40, 64} and all(c in "0123456789abcdef" for c in normalized):
+        verdict = "hash-like"
+
+    return {
+        "input": value,
+        "type": ioc_type,
+        "verdict": verdict,
+        "source": "demo-local",
+    }, 200

flask-openapi-shuffle/app/openapi.yaml

@@ -0,0 +1,106 @@
+openapi: 3.0.3
+info:
+  title: SOC Demo Flask API
+  version: 1.0.0
+  description: OpenAPI-first Flask service for Shuffle testing.
+servers:
+  - url: http://localhost:8000
+paths:
+  /health:
+    get:
+      operationId: app.handlers.health_check
+      summary: Health check
+      responses:
+        "200":
+          description: Service is healthy
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/HealthResponse"
+  /echo:
+    post:
+      operationId: app.handlers.echo_body
+      summary: Echo request body
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              $ref: "#/components/schemas/EchoRequest"
+      responses:
+        "200":
+          description: Echo response
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/EchoResponse"
+  /ioc/{value}:
+    get:
+      operationId: app.handlers.lookup_ioc
+      summary: Basic IOC classification demo
+      parameters:
+        - name: value
+          in: path
+          required: true
+          schema:
+            type: string
+        - name: ioc_type
+          in: query
+          required: false
+          schema:
+            type: string
+            default: auto
+      responses:
+        "200":
+          description: IOC lookup result
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/LookupResponse"
+components:
+  schemas:
+    HealthResponse:
+      type: object
+      properties:
+        status:
+          type: string
+          example: ok
+        timestamp:
+          type: string
+          format: date-time
+      required:
+        - status
+        - timestamp
+    EchoRequest:
+      type: object
+      additionalProperties: true
+      example:
+        message: test from Shuffle
+    EchoResponse:
+      type: object
+      properties:
+        received:
+          type: object
+          additionalProperties: true
+        length:
+          type: integer
+      required:
+        - received
+        - length
+    LookupResponse:
+      type: object
+      properties:
+        input:
+          type: string
+        type:
+          type: string
+        verdict:
+          type: string
+          example: domain-like
+        source:
+          type: string
+      required:
+        - input
+        - type
+        - verdict
+        - source

flask-openapi-shuffle/docker-compose.yml

@@ -0,0 +1,6 @@
+services:
+  flask-openapi:
+    build: .
+    container_name: flask-openapi-shuffle
+    ports:
+      - "8000:8000"

flask-openapi-shuffle/requirements.txt

@@ -0,0 +1,3 @@
+connexion[flask,swagger-ui]==3.1.0
+flask==3.1.0
+uvicorn==0.34.0

run-combined-stack.sh

@@ -26,24 +26,27 @@ Usage:
 
 Commands:
   up           Start services (default: up -d when no args)
-  down         Stop services
+  down         Stop services (requires explicit target)
   logs         View logs
   status       Show container and endpoint status
   help         Show this help message
 
 Targets:
-  all|--all    All stacks (wazuh, iris, shuffle, pagerduty, integrator)
+  all|--all    All stacks (wazuh, iris, shuffle, pagerduty, integrator, flask-openapi-shuffle)
   wazuh        Wazuh single-node stack
   iris         IRIS-web stack
   shuffle      Shuffle stack
   pagerduty    PagerDuty stub
   integrator   SOC integrator stack
+  flask-openapi-shuffle  Flask OpenAPI demo stack
 
 Examples:
   ./run-combined-stack.sh
   ./run-combined-stack.sh up --all -d
   ./run-combined-stack.sh up iris -d
+  ./run-combined-stack.sh up flask-openapi-shuffle -d
   ./run-combined-stack.sh down shuffle
+  ./run-combined-stack.sh down --all
   ./run-combined-stack.sh logs integrator -f
   ./run-combined-stack.sh logs --all --tail 200
   ./run-combined-stack.sh status
@@ -104,6 +107,14 @@ run_soc_integrator() {
     "${COMMAND}" ${ARGS[@]+"${ARGS[@]}"}
 }
 
+run_flask_openapi_shuffle() {
+  docker compose \
+    --project-name flask-openapi-shuffle \
+    --project-directory "${ROOT_DIR}/flask-openapi-shuffle" \
+    -f "${ROOT_DIR}/flask-openapi-shuffle/docker-compose.yml" \
+    "${COMMAND}" ${ARGS[@]+"${ARGS[@]}"}
+}
+
 run_target() {
   local target="$1"
   case "${target}" in
@@ -122,9 +133,12 @@ run_target() {
     integrator)
       run_soc_integrator
       ;;
+    flask-openapi-shuffle)
+      run_flask_openapi_shuffle
+      ;;
     *)
       echo "Unknown target: ${target}"
-      echo "Use one of: wazuh, iris, shuffle, pagerduty, integrator"
+      echo "Use one of: wazuh, iris, shuffle, pagerduty, integrator, flask-openapi-shuffle"
       exit 1
       ;;
   esac
@@ -134,6 +148,7 @@ run_all() {
   local mode="$1"
 
   if [[ "${mode}" == "down" ]]; then
+    run_flask_openapi_shuffle
     run_soc_integrator
     run_pagerduty_stub
     run_shuffle
@@ -145,6 +160,7 @@ run_all() {
     run_shuffle
     run_pagerduty_stub
     run_soc_integrator
+    run_flask_openapi_shuffle
   fi
 }
 
@@ -157,6 +173,7 @@ follow_all_logs() {
   run_shuffle &
   run_pagerduty_stub &
   run_soc_integrator &
+  run_flask_openapi_shuffle &
 
   trap 'kill 0' INT TERM
   wait
@@ -180,25 +197,37 @@ run_logs_for_target() {
     integrator)
       run_soc_integrator
       ;;
+    flask-openapi-shuffle)
+      run_flask_openapi_shuffle
+      ;;
     all|--all)
       run_wazuh
       run_iris
       run_shuffle
       run_pagerduty_stub
       run_soc_integrator
+      run_flask_openapi_shuffle
       ;;
     *)
       echo "Unknown logs target: ${target}"
-      echo "Use one of: wazuh, iris, shuffle, pagerduty, integrator"
+      echo "Use one of: wazuh, iris, shuffle, pagerduty, integrator, flask-openapi-shuffle"
       exit 1
       ;;
   esac
 }
 
 if [[ "${COMMAND}" == "down" ]]; then
-  TARGET="${1:-all}"
+  TARGET="${1:-}"
+  if [[ -z "${TARGET}" ]]; then
+    echo "Refusing to run 'down' without a target."
+    echo "Use one of:"
+    echo "  ./run-combined-stack.sh down <wazuh|iris|shuffle|pagerduty|integrator|flask-openapi-shuffle>"
+    echo "  ./run-combined-stack.sh down --all"
+    exit 1
+  fi
+
   case "${TARGET}" in
-    wazuh|iris|shuffle|pagerduty|integrator)
+    wazuh|iris|shuffle|pagerduty|integrator|flask-openapi-shuffle)
       ARGS=("${ARGS[@]:1}")
       run_target "${TARGET}"
       ;;
@@ -213,7 +242,7 @@ if [[ "${COMMAND}" == "down" ]]; then
 elif [[ "${COMMAND}" == "logs" ]]; then
   LOGS_TARGET="${1:-all}"
   case "${LOGS_TARGET}" in
-    wazuh|iris|shuffle|pagerduty|integrator)
+    wazuh|iris|shuffle|pagerduty|integrator|flask-openapi-shuffle)
       ARGS=("${ARGS[@]:1}")
       run_logs_for_target "${LOGS_TARGET}"
       ;;
@@ -225,7 +254,7 @@ elif [[ "${COMMAND}" == "logs" ]]; then
       for arg in ${ARGS[@]+"${ARGS[@]}"}; do
         if [[ "${arg}" == "-f" || "${arg}" == "--follow" ]]; then
           echo "For follow mode, specify one target:"
-          echo "./run-combined-stack.sh logs <wazuh|iris|shuffle|pagerduty|integrator> -f"
+          echo "./run-combined-stack.sh logs <wazuh|iris|shuffle|pagerduty|integrator|flask-openapi-shuffle> -f"
           exit 1
         fi
       done
@@ -235,7 +264,7 @@ elif [[ "${COMMAND}" == "logs" ]]; then
 elif [[ "${COMMAND}" == "up" ]]; then
   TARGET="${1:-all}"
   case "${TARGET}" in
-    wazuh|iris|shuffle|pagerduty|integrator)
+    wazuh|iris|shuffle|pagerduty|integrator|flask-openapi-shuffle)
       ARGS=("${ARGS[@]:1}")
       run_target "${TARGET}"
       ;;

shuffle-workflows/sample-ip-ioc-check-workflow.json

@@ -0,0 +1,244 @@
+{
+  "workflow_as_code": false,
+  "actions": [
+    {
+      "app_name": "Shuffle Tools",
+      "app_version": "1.2.0",
+      "description": "Receive IP input from webhook payload.",
+      "app_id": "0671c57b-3af6-43f7-9501-b2f916c127c8",
+      "errors": [],
+      "id": "b6f4c2a8-3d6d-4d1f-8c70-03d09a1e6f11",
+      "is_valid": true,
+      "isStartNode": true,
+      "sharing": true,
+      "label": "Webhook Trigger (IP Input)",
+      "public": true,
+      "generated": false,
+      "large_image": "",
+      "environment": "Shuffle",
+      "name": "webhook",
+      "parameters": [
+        {
+          "name": "source_ip",
+          "value": "",
+          "description": "IP address to check as IOC.",
+          "required": true,
+          "multiline": false,
+          "multiselect": false,
+          "options": null,
+          "action_field": "",
+          "variant": "",
+          "configuration": false,
+          "tags": null,
+          "schema": {
+            "type": ""
+          },
+          "skip_multicheck": false,
+          "value_replace": null,
+          "unique_toggled": false,
+          "error": "",
+          "hidden": false
+        }
+      ],
+      "execution_variable": {
+        "description": "",
+        "id": "",
+        "name": "",
+        "value": ""
+      },
+      "position": {
+        "x": 100,
+        "y": 120
+      },
+      "authentication_id": "",
+      "category": "",
+      "reference_url": "",
+      "sub_action": false,
+      "run_magic_output": false,
+      "run_magic_input": false,
+      "execution_delay": 0,
+      "category_label": null,
+      "suggestion": false,
+      "parent_controlled": false,
+      "source_workflow": "",
+      "source_execution": ""
+    },
+    {
+      "app_name": "Shuffle Tools",
+      "app_version": "1.2.0",
+      "description": "Build request body for SOC IOC evaluation endpoint.",
+      "app_id": "0671c57b-3af6-43f7-9501-b2f916c127c8",
+      "errors": [],
+      "id": "e72dcb76-a265-4da1-a0dd-2f65f558b52f",
+      "is_valid": true,
+      "isStartNode": false,
+      "sharing": true,
+      "label": "Prepare IOC Check Payload",
+      "public": true,
+      "generated": false,
+      "large_image": "",
+      "environment": "Shuffle",
+      "name": "repeat_back_to_me",
+      "parameters": [
+        {
+          "name": "call",
+          "value": "{\"ioc_type\":\"ip\",\"ioc_value\":\"{{actions.b6f4c2a8-3d6d-4d1f-8c70-03d09a1e6f11.source_ip}}\",\"source_event\":{\"event_id\":\"shuffle-ip-check-sample\",\"network\":{\"src_ip\":\"{{actions.b6f4c2a8-3d6d-4d1f-8c70-03d09a1e6f11.source_ip}}\"}}}",
+          "description": "Use this JSON as body for POST /mvp/ioc/evaluate in a HTTP node.",
+          "required": false,
+          "multiline": true,
+          "multiselect": false,
+          "options": null,
+          "action_field": "",
+          "variant": "",
+          "configuration": false,
+          "tags": null,
+          "schema": {
+            "type": ""
+          },
+          "skip_multicheck": false,
+          "value_replace": null,
+          "unique_toggled": false,
+          "error": "",
+          "hidden": false
+        }
+      ],
+      "execution_variable": {
+        "description": "",
+        "id": "",
+        "name": "",
+        "value": ""
+      },
+      "position": {
+        "x": 430,
+        "y": 120
+      },
+      "authentication_id": "",
+      "category": "",
+      "reference_url": "",
+      "sub_action": false,
+      "run_magic_output": false,
+      "run_magic_input": false,
+      "execution_delay": 0,
+      "category_label": null,
+      "suggestion": false,
+      "parent_controlled": false,
+      "source_workflow": "",
+      "source_execution": ""
+    }
+  ],
+  "branches": [
+    {
+      "id": "branch-ip-ioc-1",
+      "source": "b6f4c2a8-3d6d-4d1f-8c70-03d09a1e6f11",
+      "destination": "e72dcb76-a265-4da1-a0dd-2f65f558b52f",
+      "success": true,
+      "label": ""
+    }
+  ],
+  "visual_branches": null,
+  "triggers": [],
+  "comments": [],
+  "configuration": {
+    "exit_on_error": false,
+    "start_from_top": false,
+    "skip_notifications": false
+  },
+  "created": 1771470000,
+  "edited": 1771470000,
+  "last_runtime": 0,
+  "due_date": 0,
+  "id": "d2ccf0bd-bf4d-4f77-8eea-c1a65f1ea3e9",
+  "is_valid": true,
+  "name": "Sample - IP IOC Check Payload Builder",
+  "description": "Sample Shuffle workflow JSON for IP IOC check integration. Trigger with source_ip, then pass generated JSON to HTTP POST /mvp/ioc/evaluate.",
+  "start": "b6f4c2a8-3d6d-4d1f-8c70-03d09a1e6f11",
+  "owner": "1050bd5b-b1bb-4c22-acfb-94156cdc0567",
+  "sharing": "private",
+  "execution_org": {
+    "name": "default",
+    "id": "03264040-f718-4a61-b9ac-61c7cac3fe99",
+    "users": [],
+    "role": "admin",
+    "child_orgs": null,
+    "region_url": "",
+    "is_partner": false,
+    "image": "",
+    "creator_org": "",
+    "branding": {
+      "enable_chat": false,
+      "home_url": "",
+      "theme": "",
+      "documentation_link": "",
+      "global_user": false,
+      "support_email": "",
+      "logout_url": "",
+      "brand_color": "",
+      "brand_name": ""
+    }
+  },
+  "org_id": "03264040-f718-4a61-b9ac-61c7cac3fe99",
+  "workflow_variables": null,
+  "execution_environment": "",
+  "previously_saved": true,
+  "categories": {
+    "intel": {
+      "name": "intel",
+      "count": 0,
+      "id": "",
+      "description": "",
+      "large_image": ""
+    }
+  },
+  "example_argument": "",
+  "public": false,
+  "default_return_value": "",
+  "contact_info": {
+    "name": "",
+    "url": ""
+  },
+  "published_id": "",
+  "revision_id": "",
+  "usecase_ids": null,
+  "input_questions": null,
+  "form_control": {
+    "input_markdown": "",
+    "output_yields": null,
+    "cleanup_actions": null,
+    "form_width": 0
+  },
+  "blogpost": "",
+  "video": "",
+  "status": "test",
+  "workflow_type": "",
+  "generated": false,
+  "hidden": false,
+  "background_processing": false,
+  "updated_by": "root",
+  "validated": false,
+  "validation": {
+    "valid": false,
+    "changed_at": 0,
+    "last_valid": 0,
+    "validation_ran": false,
+    "notifications_created": 0,
+    "environment": "",
+    "workflow_id": "",
+    "execution_id": "",
+    "node_id": "",
+    "total_problems": 0,
+    "errors": [],
+    "subflow_apps": []
+  },
+  "parentorg_workflow": "",
+  "childorg_workflow_ids": null,
+  "suborg_distribution": [],
+  "backup_config": {
+    "onprem_backup": false,
+    "upload_repo": "",
+    "upload_branch": "",
+    "upload_username": "",
+    "upload_token": "",
+    "tokens_encrypted": false
+  },
+  "auth_groups": null
+}