#1731 Fix MISP synchronisation
To-om committed Mar 18, 2021
1 parent 20a1679 commit 08062a9
Showing 2 changed files with 23 additions and 21 deletions.
Expand Up @@ -167,7 +167,7 @@ class MispClient(
val fromDate = (maxAge.map(a => System.currentTimeMillis() - a.toMillis).toSeq ++ publishDate.map(_.getTime))
.sorted(Ordering[Long].reverse)
.headOption
.map(d => "searchpublish_timestamp" -> JsNumber((d / 1000) + 1))
.map(d => "searchtimestamp" -> JsNumber((d / 1000) + 1))
val tagFilter = (whitelistTags ++ excludedTags.map("!" + _)).map(JsString.apply)
val organisationFilter = (whitelistOrganisations ++ excludedOrganisations.map("!" + _)).map(JsString.apply)
val query = JsObject
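Review bot: The filter key on the `fromDate` chain is now `searchtimestamp`, but the value still comes from a parameter named `publishDate`, so the name and the filter no longer describe the same thing. A short comment above the `.map` would record the intent, for example `// filter on the event's last-modification timestamp rather than its publish timestamp`. If the query built just below does not also restrict results to published events (not visible in this hunk), this change may start pulling unpublished edits into alerts, which is worth confirming. The enclosing method starts and ends outside the hunk.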
Expand Up @@ -181,18 +181,20 @@ class MispImportSrv @Inject() (
): Option[Date] = {
val lastOrgSynchro = client
.organisationFilter(organisationSrv.startTraversal)
.group(
_.by,
_.by(
_.alerts
.filterBySource(mispOrganisation)
.filterByType("misp")
.value(a => a.lastSyncDate)
.max
)
)
.head
.values
.notAdmin
._id
.toIterator
.flatMap { orgId =>
alertSrv
.startTraversal
.filterBySource(mispOrganisation)
.filterByType("misp")
.has(_.organisationId, orgId)
.value(a => a.lastSyncDate)
.max
.headOption
}
.toSeq

if (lastOrgSynchro.size == organisations.size && organisations.nonEmpty) Some(lastOrgSynchro.min)
else None
Expand All @@ -213,8 +215,8 @@ class MispImportSrv @Inject() (
observableSrv
.startTraversal
.has(_.organisationIds, organisationSrv.currentId)
.has(_.relatedId, observable.relatedId)
.has(_.data, observable.data.get)
.has(_.relatedId, alert._id)
.has(_.data, data)
.richObservable
.getOrFail("Observable")
_ <-
Expand Down Expand Up @@ -273,7 +275,7 @@ class MispImportSrv @Inject() (
}
}

def importAttibutes(client: TheHiveMispClient, event: Event, alert: Alert with Entity, lastSynchro: Option[Date])(implicit
def importAttributes(client: TheHiveMispClient, event: Event, alert: Alert with Entity, lastSynchro: Option[Date])(implicit
graph: Graph,
authContext: AuthContext
): Unit = {
Expand Down Expand Up @@ -348,10 +350,10 @@ class MispImportSrv @Inject() (
)(implicit graph: Graph, authContext: AuthContext): Try[(Alert with Entity, JsObject)] = {
logger.debug(s"updateOrCreateAlert ${client.name}#${event.id} for organisation ${organisation.name}")
eventToAlert(client, event, organisation._id).flatMap { alert =>
organisationSrv
.get(organisation)
.alerts
alertSrv
.startTraversal
.getBySourceId("misp", mispOrganisation, event.id)
.has(_.organisationId, organisation._id)
.richAlert
.headOption match {
case None => // if the related alert doesn't exist, create it
Expand Down Expand Up @@ -404,7 +406,7 @@ class MispImportSrv @Inject() (

logger.debug(s"Get eligible organisations")
val organisations = db.roTransaction { implicit graph =>
client.organisationFilter(organisationSrv.startTraversal).toSeq
client.organisationFilter(organisationSrv.startTraversal).notAdmin.toSeq
}
val lastSynchro = db.roTransaction { implicit graph =>
getLastSyncDate(client, mispOrganisation, organisations)
Expand All @@ -423,7 +425,7 @@ class MispImportSrv @Inject() (
updateOrCreateAlert(client, organisation, mispOrganisation, event, caseTemplate)
.map {
case (alert, updatedFields) =>
importAttibutes(client, event, alert, if (alert._updatedBy.isEmpty) None else lastSynchro)
importAttributes(client, event, alert, if (alert._updatedBy.isEmpty) None else lastSynchro)
(alert, updatedFields)
}
.recoverWith {
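Review bot: In `getLastSyncDate`, the new traversal re-derives the organisation list with `client.organisationFilter(organisationSrv.startTraversal).notAdmin` even though the caller already passes `organisations`, built from the same expression in a separate `db.roTransaction`. The result is then compared by count only (`lastOrgSynchro.size == organisations.size`), so any drift between the two queries makes the function return `None` with no log line. Such drift could come from a filter edited in one place only, or from an organisation created between the two transactions. Iterating the parameter removes the duplication: start the chain with `organisations.iterator.flatMap { org =>` and use `org._id` in the `.has(_.organisationId, …)` step. The signature of `getLastSyncDate` starts outside the hunk, so the element type of `organisations` is assumed from the `organisation._id` use in `updateOrCreateAlert`.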
