#52 Export case into MISP event

thehive-backend/app/controllers/AlertCtrl.scala

@@ -33,7 +33,11 @@ class AlertCtrl @Inject() (
 
   @Timed
   def create(): Action[Fields] = authenticated(Role.write).async(fieldsBodyParser) { implicit request ⇒
-    alertSrv.create(request.body)
+    alertSrv.create(request.body
+      .unset("lastSyncDate")
+      .unset("case")
+      .unset("status")
+      .unset("follow"))
       .map(alert ⇒ renderer.toOutput(CREATED, alert))
   }
 

thehive-backend/app/models/Alert.scala

@@ -95,7 +95,7 @@ class AlertModel @Inject() (dblists: DBLists)
           val sourceRef = (attrs \ "sourceRef").asOpt[String].getOrElse("<null>")
           val _id = hasher.fromString(s"$tpe|$source|$sourceRef").head.toString()
           attrs + ("_id" → JsString(_id))
-        } - "lastSyncDate" - "case" - "status" - "follow"
+        }
       }
   }
 }

thehive-misp/app/connectors/misp/JsonFormat.scala

@@ -65,4 +65,13 @@ object JsonFormat {
       comment,
       value,
       tags :+ s"MISP:category$category" :+ s"MISP:type=$tpe"))
+
+  implicit val exportedAttributeWrites: Writes[ExportedMispAttribute] = Writes[ExportedMispAttribute] { attribute ⇒
+    Json.obj(
+      "category" → attribute.category,
+      "type" → attribute.tpe,
+      "value" → attribute.value.fold[String](identity, _.name),
+      "comment" → attribute.comment,
+      "status" → attribute.status)
+  }
 }

thehive-misp/app/connectors/misp/MispCtrl.scala

@@ -15,13 +15,15 @@ import play.api.libs.json.Json
 import play.api.mvc.{ Action, AnyContent, Controller }
 import play.api.routing.SimpleRouter
 import play.api.routing.sird.{ GET, UrlContext }
-import services.AlertTransformer
+import services.{ AlertTransformer, CaseSrv }
+import connectors.misp.JsonFormat.exportedAttributeWrites
 
 import scala.concurrent.{ ExecutionContext, Future }
 
 @Singleton
 class MispCtrl @Inject() (
     mispSrv: MispSrv,
+    caseSrv: CaseSrv,
     authenticated: Authenticated,
     eventSrv: EventSrv,
     implicit val ec: ExecutionContext) extends Controller with Connector with Status with AlertTransformer {
@@ -30,10 +32,11 @@ class MispCtrl @Inject() (
 
   private[MispCtrl] lazy val logger = Logger(getClass)
   val router = SimpleRouter {
-    case GET(p"/_syncAlerts")    ⇒ syncAlerts
-    case GET(p"/_syncAllAlerts") ⇒ syncAllAlerts
-    case GET(p"/_syncArtifacts") ⇒ syncArtifacts
-    case r                       ⇒ throw NotFoundError(s"${r.uri} not found")
+    case GET(p"/_syncAlerts")                 ⇒ syncAlerts
+    case GET(p"/_syncAllAlerts")              ⇒ syncAllAlerts
+    case GET(p"/_syncArtifacts")              ⇒ syncArtifacts
+    case GET(p"/export/$caseId/to/$mispName") ⇒ exportCase(mispName, caseId)
+    case r                                    ⇒ throw NotFoundError(s"${r.uri} not found")
   }
 
   @Timed
@@ -54,6 +57,18 @@ class MispCtrl @Inject() (
     Ok("")
   }
 
+  @Timed
+  def exportCase(mispName: String, caseId: String): Action[AnyContent] = authenticated(Role.write).async { implicit request ⇒
+    caseSrv
+      .get(caseId)
+      .flatMap { caze ⇒ mispSrv.export(mispName, caze) }
+      .map {
+        case (eventId, exportedAttributes) ⇒ Ok(Json.obj(
+          "eventId" → eventId,
+          "attributes" → exportedAttributes))
+      }
+  }
+
   override def createCase(alert: Alert, customCaseTemplate: Option[String])(implicit authContext: AuthContext): Future[Case] = {
     mispSrv.createCase(alert, customCaseTemplate)
   }