From 839a7e137909aca3d1d69a2612b3738fb041f84b Mon Sep 17 00:00:00 2001
From: Nabil Adouani <nabil.adouani@gmail.com>
Date: Fri, 29 Jan 2021 17:03:54 +0100
Subject: [PATCH] #1766 WIP: Add a section to manage attack pattern catalogs

---
 frontend/app/index.html                       |   2 +
 frontend/app/scripts/app.js                   |  15 ++
 .../admin/attack/AttackPatternListCtrl.js     | 159 ++++++++++++++++++
 .../scripts/services/api/AttackPatternSrv.js  |  52 ++++++
 .../views/components/header.component.html    |  19 ++-
 .../views/partials/admin/attack/import.html   |  22 +++
 .../app/views/partials/admin/attack/list.html |  96 +++++++++++
 .../partials/admin/attack/list/filters.html   |  38 +++++
 .../partials/admin/attack/list/toolbar.html   |  21 +++
 .../app/views/partials/admin/attack/view.html | 107 ++++++++++++
 10 files changed, 525 insertions(+), 6 deletions(-)
 create mode 100644 frontend/app/scripts/controllers/admin/attack/AttackPatternListCtrl.js
 create mode 100644 frontend/app/scripts/services/api/AttackPatternSrv.js
 create mode 100644 frontend/app/views/partials/admin/attack/import.html
 create mode 100644 frontend/app/views/partials/admin/attack/list.html
 create mode 100644 frontend/app/views/partials/admin/attack/list/filters.html
 create mode 100644 frontend/app/views/partials/admin/attack/list/toolbar.html
 create mode 100644 frontend/app/views/partials/admin/attack/view.html

diff --git a/frontend/app/index.html b/frontend/app/index.html
index 8e4642c44c..dfdb2865af 100644
--- a/frontend/app/index.html
+++ b/frontend/app/index.html
@@ -159,6 +159,7 @@
     <script src="scripts/controllers/admin/AdminCustomFieldsCtrl.js"></script>
     <script src="scripts/controllers/admin/AdminObservablesCtrl.js"></script>
     <script src="scripts/controllers/admin/AdminUiSettingsCtrl.js"></script>
+    <script src="scripts/controllers/admin/attack/AttackPatternListCtrl.js"></script>
     <script src="scripts/controllers/admin/organisation/case-template/AdminCaseTemplateImportCtrl.js"></script>
     <script src="scripts/controllers/admin/organisation/case-template/AdminCaseTemplateTasksCtrl.js"></script>
     <script src="scripts/controllers/admin/organisation/OrgDetailsCtrl.js"></script>
@@ -284,6 +285,7 @@
     <script src="scripts/services/api/AlertingSrv.js"></script>
     <script src="scripts/services/api/AnalyzerSrv.js"></script>
     <script src="scripts/services/api/AnalyzerTemplateSrv.js"></script>
+    <script src="scripts/services/api/AttackPatternSrv.js"></script>
     <script src="scripts/services/api/AuditSrv.js"></script>
     <script src="scripts/services/api/AuthenticationSrv.js"></script>
     <script src="scripts/services/api/CaseSrv.js"></script>
diff --git a/frontend/app/scripts/app.js b/frontend/app/scripts/app.js
index 80d8e764a0..9676fea0b4 100644
--- a/frontend/app/scripts/app.js
+++ b/frontend/app/scripts/app.js
@@ -232,6 +232,21 @@ angular.module('thehive', [
                     permissions: ['manageTaxonomy']
                 }
             })
+            .state('app.administration.attackPatterns', {
+                url: '/attack-patterns',
+                templateUrl: 'views/partials/admin/attack/list.html',
+                controller: 'AttackPatternListCtrl',
+                controllerAs: '$vm',
+                title: 'ATT&CK patterns administration',
+                resolve: {
+                    appConfig: function(VersionSrv) {
+                        return VersionSrv.get();
+                    }
+                }
+                // guard: {
+                //     permissions: ['manageTaxonomy']
+                // }
+            })
             .state('app.administration.organisations', {
                 url: '/organisations',
                 templateUrl: 'views/partials/admin/organisation/list.html',
diff --git a/frontend/app/scripts/controllers/admin/attack/AttackPatternListCtrl.js b/frontend/app/scripts/controllers/admin/attack/AttackPatternListCtrl.js
new file mode 100644
index 0000000000..2c91a1bdd3
--- /dev/null
+++ b/frontend/app/scripts/controllers/admin/attack/AttackPatternListCtrl.js
@@ -0,0 +1,159 @@
+(function() {
+    'use strict';
+
+    angular.module('theHiveControllers')
+        .controller('AttackPatternListCtrl', AttackPatternListCtrl)
+        .controller('AttackPatternDialogCtrl', AttackPatternDialogCtrl)
+        .controller('AttackPatternImportCtrl', AttackPatternImportCtrl);
+
+    function AttackPatternListCtrl($scope, $uibModal, PaginatedQuerySrv, FilteringSrv, AttackPatternSrv, NotificationSrv, ModalSrv, appConfig) {
+        var self = this;
+
+        this.appConfig = appConfig;
+
+        self.load = function() {
+            this.loading = true;
+
+            this.list = new PaginatedQuerySrv({
+                name: 'attack-patterns',
+                root: undefined,
+                objectType: 'pattern',
+                version: 'v1',
+                scope: $scope,
+                sort: self.filtering.context.sort,
+                loadAll: false,
+                pageSize: self.filtering.context.pageSize,
+                filter: this.filtering.buildQuery(),
+                baseFilter: {
+                    _field: 'patternType',
+                    _value:'attack-pattern'
+                },
+                operations: [
+                    {'_name': 'listPattern'}
+                ],
+                extraData: ['enabled'],
+                onUpdate: function() {
+                    self.loading = false;
+                }
+            });
+        };
+
+        self.show = function(patternId) {
+            $uibModal.open({
+                animation: true,
+                templateUrl: 'views/partials/admin/attack/view.html',
+                controller: 'AttackPatternDialogCtrl',
+                controllerAs: '$modal',
+                size: 'max',
+                resolve: {
+                    pattern: function() {
+                        return AttackPatternSrv.get(patternId);
+                    }
+                }
+            });
+        };
+
+
+        self.import = function () {
+            var modalInstance = $uibModal.open({
+                animation: true,
+                templateUrl: 'views/partials/admin/attack/import.html',
+                controller: 'AttackPatternImportCtrl',
+                controllerAs: '$vm',
+                size: 'lg',
+                resolve: {
+                    appConfig: self.appConfig
+                }
+            });
+
+            modalInstance.result
+                .then(function() {
+                    self.load();
+                })
+                .catch(function(err){
+                    if(err && !_.isString(err)) {
+                        NotificationSrv.error('Pattern import', err.data, err.status);
+                    }
+                });
+        };
+
+        this.toggleFilters = function () {
+            this.filtering.toggleFilters();
+        };
+
+        this.filter = function () {
+            self.filtering.filter().then(this.applyFilters);
+        };
+
+        this.clearFilters = function () {
+            this.filtering.clearFilters()
+                .then(self.search);
+        };
+
+        this.removeFilter = function (index) {
+            self.filtering.removeFilter(index)
+                .then(self.search);
+        };
+
+        this.search = function () {
+            self.load();
+            self.filtering.storeContext();
+        };
+        this.addFilterValue = function (field, value) {
+            this.filtering.addFilterValue(field, value);
+            this.search();
+        };
+
+        self.$onInit = function() {
+            self.filtering = new FilteringSrv('pattern', 'attack-pattern.list', {
+                version: 'v1',
+                defaults: {
+                    showFilters: true,
+                    showStats: false,
+                    pageSize: 15,
+                    sort: ['+name']
+                },
+                defaultFilter: []
+            });
+
+            self.filtering.initContext('list')
+                .then(function() {
+                    self.load();
+
+                    $scope.$watch('$vm.list.pageSize', function (newValue) {
+                        self.filtering.setPageSize(newValue);
+                    });
+                });
+        };
+    }
+
+    function AttackPatternDialogCtrl($uibModalInstance, AttackPatternSrv, NotificationSrv, pattern) {
+        this.pattern = pattern;
+
+        this.ok = function () {
+            $uibModalInstance.close();
+        };
+
+        this.cancel = function () {
+            $uibModalInstance.dismiss('cancel');
+        };
+    }
+
+    function AttackPatternImportCtrl($uibModalInstance, AttackPatternSrv, NotificationSrv, appConfig) {
+        this.appConfig = appConfig;
+        this.formData = {};
+
+        this.ok = function () {
+            AttackPatternSrv.import(this.formData)
+                .then(function() {
+                    $uibModalInstance.close();
+                }, function(response) {
+                    NotificationSrv.error('AttackPatternImportCtrl', response.data, response.status);
+                });
+        };
+
+        this.cancel = function () {
+            $uibModalInstance.dismiss('cancel');
+        };
+    }
+})();
diff --git a/frontend/app/scripts/services/api/AttackPatternSrv.js b/frontend/app/scripts/services/api/AttackPatternSrv.js
new file mode 100644
index 0000000000..1979cfde9c
--- /dev/null
+++ b/frontend/app/scripts/services/api/AttackPatternSrv.js
@@ -0,0 +1,52 @@
+
+(function() {
+    'use strict';
+    angular.module('theHiveServices')
+        .service('AttackPatternSrv', function($http, QuerySrv) {
+            var baseUrl = './api/v1/pattern';
+
+            this.list = function() {
+                return QuerySrv.call('v1', [
+                    { _name: 'listPattern' }
+                ], {
+                    name:'list-attack-patterns'
+                });
+            };
+
+            this.get = function(id) {
+                return $http.get(baseUrl + '/' + id)
+                    .then(function(response){
+                        return response.data;
+                    });
+            };
+
+            this.import = function(post) {
+                var postData = {
+                    file: post.attachment
+                };
+
+                return $http({
+                    method: 'POST',
+                    url: baseUrl + '/import/attack',
+                    headers: {
+                        'Content-Type': undefined
+                    },
+                    transformRequest: function (data) {
+                        var formData = new FormData(),
+                            copy = angular.copy(data, {});
+
+                        angular.forEach(data, function (value, key) {
+                            if (Object.getPrototypeOf(value) instanceof Blob || Object.getPrototypeOf(value) instanceof File) {
+                                formData.append(key, value);
+                                delete copy[key];
+                            }
+                        });
+
+                        return formData;
+                    },
+                    data: postData
+                });
+            };
+        });
+
+})();
diff --git a/frontend/app/views/components/header.component.html b/frontend/app/views/components/header.component.html
index ca85b74689..fed26cd57f 100644
--- a/frontend/app/views/components/header.component.html
+++ b/frontend/app/views/components/header.component.html
@@ -98,12 +98,6 @@
                                 <span class="hpad5">Case custom fields</span>
                             </a>
                         </li>
-                        <li if-permission="manageTaxonomy">
-                            <a ui-sref="app.administration.taxonomies">
-                                <i class="fa fa-tags"></i>
-                                <span class="hpad5">Taxonomies</span>
-                            </a>
-                        </li>
                         <li if-permission="manageObservableTemplate">
                             <a ui-sref="app.administration.observables">
                                 <i class="glyphicon glyphicon-pushpin"></i>
@@ -116,6 +110,19 @@
                                 <span class="hpad5">Analyzer templates</span>
                             </a>
                         </li>
+                        <li class="divider"></li>
+                        <li if-permission="manageTaxonomy">
+                            <a ui-sref="app.administration.taxonomies">
+                                <i class="fa fa-tags"></i>
+                                <span class="hpad5">Taxonomies</span>
+                            </a>
+                        </li>
+                        <li>
+                            <a ui-sref="app.administration.attackPatterns">
+                                <i class="fa fa-tags"></i>
+                                <span class="hpad5">ATT&CK Patterns</span>
+                            </a>
+                        </li>
                         <!-- <li>
                             <a ui-sref="app.administration.ui-settings">
                                 <i class="fa fa-cogs"></i>
diff --git a/frontend/app/views/partials/admin/attack/import.html b/frontend/app/views/partials/admin/attack/import.html
new file mode 100644
index 0000000000..0a8fbc0786
--- /dev/null
+++ b/frontend/app/views/partials/admin/attack/import.html
@@ -0,0 +1,22 @@
+<form class="" name="form" ng-submit="$vm.ok()">
+    <div class="modal-header bg-primary">
+        <h3 class="modal-title">Import MITRE ATT&CK patterns</h3>
+    </div>
+    <div class="modal-body">
+
+        <div class="filter-panel mb-s">
+            <h4>Download the official MITRE ATT&CK library</h4>
+            <p>You can download the latest archive of the official MITRE ATT&CK patterns <a target="_blank" href="https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json?version=TheHive-{{$vm.appConfig.versions.TheHive}}">from here</a></p>
+        </div>
+
+        <div class="form-group">
+            <label class="control-label">MITRE ATT&CK patterns</label>
+            <input type="hidden" name="attachment" ng-model="$vm.formData.attachment.status" required>
+            <div file-chooser="" filemodel="$vm.formData.attachment"></div>
+        </div>
+    </div>
+    <div class="modal-footer">
+        <button class="btn btn-default pull-left" type="button" ng-click="$vm.cancel()">Cancel</button>
+        <button class="btn btn-primary pull-right" type="submit" ng-disabled="form.$invalid">Yes, Import it</button>
+    </div>
+</form>
diff --git a/frontend/app/views/partials/admin/attack/list.html b/frontend/app/views/partials/admin/attack/list.html
new file mode 100644
index 0000000000..02ed890326
--- /dev/null
+++ b/frontend/app/views/partials/admin/attack/list.html
@@ -0,0 +1,96 @@
+<div class="row">
+    <div class="col-md-12">
+        <div class="box">
+            <div class="box-header with-border">
+                <h3 class="box-title">List of ATT&CK patterns</h3>
+            </div>
+            <div class="box-body">
+                <div ng-include="'views/partials/admin/attack/list/toolbar.html'"></div>
+
+                <div class="mt-xs filter-panel" ng-include="'views/partials/admin/attack/list/filters.html'" ng-show="$vm.filtering.context.showFilters"></div>
+
+                <div class="row mt-xs">
+                    <div class="col-md-12 clearfix">
+
+                        <filters-preview filters="$vm.filtering.context.filters"
+                            on-clear-item="$vm.removeFilter(field)"
+                            on-clear-all="$vm.clearFilters()"></filters-preview>
+                    </div>
+                </div>
+
+                <div class="row mv-s" ng-show="$vm.loading === false && $vm.list.values.length === 0">
+                    <div class="col-md-12">
+                        <div class="empty-message">No ATT&CK patterns found.</div>
+                    </div>
+                </div>
+
+                <div class="row mv-s" ng-show="$vm.loading === true">
+                    <div class="col-md-12">
+                        <div class="loading-message">
+                            <i class="fa fa-circle-o-notch fa-spin fa-fw"></i>
+                            <span>loading patterns...</span>
+                        </div>
+                    </div>
+                </div>
+
+                <!-- Datalist  -->
+                <div class="row mt-s" ng-if="$vm.loading === false && $vm.list.values.length > 0">
+                    <psearch control="$vm.list"></psearch>
+
+                    <div class="col-md-12">
+                        <table class="table table-striped case-list">
+                            <thead>
+                                <tr>
+                                    <th width="100">ID</th>
+                                    <th width="200">Name</th>
+                                    <th width="200">Sub-Technique of</th>
+                                    <th width="200">Tactics</th>
+                                    <th>Description</th>
+                                    <th width="120"></th>
+                                </tr>
+                            </thead>
+                            <tbody>
+                                <tr ng-repeat="pattern in $vm.list.values">
+                                    <td>
+                                        <a href ng-click="$vm.show(pattern.patternId)">{{::pattern.patternId}}</a>
+                                    </td>
+                                    <td>{{::pattern.name}}</td>
+                                    <td>
+                                        <span ng-if="!pattern.parent">-</span>
+                                        <a ng-if="::pattern.parent" href ng-click="$vm.show(pattern.parent)">{{::pattern.parent}}</a>
+                                    </td>
+                                    <td>
+                                        <div ng-repeat="tactic in ::pattern.tactics" class="mb-xxs">
+                                            <span class="label label-default clickable" ng-click="$vm.addFilterValue('tactics', tactic)">{{tactic}}</span>
+                                        </div>
+                                    </td>
+                                    <td class="wrap">
+                                        {{::pattern.description | limitTo:250}}...
+                                    </td>
+                                    <td class="clearfix">
+                                        <div class="pull-right">
+                                            <a class="btn btn-icon btn-clear" href="{{::pattern.url}}" target="_blank">
+                                                <i class="text-primary fa fa-external-link"></i>
+                                            </a>
+
+                                            <a class="btn btn-icon btn-clear" href  ng-click="$vm.show(pattern)" uib-tooltip="Edit pattern">
+                                                <i class="text-primary fa fa-search"></i>
+                                            </a>
+
+                                            <a class="btn btn-icon btn-clear" href  ng-click="$vm.remove(pattern)" uib-tooltip="Delete pattern">
+                                                <i class="text-danger fa fa-trash"></i>
+                                            </a>
+                                        </div>
+
+                                    </td>
+                                </tr>
+                            </tbody>
+                        </table>
+                    </div>
+
+                    <psearch control="$vm.list"></psearch>
+                </div>
+            </div>
+        </div>
+    </div>
+</div>
diff --git a/frontend/app/views/partials/admin/attack/list/filters.html b/frontend/app/views/partials/admin/attack/list/filters.html
new file mode 100644
index 0000000000..431c826ca5
--- /dev/null
+++ b/frontend/app/views/partials/admin/attack/list/filters.html
@@ -0,0 +1,38 @@
+<div class="row">
+    <div class="col-md-12 active-filters">
+        <h4>Filters</h4>
+        <form ng-submit="$vm.search()">
+            <div class="row mb-xxxs" ng-repeat="filter in $vm.filtering.context.filters track by $index">
+                <div class="col-sm-4 col-md-4 col-lg-2">
+                    <div class="input-group">
+                        <span class="input-group-btn">
+                            <button class="btn btn-default" type="button" ng-click="$vm.removeFilter($index)">
+                                <i class="fa fa-times text-danger"></i>
+                            </button>
+                        </span>
+                        <select class="form-control" ng-model="filter.field"
+                            ng-options="item for item in $vm.filtering.attributeKeys"
+                            ng-change="$vm.filtering.setFilterField(filter, config.entity)"></select>
+                    </div>
+                </div>
+                <div class="col-sm-8 col-md-8 col-lg-6">
+                    <filter-editor metadata="$vm.filtering.metadata" filter="filter" entity="$vm.filtering.entity"></filter-editor>
+                </div>
+            </div>
+            <div class="mv-xs row">
+                <div class="col-sm-12 col-md-12 col-lg-8">
+                    <a href class="btn btn-sm  btn-link btn-clear" ng-click="$vm.filtering.addFilter()">
+                        <i class="fa fa-plus"></i> Add a filter
+                    </a>
+                    <a href class="btn btn-sm btn-danger" ng-click="$vm.clearFilters()" ng-if="$vm.filtering.context.filters.length > 0">
+                        <i class="fa fa-times"></i> Clear
+                    </a>
+                    <button href class="btn btn-sm btn-primary pull-right" type="submit" ng-if="$vm.filtering.context.filters.length > 0">
+                        <i class="fa fa-search"></i> Search
+                    </button>
+                </div>
+            </div>
+        </form>
+
+    </div>
+</div>
diff --git a/frontend/app/views/partials/admin/attack/list/toolbar.html b/frontend/app/views/partials/admin/attack/list/toolbar.html
new file mode 100644
index 0000000000..96afe4ba9e
--- /dev/null
+++ b/frontend/app/views/partials/admin/attack/list/toolbar.html
@@ -0,0 +1,21 @@
+<div class="row">
+    <div class="col-md-12">
+        <div class="btn-toolbar" role="toolbar">
+            <div class="btn-group">
+                <button class="btn btn-sm btn-primary" type="button" ng-click="$vm.import()">
+                    <i class="fa fa-plus"></i>
+                    Import MITRE ATT&CK Patterns
+                </button>
+            </div>
+            <div class="btn-group pull-right" role="group">
+                <page-sizer collection="$vm.list" sizes="[10, 15, 30, 100]"></page-sizer>
+            </div>
+
+            <div class="btn-group pull-right" role="group">
+                <button class="btn btn-sm" ng-class="{true: 'btn-primary', false:'btn-default'}[$vm.filtering.context.showFilters]" type="button" ng-click="$vm.toggleFilters()">
+                    <i class="fa fa-search"></i> Filters
+                </button>
+            </div>
+        </div>
+    </div>
+</div>
diff --git a/frontend/app/views/partials/admin/attack/view.html b/frontend/app/views/partials/admin/attack/view.html
new file mode 100644
index 0000000000..7a8250dd18
--- /dev/null
+++ b/frontend/app/views/partials/admin/attack/view.html
@@ -0,0 +1,107 @@
+<form class="form">
+
+    <div class="modal-header bg-primary">
+        <h3 class="modal-title">{{::$modal.pattern.parent ? 'Sub-technique' : 'Technique'}}: {{::$modal.pattern.name}}
+            <small class="ml-xxxs">(Version: {{::$modal.pattern.version}})</small>
+        </h3>
+    </div>
+
+    <div class="modal-body">
+        <div class="row">
+            <div class="col-sm-6">
+                <div class="form-group">
+                    <label>{{::$modal.pattern.parent ? 'Sub-technique' : 'Technique'}} Name</label>
+                    <div>{{::$modal.pattern.name}}</div>
+                </div>
+            </div>
+            <div class="col-sm-6" ng-if="::$modal.pattern.parent">
+                <div class="form-group">
+                    <label>Sub-Technique of</label>
+                    <div>{{::$modal.pattern.parent || '-'}}</div>
+                </div>
+            </div>
+        </div>
+
+        <div class="row">
+            <div class="col-sm-6">
+                <div class="form-group">
+                    <label>Tactics</label>
+                    <div ng-repeat="tactic in ::$modal.pattern.tactics" class="mb-xxs">
+                        <span class="label label-lg label-default">{{tactic}}</span>
+                    </div>
+                </div>
+            </div>
+            <div class="col-sm-6">
+                <div class="form-group">
+                    <label>Data Sources</label>
+                    <div ng-repeat="ds in ::$modal.pattern.dataSources" class="mb-xxs">
+                        <span class="label label-lg label-default">{{ds}}</span>
+                    </div>
+                </div>
+            </div>
+        </div>
+
+        <div class="row">
+            <div class="col-sm-6">
+                <div class="form-group">
+                    <label>URL</label>
+                    <div>
+                        <a href="{{::$modal.pattern.url}}" target="_blank">
+                            {{::$modal.pattern.url}}<i class="fa fa-external-link ml-xxxs"></i>
+                        </a>
+                    </div>
+                </div>
+            </div>
+            <div class="col-sm-6">
+                <div class="form-group">
+                    <label>Platforms</label>
+                    <div ng-repeat="platform in ::$modal.pattern.platforms" class="mb-xxs">
+                        <span class="label label-lg label-default">{{platform}}</span>
+                    </div>
+                </div>
+            </div>
+        </div>
+
+        <div class="form-group">
+            <label>Description</label>
+            <div>{{::$modal.pattern.description}}</div>
+        </div>
+
+        <div class="row">
+            <div class="col-sm-12">
+                <table class="table table-striped">
+                    <thead>
+                        <tr>
+                            <th class="pl-0" width="200">Tag</th>
+                            <th>Predicate</th>
+                            <th>Value</th>
+                            <th width="100">Color</th>
+                            <th width="10"></th>
+                        </tr>
+                    </thead>
+                    <tbody>
+                        <tr ng-repeat="tag in $modal.taxonomy.tags">
+                            <td>
+                                <span class="label">
+                                    <tag value="tag"></tag>
+                                </span>
+                            </td>
+                            <td>{{::tag.predicate}}</td>
+                            <td>{{::tag.value || '-'}}</td>
+                            <td>{{::tag.colour}}</td>
+                            <td>
+                                <span ng-if="::tag.description" uib-tooltip="{{::tag.description}}" tooltip-placement="left">
+                                    <i class="fa fa-question-circle"></i>
+                                </span>
+                            </td>
+                        </tr>
+                    </tbody>
+                </table>
+            </div>
+        </div>
+    </div>
+    <div class="modal-footer">
+        <button class="btn btn-default pull-left" type="button" ng-click="$modal.cancel()">Cancel</button>
+        <button class="btn btn-primary pull-right" type="button" ng-click="$modal.cancel()">Close</button>
+    </div>
+</form>