#1273 MISP: map "to_ids" to "ioc"

TheHive-Project · Apr 6, 2020 · 9ce3a18 · 9ce3a18
1 parent 32210eb
commit 9ce3a18
Show file tree

Hide file tree

Showing 6 changed files with 24 additions and 18 deletions.
diff --git a/thehive-misp/app/connectors/misp/JsonFormat.scala b/thehive-misp/app/connectors/misp/JsonFormat.scala
@@ -65,7 +65,8 @@ object JsonFormat {
         value    ← (json \ "value").validate[String]
         category ← (json \ "category").validate[String]
         tags     ← JsArray(json \ "EventTag" \\ "name").validate[Seq[String]]
-      } yield MispAttribute(id, category, tpe, date, comment, value, tags)
+        toIds    ← (json \ "to_ids").validate[Boolean]
+      } yield MispAttribute(id, category, tpe, date, comment, value, tags, toIds)
   )
 
   val tlpWrites: Writes[Long] = Writes[Long] {
@@ -82,7 +83,8 @@ object JsonFormat {
       "type"     → attribute.tpe,
       "value"    → attribute.value.fold[String](identity, _.name),
       "comment"  → attribute.comment,
-      "Tag"      → Json.arr(Json.obj("name" → tlpWrites.writes(attribute.tlp)))
+      "Tag"      → Json.arr(Json.obj("name" → tlpWrites.writes(attribute.tlp))),
+      "to_ids"   → attribute.artifact.ioc()
     )
   }
 
@@ -92,7 +94,8 @@ object JsonFormat {
       "message"   → artifact.message,
       "tlp"       → artifact.tlp,
       "tags"      → artifact.tags,
-      "startDate" → artifact.startDate
+      "startDate" → artifact.startDate,
+      "ioc"       → artifact.ioc
     ) + (artifact.value match {
       case SimpleArtifactData(data) ⇒ "data" → JsString(data)
       case RemoteAttachmentArtifact(filename, reference, tpe) ⇒

diff --git a/thehive-misp/app/connectors/misp/MispConverter.scala b/thehive-misp/app/connectors/misp/MispConverter.scala
@@ -12,7 +12,8 @@ trait MispConverter {
           message = mispAttribute.comment,
           tlp = 0,
           tags = tags ++ mispAttribute.tags,
-          startDate = mispAttribute.date
+          startDate = mispAttribute.date,
+          ioc = mispAttribute.toIds
         )
       )
     } else {
@@ -24,7 +25,8 @@ trait MispConverter {
           message = mispAttribute.comment,
           tlp = 0,
           tags = tags ++ mispAttribute.tags,
-          startDate = mispAttribute.date
+          startDate = mispAttribute.date,
+          ioc = mispAttribute.toIds
         )
 
       val types = mispAttribute.tpe.split('|').toSeq

diff --git a/thehive-misp/app/connectors/misp/MispExport.scala b/thehive-misp/app/connectors/misp/MispExport.scala
@@ -115,7 +115,7 @@ class MispExport @Inject()(
 
   def exportAttribute(mispConnection: MispConnection, eventId: String, attribute: ExportedMispAttribute): Future[Artifact] = {
     val mispResponse = attribute match {
-      case ExportedMispAttribute(_, _, _, _, Right(attachment), comment) ⇒
+      case ExportedMispAttribute(artifact, _, _, _, Right(attachment), comment) ⇒
         attachmentSrv
           .source(attachment.id)
           .runReduce(_ ++ _)
@@ -126,7 +126,8 @@ class MispExport @Inject()(
                 "category" → "Payload delivery",
                 "type"     → "malware-sample",
                 "comment"  → comment,
-                "files"    → Json.arr(Json.obj("filename" → attachment.name, "data" → b64data))
+                "files"    → Json.arr(Json.obj("filename" → attachment.name, "data" → b64data)),
+                "to_ids"   → artifact.ioc()
               )
             )
             mispConnection(s"events/upload_sample/$eventId").post(body)
@@ -205,9 +206,9 @@ class MispExport @Inject()(
           logger.debug(s"Updating MISP event $eventId")
           mispSrv.getAttributesFromMisp(mispConnection, eventId, None).map { attributes ⇒
             (eventId, Nil, attributes.map {
-              case MispArtifact(SimpleArtifactData(data), _, _, _, _, _)                             ⇒ Left(data)
-              case MispArtifact(RemoteAttachmentArtifact(filename, _, _), _, _, _, _, _)             ⇒ Right(filename)
-              case MispArtifact(AttachmentArtifact(Attachment(filename, _, _, _, _)), _, _, _, _, _) ⇒ Right(filename)
+              case MispArtifact(SimpleArtifactData(data), _, _, _, _, _, _)                             ⇒ Left(data)
+              case MispArtifact(RemoteAttachmentArtifact(filename, _, _), _, _, _, _, _, _)             ⇒ Right(filename)
+              case MispArtifact(AttachmentArtifact(Attachment(filename, _, _, _, _)), _, _, _, _, _, _) ⇒ Right(filename)
             })
           }
         }

diff --git a/thehive-misp/app/connectors/misp/MispModel.scala b/thehive-misp/app/connectors/misp/MispModel.scala
@@ -34,7 +34,7 @@ case class MispAlert(
     caseTemplate: String
 )
 
-case class MispAttribute(id: String, category: String, tpe: String, date: Date, comment: String, value: String, tags: Seq[String])
+case class MispAttribute(id: String, category: String, tpe: String, date: Date, comment: String, value: String, tags: Seq[String], toIds: Boolean)
 
 case class ExportedMispAttribute(
     artifact: Artifact,
@@ -45,6 +45,6 @@ case class ExportedMispAttribute(
     comment: Option[String]
 )
 
-case class MispArtifact(value: ArtifactData, dataType: String, message: String, tlp: Long, tags: Seq[String], startDate: Date)
+case class MispArtifact(value: ArtifactData, dataType: String, message: String, tlp: Long, tags: Seq[String], startDate: Date, ioc: Boolean)
 
 case class MispExportError(message: String, artifact: Artifact) extends ErrorWithObject(message, artifact.attributes)
diff --git a/thehive-misp/app/connectors/misp/MispSrv.scala b/thehive-misp/app/connectors/misp/MispSrv.scala
@@ -137,9 +137,9 @@ class MispSrv @Inject()(
           .filter(_.date after refDate)
           .flatMap(convertAttribute)
           .groupBy {
-            case MispArtifact(SimpleArtifactData(data), dataType, _, _, _, _)                             ⇒ dataType → Right(data)
-            case MispArtifact(RemoteAttachmentArtifact(filename, _, _), dataType, _, _, _, _)             ⇒ dataType → Left(filename)
-            case MispArtifact(AttachmentArtifact(Attachment(filename, _, _, _, _)), dataType, _, _, _, _) ⇒ dataType → Left(filename)
+            case MispArtifact(SimpleArtifactData(data), dataType, _, _, _, _, _)                             ⇒ dataType → Right(data)
+            case MispArtifact(RemoteAttachmentArtifact(filename, _, _), dataType, _, _, _, _, _)             ⇒ dataType → Left(filename)
+            case MispArtifact(AttachmentArtifact(Attachment(filename, _, _, _, _)), dataType, _, _, _, _, _) ⇒ dataType → Left(filename)
           }
           .values
           .map { mispArtifact ⇒

diff --git a/thehive-misp/app/connectors/misp/MispSynchro.scala b/thehive-misp/app/connectors/misp/MispSynchro.scala
@@ -114,12 +114,12 @@ class MispSynchro @Inject()(
         }
         .runWith(Sink.seq)
       newAttributes ← Future.traverse(mispArtifacts) {
-        case artifact @ MispArtifact(SimpleArtifactData(data), _, _, _, _, _) if !existingArtifacts.contains(Right(data)) ⇒
+        case artifact @ MispArtifact(SimpleArtifactData(data), _, _, _, _, _, _) if !existingArtifacts.contains(Right(data)) ⇒
           Future.successful(Fields(Json.toJson(artifact).as[JsObject]))
-        case artifact @ MispArtifact(AttachmentArtifact(Attachment(filename, _, _, _, _)), _, _, _, _, _)
+        case artifact @ MispArtifact(AttachmentArtifact(Attachment(filename, _, _, _, _)), _, _, _, _, _, _)
             if !existingArtifacts.contains(Left(filename)) ⇒
           Future.successful(Fields(Json.toJson(artifact).as[JsObject]))
-        case artifact @ MispArtifact(RemoteAttachmentArtifact(filename, reference, tpe), _, _, _, _, _)
+        case artifact @ MispArtifact(RemoteAttachmentArtifact(filename, reference, tpe), _, _, _, _, _, _)
             if !existingArtifacts.contains(Left(filename)) ⇒
           mispSrv
             .downloadAttachment(mispConnection, reference)