#221 Retrieve list of all MISP attributes for new event (remove filte…

…r on timestamp)
TheHive-Project · May 23, 2017 · ebd9b29 · ebd9b29
1 parent f4ae4a3
commit ebd9b29
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 5 deletions.
diff --git a/thehive-misp/app/connectors/misp/JsonFormat.scala b/thehive-misp/app/connectors/misp/JsonFormat.scala
@@ -30,11 +30,13 @@ object JsonFormat {
       publishTimestamp ← (json \ "publish_timestamp").validate[String]
       publishDate = new Date(publishTimestamp.toLong * 1000)
       threatLevel ← (json \ "threat_level_id").validate[String]
+      isPublished ← (json \ "published").validate[Boolean]
     } yield MispAlert(
       org,
       eventId,
       date,
       publishDate,
+      isPublished,
       s"#$eventId ${info.trim}",
       s"Imported from MISP Event #$eventId, created at $date",
       threatLevel.toLong,
@@ -43,7 +45,7 @@ object JsonFormat {
       "")
   }
 
-  implicit val mispAlertWrites: Writes[MispAlert] = Json.writes[MispAlert]
+  implicit val mispAlertWrites: Writes[MispAlert] = Json.writes[MispAlert].transform((_: JsValue).asInstanceOf[JsObject] - "isPublished")
 
   implicit val attributeReads: Reads[MispAttribute] = Reads(json ⇒
     for {

diff --git a/thehive-misp/app/connectors/misp/MispModel.scala b/thehive-misp/app/connectors/misp/MispModel.scala
@@ -7,6 +7,7 @@ case class MispAlert(
   sourceRef: String,
   date: Date,
   lastSyncDate: Date,
+  isPublished: Boolean,
   title: String,
   description: String,
   severity: Long,

diff --git a/thehive-misp/app/connectors/misp/MispSrv.scala b/thehive-misp/app/connectors/misp/MispSrv.scala
@@ -170,19 +170,21 @@ class MispSrv @Inject() (
       // get related alert
       .mapAsyncUnordered(1) {
         case (mcfg, lastSyncDate, event) ⇒
+          logger.trace(s"Looking for alert misp:${event.source}:${event.sourceRef}")
           alertSrv.get("misp", event.source, event.sourceRef)
             .map(a ⇒ (mcfg, lastSyncDate, event, a))
       }
       .mapAsyncUnordered(1) {
         case (mcfg, lastSyncDate, event, alert) ⇒
+          logger.trace(s"MISP synchro ${mcfg.name} last sync at $lastSyncDate, event ${event.sourceRef}, alert ${alert.fold("no alert")("alert" + _.alertId())}")
           logger.info(s"getting MISP event ${event.sourceRef}")
-          getAttributes(mcfg, event.sourceRef, Some(lastSyncDate))
+          getAttributes(mcfg, event.sourceRef, alert.map(_ ⇒ lastSyncDate))
             .map((mcfg, event, alert, _))
       }
       .mapAsyncUnordered(1) {
         // if there is no related alert, create a new one
         case (mcfg, event, None, attrs) ⇒
-          logger.info(s"MISP event ${event.sourceRef} has no related alert, create it")
+          logger.info(s"MISP event ${event.sourceRef} has no related alert, create it with ${attrs.size} observable(s)")
           val alertJson = Json.toJson(event).as[JsObject] +
             ("type" → JsString("misp")) +
             ("caseTemplate" → mcfg.caseTemplate.fold[JsValue](JsNull)(JsString)) +
@@ -193,7 +195,7 @@ class MispSrv @Inject() (
 
         // if a related alert exists, update it
         case (_, event, Some(alert), attrs) ⇒
-          logger.info(s"MISP event ${event.sourceRef} has related alert, update it")
+          logger.info(s"MISP event ${event.sourceRef} has related alert, update it with ${attrs.size} observable(s)")
           val alertJson = Json.toJson(event).as[JsObject] -
             "type" -
             "source" -
@@ -247,7 +249,7 @@ class MispSrv @Inject() (
                 None
               }
           }
-          .filter(_.date after fromDate)
+          .filter(event ⇒ event.isPublished && event.date.after(fromDate))
 
         val eventJsonSize = eventJson.size
         val eventsSize = events.size