From a9a7401c2eae6ef12bb3f9c9928bae0c8911bf24 Mon Sep 17 00:00:00 2001
From: Nick Driver
Date: Wed, 16 Oct 2019 16:34:40 -0400
Subject: [PATCH] Fix observable tagging for MISP export

Allows observable tags to be exported to MISP attributes
---
 .../app/connectors/misp/JsonFormat.scala | 2 +-
 .../app/connectors/misp/MispConfig.scala | 3 ++-
 .../app/connectors/misp/MispConnection.scala | 3 ++-
 .../app/connectors/misp/MispExport.scala | 16 ++++++++++++----
 thehive-misp/app/connectors/misp/MispModel.scala | 1 +
 thehive-misp/app/connectors/misp/MispSrv.scala | 2 +-
 6 files changed, 19 insertions(+), 8 deletions(-)

diff --git a/thehive-misp/app/connectors/misp/JsonFormat.scala b/thehive-misp/app/connectors/misp/JsonFormat.scala
index e2a80c652b..906ec3f2a2 100644
--- a/thehive-misp/app/connectors/misp/JsonFormat.scala
+++ b/thehive-misp/app/connectors/misp/JsonFormat.scala
@@ -82,7 +82,7 @@ object JsonFormat {
 "type" → attribute.tpe,
 "value" → attribute.value.fold[String](identity, _.name),
 "comment" → attribute.comment,
- "Tag" → Json.arr(Json.obj("name" → tlpWrites.writes(attribute.tlp)))
+ "Tag" → JsArray((attribute.tags.map(JsString.apply) :+ tlpWrites.writes(attribute.tlp)).map(t ⇒ Json.obj("name" -> t)))
 )
 }
diff --git a/thehive-misp/app/connectors/misp/MispConfig.scala b/thehive-misp/app/connectors/misp/MispConfig.scala
index 31745af075..464969c7c5 100644
--- a/thehive-misp/app/connectors/misp/MispConfig.scala
+++ b/thehive-misp/app/connectors/misp/MispConfig.scala
@@ -59,7 +59,8 @@ class MispConfig(val interval: FiniteDuration, val connections: Seq[MispConnecti
 excludedTags,
 whitelistTags,
 purpose,
- exportCaseTags
+ exportCaseTags,
+ exportAttributeTags
 )
 )
diff --git a/thehive-misp/app/connectors/misp/MispConnection.scala b/thehive-misp/app/connectors/misp/MispConnection.scala
index 486b6cb3cd..19f915acb7 100644
--- a/thehive-misp/app/connectors/misp/MispConnection.scala
+++ b/thehive-misp/app/connectors/misp/MispConnection.scala
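Review bot: The new `"Tag"` array in JsonFormat.scala includes `attribute.tags` unconditionally, while the per-tag requests this commit adds in MispExport.scala are gated on `mispConnection.exportAttributeTags`. If this Writes serialises the attribute body sent on export, observable tags leave TheHive even on connections where the operator left the flag off, which matters when tags carry internal case context. Consider applying the flag in one place, for example by emptying `tags` where the `ExportedMispAttribute` is built when the flag is off, so that both paths agree. The enclosing Writes starts outside the hunk.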
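Review bot: `exportAttributeTags` is passed to the `MispConnection` constructor in MispConfig.scala, but no added line in this hunk defines it, and the diffstat for the file (two insertions, one deletion) leaves no room for one elsewhere. Unless the value already exists earlier in the enclosing block, which starts outside the hunk, this will not compile. It should be read from the connection's configuration next to `exportCaseTags` and default to `false`, so that existing deployments do not start exporting observable tags after an upgrade. A one-line comment such as `// exportAttributeTags: when true, observable tags are attached to the exported MISP attributes` would document the new setting.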
@@ -29,7 +29,8 @@ case class MispConnection(
 excludedTags: Set[String],
 whitelistTags: Set[String],
 purpose: MispPurpose.Value,
- exportCaseTags: Boolean
+ exportCaseTags: Boolean,
+ exportAttributeTags: Boolean
 ) {
 private[MispConnection] lazy val logger = Logger(getClass)
diff --git a/thehive-misp/app/connectors/misp/MispExport.scala b/thehive-misp/app/connectors/misp/MispExport.scala
index 3104c06f76..70ae845ede 100644
--- a/thehive-misp/app/connectors/misp/MispExport.scala
+++ b/thehive-misp/app/connectors/misp/MispExport.scala
@@ -115,7 +115,7 @@ class MispExport @Inject()(
 def exportAttribute(mispConnection: MispConnection, eventId: String, attribute: ExportedMispAttribute): Future[Artifact] = {
 val mispResponse = attribute match {
- case ExportedMispAttribute(_, _, _, _, Right(attachment), comment) ⇒
+ case ExportedMispAttribute(_, _, _, _, _, Right(attachment), comment) ⇒
 attachmentSrv
 .source(attachment.id)
 .runReduce(_ ++ _)
@@ -138,11 +138,19 @@ class MispExport @Inject()(
 case response if response.status / 100 == 2 ⇒
 // then add tlp tag
 // doesn't work with file artifact (malware sample attribute)
- (response.json \ "Attribute" \ "id")
+ (response.json \ "Attribute" \ "uuid")
 .asOpt[String]
 .foreach { attributeId ⇒
- mispConnection("/attributes/addTag")
- .post(Json.obj("attribute" → attributeId, "tag" → tlpWrites.writes(attribute.tlp)))
+ val attrib_tlp=tlpWrites.writes(attribute.tlp)
+ mispConnection(s"/tags/attachTagToObject/$attributeId/$attrib_tlp")
+ .post("")
+ if (mispConnection.exportAttributeTags){
+ for (tag <- attribute.tags){
+ logger.debug(s"Sending POST request for ${tag}")
+ mispConnection(s"/tags/attachTagToObject/$attributeId/$tag")
+ .post("")
+ }
+ }
 }
 attribute.artifact
 case response ⇒
diff --git a/thehive-misp/app/connectors/misp/MispModel.scala b/thehive-misp/app/connectors/misp/MispModel.scala
index 05d42b4bb2..19bda01eba 100644
--- a/thehive-misp/app/connectors/misp/MispModel.scala
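Review bot: In the MispExport.scala `foreach` block, `$tag` and `$attrib_tlp` are interpolated into the `/tags/attachTagToObject/...` request path without encoding. Observable tags are free-form text, so a tag containing `/`, `?`, `#` or a space produces a different path or query than intended, sent with this connection's MISP credentials; encode each segment, e.g. `play.utils.UriEncoding.encodePathSegment(tag, "UTF-8")`. `attrib_tlp` appears to be a `JsValue` (the removed line placed the same expression directly in a JSON body), so interpolation would render it with its JSON quotes; extract the string before building the path. The futures returned by `.post("")` are discarded, so a rejected or failed tag request is never logged. The enclosing function continues outside the hunk.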
+++ b/thehive-misp/app/connectors/misp/MispModel.scala
@@ -40,6 +40,7 @@ case class ExportedMispAttribute(
 artifact: Artifact,
 tpe: String,
 category: String,
+ tags: Seq[String],
 tlp: Long,
 value: Either[String, Attachment],
 comment: Option[String]
diff --git a/thehive-misp/app/connectors/misp/MispSrv.scala b/thehive-misp/app/connectors/misp/MispSrv.scala
index 8e8da7c315..ed76d27cd8 100644
--- a/thehive-misp/app/connectors/misp/MispSrv.scala
+++ b/thehive-misp/app/connectors/misp/MispSrv.scala
@@ -109,7 +109,7 @@ class MispSrv @Inject()(
 logger.error(s"Artifact $artifact has neither data nor attachment")
 sys.error("???")
 }
- ExportedMispAttribute(artifact, tpe, category, artifact.tlp(), value, artifact.message())
+ ExportedMispAttribute(artifact, tpe, category, artifact.tags(), artifact.tlp(), value, artifact.message())
 }
 .runWith(Sink.seq)
 }