new: [Event:_add] Added support of recursive capture of analyst data

notes
Sami Mokaddem 2024-02-14 09:48:11 +01:00
parent 714cb9ea78
commit 006c900c8e
No known key found for this signature in database
GPG Key ID: 164C473F627A06FA
5 changed files with 45 additions and 7 deletions


@ -256,6 +256,9 @@ class AnalystData extends AppModel
public function deduceAnalystDataType(array $analystData)
{
if (!empty($analystData['note_type_name']) && in_array($analystData['note_type_name'], self::ANALYST_DATA_TYPES)) {
return $analystData['note_type_name'];
}
foreach (self::ANALYST_DATA_TYPES as $type) {
if (isset($analystData[$type])) {
return $type;
@ -413,6 +416,9 @@ class AnalystData extends AppModel
{
$results = ['success' => false, 'imported' => 0, 'ignored' => 0, 'failed' => 0, 'errors' => []];
$type = $this->deduceAnalystDataType($analystData);
if (!isset($analystData[$type])) {
$analystData = [$type => $analystData];
}
$analystModel = ClassRegistry::init($type);
if ($fromPull && !empty($orgUUId)) {
@ -447,13 +453,9 @@ class AnalystData extends AppModel
if (!Configure::check('MISP.enableOrgBlocklisting') || Configure::read('MISP.enableOrgBlocklisting') !== false) {
$analystModel->OrgBlocklist = ClassRegistry::init('OrgBlocklist');
if (!isset($analystData[$type]['Orgc']['uuid'])) {
$orgc = $analystModel->Orgc->find('first', ['conditions' => ['Orgc.uuid' => $analystData[$type]['orgc_uuid']], 'fields' => ['Orgc.uuid'], 'recursive' => -1]);
} else {
$orgc = ['Orgc' => ['uuid' => $analystData[$type]['Orgc']['uuid']]];
}
if ($analystData[$type]['orgc_uuid'] != 0 && $analystModel->OrgBlocklist->hasAny(array('OrgBlocklist.org_uuid' => $orgc['Orgc']['uuid']))) {
$results['errors'][] = __('Organisation blocklisted (%s)', $orgc['Orgc']['uuid']);
$orgcUUID = $analystData[$type]['Orgc']['uuid'];
if ($analystData[$type]['orgc_uuid'] != 0 && $analystModel->OrgBlocklist->hasAny(array('OrgBlocklist.org_uuid' => $orgcUUID))) {
$results['errors'][] = __('Organisation blocklisted (%s)', $orgcUUID);
$results['ignored']++;
return $results;
}
@ -473,6 +475,7 @@ class AnalystData extends AppModel
unset($analystData[$type]['id']);
$analystModel->create();
$saveSuccess = $analystModel->save($analystData);
$saveSuccess = true;
} else {
if (!$existingAnalystData[$type]['locked'] && empty($server['Server']['internal'])) {
$results['errors'][] = __('Blocked an edit to an analyst data that was created locally. This can happen if a synchronised analyst data that was created on this instance was modified by an administrator on the remote side.');
@ -490,6 +493,17 @@ class AnalystData extends AppModel
}
if ($saveSuccess) {
$results['imported']++;
foreach (self::ANALYST_DATA_TYPES as $childType) {
if (!empty($analystData[$type][$childType])) {
foreach ($analystData[$type][$childType] as $childAnalystData) {
$captureResult = $this->captureAnalystData($user, $childAnalystData, $fromPull, $orgUUId, $server);
$results['imported'] += $captureResult['imported'];
$results['ignored'] += $captureResult['ignored'];
$results['failed'] += $captureResult['failed'];
$results['errors'] = array_merge($results['errors'], $captureResult['errors']);
}
}
}
} else {
$results['failed']++;
foreach ($analystModel->validationErrors as $validationError) {
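Review bot: The blocklist check in the `@ -447` hunk now reads `$analystData[$type]['Orgc']['uuid']` unconditionally, while the lines it appears to replace fell back to a lookup by `orgc_uuid` when the nested `Orgc` array was absent. For a payload carrying only `orgc_uuid`, `$orgcUUID` would be null, so the `hasAny()` condition is unlikely to match a blocklisted organisation and the data would be imported instead of ignored, unless a non-visible part of the function always populates `Orgc`. Keeping the fallback is a one-line change: `$orgcUUID = $analystData[$type]['Orgc']['uuid'] ?? $analystData[$type]['orgc_uuid'];`. In the `@ -473` hunk, `$saveSuccess = true;` directly after `$saveSuccess = $analystModel->save($analystData);` discards the save result, so a failed save is counted as imported and its children are still captured; it looks like a debugging leftover and should be dropped. The enclosing function starts and ends outside these hunks.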


@ -2655,6 +2655,7 @@ class Attribute extends AppModel
if (!empty($attribute['Sighting'])) {
$this->Sighting->captureSightings($attribute['Sighting'], $this->id, $eventId, $user);
}
$this->Event->captureAnalystData($user, $attribute);
}
if (!empty($this->validationErrors)) {
$validationErrors = $this->validationErrors;


@ -19,6 +19,9 @@ App::uses('ProcessTool', 'Tools');
* @property Organisation $Org
* @property Organisation $Orgc
* @property CryptographicKey $CryptographicKey
* @property Note $Note
* @property Opinion $Opinion
* @property Relationship $Relationship
*/
class Event extends AppModel
{
@ -3901,6 +3904,8 @@ class Event extends AppModel
if (isset($data['Sighting']) && !empty($data['Sighting'])) {
$this->Sighting->captureSightings($data['Sighting'], null, $this->id, $user);
}
$this->captureAnalystData($user, $data['Event']);
if ($fromXml) {
$created_id = $this->id;
}
@ -7968,6 +7973,21 @@ class Event extends AppModel
}
}
public function captureAnalystData($user, $data)
{
$types = ['Note', 'Opinion', 'Relationship'];
$this->Note = ClassRegistry::init('Note');
$this->Opinion = ClassRegistry::init('Opinion');
$this->Relationship = ClassRegistry::init('Relationship');
foreach ($types as $type) {
if (!empty($data[$type])) {
foreach ($data[$type] as $analystData) {
$this->{$type}->captureAnalystData($user, $analystData);
}
}
}
}
public function getTrendsForTags(array $user, array $eventFilters=[], int $baseDayRange, int $rollingWindows=3, $tagFilterPrefixes=null): array
{
$fullDayNumber = $baseDayRange + $baseDayRange * $rollingWindows;
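Review bot: `captureAnalystData()` in the last hunk discards the result array that each model's `captureAnalystData()` returns, so analyst data that is ignored (for example by the organisation blocklist) or fails validation while an event is being captured leaves nothing for the caller to log. It also forwards only `$user` and the record, while the recursive call in `AnalystData` passes `$fromPull`, `$orgUUId` and `$server`; if events arrive through a pull, the nested analyst data would presumably be processed as a local submission. I would aggregate and return the counters as below, and add a docblock stating that `$data` is the inner record (as in `$data['Event']` or `$object['Object']`) keyed by `Note`, `Opinion` and `Relationship`. The call added in the `@ -3901` hunk and the ones in `Attribute`, `EventReport` and `MispObject` would then need to consume the return value.

```php
public function captureAnalystData($user, $data)
{
    // … unchanged: $types and the three ClassRegistry::init() assignments …
    $results = ['imported' => 0, 'ignored' => 0, 'failed' => 0, 'errors' => []];
    foreach ($types as $type) {
        if (empty($data[$type])) {
            continue;
        }
        foreach ($data[$type] as $analystData) {
            $captureResult = $this->{$type}->captureAnalystData($user, $analystData);
            $results['imported'] += $captureResult['imported'];
            $results['ignored'] += $captureResult['ignored'];
            $results['failed'] += $captureResult['failed'];
            $results['errors'] = array_merge($results['errors'], $captureResult['errors']);
        }
    }
    return $results;
}
```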


@ -119,6 +119,8 @@ class EventReport extends AppModel
__('Event Report dropped due to validation for Event report %s failed: %s', $this->data['EventReport']['uuid'], $this->data['EventReport']['name']),
__('Validation errors: %s.%sFull report: %s', json_encode($errors), PHP_EOL, json_encode($report['EventReport']))
);
} else {
$this->Event->captureAnalystData($user, $report);
}
return $errors;
}
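Review bot: The new `else` branch passes the whole `$report` array, whereas the error path just above reads the report's fields from `$report['EventReport']` and the other call sites in this commit pass the inner record (`$data['Event']`, `$object['Object']`). `Event::captureAnalystData()` only looks for `Note`, `Opinion` and `Relationship` at the top level of its argument, so if analyst data is nested under `EventReport` it would be skipped silently. If that is the payload shape, the call should be `$this->Event->captureAnalystData($user, $report['EventReport']);`. The enclosing method starts outside the hunk.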


@ -1139,6 +1139,7 @@ class MispObject extends AppModel
$this->Attribute->captureAttribute($attribute, $eventId, $user, $objectId, false, $parentEvent);
}
}
$this->Event->captureAnalystData($user, $object['Object']);
return true;
}