Merge branch 'develop' of github.com:MISP/MISP into develop
commit
9898c68482
|
@ -29,6 +29,8 @@ class Ls22Shell extends AppShell
|
|||
|
||||
public function getOptionParser()
|
||||
{
|
||||
$this->stdout->styles('green', array('text' => 'green'));
|
||||
|
||||
$parser = parent::getOptionParser();
|
||||
$parser->addSubcommand('enableTaxonomy', [
|
||||
'help' => __('Enable a taxonomy with all its tags.'),
|
||||
|
@ -448,6 +450,8 @@ class Ls22Shell extends AppShell
|
|||
}
|
||||
$time_range[] = $this->param['to'];
|
||||
}
|
||||
$event_extended_uuids = [];
|
||||
$event_uuid_per_org = [];
|
||||
foreach ($org_mapping as $org_name => $org_id) {
|
||||
$time_range = [];
|
||||
$params = [
|
||||
|
@ -462,6 +466,7 @@ class Ls22Shell extends AppShell
|
|||
$results[$org_name] = [
|
||||
'attribute_count' => 0,
|
||||
'object_count' => 0,
|
||||
'event_count' => count($events['response']),
|
||||
'connected_elements' => 0,
|
||||
'event_tags' => 0,
|
||||
'attribute_tags' => 0,
|
||||
|
@ -470,9 +475,16 @@ class Ls22Shell extends AppShell
|
|||
'attribute_attack' => 0,
|
||||
'attribute_other' => 0,
|
||||
'score' => 0,
|
||||
'warnings' => 0
|
||||
'warnings' => 0,
|
||||
'events_extended' => 0,
|
||||
'extending_events' => 0,
|
||||
];
|
||||
foreach ($events['response'] as $event) {
|
||||
$event_uuid_per_org[$event['Event']['uuid']] = $org_name;
|
||||
if (!empty($event['Event']['extends_uuid'])) {
|
||||
$event_extended_uuids[$org_name] = $event['Event']['extends_uuid'];
|
||||
}
|
||||
|
||||
if (!empty($event['Event']['Tag'])) {
|
||||
foreach ($event['Event']['Tag'] as $tag) {
|
||||
if (substr($tag['name'], 0, 32) === 'misp-galaxy:mitre-attack-pattern') {
|
||||
|
@ -505,7 +517,7 @@ class Ls22Shell extends AppShell
|
|||
}
|
||||
}
|
||||
if (!empty($attribute['warnings'])) {
|
||||
$result[$org_name]['warnings'] += 1;
|
||||
$results[$org_name]['warnings'] += 1;
|
||||
}
|
||||
}
|
||||
$results[$org_name]['attribute_count'] += count($event['Event']['Attribute']);
|
||||
|
@ -532,6 +544,18 @@ class Ls22Shell extends AppShell
|
|||
|
||||
}
|
||||
}
|
||||
|
||||
foreach ($event_extended_uuids as $orgc => $uuid) {
|
||||
$org_name = $event_uuid_per_org[$uuid];
|
||||
if ($orgc != $org_name) {
|
||||
// Add point for org extending another event
|
||||
$results[$orgc]['extending_events'] += 1;
|
||||
// Add point for org getting their event extended
|
||||
$results[$org_name]['events_extended'] += 1;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
$scores = [];
|
||||
foreach ($results as $k => $result) {
|
||||
$totalCount = $result['attribute_count'] + $result['object_count'];
|
||||
|
@ -546,8 +570,9 @@ class Ls22Shell extends AppShell
|
|||
$results[$k]['metrics']['connectedness'] = 100 * ($result['connected_elements'] / ($result['attribute_count'] + $result['object_count']));
|
||||
$results[$k]['metrics']['attack_weight'] = 100 * (2*($result['attack']) + $result['attribute_attack']) / ($result['attribute_count'] + $result['object_count']);
|
||||
$results[$k]['metrics']['other_weight'] = 100 * (2*($result['other']) + $result['attribute_other']) / ($result['attribute_count'] + $result['object_count']);
|
||||
$results[$k]['metrics']['collaboration'] = 100 * ((2*$result['events_extended'] + $result['extending_events']) / $result['event_count']);
|
||||
}
|
||||
foreach (['connectedness', 'attack_weight', 'other_weight', 'warnings'] as $metric) {
|
||||
foreach (['connectedness', 'attack_weight', 'other_weight', 'warnings', 'collaboration'] as $metric) {
|
||||
if (empty($results[$k]['metrics'][$metric])) {
|
||||
$results[$k]['metrics'][$metric] = 0;
|
||||
}
|
||||
|
@ -559,13 +584,15 @@ class Ls22Shell extends AppShell
|
|||
20 * $results[$k]['metrics']['warnings'] +
|
||||
20 * $results[$k]['metrics']['connectedness'] +
|
||||
40 * $results[$k]['metrics']['attack_weight'] +
|
||||
20 * $results[$k]['metrics']['other_weight']
|
||||
10 * $results[$k]['metrics']['other_weight'] +
|
||||
10 * $results[$k]['metrics']['collaboration']
|
||||
) / 100;
|
||||
$scores[$k]['total'] = $results[$k]['score'];
|
||||
$scores[$k]['warnings'] = round(20 * $results[$k]['metrics']['warnings']);
|
||||
$scores[$k]['connectedness'] = round(20 * $results[$k]['metrics']['connectedness']);
|
||||
$scores[$k]['attack_weight'] = round(40 * $results[$k]['metrics']['attack_weight']);
|
||||
$scores[$k]['other_weight'] = round(20 * $results[$k]['metrics']['other_weight']);
|
||||
$scores[$k]['other_weight'] = round(10 * $results[$k]['metrics']['other_weight']);
|
||||
$scores[$k]['collaboration'] = round(10 * $results[$k]['metrics']['collaboration']);
|
||||
}
|
||||
arsort($scores, SORT_DESC);
|
||||
$this->out(str_repeat('=', 128), 1, Shell::NORMAL);
|
||||
|
@ -581,15 +608,17 @@ class Ls22Shell extends AppShell
|
|||
$score_string[1] = str_repeat('█', round($score['connectedness']/100));
|
||||
$score_string[2] = str_repeat('█', round($score['attack_weight']/100));
|
||||
$score_string[3] = str_repeat('█', round($score['other_weight']/100));
|
||||
$score_string[4] = str_repeat('█', round($score['collaboration']/100));
|
||||
$this->out(sprintf(
|
||||
'| %s | %s | %s |',
|
||||
str_pad($org, 10, ' ', STR_PAD_RIGHT),
|
||||
sprintf(
|
||||
'<error>%s</error><warning>%s</warning><question>%s</question><info>%s</info>%s',
|
||||
'<error>%s</error><warning>%s</warning><question>%s</question><info>%s</info><green>%s</green>%s',
|
||||
$score_string[0],
|
||||
$score_string[1],
|
||||
$score_string[2],
|
||||
$score_string[3],
|
||||
$score_string[4],
|
||||
str_repeat(' ', 100 - mb_strlen(implode('', $score_string)))
|
||||
),
|
||||
str_pad($score['total'] . '%', 8, ' ', STR_PAD_RIGHT)
|
||||
|
@ -602,6 +631,7 @@ class Ls22Shell extends AppShell
|
|||
'<warning>█: Connectedness</warning>',
|
||||
'<question>█: ATT&CK context</question>',
|
||||
'<info>█: Other Context</info>',
|
||||
'<green>█: Collaboration</green>',
|
||||
str_repeat(' ', 52)
|
||||
), 1, Shell::NORMAL);
|
||||
$this->out(str_repeat('=', 128), 1, Shell::NORMAL);
|
||||
|
|
|
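Review bot: The lookup `$org_name = $event_uuid_per_org[$uuid];` in the new collaboration loop (hunk `@ -532,6 +544,18 @@`) has no guard for an `extends_uuid` that points at an event not fetched for any org in `$org_mapping`; the undefined key yields null with a warning, and `$results[null]['events_extended'] += 1` then creates a stray `''` entry that the scoring loop below will process with missing keys. Guard it with `if (!isset($event_uuid_per_org[$uuid])) { continue; }` before the comparison, and use `!==` rather than `!=` for the org-name check. Two further points in the same section: `$event_extended_uuids[$org_name] = $event['Event']['extends_uuid'];` (hunk `@ -470,9 +475,16 @@`) keys by org, so an org that extends several events is credited only for the last one — a list per org (`$event_extended_uuids[$org_name][] = …`) with a nested loop would count them all; and the new `collaboration` metric divides by `$result['event_count']`, which is zero for an org whose query returned no events and would raise DivisionByZeroError unless the enclosing guard (outside the hunk) already skips such orgs. The enclosing method starts and ends outside the visible hunks.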
@ -43,6 +43,14 @@ class Module_splunk_hec_export extends Module_webhook
|
|||
'type' => 'input',
|
||||
'placeholder' => '00000000-0000-0000-000000000000'
|
||||
],
|
||||
[
|
||||
'id' => 'source_type',
|
||||
'label' => __('Source Type'),
|
||||
'type' => 'select',
|
||||
'type' => 'input',
|
||||
'default' => '',
|
||||
'placeholder' => 'misp:event'
|
||||
],
|
||||
[
|
||||
'id' => 'event_per_attribute',
|
||||
'label' => __('Create one Splunk Event per Attribute'),
|
||||
|
@ -110,10 +118,10 @@ class Module_splunk_hec_export extends Module_webhook
|
|||
$splunk_events = $extracted_events;
|
||||
}
|
||||
|
||||
return $this->sendToSplunk($splunk_events, $params['hec_token']['value'], $params['url']['value']);
|
||||
return $this->sendToSplunk($splunk_events, $params['hec_token']['value'], $params['url']['value'], $params['source_type']['value']);
|
||||
}
|
||||
|
||||
protected function sendToSplunk(array $splunk_events, $token, $url): bool
|
||||
protected function sendToSplunk(array $splunk_events, $token, $url, $source_type): bool
|
||||
{
|
||||
foreach ($splunk_events as $splunk_event) {
|
||||
try {
|
||||
|
@ -123,12 +131,20 @@ class Module_splunk_hec_export extends Module_webhook
|
|||
$serverConfig = [
|
||||
'Server' => ['self_signed' => empty($params['verify_tls']['value'])]
|
||||
];
|
||||
|
||||
$hec_event = [
|
||||
'event' => $splunk_event
|
||||
];
|
||||
if (!empty($source_type)) {
|
||||
$hec_event['sourcetype'] = $source_type;
|
||||
}
|
||||
|
||||
$response = $this->doRequest(
|
||||
$url,
|
||||
'json',
|
||||
$splunk_event,
|
||||
$hec_event,
|
||||
$headers,
|
||||
$serverConfig,
|
||||
$serverConfig
|
||||
);
|
||||
if (!$response->isOk()) {
|
||||
if ($response->code === 403 || $response->code === 401) {
|
||||
|
|
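Review bot: The new signature `protected function sendToSplunk(array $splunk_events, $token, $url, $source_type): bool` still does not receive `$params`, yet the context line `'Server' => ['self_signed' => empty($params['verify_tls']['value'])]` reads it; unless `$params` is assigned in the lines between `try {` and `$serverConfig` that fall outside the hunk, it is undefined there, `empty()` is always true, and TLS verification is disabled regardless of the module's verify_tls setting. Since the commit already extends this signature, it is the natural place to pass the setting explicitly: `protected function sendToSplunk(array $splunk_events, $token, $url, $source_type, bool $verifyTls = true): bool`, `'Server' => ['self_signed' => !$verifyTls]`, and at the call site `return $this->sendToSplunk($splunk_events, $params['hec_token']['value'], $params['url']['value'], $params['source_type']['value'], !empty($params['verify_tls']['value']));`. As a point of style, the added `$source_type` parameter could be typed to match the `''` default the config declares, e.g. `string $source_type = ''`.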