mirror of https://github.com/MISP/MISP
Added more contextual info for the CSV exports, fixes #391
parent
b5be1a36fb
commit
fbca80d680
|
@ -1856,8 +1856,8 @@ class EventsController extends AppController {
|
||||||
// Usage: csv($key, $eventid) - key can be a valid auth key or the string 'download'. Download requires the user to be logged in interactively and will generate a .csv file
|
// Usage: csv($key, $eventid) - key can be a valid auth key or the string 'download'. Download requires the user to be logged in interactively and will generate a .csv file
|
||||||
// $eventid can be one of 3 options: left empty it will get all the visible to_ids attributes,
|
// $eventid can be one of 3 options: left empty it will get all the visible to_ids attributes,
|
||||||
// $ignore is a flag that allows the export tool to ignore the ids flag. 0 = only IDS signatures, 1 = everything.
|
// $ignore is a flag that allows the export tool to ignore the ids flag. 0 = only IDS signatures, 1 = everything.
|
||||||
public function csv($key, $eventid=false, $ignore=false, $tags = false, $category=false, $type=false, $includeInfo=false, $from=false, $to=false) {
|
public function csv($key, $eventid=false, $ignore=false, $tags = false, $category=false, $type=false, $includeContext=false, $from=false, $to=false) {
|
||||||
$simpleFalse = array('eventid', 'ignore', 'tags', 'category', 'type', 'includeInfo', 'from', 'to');
|
$simpleFalse = array('eventid', 'ignore', 'tags', 'category', 'type', 'includeContext', 'from', 'to');
|
||||||
foreach ($simpleFalse as $sF) {
|
foreach ($simpleFalse as $sF) {
|
||||||
if (${$sF} === 'null' || ${$sF} == '0' || ${$sF} === false || strtolower(${$sF}) === 'false') ${$sF} = false;
|
if (${$sF} === 'null' || ${$sF} == '0' || ${$sF} === false || strtolower(${$sF}) === 'false') ${$sF} = false;
|
||||||
}
|
}
|
||||||
|
@ -1898,13 +1898,17 @@ class EventsController extends AppController {
|
||||||
$list[] = $attribute['Attribute']['id'];
|
$list[] = $attribute['Attribute']['id'];
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
$attributes = $this->Event->csv($org, $isSiteAdmin, $eventid, $ignore, $list, $tags, $category, $type, $includeInfo, $from, $to);
|
$attributes = $this->Event->csv($org, $isSiteAdmin, $eventid, $ignore, $list, $tags, $category, $type, $includeContext, $from, $to);
|
||||||
$this->loadModel('Whitelist');
|
$this->loadModel('Whitelist');
|
||||||
$final = array();
|
$final = array();
|
||||||
$attributes = $this->Whitelist->removeWhitelistedFromArray($attributes, true);
|
$attributes = $this->Whitelist->removeWhitelistedFromArray($attributes, true);
|
||||||
foreach ($attributes as $attribute) {
|
foreach ($attributes as $attribute) {
|
||||||
$line = $attribute['Attribute']['uuid'] . ',' . $attribute['Attribute']['event_id'] . ',' . $attribute['Attribute']['category'] . ',' . $attribute['Attribute']['type'] . ',' . $attribute['Attribute']['value'] . ',' . intval($attribute['Attribute']['to_ids']) . ',' . $attribute['Attribute']['timestamp'];
|
$line = $attribute['Attribute']['uuid'] . ',' . $attribute['Attribute']['event_id'] . ',' . $attribute['Attribute']['category'] . ',' . $attribute['Attribute']['type'] . ',' . $attribute['Attribute']['value'] . ',' . intval($attribute['Attribute']['to_ids']) . ',' . $attribute['Attribute']['timestamp'];
|
||||||
if ($includeInfo) $line .= ',' . $attribute['Attribute']['event_info'];
|
if ($includeContext) {
|
||||||
|
foreach($this->Event->csv_event_context_fields_to_fetch as $field => $header) {
|
||||||
|
$line .= ',' . $attribute['Attribute'][$header];
|
||||||
|
}
|
||||||
|
}
|
||||||
$final[] = $line;
|
$final[] = $line;
|
||||||
}
|
}
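Review bot: The context loop at the `$line .= ',' . $attribute['Attribute'][$header];` line reads every column named in `csv_event_context_fields_to_fetch`, but the model's attachEventInfoToAttributes() drops or renames the `org`/`orgc` columns for non-site-admins depending on MISP.showorg / MISP.showorgalternate, so for those users the row hits an undefined index (empty column) for event_member_org/event_source_org while the renamed event_owner_org value is never emitted; the header row built in the next hunk from `array_values($this->Event->csv_event_context_fields_to_fetch)` has the same mismatch, so columns silently shift for the affected users. The cleanest fix is to have the model return the effective header-name list it actually attached (after the showorg adjustments) and use that list both here and for the `$headers` line, rather than a fixed property. Separately, event info and org names are free text and are appended unquoted, whereas `value` is wrapped in quotes by the model; a comma, quote or newline in an event's info field breaks the row layout for every attribute of that event, so at minimum quote these fields, e.g. `$line .= ',"' . str_replace('"', '""', $attribute['Attribute'][$header]) . '"';` (or build the rows with fputcsv on a php://memory stream).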
|
||||||
|
|
||||||
|
@ -1918,7 +1922,7 @@ class EventsController extends AppController {
|
||||||
}
|
}
|
||||||
$this->layout = 'text/default';
|
$this->layout = 'text/default';
|
||||||
$headers = array('uuid', 'event_id', 'category', 'type', 'value', 'to_ids', 'date');
|
$headers = array('uuid', 'event_id', 'category', 'type', 'value', 'to_ids', 'date');
|
||||||
if ($includeInfo) $headers[] = 'event_info';
|
if ($includeContext) $headers = array_merge($headers, array_values($this->Event->csv_event_context_fields_to_fetch));
|
||||||
$this->set('headers', $headers);
|
$this->set('headers', $headers);
|
||||||
$this->set('final', $final);
|
$this->set('final', $final);
|
||||||
}
|
}
|
||||||
|
|
|
@ -115,6 +115,16 @@ class Event extends AppModel {
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
|
|
||||||
|
public $csv_event_context_fields_to_fetch = array(
|
||||||
|
'info' => 'event_info',
|
||||||
|
'org' => 'event_member_org',
|
||||||
|
'orgc' => 'event_source_org',
|
||||||
|
'distribution' => 'event_distribution',
|
||||||
|
'threat_level_id' => 'event_threat_level_id',
|
||||||
|
'analysis' => 'event_analysis',
|
||||||
|
'date' => 'event_date',
|
||||||
|
);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Validation rules
|
* Validation rules
|
||||||
*
|
*
|
||||||
|
@ -920,7 +930,7 @@ class Event extends AppModel {
|
||||||
}
|
}
|
||||||
return $results;
|
return $results;
|
||||||
}
|
}
|
||||||
public function csv($org, $isSiteAdmin, $eventid=false, $ignore=false, $attributeIDList = array(), $tags = false, $category = false, $type = false, $includeInfo = false, $from = false, $to = false) {
|
public function csv($org, $isSiteAdmin, $eventid=false, $ignore=false, $attributeIDList = array(), $tags = false, $category = false, $type = false, $includeContext = false, $from = false, $to = false) {
|
||||||
$final = array();
|
$final = array();
|
||||||
$attributeList = array();
|
$attributeList = array();
|
||||||
$conditions = array();
|
$conditions = array();
|
||||||
|
@ -996,26 +1006,51 @@ class Event extends AppModel {
|
||||||
$attribute['Attribute']['value'] = '"' . $attribute['Attribute']['value'] . '"';
|
$attribute['Attribute']['value'] = '"' . $attribute['Attribute']['value'] . '"';
|
||||||
$attribute['Attribute']['timestamp'] = date('Ymd', $attribute['Attribute']['timestamp']);
|
$attribute['Attribute']['timestamp'] = date('Ymd', $attribute['Attribute']['timestamp']);
|
||||||
}
|
}
|
||||||
if ($includeInfo) $attributes = $this->attachEventInfoToAttributes($attributes);
|
if ($includeContext) $attributes = $this->attachEventInfoToAttributes($attributes, $isSiteAdmin);
|
||||||
return $attributes;
|
return $attributes;
|
||||||
}
|
}
|
||||||
|
|
||||||
private function attachEventInfoToAttributes($attributes) {
|
private function attachEventInfoToAttributes($attributes, $isSiteAdmin) {
|
||||||
|
$TLs = $this->ThreatLevel->find('all', array(
|
||||||
|
'recursive' => -1,
|
||||||
|
));
|
||||||
$event_ids = array();
|
$event_ids = array();
|
||||||
foreach ($attributes as &$attribute) {
|
foreach ($attributes as &$attribute) {
|
||||||
if (!in_array($attribute['Attribute']['event_id'], $event_ids)) $event_ids[] = $attribute['Attribute']['event_id'];
|
if (!in_array($attribute['Attribute']['event_id'], $event_ids)) $event_ids[] = $attribute['Attribute']['event_id'];
|
||||||
}
|
}
|
||||||
|
$context_fields = array('id' => null);
|
||||||
|
$context_fields = array_merge($context_fields, $this->csv_event_context_fields_to_fetch);
|
||||||
|
if (!Configure::read('MISP.showorg') && !$isSiteAdmin) {
|
||||||
|
unset($context_fields['orgc']);
|
||||||
|
unset($context_fields['org']);
|
||||||
|
} else if (!Configure::read('MISP.showorgalternate') && !$isSiteAdmin) {
|
||||||
|
$context_fields['orgc'] = 'event_org';
|
||||||
|
$context_fields['org'] = 'event_owner_org';
|
||||||
|
unset($context_fields['orgc']);
|
||||||
|
}
|
||||||
|
|
||||||
$events = $this->find('all', array(
|
$events = $this->find('all', array(
|
||||||
'recursive' => -1,
|
'recursive' => -1,
|
||||||
'fields' => array('id', 'info'),
|
'fields' => array_keys($context_fields),
|
||||||
'conditions' => array('id' => $event_ids),
|
'conditions' => array('id' => $event_ids),
|
||||||
));
|
));
|
||||||
$event_id_info = array();
|
$event_id_data = array();
|
||||||
|
unset($context_fields['id']);
|
||||||
foreach ($events as $event) {
|
foreach ($events as $event) {
|
||||||
$event_id_info[$event['Event']['id']] = $event['Event']['info'];
|
foreach ($context_fields as $field => $header_name) $event_id_data[$event['Event']['id']][$header_name] = $event['Event'][$field];
|
||||||
}
|
}
|
||||||
foreach ($attributes as &$attribute) {
|
foreach ($attributes as &$attribute) {
|
||||||
$attribute['Attribute']['event_info'] = $event_id_info[$attribute['Attribute']['event_id']];
|
foreach ($context_fields as $field => $header_name) {
|
||||||
|
if ($header_name == 'event_threat_level_id') {
|
||||||
|
$attribute['Attribute'][$header_name] = $TLs[$event_id_data[$attribute['Attribute']['event_id']][$header_name]]['ThreatLevel']['name'];
|
||||||
|
} else if ($header_name == 'event_distribution') {
|
||||||
|
$attribute['Attribute'][$header_name] = $this->distributionLevels[$event_id_data[$attribute['Attribute']['event_id']][$header_name]];
|
||||||
|
} else if ($header_name == 'event_analysis') {
|
||||||
|
$attribute['Attribute'][$header_name] = $this->analysisLevels[$event_id_data[$attribute['Attribute']['event_id']][$header_name]];
|
||||||
|
} else {
|
||||||
|
$attribute['Attribute'][$header_name] = $event_id_data[$attribute['Attribute']['event_id']][$header_name];
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
return $attributes;
|
return $attributes;
|
||||||
}
|
}
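Review bot: The threat-level lookup `$TLs[$event_id_data[...]['event_threat_level_id']]['ThreatLevel']['name']` indexes the result of `$this->ThreatLevel->find('all', ...)`, which in CakePHP is a 0-based list, not a map keyed by id, so a threat_level_id of 1 resolves to the second record and the highest id falls off the end with an undefined-offset notice and an empty column. Fetch a keyed map instead, e.g. `$TLs = $this->ThreatLevel->find('list', array('fields' => array('id', 'name')));` and then `$attribute['Attribute'][$header_name] = $TLs[$event_id_data[$attribute['Attribute']['event_id']][$header_name]];`, assuming the ThreatLevel association is loaded on this model (not visible in the hunk). In the `else if (!Configure::read('MISP.showorgalternate') ...)` branch the assignment `$context_fields['orgc'] = 'event_org';` is dead because `orgc` is unset two lines later; either drop the assignment or, if the intent was to hide only the source org, remove the unset and keep the rename so readers are not left guessing which column is meant to survive.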
|
||||||
|
|
|
@ -43,13 +43,16 @@ Use semicolons instead (the search will automatically search for colons instead)
|
||||||
<p>You can configure your tools to automatically download the following file:</p>
|
<p>You can configure your tools to automatically download the following file:</p>
|
||||||
<pre><?php echo Configure::read('MISP.baseurl');?>/events/csv/download/</pre>
|
<pre><?php echo Configure::read('MISP.baseurl');?>/events/csv/download/</pre>
|
||||||
<p>You can specify additional flags for CSV exports as follows::</p>
|
<p>You can specify additional flags for CSV exports as follows::</p>
|
||||||
<pre><?php echo Configure::read('MISP.baseurl');?>/events/csv/download/[eventid]/[ignore]/[tags]/[category]/[type]/[includeInfo]/[from]/[to]</pre>
|
<pre><?php echo Configure::read('MISP.baseurl');?>/events/csv/download/[eventid]/[ignore]/[tags]/[category]/[type]/[includeContext]/[from]/[to]</pre>
|
||||||
<p>
|
<p>
|
||||||
<b>eventid</b>: Restrict the download to a single event<br />
|
<b>eventid</b>: Restrict the download to a single event<br />
|
||||||
|
<b>ignore</b>: Setting this flag to true will include attributes that are not marked "to_ids".<br />
|
||||||
<b>tags</b>: To include a tag in the results just write its names into this parameter. To exclude a tag prepend it with a '!'.
|
<b>tags</b>: To include a tag in the results just write its names into this parameter. To exclude a tag prepend it with a '!'.
|
||||||
You can also chain several tag commands together with the '&&' operator. Please be aware the colons (:) cannot be used in the tag search.
|
You can also chain several tag commands together with the '&&' operator. Please be aware the colons (:) cannot be used in the tag search.
|
||||||
Use semicolons instead (the search will automatically search for colons instead). For example, to include tag1 and tag2 but exclude tag3 you would use:<br />
|
Use semicolons instead (the search will automatically search for colons instead). For example, to include tag1 and tag2 but exclude tag3 you would use:<br />
|
||||||
<b>ignore</b>: Setting this flag to true will include attributes that are not marked "to_ids".<br />
|
<b>category</b>: The attribute category, any valid MISP attribute category is accepted.<br />
|
||||||
|
<b>type</b>: The attribute type, any valid MISP attribute type is accepted.<br />
|
||||||
|
<b>includeContext</b>: Include the event data with each attribute.<br />
|
||||||
<b>from</b>: Events with the date set to a date after the one specified in the from field (format: 2015-02-03)<br />
|
<b>from</b>: Events with the date set to a date after the one specified in the from field (format: 2015-02-03)<br />
|
||||||
<b>to</b>: Events with the date set to a date before the one specified in the to field (format: 2015-02-03)<br />
|
<b>to</b>: Events with the date set to a date before the one specified in the to field (format: 2015-02-03)<br />
|
||||||
</p>
|
</p>
|
||||||
|
|