Merge pull request #1067 from ninoseki/attribute-observable-level-tagging

feat: attribute/observable level tagging
ninoseki authored Mar 2, 2024
2 parents 9a6822b + 7a4521f commit ca1c27b
Showing 6 changed files with 38 additions and 4 deletions.
8 changes: 8 additions & 0 deletions docs/emitters/hive.md
Expand Up @@ -19,3 +19,11 @@ api_key: ...
### API Key

`api_key` (`string`) is an API key. Optional. Configurable via `THEHIVE_API_KEY` environment variable.

### Observable Tags

`observable_tags` (`array[:string]`) is a list of observable tags. Optional. Defaults to `[]`.

!!! note

`tags` of a rule are set as tags of an alert.
8 changes: 8 additions & 0 deletions docs/emitters/misp.md
Expand Up @@ -19,3 +19,11 @@ api_key: ...
### API Key

`api_key` (`string`) is an API key. Optional. Configurable via `MISP_API_KEY` environment variable.

### Attribute Tags

`attribute_tags` (`array[:string]`) is a list of attribute tags. Optional. Defaults to `[]`.

!!! note

`tags` of a rule are set as tags of an event.
12 changes: 10 additions & 2 deletions lib/mihari/emitters/misp.rb
Expand Up @@ -12,6 +12,9 @@ class MISP < Base
# @return [String, nil]
attr_reader :api_key

# @return [Array<String>]
attr_reader :attribute_tags

# @return [Mihari::Rule]
attr_reader :rule

Expand All @@ -28,6 +31,7 @@ def initialize(rule:, options: nil, **params)

@url = params[:url] || Mihari.config.misp_url
@api_key = params[:api_key] || Mihari.config.misp_api_key
@attribute_tags = params[:attribute_tags] || []

@artifacts = []
end
Expand All @@ -51,7 +55,7 @@ def call(artifacts)
Event: {
info: rule.title,
Attribute: artifacts.map { |artifact| build_attribute(artifact) },
Tag: rule.tags.map { |tag| {name: tag} }
Tag: rule.tags.map { |tag| {name: tag.name} }
}
})
end
Expand All @@ -77,7 +81,11 @@ def client
# @return [Hash]
#
def build_attribute(artifact)
{value: artifact.data, type: to_misp_type(type: artifact.data_type, value: artifact.data)}
{
value: artifact.data,
type: to_misp_type(type: artifact.data_type, value: artifact.data),
Tag: attribute_tags.map { |tag| {name: tag} }
}
end

#
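Review bot: `build_attribute` now emits `Tag: []` on every attribute whenever `attribute_tags` is left at the `[]` default set in `initialize`, so each attribute carries an empty tag list instead of no `Tag` key at all; adding the key only when tags are configured keeps the payload unchanged for existing rules: `attribute = {value: artifact.data, type: to_misp_type(type: artifact.data_type, value: artifact.data)}` followed by `attribute[:Tag] = attribute_tags.map { |tag| {name: tag} } unless attribute_tags.empty?`. The tag names are forwarded verbatim and applied to every attribute the rule emits; since MISP presumably creates tags it does not yet know and taxonomy tags such as TLP influence sharing (to be confirmed against the target instance), the reader would benefit from `# @return [Array<String>] tag names attached verbatim to every attribute emitted by this rule`. The enclosing `MISP` class and the `to_misp_type` helper continue outside the hunk.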
9 changes: 7 additions & 2 deletions lib/mihari/emitters/the_hive.rb
Expand Up @@ -9,6 +9,9 @@ class TheHive < Base
# @return [String, nil]
attr_reader :api_key

# @return [Array<String>]
attr_reader :observable_tags

# @return [Array<Mihari::Models::Artifact>]
attr_accessor :artifacts

Expand All @@ -22,6 +25,7 @@ def initialize(rule:, options: nil, **params)

@url = params[:url] || Mihari.config.thehive_url
@api_key = params[:api_key] || Mihari.config.thehive_api_key
@observable_tags = params[:observable_tags] || []

@artifacts = []
end
Expand Down Expand Up @@ -81,10 +85,11 @@ def payload
{
data: artifact.data,
data_type: artifact.data_type,
message: rule.description
message: rule.description,
tags: observable_tags
}
end,
tags: rule.tags,
tags: rule.tags.map(&:name),
type: "external",
source: "mihari",
source_ref: SecureRandom.uuid
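Review bot: `@observable_tags = params[:observable_tags] || []` in `initialize` keeps whatever non-nil value the caller passes, so an emitter constructed directly with a single string (bypassing the `TheHive` schema in `lib/mihari/schemas/emitter.rb`, which is what enforces `array { filled(:string) }`) would send that string as the observable `tags` value built in `payload`; `Array(params[:observable_tags])` accepts nil, a string or an array and still yields the `[]` default. The tags set on each observable are forwarded verbatim to TheHive, which is worth stating on the reader: `# @return [Array<String>] tag names attached verbatim to every observable of the alert`. Both `initialize` and `payload` start outside their hunks.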
3 changes: 3 additions & 0 deletions lib/mihari/models/tag.rb
Expand Up @@ -6,6 +6,9 @@ module Models
# Tag model
#
class Tag < ActiveRecord::Base
# @!attribute [rw] name
# @return [String]

has_many :taggings, dependent: :destroy

include SearchCop
2 changes: 2 additions & 0 deletions lib/mihari/schemas/emitter.rb
Expand Up @@ -17,13 +17,15 @@ module Emitters
required(:emitter).value(Types::String.enum(*Mihari::Emitters::MISP.keys))
optional(:url).filled(:string)
optional(:api_key).filled(:string)
optional(:attribute_tags).array { filled(:string) }.default([])
optional(:options).hash(EmitterOptions)
end

TheHive = Dry::Schema.Params do
required(:emitter).value(Types::String.enum(*Mihari::Emitters::TheHive.keys))
optional(:url).filled(:string)
optional(:api_key).filled(:string)
optional(:observable_tags).array { filled(:string) }.default([])
optional(:options).hash(EmitterOptions)
end

