-
Notifications
You must be signed in to change notification settings - Fork 101
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #1072 from ninoseki/yeti
feat: support Yeti
- Loading branch information
Showing
10 changed files
with
236 additions
and
6 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
# Yeti | ||
|
||
- [https://yeti-platform.io/](https://yeti-platform.io/) | ||
|
||
This emitter creates observables on Yeti. | ||
|
||
```yaml | ||
emitter: yeti | ||
url: ... | ||
api_key: ... | ||
``` | ||
## Components | ||
### URL | ||
`url` (`string`) is a Yeti URL. Optional. Configurable via `YETI_URL` environment variable. | ||
|
||
### API Key | ||
|
||
`api_key` (`string`) is an API key. Optional. Configurable via `YETI_API_KEY` environment variable. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,38 @@ | ||
# frozen_string_literal: true | ||
|
||
module Mihari | ||
module Clients | ||
# | ||
# Yeti API client | ||
# | ||
class Yeti < Base | ||
# | ||
# @param [String] base_url | ||
# @param [String, nil] api_key | ||
# @param [Hash] headers | ||
# @param [Integer, nil] timeout | ||
# | ||
def initialize(base_url, api_key:, headers: {}, timeout: nil) | ||
raise(ArgumentError, "api_key is required") unless api_key | ||
|
||
headers["x-yeti-apikey"] = api_key | ||
super(base_url, headers:, timeout:) | ||
end | ||
|
||
def get_token | ||
res = post_json("/api/v2/auth/api-token") | ||
res["access_token"] | ||
end | ||
|
||
# | ||
# @param [Hash] json | ||
# | ||
# @return [Hash] | ||
# | ||
def create_observables(json) | ||
token = get_token | ||
post_json("/api/v2/observables/bulk", json:, headers: {authorization: "Bearer #{token}"}) | ||
end | ||
end | ||
end | ||
end |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,107 @@ | ||
# frozen_string_literal: true | ||
|
||
module Mihari | ||
module Emitters | ||
class Yeti < Base | ||
# @return [String, nil] | ||
attr_reader :url | ||
|
||
# @return [String, nil] | ||
attr_reader :api_key | ||
|
||
# @return [Array<Mihari::Models::Artifact>] | ||
attr_accessor :artifacts | ||
|
||
# | ||
# @param [Mihari::Rule] rule | ||
# @param [Hash, nil] options | ||
# @param [Hash] params | ||
# | ||
def initialize(rule:, options: nil, **params) | ||
super(rule:, options:) | ||
|
||
@url = params[:url] || Mihari.config.yeti_url | ||
@api_key = params[:api_key] || Mihari.config.yeti_api_key | ||
|
||
@artifacts = [] | ||
end | ||
|
||
# | ||
# @return [Boolean] | ||
# | ||
def configured? | ||
api_key? && url? | ||
end | ||
|
||
# | ||
# Create a Hive alert | ||
# | ||
# @param [Array<Mihari::Models::Artifact>] artifacts | ||
# | ||
def call(artifacts) | ||
return if artifacts.empty? | ||
|
||
@artifacts = artifacts | ||
|
||
client.create_observables({observables:}) | ||
end | ||
|
||
# | ||
# @return [String] | ||
# | ||
def target | ||
URI(url).host || "N/A" | ||
end | ||
|
||
private | ||
|
||
def client | ||
Clients::Yeti.new(url, api_key:, timeout:) | ||
end | ||
|
||
# | ||
# Check whether a URL is set or not | ||
# | ||
# @return [Boolean] | ||
# | ||
def url? | ||
!url.nil? | ||
end | ||
|
||
def acceptable_artifacts | ||
artifacts.reject { |artifact| artifact.data_type == "mail" } | ||
end | ||
|
||
# | ||
# @param [Mihari::Models::Artifact] artifact | ||
# | ||
# @return [Hash] | ||
# | ||
def artifact_to_observable(artifact) | ||
convert_table = { | ||
domain: "hostname", | ||
ip: "ipv4" | ||
} | ||
|
||
type = lambda do | ||
detailed_type = DataType.detailed_type(artifact.data) | ||
convert_table[detailed_type.to_sym] || detailed_type || artifact.data_type | ||
end.call | ||
|
||
{ | ||
tags:, | ||
type:, | ||
value: artifact.data | ||
} | ||
end | ||
|
||
def tags | ||
@tags ||= rule.tags.map(&:name) | ||
end | ||
|
||
def observables | ||
acceptable_artifacts.map { |artifact| artifact_to_observable(artifact) } | ||
end | ||
end | ||
end | ||
end |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,47 @@ | ||
# frozen_string_literal: true | ||
|
||
RSpec.describe Mihari::Emitters::Yeti do | ||
subject(:emitter) { described_class.new(rule:) } | ||
|
||
include_context "with mocked logger" | ||
|
||
let_it_be(:rule) { Mihari::Rule.from_model FactoryBot.create(:rule) } | ||
let!(:artifacts) { [Mihari::Models::Artifact.new(data: "1.1.1.1")] } | ||
|
||
describe "#configured?" do | ||
it do | ||
expect(emitter.configured?).to be(true) | ||
end | ||
|
||
context "without YETI_URL" do | ||
before do | ||
allow(Mihari.config).to receive(:yeti_url).and_return(nil) | ||
end | ||
|
||
it do | ||
expect(emitter.configured?).to be(false) | ||
end | ||
end | ||
end | ||
|
||
describe "#call" do | ||
let!(:mock_client) { instance_double("client") } | ||
let!(:mocked_emitter) { described_class.new(rule:) } | ||
|
||
before do | ||
allow(mocked_emitter).to receive(:client).and_return(mock_client) | ||
allow(mock_client).to receive(:create_observables) | ||
end | ||
|
||
it do | ||
mocked_emitter.call artifacts | ||
expect(mock_client).to have_received(:create_observables) | ||
end | ||
end | ||
|
||
describe "#target" do | ||
it do | ||
expect(emitter.target).to be_a(String) | ||
end | ||
end | ||
end |