[Bps-public-commit] rtir-extension-misp branch master updated. 01bed9682c69df9435003604f1f8bf2868f82b13

BPS Git Server git at git.bestpractical.com
Thu Oct 7 15:16:47 UTC 2021



The branch, master has been updated
       via  01bed9682c69df9435003604f1f8bf2868f82b13 (commit)
       via  208a66987f092b0c0e233cd8b379974c8306b8da (commit)
       via  35e61a4b0532c911e7ca6d636e6fc8b2455191ce (commit)
       via  bb07101e47b31ea93b16fbe1c1bcf4eff46de066 (commit)
       via  1a28b72717ce04b69d6e458ecd1cbba9866ae795 (commit)
      from  f626878577839fa9635838c6f8add47833c012a8 (commit)


- Log -----------------------------------------------------------------
commit 01bed9682c69df9435003604f1f8bf2868f82b13
Author: sunnavy <sunnavy at bestpractical.com>
Date:   Thu Oct 7 22:54:37 2021 +0800

    Clean up debug messages

diff --git a/lib/RTIR/Extension/MISP.pm b/lib/RTIR/Extension/MISP.pm
index ec99578..8c3e600 100644
--- a/lib/RTIR/Extension/MISP.pm
+++ b/lib/RTIR/Extension/MISP.pm
@@ -212,7 +212,6 @@ sub AddRTIRObjectToMISP {
 
     my @attributes;
     foreach my $attribute ( keys %attribute_fields ) {
-        warn "for $attribute: " . $attribute_fields{$attribute};
         next unless $attribute_fields{$attribute};
         push @attributes, {
             'uuid' => create_uuid_as_string(UUID_V4),
commit 208a66987f092b0c0e233cd8b379974c8306b8da
Author: sunnavy <sunnavy at bestpractical.com>
Date:   Thu Oct 7 22:54:03 2021 +0800

    Support to create MISP events in RTIR

diff --git a/html/Callbacks/RTIR-Extension-MISP/Elements/Tabs/Privileged b/html/Callbacks/RTIR-Extension-MISP/Elements/Tabs/Privileged
index 21e6453..921ff2b 100644
--- a/html/Callbacks/RTIR-Extension-MISP/Elements/Tabs/Privileged
+++ b/html/Callbacks/RTIR-Extension-MISP/Elements/Tabs/Privileged
@@ -14,9 +14,17 @@ if ( $request_path =~ m{RTIR/Incident/Display\.html$} ) {
 
     # my $actions_tab = PageMenu()->child( actions => title => loc('Actions'), sort_order  => 95 );
 
-    PageMenu()->child('actions')->child(
-        update_misp_event => title => loc('Update MISP Event'),
-        path  => RT::IR->HREFTo("Incident/Display.html?id=$id&UpdateMISPEvent=1", IncludeWebPath => 0),
-    );
+    if ( $ticket->FirstCustomFieldValue('MISP Event ID') ) {
+        PageMenu()->child('actions')->child(
+            update_misp_event => title => loc('Update MISP Event'),
+            path  => RT::IR->HREFTo("Incident/Display.html?id=$id&UpdateMISPEvent=1", IncludeWebPath => 0),
+        );
+    }
+    else {
+        PageMenu()->child('actions')->child(
+            create_misp_event => title => loc('Create MISP Event'),
+            path  => RT::IR->HREFTo("Incident/Display.html?id=$id&CreateMISPEvent=1", IncludeWebPath => 0),
+        );
+    }
 }
 </%init>
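Review bot: The new `Create MISP Event` entry is offered whenever the custom field is empty, with no check that the viewer can write back the IDs the create path stores, so a user with read-only access to the incident is handed an action that creates an event in MISP and then cannot record its ID on the ticket. Wrapping both branches in `if ( $ticket->CurrentUserHasRight('ModifyTicket') ) {` keeps the menu in step with what the handler can actually complete; which right is the correct one depends on how the custom fields are configured, so confirm against the CF rights in use. `$ticket` is defined above the hunk.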
diff --git a/html/Callbacks/RTIR-Extension-MISP/RTIR/Incident/Display.html/ProcessArguments b/html/Callbacks/RTIR-Extension-MISP/RTIR/Incident/Display.html/ProcessArguments
index 4609e4c..f7b8fb6 100644
--- a/html/Callbacks/RTIR-Extension-MISP/RTIR/Incident/Display.html/ProcessArguments
+++ b/html/Callbacks/RTIR-Extension-MISP/RTIR/Incident/Display.html/ProcessArguments
@@ -1,12 +1,5 @@
 <%init>
-if ( $ARGSRef->{UpdateMISPEvent} ) {
-    my $event_id = $Ticket->FirstCustomFieldValue('MISP Event ID');
-
-    if ( not $event_id ) {
-        push @$Actions, 'No MISP Event ID found, nothing to update';
-        return;
-    }
-
+if ( $ARGSRef->{CreateMISPEvent} || $ARGSRef->{UpdateMISPEvent} ) {
     my ($ok, $msg) = RTIR::Extension::MISP::AddRTIRObjectToMISP($Ticket);
 
     push @$Actions, $msg;
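Review bot: Dropping the early return means `UpdateMISPEvent=1` on an incident with no `MISP Event ID` now creates an event instead of reporting "nothing to update", so the two request parameters behave identically and a stale or bookmarked update link silently creates one. Keeping the distinction is one statement before the call: `if ( $ARGSRef->{UpdateMISPEvent} && !$Ticket->FirstCustomFieldValue('MISP Event ID') ) { push @$Actions, 'No MISP Event ID found, nothing to update'; return; }`. Both parameters also reach the outbound MISP POST before any RT right is checked, so consider `return unless $Ticket->CurrentUserHasRight('ModifyTicket');` at the top of the branch. `$ok` is assigned and never read. The `<%init>` block continues past the hunk.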
diff --git a/lib/RTIR/Extension/MISP.pm b/lib/RTIR/Extension/MISP.pm
index 98e57a9..ec99578 100644
--- a/lib/RTIR/Extension/MISP.pm
+++ b/lib/RTIR/Extension/MISP.pm
@@ -180,6 +180,13 @@ sub AddRTIRObjectToMISP {
     my $url = GetMISPBaseURL();
 
     my $event_id = $ticket->FirstCustomFieldValue('MISP Event ID');
+    if ( !$event_id ) {
+        ( $event_id, my $msg ) = CreateMISPEvent($ticket);
+        if ( !$event_id ) {
+            RT->Logger->error("Couldn't load and create event: $msg");
+            return ( 0, 'MISP event update failed' );
+        }
+    }
 
     # This is base object information defined in MISP
     # See: https://github.com/MISP/misp-objects/blob/main/objects/rtir/definition.json
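Review bot: On the create path a failure is logged as "Couldn't load and create event" and surfaced as 'MISP event update failed', which misreports what went wrong both in the log and in the `@$Actions` message a user sees; `return ( 0, 'MISP event create failed' );` fits the new branch. When CreateMISPEvent succeeds at MISP but the custom-field write fails, its success return is a single undef value, so `$msg` here is undefined and the error line warns on interpolation; `$msg // 'MISP Event ID could not be stored on the ticket'` covers that until CreateMISPEvent returns a pair on both paths. AddRTIRObjectToMISP starts before and ends after this hunk.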
@@ -296,4 +303,34 @@ sub AddRTIRObjectToMISP {
     return (1, 'MISP event updated');
 }
 
+sub CreateMISPEvent {
+    my $ticket = shift;
+
+    my $ua = GetUserAgent();
+    my $url = GetMISPBaseURL();
+    my $json = encode_json(
+        {
+            info => $ticket->Subject,
+        }
+    );
+    my $response = $ua->post($url . "/events/add", Content => $json);
+    if ( $response->is_success ) {
+        my $content = decode_json( $response->decoded_content );
+        my ( $ret, $msg ) = $ticket->AddCustomFieldValue( Field => 'MISP Event ID', Value => $content->{Event}{id} );
+        if ( !$ret ) {
+            RT->Logger->error("Unable to update MISP Event ID to $content->{Event}{id}: $msg");
+        }
+
+        ( $ret, $msg ) = $ticket->AddCustomFieldValue( Field => 'MISP Event UUID', Value => $content->{Event}{uuid} );
+        if ( !$ret ) {
+            RT->Logger->error("Unable to update MISP Event UUID to $content->{Event}{uuid}: $msg");
+        }
+        return $ticket->FirstCustomFieldValue('MISP Event ID');
+    }
+    else {
+        RT->Logger->error('Unable to create event: ' . $response->status_line() . $response->decoded_content());
+        return (0, 'MISP event create failed');
+    }
+}
+
 1;
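Review bot: `$content->{Event}{id}` comes straight from the MISP response and is stored into the custom field without checking that it is defined or numeric, although the same value is later concatenated into request paths (`/objects/add/$event_id`, `/attributes/add/$event_id`); `decode_json` on a non-JSON 2xx body (a proxy or login page) also dies uncaught here. The two return shapes differ as well: success returns one scalar, failure a pair, and the success scalar is undef when the field write failed, which leaves an event in MISP that no ticket references and a caller that cannot tell the two cases apart. I would validate the id, catch the decode, and return a pair on every path, as below; the two AddCustomFieldValue calls are unchanged apart from using the validated values.
```perl
    my $response = $ua->post( $url . "/events/add", Content => $json );
    if ( !$response->is_success ) {
        RT->Logger->error( 'Unable to create event: ' . $response->status_line() . ' ' . $response->decoded_content() );
        return ( 0, 'MISP event create failed' );
    }

    my $content = eval { decode_json( $response->decoded_content ) } || {};
    my $id   = $content->{Event}{id};
    my $uuid = $content->{Event}{uuid};
    if ( !defined $id || $id !~ /\A\d+\z/ ) {
        RT->Logger->error( 'Unexpected response from MISP /events/add: ' . ( $@ || $response->decoded_content() ) );
        return ( 0, 'MISP event create failed' );
    }

    # … unchanged: AddCustomFieldValue for 'MISP Event ID' and 'MISP Event UUID', using $id and $uuid …

    my $stored = $ticket->FirstCustomFieldValue('MISP Event ID');
    return $stored
        ? ( $stored, 'MISP event created' )
        : ( 0, "MISP event $id was created but its ID could not be stored on the ticket" );
```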
commit 35e61a4b0532c911e7ca6d636e6fc8b2455191ce
Author: sunnavy <sunnavy at bestpractical.com>
Date:   Thu Oct 7 22:06:28 2021 +0800

    Update existing RTIR object instead of creating a new one when possible

diff --git a/lib/RTIR/Extension/MISP.pm b/lib/RTIR/Extension/MISP.pm
index ab5b3ad..98e57a9 100644
--- a/lib/RTIR/Extension/MISP.pm
+++ b/lib/RTIR/Extension/MISP.pm
@@ -179,6 +179,8 @@ sub AddRTIRObjectToMISP {
     my $ua = GetUserAgent();
     my $url = GetMISPBaseURL();
 
+    my $event_id = $ticket->FirstCustomFieldValue('MISP Event ID');
+
     # This is base object information defined in MISP
     # See: https://github.com/MISP/misp-objects/blob/main/objects/rtir/definition.json
     my %misp_data = (
@@ -216,12 +218,77 @@ sub AddRTIRObjectToMISP {
         }
     }
 
+    if ( my $object_id = $ticket->FirstCustomFieldValue('MISP RTIR Object ID') ) {
+        my $response = $ua->get( $url . '/objects/view/' . $object_id );
+        if ( $response->is_success ) {
+            my $content = decode_json( $response->decoded_content );
+            if ( $content->{Object}{deleted} ) {
+                RT->Logger->debug("Object $object_id has been deleted, will create a new one");
+            }
+            else {
+                my $failed;
+                for my $attribute ( @{ $content->{Object}{Attribute} } ) {
+                    next if $attribute->{deleted};
+                    my $name = $attribute->{object_relation};
+                    if ( ( $attribute_fields{$name} // '' ) ne ( $attribute->{value} // '' ) ) {
+                        my $json     = encode_json( { value => $attribute_fields{$name} } );
+                        my $response = $ua->put( $url . '/attributes/edit/' . $attribute->{id}, Content => $json );
+                        if ( $response->is_success ) {
+                            RT->Logger->debug("Updated attribute $attribute->{id}");
+                        }
+                        else {
+                            RT->Logger->error( "Unable to update attribute $attribute->{id}: "
+                                    . $response->status_line()
+                                    . $response->decoded_content() );
+                            $failed ||= 1;
+                        }
+                    }
+                    delete $attribute_fields{$name};
+                }
+
+                for my $attribute ( keys %attribute_fields ) {
+                    next unless $attribute_fields{$attribute};
+                    my ($data)   = grep { $_->{object_relation} eq $attribute } @attributes;
+                    my $json     = encode_json( { event_id => $event_id, object_id => $object_id, %$data } );
+                    my $response = $ua->post( $url . '/attributes/add/' . $event_id, Content => $json );
+                    if ( $response->is_success ) {
+                        my $content = decode_json( $response->decoded_content );
+                        RT->Logger->debug("Created attribute $content->{Attribute}{id}");
+                    }
+                    else {
+                        RT->Logger->error(
+                            "Unable to create attribute: " . $response->status_line() . $response->decoded_content() );
+                        $failed ||= 1;
+                    }
+                }
+
+                if ($failed) {
+                    return ( 0, 'MISP event update failed' );
+                }
+                else {
+                    return ( 1, 'MISP event updated' );
+                }
+            }
+        }
+        else {
+            RT->Logger->error( "Unable to get object $object_id: " . $response->status_line() . $response->decoded_content() );
+            return ( 0, 'MISP event update failed' );
+        }
+    }
+
     $misp_data{'Attribute'} = \@attributes;
     my $json = encode_json( \%misp_data );
 
-    my $response = $ua->post($url . "/objects/add/" . $ticket->FirstCustomFieldValue("MISP Event ID"), Content => $json);
+    my $response = $ua->post($url . "/objects/add/" . $event_id, Content => $json);
 
-    unless ( $response->is_success ) {
+    if ( $response->is_success ) {
+        my $content = decode_json( $response->decoded_content );
+        my ( $ret, $msg ) = $ticket->AddCustomFieldValue( Field => 'MISP RTIR Object ID', Value => $content->{Object}{id} );
+        if ( !$ret ) {
+            RT->Logger->error("Unable to update MISP RTIR Object ID to $content->{Object}{id}: $msg");
+        }
+    }
+    else {
         RT->Logger->error('Unable to add object to event: ' . $response->status_line() . $response->decoded_content());
         return (0, 'MISP event update failed');
     }
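Review bot: `$object_id` is read from the freeform custom field `MISP RTIR Object ID` and concatenated into the request path on the `/objects/view/` line without validation, and `$event_id` from `MISP Event ID` is used the same way on the `/attributes/add/` and `/objects/add/` lines, so anyone who can edit those fields can steer the extension's authenticated MISP requests at a different object, event or endpoint (a value containing `/` or `?` is enough). If MISP ids are always numeric, as the `$content->{Object}{id}` stored here suggests, rejecting anything else before the first request closes this: `if ( $object_id !~ /\A\d+\z/ ) { RT->Logger->error("Invalid MISP RTIR Object ID '$object_id'"); return ( 0, 'MISP event update failed' ); }` and the same check for `$event_id`. A smaller point: when a field has been cleared on the ticket the edit loop PUTs `value => undef` (JSON null) to `/attributes/edit/`, which may not be what MISP accepts — confirm against its API. AddRTIRObjectToMISP starts before and ends after this hunk.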
commit bb07101e47b31ea93b16fbe1c1bcf4eff46de066
Author: sunnavy <sunnavy at bestpractical.com>
Date:   Thu Oct 7 21:51:26 2021 +0800

    Add custom field "MISP RTIR Object ID" to keep track of RTIR ticket info in MISP

diff --git a/etc/initialdata b/etc/initialdata
index 75c1cc6..8b71cce 100644
--- a/etc/initialdata
+++ b/etc/initialdata
@@ -12,6 +12,11 @@ our @CustomFields = (
         Disabled    => 0,
         Queue       => 'Incidents',
     },
+    {   Name        => 'MISP RTIR Object ID',
+        Type        => 'FreeformSingle',
+        Disabled    => 0,
+        Queue       => 'Incidents',
+    },
 );
 
 1;
commit 1a28b72717ce04b69d6e458ecd1cbba9866ae795
Author: sunnavy <sunnavy at bestpractical.com>
Date:   Thu Oct 7 21:48:45 2021 +0800

    Change to use Event ID to interact with MISP
    
    Unlike UUID, Event ID doesn't change, so it's safer.

diff --git a/lib/RTIR/Extension/MISP.pm b/lib/RTIR/Extension/MISP.pm
index c0351f5..ab5b3ad 100644
--- a/lib/RTIR/Extension/MISP.pm
+++ b/lib/RTIR/Extension/MISP.pm
@@ -219,7 +219,7 @@ sub AddRTIRObjectToMISP {
     $misp_data{'Attribute'} = \@attributes;
     my $json = encode_json( \%misp_data );
 
-    my $response = $ua->post($url . "/objects/add/" . $ticket->FirstCustomFieldValue("MISP Event UUID"), Content => $json);
+    my $response = $ua->post($url . "/objects/add/" . $ticket->FirstCustomFieldValue("MISP Event ID"), Content => $json);
 
     unless ( $response->is_success ) {
         RT->Logger->error('Unable to add object to event: ' . $response->status_line() . $response->decoded_content());
-----------------------------------------------------------------------

Summary of changes:
 etc/initialdata                                    |   5 +
 .../RTIR-Extension-MISP/Elements/Tabs/Privileged   |  16 ++-
 .../RTIR/Incident/Display.html/ProcessArguments    |   9 +-
 lib/RTIR/Extension/MISP.pm                         | 109 ++++++++++++++++++++-
 4 files changed, 124 insertions(+), 15 deletions(-)

