Merge pull request #540 from Security-Onion-Solutions/cogburn/sigma-d…

…escription Extract ElastAlert Description
Security-Onion-Solutions · Jun 11, 2024 · 3e1c59a · 3e1c59a
2 parents 4daff2e + 9fb833b
commit 3e1c59a
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 1 deletion.
diff --git a/html/js/routes/detection.js b/html/js/routes/detection.js
@@ -233,6 +233,13 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 					}
 
 					break;
+				case 'elastalert':
+					const yaml = jsyaml.load(this.detect.content, { schema: jsyaml.FAILSAFE_SCHEMA });
+					if (yaml.description) {
+						this.extractedSummary = yaml.description;
+						break;
+					}
+					// else fall through
 				default:
 					if (this.detect.description) {
 						this.extractedSummary = this.detect.description;

diff --git a/html/js/routes/detection.test.js b/html/js/routes/detection.test.js
@@ -76,7 +76,7 @@ test('extract elastalert', () => {
 	comp.extractLogic();
 	comp.extractDetails();
 
-	expect(comp.extractedSummary).toBe('Title');
+	expect(comp.extractedSummary).toBe('Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant');
 	expect(comp.extractedReferences).toEqual([
 		{ type: 'url', text: 'https://twitter.com/DrunkBinary/status/1063075530180886529', link: 'https://twitter.com/DrunkBinary/status/1063075530180886529' },
 		{ type: 'url', text: 'https://www.mandiant.com/resources/blog/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign', link: 'https://www.mandiant.com/resources/blog/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign' },
@@ -85,6 +85,21 @@ test('extract elastalert', () => {
 	expect(comp.extractedLogicClass).toBe('language-yaml');
 	expect(comp.extractedCreated).toBe('2018/11/20');
 	expect(comp.extractedUpdated).toBe('2023/02/20');
+
+	// content with no description
+	comp.detect.content = `title: APT29 2018 Phishing Campaign File Indicators\nid: 3a3f81ca-652c-482b-adeb-b1c804727f74\nrelated:\n  - id: 7453575c-a747-40b9-839b-125a0aae324b # ProcessCreation\n    type: derived\nstatus: stable\nreferences:\n  - https://twitter.com/DrunkBinary/status/1063075530180886529\n  - https://www.mandiant.com/resources/blog/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign\nauthor: '@41thexplorer'\ndate: 2018/11/20\nmodified: 2023/02/20\ntags:\n  - attack.defense_evasion\n  - attack.t1218.011\n  - detection.emerging_threats\nlogsource:\n  product: windows\n  category: file_event\ndetection:\n  selection:\n    TargetFilename|contains:\n      - 'ds7002.lnk'\n      - 'ds7002.pdf'\n      - 'ds7002.zip'\n    condition: selection\nfalsepositives:\n  - Unlikely\nlevel: critical`;
+	comp.detect.description = 'Description'
+	comp.extractSummary();
+
+	// fallback first to detection Description...
+	expect(comp.extractedSummary).toBe('Description');
+
+	comp.detect.description = '';
+
+	comp.extractSummary();
+
+	// ... else fallback to title
+	expect(comp.extractedSummary).toBe('Title');
 });
 
 test('fixProtocol', () => {