From 9fb833bbcc9e888e1472a6b0ad9e0e81a414ff64 Mon Sep 17 00:00:00 2001
From: Corey Ogburn
Date: Tue, 11 Jun 2024 13:20:16 -0600
Subject: [PATCH] Extract ElastAlert Description

Check the yaml for an elastalert description. If not present, fall back to the Detection's description, and finally the Detection title. Updated test for various fallback scenarios.
---
 html/js/routes/detection.js | 7 +++++++
 html/js/routes/detection.test.js | 17 ++++++++++++++++-
 2 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/html/js/routes/detection.js b/html/js/routes/detection.js
index 26061baa..c59abc81 100644
--- a/html/js/routes/detection.js
+++ b/html/js/routes/detection.js
@@ -233,6 +233,13 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 }
 break;
+ case 'elastalert':
+ const yaml = jsyaml.load(this.detect.content, { schema: jsyaml.FAILSAFE_SCHEMA });
+ if (yaml.description) {
+ this.extractedSummary = yaml.description;
+ break;
+ }
+ // else fall through
 default:
 if (this.detect.description) {
 this.extractedSummary = this.detect.description;
diff --git a/html/js/routes/detection.test.js b/html/js/routes/detection.test.js
index 1172844a..0b42e565 100644
--- a/html/js/routes/detection.test.js
+++ b/html/js/routes/detection.test.js
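Review bot: The new `case 'elastalert'` has no error path for content that does not parse: `jsyaml.load` throws a YAMLException on malformed YAML and returns `undefined` for an empty document, so the method either propagates the exception or fails with a TypeError on `yaml.description` instead of falling back to the detection's description and title as the commit message describes. Keeping `FAILSAFE_SCHEMA` is the right choice for rule content the user did not author themselves (no tag resolution, every scalar stays a string), but under that schema a `description:` written as a list or mapping is also not a string, so the guard should be `yaml && typeof yaml.description === 'string'` rather than a truthiness test. The `const yaml` declared directly in the case clause is scoped to the whole switch (ESLint `no-case-declarations`); wrapping the case body in a block keeps it local and still falls through to `default:` when the block ends without `break`. The enclosing method (extractSummary, judging by the test file) starts and ends outside this hunk, and the same content appears to be parsed elsewhere for references and dates — if so, reusing that parse would avoid a second load of the document.
```javascript
        case 'elastalert': {
          let yaml;
          try {
            yaml = jsyaml.load(this.detect.content, { schema: jsyaml.FAILSAFE_SCHEMA });
          } catch (e) {
            // Malformed YAML: treat as "no description" and use the fallbacks below.
            yaml = undefined;
          }
          if (yaml && typeof yaml.description === 'string' && yaml.description !== '') {
            this.extractedSummary = yaml.description;
            break;
          }
        }
        // falls through to default
        // … unchanged: default branch using this.detect.description / title …
```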
@@ -76,7 +76,7 @@ test('extract elastalert', () => {
 comp.extractLogic();
 comp.extractDetails();
- expect(comp.extractedSummary).toBe('Title');
+ expect(comp.extractedSummary).toBe('Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant');
 expect(comp.extractedReferences).toEqual([
 { type: 'url', text: 'https://twitter.com/DrunkBinary/status/1063075530180886529', link: 'https://twitter.com/DrunkBinary/status/1063075530180886529' },
 { type: 'url', text: 'https://www.mandiant.com/resources/blog/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign', link: 'https://www.mandiant.com/resources/blog/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign' },
@@ -85,6 +85,21 @@ test('extract elastalert', () => {
 expect(comp.extractedLogicClass).toBe('language-yaml');
 expect(comp.extractedCreated).toBe('2018/11/20');
 expect(comp.extractedUpdated).toBe('2023/02/20');
+
+ // content with no description
+ comp.detect.content = `title: APT29 2018 Phishing Campaign File Indicators\nid: 3a3f81ca-652c-482b-adeb-b1c804727f74\nrelated:\n - id: 7453575c-a747-40b9-839b-125a0aae324b # ProcessCreation\n type: derived\nstatus: stable\nreferences:\n - https://twitter.com/DrunkBinary/status/1063075530180886529\n - https://www.mandiant.com/resources/blog/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign\nauthor: '@41thexplorer'\ndate: 2018/11/20\nmodified: 2023/02/20\ntags:\n - attack.defense_evasion\n - attack.t1218.011\n - detection.emerging_threats\nlogsource:\n product: windows\n category: file_event\ndetection:\n selection:\n TargetFilename|contains:\n - 'ds7002.lnk'\n - 'ds7002.pdf'\n - 'ds7002.zip'\n condition: selection\nfalsepositives:\n - Unlikely\nlevel: critical`;
+ comp.detect.description = 'Description'
+ comp.extractSummary();
+
+ // fallback first to detection Description...
+ expect(comp.extractedSummary).toBe('Description');
+
+ comp.detect.description = '';
+
+ comp.extractSummary();
+
+ // ... else fallback to title
+ expect(comp.extractedSummary).toBe('Title');
 });

 test('fixProtocol', () => {
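Review bot: The new fallback assertions cover a rule without a `description` key but not the two inputs the new elastalert branch is least prepared for — unparseable YAML and empty content — so a regression there would go unnoticed; after the final title assertion, add `comp.detect.content = 'description: [unterminated';` and `expect(() => comp.extractSummary()).not.toThrow();` followed by `expect(comp.extractedSummary).toBe('Title');` (this fails against the detection.js change in this commit, which is the point of adding it). `comp.detect.description = 'Description'` is missing its terminating semicolon, unlike every neighbouring statement. The fixture looks like a Sigma-format rule (`logsource`, `detection.selection`, `condition`) despite being used under the `elastalert` engine; that is adequate for a missing-key check, but a one-line comment such as `// Sigma-shaped fixture; only the absence of a description key matters here` would stop a reader from taking it for a real ElastAlert rule. The test body begins before this hunk.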