Merge pull request #345 from Security-Onion-Solutions/feature/process…

…-ancestry-action

FEATURE: Add new SOC action to show process ancestry Security-Onion-Solutions/securityonion#12345

html/js/app.js

@@ -197,6 +197,17 @@ $(document).ready(function() {
         }
         return content
       },
+      processAncestors(content) {
+        content = content.toString();
+        if (content.replace) {
+          try {
+            content = content.replace(/,/g, "\" OR process.entity_id:\"");
+          } catch (e) {
+            console.error("Failed to set process ancestors for content: " + e);
+          }
+        }
+        return content
+      },
       replaceActionVar(content, field, value, uriEncode) {
         if (value === undefined || value == null) return content;
 
@@ -211,6 +222,7 @@ $(document).ready(function() {
         content = content.replace("{" + field + "|base64}", encode(this.base64encode(value)));
         content = content.replace("{" + field + "|escape}", encode(this.escape(value)));
         content = content.replace("{" + field + "|escape|base64}", encode(this.base64encode(this.escape(value))));
+        content = content.replace("{" + field + "|processAncestors}", encode(this.processAncestors(value)));
         return content;
       },
       copyToClipboard(data, style) {

html/js/app.test.js

@@ -20,6 +20,12 @@ test('base64encode', () => {
   expect(app.base64encode('hello')).toBe('aGVsbG8=');
 });
 
+test('processAncestors', () => {
+  expect(app.processAncestors([])).toBe('');
+  expect(app.processAncestors(['asdf1'])).toBe('asdf1');
+  expect(app.processAncestors(['asdf1','asdf2','asdf3'])).toBe('asdf1\" OR process.entity_id:\"asdf2\" OR process.entity_id:\"asdf3');
+});
+
 test('replaceActionVar', () => {
   expect(app.replaceActionVar('test here', 'foo', 'bar', true)).toBe('test here');
   expect(app.replaceActionVar('test {bar} here', 'foo', 'bar', true)).toBe('test {bar} here');
@@ -30,15 +36,13 @@ test('replaceActionVar', () => {
   expect(app.replaceActionVar('test {foo|escape} here', 'foo', 'sand "bar\\bad"', true)).toBe('test sand%20%5C%22bar%5C%5Cbad%5C%22 here');
   expect(app.replaceActionVar('test {foo|escape|base64} here', 'foo', 'sand "bar\\bad"', false)).toBe('test c2FuZCBcImJhclxcYmFkXCI= here');
   expect(app.replaceActionVar('test {foo|escape|base64} here', 'foo', 'sand "bar\\bad"', true)).toBe('test c2FuZCBcImJhclxcYmFkXCI%3D here');
+  expect(app.replaceActionVar('test {foo|processAncestors} here', 'foo', '', true)).toBe('test  here');
+  expect(app.replaceActionVar('test {foo|processAncestors} here', 'foo', 'bar', true)).toBe('test bar here');
+  expect(app.replaceActionVar('test {foo|processAncestors} here', 'foo', ['asdf1','asdf2','asdf3'], true)).toBe('test asdf1%22%20OR%20process.entity_id%3A%22asdf2%22%20OR%20process.entity_id%3A%22asdf3 here');
   expect(app.replaceActionVar('test {foo} here', 'foo', null, true)).toBe('test {foo} here');
   expect(app.replaceActionVar('test {foo} here', 'foo', undefined, true)).toBe('test {foo} here');
 });
 
-test('base64encode', () => {
-  expect(app.base64encode('')).toBe('');
-  expect(app.base64encode('hello')).toBe('aGVsbG8=');
-});
-
 test('formatMarkdown', () => {
   expect(app.formatMarkdown('```code```')).toBe('<p><code>code</code></p>\n');
   expect(app.formatMarkdown('<scripts src="https://somebad.place"></script>bad')).toBe('<p>bad</p>\n');
@@ -461,4 +465,4 @@ test('checkForUnauthorized', () => {
   testCheckForUnauthorized('/foo/', {}, null, false);
   testCheckForUnauthorized('/login/banner.md', {}, '/blah', false);
   testCheckForUnauthorized('/auth/self-service/login/browser', {}, '/blah', true);
-});
+});

html/js/i18n.js

@@ -34,6 +34,10 @@ const i18n = {
       actionHuntHelp: 'Hunt for this field',
       actionPcap: 'PCAP',
       actionPcapHelp: 'Show PCAP for this event',
+      actionProcessAncestors: 'Process ancestors',
+      actionProcessAncestorsHelp: 'Show all parent processes for this process',
+      actionSublime: 'Sublime Platform Email Review',
+      actionSublimeHelp: 'Review email in Sublime Platform',
       actionSuccess: 'Action completed: ',
       actionVirusTotal: 'VirusTotal',
       actionVirusTotalHelp: 'Analyze this field at virustotal.com',