From 924821a6012c526751b8043141fd2c3ae2adeda8 Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Mon, 12 Feb 2024 18:46:22 -0500
Subject: [PATCH 1/5] Add processAncestors to app.js

---
 html/js/app.js | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/html/js/app.js b/html/js/app.js
index e58e6aa99..75c28329e 100644
--- a/html/js/app.js
+++ b/html/js/app.js
@@ -197,6 +197,17 @@ $(document).ready(function() {
       }
       return content
     },
+    processAncestors(content) {
+      content = content.toString();
+      if (content.replace) {
+        try {
+          content = content.replace(/,/g, "\" OR process.entity_id:\"");
+        } catch (e) {
+          console.error("Failed to set process ancestors for content: " + e);
+        }
+      }
+      return content
+    },
     replaceActionVar(content, field, value, uriEncode) {
       if (value === undefined || value == null) return content;
@@ -211,6 +222,7 @@ $(document).ready(function() {
       content = content.replace("{" + field + "|base64}", encode(this.base64encode(value)));
       content = content.replace("{" + field + "|escape}", encode(this.escape(value)));
       content = content.replace("{" + field + "|escape|base64}", encode(this.base64encode(this.escape(value))));
+      content = content.replace("{" + field + "|processAncestors}", encode(this.processAncestors(value)));
       return content;
     },
     copyToClipboard(data, style) {

From 5767e1706e1379c8245428a020c877b1501008a2 Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Mon, 12 Feb 2024 18:47:06 -0500
Subject: [PATCH 2/5] Add actionProcessAncestors translations to i18n.js

---
 html/js/i18n.js | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/html/js/i18n.js b/html/js/i18n.js
index 843d1c35d..d365fe796 100644
--- a/html/js/i18n.js
+++ b/html/js/i18n.js
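Review bot: processAncestors splices field values into a quoted query fragment (`" OR process.entity_id:"`) without escaping `"` or `\` in the values themselves, so an ancestry element that contains a double quote would close the quoted term early and the rest of the value would be read as query syntax once the action template wraps the output in quotes, which the join string strongly suggests it does. The sibling `{field|escape}` path in replaceActionVar already backslash-escapes quotes and backslashes (its tests show `sand "bar\bad"` becoming `sand \"bar\\bad\"`), so the same helper should be applied to each element before joining rather than relying on URI encoding alone. The `if (content.replace)` guard is also always true once `content.toString()` has run, and a regex `String.prototype.replace` does not throw, so the try/catch only suggests a failure mode that cannot occur. I would replace the body with `const ids = Array.isArray(content) ? content : [content];` followed by `return ids.map((id) => this.escape(String(id))).join('" OR process.entity_id:"');`, which additionally stops a single ID containing a comma from being split into two terms; the enclosing methods object starts and ends outside the hunk.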
@@ -34,6 +34,8 @@ const i18n = {
   actionHuntHelp: 'Hunt for this field',
   actionPcap: 'PCAP',
   actionPcapHelp: 'Show PCAP for this event',
+  actionProcessAncestors: 'Process ancestors',
+  actionProcessAncestorsHelp: 'Show all parent processes for this process',
   actionSuccess: 'Action completed: ',
   actionVirusTotal: 'VirusTotal',
   actionVirusTotalHelp: 'Analyze this field at virustotal.com',

From 6252540b528f09a816f2d0e73c1ba64bc30091ca Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Mon, 12 Feb 2024 18:50:18 -0500
Subject: [PATCH 3/5] Add actionSublime translations to i18n.js

---
 html/js/i18n.js | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/html/js/i18n.js b/html/js/i18n.js
index d365fe796..385472ed2 100644
--- a/html/js/i18n.js
+++ b/html/js/i18n.js
@@ -36,6 +36,8 @@ const i18n = {
   actionPcapHelp: 'Show PCAP for this event',
   actionProcessAncestors: 'Process ancestors',
   actionProcessAncestorsHelp: 'Show all parent processes for this process',
+  actionSublime: 'Sublime Platform Email Review',
+  actionSublimeHelp: 'Review email in Sublime Platform',
   actionSuccess: 'Action completed: ',
   actionVirusTotal: 'VirusTotal',
   actionVirusTotalHelp: 'Analyze this field at virustotal.com',

From 8f77774144b3dadc807ab1b843e236a8fc9d1d0f Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Mon, 12 Feb 2024 18:51:52 -0500
Subject: [PATCH 4/5] Add processAncestors tests to app.test.js

---
 html/js/app.test.js | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/html/js/app.test.js b/html/js/app.test.js
index 10b8e8def..4dacb6ca8 100644
--- a/html/js/app.test.js
+++ b/html/js/app.test.js
@@ -20,6 +20,12 @@ test('base64encode', () => {
   expect(app.base64encode('hello')).toBe('aGVsbG8=');
 });
 
+test('processAncestors', () => {
+  expect(app.processAncestors([])).toBe('');
+  expect(app.processAncestors(['asdf1'])).toBe('asdf1');
+  expect(app.processAncestors(['asdf1','asdf2','asdf3'])).toBe('asdf1\" OR process.entity_id:\"asdf2\" OR process.entity_id:\"asdf3');
+});
+
 test('replaceActionVar', () => {
   expect(app.replaceActionVar('test here', 'foo', 'bar', true)).toBe('test here');
   expect(app.replaceActionVar('test {bar} here', 'foo', 'bar', true)).toBe('test {bar} here');
@@ -30,6 +36,9 @@ test('replaceActionVar', () => {
   expect(app.replaceActionVar('test {foo|escape} here', 'foo', 'sand "bar\\bad"', true)).toBe('test sand%20%5C%22bar%5C%5Cbad%5C%22 here');
   expect(app.replaceActionVar('test {foo|escape|base64} here', 'foo', 'sand "bar\\bad"', false)).toBe('test c2FuZCBcImJhclxcYmFkXCI= here');
   expect(app.replaceActionVar('test {foo|escape|base64} here', 'foo', 'sand "bar\\bad"', true)).toBe('test c2FuZCBcImJhclxcYmFkXCI%3D here');
+  expect(app.replaceActionVar('test {foo|processAncestors} here', 'foo', '', true)).toBe('test here');
+  expect(app.replaceActionVar('test {foo|processAncestors} here', 'foo', 'bar', true)).toBe('test bar here');
+  expect(app.replaceActionVar('test {foo|processAncestors} here', 'foo', ['asdf1','asdf2','asdf3'], true)).toBe('test asdf1%22%20OR%20process.entity_id%3A%22asdf2%22%20OR%20process.entity_id%3A%22asdf3 here');
   expect(app.replaceActionVar('test {foo} here', 'foo', null, true)).toBe('test {foo} here');
   expect(app.replaceActionVar('test {foo} here', 'foo', undefined, true)).toBe('test {foo} here');
 });
@@ -461,4 +470,4 @@ test('checkForUnauthorized', () => {
   testCheckForUnauthorized('/foo/', {}, null, false);
   testCheckForUnauthorized('/login/banner.md', {}, '/blah', false);
   testCheckForUnauthorized('/auth/self-service/login/browser', {}, '/blah', true);
-});
\ No newline at end of file
+});
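Review bot: The new processAncestors cases only feed well-formed IDs, so they never exercise the two inputs that change the shape of the query fragment the function emits: an element containing a double quote, and a single string ID containing a comma. The first matters because the output is joined with `" OR process.entity_id:"` and a stray quote in the data would end the quoted term early once the template quotes the result; the second matters because `toString()` followed by a comma replace splits such an ID into two terms. I would add a case such as `expect(app.processAncestors(['a"b'])).toBe('a\\"b');` once processAncestors escapes its elements, and a case for `app.processAncestors('a,b')` that pins whichever splitting behavior is intended, so a later change cannot silently widen the query. The trailing-newline hunk in this file is cosmetic and needs nothing.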
From e618b7db3e2daafd8a7ab40193f375c9a3e69fc4 Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Mon, 12 Feb 2024 18:52:20 -0500
Subject: [PATCH 5/5] Remove duplicate base64encode test from app.test.js

---
 html/js/app.test.js | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/html/js/app.test.js b/html/js/app.test.js
index 4dacb6ca8..21a9e3841 100644
--- a/html/js/app.test.js
+++ b/html/js/app.test.js
@@ -43,11 +43,6 @@ test('replaceActionVar', () => {
   expect(app.replaceActionVar('test {foo} here', 'foo', undefined, true)).toBe('test {foo} here');
 });
 
-test('base64encode', () => {
-  expect(app.base64encode('')).toBe('');
-  expect(app.base64encode('hello')).toBe('aGVsbG8=');
-});
-
 test('formatMarkdown', () => {
   expect(app.formatMarkdown('```code```')).toBe('

code

\n'); expect(app.formatMarkdown('bad')).toBe('

bad

\n');