Extract ElastAlert Description

Check the yaml for an elastalert description. If not present, fall back to the Detection's description, and finally the Detection title. Updated test for various fallback scenarios.
Security-Onion-Solutions · Jun 11, 2024 · 9fb833b · 9fb833b
1 parent 4daff2e
commit 9fb833b
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 1 deletion.
diff --git a/html/js/routes/detection.js b/html/js/routes/detection.js
@@ -233,6 +233,13 @@ routes.push({ path: '/detection/:id', name: 'detection', component: {
 					}
 
 					break;
+				case 'elastalert':
+					const yaml = jsyaml.load(this.detect.content, { schema: jsyaml.FAILSAFE_SCHEMA });
+					if (yaml.description) {
+						this.extractedSummary = yaml.description;
+						break;
+					}
+					// else fall through
 				default:
 					if (this.detect.description) {
 						this.extractedSummary = this.detect.description;

diff --git a/html/js/routes/detection.test.js b/html/js/routes/detection.test.js
@@ -76,7 +76,7 @@ test('extract elastalert', () => {
 	comp.extractLogic();
 	comp.extractDetails();
 
-	expect(comp.extractedSummary).toBe('Title');
+	expect(comp.extractedSummary).toBe('Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant');
 	expect(comp.extractedReferences).toEqual([
 		{ type: 'url', text: 'https://twitter.com/DrunkBinary/status/1063075530180886529', link: 'https://twitter.com/DrunkBinary/status/1063075530180886529' },
 		{ type: 'url', text: 'https://www.mandiant.com/resources/blog/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign', link: 'https://www.mandiant.com/resources/blog/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign' },
@@ -85,6 +85,21 @@ test('extract elastalert', () => {
 	expect(comp.extractedLogicClass).toBe('language-yaml');
 	expect(comp.extractedCreated).toBe('2018/11/20');
 	expect(comp.extractedUpdated).toBe('2023/02/20');
+
+	// content with no description
+	comp.detect.content = `title: APT29 2018 Phishing Campaign File Indicators\nid: 3a3f81ca-652c-482b-adeb-b1c804727f74\nrelated:\n  - id: 7453575c-a747-40b9-839b-125a0aae324b # ProcessCreation\n    type: derived\nstatus: stable\nreferences:\n  - https://twitter.com/DrunkBinary/status/1063075530180886529\n  - https://www.mandiant.com/resources/blog/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign\nauthor: '@41thexplorer'\ndate: 2018/11/20\nmodified: 2023/02/20\ntags:\n  - attack.defense_evasion\n  - attack.t1218.011\n  - detection.emerging_threats\nlogsource:\n  product: windows\n  category: file_event\ndetection:\n  selection:\n    TargetFilename|contains:\n      - 'ds7002.lnk'\n      - 'ds7002.pdf'\n      - 'ds7002.zip'\n    condition: selection\nfalsepositives:\n  - Unlikely\nlevel: critical`;
+	comp.detect.description = 'Description'
+	comp.extractSummary();
+
+	// fallback first to detection Description...
+	expect(comp.extractedSummary).toBe('Description');
+
+	comp.detect.description = '';
+
+	comp.extractSummary();
+
+	// ... else fallback to title
+	expect(comp.extractedSummary).toBe('Title');
 });
 
 test('fixProtocol', () => {