package main
import (
"fmt"
"net/url"
"strconv"
"strings"
"github.com/fatih/color"
"github.com/jakewarren/trustar-golang"
"github.com/rodaine/table"
"github.com/spf13/cobra"
)
// indicatorCmd is the parent "indicator" command. It has no Run of its own;
// the search and find-reports commands declared in this file are presumably
// attached to it with AddCommand elsewhere (not shown here).
var indicatorCmd = &cobra.Command{
	Use:   "indicator",
	Short: "Manage indicators",
}
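// https://docs.trustar.co/api/v13/indicators/search_indicators.html
//
// indicatorSearchCmd runs one indicator search per command-line argument and
// prints the GUID of every match to stdout, one per line. With no arguments it
// runs a single empty search, which lists indicators without a term filter
// (bounded by the configured page size, see runIndicatorSearch). Errors are
// reported on stderr and stop processing; nothing collected so far is printed.
var indicatorSearchCmd = &cobra.Command{
	Use:   "search [indicator]...",
	Short: "Search indicators",
	Run: func(cmd *cobra.Command, args []string) {
		// An empty term is the "list all" search. Folding it into the same
		// loop as explicit terms gives both paths one spinner and one error path.
		terms := args
		if len(terms) == 0 {
			terms = []string{""}
		}

		var indicators []trustar.Indicator
		for _, term := range terms {
			s.Suffix = " Searching..."
			s.Start()
			resp, err := runIndicatorSearch(term)
			s.Stop()
			if err != nil {
				// stderr, so stdout stays a clean GUID list for piping.
				cmd.PrintErrln(err)
				return
			}
			indicators = append(indicators, resp.Items...)
		}

		if len(indicators) == 0 {
			fmt.Println("0 indicators found.")
			return
		}
		for _, i := range indicators {
			fmt.Println(i.GUID)
		}
	},
}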
// runIndicatorSearch queries the TruSTAR indicator search endpoint through the
// package-level client c.
//
// searchTerm is sent as the "searchTerm" parameter when non-empty; an empty
// string omits the parameter (the search command uses this to list indicators
// without a term filter). The enclave filter, when configured, is sent as a
// comma-joined "enclaveIds" list, and "pageSize" always comes from config.
// The response and any transport/API error are returned as-is.
func runIndicatorSearch(searchTerm string) (trustar.SearchIndicatorReponse, error) {
	params := make(url.Values)
	if searchTerm != "" {
		params.Set("searchTerm", searchTerm)
	}
	if enclaves := config.indicatorSearch.enclaveIDs; len(enclaves) > 0 {
		params.Set("enclaveIds", strings.Join(enclaves, ","))
	}
	params.Set("pageSize", strconv.Itoa(config.indicatorSearch.pageSize))
	return c.SearchIndicators(params)
}
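// https://docs.trustar.co/api/v13/reports/find_correlated_reports.html
//
// indicatorFindCorrelatedReportsCmd looks up the reports correlated with each
// indicator given on the command line and prints one table per indicator with
// the columns id, title, created, updated and enclave. Duplicate reports are
// collapsed by deduplicateReports and enclave IDs are resolved to names by
// lookupEnclave (both defined elsewhere in this package). An API error is
// reported on stderr and stops processing of the remaining indicators.
var indicatorFindCorrelatedReportsCmd = &cobra.Command{
	Use:   "find-reports <indicator>...",
	Short: "Find all correlated reports for an indicator",
	Args:  cobra.MinimumNArgs(1),
	Run: func(cmd *cobra.Command, args []string) {
		// Formatters do not depend on the indicator; build them once.
		headerFmt := color.New(color.FgCyan, color.Underline).SprintfFunc()
		columnFmt := color.New(color.FgYellow).SprintfFunc()

		// formatTime renders a millisecond epoch timestamp from the API. If the
		// conversion fails, the raw value is printed instead of a silently zeroed
		// time so a malformed timestamp is visible in the output.
		formatTime := func(e int64) string {
			t, err := trustar.MsEpochToTime(e)
			if err != nil {
				return strconv.FormatInt(e, 10)
			}
			return t.Format("2006-01-02 15:04:05 MST")
		}

		for _, a := range args {
			query := url.Values{}
			query.Add("indicators", a)
			correlatedReports, err := c.FindCorrelatedReports(query)
			if err != nil {
				// stderr, so the table output on stdout stays parseable.
				cmd.PrintErrln(err)
				return
			}

			dedupedReports := deduplicateReports(correlatedReports.Items)
			if len(dedupedReports) == 0 {
				fmt.Println("0 correlated reports found.")
				continue
			}

			// NOTE(review): with several indicators the tables are printed back
			// to back and nothing names the indicator each belongs to; consider
			// printing the indicator above its table if that mapping matters.
			tbl := table.New("id", "title", "created", "updated", "enclave")
			tbl.WithHeaderFormatter(headerFmt).WithFirstColumnFormatter(columnFmt)
			for _, r := range dedupedReports {
				enclaves := make([]string, 0, len(r.EnclaveIds))
				for _, e := range r.EnclaveIds {
					enclaves = append(enclaves, lookupEnclave(e))
				}
				tbl.AddRow(r.ID, r.Title, formatTime(r.Created), formatTime(r.Updated), strings.Join(enclaves, ", "))
			}
			tbl.Print()
		}
	},
}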