/*
thehive5 implements functionality to interact with the most recent version of thehive.
https://www.strangebee.com/thehive/
*/
package thehive5
import (
"encoding/json"
"net/url"
"strconv"
"time"
)
// Procedure is the request payload for one TTP entry that AddAlertProcedure
// and AddCaseProcedure attach to an alert or a case.
type Procedure struct {
	// PatternId is sent as "patternId"; presumably a technique identifier
	// known to the server — confirm against the API reference.
	PatternId string `json:"patternId"`
	// OccurDate is sent as an integer millisecond timestamp, see MarshalJSON.
	OccurDate time.Time `json:"occurDate"`
	// Tactic and Description are optional: a nil pointer leaves the key out.
	Tactic      *string `json:"tactic,omitempty"`
	Description *string `json:"description,omitempty"`
}

// MarshalJSON encodes the procedure with occurDate as Unix milliseconds
// instead of the RFC 3339 string encoding/json would emit for a time.Time.
// A zero OccurDate is encoded as 0.
func (p *Procedure) MarshalJSON() ([]byte, error) {
	// Raw carries Procedure's fields but not its methods, so marshalling it
	// below cannot recurse back into this function.
	type Raw Procedure

	// The outer OccurDate sits at a shallower depth than Raw.OccurDate and
	// therefore wins the "occurDate" key.
	type wire struct {
		OccurDate *int64 `json:"occurDate,omitempty"`
		*Raw
	}

	var millis int64
	if zero := p.OccurDate.IsZero(); !zero {
		// Normalise to UTC before taking the timestamp sent to the server.
		millis = p.OccurDate.UTC().UnixMilli()
	}

	// NOTE(review): the pointer is never nil, so omitempty never drops the
	// key; an unset date reaches the server as 0 — confirm that is intended.
	out := wire{
		OccurDate: &millis,
		Raw:       (*Raw)(p),
	}
	return json.Marshal(&out)
}
// ProcedureResponse is the decoded server reply to a procedure/TTP operation.
// The three time fields are filled by UnmarshalJSON from the integer
// timestamps in the reply.
type ProcedureResponse struct {
	// Server-side bookkeeping (underscore-prefixed keys).
	Id        string    `json:"_id,"`
	CreatedAt time.Time `json:"_createdAt"`
	CreatedBy string    `json:"_createdBy"`
	// omitempty never omits a time.Time (a struct) when marshalling.
	UpdatedAt time.Time `json:"_updatedAt,omitempty"`
	UpdatedBy string    `json:"_updatedBy,omitempty"`

	// Procedure content.
	Description string            `json:"description,omitempty"`
	OccurDate   time.Time         `json:"occurDate"`
	PatternID   string            `json:"patternId,omitempty"`
	PatternName string            `json:"patternName,omitempty"`
	Tactic      string            `json:"tactic"`
	TacticLabel string            `json:"tacticLabel"`
	ExtraData   map[string]string `json:"extraData"`
}
// shadowProcedureResponse mirrors ProcedureResponse field for field, except
// that the three timestamps are plain int64 values as they appear on the wire.
// ProcedureResponse.UnmarshalJSON decodes into it first and converts afterwards.
type shadowProcedureResponse struct {
	// Server-side bookkeeping (underscore-prefixed keys).
	Id        string `json:"_id,"`
	CreatedAt int64  `json:"_createdAt"`
	CreatedBy string `json:"_createdBy"`
	UpdatedAt int64  `json:"_updatedAt,omitempty"`
	UpdatedBy string `json:"_updatedBy,omitempty"`

	// Procedure content.
	Description string            `json:"description,omitempty"`
	OccurDate   int64             `json:"occurDate"`
	PatternID   string            `json:"patternId,omitempty"`
	PatternName string            `json:"patternName,omitempty"`
	Tactic      string            `json:"tactic"`
	TacticLabel string            `json:"tacticLabel"`
	ExtraData   map[string]string `json:"extraData"`
}
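// UnmarshalJSON decodes a server reply into p. The reply is first decoded
// into shadowProcedureResponse, whose timestamps are integers, and each
// timestamp is then turned into a time.Time by convertInt64ToTime
// (presumably epoch milliseconds, mirroring Procedure.MarshalJSON — confirm
// in that helper). On a decode error p is left untouched.
func (p *ProcedureResponse) UnmarshalJSON(data []byte) error {
	// encoding/json hands a literal null to Unmarshalers; by convention that
	// is a no-op. The previous code decoded into a pointer-to-pointer, which
	// null reset to nil, so a null in the server reply caused a nil
	// dereference panic in the client.
	if string(data) == "null" {
		return nil
	}

	// A value (not a pointer) target can never be nilled out by the decoder.
	var shadow shadowProcedureResponse
	if err := json.Unmarshal(data, &shadow); err != nil {
		return err
	}

	p.Id = shadow.Id
	p.CreatedAt = convertInt64ToTime(shadow.CreatedAt)
	p.CreatedBy = shadow.CreatedBy
	p.UpdatedAt = convertInt64ToTime(shadow.UpdatedAt)
	p.UpdatedBy = shadow.UpdatedBy
	p.Description = shadow.Description
	p.OccurDate = convertInt64ToTime(shadow.OccurDate)
	p.PatternID = shadow.PatternID
	p.PatternName = shadow.PatternName
	p.Tactic = shadow.Tactic
	p.TacticLabel = shadow.TacticLabel
	p.ExtraData = shadow.ExtraData
	return nil
}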
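// AddAlertProcedure POSTs procedure to the procedure endpoint of the alert
// identified by alertId and returns the decoded server reply.
//
// It returns an error when alertId is empty or a dot segment, when the URL
// cannot be built, when the procedure cannot be marshalled, when the request
// fails, or when the reply cannot be decoded; the response is nil in all of
// those cases.
func (hive *Hivedata) AddAlertProcedure(alertId string, procedure *Procedure) (*ProcedureResponse, error) {
	// alertId becomes a URL path segment, and url.JoinPath cleans "./" and
	// "../" out of the joined path. Without these two guards an id such as
	// ".." or "x/../../y" would send the POST to a different API path than
	// the one this function is meant to call.
	if alertId == "" || alertId == "." || alertId == ".." {
		return nil, &url.Error{Op: "join", URL: alertId, Err: strconv.ErrSyntax}
	}
	segment := url.PathEscape(alertId) // "/" becomes %2F, so the id stays one segment

	// NOTE(review): the trailing "j" in "/procedurej" looks like a typo for
	// "/procedure" — confirm against the server's API reference before changing.
	endpoint, err := url.JoinPath(hive.Url, "/api/v1/alert", segment, "/procedurej")
	if err != nil {
		return nil, err
	}

	payload, err := json.Marshal(procedure)
	if err != nil {
		return nil, err
	}

	body, err := hive.webRequest(endpoint, POST, payload)
	if err != nil {
		return nil, err
	}

	// json.Unmarshal rejects a nil pointer, so the target must be allocated;
	// the previous nil *ProcedureResponse made every call end in an error.
	parsed := new(ProcedureResponse)
	if err := json.Unmarshal(body, parsed); err != nil {
		return nil, err
	}
	return parsed, nil
}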
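// AddCaseProcedure POSTs procedure to the procedure endpoint of the case with
// number caseId and returns the decoded server reply.
//
// It returns an error when the URL cannot be built, when the procedure cannot
// be marshalled, when the request fails, or when the reply cannot be decoded;
// the response is nil in all of those cases.
func (hive *Hivedata) AddCaseProcedure(caseId int, procedure *Procedure) (*ProcedureResponse, error) {
	// The case number is formatted from an int, so it cannot carry "/" or
	// ".." into the path.
	caseNumber := strconv.Itoa(caseId)

	// NOTE(review): the trailing "j" in "/procedurej" looks like a typo for
	// "/procedure" — confirm against the server's API reference before changing.
	endpoint, err := url.JoinPath(hive.Url, "/api/v1/case/", caseNumber, "/procedurej")
	if err != nil {
		return nil, err
	}

	payload, err := json.Marshal(procedure)
	if err != nil {
		return nil, err
	}

	body, err := hive.webRequest(endpoint, POST, payload)
	if err != nil {
		return nil, err
	}

	// json.Unmarshal rejects a nil pointer, so the target must be allocated;
	// the previous nil *ProcedureResponse made every call end in an error.
	parsed := new(ProcedureResponse)
	if err := json.Unmarshal(body, parsed); err != nil {
		return nil, err
	}
	return parsed, nil
}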