diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml index 521b079b6b93cdb120d0966c44700e1284cd13f4..84d605b7475c546285a802b78307b05764f975f6 100644 --- a/group_vars/all/main.yml +++ b/group_vars/all/main.yml @@ -2,6 +2,11 @@ dslproxy: "<CHANGE_ME:hostname>" +# TheHive Button plugin +THEHIVE_URL: "https://hive.gn4-3-wp8-soc.sunet.se/" +THEHIVE_API_KEY: "5LymseWiurZBrQN8Kqp8O+9KniTL5cE0" +THEHIVE_OWNER: "admin" + soctools_netname: "soctoolsnet" repo: gn43-dsl diff --git a/roles/build/tasks/odfekibana.yml b/roles/build/tasks/odfekibana.yml index 8ca53578baceacba76726bece7c1dfbe7491c917..8e1980a7680f5f23b7370d61dba057e457430291 100644 --- a/roles/build/tasks/odfekibana.yml +++ b/roles/build/tasks/odfekibana.yml @@ -5,6 +5,9 @@ src: odfekibana/Dockerfile-kibana.j2 dest: "{{role_path}}/files/kibanaDockerfile" +- name: Copy tools to build path + command: "cp -av {{role_path}}/templates/odfekibana/thehive_button/ {{role_path}}/files/thehive_button/" + - name: Build kibana image command: docker build -t {{repo}}/kibana:{{version}}{{suffix}} -f {{role_path}}/files/kibanaDockerfile {{role_path}}/files diff --git a/roles/build/templates/odfekibana/Dockerfile-odfekibana.j2 b/roles/build/templates/odfekibana/Dockerfile-odfekibana.j2 index 8f72fd770ba85b5b54962fe96dd9bb5bbd898069..ee69568d34d6fe879de100414f8f3b96b2252d7f 100644 --- a/roles/build/templates/odfekibana/Dockerfile-odfekibana.j2 +++ b/roles/build/templates/odfekibana/Dockerfile-odfekibana.j2 @@ -11,5 +11,8 @@ RUN for PLUGIN in \ https://d3g5vo6xdbdb9a.cloudfront.net/downloads/kibana-plugins/opendistro-index-management/opendistro_index_management_kibana-{{odfeplugin_version}}.zip; \ do bin/kibana-plugin install --allow-root ${PLUGIN}; done +ADD thehive_button /usr/share/kibana/plugins/thehive_button +RUN chown -R kibana:kibana /usr/share/kibana/plugins/thehive_button + USER kibana diff --git a/roles/build/templates/odfekibana/thehive_button/.eslintrc b/roles/build/templates/odfekibana/thehive_button/.eslintrc new file mode 100644 index 0000000000000000000000000000000000000000..64eba86220ec489c9c364e9a443941d14a8d3b16 --- /dev/null +++ b/roles/build/templates/odfekibana/thehive_button/.eslintrc @@ -0,0 +1,7 @@ +--- +extends: "@elastic/kibana" + +settings: + import/resolver: + '@elastic/eslint-import-resolver-kibana': + rootPackageName: 'thehive_button' diff --git a/roles/build/templates/odfekibana/thehive_button/.kibana-plugin-helpers.json b/roles/build/templates/odfekibana/thehive_button/.kibana-plugin-helpers.json new file mode 100644 index 0000000000000000000000000000000000000000..2c63c0851048d8f7bff41ecf0f8cee05f52fd120 --- /dev/null +++ b/roles/build/templates/odfekibana/thehive_button/.kibana-plugin-helpers.json @@ -0,0 +1,2 @@ +{ +} diff --git a/roles/build/templates/odfekibana/thehive_button/index.js b/roles/build/templates/odfekibana/thehive_button/index.js new file mode 100644 index 0000000000000000000000000000000000000000..fa69c75c30d7ee40f8d7089d6debd6cf69c8d402 --- /dev/null +++ b/roles/build/templates/odfekibana/thehive_button/index.js @@ -0,0 +1,19 @@ +import newCaseRoute from './server/routes/newcase'; + +export default function (kibana) { + return new kibana.Plugin({ + require: [], //['elasticsearch'], + name: 'thehive_button', + uiExports: { + visTypes: [ + 'plugins/thehive_button/main', + ], + }, + + init(server, options) { // eslint-disable-line no-unused-vars + // Add server routes and initialize the plugin here + newCaseRoute(server); + } + }); +} + diff --git a/roles/build/templates/odfekibana/thehive_button/package.json b/roles/build/templates/odfekibana/thehive_button/package.json new file mode 100644 index 0000000000000000000000000000000000000000..e1c070d62c2e69b0f42fa4c5d47e1e8c0b408988 --- /dev/null +++ b/roles/build/templates/odfekibana/thehive_button/package.json @@ -0,0 +1,35 @@ +{ + "name": "thehive_button", + "version": "1.0.0", + "description": "Visualisation plugin which creates a simple button to create a new case in The Hive.", + "main": "index.js", + "kibana": { + "version": "7.4.2" + }, + "scripts": { + "lint": "eslint .", + "start": "plugin-helpers start", + "build": "plugin-helpers build" + }, + "dependencies": { + "request": "^2.88.0", + "@elastic/eui": "10.4.2", + "react": "^16.8.0" + }, + "devDependencies": { + "@elastic/eslint-config-kibana": "link:../../packages/eslint-config-kibana", + "@elastic/eslint-import-resolver-kibana": "link:../../packages/kbn-eslint-import-resolver-kibana", + "@kbn/plugin-helpers": "link:../../packages/kbn-plugin-helpers", + "babel-eslint": "^9.0.0", + "eslint": "^5.6.0", + "eslint-plugin-babel": "^5.2.0", + "eslint-plugin-import": "^2.14.0", + "eslint-plugin-jest": "^21.26.2", + "eslint-plugin-jsx-a11y": "^6.1.2", + "eslint-plugin-mocha": "^5.2.0", + "eslint-plugin-no-unsanitized": "^3.0.2", + "eslint-plugin-prefer-object-spread": "^1.2.1", + "eslint-plugin-react": "^7.11.1", + "expect.js": "^0.3.1" + } +} diff --git a/roles/build/templates/odfekibana/thehive_button/public/create_case.js b/roles/build/templates/odfekibana/thehive_button/public/create_case.js new file mode 100644 index 0000000000000000000000000000000000000000..fc8edd6f6f1e4ccb1b24ec5554e55e2d6503cf6c --- /dev/null +++ b/roles/build/templates/odfekibana/thehive_button/public/create_case.js @@ -0,0 +1,101 @@ +// Functions to send data to Kibana endpoints + +import chrome from 'ui/chrome'; + +// Create a new Case in The Hive via its API +// Return a Promise which resolves to object with ID of the new case ('id' attr) or error message ('error' attr) +export function createTheHiveCase(base_url, api_key, title, descr, severity, startDate, owner, flag, tlp, tags) { + // Prepare data + var data = JSON.stringify({ + "base_url": base_url, + "api_key": api_key, + "body": { + "title": title, + "description": descr, + "severity": severity, // number: 1=low, 2=medium, 3=high + "startDate": startDate, + "owner": owner, // user name the case will be assigned to + "flag": flag, // bool + "tlp": tlp, // number: 0=white, 1=green, 2=amber, 3=red + "tags": tags, // array of strings + } + }); + console.log("TheHiveButton: Sending request to API endpoint 'new_case':", data); + var kibana_endpoint_url = chrome.addBasePath('/api/thehive_button/new_case'); + + return new Promise(function (resolve, reject) { + // Create AJAX request + var xhr = new XMLHttpRequest(); + + // Listener to process reply + xhr.onreadystatechange = function () { + if (this.readyState != 4) { + return; // response not ready yet + } + if (this.status == 200) { + const resp = JSON.parse(this.responseText); + console.log("TheHiveButton: Response from backend:", resp); + if ("error" in resp) { + resolve({"error": resp.error}); + } + else if (resp.status_code != 201) { + resolve({"error": "Unexpected reply received from The Hive: [" + resp.status_code + "] " + resp.status_msg}); + } + else { + resolve({"id": resp.body.id}); // return ID of the new case + } + } + else { + console.log("TheHiveButton: Error " + this.status + ": " + this.statusText); + resolve({"error": "Error " + this.status + ": " + this.statusText}); + } + } + + // Send the AJAX request + xhr.open("POST", kibana_endpoint_url); + xhr.setRequestHeader("Content-Type", "application/json"); + xhr.setRequestHeader("kbn-xsrf", "thehive_plugin"); // this header must be set, although its content is probably irrelevant + xhr.send(data); + }); +} + +// Add observables to an existing Case in The Hive +// (send the list of observables to our backend endpoint, it pushes them to The Hive) +export function addCaseObservables(base_url, api_key, caseid, observables) { + const kibana_endpoint_url = chrome.addBasePath('/api/thehive_button/add_observables'); + const data = JSON.stringify({ + "base_url": base_url, + "api_key": api_key, + "caseid": caseid, + "observables": observables, + }); + console.log("TheHiveButton: Sending request to API endpoint 'add_observables':", data); + + return new Promise(function (resolve, reject) { + // Create AJAX request + var xhr = new XMLHttpRequest(); + + // Listener to process reply + xhr.onreadystatechange = function () { + if (this.readyState != 4) { + return; // response not ready yet + } + if (this.status == 200) { + const resp = JSON.parse(this.responseText); + console.log("TheHiveButton: Response from backend:", resp); + resolve(resp); + } + else { + console.log("TheHiveButton: Error " + this.status + ": " + this.statusText); + resolve({"error": "Error " + this.status + ": " + this.statusText}); + } + } + + // Send the AJAX request + xhr.open("POST", kibana_endpoint_url); + xhr.setRequestHeader("Content-Type", "application/json"); + xhr.setRequestHeader("kbn-xsrf", "thehive_plugin"); // this header must be set, although its content is probably irrelevant + xhr.send(data); + }); +} + diff --git a/roles/build/templates/odfekibana/thehive_button/public/env.js b/roles/build/templates/odfekibana/thehive_button/public/env.js new file mode 100644 index 0000000000000000000000000000000000000000..4321b85f5ee1682abd17871889a165ae8d96b465 --- /dev/null +++ b/roles/build/templates/odfekibana/thehive_button/public/env.js @@ -0,0 +1,4 @@ +// Default plugin configuration +export const THEHIVE_URL = 'https://hive.gn4-3-wp8-soc.sunet.se/'; +export const THEHIVE_API_KEY = '5LymseWiurZBrQN8Kqp8O+9KniTL5cE0'; +export const THEHIVE_OWNER = 'admin'; // default owner account of the created cases diff --git a/roles/build/templates/odfekibana/thehive_button/public/main.js b/roles/build/templates/odfekibana/thehive_button/public/main.js new file mode 100644 index 0000000000000000000000000000000000000000..ee46d73170d4fb43739c58468e3396caace6dcbe --- /dev/null +++ b/roles/build/templates/odfekibana/thehive_button/public/main.js @@ -0,0 +1,54 @@ +import { THEHIVE_API_KEY, THEHIVE_URL, THEHIVE_OWNER } from './env'; +import { TheHiveButtonVisComponent } from './vis_controller'; +import { theHiveButtonRequestHandlerProvider } from './request_handler'; +import { optionsEditor } from './options_editor'; + +import { VisFactoryProvider } from 'ui/vis/vis_factory'; +import { VisTypesRegistryProvider } from 'ui/registry/vis_types'; +import { DefaultEditorSize } from 'ui/vis/editor_size'; + + +function TheHiveButtonVisProvider(Private) { + const VisFactory = Private(VisFactoryProvider); + + //console.log("default URL:", THEHIVE_URL); + //console.log("default API key:", THEHIVE_API_KEY); + + return VisFactory.createReactVisualization({ + name: 'thehive_button', + title: 'The Hive Case', + icon: 'alert', + description: 'A button to create a new Case in The Hive.', + //requiresUpdateStatus: [Status.PARAMS, Status.RESIZE, Status.UI_STATE], + visConfig: { + component: TheHiveButtonVisComponent, + defaults: { + // add default parameters + url: THEHIVE_URL, + apikey: THEHIVE_API_KEY, + owner: THEHIVE_OWNER, + obsFields: [], // list of objects, e.g. {name: "clientip", type: "ip", cnt: 100} + } + }, + //editor: 'default', + editorConfig: { + optionTabs: [ + { + name: "options", + title: "Options", + editor: optionsEditor, + } + ], + defaultSize: DefaultEditorSize.LARGE, + }, +// optionsTemplate: optionsEditor, //optionsTemplate, +// //enableAutoApply: true, +// }, + requestHandler: 'theHiveButtonRequestHandler', // own request handler + responseHandler: 'none', // pass data as returned by requestHandler + }); +} + +// register the provider with the visTypes registry +VisTypesRegistryProvider.register(TheHiveButtonVisProvider); + diff --git a/roles/build/templates/odfekibana/thehive_button/public/options_editor.js b/roles/build/templates/odfekibana/thehive_button/public/options_editor.js new file mode 100644 index 0000000000000000000000000000000000000000..38762bd463115702a0c4f03f099434485f5d59dc --- /dev/null +++ b/roles/build/templates/odfekibana/thehive_button/public/options_editor.js @@ -0,0 +1,176 @@ +import React from 'react'; +import { + EuiForm, + EuiFormRow, + EuiTitle, + EuiSpacer, + EuiFieldText, + EuiFieldNumber, + EuiSelect, + EuiFlexGroup, + EuiFlexItem, + EuiButton, + EuiButtonIcon, +} from '@elastic/eui'; + +// Default data types in The Hive +const DEFAULT_THE_HIVE_TYPES = [ + '', + 'autonomous-system', + 'domain', + 'file', + 'filename', + 'fqdn', + 'hash', + 'ip', + 'mail', + 'mail_subject', + 'regexp', + 'registry', + 'uri_path', + 'url', + 'user-agent', + 'other', +]; + +// Options for EuiSelect for selection of field's data type in TheHive +const typesOptions = DEFAULT_THE_HIVE_TYPES.map( dt => ({value: dt, text: dt}) ); + +export function optionsEditor(props) { + //console.log("editor render(), props:", props); + const { stateParams, setValue, setValidity, vis } = props; + + // onClick/onChange handlers + const obsAddNew = () => { + const newObsFields = [...stateParams.obsFields, {name: "", type: "", cnt: 100}]; + // For some reason, first click on the button after editor is loaded does + // nothing. Calling setValue twice here fixes it. + setValue("obsFields", newObsFields); + setValue("obsFields", newObsFields); +// setValidity(false); // since new row is empty, form is always invalid + }; + const obsRemove = (ix) => { + let newArray = [...stateParams.obsFields]; + newArray.splice(ix, 1); + setValue("obsFields", newArray); +// validate(); + } + const obsSetName = (ix, name) => { + let newArray = [...stateParams.obsFields]; + newArray[ix].name = name; + setValue("obsFields", newArray); +// validate(); + } + const obsSetType = (ix, type) => { + let newArray = [...stateParams.obsFields]; + newArray[ix].type = type; + setValue("obsFields", newArray); +// validate(); + } + const obsSetCnt = (ix, cnt) => { + let newArray = [...stateParams.obsFields]; + newArray[ix].cnt = parseInt(cnt); + setValue("obsFields", newArray); +// validate(); + } +// const validate = () => { +// let valid = true; +// for (let field of stateParams.obsFields) { +// if (field.name == "" || field.type == "" || field.cnt == "") { +// valid = false; +// break; +// } +// } +// // TODO check for duplicate fields +// setValidity(valid); +// } + + // Get list of all fields in index (except those beginning with "_" or "@") + // and create "options" parameter for EuiSelect. + // Also, fields with "aggregatable=false" are removed, as they can't be used + // with "terms" aggregation we need. + // See this for details: https://www.elastic.co/guide/en/elasticsearch/reference/7.x/fielddata.html + // Empty field is added at the beginning, meaning "no selection yet". + const fieldOptions = [{value: "", text: ""}].concat( + vis.indexPattern.fields.raw.filter( f => (f.name[0] != "_" && f.name[0] != "@" && f.aggregatable) ).map( f => ({value: f.name, text: `${f.name} (${f.type})`}) ) + ); + + return <EuiForm> + <EuiFormRow fullWidth={true} label="Base URL of The Hive"> + <EuiFieldText + fullWidth={true} + value={stateParams.url} + onChange={e => setValue('url', e.target.value)} + isInvalid={stateParams.url == ""} + /> + </EuiFormRow> + <EuiFlexGroup> + <EuiFlexItem grow={1}> + <EuiFormRow label="API key to access The Hive" helpText="API key of a user with write permission."> + <EuiFieldText + fullWidth={true} + value={stateParams.apikey} + onChange={e => setValue('apikey', e.target.value)} + isInvalid={stateParams.apikey == ""} + /> + </EuiFormRow> + </EuiFlexItem> + <EuiFlexItem grow={1}> + <EuiFormRow label="Assignee" helpText="User to assign created cases to. Must be a valid username from The Hive instance."> + <EuiFieldText + value={stateParams.owner} + onChange={e => setValue('owner', e.target.value)} + isInvalid={stateParams.owner == ""} + /> + </EuiFormRow> + </EuiFlexItem> + </EuiFlexGroup> + <EuiTitle size="s"><h3>Fields to get potential observables from ...</h3></EuiTitle> + <EuiSpacer size="s" /> + {stateParams.obsFields.map( (field, ix) => ( + <EuiFlexGroup key={ix} gutterSize="s"> + <EuiFlexItem grow={3}> + <EuiFormRow label="Field name"> + <EuiSelect + options={fieldOptions} + value={field.name} + onChange={ e => obsSetName(ix, e.target.value) } + isInvalid={field.name == ""} + /> + </EuiFormRow> + </EuiFlexItem> + <EuiFlexItem grow={2}> + <EuiFormRow label="Data type in The Hive"> + <EuiSelect + options={typesOptions} + value={field.type} + onChange={ e => obsSetType(ix, e.target.value) } + isInvalid={field.type == ""} + /> + </EuiFormRow> + </EuiFlexItem> + <EuiFlexItem grow={1}> + <EuiFormRow label="Max items shown"> + <EuiFieldNumber + min={1} + max={1000} + value={parseInt(field.cnt)} + onChange={ e => obsSetCnt(ix, e.target.value) } + isInvalid={!(field.cnt > 0)} + /> + </EuiFormRow> + </EuiFlexItem> + <EuiFlexItem grow={false}> + <EuiFormRow hasEmptyLabelSpace> + <EuiButtonIcon iconType="trash" iconSize="m" color="danger" aria-label="Remove field" onClick={ e => obsRemove(ix) } /> + </EuiFormRow> + </EuiFlexItem> + </EuiFlexGroup> + ))} + <EuiFlexGroup> + <EuiFlexItem grow={false}> + <EuiButton iconType="plusInCircleFilled" color="primary" onClick={obsAddNew}>Add new field ...</EuiButton> + </EuiFlexItem> + </EuiFlexGroup> + </EuiForm> +} diff --git a/roles/build/templates/odfekibana/thehive_button/public/options_template.html b/roles/build/templates/odfekibana/thehive_button/public/options_template.html new file mode 100644 index 0000000000000000000000000000000000000000..ef996577786150282c2ffb0d28652a3d1712842b --- /dev/null +++ b/roles/build/templates/odfekibana/thehive_button/public/options_template.html @@ -0,0 +1,8 @@ +<div class="form-group"> + <p><label>Base URL of The Hive</label> + <input ng-model="editorState.params.url" class=form-control /></p> + <p><label>API key</label> + <input ng-model="editorState.params.apikey" class=form-control /></p> + <p><label>User name to use as the owner of cases created from here</label> + <input ng-model="editorState.params.owner" class=form-control /></p> +</div> diff --git a/roles/build/templates/odfekibana/thehive_button/public/request_handler.js b/roles/build/templates/odfekibana/thehive_button/public/request_handler.js new file mode 100644 index 0000000000000000000000000000000000000000..bdbb0f4ebee4ff5307a1bf549706bf1ecc92e11b --- /dev/null +++ b/roles/build/templates/odfekibana/thehive_button/public/request_handler.js @@ -0,0 +1,195 @@ +import { CourierRequestHandlerProvider as courierRequestHandlerProvider } from 'ui/vis/request_handlers/courier'; +import { SearchSourceProvider } from 'ui/courier/search_source'; +import { RequestAdapter, DataAdapter } from 'ui/inspector/adapters'; +import { VisRequestHandlersRegistryProvider } from 'ui/registry/vis_request_handlers'; +import { AggConfig } from 'ui/vis/agg_config'; +import { AggConfigs } from 'ui/vis/agg_configs'; +import { getTime } from 'ui/timefilter/get_time'; +import { i18n } from '@kbn/i18n'; +import { has } from 'lodash'; +import { calculateObjectHash } from 'ui/vis/lib/calculate_object_hash'; +import { getRequestInspectorStats, getResponseInspectorStats } from 'ui/courier/utils/courier_inspector_utils'; +import chrome from 'ui/chrome'; + +// Maximum number of unique values of each field (observables) to fetch +const MAX_NUMBER_OF_TERMS = 5; + +const handleCourierRequest = courierRequestHandlerProvider().handler; + +// Register new RaquestHandlerProvider +const theHiveButtonRequestHandlerProvider = function () { + return { + name: 'theHiveButtonRequestHandler', + handler: theHiveButtonRequestHandler, + } +} +VisRequestHandlersRegistryProvider.register(theHiveButtonRequestHandlerProvider); + +export {theHiveButtonRequestHandlerProvider, theHiveButtonRequestHandler}; + + +// The request handler function itself +async function theHiveButtonRequestHandler(params) { + //console.log("theHiveButtonRequestHandler params:", params); + + let index = params.index; + let partialRows = params.partialRows; + let metricsAtAllLevels = params.metricsAtAllLevels; + let timeRange = params.timeRange; + let query = params.query; + let filters = params.filters; + let inspectorAdapters = params.inspectorAdapters; + let queryFilter = params.queryFilter; + let forceFetch = params.forceFetch; + // our own confiuration: + // list of fields to get potential observables from + // (each "field" is object {name: str, type: str, cnt: int}) + let obsFields = params.visParams.obsFields; + + // filter out invalid field specifications + obsFields = obsFields.filter( f => (f.name != "" && f.type != "" && f.cnt > 0) ); + + if (obsFields.length == 0) { + //console.log("theHiveButtonRequestHandler: Empty obsFields, nothing to do") + return {} // no fields specified, nothing to do + } + + // === Prepare request to ask for unique values of all selected fields === + + // Construct a query for ElasticSearch + // Get "terms" (most common unique values) for each field of obsFields + const aggs_dsl = {} + for (let field of obsFields) { + aggs_dsl[field.name] = { + terms: { + field: field.name, + size: field.cnt, + order: {_count: "desc"} + } + }; + } + //console.log("aggs_dsl:", aggs_dsl); + + // Create empty AggConfigs + // (We could pass specifications of a metric and the buckets here, + // but default processing functions assume multiple buckets are sub-buckets, + // which is not what we want. So we must do a "hack" and manually create + // query directly in format for ElasticSearch) + const aggs = new AggConfigs(params.index, []); + + // === Some magic to get searchSource object === + // (inspired by https://github.com/fbaligand/kibana-enhanced-table/blob/7.4/public/data_load/enhanced-table-request-handler.js) + // (I don't understand it, but it works) + + let $injector = await chrome.dangerouslyGetActiveInjector(); + let Private = $injector.get('Private'); + let SearchSource = Private(SearchSourceProvider); + let searchSource = new SearchSource(); + searchSource.setField('index', index); + searchSource.setField('size', 0); + + inspectorAdapters.requests = new RequestAdapter(); + inspectorAdapters.data = new DataAdapter(); + + + // === Execute query === + // We could call standard "courier" here, but it tries to convert the response + // to a table, which fails in our case, so we copied the main code of courier + // and modified it here. + + const abortSignal = false; + + const timeFilterSearchSource = searchSource.createChild({ callParentStartHandlers: true }); + const requestSearchSource = timeFilterSearchSource.createChild({ callParentStartHandlers: true }); + + aggs.setTimeRange(timeRange); + + // For now we need to mirror the history of the passed search source, since + // the request inspector wouldn't work otherwise. + Object.defineProperty(requestSearchSource, 'history', { + get() { + return searchSource.history; + }, + set(history) { + return searchSource.history = history; + } + }); + + // This has been modified to override DSL format by ours +// requestSearchSource.setField('aggs', function () { +// return aggs.toDsl(metricsAtAllLevels); +// }); + requestSearchSource.setField('aggs', aggs_dsl); + + requestSearchSource.onRequestStart((searchSource, searchRequest) => { + return aggs.onSearchRequestStart(searchSource, searchRequest); + }); + + if (timeRange) { + timeFilterSearchSource.setField('filter', () => { + return getTime(searchSource.getField('index'), timeRange); + }); + } + + requestSearchSource.setField('filter', filters); + requestSearchSource.setField('query', query); + + const reqBody = await requestSearchSource.getSearchRequestBody(); + + const queryHash = calculateObjectHash(reqBody); + // We only need to reexecute the query, if forceFetch was true or the hash of the request body has changed + // since the last request + const shouldQuery = forceFetch || (searchSource.lastQuery !== queryHash); + + if (shouldQuery) { + inspectorAdapters.requests.reset(); + const request = inspectorAdapters.requests.start( + i18n.translate('common.ui.vis.courier.inspector.dataRequest.title', { defaultMessage: 'Data' }), + { + description: i18n.translate('common.ui.vis.courier.inspector.dataRequest.description', + { defaultMessage: 'This request queries Elasticsearch to fetch the data for the visualization.' }), + } + ); + request.stats(getRequestInspectorStats(requestSearchSource)); + + try { + // Abort any in-progress requests before fetching again + if (abortSignal) { + abortSignal.addEventListener('abort', () => requestSearchSource.cancelQueued()); + } + + const response = await requestSearchSource.fetch(); + //console.log("raw response:", response); + + searchSource.lastQuery = queryHash; + + request + .stats(getResponseInspectorStats(searchSource, response)) + .ok({ json: response }); + + searchSource.rawResponse = response; + } catch(e) { + // Log any error during request to the inspector + request.error({ json: e }); + throw e; + } finally { + // Add the request body no matter if things went fine or not + requestSearchSource.getSearchRequestBody().then(req => { + request.json(req); + }); + } + } + + // === Copy of courier code ends here, now we parse the response === + + const resp = searchSource.rawResponse; + // Return as object containing a list of unique values (terms) for each + // requested field + let unique_values_lists = {} + for (let field of obsFields) { + unique_values_lists[field.name] = resp.aggregations[field.name].buckets.map( (x) => x.key ); + } + + //console.log("Final lists:", unique_values_lists); + return unique_values_lists; +} diff --git a/roles/build/templates/odfekibana/thehive_button/public/vis.less b/roles/build/templates/odfekibana/thehive_button/public/vis.less new file mode 100644 index 0000000000000000000000000000000000000000..b6f887afaef57a7674a0d0f06ee6f821a0fc015e --- /dev/null +++ b/roles/build/templates/odfekibana/thehive_button/public/vis.less @@ -0,0 +1,3 @@ +.myvis-container-div { + padding: 1em; +} diff --git a/roles/build/templates/odfekibana/thehive_button/public/vis_controller.js b/roles/build/templates/odfekibana/thehive_button/public/vis_controller.js new file mode 100644 index 0000000000000000000000000000000000000000..8b23222700ab072c9665442851982e11cdc56788 --- /dev/null +++ b/roles/build/templates/odfekibana/thehive_button/public/vis_controller.js @@ -0,0 +1,555 @@ +//import { Status } from 'ui/vis/update_status'; +import { toastNotifications } from 'ui/notify'; +import { createTheHiveCase, addCaseObservables } from './create_case'; +//import vis_template from './vis_template.html'; + +import React, { Component } from 'react'; +import { + EuiButton, + EuiButtonEmpty, + EuiModal, + EuiModalBody, + EuiModalFooter, + EuiModalHeader, + EuiModalHeaderTitle, + EuiOverlayMask, + EuiTitle, + EuiFlexGroup, + EuiFlexItem, + EuiSpacer, + EuiForm, + EuiFormRow, + EuiFieldText, + EuiTextArea, + EuiSuperSelect, + EuiBasicTable, + EuiCheckbox, + makeId, +} from '@elastic/eui'; + + +// ********** React components ********** + +// Main React component - the root of visualization +export class TheHiveButtonVisComponent extends Component { + render() { + //console.log("TheHiveButtonVisComponent.render(), props:", this.props); + return ( + <div> + <NewCaseButton params={this.props.vis.params} observables={this.props.visData} /> + </div> + ); + } + + componentDidMount() { + this.props.renderComplete(); + } + + componentDidUpdate() { + this.props.renderComplete(); + } +} + +// Button to show the pop-up window (modal) +// Props: +// .params - visualization parameters (from vis.params) +// .observables - object with lists of potential observables to add to the Case +// for each field in params.obsFields there should be a key in this object +// containing list of observables (this is returned by request_handler) +class NewCaseButton extends Component { + + constructor(props) { + super(props); + // Filter out invalid obsField specifications + this.obsFields = props.params.obsFields.filter( f => (f.name != "" && f.type != "" && f.cnt > 0) ); + //console.log("Filtered field specs:", this.obsFields); + + // The complete state is here, so it's kept even when modal is closed + this.state = { + isModalVisible: false, + isWorking: false, // used to show a spinner on submit button + ...this.create_initial_state(), + } + + this.resetCnt = 0; // used to change Modal component key on each form reset + + // Each handler function in a class (method) must be "binded" this way + this.closeModal = this.closeModal.bind(this); + this.showModal = this.showModal.bind(this); + this.resetForm = this.resetForm.bind(this); + + this.onTitleChange = this.onTitleChange.bind(this); + this.onSeverityChange = this.onSeverityChange.bind(this); + this.onTLPChange = this.onTLPChange.bind(this); + this.onDescriptionChange = this.onDescriptionChange.bind(this); + + this.onObsSelectionChange = this.onObsSelectionChange.bind(this); + this.onObsDataChange = this.onObsDataChange.bind(this); + + this.submitCase = this.submitCase.bind(this); + } + + create_initial_state() { + // create a new instance of initial state definition + let initial_state = { + // Case parameters + title: "", + description: "\n\n--\nCreated from Kibana", + severity: "2", // medium + tlp: "2", // amber + tags: [], // TODO (not implemented yet) + obsData: {}, // state of observables form fields (obsData->field->index->{descr,tlp,ioc,tags}) + obsSel: {}, // list of observable selections (obsSel->field->list_of_selected_indices) + } + // pre-fill state of each observable to defaults + const initial_field_data = {descr: "", tlp: 2, ioc: false, tags: []}; + for (let field of this.obsFields) { + const n_obs = this.props.observables[field.name].length; + // fill obsData with new copies of initial_field_data + initial_state.obsData[field.name] = new Array(n_obs).fill().map((_)=>({...initial_field_data})); + // nothing is selected + initial_state.obsSel[field.name] = new Array(); + } + return initial_state; + } + + componentDidUpdate(prevProps) { + // If list of observables was updated or obsFields setting has changed, + // reset the component state and precomputed variables. + if (this.props.observables != prevProps.observables) { + if (this.props.params.obsFields != prevProps.params.obsFields) { + // when obsFields change, observables must change as well, so this "if" + // can be inside the first one. + // Filter out invalid obsField specifications + this.obsFields = this.props.params.obsFields.filter( f => (f.name != "" && f.type != "" && f.cnt && f.cnt > 0) ); + //console.log("Filtered field specs:", this.obsFields); + } + //console.log("New list of observables, resetting form."); + this.resetForm(); + } + } + + resetForm() { + this.setState(this.create_initial_state()); + this.resetCnt += 1; // this changes the key of ModalContent, causing it to be replaced by new DOM elelments (otherwise, not all things are reset properly) + this.forceUpdate(); + } + + closeModal() { + this.setState({ isModalVisible: false }); + } + + showModal() { + this.setState({ isModalVisible: true }); + } + + // Event handlers for change of case parameter + onTitleChange(evt) { + this.setState({title: evt.target.value}); + } + onSeverityChange(value) { + this.setState({severity: value}); + } + onTLPChange(value) { + this.setState({tlp: value}); + } + onDescriptionChange(evt) { + this.setState({description: evt.target.value}); + } + + // Event handler for observable (de)selection + onObsSelectionChange(fieldName, selectedItems) { + // Extract indices from the items and store them into state + const selectedIndices = selectedItems.map(item4 => item4.i); + this.setState((state, props) => { + let newObsSel = {...this.state.obsSel}; + newObsSel[fieldName] = selectedIndices; + return {obsSel: newObsSel}; + }); + } + + // Event handler for edit of a form field in observable row + // - fieldName: which field (table of observables) + // - ix: index of the observable in the field's table + // - param: one of: descr,tlp,ioc,tags + // - value: new value of the form field + onObsDataChange(fieldName, ix, param, value) { + this.setState((state, props) => { + let newObsData = {...this.state.obsData}; + newObsData[fieldName][ix][param] = value; + return {obsData: newObsData}; + }); + } + + // Render function + render() { + let modal; + if (this.state.isModalVisible) { + modal = <ModalContent + resetCnt={this.resetCnt} // used to change "key" of modalBody, causing all form fields to be re-created (some things are not reset properly by reseting state only) + close={this.closeModal} + reset={this.resetForm} + fields={this.obsFields} + observables={this.props.observables} + // form state + title={this.state.title} + description={this.state.description} + severity={this.state.severity} + tlp={this.state.tlp} + tags={this.state.tags} + obsData={this.state.obsData} + obsSel={this.state.obsSel} + spinner={this.state.isWorking} + // event handlers + onTitleChange={this.onTitleChange} + onSeverityChange={this.onSeverityChange} + onTLPChange={this.onTLPChange} + onDescriptionChange={this.onDescriptionChange} + onObsSelectionChange={this.onObsSelectionChange} + onObsDataChange={this.onObsDataChange} + submitCase={this.submitCase} + />; + } + return ( + <div> + <EuiButton fill iconType="alert" color="danger" onClick={this.showModal}>Create new Case ...</EuiButton> + {modal} + </div> + ); + } + + // Submit case button handler + async submitCase(evt) { + const params = this.props.params; + + // Get case parameters + const title = this.state.title; + const descr = this.state.description; + const severity = parseInt(this.state.severity); + const start_date = null; + const owner = params.owner; + const flag = false; + const tlp = parseInt(this.state.tlp); + const tags = this.state.tags; + + if (!title) { + toastNotifications.addDanger("Title can't be empty"); + return; + } + + // Get list of selected observables and their params + let observables = []; + for (let field of this.obsFields) { + let selectionIndices = [...this.state.obsSel[field.name]]; // make a copy + selectionIndices.sort(); + for (let i = 0; i < selectionIndices.length; i++) { + const j = selectionIndices[i]; // index of a selected obs. in the list of all observables + // fill in observable definition according to model at + // https://github.com/TheHive-Project/TheHiveDocs/blob/master/api/artifact.md + const obs = { + dataType: field.type, + data: this.props.observables[field.name][j], + message: this.state.obsData[field.name][j].descr, + tlp: this.state.obsData[field.name][j].tlp, + ioc: this.state.obsData[field.name][j].ioc, + tags: this.state.obsData[field.name][j].tags, + }; + observables.push(obs); + } + } + + //console.log("Selected observables:", observables); + + // Check '/' at the end of base URL, add it if needed + let base_url = params.url; + if (base_url[base_url.length-1] != "/") { + base_url += "/"; + } + + // Show spinner at submit button + this.setState({isWorking: true}); + + // Submit request to create the case, handle response + let resp; + resp = await createTheHiveCase(base_url, params.apikey, title, descr, severity, start_date, owner, flag, tlp, tags); + + if ('error' in resp) { + // Error contacting The Hive + console.error("TheHiveButton: ERROR when trying to create new case:", resp.error); + toastNotifications.addDanger("ERROR: " + resp.error); + this.setState({isWorking: false}); // Hide spinner + return; + } + + console.log("TheHiveButton: Case created:", resp); + const case_id = resp.id; + const case_url = base_url + "index.html#/case/" + case_id + "/details"; + + // Show notification + let obs_text; + if (observables.length > 0) { + obs_text = "Adding " + observables.length + " observables in background ..."; + } + else { + obs_text = "(no observables added)"; + } + toastNotifications.add({ + title: "Case created", + color: "success", + iconType: "checkInCircleFilled", + text: ( + <div> + <p><b><a href={case_url} target="_blank">Edit the new Case</a></b></p> + <p>{obs_text}</p> + </div> + ), + }); + + // Close the popup window, reset form fields and hide spinner + this.closeModal(); + this.resetForm(); + this.setState({isWorking: false}); + + // Open a new window with the case in The Hive + // (adding observables may take some time, so the case is opened first; + // The Hive web is dynamic so the observables appear as they are added) + window.open(case_url, '_blank'); + + if (observables.length == 0) + return; + + // Submit request to add observables + console.log("TheHiveButton: adding " + observables.length + " observables ..."); + resp = await addCaseObservables(base_url, params.apikey, case_id, observables); + + if ('error' in resp) { + console.error("TheHiveButton: ERROR when trying to add observables: " + resp.error); + toastNotifications.addDanger("ERROR when trying to add observables: " + resp.error); + } + else { + console.log("TheHiveButton: Done, observables added."); + toastNotifications.add("Done, observables added."); + } + } +} + + +// The popup window with a form +// props: +// - spinner: when true, disable form and show a spinner over it +class ModalContent extends Component { + constructor(props) { + super(props); + // No state here, everything is in the parent class (NewCaseButton) + + // "Select" options + this.severityOptions = [ + {value: "1", inputDisplay: "low"}, + {value: "2", inputDisplay: "medium"}, + {value: "3", inputDisplay: "high"}, + ]; + this.tlpOptions = [ + {value: "0", inputDisplay: "white"}, + {value: "1", inputDisplay: "green"}, + {value: "2", inputDisplay: "amber"}, + {value: "3", inputDisplay: "red"}, + ]; + } + + // Main render function + render() { + // TODO: replace Modal with Flyout? + + // Note: onClick on EuiOverlayMask causes close of modal when clicked outside, + // implementation inspired by PR: https://github.com/elastic/eui/pull/3462/files#diff-c8fda532e48f75c94c343247cbc6b2d3R53-R60 + return ( + <EuiOverlayMask onClick={(evt) => {if (evt.target.classList.contains("euiOverlayMask")) this.props.close();} }> + <EuiModal onClose={this.props.close} maxWidth={false} initialFocus="[name=title]"> + <EuiModalHeader> + <EuiModalHeaderTitle>Create a new case in The Hive</EuiModalHeaderTitle> + </EuiModalHeader> + + <EuiModalBody key={this.props.resetCnt}> + <EuiForm style={{width: "800px"}}> + <EuiFlexGroup> + <EuiFlexItem grow={1}> + <EuiFormRow label="Title" fullWidth> + <EuiFieldText name="title" value={this.props.title} onChange={this.props.onTitleChange} required={true} fullWidth /> + </EuiFormRow> + </EuiFlexItem> + <EuiFlexItem grow={false}> + <EuiFormRow label="Severity"> + <EuiSuperSelect + options={this.severityOptions} + valueOfSelected={this.props.severity} + onChange={this.props.onSeverityChange} + /> + </EuiFormRow> + </EuiFlexItem> + <EuiFlexItem grow={false}> + <EuiFormRow label="TLP"> + <EuiSuperSelect + prepend="TLP" + options={this.tlpOptions} + valueOfSelected={this.props.tlp} + onChange={this.props.onTLPChange} + /> + </EuiFormRow> + </EuiFlexItem> + </EuiFlexGroup> + <EuiFormRow label="Description" fullWidth> + <EuiTextArea + defaultValue={this.props.description} + onChange={this.props.onDescriptionChange} + rows={4} + fullWidth + /> + </EuiFormRow> + + {this.props.fields.length > 0 && <EuiTitle size="s"><h3>Add observables from current query ...</h3></EuiTitle>} + {this.props.fields.map((field,ix) => ( + <ObservablesTable + key={field.name + ":" + this.props.resetCnt} + fieldName={field.name} + observables={this.props.observables[field.name]} + obsData={this.props.obsData[field.name]} + obsSel={this.props.obsSel[field.name]} + onObsSelectionChange={this.props.onObsSelectionChange} + onObsDataChange={this.props.onObsDataChange} + /> + ))} + </EuiForm> + </EuiModalBody> + + <EuiModalFooter> + <EuiButtonEmpty onClick={this.props.close}>Close</EuiButtonEmpty> + <EuiButtonEmpty onClick={this.props.reset}>Reset</EuiButtonEmpty> + <EuiButton onClick={this.props.submitCase} fill isLoading={this.props.spinner}>Create Case</EuiButton> + </EuiModalFooter> + </EuiModal> + </EuiOverlayMask> + ); + } +} + +// Table of potential observables taken from a given field, allowing to select +// which observables to send to The Hive. +// Props: +// fieldName - name of the field this table is for +// observables - list of observable IDs of this field +// obsData - array of objects specifying state of form fields in the table (.descr, .tlp, ...) +// obsSel - array of indices of selected observables +class ObservablesTable extends Component { + + constructor(props) { + super(props); + + // Table columns definition + this.columns = [ + { + field: "id", + name: "Observable", + }, + { + field: "descr", + name: "Description", + description: "Description of the observable in the context of the case", + render: (value, item1) => (<EuiFieldText + value={item1.descr} + onChange={(e) => this.props.onObsDataChange(props.fieldName, item1.i, "descr", e.target.value)} + disabled={!item1.selected} + />) + }, + /*{ + field: "tlp", + name: "TLP", + dataType: "number", + // TODO render and process changes + },*/ + { + field: "ioc", + name: "Is IOC", + dataType: "boolean", + description: "Indicates if the observable is an IOC", + render: (value, item2) => (<EuiCheckbox + id={"ioc-checkbox-"+item2.id} + checked={item2.ioc} + onChange={(e) => this.props.onObsDataChange(props.fieldName, item2.i, "ioc", e.target.checked)} + disabled={!item2.selected} + />) + }, + /*{ + field: "tags", + name: "Tags", + // TODO render and process changes + },*/ + ] + + // Create a reference to EuiBasicTable, so it's node can be accessed in componentDidMount + this.tableRef = React.createRef(); + } + + render() { + // Table data definition (convert props to format suitable for EuiBasicTable) + const n_obs = this.props.observables.length; + this.table_data = new Array(n_obs); + for (let i = 0; i < n_obs; i++) { + this.table_data[i] = { + id: this.props.observables[i], + descr: this.props.obsData[i].descr, + tlp: this.props.obsData[i].tlp, + ioc: this.props.obsData[i].ioc, + tags: this.props.obsData[i].tags, + // auxiliary fields, not shown in table: + i: i, // row index + selected: this.props.obsSel.includes(i), + }; + } + + return ( + <> + <EuiTitle size="xs"><h4>{this.props.fieldName}</h4></EuiTitle> + <EuiBasicTable + ref={this.tableRef} + columns={this.columns} + items={this.table_data} + itemId={(item3) => item3.id} + selection={ {onSelectionChange: (selectedItems) => this.props.onObsSelectionChange(this.props.fieldName, selectedItems) } } + noItemsMessage="No observables found" + rowProps={{ + // Hack to allow selection by clicking anywhere in the table row + // (except input elements) + onClick: (e) => { + if (e.target.tagName != "INPUT") { + // simulate click on the first checkbox in the row to (de)select the row + e.currentTarget.querySelector("input").click(); + e.currentTarget.blur(); // without this the focus remains on the row after click (results in different color) + } + }, + tabIndex: "-1", // prevents focus on row by keyboard navigation + }} + /> + <EuiSpacer size="l" /> + </> + ) + } + + componentDidMount() { + // There's no way to specify initially selected items in EuiBasicTable by + // props, but we may need to select some (in case a user selects some obs., + // closes the modal and opens it again). + // However, the selection is stored as a 'selection' field of table's state, + // so here we directly edit the state just after the table is created. + + // Prepare the 'selection' array - it should contain a list of selected row specifications + let selection = []; + for (let ix of this.props.obsSel) { + selection.push(this.table_data[ix]); + } + + // Get ref to EuiBasicTable element and update its state + const table_node = this.tableRef.current; + table_node.setState({selection: selection}); + } +} + diff --git a/roles/build/templates/odfekibana/thehive_button/server/routes/newcase.js b/roles/build/templates/odfekibana/thehive_button/server/routes/newcase.js new file mode 100644 index 0000000000000000000000000000000000000000..175dee818c5569a5e5e02db31a6e443abe5f03fb --- /dev/null +++ b/roles/build/templates/odfekibana/thehive_button/server/routes/newcase.js @@ -0,0 +1,153 @@ +const request = require('request'); +//const fs = require('fs'); +//const path = require('path'); + +//const caFile = path.resolve(__dirname, '../../ca.cert.pem'); // TODO resolve where the CA file should be located / configured + +export default function (server) { + server.route({ + path: '/api/thehive_button/new_case', + method: 'POST', + handler: newCaseHandler, + }); + server.route({ + path: '/api/thehive_button/add_observables', + method: 'POST', + handler: addObservablesHandler, + }); +} + +// Handler of ajax requests to create a new Case in The Hive +function newCaseHandler(req, resp) { + // Parse the request to get connection parameters + // (everything is configured in forntend and sent as part of the request, + // since I don't know how to configure the backend) + var base_url = req.payload['base_url']; + var api_key = req.payload['api_key']; + var req_body = req.payload['body']; + + // check it's a valid URL with slash at the end + if (!base_url) { + return {'error': 'Base URL not set'}; + } + if (!base_url.match(/https?:\/\/(([a-z\d.-]+)|((\d{1,3}\.){3}\d{1,3}))(\:\d+)?(\/[-a-z\d%_.~+]*)*\//i)) { + //if (!base_url.match(/https?:\/\/.*\//)) { + return {'error': 'Invalid base URL (it must begin with "http[s]" and end with "/")'}; + } + if (!api_key) { + return {'error': 'API key not set'}; + } + + return new Promise( function(resolve, reject) { + request({ + method: 'POST', + url: base_url + 'api/case', + auth: {'bearer': api_key}, + json: true, + body: req_body, + //ca: fs.readFileSync(caFile), // TODO resolve the issue with custom CA, where to get its cert? + rejectUnauthorized: false, + }, + // handler of the reply from The Hive - just return as reply + function (error, response, body) { + // TODO: find out how to set response code, for now we always return sucess and encode original status code in the content + if (error) { + console.error("ERROR when trying to send request to The Hive:", error); + resolve({'error': error.message}); + } + else { + if (response.statusCode < 200 || response.statusCode >= 300) { + console.error("ERROR Unexpected reply received from The Hive:", response.statusCode, response.statusMessage, "\n", body) + } + resolve({ + 'status_code': response.statusCode, + 'status_msg': response.statusMessage, + 'body': body + }); + } + } // handler function + ); // request() + }); // Promise() +} + +// Note: +// There are two ways to create multiple Observables (artifacts) via The Hive API: +// 1. post one request with an array of observables in "data" field +// - this allows to create all in one request, but doesn't allow to set +// different parameters (IOC, TLP, etc.) to different observables +// 2. post each observable in a separate request +// The second way is used here. + +// Handler of ajax requests to add Observables to a Case in The Hive +function addObservablesHandler(req, resp) { + // Parse the request to get connection parameters + // (everything is configured in forntend and sent as part of the request, + // since I don't know how to configure the backend) + var base_url = req.payload['base_url']; + var api_key = req.payload['api_key']; + + // check it's a valid URL with slash at the end + if (!base_url) { + return {'error': 'Base URL not set'}; + } + if (!base_url.match(/https?:\/\/(([a-z\d.-]+)|((\d{1,3}\.){3}\d{1,3}))(\:\d+)?(\/[-a-z\d%_.~+]*)*\//i)) { + //if (!base_url.match(/https?:\/\/.*\//)) { + return {'error': 'Invalid base URL (it must begin with "http[s]" and end with "/")'}; + } + // TODO add "/" to the end automatically + if (!api_key) { + return {'error': 'API key not set'}; + } + + const caseid = req.payload['caseid']; + const observables = req.payload['observables']; // array of obersvable specifications + + return new Promise( async function(resolve, reject) { + // Run one request for each observable + // (A way to run multiple async tasks sequentially inspired by: + // https://jrsinclair.com/articles/2019/how-to-run-async-js-in-parallel-or-sequential/ ) + const starterPromise = Promise.resolve(null); + await observables.reduce( + (p, obs) => p.then(() => addObservable(base_url, api_key, caseid, obs)), + starterPromise + ).catch((err_msg) => { + console.error(err_msg); // log whole message + resolve({'error': err_msg.split("\n", 1)[0]}); // send the first line to frontend + return; + } + ); + resolve({}); + }); +} + +function addObservable(base_url, api_key, caseid, obs) { + return new Promise( function(resolve, reject) { + //console.log("Adding observable:", obs); + request({ + method: 'POST', + url: base_url + 'api/case/' + caseid + "/artifact", + auth: {'bearer': api_key}, + json: true, + body: obs, + //ca: fs.readFileSync(caFile), // TODO resolve the issue with custom CA, where to get its cert? + rejectUnauthorized: false, + }, + // handler of the reply from The Hive - just return as reply + function (error, response, body) { + if (error) { + reject("ERROR when trying to send request to The Hive: " + error); + } + else if (response.statusCode < 200 || response.statusCode >= 300) { + reject("ERROR: Unexpected reply received from The Hive: " + response.statusCode + " " + response.statusMessage + "\n" + JSON.stringify(body)); + } + else { + // success - continue with the next observable + resolve("OK"); + resolve({}) + } + } // handler function + ); // request() + }); //Promise() +} + + diff --git a/roles/odfekibana/files/env.js.j2 b/roles/odfekibana/files/env.js.j2 new file mode 100644 index 0000000000000000000000000000000000000000..a075a2781bbbed7d80132a22a7544c7235041018 --- /dev/null +++ b/roles/odfekibana/files/env.js.j2 @@ -0,0 +1,4 @@ +// Default plugin configuration +export const THEHIVE_URL = '{{THEHIVE_URL}}'; +export const THEHIVE_API_KEY = '{{THEHIVE_API_KEY}}'; +export const THEHIVE_OWNER = '{{THEHIVE_OWNER}}'; // default owner account of the created cases diff --git a/roles/odfekibana/tasks/main.yml b/roles/odfekibana/tasks/main.yml index 04426116397d59bd5d241ac133e1c46e3e767c96..b43adc636da4070410828dfd35d1af920822146c 100644 --- a/roles/odfekibana/tasks/main.yml +++ b/roles/odfekibana/tasks/main.yml @@ -85,6 +85,17 @@ # tags: # - start + +- name: Generate configuration for thehive_button plugin + template: + src: files/env.js.j2 + dest: "/usr/share/kibana/plugins/thehive_button/public/env.js" + owner: kibana + group: kibana + tags: + - start + + - name: Start OpenDistro Kibana for Elasticsearch command: /usr/share/kibana/startkibana.sh #shell: exec /usr/share/kibana/bin/kibana -c config/kibana.yml & @@ -101,18 +112,14 @@ tags: - start -- name: kibana health - block: - - name: check kibana health - shell: 'curl -k -b /tmp/cookie.txt -c /tmp/cookie.txt -X "GET" "https://{{dslproxy}}:5601/api/status" \ - | egrep status....overall....state...green' - rescue: - - name: wait for kibana to become ready - shell: 'sleep 180' - always: - - name: recheck kibana health - shell: 'curl -k -b /tmp/cookie.txt -c /tmp/cookie.txt -X "GET" "https://{{dslproxy}}:5601/api/status" \ +- name: Check Kibana health + shell: 'curl -k -b /tmp/cookie.txt -c /tmp/cookie.txt -X "GET" "https://{{dslproxy}}:5601/api/status" \ | egrep status....overall....state...green' + register: result + until: task_result.rc == 0 + retries: 90 + delay: 2 + ignore_errors: yes tags: - start @@ -150,11 +157,11 @@ tags: - start -- name: cleanup temporary files for kibana_graph import - shell: '/bin/rm -rf /tmp/cookie.txt /tmp/kibana_graphs.ndjson /tmp/tenant.json' - ignore_errors: true - tags: - - start +#- name: cleanup temporary files for kibana_graph import +# shell: '/bin/rm -rf /tmp/cookie.txt /tmp/kibana_graphs.ndjson /tmp/tenant.json' +# ignore_errors: true +# tags: +# - start #- name: check reachable hosts # gather_facts: no