Merge branch 'master' into issue-49

ace

@@ -166,6 +166,8 @@ def execute_hunt(args):
         exec_kwargs['start_time'] = start_time
         exec_kwargs['end_time'] = end_time
 
+        hunt.query_result_file = args.query_result_file
+
     if args.json_dir is not None:
         os.makedirs(args.json_dir, exist_ok=True)
 
@@ -243,6 +245,8 @@ execute_hunt_parser.add_argument('-d', '--details', required=False, default=Fals
     help="Include the details of the submissions in the output.")
 execute_hunt_parser.add_argument('--submit-alerts', required=False, default=None, 
     help="Submit as alerts to the given host[:port]")
+execute_hunt_parser.add_argument('--query-result-file', required=False, default=None,
+    help="Valid only for query hunts. Save the raw query results to the given file.")
 
 execute_hunt_parser.set_defaults(func=execute_hunt)
 
@@ -1018,9 +1022,9 @@ def execute_remediation(args):
     sys.exit(0)
 
 def execute_email_remediation(args):
-    import saq.remediation
+    from saq.remediation.email import create_email_remediation_key
     setattr(args, 'type', 'email')
-    setattr(args, 'targets', [saq.remediation.email.create_email_remediation_key(args.message_id, args.email_address)])
+    setattr(args, 'targets', [create_email_remediation_key(args.message_id, args.email_address)])
     execute_remediation(args)
 
 # most of the arguments are shared between the remove and restore action

app/analysis/views.py

@@ -2870,8 +2870,9 @@ def metrics():
         # First, alert quantities by disposition per month
         alert_df.set_index('month', inplace=True)
         months = alert_df.index.get_level_values('month').unique()
-
-        # if March 2015 alerts in our results then manually insert alert 
+
+        # Legacy -- remove?
+        # if March 2015 alerts in our results then manually insert alert
         # for https://wiki.local/display/integral/20150309+ctbCryptoLocker
         # No alert was ever put into ACE for this event
         if '201503' in months:
@@ -2972,37 +2973,45 @@ def metrics():
         # generate SIP ;-) indicator intel tables
         # XXX add support for using CRITS/SIP based on what ACE is configured to use
         if 'indicator_intel' in metric_actions:
-            try:
-                indicator_source_table, indicator_status_table = generate_intel_tables()
-                tables.append(indicator_source_table)
-                tables.append(indicator_status_table) 
-            except Exception as e:
-                flash("Problem generating overall source and status indicator tables : {0}".format(str(e)))
-            # Count all created indicators during daterange by their status
-            try:
-                created_indicators = get_created_OR_modified_indicators_during(daterange_start, daterange_end, created=True)
-                if created_indicators is not False:
-                    tables.append(created_indicators)
-            except Exception as e:
-                flash("Problem generating created indicator table: {0}".format(str(e)))
-            try:
-                modified_indicators = get_created_OR_modified_indicators_during(daterange_start, daterange_end, modified=True)
-                if modified_indicators is not False:
-                    tables.append(modified_indicators)
-            except Exception as e:
-                flash("Problem generating modified indicator table: {0}".format(str(e)))
+            if not (saq.CONFIG.get("crits", "mongodb_uri") or
+                    (saq.CONFIG.get("sip", "remote_address") or saq.CONFIG.get("sip", "api_key"))):
+                flash("intel source not configured; skipping indicator stats table generation")
+            else:
+                try:
+                    indicator_source_table, indicator_status_table = generate_intel_tables()
+                    tables.append(indicator_source_table)
+                    tables.append(indicator_status_table)
+                except Exception as e:
+                    flash("Problem generating overall source and status indicator tables : {0}".format(str(e)))
+                # Count all created indicators during daterange by their status
+                try:
+                    created_indicators = get_created_OR_modified_indicators_during(daterange_start, daterange_end, created=True)
+                    if created_indicators is not False:
+                        tables.append(created_indicators)
+                except Exception as e:
+                    flash("Problem generating created indicator table: {0}".format(str(e)))
+                try:
+                    modified_indicators = get_created_OR_modified_indicators_during(daterange_start, daterange_end, modified=True)
+                    if modified_indicators is not False:
+                        tables.append(modified_indicators)
+                except Exception as e:
+                    flash("Problem generating modified indicator table: {0}".format(str(e)))
 
     if download_results:
-        outBytes = io.BytesIO()
-        writer = pd.ExcelWriter(outBytes)
-        for table in tables:
-            table.to_excel(writer, table.name)
-        writer.close()
-        filename = company_name+"_metrics.xlsx" if company_name else "ACE_metrics.xlsx"
-        output = make_response(outBytes.getvalue())
-        output.headers["Content-Disposition"] = "attachment; filename="+filename
-        output.headers["Content-type"] = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"
-        return output
+        if tables:
+            outBytes = io.BytesIO()
+            writer = pd.ExcelWriter(outBytes)
+            for table in tables:
+                table.to_excel(writer, table.name)
+            writer.close()
+            outBytes.seek(0)
+            filename = company_name+"_metrics.xlsx" if company_name else "ACE_metrics.xlsx"
+            output = make_response(outBytes.read())
+            output.headers["Content-Disposition"] = "attachment; filename="+filename
+            output.headers["Content-type"] = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"
+            return output
+        else:
+            flash("No results; .xlsx could not be generated")
 
     return render_template(
         'analysis/metrics.html',

app/templates/analysis/event_edit.html

@@ -101,7 +101,7 @@
     </tr>
     <tr><th>Comment</th><td><input class="form-control" type="text" id="event_comment" name="event_comment" value="{{event.comment}}"></input></td></tr>
   </table><br>
-  <h4>Malware
+  <h4>Threat Name
     <button onclick="new_malware_option()" type="button" class="btn btn-default btn-sm"><span class="glyphicon glyphicon-plus-sign"></span> Add</button>
   </h4>
   {% for mal in malware %}
@@ -132,7 +132,7 @@ <h4>Malware
           <div class="col-xs-3"><input type="checkbox" name="threats_{{mal.id}}" value="ransomware"> ransomware</div>
           <div class="col-xs-3"><input type="checkbox" name="threats_{{mal.id}}" value="rat"> rat</div>
           <div class="col-xs-3"><input type="checkbox" name="threats_{{mal.id}}" value="rootkit"> rootkit</div>
-          <div class="col-xs-3"><input type="checkbox" name="threats_{{mal.id}}" value="unknown"> unknown</div>
+          <div class="col-xs-3"><input type="checkbox" name="threats_{{mal.id}}" value="customer threat"> customer threat</div>
         </td>
       </tr>
     </table>

app/templates/analysis/events.html

@@ -32,8 +32,8 @@
                         <th></th>
                         <th><span id='sort_by_date' style="cursor:pointer">Date{% if sort_by == "date" %}{% if sort_dir %}&darr;{% else %}&uarr;{% endif %}{% endif %}</span></th>
                         <th><span id='sort_by_event' style="cursor:pointer">Event{% if sort_by == "event" %}{% if sort_dir %}&darr;{% else %}&uarr;{% endif %}{% endif %}</span></th>
-                        <th><span>Threat</span></th>
-                        <th><span>Malware</span></th>
+                        <th><span>Threat Type</span></th>
+                        <th><span>Threat Name</span></th>
                         <th><span id='sort_by_campaign' style="cursor:pointer">Campaign{% if sort_by == "campaign" %}{% if sort_dir %}&darr;{% else %}&uarr;{% endif %}{% endif %}</span></th>
                         <th><span id='sort_by_disposition' style="cursor:pointer">Disposition{% if sort_by == "disposition" %}{% if sort_dir %}&darr;{% else %}&uarr;{% endif %}{% endif %}</span></th>
                         <th><span id='sort_by_prevention' style="cursor:pointer">Prevention{% if sort_by == "prevention" %}{% if sort_dir %}&darr;{% else %}&uarr;{% endif %}{% endif %}</span></th>
@@ -47,14 +47,18 @@
                         <td class="event-cell"><button onclick="load_event_alerts('{{event.id}}')" type="button" class="btn btn-default btn-xs"><span class="glyphicon glyphicon-triangle-right"></span></button></td>
                         <td class="event-cell"><button onclick="edit_event('{{event.id}}')" type="button" class="btn btn-default btn-xs"><span class="glyphicon glyphicon-pencil"></span></button></td>
                         <td class="event-cell">{{event.creation_date}}</td>
-                        <td>
-                            <a target="_blank" href="{{event.wiki}}">{{event.type}} - {{event.vector}} - {{event.name}}</a>
-                            {% if event_tags[event.id]|length != 0 %}
-			      {% for tag in event_tags[event.id] %}
-                                {% if tag.display %}<span class="label {{tag.style}}" style="cursor:pointer">{{tag.name}}</span>{% endif %}
-                              {% endfor %}
-			    {% endif %}
-                        </td>
+                        {% if event.wiki %}
+                            <td>
+                                <a target="_blank" href="{{event.wiki}}">{{event.type}} - {{event.vector}} - {{event.name}}</a>
+                                {% if event_tags[event.id]|length != 0 %}
+                      {% for tag in event_tags[event.id] %}
+                                    {% if tag.display %}<span class="label {{tag.style}}" style="cursor:pointer">{{tag.name}}</span>{% endif %}
+                                  {% endfor %}
+                    {% endif %}
+                            </td>
+                        {% else %}
+                            <td class="event-cell">{{event.type}} - {{event.vector}} - {{event.name}}</td>
+                        {% endif %}
                         <td>
                             {% for t in event.threats %}
                             <span class="label label-default">{{t}}</span>
@@ -123,6 +127,7 @@ <h4 class="modal-title" id="filter_modal_label">Edit Filter</h4>
                             <option value="recon" {% if filter_state['filter_event_type'] == 'recon' %}SELECTED{% endif %}>recon</option>
                             <option value="host compromise" {% if filter_state['filter_event_type'] == 'host compromise' %}SELECTED{% endif %}>host compromise</option>
                             <option value="credential compromise" {% if filter_state['filter_event_type'] == 'credential compromise' %}SELECTED{% endif %}>credential compromise</option>
+                            <option value="web browsing" {% if filter_state['filter_event_type'] == 'web browsing' %}SELECTED{% endif %}>web browsing</option>
                         </select>
                       </td>
                     </tr>
@@ -169,7 +174,7 @@ <h4>Campaigns</h4>
                     <div class="col-xs-3"><input type="checkbox" name="campaign_{{campaign.id}}" {{filter_state['campaign_{}'.format(campaign.id)]}}> {{campaign.name}}</input></div>
                     {% endfor %}
                 </div></br>
-                <h4>Malware</h4>
+                <h4>Threat Name</h4>
                 <div class="row">
                     {% for mal in malware %}
                     <div class="col-xs-12"><input type="checkbox" name="malz_{{mal.id}}" {{filter_state['malz_{}'.format(mal.id)]}}> {{mal.name}}</input></div>

app/templates/analysis/metrics.html

@@ -49,7 +49,7 @@
                       <input class="form-check-input" type="checkbox" id="eventsCheckbox" name="metric_actions" value="events" checked> Events
                     </label>
                     <label class="form-check-label">
-                      <input class="form-check-input" type="checkbox" id="indicatorCheckbox" name="metric_actions" value="indicator_intel" checked> Indicator Stats
+                      <input class="form-check-input" type="checkbox" id="indicatorCheckbox" name="metric_actions" value="indicator_intel"> Indicator Stats
                     </label>
                   </div>
                 </div>

app/templates/analysis/new_malware_option.html

@@ -24,7 +24,7 @@
                                           <div class="col-xs-3"><input type="checkbox" name="threats_{{index}}" value="ransomware"> ransomware</div>
                                           <div class="col-xs-3"><input type="checkbox" name="threats_{{index}}" value="rat"> rat</div>
                                           <div class="col-xs-3"><input type="checkbox" name="threats_{{index}}" value="rootkit"> rootkit</div>
-                                          <div class="col-xs-3"><input type="checkbox" name="threats_{{index}}" value="unknown"> unknown</div>
+                                          <div class="col-xs-3"><input type="checkbox" name="threats_{{index}}" value="customer_threat"> customer threat</div>
                                         </td>
                                       </tr>
                                     </table>