threatgrid · mtyzz · Nov 26, 2024 · Nov 25, 2024 · Nov 25, 2024 · Nov 26, 2024
@@ -46,7 +46,7 @@ ctia:ctia:jar:1.1.1-SNAPSHOT
 +- metosin:schema-tools:jar:0.13.1:compile
 +- threatgrid:flanders:jar:1.0.2:compile
 |  \- org.clojure:core.match:jar:1.0.0:compile
-+- threatgrid:ctim:jar:1.3.20:compile
++- threatgrid:ctim:jar:1.3.21:compile
 |  +- org.mozilla:rhino:jar:1.7.7.1:compile
 |  \- kovacnica:clojure.network.ip:jar:0.1.3:compile
 |     \- org.clojure:clojurescript:jar:1.7.122:compile

@@ -478,7 +478,7 @@
     <dependency>
       <groupId>threatgrid</groupId>
       <artifactId>ctim</artifactId>
-      <version>1.3.20</version>
+      <version>1.3.21</version>
       <exclusions>
         <exclusion>
           <artifactId>slf4j-nop</artifactId>
@@ -2111,4 +2111,4 @@
       <scope>test</scope>
     </dependency>
   </dependencies>
-</project>
+</project>
@@ -88,7 +88,7 @@
                  [prismatic/schema "1.4.1"]
                  [metosin/schema-tools "0.13.1"]
                  [threatgrid/flanders "1.0.2"]
-                 [threatgrid/ctim "1.3.20"]
+                 [threatgrid/ctim "1.3.21-SNAPSHOT"]
-                 [threatgrid/ctim "1.3.21-SNAPSHOT"]
+                 [threatgrid/ctim "1.3.21"]
-                 [threatgrid/ctim "1.3.21-SNAPSHOT"]
+                 [threatgrid/ctim "1.3.21"]
                  [instaparse "1.4.10"] ;; com.gfredericks/test.chuck > threatgrid/ctim
                  [threatgrid/clj-momo "0.3.5"]
                  [threatgrid/ductile "0.5.0"]

@@ -240,6 +240,7 @@
       :discovery_method   em/token
       :intended_effect    em/token
       :assignees          em/token
+      :detection_sources  em/token
       :promotion_method   em/token
       :severity           em/token
       :tactics            em/token
@@ -275,6 +276,7 @@
            :discovery_method
            :intended_effect
            :assignees
+           :detection_sources
            :promotion_method
            :severity
            :tactics
@@ -339,6 +341,7 @@
 
 (def incident-enumerable-fields
   [:assignees
+   :detection_sources
    :categories
    :confidence
    :discovery_method
@@ -384,6 +387,7 @@
      :categories         s/Str
      :sort_by            (incident-sort-fields services)
      :assignees          s/Str
+     :detection_sources  s/Str
      :promotion_method   s/Str
      :severity           s/Str
      :tactics            [s/Str]

@@ -606,6 +606,43 @@
                                  (normalize parsed-body)))))))
                (finally (purge-incidents! app))))))))
 
+(deftest filter-incidents-by-sources-test
+  (es-helpers/for-each-es-version
+    "sort by tactics"
+    [7]
+    #(es-helpers/clean-es-state! % "ctia_*")
+    (helpers/with-properties (into ["ctia.auth.type" "allow-all"]
+                                   es-helpers/basic-auth-properties)
+      (helpers/fixture-ctia-with-app
+        (fn [app]
+          ;(helpers/set-capabilities! app "foouser" ["foogroup"] "user" all-capabilities)
+          ;(whoami-helpers/set-whoami-response app "45c1f5e3f05d0" "foouser" "foogroup" "user")
+          (try (let [incident1 (assoc (gen-new-incident) :detection_sources ["Crowdstrike for Endpoint" "Cisco XDR Detections" "TA0006"])
+                     incident2 (assoc (gen-new-incident) :detection_sources ["TA0004" "Cisco XDR Detections" "TA0008"])
+                     incident3 (assoc (gen-new-incident) :detection_sources ["TA0008" "Cisco XDR Detections" "TA0006" "Talnos, which is like Talos but weird"])
+                     normalize (fn [incidents]
+                                 (->> incidents
+                                      (map #(select-keys % [:title :tactics]))
+                                      (sort-by :tactics)))]
+                 (create-incidents app #{incident1 incident2 incident3})
+                 (testing "incident1"
+                   (let [{:keys [parsed-body] :as raw} (search-th/search-raw app :incident {:query "detection_sources:(\"Crowdstrike for Endpoint\")"})]
+                     (and (is (= 200 (:status raw)) (pr-str raw))
+                          (is (= (normalize [incident1])
+                                 (normalize parsed-body))
+                              (pr-str parsed-body)))))
+                 (testing "incident1+2+3"
+                   (let [{:keys [parsed-body] :as raw} (search-th/search-raw app :incident {:query "detection_sources:(\"Cisco XDR Detections\")"})]
+                     (and (is (= 200 (:status raw)) (pr-str raw))
+                          (is (= (normalize [incident1 incident2 incident3])
+                                 (normalize parsed-body))))))
+                 (testing "incident1+3 multi"
+                   (let [{:keys [parsed-body] :as raw} (search-th/search-raw app :incident {:query "detection_sources:(\"Crowdstrike for Endpoint\" || \"Talnos, which is like Talos but weird\")"}) ]
+                     (and (is (= 200 (:status raw)) (pr-str raw))
+                          (is (= (normalize [incident1 incident3])
+                                 (normalize parsed-body)))))))
+               (finally (purge-incidents! app))))))))
+
 (deftest filter-incidents-by-scores-range
   (es-helpers/for-each-es-version
     "filter by scores"