From 21c3c9bf4d897e8d87f9c66426183b70a467920f Mon Sep 17 00:00:00 2001
From: Shay Nehmad
Date: Thu, 15 Aug 2019 12:27:21 +0300
Subject: [PATCH] Now returning full text data to the website
---
monkey/common/data/zero_trust_consts.py | 51 +++++++++++++------
monkey/monkey_island/cc/models/finding.py | 4 +-
.../reporting/test_zeroTrustService.py | 46 ++++++++---------
.../services/reporting/zero_trust_service.py | 6 +--
.../zerotrust/DirectivesStatusTable.js | 1 +
5 files changed, 64 insertions(+), 44 deletions(-)
diff --git a/monkey/common/data/zero_trust_consts.py b/monkey/common/data/zero_trust_consts.py
index c55ee160d..05edc4faa 100644
--- a/monkey/common/data/zero_trust_consts.py
+++ b/monkey/common/data/zero_trust_consts.py
@@ -47,54 +47,73 @@ DIRECTIVES = { POSSIBLE_STATUSES_KEY = u"possible_statuses" PILLARS_KEY = u"pillars" DIRECTIVE_KEY = u"directive_key" -FINDING_FORMAT_KEY = u"finding_format" -EXPLANATION_KEY = u"explanation" +FINDING_EXPLANATION_BY_STATUS_KEY = u"finding_explanation" +TEST_EXPLANATION_KEY = u"explanation" TESTS_MAP = { TEST_SEGMENTATION: { - EXPLANATION_KEY: u"The Monkey tried to scan and find machines that it can communicate with from the machine it's running on, that belong to different network segments.", - FINDING_FORMAT_KEY: u"The Monkey from {ORIGIN} communicated with a machine on a different segment.", + TEST_EXPLANATION_KEY: u"The Monkey tried to scan and find machines that it can communicate with from the machine it's running on, that belong to different network segments.", + FINDING_EXPLANATION_BY_STATUS_KEY: { + STATUS_CONCLUSIVE: "Monkey performed cross-segment communication. Check firewall rules and logs.", + STATUS_POSITIVE: "Monkey couldn't perform cross-segment communication. If relevant, check firewall logs." + }, DIRECTIVE_KEY: DIRECTIVE_SEGMENTATION, PILLARS_KEY: [NETWORKS], POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_POSITIVE, STATUS_CONCLUSIVE] }, TEST_ACTIVITY_TIMELINE: { - EXPLANATION_KEY: u"The Monkeys in the network performed malicious-looking actions, like scanning and attempting exploitation.", - FINDING_FORMAT_KEY: u"Malicious activity performed by the Monkeys. See 'events' for detailed information.", + TEST_EXPLANATION_KEY: u"The Monkeys in the network performed malicious-looking actions, like scanning and attempting exploitation.", + FINDING_EXPLANATION_BY_STATUS_KEY: { + STATUS_INCONCLUSIVE: "Monkey performed malicious actions in the network. Check SOC logs and alerts." 
+ }, DIRECTIVE_KEY: DIRECTIVE_ANALYZE_NETWORK_TRAFFIC, PILLARS_KEY: [NETWORKS, VISIBILITY_ANALYTICS], POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_INCONCLUSIVE] }, TEST_ENDPOINT_SECURITY_EXISTS: { - EXPLANATION_KEY: u"The Monkey checked if there is an active process of an endpoint security software.", - FINDING_FORMAT_KEY: u"The Monkey on {ORIGIN} found no active endpoint security processes.", + TEST_EXPLANATION_KEY: u"The Monkey checked if there is an active process of an endpoint security software.", + FINDING_EXPLANATION_BY_STATUS_KEY: { + STATUS_CONCLUSIVE: "Monkey didn't find ANY active endpoint security processes. Install and activate anti-virus software on endpoints.", + STATUS_POSITIVE: "Monkey found active endpoint security processes. Check their logs to see if Monkey was a security concern." + }, DIRECTIVE_KEY: DIRECTIVE_ENDPOINT_SECURITY, PILLARS_KEY: [DEVICES], POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_CONCLUSIVE, STATUS_POSITIVE] }, TEST_MACHINE_EXPLOITED: { - EXPLANATION_KEY: u"The Monkey tries to exploit machines in order to breach them and propagate in the network.", - FINDING_FORMAT_KEY: u"The Monkey on {ORIGIN} attempted to exploit a machine on {TARGET}.", + TEST_EXPLANATION_KEY: u"The Monkey tries to exploit machines in order to breach them and propagate in the network.", + FINDING_EXPLANATION_BY_STATUS_KEY: { + STATUS_CONCLUSIVE: "Monkey successfully exploited endpoints. Check IDS/IPS logs to see activity recognized and see which endpoints were compromised.", + STATUS_INCONCLUSIVE: "Monkey tried exploiting endpoints. Check IDS/IPS logs to see activity recognized." 
+ }, DIRECTIVE_KEY: DIRECTIVE_ENDPOINT_SECURITY, PILLARS_KEY: [DEVICES], POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_CONCLUSIVE, STATUS_INCONCLUSIVE] }, TEST_SCHEDULED_EXECUTION: { - EXPLANATION_KEY: "The Monkey was executed in a scheduled manner.", - FINDING_FORMAT_KEY: "The Monkey on {ORIGIN} started running in an executed manner.", + TEST_EXPLANATION_KEY: "The Monkey was executed in a scheduled manner.", + FINDING_EXPLANATION_BY_STATUS_KEY: { + STATUS_INCONCLUSIVE: "Monkey was executed in a scheduled manner. Locate this activity in User-Behavior security software." + }, DIRECTIVE_KEY: DIRECTIVE_USER_BEHAVIOUR, PILLARS_KEY: [PEOPLE, NETWORKS], POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_INCONCLUSIVE] }, TEST_DATA_ENDPOINT_ELASTIC: { - EXPLANATION_KEY: u"The Monkey scanned for unencrypted access to ElasticSearch instances.", - FINDING_FORMAT_KEY: u"The Monkey on {ORIGIN} found an open ElasticSearch instance.", + TEST_EXPLANATION_KEY: u"The Monkey scanned for unencrypted access to ElasticSearch instances.", + FINDING_EXPLANATION_BY_STATUS_KEY: { + STATUS_CONCLUSIVE: "Monkey accessed ElasticSearch instances. Limit access to data by encrypting it in in-transit.", + STATUS_POSITIVE: "Monkey didn't find open ElasticSearch instances. If you have such instances, look for alerts that indicate attempts to access them." + }, DIRECTIVE_KEY: DIRECTIVE_DATA_TRANSIT, PILLARS_KEY: [DATA], POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_CONCLUSIVE, STATUS_POSITIVE] }, TEST_DATA_ENDPOINT_HTTP: { - EXPLANATION_KEY: u"The Monkey scanned for unencrypted access to HTTP servers.", - FINDING_FORMAT_KEY: u"The Monkey on {ORIGIN} found an open HTTP server.", + TEST_EXPLANATION_KEY: u"The Monkey scanned for unencrypted access to HTTP servers.", + FINDING_EXPLANATION_BY_STATUS_KEY: { + STATUS_CONCLUSIVE: "Monkey accessed HTTP servers. Limit access to data by encrypting it in in-transit.", + STATUS_POSITIVE: "Monkey didn't find open HTTP servers. 
If you have such servers, look for alerts that indicate attempts to access them." + }, DIRECTIVE_KEY: DIRECTIVE_DATA_TRANSIT, PILLARS_KEY: [DATA], POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_CONCLUSIVE, STATUS_POSITIVE] diff --git a/monkey/monkey_island/cc/models/finding.py b/monkey/monkey_island/cc/models/finding.py index 5ee014cfb..77160534f 100644 --- a/monkey/monkey_island/cc/models/finding.py +++ b/monkey/monkey_island/cc/models/finding.py @@ -4,7 +4,7 @@ Define a Document Schema for Zero Trust findings. from mongoengine import Document, StringField, EmbeddedDocumentListField -from common.data.zero_trust_consts import ORDERED_TEST_STATUSES, TESTS, TESTS_MAP, EXPLANATION_KEY, PILLARS_KEY +from common.data.zero_trust_consts import ORDERED_TEST_STATUSES, TESTS, TESTS_MAP, TEST_EXPLANATION_KEY, PILLARS_KEY # Dummy import for mongoengine. # noinspection PyUnresolvedReferences from event import Event @@ -24,7 +24,7 @@ class Finding(Document): # LOGIC def get_test_explanation(self): - return TESTS_MAP[self.test][EXPLANATION_KEY] + return TESTS_MAP[self.test][TEST_EXPLANATION_KEY] def get_pillars(self): return TESTS_MAP[self.test][PILLARS_KEY] diff --git a/monkey/monkey_island/cc/services/reporting/test_zeroTrustService.py b/monkey/monkey_island/cc/services/reporting/test_zeroTrustService.py index 7e7df7ad0..6ec2651a0 100644 --- a/monkey/monkey_island/cc/services/reporting/test_zeroTrustService.py +++ b/monkey/monkey_island/cc/services/reporting/test_zeroTrustService.py 
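Review bot: The new FINDING_EXPLANATION_BY_STATUS_KEY dicts cover every status in the same test's POSSIBLE_STATUSES_KEY except STATUS_UNEXECUTED, which is missing from all seven, while zero_trust_service.py (hunk @@ -104) now indexes this dict directly with `finding.status`, so any stored finding whose status has no entry raises KeyError and breaks the whole report rather than one row. If a finding can never be persisted with STATUS_UNEXECUTED, state that invariant in a comment above TESTS_MAP (`# Every status a Finding can be stored with must have an entry in FINDING_EXPLANATION_BY_STATUS_KEY`) and enforce it once at import time, e.g. `for _name, _info in TESTS_MAP.items():` / `    if set(_info[POSSIBLE_STATUSES_KEY]) - {STATUS_UNEXECUTED} - set(_info[FINDING_EXPLANATION_BY_STATUS_KEY]):` / `        raise ValueError("missing finding explanation for a status of %s" % _name)`, so a future test added without a full explanation map fails at startup instead of at report time. The ElasticSearch and HTTP STATUS_CONCLUSIVE strings both read "encrypting it in in-transit" (doubled "in"); since these are user-facing report text, fix to "encrypting it in transit". Also worth noting that the removed FINDING_FORMAT_KEY strings carried `{ORIGIN}`/`{TARGET}`, whereas the new per-status texts are identical for every finding of a test, so a reader presumably now has to open the events list to locate the affected host — confirm the UI surfaces that.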
@@ -110,88 +110,88 @@ class TestZeroTrustService(IslandTestCase): AUTOMATION_ORCHESTRATION: [], DATA: [ { - "directive": DIRECTIVE_DATA_TRANSIT, + "directive": DIRECTIVES[DIRECTIVE_DATA_TRANSIT], "status": STATUS_CONCLUSIVE, "tests": [ { "status": STATUS_UNEXECUTED, - "test": TEST_DATA_ENDPOINT_ELASTIC + "test": TESTS_MAP[TEST_DATA_ENDPOINT_ELASTIC][TEST_EXPLANATION_KEY] }, { "status": STATUS_CONCLUSIVE, - "test": TEST_DATA_ENDPOINT_HTTP + "test": TESTS_MAP[TEST_DATA_ENDPOINT_HTTP][TEST_EXPLANATION_KEY] } ] } ], DEVICES: [ { - "directive": "endpoint_security", - "status": "Conclusive", + "directive": DIRECTIVES[DIRECTIVE_ENDPOINT_SECURITY], + "status": STATUS_CONCLUSIVE, "tests": [ { - "status": "Conclusive", - "test": "endpoint_security_exists" + "status": STATUS_CONCLUSIVE, + "test": TESTS_MAP[TEST_ENDPOINT_SECURITY_EXISTS][TEST_EXPLANATION_KEY] }, { - "status": "Unexecuted", - "test": "machine_exploited" + "status": STATUS_UNEXECUTED, + "test": TESTS_MAP[TEST_MACHINE_EXPLOITED][TEST_EXPLANATION_KEY] } ] } ], NETWORKS: [ { - "directive": "segmentation", - "status": "Unexecuted", + "directive": DIRECTIVES[DIRECTIVE_SEGMENTATION], + "status": STATUS_UNEXECUTED, "tests": [ { - "status": "Unexecuted", - "test": "segmentation" + "status": STATUS_UNEXECUTED, + "test": TESTS_MAP[TEST_SEGMENTATION][TEST_EXPLANATION_KEY] } ] }, { - "directive": "user_behaviour", + "directive": DIRECTIVES[DIRECTIVE_USER_BEHAVIOUR], "status": STATUS_INCONCLUSIVE, "tests": [ { "status": STATUS_INCONCLUSIVE, - "test": TEST_SCHEDULED_EXECUTION + "test": TESTS_MAP[TEST_SCHEDULED_EXECUTION][TEST_EXPLANATION_KEY] } ] }, { - "directive": "analyze_network_traffic", - "status": "Unexecuted", + "directive": DIRECTIVES[DIRECTIVE_ANALYZE_NETWORK_TRAFFIC], + "status": STATUS_UNEXECUTED, "tests": [ { - "status": "Unexecuted", - "test": "malicious_activity_timeline" + "status": STATUS_UNEXECUTED, + "test": TESTS_MAP[TEST_ACTIVITY_TIMELINE][TEST_EXPLANATION_KEY] } ] } ], PEOPLE: [ { - "directive": 
"user_behaviour", + "directive": DIRECTIVES[DIRECTIVE_USER_BEHAVIOUR], "status": STATUS_INCONCLUSIVE, "tests": [ { "status": STATUS_INCONCLUSIVE, - "test": TEST_SCHEDULED_EXECUTION + "test": TESTS_MAP[TEST_SCHEDULED_EXECUTION][TEST_EXPLANATION_KEY] } ] } ], "Visibility & Analytics": [ { - "directive": DIRECTIVE_ANALYZE_NETWORK_TRAFFIC, + "directive": DIRECTIVES[DIRECTIVE_ANALYZE_NETWORK_TRAFFIC], "status": STATUS_UNEXECUTED, "tests": [ { "status": STATUS_UNEXECUTED, - "test": TEST_ACTIVITY_TIMELINE + "test": TESTS_MAP[TEST_ACTIVITY_TIMELINE][TEST_EXPLANATION_KEY] } ] } diff --git a/monkey/monkey_island/cc/services/reporting/zero_trust_service.py b/monkey/monkey_island/cc/services/reporting/zero_trust_service.py index bf2b9d6e8..1aa7291ed 100644 --- a/monkey/monkey_island/cc/services/reporting/zero_trust_service.py +++ b/monkey/monkey_island/cc/services/reporting/zero_trust_service.py @@ -50,7 +50,7 @@ class ZeroTrustService(object): for pillar in DIRECTIVES_TO_PILLARS[directive]: all_directive_statuses[pillar].append( { - "directive": directive, + "directive": DIRECTIVES[directive], "tests": ZeroTrustService.__get_tests_status(directive_tests), "status": ZeroTrustService.__get_directive_status(directive_tests) } @@ -78,7 +78,7 @@ class ZeroTrustService(object): test_findings = Finding.objects(test=test) results.append( { - "test": test, + "test": TESTS_MAP[test][TEST_EXPLANATION_KEY], "status": ZeroTrustService.__get_lcd_worst_status_for_test(test_findings) } ) @@ -104,7 +104,7 @@ class ZeroTrustService(object): test_info = TESTS_MAP[finding.test] enriched_finding = { # TODO add test explanation per status. - "test": test_info[EXPLANATION_KEY], + "test": test_info[FINDING_EXPLANATION_BY_STATUS_KEY][finding.status], "pillars": test_info[PILLARS_KEY], "status": finding.status, "events": ZeroTrustService.__get_events_as_dict(finding.events) 
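Review bot: The `"Visibility & Analytics"` pillar key near the end of the hunk is left as a string literal while the sibling pillars (DATA, DEVICES, NETWORKS, PEOPLE) were switched to their constants in this same change; use `VISIBILITY_ANALYTICS: [` so the expected structure also follows a rename of that pillar. The expected `"directive"` and `"test"` values are now looked up from DIRECTIVES and TESTS_MAP, the same tables the service reads, so the test still verifies the key wiring but no longer pins any literal output text; that is acceptable for a structure test, but it means a wrong or empty explanation string in the consts file would pass unnoticed here. The enclosing test method and class start before and end after the hunk.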
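Review bot: The `# TODO add test explanation per status.` comment in the @@ -104 hunk is implemented by the line directly beneath it and should be removed in this commit, otherwise it reads as still open. In the @@ -78 hunk the `"test"` field of each result now carries the human-readable explanation instead of the test identifier while the key name still suggests an id; if anything downstream (the UI table or log correlation) needs the machine key, emit both, e.g. `"test": test,` and `"explanation": TESTS_MAP[test][TEST_EXPLANATION_KEY],`, or at least rename the key to match its new contents. Both enclosing methods start and end outside their hunks.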
diff --git a/monkey/monkey_island/cc/ui/src/components/report-components/zerotrust/DirectivesStatusTable.js b/monkey/monkey_island/cc/ui/src/components/report-components/zerotrust/DirectivesStatusTable.js index 8b82761cc..ad1a815cb 100644 --- a/monkey/monkey_island/cc/ui/src/components/report-components/zerotrust/DirectivesStatusTable.js +++ b/monkey/monkey_island/cc/ui/src/components/report-components/zerotrust/DirectivesStatusTable.js @@ -19,6 +19,7 @@ const columns = [ } }, { Header: 'Tests', id: 'tests', + style: {'whiteSpace': 'unset'}, // This enables word wrap accessor: x => { return ; }