From 63e64cbd7e45dde60a32e8c283ca805ae01ef8c1 Mon Sep 17 00:00:00 2001
From: itay
Date: Tue, 11 Jun 2019 17:33:55 +0300
Subject: [PATCH] Add attack telemetries to feed and preprocessing dicts Fix 1197 report processing
---
 monkey/monkey_island/cc/resources/telemetry.py | 9 ++++++++-
 monkey/monkey_island/cc/resources/telemetry_feed.py | 7 ++++++-
 .../cc/services/attack/technique_reports/T1197.py | 12 ++++++------
 .../cc/services/attack/technique_reports/__init__.py | 4 ++--
 4 files changed, 22 insertions(+), 10 deletions(-)
diff --git a/monkey/monkey_island/cc/resources/telemetry.py b/monkey/monkey_island/cc/resources/telemetry.py
index 04a6ddbd1..fd21104d1 100644
--- a/monkey/monkey_island/cc/resources/telemetry.py
+++ b/monkey/monkey_island/cc/resources/telemetry.py
@@ -263,6 +263,12 @@ class Telemetry(flask_restful.Resource):
 {'guid': telemetry_json['monkey_guid']},
 {'$push': {'pba_results': telemetry_json['data']}})
+ @staticmethod
+ def process_attack_telemetry(telemetry_json):
+ # No processing required
+ pass
+
+
 TELEM_PROCESS_DICT = \
 {
 'tunnel': Telemetry.process_tunnel_telemetry,
@@ -271,5 +277,6 @@ TELEM_PROCESS_DICT = \
 'scan': Telemetry.process_scan_telemetry,
 'system_info_collection': Telemetry.process_system_info_telemetry,
 'trace': Telemetry.process_trace_telemetry,
- 'post_breach': Telemetry.process_post_breach_telemetry
+ 'post_breach': Telemetry.process_post_breach_telemetry,
+ 'attack': Telemetry.process_attack_telemetry
 }
diff --git a/monkey/monkey_island/cc/resources/telemetry_feed.py b/monkey/monkey_island/cc/resources/telemetry_feed.py
index 01fdcc51c..de5ded887 100644
--- a/monkey/monkey_island/cc/resources/telemetry_feed.py
+++ b/monkey/monkey_island/cc/resources/telemetry_feed.py
@@ -86,6 +86,10 @@ class TelemetryFeed(flask_restful.Resource):
 telem['data']['hostname'],
 telem['data']['ip'])
+ @staticmethod
+ def get_attack_telem_brief(telem):
+ return 'Monkey collected MITRE ATT&CK info.'
+
 TELEM_PROCESS_DICT = \
 {
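Review bot: `process_attack_telemetry` accepts any payload that arrives with `telem_type == 'attack'` without checking that `telemetry_json['data']` carries the keys the report side of this same commit queries (`technique`, `status`, and `machine` in the T1197 and `__init__` hunks), so a malformed or forged record from an agent is kept and then silently ignored or mis-attributed when the ATT&CK report is built. Agent telemetry originates on hosts that may be genuinely compromised during an engagement, so the island should treat it as untrusted input rather than "No processing required"; a minimal guard would be `data = telemetry_json['data']` followed by `if not {'technique', 'status'} <= set(data): flask_restful.abort(400, message='attack telemetry missing technique/status')` (using the `flask_restful` name the class already imports — confirm the dispatcher lets an abort propagate from these handlers). The comment is better expressed as a docstring saying the record needs no transformation and is only validated here, since the generic storage path is not visible in this hunk.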
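Review bot: `get_attack_telem_brief` throws away the one piece of information that distinguishes attack records from each other and emits the same fixed sentence for every one, whereas the neighbouring brief pulls `hostname` and `ip` out of `telem['data']`. Including the technique, e.g. `return 'Monkey collected MITRE ATT&CK info for technique %s.' % telem['data']['technique']`, makes the feed entry actionable; `data.technique` is the key the T1197 and `__init__` hunks of this commit filter on, so it is presumably present on every attack record, but verify against the agent payload before relying on it. A one-line docstring such as `"""Return the one-line feed text for an ATT&CK telemetry record."""` would also help, as the method has none.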
@@ -95,5 +99,6 @@ TELEM_PROCESS_DICT = \
 'scan': TelemetryFeed.get_scan_telem_brief,
 'system_info_collection': TelemetryFeed.get_systeminfo_telem_brief,
 'trace': TelemetryFeed.get_trace_telem_brief,
- 'post_breach': TelemetryFeed.get_post_breach_telem_brief
+ 'post_breach': TelemetryFeed.get_post_breach_telem_brief,
+ 'attack': TelemetryFeed.get_attack_telem_brief
 }
diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/T1197.py b/monkey/monkey_island/cc/services/attack/technique_reports/T1197.py
index 0aaab082b..dcad5bfd5 100644
--- a/monkey/monkey_island/cc/services/attack/technique_reports/T1197.py
+++ b/monkey/monkey_island/cc/services/attack/technique_reports/T1197.py
@@ -13,12 +13,12 @@ class T1197(AttackTechnique):
 @staticmethod
 def get_report_data():
 data = T1197.get_tech_base_data(T1197)
- bits_results = mongo.db.attack_results.aggregate([{'$match': {'technique': T1197.tech_id}},
- {'$group': {'_id': {'ip_addr': '$machine.ip_addr', 'usage': '$usage'},
- 'ip_addr': {'$first': '$machine.ip_addr'},
- 'domain_name': {'$first': '$machine.domain_name'},
- 'usage': {'$first': '$usage'},
- 'time': {'$first': '$time'}}
+ bits_results = mongo.db.telemetry.aggregate([{'$match': {'telem_type': 'attack', 'data.technique': T1197.tech_id}},
+ {'$group': {'_id': {'ip_addr': '$data.machine.ip_addr', 'usage': '$data.usage'},
+ 'ip_addr': {'$first': '$data.machine.ip_addr'},
+ 'domain_name': {'$first': '$data.machine.domain_name'},
+ 'usage': {'$first': '$data.usage'},
+ 'time': {'$first': '$timestamp'}}
 }])
 bits_results = list(bits_results)
 data.update({'bits_jobs': bits_results})
diff --git a/monkey/monkey_island/cc/services/attack/technique_reports/__init__.py b/monkey/monkey_island/cc/services/attack/technique_reports/__init__.py
index 0346a1857..d194fc221 100644
--- a/monkey/monkey_island/cc/services/attack/technique_reports/__init__.py
+++ b/monkey/monkey_island/cc/services/attack/technique_reports/__init__.py
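Review bot: The rewritten `$group` stage still takes `'time'` (and `domain_name`) with `$first` straight from the `$match` output with no `$sort` in between, so the timestamp reported for each `(ip_addr, usage)` pair is whichever matching document the server happened to read first, not the earliest observation, and it can change between runs as the telemetry collection grows. Inserting `{'$sort': {'timestamp': 1}}` between the `$match` and `$group` stages pins it to the first report of that BITS usage and makes the report deterministic. Since the query now runs against the shared `telemetry` collection rather than a dedicated one, an index on `telem_type` and `data.technique` is presumably needed for this to stay cheap — not visible here. `get_report_data` starts in this hunk but its return statement lies below it.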
@@ -53,9 +53,9 @@ class AttackTechnique(object):
 :param technique: technique's id.
 :return: ScanStatus Enum object
 """
- if mongo.db.attack_results.find_one({'status': ScanStatus.USED.value, 'technique': technique}):
+ if mongo.db.telemetry.find_one({'telem_type': 'attack', 'data.status': ScanStatus.USED.value, 'data.technique': technique}):
 return ScanStatus.USED
- elif mongo.db.attack_results.find_one({'status': ScanStatus.SCANNED.value, 'technique': technique}):
+ elif mongo.db.telemetry.find_one({'telem_type': 'attack', 'data.status': ScanStatus.SCANNED.value, 'data.technique': technique}):
 return ScanStatus.SCANNED
 else:
 return ScanStatus.UNSCANNED
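Review bot: Both `find_one` calls now filter the shared `telemetry` collection on three nested keys (`telem_type`, `data.status`, `data.technique`), which is a full collection scan per call unless an index covering them exists — none is visible in this commit — and the pair runs once per technique every time the ATT&CK report is rendered, against a collection that receives every agent's telemetry rather than only attack results. If the island has a place where it creates indexes, add one on `(telem_type, data.technique, data.status)` there; otherwise the two queries can at least be collapsed into one `find` with `'data.status': {'$in': [ScanStatus.USED.value, ScanStatus.SCANNED.value]}` projected on `data.status`, returning `USED` if any document carries it. The docstring's `:return:` line could also state the precedence the code encodes, e.g. `:return: ScanStatus.USED if any attack telemetry marks the technique used, else SCANNED if any marks it scanned, else UNSCANNED`. The enclosing method's signature and the start of its docstring are above this hunk.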