diff --git a/monkey/common/data/zero_trust_consts.py b/monkey/common/data/zero_trust_consts.py index 5e3791d40..a92e386fe 100644 --- a/monkey/common/data/zero_trust_consts.py +++ b/monkey/common/data/zero_trust_consts.py @@ -27,11 +27,11 @@ TEST_DATA_ENDPOINT_HTTP = u"unencrypted_data_endpoint_http" TEST_MACHINE_EXPLOITED = u"machine_exploited" TEST_ENDPOINT_SECURITY_EXISTS = u"endpoint_security_exists" TEST_SCHEDULED_EXECUTION = u"scheduled_execution" -TEST_ACTIVITY_TIMELINE = u"malicious_activity_timeline" +TEST_MALICIOUS_ACTIVITY_TIMELINE = u"malicious_activity_timeline" TEST_SEGMENTATION = u"segmentation" TESTS = ( TEST_SEGMENTATION, - TEST_ACTIVITY_TIMELINE, + TEST_MALICIOUS_ACTIVITY_TIMELINE, TEST_SCHEDULED_EXECUTION, TEST_ENDPOINT_SECURITY_EXISTS, TEST_MACHINE_EXPLOITED, @@ -68,7 +68,7 @@ TESTS_MAP = { PILLARS_KEY: [NETWORKS], POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_POSITIVE, STATUS_CONCLUSIVE] }, - TEST_ACTIVITY_TIMELINE: { + TEST_MALICIOUS_ACTIVITY_TIMELINE: { TEST_EXPLANATION_KEY: u"The Monkeys in the network performed malicious-looking actions, like scanning and attempting exploitation.", FINDING_EXPLANATION_BY_STATUS_KEY: { STATUS_INCONCLUSIVE: "Monkey performed malicious actions in the network. Check SOC logs and alerts." diff --git a/monkey/monkey_island/cc/models/zero_trust/event.py b/monkey/monkey_island/cc/models/zero_trust/event.py index 01c7f2f47..6ad728d66 100644 --- a/monkey/monkey_island/cc/models/zero_trust/event.py +++ b/monkey/monkey_island/cc/models/zero_trust/event.py @@ -23,9 +23,9 @@ class Event(EmbeddedDocument): # LOGIC @staticmethod - def create_event(title, message, event_type): + def create_event(title, message, event_type, timestamp=datetime.now()): event = Event( - timestamp=datetime.now(), + timestamp=timestamp, title=title, message=message, event_type=event_type 
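Review bot: The new default `timestamp=datetime.now()` is evaluated once, when the class body is executed, so every caller that omits the argument — including every existing caller of `create_event` — gets the import time of the module stamped on its event instead of the current time. Use a sentinel and resolve it in the body: `def create_event(title, message, event_type, timestamp=None):` and `timestamp=timestamp if timestamp is not None else datetime.now(),`. Callers can now also pass an arbitrary value as the timestamp; if `Event.timestamp` is a mongoengine date field, a non-datetime value would presumably be rejected at validation rather than at the call site, which is worth confirming. The body of `create_event` continues past the end of the hunk.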
diff --git a/monkey/monkey_island/cc/services/reporting/test_zero_trust_service.py b/monkey/monkey_island/cc/services/reporting/test_zero_trust_service.py index d3fe01db9..30a1a08fe 100644 --- a/monkey/monkey_island/cc/services/reporting/test_zero_trust_service.py +++ b/monkey/monkey_island/cc/services/reporting/test_zero_trust_service.py @@ -165,7 +165,7 @@ class TestZeroTrustService(IslandTestCase): "tests": [ { "status": STATUS_UNEXECUTED, - "test": TESTS_MAP[TEST_ACTIVITY_TIMELINE][TEST_EXPLANATION_KEY] + "test": TESTS_MAP[TEST_MALICIOUS_ACTIVITY_TIMELINE][TEST_EXPLANATION_KEY] } ] } @@ -189,7 +189,7 @@ class TestZeroTrustService(IslandTestCase): "tests": [ { "status": STATUS_UNEXECUTED, - "test": TESTS_MAP[TEST_ACTIVITY_TIMELINE][TEST_EXPLANATION_KEY] + "test": TESTS_MAP[TEST_MALICIOUS_ACTIVITY_TIMELINE][TEST_EXPLANATION_KEY] } ] } diff --git a/monkey/monkey_island/cc/services/telemetry/processing/scan.py b/monkey/monkey_island/cc/services/telemetry/processing/scan.py index 4e34b9a19..3b532ff22 100644 --- a/monkey/monkey_island/cc/services/telemetry/processing/scan.py +++ b/monkey/monkey_island/cc/services/telemetry/processing/scan.py @@ -2,9 +2,15 @@ import copy from monkey_island.cc.database import mongo from monkey_island.cc.services.telemetry.processing.utils import get_edge_by_scan_or_exploit_telemetry +from monkey_island.cc.services.telemetry.zero_trust_tests.data_endpoints import test_open_data_endpoints def process_scan_telemetry(telemetry_json): + update_edges_and_nodes_based_on_scan_telemetry(telemetry_json) + test_open_data_endpoints(telemetry_json) + + +def update_edges_and_nodes_based_on_scan_telemetry(telemetry_json): edge = get_edge_by_scan_or_exploit_telemetry(telemetry_json) data = copy.deepcopy(telemetry_json['data']['machine']) ip_address = data.pop("ip_addr") 
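Review bot: `process_scan_telemetry` now chains two public steps and the new helper `update_edges_and_nodes_based_on_scan_telemetry` carries no docstring, so neither function says what it persists; a one-liner on each would do, e.g. `"""Record the scan on the edge for this telemetry and update the target node."""` on the helper and `"""Persist scan telemetry, then run the zero-trust data-endpoint test on it."""` on the entry point. The two steps run sequentially with no error handling visible here, so an exception from `test_open_data_endpoints` presumably leaves the edge update written but the finding unsaved; if telemetry processing is meant to be all-or-nothing, that deserves a comment or handling at the caller. The helper's body continues past the end of the hunk.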
@@ -19,7 +25,6 @@ def process_scan_telemetry(telemetry_json): {"$push": {"scans": new_scan}, "$set": {"ip_address": ip_address, 'domain_name': domain_name}} ) - node = mongo.db.node.find_one({"_id": edge["to"]}) if node is not None: scan_os = new_scan["data"]["os"] diff --git a/monkey/monkey_island/cc/services/telemetry/zero_trust_tests/data_endpoints.py b/monkey/monkey_island/cc/services/telemetry/zero_trust_tests/data_endpoints.py new file mode 100644 index 000000000..119871420 --- /dev/null +++ b/monkey/monkey_island/cc/services/telemetry/zero_trust_tests/data_endpoints.py 
@@ -0,0 +1,55 @@
+import json
+
+from common.data.zero_trust_consts import *
+from monkey_island.cc.models import Monkey
+from monkey_island.cc.models.zero_trust.event import Event
+from monkey_island.cc.models.zero_trust.finding import Finding
+
+HTTP_SERVERS_SERVICES_NAMES = ['tcp-80']
+
+
+def test_open_data_endpoints(telemetry_json):
+ services = telemetry_json["data"]["machine"]["services"]
+ current_monkey = Monkey.get_single_monkey_by_guid(telemetry_json['monkey_guid'])
+ found_http_server_status = STATUS_POSITIVE
+
+ events = [
+ Event.create_event(
+ title="Scan Telemetry",
+ message="Monkey on {} tried to perform a network scan, the target was {}.".format(
+ current_monkey.hostname,
+ telemetry_json["data"]["machine"]["ip_addr"]),
+ event_type=EVENT_TYPE_MONKEY_NETWORK,
+ timestamp=telemetry_json["timestamp"]
+ )
+ ]
+
+ for service_name, service_data in services.items():
+ events.append(Event.create_event(
+ title="Scan telemetry analysis",
+ message="Scanned service: {}.".format(service_name),
+ event_type=EVENT_TYPE_ISLAND
+ ))
+ if service_name in HTTP_SERVERS_SERVICES_NAMES:
+ found_http_server_status = STATUS_CONCLUSIVE
+ events.append(Event.create_event(
+ title="Scan telemetry analysis",
+ message="Service {} on {} recognized as an open data endpoint! Service details: {}".format(
+ service_data["display_name"],
+ telemetry_json["data"]["machine"]["ip_addr"],
+ json.dumps(service_data)
+ ),
+ event_type=EVENT_TYPE_ISLAND
+ ))
+
+ Finding.save_finding(
+ test=TEST_DATA_ENDPOINT_HTTP,
+ status=found_http_server_status,
+ events=events
+ )
+
+ Finding.save_finding(
+ test=TEST_MALICIOUS_ACTIVITY_TIMELINE,
+ status=STATUS_INCONCLUSIVE,
+ events=events
+ )
diff --git a/monkey/monkey_island/cc/ui/src/components/report-components/zerotrust/EventsTimeline.js b/monkey/monkey_island/cc/ui/src/components/report-components/zerotrust/EventsTimeline.js
index 8ba994c65..9f9e1f899 100644
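Review bot: An open data endpoint is recognised solely by the service key `'tcp-80'` in `HTTP_SERVERS_SERVICES_NAMES`, so the finding's status is decided by the port name the scanner happened to emit: HTTP on any other port yields `STATUS_POSITIVE` (nothing found), while anything listening on 80 is reported `STATUS_CONCLUSIVE` whether or not it speaks HTTP. If `service_data` carries a service type (the code already reads `service_data["display_name"]`), keying on that would make the verdict more honest; at minimum the constant should state the limitation, e.g. `# Only services keyed 'tcp-80' are classified as HTTP data endpoints; other ports and TLS are not detected.`. `service_data["display_name"]` and `telemetry_json["timestamp"]` are indexed without a default, so a telemetry record lacking either key aborts the whole scan processing — `service_data.get("display_name", service_name)` keeps the event readable in that case. The `from common.data.zero_trust_consts import *` hides which `STATUS_*`, `EVENT_TYPE_*` and `TEST_*` names this module depends on; an explicit import list would make that visible.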
--- a/monkey/monkey_island/cc/ui/src/components/report-components/zerotrust/EventsTimeline.js
+++ b/monkey/monkey_island/cc/ui/src/components/report-components/zerotrust/EventsTimeline.js
@@ -15,10 +15,10 @@ export default class EventsTimeline extends Component {
{ - this.props.events.map(event => { + this.props.events.map((event, index) => { const event_time = new Date(event.timestamp['$date']).toString(); return (}> diff --git a/monkey/monkey_island/cc/ui/src/components/report-components/zerotrust/PillarOverview.js b/monkey/monkey_island/cc/ui/src/components/report-components/zerotrust/PillarOverview.js index 660e6ad5a..e2b16c91b 100644 --- a/monkey/monkey_island/cc/ui/src/components/report-components/zerotrust/PillarOverview.js +++ b/monkey/monkey_island/cc/ui/src/components/report-components/zerotrust/PillarOverview.js @@ -21,7 +21,7 @@ const columns = [ class PillarOverview extends Component { render() { const data = this.props.grades.map((grade) => { - const newGrade = grade; + const newGrade = JSON.parse(JSON.stringify(grade)); newGrade.pillar = {name: grade.pillar, status: this.props.pillarsToStatuses[grade.pillar]}; return newGrade; });
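Review bot: The map callback now receives `index`, presumably to serve as the React `key` of the element rendered per event; the JSX of the `return` statement is not preserved in this rendering of the hunk, so that cannot be confirmed here. An array index is a fragile key if the events list is ever re-sorted or prepended to, since React would then reuse element state across different events; a key derived from the event itself, e.g. `event.timestamp['$date']` combined with `event.title`, is preferable when events are distinct. The `render` method continues outside the hunk.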
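Review bot: `JSON.parse(JSON.stringify(grade))` replaces the alias `const newGrade = grade`, which mutated `this.props.grades` on every render; the JSON round-trip is a heavier clone than needed and silently drops `undefined`, `Date` and function values. Only the `pillar` property is reassigned on the copy, so a shallow copy is sufficient: `const newGrade = Object.assign({}, grade);`. The `render` method continues outside the hunk.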