From a6f661b2ee62ca6352045186440ee2242f3ba04c Mon Sep 17 00:00:00 2001
From: csavelief <csavelief@mncc.fr>
Date: Fri, 25 Oct 2024 17:43:56 +0200
Subject: [PATCH] Backport suspicious activity.

---
 app/Models/YnhOsquery.php                     |   4 +-
 app/View/Components/BigNumber.php             |   3 +
 app/View/Components/SuspiciousActivity.php    |  37 +++++
 resources/lang/fr.json                        |  11 ++
 resources/views/components/overview.blade.php |  33 ++--
 .../components/suspicious-activity.blade.php  | 154 ++++++++++++++++++
 6 files changed, 226 insertions(+), 16 deletions(-)
 create mode 100644 app/View/Components/SuspiciousActivity.php
 create mode 100644 resources/views/components/suspicious-activity.blade.php

diff --git a/app/Models/YnhOsquery.php b/app/Models/YnhOsquery.php
index b5d8585..42dded1 100644
--- a/app/Models/YnhOsquery.php
+++ b/app/Models/YnhOsquery.php
@@ -462,7 +462,7 @@ public static function suspiciousEvents(Collection $servers, Carbon $cutOffTime)
                         (Str::startsWith($event->columns['path'], '/run/docker/') && $event->columns['type'] === 'nsfs');
 
                     if (!$isDockerMountEvent) { // drop Docker-generated 'mounts' events
-                        if ($event->action === 'added') {
+                        /* if ($event->action === 'added') {
                             return [
                                 'id' => $event->id,
                                 'timestamp' => $event->calendar_time->format('Y-m-d H:i:s'),
@@ -478,7 +478,7 @@ public static function suspiciousEvents(Collection $servers, Carbon $cutOffTime)
                                 'ip' => $event->server->ip(),
                                 'message' => "Le répertoire {$event->columns['path']} ne pointe maintenant plus vers un système de fichiers de type {$event->columns['type']}.",
                             ];
-                        }
+                        } */
                     }
                 } elseif ($event->name === 'shell_check' || $event->name === 'sudoers_shell' || $event->name === 'sudoers_sha1') {
                     return [
diff --git a/app/View/Components/BigNumber.php b/app/View/Components/BigNumber.php
index c079fb4..d2b5806 100644
--- a/app/View/Components/BigNumber.php
+++ b/app/View/Components/BigNumber.php
@@ -36,6 +36,9 @@ private function icon(string $icon): string
         if ($icon === 'dns') {
             return '<svg  xmlns="http://www.w3.org/2000/svg"  width="24"  height="24"  viewBox="0 0 24 24"  fill="none"  stroke="currentColor"  stroke-width="1"  stroke-linecap="round"  stroke-linejoin="round"><path stroke="none" d="M0 0h24v24H0z" fill="none"/><path d="M19.5 7a9 9 0 0 0 -7.5 -4a8.991 8.991 0 0 0 -7.484 4" /><path d="M11.5 3a16.989 16.989 0 0 0 -1.826 4" /><path d="M12.5 3a16.989 16.989 0 0 1 1.828 4" /><path d="M19.5 17a9 9 0 0 1 -7.5 4a8.991 8.991 0 0 1 -7.484 -4" /><path d="M11.5 21a16.989 16.989 0 0 1 -1.826 -4" /><path d="M12.5 21a16.989 16.989 0 0 0 1.828 -4" /><path d="M2 10l1 4l1.5 -4l1.5 4l1 -4" /><path d="M17 10l1 4l1.5 -4l1.5 4l1 -4" /><path d="M9.5 10l1 4l1.5 -4l1.5 4l1 -4" /></svg>';
         }
+        if ($icon === 'world') {
+            return '<svg  xmlns="http://www.w3.org/2000/svg"  width="24"  height="24"  viewBox="0 0 24 24"  fill="none"  stroke="currentColor"  stroke-width="1"  stroke-linecap="round"  stroke-linejoin="round"><path stroke="none" d="M0 0h24v24H0z" fill="none"/><path d="M3 12a9 9 0 1 0 18 0a9 9 0 0 0 -18 0" /><path d="M3.6 9h16.8" /><path d="M3.6 15h16.8" /><path d="M11.5 3a17 17 0 0 0 0 18" /><path d="M12.5 3a17 17 0 0 1 0 18" /></svg>';
+        }
         if ($icon === 'server') {
             return '<svg  xmlns="http://www.w3.org/2000/svg"  width="24"  height="24"  viewBox="0 0 24 24"  fill="none"  stroke="currentColor"  stroke-width="1"  stroke-linecap="round"  stroke-linejoin="round"><path stroke="none" d="M0 0h24v24H0z" fill="none"/><path d="M3 4m0 3a3 3 0 0 1 3 -3h12a3 3 0 0 1 3 3v2a3 3 0 0 1 -3 3h-12a3 3 0 0 1 -3 -3z" /><path d="M3 12m0 3a3 3 0 0 1 3 -3h12a3 3 0 0 1 3 3v2a3 3 0 0 1 -3 3h-12a3 3 0 0 1 -3 -3z" /><path d="M7 8l0 .01" /><path d="M7 16l0 .01" /></svg>';
         }
diff --git a/app/View/Components/SuspiciousActivity.php b/app/View/Components/SuspiciousActivity.php
new file mode 100644
index 0000000..dbdb017
--- /dev/null
+++ b/app/View/Components/SuspiciousActivity.php
@@ -0,0 +1,37 @@
+<?php
+
+namespace App\View\Components;
+
+use App\Models\YnhOsquery;
+use App\Models\YnhServer;
+use App\Modules\AdversaryMeter\Models\Asset;
+use App\User;
+use Carbon\Carbon;
+use Closure;
+use Illuminate\Contracts\View\View;
+use Illuminate\Support\Collection;
+use Illuminate\Support\Facades\Auth;
+use Illuminate\View\Component;
+
+class SuspiciousActivity extends Component
+{
+    public Collection $events;
+    public Collection $metrics;
+    public Collection $assetsDiscovered;
+
+    public function __construct()
+    {
+        /** @var User $user */
+        $user = Auth::user();
+        $servers = YnhServer::forUser($user);
+        $cutOffTime = Carbon::now()->subDay();
+        $this->events = YnhOsquery::suspiciousEvents($servers, $cutOffTime);
+        $this->metrics = YnhOsquery::suspiciousMetrics($servers, $cutOffTime);
+        $this->assetsDiscovered = Asset::where('created_at', '>=', $cutOffTime)->orderBy('asset')->get();
+    }
+
+    public function render(): View|Closure|string
+    {
+        return view('components.suspicious-activity');
+    }
+}
diff --git a/resources/lang/fr.json b/resources/lang/fr.json
index 6c446da..4c2a52a 100644
--- a/resources/lang/fr.json
+++ b/resources/lang/fr.json
@@ -23,7 +23,10 @@
     "Apply": "Appliquer",
     "Are you sure you want to delete this chunk?": "Êtes-vous sûr de vouloir supprimer ce chunk?",
     "Are you sure you want to delete this prompt?": "Êtes-vous sûr de vouloir supprimer ce prompt?",
+    "Asset": "Actif",
+    "Asset Type": "Type d'actif",
     "Assets": "Actifs",
+    "Assets Discovered During The Last 24 Hours": "Actifs découverts durant les dernières 24 heures",
     "Attackers": "Attaquants",
     "Authorized Keys (last :count events)": "Authorized Keys (:count derniers évènements)",
     "Backups": "Sauvegardes",
@@ -52,6 +55,8 @@
     "Delete": "Supprimer",
     "Deploy": "Déployer",
     "Desktop": "Bureau",
+    "Discovered Assets": "Actifs découverts",
+    "Discovery Date": "Date de découverte",
     "DNS Monitored": "DNS surveillés",
     "Domain": "Domaine",
     "Domains": "Domaines",
@@ -84,6 +89,8 @@
     "If you did not request a password reset, no further action is required.": "Si vous n'avez pas demandé de réinitialisation de mot de passe, vous pouvez ignorer ce message.",
     "If you're having trouble clicking the \":actionText\" button, copy and paste the URL below\ninto your web browser:": "Si vous avez des difficultés à cliquer sur le bouton \":actionText\", copiez et collez l'URL ci-dessous\ndans votre navigateur Web :",
     "Import your documents !": "Importez vos documents !",
+    "Important Metrics": "Métriques importantes",
+    "Important Metrics From The Last 24 Hours": "Métriques importantes des dernières 24h",
     "Imported At": "Importé le",
     "Imported By": "Importé par",
     "Integration Status": "Statut de l'intégration",
@@ -151,11 +158,13 @@
     "Reset Password Notification": "Notification de réinitialisation du mot de passe",
     "Resources Usage": "Utilisation des ressources",
     "results": "résultats",
+    "Scan Status": "Statut du scan",
     "Security": "Sécurité",
     "Security Rules": "Règles de sécurité",
     "Select or create collection...": "Sélectionnez ou créez une collection...",
     "Send Password Reset Link": "Envoyer le lien de réinitialisation du mot de passe",
     "Sentinel protects your internal perimeter": "Sentinel protège votre périmètre interne",
+    "Server": "Serveur",
     "Server Error": "Erreur serveur",
     "Server Settings": "Paramètres serveurs",
     "Servers": "Serveurs",
@@ -176,6 +185,8 @@
     "Subscriptions": "Souscriptions",
     "SUID Binaries (last :count events)": "Binaires SUID (:count derniers évènements)",
     "Summary": "Récapitulatif",
+    "Suspicious Activity From The Last 24 Hours": "Activité suspect des dernières 24h",
+    "Suspicious Events": "Évènements suspects",
     "System logins and logouts.": "Connexions et déconnexions système.",
     "Tax no.": "Numéro de TVA",
     "Terms": "Mentions Légales",
diff --git a/resources/views/components/overview.blade.php b/resources/views/components/overview.blade.php
index 6cee204..c572959 100644
--- a/resources/views/components/overview.blade.php
+++ b/resources/views/components/overview.blade.php
@@ -25,7 +25,7 @@
     <div class="col-6">
       <div class="row">
         <div class="col col-6 pr-0">
-            <?php $ip_monitored = $overview['ip_monitored'] ? $overview['ip_monitored'] : 0 ?>
+            <?php $ip_monitored = $overview['ip_monitored'] ?: 0 ?>
           <x-big-number
             :number="$ip_monitored"
             :title="__('IP Monitored')"
@@ -33,7 +33,7 @@
             color="var(--ds-background-brand-bold)"/>
         </div>
         <div class="col pr-0 pl-2">
-            <?php $dns_monitored = $overview['dns_monitored'] ? $overview['dns_monitored'] : 0 ?>
+            <?php $dns_monitored = $overview['dns_monitored'] ?: 0 ?>
           <x-big-number
             :number="$dns_monitored"
             :title="__('DNS Monitored')"
@@ -43,7 +43,7 @@
       </div>
     </div>
     <div class="col pl-2">
-        <?php $servers_monitored = $overview['servers_monitored'] ? $overview['servers_monitored'] : 0 ?>
+        <?php $servers_monitored = $overview['servers_monitored'] ?: 0 ?>
       <x-big-number
         :number="$servers_monitored"
         :title="__('Agents Deployed')"
@@ -55,7 +55,7 @@
     <div class="col-6 pr-0">
       <div class="row">
         <div class="col col-4 pr-0">
-            <?php $vulns_high = $overview['vulns_high'] ? $overview['vulns_high'] : 0 ?>
+            <?php $vulns_high = $overview['vulns_high'] ?: 0 ?>
           <x-big-number
             :number="$vulns_high"
             :title="__('High')"
@@ -63,7 +63,7 @@
             color="#dc3545"/>
         </div>
         <div class="col col-4 pl-2 pr-0">
-            <?php $vulns_medium = $overview['vulns_medium'] ? $overview['vulns_medium'] : 0 ?>
+            <?php $vulns_medium = $overview['vulns_medium'] ?: 0 ?>
           <x-big-number
             :number="$vulns_medium"
             :title="__('Medium')"
@@ -71,7 +71,7 @@
             color="#fd7e14"/>
         </div>
         <div class="col pl-2">
-            <?php $vulns_low = $overview['vulns_low'] ? $overview['vulns_low'] : 0 ?>
+            <?php $vulns_low = $overview['vulns_low'] ?: 0 ?>
           <x-big-number
             :number="$vulns_low"
             :title="__('Low')"
@@ -83,24 +83,29 @@
     <div class="col pl-2">
       <div class="row">
         <div class="col col-6 pr-0">
-            <?php $metrics_collected = $overview['metrics_collected'] ? $overview['metrics_collected'] : 0 ?>
+            <?php $events_collected = $overview['events_collected'] ?: 0 ?>
           <x-big-number
-            :number="$metrics_collected"
-            :title="__('Metrics Collected')"
-            icon="metric"
+            :number="$events_collected"
+            :title="__('Events Collected')"
+            icon="event"
             color="var(--ds-background-brand-bold)"/>
         </div>
         <div class="col pl-2">
-            <?php $events_collected = $overview['events_collected'] ? $overview['events_collected'] : 0 ?>
+            <?php $metrics_collected = $overview['metrics_collected'] ?: 0 ?>
           <x-big-number
-            :number="$events_collected"
-            :title="__('Events Collected')"
-            icon="event"
+            :number="$metrics_collected"
+            :title="__('Metrics Collected')"
+            icon="metric"
             color="var(--ds-background-brand-bold)"/>
         </div>
       </div>
     </div>
   </div>
+  @if(App\Modules\AdversaryMeter\Models\Asset::exists() > 0 || App\Models\YnhServer::exists() > 0)
+  <div class="row mt-2">
+    <x-suspicious-activity/>
+  </div>
+  @endif
   <div class="row mt-2">
     @if(Auth::user()->canUseAdversaryMeter())
     <div class="col col-6 pr-0">
diff --git a/resources/views/components/suspicious-activity.blade.php b/resources/views/components/suspicious-activity.blade.php
new file mode 100644
index 0000000..78597fc
--- /dev/null
+++ b/resources/views/components/suspicious-activity.blade.php
@@ -0,0 +1,154 @@
+<div class="container">
+  <div class="row">
+    <div class="col-4 pr-0">
+      <x-big-number
+        :number="$assetsDiscovered->count()"
+        :title="__('Discovered Assets') . ' / 24h'"
+        icon="world"
+        color="var(--ds-background-brand-bold)"/>
+    </div>
+    <div class="col-4 pl-2 pr-0">
+      <x-big-number
+        :number="$events->count()"
+        :title="__('Suspicious Events') . ' / 24h'"
+        icon="event"
+        color="var(--ds-background-brand-bold)"/>
+    </div>
+    <div class="col-4 pl-2">
+      <x-big-number
+        :number="$metrics->count()"
+        :title="__('Important Metrics') . ' / 24h'"
+        icon="metric"
+        color="var(--ds-background-brand-bold)"/>
+    </div>
+  </div>
+  <div class="card mt-2">
+    <div class="card-body">
+      <h6 class="card-title">{{ __('Assets Discovered During The Last 24 Hours') }}</h6>
+      @if($assetsDiscovered->isEmpty())
+      <div class="row">
+        <div class="col">
+          {{ __('None.') }}
+        </div>
+      </div>
+      @else
+      <table class="table table-hover no-bottom-margin">
+        <thead>
+        <tr>
+          <th style="width:165px">{{ __('Discovery Date') }}</th>
+          <th style="width:100px">{{ __('Asset Type') }}</th>
+          <th>{{ __('Asset') }}</th>
+          <th class="text-end">{{ __('Scan Status') }}</th>
+        </tr>
+        </thead>
+        <tbody>
+        @foreach($assetsDiscovered as $asset)
+        <tr>
+          <td>
+            {{ $asset->created_at->format('Y-m-d H:i') }}
+          </td>
+          <td>
+            <span class="lozenge new">
+              {{ $asset->type }}
+            </span>
+          </td>
+          <td>
+            {{ $asset->asset }}
+          </td>
+          <td class="text-end">
+            @if($asset->scanInProgress()->isEmpty())
+            <span class="lozenge success">
+              scan terminé
+            </span>
+            @else
+            <span class="lozenge error">
+              scan en cours
+            </span>
+            @endif
+          </td>
+        </tr>
+        @endforeach
+        </tbody>
+      </table>
+      @endif
+    </div>
+  </div>
+  <div class="card mt-2">
+    <div class="card-body">
+      <h6 class="card-title">{{ __('Suspicious Activity From The Last 24 Hours') }}</h6>
+      @if($events->isEmpty())
+      <div class="row">
+        <div class="col">
+          {{ __('None.') }}
+        </div>
+      </div>
+      @else
+      <table class="table table-hover no-bottom-margin">
+        <thead>
+        <tr>
+          <th style="width:165px">{{ __('Date') }}</th>
+          <th>{{ __('Server') }}</th>
+          <th style="width:75px">{{ __('IP') }}</th>
+          <th>{{ __('Message') }}</th>
+          <th class="text-end" style="width:100px">{{ __('Event Id') }}</th>
+        </tr>
+        </thead>
+        <tbody>
+        @foreach($events as $event)
+        <tr>
+          <td>{{ $event['timestamp'] }}</td>
+          <td>{{ $event['server'] }}</td>
+          <td>{{ $event['ip'] }}</td>
+          <td class="text-muted">{{ $event['message'] }}</td>
+          <td class="text-end">
+            <span class="lozenge new">
+              {{ Illuminate\Support\Number::format($event['id'], locale:'sv') }}
+            </span>
+          </td>
+        </tr>
+        @endforeach
+        </tbody>
+      </table>
+      @endif
+    </div>
+  </div>
+  <div class="card mt-2">
+    <div class="card-body">
+      <h6 class="card-title">{{ __('Important Metrics From The Last 24 Hours') }}</h6>
+      @if($metrics->isEmpty())
+      <div class="row">
+        <div class="col">
+          {{ __('None.') }}
+        </div>
+      </div>
+      @else
+      <table class="table table-hover no-bottom-margin">
+        <thead>
+        <tr>
+          <th style="width:165px">{{ __('Date') }}</th>
+          <th>{{ __('Server') }}</th>
+          <th style="width:75px">{{ __('IP') }}</th>
+          <th>{{ __('Message') }}</th>
+          <th class="text-end" style="width:100px">{{ __('Metric Id') }}</th>
+        </tr>
+        </thead>
+        <tbody>
+        @foreach($metrics as $metric)
+        <tr>
+          <td>{{ $metric['timestamp'] }}</td>
+          <td>{{ $metric['server'] }}</td>
+          <td>{{ $metric['ip'] }}</td>
+          <td class="text-muted">{{ $metric['message'] }}</td>
+          <td class="text-end">
+            <span class="lozenge new">
+            {{ Illuminate\Support\Number::format($metric['id'], locale:'sv') }}
+            </span>
+          </td>
+        </tr>
+        @endforeach
+        </tbody>
+      </table>
+      @endif
+    </div>
+  </div>
+</div>