admin / SAynapse-Horizon
publicSelf Hosted Cyber Threat Intelligence Hub
SAynapse-Horizon / Synapse-Horizon-v2 / backend / src / sources / demo.js
3507 B · main
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 | import { makeIoc, SEVERITY } from '../normalize.js' // Synthetic fallback so the dashboard is usable before any live keys are added. // Enabled only when HORIZON_DEMO=1. Each demo record still flows through the same // normalization contract as live data. const pick = (a) => a[Math.floor(Math.random() * a.length)] const rand = (min, max) => Math.floor(Math.random() * (max - min + 1)) + min const ip = () => `${rand(1, 254)}.${rand(0, 254)}.${rand(0, 254)}.${rand(1, 254)}` const MALWARE = ['Cobalt Strike', 'IcedID', 'QakBot', 'Pikabot', 'RedLine Stealer', 'Latrodectus', 'DarkGate'] const RANSOMWARE = ['LockBit', 'BlackCat/ALPHV', 'Akira', 'Rhysida', 'Medusa'] const PRODUCTS = [ ['Ivanti Connect Secure', 'CVE-2024-21887'], ['Citrix NetScaler ADC', 'CVE-2023-4966'], ['Palo Alto PAN-OS', 'CVE-2024-3400'], ['Cisco IOS XE', 'CVE-2023-20198'], ] const ACTORS = ['APT29 (Cozy Bear)', 'Volt Typhoon', 'Scattered Spider', 'FIN7', 'Lazarus Group'] const builders = { threatfox() { const m = pick([...MALWARE, ...RANSOMWARE]) const ransom = RANSOMWARE.includes(m) const node = `${ip()}:${pick([443, 8080, 50050, 4444])}` return makeIoc('threatfox', { detectedAt: new Date(Date.now() - rand(0, 6e6)).toISOString(), severity: ransom ? SEVERITY.CRITICAL : SEVERITY.HIGH, category: 'Malware Infrastructure', indicator: node, indicatorType: 'ip:port', target: m, confidence: rand(80, 99), mitre: [{ id: 'T1583.004', name: 'Acquire Infrastructure: Server' }], headline: `Malware Infrastructure: Active ${m} C2 node identified on ${node} by ThreatFox`, raw: { ioc: node, malware: m, threat_type: 'botnet_cc', demo: true }, stix: { type: 'indicator', pattern: `[x-ioc:value = '${node}']`, pattern_type: 'stix', labels: ['command-and-control'] }, }) }, cisakev() { const [p, cve] = pick(PRODUCTS) return makeIoc('cisakev', { detectedAt: new Date(Date.now() - rand(0, 8e6)).toISOString(), severity: SEVERITY.CRITICAL, category: 'Active Exploitation', indicator: cve, indicatorType: 'cve', target: `${cve} · ${p}`, confidence: 100, mitre: [{ id: 'T1190', name: 'Exploit Public-Facing Application' }], headline: `Active Exploitation: ${cve} in ${p} added to CISA Known Exploited Vulnerabilities catalog`, raw: { cveID: cve, product: p, demo: true }, stix: { type: 'vulnerability', name: cve, labels: ['exploited-in-the-wild'] }, }) }, otx() { const a = pick(ACTORS) const node = ip() return makeIoc('otx', { detectedAt: new Date(Date.now() - rand(0, 7e6)).toISOString(), severity: SEVERITY.HIGH, category: 'Threat Pulse', indicator: node, indicatorType: 'IPv4', target: a, confidence: rand(65, 90), mitre: [{ id: 'T1071.001', name: 'Application Layer Protocol: Web Protocols' }], headline: `Threat Pulse: Host ${node} attributed to ${a} in an AlienVault OTX pulse`, raw: { adversary: a, indicator: node, demo: true }, stix: { type: 'indicator', pattern: `[ipv4-addr:value = '${node}']`, pattern_type: 'stix', labels: ['malicious-activity'] }, }) }, } /** Produce a demo batch for a single source key (falls back to threatfox shape). */ export function demoBatch(key, count = 4) { const build = builders[key] || builders.threatfox return Array.from({ length: count }, () => { const ioc = build() return { ...ioc, source: key, headline: ioc.headline.replace(/ThreatFox|CISA|AlienVault OTX/, key) } }) } |