Catalyst / admin/SAynapse-Horizon 14.8 GB / 57.8 GB 40.0 GB free
Help Sign in

admin / SAynapse-Horizon

public

Self Hosted Cyber Threat Intelligence Hub

Code Issues Pull requests Pipelines Packages Security Insights Wiki Settings
SAynapse-Horizon / Synapse-Horizon / backend / src / sources / demo.js 3507 B · main
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
import { makeIoc, SEVERITY } from '../normalize.js'

// Synthetic fallback so the dashboard is usable before any live keys are added.
// Enabled only when HORIZON_DEMO=1. Each demo record still flows through the same
// normalization contract as live data.
const pick = (a) => a[Math.floor(Math.random() * a.length)]
const rand = (min, max) => Math.floor(Math.random() * (max - min + 1)) + min
const ip = () => `${rand(1, 254)}.${rand(0, 254)}.${rand(0, 254)}.${rand(1, 254)}`

const MALWARE = ['Cobalt Strike', 'IcedID', 'QakBot', 'Pikabot', 'RedLine Stealer', 'Latrodectus', 'DarkGate']
const RANSOMWARE = ['LockBit', 'BlackCat/ALPHV', 'Akira', 'Rhysida', 'Medusa']
const PRODUCTS = [
  ['Ivanti Connect Secure', 'CVE-2024-21887'],
  ['Citrix NetScaler ADC', 'CVE-2023-4966'],
  ['Palo Alto PAN-OS', 'CVE-2024-3400'],
  ['Cisco IOS XE', 'CVE-2023-20198'],
]
const ACTORS = ['APT29 (Cozy Bear)', 'Volt Typhoon', 'Scattered Spider', 'FIN7', 'Lazarus Group']

const builders = {
  threatfox() {
    const m = pick([...MALWARE, ...RANSOMWARE])
    const ransom = RANSOMWARE.includes(m)
    const node = `${ip()}:${pick([443, 8080, 50050, 4444])}`
    return makeIoc('threatfox', {
      detectedAt: new Date(Date.now() - rand(0, 6e6)).toISOString(),
      severity: ransom ? SEVERITY.CRITICAL : SEVERITY.HIGH,
      category: 'Malware Infrastructure',
      indicator: node, indicatorType: 'ip:port', target: m, confidence: rand(80, 99),
      mitre: [{ id: 'T1583.004', name: 'Acquire Infrastructure: Server' }],
      headline: `Malware Infrastructure: Active ${m} C2 node identified on ${node} by ThreatFox`,
      raw: { ioc: node, malware: m, threat_type: 'botnet_cc', demo: true },
      stix: { type: 'indicator', pattern: `[x-ioc:value = '${node}']`, pattern_type: 'stix', labels: ['command-and-control'] },
    })
  },
  cisakev() {
    const [p, cve] = pick(PRODUCTS)
    return makeIoc('cisakev', {
      detectedAt: new Date(Date.now() - rand(0, 8e6)).toISOString(),
      severity: SEVERITY.CRITICAL, category: 'Active Exploitation',
      indicator: cve, indicatorType: 'cve', target: `${cve} · ${p}`, confidence: 100,
      mitre: [{ id: 'T1190', name: 'Exploit Public-Facing Application' }],
      headline: `Active Exploitation: ${cve} in ${p} added to CISA Known Exploited Vulnerabilities catalog`,
      raw: { cveID: cve, product: p, demo: true },
      stix: { type: 'vulnerability', name: cve, labels: ['exploited-in-the-wild'] },
    })
  },
  otx() {
    const a = pick(ACTORS)
    const node = ip()
    return makeIoc('otx', {
      detectedAt: new Date(Date.now() - rand(0, 7e6)).toISOString(),
      severity: SEVERITY.HIGH, category: 'Threat Pulse',
      indicator: node, indicatorType: 'IPv4', target: a, confidence: rand(65, 90),
      mitre: [{ id: 'T1071.001', name: 'Application Layer Protocol: Web Protocols' }],
      headline: `Threat Pulse: Host ${node} attributed to ${a} in an AlienVault OTX pulse`,
      raw: { adversary: a, indicator: node, demo: true },
      stix: { type: 'indicator', pattern: `[ipv4-addr:value = '${node}']`, pattern_type: 'stix', labels: ['malicious-activity'] },
    })
  },
}

/** Produce a demo batch for a single source key (falls back to threatfox shape). */
export function demoBatch(key, count = 4) {
  const build = builders[key] || builders.threatfox
  return Array.from({ length: count }, () => {
    const ioc = build()
    return { ...ioc, source: key, headline: ioc.headline.replace(/ThreatFox|CISA|AlienVault OTX/, key) }
  })
}