
align galaxy/cluster structure provided by MISP (web) to the MISP-galaxies #3801

Open
cvandeplas opened this issue Oct 25, 2018 · 3 comments
Labels
S: stale Status: stale. This issue has had no activity in a long time, it may not be relevant anymore T: bug Type: bug report: This issue describes unexpected behaviour topic: galaxy

Comments

cvandeplas (Member) commented Oct 25, 2018

Work environment

| Questions | Answers |
|---|---|
| Type of issue | Bug |
| MISP version / git hash | latest |

Expected behavior

The data format of a MISP cluster is different in a MISP event in JSON than the original misp-galaxy cluster format.

Actual behavior

Examples:

  • cfr-suspected-state-sponsor : in misp-galaxies = string, in web_json = ["items"]
  • cfr-type-of-incident : idem
  • country : idem
  • missing relations
  • missing category (of the Galaxy, not the item itself)

Some exist in MISP-web and not in the original JSON files, but I think that's not a problem.
Examples: tag_name, tag_id, type, authors, collection_uuid, ...

Logs, screenshots, configuration dump, ...

image

@cvandeplas cvandeplas added T: bug Type: bug report: This issue describes unexpected behaviour topic: galaxy labels Oct 25, 2018
cvandeplas (Member, Author) commented Nov 12, 2018

Another place where the output is different is the REST API / JSON export of the Galaxy/Cluster when browsing the galaxies.
I believe it should be aligned to the original JSON format of the galaxies.

Example http://172.16.40.144/galaxies/view/35.json gives a CakePHP representation of the Galaxy and Cluster:

```json
{
    "Galaxy": {
        "id": "35",
        "uuid": "f2ef4033-9001-4427-a418-df8c48e6d054",
        "name": "Stealer",
        "type": "stealer",
        "description": "Malware stealer galaxy.",
        "version": "1",
        "icon": "key",
        "namespace": "misp"
    },
    "GalaxyCluster": [
        {
            "id": "15793",
            "collection_uuid": "f2ef4033-9001-4427-a418-df8c48e6d054",
            "type": "stealer",
            "value": "Nocturnal Stealer",
            "tag_name": "misp-galaxy:stealer=\"Nocturnal Stealer\"",
            "description": "It is designed to steal data found within multiple Chromium and Firefox based browsers, it can also steal many popular cryptocurrency wallets as well as any saved FTP passwords within FileZilla. Nocturnal Stealer uses several anti-VM and anti-analysis techniques, which include but are not limited to: environment fingerprinting, checking for debuggers and analyzers, searching for known virtual machine registry keys, and checking for emulation software.",
            "galaxy_id": "35",
            "source": "Open Sources",
            "authors": [
                "raw-data"
            ],
            "version": "3",
            "uuid": "e7080bce-99b5-4615-a798-a192ed89bd5a",
            "GalaxyElement": [
                {
                    "id": "52244",
                    "galaxy_cluster_id": "15793",
                    "key": "date",
                    "value": "March 2018."
                },
                {
                    "id": "52245",
                    "galaxy_cluster_id": "15793",
                    "key": "refs",
                    "value": "https:\/\/www.proofpoint.com\/us\/threat-insight\/post\/thief-night-new-nocturnal-stealer-grabs-data-cheap"
                }
            ]
        },
        {
            "id": "15794",
```
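As an added illustration (not code from MISP or from this issue) of why the two layouts are awkward to reconcile: the function below rebuilds the misp-galaxy cluster file layout from the `/galaxies/view/<id>.json` shape quoted above. The sample input is constructed, the placeholder URLs are not real, and the set of always-list keys (`refs`, `synonyms`) is an assumption made for the example.

```python
# Constructed sample in the CakePHP /galaxies/view/<id>.json shape quoted above
# (trimmed to the fields the conversion uses; URLs are placeholders).
WEB_JSON = {
    "Galaxy": {"uuid": "f2ef4033-9001-4427-a418-df8c48e6d054", "name": "Stealer",
               "type": "stealer", "description": "Malware stealer galaxy.",
               "version": "1"},
    "GalaxyCluster": [{
        "uuid": "e7080bce-99b5-4615-a798-a192ed89bd5a", "value": "Nocturnal Stealer",
        "description": "Browser and wallet stealer.",
        "GalaxyElement": [
            {"key": "date", "value": "March 2018."},
            {"key": "refs", "value": "https://example.invalid/ref1"},
            {"key": "refs", "value": "https://example.invalid/ref2"},
            {"key": "country", "value": "RU"},
        ],
    }],
}

# Keys that are lists in the misp-galaxy cluster files even with one element.
# Assumption for this example: the real format has more such keys.
ALWAYS_LIST = {"refs", "synonyms"}


def elements_to_meta(elements):
    """Fold GalaxyElement rows ({"key", "value"}) into a misp-galaxy meta dict.
    Repeated keys become lists; a single value stays a scalar unless the key
    is in ALWAYS_LIST. This is where the web JSON is lossy: without such a
    key list, 'country' (a string upstream) would come back as ["RU"]."""
    grouped = {}
    for el in elements:
        grouped.setdefault(el["key"], []).append(el["value"])
    return {k: v if (k in ALWAYS_LIST or len(v) > 1) else v[0]
            for k, v in grouped.items()}


def web_to_galaxy(web):
    """Rebuild the misp-galaxy cluster file layout from the web JSON.
    Galaxy 'category' and cluster 'related' entries are absent from the web
    output, so they cannot be recovered here."""
    g = web["Galaxy"]
    return {
        "name": g["name"], "type": g["type"], "uuid": g["uuid"],
        "description": g["description"], "version": int(g["version"]),
        "values": [{
            "value": c["value"], "uuid": c["uuid"],
            "description": c["description"],
            "meta": elements_to_meta(c.get("GalaxyElement", [])),
        } for c in web["GalaxyCluster"]],
    }
```

Without the key list, every single-valued element would come back wrapped in a list, which is exactly the `cfr-suspected-state-sponsor` / `country` mismatch reported above.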

cvandeplas (Member, Author) commented:

Also, it's missing relations.

cvandeplas (Member, Author) commented:

The same for the objects/view/[object_id].json page: the output is different from what it is when included in the event view page. For example, relations are missing.

@enjeck enjeck added the S: stale Status: stale. This issue has had no activity in a long time, it may not be relevant anymore label Nov 30, 2020
2 participants