From 5d5dfbf4aeb32f951917485845d77b90628a8642 Mon Sep 17 00:00:00 2001
From: Manuel Abascal <mjabascal10@gmail.com>
Date: Mon, 5 Feb 2024 17:48:47 +0200
Subject: [PATCH 1/6] Fixed Incident-response-trigger-select-cause-modal-scroll
 (#402)

---
 .../ir-create-rule.component.html               | 17 +++++++++--------
 .../ir-create-rule/ir-create-rule.component.ts  |  6 ++++--
 .../ir-summary/ir-summary.component.html        | 13 +++++++------
 3 files changed, 20 insertions(+), 16 deletions(-)

diff --git a/frontend/src/app/incident-response/shared/component/ir-create-rule/ir-create-rule.component.html b/frontend/src/app/incident-response/shared/component/ir-create-rule/ir-create-rule.component.html
index 8a0e774c3..7799ec61f 100644
--- a/frontend/src/app/incident-response/shared/component/ir-create-rule/ir-create-rule.component.html
+++ b/frontend/src/app/incident-response/shared/component/ir-create-rule/ir-create-rule.component.html
@@ -42,9 +42,9 @@
           <span class="text-blue-800 font-weight-bold step-title">
           Summary
         </span>
-        <div [ngClass]="isCompleted(4)?'step-success':step===3?'step-active':'step-inactive'"
+        <div [ngClass]="isCompleted(4) ? 'step-success':step === 4 ?'step-active' : 'step-inactive'"
              class="round-indicator">
-          <i class="step-icon"  [ngClass]="isCompleted(4)?'icon-checkmark3':'icon-eye'"></i>
+          <i class="step-icon"  [ngClass]="isCompleted(4) ? 'icon-checkmark3' : 'icon-eye'"></i>
         </div>
       </div>
     </div>
@@ -126,7 +126,7 @@
                        [loading]="loadingData(condition.get('field').value)"
                        [multiple]="false"
                        [searchable]="true"
-                       class="flex-grow-1"
+                       class="flex-grow-1 w-30"
                        formControlName="value"
                        id="values">
             </ng-select>
@@ -149,7 +149,7 @@
         </div>
       </div>
       <div class="d-flex mt-3 flex-column">
-        <div class="col-12 p-0">
+        <div class="col-6 p-0">
           <label class="pb-1" for="exclude">Agent platform is</label>
           <ng-select [clearable]="false"
                      [items]="platforms"
@@ -179,13 +179,15 @@
         </div>-->
       </div>
       <div class="d-flex mt-3 flex-column">
-        <div class="col-12">
           <app-utm-toggle (toggleChange)="formRule.get('agentType').setValue($event)"
                           [active]="formRule.get('agentType').value"
                           [emitAtStart]="false"
                           [customClass]="'pl-3'"
-                          [label]="'Select the agent handling strategy for the automation. By default, commands won\'t run on specified agents, even if the trigger conditions match. Alternatively, choose a default agent to run the automation if no other agent matches the criteria.'" class="mb-3"></app-utm-toggle>
-        </div>
+                          [label]="'Agent handling strategy for the automation'"></app-utm-toggle>
+            <div class="alert alert-info alert-styled-right mt-1 info-dismissible">
+              <span class="font-weight-semibold">Info! </span>
+              <span>Select the agent handling strategy for the automation. By default, commands won't run on specified agents, even if the trigger conditions match. Alternatively, choose a default agent to run the automation if no other agent matches the criteria.</span>
+            </div>
       </div>
       <div *ngIf="formRule.get('agentType').value" class="d-flex mt-3 flex-column">
         <div class="col-12 p-0">
@@ -294,7 +296,6 @@
 
     <button (click)="createRule()"
             *ngIf="step===4"
-            [disabled]="!command || command === ''"
             class="btn utm-button utm-button-primary ml-2">
       <i [ngClass]="creating?'icon-spinner2 spinner':'icon-terminal'"></i>
       {{rule ? 'Edit' : 'Create'}} automation&nbsp;
diff --git a/frontend/src/app/incident-response/shared/component/ir-create-rule/ir-create-rule.component.ts b/frontend/src/app/incident-response/shared/component/ir-create-rule/ir-create-rule.component.ts
index 8d5a9a163..2df0798e4 100644
--- a/frontend/src/app/incident-response/shared/component/ir-create-rule/ir-create-rule.component.ts
+++ b/frontend/src/app/incident-response/shared/component/ir-create-rule/ir-create-rule.component.ts
@@ -215,7 +215,7 @@ export class IrCreateRuleComponent implements OnInit {
     this.formRule.get('name').setValue(this.rulePrefix + this.formRule.get('name').value);
   }
 
- clearAgentTypeSelection(){
+ clearAgentTypeSelection() {
    if (!this.formRule.get('agentType').value) {
      this.formRule.get('excludedAgents').setValue([]);
    } else {
@@ -247,11 +247,13 @@ export class IrCreateRuleComponent implements OnInit {
   }
 
   isDisable(step: number) {
+    console.log((!this.formRule.get('agentType').value && this.formRule.get('defaultAgent').value === ''));
     switch (step) {
       case 1:
         return !this.formRule.get('name').valid || !this.formRule.get('description').valid || this.exist;
       case 2:
-        return !this.formRule.get('agentPlatform').valid || this.ruleConditions.length === 0;
+        return !this.formRule.get('agentPlatform').valid || this.ruleConditions.length === 0
+            || (!this.formRule.get('agentType').value && !this.formRule.get('defaultAgent').value);
       case 3:
         return !this.command || this.command === '';
     }
diff --git a/frontend/src/app/incident-response/shared/component/ir-summary/ir-summary.component.html b/frontend/src/app/incident-response/shared/component/ir-summary/ir-summary.component.html
index d3eef8c42..d7915de71 100644
--- a/frontend/src/app/incident-response/shared/component/ir-summary/ir-summary.component.html
+++ b/frontend/src/app/incident-response/shared/component/ir-summary/ir-summary.component.html
@@ -6,12 +6,13 @@
       It will evaluate the following conditions:
     </p>
 
-    <div class="alert-details mb-1 mt-1"
-         *ngFor="let condition of conditions">
-      <span class="text-blue-800 font-weight-light has-minimum-width">{{getFieldName(condition.field)}}</span>&nbsp;
-      <span class="font-weight-light  font-weight-semibold">{{getFilterName(condition.operator)}}</span>&nbsp;
-      <span class="">{{condition.value}}</span>&nbsp;
-    </div>
+    <ul class="mb-1 mt-1">
+      <li class="ml-2"  *ngFor="let condition of conditions">
+        <span class="text-blue-800 font-weight-light has-minimum-width">{{'- ' + getFieldName(condition.field)}}</span>&nbsp;
+        <span class="font-weight-light  font-weight-semibold">{{getFilterName(condition.operator)}}</span>&nbsp;
+        <span class="">{{condition.value}}</span>&nbsp;
+      </li>
+    </ul>
 
     <span>
       On agents operating on the <strong>{{ platform | capitalize }}</strong> platform.

From 21589e785b381de76d2ac62272da51980a54f482 Mon Sep 17 00:00:00 2001
From: Manuel Abascal <mjabascal10@gmail.com>
Date: Mon, 5 Feb 2024 20:12:54 +0200
Subject: [PATCH 2/6] Fixed Incident-response-trigger-select-cause-modal-scroll
 (#402)

---
 .../ir-create-rule.component.html             | 20 +++++++++----------
 .../ir-create-rule.component.ts               | 13 ++++++------
 .../ir-summary/ir-summary.component.html      |  6 +++---
 .../model/winevent/WinEventLog.java           |  3 ++-
 4 files changed, 22 insertions(+), 20 deletions(-)

diff --git a/frontend/src/app/incident-response/shared/component/ir-create-rule/ir-create-rule.component.html b/frontend/src/app/incident-response/shared/component/ir-create-rule/ir-create-rule.component.html
index 7799ec61f..1de1e11a1 100644
--- a/frontend/src/app/incident-response/shared/component/ir-create-rule/ir-create-rule.component.html
+++ b/frontend/src/app/incident-response/shared/component/ir-create-rule/ir-create-rule.component.html
@@ -95,7 +95,7 @@
                       [label]="'Incident response automation is active'">
       </app-utm-toggle>
     </div>
-    <div *ngIf="step===2" class="configure-step mt-3 mb-3 has-fixed-height overflow-auto">
+    <div *ngIf="step===2" class="configure-step mt-3 mb-3">
 
       <div class="w-100">
         <div formArrayName="conditions">
@@ -179,17 +179,17 @@
         </div>-->
       </div>
       <div class="d-flex mt-3 flex-column">
+        <div class="alert alert-info alert-styled-right mb-2 info-dismissible">
+          <span class="font-weight-semibold">Info! </span>
+          <span>Select the agent handling strategy for the automation. By default (not active), commands will run on specified platform agents if the trigger conditions and dataSource field value of the alert match. Alternatively, choose a default agent to run the automation if no other agent matches the criteria. If this option is active, commands will run only on specified platform agents if the trigger conditions and dataSource field value of the alert match, if not, the automation won't be executed.</span>
+        </div>
           <app-utm-toggle (toggleChange)="formRule.get('agentType').setValue($event)"
                           [active]="formRule.get('agentType').value"
                           [emitAtStart]="false"
                           [customClass]="'pl-3'"
-                          [label]="'Agent handling strategy for the automation'"></app-utm-toggle>
-            <div class="alert alert-info alert-styled-right mt-1 info-dismissible">
-              <span class="font-weight-semibold">Info! </span>
-              <span>Select the agent handling strategy for the automation. By default, commands won't run on specified agents, even if the trigger conditions match. Alternatively, choose a default agent to run the automation if no other agent matches the criteria.</span>
-            </div>
+                          [label]="'Run on specific agent'"></app-utm-toggle>
       </div>
-      <div *ngIf="formRule.get('agentType').value" class="d-flex mt-3 flex-column">
+      <div *ngIf="!formRule.get('agentType').value" class="d-flex mt-2 flex-column">
         <div class="col-12 p-0">
           <label class="pb-1" for="exclude">Exclude agents</label>
           <ng-select [clearable]="false"
@@ -212,9 +212,9 @@
           </div>
         </div>
       </div>
-      <div *ngIf="!formRule.get('agentType').value" class="d-flex mt-3 flex-column">
-        <div  class="col-12 p-0">
-          <label class="pb-1" for="exclude">Default agents</label>
+      <div *ngIf="formRule.get('agentType').value" class="d-flex mt-2 flex-column">
+        <div  class="col-6 p-0">
+          <label class="pb-1" for="exclude">Default agent</label>
           <ng-select [clearable]="false"
                      [items]="agents"
                      [placeholder]="'Select agent'"
diff --git a/frontend/src/app/incident-response/shared/component/ir-create-rule/ir-create-rule.component.ts b/frontend/src/app/incident-response/shared/component/ir-create-rule/ir-create-rule.component.ts
index 2df0798e4..34d7cac1d 100644
--- a/frontend/src/app/incident-response/shared/component/ir-create-rule/ir-create-rule.component.ts
+++ b/frontend/src/app/incident-response/shared/component/ir-create-rule/ir-create-rule.component.ts
@@ -54,7 +54,7 @@ export class IrCreateRuleComponent implements OnInit {
       conditions: this.fb.array([]),
       command: ['', Validators.required],
       active: [true],
-      agentType: [true],
+      agentType: [false],
       excludedAgents: [[]],
       defaultAgent: [''],
       agentPlatform: ['', Validators.required]
@@ -81,7 +81,7 @@ export class IrCreateRuleComponent implements OnInit {
         this.ruleConditions.push(ruleCondition);
         this.getAgents(this.formRule.get('agentPlatform').value);
         this.formRule.get('excludedAgents').setValue(this.rule.excludedAgents);
-        this.formRule.get('agentType').setValue(this.rule.excludedAgents.length > 0);
+        this.formRule.get('agentType').setValue(this.rule.excludedAgents.length === 0);
         this.formRule.get('defaultAgent').setValue(this.rule.defaultAgent);
       }
     } else if (this.alert) {
@@ -148,6 +148,9 @@ export class IrCreateRuleComponent implements OnInit {
   }
 
   nextStep() {
+    if (this.step === 3) {
+      this.formRule.get('command').setValue(this.command);
+    }
     this.stepCompleted.push(this.step);
     this.step += 1;
   }
@@ -194,7 +197,6 @@ export class IrCreateRuleComponent implements OnInit {
   }
 
   editRule() {
-    console.log('edit');
     const action = 'edited';
     const actionError = 'editing';
     this.clearAgentTypeSelection();
@@ -216,7 +218,7 @@ export class IrCreateRuleComponent implements OnInit {
   }
 
  clearAgentTypeSelection() {
-   if (!this.formRule.get('agentType').value) {
+   if (this.formRule.get('agentType').value) {
      this.formRule.get('excludedAgents').setValue([]);
    } else {
      this.formRule.get('defaultAgent').setValue('');
@@ -247,13 +249,12 @@ export class IrCreateRuleComponent implements OnInit {
   }
 
   isDisable(step: number) {
-    console.log((!this.formRule.get('agentType').value && this.formRule.get('defaultAgent').value === ''));
     switch (step) {
       case 1:
         return !this.formRule.get('name').valid || !this.formRule.get('description').valid || this.exist;
       case 2:
         return !this.formRule.get('agentPlatform').valid || this.ruleConditions.length === 0
-            || (!this.formRule.get('agentType').value && !this.formRule.get('defaultAgent').value);
+            || (this.formRule.get('agentType').value && !this.formRule.get('defaultAgent').value);
       case 3:
         return !this.command || this.command === '';
     }
diff --git a/frontend/src/app/incident-response/shared/component/ir-summary/ir-summary.component.html b/frontend/src/app/incident-response/shared/component/ir-summary/ir-summary.component.html
index d7915de71..fd495e823 100644
--- a/frontend/src/app/incident-response/shared/component/ir-summary/ir-summary.component.html
+++ b/frontend/src/app/incident-response/shared/component/ir-summary/ir-summary.component.html
@@ -19,7 +19,7 @@
     </span>
 
 
-    <ng-container *ngIf="agentType">
+    <ng-container *ngIf="!agentType">
       <span>
         Importantly, the automation excludes designated agents, such as
       </span>
@@ -28,7 +28,7 @@
       </span>
     </ng-container>
 
-    <ng-container *ngIf="!agentType">
+    <ng-container *ngIf="agentType">
       <span>
         In case none of the agents satisfy the specified conditions, the automation will smoothly revert and execute on the default agent,
         <span class="badge p-1 border-1 badge-flat font-weight-light border-info-800 text-info-800 mr-2 mb-2">
@@ -44,7 +44,7 @@
     <span>
      Crucially, when these conditions are met, the automation will proceed to execute the following action:
     </span>
-    <app-utm-code-view [code]="command" [allowCopy]="true"></app-utm-code-view>
+    <app-utm-code-view class="w-100 mt-1" [code]="command" [allowCopy]="false"></app-utm-code-view>
   </div>
 </div>
 
diff --git a/user-auditor/src/main/java/com/utmstack/userauditor/model/winevent/WinEventLog.java b/user-auditor/src/main/java/com/utmstack/userauditor/model/winevent/WinEventLog.java
index 8f8d6945e..a8883a99f 100644
--- a/user-auditor/src/main/java/com/utmstack/userauditor/model/winevent/WinEventLog.java
+++ b/user-auditor/src/main/java/com/utmstack/userauditor/model/winevent/WinEventLog.java
@@ -19,6 +19,7 @@ public class WinEventLog{
     public ArrayList<String> keywords;
     public String level;
     public String log_name;
+    
     public String message;
     public String opcode;
     public int process_id;
@@ -27,7 +28,7 @@ public class WinEventLog{
     public String source_name;
     public ArrayList<String> tags;
     public String task;
-    public int thread_id;
+    public String thread_id;
     public int version;
 }
 

From 69c3efb32a9681c535e96d4a9fb5fc6cbb2ade98 Mon Sep 17 00:00:00 2001
From: Manuel Abascal <mjabascal10@gmail.com>
Date: Mon, 5 Feb 2024 20:34:10 +0200
Subject: [PATCH 3/6] Fixed Incident-response-trigger-select-cause-modal-scroll
 (#402)

---
 .../com/utmstack/userauditor/model/winevent/WinEventLog.java   | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/user-auditor/src/main/java/com/utmstack/userauditor/model/winevent/WinEventLog.java b/user-auditor/src/main/java/com/utmstack/userauditor/model/winevent/WinEventLog.java
index a8883a99f..8f8d6945e 100644
--- a/user-auditor/src/main/java/com/utmstack/userauditor/model/winevent/WinEventLog.java
+++ b/user-auditor/src/main/java/com/utmstack/userauditor/model/winevent/WinEventLog.java
@@ -19,7 +19,6 @@ public class WinEventLog{
     public ArrayList<String> keywords;
     public String level;
     public String log_name;
-    
     public String message;
     public String opcode;
     public int process_id;
@@ -28,7 +27,7 @@ public class WinEventLog{
     public String source_name;
     public ArrayList<String> tags;
     public String task;
-    public String thread_id;
+    public int thread_id;
     public int version;
 }
 

From ddda2fa5e793ba5a27481028f711c47180188104 Mon Sep 17 00:00:00 2001
From: Manuel Abascal <mjabascal10@gmail.com>
Date: Mon, 5 Feb 2024 21:01:42 +0200
Subject: [PATCH 4/6] Fixed Incident-response-trigger-select-cause-modal-scroll
 (#402)

---
 .../ir-create-rule/ir-create-rule.component.html       |  2 +-
 .../ir-create-rule/ir-create-rule.component.ts         | 10 ++++++++--
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/frontend/src/app/incident-response/shared/component/ir-create-rule/ir-create-rule.component.html b/frontend/src/app/incident-response/shared/component/ir-create-rule/ir-create-rule.component.html
index 1de1e11a1..cde64423f 100644
--- a/frontend/src/app/incident-response/shared/component/ir-create-rule/ir-create-rule.component.html
+++ b/frontend/src/app/incident-response/shared/component/ir-create-rule/ir-create-rule.component.html
@@ -183,7 +183,7 @@
           <span class="font-weight-semibold">Info! </span>
           <span>Select the agent handling strategy for the automation. By default (not active), commands will run on specified platform agents if the trigger conditions and dataSource field value of the alert match. Alternatively, choose a default agent to run the automation if no other agent matches the criteria. If this option is active, commands will run only on specified platform agents if the trigger conditions and dataSource field value of the alert match, if not, the automation won't be executed.</span>
         </div>
-          <app-utm-toggle (toggleChange)="formRule.get('agentType').setValue($event)"
+          <app-utm-toggle (toggleChange)="onChangeToggle($event)"
                           [active]="formRule.get('agentType').value"
                           [emitAtStart]="false"
                           [customClass]="'pl-3'"
diff --git a/frontend/src/app/incident-response/shared/component/ir-create-rule/ir-create-rule.component.ts b/frontend/src/app/incident-response/shared/component/ir-create-rule/ir-create-rule.component.ts
index 34d7cac1d..6b44515da 100644
--- a/frontend/src/app/incident-response/shared/component/ir-create-rule/ir-create-rule.component.ts
+++ b/frontend/src/app/incident-response/shared/component/ir-create-rule/ir-create-rule.component.ts
@@ -254,6 +254,7 @@ export class IrCreateRuleComponent implements OnInit {
         return !this.formRule.get('name').valid || !this.formRule.get('description').valid || this.exist;
       case 2:
         return !this.formRule.get('agentPlatform').valid || this.ruleConditions.length === 0
+            || !this.ruleConditions.valid
             || (this.formRule.get('agentType').value && !this.formRule.get('defaultAgent').value);
       case 3:
         return !this.command || this.command === '';
@@ -284,8 +285,13 @@ export class IrCreateRuleComponent implements OnInit {
     });
   }
 
-  onChangeToggle() {
-
+  onChangeToggle($event) {
+    if ($event ) {
+      this.formRule.get('excludedAgents').setValue([]);
+    } else {
+      this.formRule.get('defaultAgent').setValue('');
+    }
+    this.formRule.get('agentType').setValue($event);
   }
 
 }

From 6fc796260d23fdd7166476a9b51856546af67961 Mon Sep 17 00:00:00 2001
From: Manuel Abascal <mjabascal10@gmail.com>
Date: Mon, 5 Feb 2024 23:30:29 +0200
Subject: [PATCH 5/6] Fixed Auditor crash try to parse (#405)

---
 .../utmstack/userauditor/model/winevent/WinEventLog.java | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/user-auditor/src/main/java/com/utmstack/userauditor/model/winevent/WinEventLog.java b/user-auditor/src/main/java/com/utmstack/userauditor/model/winevent/WinEventLog.java
index 8f8d6945e..53d2859f9 100644
--- a/user-auditor/src/main/java/com/utmstack/userauditor/model/winevent/WinEventLog.java
+++ b/user-auditor/src/main/java/com/utmstack/userauditor/model/winevent/WinEventLog.java
@@ -19,16 +19,17 @@ public class WinEventLog{
     public ArrayList<String> keywords;
     public String level;
     public String log_name;
+
     public String message;
     public String opcode;
-    public int process_id;
+    public String process_id;
     public String provider_guid;
-    public int record_number;
+    public String record_number;
     public String source_name;
     public ArrayList<String> tags;
     public String task;
-    public int thread_id;
-    public int version;
+    public String thread_id;
+    public String version;
 }
 
 

From 471ca243c9860d2f9288fcaf64db8ad91e57877d Mon Sep 17 00:00:00 2001
From: Manuel Abascal <mjabascal10@gmail.com>
Date: Mon, 5 Feb 2024 23:44:58 +0200
Subject: [PATCH 6/6] Fixed Auditor crash try to parse (#405)

---
 .../com/utmstack/userauditor/model/winevent/WinEventLog.java    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/user-auditor/src/main/java/com/utmstack/userauditor/model/winevent/WinEventLog.java b/user-auditor/src/main/java/com/utmstack/userauditor/model/winevent/WinEventLog.java
index 53d2859f9..c4773247f 100644
--- a/user-auditor/src/main/java/com/utmstack/userauditor/model/winevent/WinEventLog.java
+++ b/user-auditor/src/main/java/com/utmstack/userauditor/model/winevent/WinEventLog.java
@@ -20,7 +20,7 @@ public class WinEventLog{
     public String level;
     public String log_name;
 
-    public String message;
+    public String mesage;
     public String opcode;
     public String process_id;
     public String provider_guid;