From 1d63e831287aef080566e8bbc89e0a3117845b71 Mon Sep 17 00:00:00 2001 
From: staycold666 Date: Tue, 7 Apr 2026 13:31:01 -0600 Subject: [PATCH 1/3] feat: initial SecureCatch application --- .env.local.example | 24 + .gitignore | 51 + AGENTS.md | 5 + CLAUDE.md | 1 + README.md | 36 + SETUP.md | 237 + app/alerts/[id]/page.tsx | 483 + app/api/alerts/[id]/route.ts | 38 + app/api/alerts/route.ts | 39 + app/api/analyze/[id]/route.ts | 110 + app/api/ingest/start/route.ts | 155 + app/api/remediate/[id]/route.ts | 176 + app/favicon.ico | Bin 0 -> 25931 bytes app/globals.css | 130 + app/layout.tsx | 37 + app/page.tsx | 28 + components.json | 25 + components/alert-queue.tsx | 132 + components/dashboard-header.tsx | 81 + components/remediate-dialog.tsx | 133 + components/status-badge.tsx | 44 + components/ui/badge.tsx | 52 + components/ui/button.tsx | 58 + components/ui/card.tsx | 103 + components/ui/dialog.tsx | 160 + components/ui/separator.tsx | 25 + components/ui/skeleton.tsx | 13 + components/ui/sonner.tsx | 49 + components/ui/table.tsx | 116 + components/ui/tabs.tsx | 82 + components/vt-score-card.tsx | 66 + eslint.config.mjs | 18 + lib/ai.ts | 189 + lib/db.ts | 18 + lib/google.ts | 300 + lib/jira.ts | 234 + lib/types.ts | 69 + lib/utils.ts | 6 + lib/virustotal.ts | 169 + next.config.ts | 7 + package-lock.json | 11344 ++++++++++++++++ package.json | 44 + postcss.config.mjs | 7 + prisma.config.ts | 14 + .../20260407185545_init/migration.sql | 35 + prisma/migrations/migration_lock.toml | 3 + prisma/schema.prisma | 60 + public/file.svg | 1 + public/globe.svg | 1 + public/next.svg | 1 + public/vercel.svg | 1 + public/window.svg | 1 + start.sh | 119 + tsconfig.json | 34 + 54 files changed, 15364 insertions(+) create mode 100644 .env.local.example create mode 100644 .gitignore create mode 100644 AGENTS.md create mode 100644 CLAUDE.md create mode 100644 README.md create mode 100644 SETUP.md create mode 100644 app/alerts/[id]/page.tsx create mode 100644 app/api/alerts/[id]/route.ts create mode 100644 app/api/alerts/route.ts create mode 100644 
app/api/analyze/[id]/route.ts create mode 100644 app/api/ingest/start/route.ts create mode 100644 app/api/remediate/[id]/route.ts create mode 100644 app/favicon.ico create mode 100644 app/globals.css create mode 100644 app/layout.tsx create mode 100644 app/page.tsx create mode 100644 components.json create mode 100644 components/alert-queue.tsx create mode 100644 components/dashboard-header.tsx create mode 100644 components/remediate-dialog.tsx create mode 100644 components/status-badge.tsx create mode 100644 components/ui/badge.tsx create mode 100644 components/ui/button.tsx create mode 100644 components/ui/card.tsx create mode 100644 components/ui/dialog.tsx create mode 100644 components/ui/separator.tsx create mode 100644 components/ui/skeleton.tsx create mode 100644 components/ui/sonner.tsx create mode 100644 components/ui/table.tsx create mode 100644 components/ui/tabs.tsx create mode 100644 components/vt-score-card.tsx create mode 100644 eslint.config.mjs create mode 100644 lib/ai.ts create mode 100644 lib/db.ts create mode 100644 lib/google.ts create mode 100644 lib/jira.ts create mode 100644 lib/types.ts create mode 100644 lib/utils.ts create mode 100644 lib/virustotal.ts create mode 100644 next.config.ts create mode 100644 package-lock.json create mode 100644 package.json create mode 100644 postcss.config.mjs create mode 100644 prisma.config.ts create mode 100644 prisma/migrations/20260407185545_init/migration.sql create mode 100644 prisma/migrations/migration_lock.toml create mode 100644 prisma/schema.prisma create mode 100644 public/file.svg create mode 100644 public/globe.svg create mode 100644 public/next.svg create mode 100644 public/vercel.svg create mode 100644 public/window.svg create mode 100755 start.sh create mode 100644 tsconfig.json diff --git a/.env.local.example b/.env.local.example new file mode 100644 index 0000000..2e38651 --- /dev/null +++ b/.env.local.example 
@@ -0,0 +1,24 @@
+# Jira Configuration
+JIRA_HOST=yourorg.atlassian.net
+JIRA_EMAIL=service-account@yourorg.com
+JIRA_API_TOKEN=your-jira-api-token
+JIRA_SECOPS_PROJECT_KEY=SECOPS
+
+# Google Workspace Configuration
+GOOGLE_CLIENT_EMAIL=service-account@your-project.iam.gserviceaccount.com
+GOOGLE_PRIVATE_KEY="-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n"
+GOOGLE_SUBJECT_EMAIL=admin@yourorg.com
+GOOGLE_ADMIN_EMAIL=admin@yourorg.com
+
+# VirusTotal Configuration
+VIRUSTOTAL_API_KEY=your-virustotal-api-key
+
+# OpenRouter Configuration
+OPENROUTER_API_KEY=your-openrouter-api-key
+OPENROUTER_MODEL=anthropic/claude-3.5-sonnet
+
+# Authentication (Future Use)
+NEXTAUTH_SECRET=your-nextauth-secret
+
+# Database
+DATABASE_URL=file:./dev.db
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..1c9ad0b
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,51 @@
+# See https://help.github.com/articles/ignoring-files/ for more about ignoring files.
+
+# dependencies
+/node_modules
+/.pnp
+.pnp.*
+.yarn/*
+!.yarn/patches
+!.yarn/plugins
+!.yarn/releases
+!.yarn/versions
+
+# testing
+/coverage
+
+# next.js
+/.next/
+/out/
+
+# production
+/build
+
+# misc
+.DS_Store
+*.pem
+
+# debug
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+.pnpm-debug.log*
+
+# env files — never commit real credentials
+.env
+.env.local
+.env.*.local
+# allow the example template
+!.env.local.example
+
+# vercel
+.vercel
+
+# typescript
+*.tsbuildinfo
+next-env.d.ts
+
+/lib/generated/prisma
+
+# Database
+prisma/dev.db
+prisma/dev.db-journal
diff --git a/AGENTS.md b/AGENTS.md
new file mode 100644
index 0000000..8bd0e39
--- /dev/null
+++ b/AGENTS.md
@@ -0,0 +1,5 @@
+
+# This is NOT the Next.js you know
+
+This version has breaking changes — APIs, conventions, and file structure may all differ from your training data. Read the relevant guide in `node_modules/next/dist/docs/` before writing any code. Heed deprecation notices.
+
diff --git a/CLAUDE.md b/CLAUDE.md new file mode 100644 index 0000000..43c994c --- /dev/null +++ b/CLAUDE.md @@ -0,0 +1 @@ +@AGENTS.md diff --git a/README.md b/README.md new file mode 100644 index 0000000..e215bc4 --- /dev/null +++ b/README.md @@ -0,0 +1,36 @@ +This is a [Next.js](https://nextjs.org) project bootstrapped with [`create-next-app`](https://nextjs.org/docs/app/api-reference/cli/create-next-app). + +## Getting Started + +First, run the development server: + +```bash +npm run dev +# or +yarn dev +# or +pnpm dev +# or +bun dev +``` + +Open [http://localhost:3000](http://localhost:3000) with your browser to see the result. + +You can start editing the page by modifying `app/page.tsx`. The page auto-updates as you edit the file. + +This project uses [`next/font`](https://nextjs.org/docs/app/building-your-application/optimizing/fonts) to automatically optimize and load [Geist](https://vercel.com/font), a new font family for Vercel. + +## Learn More + +To learn more about Next.js, take a look at the following resources: + +- [Next.js Documentation](https://nextjs.org/docs) - learn about Next.js features and API. +- [Learn Next.js](https://nextjs.org/learn) - an interactive Next.js tutorial. + +You can check out [the Next.js GitHub repository](https://github.com/vercel/next.js) - your feedback and contributions are welcome! + +## Deploy on Vercel + +The easiest way to deploy your Next.js app is to use the [Vercel Platform](https://vercel.com/new?utm_medium=default-template&filter=next.js&utm_source=create-next-app&utm_campaign=create-next-app-readme) from the creators of Next.js. + +Check out our [Next.js deployment documentation](https://nextjs.org/docs/app/building-your-application/deploying) for more details. diff --git a/SETUP.md b/SETUP.md new file mode 100644 index 0000000..413c320 --- /dev/null +++ b/SETUP.md 
@@ -0,0 +1,237 @@ +# SecureCatch — Setup Guide + +## Prerequisites + +| Requirement | Version | +|-------------|---------| +| Node.js | v18+ (v20+ recommended) | +| npm | v9+ | +| Google Workspace | Admin with Domain-Wide Delegation access | +| Jira | Atlassian Cloud or Server with API token | +| VirusTotal | API key (free tier works) | +| OpenRouter | API key + model access | + +--- + +## 1. Clone & Install Dependencies + +```bash +git clone +cd SecureCatch +npm install +``` + +--- + +## 2. Configure Environment Variables + +Copy the template and fill in your real credentials: + +```bash +cp .env.local.example .env.local +``` + +Then edit `.env.local`: + +```bash +# Jira Configuration +JIRA_HOST=yourorg.atlassian.net # e.g. snapdocs.atlassian.net +JIRA_EMAIL=service-account@yourorg.com # Jira account email +JIRA_API_TOKEN=your-jira-api-token # 
From: id.atlassian.com → Security → API tokens +JIRA_SECOPS_PROJECT_KEY=SECOPS # Your Jira project key + +# Google Workspace Configuration +GOOGLE_CLIENT_EMAIL=service-account@your-project.iam.gserviceaccount.com +GOOGLE_PRIVATE_KEY="-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n" +GOOGLE_SUBJECT_EMAIL=admin@yourorg.com # Email to impersonate (must have Gmail + Alert Center access) +GOOGLE_ADMIN_EMAIL=admin@yourorg.com # Super Admin email for Directory API + +# VirusTotal +VIRUSTOTAL_API_KEY=your-virustotal-api-key + +# OpenRouter +OPENROUTER_API_KEY=your-openrouter-api-key +OPENROUTER_MODEL=anthropic/claude-3.5-sonnet + +# Database (SQLite — no changes needed for local dev) +DATABASE_URL=file:./dev.db +``` + +--- + +## 3. Google Workspace Service Account Setup + +SecureCatch uses a **Google Service Account with Domain-Wide Delegation** to access Gmail, Alert Center, and the Admin SDK on behalf of users. + +### 3a. Create a Service Account + +1. Go to [Google Cloud Console](https://console.cloud.google.com/) → **IAM & Admin → Service Accounts** +2. Click **Create Service Account** +3. Give it a name (e.g., `securecatch-soar`) +4. Click **Done** (no roles needed at this level) +5. Click on the new service account → **Keys** tab → **Add Key → Create new key → JSON** +6. Save the downloaded JSON file — you'll extract `client_email` and `private_key` from it + +### 3b. Enable Domain-Wide Delegation + +1. In the service account detail page, click **Edit** → check **Enable Google Workspace Domain-wide Delegation** +2. Save, then note the **Client ID** (numeric ID shown on the service account page) + +### 3c. Grant OAuth Scopes in Google Admin + +1. Go to [admin.google.com](https://admin.google.com) → **Security → API Controls → Domain-wide delegation** +2. 
Click **Add new** and enter: + - **Client ID:** (the numeric Client ID from step 3b) + - **OAuth Scopes:** + ``` + https://www.googleapis.com/auth/gmail.readonly, + https://www.googleapis.com/auth/gmail.modify, + https://www.googleapis.com/auth/admin.directory.user.readonly, + https://www.googleapis.com/auth/apps.alerts + ``` + +### 3d. Enable Required APIs + +In Google Cloud Console → **APIs & Services → Enable APIs**: +- Gmail API +- Google Workspace Alert Center API +- Admin SDK API + +### 3e. Set Environment Variables + +From the downloaded JSON key file: + +```bash +GOOGLE_CLIENT_EMAIL= +GOOGLE_PRIVATE_KEY= +GOOGLE_SUBJECT_EMAIL= +GOOGLE_ADMIN_EMAIL= +``` + +> **Note:** When pasting `GOOGLE_PRIVATE_KEY` into `.env.local`, keep it on one line with `\n` as literal characters (not real newlines), and wrap the whole value in double quotes. + +--- + +## 4. Jira API Token + +1. Go to [id.atlassian.com](https://id.atlassian.com) → **Security → API tokens → Create API token** +2. Copy the token and set it as `JIRA_API_TOKEN` +3. Set `JIRA_EMAIL` to the email of the Atlassian account the token belongs to +4. Set `JIRA_HOST` to your Atlassian subdomain (e.g., `yourorg.atlassian.net`) +5. Set `JIRA_SECOPS_PROJECT_KEY` to your SECOPS board project key + +--- + +## 5. VirusTotal API Key + +1. Create an account at [virustotal.com](https://www.virustotal.com) +2. Go to **Profile → API Key** +3. Copy the key and set it as `VIRUSTOTAL_API_KEY` + +> **Free tier limit:** 4 requests/minute, 500/day. The app automatically rate-limits URL checks. + +--- + +## 6. OpenRouter API Key + +1. Create an account at [openrouter.ai](https://openrouter.ai) +2. Go to **Keys → Create key** +3. Set it as `OPENROUTER_API_KEY` +4. Set `OPENROUTER_MODEL` to your preferred model: + - `anthropic/claude-3.5-sonnet` (recommended) + - `openai/gpt-4o` + - `google/gemini-flash-1.5` + +--- + +## 7. Initialize the Database + +The SQLite database is automatically created. 
Run migrations to set up the schema: + +```bash +npx prisma migrate deploy +``` + +To reset the database during development: + +```bash +npx prisma migrate reset +``` + +To inspect the database with a GUI: + +```bash +npx prisma studio +``` + +--- + +## 8. Start the Application + +```bash +# Development mode (with hot reload) +npm run dev + +# OR use the startup script (starts dev server + opens browser) +./start.sh +``` + +The app will be available at **http://localhost:3000** + +--- + +## Workflow + +``` +1. Open the dashboard at http://localhost:3000 +2. Click "Run Ingestion" — fetches unprocessed Jira SECOPS tickets +3. Click any alert row to open the detail view +4. Click "Run Analysis" — runs VirusTotal OSINT + AI classification +5. Review: AI reasoning, OSINT scores, raw email headers/body/links +6. Choose an action: + └── "Approve & Remediate" → domain-wide email purge + close Jira ticket + └── "Mark as Safe / Close" → false positive, close Jira ticket +``` + +--- + +## Production Deployment + +For production, switch from SQLite to PostgreSQL: + +1. Update `DATABASE_URL` in your environment: + ``` + DATABASE_URL=postgresql://user:password@host:5432/securecatch + ``` + +2. Update `prisma/schema.prisma` datasource provider: + ```prisma + datasource db { + provider = "postgresql" + } + ``` + +3. Run migrations: + ```bash + npx prisma migrate deploy + ``` + +4. 
Build and start: + ```bash + npm run build + npm run start + ``` + +--- + +## Troubleshooting + +| Issue | Solution | +|-------|----------| +| `Missing Jira configuration` | Ensure `JIRA_HOST`, `JIRA_EMAIL`, `JIRA_API_TOKEN` are set in `.env.local` | +| `Missing Google credentials` | Ensure `GOOGLE_CLIENT_EMAIL` and `GOOGLE_PRIVATE_KEY` are set | +| `Alert Center API failed` | Ensure the service account has the `apps.alerts` scope granted in Google Admin | +| `Gmail API failed` | Ensure Domain-Wide Delegation is enabled and `gmail.modify` scope is granted | +| `No tickets found` | Check that your Jira project key is correct and the filter matches your ticket format | +| `AI parse error` | The model returned malformed JSON — try a different `OPENROUTER_MODEL` | +| `Database errors` | Run `npx prisma migrate deploy` to ensure schema is up to date | diff --git a/app/alerts/[id]/page.tsx b/app/alerts/[id]/page.tsx new file mode 100644 index 0000000..1d6bb0a --- /dev/null +++ b/app/alerts/[id]/page.tsx 
@@ -0,0 +1,483 @@ +"use client"; + +import { useState, useEffect, use } from "react"; +import Link from "next/link"; +import { useRouter } from "next/navigation"; +import { + ArrowLeft, + ExternalLink, + Play, + AlertTriangle, + ShieldCheck, + Mail, + Globe, + Server, + Link2, + Brain, + Loader2, +} from "lucide-react"; +import { Button } from "@/components/ui/button"; +import { Card, CardContent, CardHeader, CardTitle } from "@/components/ui/card"; +import { Separator } from "@/components/ui/separator"; +import { Skeleton } from "@/components/ui/skeleton"; +import { Tabs, TabsContent, TabsList, TabsTrigger } from "@/components/ui/tabs"; +import { Badge } from "@/components/ui/badge"; +import { StatusBadge, ClassificationBadge } from "@/components/status-badge"; +import { VTScoreCard } from "@/components/vt-score-card"; +import { RemediateDialog } from "@/components/remediate-dialog"; +import type { AlertDetail } from "@/lib/types"; +import { toast } from "sonner"; +import { format } from "date-fns"; + +interface PageProps { + params: Promise<{ id: string }>; +} + +export default function AlertDetailPage({ params }: PageProps) { + const { id } = use(params); + const [alert, setAlert] = useState(null); + const [loading, setLoading] = useState(true); + const [analyzing, setAnalyzing] = useState(false); + const [error, setError] = useState(null); + const [dialogAction, setDialogAction] = useState<"REMEDIATE" | "CLOSE" | null>(null); + const router = useRouter(); + + async function fetchAlert() { + setLoading(true); + setError(null); + try { + const res = await fetch(`/api/alerts/${id}`); + if (!res.ok) throw new Error(`HTTP ${res.status}`); + const data = await res.json() as { alert: AlertDetail }; + setAlert(data.alert); + } catch (err) { + setError(String(err)); + } finally { + setLoading(false); + } + } + + useEffect(() => { + void fetchAlert(); + // eslint-disable-next-line react-hooks/exhaustive-deps + }, [id]); + + async function runAnalysis() { + 
setAnalyzing(true); + try { + const res = await fetch(`/api/analyze/${id}`, { method: "POST" }); + const data = await res.json() as { message?: string; error?: string }; + if (!res.ok) { + toast.error(data.error ?? "Analysis failed"); + return; + } + toast.success("Analysis complete"); + await fetchAlert(); + } catch (err) { + toast.error(`Network error: ${String(err)}`); + } finally { + setAnalyzing(false); + } + } + + if (loading) { + return ( +
+
+ + + +
+
+ ); + } + + if (error || !alert) { + return ( +
+
+

Failed to load alert

+

{error}

+ +
+
+ ); + } + + const isActionable = + alert.status === "AWAITING_REVIEW" || alert.status === "INGESTED" || alert.status === "ANALYZING"; + const isCompleted = alert.status === "REMEDIATED" || alert.status === "CLOSED"; + + return ( +
+ {/* Header */} +
+
+
+ + + +
+
+ + {alert.jiraTicketKey} + + +
+

{alert.jiraSummary}

+
+
+
+ {alert.jiraTicketUrl && ( + + + View in Jira + + )} + {!isCompleted && ( + + )} +
+
+
+ +
+ {/* Left: Alert Details + Actions */} +
+ {/* Alert Metadata */} + + + + Alert Details + + + +
+

Suspect Sender

+

{alert.actorEmail}

+
+ +
+

Reported By

+

{alert.reportedByEmail}

+
+ + {alert.activityDate && ( + <> +
+

Activity Date

+

+ {format(new Date(alert.activityDate), "MMM d, yyyy HH:mm")} UTC +

+
+ + + )} + {alert.rfc2822MessageId && ( +
+

RFC 2822 Message-ID

+

+ {alert.rfc2822MessageId} +

+
+ )} +
+
+ + {/* AI Analysis */} + + + + + AI Analysis + + + + {alert.aiClassification ? ( + <> +
+ + + {alert.aiConfidenceScore}% confidence + +
+
+
+
+ {alert.aiReasoning && ( +
+

Reasoning

+

{alert.aiReasoning}

+
+ )} + + ) : ( +
+ +

No AI analysis yet

+

Click Run Analysis to classify this alert

+
+ )} + + + + {/* Actions */} + {!isCompleted && ( + + + + Available Actions + + + + + + {!isActionable && ( +

+ Run Analysis first to enable actions +

+ )} +
+
+ )} + + {/* Completed State */} + {isCompleted && ( + + +
+ {alert.status === "REMEDIATED" ? ( + <> + +

Domain-Wide Purge Executed

+ {alert.purgeResults && ( +

+ Trashed from {alert.purgeResults.usersAffected.length} inbox(es) out of{" "} + {alert.purgeResults.usersSearched} users searched +

+ )} + + ) : ( + <> + +

Closed as False Positive

+ + )} + {alert.analystNote && ( +

+ “{alert.analystNote}” +

+ )} +
+
+
+ )} +
+ + {/* Right: Email + OSINT Details */} +
+ {/* OSINT Scores */} + + + + + OSINT Data (VirusTotal) + + + + {alert.vtSenderDomain || alert.vtSenderIp || alert.vtUrlScores.length > 0 ? ( +
+
+ {alert.vtSenderDomain && ( + + )} + {alert.vtSenderIp && ( + + )} +
+ {alert.vtUrlScores.length > 0 && ( +
+

+ + URL Scores +

+
+ {alert.vtUrlScores.map((result, i) => ( + + ))} +
+
+ )} +
+ ) : ( +
+ +

No OSINT data yet

+

Run Analysis to enrich with VirusTotal data

+
+ )} +
+
+ + {/* Email Content */} + + + + + Raw Email + + + + {alert.rawEmailHeaders || alert.rawEmailBody ? ( + + + Headers + Body + + Links + {alert.extractedLinks.length > 0 && ( + + {alert.extractedLinks.length} + + )} + + + + +
+ {alert.rawEmailHeaders ? ( + + + {Object.entries(alert.rawEmailHeaders).map(([key, value]) => ( + + + + + ))} + +
+ {key}: + {value}
+ ) : ( +

No header data available

+ )} +
+
+ + +
+ {alert.rawEmailBody ? ( +
+                          {alert.rawEmailBody}
+                        
+ ) : ( +

No body content available

+ )} +
+
+ + + {alert.extractedLinks.length > 0 ? ( +
+ {alert.extractedLinks.map((link, i) => ( +
+ + {link} +
+ ))} +
+ ) : ( +

+ No links extracted +

+ )} +
+
+ ) : ( +
+ +

No email data available

+

+ Email data is fetched during ingestion via the Gmail API +

+
+ )} +
+
+
+
+ + setDialogAction(null)} + /> +
+ );
+}
diff --git a/app/api/alerts/[id]/route.ts b/app/api/alerts/[id]/route.ts
new file mode 100644
index 0000000..474caa6
--- /dev/null
+++ b/app/api/alerts/[id]/route.ts
@@ -0,0 +1,38 @@
+/**
+ * GET /api/alerts/[id]
+ * Returns full details for a single phishing alert.
+ */
+
+import { NextRequest, NextResponse } from "next/server";
+import { db } from "@/lib/db";
+
+export async function GET(
+ _request: NextRequest,
+ { params }: { params: Promise<{ id: string }> }
+) {
+ const { id } = await params;
+
+ try {
+ const alert = await db.phishingAlert.findUnique({ where: { id } });
+
+ if (!alert) {
+ return NextResponse.json({ error: "Alert not found" }, { status: 404 });
+ }
+
+ // Parse JSON fields for convenience
+ const parsed = {
+ ...alert,
+ rawEmailHeaders: alert.rawEmailHeaders ? JSON.parse(alert.rawEmailHeaders) : null,
+ extractedLinks: alert.extractedLinks ? JSON.parse(alert.extractedLinks) : [],
+ vtSenderDomainScore: alert.vtSenderDomainScore ? JSON.parse(alert.vtSenderDomainScore) : null,
+ vtSenderIpScore: alert.vtSenderIpScore ? JSON.parse(alert.vtSenderIpScore) : null,
+ vtUrlScores: alert.vtUrlScores ? JSON.parse(alert.vtUrlScores) : [],
+ purgeResults: alert.purgeResults ? JSON.parse(alert.purgeResults) : null,
+ };
+
+ return NextResponse.json({ alert: parsed });
+ } catch (error) {
+ console.error("Failed to fetch alert:", error);
+ return NextResponse.json({ error: "Failed to fetch alert" }, { status: 500 });
+ }
+}
diff --git a/app/api/alerts/route.ts b/app/api/alerts/route.ts
new file mode 100644
index 0000000..38453bd
--- /dev/null
+++ b/app/api/alerts/route.ts
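Review bot: The Links tab renders every entry of `alert.extractedLinks`, which are URLs lifted from a suspected phishing email, and the surrounding markup was stripped from this extract, so whether each entry is a clickable anchor cannot be confirmed here; if it is, an analyst can navigate straight to the attacker-controlled URL from the triage view. Render them as inert text (or defanged, e.g. `link.replace("://", "[://]")`) with a copy action instead of an `href`, and keep `rel="noopener noreferrer"` on any anchor that must remain. Separately, the state variable `alert` shadows the global `window.alert` for the whole component body; `const [alertData, setAlertData] = ...` avoids that confusion. The error branch also shows `String(err)` verbatim to the user, which leaks fetch internals into the UI; a fixed message with the detail logged to the console is the usual pattern.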
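Review bot: Nothing in this GET handler authenticates or authorizes the caller; `findUnique({ where: { id } })` returns the full record, including `rawEmailHeaders` and `rawEmailBody`, to anyone who can reach the server with an id, and `.env.local.example` marks NEXTAUTH_SECRET as "Future Use", so no upstream guard appears to exist yet. The same gap applies to the other new route handlers in this patch: `app/api/alerts/route.ts`, `app/api/analyze/[id]/route.ts`, `app/api/ingest/start/route.ts` and, most critically, `app/api/remediate/[id]/route.ts`, which performs the domain-wide purge. Until session auth lands, gate these handlers behind one shared server-side check (validate a session or a configured bearer token, return 401 otherwise) and state the assumption at the top of each route, e.g. `// TODO(auth): unauthenticated handler — must sit behind the NextAuth guard before any non-local deployment`. The six `JSON.parse` calls are covered by the outer `try`, but a corrupt row then surfaces only as the generic "Failed to fetch alert"; a small parse helper that logs which column failed would make that debuggable.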
@@ -0,0 +1,39 @@
+/**
+ * GET /api/alerts
+ * Returns all phishing alerts for the dashboard queue.
+ */
+
+import { NextResponse } from "next/server";
+import { db } from "@/lib/db";
+
+export async function GET() {
+ try {
+ const alerts = await db.phishingAlert.findMany({
+ orderBy: { createdAt: "desc" },
+ select: {
+ id: true,
+ createdAt: true,
+ updatedAt: true,
+ jiraTicketKey: true,
+ jiraTicketUrl: true,
+ jiraSummary: true,
+ actorEmail: true,
+ reportedByEmail: true,
+ activityDate: true,
+ googleMessageId: true,
+ rfc2822MessageId: true,
+ aiClassification: true,
+ aiConfidenceScore: true,
+ status: true,
+ analystAction: true,
+ remediatedAt: true,
+ closedAt: true,
+ },
+ });
+
+ return NextResponse.json({ alerts });
+ } catch (error) {
+ console.error("Failed to fetch alerts:", error);
+ return NextResponse.json({ error: "Failed to fetch alerts" }, { status: 500 });
+ }
+}
diff --git a/app/api/analyze/[id]/route.ts b/app/api/analyze/[id]/route.ts
new file mode 100644
index 0000000..e91f023
--- /dev/null
+++ b/app/api/analyze/[id]/route.ts
@@ -0,0 +1,110 @@
+/**
+ * POST /api/analyze/[id]
+ *
+ * Runs the analysis phase for a given alert:
+ * 1. VirusTotal OSINT enrichment (domain, IP, URLs)
+ * 2. OpenRouter AI classification
+ * 3. Updates the database with results
+ * 4. Sets status to AWAITING_REVIEW
+ */
+
+import { NextRequest, NextResponse } from "next/server";
+import { db } from "@/lib/db";
+import { enrichWithOSINT } from "@/lib/virustotal";
+import { analyzeEmail } from "@/lib/ai";
+
+export async function POST(
+ _request: NextRequest,
+ { params }: { params: Promise<{ id: string }> }
+) {
+ const { id } = await params;
+
+ try {
+ const alert = await db.phishingAlert.findUnique({ where: { id } });
+
+ if (!alert) {
+ return NextResponse.json({ error: "Alert not found" }, { status: 404 });
+ }
+
+ if (!alert.rawEmailHeaders && !alert.rawEmailBody) {
+ return NextResponse.json(
+ { error: "No email data available for analysis. Run ingestion first." },
+ { status: 400 }
+ );
+ }
+
+ // Parse stored data
+ const headers = alert.rawEmailHeaders
+ ? (JSON.parse(alert.rawEmailHeaders) as Record)
+ : {};
+ const extractedLinks = alert.extractedLinks
+ ? (JSON.parse(alert.extractedLinks) as string[])
+ : [];
+
+ // Step 1: OSINT Enrichment
+ let osintResults;
+ try {
+ osintResults = await enrichWithOSINT({
+ senderDomain: alert.vtSenderDomain ?? alert.actorEmail.split("@")[1] ?? "",
+ senderIp: alert.vtSenderIp ?? null,
+ extractedLinks,
+ });
+ } catch (osintError) {
+ console.warn("OSINT enrichment failed:", osintError);
+ osintResults = {
+ senderDomain: alert.vtSenderDomain ?? "",
+ senderDomainScore: null,
+ senderIp: alert.vtSenderIp ?? null,
+ senderIpScore: null,
+ urlResults: [],
+ };
+ }
+
+ // Step 2: AI Analysis
+ let aiResult;
+ try {
+ aiResult = await analyzeEmail({
+ headers,
+ bodyText: alert.rawEmailBody ?? "",
+ bodyHtml: "",
+ extractedLinks,
+ osint: osintResults,
+ });
+ } catch (aiError) {
+ console.error("AI analysis failed:", aiError);
+ return NextResponse.json(
+ { error: `AI analysis failed: ${String(aiError)}` },
+ { status: 500 }
+ );
+ }
+
+ // Step 3: Update the database
+ const updated = await db.phishingAlert.update({
+ where: { id },
+ data: {
+ vtSenderDomain: osintResults.senderDomain,
+ vtSenderDomainScore: JSON.stringify(osintResults.senderDomainScore),
+ vtSenderIp: osintResults.senderIp ?? undefined,
+ vtSenderIpScore: JSON.stringify(osintResults.senderIpScore),
+ vtUrlScores: JSON.stringify(osintResults.urlResults),
+ aiClassification: aiResult.classification,
+ aiConfidenceScore: aiResult.confidence_score,
+ aiReasoning: aiResult.reasoning,
+ status: "AWAITING_REVIEW",
+ },
+ });
+
+ return NextResponse.json({
+ message: "Analysis complete",
+ alert: updated,
+ osint: osintResults,
+ ai: aiResult,
+ });
+ } catch (error) {
+ console.error("Analysis error:", error);
+ return NextResponse.json(
+ { error: `Analysis failed: ${String(error)}` },
+ { status: 500 }
+ );
+ }
+}
diff --git a/app/api/ingest/start/route.ts b/app/api/ingest/start/route.ts
new file mode 100644
index 0000000..ccfbe0b
--- /dev/null
+++ b/app/api/ingest/start/route.ts
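Review bot: The handler has no status gate, so a POST against an alert already in `REMEDIATED` or `CLOSED` re-runs enrichment and flips `status` back to `AWAITING_REVIEW`, silently reopening a resolved case; add after the 404 check `if (alert.status === "REMEDIATED" || alert.status === "CLOSED") return NextResponse.json({ error: "Alert is already resolved" }, { status: 409 });`. The `JSON.stringify` calls on `senderDomainScore` and `senderIpScore` persist the literal string `"null"` when enrichment fell back, which the GET route only tolerates because a non-empty string is truthy before its `JSON.parse`; storing a real `null` (`score == null ? null : JSON.stringify(score)`) keeps the column honest. The headers and body handed to `analyzeEmail` are attacker-authored content, so `aiResult.classification` and `confidence_score` can be steered by text inside the email; the header comment should state that the result is advisory and must never trigger remediation without analyst review, which this route respects today but does not document.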
@@ -0,0 +1,155 @@
+/**
+ * POST /api/ingest/start
+ *
+ * Manual trigger endpoint for the phishing alert ingestion workflow.
+ * 1. Fetches open phishing tickets from Jira
+ * 2. Parses ticket descriptions to extract actor, reporter, date
+ * 3. Queries Google Alert Center for the exact messageId
+ * 4. Fetches the raw email via Gmail API
+ * 5. Stores all data in the database as a PhishingAlert record
+ */
+
+import { NextResponse } from "next/server";
+import { db } from "@/lib/db";
+import { fetchPhishingTickets, parseTicketDescription } from "@/lib/jira";
+import { findAlertByActor, fetchEmailData } from "@/lib/google";
+
+export async function POST() {
+ const results = {
+ processed: 0,
+ skipped: 0,
+ errors: [] as string[],
+ newAlerts: [] as string[],
+ };
+
+ try {
+ // Step 1: Fetch open phishing tickets from Jira
+ let tickets;
+ try {
+ tickets = await fetchPhishingTickets();
+ } catch (error) {
+ return NextResponse.json(
+ { error: `Failed to fetch Jira tickets: ${String(error)}` },
+ { status: 500 }
+ );
+ }
+
+ if (tickets.length === 0) {
+ return NextResponse.json({
+ message: "No phishing tickets found in Jira",
+ ...results,
+ });
+ }
+
+ // Step 2: Process each ticket
+ for (const ticket of tickets) {
+ try {
+ // Check if we already have this ticket in the database
+ const existing = await db.phishingAlert.findUnique({
+ where: { jiraTicketId: ticket.id },
+ });
+
+ if (existing) {
+ results.skipped++;
+ continue;
+ }
+
+ // Parse the ticket description
+ const parsed = parseTicketDescription(ticket.description);
+
+ if (!parsed.actorEmail || !parsed.reportedByEmail) {
+ results.errors.push(
+ `Ticket ${ticket.key}: Could not parse actor/reporter from description`
+ );
+ continue;
+ }
+
+ // Create initial alert record
+ const alert = await db.phishingAlert.create({
+ data: {
+ jiraTicketId: ticket.id,
+ jiraTicketKey: ticket.key,
+ jiraTicketUrl: ticket.url,
+ jiraSummary: ticket.summary,
+ actorEmail: parsed.actorEmail,
+ reportedByEmail: parsed.reportedByEmail,
+ activityDate: parsed.activityDate ?? undefined,
+ status: "INGESTED",
+ },
+ });
+
+ // Step 3: Query Alert Center for messageId
+ let googleMessageId: string | null = null;
+ let rfc2822MessageId: string | null = null;
+
+ try {
+ const alertResult = await findAlertByActor(parsed.actorEmail, parsed.activityDate);
+ if (alertResult) {
+ googleMessageId = alertResult.googleMessageId;
+ rfc2822MessageId = alertResult.rfc2822MessageId;
+ }
+ } catch (alertError) {
+ console.warn(`Alert Center lookup failed for ${ticket.key}:`, alertError);
+ // Continue without alert center data — we can still try Gmail search
+ }
+
+ // Step 4: Fetch raw email via Gmail API
+ if (googleMessageId) {
+ try {
+ const emailData = await fetchEmailData(googleMessageId, parsed.reportedByEmail);
+
+ await db.phishingAlert.update({
+ where: { id: alert.id },
+ data: {
+ googleMessageId: emailData.googleMessageId,
+ rfc2822MessageId: emailData.rfc2822MessageId,
+ rawEmailHeaders: JSON.stringify(emailData.headers),
+ rawEmailBody: emailData.bodyText || emailData.bodyHtml,
+ extractedLinks: JSON.stringify(emailData.extractedLinks),
+ vtSenderDomain: emailData.senderDomain,
+ vtSenderIp: emailData.senderIp ?? undefined,
+ status: "ANALYZING",
+ },
+ });
+ } catch (gmailError) {
+ console.warn(`Gmail fetch failed for ${ticket.key}:`, gmailError);
+ // Update status but keep the partial data
+ await db.phishingAlert.update({
+ where: { id: alert.id },
+ data: {
+ googleMessageId: googleMessageId ?? undefined,
+ rfc2822MessageId: rfc2822MessageId ?? undefined,
+ status: "INGESTED",
+ },
+ });
+ }
+ } else {
+ // No Google message ID found — store what we have
+ await db.phishingAlert.update({
+ where: { id: alert.id },
+ data: {
+ rfc2822MessageId: rfc2822MessageId ?? undefined,
+ status: "INGESTED",
+ },
+ });
+ }
+
+ results.processed++;
+ results.newAlerts.push(ticket.key);
+ } catch (ticketError) {
+ results.errors.push(`Ticket ${ticket.key}: ${String(ticketError)}`);
+ }
+ }
+
+ return NextResponse.json({
+ message: `Ingestion complete. Processed ${results.processed} new alerts, skipped ${results.skipped} existing.`,
+ ...results,
+ });
+ } catch (error) {
+ console.error("Ingestion error:", error);
+ return NextResponse.json(
+ { error: `Ingestion failed: ${String(error)}` },
+ { status: 500 }
+ );
+ }
+}
diff --git a/app/api/remediate/[id]/route.ts b/app/api/remediate/[id]/route.ts
new file mode 100644
index 0000000..91abf98
--- /dev/null
+++ b/app/api/remediate/[id]/route.ts
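Review bot: A ticket whose row was created but whose email fetch did not succeed (the `gmailError` branch, or Alert Center returning no `googleMessageId`) is left in `INGESTED` with no headers or body, and on every later run the `existing` check at the top of the loop counts it as skipped, so it is never retried; meanwhile `/api/analyze` rejects it with "Run ingestion first", leaving the alert stuck. Let the skip only short-circuit rows that already hold email data, e.g. `if (existing && existing.rawEmailBody) { results.skipped++; continue; }`, and route the rest through the same Alert Center and Gmail steps with an `update` instead of `create`, persisting the fetch error on the record so the UI can show why it is incomplete. Two concurrent POSTs can also both pass `findUnique` and race on `create`; the unique `jiraTicketId` makes the loser throw into `results.errors`, which is acceptable but worth a one-line comment. `parsed.actorEmail` originates from a Jira ticket description, so `findAlertByActor` receives ticket-author-controlled text; that helper is outside this hunk, so confirm it passes the value as a structured parameter rather than interpolating it into a filter string.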
@@ -0,0 +1,176 @@
+/**
+ * POST /api/remediate/[id]
+ *
+ * Handles analyst remediation actions:
+ * - action: "REMEDIATE" — Domain-wide purge (trash email from all user inboxes) + close Jira ticket
+ * - action: "CLOSE" — Mark as safe/false positive + close Jira ticket
+ */
+
+import { NextRequest, NextResponse } from "next/server";
+import { db } from "@/lib/db";
+import { postJiraComment, closeJiraTicket } from "@/lib/jira";
+import { listAllDomainUsers, trashMessageForUser } from "@/lib/google";
+
+type RemediateAction = "REMEDIATE" | "CLOSE";
+
+export async function POST(
+  request: NextRequest,
+  { params }: { params: Promise<{ id: string }> }
+) {
+  const { id } = await params;
+  const body = await request.json() as { action: RemediateAction; note?: string };
+  const { action, note } = body;
+
+  if (!action || !["REMEDIATE", "CLOSE"].includes(action)) {
+    return NextResponse.json(
+      { error: "Invalid action. Must be 'REMEDIATE' or 'CLOSE'" },
+      { status: 400 }
+    );
+  }
+
+  try {
+    const alert = await db.phishingAlert.findUnique({ where: { id } });
+
+    if (!alert) {
+      return NextResponse.json({ error: "Alert not found" }, { status: 404 });
+    }
+
+    if (action === "REMEDIATE") {
+      return await handleRemediate(alert, note);
+    } else {
+      return await handleClose(alert, note);
+    }
+  } catch (error) {
+    console.error("Remediation error:", error);
+    return NextResponse.json(
+      { error: `Remediation failed: ${String(error)}` },
+      { status: 500 }
+    );
+  }
+}
+
+async function handleRemediate(
+  alert: {
+    id: string;
+    jiraTicketKey: string;
+    rfc2822MessageId: string | null;
+    actorEmail: string;
+    aiClassification: string | null;
+    aiConfidenceScore: number | null;
+    aiReasoning: string | null;
+  },
+  note?: string
+) {
+  if (!alert.rfc2822MessageId) {
+    return NextResponse.json(
+      { error: "No RFC 2822 Message-ID available for domain-wide search. Run ingestion first." },
+      { status: 400 }
+    );
+  }
+
+  // Step 1: Get all domain users
+  let allUsers: string[] = [];
+  try {
+    allUsers = await listAllDomainUsers();
+  } catch (error) {
+    return NextResponse.json(
+      { error: `Failed to list domain users: ${String(error)}` },
+      { status: 500 }
+    );
+  }
+
+  // Step 2: Search each user's inbox and trash the malicious email
+  const affectedUsers: string[] = [];
+  let usersSearched = 0;
+
+  for (const userEmail of allUsers) {
+    const found = await trashMessageForUser(userEmail, alert.rfc2822MessageId);
+    usersSearched++;
+    if (found) {
+      affectedUsers.push(userEmail);
+    }
+  }
+
+  const purgeResults = { usersSearched, usersAffected: affectedUsers };
+
+  // Step 3: Post Jira comment and close ticket
+  const aiSummary = alert.aiClassification
+    ? `Classification: ${alert.aiClassification} (${alert.aiConfidenceScore}% confidence)\n${alert.aiReasoning ?? ""}`
+    : "AI analysis was not completed.";
+
+  const jiraComment = `Domain-wide purge executed. Triaged in SecureCatch dashboard, reviewed headers.
+> checked OSINT on IoCs
+> identified extent of compromise
+
+*Results*
+${aiSummary}
+
+*Follow up actions taken*
+Executed domain-wide search for RFC2822 Message-ID: ${alert.rfc2822MessageId}
+Message successfully trashed from ${affectedUsers.length} affected user inbox(es) out of ${usersSearched} users searched.
+Affected users: ${affectedUsers.length > 0 ? affectedUsers.join(", ") : "None found"}
+${note ? `\nAnalyst Note: ${note}` : ""}`;
+
+  try {
+    await postJiraComment(alert.jiraTicketKey, jiraComment);
+    await closeJiraTicket(alert.jiraTicketKey);
+  } catch (jiraError) {
+    console.warn("Jira update failed (non-fatal):", jiraError);
+    // Continue — the purge already happened
+  }
+
+  // Step 4: Update the database
+  const updated = await db.phishingAlert.update({
+    where: { id: alert.id },
+    data: {
+      analystAction: "REMEDIATE",
+      analystNote: note ?? null,
+      status: "REMEDIATED",
+      remediatedAt: new Date(),
+      purgeResults: JSON.stringify(purgeResults),
+    },
+  });
+
+  return NextResponse.json({
+    message: `Domain-wide purge complete. Trashed email from ${affectedUsers.length} user(s) out of ${usersSearched} searched.`,
+    alert: updated,
+    purgeResults,
+  });
+}
+
+async function handleClose(
+  alert: {
+    id: string;
+    jiraTicketKey: string;
+    aiClassification: string | null;
+  },
+  note?: string
+) {
+  // Post false positive comment to Jira
+  const jiraComment = `Ticket closed as false positive via SecureCatch dashboard.
+Classification: ${alert.aiClassification ?? "Not analyzed"}
+${note ? `\nAnalyst Note: ${note}` : ""}
+No remediation actions taken.`;
+
+  try {
+    await postJiraComment(alert.jiraTicketKey, jiraComment);
+    await closeJiraTicket(alert.jiraTicketKey);
+  } catch (jiraError) {
+    console.warn("Jira update failed (non-fatal):", jiraError);
+  }
+
+  const updated = await db.phishingAlert.update({
+    where: { id: alert.id },
+    data: {
+      analystAction: "CLOSE",
+      analystNote: note ?? null,
+      status: "CLOSED",
+      closedAt: new Date(),
+    },
+  });
+
+  return NextResponse.json({
+    message: "Alert closed as false positive",
+    alert: updated,
+  });
+}
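Review bot: The `POST` handler in app/api/remediate/[id]/route.ts performs a destructive, domain-wide action (trashing a message from every user mailbox and closing the Jira ticket) with no authentication or authorization check visible between reading the body and calling `db.phishingAlert.findUnique`, and the commit's file list shows no middleware that would supply one, so unless a deployment-level guard exists outside this diff any caller that can reach the route can trigger the purge; the handler should verify the analyst's identity and role before touching the alert. In `handleRemediate`, the Step 2 loop awaits `trashMessageForUser` with no per-user try/catch, so one failing mailbox throws out of the loop into the 500 path of `POST`, the partial `purgeResults` are never persisted, and the alert keeps its pre-purge status although some inboxes were already modified — isolate failures per user and record them, as below. The 500 responses in `POST` and Step 1 also echo `String(error)` to the client, which can carry Google/Jira API error details; log the full error server-side and return a fixed message such as `{ error: "Remediation failed" }`. The body cast `request.json() as { action: RemediateAction; note?: string }` leaves `note` unvalidated even though it is interpolated into the Jira comment and stored, so add `if (note !== undefined && typeof note !== "string") return NextResponse.json({ error: "note must be a string" }, { status: 400 });` after the action check. A repeated POST for an alert already in `REMEDIATED` or `CLOSED` status re-runs the purge and re-posts the Jira comment; a status guard after the 404 check would make the action idempotent.

```typescript
  // Step 2: Search each user's inbox and trash the malicious email
  const affectedUsers: string[] = [];
  const failedUsers: string[] = [];
  let usersSearched = 0;

  for (const userEmail of allUsers) {
    usersSearched++;
    try {
      // One mailbox failing must not abort the purge for the rest of the domain
      if (await trashMessageForUser(userEmail, alert.rfc2822MessageId)) {
        affectedUsers.push(userEmail);
      }
    } catch (userError) {
      console.warn(`Purge failed for ${userEmail}:`, userError);
      failedUsers.push(userEmail);
    }
  }

  const purgeResults = { usersSearched, usersAffected: affectedUsers, usersFailed: failedUsers };
  // … unchanged: Jira comment, DB update, response …
```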
diff --git a/app/favicon.ico b/app/favicon.ico new file mode 100644 index 0000000000000000000000000000000000000000..718d6fea4835ec2d246af9800eddb7ffb276240c GIT binary patch literal 25931 zcmeHv30#a{`}aL_*G&7qml|y<+KVaDM2m#dVr!KsA!#An?kSQM(q<_dDNCpjEux83 zLb9Z^XxbDl(w>%i@8hT6>)&Gu{h#Oeyszu?xtw#Zb1mO{pgX9699l+Qppw7jXaYf~-84xW z)w4x8?=youko|}Vr~(D$UXIbiXABHh`p1?nn8Po~fxRJv}|0e(BPs|G`(TT%kKVJAdg5*Z|x0leQq0 zkdUBvb#>9F()jo|T~kx@OM8$9wzs~t2l;K=woNssA3l6|sx2r3+kdfVW@e^8e*E}v zA1y5{bRi+3Z`uD3{F7LgFJDdvm;nJilkzDku>BwXH(8ItVCXk*-lSJnR?-2UN%hJ){&rlvg`CDTj z)Bzo!3v7Ou#83zEDEFcKt(f1E0~=rqeEbTnMvWR#{+9pg%7G8y>u1OVRUSoox-ovF z2Ydma(;=YuBY(eI|04{hXzZD6_f(v~H;C~y5=DhAC{MMS>2fm~1H_t2$56pc$NH8( z5bH|<)71dV-_oCHIrzrT`2s-5w_+2CM0$95I6X8p^r!gHp+j_gd;9O<1~CEQQGS8) zS9Qh3#p&JM-G8rHekNmKVewU;pJRcTAog68KYo^dRo}(M>36U4Us zfgYWSiHZL3;lpWT=zNAW>Dh#mB!_@Lg%$ms8N-;aPqMn+C2HqZgz&9~Eu z4|Kp<`$q)Uw1R?y(~S>ePdonHxpV1#eSP1B;Ogo+-Pk}6#0GsZZ5!||ev2MGdh}_m z{DeR7?0-1^zVs&`AV6Vt;r3`I`OI_wgs*w=eO%_#7Kepl{B@xiyCANc(l zzIyd4y|c6PXWq9-|KM8(zIk8LPk(>a)zyFWjhT!$HJ$qX1vo@d25W<fvZQ2zUz5WRc(UnFMKHwe1| zWmlB1qdbiA(C0jmnV<}GfbKtmcu^2*P^O?MBLZKt|As~ge8&AAO~2K@zbXelK|4T<{|y4`raF{=72kC2Kn(L4YyenWgrPiv z@^mr$t{#X5VuIMeL!7Ab6_kG$&#&5p*Z{+?5U|TZ`B!7llpVmp@skYz&n^8QfPJzL z0G6K_OJM9x+Wu2gfN45phANGt{7=C>i34CV{Xqlx(fWpeAoj^N0Biu`w+MVcCUyU* zDZuzO0>4Z6fbu^T_arWW5n!E45vX8N=bxTVeFoep_G#VmNlQzAI_KTIc{6>c+04vr zx@W}zE5JNSU>!THJ{J=cqjz+4{L4A{Ob9$ZJ*S1?Ggg3klFp!+Y1@K+pK1DqI|_gq z5ZDXVpge8-cs!o|;K73#YXZ3AShj50wBvuq3NTOZ`M&qtjj#GOFfgExjg8Gn8>Vq5 z`85n+9|!iLCZF5$HJ$Iu($dm?8~-ofu}tEc+-pyke=3!im#6pk_Wo8IA|fJwD&~~F zc16osQ)EBo58U7XDuMexaPRjU@h8tXe%S{fA0NH3vGJFhuyyO!Uyl2^&EOpX{9As0 zWj+P>{@}jxH)8|r;2HdupP!vie{sJ28b&bo!8`D^x}TE$%zXNb^X1p@0PJ86`dZyj z%ce7*{^oo+6%&~I!8hQy-vQ7E)0t0ybH4l%KltWOo~8cO`T=157JqL(oq_rC%ea&4 z2NcTJe-HgFjNg-gZ$6!Y`SMHrlj}Etf7?r!zQTPPSv}{so2e>Fjs1{gzk~LGeesX%r(Lh6rbhSo_n)@@G-FTQy93;l#E)hgP@d_SGvyCp0~o(Y;Ee8{ zdVUDbHm5`2taPUOY^MAGOw*>=s7=Gst=D+p+2yON!0%Hk` 
zz5mAhyT4lS*T3LS^WSxUy86q&GnoHxzQ6vm8)VS}_zuqG?+3td68_x;etQAdu@sc6 zQJ&5|4(I?~3d-QOAODHpZ=hlSg(lBZ!JZWCtHHSj`0Wh93-Uk)_S%zsJ~aD>{`A0~ z9{AG(e|q3g5B%wYKRxiL2Y$8(4w6bzchKuloQW#e&S3n+P- z8!ds-%f;TJ1>)v)##>gd{PdS2Oc3VaR`fr=`O8QIO(6(N!A?pr5C#6fc~Ge@N%Vvu zaoAX2&(a6eWy_q&UwOhU)|P3J0Qc%OdhzW=F4D|pt0E4osw;%<%Dn58hAWD^XnZD= z>9~H(3bmLtxpF?a7su6J7M*x1By7YSUbxGi)Ot0P77`}P3{)&5Un{KD?`-e?r21!4vTTnN(4Y6Lin?UkSM z`MXCTC1@4A4~mvz%Rh2&EwY))LeoT=*`tMoqcEXI>TZU9WTP#l?uFv+@Dn~b(>xh2 z;>B?;Tz2SR&KVb>vGiBSB`@U7VIWFSo=LDSb9F{GF^DbmWAfpms8Sx9OX4CnBJca3 zlj9(x!dIjN?OG1X4l*imJNvRCk}F%!?SOfiOq5y^mZW)jFL@a|r-@d#f7 z2gmU8L3IZq0ynIws=}~m^#@&C%J6QFo~Mo4V`>v7MI-_!EBMMtb%_M&kvAaN)@ZVw z+`toz&WG#HkWDjnZE!6nk{e-oFdL^$YnbOCN}JC&{$#$O27@|Tn-skXr)2ml2~O!5 zX+gYoxhoc7qoU?C^3~&!U?kRFtnSEecWuH0B0OvLodgUAi}8p1 zrO6RSXHH}DMc$&|?D004DiOVMHV8kXCP@7NKB zgaZq^^O<7PoKEp72kby@W0Z!Y*Ay{&vfg#C&gG@YVR9g?FEocMUi1gSN$+V+ayF45{a zuDZDTN}mS|;BO%gEf}pjBfN2-gIrU#G5~cucA;dokXW89%>AyXJJI z9X4UlIWA|ZYHgbI z5?oFk@A=Ik7lrEQPDH!H+b`7_Y~aDb_qa=B2^Y&Ow41cU=4WDd40dp5(QS-WMN-=Y z9g;6_-JdNU;|6cPwf$ak*aJIcwL@1n$#l~zi{c{EW?T;DaW*E8DYq?Umtz{nJ&w-M zEMyTDrC&9K$d|kZe2#ws6)L=7K+{ zQw{XnV6UC$6-rW0emqm8wJoeZK)wJIcV?dST}Z;G0Arq{dVDu0&4kd%N!3F1*;*pW zR&qUiFzK=@44#QGw7k1`3t_d8&*kBV->O##t|tonFc2YWrL7_eqg+=+k;!F-`^b8> z#KWCE8%u4k@EprxqiV$VmmtiWxDLgnGu$Vs<8rppV5EajBXL4nyyZM$SWVm!wnCj-B!Wjqj5-5dNXukI2$$|Bu3Lrw}z65Lc=1G z^-#WuQOj$hwNGG?*CM_TO8Bg-1+qc>J7k5c51U8g?ZU5n?HYor;~JIjoWH-G>AoUP ztrWWLbRNqIjW#RT*WqZgPJXU7C)VaW5}MiijYbABmzoru6EmQ*N8cVK7a3|aOB#O& zBl8JY2WKfmj;h#Q!pN%9o@VNLv{OUL?rixHwOZuvX7{IJ{(EdPpuVFoQqIOa7giLVkBOKL@^smUA!tZ1CKRK}#SSM)iQHk)*R~?M!qkCruaS!#oIL1c z?J;U~&FfH#*98^G?i}pA{ z9Jg36t4=%6mhY(quYq*vSxptes9qy|7xSlH?G=S@>u>Ebe;|LVhs~@+06N<4CViBk zUiY$thvX;>Tby6z9Y1edAMQaiH zm^r3v#$Q#2T=X>bsY#D%s!bhs^M9PMAcHbCc0FMHV{u-dwlL;a1eJ63v5U*?Q_8JO zT#50!RD619#j_Uf))0ooADz~*9&lN!bBDRUgE>Vud-i5ck%vT=r^yD*^?Mp@Q^v+V zG#-?gKlr}Eeqifb{|So?HM&g91P8|av8hQoCmQXkd?7wIJwb z_^v8bbg`SAn{I*4bH$u(RZ6*xUhuA~hc=8czK8SHEKTzSxgbwi~9(OqJB&gwb^l4+m`k*Q;_?>Y-APi1{k 
zAHQ)P)G)f|AyjSgcCFps)Fh6Bca*Xznq36!pV6Az&m{O8$wGFD? zY&O*3*J0;_EqM#jh6^gMQKpXV?#1?>$ml1xvh8nSN>-?H=V;nJIwB07YX$e6vLxH( zqYwQ>qxwR(i4f)DLd)-$P>T-no_c!LsN@)8`e;W@)-Hj0>nJ-}Kla4-ZdPJzI&Mce zv)V_j;(3ERN3_@I$N<^|4Lf`B;8n+bX@bHbcZTopEmDI*Jfl)-pFDvo6svPRoo@(x z);_{lY<;);XzT`dBFpRmGrr}z5u1=pC^S-{ce6iXQlLGcItwJ^mZx{m$&DA_oEZ)B{_bYPq-HA zcH8WGoBG(aBU_j)vEy+_71T34@4dmSg!|M8Vf92Zj6WH7Q7t#OHQqWgFE3ARt+%!T z?oLovLVlnf?2c7pTc)~cc^($_8nyKwsN`RA-23ed3sdj(ys%pjjM+9JrctL;dy8a( z@en&CQmnV(()bu|Y%G1-4a(6x{aLytn$T-;(&{QIJB9vMox11U-1HpD@d(QkaJdEb zG{)+6Dos_L+O3NpWo^=gR?evp|CqEG?L&Ut#D*KLaRFOgOEK(Kq1@!EGcTfo+%A&I z=dLbB+d$u{sh?u)xP{PF8L%;YPPW53+@{>5W=Jt#wQpN;0_HYdw1{ksf_XhO4#2F= zyPx6Lx2<92L-;L5PD`zn6zwIH`Jk($?Qw({erA$^bC;q33hv!d!>%wRhj# zal^hk+WGNg;rJtb-EB(?czvOM=H7dl=vblBwAv>}%1@{}mnpUznfq1cE^sgsL0*4I zJ##!*B?=vI_OEVis5o+_IwMIRrpQyT_Sq~ZU%oY7c5JMIADzpD!Upz9h@iWg_>>~j zOLS;wp^i$-E?4<_cp?RiS%Rd?i;f*mOz=~(&3lo<=@(nR!_Rqiprh@weZlL!t#NCc zO!QTcInq|%#>OVgobj{~ixEUec`E25zJ~*DofsQdzIa@5^nOXj2T;8O`l--(QyU^$t?TGY^7#&FQ+2SS3B#qK*k3`ye?8jUYSajE5iBbJls75CCc(m3dk{t?- zopcER9{Z?TC)mk~gpi^kbbu>b-+a{m#8-y2^p$ka4n60w;Sc2}HMf<8JUvhCL0B&Btk)T`ctE$*qNW8L$`7!r^9T+>=<=2qaq-;ll2{`{Rg zc5a0ZUI$oG&j-qVOuKa=*v4aY#IsoM+1|c4Z)<}lEDvy;5huB@1RJPquU2U*U-;gu z=En2m+qjBzR#DEJDO`WU)hdd{Vj%^0V*KoyZ|5lzV87&g_j~NCjwv0uQVqXOb*QrQ zy|Qn`hxx(58c70$E;L(X0uZZ72M1!6oeg)(cdKO ze0gDaTz+ohR-#d)NbAH4x{I(21yjwvBQfmpLu$)|m{XolbgF!pmsqJ#D}(ylp6uC> z{bqtcI#hT#HW=wl7>p!38sKsJ`r8}lt-q%Keqy%u(xk=yiIJiUw6|5IvkS+#?JTBl z8H5(Q?l#wzazujH!8o>1xtn8#_w+397*_cy8!pQGP%K(Ga3pAjsaTbbXJlQF_+m+-UpUUent@xM zg%jqLUExj~o^vQ3Gl*>wh=_gOr2*|U64_iXb+-111aH}$TjeajM+I20xw(((>fej-@CIz4S1pi$(#}P7`4({6QS2CaQS4NPENDp>sAqD z$bH4KGzXGffkJ7R>V>)>tC)uax{UsN*dbeNC*v}#8Y#OWYwL4t$ePR?VTyIs!wea+ z5Urmc)X|^`MG~*dS6pGSbU+gPJoq*^a=_>$n4|P^w$sMBBy@f*Z^Jg6?n5?oId6f{ z$LW4M|4m502z0t7g<#Bx%X;9<=)smFolV&(V^(7Cv2-sxbxopQ!)*#ZRhTBpx1)Fc zNm1T%bONzv6@#|dz(w02AH8OXe>kQ#1FMCzO}2J_mST)+ExmBr9cva-@?;wnmWMOk z{3_~EX_xadgJGv&H@zK_8{(x84`}+c?oSBX*Ge3VdfTt&F}yCpFP?CpW+BE^cWY0^ 
zb&uBN!Ja3UzYHK-CTyA5=L zEMW{l3Usky#ly=7px648W31UNV@K)&Ub&zP1c7%)`{);I4b0Q<)B}3;NMG2JH=X$U zfIW4)4n9ZM`-yRj67I)YSLDK)qfUJ_ij}a#aZN~9EXrh8eZY2&=uY%2N0UFF7<~%M zsB8=erOWZ>Ct_#^tHZ|*q`H;A)5;ycw*IcmVxi8_0Xk}aJA^ath+E;xg!x+As(M#0=)3!NJR6H&9+zd#iP(m0PIW8$ z1Y^VX`>jm`W!=WpF*{ioM?C9`yOR>@0q=u7o>BP-eSHqCgMDj!2anwH?s%i2p+Q7D zzszIf5XJpE)IG4;d_(La-xenmF(tgAxK`Y4sQ}BSJEPs6N_U2vI{8=0C_F?@7<(G; zo$~G=8p+076G;`}>{MQ>t>7cm=zGtfbdDXm6||jUU|?X?CaE?(<6bKDYKeHlz}DA8 zXT={X=yp_R;HfJ9h%?eWvQ!dRgz&Su*JfNt!Wu>|XfU&68iRikRrHRW|ZxzRR^`eIGt zIeiDgVS>IeExKVRWW8-=A=yA`}`)ZkWBrZD`hpWIxBGkh&f#ijr449~m`j6{4jiJ*C!oVA8ZC?$1RM#K(_b zL9TW)kN*Y4%^-qPpMP7d4)o?Nk#>aoYHT(*g)qmRUb?**F@pnNiy6Fv9rEiUqD(^O zzyS?nBrX63BTRYduaG(0VVG2yJRe%o&rVrLjbxTaAFTd8s;<<@Qs>u(<193R8>}2_ zuwp{7;H2a*X7_jryzriZXMg?bTuegABb^87@SsKkr2)0Gyiax8KQWstw^v#ix45EVrcEhr>!NMhprl$InQMzjSFH54x5k9qHc`@9uKQzvL4ihcq{^B zPrVR=o_ic%Y>6&rMN)hTZsI7I<3&`#(nl+3y3ys9A~&^=4?PL&nd8)`OfG#n zwAMN$1&>K++c{^|7<4P=2y(B{jJsQ0a#U;HTo4ZmWZYvI{+s;Td{Yzem%0*k#)vjpB zia;J&>}ICate44SFYY3vEelqStQWFihx%^vQ@Do(sOy7yR2@WNv7Y9I^yL=nZr3mb zXKV5t@=?-Sk|b{XMhA7ZGB@2hqsx}4xwCW!in#C zI@}scZlr3-NFJ@NFaJlhyfcw{k^vvtGl`N9xSo**rDW4S}i zM9{fMPWo%4wYDG~BZ18BD+}h|GQKc-g^{++3MY>}W_uq7jGHx{mwE9fZiPCoxN$+7 zrODGGJrOkcPQUB(FD5aoS4g~7#6NR^ma7-!>mHuJfY5kTe6PpNNKC9GGRiu^L31uG z$7v`*JknQHsYB!Tm_W{a32TM099djW%5e+j0Ve_ct}IM>XLF1Ap+YvcrLV=|CKo6S zb+9Nl3_YdKP6%Cxy@6TxZ>;4&nTneadr z_ES90ydCev)LV!dN=#(*f}|ZORFdvkYBni^aLbUk>BajeWIOcmHP#8S)*2U~QKI%S zyrLmtPqb&TphJ;>yAxri#;{uyk`JJqODDw%(Z=2`1uc}br^V%>j!gS)D*q*f_-qf8&D;W1dJgQMlaH5er zN2U<%Smb7==vE}dDI8K7cKz!vs^73o9f>2sgiTzWcwY|BMYHH5%Vn7#kiw&eItCqa zIkR2~Q}>X=Ar8W|^Ms41Fm8o6IB2_j60eOeBB1Br!boW7JnoeX6Gs)?7rW0^5psc- zjS16yb>dFn>KPOF;imD}e!enuIniFzv}n$m2#gCCv4jM#ArwlzZ$7@9&XkFxZ4n!V zj3dyiwW4Ki2QG{@i>yuZXQizw_OkZI^-3otXC{!(lUpJF33gI60ak;Uqitp74|B6I zgg{b=Iz}WkhCGj1M=hu4#Aw173YxIVbISaoc z-nLZC*6Tgivd5V`K%GxhBsp@SUU60-rfc$=wb>zdJzXS&-5(NRRodFk;Kxk!S(O(a0e7oY=E( zAyS;Ow?6Q&XA+cnkCb{28_1N8H#?J!*$MmIwLq^*T_9-z^&UE@A(z9oGYtFy6EZef LrJugUA?W`A8`#=m literal 
0 HcmV?d00001 diff --git a/app/globals.css b/app/globals.css new file mode 100644 index 0000000..c56032b --- /dev/null +++ b/app/globals.css 
@@ -0,0 +1,130 @@ +@import "tailwindcss"; +@import "tw-animate-css"; +@import "shadcn/tailwind.css"; + +@custom-variant dark (&:is(.dark *)); + +@theme inline { + --color-background: var(--background); + --color-foreground: var(--foreground); + --font-sans: var(--font-sans); + --font-mono: var(--font-geist-mono); + --font-heading: var(--font-sans); + --color-sidebar-ring: var(--sidebar-ring); + --color-sidebar-border: var(--sidebar-border); + --color-sidebar-accent-foreground: var(--sidebar-accent-foreground); + --color-sidebar-accent: var(--sidebar-accent); + --color-sidebar-primary-foreground: var(--sidebar-primary-foreground); + --color-sidebar-primary: var(--sidebar-primary); + --color-sidebar-foreground: var(--sidebar-foreground); + --color-sidebar: var(--sidebar); + --color-chart-5: var(--chart-5); + --color-chart-4: var(--chart-4); + --color-chart-3: var(--chart-3); + --color-chart-2: var(--chart-2); + --color-chart-1: var(--chart-1); + --color-ring: var(--ring); + --color-input: var(--input); + --color-border: var(--border); + --color-destructive: var(--destructive); + --color-accent-foreground: var(--accent-foreground); + --color-accent: var(--accent); + --color-muted-foreground: var(--muted-foreground); + --color-muted: var(--muted); + --color-secondary-foreground: var(--secondary-foreground); + --color-secondary: var(--secondary); + --color-primary-foreground: var(--primary-foreground); + --color-primary: var(--primary); + --color-popover-foreground: var(--popover-foreground); + --color-popover: var(--popover); + --color-card-foreground: var(--card-foreground); + --color-card: var(--card); + --radius-sm: calc(var(--radius) * 0.6); + --radius-md: calc(var(--radius) * 0.8); + --radius-lg: var(--radius); + --radius-xl: calc(var(--radius) * 1.4); + --radius-2xl: calc(var(--radius) * 1.8); + --radius-3xl: calc(var(--radius) * 2.2); + --radius-4xl: calc(var(--radius) * 2.6); +} + +:root { + --background: oklch(1 0 0); + --foreground: oklch(0.145 0 0); + 
--card: oklch(1 0 0); + --card-foreground: oklch(0.145 0 0); + --popover: oklch(1 0 0); + --popover-foreground: oklch(0.145 0 0); + --primary: oklch(0.205 0 0); + --primary-foreground: oklch(0.985 0 0); + --secondary: oklch(0.97 0 0); + --secondary-foreground: oklch(0.205 0 0); + --muted: oklch(0.97 0 0); + --muted-foreground: oklch(0.556 0 0); + --accent: oklch(0.97 0 0); + --accent-foreground: oklch(0.205 0 0); + --destructive: oklch(0.577 0.245 27.325); + --border: oklch(0.922 0 0); + --input: oklch(0.922 0 0); + --ring: oklch(0.708 0 0); + --chart-1: oklch(0.87 0 0); + --chart-2: oklch(0.556 0 0); + --chart-3: oklch(0.439 0 0); + --chart-4: oklch(0.371 0 0); + --chart-5: oklch(0.269 0 0); + --radius: 0.625rem; + --sidebar: oklch(0.985 0 0); + --sidebar-foreground: oklch(0.145 0 0); + --sidebar-primary: oklch(0.205 0 0); + --sidebar-primary-foreground: oklch(0.985 0 0); + --sidebar-accent: oklch(0.97 0 0); + --sidebar-accent-foreground: oklch(0.205 0 0); + --sidebar-border: oklch(0.922 0 0); + --sidebar-ring: oklch(0.708 0 0); +} + +.dark { + --background: oklch(0.145 0 0); + --foreground: oklch(0.985 0 0); + --card: oklch(0.205 0 0); + --card-foreground: oklch(0.985 0 0); + --popover: oklch(0.205 0 0); + --popover-foreground: oklch(0.985 0 0); + --primary: oklch(0.922 0 0); + --primary-foreground: oklch(0.205 0 0); + --secondary: oklch(0.269 0 0); + --secondary-foreground: oklch(0.985 0 0); + --muted: oklch(0.269 0 0); + --muted-foreground: oklch(0.708 0 0); + --accent: oklch(0.269 0 0); + --accent-foreground: oklch(0.985 0 0); + --destructive: oklch(0.704 0.191 22.216); + --border: oklch(1 0 0 / 10%); + --input: oklch(1 0 0 / 15%); + --ring: oklch(0.556 0 0); + --chart-1: oklch(0.87 0 0); + --chart-2: oklch(0.556 0 0); + --chart-3: oklch(0.439 0 0); + --chart-4: oklch(0.371 0 0); + --chart-5: oklch(0.269 0 0); + --sidebar: oklch(0.205 0 0); + --sidebar-foreground: oklch(0.985 0 0); + --sidebar-primary: oklch(0.488 0.243 264.376); + 
--sidebar-primary-foreground: oklch(0.985 0 0); + --sidebar-accent: oklch(0.269 0 0); + --sidebar-accent-foreground: oklch(0.985 0 0); + --sidebar-border: oklch(1 0 0 / 10%); + --sidebar-ring: oklch(0.556 0 0); +} + +@layer base { + * { + @apply border-border outline-ring/50; + } + body { + @apply bg-background text-foreground; + } + html { + @apply font-sans; + } +} \ No newline at end of file diff --git a/app/layout.tsx b/app/layout.tsx new file mode 100644 index 0000000..531b7a0 --- /dev/null +++ b/app/layout.tsx @@ -0,0 +1,37 @@ +import type { Metadata } from "next"; +import { Geist, Geist_Mono } from "next/font/google"; +import "./globals.css"; +import { Toaster } from "@/components/ui/sonner"; + +const geistSans = Geist({ + variable: "--font-geist-sans", + subsets: ["latin"], +}); + +const geistMono = Geist_Mono({ + variable: "--font-geist-mono", + subsets: ["latin"], +}); + +export const metadata: Metadata = { + title: "SecureCatch — SOAR Platform", + description: "Security Orchestration, Automation, and Response for phishing alerts", +}; + +export default function RootLayout({ + children, +}: Readonly<{ + children: React.ReactNode; +}>) { + return ( + + + {children} + + + + ); +} diff --git a/app/page.tsx b/app/page.tsx new file mode 100644 index 0000000..af5ef03 --- /dev/null +++ b/app/page.tsx @@ -0,0 +1,28 @@ +"use client"; + +import { useState } from "react"; +import { DashboardHeader } from "@/components/dashboard-header"; +import { AlertQueue } from "@/components/alert-queue"; + +export default function DashboardPage() { + const [refreshKey, setRefreshKey] = useState(0); + + function handleRefresh() { + setRefreshKey((k) => k + 1); + } + + return ( +
+ +
+
+

Phishing Alert Queue

+

+ Active phishing investigations pulled from Jira SECOPS board +

+
+ +
+
+ ); +} diff --git a/components.json b/components.json new file mode 100644 index 0000000..f382eb7 --- /dev/null +++ b/components.json @@ -0,0 +1,25 @@ +{ + "$schema": "https://ui.shadcn.com/schema.json", + "style": "base-nova", + "rsc": true, + "tsx": true, + "tailwind": { + "config": "", + "css": "app/globals.css", + "baseColor": "neutral", + "cssVariables": true, + "prefix": "" + }, + "iconLibrary": "lucide", + "rtl": false, + "aliases": { + "components": "@/components", + "utils": "@/lib/utils", + "ui": "@/components/ui", + "lib": "@/lib", + "hooks": "@/hooks" + }, + "menuColor": "default", + "menuAccent": "subtle", + "registries": {} +} diff --git a/components/alert-queue.tsx b/components/alert-queue.tsx new file mode 100644 index 0000000..f717484 --- /dev/null +++ b/components/alert-queue.tsx 
@@ -0,0 +1,132 @@ +"use client"; + +import { useState, useEffect, useCallback } from "react"; +import { useRouter } from "next/navigation"; +import { + Table, + TableBody, + TableCell, + TableHead, + TableHeader, + TableRow, +} from "@/components/ui/table"; +import { Skeleton } from "@/components/ui/skeleton"; +import { StatusBadge, ClassificationBadge } from "@/components/status-badge"; +import type { AlertSummary } from "@/lib/types"; +import { formatDistanceToNow } from "date-fns"; + +interface AlertQueueProps { + refreshKey: number; +} + +export function AlertQueue({ refreshKey }: AlertQueueProps) { + const [alerts, setAlerts] = useState([]); + const [loading, setLoading] = useState(true); + const [error, setError] = useState(null); + const router = useRouter(); + + const fetchAlerts = useCallback(async () => { + setLoading(true); + setError(null); + try { + const res = await fetch("/api/alerts"); + if (!res.ok) throw new Error(`HTTP ${res.status}`); + const data = await res.json() as { alerts: AlertSummary[] }; + setAlerts(data.alerts); + } catch (err) { + setError(String(err)); + } finally { + setLoading(false); + } + }, []); + + useEffect(() => { + void fetchAlerts(); + }, [fetchAlerts, refreshKey]); + + if (loading) { + return ( +
+ {Array.from({ length: 5 }).map((_, i) => ( + + ))} +
+ ); + } + + if (error) { + return ( +
+

Failed to load alerts

+

{error}

+
+ ); + } + + if (alerts.length === 0) { + return ( +
+

No alerts found

+

+ Click Run Ingestion to fetch phishing alerts from Jira. +

+
+ ); + } + + return ( +
+ + + + Ticket + Suspect Sender + Reporter + Classification + Status + Date + + + + {alerts.map((alert) => ( + router.push(`/alerts/${alert.id}`)} + > + + e.stopPropagation()} + className="text-blue-400 hover:text-blue-300 hover:underline" + > + {alert.jiraTicketKey} + + + + {alert.actorEmail} + + + {alert.reportedByEmail} + + + + + + + + + {formatDistanceToNow(new Date(alert.createdAt), { addSuffix: true })} + + + ))} + +
+
+ ); +} diff --git a/components/dashboard-header.tsx b/components/dashboard-header.tsx new file mode 100644 index 0000000..2516baa --- /dev/null +++ b/components/dashboard-header.tsx @@ -0,0 +1,81 @@ +"use client"; + +import { useState } from "react"; +import { ShieldAlert, RefreshCw, Play } from "lucide-react"; +import { Button } from "@/components/ui/button"; +import { toast } from "sonner"; + +interface DashboardHeaderProps { + onRefresh: () => void; +} + +export function DashboardHeader({ onRefresh }: DashboardHeaderProps) { + const [ingesting, setIngesting] = useState(false); + + async function runIngestion() { + setIngesting(true); + try { + const res = await fetch("/api/ingest/start", { method: "POST" }); + const data = await res.json() as { message?: string; error?: string; processed?: number; newAlerts?: string[] }; + + if (!res.ok) { + toast.error(data.error ?? "Ingestion failed"); + return; + } + + if ((data.processed ?? 0) > 0) { + toast.success(data.message ?? "Ingestion complete", { + description: `New alerts: ${(data.newAlerts ?? []).join(", ")}`, + }); + } else { + toast.info(data.message ?? "No new alerts found"); + } + + onRefresh(); + } catch (err) { + toast.error(`Network error: ${String(err)}`); + } finally { + setIngesting(false); + } + } + + return ( +
+
+
+
+ +
+
+

SecureCatch

+

SOAR Platform — Phishing Investigation

+
+
+
+ + +
+
+
+ ); +} diff --git a/components/remediate-dialog.tsx b/components/remediate-dialog.tsx new file mode 100644 index 0000000..07b9f77 --- /dev/null +++ b/components/remediate-dialog.tsx 
@@ -0,0 +1,133 @@ +"use client"; + +import { useState } from "react"; +import { useRouter } from "next/navigation"; +import { + Dialog, + DialogContent, + DialogDescription, + DialogFooter, + DialogHeader, + DialogTitle, +} from "@/components/ui/dialog"; +import { Button } from "@/components/ui/button"; +import { toast } from "sonner"; +import { AlertTriangle, ShieldCheck, Loader2 } from "lucide-react"; + +interface RemediateDialogProps { + alertId: string; + action: "REMEDIATE" | "CLOSE" | null; + onClose: () => void; +} + +export function RemediateDialog({ alertId, action, onClose }: RemediateDialogProps) { + const [loading, setLoading] = useState(false); + const [note, setNote] = useState(""); + const router = useRouter(); + + const isRemediate = action === "REMEDIATE"; + + async function handleConfirm() { + if (!action) return; + setLoading(true); + + try { + const res = await fetch(`/api/remediate/${alertId}`, { + method: "POST", + headers: { "Content-Type": "application/json" }, + body: JSON.stringify({ action, note: note || undefined }), + }); + + const data = await res.json() as { message?: string; error?: string; purgeResults?: { usersSearched: number; usersAffected: string[] } }; + + if (!res.ok) { + toast.error(data.error ?? "Action failed"); + return; + } + + if (isRemediate) { + const { purgeResults } = data; + toast.success("Domain-wide purge complete", { + description: `Trashed from ${purgeResults?.usersAffected?.length ?? 0} inbox(es) out of ${purgeResults?.usersSearched ?? 0} users searched.`, + }); + } else { + toast.success("Alert closed as false positive"); + } + + onClose(); + router.push("/"); + router.refresh(); + } catch (err) { + toast.error(`Network error: ${String(err)}`); + } finally { + setLoading(false); + } + } + + return ( + !loading && onClose()}> + + + + {isRemediate ? ( + <> + + Approve & Remediate + + ) : ( + <> + + Mark as Safe / Close + + )} + + + {isRemediate + ? 
"This will execute a domain-wide purge — searching every user inbox and trashing the malicious email. This action cannot be undone." + : "This will close the ticket as a false positive. No remediation actions will be taken."} + + + +
+