Skip to content

Reporting rework #24

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 138 commits into
base: master
Choose a base branch
from
Draft

Reporting rework #24

wants to merge 138 commits into from

Conversation

rkoumis
Copy link
Owner

@rkoumis rkoumis commented Jan 27, 2025

Use pydantic to specify backend schema

@rkoumis rkoumis marked this pull request as draft January 27, 2025 19:49
@josh-feather josh-feather force-pushed the reporting-rework branch 2 times, most recently from 212895f to 58b4be1 Compare February 4, 2025 14:06
rkoumis and others added 25 commits February 5, 2025 09:48
@rkoumis
Refactoring of mongodb constants
eb0d875 
- Added a new file: mongodb_constants.py
- We'll use this new file whenever we're touching mongodb
- The new constants are collection names and some field names
@rkoumis
Tests for dev_utils/mongodb.py
9251026 
- A bit of refactoring to ensure testability.
@rkoumis
Add mongomock for testing MongoDB code
f2c376b 
- Using mongomock, write tests for web/analysis/views
@rkoumis
More tests with mongomock
25969fc 
- Add a test for report doc insert calls
- Add tests for perform_search
@nbargnesi @rkoumis
add reporting to core
de1b5ac 
This starts to migrate the reporting capabilities out of the processing
phase where it currently lives exclusively, to a core part of CAPE with
a few different backend stubs to start.
@nbargnesi @rkoumis
swap direct to MongoDB/ES for core.reporting
5ae420d
@nbargnesi @rkoumis
implement some APIs in the mongodb backend
2e0aa19
@rkoumis
Initial schema for summary
2b8308e
@nbargnesi @rkoumis
remove post_processing v2 API
0256bfe 
This was a (disabled) example of how easy it is to extend the Web GUI with
external tools. It conflicts with the goal of having well-defined
reporting API and schemas, so remove it for now. It can come back as
needed in the future with more up front thought.
@nbargnesi @rkoumis
remove Shrike support
cac7532 
Shrike is no longer used. Let's remove it to tighten up what's needed in
reporting functionality.

Note this requires a database migration. It should be the antithesis of
f111620bb8 which was added in add_shrike_and_parent_id_columns.py, but
there's a bug in the downgrade logic in that revision - "parent_sid" not
"parent_id".
@nbargnesi @rkoumis
add basic tests, use getattribute vice getattr
c96068f
@nbargnesi @rkoumis
use old Black line lengths with Ruff
f50f3b3 
The reporting changes will be substantial. This will keep diffs limited
ot the changes we care about, avoiding random line wraps because the
Python tooling ecosystem is obsessed with recreating the same thing over
and over again.
@nbargnesi @rkoumis
add a TODO ("delete_mongo")
11e7fed
@nbargnesi @rkoumis
Ruff is happy now 🐶
d0414fc
@nbargnesi @rkoumis
add a reporting behavior API
25d5ecb 
This will be used to get at process, process tree, and detection2pids
data.
@nbargnesi @rkoumis
add behavior backend impls
eae6389
@nbargnesi @rkoumis
start using the reporting behavior API
2c1e87c
@rkoumis
Added draft implementations and stub schema
5bcad79
@rkoumis
Get tests running again
b8e1281
@rkoumis
Address import error from elasticsearch
2b9fd8d
@rkoumis
Update test_web_utils.py
5ddb6c1 
- since shrike parameters were removed from parse_request_arguments
@rkoumis
Added two basic tests for MongoDBReports
6493fa6
@rkoumis
Added info schema nested in summary
9f9e6d3
@nbargnesi @rkoumis
add API dropped/memory/network/procdump/procmemory
3ad1d0e
@nbargnesi @rkoumis
simplify DISABLED_WEB using reporting.enabled
ce8cdce
rkoumis and others added 26 commits February 10, 2025 09:17
@rkoumis
removed Info from Behavior
7a735ce
@josh-feather
Refactor constants in lib.cuckoo.core.reporting.backends.mongodb
3a9a6b5
@josh-feather
Update MongoDBReporting.behavior method and add tests
abc5de8
@josh-feather
Add new API methods and update existing return types
a3b39a2
@josh-feather
Add SearchCategories enum and tests
d1bff74
@josh-feather
Update elasticsearch reporting API signatures
0d95df5
@josh-feather
Refactor mongodb reporting API and add new search calls
a384461
@josh-feather
Add/update reporting API tests for MongoDB
79e1527
@rkoumis
Initial stab at IOC and CAPE.Payload schema
cd53965
@nbargnesi
add a couple API requests for @josh-feather
f04a414
@nbargnesi
less CUCKOO_ROOT, more DRY
8600781
@josh-feather
Add MongoDBReporting.cape, MongoDBReporting.cape_payloads
98c8601
@josh-feather
Add MongoDBReporting.search_by_* methods
f46e17d
@rkoumis
Added DroppedFile and removed Info from CAPE
78f568b
@josh-feather
Fix syntax in schema.IOC
77f0eff
@rkoumis
Updated suricata files
564f9d3
@josh-feather
Fix Suricata reporting tests
b898e0e
@josh-feather
Remove todo
34a88c4
@rkoumis
Added more schema to IOC
1375041
@rkoumis
Updated Schema for IOC
4f49935
@rkoumis
Make ruff happy
d973bd1
@rkoumis
Tweaks to legacy mongo_hooks so tests can run
832367c
@josh-feather
Add reporting API IOC return type
067bdcd
@josh-feather
Include Calls objects in reporting API behavior retval
f3471ac
@josh-feather
Make ruff happy
246b5d9
@josh-feather
Simplify mongodb_populate_test_data
ca586c8
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@josh-feather josh-feather josh-feather left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@rkoumis @josh-feather @nbargnesi