Skip to content

Reporting rework#24

Draft
rkoumis wants to merge 138 commits intomasterfrom
reporting-rework
Draft

Reporting rework#24
rkoumis wants to merge 138 commits intomasterfrom
reporting-rework

Conversation

@rkoumis
Copy link
Owner

@rkoumis rkoumis commented Jan 27, 2025

Use pydantic to specify backend schema

@rkoumis rkoumis marked this pull request as draft January 27, 2025 19:49
@josh-feather josh-feather force-pushed the reporting-rework branch 2 times, most recently from 212895f to 58b4be1 Compare February 4, 2025 14:06
josh-feather
josh-feather reviewed Feb 5, 2025
View reviewed changes
rkoumis and others added 25 commits February 5, 2025 09:48
@rkoumis
Refactoring of mongodb constants
eb0d875 
- Added a new file: mongodb_constants.py
- We'll use this new file whenever we're touching mongodb
- The new constants are collection names and some field names
@rkoumis
Tests for dev_utils/mongodb.py
9251026 
- A bit of refactoring to ensure testability.
@rkoumis
Add mongomock for testing MongoDB code
f2c376b 
- Using mongomock, write tests for web/analysis/views
@rkoumis
More tests with mongomock
25969fc 
- Add a test for report doc insert calls
- Add tests for perform_search
@rkoumis
add reporting to core
de1b5ac 
This starts to migrate the reporting capabilities out of the processing
phase where it currently lives exclusively, to a core part of CAPE with
a few different backend stubs to start.
@rkoumis
swap direct to MongoDB/ES for core.reporting
5ae420d
@rkoumis
implement some APIs in the mongodb backend
2e0aa19
@rkoumis
Initial schema for summary
2b8308e
@rkoumis
remove post_processing v2 API
0256bfe 
This was a (disabled) example of how easy it is to extend the Web GUI with
external tools. It conflicts with the goal of having well-defined
reporting API and schemas, so remove it for now. It can come back as
needed in the future with more up front thought.
@rkoumis
remove Shrike support
cac7532 
Shrike is no longer used. Let's remove it to tighten up what's needed in
reporting functionality.

Note this requires a database migration. It should be the antithesis of
f111620bb8 which was added in add_shrike_and_parent_id_columns.py, but
there's a bug in the downgrade logic in that revision - "parent_sid" not
"parent_id".
@rkoumis
add basic tests, use getattribute vice getattr
c96068f
@rkoumis
use old Black line lengths with Ruff
f50f3b3 
The reporting changes will be substantial. This will keep diffs limited
ot the changes we care about, avoiding random line wraps because the
Python tooling ecosystem is obsessed with recreating the same thing over
and over again.
@rkoumis
add a TODO ("delete_mongo")
11e7fed
@rkoumis
Ruff is happy now 🐶
d0414fc
@rkoumis
add a reporting behavior API
25d5ecb 
This will be used to get at process, process tree, and detection2pids
data.
@rkoumis
add behavior backend impls
eae6389
@rkoumis
start using the reporting behavior API
2c1e87c
@rkoumis
Added draft implementations and stub schema
5bcad79
@rkoumis
Get tests running again
b8e1281
@rkoumis
Address import error from elasticsearch
2b9fd8d
@rkoumis
Update test_web_utils.py
5ddb6c1 
- since shrike parameters were removed from parse_request_arguments
@rkoumis
Added two basic tests for MongoDBReports
6493fa6
@rkoumis
Added info schema nested in summary
9f9e6d3
@rkoumis
add API dropped/memory/network/procdump/procmemory
3ad1d0e
@rkoumis
simplify DISABLED_WEB using reporting.enabled
ce8cdce
rkoumis and others added 26 commits February 10, 2025 09:17
@rkoumis
removed Info from Behavior
7a735ce
@josh-feather
Refactor constants in lib.cuckoo.core.reporting.backends.mongodb
3a9a6b5
@josh-feather
Update MongoDBReporting.behavior method and add tests
abc5de8
@josh-feather
Add new API methods and update existing return types
a3b39a2
@josh-feather
Add SearchCategories enum and tests
d1bff74
@josh-feather
Update elasticsearch reporting API signatures
0d95df5
@josh-feather
Refactor mongodb reporting API and add new search calls
a384461
@josh-feather
Add/update reporting API tests for MongoDB
79e1527
@rkoumis
Initial stab at IOC and CAPE.Payload schema
cd53965
add a couple API requests for @josh-feather
f04a414
less CUCKOO_ROOT, more DRY
8600781
@josh-feather
Add MongoDBReporting.cape, MongoDBReporting.cape_payloads
98c8601
@josh-feather
Add MongoDBReporting.search_by_* methods
f46e17d
@rkoumis
Added DroppedFile and removed Info from CAPE
78f568b
@josh-feather
Fix syntax in schema.IOC
77f0eff
@rkoumis
Updated suricata files
564f9d3
@josh-feather
Fix Suricata reporting tests
b898e0e
@josh-feather
Remove todo
34a88c4
@rkoumis
Added more schema to IOC
1375041
@rkoumis
Updated Schema for IOC
4f49935
@rkoumis
Make ruff happy
d973bd1
@rkoumis
Tweaks to legacy mongo_hooks so tests can run
832367c
@josh-feather
Add reporting API IOC return type
067bdcd
@josh-feather
Include Calls objects in reporting API behavior retval
f3471ac
@josh-feather
Make ruff happy
246b5d9
@josh-feather
Simplify mongodb_populate_test_data
ca586c8
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@josh-feather josh-feather josh-feather left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@rkoumis @josh-feather