From e30f387796d0d801793c7e794ee3c859ec6d52a2 Mon Sep 17 00:00:00 2001 From: Corey Ogburn Date: Thu, 1 Aug 2024 14:46:03 -0600 Subject: [PATCH 01/12] Majority of Work Each engine now keeps track of the AI Summaries generated for all the rules of that engine. When the module starts and during Syncs, an engine will update the AI repo and reload the YAML file. The UI will show the AI Summary if it is present and marked as reviewed. Otherwise, the UI falls back to the extracted description. On the detection getter, call the new MergeAuxilleryData function on the proper engine so that this AI info is present on the detection when requested. This is the only endpoint that returns AI data, searches will not contain these fields. readAiSummary is mocked to make progress. It will be implemented soon. All engines should be configured to put the AiRepo in the same location but this location should NOT be the same as Sigma's rule repos. This would present a problem if somebody didn't use SO's Sigma rules. --- html/css/app.css | 4 + html/index.html | 16 ++- html/js/i18n.js | 1 + html/js/routes/detection.js | 5 + html/js/routes/detection.test.js | 17 +++ model/detection.go | 8 ++ server/detectionengine.go | 1 + server/detectionhandler.go | 16 +++ server/modules/detections/ai.go | 124 ++++++++++++++++++ .../modules/detections/detengine_helpers.go | 3 +- .../detections/detengine_helpers_test.go | 4 +- server/modules/detections/sync.go | 12 +- server/modules/elastalert/elastalert.go | 81 ++++++++++-- server/modules/elastalert/elastalert_test.go | 77 ++++++++++- server/modules/strelka/strelka.go | 72 +++++++++- server/modules/strelka/strelka_test.go | 81 +++++++++++- server/modules/suricata/suricata.go | 61 +++++++++ server/modules/suricata/suricata_test.go | 77 ++++++++++- 18 files changed, 623 insertions(+), 37 deletions(-) create mode 100644 server/modules/detections/ai.go diff --git a/html/css/app.css b/html/css/app.css index 4b79ad05..c8a5af69 100644 --- a/html/css/app.css +++ b/html/css/app.css @@ -684,4 +684,8 @@ tbody tr:hover { .theme--light tbody tr:hover:nth-of-type(even) { background-color: rgba(230, 230, 230, 0.25) !important; +} + +.unset-vertical-align { + vertical-align: unset !important; } \ No newline at end of file diff --git a/html/index.html b/html/index.html index b3381cd9..90d8b7c0 100644 --- a/html/index.html +++ b/html/index.html @@ -1144,10 +1144,18 @@

{{ detect.title }}

-
{{i18n.summary}}
-
- {{ extractedSummary }} -
+ +
{{i18n.references}}
diff --git a/html/js/i18n.js b/html/js/i18n.js index 957aa2a2..b1d562c0 100644 --- a/html/js/i18n.js +++ b/html/js/i18n.js @@ -66,6 +66,7 @@ const i18n = { address: 'Address', advanced: 'Temporarily enable advanced interface features', ago: 'ago', + aiSummary: 'AI Summary', alertAcknowledge: 'Acknowledge', alertEscalated: 'This alert has already been escalated', alertUndoAcknowledge: 'Undo Acknowledge', diff --git a/html/js/routes/detection.js b/html/js/routes/detection.js index 83164cb5..7cf21f01 100644 --- a/html/js/routes/detection.js +++ b/html/js/routes/detection.js @@ -1469,6 +1469,11 @@ routes.push({ path: '/detection/:id', name: 'detection', component: { }, checkOverrideChangedKey(id, index, key) { return this.changedOverrideKeys?.[id]?.[index]?.includes(key); + }, + showAiSummary() { + if (!this.detect) return false; + + return !!(this.detect.aiSummary && this.detect.aiSummaryReviewed); } } }}); diff --git a/html/js/routes/detection.test.js b/html/js/routes/detection.test.js index 63cee55a..71ba052e 100644 --- a/html/js/routes/detection.test.js +++ b/html/js/routes/detection.test.js @@ -1179,4 +1179,21 @@ test('validateSuricata', () => { comp.detect.publicId = '999999'; msg = comp.validateSuricata(); expect(msg).toBe(null); +}); + +test('showAiSummary', () => { + comp.detect = null; + expect(comp.showAiSummary()).toBe(false); + + comp.detect = { engine: 'strelka' }; + expect(comp.showAiSummary()).toBe(false); + + comp.detect.aiSummary = 'aiSummary'; + expect(comp.showAiSummary()).toBe(false); + + comp.detect.aiSummaryReviewed = true; + expect(comp.showAiSummary()).toBe(true); + + comp.detect.aiSummary = ''; + expect(comp.showAiSummary()).toBe(false); }); \ No newline at end of file diff --git a/model/detection.go b/model/detection.go index 8073256b..ba1219d5 100644 --- a/model/detection.go +++ b/model/detection.go @@ -120,6 +120,14 @@ type Detection struct { // elastalert - sigma only Product string `json:"product,omitempty"` Service string `json:"service,omitempty"` + + // AI Description fields + *AiFields `json:",omitempty"` +} + +type AiFields struct { + AiSummary string `json:"aiSummary"` + AiSummaryReviewed bool `json:"aiSummaryReviewed"` } type DetectionComment struct { diff --git a/server/detectionengine.go b/server/detectionengine.go index 3c5b381e..f463b851 100644 --- a/server/detectionengine.go +++ b/server/detectionengine.go @@ -21,6 +21,7 @@ type DetectionEngine interface { GetState() *model.EngineState GenerateUnusedPublicId(ctx context.Context) (string, error) ApplyFilters(detect *model.Detection) (didFilterAct bool, err error) + MergeAuxilleryData(detect *model.Detection) error } type SyncStatus struct { diff --git a/server/detectionhandler.go b/server/detectionhandler.go index 3275107e..54cc6bd1 100644 --- a/server/detectionhandler.go +++ b/server/detectionhandler.go @@ -90,6 +90,22 @@ func (h *DetectionHandler) getDetection(w http.ResponseWriter, r *http.Request) return } + eng, ok := h.server.DetectionEngines[detect.Engine] + if !ok { + log.WithFields(log.Fields{ + "engine": detect.Engine, + "publicId": detectId, + }).Error("retrieved detection with unsupported engine") + } else { + err = eng.MergeAuxilleryData(detect) + if err != nil { + log.WithError(err).WithFields(log.Fields{ + "engine": detect.Engine, + "publicId": detectId, + }).Error("unable to merge auxillery data into detection") + } + } + web.Respond(w, r, http.StatusOK, detect) } diff --git a/server/modules/detections/ai.go b/server/modules/detections/ai.go new file mode 100644 index 00000000..9e9690b4 --- /dev/null +++ b/server/modules/detections/ai.go @@ -0,0 +1,124 @@ +package detections + +import ( + "errors" + "net/url" + "path" + "path/filepath" + "sync" + + "github.com/apex/log" + "github.com/security-onion-solutions/securityonion-soc/model" +) + +var aiRepoMutex = sync.Mutex{} + +type AiLoader interface { + LoadAuxilleryData(summaries []*AiSummary) error +} + +type AiSummary struct { + PublicId string `json:"public_id"` + Reviewed bool `json:"reviewed"` + Summary string `json:"summary"` +} + +func RefreshAiSummaries(eng AiLoader, isRunning *bool, aiRepoPath string, aiRepoUrl string, iom IOManager, logger *log.Entry) error { + err := updateAiRepo(isRunning, aiRepoPath, aiRepoUrl, iom) + if err != nil { + if errors.Is(err, ErrModuleStopped) { + return err + } + + logger.WithError(err).WithFields(log.Fields{ + "aiRepoUrl": aiRepoUrl, + "aiRepoPath": aiRepoPath, + }).Error("unable to update AI repo") + } + + parser, err := url.Parse(aiRepoUrl) + if err != nil { + log.WithError(err).WithField("aiRepoUrl", aiRepoUrl).Error("Failed to parse repo URL, doing nothing with it") + } else { + _, lastFolder := path.Split(parser.Path) + repoPath := filepath.Join(aiRepoPath, lastFolder) + + sums, err := readAiSummary(repoPath, model.EngineNameElastAlert, iom) + if err != nil { + logger.WithError(err).WithField("repoPath", repoPath).Error("unable to read AI summary") + } else { + err = eng.LoadAuxilleryData(sums) + if err != nil { + logger.WithError(err).Error("unable to load AI summaries") + } else { + logger.Info("successfully loaded AI summaries") + } + } + } + + return nil +} + +func updateAiRepo(isRunning *bool, baseRepoFolder string, repoUrl string, iom IOManager) error { + aiRepoMutex.Lock() + defer aiRepoMutex.Unlock() + + _, _, err := UpdateRepos(isRunning, baseRepoFolder, []*model.RuleRepo{ + { + Repo: repoUrl, + }, + }, iom) + + return err +} + +func readAiSummary(repoRoot string, engine model.EngineName, iom IOManager) (sums []*AiSummary, err error) { + aiRepoMutex.Lock() + defer aiRepoMutex.Unlock() + + _, _ = repoRoot, iom // will be used when this isn't mocked + + // TODO: Read the AI summary from the repoRoot + switch engine { + case model.EngineNameElastAlert: + sums = []*AiSummary{ + { + PublicId: "032f5fb3-d959-41a5-9263-4173c802dc2b", + Reviewed: true, + Summary: `This rule detects Formbook process executions that inject code into files within the System32 folder and execute commands to delete the dropper from the AppData Temp folder. It specifically monitors for parent processes with command lines starting with System32 or SysWOW64 directories and ending with '.exe'. Furthermore, it looks for command lines containing specific parameters related to deletion activities within the user's AppData Temp and Desktop directories. This helps to distinguish malicious activity from legitimate actions by ensuring the parent command line parameters do not indicate normal operations.`, + }, + { + PublicId: "36e35854-a11d-408d-a918-9d0fe7567766", + Reviewed: false, + Summary: "ElastAlert AI Rule Summary", + }, + } + case model.EngineNameSuricata: + sums = []*AiSummary{ + { + PublicId: "2015738", + Reviewed: true, + Summary: "Suricata AI Rule Summary", + }, + { + PublicId: "2016190", + Reviewed: false, + Summary: "Suricata AI Rule Summary", + }, + } + case model.EngineNameStrelka: + sums = []*AiSummary{ + { + PublicId: "Webshell_FOPO_Obfuscation_APT_ON_Nov17_1", + Reviewed: true, + Summary: "Strelka AI Rule Summary", + }, + { + PublicId: "Unknown_0f06c5d1b32f4994c3b3abf8bb76d5468f105167", + Reviewed: false, + Summary: "Strelka AI Rule Summary", + }, + } + } + return sums, nil +} diff --git a/server/modules/detections/detengine_helpers.go b/server/modules/detections/detengine_helpers.go index 69d8e4ba..8e580644 100644 --- a/server/modules/detections/detengine_helpers.go +++ b/server/modules/detections/detengine_helpers.go @@ -18,7 +18,6 @@ import ( "sync" "time" - "github.com/security-onion-solutions/securityonion-soc/config" "github.com/security-onion-solutions/securityonion-soc/model" "github.com/apex/log" @@ -122,7 +121,7 @@ type RepoOnDisk struct { WasModified bool } -func UpdateRepos(isRunning *bool, baseRepoFolder string, rulesRepos []*model.RuleRepo, cfg *config.ServerConfig, iom IOManager) (allRepos []*RepoOnDisk, anythingNew bool, err error) { +func UpdateRepos(isRunning *bool, baseRepoFolder string, rulesRepos []*model.RuleRepo, iom IOManager) (allRepos []*RepoOnDisk, anythingNew bool, err error) { allRepos = make([]*RepoOnDisk, 0, len(rulesRepos)) // read existing repos diff --git a/server/modules/detections/detengine_helpers_test.go b/server/modules/detections/detengine_helpers_test.go index de90b179..6682d94c 100644 --- a/server/modules/detections/detengine_helpers_test.go +++ b/server/modules/detections/detengine_helpers_test.go @@ -13,7 +13,6 @@ import ( "testing" "time" - "github.com/security-onion-solutions/securityonion-soc/config" "github.com/security-onion-solutions/securityonion-soc/model" servermock "github.com/security-onion-solutions/securityonion-soc/server/mock" "github.com/security-onion-solutions/securityonion-soc/server/modules/detections/handmock" @@ -433,9 +432,8 @@ func TestUpdateRepos(t *testing.T) { Repo: "http://github.com/user/repo2", }, } - cfg := &config.ServerConfig{} - allRepos, anythingNew, err := UpdateRepos(&isRunning, "baseRepoFolder", repos, cfg, iom) + allRepos, anythingNew, err := UpdateRepos(&isRunning, "baseRepoFolder", repos, iom) assert.NoError(t, err) assert.Len(t, allRepos, len(repos)) assert.Equal(t, &RepoOnDisk{ diff --git a/server/modules/detections/sync.go b/server/modules/detections/sync.go index 466cd055..68f7b649 100644 --- a/server/modules/detections/sync.go +++ b/server/modules/detections/sync.go @@ -77,11 +77,11 @@ func SyncScheduler(e DetailedDetectionEngine, syncParams *SyncSchedulerParams, e } log.WithFields(log.Fields{ - "detectionEngine": engName, - "waitTimeSeconds": timerDur.Seconds(), - "forceSync": forceSync, - "lastSyncSuccess": lastSyncStatus, - "expectedStartTime": time.Now().Add(timerDur).Format(time.RFC3339), + "detectionEngine": engName, + "waitTimeSeconds": timerDur.Seconds(), + "forceSync": forceSync, + "lastSyncSuccess": lastSyncStatus, + "expectedStartTime": time.Now().Add(timerDur).Format(time.RFC3339), }).Info("waiting for next community rules sync") e.ResumeIntegrityChecker() @@ -107,7 +107,7 @@ func SyncScheduler(e DetailedDetectionEngine, syncParams *SyncSchedulerParams, e syncId := uuid.New().String() logger := log.WithFields(log.Fields{ "detectionEngine": engName, - "syncId": syncId, + "syncId": syncId, }) startTime := time.Now() diff --git a/server/modules/elastalert/elastalert.go b/server/modules/elastalert/elastalert.go index 50827526..e96f4d3c 100644 --- a/server/modules/elastalert/elastalert.go +++ b/server/modules/elastalert/elastalert.go @@ -60,6 +60,18 @@ const ( DEFAULT_COMMUNITY_RULES_IMPORT_ERROR_SECS = 300 DEFAULT_FAIL_AFTER_CONSECUTIVE_ERROR_COUNT = 10 DEFAULT_INTEGRITY_CHECK_FREQUENCY_SECONDS = 600 + DEFAULT_AI_REPO = "https://github.com/Security-Onion-Solutions/securityonion-resources" + DEFAULT_AI_REPO_LOC = "/opt/sensoroni/repos" +) + +var ( // treat as constant + DEFAULT_RULES_REPOS = []*model.RuleRepo{ + { + Repo: "https://github.com/Security-Onion-Solutions/securityonion-resources", + License: "DRL", + Folder: util.Ptr("sigma/stable"), + }, + } ) var acceptedExtensions = map[string]bool{ @@ -87,6 +99,9 @@ type ElastAlertEngine struct { airgapEnabled bool notify bool writeNoRead *string + aiSummaries *sync.Map // map[string]*detections.AiSummary{} + aiRepoUrl string + aiRepoPath string detections.SyncSchedulerParams detections.IntegrityCheckerData detections.IOManager @@ -133,6 +148,7 @@ func (e *ElastAlertEngine) Init(config module.ModuleConfig) (err error) { e.InterruptChan = make(chan bool, 1) e.IntegrityCheckerData.Thread = &sync.WaitGroup{} e.IntegrityCheckerData.Interrupt = make(chan bool, 1) + e.aiSummaries = &sync.Map{} e.airgapBasePath = module.GetStringDefault(config, "airgapBasePath", DEFAULT_AIRGAP_BASE_PATH) e.CommunityRulesImportFrequencySeconds = module.GetIntDefault(config, "communityRulesImportFrequencySeconds", DEFAULT_COMMUNITY_RULES_IMPORT_FREQUENCY_SECONDS) @@ -152,13 +168,7 @@ func (e *ElastAlertEngine) Init(config module.ModuleConfig) (err error) { e.parseSigmaPackages(pkgs) e.reposFolder = module.GetStringDefault(config, "reposFolder", DEFAULT_REPOS_FOLDER) - e.rulesRepos, err = model.GetReposDefault(config, "rulesRepos", []*model.RuleRepo{ - { - Repo: "https://github.com/Security-Onion-Solutions/securityonion-resources", - License: "DRL", - Folder: util.Ptr("sigma/stable"), - }, - }) + e.rulesRepos, err = model.GetReposDefault(config, "rulesRepos", DEFAULT_RULES_REPOS) if err != nil { return fmt.Errorf("unable to parse ElastAlert's rulesRepos: %w", err) } @@ -171,6 +181,9 @@ func (e *ElastAlertEngine) Init(config module.ModuleConfig) (err error) { e.SyncSchedulerParams.StateFilePath = module.GetStringDefault(config, "stateFilePath", DEFAULT_STATE_FILE_PATH) + e.aiRepoUrl = module.GetStringDefault(config, "aiRepoUrl", DEFAULT_AI_REPO) + e.aiRepoPath = module.GetStringDefault(config, "aiRepoPath", DEFAULT_AI_REPO_LOC) + return nil } @@ -179,9 +192,26 @@ func (e *ElastAlertEngine) Start() error { e.isRunning = true e.IntegrityCheckerData.IsRunning = true + // start long running processes go detections.SyncScheduler(e, &e.SyncSchedulerParams, &e.EngineState, model.EngineNameElastAlert, &e.isRunning, e.IOManager) go detections.IntegrityChecker(model.EngineNameElastAlert, e, &e.IntegrityCheckerData, &e.EngineState.IntegrityFailure) + // update Ai Summaries once and don't block + go func() { + logger := log.WithField("detectionEngine", model.EngineNameElastAlert) + + err := detections.RefreshAiSummaries(e, &e.isRunning, e.aiRepoPath, e.aiRepoUrl, e.IOManager, logger) + if err != nil { + if errors.Is(err, detections.ErrModuleStopped) { + return + } + + logger.WithError(err).Error("unable to refresh AI summaries") + } else { + logger.Info("successfully refreshed AI summaries") + } + }() + return nil } @@ -432,6 +462,17 @@ func (e *ElastAlertEngine) Sync(logger *log.Entry, forceSync bool) error { e.writeNoRead = nil + err := detections.RefreshAiSummaries(e, &e.isRunning, e.aiRepoPath, e.aiRepoUrl, e.IOManager, logger) + if err != nil { + if errors.Is(err, detections.ErrModuleStopped) { + return err + } + + logger.WithError(err).Error("unable to refresh AI summaries") + } else { + logger.Info("successfully refreshed AI summaries") + } + // announce the beginning of the sync e.EngineState.Syncing = true @@ -473,7 +514,7 @@ func (e *ElastAlertEngine) Sync(logger *log.Entry, forceSync bool) error { } // ensure repos are up to date - dirtyRepos, repoChanges, err := detections.UpdateRepos(&e.isRunning, e.reposFolder, e.rulesRepos, e.srv.Config, e.IOManager) + dirtyRepos, repoChanges, err := detections.UpdateRepos(&e.isRunning, e.reposFolder, e.rulesRepos, e.IOManager) if err != nil { if errors.Is(err, detections.ErrModuleStopped) { return err @@ -1421,6 +1462,30 @@ func (e *ElastAlertEngine) DuplicateDetection(ctx context.Context, detection *mo return det, nil } +func (e *ElastAlertEngine) LoadAuxilleryData(summaries []*detections.AiSummary) error { + sum := &sync.Map{} + for _, summary := range summaries { + sum.Store(summary.PublicId, summary) + } + + e.aiSummaries = sum + + return nil +} + +func (e *ElastAlertEngine) MergeAuxilleryData(detect *model.Detection) error { + obj, ok := e.aiSummaries.Load(detect.PublicID) + if ok { + summary := obj.(*detections.AiSummary) + detect.AiFields = &model.AiFields{ + AiSummary: summary.Summary, + AiSummaryReviewed: summary.Reviewed, + } + } + + return nil +} + type CustomWrapper struct { DetectionTitle string `yaml:"detection_title"` DetectionPublicId string `yaml:"detection_public_id"` diff --git a/server/modules/elastalert/elastalert_test.go b/server/modules/elastalert/elastalert_test.go index 1f6402b9..6b99c93d 100644 --- a/server/modules/elastalert/elastalert_test.go +++ b/server/modules/elastalert/elastalert_test.go @@ -1107,11 +1107,16 @@ func TestSyncIncrementalNoChanges(t *testing.T) { IntegrityCheckerData: detections.IntegrityCheckerData{ IsRunning: true, }, - IOManager: iom, + IOManager: iom, + aiRepoUrl: "aiRepoUrl", + aiRepoPath: "aiRepoPath", } logger := log.WithField("detectionEngine", "test-elastalert") + // RefreshAiSummaries + iom.EXPECT().ReadDir("aiRepoPath").Return([]fs.DirEntry{}, nil) + iom.EXPECT().CloneRepo(gomock.Any(), "aiRepoPath/aiRepoUrl", "aiRepoUrl").Return(nil) // checkSigmaPipelines iom.EXPECT().ReadFile("sigmaPipelineFinal").Return([]byte("data"), nil) iom.EXPECT().ReadFile("sigmaPipelineSO").Return([]byte("data"), nil) @@ -1200,7 +1205,9 @@ func TestSyncChanges(t *testing.T) { IntegrityCheckerData: detections.IntegrityCheckerData{ IsRunning: true, }, - IOManager: iom, + IOManager: iom, + aiRepoUrl: "aiRepoUrl", + aiRepoPath: "aiRepoPath", } logger := log.WithField("detectionEngine", "test-elastalert") @@ -1208,6 +1215,9 @@ func TestSyncChanges(t *testing.T) { workItems := []esutil.BulkIndexerItem{} auditItems := []esutil.BulkIndexerItem{} + // RefreshAiSummaries + iom.EXPECT().ReadDir("aiRepoPath").Return([]fs.DirEntry{}, nil) + iom.EXPECT().CloneRepo(gomock.Any(), "aiRepoPath/aiRepoUrl", "aiRepoUrl").Return(nil) // checkSigmaPipelines iom.EXPECT().ReadFile("sigmaPipelineFinal").Return([]byte("data"), nil) iom.EXPECT().ReadFile("sigmaPipelineSO").Return([]byte("data"), nil) @@ -1348,3 +1358,66 @@ func TestSyncChanges(t *testing.T) { assert.Equal(t, []string{"abc", "", "deleteme"}, workDocIds) // update has an id, create does not, delete does } + +func TestLoadAndMergeAuxilleryData(t *testing.T) { + tests := []struct { + Name string + PublicId string + ExpectedAiFields bool + ExpectedAiSummary string + ExpectedReviewed bool + }{ + { + Name: "No Auxillery Data", + PublicId: "bd82a1a6-7bac-401e-afcf-5adf07c0c035", + ExpectedAiFields: false, + }, + { + Name: "Data, Unreviewed", + PublicId: "67ee455d-099f-4048-b021-43bb91af9298", + ExpectedAiFields: true, + ExpectedAiSummary: "Summary for 67ee455d-099f-4048-b021-43bb91af9298", + ExpectedReviewed: false, + }, + { + Name: "Data, Reviewed", + PublicId: "83b3a29f-3009-4884-86c6-b6c3973788fa", + ExpectedAiFields: true, + ExpectedAiSummary: "Summary for 83b3a29f-3009-4884-86c6-b6c3973788fa", + ExpectedReviewed: true, + }, + } + + e := ElastAlertEngine{} + e.LoadAuxilleryData([]*detections.AiSummary{ + { + PublicId: "83b3a29f-3009-4884-86c6-b6c3973788fa", + Summary: "Summary for 83b3a29f-3009-4884-86c6-b6c3973788fa", + Reviewed: true, + }, + { + PublicId: "67ee455d-099f-4048-b021-43bb91af9298", + Summary: "Summary for 67ee455d-099f-4048-b021-43bb91af9298", + Reviewed: false, + }, + }) + + for _, test := range tests { + test := test + t.Run(test.Name, func(t *testing.T) { + det := &model.Detection{ + PublicID: test.PublicId, + } + + err := e.MergeAuxilleryData(det) + assert.NoError(t, err) + if test.ExpectedAiFields { + assert.NotNil(t, det.AiFields) + assert.Equal(t, test.ExpectedAiSummary, det.AiSummary) + assert.Equal(t, test.ExpectedReviewed, det.AiSummaryReviewed) + } else { + assert.Nil(t, det.AiFields) + } + }) + } +} diff --git a/server/modules/strelka/strelka.go b/server/modules/strelka/strelka.go index 33d0f857..ff85d453 100644 --- a/server/modules/strelka/strelka.go +++ b/server/modules/strelka/strelka.go @@ -49,6 +49,8 @@ const ( DEFAULT_COMMUNITY_RULES_IMPORT_ERROR_SECS = 300 DEFAULT_FAIL_AFTER_CONSECUTIVE_ERROR_COUNT = 10 DEFAULT_INTEGRITY_CHECK_FREQUENCY_SECONDS = 600 + DEFAULT_AI_REPO = "https://github.com/Security-Onion-Solutions/securityonion-resources" + DEFAULT_AI_REPO_LOC = "/opt/sensoroni/repos" ) var titleUpdater = regexp.MustCompile(`(?im)rule\s+(\w+)(\s+:(\s*[^{]+))?(\s+)(//.*$)?(\n?){`) @@ -66,6 +68,9 @@ type StrelkaEngine struct { compileYaraPythonScriptPath string notify bool writeNoRead *string + aiSummaries *sync.Map // map[string]*detections.AiSummary{} + aiRepoUrl string + aiRepoPath string detections.SyncSchedulerParams detections.IntegrityCheckerData detections.IOManager @@ -103,6 +108,7 @@ func (e *StrelkaEngine) Init(config module.ModuleConfig) (err error) { e.InterruptChan = make(chan bool, 1) e.IntegrityCheckerData.Thread = &sync.WaitGroup{} e.IntegrityCheckerData.Interrupt = make(chan bool, 1) + e.aiSummaries = &sync.Map{} e.CommunityRulesImportFrequencySeconds = module.GetIntDefault(config, "communityRulesImportFrequencySeconds", DEFAULT_COMMUNITY_RULES_IMPORT_FREQUENCY_SECONDS) e.yaraRulesFolder = module.GetStringDefault(config, "yaraRulesFolder", DEFAULT_YARA_RULES_FOLDER) @@ -125,6 +131,9 @@ func (e *StrelkaEngine) Init(config module.ModuleConfig) (err error) { e.StateFilePath = module.GetStringDefault(config, "stateFilePath", DEFAULT_STATE_FILE_PATH) + e.aiRepoUrl = module.GetStringDefault(config, "aiRepoUrl", DEFAULT_AI_REPO) + e.aiRepoPath = module.GetStringDefault(config, "aiRepoPath", DEFAULT_AI_REPO_LOC) + return nil } @@ -132,9 +141,26 @@ func (e *StrelkaEngine) Start() error { e.srv.DetectionEngines[model.EngineNameStrelka] = e e.isRunning = true + // start long running processes go detections.SyncScheduler(e, &e.SyncSchedulerParams, &e.EngineState, model.EngineNameStrelka, &e.isRunning, e.IOManager) go detections.IntegrityChecker(model.EngineNameStrelka, e, &e.IntegrityCheckerData, &e.EngineState.IntegrityFailure) + // update Ai Summaries once and don't block + go func() { + logger := log.WithField("detectionEngine", model.EngineNameStrelka) + + err := detections.RefreshAiSummaries(e, &e.isRunning, e.aiRepoPath, e.aiRepoUrl, e.IOManager, logger) + if err != nil { + if errors.Is(err, detections.ErrModuleStopped) { + return + } + + logger.WithError(err).Error("unable to refresh AI summaries") + } else { + logger.Info("successfully refreshed AI summaries") + } + }() + return nil } @@ -193,7 +219,7 @@ func (e *StrelkaEngine) IsRunning() bool { } func (e *StrelkaEngine) ValidateRule(data string) (string, error) { - _, err := e.parseYaraRules([]byte(data), false) + _, err := e.parseYaraRules([]byte(data)) if err != nil { return "", err } @@ -210,7 +236,7 @@ func (e *StrelkaEngine) ConvertRule(ctx context.Context, detect *model.Detection } func (s *StrelkaEngine) ExtractDetails(detect *model.Detection) error { - rules, err := s.parseYaraRules([]byte(detect.Content), false) + rules, err := s.parseYaraRules([]byte(detect.Content)) if err != nil { return err } @@ -258,10 +284,21 @@ func (e *StrelkaEngine) Sync(logger *log.Entry, forceSync bool) error { e.writeNoRead = nil + err := detections.RefreshAiSummaries(e, &e.isRunning, e.aiRepoPath, e.aiRepoUrl, e.IOManager, logger) + if err != nil { + if errors.Is(err, detections.ErrModuleStopped) { + return err + } + + logger.WithError(err).Error("unable to refresh AI summaries") + } else { + logger.Info("successfully refreshed AI summaries") + } + e.EngineState.Syncing = true // ensure repos are up to date - allRepos, anythingNew, err := detections.UpdateRepos(&e.isRunning, e.reposFolder, e.rulesRepos, e.srv.Config, e.IOManager) + allRepos, anythingNew, err := detections.UpdateRepos(&e.isRunning, e.reposFolder, e.rulesRepos, e.IOManager) if err != nil { if errors.Is(err, detections.ErrModuleStopped) { return err @@ -365,7 +402,7 @@ func (e *StrelkaEngine) Sync(logger *log.Entry, forceSync bool) error { return nil } - parsed, err := e.parseYaraRules(raw, true) + parsed, err := e.parseYaraRules(raw) if err != nil { logger.WithError(err).WithField("yaraRuleFile", path).Error("failed to parse yara rule file") return nil @@ -739,7 +776,7 @@ func (e *StrelkaEngine) Sync(logger *log.Entry, forceSync bool) error { return nil } -func (e *StrelkaEngine) parseYaraRules(data []byte, filter bool) ([]*YaraRule, error) { +func (e *StrelkaEngine) parseYaraRules(data []byte) ([]*YaraRule, error) { rules := []*YaraRule{} rule := &YaraRule{} @@ -1030,7 +1067,7 @@ func (e *StrelkaEngine) syncDetections(ctx context.Context) (err error) { } func (e *StrelkaEngine) DuplicateDetection(ctx context.Context, detection *model.Detection) (*model.Detection, error) { - rules, err := e.parseYaraRules([]byte(detection.Content), false) + rules, err := e.parseYaraRules([]byte(detection.Content)) if err != nil { return nil, err } @@ -1084,6 +1121,29 @@ func (e *StrelkaEngine) DuplicateDetection(ctx context.Context, detection *model return det, nil } +func (e *StrelkaEngine) LoadAuxilleryData(summaries []*detections.AiSummary) error { + sum := &sync.Map{} + for _, summary := range summaries { + sum.Store(summary.PublicId, summary) + } + + e.aiSummaries = sum + + return nil +} + +func (e *StrelkaEngine) MergeAuxilleryData(detect *model.Detection) error { + obj, ok := e.aiSummaries.Load(detect.PublicID) + if ok { + summary := obj.(*detections.AiSummary) + detect.AiFields = &model.AiFields{ + AiSummary: summary.Summary, + AiSummaryReviewed: summary.Reviewed, + } + } + + return nil +} func (e *StrelkaEngine) GenerateUnusedPublicId(ctx context.Context) (string, error) { // PublicIDs for Strelka are the rule name which should correlate with what the rule does. // Cannot generate arbitrary but still useful public IDs diff --git a/server/modules/strelka/strelka_test.go b/server/modules/strelka/strelka_test.go index 4a372f44..d7e91540 100644 --- a/server/modules/strelka/strelka_test.go +++ b/server/modules/strelka/strelka_test.go @@ -563,7 +563,7 @@ func TestParseRule(t *testing.T) { t.Run(test.Name, func(t *testing.T) { t.Parallel() - rules, err := e.parseYaraRules([]byte(test.Input), true) + rules, err := e.parseYaraRules([]byte(test.Input)) if test.ExpectedError == nil { assert.NoError(t, err) assert.NotNil(t, rules) @@ -643,7 +643,7 @@ func TestToDetection(t *testing.T) { License: "license", } - rules, err := e.parseYaraRules([]byte(BasicRuleWMeta), false) + rules, err := e.parseYaraRules([]byte(BasicRuleWMeta)) assert.NoError(t, err) assert.NotEmpty(t, rules) assert.Equal(t, 1, len(rules)) @@ -996,6 +996,9 @@ func TestSyncIncrementalNoChanges(t *testing.T) { detStore := servermock.NewMockDetectionstore(ctrl) iom := mock.NewMockIOManager(ctrl) + // RefreshAiSummaries + iom.EXPECT().ReadDir("aiRepoPath").Return([]fs.DirEntry{}, nil) + iom.EXPECT().CloneRepo(gomock.Any(), "aiRepoPath/aiRepoUrl", "aiRepoUrl").Return(nil) // UpdateRepos iom.EXPECT().ReadDir("repos").Return([]fs.DirEntry{ &handmock.MockDirEntry{ @@ -1031,7 +1034,9 @@ func TestSyncIncrementalNoChanges(t *testing.T) { IntegrityCheckerData: detections.IntegrityCheckerData{ IsRunning: true, }, - IOManager: iom, + IOManager: iom, + aiRepoUrl: "aiRepoUrl", + aiRepoPath: "aiRepoPath", } logger := log.WithField("detectionEngine", "test-strelka") @@ -1080,7 +1085,9 @@ func TestSyncChanges(t *testing.T) { IntegrityCheckerData: detections.IntegrityCheckerData{ IsRunning: true, }, - IOManager: iom, + IOManager: iom, + aiRepoUrl: "aiRepoUrl", + aiRepoPath: "aiRepoPath", } logger := log.WithField("detectionEngine", "test-strelka") @@ -1088,6 +1095,9 @@ func TestSyncChanges(t *testing.T) { workItems := []esutil.BulkIndexerItem{} auditItems := []esutil.BulkIndexerItem{} + // RefreshAiSummaries + iom.EXPECT().ReadDir("aiRepoPath").Return([]fs.DirEntry{}, nil) + iom.EXPECT().CloneRepo(gomock.Any(), "aiRepoPath/aiRepoUrl", "aiRepoUrl").Return(nil) // UpdateRepos iom.EXPECT().ReadDir("repos").Return([]fs.DirEntry{ &handmock.MockDirEntry{ @@ -1237,3 +1247,66 @@ func TestSyncChanges(t *testing.T) { assert.Equal(t, []string{"abc", "", "deleteme"}, workDocIds) // update has an id, create does not, delete does } + +func TestLoadAndMergeAuxilleryData(t *testing.T) { + tests := []struct { + Name string + PublicId string + ExpectedAiFields bool + ExpectedAiSummary string + ExpectedReviewed bool + }{ + { + Name: "No Auxillery Data", + PublicId: "Webshell_FOPO_Obfuscation_APT_ON_Nov17_1", + ExpectedAiFields: false, + }, + { + Name: "Data, Unreviewed", + PublicId: "Webshell_acid_FaTaLisTiCz_Fx_fx_p0isoN_sh3ll_x0rg_byp4ss_256", + ExpectedAiFields: true, + ExpectedAiSummary: "Summary for Webshell_acid_FaTaLisTiCz_Fx_fx_p0isoN_sh3ll_x0rg_byp4ss_256", + ExpectedReviewed: false, + }, + { + Name: "Data, Reviewed", + PublicId: "_root_040_zip_Folder_deploy", + ExpectedAiFields: true, + ExpectedAiSummary: "Summary for _root_040_zip_Folder_deploy", + ExpectedReviewed: true, + }, + } + + e := StrelkaEngine{} + e.LoadAuxilleryData([]*detections.AiSummary{ + { + PublicId: "_root_040_zip_Folder_deploy", + Summary: "Summary for _root_040_zip_Folder_deploy", + Reviewed: true, + }, + { + PublicId: "Webshell_acid_FaTaLisTiCz_Fx_fx_p0isoN_sh3ll_x0rg_byp4ss_256", + Summary: "Summary for Webshell_acid_FaTaLisTiCz_Fx_fx_p0isoN_sh3ll_x0rg_byp4ss_256", + Reviewed: false, + }, + }) + + for _, test := range tests { + test := test + t.Run(test.Name, func(t *testing.T) { + det := &model.Detection{ + PublicID: test.PublicId, + } + + err := e.MergeAuxilleryData(det) + assert.NoError(t, err) + if test.ExpectedAiFields { + assert.NotNil(t, det.AiFields) + assert.Equal(t, test.ExpectedAiSummary, det.AiSummary) + assert.Equal(t, test.ExpectedReviewed, det.AiSummaryReviewed) + } else { + assert.Nil(t, det.AiFields) + } + }) + } +} diff --git a/server/modules/suricata/suricata.go b/server/modules/suricata/suricata.go index 23eb4fb4..e4e646a3 100644 --- a/server/modules/suricata/suricata.go +++ b/server/modules/suricata/suricata.go @@ -55,6 +55,8 @@ const ( DEFAULT_COMMUNITY_RULES_IMPORT_ERROR_SECS = 300 DEFAULT_FAIL_AFTER_CONSECUTIVE_ERROR_COUNT = 10 DEFAULT_INTEGRITY_CHECK_FREQUENCY_SECONDS = 600 + DEFAULT_AI_REPO = "https://github.com/Security-Onion-Solutions/securityonion-resources" + DEFAULT_AI_REPO_LOC = "/opt/sensoroni/repos" CUSTOM_RULE_LOC = "/nsm/rules/detect-suricata/custom_temp" ) @@ -79,6 +81,9 @@ type SuricataEngine struct { checkMigrationsOnce func() enableRegex []*regexp.Regexp disableRegex []*regexp.Regexp + aiSummaries *sync.Map // map[string]*detections.AiSummary{} + aiRepoUrl string + aiRepoPath string detections.SyncSchedulerParams detections.IntegrityCheckerData detections.IOManager @@ -113,6 +118,7 @@ func (e *SuricataEngine) Init(config module.ModuleConfig) (err error) { e.InterruptChan = make(chan bool, 1) e.IntegrityCheckerData.Thread = &sync.WaitGroup{} e.IntegrityCheckerData.Interrupt = make(chan bool, 1) + e.aiSummaries = &sync.Map{} e.communityRulesFile = module.GetStringDefault(config, "communityRulesFile", DEFAULT_COMMUNITY_RULES_FILE) e.allRulesFile = module.GetStringDefault(config, "allRulesFile", DEFAULT_ALL_RULES_FILE) @@ -155,6 +161,9 @@ func (e *SuricataEngine) Init(config module.ModuleConfig) (err error) { return fmt.Errorf("unable to get custom rulesets: %w", err) } + e.aiRepoUrl = module.GetStringDefault(config, "aiRepoUrl", DEFAULT_AI_REPO) + e.aiRepoPath = module.GetStringDefault(config, "aiRepoPath", DEFAULT_AI_REPO_LOC) + return nil } @@ -163,9 +172,26 @@ func (e *SuricataEngine) Start() error { e.isRunning = true e.IntegrityCheckerData.IsRunning = true + // start long running processes go detections.SyncScheduler(e, &e.SyncSchedulerParams, &e.EngineState, model.EngineNameSuricata, &e.isRunning, e.IOManager) go detections.IntegrityChecker(model.EngineNameSuricata, e, &e.IntegrityCheckerData, &e.EngineState.IntegrityFailure) + // update Ai Summaries once and don't block + go func() { + logger := log.WithField("detectionEngine", model.EngineNameSuricata) + + err := detections.RefreshAiSummaries(e, &e.isRunning, e.aiRepoPath, e.aiRepoUrl, e.IOManager, logger) + if err != nil { + if errors.Is(err, detections.ErrModuleStopped) { + return + } + + logger.WithError(err).Error("unable to refresh AI summaries") + } else { + logger.Info("successfully refreshed AI summaries") + } + }() + return nil } @@ -318,6 +344,17 @@ func (e *SuricataEngine) Sync(logger *log.Entry, forceSync bool) error { e.writeNoRead = nil + err := detections.RefreshAiSummaries(e, &e.isRunning, e.aiRepoPath, e.aiRepoUrl, e.IOManager, logger) + if err != nil { + if errors.Is(err, detections.ErrModuleStopped) { + return err + } + + logger.WithError(err).Error("unable to refresh AI summaries") + } else { + logger.Info("successfully refreshed AI summaries") + } + e.EngineState.Syncing = true rules, hash, err := e.readAndHash(e.communityRulesFile) @@ -1693,6 +1730,30 @@ func (e *SuricataEngine) DuplicateDetection(ctx context.Context, detection *mode return det, nil } +func (e *SuricataEngine) LoadAuxilleryData(summaries []*detections.AiSummary) error { + sum := &sync.Map{} + for _, summary := range summaries { + sum.Store(summary.PublicId, summary) + } + + e.aiSummaries = sum + + return nil +} + +func (e *SuricataEngine) MergeAuxilleryData(detect *model.Detection) error { + obj, ok := e.aiSummaries.Load(detect.PublicID) + if ok { + summary := obj.(*detections.AiSummary) + detect.AiFields = &model.AiFields{ + AiSummary: summary.Summary, + AiSummaryReviewed: summary.Reviewed, + } + } + + return nil +} + func (e *SuricataEngine) ReadCustomRulesets() (detects []*model.Detection, err error) { detects = []*model.Detection{} diff --git a/server/modules/suricata/suricata_test.go b/server/modules/suricata/suricata_test.go index 6582f6e5..c114597b 100644 --- a/server/modules/suricata/suricata_test.go +++ b/server/modules/suricata/suricata_test.go @@ -2184,11 +2184,16 @@ func TestSyncIncrementalNoChanges(t *testing.T) { IntegrityCheckerData: detections.IntegrityCheckerData{ IsRunning: true, }, - IOManager: iom, + IOManager: iom, + aiRepoUrl: "aiRepoUrl", + aiRepoPath: "aiRepoPath", } logger := log.WithField("detectionEngine", "test-suricata") + // RefreshAiSummaries + iom.EXPECT().ReadDir("aiRepoPath").Return([]fs.DirEntry{}, nil) + iom.EXPECT().CloneRepo(gomock.Any(), "aiRepoPath/aiRepoUrl", "aiRepoUrl").Return(nil) // readAndHash iom.EXPECT().ReadFile("communityRulesFile").Return([]byte(SimpleRule), nil) // readFingerprint @@ -2254,7 +2259,9 @@ func TestSyncChanges(t *testing.T) { IntegrityCheckerData: detections.IntegrityCheckerData{ IsRunning: true, }, - IOManager: iom, + IOManager: iom, + aiRepoUrl: "aiRepoUrl", + aiRepoPath: "aiRepoPath", } logger := log.WithField("detectionEngine", "test-suricata") @@ -2262,6 +2269,9 @@ func TestSyncChanges(t *testing.T) { workItems := []esutil.BulkIndexerItem{} auditItems := []esutil.BulkIndexerItem{} + // RefreshAiSummaries + iom.EXPECT().ReadDir("aiRepoPath").Return([]fs.DirEntry{}, nil) + iom.EXPECT().CloneRepo(gomock.Any(), "aiRepoPath/aiRepoUrl", "aiRepoUrl").Return(nil) // readAndHash iom.EXPECT().ReadFile("communityRulesFile").Return([]byte(SimpleRule+"\n"+FlowbitsRuleA), nil) // syncCommunityDetections @@ -2484,3 +2494,66 @@ func toRegex(s ...string) []*regexp.Regexp { return r } + +func TestLoadAndMergeAuxilleryData(t *testing.T) { + tests := []struct { + Name string + PublicId string + ExpectedAiFields bool + ExpectedAiSummary string + ExpectedReviewed bool + }{ + { + Name: "No Auxillery Data", + PublicId: "100000", + ExpectedAiFields: false, + }, + { + Name: "Data, Unreviewed", + PublicId: "100002", + ExpectedAiFields: true, + ExpectedAiSummary: "Summary for 100002", + ExpectedReviewed: false, + }, + { + Name: "Data, Reviewed", + PublicId: "100001", + ExpectedAiFields: true, + ExpectedAiSummary: "Summary for 100001", + ExpectedReviewed: true, + }, + } + + e := SuricataEngine{} + e.LoadAuxilleryData([]*detections.AiSummary{ + { + PublicId: "100001", + Summary: "Summary for 100001", + Reviewed: true, + }, + { + PublicId: "100002", + Summary: "Summary for 100002", + Reviewed: false, + }, + }) + + for _, test := range tests { + test := test + t.Run(test.Name, func(t *testing.T) { + det := &model.Detection{ + PublicID: test.PublicId, + } + + err := e.MergeAuxilleryData(det) + assert.NoError(t, err) + if test.ExpectedAiFields { + assert.NotNil(t, det.AiFields) + assert.Equal(t, test.ExpectedAiSummary, det.AiSummary) + assert.Equal(t, test.ExpectedReviewed, det.AiSummaryReviewed) + } else { + assert.Nil(t, det.AiFields) + } + }) + } +} From 7303afd8920a83ec24fe831d26aa47e75e796029 Mon Sep 17 00:00:00 2001 From: Corey Ogburn Date: Mon, 5 Aug 2024 16:54:19 -0600 Subject: [PATCH 02/12] Rounded out Implementation, Added a Test Moved AiSummary from detections to model so I could mock AiLoader without creating an import cycle. To-do: 1) Ensure AiSummary's fields line up with the final model. 2) Ensure detections.readAiSummary looks for the summaries in the correct place. --- model/detection.go | 6 ++ server/modules/detections/ai.go | 71 +++++-------------- server/modules/detections/ai_test.go | 45 ++++++++++++ .../modules/detections/mock/mock_ailoader.go | 53 ++++++++++++++ server/modules/elastalert/elastalert.go | 8 +-- server/modules/elastalert/elastalert_test.go | 2 +- server/modules/strelka/strelka.go | 8 +-- server/modules/strelka/strelka_test.go | 2 +- server/modules/suricata/suricata.go | 8 +-- server/modules/suricata/suricata_test.go | 2 +- 10 files changed, 138 insertions(+), 67 deletions(-) create mode 100644 server/modules/detections/ai_test.go create mode 100644 server/modules/detections/mock/mock_ailoader.go diff --git a/model/detection.go b/model/detection.go index ba1219d5..91b452b5 100644 --- a/model/detection.go +++ b/model/detection.go @@ -361,3 +361,9 @@ type AuditInfo struct { Op string Detection *Detection } + +type AiSummary struct { + PublicId string `yaml:"public_id"` + Reviewed bool `yaml:"reviewed"` + Summary string `yaml:"summary"` +} diff --git a/server/modules/detections/ai.go b/server/modules/detections/ai.go index 9e9690b4..4f607fa0 100644 --- a/server/modules/detections/ai.go +++ b/server/modules/detections/ai.go @@ -2,6 +2,7 @@ package detections import ( "errors" + "fmt" "net/url" "path" "path/filepath" @@ -9,21 +10,18 @@ import ( "github.com/apex/log" "github.com/security-onion-solutions/securityonion-soc/model" + "gopkg.in/yaml.v3" ) var aiRepoMutex = sync.Mutex{} type AiLoader interface { - LoadAuxilleryData(summaries []*AiSummary) error + LoadAuxilleryData(summaries []*model.AiSummary) error } -type AiSummary struct { - PublicId string `json:"public_id"` - Reviewed bool `json:"reviewed"` - Summary string `json:"summary"` -} +//go:generate mockgen -destination mock/mock_ailoader.go -package mock . AiLoader -func RefreshAiSummaries(eng AiLoader, isRunning *bool, aiRepoPath string, aiRepoUrl string, iom IOManager, logger *log.Entry) error { +func RefreshAiSummaries(eng AiLoader, engName model.EngineName, isRunning *bool, aiRepoPath string, aiRepoUrl string, iom IOManager, logger *log.Entry) error { err := updateAiRepo(isRunning, aiRepoPath, aiRepoUrl, iom) if err != nil { if errors.Is(err, ErrModuleStopped) { @@ -43,7 +41,7 @@ func RefreshAiSummaries(eng AiLoader, isRunning *bool, aiRepoPath string, aiRepo _, lastFolder := path.Split(parser.Path) repoPath := filepath.Join(aiRepoPath, lastFolder) - sums, err := readAiSummary(repoPath, model.EngineNameElastAlert, iom) + sums, err := readAiSummary(repoPath, engName, iom) if err != nil { logger.WithError(err).WithField("repoPath", repoPath).Error("unable to read AI summary") } else { @@ -72,53 +70,22 @@ func updateAiRepo(isRunning *bool, baseRepoFolder string, repoUrl string, iom IO return err } -func readAiSummary(repoRoot string, engine model.EngineName, iom IOManager) (sums []*AiSummary, err error) { +func readAiSummary(repoRoot string, engine model.EngineName, iom IOManager) (sums []*model.AiSummary, err error) { aiRepoMutex.Lock() defer aiRepoMutex.Unlock() - _, _ = repoRoot, iom // will be used when this isn't mocked - - // TODO: Read the AI summary from the repoRoot - switch engine { - case model.EngineNameElastAlert: - sums = []*AiSummary{ - { - PublicId: "032f5fb3-d959-41a5-9263-4173c802dc2b", - Reviewed: true, - Summary: `This rule detects Formbook process executions that inject code into files within the System32 folder and execute commands to delete the dropper from the AppData Temp folder. It specifically monitors for parent processes with command lines starting with System32 or SysWOW64 directories and ending with '.exe'. Furthermore, it looks for command lines containing specific parameters related to deletion activities within the user's AppData Temp and Desktop directories. This helps to distinguish malicious activity from legitimate actions by ensuring the parent command line parameters do not indicate normal operations.`, - }, - { - PublicId: "36e35854-a11d-408d-a918-9d0fe7567766", - Reviewed: false, - Summary: "ElastAlert AI Rule Summary", - }, - } - case model.EngineNameSuricata: - sums = []*AiSummary{ - { - PublicId: "2015738", - Reviewed: true, - Summary: "Suricata AI Rule Summary", - }, - { - PublicId: "2016190", - Reviewed: false, - Summary: "Suricata AI Rule Summary", - }, - } - case model.EngineNameStrelka: - sums = []*AiSummary{ - { - PublicId: "Webshell_FOPO_Obfuscation_APT_ON_Nov17_1", - Reviewed: true, - Summary: "Strelka AI Rule Summary", - }, - { - PublicId: "Unknown_0f06c5d1b32f4994c3b3abf8bb76d5468f105167", - Reviewed: false, - Summary: "Strelka AI Rule Summary", - }, - } + filename := fmt.Sprintf("detections-ai-%s.yml", engine) + targetFile := filepath.Join(repoRoot, "detections-ai/", filename) + + raw, err := iom.ReadFile(targetFile) + if err != nil { + return nil, err } + + err = yaml.Unmarshal(raw, &sums) + if err != nil { + return nil, err + } + return sums, nil } diff --git a/server/modules/detections/ai_test.go b/server/modules/detections/ai_test.go new file mode 100644 index 00000000..e3234178 --- /dev/null +++ b/server/modules/detections/ai_test.go @@ -0,0 +1,45 @@ +package detections + +import ( + "io/fs" + "testing" + + "github.com/apex/log" + "github.com/security-onion-solutions/securityonion-soc/model" + "github.com/security-onion-solutions/securityonion-soc/server/modules/detections/mock" + + "github.com/tj/assert" + "go.uber.org/mock/gomock" +) + +func TestRefreshAiSummaries(t *testing.T) { + ctrl := gomock.NewController(t) + defer ctrl.Finish() + + isRunning := true + repo := "http://github.com/user/repo1" + summaries := `[{"public_id": "87e55c67-46f0-4a7b-a3c6-d473ab7e8392", "reviewed": false, "summary": "ai text goes here"}, { "public_id": "a23077fc-a5ef-427f-92ab-d3de7f56834d", "reviewed": true, "summary": "ai text goes here"}]` + + iom := mock.NewMockIOManager(ctrl) + loader := mock.NewMockAiLoader(ctrl) + + iom.EXPECT().ReadDir("baseRepoFolder").Return([]fs.DirEntry{}, nil) + iom.EXPECT().CloneRepo(gomock.Any(), "baseRepoFolder/repo1", repo).Return(nil) + iom.EXPECT().ReadFile("baseRepoFolder/repo1/detections-ai/detections-ai-elastalert.yml").Return([]byte(summaries), nil) + loader.EXPECT().LoadAuxilleryData([]*model.AiSummary{ + { + PublicId: "87e55c67-46f0-4a7b-a3c6-d473ab7e8392", + Summary: "ai text goes here", + }, + { + PublicId: "a23077fc-a5ef-427f-92ab-d3de7f56834d", + Reviewed: true, + Summary: "ai text goes here", + }, + }).Return(nil) + + logger := log.WithField("test", true) + + err := RefreshAiSummaries(loader, model.EngineNameElastAlert, &isRunning, "baseRepoFolder", repo, iom, logger) + assert.NoError(t, err) +} diff --git a/server/modules/detections/mock/mock_ailoader.go b/server/modules/detections/mock/mock_ailoader.go new file mode 100644 index 00000000..cc4a6ce1 --- /dev/null +++ b/server/modules/detections/mock/mock_ailoader.go @@ -0,0 +1,53 @@ +// Code generated by MockGen. DO NOT EDIT. +// Source: github.com/security-onion-solutions/securityonion-soc/server/modules/detections (interfaces: AiLoader) +// +// Generated by this command: +// +// mockgen -destination mock/mock_ailoader.go -package mock . AiLoader +// +// Package mock is a generated GoMock package. +package mock + +import ( + reflect "reflect" + + model "github.com/security-onion-solutions/securityonion-soc/model" + gomock "go.uber.org/mock/gomock" +) + +// MockAiLoader is a mock of AiLoader interface. +type MockAiLoader struct { + ctrl *gomock.Controller + recorder *MockAiLoaderMockRecorder +} + +// MockAiLoaderMockRecorder is the mock recorder for MockAiLoader. +type MockAiLoaderMockRecorder struct { + mock *MockAiLoader +} + +// NewMockAiLoader creates a new mock instance. +func NewMockAiLoader(ctrl *gomock.Controller) *MockAiLoader { + mock := &MockAiLoader{ctrl: ctrl} + mock.recorder = &MockAiLoaderMockRecorder{mock} + return mock +} + +// EXPECT returns an object that allows the caller to indicate expected use. +func (m *MockAiLoader) EXPECT() *MockAiLoaderMockRecorder { + return m.recorder +} + +// LoadAuxilleryData mocks base method. +func (m *MockAiLoader) LoadAuxilleryData(arg0 []*model.AiSummary) error { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "LoadAuxilleryData", arg0) + ret0, _ := ret[0].(error) + return ret0 +} + +// LoadAuxilleryData indicates an expected call of LoadAuxilleryData. +func (mr *MockAiLoaderMockRecorder) LoadAuxilleryData(arg0 any) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "LoadAuxilleryData", reflect.TypeOf((*MockAiLoader)(nil).LoadAuxilleryData), arg0) +} diff --git a/server/modules/elastalert/elastalert.go b/server/modules/elastalert/elastalert.go index e96f4d3c..ba623fd1 100644 --- a/server/modules/elastalert/elastalert.go +++ b/server/modules/elastalert/elastalert.go @@ -200,7 +200,7 @@ func (e *ElastAlertEngine) Start() error { go func() { logger := log.WithField("detectionEngine", model.EngineNameElastAlert) - err := detections.RefreshAiSummaries(e, &e.isRunning, e.aiRepoPath, e.aiRepoUrl, e.IOManager, logger) + err := detections.RefreshAiSummaries(e, model.EngineNameElastAlert, &e.isRunning, e.aiRepoPath, e.aiRepoUrl, e.IOManager, logger) if err != nil { if errors.Is(err, detections.ErrModuleStopped) { return @@ -462,7 +462,7 @@ func (e *ElastAlertEngine) Sync(logger *log.Entry, forceSync bool) error { e.writeNoRead = nil - err := detections.RefreshAiSummaries(e, &e.isRunning, e.aiRepoPath, e.aiRepoUrl, e.IOManager, logger) + err := detections.RefreshAiSummaries(e, model.EngineNameElastAlert, &e.isRunning, e.aiRepoPath, e.aiRepoUrl, e.IOManager, logger) if err != nil { if errors.Is(err, detections.ErrModuleStopped) { return err @@ -1462,7 +1462,7 @@ func (e *ElastAlertEngine) DuplicateDetection(ctx context.Context, detection *mo return det, nil } -func (e *ElastAlertEngine) LoadAuxilleryData(summaries []*detections.AiSummary) error { +func (e *ElastAlertEngine) LoadAuxilleryData(summaries []*model.AiSummary) error { sum := &sync.Map{} for _, summary := range summaries { sum.Store(summary.PublicId, summary) @@ -1476,7 +1476,7 @@ func (e *ElastAlertEngine) LoadAuxilleryData(summaries []*detections.AiSummary) func (e *ElastAlertEngine) MergeAuxilleryData(detect *model.Detection) error { obj, ok := e.aiSummaries.Load(detect.PublicID) if ok { - summary := obj.(*detections.AiSummary) + summary := obj.(*model.AiSummary) detect.AiFields = &model.AiFields{ AiSummary: summary.Summary, AiSummaryReviewed: summary.Reviewed, diff --git a/server/modules/elastalert/elastalert_test.go b/server/modules/elastalert/elastalert_test.go index 6b99c93d..09420543 100644 --- a/server/modules/elastalert/elastalert_test.go +++ b/server/modules/elastalert/elastalert_test.go @@ -1389,7 +1389,7 @@ func TestLoadAndMergeAuxilleryData(t *testing.T) { } e := ElastAlertEngine{} - e.LoadAuxilleryData([]*detections.AiSummary{ + e.LoadAuxilleryData([]*model.AiSummary{ { PublicId: "83b3a29f-3009-4884-86c6-b6c3973788fa", Summary: "Summary for 83b3a29f-3009-4884-86c6-b6c3973788fa", diff --git a/server/modules/strelka/strelka.go b/server/modules/strelka/strelka.go index ff85d453..9061eabd 100644 --- a/server/modules/strelka/strelka.go +++ b/server/modules/strelka/strelka.go @@ -149,7 +149,7 @@ func (e *StrelkaEngine) Start() error { go func() { logger := log.WithField("detectionEngine", model.EngineNameStrelka) - err := detections.RefreshAiSummaries(e, &e.isRunning, e.aiRepoPath, e.aiRepoUrl, e.IOManager, logger) + err := detections.RefreshAiSummaries(e, model.EngineNameStrelka, &e.isRunning, e.aiRepoPath, e.aiRepoUrl, e.IOManager, logger) if err != nil { if errors.Is(err, detections.ErrModuleStopped) { return @@ -284,7 +284,7 @@ func (e *StrelkaEngine) Sync(logger *log.Entry, forceSync bool) error { e.writeNoRead = nil - err := detections.RefreshAiSummaries(e, &e.isRunning, e.aiRepoPath, e.aiRepoUrl, e.IOManager, logger) + err := detections.RefreshAiSummaries(e, model.EngineNameStrelka, &e.isRunning, e.aiRepoPath, e.aiRepoUrl, e.IOManager, logger) if err != nil { if errors.Is(err, detections.ErrModuleStopped) { return err @@ -1121,7 +1121,7 @@ func (e *StrelkaEngine) DuplicateDetection(ctx context.Context, detection *model return det, nil } -func (e *StrelkaEngine) LoadAuxilleryData(summaries []*detections.AiSummary) error { +func (e *StrelkaEngine) LoadAuxilleryData(summaries []*model.AiSummary) error { sum := &sync.Map{} for _, summary := range summaries { sum.Store(summary.PublicId, summary) @@ -1135,7 +1135,7 @@ func (e *StrelkaEngine) LoadAuxilleryData(summaries []*detections.AiSummary) err func (e *StrelkaEngine) MergeAuxilleryData(detect *model.Detection) error { obj, ok := e.aiSummaries.Load(detect.PublicID) if ok { - summary := obj.(*detections.AiSummary) + summary := obj.(*model.AiSummary) detect.AiFields = &model.AiFields{ AiSummary: summary.Summary, AiSummaryReviewed: summary.Reviewed, diff --git a/server/modules/strelka/strelka_test.go b/server/modules/strelka/strelka_test.go index d7e91540..0c12d882 100644 --- a/server/modules/strelka/strelka_test.go +++ b/server/modules/strelka/strelka_test.go @@ -1278,7 +1278,7 @@ func TestLoadAndMergeAuxilleryData(t *testing.T) { } e := StrelkaEngine{} - e.LoadAuxilleryData([]*detections.AiSummary{ + e.LoadAuxilleryData([]*model.AiSummary{ { PublicId: "_root_040_zip_Folder_deploy", Summary: "Summary for _root_040_zip_Folder_deploy", diff --git a/server/modules/suricata/suricata.go b/server/modules/suricata/suricata.go index e4e646a3..99086da3 100644 --- a/server/modules/suricata/suricata.go +++ b/server/modules/suricata/suricata.go @@ -180,7 +180,7 @@ func (e *SuricataEngine) Start() error { go func() { logger := log.WithField("detectionEngine", model.EngineNameSuricata) - err := detections.RefreshAiSummaries(e, &e.isRunning, e.aiRepoPath, e.aiRepoUrl, e.IOManager, logger) + err := detections.RefreshAiSummaries(e, model.EngineNameSuricata, &e.isRunning, e.aiRepoPath, e.aiRepoUrl, e.IOManager, logger) if err != nil { if errors.Is(err, detections.ErrModuleStopped) { return @@ -344,7 +344,7 @@ func (e *SuricataEngine) Sync(logger *log.Entry, forceSync bool) error { e.writeNoRead = nil - err := detections.RefreshAiSummaries(e, &e.isRunning, e.aiRepoPath, e.aiRepoUrl, e.IOManager, logger) + err := detections.RefreshAiSummaries(e, model.EngineNameSuricata, &e.isRunning, e.aiRepoPath, e.aiRepoUrl, e.IOManager, logger) if err != nil { if errors.Is(err, detections.ErrModuleStopped) { return err @@ -1730,7 +1730,7 @@ func (e *SuricataEngine) DuplicateDetection(ctx context.Context, detection *mode return det, nil } -func (e *SuricataEngine) LoadAuxilleryData(summaries []*detections.AiSummary) error { +func (e *SuricataEngine) LoadAuxilleryData(summaries []*model.AiSummary) error { sum := &sync.Map{} for _, summary := range summaries { sum.Store(summary.PublicId, summary) @@ -1744,7 +1744,7 @@ func (e *SuricataEngine) LoadAuxilleryData(summaries []*detections.AiSummary) er func (e *SuricataEngine) MergeAuxilleryData(detect *model.Detection) error { obj, ok := e.aiSummaries.Load(detect.PublicID) if ok { - summary := obj.(*detections.AiSummary) + summary := obj.(*model.AiSummary) detect.AiFields = &model.AiFields{ AiSummary: summary.Summary, AiSummaryReviewed: summary.Reviewed, diff --git a/server/modules/suricata/suricata_test.go b/server/modules/suricata/suricata_test.go index c114597b..e9857fa3 100644 --- a/server/modules/suricata/suricata_test.go +++ b/server/modules/suricata/suricata_test.go @@ -2525,7 +2525,7 @@ func TestLoadAndMergeAuxilleryData(t *testing.T) { } e := SuricataEngine{} - e.LoadAuxilleryData([]*detections.AiSummary{ + e.LoadAuxilleryData([]*model.AiSummary{ { PublicId: "100001", Summary: "Summary for 100001", From e3c770d6d03ad80f81fa50e807970f8b2ce0993b Mon Sep 17 00:00:00 2001 From: Corey Ogburn Date: Mon, 5 Aug 2024 17:01:56 -0600 Subject: [PATCH 03/12] Engine => Language Parameter Pass the language name instead of the engine name into RefreshAiSummaries to properly build the expected filename. --- server/modules/detections/ai.go | 8 ++++---- server/modules/detections/ai_test.go | 4 ++-- server/modules/elastalert/elastalert.go | 4 ++-- server/modules/strelka/strelka.go | 4 ++-- server/modules/suricata/suricata.go | 4 ++-- 5 files changed, 12 insertions(+), 12 deletions(-) diff --git a/server/modules/detections/ai.go b/server/modules/detections/ai.go index 4f607fa0..1bc9d48b 100644 --- a/server/modules/detections/ai.go +++ b/server/modules/detections/ai.go @@ -21,7 +21,7 @@ type AiLoader interface { //go:generate mockgen -destination mock/mock_ailoader.go -package mock . AiLoader -func RefreshAiSummaries(eng AiLoader, engName model.EngineName, isRunning *bool, aiRepoPath string, aiRepoUrl string, iom IOManager, logger *log.Entry) error { +func RefreshAiSummaries(eng AiLoader, lang model.SigLanguage, isRunning *bool, aiRepoPath string, aiRepoUrl string, iom IOManager, logger *log.Entry) error { err := updateAiRepo(isRunning, aiRepoPath, aiRepoUrl, iom) if err != nil { if errors.Is(err, ErrModuleStopped) { @@ -41,7 +41,7 @@ func RefreshAiSummaries(eng AiLoader, engName model.EngineName, isRunning *bool, _, lastFolder := path.Split(parser.Path) repoPath := filepath.Join(aiRepoPath, lastFolder) - sums, err := readAiSummary(repoPath, engName, iom) + sums, err := readAiSummary(repoPath, lang, iom) if err != nil { logger.WithError(err).WithField("repoPath", repoPath).Error("unable to read AI summary") } else { @@ -70,11 +70,11 @@ func updateAiRepo(isRunning *bool, baseRepoFolder string, repoUrl string, iom IO return err } -func readAiSummary(repoRoot string, engine model.EngineName, iom IOManager) (sums []*model.AiSummary, err error) { +func readAiSummary(repoRoot string, lang model.SigLanguage, iom IOManager) (sums []*model.AiSummary, err error) { aiRepoMutex.Lock() defer aiRepoMutex.Unlock() - filename := fmt.Sprintf("detections-ai-%s.yml", engine) + filename := fmt.Sprintf("%s_summaries.yaml", lang) targetFile := filepath.Join(repoRoot, "detections-ai/", filename) raw, err := iom.ReadFile(targetFile) diff --git a/server/modules/detections/ai_test.go b/server/modules/detections/ai_test.go index e3234178..e2e1b454 100644 --- a/server/modules/detections/ai_test.go +++ b/server/modules/detections/ai_test.go @@ -25,7 +25,7 @@ func TestRefreshAiSummaries(t *testing.T) { iom.EXPECT().ReadDir("baseRepoFolder").Return([]fs.DirEntry{}, nil) iom.EXPECT().CloneRepo(gomock.Any(), "baseRepoFolder/repo1", repo).Return(nil) - iom.EXPECT().ReadFile("baseRepoFolder/repo1/detections-ai/detections-ai-elastalert.yml").Return([]byte(summaries), nil) + iom.EXPECT().ReadFile("baseRepoFolder/repo1/detections-ai/elastalert_summaries.yml").Return([]byte(summaries), nil) loader.EXPECT().LoadAuxilleryData([]*model.AiSummary{ { PublicId: "87e55c67-46f0-4a7b-a3c6-d473ab7e8392", @@ -40,6 +40,6 @@ func TestRefreshAiSummaries(t *testing.T) { logger := log.WithField("test", true) - err := RefreshAiSummaries(loader, model.EngineNameElastAlert, &isRunning, "baseRepoFolder", repo, iom, logger) + err := RefreshAiSummaries(loader, model.SigLangSigma, &isRunning, "baseRepoFolder", repo, iom, logger) assert.NoError(t, err) } diff --git a/server/modules/elastalert/elastalert.go b/server/modules/elastalert/elastalert.go index ba623fd1..bbd88f6c 100644 --- a/server/modules/elastalert/elastalert.go +++ b/server/modules/elastalert/elastalert.go @@ -200,7 +200,7 @@ func (e *ElastAlertEngine) Start() error { go func() { logger := log.WithField("detectionEngine", model.EngineNameElastAlert) - err := detections.RefreshAiSummaries(e, model.EngineNameElastAlert, &e.isRunning, e.aiRepoPath, e.aiRepoUrl, e.IOManager, logger) + err := detections.RefreshAiSummaries(e, model.SigLangSigma, &e.isRunning, e.aiRepoPath, e.aiRepoUrl, e.IOManager, logger) if err != nil { if errors.Is(err, detections.ErrModuleStopped) { return @@ -462,7 +462,7 @@ func (e *ElastAlertEngine) Sync(logger *log.Entry, forceSync bool) error { e.writeNoRead = nil - err := detections.RefreshAiSummaries(e, model.EngineNameElastAlert, &e.isRunning, e.aiRepoPath, e.aiRepoUrl, e.IOManager, logger) + err := detections.RefreshAiSummaries(e, model.SigLangSigma, &e.isRunning, e.aiRepoPath, e.aiRepoUrl, e.IOManager, logger) if err != nil { if errors.Is(err, detections.ErrModuleStopped) { return err diff --git a/server/modules/strelka/strelka.go b/server/modules/strelka/strelka.go index 9061eabd..759bb289 100644 --- a/server/modules/strelka/strelka.go +++ b/server/modules/strelka/strelka.go @@ -149,7 +149,7 @@ func (e *StrelkaEngine) Start() error { go func() { logger := log.WithField("detectionEngine", model.EngineNameStrelka) - err := detections.RefreshAiSummaries(e, model.EngineNameStrelka, &e.isRunning, e.aiRepoPath, e.aiRepoUrl, e.IOManager, logger) + err := detections.RefreshAiSummaries(e, model.SigLangYara, &e.isRunning, e.aiRepoPath, e.aiRepoUrl, e.IOManager, logger) if err != nil { if errors.Is(err, detections.ErrModuleStopped) { return @@ -284,7 +284,7 @@ func (e *StrelkaEngine) Sync(logger *log.Entry, forceSync bool) error { e.writeNoRead = nil - err := detections.RefreshAiSummaries(e, model.EngineNameStrelka, &e.isRunning, e.aiRepoPath, e.aiRepoUrl, e.IOManager, logger) + err := detections.RefreshAiSummaries(e, model.SigLangYara, &e.isRunning, e.aiRepoPath, e.aiRepoUrl, e.IOManager, logger) if err != nil { if errors.Is(err, detections.ErrModuleStopped) { return err diff --git a/server/modules/suricata/suricata.go b/server/modules/suricata/suricata.go index 99086da3..36c4f884 100644 --- a/server/modules/suricata/suricata.go +++ b/server/modules/suricata/suricata.go @@ -180,7 +180,7 @@ func (e *SuricataEngine) Start() error { go func() { logger := log.WithField("detectionEngine", model.EngineNameSuricata) - err := detections.RefreshAiSummaries(e, model.EngineNameSuricata, &e.isRunning, e.aiRepoPath, e.aiRepoUrl, e.IOManager, logger) + err := detections.RefreshAiSummaries(e, model.SigLangSuricata, &e.isRunning, e.aiRepoPath, e.aiRepoUrl, e.IOManager, logger) if err != nil { if errors.Is(err, detections.ErrModuleStopped) { return @@ -344,7 +344,7 @@ func (e *SuricataEngine) Sync(logger *log.Entry, forceSync bool) error { e.writeNoRead = nil - err := detections.RefreshAiSummaries(e, model.EngineNameSuricata, &e.isRunning, e.aiRepoPath, e.aiRepoUrl, e.IOManager, logger) + err := detections.RefreshAiSummaries(e, model.SigLangSuricata, &e.isRunning, e.aiRepoPath, e.aiRepoUrl, e.IOManager, logger) if err != nil { if errors.Is(err, detections.ErrModuleStopped) { return err From caedf360fff4658ec518105f19094f6f8d66051f Mon Sep 17 00:00:00 2001 From: Corey Ogburn Date: Tue, 6 Aug 2024 10:12:28 -0600 Subject: [PATCH 04/12] Updated AiSummary fields to match generated output. Refactored readAiSummary to work with publicId based dictionary. Updated test to properly simulate repo contents. --- model/detection.go | 6 +++--- server/modules/detections/ai.go | 9 ++++++++- server/modules/detections/ai_test.go | 4 ++-- 3 files changed, 13 insertions(+), 6 deletions(-) diff --git a/model/detection.go b/model/detection.go index 91b452b5..ac211fea 100644 --- a/model/detection.go +++ b/model/detection.go @@ -363,7 +363,7 @@ type AuditInfo struct { } type AiSummary struct { - PublicId string `yaml:"public_id"` - Reviewed bool `yaml:"reviewed"` - Summary string `yaml:"summary"` + PublicId string + Reviewed bool `yaml:"Reviewed"` + Summary string `yaml:"Summary"` } diff --git a/server/modules/detections/ai.go b/server/modules/detections/ai.go index 1bc9d48b..3b502015 100644 --- a/server/modules/detections/ai.go +++ b/server/modules/detections/ai.go @@ -82,10 +82,17 @@ func readAiSummary(repoRoot string, lang model.SigLanguage, iom IOManager) (sums return nil, err } - err = yaml.Unmarshal(raw, &sums) + data := map[string]*model.AiSummary{} + + err = yaml.Unmarshal(raw, data) if err != nil { return nil, err } + for pid, sum := range data { + sum.PublicId = pid + sums = append(sums, sum) + } + return sums, nil } diff --git a/server/modules/detections/ai_test.go b/server/modules/detections/ai_test.go index e2e1b454..1da2e52b 100644 --- a/server/modules/detections/ai_test.go +++ b/server/modules/detections/ai_test.go @@ -18,14 +18,14 @@ func TestRefreshAiSummaries(t *testing.T) { isRunning := true repo := "http://github.com/user/repo1" - summaries := `[{"public_id": "87e55c67-46f0-4a7b-a3c6-d473ab7e8392", "reviewed": false, "summary": "ai text goes here"}, { "public_id": "a23077fc-a5ef-427f-92ab-d3de7f56834d", "reviewed": true, "summary": "ai text goes here"}]` + summaries := `{"87e55c67-46f0-4a7b-a3c6-d473ab7e8392": { "Reviewed": false, "Summary": "ai text goes here"}, "a23077fc-a5ef-427f-92ab-d3de7f56834d": { "Reviewed": true, "Summary": "ai text goes here" } }` iom := mock.NewMockIOManager(ctrl) loader := mock.NewMockAiLoader(ctrl) iom.EXPECT().ReadDir("baseRepoFolder").Return([]fs.DirEntry{}, nil) iom.EXPECT().CloneRepo(gomock.Any(), "baseRepoFolder/repo1", repo).Return(nil) - iom.EXPECT().ReadFile("baseRepoFolder/repo1/detections-ai/elastalert_summaries.yml").Return([]byte(summaries), nil) + iom.EXPECT().ReadFile("baseRepoFolder/repo1/detections-ai/sigma_summaries.yaml").Return([]byte(summaries), nil) loader.EXPECT().LoadAuxilleryData([]*model.AiSummary{ { PublicId: "87e55c67-46f0-4a7b-a3c6-d473ab7e8392", From 22f538c4c339796d83dffab49cc1891c0f563a72 Mon Sep 17 00:00:00 2001 From: Corey Ogburn Date: Tue, 6 Aug 2024 12:02:10 -0600 Subject: [PATCH 05/12] Ai Summary Stale Indicator Since the Ai Summary doc has the MD5 fingerprints of every rule to track when a rule changes and needs a new summary, I can use that on the backend to know if the summary applies to the latest rule or not. Because the rules don't change drastically, we'll continue to show the summary, but with an additional line that it might be old. Included a way for users to turn off AI summaries on a per engine basis. --- html/css/app.css | 5 ++ html/index.html | 3 + html/js/i18n.js | 1 + model/detection.go | 8 ++- server/modules/elastalert/elastalert.go | 70 ++++++++++++-------- server/modules/elastalert/elastalert_test.go | 50 ++++++++++---- server/modules/strelka/strelka.go | 70 ++++++++++++-------- server/modules/strelka/strelka_test.go | 49 ++++++++++---- server/modules/suricata/suricata.go | 70 ++++++++++++-------- server/modules/suricata/suricata_test.go | 50 ++++++++++---- 10 files changed, 250 insertions(+), 126 deletions(-) diff --git a/html/css/app.css b/html/css/app.css index c8a5af69..85073df4 100644 --- a/html/css/app.css +++ b/html/css/app.css @@ -688,4 +688,9 @@ tbody tr:hover { .unset-vertical-align { vertical-align: unset !important; +} + +.stale-summary { + font-size: 75%; + margin-top: 16px; } \ No newline at end of file diff --git a/html/index.html b/html/index.html index 90d8b7c0..7ba707fd 100644 --- a/html/index.html +++ b/html/index.html @@ -1149,6 +1149,9 @@

{{ detect.title }}

{{ detect.aiSummary }}
+
+ ({{ i18n.aiSummaryStale }}) +