mirror of
https://github.com/marcredhat/SIEM-toolkit-patched
synced 2026-06-08 12:33:51 +00:00
Mick
7922de315e
MITRE ATT&CK heatmap: - _extract_mitre() helper extracts tactics/techniques from S1 API rules handling multiple field name conventions (tactic, mitreTechniques, etc.) - _import_from_api_rules and _import_detections now store tactics/techniques in raw JSON alongside data_sources - GET /api/coverage/mitre returns tactic/technique breakdown ordered by ATT&CK kill chain with coverage stats - New "Threat Coverage" tab in frontend: stat cards (total rules, MITRE mapped, tactics covered, techniques covered), tactic cards grid with left-border color coding and technique chips with "+N more" expander Detection rule firing status: - RuleFiringCache table tracks alert_count per rule_name - POST /api/coverage/sync-rule-firing queries SDL PowerQuery with 3 field-name patterns to find rule firing data; upserts into cache - GET /api/coverage/rule-firing-cache returns cache sorted by alert count - /map now includes alert_count per rule and firing_cache_populated flag - Coverage map Detections column: when cache populated, shows alert count in green or ⚠ amber for rules that have never fired Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
81 lines
2.6 KiB
Python
81 lines
2.6 KiB
Python
from fastapi import FastAPI
|
|
from fastapi.middleware.cors import CORSMiddleware
|
|
from db import engine, Base, get_db, ParsedRule, RuleFiringCache
|
|
from routers import coverage, ingest, settings, quality
|
|
|
|
Base.metadata.create_all(bind=engine)
|
|
|
|
# Runtime migration: add columns that didn't exist in earlier schema versions
|
|
from sqlalchemy import text
|
|
with engine.connect() as _conn:
|
|
_conn.execute(text(
|
|
"ALTER TABLE active_sources ADD COLUMN IF NOT EXISTS parser_detected INTEGER DEFAULT 0"
|
|
))
|
|
_conn.execute(text(
|
|
"ALTER TABLE active_sources ADD COLUMN IF NOT EXISTS unlabelled BOOLEAN DEFAULT FALSE"
|
|
))
|
|
_conn.execute(text(
|
|
"CREATE TABLE IF NOT EXISTS rule_firing_cache ("
|
|
"id SERIAL PRIMARY KEY, "
|
|
"rule_name VARCHAR UNIQUE, "
|
|
"alert_count INTEGER DEFAULT 0, "
|
|
"period_days INTEGER DEFAULT 30, "
|
|
"checked_at TIMESTAMP"
|
|
")"
|
|
))
|
|
_conn.commit()
|
|
|
|
app = FastAPI(title="SIEM Toolkit", version="1.0.0")
|
|
|
|
|
|
@app.on_event("startup")
|
|
async def auto_load_detections():
|
|
"""
|
|
Auto-load detection library rules on startup.
|
|
Tries the live S1 API first (accurate 'sources' field); falls back to extracted.json.
|
|
Skips if rules are already loaded — use the 'Sync Library' button to force a refresh.
|
|
"""
|
|
import os
|
|
from sqlalchemy.orm import Session
|
|
from services import s1_client
|
|
|
|
db: Session = next(get_db())
|
|
try:
|
|
existing = db.query(ParsedRule).filter_by(rule_type="library").count()
|
|
if existing > 0:
|
|
return # Already loaded — skip until user manually refreshes
|
|
|
|
# Try live API first
|
|
try:
|
|
rules = await s1_client.get_platform_rules()
|
|
if rules:
|
|
coverage._import_from_api_rules(db, rules)
|
|
return
|
|
except Exception:
|
|
pass
|
|
|
|
# Fall back to local file
|
|
detections_file = os.environ.get("DETECTIONS_FILE", "/app/data/detections.json")
|
|
if os.path.exists(detections_file):
|
|
coverage._import_detections(db, detections_file)
|
|
finally:
|
|
db.close()
|
|
|
|
app.add_middleware(
|
|
CORSMiddleware,
|
|
allow_origins=["http://localhost:3001"],
|
|
allow_credentials=True,
|
|
allow_methods=["*"],
|
|
allow_headers=["*"],
|
|
)
|
|
|
|
app.include_router(coverage.router, prefix="/api/coverage", tags=["Coverage"])
|
|
app.include_router(ingest.router, prefix="/api/ingest", tags=["Ingest"])
|
|
app.include_router(settings.router, prefix="/api/settings", tags=["Settings"])
|
|
app.include_router(quality.router, prefix="/api/quality", tags=["Quality"])
|
|
|
|
|
|
@app.get("/health")
|
|
def health():
|
|
return {"status": "ok"}
|