feat: Platform Improvements v3 - Clustering, Ownership, Correlation & More

[TerrifiedBug]

Summary

This PR implements Platform Improvements v3, adding several major features and bug fixes:

New Features

• Alert Ownership - Users can claim alerts with "Take Ownership" button, filter by "Assigned to Me"
• Alert Clustering - Group related alerts by rule ID to reduce alert fatigue (configurable in Settings)
• MITRE ATT&CK PDF Export - Generate coverage reports showing techniques mapped to rules
• Bulk Take Ownership - Assign multiple selected alerts to yourself at once
• Persistent "Assigned to Me" - Checkbox preference saved to localStorage across sessions

Bug Fixes

• Correlation Rules - Fixed .keyword suffix preventing entity value extraction; correlation now works correctly
• Webhook URLs - Discord/Slack notifications now include clickable "View Alert" links
• Alert Clustering Routes - Fixed routing order so settings endpoints work correctly

UI/UX Improvements

• Health Page - Indexes section now wrapped in Card matching External Services design
• Nginx Logging - Only logs 4xx/5xx responses to reduce noise from health checks

Technical Changes

• Rewrote correlation tests to properly test state machine logic
• Fixed SQLAlchemy query returning Row instead of model object
• Added localStorage persistence for filter preferences

Test plan

• Create two sigma rules that fire on related events
• Create a correlation rule linking them with entity field (e.g., Image)
• Trigger both rules - verify correlation alert is created
• Test webhook notifications show "View Alert" link in Discord/Slack
• Test bulk "Take Ownership" on Alerts page
• Navigate away and back to Alerts - verify "Assigned to Me" persists
• Check Health page - Indexes section should have Card wrapper with header
• Verify nginx logs only show errors (after rebuilding production image)

In general, the way to fix unused imports is to remove the identifiers that are not used anywhere in the file, or to delete the entire import statement if none of its symbols are used. This keeps the codebase cleaner and avoids unnecessary dependencies.

For this specific file backend/tests/services/test_alert_clustering.py, the best fix is to delete the from datetime import UTC, datetime, timedelta line entirely, because none of these three imported names are referenced in the shown tests, and they are likely not needed elsewhere in the file. No additional methods, imports, or definitions are required: this is a pure deletion that does not change any existing functionality, since the imported names are unused.

Concretely:

• In backend/tests/services/test_alert_clustering.py, remove line 3: from datetime import UTC, datetime, timedelta.
• Leave all the remaining imports (import pytest and from app.services.alerts import cluster_alerts) and test code unchanged.

In general, an unused-import issue is fixed by deleting the import statement for the unused symbol. This reduces unnecessary dependencies and noise in the file.

Here, the best minimal fix is to remove the line import pytest from backend/tests/services/test_alert_clustering.py, leaving the rest of the file unchanged. No other code changes or additional imports are required, since the tests use only built-in assert and cluster_alerts from app.services.alerts. The change is confined to line 5 in the provided snippet.

To fix an unused import in Python, you remove the unused symbol from the import statement (or, if none of the imported symbols are used, remove the entire import). This eliminates an unnecessary dependency and resolves the static analysis warning.

In this file (backend/tests/services/test_correlation.py), the single best fix is to edit the multi-line import on lines 10–15 so that it no longer imports resolve_entity_field. The other imported functions (check_correlation, cleanup_expired_states, get_nested_value) should remain untouched because they appear to be used in the tests. No new methods, imports, or definitions are required; this is purely a cleanup change to the existing import statement.

Concretely, in backend/tests/services/test_correlation.py, adjust the from app.services.correlation import (...) block to remove the resolve_entity_field line while keeping the rest exactly the same.

In general, to fix a “useless conditional” where a boolean is always false, you either (1) correctly wire the boolean so it reflects real state changes, or (2) remove or replace it with a meaningful condition. Since we can’t safely infer or modify logic outside the shown snippet, the safest fix inside this file is to stop depending on a boolean that is effectively constant and instead derive a clear loading condition from data we know is present: the health array.

In this component, the refresh button for “Indexes” is always enabled in practice (since isLoading is always false), and the icon never spins. For the “External Services” card, the author already uses a proper loading flag serviceHealthLoading to disable the button and show a spinner. We can mirror that pattern by computing a local, meaningful loading condition for the Indexes section based on the known data: for example, treating the “loading” state as “we haven’t received any health data yet.” Specifically:

• Replace disabled={isLoading} with a check that disables the button while no health data has been loaded, e.g. disabled={health.length === 0}.
• Replace the spinner condition isLoading ? 'animate-spin' : '' with the same condition so that the icon spins while we’re in that initial “no data” state.
• This change is fully contained within the shown snippet in frontend/src/pages/Health.tsx and requires no new imports or additional methods.

This preserves and clarifies functionality: the button is disabled and shows a spinner until health data exists, and once health data is present, the button is enabled and the icon is static. It also removes reliance on the dead isLoading flag, eliminating the useless conditional.