
feat: permission improvements, correlation alerts, and audit logging#73

Merged
TerrifiedBug merged 7 commits into main from feat/permission-and-bug-fixes (Jan 30, 2026)

Conversation

@TerrifiedBug (Owner)

Summary

  • Permission granularity: Separate manage_index_config from manage_settings for better access control
  • Correlation alert improvements: Add MITRE tags extraction, rule names display, consolidated UI
  • Audit logging: Add comprehensive audit trails for alert comments and ownership
  • CodeQL optimization: Exclude alembic migrations to reduce false positives

Changes

Permissions

  • Add manage_index_config permission for index pattern management
  • Update frontend route guards and navigation menu permissions
  • Restrict Health page to manage_settings, Field Mappings to manage_index_config

Correlation Alerts

  • Extract MITRE ATT&CK tags from linked sigma rules' YAML content
  • Display actual sigma rule names instead of "Rule A" / "Rule B"
  • Add links to source sigma rules and alerts in correlation alert details
  • Consolidate correlation rule link into the Correlation Alert Details box
  • Hide separate "Rule" card for correlation alerts (redundant)

Audit Logging

  • alert.comment_add - Track comment additions
  • alert.comment_edit - Track comment edits
  • alert.comment_delete - Track comment deletions
  • alert.assign - Track alert ownership assignments
  • alert.unassign - Track alert ownership releases

Bug Fixes

  • Fix "Assigned to me" pagination returning only 25 alerts (now fetches up to 1000)
  • Fix correlation alert entity_field and tags not populated (requires new alerts)

CodeQL

  • Exclude backend/alembic/versions/** from analysis (reduces FP noise)

Test plan

  • Verify permission separation works (index config vs settings)
  • Create new correlation alert and verify tags and rule names appear
  • Add/edit/delete comment on alert, check audit log
  • Assign/unassign alert, check audit log
  • Verify "Assigned to me" shows all assigned alerts
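The viewer restrictions, author-scoped comment editing, admin-only deletion and the five audit actions described above, as an added example that is not code from this PR or the project: a constructed Python policy layer with an in-memory audit log. The permission names come from the PR; the role-to-permission table, the user/alert/comment objects, the in-memory log, and the rule that only the current owner or an admin may release an alert are assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Permission names are from the PR; which role holds which permission is a
# constructed assumption for this example (viewers are read-only).
ROLE_PERMISSIONS = {
    "admin": {"manage_alerts", "manage_settings", "manage_index_config"},
    "analyst": {"manage_alerts", "manage_index_config"},
    "viewer": set(),
}

@dataclass
class User:
    name: str
    role: str

@dataclass
class Comment:
    id: int
    author: str
    text: str

@dataclass
class Alert:
    id: int
    assigned_to: Optional[str] = None
    comments: List[Comment] = field(default_factory=list)

@dataclass
class AuditLog:
    # In-memory stand-in for the audit trail; the action names match the PR.
    entries: List[dict] = field(default_factory=list)

    def record(self, action, actor, alert_id, **details):
        entry = {"action": action, "actor": actor, "alert_id": alert_id, **details}
        self.entries.append(entry)
        return entry

class PermissionDenied(Exception):
    pass

def has_permission(user, permission):
    return permission in ROLE_PERMISSIONS.get(user.role, set())

def can_edit_comment(user, comment):
    # Editing is scoped to the author: holding manage_alerts alone does not
    # let a user rewrite someone else's comment.
    return has_permission(user, "manage_alerts") and comment.author == user.name

def add_comment(user, alert, text, audit):
    if not has_permission(user, "manage_alerts"):
        raise PermissionDenied(f"{user.name} may not comment on alerts")
    comment = Comment(id=len(alert.comments) + 1, author=user.name, text=text)
    alert.comments.append(comment)
    audit.record("alert.comment_add", user.name, alert.id, comment_id=comment.id)
    return comment

def edit_comment(user, alert, comment, new_text, audit):
    if not can_edit_comment(user, comment):
        raise PermissionDenied(f"{user.name} may not edit comment {comment.id}")
    comment.text = new_text
    audit.record("alert.comment_edit", user.name, alert.id, comment_id=comment.id)
    return comment

def delete_comment(user, alert, comment, audit):
    if user.role != "admin":  # delete is admin-only, even for one's own comment
        raise PermissionDenied(f"{user.name} may not delete comments")
    alert.comments.remove(comment)
    audit.record("alert.comment_delete", user.name, alert.id, comment_id=comment.id)

def assign_alert(user, alert, audit):
    if not has_permission(user, "manage_alerts"):
        raise PermissionDenied(f"{user.name} may not take ownership")
    audit.record("alert.assign", user.name, alert.id, previous_owner=alert.assigned_to)
    alert.assigned_to = user.name

def unassign_alert(user, alert, audit):
    # Assumption: only the current owner or an admin may release an alert.
    if not (alert.assigned_to == user.name or user.role == "admin"):
        raise PermissionDenied(f"{user.name} does not own alert {alert.id}")
    audit.record("alert.unassign", user.name, alert.id, previous_owner=alert.assigned_to)
    alert.assigned_to = None

def demo():
    """Walk one alert through the PR's test plan; return what the audit log saw."""
    audit, alert = AuditLog(), Alert(id=42)
    admin, analyst, viewer = User("alice", "admin"), User("bob", "analyst"), User("carol", "viewer")
    comment = add_comment(analyst, alert, "looks like scanner noise", audit)
    edit_comment(analyst, alert, comment, "confirmed scanner noise", audit)
    denied = 0
    for attempt in (
        lambda: add_comment(viewer, alert, "me too", audit),       # viewer: no manage_alerts
        lambda: assign_alert(viewer, alert, audit),                # viewer: cannot take ownership
        lambda: edit_comment(admin, alert, comment, "x", audit),   # admin is not the author
        lambda: delete_comment(analyst, alert, comment, audit),    # analyst may not delete
    ):
        try:
            attempt()
        except PermissionDenied:
            denied += 1
    assign_alert(analyst, alert, audit)
    unassign_alert(analyst, alert, audit)
    delete_comment(admin, alert, comment, audit)
    actions = [e["action"] for e in audit.entries]
    return {"denied": denied, "actions": actions, "open_comments": len(alert.comments)}
```

Every state change goes through a function that checks first and records second, so a denied attempt leaves neither a mutation nor an audit entry; `demo()` returns four denials and exactly the five audit actions named in the PR, in order.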

TerrifiedBug and others added 7 commits January 30, 2026 13:08
Backend changes:
- Fix correlation alert entity_field bug in logs.py (was using sigma_field)
- Add permission checks for viewer restrictions (comments, ownership)
- Add PATCH endpoint for users to edit their own comments
- Add logger import to alerts.py (was missing)
- Grant analysts manage_settings permission for Index Patterns, Field Mappings, Health
- Add updated_at field to alert comments model and schema
- Create migration for alert_comments.updated_at column

Frontend changes:
- Add permission checks to bulk action buttons in Alerts page
- Add edit/delete functionality for comments in AlertDetail
- Hide add comment section for viewers (no manage_alerts permission)
- Disable Take Ownership button for viewers
- Show edit button only for own comments, delete only for admins
- Add useAuth hook to Alerts page for permission checking
- Add MITRE tags from linked sigma rules to correlation alerts
- Add links to source sigma rules in correlation alert UI
- Fix "Assigned to me" pagination to show all assigned alerts
- Create manage_index_config permission separate from manage_settings
- Allow viewers to see Health page (read-only)
- Restrict analyst Settings page access while keeping Index Patterns/Field Mappings
- Fix admin delete comment button using isAdmin hook
- Suppress ssl_context warning from opensearch-py

The Rule model doesn't have a tags attribute - tags are stored
in the YAML content. Parse the yaml_content to extract tags
from both linked sigma rules for correlation alerts.

- Add correlation rule link to CorrelationAlertDetails component
- Hide separate Rule card for correlation alerts
- Shows correlation rule name if available, otherwise 'View Rule'

- Add audit logging for comment add/edit/delete operations
- Add audit logging for alert assign/unassign operations
- Exclude alembic/versions from CodeQL analysis (reduces FPs)

New audit actions:
- alert.comment_add
- alert.comment_edit
- alert.comment_delete
- alert.assign
- alert.unassign

- Store rule_a_title and rule_b_title in correlation alert data
- Display actual sigma rule titles instead of "Rule A"/"Rule B"
- Falls back to generic labels for legacy alerts without titles
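The tag extraction from linked sigma rules' YAML and the rule-title fallback described in these commits, as an added example (not the project's code): a stdlib-only Python extractor run over two constructed sigma rules plus a legacy rule with neither title nor tags. The rules, the `custom.internal` tag and the line-based parser are assumptions; the project itself most likely hands `yaml_content` to a YAML library, which this example avoids only so it runs offline.

```python
import re
from typing import List, Optional, Tuple

# Constructed sigma rules standing in for the two rules a correlation alert
# links; titles, tags and detection logic are invented for this example.
RULE_A = """\
title: Suspicious Script Interpreter Download Cradle
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: 'DownloadString'
    condition: selection
tags:
    - attack.execution
    - attack.t1059.001
    - attack.command_and_control
    - attack.t1105   # ingress tool transfer
level: medium
"""

RULE_B = """\
title: Outbound Connection From Script Interpreter
logsource:
    category: network_connection
    product: windows
tags: [attack.command_and_control, attack.t1071.001, custom.internal]
level: low
"""

# A legacy rule with neither title nor tags: the extractor must not fail on it.
LEGACY_RULE = "status: deprecated\nlevel: low\n"

_TAG_LINE = re.compile(r"^tags:\s*(.*?)\s*$")
_ITEM_LINE = re.compile(r"^\s*-\s+(.+?)\s*(#.*)?$")   # block item, optional comment
_TITLE_LINE = re.compile(r"^title:\s*(.+?)\s*$")
_TECHNIQUE = re.compile(r"^t\d{4}(\.\d{3})?$")          # t1059 or t1059.001
MITRE_PREFIX = "attack."

def _unquote(value: str) -> str:
    return value.strip().strip("'\"")

def extract_tags(yaml_content: str) -> List[str]:
    """Return the top-level `tags:` list of a sigma rule (block or inline form)."""
    lines = yaml_content.splitlines()
    for idx, line in enumerate(lines):
        m = _TAG_LINE.match(line)
        if not m:
            continue
        rest = m.group(1)
        if rest.startswith("["):                       # tags: [a, b, c]
            return [_unquote(t) for t in rest.strip("[]").split(",") if t.strip()]
        tags = []                                      # tags:\n    - a\n    - b
        for item_line in lines[idx + 1:]:
            item = _ITEM_LINE.match(item_line)
            if not item:
                break
            tags.append(_unquote(item.group(1)))
        return tags
    return []

def extract_title(yaml_content: str) -> Optional[str]:
    for line in yaml_content.splitlines():
        m = _TITLE_LINE.match(line)
        if m:
            return _unquote(m.group(1))
    return None

def mitre_tags(tags: List[str]) -> List[str]:
    """Keep only the ATT&CK namespace; other sigma tag namespaces are dropped."""
    return [t for t in tags if t.startswith(MITRE_PREFIX)]

def technique_ids(tags: List[str]) -> List[str]:
    """Map attack.t1059.001-style tags to technique IDs; tactic tags are skipped."""
    ids = []
    for tag in mitre_tags(tags):
        suffix = tag[len(MITRE_PREFIX):]
        if _TECHNIQUE.match(suffix):
            ids.append(suffix.upper())
    return ids

def correlation_mitre_tags(rule_a_yaml: str, rule_b_yaml: str) -> List[str]:
    """Union of both linked rules' ATT&CK tags, order preserved, duplicates removed."""
    merged: List[str] = []
    for rule_yaml in (rule_a_yaml, rule_b_yaml):
        for tag in mitre_tags(extract_tags(rule_yaml)):
            if tag not in merged:
                merged.append(tag)
    return merged

def correlation_labels(rule_a_yaml: str, rule_b_yaml: str) -> Tuple[str, str]:
    """Rule titles for display, falling back to the generic labels for legacy rules."""
    return (extract_title(rule_a_yaml) or "Rule A", extract_title(rule_b_yaml) or "Rule B")
```

The shared `attack.command_and_control` tag appears once in the merged list, non-ATT&CK tags are filtered out before the alert is enriched, and a rule without a `title` key yields the generic label rather than an error.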
TerrifiedBug merged commit b50e781 into main on Jan 30, 2026
13 checks passed
TerrifiedBug deleted the feat/permission-and-bug-fixes branch on January 30, 2026 13:53