…n query templates

**Added:**

- Introduced `src/ares/core/remote.py` for remote command execution on the Kali attack box via AWS SSM, including SSO credential validation, error handling, and a `run_remote` convenience function
- Added `QueryTemplateTools` to `src/ares/tools/blue/query_templates.py`, providing MITRE-mapped LogQL query templates for detecting red team attack patterns and AD attacks
- Registered `QueryTemplateTools` in blue team toolset and included in agent factory for investigation agent
- Added `boto3>=1.42.25` as a dependency for AWS API integration

**Changed:**

- Updated all red team network toolsets in `src/ares/tools/red/network.py` to execute commands remotely via SSM instead of subprocess, centralizing command execution and error handling
- Refactored Taskfile and documentation defaults: lowered polling mode steps to 50 and once mode steps to 15 for agent timeouts; clarified timeout behaviors in `README.md` and `docs/taskfile_usage.md`
- Updated AWS region defaults in `Taskfile.yaml` from `us-west-2` to `us-west-1`
- In red team orchestrator, added fail-fast SSO credential validation before starting operations
- Improved admin access finding validation in red team reporting to reject error-containing results and require success indicators
- Improved blue agent orchestrator with a hard signal-based timeout and robust MCP connection handling
- Registered new blue team tools and query templates in import/export lists
- Updated dependency and lock files (`pyproject.toml`, `uv.lock`) to add and pin `boto3` and compatible AWS packages, and remove unused aiobotocore/aioitertools
- Cleaned up subprocess error handling in red team tools, removing timeouts and local file usage in favor of remote SSM execution

**Removed:**

- Eliminated all local subprocess execution for red team operations in favor of SSM-based remote execution
- Removed unused and incompatible `aiobotocore` and `aioitertools` packages from lock file
…igation agent

**Added:**

- Introduced `WatchdogTimer` class for enforcing hard investigation timeout using a background thread, enabling forced exit and partial report generation even if the event loop is blocked

**Changed:**

- Replaced Unix-only signal-based hard timeout with cross-platform watchdog thread in `InvestigationOrchestrator`
- Updated timeout handling logic to use the new watchdog and improved partial report generation upon timeout
- Cleaned up code by removing signal handler setup and exception raising for timeout, delegating forced exit to the watchdog
- Adjusted logging to reflect new watchdog mechanism and clarify timeout events

**Removed:**

- Removed dependency on `signal` module and associated signal handler logic for timeouts
- Eliminated `InvestigationTimeoutError` usage and related exception handling from the orchestration flow
- Removed code for restoring old signal handlers and alarm cleanup, as they're no longer needed
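The watchdog-thread timeout described in the commit above, as an added example that is not the project's code: the class body, `run_investigation`, the `exit_fn` parameter and the exit code are assumptions made for illustration. It shows why a background thread can still produce a partial report when the main thread is blocked, which a `signal`-based alarm cannot do portably.

```python
import os
import threading
import time


class WatchdogTimer:
    """Hard timeout enforced from a daemon thread (illustrative, not the project's class)."""

    def __init__(self, timeout_s, on_timeout):
        self._timeout_s = timeout_s
        self._on_timeout = on_timeout
        self._cancelled = threading.Event()
        self._thread = threading.Thread(target=self._run, name="watchdog", daemon=True)

    def start(self):
        self._thread.start()
        return self

    def cancel(self):
        self._cancelled.set()

    def _run(self):
        # wait() returns True only if cancel() arrived before the deadline.
        if not self._cancelled.wait(self._timeout_s):
            self._on_timeout()


def run_investigation(work, timeout_s, exit_fn=None):
    """Run work(state) under the watchdog; return the partial report if it fired, else None."""
    state = {"evidence": []}
    reports = []

    def on_timeout():
        # Runs on the watchdog thread, so it works even while the main thread is stuck.
        # A real handler would persist the report to disk before exiting.
        reports.append({"status": "timed_out", "evidence": list(state["evidence"])})
        # Assumed forced exit: os._exit skips cleanup handlers; 124 is a constructed exit code.
        (exit_fn or (lambda: os._exit(124)))()

    watchdog = WatchdogTimer(timeout_s, on_timeout).start()
    try:
        work(state)
    finally:
        watchdog.cancel()
    return reports[0] if reports else None


if __name__ == "__main__":
    def blocked(state):  # constructed stand-in for a blocked event loop
        state["evidence"].append("alert-1")
        time.sleep(0.3)
    print(run_investigation(blocked, 0.05, exit_fn=lambda: None))
```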
…vestigation flow

**Added:**

- Introduced /logs/ directory for agent log files and updated .gitignore to exclude it
- Added log directory configuration and automatic log file creation for blue and red team tasks in Taskfile.yaml
- Implemented Taskfile log management tasks: list, tail (latest/all/blue/red), and clean
- Added log management usage docs to `docs/taskfile_usage.md`
- Created timeline event from alert at investigation start for improved reporting
- Added `reset_query_tracking()` and query counting utilities to blue_factory to enforce query and tool call limits per investigation
- Wrapped Grafana MCP query tools with rate limiting and duplicate query detection
- Added max queries/tool calls stop conditions to investigation agent
- Blue `record_evidence()` tool now resolves and caches MITRE technique names/tactics
- Red agent event logging now debounces rapid/duplicate events for cleaner logs
- Red team `secretsdump` tool now includes SMB connectivity check, dc_ip param, and connection timeouts

**Changed:**

- Default max_steps for blue investigation agent lowered from 150 to 30 for tighter control
- Updated all relevant blue and red team tasks to log to per-run logfiles in /logs/
- Blue team investigation flow now enforces strict query and tool call limits; agent is forced to complete if limits are hit
- Blue `complete_investigation()` tool now auto-extracts recommendations from alert annotations if none provided, generates fallback synopsis from evidence, and logs more completion details
- Enhanced evidence recording: technique metadata resolved and timeline event auto-added from alert
- Initial alert prompt and system instructions templates now emphasize query limits, correct IOC extraction, and completion criteria; anti-patterns highlighted
- Investigation docs and usage updated to clarify new stop conditions, log management, and completion requirements
- Improved blue investigation docs and templates to stress the importance of IOC extraction, evidence recording, and attack synopsis requirements

**Removed:**

- Removed unused/obsolete warnings and manual validations from blue completion tool
- Legacy query loop detection logic replaced by new global query/tool call limiters
…and query resilience

**Added:**

- Introduced a Red-Blue Correlation Engine for mapping red team activities to blue team detections, generating coverage metrics and detailed markdown reports (`src/ares/core/correlation.py`)
- Implemented a persistence layer for storing investigation results, tracking query effectiveness, and similarity-based lookup for new alerts (`src/ares/core/persistence.py`)
- Added query resilience module to provide automatic retry, time range reduction, and chunking for large queries to Loki/Prometheus backends (`src/ares/core/query_resilience.py`)
- Added `LearningTools` agent toolset to expose past investigation data, effective queries, false positive patterns, and statistics to the agent (`src/ares/tools/blue/learning.py`)
- Introduced workflow for generating and updating coverage badge in CI (`.github/workflows/coverage-badge.yaml`)
- Added static badge for code coverage to repo (`.github/badges/coverage.svg`)
- Added comprehensive test suites for correlation, learning, persistence, and query resilience modules (`tests/test_correlation.py`, `tests/test_learning.py`, `tests/test_persistence.py`, `tests/test_query_resilience.py`)

**Changed:**

- Extended `InvestigationOrchestrator` to persist all completed, escalated, timed out, and failed investigations for later learning and analysis
- Updated query tool wrapping in `blue_factory.py` to integrate rate limiting, duplicate detection, and resilient execution via the new resilience module
- Added `LearningTools` to agent toolset for blue investigations
- Updated `.pre-commit-config.yaml` to exclude `tests/` from mypy type checks
- Modified test workflow to output coverage as XML and upload coverage artifact for badge generation (`.github/workflows/tests.yaml`)
- Updated `src/ares/tools/blue/__init__.py` to export new learning tools
- Various code comments and docstrings cleaned up for clarity and conciseness

**Removed:**

- None
**Changed:**

- Refactored LearningTools to use a public `store` attribute instead of a private `_store` with property logic, simplifying initialization and access
- Replaced all direct store accesses with a `get_store()` method to ensure store is initialized when needed
- Updated tests to use the public `store` attribute and `get_store()` method, reflecting the new initialization and access pattern
- Improved class and attribute documentation for clarity
CAP-822 Add AWS SSM Remote Execution & Enhance Blue/Red Tooling
Description: Objective: Enable remote command execution on EC2 instances via AWS SSM, enhance blue team investigation capabilities with new query templates and SOC tools, improve red team network scanning, and update configuration defaults and documentation for better usability. Scope of Work:
Dependencies:
Acceptance Criteria:
Additional Notes:
…enhance-bluered-tooling
Key Changes:
Added:

- `src/ares/core/correlation.py` parses red and blue reports, correlates activities to detections, generates gap/coverage reports, and outputs markdown
- `src/ares/core/persistence.py` provides SQLite-backed storage for investigation results, query effectiveness stats, and similarity lookup
- `src/ares/tools/blue/learning.py` exposes tools for querying historical investigations, effective queries, and false positive patterns for agent learning
- `src/ares/core/query_resilience.py` adds automatic retry, time range reduction, and chunking for large log queries
- `src/ares/core/remote.py` enables AWS SSM-based remote execution for red team tools, with robust SSO credential validation
- `tests/test_correlation.py`, `tests/test_persistence.py`, `tests/test_learning.py`, `tests/test_query_resilience.py`
- `src/ares/tools/blue/query_templates.py` provides pre-built LogQL queries mapped to MITRE techniques

Changed:

- `boto3` as a required dependency

Removed: