-
-
Notifications
You must be signed in to change notification settings - Fork 399
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Playbooks (automated scripts) #628
Comments
yeah it does make sense. In particular because now we have so many analyzers that it is difficult for people to understand which one to use or not. The first instinct is to just run all the analyzers. Also, experienced users could create custom playbooks to have a flow that they can easily repeat each time. Plus, I would create 2 different levels:
|
I have been thinking about this issue. The one problem I always tend to get stuck on is how would you let the users parse the varied API responses safely. 1. How would we even let the users parse this data:What I mean is: One analyzer might return something like: To pass this on to the next analyzer, we would require letting people be able to select this data. How would that be precisely implemented in the safest way possible technically? There isn't much I can myself come up with other than developing a light parsing "language" of sorts. Is there something already available like this which is safer? 2. The analyzer responses can be complicated:There are analyzers that often respond with nested dictionaries and lists. For example, Something like For these data structures, We might end up being slightly limited. They might need a more advanced parsing language to allow looping as well. Fitting this in the workflow might get too complicated. To be fair, for the time being we can start with something simpler and just tackle the former problem. Tl;Dr Where do we define the limits for this idea? And how do we even get our hands on a "parsing language" of sorts to get this done safely? My assumption for these points is that we are treating these playbooks as YAML files that users can upload directly on IntelOwl (this made sense from @eshaan7's description. Even something pluggable makes sense really. Depends on how you folks would like to pursue this project further.) 3. Where would we want to implement this?Should we focus these "playbooks" to be a frontend feature or a backend one? Because all our APIs are nicely in place. We can make it so that the frontend maps the flow with the analyzers and connectors, and does the job while saving the playbook script as an option to be rerun in the future for only that particular user. We can do the same but make it do all this work in the backend. This is doable as well. We will have to decide which option is more convenient w.r.t the amount of potential work to be done, security, scalability..etc. Another way is to make it one file that the admin can plug into their backend. But this suggestion doesn't seem all that convenient. cc: @mlodic |
I really love your participation. First, to be more clear, in my comment I suggested 2 levels ("playbooks", first one, and "investigations", second one): we also split this issue here #680. So, in some way, I think it could be possible to tackle one issue at a time. First, the "easier" playbooks, then the investigations. The "investigation feature" is the most complicated one but also maybe the most important for the future of the project. Then, regarding your considerations:
|
Thank you for the clarification Matteo! I think I confused myself between what a "Playbook" was in here and what an "Investigation" was. So basically,
|
exactly! |
@0x0elliot - I like how well you articulated the potential issues/considerations that have to be taken care of as we implement this feature. These are issues that I have thought of already but were at the back-of-my-mind and did not get time to publicly explain here but you did a great job so kudos for that.
Backend. A
The playbooks will be another type of "plugin" so that means each playbook configuration will be stored in JSON file and will have a corresponding python class (referenced in |
Thanks for clearing things up further! I appreciate it. |
Continuing this thread, I would like to clear up two more things @mlodic and @eshaan7 The presence of a
|
I have the same doubts of @0x0elliot. Maybe @eshaan7 could clarify them to us.
imho definitively too much hacky. I have also said something in the #433 about. I think that, generally, we should start to move away JSON configuration files as much as possible. In my opinion, it would make sense to have the playbooks managed regularly with the Postgres DB. The user would choose which ones to create, keep and mantain. We would just provide the tool to do that. |
I agree with Matteo here. In my opinion, We should write new serializers for playbooks separately and avoid using a JSON config file for the time being. We should start with simply letting people either:
In either case, We can let the frontend take care of the parsing and send the data in the appropriate format to the backend where this data would be stored in the database for My only solvable concern with this approach is what the most appropriate structure for the database models would look like. As in, How we would map the |
I am not in favor of moving away from the JSON configuration files. In my opinion, that is one of the most important USP of IntelOwl i.e. dead simple customization. This is why, ideally, we want one solution that allows us store these 3 configurations (analyzer, connector, playbook) as JSON files but also allows the user to manage these configurations from the GUI/API. Furthermore, #433 is the issue for this problem. Whatever solution we design should be made thinking of all 3 plugin types since this is not a playbooks specific thing. Obviously I am open to the all kinds of new ideas (including dropping JSON files but only if I hear a viable and future-proof alternative).
I agree with you. You can think of it this way -- we can optionally allow I feel strongly that the role of IntelOwl is to only lay the foundations in fetching and sending data while providing maximum customization in parsing and ordering of data in each step. But to play the devil's advocate, my thinking here is without taking into consideration the 2nd part which is "investigations" - it could make total sense to not allow custom logic in playbooks and leave that part completely to #680. |
Yeah, I don't want to drop any actual feature that allows customization.
This is smart idea. |
This is a pretty good idea! I think this discussion by now has cleared a lot of technicalities of what a playbook class if implemented, should look like to me. As for investigations, what I understood from this discussion is that I should first have the playbooks feature properly implemented and then move further to |
* Initialising work on Playbooks * Setting up playbook_config.json * Setting up playbook_config.json * Debugging playbook dataclass file * Debugging playbook serializer file * Debugging playbook serializer file * Debugging playbook serializer file * Debugging core serializer file for playbooks * Debugging core serializer file for playbooks * Setting up test cases, urls and views for playbooks * Fixing playbook tests * Adding playbooks urls * Fixing playbooks urls * Debugging playbooks python_module * Saving progress * Analyze request update. * Updated Job models * Cleaning playbooks_manager * Cleaning playbooks_manager * Adding test playbook values * Cleaning playbooks dataclass * Updating playbook_config.json for testin * Debugging controller file * Debugging controller file * Debugging controller file * Debugging controller file * Adding playbook specific responses * Debugging backend * Optimising job reports for playbooks * Adding frontend scanning support for IntelOwl. * Adding frontend scanning support for IntelOwl. * Adding scan all support for IntelOwl * Getting plugins page ready * Setting up job results page * Refactoring playbook scanform * Fixing runtime_configuration bug * Fixing job status update bug to set job status to running for Playbooks * Fixing job status update bug for playbooks * Fixing job status update bug for playbooks using chords * populating analyzers_to_execute and connectors_to_execute in Playbook APIs * Adding proper logging to Playbooks * Taking care of conflicts * Making it work after taking care of conflicts. * Fixing scanform changes * Fixing scanform changes * Fixing the frontend after merging Playbooks branch * Removing grouping of Playbooks for now * Adding backend changes to support the additions of multiple observables * Taking care of errors in adding Backend support * Fixing dataclass errors after merge * Fixing dataclass errors after merge [All parameters] * Fixing the frontend after taking care of backend merge conflicts * Fixing frontend bugs * Acting on FFlake8 suggestions * Making requested changes (cleaning up the code mostly) * Fixing circular imports issue * Fixing circular import issues by creating a utility.py file * Fixing circular import issues by creating a utility.py file and importing tasks inside the functions themselves. * Fixing invalid arguments bug for filter_playbooks() * Fixing cleaning data in from_dict() for PlaybookConfig * Fixing cleaning data in from_dict() for PlaybookConfig [1] (pop error) * Fixing cleaning data in from_dict() for PlaybookConfig [2] (dictionary iteration error) * Fixing cleaning data in from_dict() for PlaybookConfig [3] (dictionary creation error) * Fixing cleaning data in from_dict() for PlaybookConfig [4] (dictionary creation error) * Returning appropriate response for Playbook endpoints * Cleaning up API response for Playbook endpoints * Fixing up the frontend to show jobIds and redirect accordingly. * Fixing scanpage frontend and backend API bugs * Fixing package.json format * Fixing up the frontend to show jobIds and redirect accordingly [1] * Fixing backend type errors * Adding migrations * Adding migrations * Adding FREE_TO_USE_ANALYZERS Playbooks * Adding Playbook tests. * Adding Playbook tests and removing comments which were for me * Adding playbook test cases * Fixing frontend bugs * Fixing frontend bugs [2] * Fixing frontend bugs [3] * Fixing frontend bugs [4] * Fixing frontend bugs [5] * Fixing frontend bugs where plugins other than Playbooks weren't loading * Fixing import error for logging * Removing utility.py and making all it's functions classmethods/staticmethods of appropriate classes * Fixing logging library's import error * Fixing backend API bugs [1] * fixing uuid import error * Adding pre-commit suggested changes * Fixing frontend bug where requests for files were sent to observable endpoint instead * Fixing frontend bug where requests for files were sent to observable endpoint instead [1] * Fixing frontend bug where requests for files were sent to observable endpoint instead [2] * Fixing parent_playbook=null issue * Fixing parent_playbook=null issue [1] * Adding free to use playbooks with all free analyzers, Fixing supports' * Fixing ObservableTypeWithFile inheritence errors * Adding 'AllTypes' as an ENUM for choices in Playbooks * Fixing inheritence errors in AllTypes * Fixing issue where backend runs any observable for playbooks whether supported or not * Fixing issue where backend runs any observable for playbooks whether supported or not [1] * Adding linting * Enabling multiple observable job results in playbook analyze scan result and adding CodeDoctor suggestions. * Fixing migrations * Untracking yarn.lock * Adding test case for stack_analyzers and fixing AnalyzerActionViewSet perform_retry errors * Adding test cases and fixing frontend bugs * Adding linting * Adding linting * Fixing test cases * Fixing test cases [1] and adding linting * Fixing test cases [2] and adding linting * Fixing test cases [3] and adding linting * Fixing test cases [4] and adding linting * Fixing test cases [5] and adding linting * Fixing test cases [5] and adding linting * Adding suggestions for the frontend. * Adding suggestions for the frontend [1] * Adding suggestions for the frontend [2] * Reducing Description max length * Reducing Description minWidth for Playbooks plugin page * Reducing Description minWidth for Playbooks plugin page [1] * Reducing Description minWidth for Playbooks plugin page [2] * Adding the handling of analyzer/connector report numbers differently on the frontend when playbooks are run * Fixing package.json changes * Fixing test case breaking changes * Fixing test case breaking changes [1] * Fixing the number of analyzers, connectors and playbooks that show up on 'Plugins Executed' * Adding analyzer/connector to playbook toggle through radio buttons * Removing frontend comments * Wrapping up frontend for Playbooks feature along with all known bugs 🎉 * Fixing pre-commit errors * Disabling run_all * Adding frontend support for disabling run_all for playbooks * improving UX for playbooks * Rewriting playbook serializers * Fixing Serializers * Fixing lint errors * Fixing status code 500 for playbook APIs * Fixing bug in playbook serializers that led to no analyzers/connectors being run * Fixing 500 bugs in playbook run APIs * Fixing start_playbook() related errors * Fixing playbook file scan errors * Fixing playbook file scan errors [1] * Fixing playbook file scan errors [2] * Fixing playbook file scan errors [3] * Fixing playbook file scan errors [4] * Fixing serializers and frontend * Fixing serializers [Analyzers and connectors] and frontend * Revert "Fixing serializers and frontend" This reverts commit e7fc34b. * Reverting * Fixing serializers * Fixing serializers * Fixing serializers [1] * Fixing serializers [2] * Fixing serializers validation * Fixing serializers validation for connectors * Adding playbook documentation * Fixing bug where error led to parent_playbook remaining empty * Making it necessary for playbooks to be not empty * Minor fix for the last commit * Making parent_playbook nullable * Adding new migrations and model changes * Fixing multiple values for argument errors * Adding support for playbooks and custom configs & fixing bugs * Fixing response bugs * Fixing response serializer bugs [1] * Fixing tasks for playbooks * Removing unnecessary warnings from showing up on the UI * Adding warning changes for all serializers and optimising filter_connectors * Fixing playbook related model values and optimising before_run() methods * Fixing not null errors due to parent_playbook value * Adding better logging in test cases * Adding debugging logs for test cases * Adding debugging logs for test cases [fixing linting] * Adding debugging logs for test cases [1] * Fixing connector checks during CI checks * Fixing connector serializer * Optimising connector support in playbooks * Fixing CI related connector test case issues * Fixing before_run function for files * Fixing typo in controller function start_playbook() * Adding changes for playbooks * Adding test cases for playbooks * Updating tests for playbooks * Fixing tests * Fixing auto-imports * Fixing test_start_playbooks_observable * Adding TEST_PLAYBOOKS for ci * Adding debugging logs for playbook tests * Handling exceptions in playbook serializers * Fixing linting errors * Moving playbooks up for a while * Covering edge cases for playbooks * Moving playbook test workflow up and covering edge cases for playbooks * Debugging tests for playbooks * Fixing playbook tests * Making playbook tests for a single playbook * Fixing bugs in playbook tests * Fixing bugs in playbook tests [1] * Fixing bugs in playbook tests [2] * Adding documentation and playbook test case for files * Fixing tests for playbook files * Fixing tests for playbook files [adding querydict] * Fixing bugs in tests for playbook files * Removing failing integrations * Removing failing integrations * Removing useless f strings * Removing analyzers which took too long from free playbook provided * Pushing playbooks down in github workflows * Fixing frontend warnings * Bump django from 3.2.14 to 3.2.15 in /requirements (#1144) Bumps [django](https://github.com/django/django) from 3.2.14 to 3.2.15. - [Release notes](https://github.com/django/django/releases) - [Commits](django/django@3.2.14...3.2.15) --- updated-dependencies: - dependency-name: django dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Adding PR suggested changes * Adding instructions for contributors to add free analyzers in free analyzers playbooks * Adding instructions for contributors to add free analyzers in free analyzers playbooks * Letting analyzers fail in playbook tests * Fixing linting * fixing playbook tests * fixing linting errors * Squashing migrations together * Adding instructions in PR templates * adjusted migrations Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Matteo Lodi <30625432+mlodic@users.noreply.github.com>
closed with #1238 |
Description:
Playbooks could be high-level abstraction to an IntelOwl analysis. Pre-written playbooks that define a flow like:
For example, if a user wants that: given an IP: get the netblocks -> the AS Number -> BGP peering data, etc. Then a playbook could be written by them or included directly in IntelOwl to automate such a flow.
Implementation Idea:
Playbook
could be another type ofPlugin
class.I do think this could be a great addition to IntelOwl.
Nothing about the implementation is final because this idea is still very fresh (we can even think of a different name other than "playbook") so I wish to encourage everyone to discuss about this in detail below.
The text was updated successfully, but these errors were encountered: