This repository has been archived by the owner on Nov 3, 2021. It is now read-only.

Feature Request: Search box on Investigations and Incidents pages #352

Closed
Phrozyn opened this issue Jun 30, 2016 · 19 comments
Labels
ARCHIVED CLOSED at time of archiving category:feature

Comments

@Phrozyn
Contributor

Phrozyn commented Jun 30, 2016

When attempting to look for an incident or investigation that occurred in the past, it can be somewhat difficult. Having a search box to easily match on the content you are looking for could alleviate the issue.

@ajomadlabs

Can I also be part of this? I am really interested in taking this up. Could you explain more about this feature?

@Phrozyn
Contributor Author

Phrozyn commented Aug 16, 2017

@ajomadlabs Of course you can!

I'll work up some screenshots to post to this thread and explain later this evening.

@ajomadlabs

@Phrozyn Thank you

@Phrozyn Phrozyn assigned Phrozyn and unassigned Phrozyn Aug 17, 2017
@Phrozyn
Contributor Author

Phrozyn commented Aug 17, 2017

@ajomadlabs

This is what the page looks like as far as layout now. This can fill up over the course of a year, and if you ever wanted to go back and reference an investigation or incident, there's no way to actively search for it.

[Screenshot: screen shot 2017-08-17 at 10 24 25 am]

The code for MozDef UI lies in the meteor directory here:
https://github.com/mozilla/MozDef/tree/master/meteor

The investigations and incidents code is here:
https://github.com/mozilla/MozDef/blob/master/meteor/app/client/investigations.js
https://github.com/mozilla/MozDef/blob/master/meteor/app/client/investigationTable.html
https://github.com/mozilla/MozDef/blob/master/meteor/app/client/incidents.js
https://github.com/mozilla/MozDef/blob/master/meteor/app/client/incidentTable.html

Ultimately, we'd like a search feature that will allow us to:

  • search for events based on a word or IP stored in the event (summary, or date stored in any tab within the event)
  • find events entered by a specific user
  • find events between certain dates.
  • find events that match a specific phase/status (closed, holding, identification, escalation, evidence)

Let me know if this information helps, or if you need more!
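The four search criteria listed in the comment above, as an added example that is not part of the issue thread or of MozDef's code: a plain-JavaScript predicate the Meteor client could apply to incident records. The incident field names (summary, description, notes, creator, dateOpened, phase) and the sample records are assumptions.

```javascript
// Added example, not MozDef's own code. Field names on incident records
// (summary, description, notes, creator, dateOpened, phase) are assumed.
const INCIDENT_PHASES = ['identification', 'escalation', 'evidence', 'holding', 'closed'];
const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

function textMatcher(text) {
  const escaped = text.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  // An IP is matched as a whole token so that 10.0.0.5 does not hit 10.0.0.50;
  // any other word is matched as a case-insensitive substring.
  return IPV4.test(text)
    ? new RegExp('(^|[^\\w.])' + escaped + '(?=$|[^\\w.])')
    : new RegExp(escaped, 'i');
}

function matchesIncident(incident, q) {
  // q: { text, user, from, to, phase }, every key optional; from/to are
  // inclusive YYYY-MM-DD bounds on the day the incident was opened.
  if (q.text) {
    const body = [incident.summary, incident.description, ...(incident.notes || [])]
      .filter(Boolean).join('\n');
    if (!textMatcher(q.text).test(body)) return false;
  }
  if (q.user && incident.creator !== q.user) return false;
  const day = (incident.dateOpened || '').slice(0, 10); // ISO 8601 timestamps assumed
  if (q.from && day < q.from) return false;
  if (q.to && day > q.to) return false;
  if (q.phase) {
    if (!INCIDENT_PHASES.includes(q.phase)) throw new Error('unknown phase: ' + q.phase);
    if (incident.phase !== q.phase) return false;
  }
  return true;
}

function searchIncidents(incidents, q) {
  return incidents.filter((i) => matchesIncident(i, q));
}

// Constructed sample records, not real MozDef data.
const SAMPLE_INCIDENTS = [
  { summary: 'Phishing campaign against finance', creator: 'alice',
    dateOpened: '2017-03-02T09:15:00Z', phase: 'closed', notes: ['sender 10.0.0.50'] },
  { summary: 'Suspicious login', creator: 'bob',
    dateOpened: '2017-08-17T10:24:25Z', phase: 'identification', notes: ['source 10.0.0.5 via VPN'] },
  { summary: 'Malware on laptop', description: 'C2 beacon to 198.51.100.7', creator: 'alice',
    dateOpened: '2017-08-17T16:00:00Z', phase: 'escalation' },
];
```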

@ajomadlabs

@Phrozyn Can you assign me this issue?

@Phrozyn Phrozyn removed their assignment Aug 17, 2017
@Phrozyn Phrozyn self-assigned this Aug 17, 2017
@Phrozyn
Contributor Author

Phrozyn commented Aug 17, 2017

@ajomadlabs Have you forked the repo?
We've assigned you as a collaborator.

You'd have to accept the collaboration request before we can assign, I think.

@ajomadlabs

@Phrozyn I have forked the repo and accepted the collaboration request.

@Phrozyn
Contributor Author

Phrozyn commented Aug 17, 2017

I've assigned you to the issue!

Thanks for the help! Let us know if you have any further questions :)

@ajomadlabs

@Phrozyn Thanks.

@ajomadlabs

@Phrozyn Can I know where I should start from?

@ajomadlabs

@Phrozyn Can you provide me with docs on how I could run this locally?

@pwnbus
Contributor

pwnbus commented Aug 18, 2017

@ajomadlabs We have docker containers that you can build (we don't push them to a registry yet) that will stand up a local instance. Would that work for ya?

@ajomadlabs

@pwnbus So how should I start? Any specific guidelines?

@pwnbus
Contributor

pwnbus commented Aug 18, 2017

@ajomadlabs How would you get started with Docker or how would you get started with MozDef using docker?

@ajomadlabs

@pwnbus Can I get some guidance on both, starting with Docker as well as MozDef using Docker?

@pwnbus
Contributor

pwnbus commented Aug 18, 2017

For Docker, they have some good docs for folks starting out; I'd recommend looking at https://docs.docker.com/get-started/#setup

For running MozDef in docker, simply run
make simple-build
make simple-run

And if you want to shutdown the container:
make simple-stop

Once those commands finish (should take ~10 minutes to build), simply visit "http://127.0.0.1" for the web UI, and "http://127.0.0.1:9090/app/kibana" for the Kibana interface.

@pwnbus
Contributor

pwnbus commented Aug 18, 2017

FYI the docker stuff is quite recent for us, so we haven't properly added documentation for it, so let me know if you run into any problems!

@ajomadlabs

@pwnbus I am a bit slow as I am just catching up with Docker.

@pwnbus
Contributor

pwnbus commented Aug 24, 2017

@ajomadlabs Not a problem! Take however long you need. If you get stuck, let me know!

@cknowles-admin cknowles-admin added the ARCHIVED CLOSED at time of archiving label Nov 2, 2021