
Correlations #2455

Merged
merged 19 commits into from
Jul 22, 2022

Conversation

jameskerr
Member

@jameskerr jameskerr commented Jul 20, 2022

fixes #2443

This is exciting. We've heard from users who want to add custom correlation queries to brim. Before this PR, each correlation (zeek, suricata, md5) was implemented slightly differently and was hard-coded. This unifies the implementation and takes a huge step towards third-party correlations.

A significant change was extending the "Results" state slice. Now it can hold results for any number of queries, not just the main query. You provide an "id" whenever you set or select results.

I also created a simple api.query method on our BrimApi class. It cleans up after itself so that you don't have to think about it.

Finally, I've made a correlations/run() thunk that uses the above two features. Each correlation is given an id, the query is issued, and the results are saved to the Results state slice under that id.

Each correlation React component looks up the results by the relevant id.

The last piece of the puzzle is converting the brimcap-plugin to a new system. It currently relies on a thunk fetchCorrelation that needs to be deleted. We need to decide if we should issue a new query, or wait for the zeek query to find the conn record.

UPDATE:

  1. All of the correlations now live in the plugins folder. 🎉
  2. The brimcap plugin has been updated to not rely on the fetchCorrelation.

There is now a new api section called correlations.

It works like this:

// myplugin.ts

const md5Correlation: Correlation = {
  id: "zui-zeek/md5-correlation",
  when: hasMd5,
  query: (api) => {
    const md5 = api.current.value.get("md5").toJS()
    return zql`
        from ${api.current.poolName} 
        | md5==${md5} 
        | count() by md5 
        | sort -r 
        | head 5`
  },
}

api.correlations.add(md5Correlation)

Whenever the current value (selected) changes, we call dispatch(runCorrelations()). It will grab all the correlation objects off the api, loop through them, check if they should run with the when property, then run the query returned from the query property.

The results get saved to the results slice under the correlation's id property.

Next Steps

To allow third-party JavaScript to add their own correlations, we only need to do two things:

  1. Pick a "plugins folder" for the app to look for this code
  2. Update the UI to loop through the configured correlation configurations and create the components automatically based off the configuration. We'll need to add more properties to the correlation configs like title, caption, type, and so on. At first we'll just have two types: table and timeline. Each one will have its own configuration properties.
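The registry-and-runner flow described above (a Correlation with id, when and query, api.correlations.add(), and a runCorrelations() pass that stores each result under the correlation's id), as an added example that is not the PR's or the Zui/Brim project's code. It stands in a synchronous in-memory query engine for the real async api.query and zql template, so a correlation's query returns a {pool, where, limit} object instead of a zql string; the Query type, CorrelationRegistry, makeApi, runSample, the FETCHING/SUCCESS status values (only "ERROR" appears in this PR) and the sample records are all constructed for this example.

```typescript
// Added example, not Zui/Brim project code: a small model of the
// correlation registry and runner the PR describes. The in-memory query
// engine, Query shape, status values and sample records are assumptions.

type ZedRecord = Record<string, unknown>
// Stand-in for the zql template string a real correlation returns.
interface Query {pool: string; where: (r: ZedRecord) => boolean; limit?: number}

// The part of the plugin api a correlation sees: the selected value and a
// way to run a query (synchronous here; the real api.query is async).
interface CorrelationApi {
  current: {poolName: string; value: ZedRecord}
  query: (q: Query) => ZedRecord[]
}

interface Correlation {
  id: string
  when: (api: CorrelationApi) => boolean
  query: (api: CorrelationApi) => Query
}

type Status = "FETCHING" | "SUCCESS" | "ERROR"
interface ResultEntry {status: Status; values: ZedRecord[]; error?: string}
type ResultsSlice = Map<string, ResultEntry> // the Results slice, keyed by id

// What api.correlations.add() appends to. Ids must be unique: each React
// component looks its results up by that id.
class CorrelationRegistry {
  private items = new Map<string, Correlation>()
  add(c: Correlation): void {
    if (this.items.has(c.id)) throw new Error(`duplicate correlation id: ${c.id}`)
    this.items.set(c.id, c)
  }
  all(): Correlation[] {
    return [...this.items.values()]
  }
}

// One runCorrelations() pass: for each registered correlation, check
// `when`, run `query`, and store the outcome under its id. A failing query
// marks only its own entry ERROR; the remaining correlations still run.
function runCorrelations(
  api: CorrelationApi,
  registry: CorrelationRegistry,
  results: ResultsSlice = new Map()
): ResultsSlice {
  for (const c of registry.all()) {
    if (!c.when(api)) continue
    results.set(c.id, {status: "FETCHING", values: []})
    try {
      results.set(c.id, {status: "SUCCESS", values: api.query(c.query(api))})
    } catch (e) {
      results.set(c.id, {status: "ERROR", values: [], error: String(e)})
    }
  }
  return results
}

// Assumed helper: an api whose query runs over in-memory pools.
function makeApi(pools: Record<string, ZedRecord[]>, current: CorrelationApi["current"]): CorrelationApi {
  return {
    current,
    query: (q) => {
      const rows = pools[q.pool]
      if (!rows) throw new Error(`no such pool: ${q.pool}`)
      const hits = rows.filter(q.where)
      return q.limit === undefined ? hits : hits.slice(0, q.limit)
    },
  }
}

// Two correlations in the shape of the md5 one from the PR description.
const md5Correlation: Correlation = {
  id: "zui-zeek/md5-correlation",
  when: (api) => typeof api.current.value.md5 === "string",
  query: (api) => ({pool: api.current.poolName, where: (r) => r.md5 === api.current.value.md5, limit: 5}),
}
const connCorrelation: Correlation = {
  id: "zui-zeek/conn-correlation",
  when: (api) => typeof api.current.value.uid === "string",
  query: (api) => ({pool: api.current.poolName, where: (r) => r._path === "conn" && r.uid === api.current.value.uid}),
}

// Constructed sample pool: three Zeek files records and two conn records.
const SAMPLE_POOL: ZedRecord[] = [
  {_path: "files", uid: "Cuid1", md5: "aaa"},
  {_path: "files", uid: "Cuid2", md5: "aaa"},
  {_path: "files", uid: "Cuid3", md5: "bbb"},
  {_path: "conn", uid: "Cuid1", "id.orig_h": "10.0.0.5"},
  {_path: "conn", uid: "Cuid2", "id.orig_h": "10.0.0.6"},
]

// Register the built-in correlations plus any extras and run one pass
// against a selected value, as dispatch(runCorrelations()) would.
function runSample(value: ZedRecord, extra: Correlation[] = []): ResultsSlice {
  const registry = new CorrelationRegistry()
  for (const c of [md5Correlation, connCorrelation, ...extra]) registry.add(c)
  return runCorrelations(makeApi({sample: SAMPLE_POOL}, {poolName: "sample", value}), registry)
}

console.log(runSample({_path: "files", uid: "Cuid1", md5: "aaa"}))
```

The points worth noticing for a plugin system: the registry rejects duplicate ids, because an id is the only key the Results slice and the React components share; a correlation whose `when` returns false is skipped rather than run; and a query that throws poisons only its own entry, so one broken third-party correlation cannot take the built-in ones down with it.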

@jameskerr jameskerr requested a review from mason-fish July 22, 2022 17:31
Contributor

@mason-fish mason-fish left a comment


This is awesome, nice work!! 🔥

s.status = "ERROR"
},
error: (s, a: Pay<{id: string; error: any; tabId: string}>) => {
console.log(a)
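Review bot: `console.log(a)` inside the `error` reducer looks like leftover debugging and will print every failed correlation payload to the console; drop it before merge. While here, `error: any` in the payload type lets an arbitrary object (including a non-serialisable Error) be stored in the Results slice under `s.status = "ERROR"`; narrowing it to `string | Error` and storing only the message keeps the slice serialisable.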

still want this?

id: `brimcap/try-conn-${queryId}`,
})
const [conn] = await res.zed()
console.log(conn)
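Review bot: `const [conn] = await res.zed()` assumes the `brimcap/try-conn-${queryId}` query returned at least one record; when no conn record is found, `conn` is `undefined` and whatever uses it next will throw rather than leave the correlation empty. Guard the empty result explicitly (`if (!conn) return`) and remove the `console.log(conn)` left from debugging.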

🪵

@@ -83,12 +84,15 @@ export default class BrimcapPlugin {
this.updateSuricata()
}

private async tryConn(detail: zed.Record, eventId: string) {
// TODO: dispatch is only temporarily public to plugins, so this won't always be needed
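Review bot: the TODO on `tryConn` says `dispatch` is only temporarily public to plugins, but nothing links the follow-up that will narrow it. Handing a plugin the app's dispatch lets it mutate any state slice, not just its own correlation results, so please reference the tracking issue in the comment and note which actions the brimcap plugin actually still needs, so the temporary exposure is not forgotten once the correlations api covers them.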

So happy this is now handled by this PR :)

public getState: () => State

constructor() {}
private dispatch: AppDispatch
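Review bot: `getState` and `dispatch` are declared without initialisers while `constructor() {}` is empty, so both are undefined until something outside the class assigns them; a plugin calling `api.getState()` before that wiring runs will get a TypeError. Either take them as constructor parameters or mark them with definite assignment (`public getState!: () => State`) so the initialisation order is explicit in the type. Keeping `dispatch` private while `getState` is public matches the intent of the `tryConn` TODO.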

👏


Successfully merging this pull request may close these issues.

connCorrelation query misses Suricata alerts due to timestamps (regression at b819d7e)