Merge branch 'incident-management' of https://github.com/socfortress/…

…CoPilot into incident-management

backend/app/incidents/routes/db_operations.py

@@ -30,7 +30,7 @@
 from app.incidents.schema.db_operations import AlertContextResponse
 from app.incidents.schema.db_operations import AlertCreate
 from app.incidents.schema.db_operations import AlertOut
-from app.incidents.schema.db_operations import AlertOutResponse
+from app.incidents.schema.db_operations import AlertOutResponse, SocfortressRecommendsWazuhFieldNames, SocfortressRecommendsWazuhAssetName, SocfortressRecommendsWazuhTimeFieldName, SocfortressRecommendsWazuhAlertTitleName, SocfortressRecommendsWazuhResponse
 from app.incidents.schema.db_operations import AlertResponse
 from app.incidents.schema.db_operations import AlertStatus
 from app.incidents.schema.db_operations import AlertTagCreate
@@ -92,7 +92,7 @@
 from app.incidents.services.db_operations import list_alerts_by_asset_name
 from app.incidents.services.db_operations import list_alerts_by_tag
 from app.incidents.services.db_operations import list_cases
-from app.incidents.services.db_operations import list_cases_by_assigned_to
+from app.incidents.services.db_operations import list_cases_by_assigned_to, list_alerts_by_title
 from app.incidents.services.db_operations import list_cases_by_status
 from app.incidents.services.db_operations import replace_alert_title_name
 from app.incidents.services.db_operations import replace_asset_name
@@ -130,6 +130,18 @@ async def get_available_indices(source: str, session: AsyncSession = Depends(get
         message="Indices retrieved successfully",
     )
 
+@incidents_db_operations_router.get("/socfortress/recommends/wazuh", response_model=SocfortressRecommendsWazuhResponse)
+async def get_socfortress_recommends_wazuh(session: AsyncSession = Depends(get_db)):
+    return SocfortressRecommendsWazuhResponse(
+        field_names=[field.value for field in SocfortressRecommendsWazuhFieldNames],
+        asset_name=SocfortressRecommendsWazuhAssetName.agent_name.value,
+        timefield_name=SocfortressRecommendsWazuhTimeFieldName.timestamp_utc.value,
+        alert_title_name=SocfortressRecommendsWazuhAlertTitleName.rule_description.value,
+        source="wazuh",
+        success=True,
+        message="Field names and asset names retrieved successfully",
+    )
+
 
 @incidents_db_operations_router.get("/configured/sources", response_model=ConfiguredSourcesResponse)
 async def get_configured_sources(session: AsyncSession = Depends(get_db)):
@@ -408,6 +420,16 @@ async def list_alerts_by_asset_name_endpoint(
 ):
     return AlertOutResponse(alerts=await list_alerts_by_asset_name(asset_name, db, page=page, page_size=page_size), success=True, message="Alerts retrieved successfully")
 
+@incidents_db_operations_router.get("/alerts/title/{title}", response_model=AlertOutResponse)
+async def list_alerts_by_title_endpoint(
+    title: str,
+    page: int = Query(1, ge=1),
+    page_size: int = Query(25, ge=1),
+    db: AsyncSession = Depends(get_db)
+):
+    return AlertOutResponse(alerts=await list_alerts_by_title(title, db, page=page, page_size=page_size), success=True, message="Alerts retrieved successfully")
+
+
 @incidents_db_operations_router.get("/cases", response_model=CaseOutResponse)
 async def list_cases_endpoint(db: AsyncSession = Depends(get_db)):
     return CaseOutResponse(cases=await list_cases(db), success=True, message="Cases retrieved successfully")

backend/app/incidents/routes/incident_alert.py

@@ -97,7 +97,6 @@ async def create_alert_route(
         CreateAlertResponse: The response object containing the result of the alert creation.
     """
     logger.info(f"Creating alert {create_alert_request.alert_id} in CoPilot")
-    # return await create_alert(create_alert_request, session)
     return CreateAlertResponse(success=True, message="Alert created in CoPilot", alert_id=await create_alert(create_alert_request, session))
 
 

backend/app/incidents/schema/db_operations.py

@@ -15,6 +15,46 @@
 from app.incidents.models import Comment
 
 
+class SocfortressRecommendsWazuhFieldNames(Enum):
+    # ! Windows Events
+    data_win_eventdata_commandLine = "data_win_eventdata_commandLine"
+    data_win_eventdata_parentCommandLine = "data_win_eventdata_parentCommandLine"
+    data_win_eventdata_parentImage = "data_win_eventdata_parentImage"
+    data_win_eventdata_parentUser = "data_win_eventdata_parentUser"
+    data_win_eventdata_image = "data_win_eventdata_image"
+    data_win_eventdata_user = "data_win_eventdata_user"
+    rule_mitre_id = "rule_mitre_id"
+    rule_mitre_tactic = "rule_mitre_tactic"
+    rule_mitre_technique = "rule_mitre_technique"
+    data_win_eventdata_company = "data_win_eventdata_company"
+    data_win_eventdata_hashes = "data_win_eventdata_hashes"
+    data_win_eventdata_currentDirectory = "data_win_eventdata_currentDirectory"
+    data_win_eventdata_originalFileName = "data_win_eventdata_originalFileName"
+    # ! Windows SIGCHECK HITS
+    data_Path = "data_Path"
+    # ! Extra Use for Within CoPilot
+    process_id = "process_id"
+    sha256 = "sha256"
+
+class SocfortressRecommendsWazuhAssetName(Enum):
+    agent_name = "agent_name"
+
+class SocfortressRecommendsWazuhTimeFieldName(Enum):
+    timestamp_utc = "timestamp_utc"
+
+class SocfortressRecommendsWazuhAlertTitleName(Enum):
+    rule_description = "rule_description"
+
+class SocfortressRecommendsWazuhResponse(BaseModel):
+    field_names: List[str]
+    asset_name: str
+    timefield_name: str
+    alert_title_name: str
+    source: str
+    success: bool
+    message: str
+
+
 class AvailableSourcesResponse(BaseModel):
     source: str
     success: bool

backend/app/incidents/services/db_operations.py

@@ -919,6 +919,43 @@ async def list_alert_by_assigned_to(assigned_to: str, db: AsyncSession, page: in
         alerts_out.append(alert_out)
     return alerts_out
 
+async def list_alerts_by_title(alert_title: str, db: AsyncSession, page: int = 1, page_size: int = 25) -> List[AlertOut]:
+    offset = (page - 1) * page_size
+    result = await db.execute(
+        select(Alert)
+        .where(Alert.alert_name.like(f"%{alert_title}%"))
+        .options(
+            selectinload(Alert.comments),
+            selectinload(Alert.assets),
+            selectinload(Alert.cases),
+            selectinload(Alert.tags).selectinload(AlertToTag.tag),
+        )
+        .offset(offset)
+        .limit(page_size)
+    )
+    alerts = result.scalars().all()
+    alerts_out = []
+    for alert in alerts:
+        comments = [CommentBase(**comment.__dict__) for comment in alert.comments]
+        assets = [AssetBase(**asset.__dict__) for asset in alert.assets]
+        tags = [AlertTagBase(**alert_to_tag.tag.__dict__) for alert_to_tag in alert.tags]
+        alert_out = AlertOut(
+            id=alert.id,
+            alert_creation_time=alert.alert_creation_time,
+            time_closed=alert.time_closed,
+            alert_name=alert.alert_name,
+            alert_description=alert.alert_description,
+            status=alert.status,
+            customer_code=alert.customer_code,
+            source=alert.source,
+            assigned_to=alert.assigned_to,
+            comments=comments,
+            assets=assets,
+            tags=tags,
+        )
+        alerts_out.append(alert_out)
+    return alerts_out
+
 
 async def delete_comments(alert_id: int, db: AsyncSession):
     result = await db.execute(select(Comment).where(Comment.alert_id == alert_id))