WIP: Add support for structured levels of alerts, detections and logging #431

Draft pull request: 1 commit to be merged into base branch main

Conversation

DonnchaC (Collaborator) commented:

Currently MVT only supports one level of "detected" events. This binary choice of detected or not detected can be limiting, as we may want to highlight certain suspicious events requiring manual analysis or review.

We currently log a warning for certain events. This, however, is limited, as these warnings will only be visible transiently in the command log and will not be stored in JSON for later parsing or analysis.

This is an early work-in-progress to test a possible design.

github-actions bot (Contributor) commented Nov 28, 2023:

Coverage Report

| File | Stmts | Miss | Cover | Missing |
|---|---|---|---|---|
| mvt/android | | | | |
| cli.py | 157 | 54 | 66% | 49, 57, 92–124, 164–188, 228–229, 236, 288–289, 296, 354–355, 362, 389–396, 408–409 |
| cmd_check_adb.py | 10 | 3 | 70% | 26–37 |
| cmd_check_androidqf.py | 34 | 5 | 85% | 57–60, 64 |
| cmd_check_backup.py | 63 | 18 | 71% | 60, 69–70, 78–79, 85–88, 95–108, 112 |
| cmd_check_bugreport.py | 39 | 7 | 82% | 51, 54–57, 70, 76 |
| cmd_download_apks.py | 86 | 68 | 21% | 38–42, 51–53, 63–97, 103–110, 114–170, 173–175, 178–182 |
| utils.py | 7 | 5 | 29% | 10–19 |
| mvt/android/artifacts | | | | |
| dumpsys_appops.py | 90 | 6 | 93% | 23, 89–90, 138–140, 146 |
| dumpsys_battery_daily.py | 42 | 2 | 95% | 42–43 |
| dumpsys_battery_history.py | 48 | 7 | 85% | 47–55, 68 |
| dumpsys_dbinfo.py | 42 | 5 | 88% | 60–65 |
| dumpsys_package_activities.py | 40 | 3 | 92% | 64, 70–71 |
| dumpsys_receivers.py | 57 | 6 | 89% | 24, 29, 34, 97, 103–104 |
| getprop.py | 31 | 3 | 90% | 40, 48, 51 |
| processes.py | 34 | 9 | 74% | 20, 24–25, 31, 55, 59, 63–65 |
| mvt/android/modules/adb | | | | |
| base.py | 147 | 111 | 24% | 51–61, 66–73, 77–138, 142, 146–148, 157, 166–167, 171–172, 185, 198–200, 218–224, 234–269, 282–306, 309–352, 356 |
| chrome_history.py | 36 | 23 | 36% | 30–38, 41, 50–55, 63–97, 100–109 |
| dumpsys_accessibility.py | 15 | 8 | 47% | 26, 36–47 |
| dumpsys_activities.py | 14 | 7 | 50% | 28–37, 40–45 |
| dumpsys_appops.py | 14 | 6 | 57% | 28, 38–44 |
| dumpsys_battery_daily.py | 13 | 6 | 54% | 26, 36–42 |
| dumpsys_battery_history.py | 13 | 6 | 54% | 26, 36–42 |
| dumpsys_dbinfo.py | 14 | 6 | 57% | 28, 38–44 |
| dumpsys_full.py | 16 | 9 | 44% | 25, 35–45 |
| dumpsys_receivers.py | 14 | 7 | 50% | 26–35, 38–44 |
| files.py | 72 | 57 | 21% | 37–45, 48–56, 59–70, 73–88, 93–121, 124–155 |
| getprop.py | 14 | 7 | 50% | 26–35, 38–43 |
| logcat.py | 21 | 14 | 33% | 25, 35–57 |
| packages.py | 172 | 148 | 14% | 100–108, 111–133, 136–170, 174–223, 227–237, 240–271, 274–371 |
| processes.py | 13 | 6 | 54% | 26, 36–42 |
| root_binaries.py | 25 | 18 | 28% | 24, 34–36, 39–70 |
| selinux_status.py | 17 | 10 | 41% | 26–35, 38–48 |
| settings.py | 25 | 18 | 28% | 26–35, 38–58 |
| sms.py | 76 | 57 | 25% | 56–65, 68–69, 77–89, 97–124, 134–148, 151–176 |
| whatsapp.py | 52 | 38 | 27% | 31, 41–42, 50–59, 67–102, 105–112 |
| mvt/android/modules/androidqf | | | | |
| dumpsys_packages.py | 56 | 6 | 89% | 59–65, 108–109, 112 |
| settings.py | 24 | 2 | 92% | 51–52 |
| sms.py | 49 | 16 | 67% | 46–51, 56–57, 73–78, 81, 85–91, 96–97 |
| mvt/android/modules/backup | | | | |
| base.py | 33 | 2 | 94% | 64–65 |
| helpers.py | 22 | 1 | 95% | 26 |
| sms.py | 32 | 8 | 75% | 38–47 |
| mvt/android/modules/bugreport | | | | |
| accessibility.py | 17 | 3 | 82% | 38–42, 51 |
| activities.py | 16 | 2 | 88% | 42–46 |
| appops.py | 15 | 2 | 87% | 38–42 |
| base.py | 52 | 17 | 67% | 48–49, 54–55, 62–67, 71, 86–95 |
| battery_daily.py | 15 | 2 | 87% | 38–42 |
| battery_history.py | 15 | 2 | 87% | 38–42 |
| dbinfo.py | 16 | 2 | 88% | 40–44 |
| getprop.py | 26 | 7 | 73% | 40–44, 51–52, 57–60 |
| packages.py | 58 | 11 | 81% | 67–73, 78–82, 87–91, 125 |
| receivers.py | 16 | 2 | 88% | 40–44 |
| mvt/android/parsers | | | | |
| backup.py | 107 | 9 | 92% | 62, 102–103, 109, 129, 132, 175, 190–191 |
| dumpsys.py | 85 | 4 | 95% | 68, 89, 115, 122 |
| mvt/common | | | | |
| alerting.py | 38 | 38 | 0% | 5–131 |
| artifact.py | 10 | 2 | 80% | 22, 28 |
| cmd_check_iocs.py | 38 | 29 | 24% | 26–36, 39–80 |
| command.py | 119 | 46 | 61% | 67–73, 79–88, 94–100, 109–137, 143–147, 150–152, 158, 171, 184–185, 188, 192–193 |
| indicators.py | 258 | 69 | 73% | 37–39, 53, 116, 120, 124, 128, 153–158, 227, 269–272, 289, 303–321, 325–340, 348, 370, 401, 408, 420, 435–441, 454–462, 473, 485, 497, 522, 531–538, 553, 578–591, 601–614, 649 |
| logo.py | 33 | 28 | 15% | 14–60, 64–71 |
| module.py | 119 | 37 | 69% | 71–75, 80–84, 99–119, 160, 169, 174, 184, 203–204, 212, 220–221, 237–246 |
| options.py | 13 | 3 | 77% | 27–33 |
| updates.py | 143 | 118 | 17% | 26–33, 38–51, 56–64, 67–69, 72–80, 83–85, 88–100, 103–118, 121–159, 166–195, 198–208, 211–241 |
| url.py | 25 | 6 | 76% | 259, 302, 308–312 |
| utils.py | 106 | 35 | 67% | 48–50, 92–93, 121–122, 161–178, 193–194, 207–208, 215–224, 239, 249, 257 |
| virustotal.py | 23 | 13 | 43% | 25–52 |
| mvt/ios | | | | |
| cli.py | 139 | 63 | 55% | 52, 60, 97–141, 167–191, 234–235, 242, 272–293, 320–327, 339–340 |
| cmd_check_fs.py | 13 | 4 | 69% | 28–40, 43 |
| decrypt.py | 114 | 92 | 19% | 33–36, 39, 48–56, 61–64, 73–123, 131–181, 192–221, 227–231, 244–255 |
| versions.py | 32 | 3 | 91% | 21, 30, 48 |
| mvt/ios/modules | | | | |
| base.py | 88 | 22 | 75% | 60, 67–92, 110, 118, 125, 133–134, 153–156, 191–192 |
| net_base.py | 119 | 46 | 61% | 74–75, 156–211, 226–237, 249, 294–295, 303–304, 308 |
| mvt/ios/modules/backup | | | | |
| backup_info.py | 29 | 2 | 93% | 43, 79 |
| configuration_profiles.py | 67 | 46 | 31% | 43–48, 60–88, 103–178 |
| manifest.py | 81 | 8 | 90% | 59, 66, 110–117, 122, 168–169 |
| profile_events.py | 51 | 32 | 37% | 44, 57–67, 71–97, 103–110, 113 |
| mvt/ios/modules/fs | | | | |
| analytics.py | 67 | 52 | 22% | 34, 44, 52–83, 86–144, 147–150, 153–159 |
| analytics_ios_versions.py | 36 | 26 | 28% | 30, 40, 48–86 |
| cache_files.py | 46 | 35 | 24% | 24, 34–45, 48–62, 65–80, 92–99 |
| filesystem.py | 42 | 8 | 81% | 52, 56–57, 61, 77–78, 89–90 |
| net_netusage.py | 18 | 10 | 44% | 34, 44–57 |
| safari_favicon.py | 37 | 26 | 30% | 31, 41, 50–60, 63–115, 118–124 |
| shutdownlog.py | 51 | 40 | 22% | 30, 40, 49–69, 72–106, 109–112 |
| version_history.py | 20 | 9 | 55% | 32, 42, 50–65 |
| webkit_base.py | 22 | 16 | 27% | 17–24, 27–38 |
| webkit_indexeddb.py | 13 | 4 | 69% | 34, 44, 53–54 |
| webkit_localstorage.py | 12 | 4 | 67% | 32, 42, 51–52 |
| webkit_safariviewservice.py | 10 | 3 | 70% | 32, 42–43 |
| mvt/ios/modules/mixed | | | | |
| applications.py | 74 | 46 | 38% | 44–51, 55–93, 99–107, 113–118, 128–140, 146, 148–150 |
| calendar.py | 49 | 2 | 96% | 75–78 |
| calls.py | 22 | 10 | 55% | 41, 53–82 |
| chrome_favicon.py | 35 | 22 | 37% | 42, 50–60, 66–104 |
| chrome_history.py | 30 | 17 | 43% | 44, 54–61, 67–102 |
| contacts.py | 28 | 17 | 39% | 45–75 |
| firefox_favicon.py | 32 | 19 | 41% | 43, 52–62, 68–106 |
| firefox_history.py | 30 | 17 | 43% | 47, 55–62, 68–101 |
| global_preferences.py | 25 | 1 | 96% | 45 |
| idstatuscache.py | 56 | 39 | 30% | 46, 55–72, 75–105, 110–120 |
| interactionc.py | 55 | 40 | 27% | 251–275, 281–320 |
| locationd.py | 83 | 65 | 22% | 58–70, 73–133, 136–155, 160–172 |
| osanalytics_addaily.py | 31 | 17 | 45% | 45, 56–63, 70–98 |
| safari_browserstate.py | 73 | 29 | 60% | 67–75, 96–98, 112–132, 167, 173–180 |
| safari_history.py | 70 | 44 | 37% | 48, 59–98, 109–113, 116–151, 163–171 |
| shortcuts.py | 69 | 52 | 25% | 47–55, 71–78, 84–152 |
| sms.py | 65 | 13 | 80% | 66, 79, 103–120, 133, 147 |
| sms_attachments.py | 40 | 22 | 45% | 44, 57–68, 91–122 |
| tcc.py | 80 | 28 | 65% | 68, 85, 108–125, 140–143, 163–205 |
| webkit_resource_load_statistics.py | 52 | 14 | 73% | 61–66, 91–92, 126–133 |
| webkit_session_resource_log.py | 75 | 52 | 31% | 56–66, 72–113, 119–149, 156–173 |
| whatsapp.py | 51 | 38 | 25% | 43–48, 56–63, 69–135 |
| TOTAL | 5713 | 2440 | 57% | |

Tests: 89, Skipped: 0, Failures: 0, Errors: 0, Time: 5.785s

roaree (Contributor) left a review:

Looks good!

Comment on lines +108 to +111
class Alert(object):
"""
An alert generated by an MVT module.
"""
Contributor: Making this a dataclass might be a good idea.

Comment on lines +10 to +14
informational: Rule is intended for enrichment of events, e.g. by tagging them. No case or alerting should be triggered by such rules because it is expected that a huge amount of events will match these rules.
low: Notable event but rarely an incident. Low rated events can be relevant in high numbers or combination with others. Immediate reaction shouldn’t be necessary, but a regular review is recommended.
medium: Relevant event that should be reviewed manually on a more frequent basis.
high: Relevant event that should trigger an internal alert and requires a prompt review.
critical: Highly relevant event that indicates an incident. Critical events should be reviewed immediately.
Contributor: Might want to tweak some of the language here around interpreting the levels for our specific case.

DonnchaC (Collaborator, Author): Yes, definitely. I think we should include some similar descriptions in our documentation.
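The two review threads above (making Alert a dataclass, and an ordered informational/low/medium/high/critical scale that should end up in the JSON output rather than only in the transient console log) can be illustrated with one small sketch. This is an added example, not code from the MVT pull request or the MVT code base; every name in it (AlertLevel, Alert, AlertStore, the module names and the sample events) is an assumption made for illustration.

```python
"""Sketch of structured, levelled alerts that survive into JSON output.

Added example, not MVT's code: AlertLevel, Alert and AlertStore are assumed
names, and the sample events below are constructed, not real findings.
"""
from __future__ import annotations

import json
from dataclasses import asdict, dataclass, field
from enum import IntEnum
from typing import Any


class AlertLevel(IntEnum):
    """Ordered scale modelled on the five levels quoted in the review.

    IntEnum gives the ordering, so "everything at MEDIUM or above" is a plain
    comparison and a sorted report follows severity.
    """
    INFORMATIONAL = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4

    @classmethod
    def parse(cls, name: str) -> "AlertLevel":
        """Accept the level names as written in JSON (any case)."""
        try:
            return cls[name.strip().upper()]
        except KeyError:
            raise ValueError(f"unknown alert level: {name!r}") from None


@dataclass(frozen=True)
class Alert:
    """One alert raised by a module; frozen so a record cannot be edited after
    it has been collected."""
    module: str                       # assumed module name, e.g. "sms"
    level: AlertLevel
    message: str
    event: dict[str, Any] = field(default_factory=dict)   # record that triggered it
    ioc_matched: str | None = None    # indicator value on a hard IOC hit, else None

    def to_dict(self) -> dict[str, Any]:
        """JSON-friendly form: the level is written by name, not number, so the
        file stays readable and the numeric ordering can change later."""
        d = asdict(self)
        d["level"] = self.level.name.lower()
        return d

    @classmethod
    def from_dict(cls, d: dict[str, Any]) -> "Alert":
        return cls(module=d["module"], level=AlertLevel.parse(d["level"]),
                   message=d["message"], event=dict(d.get("event", {})),
                   ioc_matched=d.get("ioc_matched"))


class AlertStore:
    """Collects alerts from all modules and serialises them once, so nothing is
    lost when the console log scrolls past."""

    def __init__(self) -> None:
        self._alerts: list[Alert] = []

    def add(self, alert: Alert) -> None:
        self._alerts.append(alert)

    def __len__(self) -> int:
        return len(self._alerts)

    def at_least(self, minimum: AlertLevel) -> list[Alert]:
        """Alerts at or above a threshold, in the order they were raised."""
        return [a for a in self._alerts if a.level >= minimum]

    def highest(self) -> AlertLevel | None:
        return max((a.level for a in self._alerts), default=None)

    def to_json(self) -> str:
        return json.dumps([a.to_dict() for a in self._alerts], indent=2, sort_keys=True)

    @classmethod
    def from_json(cls, text: str) -> "AlertStore":
        store = cls()
        for d in json.loads(text):
            store.add(Alert.from_dict(d))
        return store


def build_sample_store() -> AlertStore:
    """Constructed sample alerts covering the three cases the thread describes:
    a hard IOC match, a suspicious event needing a human look, and enrichment."""
    store = AlertStore()
    store.add(Alert(module="sms", level=AlertLevel.CRITICAL,
                    message="SMS links to a domain present in the loaded indicators",
                    event={"isodate": "2023-11-28 09:12:41",
                           "text": "https://example.invalid/login"},
                    ioc_matched="example.invalid"))
    store.add(Alert(module="packages", level=AlertLevel.MEDIUM,
                    message="Package has no recorded installer; review manually",
                    event={"package_name": "com.example.sideloaded", "installer": None}))
    store.add(Alert(module="getprop", level=AlertLevel.INFORMATIONAL,
                    message="Device reports OEM unlock supported",
                    event={"ro.oem_unlock_supported": "1"}))
    return store


if __name__ == "__main__":
    store = build_sample_store()
    print(store.to_json())
    print("needs review:", [a.module for a in store.at_least(AlertLevel.MEDIUM)])
```

Writing the level by name rather than by its integer keeps the JSON self-describing for whoever parses it later, and the round trip through from_json is what lets a separate tool (or a later MVT run with a different threshold) re-filter the same results without re-running the modules.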
