foxsec-pipeline
Log analysis pipeline utilizing Apache Beam
Creating as a draft for now. This removes the thread sleep from the `UnboundedSource` `advance` interface. This seems not to be required; however, the behavior of the advance method is...
Currently when bmo audit logs are consumed we just have the type as either auth (login) or auth session. If it's an existing session, we don't have any additional context...
The output path of the pipelines is currently limited to ingestion of `Alert` objects. This makes it difficult to persist other types of data from the pipeline that are not...
As an example, have a link to https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_stealth.html within the alert body (https://bugzilla.mozilla.org/show_bug.cgi?id=1626813#c35) since the finding type is `Stealth:IAMUser/CloudTrailLoggingDisabled`
A new parser should be created to handle messages from Azure EventHub
The function should read events from EventHub and write them to GCP logging, similar to our other ingestion functions. An example we can start from: https://github.com/hwine/azure-notes/blob/master/log_scripts/log-relay
Provide a link with notification that results in a query to pull up applicable alerts.
Prefer `NEWVERSION` over `FILEUPLOADMNT`, and make use of new fields in alerts if possible
Add support for filtering out certain alerts within the alert summary analysis in post processing. Then, filter out `amo_cloud_submission` alerts specifically.
It would be nice to be able to view metrics on how our code coverage is doing across our unit tests. If we have a tool that can support multiple...