kestrel-lang

Change config on the fly

Open pcoccoli opened this issue 4 years ago • 4 comments

Is your feature request related to a problem? Please describe.

For some features that are configured in kestrel.toml, it may be convenient to (temporarily) change config from inside a notebook.

Example: I may want to change stixquery.timerange_start_offset but don't want to shut down jupyter and re-run my hunt.

Describe the solution you'd like

A simple syntax for changing a config value in the session:

CONFIG stixquery.timerange_start_offset = -600

Grammar rule would be something like

config_stmt: "CONFIG"i config_section "." config_value "=" JSON_LITERAL

pcoccoli avatar Oct 14 '21 17:10 pcoccoli

Maybe SET stixquery.timerange_start_offset = -600 instead? Then we could do SHOW stixquery.timerange_start_offset to see the current value.

pcoccoli avatar Oct 14 '21 17:10 pcoccoli

Good point. I think SET/SHOW is a better choice. And I suggest we have some way to distinguish it from normal hunt steps/commands. Otherwise, people may try SHOW var ... even if we can avoid using GET or DISP for showing config values.

Three options:

  1. Use #! before the config values to set them, like #!stixquery.timerange_start_offset = -600. We may need to find other symbols to be more pleasant to humans and the parser. However, it does not have the display/show functionality.
  2. Treat _config as a special variable with type CONFIG and a single instance/entity/object, so we allow users to SET or DISP the object attributes like:
     SET _config.stixquery.timerange_start_offset = -600
     DISP _config ATTR stixquery.timerange_start_offset
  3. Have dedicated syntax for config-related commands (to avoid confusion with hunting commands) like:
     CONFIG SET stixquery.timerange_start_offset = -600
     CONFIG GET stixquery.timerange_start_offset

Currently I prefer the last option.

When thinking about this syntax, we may also think about one future syntax to dynamically configure data sources in addition to loading from environment variables. We may enable similar things in SET (if we support loading data sources from config).

subbyte avatar Oct 14 '21 20:10 subbyte
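
The third option above (CONFIG SET / CONFIG GET), as an added example that is not part of the issue thread or Kestrel's own code: a session-scoped overlay that accepts only keys already present in the loaded config and only JSON literals of the same type. `SessionConfig`, `DEFAULTS` and the sample values are assumptions made for illustration, and only two-level `section.key` names are handled.

```python
import copy
import json
import re

# Constructed stand-in for values loaded from kestrel.toml (assumed shape).
DEFAULTS = {"stixquery": {"timerange_start_offset": -300, "timerange_stop_offset": 300}}

# CONFIG SET <section>.<key> = <JSON literal>  |  CONFIG GET <section>.<key>
_STMT = re.compile(
    r"^\s*CONFIG\s+(?P<verb>SET|GET)\s+(?P<section>\w+)\.(?P<key>\w+)"
    r"(?:\s*=\s*(?P<value>.+?))?\s*$",
    re.IGNORECASE,
)


class SessionConfig:
    """Per-session overlay: SET changes this session only, never the file."""

    def __init__(self, defaults):
        self._values = copy.deepcopy(defaults)

    def execute(self, statement):
        m = _STMT.match(statement)
        if m is None:
            raise ValueError(f"not a CONFIG statement: {statement!r}")
        verb, section, key = m["verb"].upper(), m["section"], m["key"]
        # Only keys that already exist may be read or changed.
        if key not in self._values.get(section, {}):
            raise KeyError(f"unknown config key: {section}.{key}")
        if verb == "GET":
            if m["value"] is not None:
                raise ValueError("CONFIG GET takes no value")
            return self._values[section][key]
        if m["value"] is None:
            raise ValueError("CONFIG SET needs '= <JSON literal>'")
        new = json.loads(m["value"])  # JSON_LITERAL, as in the proposed rule
        current = self._values[section][key]
        # Reject a type change, e.g. a string where an offset is expected.
        if type(new) is not type(current):
            raise TypeError(f"{section}.{key} expects {type(current).__name__}")
        self._values[section][key] = new
        return new
```

Rejecting unknown keys and type changes keeps a typo in a notebook cell from silently creating a setting that nothing reads, or from widening a query's time range with a malformed value.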

I think I prefer that last option too.

pcoccoli avatar Oct 14 '21 20:10 pcoccoli

Also we may add the support of adding/changing data source interface on the fly if we have #119 realized. Something like

CONFIG SET datasource.stixshifter.host101 = "elastic_ecs" '{"host":"elastic.securitylog.company.com", "port":9200, "indices":"host101"}' '{"auth":{"id":"VuaCfGcBCdbkQm-e5aOx", "api_key":"ui2lp2axTNmsyakw9tvNnw"}}'

The single/double quotes do not look good.

subbyte avatar Oct 16 '21 02:10 subbyte