Add threat hunting, suppressions, audit UI, API tokens, SSE, MITRE tagging #40
Merged
Ships eight user-mode EDR features that close the largest gaps below kernel work:

- Threat hunting (/hunt) with a small KQL-style DSL, saved queries that can be scheduled to emit alerts, and execution history. HuntQueryParser and HuntExecutor live in Tawny.Infrastructure so both Api and Jobs can reuse them; ScheduledHuntsJob runs every 5 minutes.
- MITRE ATT&CK tagging on alert rules and saved hunts. SigmaRuleImporter now extracts `attack.tNNNN` tags. Dashboard renders a 7-day technique heatmap built from alerts attached to tagged rules.
- Alert suppression rules (/suppressions). SuppressionEvaluator runs inside AlertRuleEvaluator after a candidate alert is built, before it's persisted; counters track how often each rule fires.
- Server-Sent Events for live agent telemetry (replaces 2s dashboard polling). AgentEventBroker is an in-process pub/sub fed by the telemetry ingest path; subscribers get one frame per event plus 15s keep-alives.
- Cross-host pivot (/pivot): paste a hash, IP, or domain and find every agent whose telemetry references it in the last N days.
- Process tree view on the agent detail page, built from existing PPID data — collapsible per-process lineage, with name/pid/command filter.
- Audit log UI (/audit) with substring filter on the action column.
- Programmatic API tokens (/api-tokens) — bearer tokens prefixed `twny_` authed by a new ApiToken scheme; admin/viewer roles, optional expiry, one-time display on creation.

Schema: one new migration (`AddHuntingAndGovernance`) adds SavedHunts, HuntRuns, SuppressionRules, ApiTokens and a MitreTechniques column on AlertRules. Snapshot kept in lockstep.

https://claude.ai/code/session_01DqLy7vdV9S4prUF9sz2Ehp
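The PR describes the hunt feature as "a small KQL-style DSL" compiled by HuntQueryParser and run by HuntExecutor, but shows neither. The block below is an added illustration of that shape, written for this review and not Tawny's code: the grammar (field, `==`/`!=`/`contains`/`startswith`, a quoted value, `and`/`or`/`not`, parentheses, with `and` binding tighter than `or`), the case-insensitive comparison and the dotted field names are all assumptions, and the telemetry rows are constructed. It goes a little past the description by rejecting malformed queries up front, which is what a scheduled hunt needs so a typo fails at save time rather than silently matching nothing every 5 minutes.

```python
# Added example (not Tawny's HuntQueryParser/HuntExecutor): a tiny KQL-style
# hunt DSL compiled to a tree and evaluated over flattened telemetry dicts.
# Assumed grammar: clauses of the form  field op "value", combined with
# and / or / not and parentheses; "and" binds tighter than "or".
from __future__ import annotations
import re
from typing import Any, Callable

# One token per match: quoted string, parenthesis, identifier/keyword, or == / !=.
TOKEN_RE = re.compile(r'\s*(?:("(?:[^"\\]|\\.)*")|(\(|\))|([A-Za-z_][\w.]*)|(==|!=))')

# Comparisons are case-insensitive here (a choice for this example, not a KQL rule).
OPS: dict[str, Callable[[str, str], bool]] = {
    "==": lambda a, b: a.lower() == b.lower(),
    "!=": lambda a, b: a.lower() != b.lower(),
    "contains": lambda a, b: b.lower() in a.lower(),
    "startswith": lambda a, b: a.lower().startswith(b.lower()),
}


def tokenize(query: str) -> list[str]:
    tokens, pos, query = [], 0, query.strip()
    while pos < len(query):
        m = TOKEN_RE.match(query, pos)
        if m is None:
            raise ValueError(f"unexpected input at offset {pos}: {query[pos:]!r}")
        tokens.append(next(g for g in m.groups() if g is not None))
        pos = m.end()
    return tokens


class Parser:
    """Recursive-descent parser producing nested tuples: ('cmp', f, op, v), ('not', x), ('and'|'or', l, r)."""

    def __init__(self, tokens: list[str]):
        self.toks, self.i = tokens, 0

    def peek(self) -> str | None:
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self) -> str:
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of query")
        self.i += 1
        return tok

    def parse_or(self):
        node = self.parse_and()
        while self.peek() == "or":
            self.take()
            node = ("or", node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_clause()
        while self.peek() == "and":
            self.take()
            node = ("and", node, self.parse_clause())
        return node

    def parse_clause(self):
        tok = self.take()
        if tok == "not":
            return ("not", self.parse_clause())
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("expected ')'")
            return node
        op = self.take()
        if op not in OPS:
            raise ValueError(f"unknown operator {op!r}")
        value = self.take()
        if not value.startswith('"'):
            raise ValueError("operator must be followed by a quoted value")
        return ("cmp", tok, op, value[1:-1].replace('\\"', '"'))


def compile_hunt(query: str):
    """Parse once at save time; a malformed saved hunt should fail here, not on schedule."""
    parser = Parser(tokenize(query))
    tree = parser.parse_or()
    if parser.peek() is not None:
        raise ValueError(f"trailing tokens: {parser.toks[parser.i:]}")
    return tree


def evaluate(node, event: dict[str, Any]) -> bool:
    kind = node[0]
    if kind == "cmp":
        _, field, op, value = node
        actual = event.get(field)
        return actual is not None and OPS[op](str(actual), value)
    if kind == "not":
        return not evaluate(node[1], event)
    left, right = node[1], node[2]
    if kind == "and":
        return evaluate(left, event) and evaluate(right, event)
    return evaluate(left, event) or evaluate(right, event)


def run_hunt(query: str, events: list[dict[str, Any]]) -> list[dict[str, Any]]:
    tree = compile_hunt(query)
    return [e for e in events if evaluate(tree, e)]


# Constructed telemetry rows standing in for the agents' process events.
SAMPLE_EVENTS = [
    {"agent": "ws-01", "process.name": "powershell.exe", "process.cmdline": "powershell -enc SQBFAFgA", "process.ppid": 4120},
    {"agent": "ws-02", "process.name": "cmd.exe", "process.cmdline": "cmd /c whoami", "process.ppid": 880},
    {"agent": "srv-01", "process.name": "powershell.exe", "process.cmdline": "powershell Get-Service", "process.ppid": 5004},
]

if __name__ == "__main__":
    hits = run_hunt('process.name == "powershell.exe" and process.cmdline contains "-enc"', SAMPLE_EVENTS)
    print([h["agent"] for h in hits])
```

Keeping the compiled tree separate from execution is what lets the same parser serve both the interactive /hunt page and a scheduled job, which matches the PR's decision to put the parser and executor in a shared project.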
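The suppression bullet fixes the evaluator's placement (after a candidate alert is built, before it is persisted) and says counters track how often each rule fires. The following block is an added example of that ordering, not Tawny's SuppressionEvaluator: the rule shape (a map of field to glob pattern where every key must match, plus enabled flag and optional expiry), the field names and the sample alerts are all constructed for illustration. It also shows the two cases a reviewer would check here, an expired rule and a disabled rule, both of which must fall through to persistence.

```python
# Added example (not Tawny's SuppressionEvaluator): an alert-suppression step
# that sits between "candidate alert built" and "alert persisted", with a hit
# counter per suppression rule. The rule and alert shapes are assumed.
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase
from typing import Optional


@dataclass
class SuppressionRule:
    id: str
    match: dict[str, str]                # field -> glob pattern; every key must match
    expires_at: Optional[datetime] = None
    enabled: bool = True
    hit_count: int = 0                   # how many candidate alerts this rule swallowed
    last_hit: Optional[datetime] = None


@dataclass
class CandidateAlert:
    rule_id: str                         # the detection rule that fired
    agent: str
    fields: dict[str, str]               # event fields the rule matched on


class SuppressionEvaluator:
    def __init__(self, rules: list[SuppressionRule]):
        self.rules = rules

    def find_match(self, alert: CandidateAlert, now: datetime) -> Optional[SuppressionRule]:
        """Return the first active rule matching the alert, counting the hit."""
        for rule in self.rules:
            if not rule.enabled or (rule.expires_at is not None and now >= rule.expires_at):
                continue
            if self._matches(rule, alert):
                rule.hit_count += 1
                rule.last_hit = now
                return rule
        return None

    @staticmethod
    def _matches(rule: SuppressionRule, alert: CandidateAlert) -> bool:
        # Missing fields never match: a suppression cannot be broader than it states.
        context = {"rule_id": alert.rule_id, "agent": alert.agent, **alert.fields}
        for key, pattern in rule.match.items():
            value = context.get(key)
            if value is None or not fnmatchcase(value, pattern):
                return False
        return True


class AlertPipeline:
    """Mirrors the evaluator order: detection fires -> candidate -> suppression -> persist."""

    def __init__(self, suppressor: SuppressionEvaluator):
        self.suppressor = suppressor
        self.persisted: list[CandidateAlert] = []
        self.suppressed: list[tuple[str, str]] = []   # (detection rule id, suppression id)

    def process(self, candidate: CandidateAlert, now: datetime) -> bool:
        rule = self.suppressor.find_match(candidate, now)
        if rule is not None:
            self.suppressed.append((candidate.rule_id, rule.id))
            return False
        self.persisted.append(candidate)
        return True


NOW = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)   # fixed clock for the demo


def build_demo_rules() -> list[SuppressionRule]:
    return [
        # Known deployment script on the build farm: suppress only that exact combination.
        SuppressionRule("sup-build-psh",
                        {"rule_id": "psh-encoded-cmd", "agent": "build-*", "process.name": "powershell.exe"},
                        expires_at=NOW + timedelta(days=30)),
        # Expired rule: must no longer suppress anything.
        SuppressionRule("sup-expired", {"rule_id": "psh-encoded-cmd"}, expires_at=NOW - timedelta(days=1)),
        # Disabled rule: ignored even though its match would catch every alert.
        SuppressionRule("sup-disabled", {"rule_id": "*"}, enabled=False),
    ]


# Constructed candidate alerts, in arrival order.
DEMO_ALERTS = [
    CandidateAlert("psh-encoded-cmd", "build-07", {"process.name": "powershell.exe"}),
    CandidateAlert("psh-encoded-cmd", "ws-01", {"process.name": "powershell.exe"}),
    CandidateAlert("psh-encoded-cmd", "build-07", {"process.name": "pwsh.exe"}),
    CandidateAlert("lsass-access", "build-07", {"process.name": "powershell.exe"}),
]


def run_demo() -> tuple[AlertPipeline, dict[str, int]]:
    rules = build_demo_rules()
    pipeline = AlertPipeline(SuppressionEvaluator(rules))
    for alert in DEMO_ALERTS:
        pipeline.process(alert, NOW)
    return pipeline, {r.id: r.hit_count for r in rules}


if __name__ == "__main__":
    pipeline, counters = run_demo()
    print(len(pipeline.persisted), "persisted;", pipeline.suppressed, counters)
```

The counter is the governance hook: a suppression whose hit count climbs unexpectedly is the first sign that a "known benign" rule has started hiding something new, which is why the PR's "how often each rule fires" counters belong on the /suppressions page next to the rule itself.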
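The API-token bullet lists the properties a reviewer should verify in the new ApiToken scheme: `twny_` prefix, admin/viewer roles, optional expiry and one-time display on creation. The block below is an added example of how those properties fit together, written for this review rather than taken from Tawny: the record layout, the SHA-256-at-rest choice, the role ranking and the header parsing are assumptions, and the token names are constructed.

```python
# Added example (not Tawny's ApiToken scheme): prefixed bearer tokens that are
# shown once at creation and stored only as a hash, with role and optional
# expiry checked on every request. Storage layout and role names are assumed.
from __future__ import annotations
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

TOKEN_PREFIX = "twny_"              # lets secret scanners and log redaction recognise the format
ROLE_RANK = {"viewer": 1, "admin": 2}


@dataclass
class ApiTokenRecord:
    id: str
    name: str
    role: str
    token_hash: str                 # SHA-256 of the full token; the plaintext is never stored
    created_at: datetime
    expires_at: Optional[datetime]
    revoked: bool = False


def hash_token(token: str) -> str:
    # A plain hash is adequate here: the token carries 256 bits of randomness,
    # so it cannot be guessed from the hash the way a human password could.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class ApiTokenStore:
    def __init__(self) -> None:
        self._records: dict[str, ApiTokenRecord] = {}   # keyed by token_hash

    def create(self, name: str, role: str, ttl: Optional[timedelta], now: datetime) -> tuple[str, ApiTokenRecord]:
        """Mint a token. The plaintext is returned exactly once and not retained."""
        if role not in ROLE_RANK:
            raise ValueError(f"unknown role {role!r}")
        plaintext = TOKEN_PREFIX + secrets.token_urlsafe(32)
        record = ApiTokenRecord(
            id=secrets.token_hex(8), name=name, role=role,
            token_hash=hash_token(plaintext), created_at=now,
            expires_at=(now + ttl) if ttl else None,
        )
        self._records[record.token_hash] = record
        return plaintext, record

    def revoke(self, token_id: str) -> None:
        for record in self._records.values():
            if record.id == token_id:
                record.revoked = True

    def authenticate(self, authorization: Optional[str], now: datetime) -> Optional[ApiTokenRecord]:
        """Resolve an Authorization header to a live token record, or None."""
        if not authorization:
            return None
        scheme, _, token = authorization.partition(" ")
        token = token.strip()
        if scheme.lower() != "bearer" or not token.startswith(TOKEN_PREFIX):
            return None
        digest = hash_token(token)
        record = self._records.get(digest)
        if record is None or not hmac.compare_digest(record.token_hash, digest):
            return None
        if record.revoked or (record.expires_at is not None and now >= record.expires_at):
            return None
        return record


def authorize(record: Optional[ApiTokenRecord], required_role: str) -> bool:
    """admin satisfies viewer endpoints; viewer never satisfies admin endpoints."""
    return record is not None and ROLE_RANK[record.role] >= ROLE_RANK[required_role]


if __name__ == "__main__":
    clock = datetime.now(timezone.utc)
    store = ApiTokenStore()
    shown_once, rec = store.create("ci-reader", "viewer", timedelta(hours=1), clock)
    print("display this once:", shown_once)
    print("admin access:", authorize(store.authenticate("Bearer " + shown_once, clock), "admin"))
```

Two things worth confirming against the real ApiToken handler during review: that the database column holds a hash and not the `twny_` plaintext (otherwise one-time display buys nothing), and that expiry and revocation are checked on every request rather than only when the token is listed in the UI.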