PyPI - howler-api - Versions diffs - 4.0.0.dev803__tar.gz → 4.0.0.dev841__tar.gz - Mend

howler-api 4.0.0.dev803tar.gz → 4.0.0.dev841tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (220) hide show

{howler_api-4.0.0.dev803 → howler_api-4.0.0.dev841}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: howler-api
-Version: 4.0.0.dev803
+Version: 4.0.0.dev841
 Summary: Howler - API server
 License: MIT
 Keywords: howler,alerting,gc,canada,cse-cst,cse,cst,cyber,cccs

{howler_api-4.0.0.dev803 → howler_api-4.0.0.dev841}/howler/api/socket.py RENAMED Viewed

@@ -28,7 +28,12 @@ tracer = trace.get_tracer(__name__)
 @tracer.start_as_current_span(f"{__name__}.emit")
 @socket_api.route("/emit/<event>", methods=["POST"])
 def emit(event: str):
-    """Emit an event to all listening websockets"""
+    """Emit an event to all listening websockets.
+    .. deprecated::
+        This endpoint is deprecated. Events are now propagated via Redis pubsub
+        and no longer require a dedicated websocket pod.
+    """
     if "Authorization" not in request.headers:
         return unauthorized(err="Missing authorization header")

{howler_api-4.0.0.dev803 → howler_api-4.0.0.dev841}/howler/api/v2/case.py RENAMED Viewed

@@ -290,7 +290,7 @@ def delete_item(case_id: str, **kwargs):
 @generate_swagger_docs()
-@case_api.route("/<case_id>/items", methods=["PATCH"])
+@case_api.route("/<case_id>/items", methods=["PUT"])
 @api_login(required_priv=["R", "W"])
 def rename_item(case_id: str, **kwargs):
     """Rename (re-path) an item within a case
@@ -331,3 +331,105 @@ def rename_item(case_id: str, **kwargs):
         return internal_error(err=str(e))
     except (InvalidDataException, NotFoundException) as e:
         return bad_request(err=str(e))
+@generate_swagger_docs()
+@case_api.route("/<id>/rules", methods=["POST"])
+@api_login(required_priv=["R", "W"])
+def add_rule(id: str, user: User, **kwargs):
+    """Add a correlation rule to a case
+    Creates a new correlation rule that will match incoming alerts into the case.
+    The rule's id and author are generated server-side.
+    Variables:
+    id       => The id of the case to add a rule to
+    Arguments:
+    None
+    Data Block:
+    {
+        "query": "howler.analytic:Suspicious*",
+        "destination": "alerts/{{howler.analytic}}",
+        "timeframe": "2026-05-06T00:00:00Z"   // optional, null means no expiry
+    }
+    Result Example:
+    {
+        ...case     # The updated case data
+    }
+    """
+    body = request.json
+    if not body or not isinstance(body, dict):
+        return bad_request(err="Request body must be a JSON object with rule data.")
+    try:
+        return ok(case_service.add_case_rule(id, body, user))
+    except NotFoundException as e:
+        return not_found(err=str(e))
+    except InvalidDataException as e:
+        return bad_request(err=str(e))
+@generate_swagger_docs()
+@case_api.route("/<id>/rules/<rule_id>", methods=["DELETE"])
+@api_login(required_priv=["R", "W"])
+def delete_rule(id: str, rule_id: str, user: User, **kwargs):
+    """Delete a correlation rule from a case
+    Variables:
+    id        => The id of the case
+    rule_id   => The id of the rule to delete
+    Arguments:
+    None
+    Result Example:
+    {
+        ...case     # The updated case data
+    }
+    """
+    try:
+        return ok(case_service.remove_case_rule(id, rule_id, user))
+    except NotFoundException as e:
+        return not_found(err=str(e))
+@generate_swagger_docs()
+@case_api.route("/<id>/rules/<rule_id>", methods=["PUT"])
+@api_login(required_priv=["R", "W"])
+def update_rule(id: str, rule_id: str, user: User, **kwargs):
+    """Update a correlation rule on a case
+    Allows updating individual fields on a rule: enabled, query, destination, timeframe.
+    Variables:
+    id        => The id of the case
+    rule_id   => The id of the rule to update
+    Arguments:
+    None
+    Data Block:
+    {
+        "enabled": false
+    }
+    Result Example:
+    {
+        ...case     # The updated case data
+    }
+    """
+    body = request.json
+    if not body or not isinstance(body, dict):
+        return bad_request(err="Request body must be a JSON object with fields to update.")
+    try:
+        return ok(case_service.update_case_rule(id, rule_id, body, user))
+    except NotFoundException as e:
+        return not_found(err=str(e))
+    except InvalidDataException as e:
+        return bad_request(err=str(e))

{howler_api-4.0.0.dev803 → howler_api-4.0.0.dev841}/howler/api/v2/ingest.py RENAMED Viewed

@@ -9,6 +9,7 @@ from howler.common.exceptions import HowlerException, HowlerValueError
 from howler.common.loader import datastore
 from howler.common.logging import get_logger
 from howler.common.swagger import generate_swagger_docs
+from howler.config import config
 from howler.datastore.collection import ESCollection
 from howler.datastore.exceptions import DataStoreException
 from howler.datastore.howler_store import INDEXES
@@ -16,6 +17,7 @@ from howler.datastore.operations import OdmHelper, OdmUpdateOperation
 from howler.odm.models.hit import Hit
 from howler.odm.models.observable import Observable
 from howler.odm.models.user import User
+from howler.remote.datatypes.queues.named import NamedQueue
 from howler.security import api_login
 from howler.services import hit_service, observable_service
 from howler.utils.dict_utils import flatten
@@ -32,6 +34,24 @@ logger = get_logger(__file__)
 hit_helper = OdmHelper(Hit)
+# Persistent queue for the correlation worker to consume newly ingested hit IDs.
+_ingestion_queue: NamedQueue[str] | None = None
+def _get_ingestion_queue() -> NamedQueue[str]:
+    """Return the shared ingestion queue, creating it on first use."""
+    global _ingestion_queue
+    if _ingestion_queue is None:
+        _ingestion_queue = NamedQueue(
+            "howler.ingestion_queue",
+            host=config.core.redis.persistent.host,
+            port=config.core.redis.persistent.port,
+            private=False,
+        )
+    return _ingestion_queue
 @generate_swagger_docs()
 @ingest_api.route("/<index>", methods=["POST"])
@@ -93,6 +113,13 @@ def create(index: str, user: User, **kwargs):
             logger.exception("Ingestion failed.")
             return bad_request(err=f"Ingestion failure on record at index {i}: {e}")
+    # Enqueue newly created hit IDs for the correlation worker.
+    if ids:
+        try:
+            _get_ingestion_queue().push(*ids)
+        except Exception:
+            logger.exception("Failed to enqueue hit IDs for correlation")
     return created(ids, warnings=warnings)

{howler_api-4.0.0.dev803 → howler_api-4.0.0.dev841}/howler/app.py RENAMED Viewed

@@ -174,6 +174,11 @@ else:
 if HWL_USE_WEBSOCKET_API or DEBUG:
     logger.debug("Enabled Websocket API")
     app.register_blueprint(socket_api)
+    # Start the Redis pubsub watcher so this pod receives events from all pods
+    import howler.services.event_service as event_service
+    event_service.start_watcher()
 else:
     logger.info("Disabled Websocket API")

howler_api-4.0.0.dev841/howler/cronjobs/correlation.py ADDED Viewed

@@ -0,0 +1,36 @@
+"""Correlation cronjob — starts the correlation worker thread.
+Auto-discovered by ``howler.cronjobs.setup_jobs`` when ``HWL_USE_JOB_SYSTEM``
+is enabled.  Instead of scheduling a periodic APScheduler job, this module
+starts a long-running daemon thread that drains the ingestion queue.
+"""
+import threading
+from apscheduler.schedulers.base import BaseScheduler
+from howler.common.logging import get_logger
+from howler.odm.models.config import config
+logger = get_logger(__file__)
+_thread: threading.Thread | None = None
+def setup_job(sched: BaseScheduler):
+    """Start the correlation worker thread if correlation is enabled."""
+    global _thread
+    if not config.system.correlation.enabled:
+        logger.info("Correlation worker disabled by configuration")
+        return
+    if _thread is not None and _thread.is_alive():
+        logger.debug("Correlation worker thread already running")
+        return
+    from howler.services.correlation_service import run_worker
+    _thread = threading.Thread(target=run_worker, name="correlation-worker", daemon=True)
+    _thread.start()
+    logger.info("Correlation worker thread started")

{howler_api-4.0.0.dev803 → howler_api-4.0.0.dev841}/howler/datastore/collection.py RENAMED Viewed

@@ -1365,6 +1365,7 @@ class ESCollection(Generic[ModelType]):
                     extra_fields["_index"] = result["_index"]
                 if "*" in fields:
                     fields = None
                 return self.model_class(source_data, mask=fields, docid=item_id, extra_fields=extra_fields)
             else:
                 source_data = recursive_update(source_data, extra_fields, allow_recursion=False)
@@ -1692,6 +1693,32 @@ class ESCollection(Generic[ModelType]):
         return ret_data
+    @overload
+    def stream_search(
+        self,
+        query: str,
+        fl: str | None = None,
+        filters: list[str] | str | None = None,
+        access_control: typing.Any = None,
+        item_buffer_size: int = 200,
+        *,
+        as_obj: Literal[True] = True,
+        use_archive: bool = False,
+    ) -> typing.Generator[ModelType, None, None]: ...
+    @overload
+    def stream_search(
+        self,
+        query: str,
+        fl: str | None = None,
+        filters: list[str] | str | None = None,
+        access_control: typing.Any = None,
+        item_buffer_size: int = 200,
+        *,
+        as_obj: Literal[False],
+        use_archive: bool = False,
+    ) -> typing.Generator[dict[str, typing.Any], None, None]: ...
     def stream_search(
         self,
         query,

{howler_api-4.0.0.dev803 → howler_api-4.0.0.dev841}/howler/odm/models/case.py RENAMED Viewed

@@ -8,6 +8,19 @@ from howler.utils.compat import StrEnum
 CASE_ITEM_TYPES = {"observable", "hit", "case", "lead", "reference"}
+RULE_INDEX_TYPES = {"hit", "observable"}
+class RuleIndexTypes(StrEnum):
+    """Enumeration of valid index types for case rules.
+    Determines which Elasticsearch indexes a case rule query runs against
+    during correlation.
+    """
+    HIT = "hit"
+    OBSERVABLE = "observable"
 class CaseItemTypes(StrEnum):
     """Enumeration of valid case item types.
@@ -69,8 +82,20 @@ class CaseItem(odm.Model):
 @odm.model(index=True, store=True, description="Rule used to place/query data into case paths.")
 class CaseRule(odm.Model):
+    rule_id: str = odm.UUID(description="Unique rule identifier.")
     destination: str = odm.Keyword(description="Destination case path template.")
     query: str = odm.Keyword(description="Lucene query used by this rule.")
+    author: str = odm.Keyword(description="Username who created the rule.")
+    enabled: bool = odm.Boolean(default=True, description="Whether the rule is currently active.")
+    timeframe: Optional[str] = odm.Optional(
+        odm.Date(description="ISO datetime when rule expires. Null means no expiry."),
+        default=None,
+    )
+    indexes: list[str] = odm.List(
+        odm.Enum(values=RuleIndexTypes),
+        default=[RuleIndexTypes.HIT],
+        description="Indexes to run this rule against (hit, observable, or both).",
+    )
 @odm.model(index=True, store=True, description="Task associated with a case item path.")

{howler_api-4.0.0.dev803 → howler_api-4.0.0.dev841}/howler/odm/models/config.py RENAMED Viewed

@@ -353,6 +353,18 @@ class ViewCleanup(BaseModel):
     )
+class Correlation(BaseModel):
+    """Correlation worker configuration.
+    Controls the background worker that matches newly ingested alerts
+    against active case rules.
+    """
+    enabled: bool = Field(default=True, description="Enable the correlation worker?")
+    batch_size: int = Field(default=100, description="Max alerts per batch.")
+    batch_timeout: int = Field(default=10, description="Seconds to wait before flushing a partial batch.")
 class System(BaseModel):
     """System-level configuration for Howler.
@@ -366,6 +378,8 @@ class System(BaseModel):
     "Retention Configuration"
     view_cleanup: ViewCleanup = ViewCleanup()
     "View Cleanup Configuration"
+    correlation: Correlation = Correlation()
+    "Correlation Worker Configuration"
 class UI(BaseModel):

{howler_api-4.0.0.dev803 → howler_api-4.0.0.dev841}/howler/odm/random_data.py RENAMED Viewed

@@ -19,7 +19,7 @@ import importlib
 import json
 import random
 import textwrap
-from datetime import datetime
+from datetime import datetime, timedelta
 from random import choice, randint, sample
 from typing import Any, Callable, cast
 from uuid import uuid4
@@ -866,9 +866,35 @@ def create_cases(ds: HowlerDatastore, num_cases: int = 5):
                 "enrichments": [],
                 "rules": [
                     {
-                        "destination": "alerts/{{howler.id}}",
-                        "query": f"destination.domain:{choice(threat_pool)}",
+                        "destination": choice(
+                            [
+                                "alerts/{{howler.analytic}}",
+                                "incoming/{{event.kind}}",
+                                "alerts/{{howler.analytic}}/{{event.category}}",
+                                "correlated/{{source.ip}}",
+                                "triage/{{howler.escalation}}",
+                            ]
+                        ),
+                        "query": choice(
+                            [
+                                f"destination.domain:{choice(threat_pool)}",
+                                "source.ip:10.0.0.0/8 AND howler.analytic:Suspicious*",
+                                "event.category:authentication AND event.outcome:failure",
+                                "howler.escalation:focus OR howler.escalation:crisis",
+                                f"destination.domain:{choice(threat_pool)} AND event.kind:alert",
+                            ]
+                        ),
+                        "author": choice(selected_participants or ["admin"]),
+                        "enabled": choice([True, True, True, False]),
+                        "timeframe": choice(
+                            [
+                                (datetime.now() + timedelta(days=randint(7, 28))).isoformat(),
+                                (datetime.now() + timedelta(days=randint(7, 28))).isoformat(),
+                                None,
+                            ]
+                        ),
                     }
+                    for _ in range(randint(1, 3))
                 ],
                 "tasks": tasks,
             }

howler-api 4.0.0.dev803__tar.gz → 4.0.0.dev841__tar.gz

howler-api 4.0.0.dev803tar.gz → 4.0.0.dev841tar.gz