Add script to build narratives from event logs#11691
Merged
* Allow sourcing events from stdin. It may be useful sometimes to take a local cache of cloudwatch events and pipe them into this command. [skip changelog]
* Add 'limit: 10000' to CW query. This is required for `complete` to work.
* Add ExampleMatcher. Add an example matcher that just counts events and outputs how many it saw. [skip changelog]
* Remove excess whitespace
* Add frozen_string_literal: true
* Initial crack at an IdV matcher. Matcher is a state machine that collects IDV "attempts" as they happen and tries to suss out interesting things about them. [skip changelog]
* removed unused method
  Co-authored-by: Douglas Price <douglas.price@gsa.gov>
* Normalize @timestamp to UTC for each event. Pre-parse it in the script so that matchers don't have to worry about it.
* Slightly improve output
  - Include timestamps where possible [skip changelog]
* Don't crash if no events found
* Tweak handling of --end-date
  - Use a dash rather than underscore
  - Make sure we respect it if it's passed in
* Sort events on stdin before processing. Events from Cloudwatch queries will be sorted, but stdin is not guaranteed. Processing unsorted events can lead to weird, weird, outcomes.
* If the user:
  - Has not completed the initial workflow and
  - Does not have an idv-related event newer than 1 hour
  Call their attempt abandoned.
* include timestamp
* add account deletion narrative matcher
* remove unneeded matcher requirement
* add deletion matcher
* lint
* rename account deletion
[HACKATHON] Enable user narrative script to work with `binding.pry`
lib/event_summarizer/vendor_result_evaluators/instant_verify.rb
Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com>
Add some specs around option parsing, time parsing, and actually running the program
b59136d to 93b9b3e
solipet (Contributor) approved these changes on Jan 8, 2025 and left a comment:
What we came up with is a great start that is already useful in its initial state. Plenty of room to build on in future PRs.
This script is the output of the #login-hackathon-2024-build-user-narratives team. The idea is that, given a UUID, we can scan event logs and try to build a human-readable narrative for what happened to that user.
Here's an example invocation with the resulting output (UUID replaced with a random one):
The output is rendered as Markdown to the terminal.
Extensibility
The script relies on a set of `Matcher` instances, which are classes that provide two methods:
- `handle_cloudwatch_event(event)` is called for every event in the user's event stream (in order).
- `finish` is called at the end of processing all events, and allows the `Matcher` to provide structure summarizing what it thinks happened.
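The following is an added example, not code from this PR or the project, showing how a matcher built on the two-method interface above fits together with the driver behaviour the commits describe (normalize `@timestamp` to UTC, sort events because stdin is not guaranteed ordered, then call `finish`). The matcher applies the abandonment rule from the commit list: an IdV attempt with no IdV-related event for more than an hour, and no workflow completion, is called abandoned. The event shape (a Hash with `@timestamp` and `name`), the `IdV: ` name prefix, the completion event name, and the `now:` reference time are all assumptions for the example, as are the constructed sample events.

```ruby
# frozen_string_literal: true

require 'json'
require 'time'

# Hypothetical IdV matcher (not the PR's own code) implementing the two-method
# Matcher interface: handle_cloudwatch_event(event) and finish.
# Assumed event shape: a Hash with '@timestamp' (ISO 8601 string) and 'name'.
class IdvAbandonmentMatcher
  IDV_PREFIX = 'IdV: '                        # assumed prefix for IdV-related events
  COMPLETION_EVENT = 'IdV: workflow complete' # assumed name marking the initial workflow done
  ABANDON_AFTER = 60 * 60                     # one hour, per the abandonment rule

  # `now` is the reference time for deciding whether a still-open attempt is stale.
  def initialize(now: Time.now.utc)
    @now = now
    @attempts = []
    @current = nil
  end

  def handle_cloudwatch_event(event)
    name = event['name'].to_s
    return unless name.start_with?(IDV_PREFIX)

    ts = event['@timestamp'] # already a UTC Time, normalized by the driver below
    # A gap of more than an hour since the last IdV event closes the open attempt as abandoned.
    close_attempt(:abandoned) if @current && ts - @current[:last_seen] > ABANDON_AFTER

    @current ||= { started_at: ts, last_seen: ts, events: 0 }
    @current[:last_seen] = ts
    @current[:events] += 1
    close_attempt(:completed) if name == COMPLETION_EVENT
  end

  # Returns an array of attempt summaries. An attempt still open at the end of the
  # stream is abandoned only if its last event is more than an hour before `now`.
  def finish
    close_attempt(@now - @current[:last_seen] > ABANDON_AFTER ? :abandoned : :in_progress) if @current
    @attempts
  end

  private

  def close_attempt(status)
    @attempts << @current.merge(status: status)
    @current = nil
  end
end

# Driver: parse JSON lines, normalize @timestamp to UTC, sort (stdin is not guaranteed
# to be ordered), feed every event to each matcher in order, then collect finish output.
def build_narrative(lines, matchers)
  events = lines.map { |line| JSON.parse(line) }
  events.each { |e| e['@timestamp'] = Time.parse(e['@timestamp']).utc }
  events.sort_by! { |e| e['@timestamp'] }
  events.each { |e| matchers.each { |m| m.handle_cloudwatch_event(e) } }
  matchers.map(&:finish)
end

# Constructed sample events (deliberately out of order); not real log data.
SAMPLE_LINES = [
  '{"@timestamp":"2024-12-01T10:05:00Z","name":"IdV: doc auth image upload","uuid":"00000000-0000-0000-0000-000000000000"}',
  '{"@timestamp":"2024-12-01T10:00:00Z","name":"IdV: doc auth welcome visited","uuid":"00000000-0000-0000-0000-000000000000"}',
  '{"@timestamp":"2024-12-01T10:10:00+00:00","name":"Sign in page visited","uuid":"00000000-0000-0000-0000-000000000000"}',
  '{"@timestamp":"2024-12-02T09:00:00Z","name":"IdV: doc auth welcome visited","uuid":"00000000-0000-0000-0000-000000000000"}',
  '{"@timestamp":"2024-12-02T09:20:00Z","name":"IdV: workflow complete","uuid":"00000000-0000-0000-0000-000000000000"}'
].freeze

# Runs the sample through one matcher and returns its finish output.
def sample_attempts
  matcher = IdvAbandonmentMatcher.new(now: Time.utc(2024, 12, 3))
  build_narrative(SAMPLE_LINES, [matcher]).first
end

if $PROGRAM_NAME == __FILE__
  sample_attempts.each do |a|
    puts "- #{a[:status]}: #{a[:events]} IdV events from #{a[:started_at].iso8601} to #{a[:last_seen].iso8601}"
  end
end
```

On the sample, the first two IdV events form an attempt that is closed as abandoned when the next IdV event arrives almost a day later, and the second pair is closed as completed by the completion event; the non-IdV sign-in event is ignored by this matcher. Because the driver sorts after parsing, the out-of-order first two lines do not produce a spurious extra attempt, which is exactly the "weird outcomes" the sort-on-stdin commit guards against.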