
Operation event log report style #2045

Merged
merged 1 commit into from
Mar 9, 2021

Conversation

uruwhy
Copy link
Contributor

@uruwhy uruwhy commented Feb 10, 2021

Description

Users can now choose a second report style when outputting operation results. The second format follows event-based logging and returns a JSON list of events, where each event represents a link that was run in the operation chain. Links that were discarded or marked as high visibility are not included, since they were not actually meant to deliver to an agent.

Each event JSON dict contains the following information:

  • command: base64-encoded command that was assigned to the agent
  • delegated_timestamp: timestamp in YYYY-MM-DD HH:MM:SS format that indicates when the operation made the link available for collection
  • collected_timestamp: timestamp in YYYY-MM-DD HH:MM:SS format that indicates when the agent collected the link available for collection
  • finished_timestamp: timestamp in YYYY-MM-DD HH:MM:SS format that indicates when the agent submitted the link execution results to the C2 server.
  • status: link execution status
  • platform: target platform for the agent running the link (e.g. "windows")
  • executor: executor used to run the link command (e.g. "psh" for powershell)
  • pid: process ID for the link
  • agent_metadata: dictionary containing the following information for the agent that ran the link:
    • paw
    • group
    • architecture
    • username
    • location
    • pid
    • ppid
    • privilege
    • host
    • contact
    • created timestamp
  • ability_metadata: dictionary containing the ability ID, name, and description for the link ability.
  • operation_metadata: dictionary containing the operation name, start timestamp, and adversary name for the overall operation that generated the link
  • attack_metadata: dictionary containing the ATT&CK tactic, technique ID, and technique name for the ability associated with the link.
  • output: if the user selected "include agent output" when downloading the operation event logs, this field will contain the agent-provided output from running the command.

Will add a PR for documentation changes in the fieldmanual plugin once this PR is approved.

Type of change

  • New feature (non-breaking change which adds functionality)
  • This change requires a documentation update

How Has This Been Tested?

Created a test that generates an operation with a fake agent, adversary, abilities, and 3 links (2 of which successfully ran, and the 3rd was discarded). The test makes sure that the generated event logs contain the correct information for the 2 links that successfully ran and ignore the discarded link.

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have made corresponding changes to the documentation
  • I have added tests that prove my fix is effective or that my feature works
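
Added example (not code from this PR or from the Caldera project): a small consumer for the event-log format the description above lays out, written from the blue-team side. It parses the JSON list, decodes the base64 command of each event, converts the three YYYY-MM-DD HH:MM:SS timestamps, and summarizes the events per host and per ATT&CK technique with the delegate-to-collect and collect-to-finish latencies, which is what you need when lining operation events up against endpoint telemetry. The sample log is constructed; the sub-key names inside the metadata dicts (technique_id, host, ability_name, operation_start and so on) and the integer status values are assumptions, since the description names the fields but not their exact keys.

```python
import base64
import json
from collections import Counter
from datetime import datetime

# Timestamp format the PR description specifies for the three link timestamps.
TS_FMT = "%Y-%m-%d %H:%M:%S"

# Top-level keys the PR description says every event carries ("output" is optional).
REQUIRED_KEYS = (
    "command", "delegated_timestamp", "collected_timestamp", "finished_timestamp",
    "status", "platform", "executor", "pid", "agent_metadata", "ability_metadata",
    "operation_metadata", "attack_metadata",
)


def _b64(cmd):
    """Encode a command string the way the event log stores it."""
    return base64.b64encode(cmd.encode()).decode()


def _event(cmd, delegated, collected, finished, host, executor, technique_id, technique_name, output=None):
    """Build one constructed event; metadata sub-key names are assumptions, not from the page."""
    ev = {
        "command": _b64(cmd),
        "delegated_timestamp": delegated,
        "collected_timestamp": collected,
        "finished_timestamp": finished,
        "status": 0,  # assumed: 0 means the link ran successfully
        "platform": "windows",
        "executor": executor,
        "pid": 4120,
        "agent_metadata": {"paw": "paw-" + host.lower(), "group": "red", "architecture": "amd64",
                           "username": "alice", "location": "C:\\Users\\Public\\agent.exe",
                           "pid": 3001, "ppid": 2999, "privilege": "User", "host": host,
                           "contact": "HTTP", "created": "2021-02-10 14:55:00"},
        "ability_metadata": {"ability_id": "ABILITY-ID-PLACEHOLDER", "ability_name": "Constructed ability",
                             "ability_description": "Constructed description"},
        "operation_metadata": {"operation_name": "demo-op", "operation_start": "2021-02-10 14:58:00",
                               "operation_adversary": "ADVERSARY-PLACEHOLDER"},
        "attack_metadata": {"tactic": "discovery", "technique_id": technique_id,
                            "technique_name": technique_name},
    }
    if output is not None:
        ev["output"] = output
    return ev


# Constructed sample log: three delivered links across two hosts.
SAMPLE_EVENT_LOG = json.dumps([
    _event("whoami", "2021-02-10 15:00:00", "2021-02-10 15:00:05", "2021-02-10 15:00:07",
           "WS01", "psh", "T1033", "System Owner/User Discovery", output="ws01\\alice"),
    _event("hostname", "2021-02-10 15:00:10", "2021-02-10 15:00:12", "2021-02-10 15:00:13",
           "WS01", "psh", "T1082", "System Information Discovery", output="WS01"),
    _event("whoami", "2021-02-10 15:01:00", "2021-02-10 15:01:30", "2021-02-10 15:01:31",
           "WS02", "cmd", "T1033", "System Owner/User Discovery"),
])


def parse_event_log(text):
    """Parse the JSON event list, decode each command and convert the timestamps.

    Raises ValueError on a malformed event so a broken export is noticed rather
    than silently producing an incomplete timeline.
    """
    events = []
    for raw in json.loads(text):
        missing = [k for k in REQUIRED_KEYS if k not in raw]
        if missing:
            raise ValueError(f"event missing keys: {missing}")
        ev = dict(raw)
        ev["command_text"] = base64.b64decode(raw["command"]).decode("utf-8", "replace")
        for key in ("delegated_timestamp", "collected_timestamp", "finished_timestamp"):
            ev[key] = datetime.strptime(raw[key], TS_FMT)
        if not ev["delegated_timestamp"] <= ev["collected_timestamp"] <= ev["finished_timestamp"]:
            raise ValueError("timestamps out of order for command " + ev["command_text"])
        events.append(ev)
    return events


def summarize(events):
    """Per-host and per-technique counts plus per-link timing for telemetry correlation."""
    by_host = Counter(e["agent_metadata"]["host"] for e in events)
    by_technique = Counter(e["attack_metadata"]["technique_id"] for e in events)
    timings = []
    for e in events:
        timings.append({
            "host": e["agent_metadata"]["host"],
            "pid": e["pid"],
            "technique_id": e["attack_metadata"]["technique_id"],
            "command": e["command_text"],
            "finished": e["finished_timestamp"].strftime(TS_FMT),
            # Seconds between the link being made available and the agent picking it up,
            # then between pick-up and the agent reporting results back.
            "pickup_seconds": (e["collected_timestamp"] - e["delegated_timestamp"]).total_seconds(),
            "run_seconds": (e["finished_timestamp"] - e["collected_timestamp"]).total_seconds(),
        })
    return {"by_host": dict(by_host), "by_technique": dict(by_technique), "timings": timings}


if __name__ == "__main__":
    summary = summarize(parse_event_log(SAMPLE_EVENT_LOG))
    print(json.dumps(summary, indent=2))
```

The `finished` timestamp and `pid` in each timing record are the two values to pivot on in endpoint logs: the finish time bounds when the command ran, and the link pid (distinct from the agent pid in agent_metadata) identifies the process that detection should have flagged.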

@codecov
Copy link

codecov bot commented Feb 10, 2021

Codecov Report

Merging #2045 (ea9aeff) into master (165153b) will increase coverage by 0.04%.
The diff coverage is 66.66%.


@@            Coverage Diff             @@
##           master    #2045      +/-   ##
==========================================
+ Coverage   64.55%   64.60%   +0.04%     
==========================================
  Files          61       61              
  Lines        4672     4701      +29     
==========================================
+ Hits         3016     3037      +21     
- Misses       1656     1664       +8     
Impacted Files Coverage Δ
app/service/rest_svc.py 42.18% <0.00%> (-0.67%) ⬇️
app/objects/c_operation.py 56.34% <90.90%> (+3.09%) ⬆️
app/objects/secondclass/c_link.py 78.01% <0.00%> (+0.70%) ⬆️

Δ = absolute <relative> (impact), ø = not affected, ? = missing data

@uruwhy uruwhy force-pushed the VIRTS-1785-event-log branch 2 times, most recently from 576a12f to ea9aeff Compare February 23, 2021 16:46
@protoli protoli requested a review from garunagiri March 1, 2021 16:20
…eration logs

Proper awaiting

Ignore discarded and high visibility links when generating event logs

Adding tests for event log report generation
@wbooth wbooth merged commit feb27aa into master Mar 9, 2021
@wbooth wbooth deleted the VIRTS-1785-event-log branch March 9, 2021 19:05
@protoli protoli changed the title VIRTS 1785 operation event log report style Operation event log report style Apr 9, 2021