• v1.5.0 47e0dfc2ca

    v1.5.0 — Saved Searches, AI Explain & Privacy Gating
    CI / lint-and-test (push) Successful in 37s
    Release / build-and-push (push) Successful in 1m51s
    Stable

    tomas.kracmar released this 2026-04-22 06:30:20 +00:00 | 44 commits to main since this release

    What's New

    Saved Searches (Bookmarks)

    • Save filter combinations with a name and recall them instantly.
    • Save filters button in the filters panel.
    • Saved searches appear as pill chips — click to apply, × to delete.
    • Scoped per user (created_by is taken from the sub claim of the caller's token).

    AI Event Explanation with GUID Resolution

    • New POST /api/events/{id}/explain endpoint sends an event + related events to the LLM for a security-focused explanation.
    • GUID resolution: extracts UUIDs from the raw event and resolves them via Microsoft Graph (users, groups, service principals, devices) before sending to the LLM.
    • The LLM now sees human-readable names instead of raw GUIDs.
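The extract-resolve-substitute flow described above, as an added example that is not the AOC project's own code: the event layout, the lookup callback and the constructed directory that stands in for Microsoft Graph are all assumptions. It shows the edge case a practitioner cares about: identifiers that are not directory objects (here a correlation id) stay as-is and are reported as unresolved rather than guessed.

```python
"""GUID resolution before an audit event is handed to an LLM (illustrative
example, not AOC code). Assumptions: the event shape, lookup_directory(), and
the DIRECTORY table standing in for Microsoft Graph."""
import re
from typing import Any

# Matches an RFC 4122 style UUID anywhere inside a string, any letter case.
UUID_RE = re.compile(
    r"\b[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\b"
)

# Constructed directory standing in for Graph lookups of users, groups,
# service principals and devices. A real implementation would call Graph.
DIRECTORY = {
    "11111111-1111-4111-8111-111111111111": ("user", "Alice Example"),
    "aaaaaaaa-2222-4222-8222-222222222222": ("group", "Finance Admins"),
    "33333333-3333-4333-8333-333333333333": ("device", "LAPTOP-ABC123"),
    "55555555-5555-4555-8555-555555555555": ("servicePrincipal", "Backup Connector"),
}


def lookup_directory(guid: str):
    """Hypothetical Graph lookup: returns (objectType, displayName) or None."""
    return DIRECTORY.get(guid)


def extract_guids(value: Any) -> set[str]:
    """Walk nested dicts/lists/strings and collect every UUID, lower-cased."""
    found: set[str] = set()
    if isinstance(value, str):
        found.update(m.lower() for m in UUID_RE.findall(value))
    elif isinstance(value, dict):
        for v in value.values():
            found |= extract_guids(v)
    elif isinstance(value, list):
        for v in value:
            found |= extract_guids(v)
    return found


def resolve_guids(guids, lookup):
    """Resolve each GUID once; GUIDs with no directory object are reported back."""
    names: dict[str, str] = {}
    unresolved: set[str] = set()
    for guid in sorted(guids):
        hit = lookup(guid)
        if hit is None:
            unresolved.add(guid)
        else:
            obj_type, display = hit
            names[guid] = f"{display} ({obj_type})"
    return names, unresolved


def substitute(value: Any, names: dict[str, str]) -> Any:
    """Return a new structure with resolved GUIDs replaced by display names.
    Unresolved GUIDs are left exactly as they were."""
    if isinstance(value, str):
        return UUID_RE.sub(lambda m: names.get(m.group(0).lower(), m.group(0)), value)
    if isinstance(value, dict):
        return {k: substitute(v, names) for k, v in value.items()}
    if isinstance(value, list):
        return [substitute(v, names) for v in value]
    return value


def prepare_for_llm(event: dict, lookup=lookup_directory):
    """Full pipeline: extract, resolve, substitute. The input event is not mutated."""
    names, unresolved = resolve_guids(extract_guids(event), lookup)
    return substitute(event, names), names, unresolved


# Constructed raw audit event: GUIDs appear in nested fields, in free text,
# in mixed case, and one (the correlation id) is not a directory object.
SAMPLE_EVENT = {
    "id": "evt-001",
    "operation": "Add member to group",
    "initiatedBy": {"user": {"id": "11111111-1111-4111-8111-111111111111"}},
    "targetResources": [{"id": "AAAAAAAA-2222-4222-8222-222222222222", "type": "Group"}],
    "additionalDetails": (
        "Device 33333333-3333-4333-8333-333333333333 enrolled by "
        "11111111-1111-4111-8111-111111111111"
    ),
    "correlationId": "44444444-4444-4444-8444-444444444444",
}

if __name__ == "__main__":
    annotated, names, unresolved = prepare_for_llm(SAMPLE_EVENT)
    print(annotated)
    print("unresolved:", unresolved)
```

Resolving each GUID once (the set built by extract_guids) keeps the number of Graph calls bounded by the number of distinct identifiers in the event, not by how often they appear.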

    Operation-Level Privacy Gating

    • Replaced broad service-level blocking with fine-grained operation-level privacy controls.
    • PRIVACY_SENSITIVE_OPERATIONS hides specific operations (e.g. MailItemsAccessed, Send, Search-Mailbox) across all services.
    • PRIVACY_SERVICES still available for broad service-level blocking if needed.
    • Both gated by PRIVACY_SERVICE_ROLES (e.g. SecurityAdministrator, ComplianceAdministrator).
    • Users without one of those roles still see admin actions such as Add-MailboxPermission and Set-Mailbox, but not mail reading or sending logs.
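The gating rules above, as an added example that is not the AOC project's own code: the PrivacyGate class, the event fields and the way roles are passed in are assumptions, while the three environment variable names and the sample operations come from the release notes. It shows both mechanisms side by side: operation-level hiding that applies across every service, and the older service-wide block, both lifted for callers who hold a configured role.

```python
"""Operation-level privacy gating (illustrative example, not AOC code).
Assumptions: PrivacyGate, the event dict shape, and that the caller's roles
arrive as a list of role names taken from the validated token."""
import os
from typing import Iterable


def parse_list(value: str) -> frozenset[str]:
    """Split a comma-separated env value into a set, dropping blanks/whitespace."""
    return frozenset(v.strip() for v in value.split(",") if v.strip())


class PrivacyGate:
    def __init__(self, sensitive_ops: str, blocked_services: str, privileged_roles: str):
        self.sensitive_ops = parse_list(sensitive_ops)        # PRIVACY_SENSITIVE_OPERATIONS
        self.blocked_services = parse_list(blocked_services)  # PRIVACY_SERVICES
        self.privileged_roles = parse_list(privileged_roles)  # PRIVACY_SERVICE_ROLES

    @classmethod
    def from_env(cls, env=None) -> "PrivacyGate":
        """Build from os.environ (or any mapping, for tests)."""
        env = os.environ if env is None else env
        return cls(
            env.get("PRIVACY_SENSITIVE_OPERATIONS", ""),
            env.get("PRIVACY_SERVICES", ""),
            env.get("PRIVACY_SERVICE_ROLES", ""),
        )

    def is_privileged(self, roles: Iterable[str]) -> bool:
        """Any one configured role is enough to see gated events."""
        return bool(self.privileged_roles & set(roles))

    def is_restricted(self, event: dict) -> bool:
        """Restricted if the operation is sensitive (in any service) or the
        whole service is blocked. Comparison is exact, matching the .env value."""
        return (
            event.get("operation") in self.sensitive_ops
            or event.get("service") in self.blocked_services
        )

    def filter_events(self, events: Iterable[dict], roles: Iterable[str]) -> list[dict]:
        if self.is_privileged(roles):
            return list(events)
        return [e for e in events if not self.is_restricted(e)]


def visible_ids(gate: PrivacyGate, events, roles) -> list:
    """Convenience for checking which event ids a caller with `roles` may see."""
    return [e["id"] for e in gate.filter_events(events, roles)]


# Constructed configuration mirroring the .env keys in the release notes.
CONFIG = {
    "PRIVACY_SENSITIVE_OPERATIONS": "MailItemsAccessed,Search-Mailbox,Send,ChatMessageRead",
    "PRIVACY_SERVICES": "",
    "PRIVACY_SERVICE_ROLES": "SecurityAdministrator,ComplianceAdministrator",
}

# Constructed sample events (the operations are those named in the notes).
SAMPLE_EVENTS = [
    {"id": 1, "service": "Exchange", "operation": "Add-MailboxPermission", "actor": "admin@example.test"},
    {"id": 2, "service": "Exchange", "operation": "Set-Mailbox", "actor": "admin@example.test"},
    {"id": 3, "service": "Exchange", "operation": "MailItemsAccessed", "actor": "alice@example.test"},
    {"id": 4, "service": "Exchange", "operation": "Send", "actor": "alice@example.test"},
    {"id": 5, "service": "Exchange", "operation": "Search-Mailbox", "actor": "admin@example.test"},
    {"id": 6, "service": "Teams", "operation": "ChatMessageRead", "actor": "bob@example.test"},
    {"id": 7, "service": "Intune", "operation": "Update device", "actor": "admin@example.test"},
]

if __name__ == "__main__":
    gate = PrivacyGate.from_env(CONFIG)
    print("reader sees:", visible_ids(gate, SAMPLE_EVENTS, ["GlobalReader"]))
    print("sec admin sees:", visible_ids(gate, SAMPLE_EVENTS, ["SecurityAdministrator"]))
```

Applying the gate server-side, at the point the query result is built, is what makes the UI-level hiding meaningful; the same filter should sit in front of every path that returns events, including the explain and MCP endpoints.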

    UI Polish

    • Teams added to default noisy service exclusion alongside Exchange and SharePoint.
    • Filter state persisted to localStorage and restored on reload.
    • Result pills now treat "True" as green (success).
    • Copy and Explain buttons in the raw event modal.

    Upgrade Notes

    docker compose pull && docker compose up -d

    Optional: configure privacy gating in .env:

    PRIVACY_SENSITIVE_OPERATIONS=MailItemsAccessed,Search-Mailbox,Send,ChatMessageRead
    PRIVACY_SERVICE_ROLES=SecurityAdministrator,ComplianceAdministrator
  • v1.4.0 05f5f07e7b

    v1.4.0 — Filter Persistence & Smarter Defaults
    CI / lint-and-test (push) Successful in 30s
    Release / build-and-push (push) Successful in 1m24s
    Stable

    tomas.kracmar released this 2026-04-22 04:48:47 +00:00 | 49 commits to main since this release

    What's New

    Filter Persistence

    • Filter state is now saved to localStorage and restored on page reload.
    • Includes: actor, services, operation, result, time range, tags, limit, and search.
    • Saved services are validated against current API options — stale entries are silently dropped.

    Smarter Defaults

    • Exchange and SharePoint are now unchecked by default.
    • These services generate extremely high volumes of noise (e.g. MailItemsAccessed) and are rarely relevant for security investigations.
    • The Clear button resets to this default set rather than selecting all services.

    UI Polish

    • Result pills now treat "True" as a success state (green) in addition to success, succeeded, ok, and passed.
    • This fixes the orange pill colour on common Exchange admin events.

    Upgrade Notes

    docker compose pull && docker compose up -d

    No configuration changes required.

  • v1.3.2 fb5d45dfb3

    v1.3.2 — AI Event Explanation & Copy Raw Event
    CI / lint-and-test (push) Successful in 23s
    Release / build-and-push (push) Successful in 1m38s
    Stable

    tomas.kracmar released this 2026-04-21 20:28:52 +00:00 | 51 commits to main since this release

    What's New

    AI Event Explanation

    • New POST /api/events/{id}/explain endpoint sends an audit event (plus up to 10 related events from the last 24h) to the LLM for a security-focused explanation.
    • The LLM explains what happened, who performed the action, whether it's typical or suspicious, any security implications, and recommended next steps.
    • Available in the raw event modal — click Explain when viewing any event.
    • Gracefully falls back when LLM_API_KEY is not configured.

    Copy Raw Event

    • New Copy button in the raw event modal copies the full JSON to the clipboard.

    Upgrade Notes

    docker compose pull && docker compose up -d

    No configuration changes required.

  • v1.3.1 a5db0d363d

    v1.3.1 — MCP over SSE + UI Polish
    Release / build-and-push (push) Successful in 1m16s
    CI / lint-and-test (push) Successful in 25s
    Stable

    tomas.kracmar released this 2026-04-21 09:28:32 +00:00 | 53 commits to main since this release

    What's New

    MCP Server over SSE (production-ready)

    • New HTTP/SSE MCP transport at GET /mcp/sse and POST /mcp/messages/
    • Reuses existing OIDC Bearer token validation — requires a valid Entra token when AUTH_ENABLED=true
    • Same four tools as the stdio server: search_events, get_event, get_summary, ask
    • Shared tool handlers extracted to mcp_common.py (used by both stdio and SSE transports)
    • Mounted inside FastAPI when AI_FEATURES_ENABLED=true

    UI Polish

    • Page title changed from "AOC Events" → "Admin Operations Center"
    • Hero heading changed from "Directory Audit Explorer" → "Audit Log Explorer"
    • Subtitle updated to mention all data sources: Entra, Intune, Exchange, SharePoint, Teams
    • Filter section moved before the Ask panel for better flow

    Upgrade Notes

    docker compose pull && docker compose up -d

    No configuration changes required.

  • v1.3.0 60b6ad15c4

    v1.3.0 — AI Feature Flag & MCP Server
    CI / lint-and-test (push) Successful in 45s
    Release / build-and-push (push) Successful in 1m34s
    Stable

    tomas.kracmar released this 2026-04-20 16:11:31 +00:00 | 58 commits to main since this release

    What's New

    AI Feature Flag (AI_FEATURES_ENABLED)

    • Gate all AI/natural-language features with a single environment variable.
    • When false, the /api/ask endpoint is completely unregistered and the "Ask a question" panel is hidden from the UI.
    • New GET /api/config/features endpoint exposes feature flags to the frontend.

    MCP Server (backend/mcp_server.py)

    • Standalone Model Context Protocol server for Claude Desktop, Cursor, and other MCP clients.
    • Connects directly to MongoDB (bypasses FastAPI auth layer — run only in trusted environments).
    • Exposes four tools:
      • search_events — filter by entity, service, operation, result, and time range.
      • get_event — retrieve raw event JSON by ID.
      • get_summary — aggregated activity summary (by service, operation, result, top actors) for the last N days.
      • ask — natural language query that returns recent matching events.

    Natural Language Query (/api/ask)

    • Ask questions like "What happened to device ABC123 in the last 3 days?"
    • Intent-aware service filtering: broad queries automatically exclude high-volume Exchange/SharePoint noise.
    • Smart sampling: when datasets are large, failures and high-value services are prioritized for LLM context.
    • Aggregated overviews for datasets with >50 events.
    • Respects active UI filters (services, actor, operation, result, tags).
    • Azure OpenAI / MS Foundry compatible (api-key header, api-version, max_completion_tokens).

    Version Endpoint

    • GET /api/version returns the running version (baked into the Docker image at build time).
    • Displayed as a badge in the UI header.

    Upgrade Notes

    1. Pull the new image: docker compose pull && docker compose up -d
    2. Optionally set AI_FEATURES_ENABLED=false in .env to disable AI features.
    3. Optionally configure LLM_API_KEY, LLM_BASE_URL, LLM_MODEL for the /api/ask endpoint.
    4. For MCP: install mcp from requirements.txt and configure your MCP client to run python backend/mcp_server.py.
  • v1.2.7 b4e504a87b

    AOC v1.2.7
    Release / build-and-push (push) Successful in 1m31s
    CI / lint-and-test (push) Successful in 34s
    Stable

    tomas.kracmar released this 2026-04-20 15:41:21 +00:00 | 59 commits to main since this release

    Intent-aware querying

    • Questions like 'what happened to my laptop' automatically scope to Intune/Device events
    • 'Any new users' scopes to Directory/UserManagement
    • Broad questions ('what happened last week') exclude noisy Exchange/SharePoint logs by default

    Smart sampling

    • MongoDB fetches up to 1000 events, then curates the best 200 for the LLM
    • Failures are always included
    • High-admin-value services (Intune, Directory, Device) are prioritised
    • Exchange/SharePoint only included when explicitly asked for
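The sampling strategy described here and in the v1.3.0 "Smart sampling" note above, as one added example that is not the AOC project's own code: the event fields, the service and result labels, and the exact tier ordering are assumptions. It takes a constructed set of 1000 events, excludes the noisy services unless asked for, keeps every failure, and fills the remaining budget with the newest high-value events first.

```python
"""Smart sampling of audit events for LLM context (illustrative example, not
AOC code). Assumptions: event dict shape, service/result labels, tier order."""
from datetime import datetime, timedelta

HIGH_VALUE_SERVICES = {"Intune", "Directory", "Device"}
NOISY_SERVICES = {"Exchange", "SharePoint"}
FAILURE_RESULTS = {"failure", "failed", "false", "error"}


def is_failure(event: dict) -> bool:
    return str(event.get("result", "")).strip().lower() in FAILURE_RESULTS


def curate_events(events, limit: int = 200, include_noisy: bool = False) -> list:
    """Select events for the LLM prompt.

    Order of preference: failures (never dropped, so they may exceed `limit`),
    then high-admin-value services, then everything else; newest first within
    each tier. Exchange/SharePoint are excluded unless the question explicitly
    asked for them (include_noisy=True)."""
    pool = [e for e in events if include_noisy or e.get("service") not in NOISY_SERVICES]
    pool.sort(key=lambda e: e["timestamp"], reverse=True)

    failures = [e for e in pool if is_failure(e)]
    high_value = [e for e in pool if not is_failure(e) and e.get("service") in HIGH_VALUE_SERVICES]
    rest = [e for e in pool if not is_failure(e) and e.get("service") not in HIGH_VALUE_SERVICES]

    selected = list(failures)
    budget = max(0, limit - len(selected))
    for tier in (high_value, rest):
        take = tier[:budget]
        selected.extend(take)
        budget -= len(take)
    return selected


def build_sample(n: int = 1000) -> list:
    """Constructed dataset: n events across six services, one minute apart,
    every 37th event recorded as a failure."""
    services = ["Exchange", "Intune", "Directory", "SharePoint", "Teams", "Device"]
    base = datetime(2026, 4, 20, 0, 0)
    return [
        {
            "id": i,
            "service": services[i % 6],
            "operation": "sample-op",
            "result": "Failure" if i % 37 == 0 else "Success",
            "timestamp": base + timedelta(minutes=i),
        }
        for i in range(n)
    ]


if __name__ == "__main__":
    sel = curate_events(build_sample())
    print(len(sel), "selected;", sum(is_failure(e) for e in sel), "failures")
```

Because failures bypass the cap, a burst of failed operations can push the prompt past the nominal 200; a caller that must stay under a hard token limit should truncate the prompt text separately rather than drop failures here.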

    Docker image: git.cqre.net/cqrenet/aoc-backend:v1.2.7

  • v1.2.6 d100388c7d

    AOC v1.2.6
    CI / lint-and-test (push) Successful in 31s
    Release / build-and-push (push) Successful in 1m17s
    Stable

    tomas.kracmar released this 2026-04-20 15:29:10 +00:00 | 61 commits to main since this release

    What's new

    • Natural language query with Azure OpenAI / MS Foundry support
    • Filter-aware queries
    • Aggregated event overviews for large result sets
    • Version badge in header
    • Production hardening: non-root container, Gunicorn, nginx, internal-only MongoDB

    Docker image: git.cqre.net/cqrenet/aoc-backend:v1.2.6

  • v1.2.5 11fd87411d

    AOC v1.2.5
    Release / build-and-push (push) Successful in 1m18s
    CI / lint-and-test (push) Successful in 20s
    Stable

    tomas.kracmar released this 2026-04-20 15:24:20 +00:00 | 63 commits to main since this release

    Natural language query (/api/ask)

    Ask plain-English questions and get AI-generated answers backed by audit logs. Supports OpenAI, Azure OpenAI, and MS Foundry.

    Filter-aware queries

    The ask endpoint respects the UI filter panel.

    Scales to thousands of events

    Large result sets are pre-aggregated (counts by service/action/result/actor + failure highlights + 50 recent samples).

    Version display

    Badge in the header shows the running version.

    Production hardening

    Non-root container, Gunicorn workers, internal-only MongoDB, nginx reverse proxy.

  • v1.0.3 86966bb57f

    v1.0.3
    CI / lint-and-test (push) Failing after 21s
    Release / build-and-push (push) Failing after 23s
    Stable

    tomas.kracmar released this 2026-04-16 16:51:14 +00:00 | 84 commits to main since this release

    Release v1.0.3 - Bulk tagging and tag-based filtering

    Added

    • include_tags / exclude_tags query params for /api/events
    • POST /api/events/bulk-tags endpoint for bulk tagging matching events
    • Frontend tag filters (Include tags / Exclude tags)
    • Frontend Bulk tag matching button with append/replace modes

    Changed

    • Improved filter panel layout
  • v1.0.2 6d00d7cf32

    v1.0.2
    CI / lint-and-test (push) Failing after 2m40s
    Release / build-and-push (push) Failing after 20s
    Stable

    tomas.kracmar released this 2026-04-16 10:13:36 +00:00 | 86 commits to main since this release

    Release v1.0.2 - First automated Gitea registry build

    Changed

    • CI/CD: release workflow now pushes Docker images to git.cqre.net/cqrenet/aoc-backend
    • docker-compose.yml pulls images from Gitea container registry
    • Migrated all workflows from GitHub Actions to Gitea Actions