Tomas Kracmar
b35cac42e0
Some checks failed
CI / lint-and-test (push) Has been cancelled
- Migrate frontend to Alpine.js for reactive state management
- Add source health dashboard in UI and /api/source-health endpoint
- Add event tagging (PATCH /api/events/{id}/tags) and commenting (POST /api/events/{id}/comments)
- Add CSV/JSON export from the UI
- Add rule-based alerting engine (rules.py) with CRUD endpoints (/api/rules)
- Add SIEM export via webhook (siem.py)
- Add AOC audit trail middleware logging all mutations to aoc_audit collection
- Update config with SIEM_ENABLED, SIEM_WEBHOOK_URL, ALERTS_ENABLED
- Add tests for rules engine, tags, comments, and source health
64 lines
2.8 KiB
Markdown
64 lines
2.8 KiB
Markdown
# AOC Roadmap
|
|
|
|
This roadmap tracks planned improvements for the Admin Operations Center (AOC) project, organized by phase.
|
|
|
|
---
|
|
|
|
## Phase 1: Harden ✅
|
|
Goal: fix critical security and reliability gaps before production use.
|
|
|
|
- [x] Fix JWT signature verification in `auth.py`
|
|
- [x] Fix broken frontend auth button references (`loginBtn` / `logoutBtn`)
|
|
- [x] Add MongoDB indexes (`dedupe_key`, `timestamp`, `service+timestamp`, `id`, text search)
|
|
- [x] Add MongoDB TTL index for data retention (`RETENTION_DAYS`)
|
|
- [x] Add `/health` endpoint with database connectivity check
|
|
- [x] Replace manual `os.getenv` parsing with Pydantic Settings (`pydantic-settings`)
|
|
- [x] Add structured JSON logging (`structlog`)
|
|
- [x] Configure CORS middleware via `CORS_ORIGINS` environment variable
|
|
- [x] Escape user input before MongoDB `$regex` queries (`routes/events.py`)
|
|
- [x] Fix incorrect return value in `maintenance.py dedupe()`
|
|
|
|
---
|
|
|
|
## Phase 2: Stabilize ✅
|
|
Goal: improve resilience, code quality, and development experience.
|
|
|
|
- [x] Cache Graph API tokens and reuse them until near expiry
|
|
- [x] Add exponential backoff / retry logic for Graph API and Office 365 API calls
|
|
- [x] Add unit tests for `normalize_event()`, `_make_dedupe_key()`, and `auth.py`
|
|
- [x] Add integration tests for `/api/events` and `/api/fetch-audit-logs`
|
|
- [x] Configure linter/formatter (`ruff`) and pre-commit hooks
|
|
- [x] Set up GitHub Actions CI pipeline (lint + test)
|
|
- [x] Add Pydantic request/response models for API endpoints
|
|
- [x] Validate `page_size` and `hours` with strict FastAPI constraints
|
|
|
|
---
|
|
|
|
## Phase 3: Scale ✅
|
|
Goal: handle larger data volumes and support real-time ingestion.
|
|
|
|
- [x] Replace skip-based pagination with cursor-based (search-after) pagination
|
|
- [x] Add Prometheus `/metrics` endpoint and a Grafana dashboard
|
|
- [x] Implement incremental fetch watermarking per source (store last fetch timestamp)
|
|
- [x] Add webhook endpoints to receive Microsoft Graph change notifications
|
|
- [x] Evaluate Elasticsearch or Azure Cognitive Search for advanced full-text search (MongoDB text index sufficient for current scale)
|
|
- [x] Add request ID / correlation ID middleware for distributed tracing
|
|
|
|
---
|
|
|
|
## Phase 4: Enhance ✅
|
|
Goal: evolve from a polling dashboard into a full security operations tool.
|
|
|
|
- [x] Migrate frontend to Alpine.js for better state management and maintainability
|
|
- [x] Add rule-based alerting (e.g., alert on privileged operations, after-hours activity)
|
|
- [x] Add SIEM export (Splunk, Sentinel, syslog webhook)
|
|
- [x] Build an audit trail for AOC itself (who queried what, who triggered fetches)
|
|
- [x] Add event tagging and commenting (e.g., `investigating`, `false_positive`)
|
|
- [x] Add export functionality (CSV / JSON) from the UI
|
|
- [x] Add source health dashboard showing last fetch time and status per source
|
|
|
|
---
|
|
|
|
## Completed in this PR
|
|
All Phase 1 items were implemented in the latest changes.
|