sandialabs
diff --git a/‎content/administration/enrichments.md‎
Lines changed: 109 additions & 0 deletions b/‎content/administration/enrichments.md‎
Lines changed: 109 additions & 0 deletions
diff --git a/‎content/releases/4.2.md‎
Lines changed: 30 additions & 0 deletions b/‎content/releases/4.2.md‎
Lines changed: 30 additions & 0 deletions
diff --git a/‎content/releases/4.3.md‎
Lines changed: 44 additions & 0 deletions b/‎content/releases/4.3.md‎
Lines changed: 44 additions & 0 deletions
diff --git a/‎content/usage/FavoritesPopularity.md‎
Lines changed: 35 additions & 0 deletions b/‎content/usage/FavoritesPopularity.md‎
Lines changed: 35 additions & 0 deletions
diff --git a/‎content/usage/Notifications.md‎
Lines changed: 45 additions & 0 deletions b/‎content/usage/Notifications.md‎
Lines changed: 45 additions & 0 deletions
@@ -0,0 +1,109 @@
++++
+title = "Creating Enrichments"
+description = "Enrich entity data using SCOT with Airflow"
+weight = 3
++++
+
+## SCOT enrichments
+SCOT entity enrichments provide the capability to incorporate data enrichment or other actions on flaired entities. These actions occur automatically when an entity is flaired. Actions can be anything from gathering data associated with the entity for display within the entity's flair pane in SCOT, or other types of action that can be taken outside of SCOT. SCOT works with the open-source workflow management platform, **Apache Airflow**, to launch actions based on the entity's type. 
+
+## The enrichment workflow
+- In the SCOT API configuration file, specify the following required fields:
+    - enrichmentApiJobEndpoint (must be in this format WITH PLACEHOLDER INCLUDED): "/api/v1/dags/scot_entity_[ENTITY_TYPE_PLACEHOLDER]_enrichment/dagRuns"
+    - enrichmentHost (your deployed airflow instance url): "https://airflow.example.com"
+    - enrichmentUsername: "scot4-enrichment-account-name"
+    - enrichmentPassword: "scot4-enrichment-account-password"
+    - enrichmentTypes (semicolon-delimited list of entity types): "ipaddr;domain;email;etc"
+- In Airflow, jobs are defined as Python scripts called a DAG. Each DAG you create corresponds to the workflow of enrichment(s) you want performed on a given entity type. 
+- when an entity is newly created and flaired, SCOT automatically checks the entity type and, if it matches any of the types specified in the enrichment configuration, it will send a request to your Airflow server with the entity information and a callback URL to capture results
+- Airflow uses the endpoint specified in the request (scot4_entity_[ENTITY]_enrichment) to match against the names of the DAGs you've created (NOTE: the name you give your created DAGs must match this same scheme) and will trigger the DAG.
+- Once the DAG completes, Airflow will make a POST request back to SCOT's /entity/enrichment endpoint, including any collected data as directed by the DAG (exmaple below).
+- SCOT will add the enrichment data to the entity.
+- In SCOT, you can click on the flaired entity to open the flair pane. In the flair pane, you will see the enrichment name(s) appear as tabs. Click on each enrichment tab to see the latest enrichment data for this entity. From this view you can also view previous enrichment data results, and now send a new enrichment request for potentially updated data.
+
+## Deploying Apache Airflow
+Directions for deploying an Airflow instance can be found at https://airflow.apache.org/
+
+## Creating a new DAG in Airflow
+You can review the docs for making DAG workflows at https://airflow.apache.org/docs/apache-airflow/stable/index.html.
+SCOT enrichments are designed such that one DAG corresponds to one entity type. Within that one DAG, you can have one or more tasks (python functions with an @Task decorator) defined for that enrichment type, for example:
+
+A DAG to enrich an IPv4 entity can have:
+1. A task to collect enrichment data from an external 3rd party source
+2. A task to collect enrichment data from an internal source
+3. A task to add the IP to an internal blocklist if the enrichment data meets certain criteria
+4. A task that returns new entity class IDs to the /entity/{entity_id}/entity_class endpoint in SCOT based on enrichment data
+
+You are limited only by what you can do programmatically in python and using APIs
+
+## Sample DAG
+Below is a simple DAG workflow you can use as a starting place. It's made for enrichment of an IPv4 address (but could be modified for any entity type). Based on how you set up your Airflow instance and define your DAG endpoints, you should name this script to match the endpoint. In this case, where we define the endpoint (see workflow above) as `/api/v1/dags/scot_entity_[ENTITY_TYPE_PLACEHOLDER]_enrichment/dagRuns`, and assuming you have an entity type named `ipaddr`, your DAG should be named: `scot_entity_ipaddr_enrichment`
+
+```
+import os 
+import json
+import pendulum
+
+from airflow.utils.task_group import TaskGroup
+from airflow.decorators import task, dag, task_group
+from airflow.models import Variable
+from airflow.operators.bash import BashOperator
+from airflow.operators.python import get_current_context
+from airflow.models.log import Log
+from airflow.utils.db import create_session
+from airflow.models import Variable
+
+@dag(
+    schedule_interval=None,
+    start_date=pendulum.datetime(2021, 1, 1, tz="UTC"),
+    catchup=False,
+    tags=['author:user', 'scot4_enrichment'],
+    doc_md=open(f"{os.path.dirname(os.path.realpath(__file__))}/README.md").read(),
+    params={'entity_id': None, 'entity_value': '192.168.1.1', 'callback_url':None}
+)
+def scot4_entity_ipaddr_enrichment():
+    @task
+    def task1_enrichment():
+        import pandas as pd
+        # get the IP address from the Airflow context
+        context = get_current_context()
+        ip_addr = context['params'].get('entity_value')
+        # query enrichment data for IP from 3rd party API service
+        enr_data = get_data_from_api(ip_addr)
+        # convert any results to markdown so SCOT can parse it
+        markdown = pd.DataFrame.from_records([enr_data]).T.to_markdown()
+        # use this schema for SCOT parsing (title value = tab name in the flair pane)
+        enrichment_data = { 'title': 'Data Enrichment Summary',
+                            'enrichment_class': 'markdown',
+                            'description': 'Summary from API being used',
+                            'data': {'markdown': markdown,}
+                            }
+        return {'entity_class_ids': entity_class_ids, 'enrichment_data': [enrichment_data]}
+
+
+    @task          
+    def add_enrichment_to_scot(results):
+        import requests
+
+        context = get_current_context()
+        callback_url = context['params'].get('callback_url')
+        api_key = Variable.get('scot4-instance-api-key')
+
+        if callback_url is not None and results.get('enrichment_data') is not None and len(results['enrichment_data']) > 0:
+            for enrichment_data in results['enrichment_data']:
+                context = get_current_context()
+                entity_id = context['params'].get('entity_id')
+                url = f"{callback_url}/entity/{entity_id}/enrichment"
+                res = requests.post(url, data=json.dumps(enrichment_data), headers=
+                    'Content-Type':'application/json',
+                    'Authorization': f'apikey {api_key}',
+                })
+                if not res.ok:
+                    raise Exception(f"Request to {url} failed: {res.status_code} {res.reason}: {res.text}")
+
+
+    task1_results = task1_enrichment()
+    add_enrichment_to_scot(task1_results)
+
+dag = scot4_entity_ipaddr_enrichment()
+```
@@ -0,0 +1,30 @@
++++
+title = "4.2.1 Release"
+description = "4.2.1 Release Notes"
+weight = 2
++++
+
+## Features 
+
+* Vulnerability Section added to track incoming vulnerability reports.
+
+
+## Fixes
+
+* re-added ability to source images (and only images) via a base64 data url
+* cleaned up several things for open source
+* improved search indexing performance
+* fixed process for adding user-defined flair entities
+* re-added ability to source images (and only images) via a base64 data url
+* cleaned up several things for open source
+* improved search indexing performance
+* fixed process for adding user-defined flair entities
+* multi-row sparklines now support by flair engine
+* Minion job control protected by auth
+* fixed errors in multi-word user defined flair
+* fixed error in user defined flair creation
+* fixed checks on permitted sender in inbox processor
+* helm chart clean up and refinement
+
+
+
@@ -0,0 +1,44 @@
++++
+title = "4.3.0 Release"
+description = "4.3.0 Release Notes"
+weight = 3
++++
+
+## Features 
+
+* Notification System
+    
+    Administrators can now send messages to all users. 
+    Users can also mark items to be notified when changes occur to them.
+
+* Favorites
+
+    Users can now favorite items within SCOT which acts like a bookmark and allows for easy navigation back to favorited items.
+
+* Popularity
+
+    Users can now upvote/downvote items in SCOT. This is currently an optional feature that can be hidden by the user.
+    
+* Entity Pane Enhancements
+
+    In the Entity Pane, users can now select multiple Entities for copy or bulk addition of class and tag attributes.  Users can also view GeoIP locations on a map.
+
+* Internal References
+    
+    Users can now create an interal link to other sections of SCOT within Entries.  By entering the phrase "SCOT-Event-123" into an entry, the flair engine will create an internal link to Event 123.  This will work with Alertgroups, Events, Incidents, Dispatches, Intels, Reports, etc.  Flair will also detect the URL https://yourhostname/#/intel/987 and rewrite that to a link to SCOT-Intel-987.
+
+* Core Entities Documented
+
+    SCOT now has documentation on the Core Entities.  If you create a regex that would be a useful additions to this set, let us know and we will add it.
+
+
+## Fixes
+
+* Matomo removed
+* Creating an alertgroup with tags via the API now works as expected
+* Bug in associating new entity classes with existing entities fixed
+* Flair engine can now replace images in Alertgroups with local copies
+* Dockerfile improvements for container creation
+* Improvements to local password lockout and recovery
+* Alertgroups with underscores in the subject now link to signatures/guides correctly
+* Fixed ordering of items in flair appearances pane
@@ -0,0 +1,35 @@
++++
+title = "Favorites and Popularity"
+description = "Bookmarking and Voting"
+weight = 8
++++
+
+SCOT allows you to flag items (Events, Incidents, Dispatches, Intel, Reports, Entries, and Guides) as a "favorite."  This acts like a bookmark, allowing you to quickly find and return to flagged items.
+
+To mark an item, click on the "heart" icon.
+
+![Unselected Favorite Heart](/images/heart-unselected.png)
+
+Selected as a Favorite:
+
+![Selected Favorite heart](/images/heart-selected.png)
+
+To view all items you have flagged as favorites, go to the User menu in far upper right, click and then select "Favorites/Subscriptions".
+
+![Subscription Menu](/images/SubscriptionMenu.png)
+
+You will then be presented with a pop-up like this:
+
+![Favorite Popup](/images/favoritePopup.png)
+
+that allows you to hyperlink to an item.  To remove an item from your favorites, click the heart icon again and it will be removed.
+
+## Popularity
+
+Users can toggle the popularity view and controls by selecting to "Dispaly Popularity" in the Settings menu accessed by clicking on the Gear Icon in the upper right.
+
+![Popularity Toggle](/images/popularityToggle.png)
+
+Turning on the popularity features will present upvote and downvote buttons on most items.  User then can upvote or downvote as they wish.  The number in the middel of the control represents the number of upvotes minus the number of downvotes.
+
+![Popularity Control](/images/popularityControl.png)
@@ -0,0 +1,45 @@
++++
+title = "Notifications"
+description = "Getting Up to date with Notifications"
+weight = 8
++++
+
+SCOT allows you to flag items (Events, Incidents, Dispatches, Intel, Reports, Entries, and Guides) so that you will receive notifications within SCOT when changes are made to that item.
+
+To mark an item, click on the "bell" icon.
+
+![Unselected Notificaton Bell](/images/bell-unselected.png)
+
+Selected for Notifications
+
+![Selected Notification Bell](/images/bell-selected.png)
+
+To view all items you have flagged for notifications, go to the User menu in far upper right, click and then select "Favorites/Subscriptions".
+
+![Subscription Menu](/images/SubscriptionMenu.png)
+
+You will then be presented with a pop-up like this:
+
+![Subscription Popup](/images/subscriptionPopup.png)
+
+that allows you to hyperlink to an item or unflag it for notifications.
+
+## Global Notifications
+
+The SCOT administrator can send Global Announcements to all users.  To send an global notification, select the User icon in the upper right and then select "Administration."
+
+![Admin Pull Down](/images/administrationMenu.png)
+
+You will then be presented with the following:
+
+![Send Global Announcement](/images/sendGlobalNotificaton.png)
+
+Fill out the form and press "Submit Announcement" to send notification.
+
+## Receiving Notifications
+
+Announcements will automatically pop up as small toasts in the upper right section of the browser window.  Notifications typically have an expiration time and will auto clear at the end of that expiration.  To view expired notices, click on the "Bell" icon on the upper right of the SCOT window and you will see a listing of past notifications:
+
+![Announcement Example](/images/announcement.png)
+
+