Spaces:

minhan6559
/

Log-Analysis-MultiAgent

Sleeping

App Files Files Community

Log-Analysis-MultiAgent / src /agents /database_agent /agent.py

minhan6559

Upload 102 files

9e3d618 verified about 1 month ago

raw

history blame contribute delete

16 kB

	"""
	Database Agent - A specialized ReAct agent for MITRE ATT&CK technique retrieval

	This agent provides semantic search capabilities over the MITRE ATT&CK knowledge base
	with support for filtered searches by tactics, platforms, and other metadata.
	"""

	import os
	import json
	import sys
	import time
	from typing import List, Dict, Any, Optional, Literal
	from pathlib import Path

	# LangGraph and LangChain imports
	from langchain_core.tools import tool
	from langchain_core.messages import HumanMessage, AIMessage
	from langchain.chat_models import init_chat_model
	from langchain_core.language_models.chat_models import BaseChatModel
	from langchain_text_splitters import TokenTextSplitter
	from langgraph.prebuilt import create_react_agent

	# LangSmith imports
	from langsmith import traceable, Client, get_current_run_tree

	# Import prompts from the separate file
	from src.agents.database_agent.prompts import DATABASE_AGENT_SYSTEM_PROMPT

	# Import the cyber knowledge base
	try:
	from src.knowledge_base.cyber_knowledge_base import CyberKnowledgeBase
	except Exception as e:
	print(
	f"[WARNING] Could not import CyberKnowledgeBase. Please adjust import paths. {e}"
	)
	sys.exit(1)

	ls_client = Client(api_key=os.getenv("LANGSMITH_API_KEY"))


	def truncate_to_tokens(text: str, max_tokens: int) -> str:
	"""
	Truncate text to a maximum number of tokens using LangChain's TokenTextSplitter.

	Args:
	text: The text to truncate
	max_tokens: Maximum number of tokens

	Returns:
	Truncated text within the token limit
	"""
	if not text:
	return ""

	# Clean the text by replacing newlines with spaces
	cleaned_text = text.replace("\n", " ")

	# Use TokenTextSplitter to split by tokens
	splitter = TokenTextSplitter(
	encoding_name="o200k_base", chunk_size=max_tokens, chunk_overlap=0
	)

	chunks = splitter.split_text(cleaned_text)
	return chunks[0] if chunks else ""


	class DatabaseAgent:
	"""
	A specialized ReAct agent for MITRE ATT&CK technique retrieval and search.

	This agent provides intelligent search capabilities over the MITRE ATT&CK knowledge base,
	including semantic search, filtered search, and multi-query search with RRF fusion.
	"""

	def __init__(
	self,
	kb_path: str = "./cyber_knowledge_base",
	llm_client: BaseChatModel = None,
	):
	"""
	Initialize the Database Agent.

	Args:
	kb_path: Path to the cyber knowledge base directory
	llm_client: LLM model to use for the agent
	"""
	self.kb_path = kb_path
	self.kb = self._init_knowledge_base()

	if llm_client:
	self.llm = llm_client
	else:
	self.llm = init_chat_model(
	"google_genai:gemini-2.0-flash",
	temperature=0.1,
	)
	print(
	f"[INFO] Database Agent: Using default LLM model: google_genai:gemini-2.0-flash"
	)
	# Create tools
	self.tools = self._create_tools()

	# Create ReAct agent
	self.agent = self._create_react_agent()

	@traceable(name="database_agent_init_kb")
	def _init_knowledge_base(self) -> CyberKnowledgeBase:
	"""Initialize and load the cyber knowledge base."""
	kb = CyberKnowledgeBase()

	if kb.load_knowledge_base(self.kb_path):
	print("[SUCCESS] Database Agent: Loaded existing knowledge base")
	return kb
	else:
	print(
	f"[ERROR] Database Agent: Could not load knowledge base from {self.kb_path}"
	)
	print("Please ensure the knowledge base is built and available.")
	raise RuntimeError("Knowledge base not available")

	@traceable(name="database_agent_format_results")
	def _format_results_as_json(self, results) -> List[Dict[str, Any]]:
	"""Format search results as structured JSON."""
	output = []
	for doc in results:
	technique_info = {
	"attack_id": doc.metadata.get("attack_id", "Unknown"),
	"name": doc.metadata.get("name", "Unknown"),
	"tactics": [
	t.strip()
	for t in doc.metadata.get("tactics", "").split(",")
	if t.strip()
	],
	"platforms": [
	p.strip()
	for p in doc.metadata.get("platforms", "").split(",")
	if p.strip()
	],
	"description": truncate_to_tokens(doc.page_content, 300),
	"relevance_score": doc.metadata.get("relevance_score", None),
	"rrf_score": doc.metadata.get("rrf_score", None),
	"mitigation_count": doc.metadata.get("mitigation_count", 0),
	# "mitigations": truncate_to_tokens(
	# doc.metadata.get("mitigations", ""), 50
	# ),
	}
	output.append(technique_info)
	return output

	def _log_search_metrics(
	self,
	search_type: str,
	query: str,
	results_count: int,
	execution_time: float,
	success: bool,
	):
	"""Log search performance metrics to LangSmith."""
	try:
	current_run = get_current_run_tree()
	if current_run:
	ls_client.create_feedback(
	run_id=current_run.id,
	key="database_search_performance",
	score=1.0 if success else 0.0,
	value={
	"search_type": search_type,
	"query": query,
	"results_count": results_count,
	"execution_time": execution_time,
	"success": success,
	},
	)
	except Exception as e:
	print(f"Failed to log search metrics: {e}")

	def _log_agent_performance(
	self, query: str, message_count: int, execution_time: float, success: bool
	):
	"""Log overall agent performance metrics."""
	try:
	current_run = get_current_run_tree()
	if current_run:
	ls_client.create_feedback(
	run_id=current_run.id,
	key="database_agent_performance",
	score=1.0 if success else 0.0,
	value={
	"query": query,
	"message_count": message_count,
	"execution_time": execution_time,
	"success": success,
	"agent_type": "database_search",
	},
	)
	except Exception as e:
	print(f"Failed to log agent metrics: {e}")

	def _create_tools(self):
	"""Create the search tools for the Database Agent."""

	@tool
	@traceable(name="database_search_techniques")
	def search_techniques(query: str, top_k: int = 5) -> str:
	"""
	Search for MITRE ATT&CK techniques using semantic search.

	Args:
	query: Search query string
	top_k: Number of results to return (default: 5, max: 20)

	Returns:
	JSON string with search results containing technique details
	"""
	start_time = time.time()
	try:
	# Limit top_k for performance
	top_k = min(max(top_k, 1), 20) # Ensure top_k is between 1 and 20

	# Single query search
	results = self.kb.search(query, top_k=top_k)
	techniques = self._format_results_as_json(results)

	execution_time = time.time() - start_time
	self._log_search_metrics(
	"single_query", query, len(techniques), execution_time, True
	)

	return json.dumps(
	{
	"search_type": "single_query",
	"query": query,
	"techniques": techniques,
	"total_results": len(techniques),
	},
	indent=2,
	)

	except Exception as e:
	execution_time = time.time() - start_time
	self._log_search_metrics(
	"single_query", query, 0, execution_time, False
	)

	return json.dumps(
	{
	"error": str(e),
	"techniques": [],
	"message": "Error occurred during search",
	},
	indent=2,
	)

	@tool
	@traceable(name="database_search_techniques_filtered")
	def search_techniques_filtered(
	query: str,
	top_k: int = 5,
	filter_tactics: Optional[List[str]] = None,
	filter_platforms: Optional[List[str]] = None,
	) -> str:
	"""
	Search for MITRE ATT&CK techniques with metadata filters.

	Args:
	query: Search query string
	top_k: Number of results to return (default: 5, max: 20)
	filter_tactics: Filter by specific tactics (e.g., ['defense-evasion', 'privilege-escalation'])
	filter_platforms: Filter by platforms (e.g., ['Windows', 'Linux'])

	Returns:
	JSON string with filtered search results

	Examples of tactics: initial-access, execution, persistence, privilege-escalation,
	defense-evasion, credential-access, discovery, lateral-movement, collection,
	command-and-control, exfiltration, impact

	Examples of platforms: Windows, macOS, Linux, AWS, Azure, GCP, SaaS, Network,
	Containers, Android, iOS
	"""
	start_time = time.time()
	try:
	# Limit top_k for performance
	top_k = min(max(top_k, 1), 20)

	# Single query search with filters
	results = self.kb.search(
	query,
	top_k=top_k,
	filter_tactics=filter_tactics,
	filter_platforms=filter_platforms,
	)
	techniques = self._format_results_as_json(results)

	execution_time = time.time() - start_time
	self._log_search_metrics(
	"filtered_query", query, len(techniques), execution_time, True
	)

	return json.dumps(
	{
	"search_type": "single_query_filtered",
	"query": query,
	"filters": {
	"tactics": filter_tactics,
	"platforms": filter_platforms,
	},
	"techniques": techniques,
	"total_results": len(techniques),
	},
	indent=2,
	)

	except Exception as e:
	execution_time = time.time() - start_time
	self._log_search_metrics(
	"filtered_query", query, 0, execution_time, False
	)

	return json.dumps(
	{
	"error": str(e),
	"techniques": [],
	"message": "Error occurred during filtered search",
	},
	indent=2,
	)

	# return [search_techniques, search_techniques_filtered]
	return [search_techniques]

	def _create_react_agent(self):
	"""Create the ReAct agent with the search tools using the prompt from prompts.py."""
	return create_react_agent(
	model=self.llm,
	tools=self.tools,
	prompt=DATABASE_AGENT_SYSTEM_PROMPT,
	name="database_agent",
	)

	@traceable(name="database_agent_search")
	def search(self, query: str, **kwargs) -> Dict[str, Any]:
	"""
	Search for techniques using the agent's capabilities.

	Args:
	query: The search query or question
	**kwargs: Additional parameters passed to the agent

	Returns:
	Dictionary with the agent's response
	"""
	start_time = time.time()
	try:
	messages = [HumanMessage(content=query)]
	response = self.agent.invoke({"messages": messages}, **kwargs)

	execution_time = time.time() - start_time
	self._log_agent_performance(
	query, len(response.get("messages", [])), execution_time, True
	)

	return {
	"success": True,
	"messages": response["messages"],
	"final_response": (
	response["messages"][-1].content if response["messages"] else ""
	),
	}
	except Exception as e:
	execution_time = time.time() - start_time
	self._log_agent_performance(query, 0, execution_time, False)

	return {
	"success": False,
	"error": str(e),
	"messages": [],
	"final_response": f"Error during search: {str(e)}",
	}

	@traceable(name="database_agent_stream_search")
	def stream_search(self, query: str, **kwargs):
	"""
	Stream the agent's search process for real-time feedback.

	Args:
	query: The search query or question
	**kwargs: Additional parameters passed to the agent

	Yields:
	Streaming responses from the agent
	"""
	try:
	messages = [HumanMessage(content=query)]
	for chunk in self.agent.stream({"messages": messages}, **kwargs):
	yield chunk
	except Exception as e:
	yield {"error": str(e)}


	@traceable(name="database_agent_test")
	def test_database_agent():
	"""Test function to demonstrate Database Agent capabilities."""
	print("Testing Database Agent...")

	# Initialize agent
	try:
	agent = DatabaseAgent()
	print("Database Agent initialized successfully")
	except Exception as e:
	print(f"Failed to initialize Database Agent: {e}")
	return

	# Test queries
	test_queries = [
	"Find techniques related to credential dumping and LSASS memory access",
	"What are Windows-specific privilege escalation techniques?",
	"Search for defense evasion techniques that work on Linux platforms",
	"Find lateral movement techniques involving SMB or WMI",
	"What techniques are used for persistence on macOS systems?",
	]

	for i, query in enumerate(test_queries, 1):
	print(f"\n--- Test Query {i} ---")
	print(f"Query: {query}")
	print("-" * 50)

	# Test regular search
	result = agent.search(query)
	if result["success"]:
	print("Search completed successfully")
	# Print last AI message (the summary)
	for msg in reversed(result["messages"]):
	if isinstance(msg, AIMessage) and not hasattr(msg, "tool_calls"):
	print(f"Response: {msg.content[:300]}...")
	break
	else:
	print(f"Search failed: {result['error']}")


	if __name__ == "__main__":
	test_database_agent()