Hugging Face's logo

Spaces:
minhan6559
/
Log-Analysis-MultiAgent
Running

App Files Community
Log-Analysis-MultiAgent / src /agents /database_agent /agent.py
minhan6559's picture
minhan6559
Upload 102 files
9e3d618 verified
raw
history blame contribute delete
16 kB
"""
Database Agent - A specialized ReAct agent for MITRE ATT&CK technique retrieval
This agent provides semantic search capabilities over the MITRE ATT&CK knowledge base
with support for filtered searches by tactics, platforms, and other metadata.
"""
import os
import json
import sys
import time
from typing import List, Dict, Any, Optional, Literal
from pathlib import Path
# LangGraph and LangChain imports
from langchain_core.tools import tool
from langchain_core.messages import HumanMessage, AIMessage
from langchain.chat_models import init_chat_model
from langchain_core.language_models.chat_models import BaseChatModel
from langchain_text_splitters import TokenTextSplitter
from langgraph.prebuilt import create_react_agent
# LangSmith imports
from langsmith import traceable, Client, get_current_run_tree
# Import prompts from the separate file
from src.agents.database_agent.prompts import DATABASE_AGENT_SYSTEM_PROMPT
# Import the cyber knowledge base
try:
from src.knowledge_base.cyber_knowledge_base import CyberKnowledgeBase
except Exception as e:
print(
f"[WARNING] Could not import CyberKnowledgeBase. Please adjust import paths. {e}"
)
sys.exit(1)
ls_client = Client(api_key=os.getenv("LANGSMITH_API_KEY"))
def truncate_to_tokens(text: str, max_tokens: int) -> str:
"""
Truncate text to a maximum number of tokens using LangChain's TokenTextSplitter.
Args:
text: The text to truncate
max_tokens: Maximum number of tokens
Returns:
Truncated text within the token limit
"""
if not text:
return ""
# Clean the text by replacing newlines with spaces
cleaned_text = text.replace("\n", " ")
# Use TokenTextSplitter to split by tokens
splitter = TokenTextSplitter(
encoding_name="o200k_base", chunk_size=max_tokens, chunk_overlap=0
)
chunks = splitter.split_text(cleaned_text)
return chunks[0] if chunks else ""
class DatabaseAgent:
"""
A specialized ReAct agent for MITRE ATT&CK technique retrieval and search.
This agent provides intelligent search capabilities over the MITRE ATT&CK knowledge base,
including semantic search, filtered search, and multi-query search with RRF fusion.
"""
def __init__(
self,
kb_path: str = "./cyber_knowledge_base",
llm_client: BaseChatModel = None,
):
"""
Initialize the Database Agent.
Args:
kb_path: Path to the cyber knowledge base directory
llm_client: LLM model to use for the agent
"""
self.kb_path = kb_path
self.kb = self._init_knowledge_base()
if llm_client:
self.llm = llm_client
else:
self.llm = init_chat_model(
"google_genai:gemini-2.0-flash",
temperature=0.1,
)
print(
f"[INFO] Database Agent: Using default LLM model: google_genai:gemini-2.0-flash"
)
# Create tools
self.tools = self._create_tools()
# Create ReAct agent
self.agent = self._create_react_agent()
@traceable(name="database_agent_init_kb")
def _init_knowledge_base(self) -> CyberKnowledgeBase:
"""Initialize and load the cyber knowledge base."""
kb = CyberKnowledgeBase()
if kb.load_knowledge_base(self.kb_path):
print("[SUCCESS] Database Agent: Loaded existing knowledge base")
return kb
else:
print(
f"[ERROR] Database Agent: Could not load knowledge base from {self.kb_path}"
)
print("Please ensure the knowledge base is built and available.")
raise RuntimeError("Knowledge base not available")
@traceable(name="database_agent_format_results")
def _format_results_as_json(self, results) -> List[Dict[str, Any]]:
"""Format search results as structured JSON."""
output = []
for doc in results:
technique_info = {
"attack_id": doc.metadata.get("attack_id", "Unknown"),
"name": doc.metadata.get("name", "Unknown"),
"tactics": [
t.strip()
for t in doc.metadata.get("tactics", "").split(",")
if t.strip()
],
"platforms": [
p.strip()
for p in doc.metadata.get("platforms", "").split(",")
if p.strip()
],
"description": truncate_to_tokens(doc.page_content, 300),
"relevance_score": doc.metadata.get("relevance_score", None),
"rrf_score": doc.metadata.get("rrf_score", None),
"mitigation_count": doc.metadata.get("mitigation_count", 0),
# "mitigations": truncate_to_tokens(
# doc.metadata.get("mitigations", ""), 50
# ),
}
output.append(technique_info)
return output
def _log_search_metrics(
self,
search_type: str,
query: str,
results_count: int,
execution_time: float,
success: bool,
):
"""Log search performance metrics to LangSmith."""
try:
current_run = get_current_run_tree()
if current_run:
ls_client.create_feedback(
run_id=current_run.id,
key="database_search_performance",
score=1.0 if success else 0.0,
value={
"search_type": search_type,
"query": query,
"results_count": results_count,
"execution_time": execution_time,
"success": success,
},
)
except Exception as e:
print(f"Failed to log search metrics: {e}")
def _log_agent_performance(
self, query: str, message_count: int, execution_time: float, success: bool
):
"""Log overall agent performance metrics."""
try:
current_run = get_current_run_tree()
if current_run:
ls_client.create_feedback(
run_id=current_run.id,
key="database_agent_performance",
score=1.0 if success else 0.0,
value={
"query": query,
"message_count": message_count,
"execution_time": execution_time,
"success": success,
"agent_type": "database_search",
},
)
except Exception as e:
print(f"Failed to log agent metrics: {e}")
def _create_tools(self):
"""Create the search tools for the Database Agent."""
@tool
@traceable(name="database_search_techniques")
def search_techniques(query: str, top_k: int = 5) -> str:
"""
Search for MITRE ATT&CK techniques using semantic search.
Args:
query: Search query string
top_k: Number of results to return (default: 5, max: 20)
Returns:
JSON string with search results containing technique details
"""
start_time = time.time()
try:
# Limit top_k for performance
top_k = min(max(top_k, 1), 20) # Ensure top_k is between 1 and 20
# Single query search
results = self.kb.search(query, top_k=top_k)
techniques = self._format_results_as_json(results)
execution_time = time.time() - start_time
self._log_search_metrics(
"single_query", query, len(techniques), execution_time, True
)
return json.dumps(
{
"search_type": "single_query",
"query": query,
"techniques": techniques,
"total_results": len(techniques),
},
indent=2,
)
except Exception as e:
execution_time = time.time() - start_time
self._log_search_metrics(
"single_query", query, 0, execution_time, False
)
return json.dumps(
{
"error": str(e),
"techniques": [],
"message": "Error occurred during search",
},
indent=2,
)
@tool
@traceable(name="database_search_techniques_filtered")
def search_techniques_filtered(
query: str,
top_k: int = 5,
filter_tactics: Optional[List[str]] = None,
filter_platforms: Optional[List[str]] = None,
) -> str:
"""
Search for MITRE ATT&CK techniques with metadata filters.
Args:
query: Search query string
top_k: Number of results to return (default: 5, max: 20)
filter_tactics: Filter by specific tactics (e.g., ['defense-evasion', 'privilege-escalation'])
filter_platforms: Filter by platforms (e.g., ['Windows', 'Linux'])
Returns:
JSON string with filtered search results
Examples of tactics: initial-access, execution, persistence, privilege-escalation,
defense-evasion, credential-access, discovery, lateral-movement, collection,
command-and-control, exfiltration, impact
Examples of platforms: Windows, macOS, Linux, AWS, Azure, GCP, SaaS, Network,
Containers, Android, iOS
"""
start_time = time.time()
try:
# Limit top_k for performance
top_k = min(max(top_k, 1), 20)
# Single query search with filters
results = self.kb.search(
query,
top_k=top_k,
filter_tactics=filter_tactics,
filter_platforms=filter_platforms,
)
techniques = self._format_results_as_json(results)
execution_time = time.time() - start_time
self._log_search_metrics(
"filtered_query", query, len(techniques), execution_time, True
)
return json.dumps(
{
"search_type": "single_query_filtered",
"query": query,
"filters": {
"tactics": filter_tactics,
"platforms": filter_platforms,
},
"techniques": techniques,
"total_results": len(techniques),
},
indent=2,
)
except Exception as e:
execution_time = time.time() - start_time
self._log_search_metrics(
"filtered_query", query, 0, execution_time, False
)
return json.dumps(
{
"error": str(e),
"techniques": [],
"message": "Error occurred during filtered search",
},
indent=2,
)
# return [search_techniques, search_techniques_filtered]
return [search_techniques]
def _create_react_agent(self):
"""Create the ReAct agent with the search tools using the prompt from prompts.py."""
return create_react_agent(
model=self.llm,
tools=self.tools,
prompt=DATABASE_AGENT_SYSTEM_PROMPT,
name="database_agent",
)
@traceable(name="database_agent_search")
def search(self, query: str, **kwargs) -> Dict[str, Any]:
"""
Search for techniques using the agent's capabilities.
Args:
query: The search query or question
**kwargs: Additional parameters passed to the agent
Returns:
Dictionary with the agent's response
"""
start_time = time.time()
try:
messages = [HumanMessage(content=query)]
response = self.agent.invoke({"messages": messages}, **kwargs)
execution_time = time.time() - start_time
self._log_agent_performance(
query, len(response.get("messages", [])), execution_time, True
)
return {
"success": True,
"messages": response["messages"],
"final_response": (
response["messages"][-1].content if response["messages"] else ""
),
}
except Exception as e:
execution_time = time.time() - start_time
self._log_agent_performance(query, 0, execution_time, False)
return {
"success": False,
"error": str(e),
"messages": [],
"final_response": f"Error during search: {str(e)}",
}
@traceable(name="database_agent_stream_search")
def stream_search(self, query: str, **kwargs):
"""
Stream the agent's search process for real-time feedback.
Args:
query: The search query or question
**kwargs: Additional parameters passed to the agent
Yields:
Streaming responses from the agent
"""
try:
messages = [HumanMessage(content=query)]
for chunk in self.agent.stream({"messages": messages}, **kwargs):
yield chunk
except Exception as e:
yield {"error": str(e)}
@traceable(name="database_agent_test")
def test_database_agent():
"""Test function to demonstrate Database Agent capabilities."""
print("Testing Database Agent...")
# Initialize agent
try:
agent = DatabaseAgent()
print("Database Agent initialized successfully")
except Exception as e:
print(f"Failed to initialize Database Agent: {e}")
return
# Test queries
test_queries = [
"Find techniques related to credential dumping and LSASS memory access",
"What are Windows-specific privilege escalation techniques?",
"Search for defense evasion techniques that work on Linux platforms",
"Find lateral movement techniques involving SMB or WMI",
"What techniques are used for persistence on macOS systems?",
]
for i, query in enumerate(test_queries, 1):
print(f"\n--- Test Query {i} ---")
print(f"Query: {query}")
print("-" * 50)
# Test regular search
result = agent.search(query)
if result["success"]:
print("Search completed successfully")
# Print last AI message (the summary)
for msg in reversed(result["messages"]):
if isinstance(msg, AIMessage) and not hasattr(msg, "tool_calls"):
print(f"Response: {msg.content[:300]}...")
break
else:
print(f"Search failed: {result['error']}")
if __name__ == "__main__":
test_database_agent()