CERT-Polska/mwdb-core

Consider adding a QueryResultOptions component for actions on query results

yankovs opened this issue · 0 comments

Feature Category

  • Correctness
  • User Interface / User Experience
  • Performance
  • Other (please explain)

Describe the problem

Today in MWDB, after a query is done, the user doesn't have many ways to interact with the results. Sometimes, a user may want to do some post-processing on the results they've found. For example, this can include:

  • Download a JSON containing all of the samples they've found, or just a list of hashes, for whatever reason
  • Batch Karton reanalysis of all of the results of the query. For example, some analyst may want to reanalyze all Emotet samples that entered MWDB between the 8th and the 21st of May this year. With this feature, he could do a simple query and be done
  • Users of MWDB developing a custom plugin that can send query results to further processing on internal systems

Describe the solution you'd like

There are a couple of steps I think are logical in such an implementation:

  • Make a QueryResultOptions component that is essentially a list of actions to be performed after a query is complete. Make sure this list is extendable so it can be used by plugins 😉
  • Each action should be a custom component, similar to actions in ObjectView
  • Place this component in RecentView with conditional rendering only if the query is submitted and done, and make any changes necessary for it in RecentView
  • Since each item in QueryResultOptions would need to know the actual result of the query, consider making a QueryContext similar to ObjectContext. When a query is complete, it can return an iterator to the results. Not sure this is the best solution React-wise, since if no query is submitted it can still probably be accessed, but maybe returning null when accessing the iterator in such a case is enough

Another, maybe better and more straightforward approach, would be to add this QueryResultOptions as part of RecentViewList. This way there's no need for a context, since this now has access to the elements. Also, I believe this would make it render only after a query is done, as needed.
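
Added example, not part of the original issue and not mwdb-core code: a framework-free JavaScript model of the proposal, with an action list that plugins can extend and a query state whose iterator is null until a query completes. Every identifier, the `sha256` and `tags` field names, and the sample results are assumptions made for illustration.

```javascript
// Added sketch, not mwdb-core code. All identifiers are hypothetical.
const queryResultActions = []; // extendable list; plugins append to it

function registerQueryResultAction(action) {
    if (!action || typeof action.id !== "string" || typeof action.run !== "function") {
        throw new TypeError("action needs a string id and a run(results) function");
    }
    if (queryResultActions.some((a) => a.id === action.id)) {
        throw new Error("duplicate action id: " + action.id);
    }
    queryResultActions.push(action);
}

// Stand-in for the proposed query context: no results until a query completes.
function createQueryState() {
    let results = null;
    return {
        complete(items) { results = Array.from(items); },
        reset() { results = null; },
        iterate() { return results === null ? null : results[Symbol.iterator](); },
    };
}

// Labels the options list would show; empty while no query has completed.
function availableActions(state) {
    return state.iterate() === null ? [] : queryResultActions.map((a) => a.label);
}

// Runs one action over a fresh iterator; null means "nothing to act on".
function runAction(id, state) {
    const action = queryResultActions.find((a) => a.id === id);
    if (!action) throw new Error("unknown action: " + id);
    const results = state.iterate();
    return results === null ? null : action.run(results);
}

registerQueryResultAction({ id: "hashes", label: "Download hash list",
    run: (results) => Array.from(results, (o) => o.sha256).join("\n") });
registerQueryResultAction({ id: "json", label: "Download JSON",
    run: (results) => JSON.stringify(Array.from(results)) });

// Constructed sample results; the sha256 and tags field names are assumed.
const SAMPLE_RESULTS = [
    { sha256: "a".repeat(64), tags: ["emotet"] },
    { sha256: "b".repeat(64), tags: ["emotet"] },
];
```

Each action receives a fresh iterator per run, so one action consuming the results does not leave the next with an exhausted iterator.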