Added dynamic form definition for the feature extraction analyzer. (#1055)

* Adding dynamic form definition for the feature extraction analyzer.

* Making changes to dynamic forms

* Removing UI bit flip

* Minor linter

* Adding a bit more assistance into the sketch object for the API client.

Author: kiddinn

api_client/python/timesketch_api_client/sketch.py

@@ -439,6 +439,17 @@ def run_analyzer(
         resource_url = '{0:s}/sketches/{1:d}/analyzer/'.format(
             self.api.api_root, self.id)
 
+        # The analyzer_kwargs is expected to be a dict with the key
+        # being the analyzer name, and the value being the key/value dict
+        # with parameters for the analyzer.
+        if analyzer_kwargs:
+            if not isinstance(analyzer_kwargs, dict):
+                return (
+                    'Unable to run analyzer, analyzer kwargs needs to be a '
+                    'dict')
+            if analyzer_name not in analyzer_kwargs:
+                analyzer_kwargs = {analyzer_name: analyzer_kwargs}
+
         if timeline_name:
             sketch = self.lazyload_data()
             timelines = []

timesketch/lib/analyzers/feature_extraction.py

@@ -11,32 +11,129 @@
 from timesketch.lib.analyzers import manager
 
 
+RE_FLAGS = [
+    're.ASCII',
+    're.IGNORECASE',
+    're.LOCALE',
+    're.MULTILINE',
+    're.DOTALL',
+    're.VERBOSE',
+]
+
+
 class FeatureExtractionSketchPlugin(interface.BaseSketchAnalyzer):
     """Sketch analyzer for FeatureExtraction."""
 
     NAME = 'feature_extraction'
 
     CONFIG_FILE = 'features.yaml'
 
-    def __init__(self, index_name, sketch_id):
+    FORM_FIELDS = [
+        {
+            'name': 'query_string',
+            'type': 'ts-dynamic-form-text-input',
+            'label': 'The filter query to narrow down the result set',
+            'placeholder': 'Query',
+            'default_value': ''
+        },
+        {
+            'name': 'query_dsl',
+            'type': 'ts-dynamic-form-text-input',
+            'label': 'The filter query DSL to narrow down the result',
+            'placeholder': 'Query DSL',
+            'default_value': ''
+        },
+        {
+            'name': 'attribute',
+            'type': 'ts-dynamic-form-text-input',
+            'label': 'Name of the field to apply regular expression against',
+            'placeholder': 'Field Name',
+            'default_value': ''
+        },
+        {
+            'name': 'store_as',
+            'type': 'ts-dynamic-form-text-input',
+            'label': 'Name of the field to store the extracted results in',
+            'placeholder': 'Store results as field name',
+            'default_value': ''
+        },
+        {
+            'name': 're',
+            'type': 'ts-dynamic-form-text-input',
+            'label': 'The regular expression to extract data from field',
+            'placeholder': 'Regular Expression',
+            'default_value': ''
+        },
+        {
+            'name': 're_flags',
+            'type': 'ts-dynamic-form-multi-select-input',
+            'label': 'List of flags to pass to the regular expression',
+            'placeholder': 'Regular Expression flags',
+            'default_value': [],
+            'options': RE_FLAGS,
+            'optional': True,
+        },
+        {
+            'name': 'emojis',
+            'type': 'ts-dynamic-form-multi-select-input',
+            'label': 'List of emojis to add to events with matches',
+            'placeholder': 'Emojis to add to events',
+            'default_value': [],
+            'options': [x.code for x in emojis.EMOJI_MAP.values()],
+            'options-label': [
+                '{0:s} - {1:s}'.format(
+                    x, y.help) for x, y in emojis.EMOJI_MAP.items()],
+            'optional': True,
+        },
+        {
+            'name': 'tags',
+            'type': 'ts-dynamic-form-text-input',
+            'label': 'Tag to add to events with matches',
+            'placeholder': 'Tag to add to events',
+            'default_value': '',
+            'optional': True,
+        },
+        {
+            'name': 'create_view',
+            'type': 'ts-dynamic-form-boolean',
+            'label': 'Should a view be created if there is a match',
+            'placeholder': 'Create a view',
+            'default_value': False,
+            'optional': True,
+        },
+        {
+            'name': 'aggregate',
+            'type': 'ts-dynamic-form-boolean',
+            'label': 'Should results be aggregated if there is a match',
+            'placeholder': 'Aggregate results',
+            'default_value': False,
+            'optional': True,
+        },
+    ]
+
+
+    def __init__(self, index_name, sketch_id, config=None):
         """Initialize The Sketch Analyzer.
 
         Args:
             index_name: Elasticsearch index name
             sketch_id: Sketch ID
+            config: Optional dict that contains the configuration for the
+                analyzer. If not provided, the default YAML file will be
+                loaded up.
         """
         self.index_name = index_name
         super(FeatureExtractionSketchPlugin, self).__init__(
             index_name, sketch_id)
+        self._config = config
 
     def run(self):
         """Entry point for the analyzer.
 
         Returns:
             String with summary of the analyzer result.
         """
-        config = interface.get_yaml_config(self.CONFIG_FILE)
-
+        config = self._config or interface.get_yaml_config(self.CONFIG_FILE)
         if not config:
             return 'Unable to parse the config file.'
 

timesketch/lib/analyzers/interface.py

@@ -361,6 +361,9 @@ class BaseIndexAnalyzer(object):
     # the indexer names.
     DEPENDENCIES = frozenset()
 
+    # Used as hints to the frontend UI in order to render input forms.
+    FORM_FIELDS = []
+
     def __init__(self, index_name):
         """Initialize the analyzer object.