Major refactor to add structured alerting and typed indicators

This commit makes a structural change to MVT by changing binary
detected/not detected logic into a structured multi-level system
of alerts. This gives far more power to extend MVT and manage
alerts.

This commit also begins the process of adding proper typing for
key objects used in MVT including Indicators, IndicatorMatches,
and ModuleResults. This will also be key to programmatically using
the output of MVT.
Donncha Ó Cearbhaill
2025-02-16 00:10:44 +01:00
parent 6bac787cb5
commit 1b03002a00
11 changed files with 544 additions and 263 deletions
+4 -3
@@ -91,7 +91,8 @@ class TestAndroidqfPackages:
assert len(possible_detected_app) == 1
assert possible_detected_app[0]["name"] == "com.malware.blah"
assert (
possible_detected_app[0]["matched_indicator"]["value"] == "com.malware.blah"
possible_detected_app[0]["matched_indicator"].ioc.value
== "com.malware.blah"
)
def test_packages_ioc_sha256(self, module, indicators_factory):
@@ -109,7 +110,7 @@ class TestAndroidqfPackages:
assert len(possible_detected_app) == 1
assert possible_detected_app[0]["name"] == "com.malware.muahaha"
assert (
possible_detected_app[0]["matched_indicator"]["value"]
possible_detected_app[0]["matched_indicator"].ioc.value
== "31037a27af59d4914906c01ad14a318eee2f3e31d48da8954dca62a99174e3fa"
)
@@ -128,6 +129,6 @@ class TestAndroidqfPackages:
assert len(possible_detected_app) == 1
assert possible_detected_app[0]["name"] == "com.malware.muahaha"
assert (
possible_detected_app[0]["matched_indicator"]["value"]
possible_detected_app[0]["matched_indicator"].ioc.value
== "c7e56178748be1441370416d4c10e34817ea0c961eb636c8e9d98e0fd79bf730"
)