move indicator_match to alert object

src/mvt/android/utils.py

@@ -6,14 +6,13 @@ from datetime import datetime, timedelta
 from typing import List
 
 
-def warn_android_patch_level(patch_level: str, log) -> str:
+def warn_android_patch_level(patch_level: str, log) -> str | bool:
     """Alert if Android patch level out-of-date"""
     patch_date = datetime.strptime(patch_level, "%Y-%m-%d")
     if (datetime.now() - patch_date) > timedelta(days=6 * 31):
         warning_message = (
             f"This phone has not received security updates "
-            f"for more than six months (last update: {patch_level}).",
-            patch_level,
+            f"for more than six months (last update: {patch_level})."
         )
         return warning_message
 

src/mvt/common/command.py

@@ -8,7 +8,7 @@ import logging
 import os
 import sys
 from datetime import datetime
-from typing import Optional
+from typing import Any, Optional
 
 from rich.console import Console
 from rich.panel import Panel
@@ -43,7 +43,7 @@ class Command:
         disable_indicator_check: bool = False,
     ) -> None:
         self.name = ""
-        self.modules = []
+        self.modules: list[Any] = []
 
         self.target_path = target_path
         self.results_path = results_path
@@ -62,10 +62,10 @@ class Command:
 
         # This list will contain all executed modules.
         # We can use this to reference e.g. self.executed[0].results.
-        self.executed = []
+        self.executed: list[Any] = []
         self.hashes = hashes
-        self.hash_values = []
-        self.timeline = []
+        self.hash_values: list[dict[str, Any]] = []
+        self.timeline: list[dict[str, Any]] = []
 
         # Load IOCs
         self._create_storage()
@@ -158,7 +158,7 @@ class Command:
         if self.target_path:
             target_path = os.path.abspath(self.target_path)
 
-        info = {
+        info: dict[str, Any] = {
             "target_path": target_path,
             "mvt_version": MVT_VERSION,
             "date": convert_datetime_to_iso(datetime.now()),

src/mvt/ios/modules/mixed/global_preferences.py

@@ -42,14 +42,9 @@ class GlobalPreferences(IOSExtraction):
         for entry in self.results:
             if entry["entry"] == "LDMGlobalEnabled":
                 if entry["value"]:
-                    self.alertstore.info(
-                        self.get_slug(), "Lockdown mode enabled", "", None
-                    )
+                    self.alertstore.info("Lockdown mode enabled", "", None)
                 else:
-                    self.alertstore.low(
-                        self.get_slug(), "Lockdown mode disabled", "", None
-                    )
-                    self.alertstore.log_latest()
+                    self.alertstore.low("Lockdown mode disabled", "", None)
                     continue
 
     def process_file(self, file_path: str) -> None:

src/mvt/ios/modules/mixed/tcc.py

@@ -7,12 +7,12 @@ import logging
 import sqlite3
 from typing import Optional
 
-from mvt.common.utils import convert_unix_to_iso
 from mvt.common.module_types import (
     ModuleAtomicResult,
-    ModuleSerializedResult,
     ModuleResults,
+    ModuleSerializedResult,
 )
+from mvt.common.utils import convert_unix_to_iso
 
 from ..base import IOSExtraction
 
@@ -96,8 +96,9 @@ class TCC(IOSExtraction):
         for result in self.results:
             ioc_match = self.indicators.check_process(result["client"])
             if ioc_match:
-                result["matched_indicator"] = ioc_match.ioc
-                self.alertstore.critical(self.get_slug(), ioc_match.message, "", result)
+                self.alertstore.critical(
+                    ioc_match.message, "", result, matched_indicator=ioc_match.ioc
+                )
 
     def process_db(self, file_path):
         conn = self._open_sqlite_db(file_path)

tests/android/test_artifact_dumpsys_appops.py

@@ -48,7 +48,7 @@ class TestDumpsysAppopsArtifact:
         detected_by_ioc = [
             alert
             for alert in da.alertstore.alerts
-            if "matched_indicator" in alert.event
+            if alert.matched_indicator is not None
         ]
         detected_by_permission_heuristic = [
             alert
@@ -62,4 +62,5 @@ class TestDumpsysAppopsArtifact:
         ]
         assert len(da.alertstore.alerts) == 3
         assert len(detected_by_ioc) == 1
+        assert detected_by_ioc[0].matched_indicator is not None
         assert len(detected_by_permission_heuristic) == 2

tests/android_androidqf/test_packages.py

@@ -89,10 +89,7 @@ class TestAndroidqfPackages:
         ]
         assert len(possible_detected_app) == 1
         assert possible_detected_app[0].event["name"] == "com.malware.blah"
-        assert (
-            possible_detected_app[0].event["matched_indicator"].value
-            == "com.malware.blah"
-        )
+        assert possible_detected_app[0].matched_indicator.value == "com.malware.blah"
 
     def test_packages_ioc_sha256(self, module, indicators_factory):
         module.indicators = indicators_factory(
@@ -111,7 +108,7 @@ class TestAndroidqfPackages:
         assert len(possible_detected_app) == 1
         assert possible_detected_app[0].event["name"] == "com.malware.muahaha"
         assert (
-            possible_detected_app[0].event["matched_indicator"].value
+            possible_detected_app[0].matched_indicator.value
             == "31037a27af59d4914906c01ad14a318eee2f3e31d48da8954dca62a99174e3fa"
         )
 
@@ -132,6 +129,6 @@ class TestAndroidqfPackages:
         assert len(possible_detected_app) == 1
         assert possible_detected_app[0].event["name"] == "com.malware.muahaha"
         assert (
-            possible_detected_app[0].event["matched_indicator"].value
+            possible_detected_app[0].matched_indicator.value
             == "c7e56178748be1441370416d4c10e34817ea0c961eb636c8e9d98e0fd79bf730"
         )