Conversation

@richard-julien
Member

@richard-julien richard-julien commented Dec 18, 2025

Target

The primary target of this pull request is the History and Audit system within the OpenCTI backend and frontend. It aims to standardize how data changes are tracked, stored, and visualized, shifting the resolution of human-readable messages from write-time to read-time.

Improvements

  • Read-Time Batch Resolution: The generation of human-readable history messages and change values is now performed at read-time using a dataloader (logContextDataBatchLoader). This significantly improves write performance by removing the need to synchronously resolve entity names during ingestion.
  • Combined Resolution: The batchContextDataForLog function efficiently resolves all entity IDs involved in a batch of logs in a single pass (attributesChangesResolver), reducing database round-trips.
  • Standardized Change Tracking: Introduced a new, unified structure for tracking changes (changes_added and changes_removed) replacing the legacy mix of previous, new, added, and removed.
  • Centralized Logic: Moved history message generation and change humanization into a new dedicated module data-changes.ts, removing the legacy generate-message.js.
  • Enhanced Search: Updated the search engine (engine.ts) to support searching within the new history structure, including specific fields like changes_added.raw and changes_removed.raw.
  • Frontend Modernization: Refactored HistoryDrawer and related components to consume the new data structure, simplifying the view to "Added" vs "Removed" columns and using GraphQL queries for data fetching.
  • Type Safety: Improved type definitions in attribute-definition.ts (e.g., specific IdAttribute, TextAttribute), enhancing code reliability.

Impact Analysis

Backend

  • Data Structure: The context_data.history_changes in logs now strictly follows the { field, changes_added, changes_removed } format.
  • Performance:
    • Write Path: Faster log creation as name resolution is skipped.
    • Read Path: Optimized resolution via Dataloaders, preventing N+1 problems when viewing lists of history events.
  • Compatibility: The new enrichContextDataWithMessageAndChanges function includes logic to handle legacy history formats, ensuring backward compatibility for existing logs.
  • Search: Search queries involving history will now look into the nested context_data.history_changes structure.

Frontend

  • History Drawer: Users will see a simplified and clearer generic history view with "Removed" and "Added" columns.
  • Performance: History details are now fetched on-demand (lazy loaded) via HistoryDrawerQuery using the log ID, reducing initial load weight.

@richard-julien richard-julien self-assigned this Dec 18, 2025
@Gwendoline-FAVRE-FELIX Gwendoline-FAVRE-FELIX added the label 'filigran team' (use to identify PR from the Filigran team) Dec 19, 2025
@codecov

codecov bot commented Dec 19, 2025

Codecov Report

❌ Patch coverage is 63.98779% with 354 lines in your changes missing coverage. Please review.
✅ Project coverage is 31.13%. Comparing base (15ab1d4) to head (9e3a4c1).
⚠️ Report is 16 commits behind head on master.

Files with missing lines Patch % Lines
...ti-platform/opencti-graphql/src/database/engine.ts 28.48% 118 Missing ⚠️
...tform/opencti-graphql/src/database/data-changes.ts 83.77% 68 Missing ⚠️
...components/settings/activity/audit/AuditDrawer.tsx 0.00% 31 Missing ⚠️
opencti-platform/opencti-graphql/src/domain/log.ts 37.83% 23 Missing ⚠️
...private/components/common/drawer/HistoryDrawer.tsx 0.00% 21 Missing ⚠️
...ate/components/common/drawer/TruncatedRawValue.tsx 0.00% 12 Missing ⚠️
...cti-platform/opencti-graphql/src/utils/humanize.ts 50.00% 11 Missing ⚠️
...relationships/StixCoreRelationshipHistoryLines.jsx 0.00% 9 Missing ⚠️
...pencti-platform/opencti-front/src/private/Root.tsx 0.00% 8 Missing ⚠️
...n/stix_core_objects/StixCoreObjectHistoryLines.tsx 0.00% 8 Missing ⚠️
... and 12 more
Additional details and impacted files
@@            Coverage Diff             @@
##           master   #13775      +/-   ##
==========================================
+ Coverage   31.12%   31.13%   +0.01%     
==========================================
  Files        2923     2927       +4     
  Lines      193813   194227     +414     
  Branches    39564    39596      +32     
==========================================
+ Hits        60317    60468     +151     
- Misses     133496   133759     +263     
Flag Coverage Δ
opencti 31.13% <63.98%> (+0.01%) ⬆️
opencti-front 2.47% <5.60%> (-0.02%) ⬇️
opencti-graphql 68.41% <72.49%> (-0.11%) ⬇️


Contributor

Copilot AI left a comment


Pull request overview

This PR refactors the history and audit system to use a new change tracking structure (history_changes with history_added/history_removed) replacing the previous changes structure (previous/new/added/removed). The changes enable better tracking of modifications with both raw and translated values, improved permission filtering for history entries, and enhanced UI components for displaying audit details.

Key changes:

  • Replaced Change interface fields (previous, new, added, removed) with history_added and history_removed arrays containing ChangeValue objects with raw and optional translated fields
  • Updated GraphQL schema to reflect new HistoryChange and DataChange types
  • Added permission-based filtering for history entries through historyFiltering option
  • Refactored frontend components to use new drawer components and query individual logs by ID

Reviewed changes

Copilot reviewed 41 out of 43 changed files in this pull request and generated 5 comments.

Show a summary per file
File Description
opencti-platform/opencti-graphql/src/types/event.d.ts Updated Change interface structure
opencti-platform/opencti-graphql/src/database/middleware.js Refactored buildChanges and removed generateUpdateMessage
opencti-platform/opencti-graphql/src/database/generate-message.ts Completely rewritten message generation logic
opencti-platform/opencti-graphql/src/database/engine.ts Added history filtering restrictions and inner hits support
opencti-platform/opencti-graphql/src/domain/log.ts Added new query functions with history filtering
opencti-platform/opencti-graphql/config/schema/opencti.graphql Updated GraphQL schema types
opencti-platform/opencti-front/src/private/components/common/drawer/HistoryDrawer.tsx Complete rewrite to use lazy loading with new schema
opencti-platform/opencti-front/src/private/components/settings/activity/audit/AuditDrawer.tsx New component for audit detail display


@Archidoit
Member

In Data > Activity, in a platform with only 'old events', I checked 'include knowledge' and added a filter, and an error occurred.

@Archidoit
Member

Archidoit commented Jan 15, 2026

The list of events in Data > Activity is blocked after a few lines; we can't go below (this happens only if 'include knowledge' is checked).

@Archidoit
Member

Archidoit commented Jan 15, 2026

The messaging refactoring is great! It will improve lots of things and make readability better.

Are we OK that this PR does not fix any attribute access rights in history messages?

@Archidoit
Member

'Shared with' history lines are visible to users without the 'Restrict organization access' capability.

@richard-julien richard-julien force-pushed the issue/8237-jri branch 2 times, most recently from 7e4e3ab to 6c17d34 Compare January 21, 2026 20:50
@richard-julien richard-julien force-pushed the issue/8237-jri branch 2 times, most recently from 0815b29 to f981f73 Compare January 22, 2026 22:11
@richard-julien
Member Author

@Archidoit, the global approach has now changed. You can review again. Thanks.

@Archidoit
Member

Archidoit commented Jan 23, 2026

(Only a small UI comment, and only my opinion): in knowledge log details, when we hover over a line, its color changes even though we can't click on it. I think the color shouldn't change, since a line is not clickable.

@Archidoit
Member

Archidoit commented Jan 23, 2026

When we add a user in Assignee, the history line displays 'adds...', whereas when we add an individual in Author, the history line displays 'replaces...' even if there was no author before.

Same for all the fields with single values (it works well for fields with multiple values, like labels or markings).

@Archidoit
Member

Archidoit commented Jan 23, 2026

Boolean value history messages are not correct. They always read 'No replaced by No'.

Example: in a malware, the 'is family' field was set to True and I turned it to False. The log displayed is 'No replaced by No'.

--> The same log is displayed if I change the value from False to True.

filters: FilterGroup
search: String
): LogConnection @auth(for: [SETTINGS_SETACCESSES, SETTINGS_SECURITYACTIVITY, VIRTUAL_ORGANIZATION_ADMIN])
audit(id: ID!): Log @auth(for: [SETTINGS_SETACCESSES, SETTINGS_SECURITYACTIVITY, VIRTUAL_ORGANIZATION_ADMIN])
Member


I think a user with SETACCESSES or ACTIVITY can't view audit logs (but only history logs) if he does not have the SECURITYACTIVITY capability.

Member Author


I apply the same security as audits; I don't think there is any issue with that.

@Archidoit
Member

Archidoit commented Jan 26, 2026

For dates, if the field has no value before and we add a new value, a fake 'removed' value is displayed (an origin 1970 or 5138 value).
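The following is an added example, not OpenCTI's own code from this PR. It models the standardized history record the PR description introduces ({ field, changes_added, changes_removed }) with a write-time diff, legacy conversion, read-time batch name resolution and message humanization, and it shows how the edge cases raised in this review (a single-valued field reported as 'replaces' when nothing was there before, booleans rendered as 'No replaced by No', a phantom 'removed' epoch date) are avoided when absence and value are kept distinct at diff time. Field names, sample ids, NAME_DIRECTORY, the lookup callback shape and the message wording are assumptions made for illustration; the real data-changes.ts may differ.

```typescript
// Added example, not OpenCTI's code. Shapes, ids and wording are assumptions for illustration.
interface ChangeValue { raw: string; translated?: string }
interface HistoryChange { field: string; changes_added: ChangeValue[]; changes_removed: ChangeValue[] }
// Legacy record shape the PR description says older logs may still carry.
interface LegacyChange { field: string; previous?: unknown; new?: unknown; added?: unknown[]; removed?: unknown[] }

// A value is absent only when it is null, undefined, '' or an invalid Date.
// false and 0 are real values; treating them as absent is how a boolean flip ends up as "No replaced by No".
function isEmpty(v: unknown): boolean {
  if (v === null || v === undefined || v === '') return true;
  return v instanceof Date && isNaN(v.getTime());
}

// Raw form kept in the log: ISO strings for dates, 'true'/'false' for booleans.
// No default date is substituted for a missing one, so no phantom 1970 "removed" value can appear.
function toRaw(v: unknown): string {
  return v instanceof Date ? v.toISOString() : String(v);
}

function asList(v: unknown): unknown[] {
  return Array.isArray(v) ? v : [v];
}

// Write-time diff: single- and multi-valued fields both reduce to "what appeared" and
// "what disappeared", so a first assignment yields only changes_added.
function buildChange(field: string, previous: unknown, next: unknown): HistoryChange {
  const prevRaw = asList(previous).filter((v) => !isEmpty(v)).map(toRaw);
  const nextRaw = asList(next).filter((v) => !isEmpty(v)).map(toRaw);
  return {
    field,
    changes_added: nextRaw.filter((r) => prevRaw.indexOf(r) === -1).map((raw) => ({ raw })),
    changes_removed: prevRaw.filter((r) => nextRaw.indexOf(r) === -1).map((raw) => ({ raw })),
  };
}

// Backward compatibility for the legacy previous/new and added/removed shapes.
function fromLegacy(c: LegacyChange): HistoryChange {
  if (c.added !== undefined || c.removed !== undefined) {
    return buildChange(c.field, c.removed || [], c.added || []);
  }
  return buildChange(c.field, c.previous, c.new);
}

// Read-time batch resolution: gather every raw id in the batch, resolve them in one call
// (the role the PR gives its dataloader), then attach translated names. Ids the lookup
// does not return (unknown, or not visible to the viewer) simply stay raw.
function resolveBatch(changes: HistoryChange[], lookup: (ids: string[]) => Record<string, string>): HistoryChange[] {
  const ids: string[] = [];
  for (const ch of changes) {
    for (const v of ch.changes_added.concat(ch.changes_removed)) {
      if (ids.indexOf(v.raw) === -1) ids.push(v.raw);
    }
  }
  const names = lookup(ids); // a single round-trip for the whole batch
  const translate = (v: ChangeValue): ChangeValue =>
    names[v.raw] !== undefined ? { raw: v.raw, translated: names[v.raw] } : { raw: v.raw };
  return changes.map((ch) => ({
    field: ch.field,
    changes_added: ch.changes_added.map(translate),
    changes_removed: ch.changes_removed.map(translate),
  }));
}

// The verb is chosen from what actually changed, not from the field's cardinality.
function humanize(ch: HistoryChange): string {
  const show = (vals: ChangeValue[]): string =>
    vals.map((v) => (v.translated !== undefined ? v.translated : v.raw)).join(', ');
  if (ch.changes_added.length === 0 && ch.changes_removed.length === 0) return `no change in ${ch.field}`;
  if (ch.changes_removed.length === 0) return `adds ${show(ch.changes_added)} in ${ch.field}`;
  if (ch.changes_added.length === 0) return `removes ${show(ch.changes_removed)} in ${ch.field}`;
  return `replaces ${show(ch.changes_removed)} by ${show(ch.changes_added)} in ${ch.field}`;
}

// Constructed directory standing in for the entity store; the ids are made up.
const NAME_DIRECTORY: Record<string, string> = {
  'identity--aaaa': 'Alice (individual)',
  'label--bbbb': 'malicious',
};
function lookupNames(ids: string[]): Record<string, string> {
  const found: Record<string, string> = {};
  for (const id of ids) {
    if (NAME_DIRECTORY[id] !== undefined) found[id] = NAME_DIRECTORY[id];
  }
  return found;
}

// Constructed batch covering the cases raised in this review.
function demoMessages(): string[] {
  const batch: HistoryChange[] = [
    buildChange('is_family', true, false),                                  // boolean flip
    buildChange('createdBy', null, 'identity--aaaa'),                       // single value, nothing before
    buildChange('first_seen', undefined, new Date('2026-01-01T00:00:00Z')), // date set for the first time
    buildChange('objectLabel', ['label--bbbb'], []),                        // multi-value removal
    fromLegacy({ field: 'description', previous: 'old text', new: 'new text' }), // legacy record
  ];
  return resolveBatch(batch, lookupNames).map(humanize);
}

console.log(demoMessages().join('\n'));
```

Because translation happens at read time, the lookup callback runs in the viewer's context and is the natural place to apply the viewer's permissions in this design: an id the viewer is not allowed to resolve is left as its raw identifier rather than being expanded into a name.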
