@cyvest/cyvest-js 3.2.0 → 4.0.0

package/dist/index.d.mts

@@ -1,3 +1,7 @@
+/**
+ * Optional human-readable investigation name.
+ */
+type InvestigationName = string | null;
 /**
  * Security level classification for checks, observables, and threat intelligence.
  *
@@ -9,6 +13,15 @@ type Justification = string | null;
  * List of whitelist entries applied to this investigation.
  */
 type Whitelists = InvestigationWhitelist[];
+type Actor = string | null;
+type Reason = string | null;
+type Tool = string | null;
+type ObjectType = string | null;
+type ObjectKey = string | null;
+/**
+ * Append-only investigation audit log.
+ */
+type EventLog = AuditEvent[];
 type ThreatIntels = string[];
 /**
  * Direction of a relationship between observables.
@@ -16,14 +29,14 @@ type ThreatIntels = string[];
 type RelationshipDirection = "outbound" | "inbound" | "bidirectional";
 type Relationships = Relationship[];
 /**
- * Checks that generated this observable.
+ * Checks that currently link to this observable (navigation-only).
  */
-type GeneratedByChecks = string[];
-type Observables1 = string[];
+type CheckLinks = string[];
 /**
- * Controls how a check reacts to linked observables.
+ * Controls how a Check↔Observable link propagates across merged investigations.
  */
-type CheckScorePolicy = "auto" | "manual";
+type PropagationMode = "LOCAL_ONLY" | "GLOBAL";
+type ObservableLinks = ObservableLink[];
 type Taxonomies = {
     [k: string]: unknown;
 }[];
@@ -47,6 +60,11 @@ type ScoreMode = "max" | "sum";
  * schemas matching the actual model_dump() output.
  */
 interface CyvestInvestigation {
+    /**
+     * Stable investigation identity (ULID).
+     */
+    investigation_id: string;
+    investigation_name?: InvestigationName;
     /**
      * Investigation start time (UTC).
      */
@@ -61,6 +79,7 @@ interface CyvestInvestigation {
      */
     whitelisted: boolean;
     whitelists: Whitelists;
+    event_log?: EventLog;
     observables: Observables;
     checks: Checks;
     checks_by_level: ChecksByLevel;
@@ -84,6 +103,24 @@ interface InvestigationWhitelist {
     justification?: Justification;
     [k: string]: unknown;
 }
+/**
+ * Centralized audit event for investigation-level changes.
+ */
+interface AuditEvent {
+    event_id: string;
+    timestamp: string;
+    event_type: string;
+    actor?: Actor;
+    reason?: Reason;
+    tool?: Tool;
+    object_type?: ObjectType;
+    object_key?: ObjectKey;
+    details?: Details;
+    [k: string]: unknown;
+}
+interface Details {
+    [k: string]: unknown;
+}
 /**
  * Observables keyed by their unique key.
  */
@@ -108,7 +145,7 @@ interface Observable {
     threat_intels: ThreatIntels;
     relationships: Relationships;
     key: string;
-    generated_by_checks: GeneratedByChecks;
+    check_links: CheckLinks;
     score_display: string;
     [k: string]: unknown;
 }
@@ -144,8 +181,8 @@ interface Check {
     extra: Extra1;
     score: number;
     level: Level;
-    observables: Observables1;
-    score_policy?: CheckScorePolicy;
+    origin_investigation_id: string;
+    observable_links: ObservableLinks;
     key: string;
     score_display: string;
     [k: string]: unknown;
@@ -153,6 +190,13 @@ interface Check {
 interface Extra1 {
     [k: string]: unknown;
 }
+/**
+ * Edge metadata for a Check↔Observable association.
+ */
+interface ObservableLink {
+    observable_key: string;
+    propagation_mode?: PropagationMode;
+}
 /**
  * Check keys organized by level name.
  */
@@ -954,13 +998,6 @@ declare function findChecksAtLeast(inv: CyvestInvestigation, minLevel: Level): C
  * @returns Array of matching checks
  */
 declare function findChecksByCheckId(inv: CyvestInvestigation, checkId: string): Check[];
-/**
- * Find checks with score policy set to manual.
- *
- * @param inv - The investigation to search
- * @returns Array of manually scored checks
- */
-declare function findManuallyScored(inv: CyvestInvestigation): Check[];
 /**
  * Find all threat intel from a specific source.
  *
@@ -1334,4 +1371,4 @@ declare function getRelationshipsForObservable(inv: CyvestInvestigation, observa
     }>;
 };
 
-export { type Check, type CheckScorePolicy, type Checks, type Checks1, type ChecksByLevel, type ChecksByLevel1, type ChecksByScope, type Container, type Containers, type CyvestInvestigation, type Data, type DataExtractionSchema, type Enrichment, type Enrichments, type Extra, type Extra1, type Extra2, type GeneratedByChecks, type GraphEdge, type GraphNode, type InvestigationCounts, type InvestigationGraph, type InvestigationWhitelist, type Justification, type KeyType, LEVEL_COLORS, LEVEL_ORDER, LEVEL_VALUES, type Level, type Observable, type Observables, type Observables1, type ObservablesByLevel, type ObservablesByType, type ObservablesByTypeAndLevel, type Relationship, type RelationshipDirection, type Relationships, type RootType, type ScoreMode, type StatisticsSchema, type StatsChecksSchema, type SubContainers, type Taxonomies, type ThreatIntel, type ThreatIntelByLevel, type ThreatIntelBySource, type ThreatIntels, type ThreatIntels1, type Whitelists, areConnected, compareLevels, countRelationshipsByType, findChecksAtLeast, findChecksByCheckId, findChecksByLevel, findChecksByScope, findContainersAtLeast, findContainersByLevel, findExternalObservables, findInternalObservables, findLeafObservables, findManuallyScored, findObservablesAtLeast, findObservablesByLevel, findObservablesByType, findObservablesByValue, findObservablesContaining, findObservablesMatching, findObservablesWithThreatIntel, findOrphanObservables, findPath, findRootObservables, findThreatIntelAtLeast, findThreatIntelByLevel, findThreatIntelBySource, findWhitelistedObservables, generateCheckKey, generateContainerKey, generateEnrichmentKey, generateObservableKey, generateThreatIntelKey, getAllChecks, getAllContainers, getAllEnrichments, getAllObservableTypes, getAllObservables, getAllRelationshipTypes, getAllScopes, getAllThreatIntelSources, getAllThreatIntels, getCheck, getCheckByIdScope, getChecksForContainer, getChecksForObservable, getColorForLevel, getColorForScore, getContainer, getContainerByPath, getCounts, getDataExtraction, getEnrichment, getEnrichmentByName, getEntityLevel, getHighestScoringChecks, getHighestScoringObservables, getLevelFromScore, getMaliciousChecks, getMaliciousObservables, getObservable, getObservableByTypeValue, getObservableChildren, getObservableGraph, getObservableParents, getObservablesForCheck, getReachableObservables, getRelatedObservables, getRelatedObservablesByDirection, getRelatedObservablesByType, getRelationshipsForObservable, getStats, getStatsChecks, getSuspiciousChecks, getSuspiciousObservables, getThreatIntel, getThreatIntelBySourceObservable, getThreatIntelsForObservable, getWhitelists, hasLevel, isCyvest, isLevelAtLeast, isLevelHigherThan, isLevelLowerThan, isValidLevel, maxLevel, minLevel, normalizeLevel, parseCheckKey, parseCyvest, parseKeyType, parseObservableKey, parseThreatIntelKey, sortChecksByLevel, sortChecksByScore, sortObservablesByLevel, sortObservablesByScore, validateKey };
+export { type Actor, type AuditEvent, type Check, type CheckLinks, type Checks, type Checks1, type ChecksByLevel, type ChecksByLevel1, type ChecksByScope, type Container, type Containers, type CyvestInvestigation, type Data, type DataExtractionSchema, type Details, type Enrichment, type Enrichments, type EventLog, type Extra, type Extra1, type Extra2, type GraphEdge, type GraphNode, type InvestigationCounts, type InvestigationGraph, type InvestigationName, type InvestigationWhitelist, type Justification, type KeyType, LEVEL_COLORS, LEVEL_ORDER, LEVEL_VALUES, type Level, type ObjectKey, type ObjectType, type Observable, type ObservableLink, type ObservableLinks, type Observables, type ObservablesByLevel, type ObservablesByType, type ObservablesByTypeAndLevel, type PropagationMode, type Reason, type Relationship, type RelationshipDirection, type Relationships, type RootType, type ScoreMode, type StatisticsSchema, type StatsChecksSchema, type SubContainers, type Taxonomies, type ThreatIntel, type ThreatIntelByLevel, type ThreatIntelBySource, type ThreatIntels, type ThreatIntels1, type Tool, type Whitelists, areConnected, compareLevels, countRelationshipsByType, findChecksAtLeast, findChecksByCheckId, findChecksByLevel, findChecksByScope, findContainersAtLeast, findContainersByLevel, findExternalObservables, findInternalObservables, findLeafObservables, findObservablesAtLeast, findObservablesByLevel, findObservablesByType, findObservablesByValue, findObservablesContaining, findObservablesMatching, findObservablesWithThreatIntel, findOrphanObservables, findPath, findRootObservables, findThreatIntelAtLeast, findThreatIntelByLevel, findThreatIntelBySource, findWhitelistedObservables, generateCheckKey, generateContainerKey, generateEnrichmentKey, generateObservableKey, generateThreatIntelKey, getAllChecks, getAllContainers, getAllEnrichments, getAllObservableTypes, getAllObservables, getAllRelationshipTypes, getAllScopes, getAllThreatIntelSources, getAllThreatIntels, getCheck, getCheckByIdScope, getChecksForContainer, getChecksForObservable, getColorForLevel, getColorForScore, getContainer, getContainerByPath, getCounts, getDataExtraction, getEnrichment, getEnrichmentByName, getEntityLevel, getHighestScoringChecks, getHighestScoringObservables, getLevelFromScore, getMaliciousChecks, getMaliciousObservables, getObservable, getObservableByTypeValue, getObservableChildren, getObservableGraph, getObservableParents, getObservablesForCheck, getReachableObservables, getRelatedObservables, getRelatedObservablesByDirection, getRelatedObservablesByType, getRelationshipsForObservable, getStats, getStatsChecks, getSuspiciousChecks, getSuspiciousObservables, getThreatIntel, getThreatIntelBySourceObservable, getThreatIntelsForObservable, getWhitelists, hasLevel, isCyvest, isLevelAtLeast, isLevelHigherThan, isLevelLowerThan, isValidLevel, maxLevel, minLevel, normalizeLevel, parseCheckKey, parseCyvest, parseKeyType, parseObservableKey, parseThreatIntelKey, sortChecksByLevel, sortChecksByScore, sortObservablesByLevel, sortObservablesByScore, validateKey };

package/dist/index.d.ts

@@ -1,3 +1,7 @@
+/**
+ * Optional human-readable investigation name.
+ */
+type InvestigationName = string | null;
 /**
  * Security level classification for checks, observables, and threat intelligence.
  *
@@ -9,6 +13,15 @@ type Justification = string | null;
  * List of whitelist entries applied to this investigation.
  */
 type Whitelists = InvestigationWhitelist[];
+type Actor = string | null;
+type Reason = string | null;
+type Tool = string | null;
+type ObjectType = string | null;
+type ObjectKey = string | null;
+/**
+ * Append-only investigation audit log.
+ */
+type EventLog = AuditEvent[];
 type ThreatIntels = string[];
 /**
  * Direction of a relationship between observables.
@@ -16,14 +29,14 @@ type ThreatIntels = string[];
 type RelationshipDirection = "outbound" | "inbound" | "bidirectional";
 type Relationships = Relationship[];
 /**
- * Checks that generated this observable.
+ * Checks that currently link to this observable (navigation-only).
  */
-type GeneratedByChecks = string[];
-type Observables1 = string[];
+type CheckLinks = string[];
 /**
- * Controls how a check reacts to linked observables.
+ * Controls how a Check↔Observable link propagates across merged investigations.
  */
-type CheckScorePolicy = "auto" | "manual";
+type PropagationMode = "LOCAL_ONLY" | "GLOBAL";
+type ObservableLinks = ObservableLink[];
 type Taxonomies = {
     [k: string]: unknown;
 }[];
@@ -47,6 +60,11 @@ type ScoreMode = "max" | "sum";
  * schemas matching the actual model_dump() output.
  */
 interface CyvestInvestigation {
+    /**
+     * Stable investigation identity (ULID).
+     */
+    investigation_id: string;
+    investigation_name?: InvestigationName;
     /**
      * Investigation start time (UTC).
      */
@@ -61,6 +79,7 @@ interface CyvestInvestigation {
      */
     whitelisted: boolean;
     whitelists: Whitelists;
+    event_log?: EventLog;
     observables: Observables;
     checks: Checks;
     checks_by_level: ChecksByLevel;
@@ -84,6 +103,24 @@ interface InvestigationWhitelist {
     justification?: Justification;
     [k: string]: unknown;
 }
+/**
+ * Centralized audit event for investigation-level changes.
+ */
+interface AuditEvent {
+    event_id: string;
+    timestamp: string;
+    event_type: string;
+    actor?: Actor;
+    reason?: Reason;
+    tool?: Tool;
+    object_type?: ObjectType;
+    object_key?: ObjectKey;
+    details?: Details;
+    [k: string]: unknown;
+}
+interface Details {
+    [k: string]: unknown;
+}
 /**
  * Observables keyed by their unique key.
  */
@@ -108,7 +145,7 @@ interface Observable {
     threat_intels: ThreatIntels;
     relationships: Relationships;
     key: string;
-    generated_by_checks: GeneratedByChecks;
+    check_links: CheckLinks;
     score_display: string;
     [k: string]: unknown;
 }
@@ -144,8 +181,8 @@ interface Check {
     extra: Extra1;
     score: number;
     level: Level;
-    observables: Observables1;
-    score_policy?: CheckScorePolicy;
+    origin_investigation_id: string;
+    observable_links: ObservableLinks;
     key: string;
     score_display: string;
     [k: string]: unknown;
@@ -153,6 +190,13 @@ interface Check {
 interface Extra1 {
     [k: string]: unknown;
 }
+/**
+ * Edge metadata for a Check↔Observable association.
+ */
+interface ObservableLink {
+    observable_key: string;
+    propagation_mode?: PropagationMode;
+}
 /**
  * Check keys organized by level name.
  */
@@ -954,13 +998,6 @@ declare function findChecksAtLeast(inv: CyvestInvestigation, minLevel: Level): C
  * @returns Array of matching checks
  */
 declare function findChecksByCheckId(inv: CyvestInvestigation, checkId: string): Check[];
-/**
- * Find checks with score policy set to manual.
- *
- * @param inv - The investigation to search
- * @returns Array of manually scored checks
- */
-declare function findManuallyScored(inv: CyvestInvestigation): Check[];
 /**
  * Find all threat intel from a specific source.
  *
@@ -1334,4 +1371,4 @@ declare function getRelationshipsForObservable(inv: CyvestInvestigation, observa
     }>;
 };
 
-export { type Check, type CheckScorePolicy, type Checks, type Checks1, type ChecksByLevel, type ChecksByLevel1, type ChecksByScope, type Container, type Containers, type CyvestInvestigation, type Data, type DataExtractionSchema, type Enrichment, type Enrichments, type Extra, type Extra1, type Extra2, type GeneratedByChecks, type GraphEdge, type GraphNode, type InvestigationCounts, type InvestigationGraph, type InvestigationWhitelist, type Justification, type KeyType, LEVEL_COLORS, LEVEL_ORDER, LEVEL_VALUES, type Level, type Observable, type Observables, type Observables1, type ObservablesByLevel, type ObservablesByType, type ObservablesByTypeAndLevel, type Relationship, type RelationshipDirection, type Relationships, type RootType, type ScoreMode, type StatisticsSchema, type StatsChecksSchema, type SubContainers, type Taxonomies, type ThreatIntel, type ThreatIntelByLevel, type ThreatIntelBySource, type ThreatIntels, type ThreatIntels1, type Whitelists, areConnected, compareLevels, countRelationshipsByType, findChecksAtLeast, findChecksByCheckId, findChecksByLevel, findChecksByScope, findContainersAtLeast, findContainersByLevel, findExternalObservables, findInternalObservables, findLeafObservables, findManuallyScored, findObservablesAtLeast, findObservablesByLevel, findObservablesByType, findObservablesByValue, findObservablesContaining, findObservablesMatching, findObservablesWithThreatIntel, findOrphanObservables, findPath, findRootObservables, findThreatIntelAtLeast, findThreatIntelByLevel, findThreatIntelBySource, findWhitelistedObservables, generateCheckKey, generateContainerKey, generateEnrichmentKey, generateObservableKey, generateThreatIntelKey, getAllChecks, getAllContainers, getAllEnrichments, getAllObservableTypes, getAllObservables, getAllRelationshipTypes, getAllScopes, getAllThreatIntelSources, getAllThreatIntels, getCheck, getCheckByIdScope, getChecksForContainer, getChecksForObservable, getColorForLevel, getColorForScore, getContainer, getContainerByPath, getCounts, getDataExtraction, getEnrichment, getEnrichmentByName, getEntityLevel, getHighestScoringChecks, getHighestScoringObservables, getLevelFromScore, getMaliciousChecks, getMaliciousObservables, getObservable, getObservableByTypeValue, getObservableChildren, getObservableGraph, getObservableParents, getObservablesForCheck, getReachableObservables, getRelatedObservables, getRelatedObservablesByDirection, getRelatedObservablesByType, getRelationshipsForObservable, getStats, getStatsChecks, getSuspiciousChecks, getSuspiciousObservables, getThreatIntel, getThreatIntelBySourceObservable, getThreatIntelsForObservable, getWhitelists, hasLevel, isCyvest, isLevelAtLeast, isLevelHigherThan, isLevelLowerThan, isValidLevel, maxLevel, minLevel, normalizeLevel, parseCheckKey, parseCyvest, parseKeyType, parseObservableKey, parseThreatIntelKey, sortChecksByLevel, sortChecksByScore, sortObservablesByLevel, sortObservablesByScore, validateKey };
+export { type Actor, type AuditEvent, type Check, type CheckLinks, type Checks, type Checks1, type ChecksByLevel, type ChecksByLevel1, type ChecksByScope, type Container, type Containers, type CyvestInvestigation, type Data, type DataExtractionSchema, type Details, type Enrichment, type Enrichments, type EventLog, type Extra, type Extra1, type Extra2, type GraphEdge, type GraphNode, type InvestigationCounts, type InvestigationGraph, type InvestigationName, type InvestigationWhitelist, type Justification, type KeyType, LEVEL_COLORS, LEVEL_ORDER, LEVEL_VALUES, type Level, type ObjectKey, type ObjectType, type Observable, type ObservableLink, type ObservableLinks, type Observables, type ObservablesByLevel, type ObservablesByType, type ObservablesByTypeAndLevel, type PropagationMode, type Reason, type Relationship, type RelationshipDirection, type Relationships, type RootType, type ScoreMode, type StatisticsSchema, type StatsChecksSchema, type SubContainers, type Taxonomies, type ThreatIntel, type ThreatIntelByLevel, type ThreatIntelBySource, type ThreatIntels, type ThreatIntels1, type Tool, type Whitelists, areConnected, compareLevels, countRelationshipsByType, findChecksAtLeast, findChecksByCheckId, findChecksByLevel, findChecksByScope, findContainersAtLeast, findContainersByLevel, findExternalObservables, findInternalObservables, findLeafObservables, findObservablesAtLeast, findObservablesByLevel, findObservablesByType, findObservablesByValue, findObservablesContaining, findObservablesMatching, findObservablesWithThreatIntel, findOrphanObservables, findPath, findRootObservables, findThreatIntelAtLeast, findThreatIntelByLevel, findThreatIntelBySource, findWhitelistedObservables, generateCheckKey, generateContainerKey, generateEnrichmentKey, generateObservableKey, generateThreatIntelKey, getAllChecks, getAllContainers, getAllEnrichments, getAllObservableTypes, getAllObservables, getAllRelationshipTypes, getAllScopes, getAllThreatIntelSources, getAllThreatIntels, getCheck, getCheckByIdScope, getChecksForContainer, getChecksForObservable, getColorForLevel, getColorForScore, getContainer, getContainerByPath, getCounts, getDataExtraction, getEnrichment, getEnrichmentByName, getEntityLevel, getHighestScoringChecks, getHighestScoringObservables, getLevelFromScore, getMaliciousChecks, getMaliciousObservables, getObservable, getObservableByTypeValue, getObservableChildren, getObservableGraph, getObservableParents, getObservablesForCheck, getReachableObservables, getRelatedObservables, getRelatedObservablesByDirection, getRelatedObservablesByType, getRelationshipsForObservable, getStats, getStatsChecks, getSuspiciousChecks, getSuspiciousObservables, getThreatIntel, getThreatIntelBySourceObservable, getThreatIntelsForObservable, getWhitelists, hasLevel, isCyvest, isLevelAtLeast, isLevelHigherThan, isLevelLowerThan, isValidLevel, maxLevel, minLevel, normalizeLevel, parseCheckKey, parseCyvest, parseKeyType, parseObservableKey, parseThreatIntelKey, sortChecksByLevel, sortChecksByScore, sortObservablesByLevel, sortObservablesByScore, validateKey };

package/dist/index.js

@@ -45,7 +45,6 @@ __export(index_exports, {
   findExternalObservables: () => findExternalObservables,
   findInternalObservables: () => findInternalObservables,
   findLeafObservables: () => findLeafObservables,
-  findManuallyScored: () => findManuallyScored,
   findObservablesAtLeast: () => findObservablesAtLeast,
   findObservablesByLevel: () => findObservablesByLevel,
   findObservablesByType: () => findObservablesByType,
@@ -140,6 +139,97 @@ var import_ajv_formats = __toESM(require("ajv-formats"));
 // ../../../schema/cyvest.schema.json
 var cyvest_schema_default = {
   $defs: {
+    AuditEvent: {
+      additionalProperties: true,
+      description: "Centralized audit event for investigation-level changes.",
+      properties: {
+        event_id: {
+          title: "Event Id",
+          type: "string"
+        },
+        timestamp: {
+          format: "date-time",
+          title: "Timestamp",
+          type: "string"
+        },
+        event_type: {
+          title: "Event Type",
+          type: "string"
+        },
+        actor: {
+          anyOf: [
+            {
+              type: "string"
+            },
+            {
+              type: "null"
+            }
+          ],
+          default: null,
+          title: "Actor"
+        },
+        reason: {
+          anyOf: [
+            {
+              type: "string"
+            },
+            {
+              type: "null"
+            }
+          ],
+          default: null,
+          title: "Reason"
+        },
+        tool: {
+          anyOf: [
+            {
+              type: "string"
+            },
+            {
+              type: "null"
+            }
+          ],
+          default: null,
+          title: "Tool"
+        },
+        object_type: {
+          anyOf: [
+            {
+              type: "string"
+            },
+            {
+              type: "null"
+            }
+          ],
+          default: null,
+          title: "Object Type"
+        },
+        object_key: {
+          anyOf: [
+            {
+              type: "string"
+            },
+            {
+              type: "null"
+            }
+          ],
+          default: null,
+          title: "Object Key"
+        },
+        details: {
+          additionalProperties: true,
+          title: "Details",
+          type: "object"
+        }
+      },
+      required: [
+        "event_id",
+        "timestamp",
+        "event_type"
+      ],
+      title: "AuditEvent",
+      type: "object"
+    },
     Check: {
       description: "Represents a verification step in the investigation.\n\nA check validates a specific aspect of the data under investigation\nand contributes to the overall investigation score.",
       properties: {
@@ -171,17 +261,17 @@ var cyvest_schema_default = {
         level: {
           $ref: "#/$defs/Level"
         },
-        observables: {
+        origin_investigation_id: {
+          title: "Origin Investigation Id",
+          type: "string"
+        },
+        observable_links: {
           items: {
-            type: "string"
+            $ref: "#/$defs/ObservableLink"
           },
-          title: "Observables",
+          title: "Observable Links",
           type: "array"
         },
-        score_policy: {
-          $ref: "#/$defs/CheckScorePolicy",
-          default: "auto"
-        },
         key: {
           title: "Key",
           type: "string"
@@ -200,22 +290,14 @@ var cyvest_schema_default = {
         "extra",
         "score",
         "level",
-        "observables",
+        "origin_investigation_id",
+        "observable_links",
         "key",
         "score_display"
       ],
       title: "Check",
       type: "object"
     },
-    CheckScorePolicy: {
-      description: "Controls how a check reacts to linked observables.",
-      enum: [
-        "auto",
-        "manual"
-      ],
-      title: "CheckScorePolicy",
-      type: "string"
-    },
     Container: {
       additionalProperties: false,
       description: "Groups checks and sub-containers for hierarchical organization.\n\nContainers allow structuring the investigation into logical sections\nwith aggregated scores and levels.",
@@ -425,13 +507,13 @@ var cyvest_schema_default = {
           title: "Key",
           type: "string"
         },
-        generated_by_checks: {
-          description: "Checks that generated this observable.",
+        check_links: {
+          description: "Checks that currently link to this observable (navigation-only).",
           items: {
             type: "string"
           },
           readOnly: true,
-          title: "Generated By Checks",
+          title: "Check Links",
           type: "array"
         },
         score_display: {
@@ -452,12 +534,40 @@ var cyvest_schema_default = {
         "threat_intels",
         "relationships",
         "key",
-        "generated_by_checks",
+        "check_links",
         "score_display"
       ],
       title: "Observable",
       type: "object"
     },
+    ObservableLink: {
+      additionalProperties: false,
+      description: "Edge metadata for a Check\u2194Observable association.",
+      properties: {
+        observable_key: {
+          title: "Observable Key",
+          type: "string"
+        },
+        propagation_mode: {
+          $ref: "#/$defs/PropagationMode",
+          default: "LOCAL_ONLY"
+        }
+      },
+      required: [
+        "observable_key"
+      ],
+      title: "ObservableLink",
+      type: "object"
+    },
+    PropagationMode: {
+      description: "Controls how a Check\u2194Observable link propagates across merged investigations.",
+      enum: [
+        "LOCAL_ONLY",
+        "GLOBAL"
+      ],
+      title: "PropagationMode",
+      type: "string"
+    },
     Relationship: {
       description: "Represents a relationship between observables.",
       properties: {
@@ -704,6 +814,24 @@ var cyvest_schema_default = {
   additionalProperties: false,
   description: "Schema for a complete serialized investigation.\n\nThis model describes the output of `serialize_investigation()` from\n`cyvest.io_serialization`. It is the top-level schema for exported investigations.\n\nEntity types reference the runtime models directly. When generating schemas with\n`mode='serialization'`, Pydantic respects field_serializer decorators and produces\nschemas matching the actual model_dump() output.",
   properties: {
+    investigation_id: {
+      description: "Stable investigation identity (ULID).",
+      title: "Investigation Id",
+      type: "string"
+    },
+    investigation_name: {
+      anyOf: [
+        {
+          type: "string"
+        },
+        {
+          type: "null"
+        }
+      ],
+      default: null,
+      description: "Optional human-readable investigation name.",
+      title: "Investigation Name"
+    },
     started_at: {
       description: "Investigation start time (UTC).",
       format: "date-time",
@@ -732,6 +860,14 @@ var cyvest_schema_default = {
       title: "Whitelists",
       type: "array"
     },
+    event_log: {
+      description: "Append-only investigation audit log.",
+      items: {
+        $ref: "#/$defs/AuditEvent"
+      },
+      title: "Event Log",
+      type: "array"
+    },
     observables: {
       additionalProperties: {
         $ref: "#/$defs/Observable"
@@ -806,6 +942,7 @@ var cyvest_schema_default = {
     }
   },
   required: [
+    "investigation_id",
     "started_at",
     "score",
     "level",
@@ -1300,17 +1437,6 @@ function findChecksByCheckId(inv, checkId) {
   }
   return result;
 }
-function findManuallyScored(inv) {
-  const result = [];
-  for (const checks of Object.values(inv.checks)) {
-    for (const check of checks) {
-      if (check.score_policy === "manual") {
-        result.push(check);
-      }
-    }
-  }
-  return result;
-}
 function findThreatIntelBySource(inv, source) {
   const normalizedSource = source.trim().toLowerCase();
   return Object.values(inv.threat_intels).filter(
@@ -1353,13 +1479,32 @@ function findContainersAtLeast(inv, minLevel2) {
 }
 function getChecksForObservable(inv, observableKey) {
   const result = [];
+  const seen = /* @__PURE__ */ new Set();
+  const checkLookup = /* @__PURE__ */ new Map();
   for (const checks of Object.values(inv.checks)) {
     for (const check of checks) {
-      if (check.observables.includes(observableKey)) {
+      checkLookup.set(check.key, check);
+    }
+  }
+  const observable = inv.observables[observableKey];
+  if (observable) {
+    for (const checkKey of observable.check_links) {
+      const check = checkLookup.get(checkKey);
+      if (check && !seen.has(check.key)) {
         result.push(check);
+        seen.add(check.key);
       }
     }
   }
+  for (const check of checkLookup.values()) {
+    if (seen.has(check.key)) {
+      continue;
+    }
+    if (check.observable_links.some((link) => link.observable_key === observableKey)) {
+      result.push(check);
+      seen.add(check.key);
+    }
+  }
   return result;
 }
 function getThreatIntelsForObservable(inv, observableKey) {
@@ -1375,7 +1520,11 @@ function getObservablesForCheck(inv, checkKey) {
   for (const checks of Object.values(inv.checks)) {
     for (const check of checks) {
       if (check.key === checkKey) {
-        return check.observables.map((obsKey) => inv.observables[obsKey]).filter((obs) => obs !== void 0);
+        const keys = /* @__PURE__ */ new Set();
+        for (const link of check.observable_links) {
+          keys.add(link.observable_key);
+        }
+        return Array.from(keys).map((obsKey) => inv.observables[obsKey]).filter((obs) => obs !== void 0);
       }
     }
   }
@@ -1748,7 +1897,6 @@ function getRelationshipsForObservable(inv, observableKey) {
   findExternalObservables,
   findInternalObservables,
   findLeafObservables,
-  findManuallyScored,
   findObservablesAtLeast,
   findObservablesByLevel,
   findObservablesByType,