@cyvest/cyvest-js 4.3.0 → 4.4.1

package/dist/{index.mjs → index.cjs}

@@ -1,6 +1,140 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  LEVEL_COLORS: () => LEVEL_COLORS,
+  LEVEL_ORDER: () => LEVEL_ORDER,
+  LEVEL_VALUES: () => LEVEL_VALUES,
+  areConnected: () => areConnected,
+  compareLevels: () => compareLevels,
+  countRelationshipsByType: () => countRelationshipsByType,
+  findChecksAtLeast: () => findChecksAtLeast,
+  findChecksByCheckId: () => findChecksByCheckId,
+  findChecksByLevel: () => findChecksByLevel,
+  findChecksByScope: () => findChecksByScope,
+  findContainersAtLeast: () => findContainersAtLeast,
+  findContainersByLevel: () => findContainersByLevel,
+  findExternalObservables: () => findExternalObservables,
+  findInternalObservables: () => findInternalObservables,
+  findLeafObservables: () => findLeafObservables,
+  findObservablesAtLeast: () => findObservablesAtLeast,
+  findObservablesByLevel: () => findObservablesByLevel,
+  findObservablesByType: () => findObservablesByType,
+  findObservablesByValue: () => findObservablesByValue,
+  findObservablesContaining: () => findObservablesContaining,
+  findObservablesMatching: () => findObservablesMatching,
+  findObservablesWithThreatIntel: () => findObservablesWithThreatIntel,
+  findOrphanObservables: () => findOrphanObservables,
+  findPath: () => findPath,
+  findRootObservables: () => findRootObservables,
+  findThreatIntelAtLeast: () => findThreatIntelAtLeast,
+  findThreatIntelByLevel: () => findThreatIntelByLevel,
+  findThreatIntelBySource: () => findThreatIntelBySource,
+  findWhitelistedObservables: () => findWhitelistedObservables,
+  generateCheckKey: () => generateCheckKey,
+  generateContainerKey: () => generateContainerKey,
+  generateEnrichmentKey: () => generateEnrichmentKey,
+  generateObservableKey: () => generateObservableKey,
+  generateThreatIntelKey: () => generateThreatIntelKey,
+  getAllChecks: () => getAllChecks,
+  getAllContainers: () => getAllContainers,
+  getAllEnrichments: () => getAllEnrichments,
+  getAllObservableTypes: () => getAllObservableTypes,
+  getAllObservables: () => getAllObservables,
+  getAllRelationshipTypes: () => getAllRelationshipTypes,
+  getAllScopes: () => getAllScopes,
+  getAllThreatIntelSources: () => getAllThreatIntelSources,
+  getAllThreatIntels: () => getAllThreatIntels,
+  getCheck: () => getCheck,
+  getCheckByIdScope: () => getCheckByIdScope,
+  getChecksForContainer: () => getChecksForContainer,
+  getChecksForObservable: () => getChecksForObservable,
+  getColorForLevel: () => getColorForLevel,
+  getColorForScore: () => getColorForScore,
+  getContainer: () => getContainer,
+  getContainerByPath: () => getContainerByPath,
+  getCounts: () => getCounts,
+  getDataExtraction: () => getDataExtraction,
+  getEnrichment: () => getEnrichment,
+  getEnrichmentByName: () => getEnrichmentByName,
+  getEntityLevel: () => getEntityLevel,
+  getHighestScoringChecks: () => getHighestScoringChecks,
+  getHighestScoringObservables: () => getHighestScoringObservables,
+  getLevelFromScore: () => getLevelFromScore,
+  getMaliciousChecks: () => getMaliciousChecks,
+  getMaliciousObservables: () => getMaliciousObservables,
+  getObservable: () => getObservable,
+  getObservableByTypeValue: () => getObservableByTypeValue,
+  getObservableChildren: () => getObservableChildren,
+  getObservableGraph: () => getObservableGraph,
+  getObservableParents: () => getObservableParents,
+  getObservablesForCheck: () => getObservablesForCheck,
+  getReachableObservables: () => getReachableObservables,
+  getRelatedObservables: () => getRelatedObservables,
+  getRelatedObservablesByDirection: () => getRelatedObservablesByDirection,
+  getRelatedObservablesByType: () => getRelatedObservablesByType,
+  getRelationshipsForObservable: () => getRelationshipsForObservable,
+  getStartedAt: () => getStartedAt,
+  getStats: () => getStats,
+  getSuspiciousChecks: () => getSuspiciousChecks,
+  getSuspiciousObservables: () => getSuspiciousObservables,
+  getThreatIntel: () => getThreatIntel,
+  getThreatIntelBySourceObservable: () => getThreatIntelBySourceObservable,
+  getThreatIntelsForObservable: () => getThreatIntelsForObservable,
+  getWhitelists: () => getWhitelists,
+  hasLevel: () => hasLevel,
+  isCyvest: () => isCyvest,
+  isLevelAtLeast: () => isLevelAtLeast,
+  isLevelHigherThan: () => isLevelHigherThan,
+  isLevelLowerThan: () => isLevelLowerThan,
+  isValidLevel: () => isValidLevel,
+  maxLevel: () => maxLevel,
+  minLevel: () => minLevel,
+  normalizeLevel: () => normalizeLevel,
+  parseCheckKey: () => parseCheckKey,
+  parseCyvest: () => parseCyvest,
+  parseKeyType: () => parseKeyType,
+  parseObservableKey: () => parseObservableKey,
+  parseThreatIntelKey: () => parseThreatIntelKey,
+  sortChecksByLevel: () => sortChecksByLevel,
+  sortChecksByScore: () => sortChecksByScore,
+  sortObservablesByLevel: () => sortObservablesByLevel,
+  sortObservablesByScore: () => sortObservablesByScore,
+  validateKey: () => validateKey
+});
+module.exports = __toCommonJS(index_exports);
+
 // src/helpers.ts
-import Ajv2020 from "ajv/dist/2020";
-import addFormats from "ajv-formats";
+var import__ = __toESM(require("ajv/dist/2020"), 1);
+var import_ajv_formats = __toESM(require("ajv-formats"), 1);
 
 // ../../../schema/cyvest.schema.json
 var cyvest_schema_default = {
@@ -707,12 +841,6 @@ var cyvest_schema_default = {
       description: "Optional human-readable investigation name.",
       title: "Investigation Name"
     },
-    started_at: {
-      description: "Investigation start time (UTC).",
-      format: "date-time",
-      title: "Started At",
-      type: "string"
-    },
     score: {
       description: "Global investigation score.",
       title: "Score",
@@ -735,13 +863,20 @@ var cyvest_schema_default = {
       title: "Whitelists",
       type: "array"
     },
-    event_log: {
-      description: "Append-only investigation audit log.",
-      items: {
-        $ref: "#/$defs/AuditEvent"
-      },
-      title: "Event Log",
-      type: "array"
+    audit_log: {
+      anyOf: [
+        {
+          items: {
+            $ref: "#/$defs/AuditEvent"
+          },
+          type: "array"
+        },
+        {
+          type: "null"
+        }
+      ],
+      description: "Append-only investigation audit log. Null when serialization disabled audit.",
+      title: "Audit Log"
     },
     observables: {
       additionalProperties: {
@@ -803,7 +938,6 @@ var cyvest_schema_default = {
   },
   required: [
     "investigation_id",
-    "started_at",
     "score",
     "level",
     "whitelisted",
@@ -822,8 +956,8 @@ var cyvest_schema_default = {
 };
 
 // src/helpers.ts
-var ajv = new Ajv2020({ allErrors: true });
-addFormats(ajv);
+var ajv = new import__.default({ allErrors: true });
+(0, import_ajv_formats.default)(ajv);
 var validateFn = null;
 function getValidator() {
   if (!validateFn) {
@@ -1199,6 +1333,12 @@ function getCounts(inv) {
     whitelists: inv.whitelists.length
   };
 }
+function getStartedAt(inv) {
+  const event = inv.audit_log?.find(
+    (e) => e.event_type === "INVESTIGATION_STARTED"
+  );
+  return event?.timestamp;
+}
 
 // src/finders.ts
 function findObservablesByType(inv, type) {
@@ -1735,7 +1875,8 @@ function getRelationshipsForObservable(inv, observableKey) {
     ]
   };
 }
-export {
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
   LEVEL_COLORS,
   LEVEL_ORDER,
   LEVEL_VALUES,
@@ -1808,6 +1949,7 @@ export {
   getRelatedObservablesByDirection,
   getRelatedObservablesByType,
   getRelationshipsForObservable,
+  getStartedAt,
   getStats,
   getSuspiciousChecks,
   getSuspiciousObservables,
@@ -1834,4 +1976,4 @@ export {
   sortObservablesByLevel,
   sortObservablesByScore,
   validateKey
-};
+});

package/dist/{index.d.mts → index.d.cts}

@@ -13,15 +13,15 @@ type Justification = string | null;
  * List of whitelist entries applied to this investigation.
  */
 type Whitelists = InvestigationWhitelist[];
+/**
+ * Append-only investigation audit log. Null when serialization disabled audit.
+ */
+type AuditLog = AuditEvent[] | null;
 type Actor = string | null;
 type Reason = string | null;
 type Tool = string | null;
 type ObjectType = string | null;
 type ObjectKey = string | null;
-/**
- * Append-only investigation audit log.
- */
-type EventLog = AuditEvent[];
 type ThreatIntels = string[];
 /**
  * Direction of a relationship between observables.
@@ -63,10 +63,6 @@ interface CyvestInvestigation {
      */
     investigation_id: string;
     investigation_name?: InvestigationName;
-    /**
-     * Investigation start time (UTC).
-     */
-    started_at: string;
     /**
      * Global investigation score.
      */
@@ -77,7 +73,7 @@ interface CyvestInvestigation {
      */
     whitelisted: boolean;
     whitelists: Whitelists;
-    event_log?: EventLog;
+    audit_log?: AuditLog;
     observables: Observables;
     checks: Checks;
     threat_intels: ThreatIntels1;
@@ -842,6 +838,23 @@ interface InvestigationCounts {
  * @returns Object with counts for each entity type
  */
 declare function getCounts(inv: CyvestInvestigation): InvestigationCounts;
+/**
+ * Get the investigation start time from the event log.
+ *
+ * Looks for the INVESTIGATION_STARTED event and returns its timestamp.
+ *
+ * @param inv - The investigation
+ * @returns The start timestamp string or undefined if not found
+ *
+ * @example
+ * ```ts
+ * const startedAt = getStartedAt(investigation);
+ * if (startedAt) {
+ *   console.log(`Started: ${startedAt}`);
+ * }
+ * ```
+ */
+declare function getStartedAt(inv: CyvestInvestigation): string | undefined;
 
 /**
  * Finder utilities for querying and filtering Cyvest Investigation data.
@@ -1355,4 +1368,4 @@ declare function getRelationshipsForObservable(inv: CyvestInvestigation, observa
     }>;
 };
 
-export { type Actor, type AuditEvent, type Check, type CheckLinks, type Checks, type Checks1, type ChecksByLevel, type ChecksByScope, type Container, type Containers, type CyvestInvestigation, type Data, type DataExtractionSchema, type Details, type Enrichment, type Enrichments, type EventLog, type Extra, type Extra1, type Extra2, type GraphEdge, type GraphNode, type InvestigationCounts, type InvestigationGraph, type InvestigationName, type InvestigationWhitelist, type Justification, type KeyType, LEVEL_COLORS, LEVEL_ORDER, LEVEL_VALUES, type Level, type ObjectKey, type ObjectType, type Observable, type ObservableLink, type ObservableLinks, type Observables, type ObservablesByLevel, type ObservablesByType, type ObservablesByTypeAndLevel, type PropagationMode, type Reason, type Relationship, type RelationshipDirection, type Relationships, type RootType, type ScoreMode, type StatisticsSchema, type SubContainers, type Taxonomies, type Taxonomy, type ThreatIntel, type ThreatIntelByLevel, type ThreatIntelBySource, type ThreatIntels, type ThreatIntels1, type Tool, type Whitelists, areConnected, compareLevels, countRelationshipsByType, findChecksAtLeast, findChecksByCheckId, findChecksByLevel, findChecksByScope, findContainersAtLeast, findContainersByLevel, findExternalObservables, findInternalObservables, findLeafObservables, findObservablesAtLeast, findObservablesByLevel, findObservablesByType, findObservablesByValue, findObservablesContaining, findObservablesMatching, findObservablesWithThreatIntel, findOrphanObservables, findPath, findRootObservables, findThreatIntelAtLeast, findThreatIntelByLevel, findThreatIntelBySource, findWhitelistedObservables, generateCheckKey, generateContainerKey, generateEnrichmentKey, generateObservableKey, generateThreatIntelKey, getAllChecks, getAllContainers, getAllEnrichments, getAllObservableTypes, getAllObservables, getAllRelationshipTypes, getAllScopes, getAllThreatIntelSources, getAllThreatIntels, getCheck, getCheckByIdScope, getChecksForContainer, getChecksForObservable, getColorForLevel, getColorForScore, getContainer, getContainerByPath, getCounts, getDataExtraction, getEnrichment, getEnrichmentByName, getEntityLevel, getHighestScoringChecks, getHighestScoringObservables, getLevelFromScore, getMaliciousChecks, getMaliciousObservables, getObservable, getObservableByTypeValue, getObservableChildren, getObservableGraph, getObservableParents, getObservablesForCheck, getReachableObservables, getRelatedObservables, getRelatedObservablesByDirection, getRelatedObservablesByType, getRelationshipsForObservable, getStats, getSuspiciousChecks, getSuspiciousObservables, getThreatIntel, getThreatIntelBySourceObservable, getThreatIntelsForObservable, getWhitelists, hasLevel, isCyvest, isLevelAtLeast, isLevelHigherThan, isLevelLowerThan, isValidLevel, maxLevel, minLevel, normalizeLevel, parseCheckKey, parseCyvest, parseKeyType, parseObservableKey, parseThreatIntelKey, sortChecksByLevel, sortChecksByScore, sortObservablesByLevel, sortObservablesByScore, validateKey };
+export { type Actor, type AuditEvent, type AuditLog, type Check, type CheckLinks, type Checks, type Checks1, type ChecksByLevel, type ChecksByScope, type Container, type Containers, type CyvestInvestigation, type Data, type DataExtractionSchema, type Details, type Enrichment, type Enrichments, type Extra, type Extra1, type Extra2, type GraphEdge, type GraphNode, type InvestigationCounts, type InvestigationGraph, type InvestigationName, type InvestigationWhitelist, type Justification, type KeyType, LEVEL_COLORS, LEVEL_ORDER, LEVEL_VALUES, type Level, type ObjectKey, type ObjectType, type Observable, type ObservableLink, type ObservableLinks, type Observables, type ObservablesByLevel, type ObservablesByType, type ObservablesByTypeAndLevel, type PropagationMode, type Reason, type Relationship, type RelationshipDirection, type Relationships, type RootType, type ScoreMode, type StatisticsSchema, type SubContainers, type Taxonomies, type Taxonomy, type ThreatIntel, type ThreatIntelByLevel, type ThreatIntelBySource, type ThreatIntels, type ThreatIntels1, type Tool, type Whitelists, areConnected, compareLevels, countRelationshipsByType, findChecksAtLeast, findChecksByCheckId, findChecksByLevel, findChecksByScope, findContainersAtLeast, findContainersByLevel, findExternalObservables, findInternalObservables, findLeafObservables, findObservablesAtLeast, findObservablesByLevel, findObservablesByType, findObservablesByValue, findObservablesContaining, findObservablesMatching, findObservablesWithThreatIntel, findOrphanObservables, findPath, findRootObservables, findThreatIntelAtLeast, findThreatIntelByLevel, findThreatIntelBySource, findWhitelistedObservables, generateCheckKey, generateContainerKey, generateEnrichmentKey, generateObservableKey, generateThreatIntelKey, getAllChecks, getAllContainers, getAllEnrichments, getAllObservableTypes, getAllObservables, getAllRelationshipTypes, getAllScopes, getAllThreatIntelSources, getAllThreatIntels, getCheck, getCheckByIdScope, getChecksForContainer, getChecksForObservable, getColorForLevel, getColorForScore, getContainer, getContainerByPath, getCounts, getDataExtraction, getEnrichment, getEnrichmentByName, getEntityLevel, getHighestScoringChecks, getHighestScoringObservables, getLevelFromScore, getMaliciousChecks, getMaliciousObservables, getObservable, getObservableByTypeValue, getObservableChildren, getObservableGraph, getObservableParents, getObservablesForCheck, getReachableObservables, getRelatedObservables, getRelatedObservablesByDirection, getRelatedObservablesByType, getRelationshipsForObservable, getStartedAt, getStats, getSuspiciousChecks, getSuspiciousObservables, getThreatIntel, getThreatIntelBySourceObservable, getThreatIntelsForObservable, getWhitelists, hasLevel, isCyvest, isLevelAtLeast, isLevelHigherThan, isLevelLowerThan, isValidLevel, maxLevel, minLevel, normalizeLevel, parseCheckKey, parseCyvest, parseKeyType, parseObservableKey, parseThreatIntelKey, sortChecksByLevel, sortChecksByScore, sortObservablesByLevel, sortObservablesByScore, validateKey };

package/dist/index.d.ts

@@ -13,15 +13,15 @@ type Justification = string | null;
  * List of whitelist entries applied to this investigation.
  */
 type Whitelists = InvestigationWhitelist[];
+/**
+ * Append-only investigation audit log. Null when serialization disabled audit.
+ */
+type AuditLog = AuditEvent[] | null;
 type Actor = string | null;
 type Reason = string | null;
 type Tool = string | null;
 type ObjectType = string | null;
 type ObjectKey = string | null;
-/**
- * Append-only investigation audit log.
- */
-type EventLog = AuditEvent[];
 type ThreatIntels = string[];
 /**
  * Direction of a relationship between observables.
@@ -63,10 +63,6 @@ interface CyvestInvestigation {
      */
     investigation_id: string;
     investigation_name?: InvestigationName;
-    /**
-     * Investigation start time (UTC).
-     */
-    started_at: string;
     /**
      * Global investigation score.
      */
@@ -77,7 +73,7 @@ interface CyvestInvestigation {
      */
     whitelisted: boolean;
     whitelists: Whitelists;
-    event_log?: EventLog;
+    audit_log?: AuditLog;
     observables: Observables;
     checks: Checks;
     threat_intels: ThreatIntels1;
@@ -842,6 +838,23 @@ interface InvestigationCounts {
  * @returns Object with counts for each entity type
  */
 declare function getCounts(inv: CyvestInvestigation): InvestigationCounts;
+/**
+ * Get the investigation start time from the event log.
+ *
+ * Looks for the INVESTIGATION_STARTED event and returns its timestamp.
+ *
+ * @param inv - The investigation
+ * @returns The start timestamp string or undefined if not found
+ *
+ * @example
+ * ```ts
+ * const startedAt = getStartedAt(investigation);
+ * if (startedAt) {
+ *   console.log(`Started: ${startedAt}`);
+ * }
+ * ```
+ */
+declare function getStartedAt(inv: CyvestInvestigation): string | undefined;
 
 /**
  * Finder utilities for querying and filtering Cyvest Investigation data.
@@ -1355,4 +1368,4 @@ declare function getRelationshipsForObservable(inv: CyvestInvestigation, observa
     }>;
 };
 
-export { type Actor, type AuditEvent, type Check, type CheckLinks, type Checks, type Checks1, type ChecksByLevel, type ChecksByScope, type Container, type Containers, type CyvestInvestigation, type Data, type DataExtractionSchema, type Details, type Enrichment, type Enrichments, type EventLog, type Extra, type Extra1, type Extra2, type GraphEdge, type GraphNode, type InvestigationCounts, type InvestigationGraph, type InvestigationName, type InvestigationWhitelist, type Justification, type KeyType, LEVEL_COLORS, LEVEL_ORDER, LEVEL_VALUES, type Level, type ObjectKey, type ObjectType, type Observable, type ObservableLink, type ObservableLinks, type Observables, type ObservablesByLevel, type ObservablesByType, type ObservablesByTypeAndLevel, type PropagationMode, type Reason, type Relationship, type RelationshipDirection, type Relationships, type RootType, type ScoreMode, type StatisticsSchema, type SubContainers, type Taxonomies, type Taxonomy, type ThreatIntel, type ThreatIntelByLevel, type ThreatIntelBySource, type ThreatIntels, type ThreatIntels1, type Tool, type Whitelists, areConnected, compareLevels, countRelationshipsByType, findChecksAtLeast, findChecksByCheckId, findChecksByLevel, findChecksByScope, findContainersAtLeast, findContainersByLevel, findExternalObservables, findInternalObservables, findLeafObservables, findObservablesAtLeast, findObservablesByLevel, findObservablesByType, findObservablesByValue, findObservablesContaining, findObservablesMatching, findObservablesWithThreatIntel, findOrphanObservables, findPath, findRootObservables, findThreatIntelAtLeast, findThreatIntelByLevel, findThreatIntelBySource, findWhitelistedObservables, generateCheckKey, generateContainerKey, generateEnrichmentKey, generateObservableKey, generateThreatIntelKey, getAllChecks, getAllContainers, getAllEnrichments, getAllObservableTypes, getAllObservables, getAllRelationshipTypes, getAllScopes, getAllThreatIntelSources, getAllThreatIntels, getCheck, getCheckByIdScope, getChecksForContainer, getChecksForObservable, getColorForLevel, getColorForScore, getContainer, getContainerByPath, getCounts, getDataExtraction, getEnrichment, getEnrichmentByName, getEntityLevel, getHighestScoringChecks, getHighestScoringObservables, getLevelFromScore, getMaliciousChecks, getMaliciousObservables, getObservable, getObservableByTypeValue, getObservableChildren, getObservableGraph, getObservableParents, getObservablesForCheck, getReachableObservables, getRelatedObservables, getRelatedObservablesByDirection, getRelatedObservablesByType, getRelationshipsForObservable, getStats, getSuspiciousChecks, getSuspiciousObservables, getThreatIntel, getThreatIntelBySourceObservable, getThreatIntelsForObservable, getWhitelists, hasLevel, isCyvest, isLevelAtLeast, isLevelHigherThan, isLevelLowerThan, isValidLevel, maxLevel, minLevel, normalizeLevel, parseCheckKey, parseCyvest, parseKeyType, parseObservableKey, parseThreatIntelKey, sortChecksByLevel, sortChecksByScore, sortObservablesByLevel, sortObservablesByScore, validateKey };
+export { type Actor, type AuditEvent, type AuditLog, type Check, type CheckLinks, type Checks, type Checks1, type ChecksByLevel, type ChecksByScope, type Container, type Containers, type CyvestInvestigation, type Data, type DataExtractionSchema, type Details, type Enrichment, type Enrichments, type Extra, type Extra1, type Extra2, type GraphEdge, type GraphNode, type InvestigationCounts, type InvestigationGraph, type InvestigationName, type InvestigationWhitelist, type Justification, type KeyType, LEVEL_COLORS, LEVEL_ORDER, LEVEL_VALUES, type Level, type ObjectKey, type ObjectType, type Observable, type ObservableLink, type ObservableLinks, type Observables, type ObservablesByLevel, type ObservablesByType, type ObservablesByTypeAndLevel, type PropagationMode, type Reason, type Relationship, type RelationshipDirection, type Relationships, type RootType, type ScoreMode, type StatisticsSchema, type SubContainers, type Taxonomies, type Taxonomy, type ThreatIntel, type ThreatIntelByLevel, type ThreatIntelBySource, type ThreatIntels, type ThreatIntels1, type Tool, type Whitelists, areConnected, compareLevels, countRelationshipsByType, findChecksAtLeast, findChecksByCheckId, findChecksByLevel, findChecksByScope, findContainersAtLeast, findContainersByLevel, findExternalObservables, findInternalObservables, findLeafObservables, findObservablesAtLeast, findObservablesByLevel, findObservablesByType, findObservablesByValue, findObservablesContaining, findObservablesMatching, findObservablesWithThreatIntel, findOrphanObservables, findPath, findRootObservables, findThreatIntelAtLeast, findThreatIntelByLevel, findThreatIntelBySource, findWhitelistedObservables, generateCheckKey, generateContainerKey, generateEnrichmentKey, generateObservableKey, generateThreatIntelKey, getAllChecks, getAllContainers, getAllEnrichments, getAllObservableTypes, getAllObservables, getAllRelationshipTypes, getAllScopes, getAllThreatIntelSources, getAllThreatIntels, getCheck, getCheckByIdScope, getChecksForContainer, getChecksForObservable, getColorForLevel, getColorForScore, getContainer, getContainerByPath, getCounts, getDataExtraction, getEnrichment, getEnrichmentByName, getEntityLevel, getHighestScoringChecks, getHighestScoringObservables, getLevelFromScore, getMaliciousChecks, getMaliciousObservables, getObservable, getObservableByTypeValue, getObservableChildren, getObservableGraph, getObservableParents, getObservablesForCheck, getReachableObservables, getRelatedObservables, getRelatedObservablesByDirection, getRelatedObservablesByType, getRelationshipsForObservable, getStartedAt, getStats, getSuspiciousChecks, getSuspiciousObservables, getThreatIntel, getThreatIntelBySourceObservable, getThreatIntelsForObservable, getWhitelists, hasLevel, isCyvest, isLevelAtLeast, isLevelHigherThan, isLevelLowerThan, isValidLevel, maxLevel, minLevel, normalizeLevel, parseCheckKey, parseCyvest, parseKeyType, parseObservableKey, parseThreatIntelKey, sortChecksByLevel, sortChecksByScore, sortObservablesByLevel, sortObservablesByScore, validateKey };

package/dist/index.js

@@ -1,139 +1,6 @@
-"use strict";
-var __create = Object.create;
-var __defProp = Object.defineProperty;
-var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
-var __getOwnPropNames = Object.getOwnPropertyNames;
-var __getProtoOf = Object.getPrototypeOf;
-var __hasOwnProp = Object.prototype.hasOwnProperty;
-var __export = (target, all) => {
-  for (var name in all)
-    __defProp(target, name, { get: all[name], enumerable: true });
-};
-var __copyProps = (to, from, except, desc) => {
-  if (from && typeof from === "object" || typeof from === "function") {
-    for (let key of __getOwnPropNames(from))
-      if (!__hasOwnProp.call(to, key) && key !== except)
-        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
-  }
-  return to;
-};
-var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
-  // If the importer is in node compatibility mode or this is not an ESM
-  // file that has been converted to a CommonJS file using a Babel-
-  // compatible transform (i.e. "__esModule" has not been set), then set
-  // "default" to the CommonJS "module.exports" for node compatibility.
-  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
-  mod
-));
-var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
-
-// src/index.ts
-var index_exports = {};
-__export(index_exports, {
-  LEVEL_COLORS: () => LEVEL_COLORS,
-  LEVEL_ORDER: () => LEVEL_ORDER,
-  LEVEL_VALUES: () => LEVEL_VALUES,
-  areConnected: () => areConnected,
-  compareLevels: () => compareLevels,
-  countRelationshipsByType: () => countRelationshipsByType,
-  findChecksAtLeast: () => findChecksAtLeast,
-  findChecksByCheckId: () => findChecksByCheckId,
-  findChecksByLevel: () => findChecksByLevel,
-  findChecksByScope: () => findChecksByScope,
-  findContainersAtLeast: () => findContainersAtLeast,
-  findContainersByLevel: () => findContainersByLevel,
-  findExternalObservables: () => findExternalObservables,
-  findInternalObservables: () => findInternalObservables,
-  findLeafObservables: () => findLeafObservables,
-  findObservablesAtLeast: () => findObservablesAtLeast,
-  findObservablesByLevel: () => findObservablesByLevel,
-  findObservablesByType: () => findObservablesByType,
-  findObservablesByValue: () => findObservablesByValue,
-  findObservablesContaining: () => findObservablesContaining,
-  findObservablesMatching: () => findObservablesMatching,
-  findObservablesWithThreatIntel: () => findObservablesWithThreatIntel,
-  findOrphanObservables: () => findOrphanObservables,
-  findPath: () => findPath,
-  findRootObservables: () => findRootObservables,
-  findThreatIntelAtLeast: () => findThreatIntelAtLeast,
-  findThreatIntelByLevel: () => findThreatIntelByLevel,
-  findThreatIntelBySource: () => findThreatIntelBySource,
-  findWhitelistedObservables: () => findWhitelistedObservables,
-  generateCheckKey: () => generateCheckKey,
-  generateContainerKey: () => generateContainerKey,
-  generateEnrichmentKey: () => generateEnrichmentKey,
-  generateObservableKey: () => generateObservableKey,
-  generateThreatIntelKey: () => generateThreatIntelKey,
-  getAllChecks: () => getAllChecks,
-  getAllContainers: () => getAllContainers,
-  getAllEnrichments: () => getAllEnrichments,
-  getAllObservableTypes: () => getAllObservableTypes,
-  getAllObservables: () => getAllObservables,
-  getAllRelationshipTypes: () => getAllRelationshipTypes,
-  getAllScopes: () => getAllScopes,
-  getAllThreatIntelSources: () => getAllThreatIntelSources,
-  getAllThreatIntels: () => getAllThreatIntels,
-  getCheck: () => getCheck,
-  getCheckByIdScope: () => getCheckByIdScope,
-  getChecksForContainer: () => getChecksForContainer,
-  getChecksForObservable: () => getChecksForObservable,
-  getColorForLevel: () => getColorForLevel,
-  getColorForScore: () => getColorForScore,
-  getContainer: () => getContainer,
-  getContainerByPath: () => getContainerByPath,
-  getCounts: () => getCounts,
-  getDataExtraction: () => getDataExtraction,
-  getEnrichment: () => getEnrichment,
-  getEnrichmentByName: () => getEnrichmentByName,
-  getEntityLevel: () => getEntityLevel,
-  getHighestScoringChecks: () => getHighestScoringChecks,
-  getHighestScoringObservables: () => getHighestScoringObservables,
-  getLevelFromScore: () => getLevelFromScore,
-  getMaliciousChecks: () => getMaliciousChecks,
-  getMaliciousObservables: () => getMaliciousObservables,
-  getObservable: () => getObservable,
-  getObservableByTypeValue: () => getObservableByTypeValue,
-  getObservableChildren: () => getObservableChildren,
-  getObservableGraph: () => getObservableGraph,
-  getObservableParents: () => getObservableParents,
-  getObservablesForCheck: () => getObservablesForCheck,
-  getReachableObservables: () => getReachableObservables,
-  getRelatedObservables: () => getRelatedObservables,
-  getRelatedObservablesByDirection: () => getRelatedObservablesByDirection,
-  getRelatedObservablesByType: () => getRelatedObservablesByType,
-  getRelationshipsForObservable: () => getRelationshipsForObservable,
-  getStats: () => getStats,
-  getSuspiciousChecks: () => getSuspiciousChecks,
-  getSuspiciousObservables: () => getSuspiciousObservables,
-  getThreatIntel: () => getThreatIntel,
-  getThreatIntelBySourceObservable: () => getThreatIntelBySourceObservable,
-  getThreatIntelsForObservable: () => getThreatIntelsForObservable,
-  getWhitelists: () => getWhitelists,
-  hasLevel: () => hasLevel,
-  isCyvest: () => isCyvest,
-  isLevelAtLeast: () => isLevelAtLeast,
-  isLevelHigherThan: () => isLevelHigherThan,
-  isLevelLowerThan: () => isLevelLowerThan,
-  isValidLevel: () => isValidLevel,
-  maxLevel: () => maxLevel,
-  minLevel: () => minLevel,
-  normalizeLevel: () => normalizeLevel,
-  parseCheckKey: () => parseCheckKey,
-  parseCyvest: () => parseCyvest,
-  parseKeyType: () => parseKeyType,
-  parseObservableKey: () => parseObservableKey,
-  parseThreatIntelKey: () => parseThreatIntelKey,
-  sortChecksByLevel: () => sortChecksByLevel,
-  sortChecksByScore: () => sortChecksByScore,
-  sortObservablesByLevel: () => sortObservablesByLevel,
-  sortObservablesByScore: () => sortObservablesByScore,
-  validateKey: () => validateKey
-});
-module.exports = __toCommonJS(index_exports);
-
 // src/helpers.ts
-var import__ = __toESM(require("ajv/dist/2020"));
-var import_ajv_formats = __toESM(require("ajv-formats"));
+import Ajv2020 from "ajv/dist/2020";
+import addFormats from "ajv-formats";
 
 // ../../../schema/cyvest.schema.json
 var cyvest_schema_default = {
@@ -840,12 +707,6 @@ var cyvest_schema_default = {
       description: "Optional human-readable investigation name.",
       title: "Investigation Name"
     },
-    started_at: {
-      description: "Investigation start time (UTC).",
-      format: "date-time",
-      title: "Started At",
-      type: "string"
-    },
     score: {
       description: "Global investigation score.",
       title: "Score",
@@ -868,13 +729,20 @@ var cyvest_schema_default = {
       title: "Whitelists",
       type: "array"
     },
-    event_log: {
-      description: "Append-only investigation audit log.",
-      items: {
-        $ref: "#/$defs/AuditEvent"
-      },
-      title: "Event Log",
-      type: "array"
+    audit_log: {
+      anyOf: [
+        {
+          items: {
+            $ref: "#/$defs/AuditEvent"
+          },
+          type: "array"
+        },
+        {
+          type: "null"
+        }
+      ],
+      description: "Append-only investigation audit log. Null when serialization disabled audit.",
+      title: "Audit Log"
     },
     observables: {
       additionalProperties: {
@@ -936,7 +804,6 @@ var cyvest_schema_default = {
   },
   required: [
     "investigation_id",
-    "started_at",
     "score",
     "level",
     "whitelisted",
@@ -955,8 +822,8 @@ var cyvest_schema_default = {
 };
 
 // src/helpers.ts
-var ajv = new import__.default({ allErrors: true });
-(0, import_ajv_formats.default)(ajv);
+var ajv = new Ajv2020({ allErrors: true });
+addFormats(ajv);
 var validateFn = null;
 function getValidator() {
   if (!validateFn) {
@@ -1332,6 +1199,12 @@ function getCounts(inv) {
     whitelists: inv.whitelists.length
   };
 }
+function getStartedAt(inv) {
+  const event = inv.audit_log?.find(
+    (e) => e.event_type === "INVESTIGATION_STARTED"
+  );
+  return event?.timestamp;
+}
 
 // src/finders.ts
 function findObservablesByType(inv, type) {
@@ -1868,8 +1741,7 @@ function getRelationshipsForObservable(inv, observableKey) {
     ]
   };
 }
-// Annotate the CommonJS export names for ESM import in node:
-0 && (module.exports = {
+export {
   LEVEL_COLORS,
   LEVEL_ORDER,
   LEVEL_VALUES,
@@ -1942,6 +1814,7 @@ function getRelationshipsForObservable(inv, observableKey) {
   getRelatedObservablesByDirection,
   getRelatedObservablesByType,
   getRelationshipsForObservable,
+  getStartedAt,
   getStats,
   getSuspiciousChecks,
   getSuspiciousObservables,
@@ -1968,4 +1841,4 @@ function getRelationshipsForObservable(inv, observableKey) {
   sortObservablesByLevel,
   sortObservablesByScore,
   validateKey
-});
+};

package/package.json

@@ -1,9 +1,22 @@
 {
   "name": "@cyvest/cyvest-js",
-  "version": "4.3.0",
+  "version": "4.4.1",
+  "type": "module",
   "main": "dist/index.cjs",
-  "module": "dist/index.mjs",
+  "module": "dist/index.js",
   "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "import": {
+        "types": "./dist/index.d.ts",
+        "default": "./dist/index.js"
+      },
+      "require": {
+        "types": "./dist/index.d.cts",
+        "default": "./dist/index.cjs"
+      }
+    }
+  },
   "sideEffects": false,
   "dependencies": {
     "ajv": "^8.17.1",

package/src/getters.ts

@@ -397,3 +397,26 @@ export function getCounts(inv: CyvestInvestigation): InvestigationCounts {
     whitelists: inv.whitelists.length,
   };
 }
+
+/**
+ * Get the investigation start time from the event log.
+ *
+ * Looks for the INVESTIGATION_STARTED event and returns its timestamp.
+ *
+ * @param inv - The investigation
+ * @returns The start timestamp string or undefined if not found
+ *
+ * @example
+ * ```ts
+ * const startedAt = getStartedAt(investigation);
+ * if (startedAt) {
+ *   console.log(`Started: ${startedAt}`);
+ * }
+ * ```
+ */
+export function getStartedAt(inv: CyvestInvestigation): string | undefined {
+  const event = inv.audit_log?.find(
+    (e) => e.event_type === "INVESTIGATION_STARTED"
+  );
+  return event?.timestamp;
+}

package/src/types.generated.ts

@@ -15,15 +15,15 @@ export type Justification = string | null;
  * List of whitelist entries applied to this investigation.
  */
 export type Whitelists = InvestigationWhitelist[];
+/**
+ * Append-only investigation audit log. Null when serialization disabled audit.
+ */
+export type AuditLog = AuditEvent[] | null;
 export type Actor = string | null;
 export type Reason = string | null;
 export type Tool = string | null;
 export type ObjectType = string | null;
 export type ObjectKey = string | null;
-/**
- * Append-only investigation audit log.
- */
-export type EventLog = AuditEvent[];
 export type ThreatIntels = string[];
 /**
  * Direction of a relationship between observables.
@@ -66,10 +66,6 @@ export interface CyvestInvestigation {
    */
   investigation_id: string;
   investigation_name?: InvestigationName;
-  /**
-   * Investigation start time (UTC).
-   */
-  started_at: string;
   /**
    * Global investigation score.
    */
@@ -80,7 +76,7 @@ export interface CyvestInvestigation {
    */
   whitelisted: boolean;
   whitelists: Whitelists;
-  event_log?: EventLog;
+  audit_log?: AuditLog;
   observables: Observables;
   checks: Checks;
   threat_intels: ThreatIntels1;

package/tests/getters-finders.test.ts

@@ -18,6 +18,7 @@ import {
   getAllContainers,
   getAllObservables,
   getCounts,
+  getStartedAt,
   // Finders
   findObservablesByType,
   findObservablesByLevel,
@@ -43,11 +44,19 @@ function createTestInvestigation(): CyvestInvestigation {
   return {
     investigation_id: "01HXYZTESTINVESTIGATION",
     investigation_name: "Test Investigation",
-    started_at: "2024-01-01T00:00:00Z",
     score: 7.5,
     score_display: "7.50",
     level: "MALICIOUS",
     whitelisted: false,
+    audit_log: [
+      {
+        event_id: "01HXYZTESTEVENT001",
+        timestamp: "2024-01-01T00:00:00Z",
+        event_type: "INVESTIGATION_STARTED",
+        object_type: "investigation",
+        object_key: "01HXYZTESTINVESTIGATION",
+      },
+    ],
     whitelists: [
       {
         identifier: "wl-1",
@@ -340,6 +349,25 @@ describe("Getters", () => {
       expect(counts.whitelists).toBe(1);
     });
   });
+
+  describe("getStartedAt", () => {
+    it("returns timestamp from INVESTIGATION_STARTED event", () => {
+      const startedAt = getStartedAt(inv);
+      expect(startedAt).toBe("2024-01-01T00:00:00Z");
+    });
+
+    it("returns undefined when no audit_log", () => {
+      const invWithoutAuditLog = { ...inv, audit_log: undefined };
+      const startedAt = getStartedAt(invWithoutAuditLog);
+      expect(startedAt).toBeUndefined();
+    });
+
+    it("returns undefined when no INVESTIGATION_STARTED event", () => {
+      const invWithEmptyLog = { ...inv, audit_log: [] };
+      const startedAt = getStartedAt(invWithEmptyLog);
+      expect(startedAt).toBeUndefined();
+    });
+  });
 });
 
 describe("Finders", () => {

package/tests/graph.test.ts

@@ -22,11 +22,19 @@ function createGraphTestInvestigation(): CyvestInvestigation {
   return {
     investigation_id: "01HXYZGRAPHINVESTIGATION",
     investigation_name: "Graph Test Investigation",
-    started_at: "2024-01-01T00:00:00Z",
     score: 5,
     score_display: "5.00",
     level: "MALICIOUS",
     whitelisted: false,
+    audit_log: [
+      {
+        event_id: "01HXYZTESTEVENT001",
+        timestamp: "2024-01-01T00:00:00Z",
+        event_type: "INVESTIGATION_STARTED",
+        object_type: "investigation",
+        object_key: "01HXYZGRAPHINVESTIGATION",
+      },
+    ],
     whitelists: [],
     observables: {
       "obs:email-message:msg1": {