@cyvest/cyvest-js 4.4.0 → 5.0.0

package/dist/index.js

@@ -1,140 +1,6 @@
-"use strict";
-var __create = Object.create;
-var __defProp = Object.defineProperty;
-var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
-var __getOwnPropNames = Object.getOwnPropertyNames;
-var __getProtoOf = Object.getPrototypeOf;
-var __hasOwnProp = Object.prototype.hasOwnProperty;
-var __export = (target, all) => {
-  for (var name in all)
-    __defProp(target, name, { get: all[name], enumerable: true });
-};
-var __copyProps = (to, from, except, desc) => {
-  if (from && typeof from === "object" || typeof from === "function") {
-    for (let key of __getOwnPropNames(from))
-      if (!__hasOwnProp.call(to, key) && key !== except)
-        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
-  }
-  return to;
-};
-var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
-  // If the importer is in node compatibility mode or this is not an ESM
-  // file that has been converted to a CommonJS file using a Babel-
-  // compatible transform (i.e. "__esModule" has not been set), then set
-  // "default" to the CommonJS "module.exports" for node compatibility.
-  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
-  mod
-));
-var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
-
-// src/index.ts
-var index_exports = {};
-__export(index_exports, {
-  LEVEL_COLORS: () => LEVEL_COLORS,
-  LEVEL_ORDER: () => LEVEL_ORDER,
-  LEVEL_VALUES: () => LEVEL_VALUES,
-  areConnected: () => areConnected,
-  compareLevels: () => compareLevels,
-  countRelationshipsByType: () => countRelationshipsByType,
-  findChecksAtLeast: () => findChecksAtLeast,
-  findChecksByCheckId: () => findChecksByCheckId,
-  findChecksByLevel: () => findChecksByLevel,
-  findChecksByScope: () => findChecksByScope,
-  findContainersAtLeast: () => findContainersAtLeast,
-  findContainersByLevel: () => findContainersByLevel,
-  findExternalObservables: () => findExternalObservables,
-  findInternalObservables: () => findInternalObservables,
-  findLeafObservables: () => findLeafObservables,
-  findObservablesAtLeast: () => findObservablesAtLeast,
-  findObservablesByLevel: () => findObservablesByLevel,
-  findObservablesByType: () => findObservablesByType,
-  findObservablesByValue: () => findObservablesByValue,
-  findObservablesContaining: () => findObservablesContaining,
-  findObservablesMatching: () => findObservablesMatching,
-  findObservablesWithThreatIntel: () => findObservablesWithThreatIntel,
-  findOrphanObservables: () => findOrphanObservables,
-  findPath: () => findPath,
-  findRootObservables: () => findRootObservables,
-  findThreatIntelAtLeast: () => findThreatIntelAtLeast,
-  findThreatIntelByLevel: () => findThreatIntelByLevel,
-  findThreatIntelBySource: () => findThreatIntelBySource,
-  findWhitelistedObservables: () => findWhitelistedObservables,
-  generateCheckKey: () => generateCheckKey,
-  generateContainerKey: () => generateContainerKey,
-  generateEnrichmentKey: () => generateEnrichmentKey,
-  generateObservableKey: () => generateObservableKey,
-  generateThreatIntelKey: () => generateThreatIntelKey,
-  getAllChecks: () => getAllChecks,
-  getAllContainers: () => getAllContainers,
-  getAllEnrichments: () => getAllEnrichments,
-  getAllObservableTypes: () => getAllObservableTypes,
-  getAllObservables: () => getAllObservables,
-  getAllRelationshipTypes: () => getAllRelationshipTypes,
-  getAllScopes: () => getAllScopes,
-  getAllThreatIntelSources: () => getAllThreatIntelSources,
-  getAllThreatIntels: () => getAllThreatIntels,
-  getCheck: () => getCheck,
-  getCheckByIdScope: () => getCheckByIdScope,
-  getChecksForContainer: () => getChecksForContainer,
-  getChecksForObservable: () => getChecksForObservable,
-  getColorForLevel: () => getColorForLevel,
-  getColorForScore: () => getColorForScore,
-  getContainer: () => getContainer,
-  getContainerByPath: () => getContainerByPath,
-  getCounts: () => getCounts,
-  getDataExtraction: () => getDataExtraction,
-  getEnrichment: () => getEnrichment,
-  getEnrichmentByName: () => getEnrichmentByName,
-  getEntityLevel: () => getEntityLevel,
-  getHighestScoringChecks: () => getHighestScoringChecks,
-  getHighestScoringObservables: () => getHighestScoringObservables,
-  getLevelFromScore: () => getLevelFromScore,
-  getMaliciousChecks: () => getMaliciousChecks,
-  getMaliciousObservables: () => getMaliciousObservables,
-  getObservable: () => getObservable,
-  getObservableByTypeValue: () => getObservableByTypeValue,
-  getObservableChildren: () => getObservableChildren,
-  getObservableGraph: () => getObservableGraph,
-  getObservableParents: () => getObservableParents,
-  getObservablesForCheck: () => getObservablesForCheck,
-  getReachableObservables: () => getReachableObservables,
-  getRelatedObservables: () => getRelatedObservables,
-  getRelatedObservablesByDirection: () => getRelatedObservablesByDirection,
-  getRelatedObservablesByType: () => getRelatedObservablesByType,
-  getRelationshipsForObservable: () => getRelationshipsForObservable,
-  getStartedAt: () => getStartedAt,
-  getStats: () => getStats,
-  getSuspiciousChecks: () => getSuspiciousChecks,
-  getSuspiciousObservables: () => getSuspiciousObservables,
-  getThreatIntel: () => getThreatIntel,
-  getThreatIntelBySourceObservable: () => getThreatIntelBySourceObservable,
-  getThreatIntelsForObservable: () => getThreatIntelsForObservable,
-  getWhitelists: () => getWhitelists,
-  hasLevel: () => hasLevel,
-  isCyvest: () => isCyvest,
-  isLevelAtLeast: () => isLevelAtLeast,
-  isLevelHigherThan: () => isLevelHigherThan,
-  isLevelLowerThan: () => isLevelLowerThan,
-  isValidLevel: () => isValidLevel,
-  maxLevel: () => maxLevel,
-  minLevel: () => minLevel,
-  normalizeLevel: () => normalizeLevel,
-  parseCheckKey: () => parseCheckKey,
-  parseCyvest: () => parseCyvest,
-  parseKeyType: () => parseKeyType,
-  parseObservableKey: () => parseObservableKey,
-  parseThreatIntelKey: () => parseThreatIntelKey,
-  sortChecksByLevel: () => sortChecksByLevel,
-  sortChecksByScore: () => sortChecksByScore,
-  sortObservablesByLevel: () => sortObservablesByLevel,
-  sortObservablesByScore: () => sortObservablesByScore,
-  validateKey: () => validateKey
-});
-module.exports = __toCommonJS(index_exports);
-
 // src/helpers.ts
-var import__ = __toESM(require("ajv/dist/2020"));
-var import_ajv_formats = __toESM(require("ajv-formats"));
+import Ajv2020 from "ajv/dist/2020";
+import addFormats from "ajv-formats";
 
 // ../../../schema/cyvest.schema.json
 var cyvest_schema_default = {
@@ -233,12 +99,8 @@ var cyvest_schema_default = {
     Check: {
       description: "Represents a verification step in the investigation.\n\nA check validates a specific aspect of the data under investigation\nand contributes to the overall investigation score.",
       properties: {
-        check_id: {
-          title: "Check Id",
-          type: "string"
-        },
-        scope: {
-          title: "Scope",
+        check_name: {
+          title: "Check Name",
           type: "string"
         },
         description: {
@@ -283,8 +145,7 @@ var cyvest_schema_default = {
         }
       },
       required: [
-        "check_id",
-        "scope",
+        "check_name",
         "description",
         "comment",
         "extra",
@@ -298,59 +159,6 @@ var cyvest_schema_default = {
       title: "Check",
       type: "object"
     },
-    Container: {
-      additionalProperties: false,
-      description: "Groups checks and sub-containers for hierarchical organization.\n\nContainers allow structuring the investigation into logical sections\nwith aggregated scores and levels.",
-      properties: {
-        path: {
-          title: "Path",
-          type: "string"
-        },
-        description: {
-          default: "",
-          title: "Description",
-          type: "string"
-        },
-        checks: {
-          items: {
-            type: "string"
-          },
-          title: "Checks",
-          type: "array"
-        },
-        sub_containers: {
-          additionalProperties: {
-            $ref: "#/$defs/Container"
-          },
-          title: "Sub Containers",
-          type: "object"
-        },
-        key: {
-          title: "Key",
-          type: "string"
-        },
-        aggregated_score: {
-          readOnly: true,
-          title: "Aggregated Score",
-          type: "number"
-        },
-        aggregated_level: {
-          $ref: "#/$defs/Level",
-          description: "Calculate the aggregated level from the aggregated score.\n\nReturns:\n    Level based on aggregated score",
-          readOnly: true
-        }
-      },
-      required: [
-        "path",
-        "checks",
-        "sub_containers",
-        "key",
-        "aggregated_score",
-        "aggregated_level"
-      ],
-      title: "Container",
-      type: "object"
-    },
     DataExtractionSchema: {
       additionalProperties: false,
       description: "Schema for data extraction metadata.",
@@ -675,16 +483,6 @@ var cyvest_schema_default = {
           title: "Applied Checks",
           type: "integer"
         },
-        checks_by_scope: {
-          additionalProperties: {
-            items: {
-              type: "string"
-            },
-            type: "array"
-          },
-          title: "Checks By Scope",
-          type: "object"
-        },
         checks_by_level: {
           additionalProperties: {
             items: {
@@ -716,9 +514,9 @@ var cyvest_schema_default = {
           title: "Threat Intel By Level",
           type: "object"
         },
-        total_containers: {
+        total_tags: {
           minimum: 0,
-          title: "Total Containers",
+          title: "Total Tags",
           type: "integer"
         }
       },
@@ -730,11 +528,57 @@ var cyvest_schema_default = {
         "total_checks",
         "applied_checks",
         "total_threat_intel",
-        "total_containers"
+        "total_tags"
       ],
       title: "StatisticsSchema",
       type: "object"
     },
+    Tag: {
+      additionalProperties: false,
+      description: 'Groups checks for categorical organization.\n\nTags allow structuring the investigation into logical sections\nwith aggregated scores and levels. Hierarchy is automatic based on\nthe ":" delimiter in tag names (e.g., "header:auth:dkim").',
+      properties: {
+        name: {
+          title: "Name",
+          type: "string"
+        },
+        description: {
+          default: "",
+          title: "Description",
+          type: "string"
+        },
+        checks: {
+          items: {
+            type: "string"
+          },
+          title: "Checks",
+          type: "array"
+        },
+        key: {
+          title: "Key",
+          type: "string"
+        },
+        direct_score: {
+          description: "Calculate the score from direct checks only (no hierarchy).\n\nFor hierarchical aggregation (including descendant tags), use\nInvestigation.get_tag_aggregated_score() or TagProxy.get_aggregated_score().\n\nReturns:\n    Total score from direct checks",
+          readOnly: true,
+          title: "Direct Score",
+          type: "number"
+        },
+        direct_level: {
+          $ref: "#/$defs/Level",
+          description: "Calculate the level from direct checks only (no hierarchy).\n\nFor hierarchical aggregation (including descendant tags), use\nInvestigation.get_tag_aggregated_level() or TagProxy.get_aggregated_level().\n\nReturns:\n    Level based on direct score",
+          readOnly: true
+        }
+      },
+      required: [
+        "name",
+        "checks",
+        "key",
+        "direct_score",
+        "direct_level"
+      ],
+      title: "Tag",
+      type: "object"
+    },
     Taxonomy: {
       additionalProperties: false,
       description: "Represents a structured taxonomy entry for threat intelligence.",
@@ -888,12 +732,9 @@ var cyvest_schema_default = {
     },
     checks: {
       additionalProperties: {
-        items: {
-          $ref: "#/$defs/Check"
-        },
-        type: "array"
+        $ref: "#/$defs/Check"
       },
-      description: "Checks organized by scope.",
+      description: "Checks keyed by their unique key.",
       title: "Checks",
       type: "object"
     },
@@ -913,12 +754,12 @@ var cyvest_schema_default = {
       title: "Enrichments",
       type: "object"
     },
-    containers: {
+    tags: {
       additionalProperties: {
-        $ref: "#/$defs/Container"
+        $ref: "#/$defs/Tag"
       },
-      description: "Containers keyed by their unique key.",
-      title: "Containers",
+      description: "Tags keyed by their unique key.",
+      title: "Tags",
       type: "object"
     },
     stats: {
@@ -946,7 +787,7 @@ var cyvest_schema_default = {
     "checks",
     "threat_intels",
     "enrichments",
-    "containers",
+    "tags",
     "stats",
     "data_extraction",
     "score_display"
@@ -956,8 +797,8 @@ var cyvest_schema_default = {
 };
 
 // src/helpers.ts
-var ajv = new import__.default({ allErrors: true });
-(0, import_ajv_formats.default)(ajv);
+var ajv = new Ajv2020({ allErrors: true });
+addFormats(ajv);
 var validateFn = null;
 function getValidator() {
   if (!validateFn) {
@@ -996,10 +837,9 @@ function generateObservableKey(obsType, value) {
   const normalizedValue = normalizeValue(value);
   return `obs:${normalizedType}:${normalizedValue}`;
 }
-function generateCheckKey(checkId, scope) {
-  const normalizedId = normalizeValue(checkId);
-  const normalizedScope = normalizeValue(scope);
-  return `chk:${normalizedId}:${normalizedScope}`;
+function generateCheckKey(checkName) {
+  const normalizedName = normalizeValue(checkName);
+  return `chk:${normalizedName}`;
 }
 function generateThreatIntelKey(source, observableKey) {
   const normalizedSource = normalizeValue(source);
@@ -1013,15 +853,32 @@ function generateEnrichmentKey(name, context) {
   }
   return `enr:${normalizedName}`;
 }
-function generateContainerKey(path) {
-  let normalizedPath = path.replace(/\\/g, "/").replace(/^\/+|\/+$/g, "");
-  normalizedPath = normalizeValue(normalizedPath);
-  return `ctr:${normalizedPath}`;
+function generateTagKey(name) {
+  const normalizedName = normalizeValue(name);
+  return `tag:${normalizedName}`;
+}
+function getTagAncestors(name) {
+  const parts = name.split(":");
+  const ancestors = [];
+  for (let i = 0; i < parts.length - 1; i++) {
+    ancestors.push(parts.slice(0, i + 1).join(":"));
+  }
+  return ancestors;
+}
+function isTagChildOf(childName, parentName) {
+  if (!childName.startsWith(parentName + ":")) {
+    return false;
+  }
+  const remaining = childName.slice(parentName.length + 1);
+  return !remaining.includes(":");
+}
+function isTagDescendantOf(descendantName, ancestorName) {
+  return descendantName.startsWith(ancestorName + ":");
 }
 function parseKeyType(key) {
   if (key.includes(":")) {
     const prefix = key.split(":", 1)[0];
-    if (["obs", "chk", "ti", "enr", "ctr"].includes(prefix)) {
+    if (["obs", "chk", "ti", "enr", "tag"].includes(prefix)) {
       return prefix;
     }
   }
@@ -1059,10 +916,9 @@ function parseCheckKey(key) {
     return null;
   }
   const parts = key.split(":");
-  if (parts.length >= 3) {
+  if (parts.length >= 2) {
     return {
-      checkId: parts[1],
-      scope: parts.slice(2).join(":")
+      checkName: parts.slice(1).join(":")
     };
   }
   return null;
@@ -1179,10 +1035,10 @@ function hasLevel(obj) {
   return typeof obj === "object" && obj !== null && "level" in obj && typeof obj.level === "string" && isValidLevel(obj.level);
 }
 function getEntityLevel(entity) {
-  if ("aggregated_level" in entity) {
-    const aggregatedLevel = entity.aggregated_level;
-    if (typeof aggregatedLevel === "string" && isValidLevel(aggregatedLevel)) {
-      return aggregatedLevel;
+  if ("direct_level" in entity) {
+    const directLevel = entity.direct_level;
+    if (typeof directLevel === "string" && isValidLevel(directLevel)) {
+      return directLevel;
     }
   }
   if ("level" in entity && isValidLevel(entity.level)) {
@@ -1205,40 +1061,24 @@ function getObservableByTypeValue(inv, type, value) {
   }
   return void 0;
 }
-function getCheck(inv, key) {
-  for (const checks of Object.values(inv.checks)) {
-    for (const check of checks) {
-      if (check.key === key) {
-        return check;
-      }
-    }
+function getRootObservable(inv) {
+  const rootType = inv.data_extraction.root_type;
+  if (!rootType) {
+    return void 0;
   }
-  return void 0;
+  const rootKey = generateObservableKey(rootType, "root");
+  return inv.observables[rootKey];
 }
-function getCheckByIdScope(inv, checkId, scope) {
-  const normalizedId = checkId.trim().toLowerCase();
-  const normalizedScope = scope.trim().toLowerCase();
-  const scopeChecks = inv.checks[normalizedScope] || inv.checks[scope];
-  if (scopeChecks) {
-    return scopeChecks.find(
-      (c) => c.check_id.toLowerCase() === normalizedId
-    );
-  }
-  for (const checks of Object.values(inv.checks)) {
-    for (const check of checks) {
-      if (check.check_id.toLowerCase() === normalizedId && check.scope.toLowerCase() === normalizedScope) {
-        return check;
-      }
-    }
-  }
-  return void 0;
+function getCheck(inv, key) {
+  return inv.checks[key];
+}
+function getCheckByName(inv, checkName) {
+  const normalizedName = checkName.trim().toLowerCase();
+  const key = `chk:${normalizedName}`;
+  return inv.checks[key];
 }
 function getAllChecks(inv) {
-  const result = [];
-  for (const checks of Object.values(inv.checks)) {
-    result.push(...checks);
-  }
-  return result;
+  return Object.values(inv.checks);
 }
 function getThreatIntel(inv, key) {
   return inv.threat_intels[key];
@@ -1270,46 +1110,16 @@ function getEnrichmentByName(inv, name) {
 function getAllEnrichments(inv) {
   return Object.values(inv.enrichments);
 }
-function getContainer(inv, key) {
-  if (inv.containers[key]) {
-    return inv.containers[key];
-  }
-  function searchSubContainers(containers) {
-    for (const container of Object.values(containers)) {
-      if (container.key === key) {
-        return container;
-      }
-      const found = searchSubContainers(container.sub_containers);
-      if (found) return found;
-    }
-    return void 0;
-  }
-  return searchSubContainers(inv.containers);
-}
-function getContainerByPath(inv, path) {
-  const normalizedPath = path.replace(/\\/g, "/").replace(/^\/+|\/+$/g, "").toLowerCase();
-  function searchContainers(containers) {
-    for (const container of Object.values(containers)) {
-      if (container.path.toLowerCase() === normalizedPath) {
-        return container;
-      }
-      const found = searchContainers(container.sub_containers);
-      if (found) return found;
-    }
-    return void 0;
-  }
-  return searchContainers(inv.containers);
+function getTag(inv, key) {
+  return inv.tags[key];
 }
-function getAllContainers(inv) {
-  const result = [];
-  function collectContainers(containers) {
-    for (const container of Object.values(containers)) {
-      result.push(container);
-      collectContainers(container.sub_containers);
-    }
-  }
-  collectContainers(inv.containers);
-  return result;
+function getTagByName(inv, name) {
+  const normalizedName = name.trim().toLowerCase();
+  const key = `tag:${normalizedName}`;
+  return inv.tags[key];
+}
+function getAllTags(inv) {
+  return Object.values(inv.tags);
 }
 function getAllObservables(inv) {
   return Object.values(inv.observables);
@@ -1329,7 +1139,7 @@ function getCounts(inv) {
     checks: getAllChecks(inv).length,
     threatIntels: Object.keys(inv.threat_intels).length,
     enrichments: Object.keys(inv.enrichments).length,
-    containers: getAllContainers(inv).length,
+    tags: getAllTags(inv).length,
     whitelists: inv.whitelists.length
   };
 }
@@ -1339,6 +1149,28 @@ function getStartedAt(inv) {
   );
   return event?.timestamp;
 }
+function getTagChildren(inv, tagName) {
+  return Object.values(inv.tags).filter((tag) => isTagChildOf(tag.name, tagName));
+}
+function getTagDescendants(inv, tagName) {
+  const prefix = tagName + ":";
+  return Object.values(inv.tags).filter((tag) => tag.name.startsWith(prefix));
+}
+function getTagAggregatedScore(inv, tagName) {
+  const tag = getTagByName(inv, tagName);
+  if (!tag) {
+    return 0;
+  }
+  let total = tag.direct_score;
+  const children = getTagChildren(inv, tagName);
+  for (const child of children) {
+    total += getTagAggregatedScore(inv, child.name);
+  }
+  return total;
+}
+function getTagAggregatedLevel(inv, tagName) {
+  return getLevelFromScore(getTagAggregatedScore(inv, tagName));
+}
 
 // src/finders.ts
 function findObservablesByType(inv, type) {
@@ -1386,51 +1218,19 @@ function findObservablesWithThreatIntel(inv) {
     (obs) => obs.threat_intels.length > 0
   );
 }
-function findChecksByScope(inv, scope) {
-  const normalizedScope = scope.trim().toLowerCase();
-  if (inv.checks[scope]) {
-    return inv.checks[scope];
-  }
-  for (const [key, checks] of Object.entries(inv.checks)) {
-    if (key.toLowerCase() === normalizedScope) {
-      return checks;
-    }
-  }
-  return [];
-}
 function findChecksByLevel(inv, level) {
-  const result = [];
-  for (const checks of Object.values(inv.checks)) {
-    for (const check of checks) {
-      if (check.level === level) {
-        result.push(check);
-      }
-    }
-  }
-  return result;
+  return Object.values(inv.checks).filter((check) => check.level === level);
 }
 function findChecksAtLeast(inv, minLevel2) {
-  const result = [];
-  for (const checks of Object.values(inv.checks)) {
-    for (const check of checks) {
-      if (isLevelAtLeast(check.level, minLevel2)) {
-        result.push(check);
-      }
-    }
-  }
-  return result;
+  return Object.values(inv.checks).filter(
+    (check) => isLevelAtLeast(check.level, minLevel2)
+  );
 }
-function findChecksByCheckId(inv, checkId) {
-  const normalizedId = checkId.trim().toLowerCase();
-  const result = [];
-  for (const checks of Object.values(inv.checks)) {
-    for (const check of checks) {
-      if (check.check_id.toLowerCase() === normalizedId) {
-        result.push(check);
-      }
-    }
-  }
-  return result;
+function findCheckByName(inv, checkName) {
+  const normalizedName = checkName.trim().toLowerCase();
+  return Object.values(inv.checks).find(
+    (check) => check.check_name.toLowerCase() === normalizedName
+  );
 }
 function findThreatIntelBySource(inv, source) {
   const normalizedSource = source.trim().toLowerCase();
@@ -1446,52 +1246,31 @@ function findThreatIntelAtLeast(inv, minLevel2) {
     (ti) => isLevelAtLeast(ti.level, minLevel2)
   );
 }
-function findContainersByLevel(inv, level) {
-  const result = [];
-  function searchContainers(containers) {
-    for (const container of Object.values(containers)) {
-      if (container.aggregated_level === level) {
-        result.push(container);
-      }
-      searchContainers(container.sub_containers);
-    }
-  }
-  searchContainers(inv.containers);
-  return result;
+function findTagsByLevel(inv, level) {
+  return Object.values(inv.tags).filter((tag) => tag.direct_level === level);
 }
-function findContainersAtLeast(inv, minLevel2) {
-  const result = [];
-  function searchContainers(containers) {
-    for (const container of Object.values(containers)) {
-      if (isLevelAtLeast(container.aggregated_level, minLevel2)) {
-        result.push(container);
-      }
-      searchContainers(container.sub_containers);
-    }
-  }
-  searchContainers(inv.containers);
-  return result;
+function findTagsAtLeast(inv, minLevel2) {
+  return Object.values(inv.tags).filter(
+    (tag) => isLevelAtLeast(tag.direct_level, minLevel2)
+  );
+}
+function findTagsByNamePattern(inv, pattern) {
+  return Object.values(inv.tags).filter((tag) => pattern.test(tag.name));
 }
-function getChecksForObservable(inv, observableKey) {
+function findChecksForObservable(inv, observableKey) {
   const result = [];
   const seen = /* @__PURE__ */ new Set();
-  const checkLookup = /* @__PURE__ */ new Map();
-  for (const checks of Object.values(inv.checks)) {
-    for (const check of checks) {
-      checkLookup.set(check.key, check);
-    }
-  }
   const observable = inv.observables[observableKey];
   if (observable) {
     for (const checkKey of observable.check_links) {
-      const check = checkLookup.get(checkKey);
+      const check = inv.checks[checkKey];
       if (check && !seen.has(check.key)) {
         result.push(check);
         seen.add(check.key);
       }
     }
   }
-  for (const check of checkLookup.values()) {
+  for (const check of Object.values(inv.checks)) {
     if (seen.has(check.key)) {
       continue;
     }
@@ -1502,7 +1281,7 @@ function getChecksForObservable(inv, observableKey) {
   }
   return result;
 }
-function getThreatIntelsForObservable(inv, observableKey) {
+function findThreatIntelsForObservable(inv, observableKey) {
   const observable = inv.observables[observableKey];
   if (observable) {
     return observable.threat_intels.map((tiKey) => inv.threat_intels[tiKey]).filter((ti) => ti !== void 0);
@@ -1511,51 +1290,41 @@ function getThreatIntelsForObservable(inv, observableKey) {
     (ti) => ti.observable_key === observableKey
   );
 }
-function getObservablesForCheck(inv, checkKey) {
-  for (const checks of Object.values(inv.checks)) {
-    for (const check of checks) {
-      if (check.key === checkKey) {
-        const keys = /* @__PURE__ */ new Set();
-        for (const link of check.observable_links) {
-          keys.add(link.observable_key);
-        }
-        return Array.from(keys).map((obsKey) => inv.observables[obsKey]).filter((obs) => obs !== void 0);
-      }
+function findObservablesForCheck(inv, checkKey) {
+  const check = inv.checks[checkKey];
+  if (check) {
+    const keys = /* @__PURE__ */ new Set();
+    for (const link of check.observable_links) {
+      keys.add(link.observable_key);
     }
+    return Array.from(keys).map((obsKey) => inv.observables[obsKey]).filter((obs) => obs !== void 0);
   }
   return [];
 }
-function getChecksForContainer(inv, containerKey, recursive = false) {
+function findChecksForTag(inv, tagKey, recursive = false) {
   const result = [];
-  function findContainer(containers) {
-    for (const container2 of Object.values(containers)) {
-      if (container2.key === containerKey) {
-        return container2;
-      }
-      const found = findContainer(container2.sub_containers);
-      if (found) return found;
+  const tag = inv.tags[tagKey];
+  if (!tag) {
+    return result;
+  }
+  for (const checkKey of tag.checks) {
+    const check = inv.checks[checkKey];
+    if (check) {
+      result.push(check);
     }
-    return void 0;
   }
-  function collectChecks(container2) {
-    for (const checkKey of container2.checks) {
-      for (const checks of Object.values(inv.checks)) {
-        for (const check of checks) {
-          if (check.key === checkKey) {
+  if (recursive) {
+    const prefix = tag.name + ":";
+    for (const otherTag of Object.values(inv.tags)) {
+      if (otherTag.name.startsWith(prefix)) {
+        for (const checkKey of otherTag.checks) {
+          const check = inv.checks[checkKey];
+          if (check) {
             result.push(check);
           }
         }
       }
     }
-    if (recursive) {
-      for (const subContainer of Object.values(container2.sub_containers)) {
-        collectChecks(subContainer);
-      }
-    }
-  }
-  const container = findContainer(inv.containers);
-  if (container) {
-    collectChecks(container);
   }
   return result;
 }
@@ -1575,29 +1344,25 @@ function sortChecksByLevel(checks) {
     (a, b) => LEVEL_VALUES[b.level] - LEVEL_VALUES[a.level]
   );
 }
-function getHighestScoringObservables(inv, n = 10) {
+function findHighestScoringObservables(inv, n = 10) {
   return sortObservablesByScore(Object.values(inv.observables)).slice(0, n);
 }
-function getHighestScoringChecks(inv, n = 10) {
-  const allChecks = [];
-  for (const checks of Object.values(inv.checks)) {
-    allChecks.push(...checks);
-  }
-  return sortChecksByScore(allChecks).slice(0, n);
+function findHighestScoringChecks(inv, n = 10) {
+  return sortChecksByScore(Object.values(inv.checks)).slice(0, n);
 }
-function getMaliciousObservables(inv) {
+function findMaliciousObservables(inv) {
   return findObservablesByLevel(inv, "MALICIOUS");
 }
-function getSuspiciousObservables(inv) {
+function findSuspiciousObservables(inv) {
   return findObservablesByLevel(inv, "SUSPICIOUS");
 }
-function getMaliciousChecks(inv) {
+function findMaliciousChecks(inv) {
   return findChecksByLevel(inv, "MALICIOUS");
 }
-function getSuspiciousChecks(inv) {
+function findSuspiciousChecks(inv) {
   return findChecksByLevel(inv, "SUSPICIOUS");
 }
-function getAllScopes(inv) {
+function getAllCheckKeys(inv) {
   return Object.keys(inv.checks);
 }
 function getAllObservableTypes(inv) {
@@ -1734,7 +1499,7 @@ function getObservableGraph(inv) {
   }
   return { nodes, edges };
 }
-function findRootObservables(inv) {
+function findSourceObservables(inv) {
   const targetKeys = /* @__PURE__ */ new Set();
   for (const obs of Object.values(inv.observables)) {
     for (const rel of obs.relationships) {
@@ -1875,93 +1640,100 @@ function getRelationshipsForObservable(inv, observableKey) {
     ]
   };
 }
-// Annotate the CommonJS export names for ESM import in node:
-0 && (module.exports = {
+export {
   LEVEL_COLORS,
   LEVEL_ORDER,
   LEVEL_VALUES,
   areConnected,
   compareLevels,
   countRelationshipsByType,
+  findCheckByName,
   findChecksAtLeast,
-  findChecksByCheckId,
   findChecksByLevel,
-  findChecksByScope,
-  findContainersAtLeast,
-  findContainersByLevel,
+  findChecksForObservable,
+  findChecksForTag,
   findExternalObservables,
+  findHighestScoringChecks,
+  findHighestScoringObservables,
   findInternalObservables,
   findLeafObservables,
+  findMaliciousChecks,
+  findMaliciousObservables,
   findObservablesAtLeast,
   findObservablesByLevel,
   findObservablesByType,
   findObservablesByValue,
   findObservablesContaining,
+  findObservablesForCheck,
   findObservablesMatching,
   findObservablesWithThreatIntel,
   findOrphanObservables,
   findPath,
-  findRootObservables,
+  findSourceObservables,
+  findSuspiciousChecks,
+  findSuspiciousObservables,
+  findTagsAtLeast,
+  findTagsByLevel,
+  findTagsByNamePattern,
   findThreatIntelAtLeast,
   findThreatIntelByLevel,
   findThreatIntelBySource,
+  findThreatIntelsForObservable,
   findWhitelistedObservables,
   generateCheckKey,
-  generateContainerKey,
   generateEnrichmentKey,
   generateObservableKey,
+  generateTagKey,
   generateThreatIntelKey,
+  getAllCheckKeys,
   getAllChecks,
-  getAllContainers,
   getAllEnrichments,
   getAllObservableTypes,
   getAllObservables,
   getAllRelationshipTypes,
-  getAllScopes,
+  getAllTags,
   getAllThreatIntelSources,
   getAllThreatIntels,
   getCheck,
-  getCheckByIdScope,
-  getChecksForContainer,
-  getChecksForObservable,
+  getCheckByName,
   getColorForLevel,
   getColorForScore,
-  getContainer,
-  getContainerByPath,
   getCounts,
   getDataExtraction,
   getEnrichment,
   getEnrichmentByName,
   getEntityLevel,
-  getHighestScoringChecks,
-  getHighestScoringObservables,
   getLevelFromScore,
-  getMaliciousChecks,
-  getMaliciousObservables,
   getObservable,
   getObservableByTypeValue,
   getObservableChildren,
   getObservableGraph,
   getObservableParents,
-  getObservablesForCheck,
   getReachableObservables,
   getRelatedObservables,
   getRelatedObservablesByDirection,
   getRelatedObservablesByType,
   getRelationshipsForObservable,
+  getRootObservable,
   getStartedAt,
   getStats,
-  getSuspiciousChecks,
-  getSuspiciousObservables,
+  getTag,
+  getTagAggregatedLevel,
+  getTagAggregatedScore,
+  getTagAncestors,
+  getTagByName,
+  getTagChildren,
+  getTagDescendants,
   getThreatIntel,
   getThreatIntelBySourceObservable,
-  getThreatIntelsForObservable,
   getWhitelists,
   hasLevel,
   isCyvest,
   isLevelAtLeast,
   isLevelHigherThan,
   isLevelLowerThan,
+  isTagChildOf,
+  isTagDescendantOf,
   isValidLevel,
   maxLevel,
   minLevel,
@@ -1976,4 +1748,4 @@ function getRelationshipsForObservable(inv, observableKey) {
   sortObservablesByLevel,
   sortObservablesByScore,
   validateKey
-});
+};