assemblyline 4.6.1.dev166__tar.gz → 4.7.0.dev7__tar.gz

{assemblyline-4.6.1.dev166/assemblyline.egg-info → assemblyline-4.7.0.dev7}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: assemblyline
-Version: 4.6.1.dev166
+Version: 4.7.0.dev7
 Summary: Assemblyline 4 - Automated malware analysis framework
 Home-page: https://github.com/CybercentreCanada/assemblyline-base
 Author: CCCS Assemblyline development team
@@ -11,10 +11,10 @@ Classifier: Development Status :: 5 - Production/Stable
 Classifier: Intended Audience :: Developers
 Classifier: Topic :: Software Development :: Libraries
 Classifier: License :: OSI Approved :: MIT License
-Classifier: Programming Language :: Python :: 3.9
 Classifier: Programming Language :: Python :: 3.10
 Classifier: Programming Language :: Python :: 3.11
 Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
 Description-Content-Type: text/markdown
 License-File: LICENCE.md
 Requires-Dist: arrow

assemblyline-4.7.0.dev7/assemblyline/VERSION

@@ -0,0 +1 @@
+4.7.0.dev7

{assemblyline-4.6.1.dev166 → assemblyline-4.7.0.dev7}/assemblyline/common/bundling.py

@@ -1,4 +1,3 @@
-
 import json
 import logging
 import os
@@ -206,7 +205,7 @@ def create_bundle(sid, working_dir=WORK_DIR, use_alert=False, user_classificatio
                         submission['metadata']['bundle.classification'] = submission['classification']
 
                     results, supplementary = get_results(submission.get("results", []), file_infos, datastore,
-                                                          user_classification)
+                                                         user_classification)
                     supp_info, _ = get_file_infos(copy(supplementary), datastore)
                     file_infos.update(supp_info)
 
@@ -258,8 +257,18 @@ def create_bundle(sid, working_dir=WORK_DIR, use_alert=False, user_classificatio
 
 
 # noinspection PyBroadException,PyProtectedMember
-def import_bundle(path, working_dir=WORK_DIR, min_classification=Classification.UNRESTRICTED, allow_incomplete=False,
-                  rescan_services=None, exist_ok=False, cleanup=True, identify=None, reclassification=None):
+def import_bundle(
+    path,
+    working_dir=WORK_DIR,
+    min_classification=Classification.UNRESTRICTED,
+    allow_incomplete=False,
+    rescan_services=None,
+    exist_ok=False,
+    cleanup=True,
+    identify=None,
+    reclassification=None,
+    to_ingest=False,
+):
     with forge.get_datastore(archive_access=True) as datastore:
         current_working_dir = os.path.join(working_dir, get_random_id())
         res_file = os.path.join(current_working_dir, "results.json")
@@ -382,8 +391,16 @@ def import_bundle(path, working_dir=WORK_DIR, min_classification=Classification.
                             }
                             with SubmissionClient(datastore=datastore, filestore=filestore,
                                                   config=config, identify=identify) as sc:
-                                sc.rescan(submission, results['results'], extracted_file_infos,
-                                          files['tree'], list(errors['errors'].keys()), rescan_services)
+
+                                sc.rescan(
+                                    submission,
+                                    results["results"],
+                                    extracted_file_infos,
+                                    files["tree"],
+                                    list(errors["errors"].keys()),
+                                    rescan_services,
+                                    to_ingest=to_ingest,
+                                )
                 elif not exist_ok:
                     raise SubmissionAlreadyExist("Submission %s already exists." % sid)
 

{assemblyline-4.6.1.dev166 → assemblyline-4.7.0.dev7}/assemblyline/common/classification.py

@@ -342,9 +342,11 @@ class Classification(object):
 
         # Swap to long format if required
         if long_format:
-            return sorted(
-                [self.groups_map_stl.get(r, r) for r in g1_set]), sorted(
-                [self.subgroups_map_stl[r] for r in g2_set]), list(others)
+            return (
+                sorted([self.groups_map_stl.get(r, r) for r in g1_set]),
+                sorted([self.subgroups_map_stl[r] for r in g2_set]),
+                list(others)
+            )
         return sorted(list(g1_set)), sorted(list(g2_set)), list(others)
 
     @staticmethod

{assemblyline-4.6.1.dev166 → assemblyline-4.7.0.dev7}/assemblyline/common/dict_utils.py

@@ -11,7 +11,8 @@ def strip_nulls(d):
         for k, v in list(d.items()):
             v = strip_nulls(v) if v is not None else None
             # Assess if stripped value is null, if not then add it to the new dictionary returned
-            if v:
+            # allow empty value
+            if v is not None:
                 new_dict[k] = v
         return new_dict
     elif isinstance(d, list):

assemblyline-4.7.0.dev7/assemblyline/common/dispatcher.py

@@ -0,0 +1,39 @@
+from redis import Redis
+
+from assemblyline.remote.datatypes.hash import Hash
+from assemblyline.remote.datatypes.queues.named import NamedQueue
+
+
+DISPATCH_TASK_ASSIGNMENT = 'dispatcher-tasks-assigned-to-'
+TASK_ASSIGNMENT_PATTERN = DISPATCH_TASK_ASSIGNMENT + '*'
+DISPATCH_START_EVENTS = 'dispatcher-start-events-'
+DISPATCH_RESULT_QUEUE = 'dispatcher-results-'
+DISPATCH_COMMAND_QUEUE = 'dispatcher-commands-'
+DISPATCH_DIRECTORY = 'dispatchers-directory'
+
+
+class Dispatcher:
+    """A utility class for fetching information about the dispatchers running in the system."""
+    @staticmethod
+    def all_instances(persistent_redis: Redis) -> list[str]:
+        """List all dispatchers who have created a listing for themselves."""
+        return Hash(DISPATCH_DIRECTORY, host=persistent_redis).keys()
+
+    @staticmethod
+    def instance_assignment_size(persistent_redis: Redis, instance_id: str):
+        """Get the number of submissions assigned to a given dispatcher instance."""
+        return Hash(DISPATCH_TASK_ASSIGNMENT + instance_id, host=persistent_redis).length()
+
+    @staticmethod
+    def instance_assignment(persistent_redis: Redis, instance_id: str) -> list[str]:
+        """List the submissions assigned to a given dispatcher instance."""
+        return Hash(DISPATCH_TASK_ASSIGNMENT + instance_id, host=persistent_redis).keys()
+
+    @staticmethod
+    def all_queue_lengths(redis: Redis, instance_id: str):
+        """Get the queue lengths for a given dispatcher instance."""
+        return {
+            'start': NamedQueue(DISPATCH_START_EVENTS + instance_id, host=redis).length(),
+            'result': NamedQueue(DISPATCH_RESULT_QUEUE + instance_id, host=redis).length(),
+            'command': NamedQueue(DISPATCH_COMMAND_QUEUE + instance_id, host=redis).length()
+        }

{assemblyline-4.6.1.dev166 → assemblyline-4.7.0.dev7}/assemblyline/common/log.py

@@ -3,7 +3,7 @@ import logging.config
 import logging.handlers
 
 from traceback import format_exception
-from typing import Optional
+from typing import Optional, Union
 
 import json
 import os
@@ -65,7 +65,7 @@ class JsonFormatter(logging.Formatter):
         return ''.join(format_exception(*exc_info))
 
 
-def init_logging(name: str, config: Config = None, log_level: Optional[str] = None):
+def init_logging(name: str, config: Config = None, log_level: Optional[Union[str, int]] = None):
     logger = logging.getLogger('assemblyline')
 
     # If the environment has a log level override, use it.

assemblyline-4.7.0.dev7/assemblyline/common/version.py

@@ -0,0 +1,20 @@
+"""
+Try to find the version of the code base that is running or assume an arbitrary one for testing.
+"""
+import os
+import re
+
+
+ASSEMBLYLINE_VERSION = os.environ.get('ASSEMBLYLINE_VERSION', "4.0.0.dev0")
+
+PATTERN = r'v?(?P<framework>[0-9]+)\.(?P<system>[0-9]+)\.(?P<minor>[0-9]+)\.(?P<channel>dev|stable)?(?P<build>[0-9]+)'
+
+matching = re.match(PATTERN, ASSEMBLYLINE_VERSION, re.IGNORECASE)
+if matching:
+    groups = matching.groupdict()
+else:
+    raise EnvironmentError("Could not process the ASSEMBLYLINE_VERSION variable to extract a release version.")
+
+FRAMEWORK_VERSION = int(groups['framework'])
+SYSTEM_VERSION = int(groups['system'])
+BUILD_MINOR = int(groups['minor'])

{assemblyline-4.6.1.dev166 → assemblyline-4.7.0.dev7}/assemblyline/datastore/collection.py

@@ -7,29 +7,45 @@ import re
 import time
 import typing
 import warnings
-
+from copy import deepcopy
 from datetime import datetime
 from enum import Enum
 from os import environ
-from typing import Dict, Any, Union, TypeVar, Generic, Optional
-from copy import deepcopy
+from typing import Any, Dict, Generic, Optional, TypeVar, Union
 
-from datemath import dm
-from datemath.helpers import DateMathException
 import elasticsearch
 import elasticsearch.helpers
+from datemath import dm
+from datemath.helpers import DateMathException
 
 from assemblyline import odm
-from assemblyline.common.isotime import now_as_iso
 from assemblyline.common.dict_utils import recursive_update
+from assemblyline.common.isotime import now_as_iso
 from assemblyline.datastore.bulk import ElasticBulkPlan
 from assemblyline.datastore.exceptions import (
-    DataStoreException, MultiKeyError, SearchException, ArchiveDisabled, VersionConflictException)
+    ArchiveDisabled,
+    DataStoreException,
+    MultiKeyError,
+    SearchException,
+    VersionConflictException,
+)
 from assemblyline.datastore.support.build import back_mapping, build_mapping
-from assemblyline.datastore.support.schemas import (default_dynamic_strings, default_dynamic_templates,
-                                                    default_index, default_mapping)
-from assemblyline.odm.base import BANNED_FIELDS, Keyword, Integer, List, Mapping, Model, ClassificationObject, _Field
-
+from assemblyline.datastore.support.schemas import (
+    default_dynamic_strings,
+    default_dynamic_templates,
+    default_index,
+    default_mapping,
+)
+from assemblyline.odm.base import (
+    BANNED_FIELDS,
+    ClassificationObject,
+    Integer,
+    Keyword,
+    List,
+    Mapping,
+    Model,
+    _Field,
+)
 
 if typing.TYPE_CHECKING:
     from .store import ESStore
@@ -737,7 +753,6 @@ class ESCollection(Generic[ModelType]):
                     # copy backup to replace deleted index
                     self._safe_index_copy(self.datastore.client.indices.clone, backup_index, index,
                                           settings=self._get_index_settings(archive=archive))
-
                 finally:
                     # Unblock write to the index
                     self.with_retries(self.datastore.client.indices.put_settings,
@@ -1055,7 +1070,7 @@ class ESCollection(Generic[ModelType]):
         :return: True if the document was saved properly
         """
         if " " in key:
-            raise DataStoreException("You are not allowed to use spaces in datastore keys.")
+            raise DataStoreException(f'You are not allowed to use spaces in datastore keys: "{key}"')
 
         data = self.normalize(data)
 
@@ -2115,7 +2130,7 @@ class ESCollection(Generic[ModelType]):
         matching = set(fields.keys()) & set(model.keys())
         for field_name in matching:
             if fields[field_name]['indexed'] != model[field_name].index and model[field_name].index:
-                log.warning("Field %s should be indexed but is not.", field_name)
+                log.warning("Field %s of '%s' index should be indexed but is not.", field_name, self.name)
 
             possible_field_types = self.__get_possible_fields(model[field_name].__class__)
 

{assemblyline-4.6.1.dev166 → assemblyline-4.7.0.dev7}/assemblyline/datastore/helper.py

@@ -48,8 +48,19 @@ config = forge.get_config()
 
 THREAD_POOL_SIZE = int(os.environ.get("POOL_SIZE", 20))
 
-JSON_SECTIONS = ["GRAPH_DATA", "URL", "JSON", "KEY_VALUE", "PROCESS_TREE",
-                 "TABLE", "IMAGE", "MULTI", "ORDERED_KEY_VALUE", "TIMELINE"]
+JSON_SECTIONS = [
+    "GRAPH_DATA",
+    "IMAGE",
+    "JSON",
+    "KEY_VALUE",
+    "MULTI",
+    "ORDERED_KEY_VALUE",
+    "PROCESS_TREE",
+    "SANDBOX",
+    "TABLE",
+    "TIMELINE"
+    "URL",
+]
 
 
 class AssemblylineDatastore(object):
@@ -1166,9 +1177,25 @@ class AssemblylineDatastore(object):
                                                        as_obj=False, as_dictionary=False)]
 
         # Recursively update the service data with the service delta while stripping nulls
-        services = [recursive_update(data.as_primitives(strip_null=True), delta.as_primitives(strip_null=True),
-                                     stop_keys=['config'])
-                    for data, delta in zip(service_data, service_delta)]
+        services = []
+        for data, delta in zip(service_data, service_delta):
+            data = data.as_primitives(strip_null=True)
+            delta = delta.as_primitives(strip_null=True)
+            service = recursive_update(data, delta, stop_keys=['config'])
+
+            # Check if there's any configurations that were removed in the delta based on the current version of the service
+            for key in list(service.get('config', {}).keys()):
+                if key not in data.get('config', {}):
+                    service['config'].pop(key, None)
+
+            # Check for any submission parameters that aren't applicable to the current version of the service
+            if data.get('submission_params'):
+                current_params = [param['name'] for param in data['submission_params']]
+                for param in list(service.get('submission_params', [])):
+                    if param['name'] not in current_params:
+                        service['submission_params'].remove(param)
+
+            services.append(service)
 
         # Return as an objet if needs be...
         if as_obj:

{assemblyline-4.6.1.dev166 → assemblyline-4.7.0.dev7}/assemblyline/filestore/__init__.py

@@ -77,7 +77,8 @@ def create_transport(url, connection_attempts=None):
         sftp: private_key (string), private_key_pass (string), validate_host (bool)
         s3: aws_region (string), s3_bucket (string), use_ssl (bool), verify (bool)
         file: normalize (bool)
-        azure: access_key (string), tenant_id (string), client_id (string), client_secret (string), allow_directory_access (bool), use_default_credentials (bool)
+        azure: access_key (string), tenant_id (string), client_id (string), client_secret (string), 
+               allow_directory_access (bool), use_default_credentials (bool), initalize_container (bool)
 
     """
 
@@ -137,7 +138,7 @@ def create_transport(url, connection_attempts=None):
 
     elif scheme == 'azure':
         valid_str_keys = ['access_key', 'tenant_id', 'client_id', 'client_secret']
-        valid_bool_keys = ['allow_directory_access', 'use_default_credentials']
+        valid_bool_keys = ['allow_directory_access', 'use_default_credentials', 'initalize_container']
         extras = _get_extras(parse_qs(parsed.query), valid_str_keys=valid_str_keys, valid_bool_keys=valid_bool_keys)
 
         t = TransportAzure(base=base, host=host, connection_attempts=connection_attempts, **extras)

{assemblyline-4.6.1.dev166 → assemblyline-4.7.0.dev7}/assemblyline/filestore/transport/azure.py

@@ -29,7 +29,8 @@ This class assumes a flat file structure in the Azure storage blob.
 class TransportAzure(Transport):
 
     def __init__(self, base=None, access_key=None, tenant_id=None, client_id=None, client_secret=None,
-                host=None, connection_attempts=None, allow_directory_access=False, use_default_credentials=False):
+                 host=None, connection_attempts=None, allow_directory_access=False, use_default_credentials=False,
+                 initalize_container=True):
         self.log = logging.getLogger('assemblyline.transport.azure')
         self.read_only = False
         self.connection_attempts: Optional[int] = connection_attempts
@@ -69,18 +70,19 @@ class TransportAzure(Transport):
         self.container_client = self.service_client.get_container_client(self.blob_container)
 
         # Init
-        try:
-            self.with_retries(self.container_client.get_container_properties)
-        except TransportException as e:
-            if not isinstance(e.cause, ResourceNotFoundError):
-                raise
+        if initalize_container:
             try:
-                self.with_retries(self.container_client.create_container)
-            except TransportException as error:
-                if not isinstance(error.cause, ResourceNotFoundError):
+                self.with_retries(self.container_client.get_container_properties)
+            except TransportException as e:
+                if not isinstance(e.cause, ResourceNotFoundError):
                     raise
-                self.log.info('Failed to create container, we\'re most likely in read only mode')
-                self.read_only = True
+                try:
+                    self.with_retries(self.container_client.create_container)
+                except TransportException as error:
+                    if not isinstance(error.cause, ResourceNotFoundError):
+                        raise
+                    self.log.info('Failed to create container, we\'re most likely in read only mode')
+                    self.read_only = True
 
         def azure_normalize(path):
             # flatten path to just the basename
@@ -115,7 +117,7 @@ class TransportAzure(Transport):
                 raise
 
             except Exception as e:
-                self.log.warning(f"No connection to Azure transport "
+                self.log.warning(f"Could not run {func}, No connection to Azure transport "
                                  f"{os.path.join(self.endpoint_url, self.blob_container)}, retrying... "
                                  f"[{e.__class__.__name__}: {str(e)}]")
                 time.sleep(0.25)

{assemblyline-4.6.1.dev166 → assemblyline-4.7.0.dev7}/assemblyline/odm/messages/submission.py

@@ -21,6 +21,10 @@ class Submission(odm.Model):
     notification: Notification = odm.Compound(Notification, default={}, description="Notification queue parameters")
     params: SubmissionParams = odm.Compound(SubmissionParams, description="Parameters of the submission")
     scan_key: Opt[str] = odm.Optional(odm.Keyword())
+    file_tree = odm.Any(default={}, description="File tree of the files in this submission")
+    file_infos = odm.Mapping(odm.Any(), default={}, description="SHA256 and file information in the file.")
+    errors = odm.List(odm.Keyword(), default=[], description="List of error keys")
+    results = odm.Mapping(odm.Any(), default={}, description="Result key value mapping")
 
 
 def from_datastore_submission(submission: DatabaseSubmission):
@@ -28,19 +32,22 @@ def from_datastore_submission(submission: DatabaseSubmission):
     A helper to convert between database model version of Submission
     and the message version of Submission.
     """
-    return Submission({
-        'sid': submission.sid,
-        'files': submission.files,
-        'metadata': submission.metadata,
-        'params': submission.params,
-        'scan_key': submission.scan_key
-    })
+    return Submission(
+        {
+            "sid": submission.sid,
+            "files": submission.files,
+            "metadata": submission.metadata,
+            "params": submission.params,
+            "scan_key": submission.scan_key,
+        }
+    )
 
 
 @odm.model(description="Model of Submission Message")
 class SubmissionMessage(odm.Model):
     msg = odm.Compound(Submission, description="Body of the message")
-    msg_loader = odm.Enum(values={LOADER_CLASS}, default=LOADER_CLASS,
-                          description="Class to use to load the message as an object")   #
+    msg_loader = odm.Enum(
+        values={LOADER_CLASS}, default=LOADER_CLASS, description="Class to use to load the message as an object"
+    )  #
     msg_type = odm.Enum(values=MSG_TYPES, description="Type of message")
     sender = odm.Keyword(description="Sender of the message")

{assemblyline-4.6.1.dev166 → assemblyline-4.7.0.dev7}/assemblyline/odm/models/alert.py

@@ -21,14 +21,25 @@ def merge_extended_scan(a: str, b: str) -> str:
     raise ValueError(f"Invalid program state. scan state {a} {b}")
 
 
+DetailedItemSubtype = odm.Enum(
+    [
+        'CFG',  # Configuration blocks
+        'EXP',  # Exploits
+        'IMP',  # Implants
+        'OB',   # Obfuscation methods
+        'TA',   # Threat actors
+    ],
+    description="Specifies the item's subtype (e.g., EXP, CFG, OB, IMP, TA)."
+)
+
 @odm.model(index=True, store=False, description="""Represents a granular element within the detailed analysis results, providing specific insights into the analysis findings.
 """)
 class DetailedItem(odm.Model):
     type = odm.Keyword(description="Defines the specific attribute or aspect of the analysis that this detailed item pertains to.")
     value = odm.Keyword(description="The specific value or identifier for the detail item.")
-    verdict = odm.Enum(['safe', 'info', 'suspicious', 'malicious'], description="Represents the security assessment or classification of the detailed item, indicating its potential threat level.")
-    subtype = odm.Optional(odm.Enum(['EXP', 'CFG', 'OB', 'IMP', 'CFG', 'TA']), description="Adds further specificity to the detailed item, elaborating on its role or nature within the broader type category.  Supported subtypes include configuration blocks (CFG), exploits (EXP), implants (IMP), obfuscation methods (OB), and threat actors (TA).")
-
+    verdict = odm.Enum(['safe', 'info', 'suspicious', 'highly suspicious', 'malicious'], description="Security assessment of the detailed item.")
+    subtype = odm.Optional(DetailedItemSubtype, description="Specifies the item's subtype (e.g., CFG, EXP, IMP, OB, TA).")
+    
     def __hash__(self) -> int:
         return hash(tuple(sorted(self.as_primitives().items())))
 
@@ -57,16 +68,16 @@ class Screenshot(odm.Model):
 @odm.model(index=True, store=False, description="""Provides a comprehensive breakdown of specific attributes and their associated analysis results.
 """)
 class DetailedResults(odm.Model):
-    attack_pattern = odm.List(odm.Compound(DetailedItem), default=[], description="Detailed information on MITRE ATT&CK® framework patterns identified in the analysis.")
-    attack_category = odm.List(odm.Compound(DetailedItem), default=[], description="Detailed information on MITRE ATT&CK® framework categories associated with the alert.")
-    attrib = odm.List(odm.Compound(DetailedItem), default=[], description="Detailed attribution information that provides context by suggesting associations with known malware families, suspected threat actors, or ongoing campaigns.")
-    av = odm.List(odm.Compound(DetailedItem), default=[], description="Detailed information on antivirus signature matches.")
-    behavior = odm.List(odm.Compound(DetailedItem), default=[], description="Detailed descriptions of the behaviors exhibited by the analyzed file or artifact that led to the alert.")
-    domain = odm.List(odm.Compound(DetailedItem), default=[], description="Detailed domain information related to the alert.")
-    heuristic = odm.List(odm.Compound(DetailedItem), default=[], description="Detailed heuristic information that triggered the alert.")
-    ip = odm.List(odm.Compound(DetailedItem), default=[], description="Detailed IP address information related to the alert.")
-    uri = odm.List(odm.Compound(DetailedItem), default=[], description="Detailed URI information related to the alert.")
-    yara = odm.List(odm.Compound(DetailedItem), default=[], description="Detailed information on YARA rule matches that contributed to the alert.")
+    attack_pattern = odm.List(odm.Compound(DetailedItem), default=[], description="MITRE ATT&CK® framework patterns identified in the analysis.")
+    attack_category = odm.List(odm.Compound(DetailedItem), default=[], description="MITRE ATT&CK® framework categories associated with the alert.")
+    attrib = odm.List(odm.Compound(DetailedItem), default=[], description="Attribution information that provides context by suggesting associations with known malware families, suspected threat actors, or ongoing campaigns.")
+    av = odm.List(odm.Compound(DetailedItem), default=[], description="Information on antivirus signature matches.")
+    behavior = odm.List(odm.Compound(DetailedItem), default=[], description="Descriptions of the behaviors exhibited by the analyzed file or artifact that led to the alert.")
+    domain = odm.List(odm.Compound(DetailedItem), default=[], description="Domain information related to the alert.")
+    heuristic = odm.List(odm.Compound(DetailedItem), default=[], description="Heuristic information that triggered the alert.")
+    ip = odm.List(odm.Compound(DetailedItem), default=[], description="IP address information related to the alert.")
+    uri = odm.List(odm.Compound(DetailedItem), default=[], description="URI information related to the alert.")
+    yara = odm.List(odm.Compound(DetailedItem), default=[], description="Information on YARA rule matches that contributed to the alert.")
 
     def update(self, other: DetailedResults) -> None:
         for field in self.fields().keys():
@@ -128,16 +139,16 @@ class File(odm.Model):
 @odm.model(index=True, store=False, description="""The Verdict submodel captures the conclusions drawn by users regarding the nature of a submission. It lists user identifiers for those who have deemed the submission as either malicious or non-malicious, representing a collective assessment of the threat.
 """)
 class Verdict(odm.Model):
-    malicious = odm.List(odm.Keyword(), default=[], description="User identifiers of those who have marked the submission as malicious.")
+    malicious = odm.List(odm.Keyword(), default=[], description="User IDs of those who have marked the alert as malicious.")
     non_malicious = odm.List(odm.Keyword(), default=[],
-                             description="User identifiers of those who have marked the submission as non-malicious.")
+                             description="User IDs of those who have marked the alert as non-malicious.")
 
     def update(self, other: Verdict) -> None:
         self.malicious = list(set(self.malicious + other.malicious))
         self.non_malicious = list(set(self.non_malicious + other.non_malicious))
 
 
-@odm.model(index=True, store=False, description="""Summarizes the heuristic rules triggered during the analysis. These rules are part of the detection logic used by Assemblyline to identify suspicious or malicious behavior in the analyzed file.
+@odm.model(index=True, store=False, description="""Summarizes the heuristics that were triggered during the analysis. These heuristics are part of the detection logic used by Assemblyline to identify suspicious or malicious behavior in the analyzed file.
 """)
 class Heuristic(odm.Model):
     name = odm.List(odm.Keyword(), default=[], description="Names of the heuristics that have been matched in the analysis.")
@@ -195,7 +206,7 @@ class Alert(odm.Model):
     al = odm.compound(ALResults, description="Contains the results of the Assemblyline analysis for the alert.")
     archive_ts = odm.Optional(odm.Date(), description="Timestamp indicating when the alert was archived in the system.")
     attack = odm.Compound(Attack, description="Structured data representing MITRE ATT&CK information associated with the alert.")
-    classification = odm.Classification(description="Security classification level of the alert.")
+    classification = odm.Classification(description="Security classification assigned to the alert based on its contents and context.")
     expiry_ts = odm.Optional(odm.Date(store=False), description="Timestamp indicating when the alert is scheduled to expire from the system.")
     extended_scan = odm.Enum(values=EXTENDED_SCAN_VALUES, description="Indicates the status of an extended scan, if applicable. Extended scans are additional analyses performed after the initial analysis.")
     file = odm.Compound(File, description="Information about the file associated with the alert.")