cartography 0.107.0rc2__py3-none-any.whl → 0.108.0__py3-none-any.whl

cartography/intel/sentinelone/application.py

@@ -0,0 +1,248 @@
+import logging
+from typing import Any
+
+import neo4j
+
+from cartography.client.core.tx import load
+from cartography.graph.job import GraphJob
+from cartography.intel.sentinelone.api import get_paginated_results
+from cartography.intel.sentinelone.utils import get_application_id
+from cartography.intel.sentinelone.utils import get_application_version_id
+from cartography.models.sentinelone.application import S1ApplicationSchema
+from cartography.models.sentinelone.application_version import (
+    S1ApplicationVersionSchema,
+)
+from cartography.util import timeit
+
+logger = logging.getLogger(__name__)
+
+
+@timeit
+def get_application_data(
+    account_id: str, api_url: str, api_token: str
+) -> list[dict[str, Any]]:
+    """
+    Get application data from SentinelOne API
+    :param account_id: SentinelOne account ID
+    :param api_url: SentinelOne API URL
+    :param api_token: SentinelOne API token
+    :return: A list of application data dictionaries
+    """
+    logger.info(f"Retrieving SentinelOne application data for account {account_id}")
+    applications = get_paginated_results(
+        api_url=api_url,
+        endpoint="/web/api/v2.1/application-management/inventory",
+        api_token=api_token,
+        params={
+            "accountIds": account_id,
+            "limit": 1000,
+        },
+    )
+
+    logger.info(f"Retrieved {len(applications)} applications from SentinelOne")
+    return applications
+
+
+@timeit
+def get_application_installs(
+    app_inventory: list[dict[str, Any]], account_id: str, api_url: str, api_token: str
+) -> list[dict[str, Any]]:
+    """
+    Get application installs from SentinelOne API
+    :param app_inventory: List of applications to get installs for
+    :param account_id: SentinelOne account ID
+    :param api_url: SentinelOne API URL
+    :param api_token: SentinelOne API token
+    :return: A list of application installs data dictionaries
+    """
+    logger.info(
+        f"Retrieving SentinelOne application installs for "
+        f"{len(app_inventory)} applications in account "
+        f"{account_id}",
+    )
+
+    application_installs = []
+    for i, app in enumerate(app_inventory):
+        logger.info(
+            f"Retrieving SentinelOne installs for {app.get('applicationName')} "
+            f"{app.get('applicationVendor')} ({i + 1}/{len(app_inventory)})",
+        )
+        name = app["applicationName"]
+        vendor = app["applicationVendor"]
+        app_installs = get_paginated_results(
+            api_url=api_url,
+            endpoint="/web/api/v2.1/application-management/inventory/endpoints",
+            api_token=api_token,
+            params={
+                "accountIds": account_id,
+                "limit": 1000,
+                "applicationName": name,
+                "applicationVendor": vendor,
+            },
+        )
+
+        # Replace applicationVendor and applicationName with original values
+        # for consistency with the application data
+        for app_install in app_installs:
+            app_install["applicationVendor"] = vendor
+            app_install["applicationName"] = name
+        application_installs.extend(app_installs)
+
+    return application_installs
+
+
+def transform_applications(
+    applications_list: list[dict[str, Any]],
+) -> list[dict[str, Any]]:
+    """
+    Transform SentinelOne application data for loading into Neo4j
+    :param applications_list: Raw application data from the API
+    :return: Transformed application data
+    """
+    transformed_data = []
+    for app in applications_list:
+        vendor = app["applicationVendor"].strip()
+        name = app["applicationName"].strip()
+        app_id = get_application_id(name, vendor)
+        transformed_app = {
+            "id": app_id,
+            "name": name,
+            "vendor": vendor,
+        }
+        transformed_data.append(transformed_app)
+
+    return transformed_data
+
+
+def transform_application_versions(
+    application_installs_list: list[dict[str, Any]],
+) -> list[dict[str, Any]]:
+    """
+    Transform SentinelOne application installs for loading into Neo4j
+    :param application_installs_list: Raw application installs data from the API
+    :return: Transformed application installs data
+    """
+    transformed_data = []
+    for installed_version in application_installs_list:
+        app_name = installed_version["applicationName"]
+        app_vendor = installed_version["applicationVendor"]
+        version = installed_version["version"]
+
+        transformed_version = {
+            "id": get_application_version_id(
+                app_name,
+                app_vendor,
+                version,
+            ),
+            "application_id": get_application_id(
+                app_name,
+                app_vendor,
+            ),
+            "application_name": app_name,
+            "application_vendor": app_vendor,
+            "agent_uuid": installed_version.get("endpointUuid"),
+            "installation_path": installed_version.get("applicationInstallationPath"),
+            "installed_dt": installed_version.get("applicationInstallationDate"),
+            "version": version,
+        }
+        transformed_data.append(transformed_version)
+
+    return transformed_data
+
+
+@timeit
+def load_application_data(
+    neo4j_session: neo4j.Session,
+    data: list[dict[str, Any]],
+    account_id: str,
+    update_tag: int,
+) -> None:
+    """
+    Load SentinelOne application data into Neo4j
+    :param neo4j_session: Neo4j session
+    :param data: The transformed application data
+    :param account_id: The SentinelOne account ID
+    :param update_tag: Update tag to set on the nodes
+    :return: None
+    """
+    logger.info(f"Loading {len(data)} SentinelOne applications into Neo4j")
+    load(
+        neo4j_session,
+        S1ApplicationSchema(),
+        data,
+        lastupdated=update_tag,
+        S1_ACCOUNT_ID=account_id,
+    )
+
+
+@timeit
+def load_application_versions(
+    neo4j_session: neo4j.Session,
+    data: list[dict[str, Any]],
+    account_id: str,
+    update_tag: int,
+) -> None:
+    logger.info(f"Loading {len(data)} SentinelOne application versions into Neo4j")
+    load(
+        neo4j_session,
+        S1ApplicationVersionSchema(),
+        data,
+        lastupdated=update_tag,
+        S1_ACCOUNT_ID=account_id,
+    )
+
+
+@timeit
+def cleanup(
+    neo4j_session: neo4j.Session, common_job_parameters: dict[str, Any]
+) -> None:
+    logger.debug("Running SentinelOne S1Application cleanup")
+    GraphJob.from_node_schema(S1ApplicationSchema(), common_job_parameters).run(
+        neo4j_session
+    )
+    logger.debug("Running SentinelOne S1ApplicationVersion cleanup")
+    GraphJob.from_node_schema(S1ApplicationVersionSchema(), common_job_parameters).run(
+        neo4j_session
+    )
+
+
+@timeit
+def sync(
+    neo4j_session: neo4j.Session,
+    common_job_parameters: dict[str, Any],
+) -> None:
+    """
+    Sync SentinelOne applications
+    :param neo4j_session: Neo4j session
+    :param common_job_parameters: Common job parameters containing API_URL, API_TOKEN, etc.
+    :return: None
+    """
+    logger.info("Syncing SentinelOne application data")
+    account_id = str(common_job_parameters["S1_ACCOUNT_ID"])
+    api_url = str(common_job_parameters["API_URL"])
+    api_token = str(common_job_parameters["API_TOKEN"])
+
+    applications = get_application_data(account_id, api_url, api_token)
+    application_versions = get_application_installs(
+        applications, account_id, api_url, api_token
+    )
+    transformed_applications = transform_applications(applications)
+    transformed_application_versions = transform_application_versions(
+        application_versions
+    )
+
+    load_application_data(
+        neo4j_session,
+        transformed_applications,
+        account_id,
+        common_job_parameters["UPDATE_TAG"],
+    )
+
+    load_application_versions(
+        neo4j_session,
+        transformed_application_versions,
+        account_id,
+        common_job_parameters["UPDATE_TAG"],
+    )
+
+    cleanup(neo4j_session, common_job_parameters)

cartography/intel/sentinelone/utils.py

@@ -2,8 +2,27 @@ import re
 
 
 def get_application_id(name: str, vendor: str) -> str:
+    """
+    Generate a normalized unique identifier for an application.
+    :param name: Application name
+    :param vendor: Application vendor/publisher
+    :return: Normalized unique identifier in format 'vendor:name'
+    """
     name_normalized = name.strip().lower().replace(" ", "_")
     vendor_normalized = vendor.strip().lower().replace(" ", "_")
     name_normalized = re.sub(r"[^\w]", "", name_normalized)
-    vendor_normalized = re.sub(r"[^\w\s]", "", vendor_normalized)
+    vendor_normalized = re.sub(r"[^\w]", "", vendor_normalized)
     return f"{vendor_normalized}:{name_normalized}"
+
+
+def get_application_version_id(name: str, vendor: str, version: str) -> str:
+    """
+    Generate a unique identifier for an application version
+    :param name: Application name
+    :param vendor: Application vendor
+    :param version: Application version
+    :return: Unique identifier for the application version in format 'vendor:name:version'
+    """
+    app_id = get_application_id(name, vendor)
+    version_normalized = version.strip().lower().replace(" ", "_")
+    return f"{app_id}:{version_normalized}"

cartography/models/aws/cloudtrail/management_events.py

@@ -29,12 +29,6 @@ class AssumedRoleRelProperties(CartographyRelProperties):
     times_used: PropertyRef = PropertyRef("times_used")
     first_seen_in_time_window: PropertyRef = PropertyRef("first_seen_in_time_window")
 
-    # Event type tracking properties
-    event_types: PropertyRef = PropertyRef("event_types")
-    assume_role_count: PropertyRef = PropertyRef("assume_role_count")
-    saml_count: PropertyRef = PropertyRef("saml_count")
-    web_identity_count: PropertyRef = PropertyRef("web_identity_count")
-
 
 @dataclass(frozen=True)
 class AssumedRoleMatchLink(CartographyRelSchema):
@@ -62,3 +56,98 @@ class AssumedRoleMatchLink(CartographyRelSchema):
     direction: LinkDirection = LinkDirection.OUTWARD
     rel_label: str = "ASSUMED_ROLE"
     properties: AssumedRoleRelProperties = AssumedRoleRelProperties()
+
+
+@dataclass(frozen=True)
+class AssumedRoleWithSAMLRelProperties(CartographyRelProperties):
+    """
+    Properties for the ASSUMED_ROLE_WITH_SAML relationship representing SAML-based role assumption events.
+    Focuses specifically on SAML federated identity role assumptions.
+    """
+
+    # Mandatory fields for MatchLinks
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+    _sub_resource_label: PropertyRef = PropertyRef(
+        "_sub_resource_label", set_in_kwargs=True
+    )
+    _sub_resource_id: PropertyRef = PropertyRef("_sub_resource_id", set_in_kwargs=True)
+
+    # CloudTrail-specific relationship properties
+    last_used: PropertyRef = PropertyRef("last_used")
+    times_used: PropertyRef = PropertyRef("times_used")
+    first_seen_in_time_window: PropertyRef = PropertyRef("first_seen_in_time_window")
+
+
+@dataclass(frozen=True)
+class AssumedRoleWithSAMLMatchLink(CartographyRelSchema):
+    """
+    MatchLink schema for ASSUMED_ROLE_WITH_SAML relationships from CloudTrail SAML events.
+    Creates relationships like: (AWSRole)-[:ASSUMED_ROLE_WITH_SAML]->(AWSRole)
+
+    This MatchLink handles SAML-based role assumption relationships discovered via CloudTrail
+    AssumeRoleWithSAML events. It creates separate relationships from regular AssumeRole events
+    to preserve visibility into authentication methods used.
+    """
+
+    # MatchLink-specific fields
+    source_node_label: str = "AWSSSOUser"  # Match against AWS SSO User nodes
+    source_node_matcher: SourceNodeMatcher = make_source_node_matcher(
+        {"user_name": PropertyRef("source_principal_arn")},
+    )
+
+    # Standard CartographyRelSchema fields
+    target_node_label: str = "AWSRole"
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {"arn": PropertyRef("destination_principal_arn")},
+    )
+    direction: LinkDirection = LinkDirection.OUTWARD
+    rel_label: str = "ASSUMED_ROLE_WITH_SAML"
+    properties: AssumedRoleWithSAMLRelProperties = AssumedRoleWithSAMLRelProperties()
+
+
+@dataclass(frozen=True)
+class AssumeRoleWithWebIdentityRelProperties(CartographyRelProperties):
+    """
+    Properties for the ASSUMED_ROLE_WITH_WEB_IDENTITY relationship representing web identity-based role assumption events.
+    Focuses specifically on web identity federation role assumptions (Google, Amazon, Facebook, etc.).
+    """
+
+    # Mandatory fields for MatchLinks
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+    _sub_resource_label: PropertyRef = PropertyRef(
+        "_sub_resource_label", set_in_kwargs=True
+    )
+    _sub_resource_id: PropertyRef = PropertyRef("_sub_resource_id", set_in_kwargs=True)
+
+    # CloudTrail-specific relationship properties
+    last_used: PropertyRef = PropertyRef("last_used")
+    times_used: PropertyRef = PropertyRef("times_used")
+    first_seen_in_time_window: PropertyRef = PropertyRef("first_seen_in_time_window")
+
+
+@dataclass(frozen=True)
+class GitHubRepoAssumeRoleWithWebIdentityMatchLink(CartographyRelSchema):
+    """
+    MatchLink schema for ASSUMED_ROLE_WITH_WEB_IDENTITY relationships from GitHub Actions to AWS roles.
+    Creates relationships like: (GitHubRepository)-[:ASSUMED_ROLE_WITH_WEB_IDENTITY]->(AWSRole)
+
+    This MatchLink provides granular visibility into which specific GitHub repositories are assuming
+    AWS roles via GitHub Actions OIDC, rather than just showing provider-level relationships.
+    """
+
+    # MatchLink-specific fields for GitHub repositories
+    source_node_label: str = "GitHubRepository"
+    source_node_matcher: SourceNodeMatcher = make_source_node_matcher(
+        {"fullname": PropertyRef("source_repo_fullname")},
+    )
+
+    # Standard CartographyRelSchema fields
+    target_node_label: str = "AWSRole"
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {"arn": PropertyRef("destination_principal_arn")},
+    )
+    direction: LinkDirection = LinkDirection.OUTWARD
+    rel_label: str = "ASSUMED_ROLE_WITH_WEB_IDENTITY"
+    properties: AssumeRoleWithWebIdentityRelProperties = (
+        AssumeRoleWithWebIdentityRelProperties()
+    )

cartography/models/aws/cloudtrail/trail.py

@@ -73,6 +73,26 @@ class CloudTrailTrailToS3BucketRel(CartographyRelSchema):
     )
 
 
+@dataclass(frozen=True)
+class CloudTrailTrailToCloudWatchLogGroupRelProperties(CartographyRelProperties):
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class CloudTrailTrailToCloudWatchLogGroupRel(CartographyRelSchema):
+    target_node_label: str = "CloudWatchLogGroup"
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {
+            "id": PropertyRef("CloudWatchLogsLogGroupArn"),
+        }
+    )
+    direction: LinkDirection = LinkDirection.OUTWARD
+    rel_label: str = "SENDS_LOGS_TO_CLOUDWATCH"
+    properties: CloudTrailTrailToCloudWatchLogGroupRelProperties = (
+        CloudTrailTrailToCloudWatchLogGroupRelProperties()
+    )
+
+
 @dataclass(frozen=True)
 class CloudTrailTrailSchema(CartographyNodeSchema):
     label: str = "CloudTrailTrail"
@@ -81,5 +101,6 @@ class CloudTrailTrailSchema(CartographyNodeSchema):
     other_relationships: OtherRelationships = OtherRelationships(
         [
             CloudTrailTrailToS3BucketRel(),
+            CloudTrailTrailToCloudWatchLogGroupRel(),
         ]
     )

cartography/models/aws/cloudwatch/log_metric_filter.py

@@ -0,0 +1,79 @@
+from dataclasses import dataclass
+
+from cartography.models.core.common import PropertyRef
+from cartography.models.core.nodes import CartographyNodeProperties
+from cartography.models.core.nodes import CartographyNodeSchema
+from cartography.models.core.relationships import CartographyRelProperties
+from cartography.models.core.relationships import CartographyRelSchema
+from cartography.models.core.relationships import LinkDirection
+from cartography.models.core.relationships import make_target_node_matcher
+from cartography.models.core.relationships import OtherRelationships
+from cartography.models.core.relationships import TargetNodeMatcher
+
+
+@dataclass(frozen=True)
+class CloudWatchLogMetricFilterNodeProperties(CartographyNodeProperties):
+    id: PropertyRef = PropertyRef("id")
+    arn: PropertyRef = PropertyRef("filterName", extra_index=True)
+    region: PropertyRef = PropertyRef("Region", set_in_kwargs=True)
+    filter_name: PropertyRef = PropertyRef("filterName")
+    filter_pattern: PropertyRef = PropertyRef("filterPattern")
+    log_group_name: PropertyRef = PropertyRef("logGroupName")
+    metric_name: PropertyRef = PropertyRef("metricName")
+    metric_namespace: PropertyRef = PropertyRef("metricNamespace")
+    metric_value: PropertyRef = PropertyRef("metricValue")
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class CloudWatchLogMetricFilterToAwsAccountRelProperties(CartographyRelProperties):
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class CloudWatchLogMetricFilterToAWSAccountRel(CartographyRelSchema):
+    target_node_label: str = "AWSAccount"
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {"id": PropertyRef("AWS_ID", set_in_kwargs=True)},
+    )
+    direction: LinkDirection = LinkDirection.INWARD
+    rel_label: str = "RESOURCE"
+    properties: CloudWatchLogMetricFilterToAwsAccountRelProperties = (
+        CloudWatchLogMetricFilterToAwsAccountRelProperties()
+    )
+
+
+@dataclass(frozen=True)
+class CloudWatchLogMetricFilterToCloudWatchLogGroupRelProperties(
+    CartographyRelProperties
+):
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class CloudWatchLogMetricFilterToCloudWatchLogGroupRel(CartographyRelSchema):
+    target_node_label: str = "CloudWatchLogGroup"
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {"log_group_name": PropertyRef("logGroupName")},
+    )
+    direction: LinkDirection = LinkDirection.OUTWARD
+    rel_label: str = "METRIC_FILTER_OF"
+    properties: CloudWatchLogMetricFilterToCloudWatchLogGroupRelProperties = (
+        CloudWatchLogMetricFilterToCloudWatchLogGroupRelProperties()
+    )
+
+
+@dataclass(frozen=True)
+class CloudWatchLogMetricFilterSchema(CartographyNodeSchema):
+    label: str = "CloudWatchLogMetricFilter"
+    properties: CloudWatchLogMetricFilterNodeProperties = (
+        CloudWatchLogMetricFilterNodeProperties()
+    )
+    sub_resource_relationship: CloudWatchLogMetricFilterToAWSAccountRel = (
+        CloudWatchLogMetricFilterToAWSAccountRel()
+    )
+    other_relationships: OtherRelationships = OtherRelationships(
+        [
+            CloudWatchLogMetricFilterToCloudWatchLogGroupRel(),
+        ]
+    )

cartography/models/aws/cloudwatch/metric_alarm.py

@@ -0,0 +1,53 @@
+from dataclasses import dataclass
+
+from cartography.models.core.common import PropertyRef
+from cartography.models.core.nodes import CartographyNodeProperties
+from cartography.models.core.nodes import CartographyNodeSchema
+from cartography.models.core.relationships import CartographyRelProperties
+from cartography.models.core.relationships import CartographyRelSchema
+from cartography.models.core.relationships import LinkDirection
+from cartography.models.core.relationships import make_target_node_matcher
+from cartography.models.core.relationships import TargetNodeMatcher
+
+
+@dataclass(frozen=True)
+class CloudWatchMetricAlarmNodeProperties(CartographyNodeProperties):
+    id: PropertyRef = PropertyRef("AlarmArn")
+    arn: PropertyRef = PropertyRef("AlarmArn", extra_index=True)
+    alarm_name: PropertyRef = PropertyRef("AlarmName")
+    alarm_description: PropertyRef = PropertyRef("AlarmDescription")
+    state_value: PropertyRef = PropertyRef("StateValue")
+    state_reason: PropertyRef = PropertyRef("StateReason")
+    actions_enabled: PropertyRef = PropertyRef("ActionsEnabled")
+    comparison_operator: PropertyRef = PropertyRef("ComparisonOperator")
+    region: PropertyRef = PropertyRef("Region", set_in_kwargs=True)
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class CloudWatchMetricAlarmToAwsAccountRelProperties(CartographyRelProperties):
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class CloudWatchMetricAlarmToAWSAccountRel(CartographyRelSchema):
+    target_node_label: str = "AWSAccount"
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {"id": PropertyRef("AWS_ID", set_in_kwargs=True)},
+    )
+    direction: LinkDirection = LinkDirection.INWARD
+    rel_label: str = "RESOURCE"
+    properties: CloudWatchMetricAlarmToAwsAccountRelProperties = (
+        CloudWatchMetricAlarmToAwsAccountRelProperties()
+    )
+
+
+@dataclass(frozen=True)
+class CloudWatchMetricAlarmSchema(CartographyNodeSchema):
+    label: str = "CloudWatchMetricAlarm"
+    properties: CloudWatchMetricAlarmNodeProperties = (
+        CloudWatchMetricAlarmNodeProperties()
+    )
+    sub_resource_relationship: CloudWatchMetricAlarmToAWSAccountRel = (
+        CloudWatchMetricAlarmToAWSAccountRel()
+    )

cartography/models/aws/ec2/networkinterfaces.py

@@ -44,7 +44,9 @@ class EC2NetworkInterfaceNodeProperties(CartographyNodeProperties):
     requester_id: PropertyRef = PropertyRef("RequesterId", extra_index=True)
     requester_managed: PropertyRef = PropertyRef("RequesterManaged")
     source_dest_check: PropertyRef = PropertyRef("SourceDestCheck")
+    # TODO: remove subnetid once we have migrated to subnet_id
     subnetid: PropertyRef = PropertyRef("SubnetId", extra_index=True)
+    subnet_id: PropertyRef = PropertyRef("SubnetId", extra_index=True)
 
 
 @dataclass(frozen=True)

cartography/models/aws/ec2/security_group_rules.py

@@ -0,0 +1,109 @@
+from dataclasses import dataclass
+
+from cartography.models.core.common import PropertyRef
+from cartography.models.core.nodes import CartographyNodeProperties
+from cartography.models.core.nodes import CartographyNodeSchema
+from cartography.models.core.nodes import ExtraNodeLabels
+from cartography.models.core.relationships import CartographyRelProperties
+from cartography.models.core.relationships import CartographyRelSchema
+from cartography.models.core.relationships import LinkDirection
+from cartography.models.core.relationships import make_target_node_matcher
+from cartography.models.core.relationships import OtherRelationships
+from cartography.models.core.relationships import TargetNodeMatcher
+
+
+@dataclass(frozen=True)
+class IpRuleNodeProperties(CartographyNodeProperties):
+    id: PropertyRef = PropertyRef("RuleId")
+    ruleid: PropertyRef = PropertyRef("RuleId", extra_index=True)
+    groupid: PropertyRef = PropertyRef("GroupId", extra_index=True)
+    protocol: PropertyRef = PropertyRef("Protocol")
+    fromport: PropertyRef = PropertyRef("FromPort")
+    toport: PropertyRef = PropertyRef("ToPort")
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class IpRuleToAWSAccountRelProperties(CartographyRelProperties):
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class IpRuleToAWSAccountRel(CartographyRelSchema):
+    target_node_label: str = "AWSAccount"
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {"id": PropertyRef("AWS_ID", set_in_kwargs=True)}
+    )
+    direction: LinkDirection = LinkDirection.INWARD
+    rel_label: str = "RESOURCE"
+    properties: IpRuleToAWSAccountRelProperties = IpRuleToAWSAccountRelProperties()
+
+
+@dataclass(frozen=True)
+class IpRuleToSecurityGroupRelProperties(CartographyRelProperties):
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class IpRuleToSecurityGroupRel(CartographyRelSchema):
+    target_node_label: str = "EC2SecurityGroup"
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {"groupid": PropertyRef("GroupId")}
+    )
+    direction: LinkDirection = LinkDirection.OUTWARD
+    rel_label: str = "MEMBER_OF_EC2_SECURITY_GROUP"
+    properties: IpRuleToSecurityGroupRelProperties = (
+        IpRuleToSecurityGroupRelProperties()
+    )
+
+
+@dataclass(frozen=True)
+class IpRangeNodeProperties(CartographyNodeProperties):
+    id: PropertyRef = PropertyRef("RangeId")
+    range: PropertyRef = PropertyRef("RangeId")
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class IpRangeToIpRuleRelProperties(CartographyRelProperties):
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class IpRangeToIpRuleRel(CartographyRelSchema):
+    target_node_label: str = "IpRule"
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {"ruleid": PropertyRef("RuleId")}
+    )
+    direction: LinkDirection = LinkDirection.OUTWARD
+    rel_label: str = "MEMBER_OF_IP_RULE"
+    properties: IpRangeToIpRuleRelProperties = IpRangeToIpRuleRelProperties()
+
+
+@dataclass(frozen=True)
+class IpRuleSchema(CartographyNodeSchema):
+    label: str = "IpRule"
+    properties: IpRuleNodeProperties = IpRuleNodeProperties()
+    sub_resource_relationship: IpRuleToAWSAccountRel = IpRuleToAWSAccountRel()
+    other_relationships: OtherRelationships = OtherRelationships(
+        [IpRuleToSecurityGroupRel()]
+    )
+
+
+@dataclass(frozen=True)
+class IpPermissionInboundSchema(CartographyNodeSchema):
+    label: str = "IpRule"
+    extra_node_labels: ExtraNodeLabels = ExtraNodeLabels(["IpPermissionInbound"])
+    properties: IpRuleNodeProperties = IpRuleNodeProperties()
+    sub_resource_relationship: IpRuleToAWSAccountRel = IpRuleToAWSAccountRel()
+    other_relationships: OtherRelationships = OtherRelationships(
+        [IpRuleToSecurityGroupRel()]
+    )
+
+
+@dataclass(frozen=True)
+class IpRangeSchema(CartographyNodeSchema):
+    label: str = "IpRange"
+    properties: IpRangeNodeProperties = IpRangeNodeProperties()
+    sub_resource_relationship: IpRuleToAWSAccountRel = IpRuleToAWSAccountRel()
+    other_relationships: OtherRelationships = OtherRelationships([IpRangeToIpRuleRel()])