contentctl 4.3.4__py3-none-any.whl → 4.4.0__py3-none-any.whl

contentctl/objects/dashboard.py

@@ -0,0 +1,100 @@
+from typing import Any
+from pydantic import Field, Json, model_validator
+
+import pathlib
+from jinja2 import Environment
+import json
+from contentctl.objects.security_content_object import SecurityContentObject
+from contentctl.objects.config import build
+from enum import StrEnum
+
+DEFAULT_DASHBAORD_JINJA2_TEMPLATE = '''<dashboard version="2" theme="{{ dashboard.theme }}">
+    <label>{{ dashboard.label(config) }}</label>
+    <description></description>
+    <definition><![CDATA[
+{{ dashboard.pretty_print_json_obj() }}
+    ]]></definition>
+    <meta type="hiddenElements"><![CDATA[
+{
+	"hideEdit": false,
+	"hideOpenInSearch": false,
+	"hideExport": false
+}
+    ]]></meta>
+</dashboard>'''
+
+class DashboardTheme(StrEnum):
+    light = "light"
+    dark = "dark"
+
+class Dashboard(SecurityContentObject):
+    j2_template: str = Field(default=DEFAULT_DASHBAORD_JINJA2_TEMPLATE, description="Jinja2 Template used to construct the dashboard")
+    description: str = Field(...,description="A description of the dashboard. This does not have to match "
+                             "the description of the dashboard in the JSON file.", max_length=10000)
+    theme: DashboardTheme = Field(default=DashboardTheme.light, description="The theme of the dashboard. Choose between 'light' and 'dark'.")
+    json_obj: Json[dict[str,Any]] = Field(..., description="Valid JSON object that describes the dashboard")
+    
+    
+    
+    def label(self, config:build)->str:
+        return f"{config.app.label} - {self.name}"
+    
+    @model_validator(mode="before")
+    @classmethod
+    def validate_fields_from_json(cls, data:Any)->Any:
+        yml_file_name:str|None = data.get("file_path", None)
+        if yml_file_name is None:
+            raise ValueError("File name not passed to dashboard constructor")
+        yml_file_path = pathlib.Path(yml_file_name)
+        json_file_path = yml_file_path.with_suffix(".json")
+
+        if not json_file_path.is_file():
+            raise ValueError(f"Required file {json_file_path} does not exist.")
+        
+        with open(json_file_path,'r') as jsonFilePointer:
+            try:
+                json_obj:dict[str,Any] = json.load(jsonFilePointer)
+            except Exception as e:
+                raise ValueError(f"Unable to load data from {json_file_path}: {str(e)}")
+
+        name_from_file = data.get("name",None)
+        name_from_json  = json_obj.get("title",None)
+
+        errors:list[str] = []
+        if name_from_json is None:
+            errors.append(f"'title' field is missing from {json_file_path}")
+        elif name_from_json != name_from_file:
+            errors.append(f"The 'title' field in the JSON file [{json_file_path}] does not match the 'name' field in the YML object [{yml_file_path}]. These two MUST match:\n    "
+                          f"title in JSON : {name_from_json}\n    "
+                          f"title in YML  : {name_from_file}\n    ")
+        
+        description_from_json = json_obj.get("description",None)
+        if description_from_json is None:
+            errors.append("'description' field is missing from field 'json_object'")
+        
+        if len(errors) > 0 :
+            err_string = "\n  - ".join(errors)
+            raise ValueError(f"Error(s) validating dashboard:\n  - {err_string}")
+        
+        data['name'] = name_from_file
+        data['json_obj'] = json.dumps(json_obj)
+        return data
+
+    
+    def pretty_print_json_obj(self):
+        return json.dumps(self.json_obj, indent=4)
+    
+    def getOutputFilepathRelativeToAppRoot(self, config:build)->pathlib.Path:
+        filename = f"{self.file_path.stem}.xml".lower()
+        return pathlib.Path("default/data/ui/views")/filename
+    
+    
+    def writeDashboardFile(self, j2_env:Environment, config:build):
+        template = j2_env.from_string(self.j2_template)
+        dashboard_text = template.render(config=config, dashboard=self)
+
+        with open(config.getPackageDirectoryPath()/self.getOutputFilepathRelativeToAppRoot(config), 'a') as f:
+            output_xml = dashboard_text.encode('utf-8', 'ignore').decode('utf-8')
+            f.write(output_xml)
+
+

contentctl/objects/deployment.py

@@ -1,7 +1,8 @@
 from __future__ import annotations
-from pydantic import Field, computed_field, model_validator,ValidationInfo, model_serializer
-from typing import Optional,Any
-
+from pydantic import Field, computed_field,ValidationInfo, model_serializer, NonNegativeInt
+from typing import Any
+import uuid
+import datetime
 from contentctl.objects.security_content_object import SecurityContentObject
 from contentctl.objects.deployment_scheduling import DeploymentScheduling
 from contentctl.objects.alert_action import AlertAction
@@ -15,9 +16,13 @@ class Deployment(SecurityContentObject):
     #author: str = None
     #description: str = None
     #contentType: SecurityContentType = SecurityContentType.deployments
+    
+    
     scheduling: DeploymentScheduling = Field(...)
     alert_action: AlertAction = AlertAction()
     type: DeploymentType = Field(...)
+    author: str = Field(...,max_length=255)
+    version: NonNegativeInt = 1
 
     #Type was the only tag exposed and should likely be removed/refactored.
     #For transitional reasons, provide this as a computed_field in prep for removal
@@ -25,7 +30,8 @@ class Deployment(SecurityContentObject):
     @property
     def tags(self)->dict[str,DeploymentType]:
         return {"type": self.type}
-    
+
+        
     @staticmethod
     def getDeployment(v:dict[str,Any], info:ValidationInfo)->Deployment:
         if v != {}:
@@ -36,8 +42,17 @@ class Deployment(SecurityContentObject):
             detection_name = info.data.get("name", None)
             if detection_name is None:
                 raise ValueError("Could not create inline deployment - Baseline or Detection lacking 'name' field,")
+
+            # Add a number of static values            
+            v.update({
+              'name': f"{detection_name} - Inline Deployment",
+              'id':uuid.uuid4(),
+              'date': datetime.date.today(),
+              'description': "Inline deployment created at runtime.",
+              'author': "contentctl tool"
+            })
+
             
-            v['name'] = f"{detection_name} - Inline Deployment"
             # This constructs a temporary in-memory deployment,
             # allowing the deployment to be easily defined in the 
             # detection on a per detection basis.

contentctl/objects/detection_metadata.py

@@ -0,0 +1,71 @@
+import uuid
+from typing import Any
+
+from pydantic import BaseModel, Field, field_validator
+
+
+class DetectionMetadata(BaseModel):
+    """
+    A model of the metadata line in a detection stanza in savedsearches.conf
+    """
+    # A bool indicating whether the detection is deprecated (serialized as an int, 1 or 0)
+    deprecated: bool = Field(...)
+
+    # A UUID identifying the detection
+    detection_id: uuid.UUID = Field(...)
+
+    # The version of the detection
+    detection_version: int = Field(...)
+
+    # The time the detection was published. **NOTE** This field was added to the metadata in ESCU
+    # as of v4.39.0
+    publish_time: float = Field(...)
+
+    class Config:
+        # Allowing for future fields that may be added to the metadata JSON
+        extra = "allow"
+
+    @field_validator("deprecated", mode="before")
+    @classmethod
+    def validate_deprecated(cls, v: Any) -> Any:
+        """
+        Convert str to int, and then ints to bools for deprecated; raise if not 0 or 1 in the case
+        of an int, or if str cannot be converted to int.
+
+        :param v: the value passed
+        :type v: :class:`typing.Any`
+
+        :returns: the value
+        :rtype: :class:`typing.Any`
+        """
+        if isinstance(v, str):
+            try:
+                v = int(v)
+            except ValueError as e:
+                raise ValueError(f"Cannot convert str value ({v}) to int: {e}") from e
+        if isinstance(v, int):
+            if not (0 <= v <= 1):
+                raise ValueError(
+                    f"Value for field 'deprecated' ({v}) must be 0 or 1, if not a bool."
+                )
+            v = bool(v)
+        return v
+
+    @field_validator("detection_version", mode="before")
+    @classmethod
+    def validate_detection_version(cls, v: Any) -> Any:
+        """
+        Convert str to int; raise if str cannot be converted to int.
+
+        :param v: the value passed
+        :type v: :class:`typing.Any`
+
+        :returns: the value
+        :rtype: :class:`typing.Any`
+        """
+        if isinstance(v, str):
+            try:
+                v = int(v)
+            except ValueError as e:
+                raise ValueError(f"Cannot convert str value ({v}) to int: {e}") from e
+        return v

contentctl/objects/detection_stanza.py

@@ -0,0 +1,79 @@
+from typing import ClassVar
+import hashlib
+from functools import cached_property
+
+from pydantic import BaseModel, Field, computed_field
+
+from contentctl.objects.detection_metadata import DetectionMetadata
+
+
+class DetectionStanza(BaseModel):
+    """
+    A model representing a stanza for a detection in savedsearches.conf
+    """
+    # The lines that comprise this stanza, in the order they appear in the conf
+    lines: list[str] = Field(...)
+
+    # The full name of the detection (e.g. "ESCU - My Detection - Rule")
+    name: str = Field(...)
+
+    # The key prefix indicating the metadata attribute
+    METADATA_LINE_PREFIX: ClassVar[str] = "action.correlationsearch.metadata = "
+
+    @computed_field
+    @cached_property
+    def metadata(self) -> DetectionMetadata:
+        """
+        The metadata extracted from the stanza. Using the provided lines, parse out the metadata
+
+        :returns: the detection stanza's metadata
+        :rtype: :class:`contentctl.objects.detection_metadata.DetectionMetadata`
+        """
+        # Set a variable to store the metadata line in
+        meta_line: str | None = None
+
+        # Iterate over the lines to look for the metadata line
+        for line in self.lines:
+            if line.startswith(DetectionStanza.METADATA_LINE_PREFIX):
+                # If we find a matching line more than once, we've hit an error
+                if meta_line is not None:
+                    raise Exception(
+                        f"Metadata for detection '{self.name}' found twice in stanza."
+                    )
+                meta_line = line
+
+        # Report if we could not find the metadata line
+        if meta_line is None:
+            raise Exception(f"No metadata for detection '{self.name}' found in stanza.")
+
+        # Parse the metadata JSON into a model
+        return DetectionMetadata.model_validate_json(meta_line[len(DetectionStanza.METADATA_LINE_PREFIX):])
+
+    @computed_field
+    @cached_property
+    def hash(self) -> str:
+        """
+        The SHA256 hash of the lines of the stanza, excluding the metadata line
+
+        :returns: hexdigest
+        :rtype: str
+        """
+        hash = hashlib.sha256()
+        for line in self.lines:
+            if not line.startswith(DetectionStanza.METADATA_LINE_PREFIX):
+                hash.update(line.encode("utf-8"))
+        return hash.hexdigest()
+
+    def version_should_be_bumped(self, previous: "DetectionStanza") -> bool:
+        """
+        A helper method that compares this stanza against the same stanza from a previous build;
+        returns True if the version still needs to be bumped (e.g. the detection was changed but
+        the version was not), False otherwise.
+
+        :param previous: the previous build's DetectionStanza for comparison
+        :type previous: :class:`contentctl.objects.detection_stanza.DetectionStanza`
+
+        :returns: True if the version still needs to be bumped
+        :rtype: bool
+        """
+        return (self.hash != previous.hash) and (self.metadata.detection_version <= previous.metadata.detection_version)

contentctl/objects/detection_tags.py

@@ -1,6 +1,6 @@
 from __future__ import annotations
 import uuid
-from typing import TYPE_CHECKING, List, Optional, Annotated, Union
+from typing import TYPE_CHECKING, List, Optional, Union
 from pydantic import (
     BaseModel,
     Field,
@@ -16,6 +16,7 @@ from pydantic import (
     model_validator
 )
 from contentctl.objects.story import Story
+from contentctl.objects.throttling import Throttling
 if TYPE_CHECKING:
     from contentctl.input.director import DirectorOutputDto
 
@@ -29,10 +30,9 @@ from contentctl.objects.enums import (
     RiskSeverity,
     KillChainPhase,
     NistCategory,
-    RiskLevel,
     SecurityContentProductName
 )
-from contentctl.objects.atomic import AtomicTest
+from contentctl.objects.atomic import AtomicEnrichment, AtomicTest
 from contentctl.objects.annotated_types import MITRE_ATTACK_ID_TYPE, CVE_TYPE
 
 # TODO (#266): disable the use_enum_values configuration
@@ -49,6 +49,23 @@ class DetectionTags(BaseModel):
     @property
     def risk_score(self) -> int:
         return round((self.confidence * self.impact)/100)
+    
+    @computed_field
+    @property
+    def severity(self)->RiskSeverity:
+        if 0 <= self.risk_score <= 20:
+            return RiskSeverity.INFORMATIONAL
+        elif 20 < self.risk_score <= 40:
+            return RiskSeverity.LOW
+        elif 40 < self.risk_score <= 60:
+            return RiskSeverity.MEDIUM
+        elif 60 < self.risk_score <= 80:
+            return RiskSeverity.HIGH
+        elif 80 < self.risk_score <= 100:
+            return RiskSeverity.CRITICAL
+        else:
+            raise Exception(f"Error getting severity - risk_score must be between 0-100, but was actually {self.risk_score}")
+
 
     mitre_attack_id: List[MITRE_ATTACK_ID_TYPE] = []
     nist: list[NistCategory] = []
@@ -58,31 +75,16 @@ class DetectionTags(BaseModel):
     message: str = Field(...)
     product: list[SecurityContentProductName] = Field(..., min_length=1)
     required_fields: list[str] = Field(min_length=1)
-
+    throttling: Optional[Throttling] = None
     security_domain: SecurityDomain = Field(...)
-
-    @computed_field
-    @property
-    def risk_severity(self) -> RiskSeverity:
-        if self.risk_score >= 80:
-            return RiskSeverity('high')
-        elif (self.risk_score >= 50 and self.risk_score <= 79):
-            return RiskSeverity('medium')
-        else:
-            return RiskSeverity('low')
-
     cve: List[CVE_TYPE] = []
     atomic_guid: List[AtomicTest] = []
-    drilldown_search: Optional[str] = None
+    
 
     # enrichment
     mitre_attack_enrichments: List[MitreAttackEnrichment] = Field([], validate_default=True)
     confidence_id: Optional[PositiveInt] = Field(None, ge=1, le=3)
     impact_id: Optional[PositiveInt] = Field(None, ge=1, le=5)
-    # context_ids: list = None
-    risk_level_id: Optional[NonNegativeInt] = Field(None, le=4)
-    risk_level: Optional[RiskLevel] = None
-    # observable_str: str = None
     evidence_str: Optional[str] = None
 
     @computed_field
@@ -112,7 +114,7 @@ class DetectionTags(BaseModel):
 
     # TODO (#268): Validate manual_test has length > 0 if not None
     manual_test: Optional[str] = None
-
+    
     # The following validator is temporarily disabled pending further discussions
     # @validator('message')
     # def validate_message(cls,v,values):
@@ -158,7 +160,7 @@ class DetectionTags(BaseModel):
             "message": self.message,
             "risk_score": self.risk_score,
             "security_domain": self.security_domain,
-            "risk_severity": self.risk_severity,
+            "risk_severity": self.severity,
             "mitre_attack_id": self.mitre_attack_id,
             "mitre_attack_enrichments": self.mitre_attack_enrichments
         }
@@ -240,7 +242,7 @@ class DetectionTags(BaseModel):
         if output_dto is None:
             raise ValueError("Context not provided to detection.detection_tags.atomic_guid validator")
 
-        all_tests: None | List[AtomicTest] = output_dto.atomic_tests
+        atomic_enrichment: AtomicEnrichment = output_dto.atomic_enrichment
 
         matched_tests: List[AtomicTest] = []
         missing_tests: List[UUID4] = []
@@ -254,7 +256,7 @@ class DetectionTags(BaseModel):
                 badly_formatted_guids.append(str(atomic_guid_str))
                 continue
             try:
-                matched_tests.append(AtomicTest.getAtomicByAtomicGuid(atomic_guid, all_tests))
+                matched_tests.append(atomic_enrichment.getAtomic(atomic_guid))
             except Exception:
                 missing_tests.append(atomic_guid)
 
@@ -265,7 +267,7 @@ class DetectionTags(BaseModel):
                 f"\n\tPlease review the output above for potential exception(s) when parsing the "
                 "Atomic Red Team Repo."
                 "\n\tVerify that these auto_generated_guid exist and try updating/pulling the "
-                f"repo again.: {[str(guid) for guid in missing_tests]}"
+                f"repo again: {[str(guid) for guid in missing_tests]}"
             )
         else:
             missing_tests_string = ""
@@ -278,6 +280,6 @@ class DetectionTags(BaseModel):
             raise ValueError(f"{bad_guids_string}{missing_tests_string}")
 
         elif len(missing_tests) > 0:
-            print(missing_tests_string)
+            raise ValueError(missing_tests_string)
 
         return matched_tests + [AtomicTest.AtomicTestWhenTestIsMissing(test) for test in missing_tests]

contentctl/objects/drilldown.py

@@ -0,0 +1,70 @@
+from __future__ import annotations
+from pydantic import BaseModel, Field, model_serializer
+from typing import TYPE_CHECKING
+if TYPE_CHECKING:
+    from contentctl.objects.detection import Detection
+from contentctl.objects.enums import AnalyticsType
+DRILLDOWN_SEARCH_PLACEHOLDER = "%original_detection_search%"
+EARLIEST_OFFSET = "$info_min_time$"
+LATEST_OFFSET = "$info_max_time$"
+RISK_SEARCH = "index = risk  starthoursago = 168 endhoursago = 0 | stats count values(search_name) values(risk_message) values(analyticstories) values(annotations._all) values(annotations.mitre_attack.mitre_tactic) "
+
+class Drilldown(BaseModel):
+    name: str = Field(..., description="The name of the drilldown search", min_length=5)
+    search: str = Field(..., description="The text of a drilldown search. This must be valid SPL.", min_length=1)
+    earliest_offset:None | str = Field(..., 
+                                description="Earliest offset time for the drilldown search. "
+                                f"The most common value for this field is '{EARLIEST_OFFSET}', "
+                                "but it is NOT the default value and must be supplied explicitly.", 
+                                min_length= 1)
+    latest_offset:None | str = Field(..., 
+                              description="Latest offset time for the driolldown search. "
+                              f"The most common value for this field is '{LATEST_OFFSET}', "
+                              "but it is NOT the default value and must be supplied explicitly.", 
+                              min_length= 1)
+
+    @classmethod
+    def constructDrilldownsFromDetection(cls, detection: Detection) -> list[Drilldown]:
+        victim_observables = [o for o in detection.tags.observable if o.role[0] == "Victim"] 
+        if len(victim_observables) == 0 or detection.type == AnalyticsType.Hunting:
+            # No victims, so no drilldowns
+            return []
+        print(f"Adding default drilldowns for [{detection.name}]")
+        variableNamesString = ' and '.join([f"${o.name}$" for o in victim_observables])
+        nameField = f"View the detection results for {variableNamesString}"
+        appendedSearch =  " | search " + ' '.join([f"{o.name} = ${o.name}$" for o in victim_observables])
+        search_field = f"{detection.search}{appendedSearch}"
+        detection_results = cls(name=nameField, earliest_offset=EARLIEST_OFFSET, latest_offset=LATEST_OFFSET, search=search_field)
+        
+        
+        nameField = f"View risk events for the last 7 days for {variableNamesString}"
+        fieldNamesListString = ', '.join([o.name for o in victim_observables])
+        search_field = f"{RISK_SEARCH}by {fieldNamesListString} {appendedSearch}"
+        risk_events_last_7_days = cls(name=nameField, earliest_offset=None, latest_offset=None, search=search_field)
+
+        return [detection_results,risk_events_last_7_days]
+    
+
+    def perform_search_substitutions(self, detection:Detection)->None:
+        """Replaces the field DRILLDOWN_SEARCH_PLACEHOLDER (%original_detection_search%)
+        with the search contained in the detection. We do this so that the YML does not
+        need the search copy/pasted from the search field into the drilldown object.
+
+        Args:
+            detection (Detection): Detection to be used to update the search field of the drilldown
+        """             
+        self.search = self.search.replace(DRILLDOWN_SEARCH_PLACEHOLDER, detection.search)
+    
+
+    @model_serializer
+    def serialize_model(self) -> dict[str,str]:
+        #Call serializer for parent
+        model:dict[str,str] = {}
+
+        model['name'] = self.name
+        model['search'] = self.search
+        if self.earliest_offset is not None:
+            model['earliest_offset'] = self.earliest_offset
+        if self.latest_offset is not None:
+            model['latest_offset'] = self.latest_offset
+        return model

contentctl/objects/enums.py

@@ -54,8 +54,9 @@ class SecurityContentType(enum.Enum):
     deployments = 7
     investigations = 8
     unit_tests = 9
-    ssa_detections = 10
     data_sources = 11
+    dashboards = 12
+
 
 # Bringing these changes back in line will take some time after
 # the initial merge is complete
@@ -69,7 +70,6 @@ class SecurityContentType(enum.Enum):
 
 class SecurityContentProduct(enum.Enum):
     SPLUNK_APP = 1
-    SSA = 2
     API = 3
     CUSTOM = 4
 
@@ -197,21 +197,21 @@ class KillChainPhase(str, enum.Enum):
 class DataSource(str,enum.Enum):
     OSQUERY_ES_PROCESS_EVENTS = "OSQuery ES Process Events"
     POWERSHELL_4104 = "Powershell 4104"
-    SYSMON_EVENT_ID_1 = "Sysmon Event ID 1"
-    SYSMON_EVENT_ID_10 = "Sysmon Event ID 10"
-    SYSMON_EVENT_ID_11 = "Sysmon Event ID 11"
-    SYSMON_EVENT_ID_13 = "Sysmon Event ID 13"
-    SYSMON_EVENT_ID_15 = "Sysmon Event ID 15"
-    SYSMON_EVENT_ID_20 = "Sysmon Event ID 20"
-    SYSMON_EVENT_ID_21 = "Sysmon Event ID 21"
-    SYSMON_EVENT_ID_22 = "Sysmon Event ID 22"
-    SYSMON_EVENT_ID_23 = "Sysmon Event ID 23"
-    SYSMON_EVENT_ID_3 = "Sysmon Event ID 3"
-    SYSMON_EVENT_ID_5 = "Sysmon Event ID 5"
-    SYSMON_EVENT_ID_6 = "Sysmon Event ID 6"
-    SYSMON_EVENT_ID_7 = "Sysmon Event ID 7"
-    SYSMON_EVENT_ID_8 = "Sysmon Event ID 8"
-    SYSMON_EVENT_ID_9 = "Sysmon Event ID 9"
+    SYSMON_EVENT_ID_1 = "Sysmon EventID 1"
+    SYSMON_EVENT_ID_3 = "Sysmon EventID 3"
+    SYSMON_EVENT_ID_5 = "Sysmon EventID 5"
+    SYSMON_EVENT_ID_6 = "Sysmon EventID 6"
+    SYSMON_EVENT_ID_7 = "Sysmon EventID 7"
+    SYSMON_EVENT_ID_8 = "Sysmon EventID 8"
+    SYSMON_EVENT_ID_9 = "Sysmon EventID 9"
+    SYSMON_EVENT_ID_10 = "Sysmon EventID 10"
+    SYSMON_EVENT_ID_11 = "Sysmon EventID 11"
+    SYSMON_EVENT_ID_13 = "Sysmon EventID 13"
+    SYSMON_EVENT_ID_15 = "Sysmon EventID 15"
+    SYSMON_EVENT_ID_20 = "Sysmon EventID 20"
+    SYSMON_EVENT_ID_21 = "Sysmon EventID 21"
+    SYSMON_EVENT_ID_22 = "Sysmon EventID 22"
+    SYSMON_EVENT_ID_23 = "Sysmon EventID 23"
     WINDOWS_SECURITY_4624 = "Windows Security 4624"
     WINDOWS_SECURITY_4625 = "Windows Security 4625"
     WINDOWS_SECURITY_4648 = "Windows Security 4648"
@@ -407,14 +407,16 @@ class NistCategory(str, enum.Enum):
     RC_IM = "RC.IM"
     RC_CO = "RC.CO"
 
-class RiskLevel(str,enum.Enum):
-    INFO = "Info"
-    LOW = "Low"
-    MEDIUM = "Medium"
-    HIGH = "High"
-    CRITICAL = "Critical"
-
 class RiskSeverity(str,enum.Enum):
+    # Levels taken from the following documentation link
+    # https://docs.splunk.com/Documentation/ES/7.3.2/User/RiskScoring
+    # 20 - info (0-20 for us)
+    # 40 - low (21-40 for us)
+    # 60 - medium (41-60 for us)
+    # 80 - high (61-80 for us)
+    # 100 - critical (81 - 100 for us)
+    INFORMATIONAL = "informational"
     LOW = "low"
     MEDIUM = "medium"
     HIGH = "high"
+    CRITICAL = "critical"