psengine 2.0.4__py3-none-any.whl

psengine/playbook_alerts/models/panel_status.py

@@ -0,0 +1,70 @@
+##################################### TERMS OF USE ###########################################
+# The following code is provided for demonstration purpose only, and should not be used      #
+# without independent verification. Recorded Future makes no representations or warranties,  #
+# express, implied, statutory, or otherwise, regarding any aspect of this code or of the     #
+# information it may retrieve, and provides it both strictly “as-is” and without assuming    #
+# responsibility for any information it may retrieve. Recorded Future shall not be liable    #
+# for, and you assume all risk of using, the foregoing. By using this code, Customer         #
+# represents that it is solely responsible for having all necessary licenses, permissions,   #
+# rights, and/or consents to connect to third party APIs, and that it is solely responsible  #
+# for having all necessary licenses, permissions, rights, and/or consents to any data        #
+# accessed from any third party API.                                                         #
+##############################################################################################
+
+import contextlib
+from datetime import datetime
+from typing import Optional, Union
+
+from pydantic import model_validator
+
+from ...common_models import RFBaseModel
+from ..models.common_models import ResolvedEntity
+
+
+class Organisation(RFBaseModel):
+    organisation_id: str
+    organisation_name: str
+
+
+class OwnerOrganisationDetails(RFBaseModel):
+    organisations: list[Organisation]
+    enterprise_id: str
+    enterprise_name: str
+
+
+class PanelStatus(RFBaseModel):
+    status: str
+    priority: str
+    reopen: Optional[str] = None
+    assignee_name: Optional[str] = None
+    assignee_id: Optional[str] = None
+    created: datetime
+    updated: datetime
+    case_rule_id: Optional[str] = None
+    case_rule_label: Optional[str] = None
+    creator_name: Optional[str] = None
+    creator_id: Optional[str] = None
+    owner_organisation_details: Optional[OwnerOrganisationDetails] = None
+    entity_id: Optional[str] = None
+    entity_name: Optional[str] = None
+    actions_taken: list[str]
+    targets: Optional[list[Union[ResolvedEntity, str]]] = []
+
+    @model_validator(mode='before')
+    @classmethod
+    def rm_deprecated(cls, data):
+        """Remove deprecated fields."""
+        for key in ('owner_id', 'owner_name', 'organisation_id', 'organisation_name'):
+            with contextlib.suppress(KeyError):
+                del data[key]
+        return data
+
+
+class PanelAction(RFBaseModel):
+    action: Optional[str] = None
+    updated: Optional[datetime] = None
+    assignee_name: Optional[str] = None
+    assignee_id: Optional[str] = None
+    status: Optional[str] = None
+    description: Optional[str] = None
+    link: Optional[str] = None

psengine/playbook_alerts/models/pba_code_repo_leak.py

@@ -0,0 +1,52 @@
+##################################### TERMS OF USE ###########################################
+# The following code is provided for demonstration purpose only, and should not be used      #
+# without independent verification. Recorded Future makes no representations or warranties,  #
+# express, implied, statutory, or otherwise, regarding any aspect of this code or of the     #
+# information it may retrieve, and provides it both strictly “as-is” and without assuming    #
+# responsibility for any information it may retrieve. Recorded Future shall not be liable    #
+# for, and you assume all risk of using, the foregoing. By using this code, Customer         #
+# represents that it is solely responsible for having all necessary licenses, permissions,   #
+# rights, and/or consents to connect to third party APIs, and that it is solely responsible  #
+# for having all necessary licenses, permissions, rights, and/or consents to any data        #
+# accessed from any third party API.                                                         #
+##############################################################################################
+
+from datetime import datetime
+from typing import Optional
+
+from pydantic import Field, HttpUrl
+
+from ...common_models import RFBaseModel
+from ..models.common_models import ResolvedEntity
+from ..models.panel_status import PanelStatus
+
+
+class CodeRepoPanelStatus(PanelStatus):
+    risk_score: Optional[int] = None
+    entity_criticality: Optional[str] = None
+    targets: Optional[list[ResolvedEntity]] = []
+
+
+class Repository(RFBaseModel):
+    id_: str = Field(alias='id', default=None)
+    name: Optional[str] = None
+    owner: Optional[ResolvedEntity] = None
+
+
+class Assessment(RFBaseModel):
+    id_: str = Field(alias='id')
+    title: Optional[str] = None
+    value: Optional[str] = None
+
+
+class Evidence(RFBaseModel):
+    assessments: list[Assessment]
+    targets: list[ResolvedEntity]
+    url: Optional[HttpUrl] = None
+    content: str
+    published: datetime
+
+
+class CodeRepoEvidencePanel(RFBaseModel):
+    repository: Optional[Repository] = Field(default_factory=Repository)
+    evidence: Optional[list[Evidence]] = []

psengine/playbook_alerts/models/pba_cyber_vulnerability.py

@@ -0,0 +1,53 @@
+##################################### TERMS OF USE ###########################################
+# The following code is provided for demonstration purpose only, and should not be used      #
+# without independent verification. Recorded Future makes no representations or warranties,  #
+# express, implied, statutory, or otherwise, regarding any aspect of this code or of the     #
+# information it may retrieve, and provides it both strictly “as-is” and without assuming    #
+# responsibility for any information it may retrieve. Recorded Future shall not be liable    #
+# for, and you assume all risk of using, the foregoing. By using this code, Customer         #
+# represents that it is solely responsible for having all necessary licenses, permissions,   #
+# rights, and/or consents to connect to third party APIs, and that it is solely responsible  #
+# for having all necessary licenses, permissions, rights, and/or consents to any data        #
+# accessed from any third party API.                                                         #
+##############################################################################################
+
+from datetime import datetime
+from typing import Optional
+
+from pydantic import Field
+
+from ...common_models import RFBaseModel
+from ..models.common_models import ResolvedEntity
+from ..models.panel_status import PanelStatus
+
+
+class CyberVulnerabilityPanelStatus(PanelStatus):
+    risk_score: Optional[int] = None
+    entity_criticality: Optional[str] = None
+    targets: Optional[list[ResolvedEntity]] = []
+    lifecycle_stage: Optional[str] = None
+
+
+class VulnerabilityRiskRules(RFBaseModel):
+    rule: str
+    description: str
+
+
+class VulnerabilitySummary(RFBaseModel):
+    targets: Optional[list[ResolvedEntity]] = []
+    lifecycle_stage: Optional[str] = None
+    risk_rules: Optional[list[VulnerabilityRiskRules]] = []
+
+
+class InsiktNote(RFBaseModel):
+    id_: str = Field(alias='id')
+    title: str
+    published: datetime
+    topic: str
+    fragment: str
+
+
+class CyberVulnerabilityEvidencePanel(RFBaseModel):
+    summary: Optional[VulnerabilitySummary] = Field(default_factory=VulnerabilitySummary)
+    affected_products: Optional[list[ResolvedEntity]] = []
+    insikt_notes: Optional[list[InsiktNote]] = []

psengine/playbook_alerts/models/pba_domain_abuse.py

@@ -0,0 +1,139 @@
+##################################### TERMS OF USE ###########################################
+# The following code is provided for demonstration purpose only, and should not be used      #
+# without independent verification. Recorded Future makes no representations or warranties,  #
+# express, implied, statutory, or otherwise, regarding any aspect of this code or of the     #
+# information it may retrieve, and provides it both strictly “as-is” and without assuming    #
+# responsibility for any information it may retrieve. Recorded Future shall not be liable    #
+# for, and you assume all risk of using, the foregoing. By using this code, Customer         #
+# represents that it is solely responsible for having all necessary licenses, permissions,   #
+# rights, and/or consents to connect to third party APIs, and that it is solely responsible  #
+# for having all necessary licenses, permissions, rights, and/or consents to any data        #
+# accessed from any third party API.                                                         #
+##############################################################################################
+
+from datetime import datetime
+from typing import Optional, Union
+
+from pydantic import Field
+
+from ...common_models import IdNameType, RFBaseModel
+from ..models.panel_status import PanelStatus
+
+
+class Context(RFBaseModel):
+    context: str
+
+
+class DomainAbusePanelStatus(PanelStatus):
+    entity_criticality: Optional[str] = None
+    risk_score: Optional[int] = None
+    context_list: Optional[list[Context]] = []
+    targets: Optional[list[str]] = []
+
+
+class ResolvedRecord(RFBaseModel):
+    entity: Optional[str] = None
+    record: Optional[str] = None
+    risk_score: Optional[int] = None
+    criticality: Optional[str] = None
+    record_type: Optional[str] = None
+    context_list: Optional[list[Context]] = []
+
+
+class Reregistration(RFBaseModel):
+    registrar: Optional[str] = None
+    registrar_name: Optional[str] = None
+    expiration: Optional[datetime] = None
+
+
+class MentionedEntity(RFBaseModel):
+    entity: Optional[IdNameType] = Field(default_factory=IdNameType)
+    reference: str
+    fragment: str
+
+
+class MentionedKeyword(RFBaseModel):
+    entity: Optional[IdNameType] = Field(default_factory=IdNameType)
+    reference: str
+    fragment: str
+    keyword: str
+
+
+class ScreenshotMention(RFBaseModel):
+    url: Optional[str] = None
+    screenshot: Optional[str] = None
+    document: Optional[str] = None
+    analyzed: Optional[str] = None
+    mentioned_entities: Optional[list[MentionedEntity]] = []
+    mentioned_custom_keywords: Optional[list[MentionedKeyword]] = []
+
+
+class KeywordInDomain(RFBaseModel):
+    word: Optional[str] = None
+    domain: Optional[str] = None
+
+
+class Keywords(RFBaseModel):
+    security_keywords_in_domain_name: Optional[list[KeywordInDomain]] = []
+    payment_keywords_in_domain_name: Optional[list[KeywordInDomain]] = []
+
+
+class Screenshot(RFBaseModel):
+    description: str
+    image_id: str
+    created: datetime
+    tag: Optional[str] = None
+
+
+class DomainAbuseEvidenceSummary(RFBaseModel):
+    explanation: Optional[str] = None
+    resolved_record_list: Optional[list[ResolvedRecord]] = []
+    screenshots: Optional[list[Screenshot]] = []
+    reregistration: Optional[Reregistration] = Field(default_factory=Reregistration)
+    screenshot_mentions: Optional[list[ScreenshotMention]] = []
+    keywords_in_domain_name: Optional[Keywords] = Field(default_factory=Keywords)
+
+
+class DomainAbuseEvidenceDns(RFBaseModel):
+    ip_list: Optional[list[ResolvedRecord]] = []
+    mx_list: Optional[list[ResolvedRecord]] = []
+    ns_list: Optional[list[ResolvedRecord]] = []
+
+
+class ValueServer(RFBaseModel):
+    status: Optional[str] = None
+    registrar_name: Optional[str] = Field(alias='registrarName', default=None)
+    private_registration: Optional[bool] = Field(alias='privateRegistration', default=None)
+    name_servers: Optional[list[str]] = Field(alias='nameServers', default=[])
+    contact_email: Optional[str] = Field(alias='contactEmail', default=None)
+    created_date: Optional[datetime] = Field(alias='createdDate', default=None)
+    updated_date: Optional[datetime] = Field(alias='updatedDate', default=None)
+    expires_date: Optional[datetime] = Field(alias='expiresDate', default=None)
+
+
+class ValueLocation(RFBaseModel):
+    type_: str = Field(alias='type', default=None)
+    telephone: Optional[str] = None
+    street1: Optional[str] = None
+    state: Optional[str] = None
+    postal_code: Optional[str] = Field(alias='postalCode', default=None)
+    organization: Optional[str] = None
+    name: Optional[str] = None
+    fax: Optional[str] = None
+    email: Optional[str] = None
+    country_code: Optional[str] = Field(alias='countryCode', default=None)
+    country: Optional[str] = None
+    city: Optional[str] = None
+
+
+class WhoisAttribute(RFBaseModel):
+    provider: str
+    entity: str
+    attribute: str
+    value: Union[ValueServer, ValueLocation]
+    added: datetime = None
+    removed: Optional[datetime] = None
+
+
+class DomainAbuseEvidenceWhois(RFBaseModel):
+    body: Optional[list[WhoisAttribute]] = []

psengine/playbook_alerts/models/pba_identity_exposures.py

@@ -0,0 +1,93 @@
+##################################### TERMS OF USE ###########################################
+# The following code is provided for demonstration purpose only, and should not be used      #
+# without independent verification. Recorded Future makes no representations or warranties,  #
+# express, implied, statutory, or otherwise, regarding any aspect of this code or of the     #
+# information it may retrieve, and provides it both strictly “as-is” and without assuming    #
+# responsibility for any information it may retrieve. Recorded Future shall not be liable    #
+# for, and you assume all risk of using, the foregoing. By using this code, Customer         #
+# represents that it is solely responsible for having all necessary licenses, permissions,   #
+# rights, and/or consents to connect to third party APIs, and that it is solely responsible  #
+# for having all necessary licenses, permissions, rights, and/or consents to any data        #
+# accessed from any third party API.                                                         #
+##############################################################################################
+
+from datetime import datetime
+from typing import Optional
+
+from pydantic import Field, IPvAnyAddress
+
+from ...common_models import RFBaseModel
+from ..models.common_models import ResolvedEntity
+from ..models.panel_status import PanelStatus
+
+
+class Assessment(RFBaseModel):
+    name: str
+    criticality: str
+
+
+class PasswordDetails(RFBaseModel):
+    properties: Optional[list[str]] = []
+    rank: Optional[list[str]] = []
+    clear_text_value: Optional[str] = None
+    clear_text_hint: Optional[str] = None
+
+
+class PasswordHash(RFBaseModel):
+    algorithm: str
+    hash_: Optional[str] = Field(alias='hash', default=None)
+    hash_prefix: Optional[str] = None
+
+
+class ExposedSecret(RFBaseModel):
+    type_: str = Field(alias='type', default=None)
+    effectively_clear: Optional[bool] = None
+    hashes: Optional[list[PasswordHash]] = []
+    details: Optional[PasswordDetails] = Field(default_factory=PasswordDetails)
+
+
+class Dump(RFBaseModel):
+    name: Optional[str] = None
+    description: Optional[str] = None
+
+
+class MalwareFamily(RFBaseModel):
+    id_: str = Field(alias='id', default=None)
+    name: Optional[str] = None
+
+
+class Infrastructure(RFBaseModel):
+    ip: Optional[IPvAnyAddress] = None
+
+
+class Technology(RFBaseModel):
+    name: str
+    id_: Optional[str] = Field(alias='id', default=None)
+    category: Optional[str] = None
+
+
+class CompromisedHost(RFBaseModel):
+    exfiltration_date: Optional[datetime] = None
+    os: Optional[str] = None
+    os_username: Optional[str] = None
+    malware_file: Optional[str] = None
+    timezone: Optional[str] = None
+    computer_name: Optional[str] = None
+    uac: Optional[str] = None
+    antivirus: Optional[list[str]] = []
+
+
+class IdentityPanelStatus(PanelStatus):
+    targets: Optional[list[ResolvedEntity]] = []
+
+
+class IdentityEvidencePanel(RFBaseModel):
+    assessments: Optional[list[Assessment]] = []
+    subject: Optional[str] = None
+    exposed_secret: Optional[ExposedSecret] = Field(default_factory=ExposedSecret)
+    dump: Optional[Dump] = Field(default_factory=Dump)
+    authorization_url: Optional[str] = None
+    compromised_host: Optional[CompromisedHost] = Field(default_factory=CompromisedHost)
+    malware_family: Optional[MalwareFamily] = Field(default_factory=MalwareFamily)
+    infrastructure: Optional[Infrastructure] = Field(default_factory=Infrastructure)
+    technologies: Optional[list[Technology]] = []

psengine/playbook_alerts/models/pba_third_party_risk.py

@@ -0,0 +1,103 @@
+##################################### TERMS OF USE ###########################################
+# The following code is provided for demonstration purpose only, and should not be used      #
+# without independent verification. Recorded Future makes no representations or warranties,  #
+# express, implied, statutory, or otherwise, regarding any aspect of this code or of the     #
+# information it may retrieve, and provides it both strictly “as-is” and without assuming    #
+# responsibility for any information it may retrieve. Recorded Future shall not be liable    #
+# for, and you assume all risk of using, the foregoing. By using this code, Customer         #
+# represents that it is solely responsible for having all necessary licenses, permissions,   #
+# rights, and/or consents to connect to third party APIs, and that it is solely responsible  #
+# for having all necessary licenses, permissions, rights, and/or consents to any data        #
+# accessed from any third party API.                                                         #
+##############################################################################################
+
+from datetime import datetime
+from typing import Optional
+
+from pydantic import Field, model_validator
+
+from ...common_models import RFBaseModel
+from ..models.common_models import ResolvedEntity
+from ..models.panel_status import PanelStatus
+
+
+class TPRPanelStatus(PanelStatus):
+    risk_score: Optional[int] = None
+    entity_criticality: Optional[str] = None
+    targets: Optional[list[ResolvedEntity]] = []
+
+
+class InsiktNote(RFBaseModel):
+    id_: str = Field(alias='id')
+    title: Optional[str] = None
+    published: Optional[datetime] = None
+    topic: Optional[str] = None
+    fragment: Optional[str] = None
+
+
+class ObservedNetworkTraffic(RFBaseModel):
+    recent_timestamp: datetime
+    malware_family: Optional[str] = None
+    client_ip_address: Optional[str] = None
+    malware_ip_address: Optional[str] = None
+
+
+class SummaryString(RFBaseModel):
+    data: list
+    summary: str
+
+
+class Reference(RFBaseModel):
+    title: Optional[str] = None
+    fragment: Optional[str] = None
+    published: datetime
+    document_url: Optional[str] = None
+    source: Optional[str] = None
+
+
+class IpRule(RFBaseModel):
+    name: str
+    criticality: int
+    number_of_ip_addresses: int
+
+
+class CyberTrend(RFBaseModel):
+    date: datetime
+    criticality: int
+    number_of_references: int
+
+
+class Evidence(RFBaseModel):
+    summary: str
+    type_: str = Field(alias='type')
+    data: list
+
+    @model_validator(mode='after')
+    @classmethod
+    def check_data_type(cls, evidence: 'Evidence'):
+        """Check if evidence type is supported and validate it."""
+        type_mapping = {
+            'ip_rule': IpRule,
+            'cyber_trend': CyberTrend,
+            'insikt_note': InsiktNote,
+            'reference': Reference,
+            'hosts_communication': ObservedNetworkTraffic,
+            'summary_string': SummaryString,
+        }
+        evidence.data = [
+            model.model_validate(obj)
+            for obj in evidence.data
+            if (model := type_mapping.get(evidence.type_))
+        ]
+        return evidence
+
+
+class Assessment(RFBaseModel):
+    risk_rule: str
+    level: int
+    added: datetime
+    evidence: Evidence
+
+
+class TPREvidencePanel(RFBaseModel):
+    assessments: Optional[list[Assessment]] = []

psengine/playbook_alerts/models/search_endpoint.py

@@ -0,0 +1,68 @@
+##################################### TERMS OF USE ###########################################
+# The following code is provided for demonstration purpose only, and should not be used      #
+# without independent verification. Recorded Future makes no representations or warranties,  #
+# express, implied, statutory, or otherwise, regarding any aspect of this code or of the     #
+# information it may retrieve, and provides it both strictly “as-is” and without assuming    #
+# responsibility for any information it may retrieve. Recorded Future shall not be liable    #
+# for, and you assume all risk of using, the foregoing. By using this code, Customer         #
+# represents that it is solely responsible for having all necessary licenses, permissions,   #
+# rights, and/or consents to connect to third party APIs, and that it is solely responsible  #
+# for having all necessary licenses, permissions, rights, and/or consents to any data        #
+# accessed from any third party API.                                                         #
+##############################################################################################
+
+import contextlib
+from datetime import datetime
+from typing import Optional
+
+from pydantic import Field, model_validator
+
+from ...common_models import RFBaseModel
+from ..models.panel_status import OwnerOrganisationDetails
+
+
+class DatetimeRange(RFBaseModel):
+    from_: Optional[datetime] = Field(alias='from', default=None)
+    until: Optional[datetime] = None
+
+
+class SearchStatus(RFBaseModel):
+    status_code: str
+    status_message: str
+
+
+class SearchData(RFBaseModel):
+    playbook_alert_id: str
+    status: str
+    priority: str
+    reopen: Optional[str] = None
+    created: datetime
+    updated: datetime
+    category: str
+    title: str
+    assignee_name: Optional[str] = None
+    assignee_id: Optional[str] = None
+    owner_organisation_details: Optional[OwnerOrganisationDetails] = None
+    actions_taken: list[str]
+
+    @model_validator(mode='before')
+    @classmethod
+    def rm_deprecated(cls, data):
+        """Remove deprecated fields."""
+        for key in ('owner_id', 'owner_name', 'organisation_id', 'organisation_name'):
+            with contextlib.suppress(KeyError):
+                del data[key]
+        return data
+
+
+class SearchCounts(RFBaseModel):
+    returned: int
+    total: int
+
+
+class SearchResponse(RFBaseModel):
+    """Model for payload received by /search endpoint."""
+
+    status: SearchStatus
+    data: list[SearchData]
+    counts: SearchCounts

psengine/playbook_alerts/pa_category.py

@@ -0,0 +1,37 @@
+##################################### TERMS OF USE ###########################################
+# The following code is provided for demonstration purpose only, and should not be used      #
+# without independent verification. Recorded Future makes no representations or warranties,  #
+# express, implied, statutory, or otherwise, regarding any aspect of this code or of the     #
+# information it may retrieve, and provides it both strictly “as-is” and without assuming    #
+# responsibility for any information it may retrieve. Recorded Future shall not be liable    #
+# for, and you assume all risk of using, the foregoing. By using this code, Customer         #
+# represents that it is solely responsible for having all necessary licenses, permissions,   #
+# rights, and/or consents to connect to third party APIs, and that it is solely responsible  #
+# for having all necessary licenses, permissions, rights, and/or consents to any data        #
+# accessed from any third party API.                                                         #
+##############################################################################################
+
+from enum import Enum
+
+
+class PACategory(Enum):
+    """Playbook Alert categories as Enum."""
+
+    def __str__(self):
+        """String representation of the enum value."""
+        return str(self.value)
+
+    def lower(self):
+        """Return the lower case version of the enum value.
+
+        Returns:
+            str: lower case version of the enum value
+        """
+        return self.value.lower()
+
+    DOMAIN_ABUSE = 'domain_abuse'
+    CYBER_VULNERABILITY = 'cyber_vulnerability'
+    THIRD_PARTY_RISK = 'third_party_risk'
+    CODE_REPO_LEAKAGE = 'code_repo_leakage'
+    IDENTITY_NOVEL_EXPOSURES = 'identity_novel_exposures'
+    UNMAPPED_ALERT = 'unmapped_alert'