psengine 2.0.5__tar.gz → 2.0.7__tar.gz

{psengine-2.0.5 → psengine-2.0.7}/PKG-INFO

@@ -1,11 +1,11 @@
 Metadata-Version: 2.4
 Name: psengine
-Version: 2.0.5
+Version: 2.0.7
 Summary: psengine is a simple, yet elegant, library for rapid development of integrations with Recorded Future.
 Author-email: Moise Medici <moise.medici@recordedfuture.com>, Patrick Kinsella <patrick.kinsella@recordedfuture.com>, Ernest Bartosevic <ernest.bartosevic@recordedfuture.com>
 License-Expression: MIT
 Project-URL: Homepage, https://github.com/RecordedFuture-ProfessionalServices/psengine
-Project-URL: Changelog, https://github.com/RecordedFuture-ProfessionalServices/psengine/CHANGELOG.rst
+Project-URL: Changelog, https://github.com/RecordedFuture-ProfessionalServices/psengine/blob/main/CHANGELOG.rst
 Keywords: API,Recorded Future,Cyber Security Engineering,Threat Intelligence
 Requires-Python: <3.14,>=3.9
 Description-Content-Type: text/x-rst
@@ -28,7 +28,7 @@ Requires-Dist: pytest-random-order==1.1.1; extra == "dev"
 Requires-Dist: pytest-vcr==1.0.2; extra == "dev"
 Requires-Dist: pytest-watch==4.2.0; extra == "dev"
 Requires-Dist: requests==2.29.0; extra == "dev"
-Requires-Dist: ruff~=0.7.0; extra == "dev"
+Requires-Dist: ruff~=0.11.0; extra == "dev"
 Requires-Dist: wheel==0.37.1; extra == "dev"
 Requires-Dist: setuptools==61.0.0; extra == "dev"
 Requires-Dist: Sphinx==7.1.2; extra == "dev"

{psengine-2.0.5 → psengine-2.0.7}/psengine/_version.py

@@ -11,4 +11,4 @@
 # accessed from any third party API.                                                         #
 ##############################################################################################
 
-__version__ = '2.0.5'
+__version__ = '2.0.7'

psengine-2.0.7/psengine/analyst_notes/markdown.py

@@ -0,0 +1,216 @@
+##################################### TERMS OF USE ###########################################
+# The following code is provided for demonstration purpose only, and should not be used      #
+# without independent verification. Recorded Future makes no representations or warranties,  #
+# express, implied, statutory, or otherwise, regarding any aspect of this code or of the     #
+# information it may retrieve, and provides it both strictly “as-is” and without assuming    #
+# responsibility for any information it may retrieve. Recorded Future shall not be liable    #
+# for, and you assume all risk of using, the foregoing. By using this code, Customer         #
+# represents that it is solely responsible for having all necessary licenses, permissions,   #
+# rights, and/or consents to connect to third party APIs, and that it is solely responsible  #
+# for having all necessary licenses, permissions, rights, and/or consents to any data        #
+# accessed from any third party API.                                                         #
+##############################################################################################
+
+import re
+from collections import defaultdict
+from itertools import chain
+from typing import TYPE_CHECKING
+
+from markdown_strings import bold, unordered_list
+
+from ..constants import TIMESTAMP_STR
+from ..endpoints import EP_ANALYST_NOTE_LOOKUP
+from ..markdown.markdown import MarkdownMaker, divider, html_collapsible
+
+if TYPE_CHECKING:
+    from ..analyst_notes import AnalystNote
+
+EXTRACTED_KEYS = {
+    'AttackVector': 'Attack Vector',
+    'Malware': 'Malware',
+    'MalwareCategory': 'Malware Category',
+    'WinRegKey': 'Windows Registry Key',
+    'Hash': 'Hash',
+}
+
+
+def _cleanup_insikt_note_text(note_text: str) -> str:
+    """Clean up insikt note text to avoid markdown rendering issues."""
+    translation = {
+        r'\•': '+ ',
+        r'--+': '',
+        r'>>+': '',
+        r'<<+': '',
+        r'\*\*': '••',
+        r'#': '\\#',
+        r'_': '\\_',
+    }
+    for k, v in translation.items():
+        note_text = re.sub(k, v, note_text)
+
+    return note_text
+
+
+def _entity_by_type_list(entities: list, entity_type: str) -> list:
+    """Extract all the related entities by type."""
+    return sorted({entity.name for entity in entities if entity.type_ == entity_type})
+
+
+def _vuln_list(entities: list) -> list:
+    """Extract all the vulnerabilities and add the description if present."""
+    vulns = [entity for entity in entities if entity.type_ == 'CyberVulnerability']
+
+    texts = []
+    for vuln in sorted(vulns, key=lambda x: x.name):
+        text = bold(vuln.name)
+        if vuln.description:
+            descr = vuln.description.replace('\n', ' ')
+            text = f'{text}: {descr}'
+        texts.append(text)
+
+    return texts
+
+
+def _add_extra_entities(note: 'AnalystNote', html_tags: bool, md_maker: MarkdownMaker):
+    """Add the Entities Extracted block for EXTRACTED_KEYS types."""
+    data = defaultdict(list)
+    entities = list(chain(note.attributes.note_entities, note.attributes.context_entities))
+
+    for entity_type, clean_entity_type in EXTRACTED_KEYS.items():
+        if extracted := _entity_by_type_list(entities, entity_type):
+            data[clean_entity_type].extend(extracted)
+
+    if vulns := _vuln_list(entities):
+        data['Vulnerability'].extend(vulns)
+
+    data = dict(sorted(data.items()))
+    if data:
+        if html_tags:
+            md_maker.add_section(
+                'Entities',
+                [
+                    html_collapsible(f'<b>{k}</b>', '\n\n' + unordered_list(v, esc=False)) + '\n'
+                    if len(v) > 5
+                    else f'{bold(k)}\n{unordered_list(v, esc=False)}\n\n'
+                    for k, v in data.items()
+                ],
+            )
+        else:
+            md_maker.add_section(
+                'Entities',
+                [
+                    '\n'.join([bold(f'{k}:'), unordered_list(v, esc=False) + '\n'])
+                    for k, v in data.items()
+                ],
+            )
+
+
+def _add_diamond_model(
+    note: 'AnalystNote',
+    html_tags: bool,
+    defang_malicious_infrastructure: bool,
+    md_maker: MarkdownMaker,
+):
+    """Add all the Diamond Models if present.
+
+    Since a note can have more than one Diamond model for different targets/methods all will be
+    displayed.
+    The collapsible is only applied to the title (ie. Diamond Model 1) and each section that has
+    more than 5 entries.
+
+    """
+    html_title = '<h4>Cyber Attack'
+    diamond_models, data = [], []
+    for diamond_model in note.attributes.diamond_model:
+        model = {
+            'Malicious Infrastructure': [e.name for e in diamond_model.malicious_infrastructure],
+            'Capabilities': [e.name for e in diamond_model.capabilities],
+            'Adversary': [e.name for e in diamond_model.adversary],
+            'Target': [f'{e.name} ({e.type_})' for e in diamond_model.target],
+        }
+        if defang_malicious_infrastructure:
+            iocs = [ioc.replace('.', '[.]') for ioc in model['Malicious Infrastructure']]
+            model['Malicious Infrastructure'] = iocs
+
+        diamond_models.append({k: v for k, v in model.items() if v})
+
+    if html_tags:
+        data = [
+            html_collapsible(
+                f'{html_title} {i}{": " + model["Adversary"][0] if model.get("Adversary") else ""}',
+                '\n\n'
+                + ''.join(
+                    html_collapsible(f'<b>{section}</b>', f'\n\n{unordered_list(sorted(entities))}')
+                    + '\n'
+                    if len(entities) > 5
+                    else f'\n{bold(section)}\n\n{unordered_list(sorted(entities))}\n\n'
+                    for section, entities in model.items()
+                )
+                + f'\n{divider()}',
+            )
+            + '\n'
+            for i, model in enumerate(diamond_models, 1)
+        ]
+
+    else:
+        data = [
+            '\n'
+            + bold(
+                f'Cyber Attack {i}{": " + model["Adversary"][0] if model.get("Adversary") else ""}'
+            )
+            + '\n'
+            + '\n\n'.join(
+                [
+                    '\n' + section + ':\n' + unordered_list(sorted(entities))
+                    for section, entities in model.items()
+                ]
+            )
+            + f'\n{divider()}\n'
+            for i, model in enumerate(diamond_models, 1)
+        ]
+
+    if data:
+        md_maker.add_section('Diamond Models', data)
+
+
+def _markdown(
+    note: 'AnalystNote',
+    extract_entities: bool,
+    diamond_model: bool,
+    html_tags: bool,
+    defang_malicious_infrastructure: bool,
+    character_limit: int,
+) -> str:
+    """Main markdown function."""
+    md_maker = MarkdownMaker()
+    topic = (
+        note.attributes.topic
+        if isinstance(note.attributes.topic, list)
+        else [note.attributes.topic]
+    )
+    topic_str = f'{bold("Topic:")} {{}}' if len(topic) == 1 else f'{bold("Topics:")} {{}}'
+    intro = [
+        f'{bold("ID:")} {note.id_}  ',
+        f'{bold("Published:")} {note.attributes.published.strftime(TIMESTAMP_STR)}  ',
+        f'{bold("Source:")} {note.source.name}  ',
+        topic_str.format(', '.join(t.name for t in topic) + '  '),
+    ]
+    if validation_urls := '\n- '.join(url.name for url in note.attributes.validation_urls):
+        validation_urls = f'\n- {validation_urls}\n'
+        intro.append(f'{bold("Validation URLs:")} {validation_urls}')
+
+    intro.append(f'[API]({EP_ANALYST_NOTE_LOOKUP.format(note.id_)}) | [Portal]({note.portal_url})')
+
+    md_maker.add_title(note.attributes.title)
+    md_maker.add_section('Summary', intro)
+
+    if extract_entities:
+        _add_extra_entities(note, html_tags, md_maker)
+
+    if diamond_model:
+        _add_diamond_model(note, html_tags, defang_malicious_infrastructure, md_maker)
+
+    md_maker.add_section('Note', _cleanup_insikt_note_text(note.attributes.text))
+
+    output = md_maker.format_output()
+    return output if not character_limit else output[:character_limit]

{psengine-2.0.5 → psengine-2.0.7}/psengine/analyst_notes/note.py

@@ -19,6 +19,7 @@ from pydantic import Field
 from ..common_models import IdNameTypeDescription, RFBaseModel
 from ..constants import TIMESTAMP_STR
 from .constants import NOTES_PER_PAGE, URL_TO_PORTAL
+from .markdown import _markdown
 from .models import Attributes, PreviewAttributesIn, PreviewAttributesOut, RequestAttachment
 
 
@@ -98,6 +99,37 @@ class AnalystNote(RFBaseModel):
             return URL_TO_PORTAL.format(self.id_)
         return URL_TO_PORTAL.format(f'doc:{self.id_}')
 
+    def markdown(
+        self,
+        extract_entities: bool = True,
+        diamond_model: bool = True,
+        html_tags: bool = False,
+        defang_malicious_infrastructure: bool = False,
+        character_limit: int = None,
+    ) -> str:
+        """Return the markdown representation of the Note.
+
+        Args:
+            extract_entities (bool): Extract and include entities in the markdown. Defaults to True.
+            diamond_model (bool): Include a diamond model visualization. Defaults to True.
+            html_tags (bool): Include HTML tags in the output. Defaults to False.
+            defang_malicious_infrastructure (bool): Defang URLs or other malicious indicators.
+                Defaults to False.
+            character_limit (int, optional): Limit the output to a specified number of characters.
+                Defaults to None.
+
+        Returns:
+            str: The generated markdown string.
+        """
+        return _markdown(
+            self,
+            extract_entities=extract_entities,
+            diamond_model=diamond_model,
+            html_tags=html_tags,
+            defang_malicious_infrastructure=defang_malicious_infrastructure,
+            character_limit=character_limit,
+        )
+
 
 class AnalystNotePreviewIn(RFBaseModel):
     """Validate data sent to ``/preview`` endpoint."""

{psengine-2.0.5 → psengine-2.0.7}/psengine/base_http_client.py

@@ -8,7 +8,7 @@
 # represents that it is solely responsible for having all necessary licenses, permissions,   #
 # rights, and/or consents to connect to third party APIs, and that it is solely responsible  #
 # for having all necessary licenses, permissions, rights, and/or consents to any data        #
-# accessed from any third party API.                                                         #.
+# accessed from any third party API.                                                         #
 ##############################################################################################
 
 import json
@@ -16,7 +16,14 @@ import logging
 from typing import Union
 
 from pydantic import validate_call
-from requests import ConnectionError, ConnectTimeout, HTTPError, ReadTimeout, Session, adapters
+from requests import (
+    ConnectionError,  # noqa: A004
+    ConnectTimeout,
+    HTTPError,
+    ReadTimeout,
+    Session,
+    adapters,
+)
 from requests.adapters import HTTPAdapter, Retry
 from requests.exceptions import JSONDecodeError
 from requests.models import Response

{psengine-2.0.5 → psengine-2.0.7}/psengine/classic_alerts/classic_alert_mgr.py

@@ -13,7 +13,7 @@
 
 import logging
 from itertools import chain
-from typing import Optional, Union
+from typing import Annotated, Optional, Union
 
 from pydantic import Field, validate_call
 
@@ -26,8 +26,7 @@ from ..endpoints import (
     EP_CLASSIC_ALERTS_SEARCH,
     EP_CLASSIC_ALERTS_UPDATE,
 )
-from ..helpers import MultiThreadingHelper, debug_call
-from ..helpers.helpers import connection_exceptions
+from ..helpers import MultiThreadingHelper, connection_exceptions, debug_call
 from ..rf_client import RFClient
 from .classic_alert import AlertRuleOut, ClassicAlert, ClassicAlertHit
 from .constants import ALERTS_PER_PAGE, ALL_CA_FIELDS, REQUIRED_CA_FIELDS
@@ -126,20 +125,19 @@ class ClassicAlertMgr:
                 )
             )
 
-        elif isinstance(rule_id, list):
+        if isinstance(rule_id, list):
             return list(chain.from_iterable(self._search(rule, **params) for rule in rule_id))
 
-        elif isinstance(rule_id, str):
+        if isinstance(rule_id, str):
             return self._search(rule_id, **params)
-        else:
-            return self._search(**params)
+        return self._search(**params)
 
     @debug_call
     @validate_call
     @connection_exceptions(ignore_status_code=[], exception_to_raise=AlertFetchError)
     def fetch(
         self,
-        id_: str,
+        id_: Annotated[str, Field(min_length=4)],
         fields: Optional[list[str]] = ALL_CA_FIELDS,
         tagged_text: Optional[bool] = None,
     ) -> ClassicAlert:
@@ -418,8 +416,7 @@ class ClassicAlertMgr:
             JSON response
         """
         self.log.info(f'Updating alerts: {updates}')
-        response = self.rf_client.request('post', url=EP_CLASSIC_ALERTS_UPDATE, data=updates).json()
-        return response
+        return self.rf_client.request('post', url=EP_CLASSIC_ALERTS_UPDATE, data=updates).json()
 
     @debug_call
     @validate_call

{psengine-2.0.5 → psengine-2.0.7}/psengine/classic_alerts/markdown/__init__.py

@@ -10,4 +10,3 @@
 # for having all necessary licenses, permissions, rights, and/or consents to any data        #
 # accessed from any third party API.                                                         #
 ##############################################################################################
-

{psengine-2.0.5 → psengine-2.0.7}/psengine/classic_alerts/markdown/markdown.py

@@ -13,9 +13,13 @@
 
 import re
 from itertools import chain
+from typing import TYPE_CHECKING
 
 from markdown_strings import blockquote, bold, esc_format, link
 
+if TYPE_CHECKING:
+    from ..classic_alerts.classic_alert import ClassicAlert
+
 from ...constants import TIMESTAMP_STR, TRUNCATE_COMMENT
 from ...markdown import (
     MarkdownMaker,
@@ -44,7 +48,7 @@ def _clean_title(alert_title: str) -> str:
     return re.sub(expression, '', alert_title).strip()
 
 
-def _owner_org_markdown(classic_alert) -> list[str]:
+def _owner_org_markdown(classic_alert: 'ClassicAlert') -> list[str]:
     results = []
     details = classic_alert.owner_organisation_details
 
@@ -52,9 +56,9 @@ def _owner_org_markdown(classic_alert) -> list[str]:
         return []
 
     if details.enterprise_name:
-        results.append(f"{bold('Enterprise:')} {details.enterprise_name}  ")
+        results.append(f'{bold("Enterprise:")} {details.enterprise_name}  ')
     if details.owner_name:
-        results.append(f"{bold('Owner:')} {details.owner_name}  ")
+        results.append(f'{bold("Owner:")} {details.owner_name}  ')
 
     orgs = [[org.organisation_id, org.organisation_name] for org in details.organisations]
     orgs.insert(0, ['Organisation ID', 'Organisation Name'])
@@ -64,24 +68,24 @@ def _owner_org_markdown(classic_alert) -> list[str]:
 
 
 def _process_hit_fragment(
-    hit, include_triggered_by: bool, html_tags: bool, classic_alert
+    hit, include_triggered_by: bool, html_tags: bool, classic_alert: 'ClassicAlert'
 ) -> tuple[str, str]:
     content = []
     authors = ', '.join(author.name for author in hit.document.authors)
 
     title_line = f' From {hit.document.source.name}'
     if authors:
-        content.append(f"{bold('Author(s):')} {authors}\n")
+        content.append(f'{bold("Author(s):")} {authors}\n')
 
     if hit.document.title and hit.fragment:
         first_half_title = hit.document.title[: (len(hit.document.title) // 2)]
         if not hit.fragment.lower().startswith(first_half_title.lower()):
-            content.append(f"{bold('Title:')} {clean_text(hit.document.title)}\n")
+            content.append(f'{bold("Title:")} {clean_text(hit.document.title)}\n')
     elif hit.document.title and not hit.fragment:
-        content.append(f"{bold('Title:')} {clean_text(hit.document.title)}\n")
+        content.append(f'{bold("Title:")} {clean_text(hit.document.title)}\n')
 
     if hit.document.url:
-        content.append(f"{bold('URL:')} {hit.document.url}\n")
+        content.append(f'{bold("URL:")} {hit.document.url}\n')
 
     if hit.fragment:
         fragment = (
@@ -90,7 +94,8 @@ def _process_hit_fragment(
         content.append(f'{blockquote(fragment)}\n')
     else:
         content.append(
-            f"_Reference text is missing, check the Recorded Future {link('Portal', str(classic_alert.url.portal))} for more information._\n"  # noqa: E501
+            '_Reference text is missing, check the Recorded Future '
+            f'{link("Portal", str(classic_alert.url.portal))} for more information._\n'
         )
 
     if include_triggered_by:
@@ -101,7 +106,7 @@ def _process_hit_fragment(
                 triggered_by = TRIGGERED_BY_HTML.format(triggered_by)
                 content.append(triggered_by)
             else:
-                content.append(f"{bold('Triggered By:')}\n+ {triggered_by}\n")
+                content.append(f'{bold("Triggered By:")}\n+ {triggered_by}\n')
 
     return title_line, content
 
@@ -125,7 +130,7 @@ def _process_entities(entities, hit) -> list[list[str]]:
 
 
 def _hits_markdown(
-    classic_alert,
+    classic_alert: 'ClassicAlert',
     hits,
     include_fragment_entities: bool = True,
     include_triggered_by: bool = True,
@@ -167,7 +172,7 @@ def _hits_markdown(
     return sections
 
 
-def _enriched_entities_markdown(classic_alert) -> list:
+def _enriched_entities_markdown(classic_alert: 'ClassicAlert') -> list:
     results = []
     for entity in classic_alert.enriched_entities:
         if not entity.evidence:
@@ -175,10 +180,10 @@ def _enriched_entities_markdown(classic_alert) -> list:
 
         criticality = entity.criticality
         contents = [
-            f"{bold('Risk Score:')} {criticality.score}",
-            f"{bold('Criticality:')} {criticality.name}",
-            f"{bold('Triggered:')} {criticality.triggered.strftime(TIMESTAMP_STR)}",
-            f"{bold('Last Triggered:')} {criticality.last_triggered.strftime(TIMESTAMP_STR)}  \n\n",
+            f'{bold("Risk Score:")} {criticality.score}',
+            f'{bold("Criticality:")} {criticality.name}',
+            f'{bold("Triggered:")} {criticality.triggered.strftime(TIMESTAMP_STR)}',
+            f'{bold("Last Triggered:")} {criticality.last_triggered.strftime(TIMESTAMP_STR)}  \n\n',
         ]
 
         evidences = []
@@ -197,7 +202,7 @@ def _enriched_entities_markdown(classic_alert) -> list:
     return results
 
 
-def _target_entities_markdown(classic_alert, html_tags: bool = False) -> list:
+def _target_entities_markdown(classic_alert: 'ClassicAlert', html_tags: bool = False) -> list:
     results = []
     for entity in classic_alert.enriched_entities:
         result = {'title': f'Target {entity.entity.name}'}
@@ -213,17 +218,16 @@ def _target_entities_markdown(classic_alert, html_tags: bool = False) -> list:
     return results
 
 
-def _create_summary_section(ca) -> None:
-    summary_content = [
-        f"{bold('ID:')} {ca.id_}  ",
-        f"{bold('Triggered:')} {ca.log.triggered.strftime(TIMESTAMP_STR)}  ",
-        f"{bold('Alerting Rule:')} {ca.rule.name}  ",
-        f"{link('API', str(ca.url.api))} | {link('Portal', str(ca.url.portal))}",
+def _create_summary_section(ca: 'ClassicAlert') -> None:
+    return [
+        f'{bold("ID:")} {ca.id_}  ',
+        f'{bold("Triggered:")} {ca.log.triggered.strftime(TIMESTAMP_STR)}  ',
+        f'{bold("Alerting Rule:")} {ca.rule.name}  ',
+        f'{link("API", str(ca.url.api))} | {link("Portal", str(ca.url.portal))}',
     ]
-    return summary_content
 
 
-def _get_entities_to_defang(classic_alert) -> set:
+def _get_entities_to_defang(classic_alert: 'ClassicAlert') -> set:
     """Return a set of IOC entities to defang from the classic_alert hits."""
     if not classic_alert.hits:
         return set()
@@ -233,35 +237,38 @@ def _get_entities_to_defang(classic_alert) -> set:
         for entity in chain.from_iterable(h.entities for h in classic_alert.hits)
         if entity.type_ in MARKDOWN_ENTITY_TYPES_TO_DEFANG
     }
-    defanged_entities = raw_entities.union({esc_format(ent, esc=True) for ent in raw_entities})
-    return defanged_entities
+    return raw_entities.union({esc_format(ent, esc=True) for ent in raw_entities})
 
 
-def _add_summary_section(md_maker: MarkdownMaker, classic_alert) -> None:
+def _add_summary_section(md_maker: MarkdownMaker, classic_alert: 'ClassicAlert') -> None:
     """Adds the 'Summary' section to the markdown builder."""
     md_maker.add_title(_clean_title(classic_alert.title))
     md_maker.add_section('Summary', _create_summary_section(classic_alert))
 
 
-def _add_owner_org_section(md_maker: MarkdownMaker, classic_alert, owner_org: bool) -> None:
+def _add_owner_org_section(
+    md_maker: MarkdownMaker, classic_alert: 'ClassicAlert', owner_org: bool
+) -> None:
     """Adds 'Owner Organisation Details' section if owner_org is True and details are present."""
     if owner_org and classic_alert.owner_organisation_details:
         md_maker.add_section('Owner Organisation Details', _owner_org_markdown(classic_alert))
 
 
-def _add_ai_insights_section(md_maker: MarkdownMaker, classic_alert, ai_insights: bool) -> None:
+def _add_ai_insights_section(
+    md_maker: MarkdownMaker, classic_alert: 'ClassicAlert', ai_insights: bool
+) -> None:
     """Adds the 'AI Insights' sections if ai_insights is True and data is present."""
     if ai_insights and classic_alert.ai_insights:
         if classic_alert.ai_insights.text:
             md_maker.add_section('AI Insights', [classic_alert.ai_insights.text])
         if classic_alert.ai_insights.comment:
             md_maker.add_section(
-                'AI Insights', [f"{bold('Comment:')} {classic_alert.ai_insights.comment}"]
+                'AI Insights', [f'{bold("Comment:")} {classic_alert.ai_insights.comment}']
             )
 
 
 def _add_enriched_entities_sections(
-    md_maker: MarkdownMaker, classic_alert, html_tags: bool
+    md_maker: MarkdownMaker, classic_alert: 'ClassicAlert', html_tags: bool
 ) -> None:
     """Adds sections related to enriched entities (evidence and references)."""
     if any(x.evidence for x in classic_alert.enriched_entities):
@@ -277,7 +284,7 @@ def _add_enriched_entities_sections(
 
 def _add_hits_section_if_no_enriched_entities(
     md_maker: MarkdownMaker,
-    classic_alert,
+    classic_alert: 'ClassicAlert',
     fragment_entities: bool,
     triggered_by: bool,
     html_tags: bool,
@@ -297,7 +304,7 @@ def _add_hits_section_if_no_enriched_entities(
 
 
 def _markdown_alert(
-    classic_alert,
+    classic_alert: 'ClassicAlert',
     owner_org: bool = False,
     ai_insights: bool = True,
     fragment_entities: bool = True,

{psengine-2.0.5 → psengine-2.0.7}/psengine/constants.py

@@ -22,8 +22,8 @@ DEFAULT_MAX_WORKERS = 10
 #####################
 # Recorded Future API
 #####################
-RF_TOKEN_ENV_VAR = 'RF_TOKEN'
-RF_TOKEN_VALIDATION_REGEX = r'^[a-f0-9]{32}$'
+RF_TOKEN_ENV_VAR = 'RF_TOKEN'  # noqa: S105
+RF_TOKEN_VALIDATION_REGEX = r'^[a-f0-9]{32}$'  # noqa: S105
 
 #####################
 # Recorded Future Portal

{psengine-2.0.5 → psengine-2.0.7}/psengine/detection/detection_mgr.py

@@ -132,4 +132,6 @@ class DetectionMgr:
 
         if result:
             return result[0]
+
         self.log.info(f'No rule found for id {doc_id}')
+        return None

{psengine-2.0.5 → psengine-2.0.7}/psengine/detection/helpers.py

@@ -47,9 +47,9 @@ def save_rule(rule: DetectionRule, output_directory: Union[str, Path] = None):
     output_directory = Path(output_directory).absolute() if output_directory else Path().cwd()
     OSHelpers.mkdir(output_directory)
 
-    for data in rule.rules:
+    for i, data in enumerate(rule.rules):
         try:
-            full_path = output_directory / data.file_name
+            full_path = output_directory / (data.file_name or f'{rule.id_.replace(":", "_")}_{i}')
             full_path.write_text(data.content)
             LOG.info(f'Wrote: {full_path}')
         except (FileNotFoundError, IsADirectoryError, PermissionError, OSError) as err:  # noqa: PERF203

{psengine-2.0.5 → psengine-2.0.7}/psengine/endpoints.py

@@ -51,11 +51,13 @@ EP_FUSION_FILES = CONNECT_API_BASE_URL + '/fusion/files'
 EP_PLAYBOOK_ALERT = BASE_URL + '/playbook-alert'
 EP_PLAYBOOK_ALERT_SEARCH = EP_PLAYBOOK_ALERT + '/search'
 EP_PLAYBOOK_ALERT_COMMON = EP_PLAYBOOK_ALERT + '/common'
-EP_PLAYBOOK_ALERT_DOMAIN_ABUSE = EP_PLAYBOOK_ALERT + '/domain_abuse'
-EP_PLAYBOOK_ALERT_CYBER_VULNERABILITY = EP_PLAYBOOK_ALERT + '/vulnerability'
 EP_PLAYBOOK_ALERT_CODE_REPO_LEAKAGE = EP_PLAYBOOK_ALERT + '/code_repo_leakage'
-EP_PLAYBOOK_ALERT_THIRD_PARTY_RISK = EP_PLAYBOOK_ALERT + '/third_party_risk'
+EP_PLAYBOOK_ALERT_CYBER_VULNERABILITY = EP_PLAYBOOK_ALERT + '/vulnerability'
+EP_PLAYBOOK_ALERT_DOMAIN_ABUSE = EP_PLAYBOOK_ALERT + '/domain_abuse'
+EP_PLAYBOOK_ALERT_GEOPOLITICS_FACILITY = EP_PLAYBOOK_ALERT + '/geopolitics_facility'
 EP_PLAYBOOK_ALERT_IDENTITY_NOVEL_EXPOSURES = EP_PLAYBOOK_ALERT + '/identity_novel_exposures'
+EP_PLAYBOOK_ALERT_THIRD_PARTY_RISK = EP_PLAYBOOK_ALERT + '/third_party_risk'
+EP_PLAYBOOK_ALERT_MALWARE_REPORT = EP_PLAYBOOK_ALERT + '/malware_report'
 
 ###############################################################################
 # Entity Match Endpoint