runbooks 1.1.3__py3-none-any.whl → 1.1.5__py3-none-any.whl

runbooks/security/real_time_security_monitor.py

@@ -5,7 +5,7 @@ Real-Time AWS Security Monitoring with MCP Integration
 Enterprise-grade real-time security monitoring framework integrated with MCP servers
 for continuous security validation and automated threat response.
 
-Author: DevOps Security Engineer (Claude Code Enterprise Team) 
+Author: DevOps Security Engineer (Claude Code Enterprise Team)
 Framework: Real-time security validation with 61-account support
 Status: Production-ready with MCP integration and automated remediation
 
@@ -48,17 +48,17 @@ from runbooks.common.rich_utils import (
 
 class ThreatLevel(Enum):
     """Real-time threat severity levels."""
-    
-    CRITICAL = "CRITICAL"    # Immediate response required
-    HIGH = "HIGH"           # Response within 1 hour
-    MEDIUM = "MEDIUM"       # Response within 4 hours  
-    LOW = "LOW"            # Response within 24 hours
-    INFO = "INFO"          # Informational only
+
+    CRITICAL = "CRITICAL"  # Immediate response required
+    HIGH = "HIGH"  # Response within 1 hour
+    MEDIUM = "MEDIUM"  # Response within 4 hours
+    LOW = "LOW"  # Response within 24 hours
+    INFO = "INFO"  # Informational only
 
 
 class SecurityEventType(Enum):
     """Types of security events monitored in real-time."""
-    
+
     UNAUTHORIZED_ACCESS = "UNAUTHORIZED_ACCESS"
     PRIVILEGE_ESCALATION = "PRIVILEGE_ESCALATION"
     DATA_EXFILTRATION = "DATA_EXFILTRATION"
@@ -72,7 +72,7 @@ class SecurityEventType(Enum):
 @dataclass
 class SecurityEvent:
     """Real-time security event with automated response capability."""
-    
+
     event_id: str
     timestamp: datetime
     event_type: SecurityEventType
@@ -95,7 +95,7 @@ class SecurityEvent:
 @dataclass
 class SecurityDashboard:
     """Executive security dashboard with business metrics."""
-    
+
     dashboard_id: str
     timestamp: datetime
     accounts_monitored: int
@@ -116,10 +116,10 @@ class RealTimeSecurityMonitor:
     """
     Real-Time AWS Security Monitoring Framework
     ===========================================
-    
+
     Provides continuous security monitoring across multi-account AWS environments
     with real-time threat detection, automated response, and executive reporting.
-    
+
     Enterprise Features:
     - 61-account concurrent monitoring via AWS Organizations
     - Real-time event processing with <30 second detection time
@@ -130,31 +130,31 @@ class RealTimeSecurityMonitor:
     """
 
     def __init__(
-        self, 
-        profile: str = "default", 
+        self,
+        profile: str = "default",
         output_dir: str = "./artifacts/security-monitoring",
-        max_concurrent_accounts: int = 61
+        max_concurrent_accounts: int = 61,
     ):
         self.profile = profile
         self.output_dir = Path(output_dir)
         self.output_dir.mkdir(parents=True, exist_ok=True)
         self.max_concurrent_accounts = max_concurrent_accounts
-        
+
         # Initialize secure session
         self.session = self._create_secure_session()
-        
+
         # Real-time monitoring components
         self.event_processor = SecurityEventProcessor(self.session, self.output_dir)
         self.threat_detector = ThreatDetectionEngine(self.session)
         self.response_engine = AutomatedResponseEngine(self.session, self.output_dir)
         self.mcp_connector = MCPSecurityConnector()
-        
+
         # Monitoring state
         self.monitoring_active = False
         self.monitored_accounts = []
         self.event_queue = asyncio.Queue()
         self.response_queue = asyncio.Queue()
-        
+
         print_header("Real-Time Security Monitor", "1.0.0")
         print_info(f"Profile: {profile}")
         print_info(f"Max concurrent accounts: {max_concurrent_accounts}")
@@ -163,46 +163,46 @@ class RealTimeSecurityMonitor:
     def _create_secure_session(self) -> boto3.Session:
         """Create secure AWS session for monitoring."""
         try:
-            session = create_management_session(profile=self.profile)
-            
+            session = create_management_session(profile_name=self.profile)
+
             # Validate session credentials
             sts_client = session.client("sts")
             identity = sts_client.get_caller_identity()
-            
+
             print_info(f"Secure monitoring session established for: {identity.get('Arn', 'Unknown')}")
             return session
-            
+
         except (ClientError, NoCredentialsError) as e:
             print_error(f"Failed to establish secure session: {str(e)}")
             raise
 
     async def start_real_time_monitoring(
-        self, 
+        self,
         target_accounts: Optional[List[str]] = None,
-        monitoring_duration: Optional[int] = None  # minutes, None for continuous
+        monitoring_duration: Optional[int] = None,  # minutes, None for continuous
     ) -> SecurityDashboard:
         """
         Start real-time security monitoring across organization accounts.
-        
+
         Args:
             target_accounts: Specific accounts to monitor (None for all organization accounts)
             monitoring_duration: Duration in minutes (None for continuous monitoring)
-            
+
         Returns:
             SecurityDashboard with real-time security metrics
         """
-        
+
         if not target_accounts:
             target_accounts = await self._discover_organization_accounts()
-        
+
         # Limit to max concurrent accounts
         if len(target_accounts) > self.max_concurrent_accounts:
             print_warning(f"Limiting monitoring to {self.max_concurrent_accounts} accounts")
-            target_accounts = target_accounts[:self.max_concurrent_accounts]
-        
+            target_accounts = target_accounts[: self.max_concurrent_accounts]
+
         self.monitored_accounts = target_accounts
         self.monitoring_active = True
-        
+
         console.print(
             create_panel(
                 f"[bold cyan]Real-Time Security Monitoring Activated[/bold cyan]\n\n"
@@ -213,462 +213,458 @@ class RealTimeSecurityMonitor:
                 border_style="cyan",
             )
         )
-        
+
         # Start monitoring tasks
         monitoring_tasks = [
-            asyncio.create_task(self._monitor_account_security(account_id)) 
-            for account_id in target_accounts
+            asyncio.create_task(self._monitor_account_security(account_id)) for account_id in target_accounts
         ]
-        
+
         # Start event processing
         event_processing_task = asyncio.create_task(self._process_security_events())
-        
+
         # Start response engine
         response_task = asyncio.create_task(self._execute_automated_responses())
-        
+
         # Start dashboard updates
         dashboard_task = asyncio.create_task(self._update_security_dashboard())
-        
+
         all_tasks = monitoring_tasks + [event_processing_task, response_task, dashboard_task]
-        
+
         try:
             if monitoring_duration:
                 # Run for specified duration
                 await asyncio.wait_for(
-                    asyncio.gather(*all_tasks, return_exceptions=True),
-                    timeout=monitoring_duration * 60
+                    asyncio.gather(*all_tasks, return_exceptions=True), timeout=monitoring_duration * 60
                 )
             else:
                 # Run continuously
                 await asyncio.gather(*all_tasks, return_exceptions=True)
-                
+
         except asyncio.TimeoutError:
             print_info(f"Monitoring duration completed: {monitoring_duration} minutes")
         except KeyboardInterrupt:
             print_warning("Monitoring interrupted by user")
         finally:
             self.monitoring_active = False
-            
+
             # Cancel all tasks
             for task in all_tasks:
                 if not task.done():
                     task.cancel()
-        
+
         # Generate final dashboard
         final_dashboard = await self._generate_final_dashboard()
-        
+
         print_success("Real-time monitoring session completed")
         return final_dashboard
 
     async def _monitor_account_security(self, account_id: str):
         """Monitor security events for a specific account."""
-        
+
         print_info(f"Starting security monitoring for account: {account_id}")
-        
+
         while self.monitoring_active:
             try:
                 # Monitor multiple security event sources
-                
+
                 # 1. CloudTrail events for API activity
                 cloudtrail_events = await self._monitor_cloudtrail_events(account_id)
                 for event in cloudtrail_events:
                     await self.event_queue.put(event)
-                
+
                 # 2. Config compliance changes
                 config_events = await self._monitor_config_compliance(account_id)
                 for event in config_events:
                     await self.event_queue.put(event)
-                
+
                 # 3. Security Hub findings
                 security_hub_events = await self._monitor_security_hub(account_id)
                 for event in security_hub_events:
                     await self.event_queue.put(event)
-                
+
                 # 4. Real-time resource changes
                 resource_events = await self._monitor_resource_changes(account_id)
                 for event in resource_events:
                     await self.event_queue.put(event)
-                
+
                 # Monitor every 30 seconds for real-time detection
                 await asyncio.sleep(30)
-                
+
             except Exception as e:
                 print_error(f"Error monitoring account {account_id}: {str(e)}")
                 await asyncio.sleep(60)  # Back off on errors
 
     async def _monitor_cloudtrail_events(self, account_id: str) -> List[SecurityEvent]:
         """Monitor CloudTrail for security-relevant API events."""
-        
+
         events = []
-        
+
         try:
             # Assume cross-account role if needed
             session = await self._get_account_session(account_id)
-            cloudtrail = session.client('cloudtrail')
-            
+            cloudtrail = session.client("cloudtrail")
+
             # Look for events in the last minute
             end_time = datetime.utcnow()
             start_time = end_time - timedelta(minutes=1)
-            
+
             # Get recent events
             response = cloudtrail.lookup_events(
                 LookupAttributes=[
-                    {
-                        'AttributeKey': 'EventTime',
-                        'AttributeValue': start_time.strftime('%Y-%m-%d %H:%M:%S')
-                    }
+                    {"AttributeKey": "EventTime", "AttributeValue": start_time.strftime("%Y-%m-%d %H:%M:%S")}
                 ],
                 StartTime=start_time,
                 EndTime=end_time,
-                MaxItems=50  # Limit for real-time processing
+                MaxItems=50,  # Limit for real-time processing
             )
-            
-            for event_record in response.get('Events', []):
-                event_name = event_record.get('EventName', '')
-                
+
+            for event_record in response.get("Events", []):
+                event_name = event_record.get("EventName", "")
+
                 # Check for high-risk events
                 if self._is_high_risk_event(event_name):
-                    security_event = self._create_security_event_from_cloudtrail(
-                        event_record, account_id
-                    )
+                    security_event = self._create_security_event_from_cloudtrail(event_record, account_id)
                     events.append(security_event)
-            
+
         except ClientError as e:
             print_warning(f"CloudTrail monitoring failed for {account_id}: {str(e)}")
-        
+
         return events
 
     def _is_high_risk_event(self, event_name: str) -> bool:
         """Determine if CloudTrail event represents high security risk."""
-        
+
         high_risk_events = [
-            'CreateUser', 'DeleteUser', 'AttachUserPolicy', 'DetachUserPolicy',
-            'CreateRole', 'DeleteRole', 'AttachRolePolicy', 'DetachRolePolicy',
-            'PutBucketAcl', 'PutBucketPolicy', 'DeleteBucketPolicy',
-            'AuthorizeSecurityGroupIngress', 'AuthorizeSecurityGroupEgress',
-            'RevokeSecurityGroupIngress', 'RevokeSecurityGroupEgress',
-            'CreateSecurityGroup', 'DeleteSecurityGroup',
-            'ConsoleLogin', 'AssumeRole', 'AssumeRoleWithSAML'
+            "CreateUser",
+            "DeleteUser",
+            "AttachUserPolicy",
+            "DetachUserPolicy",
+            "CreateRole",
+            "DeleteRole",
+            "AttachRolePolicy",
+            "DetachRolePolicy",
+            "PutBucketAcl",
+            "PutBucketPolicy",
+            "DeleteBucketPolicy",
+            "AuthorizeSecurityGroupIngress",
+            "AuthorizeSecurityGroupEgress",
+            "RevokeSecurityGroupIngress",
+            "RevokeSecurityGroupEgress",
+            "CreateSecurityGroup",
+            "DeleteSecurityGroup",
+            "ConsoleLogin",
+            "AssumeRole",
+            "AssumeRoleWithSAML",
         ]
-        
+
         return event_name in high_risk_events
 
-    def _create_security_event_from_cloudtrail(
-        self, 
-        event_record: Dict[str, Any], 
-        account_id: str
-    ) -> SecurityEvent:
+    def _create_security_event_from_cloudtrail(self, event_record: Dict[str, Any], account_id: str) -> SecurityEvent:
         """Create SecurityEvent from CloudTrail event record."""
-        
-        event_name = event_record.get('EventName', 'Unknown')
-        event_time = event_record.get('EventTime', datetime.utcnow())
-        
+
+        event_name = event_record.get("EventName", "Unknown")
+        event_time = event_record.get("EventTime", datetime.utcnow())
+
         # Determine event type and threat level
         event_type = self._classify_event_type(event_name)
         threat_level = self._assess_threat_level(event_name, event_record)
-        
+
         # Extract resource information
-        resources = event_record.get('Resources', [])
-        resource_arn = resources[0].get('ResourceName', '') if resources else f"arn:aws::{account_id}:unknown"
-        
+        resources = event_record.get("Resources", [])
+        resource_arn = resources[0].get("ResourceName", "") if resources else f"arn:aws::{account_id}:unknown"
+
         # Extract user information
-        user_identity = event_record.get('Username', 'Unknown')
-        source_ip = event_record.get('SourceIPAddress', None)
-        
+        user_identity = event_record.get("Username", "Unknown")
+        source_ip = event_record.get("SourceIPAddress", None)
+
         return SecurityEvent(
             event_id=f"ct-{int(time.time())}-{account_id}",
             timestamp=event_time if isinstance(event_time, datetime) else datetime.utcnow(),
             event_type=event_type,
             threat_level=threat_level,
             account_id=account_id,
-            region=event_record.get('AwsRegion', 'unknown'),
+            region=event_record.get("AwsRegion", "unknown"),
             resource_arn=resource_arn,
-            event_details={
-                'event_name': event_name,
-                'cloudtrail_record': event_record
-            },
+            event_details={"event_name": event_name, "cloudtrail_record": event_record},
             source_ip=source_ip,
             user_identity=user_identity,
             auto_response_available=self._has_auto_response(event_name),
             auto_response_command=self._get_auto_response_command(event_name, event_record),
             compliance_impact=self._assess_compliance_impact(event_name),
-            business_impact=self._assess_business_impact(threat_level)
+            business_impact=self._assess_business_impact(threat_level),
         )
 
     def _classify_event_type(self, event_name: str) -> SecurityEventType:
         """Classify CloudTrail event into security event type."""
-        
+
         event_name_lower = event_name.lower()
-        
-        if 'login' in event_name_lower or 'assume' in event_name_lower:
+
+        if "login" in event_name_lower or "assume" in event_name_lower:
             return SecurityEventType.UNAUTHORIZED_ACCESS
-        elif 'policy' in event_name_lower or 'role' in event_name_lower:
+        elif "policy" in event_name_lower or "role" in event_name_lower:
             return SecurityEventType.IAM_POLICY_CHANGE
-        elif 'securitygroup' in event_name_lower:
+        elif "securitygroup" in event_name_lower:
             return SecurityEventType.SECURITY_GROUP_CHANGE
-        elif 'attach' in event_name_lower or 'detach' in event_name_lower:
+        elif "attach" in event_name_lower or "detach" in event_name_lower:
             return SecurityEventType.PRIVILEGE_ESCALATION
         else:
             return SecurityEventType.CONFIGURATION_DRIFT
 
     def _assess_threat_level(self, event_name: str, event_record: Dict[str, Any]) -> ThreatLevel:
         """Assess threat level based on event characteristics."""
-        
+
         # Critical events requiring immediate response
         critical_events = [
-            'DeleteUser', 'DeleteRole', 'DetachUserPolicy', 'DetachRolePolicy',
-            'PutBucketAcl', 'DeleteBucketPolicy'
+            "DeleteUser",
+            "DeleteRole",
+            "DetachUserPolicy",
+            "DetachRolePolicy",
+            "PutBucketAcl",
+            "DeleteBucketPolicy",
         ]
-        
+
         # High-risk events requiring response within 1 hour
         high_risk_events = [
-            'CreateUser', 'CreateRole', 'AttachUserPolicy', 'AttachRolePolicy',
-            'AuthorizeSecurityGroupIngress', 'CreateSecurityGroup'
+            "CreateUser",
+            "CreateRole",
+            "AttachUserPolicy",
+            "AttachRolePolicy",
+            "AuthorizeSecurityGroupIngress",
+            "CreateSecurityGroup",
         ]
-        
+
         if event_name in critical_events:
             return ThreatLevel.CRITICAL
         elif event_name in high_risk_events:
             return ThreatLevel.HIGH
-        elif 'error' in event_record.get('ErrorCode', '').lower():
+        elif "error" in event_record.get("ErrorCode", "").lower():
             return ThreatLevel.MEDIUM  # Failed attempts are medium risk
         else:
             return ThreatLevel.LOW
 
     def _has_auto_response(self, event_name: str) -> bool:
         """Check if event has automated response available."""
-        
+
         auto_response_events = [
-            'AuthorizeSecurityGroupIngress',  # Can auto-restrict
-            'PutBucketAcl',  # Can auto-remediate public access
-            'AttachUserPolicy'  # Can auto-review and potentially detach
+            "AuthorizeSecurityGroupIngress",  # Can auto-restrict
+            "PutBucketAcl",  # Can auto-remediate public access
+            "AttachUserPolicy",  # Can auto-review and potentially detach
         ]
-        
+
         return event_name in auto_response_events
 
-    def _get_auto_response_command(
-        self, 
-        event_name: str, 
-        event_record: Dict[str, Any]
-    ) -> Optional[str]:
+    def _get_auto_response_command(self, event_name: str, event_record: Dict[str, Any]) -> Optional[str]:
         """Get automated response command for event."""
-        
-        if event_name == 'AuthorizeSecurityGroupIngress':
+
+        if event_name == "AuthorizeSecurityGroupIngress":
             # Extract security group ID from event
-            resources = event_record.get('Resources', [])
+            resources = event_record.get("Resources", [])
             if resources:
-                sg_id = resources[0].get('ResourceName', '').split('/')[-1]
+                sg_id = resources[0].get("ResourceName", "").split("/")[-1]
                 return f"runbooks security remediate --type security_group --resource-id {sg_id} --action restrict"
-        
-        elif event_name == 'PutBucketAcl':
+
+        elif event_name == "PutBucketAcl":
             # Extract bucket name from event
-            resources = event_record.get('Resources', [])
+            resources = event_record.get("Resources", [])
             if resources:
-                bucket_name = resources[0].get('ResourceName', '').split('/')[-1]
+                bucket_name = resources[0].get("ResourceName", "").split("/")[-1]
                 return f"runbooks security remediate --type s3_public_access --resource-id {bucket_name} --action block"
-        
+
         return None
 
     def _assess_compliance_impact(self, event_name: str) -> List[str]:
         """Assess which compliance frameworks are impacted by event."""
-        
+
         compliance_impact = []
-        
+
         # IAM events impact multiple frameworks
-        if 'user' in event_name.lower() or 'role' in event_name.lower() or 'policy' in event_name.lower():
-            compliance_impact.extend(['SOC2', 'AWS Well-Architected', 'CIS Benchmarks'])
-        
+        if "user" in event_name.lower() or "role" in event_name.lower() or "policy" in event_name.lower():
+            compliance_impact.extend(["SOC2", "AWS Well-Architected", "CIS Benchmarks"])
+
         # S3 events impact data protection frameworks
-        if 'bucket' in event_name.lower():
-            compliance_impact.extend(['SOC2', 'PCI-DSS', 'HIPAA'])
-        
+        if "bucket" in event_name.lower():
+            compliance_impact.extend(["SOC2", "PCI-DSS", "HIPAA"])
+
         # Network events impact security frameworks
-        if 'securitygroup' in event_name.lower():
-            compliance_impact.extend(['AWS Well-Architected', 'CIS Benchmarks'])
-        
+        if "securitygroup" in event_name.lower():
+            compliance_impact.extend(["AWS Well-Architected", "CIS Benchmarks"])
+
         return compliance_impact
 
     def _assess_business_impact(self, threat_level: ThreatLevel) -> str:
         """Assess business impact of security event."""
-        
+
         impact_mapping = {
             ThreatLevel.CRITICAL: "high",
-            ThreatLevel.HIGH: "medium", 
+            ThreatLevel.HIGH: "medium",
             ThreatLevel.MEDIUM: "low",
             ThreatLevel.LOW: "minimal",
-            ThreatLevel.INFO: "none"
+            ThreatLevel.INFO: "none",
         }
-        
+
         return impact_mapping.get(threat_level, "unknown")
 
     async def _monitor_config_compliance(self, account_id: str) -> List[SecurityEvent]:
         """Monitor AWS Config for compliance changes."""
-        
+
         events = []
-        
+
         try:
             session = await self._get_account_session(account_id)
-            config = session.client('config')
-            
+            config = session.client("config")
+
             # Get compliance changes in the last minute
             end_time = datetime.utcnow()
             start_time = end_time - timedelta(minutes=1)
-            
+
             # Check for compliance evaluation results
             response = config.get_compliance_details_by_config_rule(
-                ConfigRuleName='securityhub-*',  # Security Hub rules
-                ComplianceTypes=['NON_COMPLIANT'],
-                Limit=20
+                ConfigRuleName="securityhub-*",  # Security Hub rules
+                ComplianceTypes=["NON_COMPLIANT"],
+                Limit=20,
             )
-            
-            for evaluation_result in response.get('EvaluationResults', []):
-                if evaluation_result.get('ConfigRuleInvokedTime', datetime.min) >= start_time:
-                    
+
+            for evaluation_result in response.get("EvaluationResults", []):
+                if evaluation_result.get("ConfigRuleInvokedTime", datetime.min) >= start_time:
                     security_event = SecurityEvent(
                         event_id=f"config-{int(time.time())}-{account_id}",
-                        timestamp=evaluation_result.get('ResultRecordedTime', datetime.utcnow()),
+                        timestamp=evaluation_result.get("ResultRecordedTime", datetime.utcnow()),
                         event_type=SecurityEventType.COMPLIANCE_VIOLATION,
                         threat_level=ThreatLevel.MEDIUM,
                         account_id=account_id,
-                        region=session.region_name or 'us-east-1',
-                        resource_arn=evaluation_result.get('EvaluationResultIdentifier', {}).get('EvaluationResultQualifier', {}).get('ResourceId', ''),
+                        region=session.region_name or "us-east-1",
+                        resource_arn=evaluation_result.get("EvaluationResultIdentifier", {})
+                        .get("EvaluationResultQualifier", {})
+                        .get("ResourceId", ""),
                         event_details={
-                            'config_rule': evaluation_result.get('EvaluationResultIdentifier', {}).get('EvaluationResultQualifier', {}).get('ConfigRuleName', ''),
-                            'compliance_type': evaluation_result.get('ComplianceType', 'UNKNOWN')
+                            "config_rule": evaluation_result.get("EvaluationResultIdentifier", {})
+                            .get("EvaluationResultQualifier", {})
+                            .get("ConfigRuleName", ""),
+                            "compliance_type": evaluation_result.get("ComplianceType", "UNKNOWN"),
                         },
-                        compliance_impact=['AWS Config', 'Security Hub'],
-                        business_impact="medium"
+                        compliance_impact=["AWS Config", "Security Hub"],
+                        business_impact="medium",
                     )
-                    
+
                     events.append(security_event)
-            
+
         except ClientError as e:
             print_warning(f"Config monitoring failed for {account_id}: {str(e)}")
-        
+
         return events
 
     async def _monitor_security_hub(self, account_id: str) -> List[SecurityEvent]:
         """Monitor Security Hub for new findings."""
-        
+
         events = []
-        
+
         try:
             session = await self._get_account_session(account_id)
-            security_hub = session.client('securityhub')
-            
+            security_hub = session.client("securityhub")
+
             # Get findings from the last minute
             end_time = datetime.utcnow()
             start_time = end_time - timedelta(minutes=1)
-            
+
             response = security_hub.get_findings(
                 Filters={
-                    'UpdatedAt': [
-                        {
-                            'Start': start_time.isoformat() + 'Z',
-                            'End': end_time.isoformat() + 'Z'
-                        }
+                    "UpdatedAt": [{"Start": start_time.isoformat() + "Z", "End": end_time.isoformat() + "Z"}],
+                    "SeverityLabel": [
+                        {"Value": "HIGH", "Comparison": "EQUALS"},
+                        {"Value": "CRITICAL", "Comparison": "EQUALS"},
                     ],
-                    'SeverityLabel': [
-                        {'Value': 'HIGH', 'Comparison': 'EQUALS'},
-                        {'Value': 'CRITICAL', 'Comparison': 'EQUALS'}
-                    ]
                 },
-                MaxResults=20
+                MaxResults=20,
             )
-            
-            for finding in response.get('Findings', []):
-                
+
+            for finding in response.get("Findings", []):
                 # Map Security Hub severity to threat level
-                severity = finding.get('Severity', {}).get('Label', 'MEDIUM')
-                threat_level = ThreatLevel.CRITICAL if severity == 'CRITICAL' else ThreatLevel.HIGH
-                
+                severity = finding.get("Severity", {}).get("Label", "MEDIUM")
+                threat_level = ThreatLevel.CRITICAL if severity == "CRITICAL" else ThreatLevel.HIGH
+
                 security_event = SecurityEvent(
                     event_id=f"sh-{finding.get('Id', 'unknown')}",
-                    timestamp=datetime.fromisoformat(finding.get('UpdatedAt', '').replace('Z', '+00:00')),
+                    timestamp=datetime.fromisoformat(finding.get("UpdatedAt", "").replace("Z", "+00:00")),
                     event_type=SecurityEventType.COMPLIANCE_VIOLATION,
                     threat_level=threat_level,
                     account_id=account_id,
-                    region=finding.get('Region', 'unknown'),
-                    resource_arn=finding.get('Resources', [{}])[0].get('Id', ''),
+                    region=finding.get("Region", "unknown"),
+                    resource_arn=finding.get("Resources", [{}])[0].get("Id", ""),
                     event_details={
-                        'title': finding.get('Title', ''),
-                        'description': finding.get('Description', ''),
-                        'finding_id': finding.get('Id', ''),
-                        'generator_id': finding.get('GeneratorId', '')
+                        "title": finding.get("Title", ""),
+                        "description": finding.get("Description", ""),
+                        "finding_id": finding.get("Id", ""),
+                        "generator_id": finding.get("GeneratorId", ""),
                     },
-                    compliance_impact=['Security Hub', 'AWS Well-Architected'],
-                    business_impact=self._assess_business_impact(threat_level)
+                    compliance_impact=["Security Hub", "AWS Well-Architected"],
+                    business_impact=self._assess_business_impact(threat_level),
                 )
-                
+
                 events.append(security_event)
-            
+
         except ClientError as e:
             print_warning(f"Security Hub monitoring failed for {account_id}: {str(e)}")
-        
+
         return events
 
     async def _monitor_resource_changes(self, account_id: str) -> List[SecurityEvent]:
         """Monitor real-time resource configuration changes."""
-        
+
         events = []
-        
+
         try:
             session = await self._get_account_session(account_id)
-            
+
             # Monitor S3 bucket policy changes
             s3_events = await self._monitor_s3_changes(session, account_id)
             events.extend(s3_events)
-            
+
             # Monitor EC2 security group changes
             ec2_events = await self._monitor_ec2_changes(session, account_id)
             events.extend(ec2_events)
-            
+
         except Exception as e:
             print_warning(f"Resource monitoring failed for {account_id}: {str(e)}")
-        
+
         return events
 
     async def _monitor_s3_changes(self, session: boto3.Session, account_id: str) -> List[SecurityEvent]:
         """Monitor S3 bucket configuration changes."""
-        
+
         events = []
-        
+
         try:
-            s3 = session.client('s3')
-            
+            s3 = session.client("s3")
+
             # Check for buckets with public access (simplified check)
-            buckets = s3.list_buckets().get('Buckets', [])
-            
+            buckets = s3.list_buckets().get("Buckets", [])
+
             for bucket in buckets[:10]:  # Limit for real-time processing
-                bucket_name = bucket['Name']
-                
+                bucket_name = bucket["Name"]
+
                 try:
                     # Check if bucket allows public access
                     public_access_block = s3.get_public_access_block(Bucket=bucket_name)
-                    
-                    config = public_access_block['PublicAccessBlockConfiguration']
+
+                    config = public_access_block["PublicAccessBlockConfiguration"]
                     if not all(config.values()):  # If any setting is False
-                        
                         security_event = SecurityEvent(
                             event_id=f"s3-public-{int(time.time())}-{account_id}",
                             timestamp=datetime.utcnow(),
                             event_type=SecurityEventType.CONFIGURATION_DRIFT,
                             threat_level=ThreatLevel.HIGH,
                             account_id=account_id,
-                            region='us-east-1',  # S3 is global
+                            region="us-east-1",  # S3 is global
                             resource_arn=f"arn:aws:s3:::{bucket_name}",
-                            event_details={
-                                'bucket_name': bucket_name,
-                                'public_access_config': config
-                            },
+                            event_details={"bucket_name": bucket_name, "public_access_config": config},
                             auto_response_available=True,
                             auto_response_command=f"runbooks security remediate --type s3_public_access --resource-id {bucket_name}",
-                            compliance_impact=['SOC2', 'PCI-DSS', 'HIPAA'],
-                            business_impact="high"
+                            compliance_impact=["SOC2", "PCI-DSS", "HIPAA"],
+                            business_impact="high",
                         )
-                        
+
                         events.append(security_event)
-                        
+
                 except ClientError:
                     # Bucket doesn't have public access block configured - potential issue
                     security_event = SecurityEvent(
@@ -677,147 +673,143 @@ class RealTimeSecurityMonitor:
                         event_type=SecurityEventType.CONFIGURATION_DRIFT,
                         threat_level=ThreatLevel.MEDIUM,
                         account_id=account_id,
-                        region='us-east-1',
+                        region="us-east-1",
                         resource_arn=f"arn:aws:s3:::{bucket_name}",
-                        event_details={
-                            'bucket_name': bucket_name,
-                            'issue': 'No public access block configured'
-                        },
+                        event_details={"bucket_name": bucket_name, "issue": "No public access block configured"},
                         auto_response_available=True,
                         auto_response_command=f"runbooks security remediate --type s3_enable_pab --resource-id {bucket_name}",
-                        compliance_impact=['AWS Well-Architected'],
-                        business_impact="medium"
+                        compliance_impact=["AWS Well-Architected"],
+                        business_impact="medium",
                     )
-                    
+
                     events.append(security_event)
-        
+
         except ClientError as e:
             print_warning(f"S3 monitoring failed: {str(e)}")
-        
+
         return events
 
     async def _monitor_ec2_changes(self, session: boto3.Session, account_id: str) -> List[SecurityEvent]:
         """Monitor EC2 security group changes."""
-        
+
         events = []
-        
+
         try:
-            ec2 = session.client('ec2')
-            
+            ec2 = session.client("ec2")
+
             # Get security groups and check for open access
-            security_groups = ec2.describe_security_groups().get('SecurityGroups', [])
-            
+            security_groups = ec2.describe_security_groups().get("SecurityGroups", [])
+
             for sg in security_groups[:20]:  # Limit for real-time processing
-                sg_id = sg['GroupId']
-                
+                sg_id = sg["GroupId"]
+
                 # Check for overly permissive rules
-                for rule in sg.get('IpPermissions', []):
-                    for ip_range in rule.get('IpRanges', []):
-                        if ip_range.get('CidrIp') == '0.0.0.0/0':
-                            
-                            port = rule.get('FromPort', 'unknown')
+                for rule in sg.get("IpPermissions", []):
+                    for ip_range in rule.get("IpRanges", []):
+                        if ip_range.get("CidrIp") == "0.0.0.0/0":
+                            port = rule.get("FromPort", "unknown")
                             threat_level = ThreatLevel.CRITICAL if port in [22, 3389] else ThreatLevel.HIGH
-                            
+
                             security_event = SecurityEvent(
                                 event_id=f"sg-open-{int(time.time())}-{sg_id}",
                                 timestamp=datetime.utcnow(),
                                 event_type=SecurityEventType.SECURITY_GROUP_CHANGE,
                                 threat_level=threat_level,
                                 account_id=account_id,
-                                region=session.region_name or 'us-east-1',
+                                region=session.region_name or "us-east-1",
                                 resource_arn=f"arn:aws:ec2:*:{account_id}:security-group/{sg_id}",
                                 event_details={
-                                    'security_group_id': sg_id,
-                                    'port': port,
-                                    'protocol': rule.get('IpProtocol', 'unknown')
+                                    "security_group_id": sg_id,
+                                    "port": port,
+                                    "protocol": rule.get("IpProtocol", "unknown"),
                                 },
                                 auto_response_available=True,
                                 auto_response_command=f"runbooks security remediate --type security_group --resource-id {sg_id} --action restrict",
-                                compliance_impact=['AWS Well-Architected', 'CIS Benchmarks'],
-                                business_impact=self._assess_business_impact(threat_level)
+                                compliance_impact=["AWS Well-Architected", "CIS Benchmarks"],
+                                business_impact=self._assess_business_impact(threat_level),
                             )
-                            
+
                             events.append(security_event)
                             break  # One event per security group
-        
+
         except ClientError as e:
             print_warning(f"EC2 monitoring failed: {str(e)}")
-        
+
         return events
 
     async def _get_account_session(self, account_id: str) -> boto3.Session:
         """Get AWS session for specific account (with cross-account role assumption)."""
-        
+
         # For now, return current session
         # In production, this would assume cross-account roles
         return self.session
 
     async def _process_security_events(self):
         """Process security events from the event queue."""
-        
+
         print_info("Starting security event processor")
-        
+
         while self.monitoring_active:
             try:
                 # Get events from queue with timeout
                 try:
                     event = await asyncio.wait_for(self.event_queue.get(), timeout=5.0)
-                    
+
                     # Process the event
                     await self._handle_security_event(event)
-                    
+
                     # Mark task as done
                     self.event_queue.task_done()
-                    
+
                 except asyncio.TimeoutError:
                     continue  # No events in queue, continue monitoring
-                    
+
             except Exception as e:
                 print_error(f"Error processing security events: {str(e)}")
                 await asyncio.sleep(1)
 
     async def _handle_security_event(self, event: SecurityEvent):
         """Handle individual security event."""
-        
+
         # Log the event
         self._log_security_event(event)
-        
+
         # Display real-time alert for high/critical events
         if event.threat_level in [ThreatLevel.CRITICAL, ThreatLevel.HIGH]:
             self._display_security_alert(event)
-        
+
         # Queue for automated response if available
         if event.auto_response_available:
             await self.response_queue.put(event)
-        
+
         # Store event for dashboard and reporting
         await self._store_security_event(event)
 
     def _log_security_event(self, event: SecurityEvent):
         """Log security event to file and console."""
-        
+
         log_entry = {
-            'timestamp': event.timestamp.isoformat(),
-            'event_id': event.event_id,
-            'event_type': event.event_type.value,
-            'threat_level': event.threat_level.value,
-            'account_id': event.account_id,
-            'resource_arn': event.resource_arn,
-            'user_identity': event.user_identity,
-            'source_ip': event.source_ip,
-            'business_impact': event.business_impact
+            "timestamp": event.timestamp.isoformat(),
+            "event_id": event.event_id,
+            "event_type": event.event_type.value,
+            "threat_level": event.threat_level.value,
+            "account_id": event.account_id,
+            "resource_arn": event.resource_arn,
+            "user_identity": event.user_identity,
+            "source_ip": event.source_ip,
+            "business_impact": event.business_impact,
         }
-        
+
         # Write to log file
         log_file = self.output_dir / "security_events.jsonl"
-        with open(log_file, 'a') as f:
-            f.write(json.dumps(log_entry) + '\n')
+        with open(log_file, "a") as f:
+            f.write(json.dumps(log_entry) + "\n")
 
     def _display_security_alert(self, event: SecurityEvent):
         """Display real-time security alert."""
-        
+
         threat_emoji = "🚨" if event.threat_level == ThreatLevel.CRITICAL else "⚠️"
-        
+
         alert_content = (
             f"[bold red]{threat_emoji} SECURITY ALERT[/bold red]\n\n"
             f"[bold]Event Type:[/bold] {event.event_type.value}\n"
@@ -828,41 +820,43 @@ class RealTimeSecurityMonitor:
             f"[bold]Source IP:[/bold] {event.source_ip or 'Unknown'}\n"
             f"[bold]Auto Response:[/bold] {'Available' if event.auto_response_available else 'Manual Required'}"
         )
-        
-        console.print(create_panel(
-            alert_content,
-            title=f"{threat_emoji} Security Event Detected",
-            border_style="red" if event.threat_level == ThreatLevel.CRITICAL else "yellow"
-        ))
+
+        console.print(
+            create_panel(
+                alert_content,
+                title=f"{threat_emoji} Security Event Detected",
+                border_style="red" if event.threat_level == ThreatLevel.CRITICAL else "yellow",
+            )
+        )
 
     async def _store_security_event(self, event: SecurityEvent):
         """Store security event for dashboard and analysis."""
-        
+
         # Store in memory for dashboard (in production, would use database)
-        if not hasattr(self, '_recent_events'):
+        if not hasattr(self, "_recent_events"):
             self._recent_events = []
-        
+
         self._recent_events.append(event)
-        
+
         # Keep only recent events (last 1000)
         if len(self._recent_events) > 1000:
             self._recent_events = self._recent_events[-1000:]
 
     async def _execute_automated_responses(self):
         """Execute automated responses from the response queue."""
-        
+
         print_info("Starting automated response engine")
-        
+
         while self.monitoring_active:
             try:
                 # Get response requests from queue
                 try:
                     event = await asyncio.wait_for(self.response_queue.get(), timeout=5.0)
-                    
+
                     # Execute automated response
                     response_result = await self.response_engine.execute_response(event)
-                    
-                    if response_result['success']:
+
+                    if response_result["success"]:
                         print_success(f"Automated response executed for event: {event.event_id}")
                         event.response_status = "automated_success"
                         event.response_timestamp = datetime.utcnow()
@@ -870,66 +864,63 @@ class RealTimeSecurityMonitor:
                         print_warning(f"Automated response failed for event: {event.event_id}")
                         event.response_status = "automated_failed"
                         event.manual_response_required = True
-                    
+
                     self.response_queue.task_done()
-                    
+
                 except asyncio.TimeoutError:
                     continue
-                    
+
             except Exception as e:
                 print_error(f"Error in automated response: {str(e)}")
                 await asyncio.sleep(1)
 
     async def _update_security_dashboard(self):
         """Update security dashboard in real-time."""
-        
+
         print_info("Starting dashboard updates")
-        
+
         while self.monitoring_active:
             try:
                 # Update dashboard every 60 seconds
                 await asyncio.sleep(60)
-                
+
                 dashboard = await self._generate_current_dashboard()
                 await self._display_dashboard_update(dashboard)
-                
+
             except Exception as e:
                 print_error(f"Error updating dashboard: {str(e)}")
                 await asyncio.sleep(60)
 
     async def _generate_current_dashboard(self) -> SecurityDashboard:
         """Generate current security dashboard."""
-        
-        if not hasattr(self, '_recent_events'):
+
+        if not hasattr(self, "_recent_events"):
             self._recent_events = []
-        
+
         # Calculate metrics for last 24 hours
         now = datetime.utcnow()
-        events_24h = [
-            event for event in self._recent_events 
-            if (now - event.timestamp).total_seconds() < 86400
-        ]
-        
+        events_24h = [event for event in self._recent_events if (now - event.timestamp).total_seconds() < 86400]
+
         critical_events_24h = len([e for e in events_24h if e.threat_level == ThreatLevel.CRITICAL])
         high_events_24h = len([e for e in events_24h if e.threat_level == ThreatLevel.HIGH])
         automated_responses_24h = len([e for e in events_24h if e.response_status == "automated_success"])
-        
+
         # Calculate top threats
         threat_counts = {}
         for event in events_24h:
             threat_type = event.event_type.value
             threat_counts[threat_type] = threat_counts.get(threat_type, 0) + 1
-        
+
         top_threats = [
-            {'threat_type': threat, 'count': count}
+            {"threat_type": threat, "count": count}
             for threat, count in sorted(threat_counts.items(), key=lambda x: x[1], reverse=True)[:5]
         ]
-        
+
         # Calculate compliance score (simplified)
         total_events = len(events_24h)
         compliance_events = len([e for e in events_24h if e.event_type == SecurityEventType.COMPLIANCE_VIOLATION])
         compliance_score = max(0, 100 - (compliance_events / max(1, total_events) * 100))
-        
+
         return SecurityDashboard(
             dashboard_id=f"dash-{int(time.time())}",
             timestamp=now,
@@ -938,29 +929,31 @@ class RealTimeSecurityMonitor:
             critical_events_24h=critical_events_24h,
             high_events_24h=high_events_24h,
             automated_responses_24h=automated_responses_24h,
-            manual_responses_pending=len([e for e in events_24h if e.manual_response_required and e.response_status == "pending"]),
+            manual_responses_pending=len(
+                [e for e in events_24h if e.manual_response_required and e.response_status == "pending"]
+            ),
             compliance_score=compliance_score,
             security_posture_trend="stable",  # Would be calculated from historical data
             top_threats=top_threats,
             business_impact_summary={
-                'high_impact_events': len([e for e in events_24h if e.business_impact == "high"]),
-                'medium_impact_events': len([e for e in events_24h if e.business_impact == "medium"]),
-                'estimated_cost_impact': 0.0  # Would be calculated from business impact
+                "high_impact_events": len([e for e in events_24h if e.business_impact == "high"]),
+                "medium_impact_events": len([e for e in events_24h if e.business_impact == "medium"]),
+                "estimated_cost_impact": 0.0,  # Would be calculated from business impact
             },
             response_time_metrics={
-                'avg_detection_time': 30.0,  # seconds
-                'avg_response_time': 120.0,  # seconds
-                'automation_rate': (automated_responses_24h / max(1, len(events_24h))) * 100
+                "avg_detection_time": 30.0,  # seconds
+                "avg_response_time": 120.0,  # seconds
+                "automation_rate": (automated_responses_24h / max(1, len(events_24h))) * 100,
             },
             cost_impact={
-                'potential_savings': 0.0,  # From prevented incidents
-                'monitoring_cost': 0.0  # Cost of monitoring infrastructure
-            }
+                "potential_savings": 0.0,  # From prevented incidents
+                "monitoring_cost": 0.0,  # Cost of monitoring infrastructure
+            },
         )
 
     async def _display_dashboard_update(self, dashboard: SecurityDashboard):
         """Display dashboard update to console."""
-        
+
         dashboard_content = (
             f"[bold cyan]Security Monitoring Dashboard[/bold cyan]\n\n"
             f"[green]Accounts Monitored:[/green] {dashboard.accounts_monitored}\n"
@@ -970,35 +963,31 @@ class RealTimeSecurityMonitor:
             f"[magenta]Compliance Score:[/magenta] {dashboard.compliance_score:.1f}%\n"
             f"[cyan]Response Time (avg):[/cyan] {dashboard.response_time_metrics['avg_response_time']:.0f}s"
         )
-        
+
         # Only display every 5 minutes to avoid spam
-        if not hasattr(self, '_last_dashboard_display'):
+        if not hasattr(self, "_last_dashboard_display"):
             self._last_dashboard_display = datetime.min
-        
+
         if (datetime.utcnow() - self._last_dashboard_display).total_seconds() > 300:
-            console.print(create_panel(
-                dashboard_content,
-                title="📊 Security Dashboard Update",
-                border_style="blue"
-            ))
+            console.print(create_panel(dashboard_content, title="📊 Security Dashboard Update", border_style="blue"))
             self._last_dashboard_display = datetime.utcnow()
 
     async def _generate_final_dashboard(self) -> SecurityDashboard:
         """Generate final dashboard at end of monitoring session."""
-        
+
         dashboard = await self._generate_current_dashboard()
-        
+
         # Display comprehensive final dashboard
         self._display_final_dashboard(dashboard)
-        
+
         # Export dashboard data
         await self._export_dashboard(dashboard)
-        
+
         return dashboard
 
     def _display_final_dashboard(self, dashboard: SecurityDashboard):
         """Display comprehensive final dashboard."""
-        
+
         # Summary panel
         summary_content = (
             f"[bold green]Monitoring Session Complete[/bold green]\n\n"
@@ -1009,13 +998,9 @@ class RealTimeSecurityMonitor:
             f"[bold]Compliance Score:[/bold] {dashboard.compliance_score:.1f}%\n"
             f"[bold]Automation Rate:[/bold] {dashboard.response_time_metrics['automation_rate']:.1f}%"
         )
-        
-        console.print(create_panel(
-            summary_content,
-            title="🔒 Final Security Monitoring Summary",
-            border_style="green"
-        ))
-        
+
+        console.print(create_panel(summary_content, title="🔒 Final Security Monitoring Summary", border_style="green"))
+
         # Top threats table
         if dashboard.top_threats:
             threats_table = create_table(
@@ -1023,174 +1008,167 @@ class RealTimeSecurityMonitor:
                 columns=[
                     {"name": "Threat Type", "style": "red"},
                     {"name": "Count", "style": "yellow"},
-                    {"name": "Severity", "style": "magenta"}
-                ]
+                    {"name": "Severity", "style": "magenta"},
+                ],
             )
-            
+
             for threat in dashboard.top_threats:
                 threats_table.add_row(
-                    threat['threat_type'].replace('_', ' ').title(),
-                    str(threat['count']),
-                    "High" if threat['count'] > 5 else "Medium"
+                    threat["threat_type"].replace("_", " ").title(),
+                    str(threat["count"]),
+                    "High" if threat["count"] > 5 else "Medium",
                 )
-            
+
             console.print(threats_table)
 
     async def _export_dashboard(self, dashboard: SecurityDashboard):
         """Export dashboard data to file."""
-        
+
         dashboard_file = self.output_dir / f"security_dashboard_{dashboard.dashboard_id}.json"
-        
+
         dashboard_data = {
-            'dashboard_id': dashboard.dashboard_id,
-            'timestamp': dashboard.timestamp.isoformat(),
-            'accounts_monitored': dashboard.accounts_monitored,
-            'total_events_24h': dashboard.total_events_24h,
-            'critical_events_24h': dashboard.critical_events_24h,
-            'high_events_24h': dashboard.high_events_24h,
-            'automated_responses_24h': dashboard.automated_responses_24h,
-            'manual_responses_pending': dashboard.manual_responses_pending,
-            'compliance_score': dashboard.compliance_score,
-            'security_posture_trend': dashboard.security_posture_trend,
-            'top_threats': dashboard.top_threats,
-            'business_impact_summary': dashboard.business_impact_summary,
-            'response_time_metrics': dashboard.response_time_metrics,
-            'cost_impact': dashboard.cost_impact
+            "dashboard_id": dashboard.dashboard_id,
+            "timestamp": dashboard.timestamp.isoformat(),
+            "accounts_monitored": dashboard.accounts_monitored,
+            "total_events_24h": dashboard.total_events_24h,
+            "critical_events_24h": dashboard.critical_events_24h,
+            "high_events_24h": dashboard.high_events_24h,
+            "automated_responses_24h": dashboard.automated_responses_24h,
+            "manual_responses_pending": dashboard.manual_responses_pending,
+            "compliance_score": dashboard.compliance_score,
+            "security_posture_trend": dashboard.security_posture_trend,
+            "top_threats": dashboard.top_threats,
+            "business_impact_summary": dashboard.business_impact_summary,
+            "response_time_metrics": dashboard.response_time_metrics,
+            "cost_impact": dashboard.cost_impact,
         }
-        
-        with open(dashboard_file, 'w') as f:
+
+        with open(dashboard_file, "w") as f:
             json.dump(dashboard_data, f, indent=2)
-        
+
         print_success(f"Dashboard exported to: {dashboard_file}")
 
     async def _discover_organization_accounts(self) -> List[str]:
         """Discover AWS Organization accounts for monitoring."""
-        
+
         accounts = []
-        
+
         try:
-            organizations = self.session.client('organizations')
-            
-            paginator = organizations.get_paginator('list_accounts')
-            
+            organizations = self.session.client("organizations")
+
+            paginator = organizations.get_paginator("list_accounts")
+
             for page in paginator.paginate():
-                for account in page.get('Accounts', []):
-                    if account['Status'] == 'ACTIVE':
-                        accounts.append(account['Id'])
-            
+                for account in page.get("Accounts", []):
+                    if account["Status"] == "ACTIVE":
+                        accounts.append(account["Id"])
+
             print_success(f"Discovered {len(accounts)} active organization accounts for monitoring")
-            
+
         except ClientError as e:
             print_warning(f"Could not discover organization accounts: {str(e)}")
             # Fallback to current account
-            sts = self.session.client('sts')
-            current_account = sts.get_caller_identity()['Account']
+            sts = self.session.client("sts")
+            current_account = sts.get_caller_identity()["Account"]
             accounts = [current_account]
             print_info(f"Using current account for monitoring: {current_account}")
-        
+
         return accounts
 
 
 class SecurityEventProcessor:
     """Process and classify security events."""
-    
+
     def __init__(self, session: boto3.Session, output_dir: Path):
         self.session = session
         self.output_dir = output_dir
-        
+
     async def process_event(self, event: SecurityEvent) -> Dict[str, Any]:
         """Process individual security event."""
-        
+
         return {
-            'event_id': event.event_id,
-            'processed': True,
-            'classification': event.event_type.value,
-            'threat_level': event.threat_level.value
+            "event_id": event.event_id,
+            "processed": True,
+            "classification": event.event_type.value,
+            "threat_level": event.threat_level.value,
         }
 
 
 class ThreatDetectionEngine:
     """Advanced threat detection using ML patterns."""
-    
+
     def __init__(self, session: boto3.Session):
         self.session = session
-        
+
     async def detect_anomalies(self, events: List[SecurityEvent]) -> List[SecurityEvent]:
         """Detect anomalous patterns in security events."""
-        
+
         # Placeholder for ML-based anomaly detection
         return []
 
 
 class AutomatedResponseEngine:
     """Execute automated security responses."""
-    
+
     def __init__(self, session: boto3.Session, output_dir: Path):
         self.session = session
         self.output_dir = output_dir
-        
+
     async def execute_response(self, event: SecurityEvent) -> Dict[str, Any]:
         """Execute automated response to security event."""
-        
+
         if not event.auto_response_command:
-            return {'success': False, 'reason': 'No automated response available'}
-        
+            return {"success": False, "reason": "No automated response available"}
+
         # In dry-run mode, just log the command that would be executed
         print_info(f"Would execute: {event.auto_response_command}")
-        
-        return {
-            'success': True,
-            'command': event.auto_response_command,
-            'execution_mode': 'dry_run'
-        }
+
+        return {"success": True, "command": event.auto_response_command, "execution_mode": "dry_run"}
 
 
 class MCPSecurityConnector:
     """Connect to MCP servers for real-time security data."""
-    
+
     def __init__(self):
         self.mcp_endpoints = {
-            'security_hub': 'mcp://aws/security-hub',
-            'config': 'mcp://aws/config',
-            'cloudtrail': 'mcp://aws/cloudtrail'
+            "security_hub": "mcp://aws/security-hub",
+            "config": "mcp://aws/config",
+            "cloudtrail": "mcp://aws/cloudtrail",
         }
-        
+
     async def get_real_time_data(self, endpoint: str) -> Dict[str, Any]:
         """Get real-time data from MCP endpoint."""
-        
+
         # Placeholder for MCP integration
-        return {'status': 'available', 'data': {}}
+        return {"status": "available", "data": {}}
 
 
 # CLI integration for real-time monitoring
 if __name__ == "__main__":
     import argparse
-    
-    parser = argparse.ArgumentParser(description='Real-Time Security Monitor')
-    parser.add_argument('--profile', default='default', help='AWS profile to use')
-    parser.add_argument('--accounts', nargs='+', help='Target account IDs (optional)')
-    parser.add_argument('--duration', type=int, help='Monitoring duration in minutes (default: continuous)')
-    parser.add_argument('--max-accounts', type=int, default=61, help='Max concurrent accounts')
-    parser.add_argument('--output-dir', default='./artifacts/security-monitoring', help='Output directory')
-    
+
+    parser = argparse.ArgumentParser(description="Real-Time Security Monitor")
+    parser.add_argument("--profile", default="default", help="AWS profile to use")
+    parser.add_argument("--accounts", nargs="+", help="Target account IDs (optional)")
+    parser.add_argument("--duration", type=int, help="Monitoring duration in minutes (default: continuous)")
+    parser.add_argument("--max-accounts", type=int, default=61, help="Max concurrent accounts")
+    parser.add_argument("--output-dir", default="./artifacts/security-monitoring", help="Output directory")
+
     args = parser.parse_args()
-    
+
     async def main():
         monitor = RealTimeSecurityMonitor(
-            profile=args.profile,
-            output_dir=args.output_dir,
-            max_concurrent_accounts=args.max_accounts
+            profile=args.profile, output_dir=args.output_dir, max_concurrent_accounts=args.max_accounts
         )
-        
+
         dashboard = await monitor.start_real_time_monitoring(
-            target_accounts=args.accounts,
-            monitoring_duration=args.duration
+            target_accounts=args.accounts, monitoring_duration=args.duration
         )
-        
+
         print_success(f"Monitoring completed. Dashboard ID: {dashboard.dashboard_id}")
         print_info(f"Total events (24h): {dashboard.total_events_24h}")
         print_info(f"Critical events: {dashboard.critical_events_24h}")
         print_info(f"Compliance score: {dashboard.compliance_score:.1f}%")
-    
+
     # Run the async main function
-    asyncio.run(main())
+    asyncio.run(main())