PyPI - souleyez - Versions diffs - 2.43.29__py3-none-any.whl → 2.43.34__py3-none-any.whl - Mend

souleyez 2.43.29py3-none-any.whl → 2.43.34py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (358) hide show

souleyez/__init__.py +1 -2
souleyez/ai/__init__.py +21 -15
souleyez/ai/action_mapper.py +249 -150
souleyez/ai/chain_advisor.py +116 -100
souleyez/ai/claude_provider.py +29 -28
souleyez/ai/context_builder.py +80 -62
souleyez/ai/executor.py +158 -117
souleyez/ai/feedback_handler.py +136 -121
souleyez/ai/llm_factory.py +27 -20
souleyez/ai/llm_provider.py +4 -2
souleyez/ai/ollama_provider.py +6 -9
souleyez/ai/ollama_service.py +44 -37
souleyez/ai/path_scorer.py +91 -76
souleyez/ai/recommender.py +176 -144
souleyez/ai/report_context.py +74 -73
souleyez/ai/report_service.py +84 -66
souleyez/ai/result_parser.py +222 -229
souleyez/ai/safety.py +67 -44
souleyez/auth/__init__.py +23 -22
souleyez/auth/audit.py +36 -26
souleyez/auth/engagement_access.py +65 -48
souleyez/auth/permissions.py +14 -3
souleyez/auth/session_manager.py +54 -37
souleyez/auth/user_manager.py +109 -64
souleyez/commands/audit.py +40 -43
souleyez/commands/auth.py +35 -15
souleyez/commands/deliverables.py +55 -50
souleyez/commands/engagement.py +47 -28
souleyez/commands/license.py +32 -23
souleyez/commands/screenshots.py +36 -32
souleyez/commands/user.py +82 -36
souleyez/config.py +52 -44
souleyez/core/credential_tester.py +87 -81
souleyez/core/cve_mappings.py +179 -192
souleyez/core/cve_matcher.py +162 -148
souleyez/core/msf_auto_mapper.py +100 -83
souleyez/core/msf_chain_engine.py +294 -256
souleyez/core/msf_database.py +153 -70
souleyez/core/msf_integration.py +679 -673
souleyez/core/msf_rpc_client.py +40 -42
souleyez/core/msf_rpc_manager.py +77 -79
souleyez/core/msf_sync_manager.py +241 -181
souleyez/core/network_utils.py +22 -15
souleyez/core/parser_handler.py +34 -25
souleyez/core/pending_chains.py +114 -63
souleyez/core/templates.py +158 -107
souleyez/core/tool_chaining.py +9526 -2879
souleyez/core/version_utils.py +79 -94
souleyez/core/vuln_correlation.py +136 -89
souleyez/core/web_utils.py +33 -32
souleyez/data/wordlists/ad_users.txt +378 -0
souleyez/data/wordlists/api_endpoints_large.txt +769 -0
souleyez/data/wordlists/home_dir_sensitive.txt +39 -0
souleyez/data/wordlists/lfi_payloads.txt +82 -0
souleyez/data/wordlists/passwords_brute.txt +1548 -0
souleyez/data/wordlists/passwords_crack.txt +2479 -0
souleyez/data/wordlists/passwords_spray.txt +386 -0
souleyez/data/wordlists/subdomains_large.txt +5057 -0
souleyez/data/wordlists/usernames_common.txt +694 -0
souleyez/data/wordlists/web_dirs_large.txt +4769 -0
souleyez/detection/__init__.py +1 -1
souleyez/detection/attack_signatures.py +12 -17
souleyez/detection/mitre_mappings.py +61 -55
souleyez/detection/validator.py +97 -86
souleyez/devtools.py +23 -10
souleyez/docs/README.md +4 -4
souleyez/docs/api-reference/cli-commands.md +2 -2
souleyez/docs/developer-guide/adding-new-tools.md +562 -0
souleyez/docs/user-guide/auto-chaining.md +30 -8
souleyez/docs/user-guide/getting-started.md +1 -1
souleyez/docs/user-guide/installation.md +26 -3
souleyez/docs/user-guide/metasploit-integration.md +2 -2
souleyez/docs/user-guide/rbac.md +1 -1
souleyez/docs/user-guide/scope-management.md +1 -1
souleyez/docs/user-guide/siem-integration.md +1 -1
souleyez/docs/user-guide/tools-reference.md +1 -8
souleyez/docs/user-guide/worker-management.md +1 -1
souleyez/engine/background.py +1239 -535
souleyez/engine/base.py +4 -1
souleyez/engine/job_status.py +17 -49
souleyez/engine/log_sanitizer.py +103 -77
souleyez/engine/manager.py +38 -7
souleyez/engine/result_handler.py +2200 -1550
souleyez/engine/worker_manager.py +50 -41
souleyez/export/evidence_bundle.py +72 -62
souleyez/feature_flags/features.py +16 -20
souleyez/feature_flags.py +5 -9
souleyez/handlers/__init__.py +11 -0
souleyez/handlers/base.py +188 -0
souleyez/handlers/bash_handler.py +277 -0
souleyez/handlers/bloodhound_handler.py +243 -0
souleyez/handlers/certipy_handler.py +311 -0
souleyez/handlers/crackmapexec_handler.py +486 -0
souleyez/handlers/dnsrecon_handler.py +344 -0
souleyez/handlers/enum4linux_handler.py +400 -0
souleyez/handlers/evil_winrm_handler.py +493 -0
souleyez/handlers/ffuf_handler.py +815 -0
souleyez/handlers/gobuster_handler.py +1114 -0
souleyez/handlers/gpp_extract_handler.py +334 -0
souleyez/handlers/hashcat_handler.py +444 -0
souleyez/handlers/hydra_handler.py +563 -0
souleyez/handlers/impacket_getuserspns_handler.py +343 -0
souleyez/handlers/impacket_psexec_handler.py +222 -0
souleyez/handlers/impacket_secretsdump_handler.py +426 -0
souleyez/handlers/john_handler.py +286 -0
souleyez/handlers/katana_handler.py +425 -0
souleyez/handlers/kerbrute_handler.py +298 -0
souleyez/handlers/ldapsearch_handler.py +636 -0
souleyez/handlers/lfi_extract_handler.py +464 -0
souleyez/handlers/msf_auxiliary_handler.py +408 -0
souleyez/handlers/msf_exploit_handler.py +380 -0
souleyez/handlers/nikto_handler.py +413 -0
souleyez/handlers/nmap_handler.py +821 -0
souleyez/handlers/nuclei_handler.py +359 -0
souleyez/handlers/nxc_handler.py +371 -0
souleyez/handlers/rdp_sec_check_handler.py +353 -0
souleyez/handlers/registry.py +292 -0
souleyez/handlers/responder_handler.py +232 -0
souleyez/handlers/service_explorer_handler.py +434 -0
souleyez/handlers/smbclient_handler.py +344 -0
souleyez/handlers/smbmap_handler.py +510 -0
souleyez/handlers/smbpasswd_handler.py +296 -0
souleyez/handlers/sqlmap_handler.py +1116 -0
souleyez/handlers/theharvester_handler.py +601 -0
souleyez/handlers/web_login_test_handler.py +327 -0
souleyez/handlers/whois_handler.py +277 -0
souleyez/handlers/wpscan_handler.py +554 -0
souleyez/history.py +32 -16
souleyez/importers/msf_importer.py +106 -75
souleyez/importers/smart_importer.py +208 -147
souleyez/integrations/siem/__init__.py +10 -10
souleyez/integrations/siem/base.py +17 -18
souleyez/integrations/siem/elastic.py +108 -122
souleyez/integrations/siem/factory.py +207 -80
souleyez/integrations/siem/googlesecops.py +146 -154
souleyez/integrations/siem/rule_mappings/__init__.py +1 -1
souleyez/integrations/siem/rule_mappings/wazuh_rules.py +8 -5
souleyez/integrations/siem/sentinel.py +107 -109
souleyez/integrations/siem/splunk.py +246 -212
souleyez/integrations/siem/wazuh.py +65 -71
souleyez/integrations/wazuh/__init__.py +5 -5
souleyez/integrations/wazuh/client.py +70 -93
souleyez/integrations/wazuh/config.py +85 -57
souleyez/integrations/wazuh/host_mapper.py +28 -36
souleyez/integrations/wazuh/sync.py +78 -68
souleyez/intelligence/__init__.py +4 -5
souleyez/intelligence/correlation_analyzer.py +309 -295
souleyez/intelligence/exploit_knowledge.py +661 -623
souleyez/intelligence/exploit_suggestions.py +159 -139
souleyez/intelligence/gap_analyzer.py +132 -97
souleyez/intelligence/gap_detector.py +251 -214
souleyez/intelligence/sensitive_tables.py +266 -129
souleyez/intelligence/service_parser.py +137 -123
souleyez/intelligence/surface_analyzer.py +407 -268
souleyez/intelligence/target_parser.py +159 -162
souleyez/licensing/__init__.py +6 -6
souleyez/licensing/validator.py +17 -19
souleyez/log_config.py +79 -54
souleyez/main.py +1505 -687
souleyez/migrations/fix_job_counter.py +16 -14
souleyez/parsers/bloodhound_parser.py +41 -39
souleyez/parsers/crackmapexec_parser.py +178 -111
souleyez/parsers/dalfox_parser.py +72 -77
souleyez/parsers/dnsrecon_parser.py +103 -91
souleyez/parsers/enum4linux_parser.py +183 -153
souleyez/parsers/ffuf_parser.py +29 -25
souleyez/parsers/gobuster_parser.py +301 -41
souleyez/parsers/hashcat_parser.py +324 -79
souleyez/parsers/http_fingerprint_parser.py +350 -103
souleyez/parsers/hydra_parser.py +131 -111
souleyez/parsers/impacket_parser.py +231 -178
souleyez/parsers/john_parser.py +98 -86
souleyez/parsers/katana_parser.py +316 -0
souleyez/parsers/msf_parser.py +943 -498
souleyez/parsers/nikto_parser.py +346 -65
souleyez/parsers/nmap_parser.py +262 -174
souleyez/parsers/nuclei_parser.py +40 -44
souleyez/parsers/responder_parser.py +26 -26
souleyez/parsers/searchsploit_parser.py +74 -74
souleyez/parsers/service_explorer_parser.py +279 -0
souleyez/parsers/smbmap_parser.py +180 -124
souleyez/parsers/sqlmap_parser.py +434 -308
souleyez/parsers/theharvester_parser.py +75 -57
souleyez/parsers/whois_parser.py +135 -94
souleyez/parsers/wpscan_parser.py +278 -190
souleyez/plugins/afp.py +44 -36
souleyez/plugins/afp_brute.py +114 -46
souleyez/plugins/ard.py +48 -37
souleyez/plugins/bloodhound.py +95 -61
souleyez/plugins/certipy.py +303 -0
souleyez/plugins/crackmapexec.py +186 -85
souleyez/plugins/dalfox.py +120 -59
souleyez/plugins/dns_hijack.py +146 -41
souleyez/plugins/dnsrecon.py +97 -61
souleyez/plugins/enum4linux.py +91 -66
souleyez/plugins/evil_winrm.py +291 -0
souleyez/plugins/ffuf.py +166 -90
souleyez/plugins/firmware_extract.py +133 -29
souleyez/plugins/gobuster.py +387 -190
souleyez/plugins/gpp_extract.py +393 -0
souleyez/plugins/hashcat.py +100 -73
souleyez/plugins/http_fingerprint.py +854 -267
souleyez/plugins/hydra.py +566 -200
souleyez/plugins/impacket_getnpusers.py +117 -69
souleyez/plugins/impacket_psexec.py +84 -64
souleyez/plugins/impacket_secretsdump.py +103 -69
souleyez/plugins/impacket_smbclient.py +89 -75
souleyez/plugins/john.py +86 -69
souleyez/plugins/katana.py +313 -0
souleyez/plugins/kerbrute.py +237 -0
souleyez/plugins/lfi_extract.py +541 -0
souleyez/plugins/macos_ssh.py +117 -48
souleyez/plugins/mdns.py +35 -30
souleyez/plugins/msf_auxiliary.py +253 -130
souleyez/plugins/msf_exploit.py +239 -161
souleyez/plugins/nikto.py +134 -78
souleyez/plugins/nmap.py +275 -91
souleyez/plugins/nuclei.py +180 -89
souleyez/plugins/nxc.py +285 -0
souleyez/plugins/plugin_base.py +35 -36
souleyez/plugins/plugin_template.py +13 -5
souleyez/plugins/rdp_sec_check.py +130 -0
souleyez/plugins/responder.py +112 -71
souleyez/plugins/router_http_brute.py +76 -65
souleyez/plugins/router_ssh_brute.py +118 -41
souleyez/plugins/router_telnet_brute.py +124 -42
souleyez/plugins/routersploit.py +91 -59
souleyez/plugins/routersploit_exploit.py +77 -55
souleyez/plugins/searchsploit.py +91 -77
souleyez/plugins/service_explorer.py +1160 -0
souleyez/plugins/smbmap.py +122 -72
souleyez/plugins/smbpasswd.py +215 -0
souleyez/plugins/sqlmap.py +301 -113
souleyez/plugins/theharvester.py +127 -75
souleyez/plugins/tr069.py +79 -57
souleyez/plugins/upnp.py +65 -47
souleyez/plugins/upnp_abuse.py +73 -55
souleyez/plugins/vnc_access.py +129 -42
souleyez/plugins/vnc_brute.py +109 -38
souleyez/plugins/web_login_test.py +417 -0
souleyez/plugins/whois.py +77 -58
souleyez/plugins/wpscan.py +173 -69
souleyez/reporting/__init__.py +2 -1
souleyez/reporting/attack_chain.py +411 -346
souleyez/reporting/charts.py +436 -501
souleyez/reporting/compliance_mappings.py +334 -201
souleyez/reporting/detection_report.py +126 -125
souleyez/reporting/formatters.py +828 -591
souleyez/reporting/generator.py +386 -302
souleyez/reporting/metrics.py +72 -75
souleyez/scanner.py +35 -29
souleyez/security/__init__.py +37 -11
souleyez/security/scope_validator.py +175 -106
souleyez/security/validation.py +223 -149
souleyez/security.py +22 -6
souleyez/storage/credentials.py +247 -186
souleyez/storage/crypto.py +296 -129
souleyez/storage/database.py +73 -50
souleyez/storage/db.py +58 -36
souleyez/storage/deliverable_evidence.py +177 -128
souleyez/storage/deliverable_exporter.py +282 -246
souleyez/storage/deliverable_templates.py +134 -116
souleyez/storage/deliverables.py +135 -130
souleyez/storage/engagements.py +109 -56
souleyez/storage/evidence.py +181 -152
souleyez/storage/execution_log.py +31 -17
souleyez/storage/exploit_attempts.py +93 -57
souleyez/storage/exploits.py +67 -36
souleyez/storage/findings.py +48 -61
souleyez/storage/hosts.py +176 -144
souleyez/storage/migrate_to_engagements.py +43 -19
souleyez/storage/migrations/_001_add_credential_enhancements.py +22 -12
souleyez/storage/migrations/_002_add_status_tracking.py +10 -7
souleyez/storage/migrations/_003_add_execution_log.py +14 -8
souleyez/storage/migrations/_005_screenshots.py +13 -5
souleyez/storage/migrations/_006_deliverables.py +13 -5
souleyez/storage/migrations/_007_deliverable_templates.py +12 -7
souleyez/storage/migrations/_008_add_nuclei_table.py +10 -4
souleyez/storage/migrations/_010_evidence_linking.py +17 -10
souleyez/storage/migrations/_011_timeline_tracking.py +20 -13
souleyez/storage/migrations/_012_team_collaboration.py +34 -21
souleyez/storage/migrations/_013_add_host_tags.py +12 -6
souleyez/storage/migrations/_014_exploit_attempts.py +22 -10
souleyez/storage/migrations/_015_add_mac_os_fields.py +15 -7
souleyez/storage/migrations/_016_add_domain_field.py +10 -4
souleyez/storage/migrations/_017_msf_sessions.py +16 -8
souleyez/storage/migrations/_018_add_osint_target.py +10 -6
souleyez/storage/migrations/_019_add_engagement_type.py +10 -6
souleyez/storage/migrations/_020_add_rbac.py +36 -15
souleyez/storage/migrations/_021_wazuh_integration.py +20 -8
souleyez/storage/migrations/_022_wazuh_indexer_columns.py +6 -4
souleyez/storage/migrations/_023_fix_detection_results_fk.py +16 -6
souleyez/storage/migrations/_024_wazuh_vulnerabilities.py +26 -10
souleyez/storage/migrations/_025_multi_siem_support.py +3 -5
souleyez/storage/migrations/_026_add_engagement_scope.py +31 -12
souleyez/storage/migrations/_027_multi_siem_persistence.py +32 -15
souleyez/storage/migrations/__init__.py +26 -26
souleyez/storage/migrations/migration_manager.py +19 -19
souleyez/storage/msf_sessions.py +100 -65
souleyez/storage/osint.py +17 -24
souleyez/storage/recommendation_engine.py +269 -235
souleyez/storage/screenshots.py +33 -32
souleyez/storage/smb_shares.py +136 -92
souleyez/storage/sqlmap_data.py +183 -128
souleyez/storage/team_collaboration.py +135 -141
souleyez/storage/timeline_tracker.py +122 -94
souleyez/storage/wazuh_vulns.py +64 -66
souleyez/storage/web_paths.py +33 -37
souleyez/testing/credential_tester.py +221 -205
souleyez/ui/__init__.py +1 -1
souleyez/ui/ai_quotes.py +12 -12
souleyez/ui/attack_surface.py +2439 -1516
souleyez/ui/chain_rules_view.py +914 -382
souleyez/ui/correlation_view.py +312 -230
souleyez/ui/dashboard.py +2382 -1130
souleyez/ui/deliverables_view.py +148 -62
souleyez/ui/design_system.py +13 -13
souleyez/ui/errors.py +49 -49
souleyez/ui/evidence_linking_view.py +284 -179
souleyez/ui/evidence_vault.py +393 -285
souleyez/ui/exploit_suggestions_view.py +555 -349
souleyez/ui/export_view.py +100 -66
souleyez/ui/gap_analysis_view.py +315 -171
souleyez/ui/help_system.py +105 -97
souleyez/ui/intelligence_view.py +436 -293
souleyez/ui/interactive.py +22827 -10678
souleyez/ui/interactive_selector.py +75 -68
souleyez/ui/log_formatter.py +47 -39
souleyez/ui/menu_components.py +22 -13
souleyez/ui/msf_auxiliary_menu.py +184 -133
souleyez/ui/pending_chains_view.py +336 -172
souleyez/ui/progress_indicators.py +5 -3
souleyez/ui/recommendations_view.py +195 -137
souleyez/ui/rule_builder.py +343 -225
souleyez/ui/setup_wizard.py +678 -284
souleyez/ui/shortcuts.py +217 -165
souleyez/ui/splunk_gap_analysis_view.py +452 -270
souleyez/ui/splunk_vulns_view.py +139 -86
souleyez/ui/team_dashboard.py +498 -335
souleyez/ui/template_selector.py +196 -105
souleyez/ui/terminal.py +6 -6
souleyez/ui/timeline_view.py +198 -127
souleyez/ui/tool_setup.py +264 -164
souleyez/ui/tutorial.py +202 -72
souleyez/ui/tutorial_state.py +40 -40
souleyez/ui/wazuh_vulns_view.py +235 -141
souleyez/ui/wordlist_browser.py +260 -107
souleyez/ui.py +464 -312
souleyez/utils/tool_checker.py +427 -367
souleyez/utils.py +33 -29
souleyez/wordlists.py +134 -167
{souleyez-2.43.29.dist-info → souleyez-2.43.34.dist-info}/METADATA +1 -1
souleyez-2.43.34.dist-info/RECORD +443 -0
{souleyez-2.43.29.dist-info → souleyez-2.43.34.dist-info}/WHEEL +1 -1
souleyez-2.43.29.dist-info/RECORD +0 -379
{souleyez-2.43.29.dist-info → souleyez-2.43.34.dist-info}/entry_points.txt +0 -0
{souleyez-2.43.29.dist-info → souleyez-2.43.34.dist-info}/licenses/LICENSE +0 -0
{souleyez-2.43.29.dist-info → souleyez-2.43.34.dist-info}/top_level.txt +0 -0

souleyez/integrations/siem/splunk.py CHANGED Viewed

@@ -50,7 +50,7 @@ class SplunkSIEMClient(SIEMClient):
             default_index: Default index to search
             sourcetypes: List of sourcetypes to include in searches
         """
-        self.api_url = api_url.rstrip('/')
+        self.api_url = api_url.rstrip("/")
         self.username = username
         self.password = password
         self.verify_ssl = verify_ssl
@@ -60,7 +60,7 @@ class SplunkSIEMClient(SIEMClient):
         self._session_key: Optional[str] = None
     @classmethod
-    def from_config(cls, config: Dict[str, Any]) -> 'SplunkSIEMClient':
+    def from_config(cls, config: Dict[str, Any]) -> "SplunkSIEMClient":
         """Create client from configuration dictionary.
         Args:
@@ -70,19 +70,19 @@ class SplunkSIEMClient(SIEMClient):
             SplunkSIEMClient instance
         """
         return cls(
-            api_url=config.get('api_url', ''),
-            username=config.get('username', ''),
-            password=config.get('password', ''),
-            verify_ssl=config.get('verify_ssl', False),
-            token=config.get('token'),
-            default_index=config.get('default_index', 'main'),
-            sourcetypes=config.get('sourcetypes', []),
+            api_url=config.get("api_url", ""),
+            username=config.get("username", ""),
+            password=config.get("password", ""),
+            verify_ssl=config.get("verify_ssl", False),
+            token=config.get("token"),
+            default_index=config.get("default_index", "main"),
+            sourcetypes=config.get("sourcetypes", []),
         )
     @property
     def siem_type(self) -> str:
         """Return the SIEM type identifier."""
-        return 'splunk'
+        return "splunk"
     def _get_session_key(self) -> str:
         """Get Splunk session key for authentication.
@@ -100,17 +100,18 @@ class SplunkSIEMClient(SIEMClient):
         url = f"{self.api_url}/services/auth/login"
         response = requests.post(
             url,
-            data={'username': self.username, 'password': self.password},
+            data={"username": self.username, "password": self.password},
             verify=self.verify_ssl,
-            timeout=30
+            timeout=30,
         )
         response.raise_for_status()
         # Parse XML response to get session key
         # XML is from authenticated Splunk API response, not untrusted input
         import xml.etree.ElementTree as ET
         root = ET.fromstring(response.text)  # nosec B314
-        session_key = root.find('.//sessionKey')
+        session_key = root.find(".//sessionKey")
         if session_key is not None:
             self._session_key = session_key.text
             return self._session_key
@@ -149,7 +150,7 @@ class SplunkSIEMClient(SIEMClient):
             params=params,
             data=data,
             verify=self.verify_ssl,
-            timeout=60
+            timeout=60,
         )
         return response
@@ -162,38 +163,34 @@ class SplunkSIEMClient(SIEMClient):
         try:
             # Get server info
             response = self._request(
-                "GET",
-                "/services/server/info",
-                params={'output_mode': 'json'}
+                "GET", "/services/server/info", params={"output_mode": "json"}
             )
             response.raise_for_status()
             data = response.json()
-            entry = data.get('entry', [{}])[0]
-            content = entry.get('content', {})
+            entry = data.get("entry", [{}])[0]
+            content = entry.get("content", {})
             return SIEMConnectionStatus(
                 connected=True,
-                version=content.get('version', 'unknown'),
-                siem_type='splunk',
+                version=content.get("version", "unknown"),
+                siem_type="splunk",
                 details={
-                    'server_name': content.get('serverName', ''),
-                    'build': content.get('build', ''),
-                    'os': content.get('os_name', ''),
-                    'license': content.get('licenseState', ''),
-                }
+                    "server_name": content.get("serverName", ""),
+                    "build": content.get("build", ""),
+                    "os": content.get("os_name", ""),
+                    "license": content.get("licenseState", ""),
+                },
             )
         except requests.exceptions.ConnectionError as e:
             return SIEMConnectionStatus(
                 connected=False,
                 error=f"Connection failed: {str(e)}",
-                siem_type='splunk'
+                siem_type="splunk",
             )
         except Exception as e:
             return SIEMConnectionStatus(
-                connected=False,
-                error=str(e),
-                siem_type='splunk'
+                connected=False, error=str(e), siem_type="splunk"
             )
     def _run_search(
@@ -201,7 +198,7 @@ class SplunkSIEMClient(SIEMClient):
         spl_query: str,
         earliest_time: str = "-1h",
         latest_time: str = "now",
-        max_results: int = 100
+        max_results: int = 100,
     ) -> List[Dict[str, Any]]:
         """Run a SPL search and return results.
@@ -219,15 +216,15 @@ class SplunkSIEMClient(SIEMClient):
             "POST",
             "/services/search/jobs",
             data={
-                'search': f'search {spl_query}',
-                'earliest_time': earliest_time,
-                'latest_time': latest_time,
-                'output_mode': 'json',
-            }
+                "search": f"search {spl_query}",
+                "earliest_time": earliest_time,
+                "latest_time": latest_time,
+                "output_mode": "json",
+            },
         )
         response.raise_for_status()
         data = response.json()
-        sid = data.get('sid')
+        sid = data.get("sid")
         if not sid:
             return []
@@ -237,15 +234,13 @@ class SplunkSIEMClient(SIEMClient):
         waited = 0
         while waited < max_wait:
             status_resp = self._request(
-                "GET",
-                f"/services/search/jobs/{sid}",
-                params={'output_mode': 'json'}
+                "GET", f"/services/search/jobs/{sid}", params={"output_mode": "json"}
             )
             status_data = status_resp.json()
-            entry = status_data.get('entry', [{}])[0]
-            content = entry.get('content', {})
+            entry = status_data.get("entry", [{}])[0]
+            content = entry.get("content", {})
-            if content.get('isDone'):
+            if content.get("isDone"):
                 break
             time.sleep(1)
@@ -255,12 +250,12 @@ class SplunkSIEMClient(SIEMClient):
         results_resp = self._request(
             "GET",
             f"/services/search/jobs/{sid}/results",
-            params={'output_mode': 'json', 'count': max_results}
+            params={"output_mode": "json", "count": max_results},
         )
         if results_resp.status_code == 200:
             results_data = results_resp.json()
-            return results_data.get('results', [])
+            return results_data.get("results", [])
         return []
@@ -272,7 +267,7 @@ class SplunkSIEMClient(SIEMClient):
         dest_ip: Optional[str] = None,
         rule_ids: Optional[List[str]] = None,
         search_text: Optional[str] = None,
-        limit: int = 100
+        limit: int = 100,
     ) -> List[SIEMAlert]:
         """Query alerts from Splunk.
@@ -289,12 +284,12 @@ class SplunkSIEMClient(SIEMClient):
             List of normalized SIEMAlert objects
         """
         # Build SPL query
-        query_parts = [f'index={self.default_index}']
+        query_parts = [f"index={self.default_index}"]
         # Add sourcetype filter
         if self.sourcetypes:
-            st_filter = ' OR '.join(f'sourcetype="{st}"' for st in self.sourcetypes)
-            query_parts.append(f'({st_filter})')
+            st_filter = " OR ".join(f'sourcetype="{st}"' for st in self.sourcetypes)
+            query_parts.append(f"({st_filter})")
         # IP filters - search common field names and raw text
         if source_ip:
@@ -316,14 +311,14 @@ class SplunkSIEMClient(SIEMClient):
         # Rule IDs (saved search names or correlation rule IDs)
         if rule_ids:
-            rule_filter = ' OR '.join(f'savedsearch_name="{r}"' for r in rule_ids)
-            query_parts.append(f'({rule_filter})')
+            rule_filter = " OR ".join(f'savedsearch_name="{r}"' for r in rule_ids)
+            query_parts.append(f"({rule_filter})")
-        spl = ' '.join(query_parts)
+        spl = " ".join(query_parts)
         # Time range formatting
-        earliest = start_time.strftime('%Y-%m-%dT%H:%M:%S')
-        latest = end_time.strftime('%Y-%m-%dT%H:%M:%S')
+        earliest = start_time.strftime("%Y-%m-%dT%H:%M:%S")
+        latest = end_time.strftime("%Y-%m-%dT%H:%M:%S")
         results = self._run_search(spl, earliest, latest, limit)
         return [self._normalize_alert(r) for r in results]
@@ -341,17 +336,20 @@ class SplunkSIEMClient(SIEMClient):
         # Try to parse _raw if it's JSON (HEC events store data here)
         event_data = {}
-        raw_str = raw_result.get('_raw', '')
+        raw_str = raw_result.get("_raw", "")
         if raw_str and isinstance(raw_str, str):
             try:
                 parsed = json_lib.loads(raw_str)
                 # HEC wraps in 'event' key, or data might be at top level
-                event_data = parsed.get('event', parsed) if isinstance(parsed, dict) else {}
+                event_data = (
+                    parsed.get("event", parsed) if isinstance(parsed, dict) else {}
+                )
             except (json_lib.JSONDecodeError, TypeError):
                 # Try to extract embedded JSON from syslog lines
                 # Format: "Jan  7 14:23:38 host program {json...}"
                 import re
-                json_match = re.search(r'\{.*\}', raw_str)
+                json_match = re.search(r"\{.*\}", raw_str)
                 if json_match:
                     try:
                         event_data = json_lib.loads(json_match.group())
@@ -359,7 +357,7 @@ class SplunkSIEMClient(SIEMClient):
                         pass
         # Helper to get field from event_data first, then raw_result
-        def get_field(*keys, default=''):
+        def get_field(*keys, default=""):
             for key in keys:
                 if event_data.get(key):
                     return event_data[key]
@@ -368,21 +366,21 @@ class SplunkSIEMClient(SIEMClient):
             return default
         # Parse timestamp
-        timestamp_str = raw_result.get('_time', '')
+        timestamp_str = raw_result.get("_time", "")
         try:
-            timestamp = datetime.fromisoformat(timestamp_str.replace('Z', '+00:00'))
+            timestamp = datetime.fromisoformat(timestamp_str.replace("Z", "+00:00"))
         except (ValueError, AttributeError):
             timestamp = datetime.now()
         # Extract rule/alert info - check event_data first
-        rule_id = get_field('rule_id', 'rule_name', 'savedsearch_name', 'alert')
-        rule_name = get_field('rule_name', 'search_name') or rule_id
+        rule_id = get_field("rule_id", "rule_name", "savedsearch_name", "alert")
+        rule_name = get_field("rule_name", "search_name") or rule_id
         # For plain log events (no alert fields), use event_type or sourcetype
         if not rule_id:
             # Prefer Suricata event_type over generic sourcetype
-            event_type = get_field('event_type')
-            sourcetype = raw_result.get('sourcetype', '')
+            event_type = get_field("event_type")
+            sourcetype = raw_result.get("sourcetype", "")
             if event_type:
                 rule_id = event_type
                 rule_name = f"Suricata: {event_type}"
@@ -391,89 +389,104 @@ class SplunkSIEMClient(SIEMClient):
                 rule_name = f"Log: {sourcetype}"
         # Map severity - check event_data first
-        severity_raw = get_field('severity', default='info')
+        severity_raw = get_field("severity", default="info")
         severity = self._map_severity(severity_raw)
         # Extract IPs - check event_data first
-        source_ip = get_field('src_ip', 'src', 'source_ip')
-        dest_ip = get_field('dest_ip', 'dest', 'destination_ip')
+        source_ip = get_field("src_ip", "src", "source_ip")
+        dest_ip = get_field("dest_ip", "dest", "destination_ip")
         # For plain log events, use 'host' as source
         if not source_ip:
-            source_ip = raw_result.get('host', '')
+            source_ip = raw_result.get("host", "")
         # Extract description - try multiple sources
-        description = get_field('description', 'signature', 'message')
+        description = get_field("description", "signature", "message")
         # Suricata-specific: check nested alert object
-        if not description and event_data.get('alert'):
-            alert_obj = event_data['alert']
+        if not description and event_data.get("alert"):
+            alert_obj = event_data["alert"]
             if isinstance(alert_obj, dict):
-                description = alert_obj.get('signature', alert_obj.get('category', ''))
+                description = alert_obj.get("signature", alert_obj.get("category", ""))
         # Suricata event_type with context
         if not description:
-            event_type = get_field('event_type', 'category')
+            event_type = get_field("event_type", "category")
             if event_type:
                 # Add context based on event type
-                if event_type == 'dns' and event_data.get('dns'):
-                    dns = event_data['dns']
-                    rrname = dns.get('rrname', '') if isinstance(dns, dict) else ''
+                if event_type == "dns" and event_data.get("dns"):
+                    dns = event_data["dns"]
+                    rrname = dns.get("rrname", "") if isinstance(dns, dict) else ""
                     description = f"DNS: {rrname}" if rrname else f"DNS query"
-                elif event_type == 'http' and event_data.get('http'):
-                    http = event_data['http']
-                    hostname = http.get('hostname', '') if isinstance(http, dict) else ''
+                elif event_type == "http" and event_data.get("http"):
+                    http = event_data["http"]
+                    hostname = (
+                        http.get("hostname", "") if isinstance(http, dict) else ""
+                    )
                     description = f"HTTP: {hostname}" if hostname else "HTTP request"
-                elif event_type == 'flow':
-                    app_proto = get_field('app_proto', default='')
+                elif event_type == "flow":
+                    app_proto = get_field("app_proto", default="")
                     description = f"Flow: {app_proto}" if app_proto else "Network flow"
-                elif event_type == 'alert':
+                elif event_type == "alert":
                     description = "Suricata alert"
                 else:
-                    description = f"{event_type}: {get_field('action', default='detected')}"
+                    description = (
+                        f"{event_type}: {get_field('action', default='detected')}"
+                    )
         # For plain log events, try to extract something useful from _raw
         if not description and raw_str:
             # Skip syslog header to get actual message
             # Format: "Mon DD HH:MM:SS hostname program: message"
             import re
             # Try to extract message after "program:" or "program["
-            msg_match = re.search(r'^\w+\s+\d+\s+[\d:]+\s+\S+\s+\S+[:\[]\s*(.+)', raw_str)
+            msg_match = re.search(
+                r"^\w+\s+\d+\s+[\d:]+\s+\S+\s+\S+[:\[]\s*(.+)", raw_str
+            )
             if msg_match:
                 description = msg_match.group(1).strip()[:150]
             else:
                 # Fallback: clean up raw log
-                clean_raw = raw_str.replace('\n', ' ').strip()
+                clean_raw = raw_str.replace("\n", " ").strip()
                 # Skip if it's just timestamps/IPs with no real content
                 if len(clean_raw) > 50:
-                    description = clean_raw[:150] + ('...' if len(clean_raw) > 150 else '')
+                    description = clean_raw[:150] + (
+                        "..." if len(clean_raw) > 150 else ""
+                    )
                 else:
-                    description = clean_raw if clean_raw else 'No details available'
+                    description = clean_raw if clean_raw else "No details available"
         # Extract MITRE info - check event_data first
         mitre_tactics = []
         mitre_techniques = []
-        mitre_tactic = get_field('mitre_tactic', 'mitre_attack_tactic')
-        mitre_tech = get_field('mitre_technique', 'mitre_attack_technique_id')
+        mitre_tactic = get_field("mitre_tactic", "mitre_attack_tactic")
+        mitre_tech = get_field("mitre_technique", "mitre_attack_technique_id")
         if mitre_tactic:
-            mitre_tactics = [mitre_tactic] if isinstance(mitre_tactic, str) else mitre_tactic
+            mitre_tactics = (
+                [mitre_tactic] if isinstance(mitre_tactic, str) else mitre_tactic
+            )
         if mitre_tech:
-            mitre_techniques = [mitre_tech] if isinstance(mitre_tech, str) else mitre_tech
+            mitre_techniques = (
+                [mitre_tech] if isinstance(mitre_tech, str) else mitre_tech
+            )
         # Store both raw_result and parsed event_data
         full_raw = raw_result.copy()
         if event_data:
-            full_raw['_parsed_event'] = event_data
+            full_raw["_parsed_event"] = event_data
         return SIEMAlert(
-            id=raw_result.get('_cd', raw_result.get('_serial', str(hash(raw_str))[:12])),
+            id=raw_result.get(
+                "_cd", raw_result.get("_serial", str(hash(raw_str))[:12])
+            ),
             timestamp=timestamp,
-            rule_id=str(rule_id) if rule_id else '',
-            rule_name=str(rule_name) if rule_name else '',
+            rule_id=str(rule_id) if rule_id else "",
+            rule_name=str(rule_name) if rule_name else "",
             severity=severity,
             source_ip=source_ip if source_ip else None,
             dest_ip=dest_ip if dest_ip else None,
-            description=str(description)[:200] if description else '',
+            description=str(description)[:200] if description else "",
             raw_data=full_raw,
             mitre_tactics=mitre_tactics,
             mitre_techniques=mitre_techniques,
@@ -482,20 +495,18 @@ class SplunkSIEMClient(SIEMClient):
     def _map_severity(self, severity: str) -> str:
         """Map Splunk severity to normalized severity."""
         severity_lower = str(severity).lower()
-        if severity_lower in ('critical', 'crit', '1'):
-            return 'critical'
-        elif severity_lower in ('high', '2'):
-            return 'high'
-        elif severity_lower in ('medium', 'med', '3'):
-            return 'medium'
-        elif severity_lower in ('low', '4'):
-            return 'low'
-        return 'info'
+        if severity_lower in ("critical", "crit", "1"):
+            return "critical"
+        elif severity_lower in ("high", "2"):
+            return "high"
+        elif severity_lower in ("medium", "med", "3"):
+            return "medium"
+        elif severity_lower in ("low", "4"):
+            return "low"
+        return "info"
     def get_rules(
-        self,
-        rule_ids: Optional[List[str]] = None,
-        enabled_only: bool = True
+        self, rule_ids: Optional[List[str]] = None, enabled_only: bool = True
     ) -> List[SIEMRule]:
         """Get saved searches/correlation rules from Splunk.
@@ -510,34 +521,34 @@ class SplunkSIEMClient(SIEMClient):
         response = self._request(
             "GET",
             "/servicesNS/-/-/saved/searches",
-            params={'output_mode': 'json', 'count': 500}
+            params={"output_mode": "json", "count": 500},
         )
         if response.status_code != 200:
             return []
         data = response.json()
-        entries = data.get('entry', [])
+        entries = data.get("entry", [])
         rules = []
         for entry in entries:
-            name = entry.get('name', '')
-            content = entry.get('content', {})
+            name = entry.get("name", "")
+            content = entry.get("content", {})
             # Filter by rule_ids if provided
             if rule_ids and name not in rule_ids:
                 continue
             # Filter disabled if requested
-            if enabled_only and content.get('disabled', False):
+            if enabled_only and content.get("disabled", False):
                 continue
             rule = SIEMRule(
                 id=name,
                 name=name,
-                description=content.get('description', ''),
-                severity=self._map_severity(content.get('alert.severity', '')),
-                enabled=not content.get('disabled', False),
+                description=content.get("description", ""),
+                severity=self._map_severity(content.get("alert.severity", "")),
+                enabled=not content.get("disabled", False),
                 mitre_tactics=[],
                 mitre_techniques=[],
                 raw_data=content,
@@ -547,9 +558,7 @@ class SplunkSIEMClient(SIEMClient):
         return rules
     def get_hosts(
-        self,
-        time_range: str = "-24h",
-        limit: int = 100
+        self, time_range: str = "-24h", limit: int = 100
     ) -> List[Dict[str, Any]]:
         """Query hosts that have sent data to Splunk.
@@ -564,36 +573,42 @@ class SplunkSIEMClient(SIEMClient):
         """
         # Query to get unique hosts with stats
         spl = (
-            f'index={self.default_index} '
-            f'| stats count as event_count, latest(_time) as last_seen, '
-            f'values(sourcetype) as sourcetypes by host '
-            f'| sort -last_seen '
-            f'| head {limit}'
+            f"index={self.default_index} "
+            f"| stats count as event_count, latest(_time) as last_seen, "
+            f"values(sourcetype) as sourcetypes by host "
+            f"| sort -last_seen "
+            f"| head {limit}"
         )
-        results = self._run_search(spl, earliest_time=time_range, latest_time="now", max_results=limit)
+        results = self._run_search(
+            spl, earliest_time=time_range, latest_time="now", max_results=limit
+        )
         hosts = []
         for r in results:
             # Parse sourcetypes (may be multivalue)
-            sourcetypes_raw = r.get('sourcetypes', '')
+            sourcetypes_raw = r.get("sourcetypes", "")
             if isinstance(sourcetypes_raw, list):
                 sourcetypes = sourcetypes_raw
             elif isinstance(sourcetypes_raw, str):
-                sourcetypes = [s.strip() for s in sourcetypes_raw.split(',') if s.strip()]
+                sourcetypes = [
+                    s.strip() for s in sourcetypes_raw.split(",") if s.strip()
+                ]
             else:
                 sourcetypes = []
             # Infer OS from sourcetypes and hostname
-            os_name = self._infer_os(sourcetypes, r.get('host', ''))
+            os_name = self._infer_os(sourcetypes, r.get("host", ""))
-            hosts.append({
-                'name': r.get('host', 'unknown'),
-                'last_seen': r.get('last_seen', ''),
-                'event_count': int(r.get('event_count', 0)),
-                'sourcetypes': sourcetypes,
-                'os': os_name,
-            })
+            hosts.append(
+                {
+                    "name": r.get("host", "unknown"),
+                    "last_seen": r.get("last_seen", ""),
+                    "event_count": int(r.get("event_count", 0)),
+                    "sourcetypes": sourcetypes,
+                    "os": os_name,
+                }
+            )
         return hosts
@@ -613,38 +628,45 @@ class SplunkSIEMClient(SIEMClient):
         # Check sourcetype patterns
         for st in sourcetypes_lower:
             # macOS patterns
-            if 'macos' in st or 'osx' in st or 'darwin' in st:
-                return 'macOS'
+            if "macos" in st or "osx" in st or "darwin" in st:
+                return "macOS"
             # Windows patterns
-            if 'winevent' in st or 'windows' in st or 'win:' in st:
-                return 'Windows'
+            if "winevent" in st or "windows" in st or "win:" in st:
+                return "Windows"
             # Linux patterns
-            if 'linux' in st:
-                return 'Linux'
+            if "linux" in st:
+                return "Linux"
         # Check hostname patterns
-        if 'mac' in hostname_lower or 'macbook' in hostname_lower or 'imac' in hostname_lower:
-            return 'macOS'
-        if 'win' in hostname_lower or 'desktop-' in hostname_lower:
-            return 'Windows'
+        if (
+            "mac" in hostname_lower
+            or "macbook" in hostname_lower
+            or "imac" in hostname_lower
+        ):
+            return "macOS"
+        if "win" in hostname_lower or "desktop-" in hostname_lower:
+            return "Windows"
         # Infer from common sourcetypes
         for st in sourcetypes_lower:
-            if st in ('linux_secure', 'linux_audit', 'linux_messages', 'linux_syslog'):
-                return 'Linux'
-            if st in ('syslog',):
+            if st in ("linux_secure", "linux_audit", "linux_messages", "linux_syslog"):
+                return "Linux"
+            if st in ("syslog",):
                 # Generic syslog - could be Linux, BSD, or network device
                 # Check hostname for clues
-                if any(x in hostname_lower for x in ['ubuntu', 'debian', 'centos', 'rhel', 'fedora']):
-                    return 'Linux'
-                if 'metasploitable' in hostname_lower:
-                    return 'Linux'
+                if any(
+                    x in hostname_lower
+                    for x in ["ubuntu", "debian", "centos", "rhel", "fedora"]
+                ):
+                    return "Linux"
+                if "metasploitable" in hostname_lower:
+                    return "Linux"
                 # Default syslog to Linux (most common)
-                return 'Linux'
-            if 'apache' in st or 'nginx' in st:
-                return 'Linux'  # Most common, though not guaranteed
+                return "Linux"
+            if "apache" in st or "nginx" in st:
+                return "Linux"  # Most common, though not guaranteed
-        return 'Unknown'
+        return "Unknown"
     def get_vulnerabilities(
         self,
@@ -653,7 +675,7 @@ class SplunkSIEMClient(SIEMClient):
         severity: Optional[str] = None,
         agent_name: Optional[str] = None,
         limit: int = 1000,
-        time_range: str = "-7d"
+        time_range: str = "-7d",
     ) -> List[Dict[str, Any]]:
         """Query vulnerability data from Splunk.
@@ -671,7 +693,7 @@ class SplunkSIEMClient(SIEMClient):
             List of vulnerability dictionaries
         """
         # Build SPL query
-        query_parts = [f'index={index} sourcetype={sourcetype}']
+        query_parts = [f"index={index} sourcetype={sourcetype}"]
         if severity:
             query_parts.append(f'severity="{severity}"')
@@ -679,30 +701,36 @@ class SplunkSIEMClient(SIEMClient):
             query_parts.append(f'agent_name="*{agent_name}*"')
         # Dedup by CVE and agent, get latest
-        spl = ' '.join(query_parts) + (
-            f' | dedup cve, agent_name'
-            f' | table cve, severity, cvss_score, package_name, package_version, '
-            f'os_name, agent_name, agent_id, detected_at, description'
-            f' | sort -cvss_score'
-            f' | head {limit}'
+        spl = " ".join(query_parts) + (
+            f" | dedup cve, agent_name"
+            f" | table cve, severity, cvss_score, package_name, package_version, "
+            f"os_name, agent_name, agent_id, detected_at, description"
+            f" | sort -cvss_score"
+            f" | head {limit}"
         )
-        results = self._run_search(spl, earliest_time=time_range, latest_time="now", max_results=limit)
+        results = self._run_search(
+            spl, earliest_time=time_range, latest_time="now", max_results=limit
+        )
         vulns = []
         for r in results:
-            vulns.append({
-                'cve_id': r.get('cve', ''),
-                'severity': r.get('severity', 'Medium'),
-                'cvss_score': float(r.get('cvss_score', 0)) if r.get('cvss_score') else None,
-                'package_name': r.get('package_name', ''),
-                'package_version': r.get('package_version', ''),
-                'os_name': r.get('os_name', ''),
-                'agent_name': r.get('agent_name', ''),
-                'agent_id': r.get('agent_id', ''),
-                'detected_at': r.get('detected_at', ''),
-                'description': r.get('description', ''),
-            })
+            vulns.append(
+                {
+                    "cve_id": r.get("cve", ""),
+                    "severity": r.get("severity", "Medium"),
+                    "cvss_score": (
+                        float(r.get("cvss_score", 0)) if r.get("cvss_score") else None
+                    ),
+                    "package_name": r.get("package_name", ""),
+                    "package_version": r.get("package_version", ""),
+                    "os_name": r.get("os_name", ""),
+                    "agent_name": r.get("agent_name", ""),
+                    "agent_id": r.get("agent_id", ""),
+                    "detected_at": r.get("detected_at", ""),
+                    "description": r.get("description", ""),
+                }
+            )
         return vulns
@@ -710,7 +738,7 @@ class SplunkSIEMClient(SIEMClient):
         self,
         index: str = "wazuh_vulns",
         sourcetype: str = "wazuh:vulnerabilities",
-        time_range: str = "-7d"
+        time_range: str = "-7d",
     ) -> Dict[str, Any]:
         """Get vulnerability summary statistics from Splunk.
@@ -724,38 +752,44 @@ class SplunkSIEMClient(SIEMClient):
         """
         # Get counts by severity
         spl = (
-            f'index={index} sourcetype={sourcetype}'
-            f' | dedup cve, agent_name'
-            f' | stats dc(cve) as unique_cves, count as total by severity'
+            f"index={index} sourcetype={sourcetype}"
+            f" | dedup cve, agent_name"
+            f" | stats dc(cve) as unique_cves, count as total by severity"
         )
-        results = self._run_search(spl, earliest_time=time_range, latest_time="now", max_results=10)
+        results = self._run_search(
+            spl, earliest_time=time_range, latest_time="now", max_results=10
+        )
         by_severity = {}
         total = 0
         unique_cves = 0
         for r in results:
-            sev = r.get('severity', 'Unknown')
-            count = int(r.get('total', 0))
-            cve_count = int(r.get('unique_cves', 0))
+            sev = r.get("severity", "Unknown")
+            count = int(r.get("total", 0))
+            cve_count = int(r.get("unique_cves", 0))
             by_severity[sev] = count
             total += count
             unique_cves += cve_count
         # Get affected agents count
         spl_agents = (
-            f'index={index} sourcetype={sourcetype}'
-            f' | stats dc(agent_name) as agent_count'
+            f"index={index} sourcetype={sourcetype}"
+            f" | stats dc(agent_name) as agent_count"
+        )
+        agent_results = self._run_search(
+            spl_agents, earliest_time=time_range, latest_time="now", max_results=1
+        )
+        agent_count = (
+            int(agent_results[0].get("agent_count", 0)) if agent_results else 0
         )
-        agent_results = self._run_search(spl_agents, earliest_time=time_range, latest_time="now", max_results=1)
-        agent_count = int(agent_results[0].get('agent_count', 0)) if agent_results else 0
         return {
-            'total': total,
-            'unique_cves': unique_cves,
-            'by_severity': by_severity,
-            'agents_affected': agent_count,
+            "total": total,
+            "unique_cves": unique_cves,
+            "by_severity": by_severity,
+            "agents_affected": agent_count,
         }
     def get_recommended_rules(self, attack_type: str) -> List[Dict[str, Any]]:
@@ -769,25 +803,25 @@ class SplunkSIEMClient(SIEMClient):
         """
         # Splunk-specific rule recommendations
         recommendations_map = {
-            'nmap': [
+            "nmap": [
                 {
-                    'rule_id': 'Network_Port_Scan_Detection',
-                    'rule_name': 'Network Port Scan Detection',
-                    'spl': 'index=* sourcetype=firewall | stats count by src_ip dest_port | where count > 100',
+                    "rule_id": "Network_Port_Scan_Detection",
+                    "rule_name": "Network Port Scan Detection",
+                    "spl": "index=* sourcetype=firewall | stats count by src_ip dest_port | where count > 100",
                 },
             ],
-            'hydra': [
+            "hydra": [
                 {
-                    'rule_id': 'Brute_Force_Authentication',
-                    'rule_name': 'Brute Force Authentication Detection',
-                    'spl': 'index=* sourcetype=*auth* | stats count by src_ip user | where count > 10',
+                    "rule_id": "Brute_Force_Authentication",
+                    "rule_name": "Brute Force Authentication Detection",
+                    "spl": "index=* sourcetype=*auth* | stats count by src_ip user | where count > 10",
                 },
             ],
-            'sqlmap': [
+            "sqlmap": [
                 {
-                    'rule_id': 'SQL_Injection_Attempt',
-                    'rule_name': 'SQL Injection Attempt Detection',
-                    'spl': 'index=* sourcetype=*web* | search *UNION* OR *SELECT* | stats count by src_ip',
+                    "rule_id": "SQL_Injection_Attempt",
+                    "rule_name": "SQL Injection Attempt Detection",
+                    "spl": "index=* sourcetype=*web* | search *UNION* OR *SELECT* | stats count by src_ip",
                 },
             ],
         }
@@ -797,13 +831,13 @@ class SplunkSIEMClient(SIEMClient):
         return [
             {
-                'rule_id': r['rule_id'],
-                'rule_name': r['rule_name'],
-                'description': f"Splunk saved search for detecting {attack_type}",
-                'severity': 'high',
-                'enabled': True,
-                'siem_type': 'splunk',
-                'spl_query': r.get('spl', ''),
+                "rule_id": r["rule_id"],
+                "rule_name": r["rule_name"],
+                "description": f"Splunk saved search for detecting {attack_type}",
+                "severity": "high",
+                "enabled": True,
+                "siem_type": "splunk",
+                "spl_query": r.get("spl", ""),
             }
             for r in recommendations
         ]

souleyez 2.43.29__py3-none-any.whl → 2.43.34__py3-none-any.whl

souleyez 2.43.29py3-none-any.whl → 2.43.34py3-none-any.whl