feat(phase-21): add V3 demo seed, DataSource and DetectionRule models (T-200, T-201, T-202)

2026-02-09 16:06:44 +01:00
parent 29eab4ef77
commit 022c4f2886
7 changed files with 796 additions and 1 deletions
--- a/backend/app/models/detection_rule.py
+++ b/backend/app/models/detection_rule.py
@@ -0,0 +1,42 @@
+"""DetectionRule model — detection rules from multiple sources."""
+
+import uuid
+from datetime import datetime
+
+from sqlalchemy import Column, String, Text, Boolean, DateTime, Index
+from sqlalchemy.dialects.postgresql import UUID, JSONB
+
+from app.database import Base
+
+
+class DetectionRule(Base):
+    """
+    Detection rule from an external source (Sigma, Elastic, Splunk, custom).
+
+    Each rule is mapped to one MITRE ATT&CK technique via
+    ``mitre_technique_id`` and stores the complete rule content in
+    ``rule_content``.
+    """
+    __tablename__ = "detection_rules"
+
+    id = Column(UUID(as_uuid=True), primary_key=True, default=uuid.uuid4)
+    mitre_technique_id = Column(String, nullable=False)            # e.g. "T1059.001"
+    title = Column(String, nullable=False)
+    description = Column(Text, nullable=True)
+    source = Column(String, nullable=False)                        # sigma / elastic / splunk / custom
+    source_id = Column(String, nullable=True)                      # ID in the source repo (for dedup)
+    source_url = Column(String, nullable=True)
+    rule_content = Column(Text, nullable=False)                    # YAML / KQL / SPL content
+    rule_format = Column(String, nullable=False)                   # sigma_yaml / kql / spl / custom
+    severity = Column(String, nullable=True)                       # informational / low / medium / high / critical
+    platforms = Column(JSONB, nullable=True, default=[])
+    log_sources = Column(JSONB, nullable=True)                     # e.g. {"product": "windows", "service": "sysmon"}
+    false_positive_rate = Column(String, nullable=True)            # low / medium / high
+    is_active = Column(Boolean, default=True)
+    created_at = Column(DateTime, default=datetime.utcnow)
+
+    __table_args__ = (
+        Index('ix_detection_rules_mitre_technique_id', 'mitre_technique_id'),
+        Index('ix_detection_rules_source', 'source'),
+        Index('ix_detection_rules_severity', 'severity'),
+    )