"""DetectionRule model — detection rules from multiple sources.""" # Import uuid import uuid # Import Boolean, Column, DateTime, Index, String, Text,... from sqlalchemy from sqlalchemy import Boolean, Column, DateTime, Index, String, Text, func # Import JSONB, UUID from sqlalchemy.dialects.postgresql from sqlalchemy.dialects.postgresql import JSONB, UUID # Import Base from app.database from app.database import Base # Define class DetectionRule class DetectionRule(Base): """Detection rule from an external source (Sigma, Elastic, Splunk, custom). Each rule is mapped to one MITRE ATT&CK technique via ``mitre_technique_id`` and stores the complete rule content in ``rule_content``. """ # Assign __tablename__ = "detection_rules" __tablename__ = "detection_rules" # Assign id = Column(UUID(as_uuid=True), primary_key=True, default=uuid.uuid4) id = Column(UUID(as_uuid=True), primary_key=True, default=uuid.uuid4) # Assign mitre_technique_id = Column(String, nullable=False) # e.g. "T1059.001" mitre_technique_id = Column(String, nullable=False) # e.g. "T1059.001" # Assign title = Column(String, nullable=False) title = Column(String, nullable=False) # Assign description = Column(Text, nullable=True) description = Column(Text, nullable=True) # Assign source = Column(String, nullable=False) # sigma / ela... source = Column(String, nullable=False) # sigma / elastic / splunk / custom # Assign source_id = Column(String, nullable=True) # ID in the sour... source_id = Column(String, nullable=True) # ID in the source repo (for dedup) # Assign source_url = Column(String, nullable=True) source_url = Column(String, nullable=True) # Assign rule_content = Column(Text, nullable=False) # YAML / KQL / SPL ... rule_content = Column(Text, nullable=False) # YAML / KQL / SPL content # Assign rule_format = Column(String, nullable=False) # sigma_yaml / kql... rule_format = Column(String, nullable=False) # sigma_yaml / kql / spl / custom # Assign severity = Column(String, nullable=True) # informational... severity = Column(String, nullable=True) # informational / low / medium / high / critical # Assign platforms = Column(JSONB, nullable=True, default=[]) platforms = Column(JSONB, nullable=True, default=[]) # Assign log_sources = Column(JSONB, nullable=True) # e.g. {"product":... log_sources = Column(JSONB, nullable=True) # e.g. {"product": "windows", "service": "sysmon"} # Assign false_positive_rate = Column(String, nullable=True) # low / medium / high false_positive_rate = Column(String, nullable=True) # low / medium / high # Assign is_active = Column(Boolean, default=True) is_active = Column(Boolean, default=True) # Assign created_at = Column(DateTime(timezone=True), server_default=func.now()) created_at = Column(DateTime(timezone=True), server_default=func.now()) # Assign __table_args__ = ( __table_args__ = ( Index('ix_detection_rules_mitre_technique_id', 'mitre_technique_id'), Index('ix_detection_rules_source', 'source'), Index('ix_detection_rules_severity', 'severity'), )