"""Detection rules endpoints — listing, filtering, and template association. Thin HTTP adapter: delegates all query and business logic to detection_rule_service. Provides endpoints for browsing detection rules, querying rules by technique, and managing the template ↔ detection rule associations. """ import uuid from typing import Optional from fastapi import APIRouter, Depends, Query from pydantic import BaseModel from sqlalchemy.orm import Session from app.database import get_db from app.dependencies.auth import get_current_user, require_role, require_any_role from app.models.user import User from app.services.detection_rule_service import ( list_rules, get_rules_for_template, auto_associate_rules, get_rules_for_test, evaluate_rule, ) # ── Pydantic schemas for request validation ──────────────────────────── class DetectionRuleEvaluate(BaseModel): """Payload for evaluating a detection rule against a test.""" test_id: uuid.UUID detection_rule_id: uuid.UUID triggered: Optional[bool] = None notes: Optional[str] = None router = APIRouter(prefix="/detection-rules", tags=["detection-rules"]) # ── GET /detection-rules — List with filters ─────────────────────────── @router.get("") def list_detection_rules( technique: Optional[str] = Query(None, description="Filter by MITRE technique ID"), source: Optional[str] = Query(None, description="Filter by source (sigma, elastic, splunk, custom)"), severity: Optional[str] = Query(None), search: Optional[str] = Query(None), offset: int = Query(0, ge=0), limit: int = Query(50, ge=1, le=200), db: Session = Depends(get_db), current_user: User = Depends(get_current_user), ): """List detection rules with optional filters and pagination.""" return list_rules( db, technique=technique, source=source, severity=severity, search=search, offset=offset, limit=limit, ) # ── GET /detection-rules/for-template/{template_id} ──────────────────── @router.get("/for-template/{template_id}") def get_detection_rules_for_template( template_id: str, db: Session = Depends(get_db), current_user: User = Depends(get_current_user), ): """Get detection rules associated with a test template.""" return get_rules_for_template(db, template_id) # ── POST /detection-rules/auto-associate ──────────────────────────────── @router.post("/auto-associate") def auto_associate_detection_rules( db: Session = Depends(get_db), current_user: User = Depends(require_role("admin")), ): """Auto-associate test templates with detection rules by MITRE technique ID. For each active template, find all active detection rules for the same technique and create associations. Rules with severity >= high are marked as primary. """ return auto_associate_rules(db) # ── GET /detection-rules/for-test/{test_id} ────────────────────────────── @router.get("/for-test/{test_id}") def get_detection_rules_for_test( test_id: str, db: Session = Depends(get_db), current_user: User = Depends(get_current_user), ): """Get detection rules relevant to a test, along with their evaluation results. Finds rules by matching the test's technique_id to detection rules, and returns any existing evaluation results. """ return get_rules_for_test(db, test_id) # ── POST /detection-rules/evaluate ────────────────────────────────────── @router.post("/evaluate") def evaluate_detection_rule( payload: DetectionRuleEvaluate, db: Session = Depends(get_db), current_user: User = Depends(require_any_role("blue_tech", "blue_lead")), ): """Save or update the evaluation result for a detection rule on a test.""" return evaluate_rule( db, test_id=payload.test_id, detection_rule_id=payload.detection_rule_id, triggered=payload.triggered, notes=payload.notes, evaluator_id=current_user.id, )