43 lines
1.9 KiB
Python
43 lines
1.9 KiB
Python
"""DetectionRule model — detection rules from multiple sources."""
|
|
|
|
import uuid
|
|
from datetime import datetime
|
|
|
|
from sqlalchemy import Column, String, Text, Boolean, DateTime, Index
|
|
from sqlalchemy.dialects.postgresql import UUID, JSONB
|
|
|
|
from app.database import Base
|
|
|
|
|
|
class DetectionRule(Base):
|
|
"""
|
|
Detection rule from an external source (Sigma, Elastic, Splunk, custom).
|
|
|
|
Each rule is mapped to one MITRE ATT&CK technique via
|
|
``mitre_technique_id`` and stores the complete rule content in
|
|
``rule_content``.
|
|
"""
|
|
__tablename__ = "detection_rules"
|
|
|
|
id = Column(UUID(as_uuid=True), primary_key=True, default=uuid.uuid4)
|
|
mitre_technique_id = Column(String, nullable=False) # e.g. "T1059.001"
|
|
title = Column(String, nullable=False)
|
|
description = Column(Text, nullable=True)
|
|
source = Column(String, nullable=False) # sigma / elastic / splunk / custom
|
|
source_id = Column(String, nullable=True) # ID in the source repo (for dedup)
|
|
source_url = Column(String, nullable=True)
|
|
rule_content = Column(Text, nullable=False) # YAML / KQL / SPL content
|
|
rule_format = Column(String, nullable=False) # sigma_yaml / kql / spl / custom
|
|
severity = Column(String, nullable=True) # informational / low / medium / high / critical
|
|
platforms = Column(JSONB, nullable=True, default=[])
|
|
log_sources = Column(JSONB, nullable=True) # e.g. {"product": "windows", "service": "sysmon"}
|
|
false_positive_rate = Column(String, nullable=True) # low / medium / high
|
|
is_active = Column(Boolean, default=True)
|
|
created_at = Column(DateTime, default=datetime.utcnow)
|
|
|
|
__table_args__ = (
|
|
Index('ix_detection_rules_mitre_technique_id', 'mitre_technique_id'),
|
|
Index('ix_detection_rules_source', 'source'),
|
|
Index('ix_detection_rules_severity', 'severity'),
|
|
)
|