kitos
8f98bdd273
- ruff.toml: select E/W/F/I/N rules, line-length=120, drop legacy ignores - Auto-fix: sort 82 import blocks (isort), remove 29 unused imports, strip 6 trailing-whitespace blank lines in docstrings - main.py: move setup_logging and settings imports to top (E402) - errors.py: noqa N818 on DDD exception names (96 call sites, safe) - intel_service.py: noqa N817 for universal ET alias - atomic/elastic/sigma import services: move _MAX_UNCOMPRESSED_SIZE and _MAX_ENTRIES to module level (N806) - compliance_import_service.py: move SAMPLE_CONTROLS / CIS_CONTROLS to module level; wrap long description strings (N806 + E501) - snapshot_service.py: move STATUS_ORDER dict to module level (N806) - sigma_import_service.py: remove dead dedup_key expression (F841) - threat_actor_import_service.py: remove dead stix_to_actor expression (F841) - data_source.py, seed_demo.py, campaign_scheduler_service.py, lolbas_import_service.py: wrap lines exceeding 120 chars (E501) - d3fend_import_service.py: per-file E501 ignore (data file with long strings) All 439 unit tests pass. ruff check app/ → All checks passed!
99 lines
3.3 KiB
Python
99 lines
3.3 KiB
Python
"""ThreatActor and ThreatActorTechnique models.
|
|
|
|
Stores profiles of APT groups and their associated MITRE ATT&CK
|
|
techniques, imported from MITRE CTI (STIX 2.0).
|
|
"""
|
|
|
|
import uuid
|
|
|
|
from sqlalchemy import (
|
|
Boolean,
|
|
Column,
|
|
DateTime,
|
|
ForeignKey,
|
|
Index,
|
|
String,
|
|
Text,
|
|
UniqueConstraint,
|
|
func,
|
|
)
|
|
from sqlalchemy.dialects.postgresql import JSONB, UUID
|
|
from sqlalchemy.orm import relationship
|
|
|
|
from app.database import Base
|
|
|
|
|
|
class ThreatActor(Base):
|
|
"""
|
|
Threat actor / APT group profile.
|
|
|
|
Imported from MITRE CTI ``intrusion-set`` STIX objects.
|
|
"""
|
|
__tablename__ = "threat_actors"
|
|
|
|
id = Column(UUID(as_uuid=True), primary_key=True, default=uuid.uuid4)
|
|
mitre_id = Column(String, unique=True, nullable=True) # e.g. "G0016" (APT29)
|
|
name = Column(String, nullable=False)
|
|
aliases = Column(JSONB, nullable=True, default=[]) # ["Cozy Bear", "The Dukes", ...]
|
|
description = Column(Text, nullable=True)
|
|
country = Column(String, nullable=True)
|
|
target_sectors = Column(JSONB, nullable=True, default=[]) # ["government", "defense", ...]
|
|
target_regions = Column(JSONB, nullable=True, default=[]) # ["north-america", "europe", ...]
|
|
motivation = Column(String, nullable=True) # espionage / financial / destruction / ...
|
|
sophistication = Column(String, nullable=True) # low / medium / high / advanced
|
|
first_seen = Column(String, nullable=True)
|
|
last_seen = Column(String, nullable=True)
|
|
references = Column(JSONB, nullable=True, default=[]) # [{"url": "...", "description": "..."}]
|
|
mitre_url = Column(String, nullable=True)
|
|
is_active = Column(Boolean, default=True)
|
|
created_at = Column(DateTime(timezone=True), server_default=func.now())
|
|
|
|
# Relationships
|
|
techniques = relationship(
|
|
"ThreatActorTechnique",
|
|
back_populates="threat_actor",
|
|
cascade="all, delete-orphan",
|
|
)
|
|
|
|
__table_args__ = (
|
|
Index('ix_threat_actors_country', 'country'),
|
|
Index('ix_threat_actors_motivation', 'motivation'),
|
|
)
|
|
|
|
|
|
class ThreatActorTechnique(Base):
|
|
"""
|
|
Association between a threat actor and a MITRE ATT&CK technique.
|
|
|
|
Stores additional context about how the actor uses the technique
|
|
(from the STIX ``relationship`` ``uses`` objects).
|
|
"""
|
|
__tablename__ = "threat_actor_techniques"
|
|
|
|
id = Column(UUID(as_uuid=True), primary_key=True, default=uuid.uuid4)
|
|
threat_actor_id = Column(
|
|
UUID(as_uuid=True),
|
|
ForeignKey("threat_actors.id", ondelete="CASCADE"),
|
|
nullable=False,
|
|
)
|
|
technique_id = Column(
|
|
UUID(as_uuid=True),
|
|
ForeignKey("techniques.id", ondelete="CASCADE"),
|
|
nullable=False,
|
|
)
|
|
usage_description = Column(Text, nullable=True)
|
|
first_seen_using = Column(String, nullable=True)
|
|
|
|
# Relationships
|
|
threat_actor = relationship("ThreatActor", back_populates="techniques")
|
|
technique = relationship("Technique")
|
|
|
|
__table_args__ = (
|
|
Index('ix_threat_actor_techniques_actor', 'threat_actor_id'),
|
|
Index('ix_threat_actor_techniques_technique', 'technique_id'),
|
|
UniqueConstraint(
|
|
'threat_actor_id', 'technique_id',
|
|
name='uq_actor_technique',
|
|
),
|
|
)
|