kitos/Aegis
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
ec26183e2e7160deae6930095851d2325c1fe1c3
Aegis/backend/app/routers/detection_rules.py
T
kitos ec26183e2e refactor(pep8): enforce full PEP8 compliance across backend Python codebase 
- ruff.toml: select E/W/F/I/N rules, line-length=120, drop legacy ignores
- Auto-fix: sort 82 import blocks (isort), remove 29 unused imports,
  strip 6 trailing-whitespace blank lines in docstrings
- main.py: move setup_logging and settings imports to top (E402)
- errors.py: noqa N818 on DDD exception names (96 call sites, safe)
- intel_service.py: noqa N817 for universal ET alias
- atomic/elastic/sigma import services: move _MAX_UNCOMPRESSED_SIZE and
  _MAX_ENTRIES to module level (N806)
- compliance_import_service.py: move SAMPLE_CONTROLS / CIS_CONTROLS to
  module level; wrap long description strings (N806 + E501)
- snapshot_service.py: move STATUS_ORDER dict to module level (N806)
- sigma_import_service.py: remove dead dedup_key expression (F841)
- threat_actor_import_service.py: remove dead stix_to_actor expression (F841)
- data_source.py, seed_demo.py, campaign_scheduler_service.py,
  lolbas_import_service.py: wrap lines exceeding 120 chars (E501)
- d3fend_import_service.py: per-file E501 ignore (data file with long strings)

All 439 unit tests pass. ruff check app/ → All checks passed!

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-09 16:40:14 +02:00

132 lines
4.3 KiB
Python
Raw Blame History

"""Detection rules endpoints — listing, filtering, and template association.
Thin HTTP adapter: delegates all query and business logic to detection_rule_service.
Provides endpoints for browsing detection rules, querying rules by technique,
and managing the template ↔ detection rule associations.
"""
import uuid
from typing import Optional
from fastapi import APIRouter, Depends, Query
from pydantic import BaseModel
from sqlalchemy.orm import Session
from app.database import get_db
from app.dependencies.auth import get_current_user, require_any_role, require_role
from app.models.user import User
from app.services.detection_rule_service import (
auto_associate_rules,
evaluate_rule,
get_rules_for_template,
get_rules_for_test,
list_rules,
)
# ── Pydantic schemas for request validation ────────────────────────────
class DetectionRuleEvaluate(BaseModel):
"""Payload for evaluating a detection rule against a test."""
test_id: uuid.UUID
detection_rule_id: uuid.UUID
triggered: Optional[bool] = None
notes: Optional[str] = None
router = APIRouter(prefix="/detection-rules", tags=["detection-rules"])
# ── GET /detection-rules — List with filters ───────────────────────────
@router.get("")
def list_detection_rules(
technique: Optional[str] = Query(None, description="Filter by MITRE technique ID"),
source: Optional[str] = Query(None, description="Filter by source (sigma, elastic, splunk, custom)"),
severity: Optional[str] = Query(None),
search: Optional[str] = Query(None),
offset: int = Query(0, ge=0),
limit: int = Query(50, ge=1, le=200),
db: Session = Depends(get_db),
current_user: User = Depends(get_current_user),
):
"""List detection rules with optional filters and pagination."""
return list_rules(
db,
technique=technique,
source=source,
severity=severity,
search=search,
offset=offset,
limit=limit,
)
# ── GET /detection-rules/for-template/{template_id} ────────────────────
@router.get("/for-template/{template_id}")
def get_detection_rules_for_template(
template_id: str,
db: Session = Depends(get_db),
current_user: User = Depends(get_current_user),
):
"""Get detection rules associated with a test template."""
return get_rules_for_template(db, template_id)
# ── POST /detection-rules/auto-associate ────────────────────────────────
@router.post("/auto-associate")
def auto_associate_detection_rules(
db: Session = Depends(get_db),
current_user: User = Depends(require_role("admin")),
):
"""Auto-associate test templates with detection rules by MITRE technique ID.
For each active template, find all active detection rules for the same
technique and create associations. Rules with severity >= high are marked
as primary.
"""
return auto_associate_rules(db)
# ── GET /detection-rules/for-test/{test_id} ──────────────────────────────
@router.get("/for-test/{test_id}")
def get_detection_rules_for_test(
test_id: str,
db: Session = Depends(get_db),
current_user: User = Depends(get_current_user),
):
"""Get detection rules relevant to a test, along with their evaluation results.
Finds rules by matching the test's technique_id to detection rules,
and returns any existing evaluation results.
"""
return get_rules_for_test(db, test_id)
# ── POST /detection-rules/evaluate ──────────────────────────────────────
@router.post("/evaluate")
def evaluate_detection_rule(
payload: DetectionRuleEvaluate,
db: Session = Depends(get_db),
current_user: User = Depends(require_any_role("blue_tech", "blue_lead")),
):
"""Save or update the evaluation result for a detection rule on a test."""
return evaluate_rule(
db,
test_id=payload.test_id,
detection_rule_id=payload.detection_rule_id,
triggered=payload.triggered,
notes=payload.notes,
evaluator_id=current_user.id,
)
Reference in New Issue View Git Blame Copy Permalink