Domů Procházet Nápověda
Přihlásit se
tum
/
soc
Sledovat 1
Oblíbit 0
Rozštěpit 0
Zdrojový kód Úkoly 0 Požadavky na natažení 0 Revize 22 Vydání 0 Wiki

Bez popisu

Strom: 922e61ec37
Větve Značky
soc
/
soc-integrator
/
app
/
repositories
/
mvp_repo.py

mvp_repo.py 13KB
Historie Surový

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395 
  1. from __future__ import annotations
    2. 

  2. 

  3. from datetime import datetime, timezone
    4. 

  4. from typing import Any
    5. 

  5. 

  6. from psycopg.types.json import Json
    7. 

  7. 

  8. from app.db import get_conn
    9. 

  9. 

  10. 

  11. def utc_now() -> datetime:
    12. 

  12.     return datetime.now(timezone.utc)
    13. 

  13. 

  14. 

  15. DEFAULT_POLICY: dict[str, Any] = {
    16. 

  16.     "escalate_severities": ["high", "critical"],
    17. 

  17.     "vpn": {
    18. 

  18.         "allowed_country": "TH",
    19. 

  19.         "exception_users": [],
    20. 

  20.     },
    21. 

  21.     "risk": {
    22. 

  22.         "weights": {
    23. 

  23.             "outside_thailand": 50,
    24. 

  24.             "admin": 20,
    25. 

  25.             "off_hours": 15,
    26. 

  26.             "first_seen_country": 15,
    27. 

  27.         },
    28. 

  28.         "thresholds": {
    29. 

  29.             "high": 70,
    30. 

  30.             "medium": 40,
    31. 

  31.         },
    32. 

  32.     },
    33. 

  33.     "shuffle": {
    34. 

  34.         "ioc_workflow_id": "",
    35. 

  35.     },
    36. 

  36. }
    37. 

  37. 

  38. 

  39. class MvpRepository:
    40. 

  40.     def count_incident_events_since(self, since: datetime, source: str | None = None) -> int:
    41. 

  41.         with get_conn() as conn, conn.cursor() as cur:
    42. 

  42.             if source:
    43. 

  43.                 cur.execute(
    44. 

  44.                     """
    45. 

  45.                     SELECT COUNT(*) AS cnt
    46. 

  46.                     FROM incident_events
    47. 

  47.                     WHERE created_at >= %s
    48. 

  48.                       AND source = %s
    49. 

  49.                     """,
    50. 

  50.                     (since, source),
    51. 

  51.                 )
    52. 

  52.             else:
    53. 

  53.                 cur.execute(
    54. 

  54.                     """
    55. 

  55.                     SELECT COUNT(*) AS cnt
    56. 

  56.                     FROM incident_events
    57. 

  57.                     WHERE created_at >= %s
    58. 

  58.                     """,
    59. 

  59.                     (since,),
    60. 

  60.                 )
    61. 

  61.             row = cur.fetchone() or {}
    62. 

  62.             return int(row.get("cnt", 0) or 0)
    63. 

  63. 

  64.     def count_incidents_with_iris_since(self, since: datetime) -> int:
    65. 

  65.         with get_conn() as conn, conn.cursor() as cur:
    66. 

  66.             cur.execute(
    67. 

  67.                 """
    68. 

  68.                 SELECT COUNT(*) AS cnt
    69. 

  69.                 FROM incident_index
    70. 

  70.                 WHERE first_seen >= %s
    71. 

  71.                   AND iris_case_id IS NOT NULL
    72. 

  72.                   AND iris_case_id <> ''
    73. 

  73.                 """,
    74. 

  74.                 (since,),
    75. 

  75.             )
    76. 

  76.             row = cur.fetchone() or {}
    77. 

  77.             return int(row.get("cnt", 0) or 0)
    78. 

  78. 

  79.     def count_escalations_since(self, since: datetime, success: bool | None = None) -> int:
    80. 

  80.         with get_conn() as conn, conn.cursor() as cur:
    81. 

  81.             if success is None:
    82. 

  82.                 cur.execute(
    83. 

  83.                     """
    84. 

  84.                     SELECT COUNT(*) AS cnt
    85. 

  85.                     FROM escalation_audit
    86. 

  86.                     WHERE attempted_at >= %s
    87. 

  87.                     """,
    88. 

  88.                     (since,),
    89. 

  89.                 )
    90. 

  90.             else:
    91. 

  91.                 cur.execute(
    92. 

  92.                     """
    93. 

  93.                     SELECT COUNT(*) AS cnt
    94. 

  94.                     FROM escalation_audit
    95. 

  95.                     WHERE attempted_at >= %s
    96. 

  96.                       AND success = %s
    97. 

  97.                     """,
    98. 

  98.                     (since, success),
    99. 

  99.                 )
    100. 

  100.             row = cur.fetchone() or {}
    101. 

  101.             return int(row.get("cnt", 0) or 0)
    102. 

  102. 

  103.     def count_c_detection_events_since(self, since: datetime) -> int:
    104. 

  104.         with get_conn() as conn, conn.cursor() as cur:
    105. 

  105.             cur.execute(
    106. 

  106.                 """
    107. 

  107.                 SELECT COUNT(*) AS cnt
    108. 

  108.                 FROM c_detection_events
    109. 

  109.                 WHERE matched_at >= %s
    110. 

  110.                 """,
    111. 

  111.                 (since,),
    112. 

  112.             )
    113. 

  113.             row = cur.fetchone() or {}
    114. 

  114.             return int(row.get("cnt", 0) or 0)
    115. 

  115. 

  116.     def list_recent_escalations(self, limit: int = 20) -> list[dict[str, Any]]:
    117. 

  117.         with get_conn() as conn, conn.cursor() as cur:
    118. 

  118.             cur.execute(
    119. 

  119.                 """
    120. 

  120.                 SELECT id, incident_key, attempted_at, status_code, success, response_excerpt
    121. 

  121.                 FROM escalation_audit
    122. 

  122.                 ORDER BY attempted_at DESC
    123. 

  123.                 LIMIT %s
    124. 

  124.                 """,
    125. 

  125.                 (max(1, limit),),
    126. 

  126.             )
    127. 

  127.             return [dict(row) for row in cur.fetchall()]
    128. 

  128. 

  129.     def has_event(self, source: str, event_id: str) -> bool:
    130. 

  130.         with get_conn() as conn, conn.cursor() as cur:
    131. 

  131.             cur.execute(
    132. 

  132.                 "SELECT 1 FROM incident_events WHERE source = %s AND event_id = %s LIMIT 1",
    133. 

  133.                 (source, event_id),
    134. 

  134.             )
    135. 

  135.             return cur.fetchone() is not None
    136. 

  136. 

  137.     def ensure_policy(self) -> None:
    138. 

  138.         with get_conn() as conn, conn.cursor() as cur:
    139. 

  139.             cur.execute("SELECT id FROM policy_config WHERE id = 1")
    140. 

  140.             found = cur.fetchone()
    141. 

  141.             if not found:
    142. 

  142.                 cur.execute(
    143. 

  143.                     "INSERT INTO policy_config(id, data) VALUES (1, %s)",
    144. 

  144.                     (Json(DEFAULT_POLICY),),
    145. 

  145.                 )
    146. 

  146. 

  147.     def get_policy(self) -> dict[str, Any]:
    148. 

  148.         self.ensure_policy()
    149. 

  149.         with get_conn() as conn, conn.cursor() as cur:
    150. 

  150.             cur.execute("SELECT data FROM policy_config WHERE id = 1")
    151. 

  151.             row = cur.fetchone()
    152. 

  152.             return dict(row["data"]) if row else dict(DEFAULT_POLICY)
    153. 

  153. 

  154.     def update_policy(self, data: dict[str, Any]) -> dict[str, Any]:
    155. 

  155.         with get_conn() as conn, conn.cursor() as cur:
    156. 

  156.             cur.execute(
    157. 

  157.                 """
    158. 

  158.                 INSERT INTO policy_config(id, data, updated_at)
    159. 

  159.                 VALUES (1, %s, NOW())
    160. 

  160.                 ON CONFLICT (id)
    161. 

  161.                 DO UPDATE SET data = EXCLUDED.data, updated_at = NOW()
    162. 

  162.                 RETURNING data
    163. 

  163.                 """,
    164. 

  164.                 (Json(data),),
    165. 

  165.             )
    166. 

  166.             row = cur.fetchone()
    167. 

  167.             return dict(row["data"])
    168. 

  168. 

  169.     def get_incident(self, incident_key: str) -> dict[str, Any] | None:
    170. 

  170.         with get_conn() as conn, conn.cursor() as cur:
    171. 

  171.             cur.execute(
    172. 

  172.                 "SELECT incident_key, iris_case_id, status, severity, first_seen, last_seen FROM incident_index WHERE incident_key = %s",
    173. 

  173.                 (incident_key,),
    174. 

  174.             )
    175. 

  175.             row = cur.fetchone()
    176. 

  176.             return dict(row) if row else None
    177. 

  177. 

  178.     def upsert_incident(
    179. 

  179.         self,
    180. 

  180.         incident_key: str,
    181. 

  181.         severity: str,
    182. 

  182.         status: str,
    183. 

  183.         iris_case_id: str | None,
    184. 

  184.     ) -> dict[str, Any]:
    185. 

  185.         now = utc_now()
    186. 

  186.         with get_conn() as conn, conn.cursor() as cur:
    187. 

  187.             cur.execute(
    188. 

  188.                 """
    189. 

  189.                 INSERT INTO incident_index(incident_key, iris_case_id, status, severity, first_seen, last_seen)
    190. 

  190.                 VALUES (%s, %s, %s, %s, %s, %s)
    191. 

  191.                 ON CONFLICT (incident_key)
    192. 

  192.                 DO UPDATE SET
    193. 

  193.                   iris_case_id = COALESCE(EXCLUDED.iris_case_id, incident_index.iris_case_id),
    194. 

  194.                   status = EXCLUDED.status,
    195. 

  195.                   severity = EXCLUDED.severity,
    196. 

  196.                   last_seen = EXCLUDED.last_seen
    197. 

  197.                 RETURNING incident_key, iris_case_id, status, severity, first_seen, last_seen
    198. 

  198.                 """,
    199. 

  199.                 (incident_key, iris_case_id, status, severity, now, now),
    200. 

  200.             )
    201. 

  201.             return dict(cur.fetchone())
    202. 

  202. 

  203.     def add_event(
    204. 

  204.         self,
    205. 

  205.         incident_key: str,
    206. 

  206.         event_id: str | None,
    207. 

  207.         source: str,
    208. 

  208.         event_type: str,
    209. 

  209.         raw_payload: dict[str, Any],
    210. 

  210.         decision_trace: dict[str, Any],
    211. 

  211.     ) -> None:
    212. 

  212.         with get_conn() as conn, conn.cursor() as cur:
    213. 

  213.             cur.execute(
    214. 

  214.                 """
    215. 

  215.                 INSERT INTO incident_events(incident_key, event_id, source, event_type, raw_payload, decision_trace)
    216. 

  216.                 VALUES (%s, %s, %s, %s, %s, %s)
    217. 

  217.                 """,
    218. 

  218.                 (
    219. 

  219.                     incident_key,
    220. 

  220.                     event_id,
    221. 

  221.                     source,
    222. 

  222.                     event_type,
    223. 

  223.                     Json(raw_payload),
    224. 

  224.                     Json(decision_trace),
    225. 

  225.                 ),
    226. 

  226.             )
    227. 

  227. 

  228.     def add_escalation_audit(
    229. 

  229.         self,
    230. 

  230.         incident_key: str,
    231. 

  231.         status_code: int | None,
    232. 

  232.         success: bool,
    233. 

  233.         response_excerpt: str | None,
    234. 

  234.     ) -> None:
    235. 

  235.         with get_conn() as conn, conn.cursor() as cur:
    236. 

  236.             cur.execute(
    237. 

  237.                 """
    238. 

  238.                 INSERT INTO escalation_audit(incident_key, status_code, success, response_excerpt)
    239. 

  239.                 VALUES (%s, %s, %s, %s)
    240. 

  240.                 """,
    241. 

  241.                 (incident_key, status_code, success, response_excerpt),
    242. 

  242.             )
    243. 

  243. 

  244.     def add_ioc_trace(
    245. 

  245.         self,
    246. 

  246.         action: str,
    247. 

  247.         ioc_type: str,
    248. 

  248.         ioc_value: str,
    249. 

  249.         providers: list[str],
    250. 

  250.         request_payload: dict[str, Any],
    251. 

  251.         response_payload: dict[str, Any],
    252. 

  252.         matched: bool | None = None,
    253. 

  253.         severity: str | None = None,
    254. 

  254.         confidence: float | None = None,
    255. 

  255.         error: str | None = None,
    256. 

  256.     ) -> None:
    257. 

  257.         with get_conn() as conn, conn.cursor() as cur:
    258. 

  258.             cur.execute(
    259. 

  259.                 """
    260. 

  260.                 INSERT INTO ioc_trace(
    261. 

  261.                   action, ioc_type, ioc_value, providers,
    262. 

  262.                   request_payload, response_payload, matched, severity, confidence, error
    263. 

  263.                 )
    264. 

  264.                 VALUES (%s, %s, %s, %s, %s, %s, %s, %s, %s, %s)
    265. 

  265.                 """,
    266. 

  266.                 (
    267. 

  267.                     action,
    268. 

  268.                     ioc_type,
    269. 

  269.                     ioc_value,
    270. 

  270.                     Json(providers),
    271. 

  271.                     Json(request_payload),
    272. 

  272.                     Json(response_payload),
    273. 

  273.                     matched,
    274. 

  274.                     severity,
    275. 

  275.                     confidence,
    276. 

  276.                     error,
    277. 

  277.                 ),
    278. 

  278.             )
    279. 

  279. 

  280.     def list_ioc_trace(self, limit: int = 50, offset: int = 0) -> list[dict[str, Any]]:
    281. 

  281.         with get_conn() as conn, conn.cursor() as cur:
    282. 

  282.             cur.execute(
    283. 

  283.                 """
    284. 

  284.                 SELECT id, action, ioc_type, ioc_value, providers, matched, severity, confidence, error, created_at
    285. 

  285.                 FROM ioc_trace
    286. 

  286.                 ORDER BY created_at DESC
    287. 

  287.                 LIMIT %s OFFSET %s
    288. 

  288.                 """,
    289. 

  289.                 (max(1, limit), max(0, offset)),
    290. 

  290.             )
    291. 

  291.             return [dict(row) for row in cur.fetchall()]
    292. 

  292. 

  293.     def get_correlation_state(self, entity_key: str) -> dict[str, Any] | None:
    294. 

  294.         with get_conn() as conn, conn.cursor() as cur:
    295. 

  295.             cur.execute(
    296. 

  296.                 "SELECT state FROM correlation_state WHERE entity_key = %s",
    297. 

  297.                 (entity_key,),
    298. 

  298.             )
    299. 

  299.             row = cur.fetchone()
    300. 

  300.             return dict(row["state"]) if row else None
    301. 

  301. 

  302.     def upsert_correlation_state(self, entity_key: str, state: dict[str, Any]) -> None:
    303. 

  303.         with get_conn() as conn, conn.cursor() as cur:
    304. 

  304.             cur.execute(
    305. 

  305.                 """
    306. 

  306.                 INSERT INTO correlation_state(entity_key, state, updated_at)
    307. 

  307.                 VALUES (%s, %s, NOW())
    308. 

  308.                 ON CONFLICT (entity_key)
    309. 

  309.                 DO UPDATE SET state = EXCLUDED.state, updated_at = NOW()
    310. 

  310.                 """,
    311. 

  311.                 (entity_key, Json(state)),
    312. 

  312.             )
    313. 

  313. 

  314.     def add_c_detection_event(
    315. 

  315.         self,
    316. 

  316.         usecase_id: str,
    317. 

  317.         entity: str,
    318. 

  318.         severity: str,
    319. 

  319.         evidence: dict[str, Any],
    320. 

  320.         event_ref: dict[str, Any],
    321. 

  321.         incident_key: str | None = None,
    322. 

  322.     ) -> dict[str, Any]:
    323. 

  323.         with get_conn() as conn, conn.cursor() as cur:
    324. 

  324.             cur.execute(
    325. 

  325.                 """
    326. 

  326.                 INSERT INTO c_detection_events(usecase_id, entity, severity, evidence, event_ref, incident_key)
    327. 

  327.                 VALUES (%s, %s, %s, %s, %s, %s)
    328. 

  328.                 RETURNING id, usecase_id, entity, severity, evidence, event_ref, incident_key, matched_at
    329. 

  329.                 """,
    330. 

  330.                 (
    331. 

  331.                     usecase_id,
    332. 

  332.                     entity,
    333. 

  333.                     severity,
    334. 

  334.                     Json(evidence),
    335. 

  335.                     Json(event_ref),
    336. 

  336.                     incident_key,
    337. 

  337.                 ),
    338. 

  338.             )
    339. 

  339.             return dict(cur.fetchone())
    340. 

  340. 

  341.     def update_c_detection_incident(self, event_id: int, incident_key: str | None) -> None:
    342. 

  342.         with get_conn() as conn, conn.cursor() as cur:
    343. 

  343.             cur.execute(
    344. 

  344.                 "UPDATE c_detection_events SET incident_key = %s WHERE id = %s",
    345. 

  345.                 (incident_key, event_id),
    346. 

  346.             )
    347. 

  347. 

  348.     def list_c_detection_events(
    349. 

  349.         self,
    350. 

  350.         limit: int = 50,
    351. 

  351.         offset: int = 0,
    352. 

  352.         usecase_id: str | None = None,
    353. 

  353.     ) -> list[dict[str, Any]]:
    354. 

  354.         with get_conn() as conn, conn.cursor() as cur:
    355. 

  355.             if usecase_id:
    356. 

  356.                 cur.execute(
    357. 

  357.                     """
    358. 

  358.                     SELECT id, usecase_id, entity, severity, evidence, event_ref, incident_key, matched_at
    359. 

  359.                     FROM c_detection_events
    360. 

  360.                     WHERE usecase_id = %s
    361. 

  361.                     ORDER BY matched_at DESC
    362. 

  362.                     LIMIT %s OFFSET %s
    363. 

  363.                     """,
    364. 

  364.                     (usecase_id, max(1, limit), max(0, offset)),
    365. 

  365.                 )
    366. 

  366.             else:
    367. 

  367.                 cur.execute(
    368. 

  368.                     """
    369. 

  369.                     SELECT id, usecase_id, entity, severity, evidence, event_ref, incident_key, matched_at
    370. 

  370.                     FROM c_detection_events
    371. 

  371.                     ORDER BY matched_at DESC
    372. 

  372.                     LIMIT %s OFFSET %s
    373. 

  373.                     """,
    374. 

  374.                     (max(1, limit), max(0, offset)),
    375. 

  375.                 )
    376. 

  376.             return [dict(row) for row in cur.fetchall()]
    377. 

  377. 

  378.     def is_c_detection_in_cooldown(self, usecase_id: str, entity: str, cooldown_seconds: int) -> bool:
    379. 

  379.         if cooldown_seconds <= 0:
    380. 

  380.             return False
    381. 

  381.         with get_conn() as conn, conn.cursor() as cur:
    382. 

  382.             cur.execute(
    383. 

  383.                 """
    384. 

  384.                 SELECT 1
    385. 

  385.                 FROM c_detection_events
    386. 

  386.                 WHERE usecase_id = %s
    387. 

  387.                   AND entity = %s
    388. 

  388.                   AND incident_key IS NOT NULL
    389. 

  389.                   AND matched_at > (NOW() - (%s || ' seconds')::interval)
    390. 

  390.                 LIMIT 1
    391. 

  391.                 """,
    392. 

  392.                 (usecase_id, entity, int(cooldown_seconds)),
    393. 

  393.             )
    394. 

  394.             return cur.fetchone() is not None
    395. 

  395.