class AnalyticMetadata(Document):
    """Metadata schema shared by every analytic; may be subclassed for cloud.

    Every field is required except ``notes``, ``references``, ``tactics``,
    ``tags`` and ``techniques``.
    """

    # Identifier string; must match the module-level UUID_PATTERN.
    id = StringField(required=True, pattern=UUID_PATTERN)
    # One or more of the three supported analytic purposes.
    categories = ArrayField(
        StringField(enum=['detect', 'hunt', 'enrich']),
        required=True,
    )
    contributors = ArrayField(StringField(), required=True)
    confidence = StringField(required=True, enum=['low', 'medium', 'high'])
    # NOTE(review): both dates are plain required strings; no format or
    # pattern is enforced here, so consumers should parse them defensively.
    created_date = StringField(required=True)
    description = StringField(required=True)
    name = StringField(required=True)
    notes = StringField(required=False)
    # Each entry must be one of OS_NAMES (defined outside this block).
    os = ArrayField(StringField(enum=OS_NAMES), required=True)
    references = ArrayField(StringField(), required=False)
    # Tactics are restricted to TACTICS; techniques are free-form strings.
    tactics = ArrayField(StringField(enum=TACTICS), required=False)
    tags = ArrayField(StringField(), required=False)
    techniques = ArrayField(StringField(), required=False)
    updated_date = StringField(required=True)
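class AlertEntity(DocumentWithoutAddProp):
    """Schema for one input entity of an alert definition.

    ``field``, ``label`` and ``type`` are required; every other property is
    optional. Free-text properties are length-bounded.
    """

    # Raw string: "\w" in a plain literal is an invalid escape sequence and
    # triggers a warning on current Python versions.
    # NOTE(review): if this pattern is evaluated with Python's `re`, `$` also
    # matches just before a trailing newline and `\w` accepts Unicode word
    # characters. Confirm the validator's regex dialect if field names must be
    # strict ASCII identifiers.
    field = StringField(required=True, pattern=r"^\w+$")
    label = StringField(required=True, max_length=30)
    type = StringField(
        required=True,
        enum=["text", "singleSelect", "checkbox", "radio",
              "singleSelectSplunkSearch"],
    )
    help = StringField(max_length=200)
    # Exactly one of: number, string of at most 250 characters, or boolean.
    defaultValue = OneOfField([
        NumberField(),
        StringField(max_length=250),
        BooleanField(),
    ])
    required = BooleanField()
    # NOTE(review): `search` is only length-bounded here. Presumably it backs
    # the "singleSelectSplunkSearch" type; confirm, and review who may author
    # it wherever it is executed.
    search = StringField(max_length=200)
    valueField = StringField(max_length=200)
    labelField = StringField(max_length=200)
    # Optional static choices, each a referenced ValueLabelPair document.
    options = DictField(
        properties={
            "items": ArrayField(DocumentField(ValueLabelPair, as_ref=True)),
        }
    )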
class EventInfo(Document):
    """Schema describing one event type: its enum values and its field names.

    NOTE(review): ``eql_name`` is passed positionally to ``StringField``;
    presumably it is the name pattern applied to each string. Confirm against
    the field constructor's signature.
    """

    # Mapping whose values are arrays of eql_name-constrained strings; the
    # keys themselves are not constrained by this definition.
    enum = DictField(
        additional_properties=ArrayField(StringField(eql_name)),
    )
    # Flat list of eql_name-constrained strings.
    fields = ArrayField(StringField(eql_name))
class NumberValidator(ValidatorBase):
    """Validator entry whose ``type`` is the literal string ``"number"``."""

    # Single-value enum, so `type` identifies this validator kind.
    type = StringField(enum=["number"], required=True)
    # NOTE(review): `range` is a required array of numbers, but no min_items
    # or max_items is set here, so its length is not constrained by this
    # definition. Consumers should check the bounds they read from it.
    range = ArrayField(NumberField(), required=True)
class UCCConfig(DocumentWithoutAddProp):
    """Top-level configuration schema: required ``meta`` and ``pages``.

    NOTE(review): the base class name suggests additional properties are
    rejected; confirm in ``DocumentWithoutAddProp``.
    """

    meta = DocumentField(Meta, required=True, as_ref=True)
    pages = DocumentField(Pages, required=True, as_ref=True)
    # Optional, but when present it must contain at least one Alerts entry.
    alerts = ArrayField(
        DocumentField(Alerts, as_ref=True),
        min_items=1,
        required=False,
    )
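class Technology(DocumentWithoutAddProp):
    """Schema naming a product, its vendor and one or more version strings."""

    # Each version is dot-separated runs of digits, e.g. "1" or "1.2.3".
    # Raw string: "\d" and "\." in a plain literal are invalid escape
    # sequences and trigger a warning on current Python versions.
    # NOTE(review): if evaluated with Python's `re`, `$` also matches just
    # before a trailing newline. Confirm the validator's regex dialect if
    # version strings are later embedded in commands or paths.
    version = ArrayField(
        StringField(required=True, pattern=r"^\d+(?:\.\d+)*$"),
        required=True,
        min_items=1,
    )
    product = StringField(required=True, max_length=100)
    vendor = StringField(required=True, max_length=100)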
class ConfigurationPage(DocumentWithoutAddProp):
    """Schema for the configuration page: a title and at least one tab."""

    title = StringField(max_length=60, required=True)
    description = StringField(max_length=200)
    # Required and non-empty; each tab is a referenced TabContent document.
    tabs = ArrayField(
        DocumentField(TabContent, as_ref=True),
        min_items=1,
        required=True,
    )
class ConfigurationTable(Table):
    """Table schema for configuration rows, limited to three row actions."""

    # Unlike InputsTable, "enable" is not an accepted action here.
    actions = ArrayField(
        StringField(enum=["edit", "delete", "clone"]),
        required=True,
    )
class InputsTable(Table):
    """Table schema for input rows; allows "enable" plus the edit actions."""

    # Required list; each entry must be one of the four actions below.
    actions = ArrayField(
        StringField(enum=["edit", "delete", "clone", "enable"]),
        required=True,
    )
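class Entity(DocumentWithoutAddProp):
    """Schema for one form entity (input control) of a configuration page.

    ``field``, ``label`` and ``type`` are required. ``options`` carries the
    type-specific settings, including the OAuth-related ones, and
    ``validators`` lists the built-in validators applied to the value.
    """

    # Raw string: "\w" in a plain literal is an invalid escape sequence and
    # triggers a warning on current Python versions.
    # NOTE(review): if this pattern is evaluated with Python's `re`, `$` also
    # matches just before a trailing newline and `\w` accepts Unicode word
    # characters. Confirm the validator's regex dialect if field names must be
    # strict ASCII identifiers.
    field = StringField(required=True, pattern=r"^\w+$")
    label = StringField(required=True, max_length=30)
    type = StringField(
        required=True,
        enum=["custom", "text", "singleSelect", "checkbox", "multipleSelect",
              "radio", "placeholder", "oauth", "helpLink"],
    )
    help = StringField(max_length=200)
    tooltip = StringField(max_length=250)
    # Exactly one of: number, string of at most 250 characters, or boolean.
    defaultValue = OneOfField([
        NumberField(),
        StringField(max_length=250),
        BooleanField(),
    ])
    # NOTE(review): only `properties` is given; whether unknown option keys
    # are rejected depends on DictField's defaults. Confirm.
    options = DictField(
        properties={
            "disableSearch": BooleanField(),
            # Either grouped choices (label + children) or a flat list.
            "autoCompleteFields": OneOfField([
                ArrayField(DictField(
                    properties={
                        "label": StringField(required=True, max_length=150),
                        "children": ArrayField(
                            DocumentField(ValueLabelPair, as_ref=True),
                            required=True,
                        ),
                    }
                )),
                ArrayField(DocumentField(ValueLabelPair, as_ref=True)),
            ]),
            # NOTE(review): the endpoint-style options (endpointUrl,
            # auth_code_endpoint, access_token_endpoint) are length-bounded
            # only; no scheme or host constraint is expressed here, so
            # consumers must validate them before use.
            "endpointUrl": StringField(max_length=350),
            "denyList": StringField(max_length=350),
            "allowList": StringField(max_length=350),
            "delimiter": StringField(max_length=1),
            "items": ArrayField(DocumentField(ValueLabelPair, as_ref=True)),
            "referenceName": StringField(max_length=250),
            "enable": BooleanField(),
            "placeholder": StringField(max_length=250),
            "display": BooleanField(),
            "labelField": StringField(max_length=250),
            "src": StringField(max_length=250),
            "defaultValue": StringField(max_length=250),
            "disableonEdit": BooleanField(),
            "basic": ArrayField(DocumentField(OAuthFields, as_ref=True)),
            "oauth": ArrayField(DocumentField(OAuthFields, as_ref=True)),
            "auth_type": ArrayField(StringField(max_length=100)),
            "auth_label": StringField(max_length=250),
            "oauth_popup_width": NumberField(),
            "oauth_popup_height": NumberField(),
            "oauth_timeout": NumberField(),
            "auth_code_endpoint": StringField(max_length=350),
            "access_token_endpoint": StringField(max_length=350),
            "text": StringField(max_length=50),
            # NOTE(review): `link` is the only string option without a
            # max_length, and no URL format is enforced. Left unchanged so
            # that existing configurations keep validating.
            "link": StringField(),
        }
    )
    required = BooleanField()
    # The schema only records this flag. NOTE(review): presumably the consumer
    # stores the value encrypted when it is true; confirm where that is
    # enforced.
    encrypted = BooleanField()
    # List of built-in field validators; each entry must match at least one.
    validators = ArrayField(AnyOfField([
        DocumentField(StringValidator, as_ref=True),
        DocumentField(NumberValidator, as_ref=True),
        DocumentField(RegexValidator, as_ref=True),
        DocumentField(EmailValidator, as_ref=True),
        DocumentField(Ipv4Validator, as_ref=True),
        DocumentField(UrlValidator, as_ref=True),
        DocumentField(DateValidator, as_ref=True),
    ]))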