Esempio n. 1
class AnalyticMetadata(Document):
    """Base class for all analytics. Can be extended for cloud.

    Declares the metadata every analytic must carry. Fields marked
    ``required=True`` must be present; the others are optional.
    """

    # Must match UUID_PATTERN (defined outside this excerpt).
    id = StringField(pattern=UUID_PATTERN, required=True)
    # Each entry is limited to one of the three listed categories.
    categories = ArrayField(StringField(enum=['detect', 'hunt', 'enrich']),
                            required=True)
    contributors = ArrayField(StringField(), required=True)
    confidence = StringField(enum=['low', 'medium', 'high'], required=True)
    # NOTE(review): the dates are plain strings; this schema sets no format or
    # pattern on them, so any string validates. Confirm whether a date format
    # is checked elsewhere.
    created_date = StringField(required=True)
    description = StringField(required=True)
    name = StringField(required=True)
    notes = StringField(required=False)
    # Entries are limited to OS_NAMES (defined outside this excerpt).
    os = ArrayField(StringField(enum=OS_NAMES), required=True)
    # Free-form strings; nothing here constrains them to URLs.
    references = ArrayField(StringField(), required=False)
    # Entries are limited to TACTICS (defined outside this excerpt).
    tactics = ArrayField(StringField(enum=TACTICS), required=False)
    tags = ArrayField(StringField(), required=False)
    # Unlike tactics, techniques has no enum: any string is accepted.
    techniques = ArrayField(StringField(), required=False)
    updated_date = StringField(required=True)
Esempio n. 2
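class AlertEntity(DocumentWithoutAddProp):
    # Schema for one input entity of an alert action.
    # presumably the base class rejects properties not declared here; confirm.

    # Field name: word characters only. Written as a raw string so "\w" is not
    # an invalid escape sequence in the Python literal (the pattern is unchanged).
    # NOTE(review): under Python's `re`, `$` also matches just before a trailing
    # newline, so a Python-side validator would accept "name\n". Confirm which
    # regex engine enforces this pattern before relying on it to sanitise names.
    field = StringField(required=True, pattern=r"^\w+$")
    label = StringField(required=True, max_length=30)
    type = StringField(required=True,
                       enum=["text", "singleSelect", "checkbox", "radio", "singleSelectSplunkSearch"])
    help = StringField(max_length=200)
    # The default may be a number, a string of at most 250 characters, or a boolean.
    defaultValue = OneOfField([
        NumberField(),
        StringField(max_length=250),
        BooleanField()
    ])
    required = BooleanField()
    # presumably the query used by the "singleSelectSplunkSearch" type; confirm.
    # Only its length is bounded here; the content is not checked by the schema.
    search = StringField(max_length=200)
    valueField = StringField(max_length=200)
    labelField = StringField(max_length=200)
    # "items" is the only declared option: a list of ValueLabelPair references.
    options = DictField(
        properties={
            "items": ArrayField(DocumentField(ValueLabelPair, as_ref=True))
        }
    )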
Esempio n. 3
 class EventInfo(Document):
     # Schema describing one event type: its enum values and its field names.
     # eql_name (defined outside this excerpt) is passed as the first positional
     # argument of StringField -- presumably the name pattern; confirm.

     # Dictionary with arbitrary keys; every value is an array of eql_name strings.
     enum = DictField(
         additional_properties=ArrayField(StringField(eql_name)))
     # Array of eql_name strings.
     fields = ArrayField(StringField(eql_name))
Esempio n. 4
class NumberValidator(ValidatorBase):
    # Validator entry whose "type" discriminator must be the literal "number".
    type = StringField(required=True, enum=["number"])
    # Required array of numbers -- presumably [min, max]; confirm.
    # NOTE(review): no min_items/max_items is set, so the schema itself accepts
    # an empty array or one of any length.
    range = ArrayField(NumberField(), required=True)
Esempio n. 5
class UCCConfig(DocumentWithoutAddProp):
    # Top-level configuration document: required "meta" and "pages" sections
    # plus an optional "alerts" list. Meta, Pages and Alerts are defined
    # outside this excerpt and are embedded by reference (as_ref=True).
    meta = DocumentField(Meta, as_ref=True, required=True)
    pages = DocumentField(Pages, as_ref=True, required=True)
    # Optional, but when present it must hold at least one entry (min_items=1).
    alerts = ArrayField(DocumentField(Alerts, as_ref=True), required=False, min_items=1)
Esempio n. 6
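class Technology(DocumentWithoutAddProp):
    # Schema for a technology entry: vendor, product and a list of versions.

    # At least one version, each made of dot-separated decimal groups such as
    # "1" or "1.2.3". Written as a raw string so "\d" and "\." are not invalid
    # escape sequences in the Python literal (the pattern is unchanged).
    # NOTE(review): under Python's `re`, `$` also matches just before a trailing
    # newline; confirm which regex engine enforces this pattern.
    version = ArrayField(StringField(required=True, pattern=r"^\d+(?:\.\d+)*$"), required=True, min_items=1)
    product = StringField(required=True, max_length=100)
    vendor = StringField(required=True, max_length=100)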
Esempio n. 7
class ConfigurationPage(DocumentWithoutAddProp):
    # Schema for the configuration page: a required title, an optional
    # description and a non-empty list of tabs.
    title = StringField(required=True, max_length=60)
    description = StringField(max_length=200)
    # At least one TabContent (defined outside this excerpt), embedded by reference.
    tabs = ArrayField(DocumentField(TabContent, as_ref=True), required=True, min_items=1)
Esempio n. 8
class ConfigurationTable(Table):
    # Table variant that fixes the allowed row actions.
    # Required; each entry must be "edit", "delete" or "clone".
    actions = ArrayField(StringField(enum=["edit", "delete", "clone"]), required=True)
Esempio n. 9
class InputsTable(Table):
    # Table variant that fixes the allowed row actions.
    # Required; each entry must be "edit", "delete", "clone" or "enable".
    actions = ArrayField(StringField(enum=["edit", "delete", "clone", "enable"]), required=True)
Esempio n. 10
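class Entity(DocumentWithoutAddProp):
    # Schema for one form entity: its name, label, widget type, default value,
    # per-type options and the validators applied to its value.
    # presumably the base class rejects properties not declared here; confirm.

    # Field name: word characters only. Written as a raw string so "\w" is not
    # an invalid escape sequence in the Python literal (the pattern is unchanged).
    # NOTE(review): under Python's `re`, `$` also matches just before a trailing
    # newline, so a Python-side validator would accept "name\n". Confirm which
    # regex engine enforces this pattern before relying on it to sanitise names.
    field = StringField(required=True, pattern=r"^\w+$")
    label = StringField(required=True, max_length=30)
    type = StringField(required=True,
                       enum=["custom", "text", "singleSelect", "checkbox", "multipleSelect", "radio", "placeholder", "oauth", "helpLink"])
    help = StringField(max_length=200)
    tooltip = StringField(max_length=250)
    # The default may be a number, a string of at most 250 characters, or a boolean.
    defaultValue = OneOfField([
        NumberField(),
        StringField(max_length=250),
        BooleanField()
    ])
    # Options are declared as one flat dictionary for every entity type; the
    # schema does not tie an option to the "type" value it belongs to.
    options = DictField(
        properties={
            "disableSearch": BooleanField(),
            # Either grouped entries ({label, children}) or a flat list of
            # ValueLabelPair references.
            "autoCompleteFields": OneOfField([
                ArrayField(DictField(
                    properties={
                        "label": StringField(required=True, max_length=150),
                        "children": ArrayField(DocumentField(ValueLabelPair, as_ref=True), required=True)
                    }
                )),
                ArrayField(DocumentField(ValueLabelPair, as_ref=True))
            ]),
            # NOTE(review): endpointUrl, auth_code_endpoint and
            # access_token_endpoint are only length-bounded. The schema sets no
            # format or pattern, so scheme and host must be validated by
            # whatever consumes them.
            "endpointUrl": StringField(max_length=350),
            # presumably filter expressions applied to listed values; confirm
            # how the consumer interprets them.
            "denyList": StringField(max_length=350),
            "allowList": StringField(max_length=350),
            "delimiter": StringField(max_length=1),
            "items": ArrayField(DocumentField(ValueLabelPair, as_ref=True)),
            "referenceName": StringField(max_length=250),
            "enable": BooleanField(),
            "placeholder": StringField(max_length=250),
            "display": BooleanField(),
            "labelField": StringField(max_length=250),
            "src": StringField(max_length=250),
            "defaultValue": StringField(max_length=250),
            "disableonEdit": BooleanField(),
            # Field lists for the two authentication modes; OAuthFields is
            # defined outside this excerpt.
            "basic": ArrayField(DocumentField(OAuthFields, as_ref=True)),
            "oauth": ArrayField(DocumentField(OAuthFields, as_ref=True)),
            "auth_type": ArrayField(StringField(max_length=100)),
            "auth_label": StringField(max_length=250),
            "oauth_popup_width": NumberField(),
            "oauth_popup_height": NumberField(),
            # NOTE(review): no minimum or maximum is declared for the timeout.
            "oauth_timeout": NumberField(),
            "auth_code_endpoint": StringField(max_length=350),
            "access_token_endpoint": StringField(max_length=350),
            "text": StringField(max_length=50),
            # NOTE(review): the only string option without max_length, and
            # without any format or pattern constraint.
            "link": StringField()
        }
    )
    required = BooleanField()
    # presumably marks the value for encrypted storage; the schema only records
    # the flag, so confirm that the consumer enforces it for secret fields.
    encrypted = BooleanField()
    # List of built-in field validators; each entry must match at least one of
    # the referenced validator documents.
    validators = ArrayField(AnyOfField([
        DocumentField(StringValidator, as_ref=True),
        DocumentField(NumberValidator, as_ref=True),
        DocumentField(RegexValidator, as_ref=True),
        DocumentField(EmailValidator, as_ref=True),
        DocumentField(Ipv4Validator, as_ref=True),
        DocumentField(UrlValidator, as_ref=True),
        DocumentField(DateValidator, as_ref=True)
    ]))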