def create_event(
event: EventCreate,
request: Request,
response: Response,
db: Session = Depends(get_db),
):
# Create the new event Node using the data from the request
new_event: Event = create_node(node_create=event,
db_node_type=Event,
db=db,
exclude={"alert_uuids"})
# Set the required event properties
new_event.status = crud.read_by_value(value=event.status,
db_table=EventStatus,
db=db)
# Set the various optional event properties if they were given in the request.
if event.owner:
new_event.owner = crud.read_user_by_username(username=event.owner,
db=db)
if event.prevention_tools:
new_event.prevention_tools = crud.read_by_values(
values=event.prevention_tools,
db_table=EventPreventionTool,
db=db,
)
if event.remediations:
new_event.remediations = crud.read_by_values(values=event.remediations,
db_table=EventRemediation,
db=db)
if event.risk_level:
new_event.risk_level = crud.read_by_value(value=event.risk_level,
db_table=EventRiskLevel,
db=db)
if event.source:
new_event.source = crud.read_by_value(value=event.source,
db_table=EventSource,
db=db)
if event.type:
new_event.type = crud.read_by_value(value=event.type,
db_table=EventType,
db=db)
if event.vectors:
new_event.vectors = crud.read_by_values(values=event.vectors,
db_table=EventVector,
db=db)
# Save the new event to the database
db.add(new_event)
crud.commit(db)
response.headers["Content-Location"] = request.url_for("get_event",
uuid=new_event.uuid)
def update_observable(
uuid: UUID,
observable: ObservableUpdate,
request: Request,
response: Response,
db: Session = Depends(get_db),
):
# Read the current observable from the database
db_observable: Observable = crud.read(uuid=uuid,
db_table=Observable,
db=db)
# Get the data that was given in the request and use it to update the database object
update_data = observable.dict(exclude_unset=True)
if "expires_on" in update_data:
db_observable.expires_on = update_data["expires_on"]
if "for_detection" in update_data:
db_observable.for_detection = update_data["for_detection"]
if "type" in update_data:
db_observable.type = crud.read_by_value(value=update_data["type"],
db_table=ObservableType,
db=db)
if "value" in update_data:
db_observable.value = update_data["value"]
crud.commit(db)
response.headers["Content-Location"] = request.url_for("get_observable",
uuid=uuid)
def create_user(
user: UserCreate,
request: Request,
response: Response,
db: Session = Depends(get_db),
):
# Create the new user using the data from the request
new_user = User(**user.dict())
# Get the alert queue from the database to associate with the new user
new_user.default_alert_queue = crud.read_by_value(user.default_alert_queue,
db_table=AlertQueue,
db=db)
# Get the user roles from the database to associate with the new user
new_user.roles = crud.read_by_values(user.roles, db_table=UserRole, db=db)
# Securely hash and salt the password. Bcrypt_256 is used to get around the Bcrypt limitations
# of silently truncating passwords longer than 72 characters as well as not handling NULL bytes.
new_user.password = hash_password(new_user.password)
# Save the new user to the database
db.add(new_user)
crud.commit(db)
response.headers["Content-Location"] = request.url_for("get_user",
uuid=new_user.uuid)
def create_node(
node_create: NodeCreate,
db_node_type: DeclarativeMeta,
db: Session,
exclude: dict = None,
) -> DeclarativeMeta:
"""
Helper function when creating a new Node that sets the attributes inherited from Node.
"""
db_node: Node = db_node_type(**node_create.dict(exclude=exclude))
if node_create.directives:
db_node.directives = crud.read_by_values(values=node_create.directives,
db_table=NodeDirective,
db=db)
if node_create.tags:
db_node.tags = crud.read_by_values(values=node_create.tags,
db_table=NodeTag,
db=db)
if node_create.threat_actor:
db_node.threat_actor = crud.read_by_value(
value=node_create.threat_actor, db_table=NodeThreatActor, db=db)
if node_create.threats:
db_node.threats = crud.read_by_values(values=node_create.threats,
db_table=NodeThreat,
db=db)
return db_node
def create_alert(
alert: AlertCreate,
request: Request,
response: Response,
db: Session = Depends(get_db),
):
# Create the new alert Node using the data from the request
new_alert: Alert = create_node(node_create=alert,
db_node_type=Alert,
db=db)
# Set the required alert properties
new_alert.queue = crud.read_by_value(value=alert.queue,
db_table=AlertQueue,
db=db)
new_alert.type = crud.read_by_value(value=alert.type,
db_table=AlertType,
db=db)
# Set the various optional alert properties if they were given in the request.
if alert.owner:
new_alert.owner = crud.read_user_by_username(username=alert.owner,
db=db)
if alert.tool:
new_alert.tool = crud.read_by_value(value=alert.tool,
db_table=AlertTool,
db=db)
if alert.tool_instance:
new_alert.tool_instance = crud.read_by_value(
value=alert.tool_instance, db_table=AlertToolInstance, db=db)
# Alerts must point to an Analysis, so if we get this far without any errors, a new Analysis needs to be created.
new_alert.analysis = create_node(node_create=AnalysisCreate(),
db_node_type=Analysis,
db=db)
# Save the new alert (including the new analysis) to the database
db.add(new_alert)
crud.commit(db)
response.headers["Content-Location"] = request.url_for("get_alert",
uuid=new_alert.uuid)
def update_user(
uuid: UUID,
user: UserUpdate,
request: Request,
response: Response,
db: Session = Depends(get_db),
):
# Read the current user from the database
db_user: User = crud.read(uuid=uuid, db_table=User, db=db)
# Get the data that was given in the request and use it to update the database object
update_data = user.dict(exclude_unset=True)
if "default_alert_queue" in update_data:
db_user.default_alert_queue = crud.read_by_value(
value=update_data["default_alert_queue"],
db_table=AlertQueue,
db=db)
if "display_name" in update_data:
db_user.display_name = update_data["display_name"]
if "email" in update_data:
db_user.email = update_data["email"]
if "enabled" in update_data:
db_user.enabled = update_data["enabled"]
if "password" in update_data:
db_user.password = hash_password(update_data["password"])
if "roles" in update_data:
db_user.roles = crud.read_by_values(values=update_data["roles"],
db_table=UserRole,
db=db)
if "timezone" in update_data:
db_user.timezone = update_data["timezone"]
if "username" in update_data:
db_user.username = update_data["username"]
crud.commit(db)
response.headers["Content-Location"] = request.url_for("get_user",
uuid=uuid)
def create_observable(
observable: ObservableCreate,
request: Request,
response: Response,
db: Session = Depends(get_db),
):
# Create the new observable using the data from the request
new_observable = Observable(**observable.dict())
# Get the observable type from the database to associate with the new observable
new_observable.type = crud.read_by_value(observable.type,
db_table=ObservableType,
db=db)
# Save the new observable to the database
db.add(new_observable)
crud.commit(db)
response.headers["Content-Location"] = request.url_for(
"get_observable", uuid=new_observable.uuid)
def update_node(node_update: NodeUpdate, uuid: UUID, db_table: DeclarativeMeta,
db: Session) -> DeclarativeMeta:
"""
Helper function when updating a Node that enforces version matching and updates the attributes inherited from Node.
"""
# Fetch the Node from the database
db_node: Node = crud.read(uuid=uuid, db_table=db_table, db=db)
# Get the data that was given in the request and use it to update the database object
update_data = node_update.dict(exclude_unset=True)
# Return an exception if the passed in version does not match the Node's current version
if update_data["version"] != db_node.version:
raise HTTPException(
status_code=status.HTTP_409_CONFLICT,
detail="Unable to update Node due to version mismatch")
if "directives" in update_data:
db_node.directives = crud.read_by_values(
values=update_data["directives"], db_table=NodeDirective, db=db)
if "tags" in update_data:
db_node.tags = crud.read_by_values(values=update_data["tags"],
db_table=NodeTag,
db=db)
if "threat_actor" in update_data:
db_node.threat_actor = crud.read_by_value(
value=update_data["threat_actor"], db_table=NodeThreatActor, db=db)
if "threats" in update_data:
db_node.threats = crud.read_by_values(values=update_data["threats"],
db_table=NodeThreat,
db=db)
# Update the node version
db_node.version = uuid4()
return db_node
for value in data["user_role"]:
db.add(UserRole(value=value))
print(f"Adding user role: {value}")
else:
# Make sure there is always an "admin" role
db.add(UserRole(value="admin"))
print("Adding user role: admin")
# Add an "analyst" user if there are no existing users
if not crud.read_all(db_table=User, db=db):
# Commit the database changes so that they can be used to create the analyst user
crud.commit(db)
db.add(
User(
default_alert_queue=crud.read_by_value(value="default",
db_table=AlertQueue,
db=db),
display_name="Analyst",
email="analyst@localhost",
password="******",
roles=crud.read_by_values(values=["admin"],
db_table=UserRole,
db=db),
username="******",
))
print("Adding user: analyst")
# Commit all of the changes
crud.commit(db)
def create_observable_instance(
observable_instance: ObservableInstanceCreate,
request: Request,
response: Response,
db: Session = Depends(get_db),
):
# Create the new observable instance Node using the data from the request
new_observable_instance: ObservableInstance = create_node(
node_create=observable_instance,
db_node_type=ObservableInstance,
db=db,
exclude={
"parent_analysis_uuid", "performed_analysis_uuids", "type", "value"
},
)
# Read the required fields from the database to use with the new observable instance
new_observable_instance.alert = crud.read(
uuid=observable_instance.alert_uuid, db_table=Alert, db=db)
new_observable_instance.parent_analysis = crud.read(
uuid=observable_instance.parent_analysis_uuid,
db_table=Analysis,
db=db)
# Adding an observable instance counts as modifying the alert and the analysis, so they should both get new versions
new_observable_instance.alert.version = uuid4()
new_observable_instance.parent_analysis.version = uuid4()
# Set any performed analyses that were given
for performed_analysis_uuid in observable_instance.performed_analysis_uuids:
db_analysis = crud.read(uuid=performed_analysis_uuid,
db_table=Analysis,
db=db)
new_observable_instance.performed_analyses.append(db_analysis)
# This counts as editing the analysis, so it should receive an updated version
db_analysis.version = uuid4()
# Set the redirection observable instance if one was given
if observable_instance.redirection_uuid:
new_observable_instance.redirection = crud.read(
uuid=observable_instance.redirection_uuid,
db_table=ObservableInstance,
db=db,
)
# Lastly, check if the Observable represented by this instance already exists. Create it if it does not.
db_observable = crud.read_observable(type=observable_instance.type,
value=observable_instance.value,
db=db)
if not db_observable:
db_observable_type = crud.read_by_value(value=observable_instance.type,
db_table=ObservableType,
db=db)
db_observable = Observable(type=db_observable_type,
value=observable_instance.value)
# Associate the observable instance with its observable
new_observable_instance.observable = db_observable
# Save the new analysis to the database
db.add(new_observable_instance)
crud.commit(db)
response.headers["Content-Location"] = request.url_for(
"get_observable_instance", uuid=new_observable_instance.uuid)
def update_event(
uuid: UUID,
event: EventUpdate,
request: Request,
response: Response,
db: Session = Depends(get_db),
):
# Update the Node attributes
db_event: Event = update_node(node_update=event,
uuid=uuid,
db_table=Event,
db=db)
# Get the data that was given in the request and use it to update the database object
update_data = event.dict(exclude_unset=True)
if "alert_time" in update_data:
db_event.alert_time = update_data["alert_time"]
if "contain_time" in update_data:
db_event.contain_time = update_data["contain_time"]
if "disposition_time" in update_data:
db_event.disposition_time = update_data["disposition_time"]
if "event_time" in update_data:
db_event.event_time = update_data["event_time"]
if "name" in update_data:
db_event.name = update_data["name"]
if "owner" in update_data:
db_event.owner = crud.read_user_by_username(
username=update_data["owner"], db=db)
if "ownership_time" in update_data:
db_event.ownership_time = update_data["ownership_time"]
if "prevention_tools" in update_data:
db_event.prevention_tools = crud.read_by_values(
values=update_data["prevention_tools"],
db_table=EventPreventionTool,
db=db,
)
if "remediation_time" in update_data:
db_event.remediation_time = update_data["remediation_time"]
if "remediations" in update_data:
db_event.remediations = crud.read_by_values(
values=update_data["remediations"],
db_table=EventRemediation,
db=db,
)
if "risk_level" in update_data:
db_event.risk_level = crud.read_by_value(
value=update_data["risk_level"], db_table=EventRiskLevel, db=db)
if "source" in update_data:
db_event.source = crud.read_by_value(value=update_data["source"],
db_table=EventSource,
db=db)
if "status" in update_data:
db_event.status = crud.read_by_value(value=update_data["status"],
db_table=EventStatus,
db=db)
if "type" in update_data:
db_event.type = crud.read_by_value(value=update_data["type"],
db_table=EventType,
db=db)
if "vectors" in update_data:
db_event.vectors = crud.read_by_values(values=update_data["vectors"],
db_table=EventVector,
db=db)
crud.commit(db)
response.headers["Content-Location"] = request.url_for("get_event",
uuid=uuid)
def update_alert(
uuid: UUID,
alert: AlertUpdate,
request: Request,
response: Response,
db: Session = Depends(get_db),
):
# Update the Node attributes
db_alert: Alert = update_node(node_update=alert,
uuid=uuid,
db_table=Alert,
db=db)
# Get the data that was given in the request and use it to update the database object
update_data = alert.dict(exclude_unset=True)
if "description" in update_data:
db_alert.description = update_data["description"]
if "disposition" in update_data:
db_alert.disposition = crud.read_by_value(
value=update_data["disposition"], db_table=AlertDisposition, db=db)
if "event_uuid" in update_data:
db_alert.event = crud.read(uuid=update_data["event_uuid"],
db_table=Event,
db=db)
# This counts as editing the event, so it should receive a new version.
db_alert.event.version = uuid4()
if "event_time" in update_data:
db_alert.event_time = update_data["event_time"]
if "instructions" in update_data:
db_alert.instructions = update_data["instructions"]
if "name" in update_data:
db_alert.name = update_data["name"]
if "owner" in update_data:
db_alert.owner = crud.read_user_by_username(
username=update_data["owner"], db=db)
if "queue" in update_data:
db_alert.queue = crud.read_by_value(value=update_data["queue"],
db_table=AlertQueue,
db=db)
if "tool" in update_data:
db_alert.tool = crud.read_by_value(value=update_data["tool"],
db_table=AlertTool,
db=db)
if "tool_instance" in update_data:
db_alert.tool_instance = crud.read_by_value(
value=update_data["tool_instance"],
db_table=AlertToolInstance,
db=db,
)
if "type" in update_data:
db_alert.type = crud.read_by_value(value=update_data["type"],
db_table=AlertType,
db=db)
crud.commit(db)
response.headers["Content-Location"] = request.url_for("get_alert",
uuid=uuid)