class EmailRecipient(SurrogatePK, Model): recipient = Column(db.String, nullable=False) status = Column(db.String, nullable=False) created_at = Column(db.DateTime, nullable=False) updated_at = Column(db.DateTime, nullable=False, default=dt.datetime.utcnow)
class DefaultFilters(SurrogatePK, Model): filters = Column(JSONB) platform = Column(db.String, nullable=False) apply_by_default = Column(db.Boolean, nullable=False, default=False) created_at = Column(db.DateTime, nullable=False) updated_at = Column(db.DateTime, nullable=False, default=dt.datetime.utcnow) def __init__(self, filters, platform, created_at, apply_by_default=False, **kwargs): self.filters = filters self.platform = platform self.apply_by_default = apply_by_default self.created_at = created_at self.updated_at = dt.datetime.utcnow() @property def serialize(self): """Return object data in easily serializeable format""" return { 'id': self.id, 'filters': json.loads(self.filters), 'platform': self.platform, 'created_at': dump_datetime(self.created_at), 'updated_at': dump_datetime(self.updated_at) }
class DistributedQueryResult(SurrogatePK, Model): columns = Column(JSONB) timestamp = Column(db.DateTime, default=dt.datetime.utcnow) distributed_query_task_id = reference_col('distributed_query_task', nullable=False) distributed_query_task = relationship( 'DistributedQueryTask', backref=db.backref('results', cascade='all, delete-orphan', lazy='joined'), ) distributed_query_id = reference_col('distributed_query', nullable=False) distributed_query = relationship( 'DistributedQuery', backref=db.backref('results', cascade='all, delete-orphan', lazy='joined'), ) def __init__(self, columns, distributed_query=None, distributed_query_task=None): self.columns = columns self.distributed_query = distributed_query self.distributed_query_task = distributed_query_task def to_dict(self): dict = {c.name: getattr(self, c.name) for c in self.__table__.columns} # dict['tasks'] = self.tasks return dict def to_dict_obj(self): dict = {'columns': self.columns} # dict['tasks'] = self.tasks return dict
class FilePath(SurrogatePK, Model): category = Column(db.String, nullable=False, unique=True) target_paths = Column(db.String) tags = relationship( 'Tag', secondary=file_path_tags, back_populates='file_paths', lazy='joined', ) def __init__(self, category=None, target_paths=None, *args, **kwargs): self.category = category if target_paths is not None: self.set_paths(*target_paths) elif args: self.set_paths(*args) else: self.target_paths = '' def to_dict(self): return {self.category: self.get_paths()} def get_paths(self): return self.target_paths.split('!!') def set_paths(self, *target_paths): self.target_paths = '!!'.join(target_paths)
class DistributedQuery(SurrogatePK, Model): description = Column(db.String, nullable=True) sql = Column(db.String, nullable=False) timestamp = Column(db.DateTime, default=dt.datetime.utcnow) not_before = Column(db.DateTime, default=dt.datetime.utcnow) alert_id = reference_col('alerts', nullable=True) alert = relationship( 'Alerts', backref=db.backref('distributed_query'), ) # tasks = relationship( # 'DistributedQueryTask', # backref=db.backref('distributed_query_task'), # # ) def __init___(self, sql, description=None, not_before=None, alert_id=None): self.sql = sql self.alert_id = alert_id self.description = description self.not_before = not_before def to_dict(self): dict = {c.name: getattr(self, c.name) for c in self.__table__.columns} # dict['tasks'] = self.tasks return dict
class ThreatIntelCredentials(SurrogatePK, Model): intel_name = Column(db.String, nullable=True) credentials = Column(JSONB, default={}, nullable=False) def __init__(self, intel_name, credentials, **kwargs): self.intel_name = intel_name self.credentials = credentials
class AlertEmail(SurrogatePK, Model): alert_id = reference_col('alerts', nullable=False) alert = relationship( 'Alerts', backref=db.backref('alert_email', lazy='dynamic'), ) node = Column(db.String, nullable=False) status = Column(db.String, nullable=True) node_id = reference_col('node', nullable=False) node = relationship( 'Node', backref=db.backref('alert_email', lazy='dynamic'), ) body = Column(db.String, nullable=False) created_at = Column(db.DateTime, nullable=False, default=dt.datetime.utcnow) updated_at = Column(db.DateTime, nullable=False) def __init__(self, node=None, node_id=None, alert=None, alert_id=None, body=None, status=None, updated_at=dt.datetime.utcnow()): if node: self.node = node elif node_id: self.node_id = node_id if alert: self.alert = alert elif alert_id: self.alert_id = alert_id self.updated_at = updated_at self.body = body self.status = status
class HandlingToken(SurrogatePK, Model): token = Column(db.String, nullable=False) logged_in_at = Column(db.DateTime, default=dt.datetime.utcnow, nullable=False) token_expired = Column(db.Boolean, nullable=False, default=False) logged_out_at = Column(db.DateTime, nullable=True) user = Column(db.String, nullable=False)
class Query(SurrogatePK, Model): name = Column(db.String, nullable=False) sql = Column(db.String, nullable=False) interval = Column(db.Integer, default=3600) platform = Column(db.String) version = Column(db.String) description = Column(db.String) value = Column(db.String) removed = Column(db.Boolean, nullable=False, default=True) snapshot = Column(db.Boolean, nullable=False, default=False) shard = Column(db.Integer) packs = relationship( 'Pack', secondary=querypacks, back_populates='queries', ) tags = relationship( 'Tag', secondary=query_tags, back_populates='queries', lazy='joined', ) def __init__(self, name, query=None, sql=None, interval=3600, platform=None,packs=[], version=None, description=None, value=None, removed=True, shard=None, snapshot=False, **kwargs): self.name = name self.sql = query or sql self.interval = int(interval) self.platform = platform self.version = version self.description = description self.value = value self.removed = removed self.packs=packs self.snapshot = snapshot self.shard = shard def __repr__(self): return '<Query: {0.name}>'.format(self) def to_dict(self): return { 'id': self.id, 'query': self.sql, 'interval': self.interval, 'platform': self.platform, 'version': self.version, 'description': self.description, 'value': self.value, 'removed': self.removed, 'shard': self.shard, 'snapshot': self.snapshot, 'tags': [r.to_dict() for r in self.tags] }
class VirusTotalAvEngines(SurrogatePK, Model): name = Column(db.String, nullable=False) status = Column(db.Boolean, nullable=False, default=False) description = Column(db.String, nullable=True) def __init__(self, name, status, description=None): self.name = name self.status = status self.description = description
class Settings(SurrogatePK, Model): # config = Column(JSONB) setting = Column(db.String, nullable=False) name = Column(db.String, nullable=False) created_at = Column(db.DateTime, nullable=False) updated_at = Column(db.DateTime, nullable=False, default=dt.datetime.utcnow) def __init__(self, name, setting, **kwargs): self.name = name self.setting = setting
class ResultLogScan(SurrogatePK, Model): scan_type = Column(db.String, nullable=False) scan_value = Column(db.String, nullable=False) reputations = Column(JSONB, default={}, nullable=False) created_at = Column(db.DateTime, nullable=False, default=dt.datetime.utcnow) def __init__(self, scan_type, scan_value, reputations, **kwargs): self.scan_type = scan_type self.scan_value = scan_value self.reputations = reputations
class DashboardData(SurrogatePK, Model): created_at = Column(db.DateTime, nullable=False, default=dt.datetime.utcnow) updated_at = Column(db.DateTime, nullable=False, default=dt.datetime.utcnow) name = Column(db.String) data = Column(JSONB, default={}) def __init__(self, name='', data={}, updated_at=dt.datetime.utcnow()): self.name = name self.data = data self.updated_at = updated_at
class OsquerySchema(SurrogatePK, Model): name = Column(db.String, nullable=False) platform = Column(ARRAY(db.String), nullable=False) schema = Column(JSONB, default={}, nullable=False) description = Column(db.String, nullable=True) def __init__(self, name=None, platform=None, schema=None, description=None, **kwargs): self.platform = platform self.name = name self.schema = schema self.description = description
class CarvedBlock(SurrogatePK, Model): request_id = Column(db.String, nullable=False) session_id = Column(db.String, nullable=False) block_id = Column(db.Integer, nullable=False) data = Column(db.String, nullable=False) size = Column(db.Integer, nullable=False) created_at = Column(db.DateTime, nullable=False, default=dt.datetime.utcnow) updated_at = Column(db.DateTime, nullable=False, default=dt.datetime.utcnow) def __init___(self, request_id=None, session_id=None, block_id=None, data=None, size=None): self.request_id = request_id self.session_id = session_id self.block_id = block_id self.data = data self.size = size
class NodeData(SurrogatePK, Model): # config = Column(JSONB) data = Column(JSONB, default={}, nullable=False) name = Column(db.String, nullable=False) node_id = reference_col('node', nullable=False) node = relationship( 'Node', backref=db.backref('node_data', cascade='all, delete-orphan', lazy='dynamic'), ) created_at = Column(db.DateTime, nullable=False, default=dt.datetime.utcnow) updated_at = Column(db.DateTime, nullable=False) def to_dict(self): return { 'name': self.name, 'data': json.dumps(self.data), 'updated_at': dump_datetime(self.updated_at) } def to_dict_obj(self): return { 'name': self.name, 'data': self.data, 'updated_at': dump_datetime(self.updated_at) } def __init__(self, node=None, node_id=None, data=None, name=False, updated_at=None): if node: self.node = node elif node_id: self.node_id = node_id self.data = data self.name = name self.updated_at = updated_at
class AlertEmail(SurrogatePK, Model): alert_id = db.Column(db.Integer, db.ForeignKey('alerts.id', ondelete='CASCADE')) alert = relationship( 'Alerts', backref=db.backref('alert_email', lazy='dynamic', passive_deletes=True), ) status = Column(db.String, nullable=True) node_id = db.Column(db.Integer, db.ForeignKey('node.id', ondelete='CASCADE')) node = relationship('Node', backref=db.backref('alert_email', passive_deletes=True, lazy='dynamic')) body = Column(db.String, nullable=False) created_at = Column(db.DateTime, nullable=False, default=dt.datetime.utcnow) updated_at = Column(db.DateTime, nullable=False) def __init__(self, node=None, node_id=None, alert=None, alert_id=None, body=None, status=None, updated_at=dt.datetime.utcnow()): if node: self.node = node elif node_id: self.node_id = node_id if alert: self.alert = alert elif alert_id: self.alert_id = alert_id self.updated_at = updated_at self.body = body self.status = status
class Tag(SurrogatePK, Model): value = Column(db.String, nullable=False, unique=True) nodes = relationship( 'Node', secondary=node_tags, back_populates='tags', ) packs = relationship( 'Pack', secondary=pack_tags, back_populates='tags', ) queries = relationship( 'Query', secondary=query_tags, back_populates='tags', ) file_paths = relationship( 'FilePath', secondary=file_path_tags, back_populates='tags', ) def __init__(self, value, **kwargs): self.value = value def __repr__(self): return '<Tag: {0.value}>'.format(self) @property def packs_count(self): return db.session.object_session(self) \ .query(Pack.id).with_parent(self, 'packs').count() @property def nodes_count(self): return db.session.object_session(self) \ .query(Node.id).with_parent(self, 'nodes').count() @property def queries_count(self): return db.session.object_session(self) \ .query(Query.id).with_parent(self, 'queries').count() @property def file_paths_count(self): return db.session.object_session(self) \ .query(FilePath.id).with_parent(self, 'file_paths').count() def to_dict(self): return self.value
class ResultLog(SurrogatePK, Model): NEW = 0 PENDING = 1 COMPLETE = 2 name = Column(db.String, nullable=False) timestamp = Column(db.DateTime, default=dt.datetime.utcnow) action = Column(db.String) columns = Column(JSONB) node_id = reference_col('node', nullable=False) node = relationship('Node', backref=db.backref('result_logs', lazy='dynamic')) uuid = Column(db.String, nullable=True) status = Column(db.Integer, default=NEW, nullable=False) task_id = Column(db.String, nullable=True) def __init__(self, name=None, action=None, columns=None, timestamp=None, node=None, node_id=None, uuid=None, **kwargs): self.name = name self.action = action self.columns = columns or {} self.timestamp = timestamp self.uuid = uuid if node: self.node = node elif node_id: self.node_id = node_id def to_json(self): return json.dumps(self, default=lambda o: o.__dict__, sort_keys=True, indent=4) def as_dict(self): return {c.name: getattr(self, c.name) for c in self.__table__.columns} def to_dict(self): dictionary = {} for c in self.__table__.columns: if not c.name == "timestamp": dictionary[c.name] = getattr(self, c.name) else: dictionary[c.name] = getattr( self, c.name).strftime('%m/%d/%Y %H/%M/%S') return dictionary @declared_attr def __table_args__(cls): return (Index('idx_%s_node_id_timestamp_desc' % cls.__tablename__, 'node_id', cls.timestamp.desc()), )
class User(UserMixin, SurrogatePK, Model): username = Column(db.String(80), unique=True, nullable=False) email = Column(db.String) password = db.Column(db.String, nullable=False) created_at = Column(db.DateTime, nullable=False, default=dt.datetime.utcnow) # oauth related stuff social_id = Column(db.String) first_name = Column(db.String) last_name = Column(db.String) def __init__(self, username, password=None, email=None, social_id=None, first_name=None, last_name=None): self.username = username self.email = email if password: self.set_password(password) else: self.password = None self.social_id = social_id self.first_name = first_name self.last_name = last_name def set_password(self, password): self.update( password=bcrypt.generate_password_hash(password).decode('utf-8')) return def check_password(self, value): if not self.password: # still do the computation return bcrypt.generate_password_hash(value) and False return bcrypt.check_password_hash(self.password, value) def generate_auth_token(self): s = Serializer(current_app.config['SECRET_KEY']) return s.dumps({'id': self.id}) @staticmethod def verify_auth_token(token): if not token: return None s = Serializer(current_app.config['SECRET_KEY']) try: data = s.loads(token) except SignatureExpired: return None # valid token, but expired except BadSignature: return None # invalid token user = User.query.get(data['id']) return user
class AlertLog(SurrogatePK, Model): name = Column(db.String, nullable=False) timestamp = Column(db.DateTime, default=dt.datetime.utcnow) action = Column(db.String) columns = Column(JSONB) alert_id = db.Column(db.Integer, db.ForeignKey('alerts.id', ondelete='CASCADE')) result_log_uuid = Column(db.String, nullable=True) def __init__(self, name=None, action=None, columns=None, timestamp=None, alert_id=None, result_log_uuid=None): self.name = name self.action = action self.columns = columns or {} self.timestamp = timestamp self.alert_id = alert_id self.result_log_uuid = result_log_uuid def to_dict(self): dictionary = {} for c in self.__table__.columns: if not c.name == "timestamp": dictionary[c.name] = getattr(self, c.name) else: dictionary[c.name] = getattr( self, c.name).strftime('%d-%m-%Y %H:%M:%S.%f') return dictionary @declared_attr def __table_args__(cls): return ( Index('idx_%s_name' % cls.__tablename__, 'name'), Index('idx_%s_result_log_uuid' % cls.__tablename__, 'result_log_uuid'), )
class Config(SurrogatePK, Model): ARCH_x86 = "x86" ARCH_x64 = "x86_64" TYPE_DEFAULT = 0 TYPE_SHALLOW = 1 TYPE_DEEP = 2 platform = Column(db.String) arch = Column(db.String) type = Column(db.Integer, default=TYPE_DEFAULT) created_at = Column(db.DateTime, nullable=False, default=dt.datetime.utcnow) updated_at = Column(db.DateTime, nullable=False, default=dt.datetime.utcnow) is_active = Column(db.Boolean, default=True, nullable=False) def __init__(self, platform, arch=ARCH_x64, type=None, updated_at=dt.datetime.utcnow, is_active=False, **kwargs): self.platform = platform self.updated_at = updated_at self.updated_at = dt.datetime.utcnow() self.arch = arch self.type = type self.is_active = is_active
class StatusLog(SurrogatePK, Model): line = Column(db.Integer) message = Column(db.String) severity = Column(db.Integer) filename = Column(db.String) created = Column(db.DateTime, default=dt.datetime.utcnow) version = Column(db.String) node_id = reference_col('node', nullable=False) node = relationship( 'Node', backref=db.backref('status_logs', lazy='dynamic') ) def __init__(self, line=None, message=None, severity=None, filename=None, created=None, node=None, node_id=None, version=None, **kwargs): self.line = int(line) self.message = message self.severity = int(severity) self.filename = filename self.created = created self.version = version if node: self.node = node elif node_id: self.node_id = node_id @declared_attr def __table_args__(cls): return ( Index('idx_%s_node_id_created_desc' % cls.__tablename__, 'node_id', cls.created.desc()), )
class NodeReconData(SurrogatePK, Model): columns = Column(JSONB, default={}, nullable=False) node_data_id = reference_col('node_data', nullable=False) node_data = relationship( 'NodeData', backref=db.backref('node_recon_data', cascade='all, delete-orphan', lazy='dynamic'), ) created_at = Column(db.DateTime, nullable=False, default=dt.datetime.utcnow) updated_at = Column(db.DateTime, nullable=False) def to_dict(self): return { 'columns': json.dumps(self.columns), 'updated_at': dump_datetime(self.updated_at) } def to_dict_obj(self): return { 'columns': self.columns, 'updated_at': dump_datetime(self.updated_at) } def __init__(self, node_data=None, node_data_id=None, columns=None, updated_at=None): if node_data: self.node_data = node_data elif node_data_id: self.node_data_id = node_data_id self.columns = columns self.updated_at = updated_at
class PhishTank(SurrogatePK, Model): phish_id = Column(db.String, nullable=False) verified = Column(db.String) url = Column(db.String, nullable=False) online = Column(db.String) target = Column(db.String) created_at = Column(db.DateTime, nullable=False, default=dt.datetime.utcnow) updated_at = Column(db.DateTime, nullable=False, default=dt.datetime.utcnow) def __init__(self, id, phish_id, verified, url, online, target, updated_at, **kwargs): self.verified = verified self.phish_id = phish_id self.id = id self.url = url self.online = online self.target = target self.updated_at = updated_at
class IOCIntel(SurrogatePK, Model): type = Column(db.String, nullable=True) intel_type = Column(db.String, nullable=False) value = Column(db.String, nullable=False) threat_name = Column(db.String, nullable=False) created_at = Column(db.DateTime, nullable=False, default=dt.datetime.utcnow) severity = Column(db.String, nullable=False, default='') def __init__(self, type, value, threat_name, intel_type, severity, **kwargs): self.type = type self.value = value self.intel_type = intel_type self.threat_name = threat_name self.severity = severity
class DefaultFilters(SurrogatePK, Model): ARCH_x86 = "x86" ARCH_x64 = "x86_64" filters = Column(JSONB) platform = Column(db.String, nullable=False) arch = Column(db.String) apply_by_default = Column(db.Boolean, nullable=False, default=False) created_at = Column(db.DateTime, nullable=False) updated_at = Column(db.DateTime, nullable=False, default=dt.datetime.utcnow) config_id = reference_col('config', nullable=False) config = relationship('Config', backref=db.backref('default_filters', lazy='dynamic')) def __init__(self, filters, platform, created_at, apply_by_default=False, config_id=None, arch=ARCH_x64, **kwargs): self.filters = filters self.platform = platform self.apply_by_default = apply_by_default self.created_at = created_at self.updated_at = dt.datetime.utcnow() self.arch = arch self.config_id = config_id @property def serialize(self): """Return object data in easily serializeable format""" return { 'id': self.id, 'filters': json.loads(self.filters), 'platform': self.platform, 'arch': self.arch, 'type': self.type, 'created_at': dump_datetime(self.created_at), 'updated_at': dump_datetime(self.updated_at) }
class ReleasedAgentVersions(SurrogatePK, Model): platform = Column(db.String, nullable=False) platform_release = Column(db.String, nullable=True) osquery_version = Column(db.String, nullable=True) extension_version = Column(db.String, nullable=True) extension_hash_md5 = Column(db.String, nullable=True) created_at = Column(db.DateTime, nullable=True, default=dt.datetime.utcnow) def __init__(self, platform=None, platform_release=None, osquery_version=None, extension_version=None, extension_hash_md5=None, **kwargs): self.platform = platform self.platform_release = platform_release self.osquery_version = osquery_version self.extension_version = extension_version self.extension_hash_md5 = extension_hash_md5 self.created_at = dt.datetime.now()
class Rule(SurrogatePK, Model): WARNING = "WARNING" INFO = "INFO" CRITICAL = "CRITICAL" MITRE = "MITRE" DEFAULT = "DEFAULT" name = Column(db.String, nullable=False) alerters = Column(ARRAY(db.String), nullable=False) description = Column(db.String, nullable=True) severity = Column(db.String, nullable=True) conditions = Column(JSONB) updated_at = Column(db.DateTime, nullable=False, default=dt.datetime.utcnow) status = Column(db.String, nullable=True) recon_queries = Column(JSONB) type = Column(db.String, nullable=True, default=DEFAULT) technique_id = Column(db.String, nullable=True) tactics = Column(ARRAY(db.String), nullable=True) def __init__(self, name, alerters, description=None, conditions=None, status='ACTIVE', updated_at=None, recon_queries=None, severity=None, type=None, technique_id=None, tactics=[]): self.name = name self.description = description self.alerters = alerters self.conditions = conditions self.status = status self.recon_queries = recon_queries self.updated_at = updated_at self.severity = severity self.type = type self.technique_id = technique_id self.tactics = tactics def to_dict(self): return {c.name: getattr(self, c.name) for c in self.__table__.columns} def as_dict(self): dictionary = {} for c in self.__table__.columns: if not c.name == "updated_at": dictionary[c.name] = getattr(self, c.name) else: dictionary[c.name] = getattr( self, c.name).strftime('%m/%d/%Y %H/%M/%S') return dictionary @property def template(self): return string.Template("{name}\r\n\r\n{description}".format( name=self.name, description=self.description or ''))
class DistributedQueryTask(SurrogatePK, Model): NEW = 0 PENDING = 1 COMPLETE = 2 FAILED = 3 NOT_SENT = 4 HIGH = 0 LOW = 1 save_results_in_db = Column(db.Boolean, nullable=False, default=False) guid = Column(db.String, nullable=False, unique=True) status = Column(db.Integer, default=0, nullable=False) timestamp = Column(db.DateTime) data = Column(JSONB) updated_at = Column(db.DateTime, nullable=True, default=None) viewed_at = Column(db.DateTime, nullable=True, default=None) priority = Column(db.Integer, default=0, nullable=False) sql = Column(db.String, nullable=True) distributed_query_id = reference_col('distributed_query', nullable=False) distributed_query = relationship( 'DistributedQuery', backref=db.backref('tasks', cascade='all, delete-orphan', lazy='dynamic'), ) node_id = db.Column(db.Integer, db.ForeignKey('node.id', ondelete='CASCADE')) node = relationship('Node', backref=db.backref('distributed_queries', passive_deletes=True, lazy='dynamic')) def __init__(self, node=None, node_id=None, distributed_query=None, save_results_in_db=False, distributed_query_id=None, updated_at=None, priority=0, viewed_at=None, data=None): self.guid = str(uuid.uuid4()) self.updated_at = updated_at self.viewed_at = viewed_at self.save_results_in_db = save_results_in_db self.data = data self.priority = priority if node: self.node = node elif node_id: self.node_id = node_id if distributed_query: self.distributed_query = distributed_query elif distributed_query_id: self.distributed_query_id = distributed_query_id @declared_attr def __table_args__(cls): return (Index('idx_%s_node_id_status' % cls.__tablename__, 'node_id', 'status'), ) def to_dict_obj(self): return { 'id': self.id, 'distributed_query': { 'description': self.distributed_query.description, 'sql': self.distributed_query.sql }, 'results': self.data, }