# Mobile Verification Toolkit (MVT)
# Copyright (c) 2021-2023 The MVT Authors.
# Use of this software is governed by the MVT License 1.1 that can be found at
# https://license.mvt.re/1.1/
from enum import Enum
class AlertLevel(Enum):
    """
    Severity of an alert raised by an MVT module, from least to most urgent.

    This is a plain ``Enum``: members compare only for equality, so rank
    them via ``.value`` rather than with ``<``/``>``, and ``json.dumps``
    will not serialise a member directly (use ``.name`` or ``.value``).

    informational: Rule is intended for enrichment of events, e.g. by tagging them. No case or alerting should be triggered by such rules because it is expected that a huge amount of events will match these rules.

    low: Notable event but rarely an incident. Low rated events can be relevant in high numbers or combination with others. Immediate reaction shouldn't be necessary, but a regular review is recommended.

    medium: Relevant event that should be reviewed manually on a more frequent basis.

    high: Relevant event that should trigger an internal alert and requires a prompt review.

    critical: Highly relevant event that indicates an incident. Critical events should be reviewed immediately.
    """

    # Values increase with severity and are spaced by ten, which leaves room
    # for intermediate levels; presumably only the relative order matters.
    INFORMATIONAL = 0
    LOW = 10
    MEDIUM = 20
    HIGH = 30
    CRITICAL = 40
class AlertStore(object):
    """
    Collect the alerts and detections a module raises during one analysis run.

    Alerts are kept in ``self.alerts`` in the order they were added. Each
    ``Alert`` can be rendered as a log line (``to_log``) or as a dict for
    JSON output (``to_json``) for processing by other tools.

    NOTE(review): ``add_alert`` defaults to ``detected=True`` while the
    per-level helpers (``informational`` .. ``critical``) default to
    ``detected=False``. A caller using e.g. ``store.critical(...)`` therefore
    gets a non-detection unless it passes ``detected=True`` explicitly; if
    downstream code keys off ``detected``, confirm this asymmetry is intended.
    """

    def __init__(self) -> None:
        # Every Alert added so far, oldest first.
        self.alerts = []

    def add_alert(
        self, level, message=None, event_time=None, event=None, ioc=None, detected=True
    ):
        """
        Record one alert.

        :param level: an AlertLevel member.
        :param message: human-readable description of the finding.
        :param event_time: timestamp of the underlying event, stored as given.
        :param event: the record that triggered the alert, stored as given.
        :param ioc: indicator associated with the alert, if any, stored as given.
        :param detected: whether this alert counts as a positive detection.
        """
        new_alert = Alert(level, message, event_time, event, ioc, detected)
        self.alerts.append(new_alert)

    def informational(
        self, message=None, event_time=None, event=None, ioc=None, detected=False
    ):
        """Record an INFORMATIONAL alert (note: ``detected`` defaults to False)."""
        self.add_alert(AlertLevel.INFORMATIONAL, message, event_time, event, ioc, detected)

    def low(self, message=None, event_time=None, event=None, ioc=None, detected=False):
        """Record a LOW alert (note: ``detected`` defaults to False)."""
        self.add_alert(AlertLevel.LOW, message, event_time, event, ioc, detected)

    def medium(
        self, message=None, event_time=None, event=None, ioc=None, detected=False
    ):
        """Record a MEDIUM alert (note: ``detected`` defaults to False)."""
        self.add_alert(AlertLevel.MEDIUM, message, event_time, event, ioc, detected)

    def high(self, message=None, event_time=None, event=None, ioc=None, detected=False):
        """Record a HIGH alert (note: ``detected`` defaults to False)."""
        self.add_alert(AlertLevel.HIGH, message, event_time, event, ioc, detected)

    def critical(
        self, message=None, event_time=None, event=None, ioc=None, detected=False
    ):
        """Record a CRITICAL alert (note: ``detected`` defaults to False)."""
        self.add_alert(AlertLevel.CRITICAL, message, event_time, event, ioc, detected)
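class Alert(object):
    """
    A single alert generated by an MVT module.

    Attributes mirror the constructor arguments and are stored as given;
    nothing here normalises ``event_time`` or ``event``.
    """

    def __init__(self, level, message, event_time, event, ioc, detected):
        # Severity; an AlertLevel member when created through AlertStore.
        self.level = level
        # Human-readable description of the finding.
        self.message = message
        # Timestamp of the underlying event, as supplied by the module.
        self.event_time = event_time
        # The record that triggered the alert, as supplied by the module.
        self.event = event
        # Indicator associated with the alert, if any.
        self.ioc = ioc
        # Whether this alert counts as a positive detection.
        self.detected = detected

    def __repr__(self) -> str:
        return f"<Alert level={self.level} message={self.message} event_time={self.event_time} event={self.event}>"

    def __str__(self) -> str:
        return f"{self.level} {self.message} {self.event_time} {self.event}"

    def to_log(self) -> str:
        """
        Render the alert as a single log line (same text as ``str(self)``).

        NOTE(review): ``message`` and ``event`` are interpolated verbatim.
        They presumably derive from data extracted from the device under
        analysis, which an attacker may control, so embedded newlines or
        terminal escape sequences would pass straight into the log; sanitise
        at the logging sink if the log is consumed by humans or tooling.
        """
        return f"{self.level} {self.message} {self.event_time} {self.event}"

    def to_json(self) -> dict:
        """
        Return a JSON-serialisable dict view of the alert.

        ``level`` is emitted as the enum member's name (e.g. ``"HIGH"``)
        because ``json.dumps`` cannot serialise a plain ``Enum`` member and
        every alert created via AlertStore carries an ``AlertLevel``; a
        non-Enum level is passed through unchanged. The remaining fields are
        copied as-is, so ``event_time`` and ``event`` must already be
        JSON-compatible.
        """
        level = self.level.name if isinstance(self.level, Enum) else self.level
        return {
            "level": level,
            "message": self.message,
            "event_time": self.event_time,
            "event": self.event,
            "ioc": self.ioc,
            "detected": self.detected,
        }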