psengine.detection.detection_rule

DetectionRule

Bases: RFBaseModel

Detection rule model to validate output of the /search endpoint.

This class supports hashing, equality comparison, string representation, and total ordering of DetectionRule instances.

Hashing

Returns a hash value based on id_ and the updated timestamp.

Equality

Checks equality between two DetectionRule instances based on id_ and updated time.

Greater-than Comparison

Defines a greater-than comparison between two DetectionRule instances based on the updated timestamp and id_.

String Representation

Returns a string representation of the DetectionRule instance including id_, created timestamp, updated timestamp, and title.

>>> print(detection_rule)
ID: rule123, Created: 2024-05-21 10:42:30AM, Updated: 2024-05-21 10:42:30AM, Title: Example.

Total ordering

The ordering of DetectionRule instances is determined primarily by the updated timestamp. If two instances have the same updated timestamp, id_ is used as a secondary criterion.

created instance-attribute

created: datetime

description instance-attribute

description: str

id_ class-attribute instance-attribute

id_: str = Field(alias='id')

model_config class-attribute instance-attribute

model_config = ConfigDict(
    extra=get('RF_MODEL_EXTRA', 'ignore')
)

rules instance-attribute

rules: list[RuleContext]

title instance-attribute

title: str

type_ class-attribute instance-attribute

type_: DetectionRuleType = Field(alias='type')

updated instance-attribute

updated: datetime

__eq__

__eq__(other: DetectionRule)
Source code in psengine/detection/detection_rule.py
def __eq__(self, other: 'DetectionRule'):
    return (self.id_, self.updated) == (other.id_, other.updated)

__gt__

__gt__(other: DetectionRule)
Source code in psengine/detection/detection_rule.py
def __gt__(self, other: 'DetectionRule'):
    return (self.updated, self.id_) > (other.updated, other.id_)

__hash__

__hash__()
Source code in psengine/detection/detection_rule.py
def __hash__(self):
    return hash((self.id_, self.updated))

__str__

__str__()
Source code in psengine/detection/detection_rule.py
def __str__(self):
    return (
        f'ID: {self.id_}, Created: {self.created.strftime(TIMESTAMP_STR)}, '
        f'Updated: {self.updated.strftime(TIMESTAMP_STR)}, Title: {self.title}'
    )
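
What these comparison rules mean when syncing detection content, as an added example that is not psengine code: `RuleStub` is a hypothetical stdlib stand-in that copies the `__eq__`, `__gt__` and `__hash__` bodies shown above, and the use of `functools.total_ordering`, the helper names and the sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from functools import total_ordering


@total_ordering  # assumption: derives <, <=, >= from __gt__ and __eq__
@dataclass(eq=False)
class RuleStub:
    """Hypothetical stand-in with only the fields the comparisons use."""
    id_: str
    updated: datetime
    title: str = ''

    def __eq__(self, other):
        if not isinstance(other, RuleStub):
            return NotImplemented
        return (self.id_, self.updated) == (other.id_, other.updated)

    def __gt__(self, other):
        return (self.updated, self.id_) > (other.updated, other.id_)

    def __hash__(self):
        return hash((self.id_, self.updated))


def latest_revisions(results):
    """Drop exact (id_, updated) duplicates, keep the newest revision per id_."""
    newest = {}
    for rule in sorted(set(results)):  # oldest first, ties broken by id_
        newest[rule.id_] = rule        # a newer revision overwrites an older one
    return sorted(newest.values(), reverse=True)


def changed_since(previous, current):
    """Rules whose (id_, updated) pair was absent from the previous sync."""
    return sorted(set(current) - set(previous))


def _ts(day):
    return datetime(2024, 5, day, tzinfo=timezone.utc)


# Constructed sample: two overlapping pages of search results.
PAGE_1 = [RuleStub('rule-a', _ts(21), 'A'), RuleStub('rule-b', _ts(20), 'B')]
PAGE_2 = [RuleStub('rule-b', _ts(20), 'B'), RuleStub('rule-a', _ts(22), 'A v2')]
```

Because the title and rule body are not part of the identity, two objects with the same `id_` and `updated` collapse to one set member even if their other fields differ.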

json

json(
    by_alias: bool = True,
    exclude_none: bool = True,
    auto_exclude_unset: bool = True,
    **kwargs,
)

JSON representation of models. It is inherited by every model.

PARAMETER DESCRIPTION
by_alias

Alias flag:

  • If True, writes fields with their API alias (e.g., IpAddress).
  • If False, writes fields with their Python attribute name.

TYPE: bool DEFAULT: True

exclude_none

Whether to exclude fields equal to None.

TYPE: bool DEFAULT: True

auto_exclude_unset

Whether to automatically exclude values that were not set.

  • If True, the RF_MODEL_EXTRA config (the model's extra setting) decides: unset values are excluded unless extra is 'allow'.
  • If False, you must specify exclude_unset manually.

TYPE: bool DEFAULT: True

Source code in psengine/common_models.py
def json(
    self,
    by_alias: Annotated[
        bool,
        Doc(
            """
            Alias flag:

            - If `True`, writes fields with their API alias (e.g., `IpAddress`).
            - If `False`, writes fields with their Python attribute name.
            """
        ),
    ] = True,
    exclude_none: Annotated[bool, Doc('Whether to exclude fields equal to None.')] = True,
    auto_exclude_unset: Annotated[
        bool,
        Doc("""
            Whether to auto exclude values not set.

            - If `True`, uses `RF_MODEL_EXTRA` config to decide inclusion of unmapped fields.
            - If `False`, you must specify `exclude_unset` manually.
            """),
    ] = True,
    **kwargs,
):
    """JSON representation of models. It is inherited by every model."""
    if not auto_exclude_unset and kwargs.get('exclude_unset') is None:
        raise ValueError('`auto_exclude_unset` is False, `exclude_unset` has to be provided')

    exclude_unset = (
        bool(self.model_config['extra'] != 'allow')
        if auto_exclude_unset
        else kwargs['exclude_unset']
    )
    kwargs['exclude_unset'] = exclude_unset
    return self.model_dump(mode='json', by_alias=by_alias, exclude_none=exclude_none, **kwargs)
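
How the `exclude_unset` decision in the `json()` source above changes the serialized payload, as an added example that is not psengine code: `SearchPayloadSketch` and `AllowExtraSketch` are hypothetical pydantic v2 stand-ins with a plain `dict` filter, `extra` is hard-coded instead of read from `RF_MODEL_EXTRA`, and the filter contents and `vendor_flag` are constructed.

```python
from typing import Optional

from pydantic import BaseModel, ConfigDict, Field


class SearchPayloadSketch(BaseModel):
    """Hypothetical stand-in for a search payload model; not the psengine class."""

    # The page reads this value from RF_MODEL_EXTRA; fixed here for stable output.
    model_config = ConfigDict(extra='ignore')

    filter_: Optional[dict] = Field(alias='filter', default={})
    limit: Optional[int] = None
    offset: Optional[str] = None
    tagged_entities: Optional[bool] = False

    def json(self, by_alias=True, exclude_none=True, auto_exclude_unset=True, **kwargs):
        # Same decision logic as the json() source shown above.
        if not auto_exclude_unset and kwargs.get('exclude_unset') is None:
            raise ValueError('`exclude_unset` has to be provided')
        kwargs['exclude_unset'] = (
            self.model_config['extra'] != 'allow'
            if auto_exclude_unset
            else kwargs['exclude_unset']
        )
        return self.model_dump(mode='json', by_alias=by_alias, exclude_none=exclude_none, **kwargs)


class AllowExtraSketch(SearchPayloadSketch):
    """Same fields, but unmapped input is kept (extra='allow')."""
    model_config = ConfigDict(extra='allow')


def demo():
    # Constructed input: only filter and limit are set explicitly.
    strict = SearchPayloadSketch(filter={'types': ['sigma']}, limit=10)
    loose = AllowExtraSketch(filter={'types': ['sigma']}, limit=10, vendor_flag=True)
    return {
        'default': strict.json(),                    # unset defaults are dropped
        'attr_names': strict.json(by_alias=False),   # filter_ instead of filter
        'extra_allow': loose.json(),                 # defaults and extras are kept
        'manual': strict.json(auto_exclude_unset=False, exclude_unset=False),
    }
```

With `extra` other than `'allow'`, a default such as `tagged_entities=False` is never serialized unless the caller sets it explicitly.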

DetectionRuleSearchOut

Bases: RFBaseModel

Model to validate /search endpoint payload sent.

filter_ class-attribute instance-attribute

filter_: Optional[SearchFilter] = Field(
    alias='filter', default={}
)

limit class-attribute instance-attribute

limit: Optional[int] = None

model_config class-attribute instance-attribute

model_config = ConfigDict(
    extra=get('RF_MODEL_EXTRA', 'ignore')
)

offset class-attribute instance-attribute

offset: Optional[str] = None

tagged_entities class-attribute instance-attribute

tagged_entities: Optional[bool] = False

json

json(
    by_alias: bool = True,
    exclude_none: bool = True,
    auto_exclude_unset: bool = True,
    **kwargs,
)

JSON representation of models. It is inherited by every model.

PARAMETER DESCRIPTION
by_alias

Alias flag:

  • If True, writes fields with their API alias (e.g., IpAddress).
  • If False, writes fields with their Python attribute name.

TYPE: bool DEFAULT: True

exclude_none

Whether to exclude fields equal to None.

TYPE: bool DEFAULT: True

auto_exclude_unset

Whether to automatically exclude values that were not set.

  • If True, the RF_MODEL_EXTRA config (the model's extra setting) decides: unset values are excluded unless extra is 'allow'.
  • If False, you must specify exclude_unset manually.

TYPE: bool DEFAULT: True

Source code in psengine/common_models.py
def json(
    self,
    by_alias: Annotated[
        bool,
        Doc(
            """
            Alias flag:

            - If `True`, writes fields with their API alias (e.g., `IpAddress`).
            - If `False`, writes fields with their Python attribute name.
            """
        ),
    ] = True,
    exclude_none: Annotated[bool, Doc('Whether to exclude fields equal to None.')] = True,
    auto_exclude_unset: Annotated[
        bool,
        Doc("""
            Whether to auto exclude values not set.

            - If `True`, uses `RF_MODEL_EXTRA` config to decide inclusion of unmapped fields.
            - If `False`, you must specify `exclude_unset` manually.
            """),
    ] = True,
    **kwargs,
):
    """JSON representation of models. It is inherited by every model."""
    if not auto_exclude_unset and kwargs.get('exclude_unset') is None:
        raise ValueError('`auto_exclude_unset` is False, `exclude_unset` has to be provided')

    exclude_unset = (
        bool(self.model_config['extra'] != 'allow')
        if auto_exclude_unset
        else kwargs['exclude_unset']
    )
    kwargs['exclude_unset'] = exclude_unset
    return self.model_dump(mode='json', by_alias=by_alias, exclude_none=exclude_none, **kwargs)