
ADT

psengine.enrich.soar

SOAREnrichIn

Bases: RFBaseModel

Model used to validate payload sent to SOAR enrichment endpoint.

companybydomain class-attribute instance-attribute

companybydomain: Optional[list[str]] = None

domain class-attribute instance-attribute

domain: Optional[list[str]] = None

hash_ class-attribute instance-attribute

hash_: Optional[list[str]] = Field(
    alias='hash', default=None
)

ip class-attribute instance-attribute

ip: Optional[list[str]] = None

model_config class-attribute instance-attribute

model_config = ConfigDict(
    extra=get('RF_MODEL_EXTRA', 'ignore')
)

url class-attribute instance-attribute

url: Optional[list[str]] = None

vulnerability class-attribute instance-attribute

vulnerability: Optional[list[str]] = None

json

json(
    by_alias: bool = True,
    exclude_none: bool = True,
    auto_exclude_unset: bool = True,
    **kwargs,
)

JSON representation of models. It is inherited by every model.

PARAMETER DESCRIPTION
by_alias

Alias flag:

  • If True, writes fields with their API alias (e.g., IpAddress)
  • If False, uses the Python attribute name.

TYPE: bool DEFAULT: True

exclude_none

Whether to exclude fields equal to None.

TYPE: bool DEFAULT: True

auto_exclude_unset

Whether to auto exclude values not set.

  • If True, uses the RF_MODEL_EXTRA config to decide inclusion of unmapped fields.
  • If False, you must specify exclude_unset manually.

TYPE: bool DEFAULT: True

Source code in psengine/common_models.py
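def json(
    self,
    by_alias: Annotated[
        bool,
        Doc(
            """
            Alias flag:

            - If `True`, writes fields with their API alias (e.g., `IpAddress`)
            - If `False`, uses the Python attribute name.
            """
        ),
    ] = True,
    exclude_none: Annotated[bool, Doc('Whether to exclude fields equal to None.')] = True,
    auto_exclude_unset: Annotated[
        bool,
        Doc("""
            Whether to auto exclude values not set.

            - If `True`, uses `RF_MODEL_EXTRA` config to decide inclusion of unmapped fields.
            - If `False`, you must specify `exclude_unset` manually.
            """),
    ] = True,
    **kwargs,
):
    """JSON representation of models. It is inherited by every model.

    Delegates to ``self.model_dump(mode='json', ...)`` and returns its result
    unchanged (with pydantic v2 that is a dict of JSON-compatible values, not
    a string).

    Args:
        by_alias: Forwarded to ``model_dump``.
        exclude_none: Forwarded to ``model_dump``.
        auto_exclude_unset: When true, ``exclude_unset`` is derived from
            ``self.model_config['extra']``; when false, the caller must pass
            ``exclude_unset`` in ``kwargs``.
        **kwargs: Extra keyword arguments forwarded to ``model_dump``.

    Raises:
        ValueError: If ``auto_exclude_unset`` is false and ``exclude_unset``
            is missing (or ``None``) in ``kwargs``.
    """
    if auto_exclude_unset:
        # Any `exclude_unset` the caller passed is overwritten in this branch.
        # Unset fields are dropped unless the model is configured with
        # extra='allow'.
        # NOTE(review): with extra='allow' the model presumably also keeps
        # fields of the API response that no declared attribute validated;
        # treat such a dump as unvalidated data when forwarding it -- confirm.
        kwargs['exclude_unset'] = bool(self.model_config['extra'] != 'allow')
    elif kwargs.get('exclude_unset') is None:
        raise ValueError('`auto_exclude_unset` is False, `exclude_unset` has to be provided')

    return self.model_dump(mode='json', by_alias=by_alias, exclude_none=exclude_none, **kwargs)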

SOAREnrichOut

Bases: RFBaseModel

Model used for collecting all the data returned in a SOAR call.

content class-attribute instance-attribute

content: Optional[SOAREnrichedEntity] = None

entity instance-attribute

entity: str

is_enriched instance-attribute

is_enriched: bool

model_config class-attribute instance-attribute

model_config = ConfigDict(
    extra=get('RF_MODEL_EXTRA', 'ignore')
)

json

json(
    by_alias: bool = True,
    exclude_none: bool = True,
    auto_exclude_unset: bool = True,
    **kwargs,
)

JSON representation of models. It is inherited by every model.

PARAMETER DESCRIPTION
by_alias

Alias flag:

  • If True, writes fields with their API alias (e.g., IpAddress)
  • If False, uses the Python attribute name.

TYPE: bool DEFAULT: True

exclude_none

Whether to exclude fields equal to None.

TYPE: bool DEFAULT: True

auto_exclude_unset

Whether to auto exclude values not set.

  • If True, uses the RF_MODEL_EXTRA config to decide inclusion of unmapped fields.
  • If False, you must specify exclude_unset manually.

TYPE: bool DEFAULT: True

Source code in psengine/common_models.py
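def json(
    self,
    by_alias: Annotated[
        bool,
        Doc(
            """
            Alias flag:

            - If `True`, writes fields with their API alias (e.g., `IpAddress`)
            - If `False`, uses the Python attribute name.
            """
        ),
    ] = True,
    exclude_none: Annotated[bool, Doc('Whether to exclude fields equal to None.')] = True,
    auto_exclude_unset: Annotated[
        bool,
        Doc("""
            Whether to auto exclude values not set.

            - If `True`, uses `RF_MODEL_EXTRA` config to decide inclusion of unmapped fields.
            - If `False`, you must specify `exclude_unset` manually.
            """),
    ] = True,
    **kwargs,
):
    """JSON representation of models. It is inherited by every model.

    Delegates to ``self.model_dump(mode='json', ...)`` and returns its result
    unchanged (with pydantic v2 that is a dict of JSON-compatible values, not
    a string).

    Args:
        by_alias: Forwarded to ``model_dump``.
        exclude_none: Forwarded to ``model_dump``.
        auto_exclude_unset: When true, ``exclude_unset`` is derived from
            ``self.model_config['extra']``; when false, the caller must pass
            ``exclude_unset`` in ``kwargs``.
        **kwargs: Extra keyword arguments forwarded to ``model_dump``.

    Raises:
        ValueError: If ``auto_exclude_unset`` is false and ``exclude_unset``
            is missing (or ``None``) in ``kwargs``.
    """
    if auto_exclude_unset:
        # Any `exclude_unset` the caller passed is overwritten in this branch.
        # Unset fields are dropped unless the model is configured with
        # extra='allow'.
        # NOTE(review): with extra='allow' the model presumably also keeps
        # fields of the API response that no declared attribute validated;
        # treat such a dump as unvalidated data when forwarding it -- confirm.
        kwargs['exclude_unset'] = bool(self.model_config['extra'] != 'allow')
    elif kwargs.get('exclude_unset') is None:
        raise ValueError('`auto_exclude_unset` is False, `exclude_unset` has to be provided')

    return self.model_dump(mode='json', by_alias=by_alias, exclude_none=exclude_none, **kwargs)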

SOAREnrichedEntity

Bases: RFBaseModel

Model used for validating returned data from the SOAR endpoint for bulk enrichment.

This class supports hashing, equality comparison, string representation, and total ordering of SOAREnrichedEntity instances.

Hashing

Returns a hash value based on the entity id_ and the risk score.

Equality

Checks equality between two SOAREnrichedEntity instances based on their entity name and risk score.

Greater-than Comparison

Defines a greater-than comparison between two SOAREnrichedEntity instances based on their risk score and entity name.

String Representation

Returns a string representation of the SOAREnrichedEntity instance including the enriched entity name, risk score, and most critical rule.

>>> print(soar_enriched_entity)
Enriched Entity: 1.1.1.1, Risk Score: 95, Most Critical Rule: C&C Server
Total ordering

The ordering of SOAREnrichedEntity instances is determined primarily by the risk score. If two instances have the same risk score, their entity name is used as a secondary criterion.

entity instance-attribute

model_config class-attribute instance-attribute

model_config = ConfigDict(
    extra=get('RF_MODEL_EXTRA', 'ignore')
)

risk instance-attribute

risk: Risk

__eq__

__eq__(other: SOAREnrichedEntity)
Source code in psengine/enrich/soar.py
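def __eq__(self, other: 'SOAREnrichedEntity'):
    """Return whether both instances share the same entity name and risk score.

    Returns ``NotImplemented`` when ``other`` does not expose ``entity.name``
    and ``risk.score`` (for example ``None`` or a plain string), so the
    comparison falls back to Python's default handling instead of raising
    ``AttributeError``.
    """
    # NOTE(review): __hash__ on this class is keyed on entity.id_, while
    # equality uses entity.name. If two different ids can share a name, equal
    # objects may hash differently and set/dict de-duplication would keep
    # both -- confirm which key is intended.
    try:
        other_key = (other.entity.name, other.risk.score)
    except AttributeError:
        return NotImplemented
    return (self.entity.name, self.risk.score) == other_key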

__gt__

__gt__(other: SOAREnrichedEntity)
Source code in psengine/enrich/soar.py
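def __gt__(self, other: 'SOAREnrichedEntity'):
    """Return whether this instance orders after ``other``.

    Instances are ordered by risk score first and by entity name second.
    Returns ``NotImplemented`` when ``other`` does not expose ``risk.score``
    and ``entity.name``, so an unsupported comparison surfaces as Python's
    usual ``TypeError`` rather than an ``AttributeError`` from inside here.
    """
    try:
        other_key = (other.risk.score, other.entity.name)
    except AttributeError:
        return NotImplemented
    return (self.risk.score, self.entity.name) > other_key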

__hash__

__hash__()
Source code in psengine/enrich/soar.py
def __hash__(self):
    """Return a hash built from the entity ``id_`` and the risk score."""
    # NOTE(review): __eq__ on this class compares entity.name, not
    # entity.id_. If two different ids can share a name, objects that compare
    # equal would hash differently -- confirm which key is intended.
    identity = (self.entity.id_, self.risk.score)
    return hash(identity)

__str__

__str__()
Source code in psengine/enrich/soar.py
def __str__(self):
    """Return a one-line summary: entity name, risk score, most critical rule."""
    head = f'Enriched Entity: {self.entity.name}, Risk Score: {self.risk.score}, '
    tail = f'Most Critical Rule: {self.risk.rule.most_critical}'
    return head + tail

json

json(
    by_alias: bool = True,
    exclude_none: bool = True,
    auto_exclude_unset: bool = True,
    **kwargs,
)

JSON representation of models. It is inherited by every model.

PARAMETER DESCRIPTION
by_alias

Alias flag:

  • If True, writes fields with their API alias (e.g., IpAddress)
  • If False, uses the Python attribute name.

TYPE: bool DEFAULT: True

exclude_none

Whether to exclude fields equal to None.

TYPE: bool DEFAULT: True

auto_exclude_unset

Whether to auto exclude values not set.

  • If True, uses the RF_MODEL_EXTRA config to decide inclusion of unmapped fields.
  • If False, you must specify exclude_unset manually.

TYPE: bool DEFAULT: True

Source code in psengine/common_models.py
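def json(
    self,
    by_alias: Annotated[
        bool,
        Doc(
            """
            Alias flag:

            - If `True`, writes fields with their API alias (e.g., `IpAddress`)
            - If `False`, uses the Python attribute name.
            """
        ),
    ] = True,
    exclude_none: Annotated[bool, Doc('Whether to exclude fields equal to None.')] = True,
    auto_exclude_unset: Annotated[
        bool,
        Doc("""
            Whether to auto exclude values not set.

            - If `True`, uses `RF_MODEL_EXTRA` config to decide inclusion of unmapped fields.
            - If `False`, you must specify `exclude_unset` manually.
            """),
    ] = True,
    **kwargs,
):
    """JSON representation of models. It is inherited by every model.

    Delegates to ``self.model_dump(mode='json', ...)`` and returns its result
    unchanged (with pydantic v2 that is a dict of JSON-compatible values, not
    a string).

    Args:
        by_alias: Forwarded to ``model_dump``.
        exclude_none: Forwarded to ``model_dump``.
        auto_exclude_unset: When true, ``exclude_unset`` is derived from
            ``self.model_config['extra']``; when false, the caller must pass
            ``exclude_unset`` in ``kwargs``.
        **kwargs: Extra keyword arguments forwarded to ``model_dump``.

    Raises:
        ValueError: If ``auto_exclude_unset`` is false and ``exclude_unset``
            is missing (or ``None``) in ``kwargs``.
    """
    if auto_exclude_unset:
        # Any `exclude_unset` the caller passed is overwritten in this branch.
        # Unset fields are dropped unless the model is configured with
        # extra='allow'.
        # NOTE(review): with extra='allow' the model presumably also keeps
        # fields of the API response that no declared attribute validated;
        # treat such a dump as unvalidated data when forwarding it -- confirm.
        kwargs['exclude_unset'] = bool(self.model_config['extra'] != 'allow')
    elif kwargs.get('exclude_unset') is None:
        raise ValueError('`auto_exclude_unset` is False, `exclude_unset` has to be provided')

    return self.model_dump(mode='json', by_alias=by_alias, exclude_none=exclude_none, **kwargs)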