| """Risk scoring agent.""" | |
| from __future__ import annotations | |
| from statistics import mean | |
| from models.schemas import DetectionFinding, EnrichedEvent, Incident, RiskAssessment, Severity | |
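def score_incident(incident: Incident, events: list[EnrichedEvent], findings: list[DetectionFinding]) -> RiskAssessment:
    """Compute a 0-100 risk score and a severity band for *incident*.

    Only events whose ``id`` and findings whose ``event_id`` appear in
    ``incident.nodes`` contribute. The score starts at 30, grows with the
    mean finding confidence (weight 40), adds a per-finding severity bonus
    (critical 12 / high 8 / medium 4), adds 15 per event whose enrichment
    reports ``reputation == "malicious"`` and 6 per ``privilege.sudo``
    event, and is finally clamped to [0, 100].

    Args:
        incident: The incident whose ``nodes`` select the relevant events.
        events: Candidate enriched events, filtered by ``id``.
        findings: Candidate detection findings, filtered by ``event_id``.

    Returns:
        A ``RiskAssessment`` carrying the rounded score, the derived
        severity, the confidence (mean finding confidence, or 0.45 when the
        incident has no findings) and a ``factors`` summary.
    """
    event_ids = {node.event_id for node in incident.nodes}
    rel_events = [e for e in events if e.id in event_ids]
    rel_findings = [f for f in findings if f.event_id in event_ids]

    # The mean finding confidence feeds both the score and the reported
    # confidence, so compute it once; None marks "no findings".
    # NOTE(review): assumes finding.confidence is already in [0, 1] — confirm
    # against the schema, since an unbounded value inflates the score.
    avg_confidence = mean(f.confidence for f in rel_findings) if rel_findings else None

    base = 30.0
    if avg_confidence is not None:
        base += avg_confidence * 40

    # Severities not listed here (e.g. LOW) add nothing, as before.
    severity_weight = {Severity.CRITICAL: 12, Severity.HIGH: 8, Severity.MEDIUM: 4}
    base += sum(severity_weight.get(f.severity, 0) for f in rel_findings)

    for e in rel_events:
        # Tolerate an absent enrichment payload instead of failing the
        # whole assessment on a single un-enriched event.
        enrichment = e.enrichment or {}
        if enrichment.get("reputation") == "malicious":
            base += 15
        if e.event_type == "privilege.sudo":
            base += 6

    # Clamp so downstream consumers can rely on the 0-100 contract even when
    # many findings stack up; floats keep risk_score's type stable.
    risk = max(0.0, min(100.0, base))
    confidence = avg_confidence if avg_confidence is not None else 0.45

    return RiskAssessment(
        incident_id=incident.id,
        risk_score=round(risk, 2),
        severity=_severity_for(risk),
        confidence=round(confidence, 3),
        factors={
            "events": len(rel_events),
            "findings": len(rel_findings),
            # dict.fromkeys de-duplicates while keeping first-seen order, so
            # the list is reproducible across runs (a set's iteration order
            # changes with hash randomisation, which breaks audit diffs).
            "techniques": list(dict.fromkeys(f.technique for f in rel_findings)),
        },
    )


def _severity_for(risk: float) -> Severity:
    """Map a clamped risk score to its Severity band (thresholds 85/65/40)."""
    if risk >= 85:
        return Severity.CRITICAL
    if risk >= 65:
        return Severity.HIGH
    if risk >= 40:
        return Severity.MEDIUM
    return Severity.LOW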