Implement Phase 4: ML threat detection, automated playbooks, and advanced reporting

Co-authored-by: mblanke <9078342+mblanke@users.noreply.github.com>

backend/app/api/routes/threat_intel.py

@@ -0,0 +1,127 @@
+from typing import List
+from fastapi import APIRouter, Depends, HTTPException, status
+from sqlalchemy.orm import Session
+
+from app.core.database import get_db
+from app.core.deps import get_current_active_user, get_tenant_id
+from app.core.threat_intel import get_threat_analyzer
+from app.models.user import User
+from app.models.threat_score import ThreatScore
+from app.models.host import Host
+from app.models.artifact import Artifact
+from app.schemas.threat_score import ThreatScoreRead, ThreatScoreCreate
+
+router = APIRouter()
+
+
+@router.post("/analyze/host/{host_id}", response_model=ThreatScoreRead)
+async def analyze_host(
+    host_id: int,
+    current_user: User = Depends(get_current_active_user),
+    tenant_id: int = Depends(get_tenant_id),
+    db: Session = Depends(get_db)
+):
+    """
+    Analyze a host for threats using ML
+    """
+    host = db.query(Host).filter(
+        Host.id == host_id,
+        Host.tenant_id == tenant_id
+    ).first()
+    
+    if not host:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="Host not found"
+        )
+    
+    # Analyze host
+    analyzer = get_threat_analyzer()
+    analysis = analyzer.analyze_host({
+        "hostname": host.hostname,
+        "ip_address": host.ip_address,
+        "os": host.os,
+        "host_metadata": host.host_metadata
+    })
+    
+    # Store threat score
+    threat_score = ThreatScore(
+        tenant_id=tenant_id,
+        host_id=host_id,
+        score=analysis["score"],
+        confidence=analysis["confidence"],
+        threat_type=analysis["threat_type"],
+        indicators=analysis["indicators"],
+        ml_model_version=analysis["ml_model_version"]
+    )
+    db.add(threat_score)
+    db.commit()
+    db.refresh(threat_score)
+    
+    return threat_score
+
+
+@router.post("/analyze/artifact/{artifact_id}", response_model=ThreatScoreRead)
+async def analyze_artifact(
+    artifact_id: int,
+    current_user: User = Depends(get_current_active_user),
+    tenant_id: int = Depends(get_tenant_id),
+    db: Session = Depends(get_db)
+):
+    """
+    Analyze an artifact for threats
+    """
+    artifact = db.query(Artifact).filter(Artifact.id == artifact_id).first()
+    
+    if not artifact:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="Artifact not found"
+        )
+    
+    # Analyze artifact
+    analyzer = get_threat_analyzer()
+    analysis = analyzer.analyze_artifact({
+        "artifact_type": artifact.artifact_type,
+        "value": artifact.value
+    })
+    
+    # Store threat score
+    threat_score = ThreatScore(
+        tenant_id=tenant_id,
+        artifact_id=artifact_id,
+        score=analysis["score"],
+        confidence=analysis["confidence"],
+        threat_type=analysis["threat_type"],
+        indicators=analysis["indicators"],
+        ml_model_version=analysis["ml_model_version"]
+    )
+    db.add(threat_score)
+    db.commit()
+    db.refresh(threat_score)
+    
+    return threat_score
+
+
+@router.get("/scores", response_model=List[ThreatScoreRead])
+async def list_threat_scores(
+    skip: int = 0,
+    limit: int = 100,
+    min_score: float = 0.0,
+    threat_type: str = None,
+    current_user: User = Depends(get_current_active_user),
+    tenant_id: int = Depends(get_tenant_id),
+    db: Session = Depends(get_db)
+):
+    """
+    List threat scores with filtering
+    """
+    query = db.query(ThreatScore).filter(ThreatScore.tenant_id == tenant_id)
+    
+    if min_score:
+        query = query.filter(ThreatScore.score >= min_score)
+    if threat_type:
+        query = query.filter(ThreatScore.threat_type == threat_type)
+    
+    scores = query.order_by(ThreatScore.score.desc()).offset(skip).limit(limit).all()
+    return scores