Implement Phase 4: ML threat detection, automated playbooks, and advanced reporting

Co-authored-by: mblanke <9078342+mblanke@users.noreply.github.com>

backend/app/models/playbook.py

@@ -0,0 +1,45 @@
+from sqlalchemy import Column, Integer, String, DateTime, ForeignKey, Boolean, Text, JSON
+from sqlalchemy.orm import relationship
+from datetime import datetime, timezone
+
+from app.core.database import Base
+
+
+class Playbook(Base):
+    __tablename__ = "playbooks"
+
+    id = Column(Integer, primary_key=True, index=True)
+    tenant_id = Column(Integer, ForeignKey("tenants.id"), nullable=False)
+    name = Column(String, nullable=False, index=True)
+    description = Column(Text, nullable=True)
+    trigger_type = Column(String, nullable=False)  # manual, scheduled, event
+    trigger_config = Column(JSON, nullable=True)
+    actions = Column(JSON, nullable=False)  # List of action definitions
+    is_enabled = Column(Boolean, default=True, nullable=False)
+    created_by = Column(Integer, ForeignKey("users.id"), nullable=False)
+    created_at = Column(DateTime, default=lambda: datetime.now(timezone.utc))
+    updated_at = Column(DateTime, default=lambda: datetime.now(timezone.utc), onupdate=lambda: datetime.now(timezone.utc))
+
+    # Relationships
+    tenant = relationship("Tenant")
+    creator = relationship("User", foreign_keys=[created_by])
+    executions = relationship("PlaybookExecution", back_populates="playbook")
+
+
+class PlaybookExecution(Base):
+    __tablename__ = "playbook_executions"
+
+    id = Column(Integer, primary_key=True, index=True)
+    playbook_id = Column(Integer, ForeignKey("playbooks.id"), nullable=False)
+    tenant_id = Column(Integer, ForeignKey("tenants.id"), nullable=False)
+    status = Column(String, nullable=False)  # pending, running, completed, failed
+    started_at = Column(DateTime, default=lambda: datetime.now(timezone.utc))
+    completed_at = Column(DateTime, nullable=True)
+    result = Column(JSON, nullable=True)
+    error_message = Column(Text, nullable=True)
+    triggered_by = Column(Integer, ForeignKey("users.id"), nullable=True)
+
+    # Relationships
+    playbook = relationship("Playbook", back_populates="executions")
+    tenant = relationship("Tenant")
+    trigger_user = relationship("User")

backend/app/models/report_template.py

@@ -0,0 +1,43 @@
+from sqlalchemy import Column, Integer, String, DateTime, ForeignKey, Boolean, Text, JSON
+from sqlalchemy.orm import relationship
+from datetime import datetime, timezone
+
+from app.core.database import Base
+
+
+class ReportTemplate(Base):
+    __tablename__ = "report_templates"
+
+    id = Column(Integer, primary_key=True, index=True)
+    tenant_id = Column(Integer, ForeignKey("tenants.id"), nullable=False)
+    name = Column(String, nullable=False, index=True)
+    description = Column(Text, nullable=True)
+    template_type = Column(String, nullable=False)  # case_summary, host_analysis, threat_report
+    template_config = Column(JSON, nullable=False)  # Configuration for report generation
+    is_default = Column(Boolean, default=False, nullable=False)
+    created_by = Column(Integer, ForeignKey("users.id"), nullable=False)
+    created_at = Column(DateTime, default=lambda: datetime.now(timezone.utc))
+
+    # Relationships
+    tenant = relationship("Tenant")
+    creator = relationship("User")
+
+
+class Report(Base):
+    __tablename__ = "reports"
+
+    id = Column(Integer, primary_key=True, index=True)
+    tenant_id = Column(Integer, ForeignKey("tenants.id"), nullable=False)
+    template_id = Column(Integer, ForeignKey("report_templates.id"), nullable=True)
+    title = Column(String, nullable=False)
+    report_type = Column(String, nullable=False)
+    format = Column(String, nullable=False)  # pdf, html, json
+    file_path = Column(String, nullable=True)
+    status = Column(String, nullable=False)  # generating, completed, failed
+    generated_by = Column(Integer, ForeignKey("users.id"), nullable=False)
+    generated_at = Column(DateTime, default=lambda: datetime.now(timezone.utc))
+
+    # Relationships
+    tenant = relationship("Tenant")
+    template = relationship("ReportTemplate")
+    generator = relationship("User")

backend/app/models/threat_score.py

@@ -0,0 +1,26 @@
+from sqlalchemy import Column, Integer, String, DateTime, ForeignKey, Float, Text, JSON
+from sqlalchemy.orm import relationship
+from datetime import datetime, timezone
+
+from app.core.database import Base
+
+
+class ThreatScore(Base):
+    __tablename__ = "threat_scores"
+
+    id = Column(Integer, primary_key=True, index=True)
+    tenant_id = Column(Integer, ForeignKey("tenants.id"), nullable=False)
+    host_id = Column(Integer, ForeignKey("hosts.id"), nullable=True)
+    artifact_id = Column(Integer, ForeignKey("artifacts.id"), nullable=True)
+    score = Column(Float, nullable=False, index=True)  # 0.0 to 1.0
+    confidence = Column(Float, nullable=False)  # 0.0 to 1.0
+    threat_type = Column(String, nullable=False)  # malware, suspicious, anomaly, etc.
+    description = Column(Text, nullable=True)
+    indicators = Column(JSON, nullable=True)  # List of indicators that contributed to score
+    ml_model_version = Column(String, nullable=True)
+    created_at = Column(DateTime, default=lambda: datetime.now(timezone.utc), index=True)
+
+    # Relationships
+    tenant = relationship("Tenant")
+    host = relationship("Host")
+    artifact = relationship("Artifact")