data_models module
This module contains data classes for representing the following:
- Data models
- Alerts
- Variable containers
- General parameters
- Connector parameters
class TIPCommon.data_models.AlertCard
class TIPCommon.data_models.AlertCard(id_: int, creation_time_unix_time_ms: int, modification_time_unix_time_ms: int, identifier: str, status: int, name: str, priority: AlertPriority | int | None, workflow_status: int | None, sla_expiration_unix_time: int | None, sla_critical_expiration_unix_time: int | None, start_time: int, end_time: int, alert_group_identifier: str, events_count: int, title: str, rule_generator: str, device_product: str, device_vendor: str, playbook_attached: bool | None, playbook_run_count: int | None, is_manual_alert: bool | None, sla: SLA | None, fields_groups: list[FieldsGroup], source_url: str | None, source_rule_url: str | None, siem_alert_id: str | None, additional_properties: str | None, case_id: int | None, ticket_id: str | None, closure_details: MutableMapping[str, Any] | None, event_count: int | None = None, product_families: list[str] | None = None, entity_cards: list[MutableMapping[str, Any]] | None = None, security_event_cards: list[MutableMapping[str, Any]] | None = None, involved_relations: list[MutableMapping[str, Any]] | None = None)
Bases: object
AlertCard represents a summary card for an alert, encapsulating critical metadata and status indicators used for visualization and tracking within the platform.
Methods
The following methods facilitate the serialization and reconstruction of alert cards from structured data.
| Methods | |
|---|---|
| from_json() | A class method that creates an |
| to_json() | Converts the |
Attributes
The following table highlights the primary structural attributes and complex data models associated with the alert.
| Attributes | |
|---|---|
| fields_groups | A list of grouped fields associated with the alert, used for structured data presentation in the UI. |
| sla | The Service Level Agreement object defining the response and resolution timeframes for the alert. |
class TIPCommon.data_models.AlertEvent
class TIPCommon.data_models.AlertEvent(fields: list[EventPropertyField], identifier: str, case_id: int, alert_identifier: str, name: str, product: str, port: str | None, source_system_name: str, outcome: str | None, time: int, type_: str, artifact_entities: list[str])
Bases: object
AlertEvent represents an individual event associated with an alert, containing specific telemetry data, field properties, and entity relationships.
Methods
The following method facilitates the reconstruction of event objects from structured JSON data.
| Methods | |
|---|---|
| from_json() | A class method that creates an |
Attributes
The following table highlights the primary structural attributes and complex data models associated with the event.
| Attributes | |
|---|---|
| fields | A list of property fields specific to the event, defining its unique data points. |
| artifact_entities | A list of entity identifiers extracted from the event telemetry. |
class TIPCommon.data_models.AlertPriority
class TIPCommon.data_models.AlertPriority(value)
Bases: Enum
AlertPriority defines the standardized integer-based severity levels used to categorize and prioritize alerts within the platform.
Constants
The following constants represent the specific priority values assigned to alerts.
| Constants | |
|---|---|
| CRITICAL | 100 |
| HIGH | 80 |
| MEDIUM | 60 |
| LOW | 40 |
| UNCHANGED | 0 |
| INFORMATIVE | -1 |
class TIPCommon.data_models.AttachmentMetadata
class TIPCommon.data_models.AttachmentMetadata(raw_data: SingleJson)
Bases: object
AttachmentMetadata encapsulates the descriptive data and properties associated with a file attachment, providing methods for structured data conversion and retrieval.
Methods
The following method provides a standardized way to reconstruct case objects from JSON payloads.
| Methods | |
|---|---|
| from_json() | A class method that initializes a new |
| to_json() | Serializes the |
Attributes
The following table highlights the primary data structures used to store the attachment's metadata properties.
| Attributes | |
|---|---|
| raw_data | The underlying dictionary containing the raw metadata attributes as received from the source. |
class TIPCommon.data_models.BaseAlert
class TIPCommon.data_models.BaseAlert(raw_data, alert_id)
Bases: object
BaseAlert is a foundational model representing a generic security alert. It provides a standardized structure for storing raw telemetry alongside a unique platform identifier.
Methods
The following method allows for the serialization of the alert into a standard format.
| Methods | |
|---|---|
| to_json() | Converts the alert into a JSON-serializable dictionary as returned by |
Attributes
The following table highlights the core data points managed by this model.
| Attributes | |
|---|---|
| raw_data | The raw data payload associated with the alert. |
| alert_id | The unique identifier assigned to the alert. |
Example
The following example demonstrates how to initialize a BaseAlert and access its raw data and serialized output.
>>> from data_models import BaseAlert
>>> alert = BaseAlert({'foo': 'bar'}, 100)
>>> alert.raw_data
{'foo': 'bar'}
>>> alert.alert_id
100
>>> alert.to_json()
{'foo': 'bar'}
class TIPCommon.data_models.BaseDataModel
class TIPCommon.data_models.BaseDataModel(raw_data)
Bases: object
BaseDataModel acts as the parent class for various data structures within the library, ensuring consistent handling of raw input data and serialization.
Methods
The following method ensures that raw data is retrieved in a format compatible with JSON operations.
| Methods | |
|---|---|
| to_json() | Serializes the raw data stored in the model into a dictionary format. |
Attributes
The following table describes the primary data storage for the base model.
| Attributes | |
|---|---|
| raw_data | The original raw data payload used to initialize the model. |
Example
The following example shows the basic initialization of the data model and the use of the serialization method.
>>> from data_models import BaseDataModel
>>> data = BaseDataModel({'foo': 'bar'})
>>> data.raw_data
{'foo': 'bar'}
>>> data.to_json()
{'foo': 'bar'}
class TIPCommon.data_models.CaseDataStatus
class TIPCommon.data_models.CaseDataStatus(value)
Bases: Enum
CaseDataStatus defines the supported operational statuses for cases within the platform, ranging from initial ingestion to final closure or merging.
Constants
The following constants represent the specific status indicators assigned to case data.
| Constants | |
|---|---|
| NEW | 0 |
| OPENED | 1 |
| CLOSED | 2 |
| ALL | 3 |
| MERGED | 4 |
| CREATION_PENDING | 5 |
class TIPCommon.data_models.CaseDetails
Bases: object
CaseDetails provides an extensive view of a security case, including state-checking properties and methods for reconstructing or serializing case data.
Methods
The following methods manage the conversion of case details between object instances and structured JSON formats.
| Methods | |
|---|---|
| from_json() | A class method that initializes a |
| to_json() | Converts the |
Attributes
The following properties provide logical indicators regarding the current state of the case.
| Attributes | |
|---|---|
| is_closed | A boolean property indicating whether the case is in a closed state. |
| is_open | A boolean property indicating whether the case is active or open. |
class TIPCommon.data_models.CaseOverviewInfo
class TIPCommon.data_models.CaseOverviewInfo(id: 'int', create_time_ms: 'int', update_time_ms: 'int', display_id: 'str', display_name: 'str', alert_count: 'int', stage: 'str', priority: 'CasePriority', important: 'bool', description: 'str | None' = None, type: 'int | None' = None, assignee_full_name: 'str | None' = None, environment_data: 'EnvironmentData | None' = None, status: 'CaseDataStatus | None' = None, score: 'int | None' = None, case_sla: 'CaseSLAInfo | None' = None, alerts_sla: 'CaseSLAInfo | None' = None, incident: 'bool | None' = None, has_suspicious_entity: 'bool | None' = None, workflow_status: 'int | None' = None, tags: 'list[str]' = <factory>, products: 'list[str]' = <factory>, touched: 'bool | None' = None, merged: 'bool | None' = None, has_incident: 'bool | None' = None, alert_names: 'list[str]' = <factory>)
Bases: object
CaseOverviewInfo provides a high-level summary of a security case, aggregating metadata, Service Level Agreement (SLA) status, and organizational details used for dashboarding and queue management.
Methods
The following method facilitates the reconstruction of case overview objects from structured JSON data.
| Methods | |
|---|---|
| from_json() | A class method that initializes a |
Attributes
The following table highlights the primary structural attributes, enums, and key operational metrics associated with the case overview.
| Attributes | |
|---|---|
| priority | The severity level assigned to the case. |
| status | The current operational status of the case data. |
| workflow_status | The current step or state within the platform's automated workflow engine. |
| score | The calculated risk or importance score assigned to the case. |
| case_sla | SLA tracking information specifically for the case resolution lifecycle. |
| alerts_sla | SLA tracking information for the individual alerts contained within the case. |
| environment_data | Metadata regarding the specific organizational environment where the case originated. |
| tags | A list of user-defined or system-generated labels associated with the case. |
class TIPCommon.data_models.CasePriority
class TIPCommon.data_models.CasePriority(value)
Bases: Enum
CasePriority defines the standardized integer-based severity levels used to categorize and prioritize cases within the platform.
Constants
The following constants represent the specific priority values assigned to cases.
| Constants | |
|---|---|
| CRITICAL | 100 |
| HIGH | 80 |
| MEDIUM | 60 |
| LOW | 40 |
| UNCHANGED | 0 |
| INFORMATIVE | -1 |
class TIPCommon.data_models.CaseSLAInfo
class TIPCommon.data_models.CaseSLAInfo(expiration_time_ms: int | None = None, critical_expiration_time_ms: int | None = None, expiration_status: int | None = None, last_pause_remaining_time_ms: int | None = None)
Bases: object
CaseSLAInfo encapsulates Service Level Agreement (SLA) tracking data, providing timestamps for expiration and status indicators to ensure timely incident response.
Methods
The following method allows for the creation of SLA info objects from structured JSON data.
| Methods | |
|---|---|
| from_json() | A class method that initializes a |
Attributes
The following table highlights the primary timing and status attributes used to monitor case deadlines.
| Attributes | |
|---|---|
| expiration_time_ms | The Unix timestamp (in milliseconds) when the standard SLA is set to expire. |
| critical_expiration_time_ms | The Unix timestamp (in milliseconds) when the critical SLA threshold is reached. |
| expiration_status | An integer indicator representing the current status of the SLA. |
| last_pause_remaining_time_ms | The amount of time remaining on the SLA clock at the moment it was last paused. |
class TIPCommon.data_models.CaseWallAttachment
class TIPCommon.data_models.CaseWallAttachment(name, file_type, base64_blob, is_important, case_id=None, description=None)
Bases: object
CaseWallAttachment represents a file or data object attached to a case's evidence wall, including the raw content in base64 format and associated metadata.
Attributes
The following table highlights the primary properties and content data associated with the attachment.
| Attributes | |
|---|---|
| name | The filename or display name of the attachment. |
| file_type | The MIME type or file extension indicating the format of the attached data. |
| base64_blob | The actual content of the file, encoded as a base64 string. |
| is_important | A flag indicating if the attachment is marked as critical evidence for the investigation. |
class TIPCommon.data_models.ConnectorCard
class TIPCommon.data_models.ConnectorCard(integration, display_name, identifier, is_enabled, is_remote, status)
Bases: object
ConnectorCard provides a summary of a specific connector's configuration and current operational state within the platform.
Methods
The following method facilitates the creation of connector card instances from structured JSON data.
| Methods | |
|---|---|
| from_json() | A class method that initializes a |
Attributes
The following table highlights the operational status and identification properties of the connector.
| Attributes | |
|---|---|
| status | The current connectivity and health status of the connector. |
| is_enabled | Indicates whether the connector is active and processing data. |
class TIPCommon.data_models.ConnectorConnectivityStatusEnum
class TIPCommon.data_models.ConnectorConnectivityStatusEnum(value)
Bases: Enum
ConnectorConnectivityStatusEnum defines the possible connectivity states for a connector, indicating whether it is successfully communicating with its target integration.
Constants
The following constants represent the health status of the connector's connection.
| Constants | |
|---|---|
| LIVE | 0 |
| NO_CONNECTIVITY | 1 |
class TIPCommon.data_models.ConnectorParamTypes
class TIPCommon.data_models.ConnectorParamTypes(value)
Bases: Enum
ConnectorParamTypes defines the supported data types for connector configuration parameters. These types ensure proper validation and UI rendering within the platform's settings.
Constants
The following constants represent the specific data types available for parameters.
| Constants | |
|---|---|
| BOOLEAN | 0 (boolean toggle) |
| INTEGER | 1 (numeric integer) |
| STRING | 2 (standard text string) |
| PASSWORD | 3 (masked password field) |
| IP | 4 (IP address) |
| HOST | 5 (host name) |
| URL | 6 (URL string) |
| DOMAIN | 7 (domain name) |
| EMAIL | 8 (email address) |
| SCRIPT | 12 (legacy script parameter) |
| NULL | -1 (invalid parameter type) |
class TIPCommon.data_models.ConnectorParameter
class TIPCommon.data_models.ConnectorParameter(raw_param)
Bases: Parameter
ConnectorParameter represents an individual configuration setting for a connector. It extends the base parameter model to include specific metadata such as validation types and mandatory requirements.
Attributes
The following properties provide access to the configuration details and constraints of the connector parameter.
| Attributes | |
|---|---|
| name | The unique name used to identify the parameter within the connector configuration. |
| value | The current value assigned to the parameter. |
| type | The data type of the parameter, used for validation and UI rendering. |
| mode | The operational mode or visibility setting of the parameter. |
| is_mandatory | Indicates whether a value must be provided for this parameter before the connector is saved or executed. |
Example
The following example demonstrates how to initialize a ConnectorParameter using a raw dictionary and access its properties.
>>> from data_models import ConnectorParameter, ConnectorParamTypes
>>> p = ConnectorParameter({
...     'param_name': 'api_root',
...     'type': ConnectorParamTypes.STRING,
...     'param_value': 'http://foo.bar',
...     'is_mandatory': True,
...     'mode': 0
... })
>>> print(p)
ConnectorParameter(name='api_root', value='http://foo.bar', type=2, mode=0, is_mandatory=True)
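The following added example is not TIPCommon code: it uses a stand-in enum with the ConnectorParamTypes codes listed above to validate raw parameter dictionaries by type and to keep PASSWORD values out of log output. ParamType, validate_param, render_for_log and the sample parameters are constructed for illustration, and limiting URL values to http and https is an assumption.

```python
import ipaddress
import re
from enum import Enum
from urllib.parse import urlsplit


class ParamType(Enum):
    """Stand-in (not TIPCommon's class) using the codes documented for ConnectorParamTypes."""
    BOOLEAN = 0
    INTEGER = 1
    STRING = 2
    PASSWORD = 3
    IP = 4
    HOST = 5
    URL = 6
    DOMAIN = 7
    EMAIL = 8
    SCRIPT = 12
    NULL = -1


# One DNS label: 1-63 characters, no leading or trailing hyphen.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
_HOST_RE = re.compile(_LABEL + r"(?:\." + _LABEL + r")*")
_DOMAIN_RE = re.compile(_LABEL + r"(?:\." + _LABEL + r")+")
_EMAIL_RE = re.compile(r"[^@\s]+@" + _LABEL + r"(?:\." + _LABEL + r")+")


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
    except ValueError:
        return False
    return True


def _is_url(text):
    # Assumption: connector endpoints are http(s) only; other schemes are rejected.
    try:
        parts = urlsplit(text)
    except ValueError:
        return False
    return parts.scheme in ("http", "https") and bool(parts.hostname)


# STRING, PASSWORD and SCRIPT are free-form, so they have no format check.
_CHECKS = {
    ParamType.BOOLEAN: lambda t: t.lower() in ("true", "false"),
    ParamType.INTEGER: lambda t: re.fullmatch(r"[+-]?\d+", t) is not None,
    ParamType.IP: _is_ip,
    ParamType.HOST: lambda t: _is_ip(t) or _HOST_RE.fullmatch(t) is not None,
    ParamType.URL: _is_url,
    ParamType.DOMAIN: lambda t: _DOMAIN_RE.fullmatch(t) is not None,
    ParamType.EMAIL: lambda t: _EMAIL_RE.fullmatch(t) is not None,
}


def validate_param(raw_param):
    """Return a list of problems for one raw parameter dict; values are never echoed."""
    name = raw_param.get("param_name", "<unnamed>")
    value = raw_param.get("param_value")
    try:
        ptype = ParamType(raw_param.get("type"))
    except ValueError:
        return [f"{name}: unknown type code {raw_param.get('type')!r}"]
    if ptype is ParamType.NULL:
        return [f"{name}: type NULL (-1) marks an invalid parameter"]
    if value in (None, ""):
        return [f"{name}: mandatory value missing"] if raw_param.get("is_mandatory") else []
    check = _CHECKS.get(ptype)
    if check is not None and not check(str(value)):
        return [f"{name}: value is not a valid {ptype.name}"]
    return []


def validate_all(params):
    """Flatten the problems found across a connector's parameter list."""
    return [problem for p in params for problem in validate_param(p)]


def render_for_log(raw_param):
    """Describe a parameter for logging, masking PASSWORD-typed values."""
    secret = raw_param.get("type") in (ParamType.PASSWORD, ParamType.PASSWORD.value)
    value = "***" if secret else raw_param.get("param_value")
    return f"{raw_param.get('param_name')}={value!r}"


# Constructed sample input, using the raw dictionary keys from the example above.
SAMPLE_PARAMS = [
    {"param_name": "api_root", "type": 6, "param_value": "http://foo.bar", "is_mandatory": True, "mode": 0},
    {"param_name": "api_key", "type": 3, "param_value": "s3cr3t-constructed", "is_mandatory": True, "mode": 0},
    {"param_name": "proxy_ip", "type": 4, "param_value": "10.0.0.300", "is_mandatory": False, "mode": 0},
    {"param_name": "mailbox", "type": 8, "param_value": "", "is_mandatory": True, "mode": 0},
    {"param_name": "legacy", "type": 9, "param_value": "x", "is_mandatory": False, "mode": 0},
]

if __name__ == "__main__":
    for param in SAMPLE_PARAMS:
        print(render_for_log(param), validate_param(param))
```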
class TIPCommon.data_models.Container
class TIPCommon.data_models.Container()
Bases: object
Container acts as a generic, dynamic object for storing variables as attributes. It is useful for passing arbitrary data collections between different components of the platform.
Example
The following example shows how to initialize a container and dynamically assign and retrieve a variable.
>>> from data_models import Container
>>> container = Container()
>>> container.one = 1
>>> container.one
1
class TIPCommon.data_models.CreateEntity
class TIPCommon.data_models.CreateEntity(case_id, alert_identifier, entity_type, entity_identifier, entity_to_connect_regex, types_to_connect=None, is_primary_link=False, is_directional=False)
Bases: object
CreateEntity encapsulates the instructions needed to create and link a new entity to an existing case and alert. It includes logic for regex-based connection and relationship mapping.
Methods
The following method handles the conversion of entity creation instructions into a platform-compatible format.
| Methods | |
|---|---|
| to_json() | Converts the |
Attributes
The following table highlights the primary properties used to define the new entity and its relationships within the platform.
| Attributes | |
|---|---|
| case_id | The unique identifier of the case where the entity will be created. |
| alert_identifier | The identifier of the alert to which this entity is associated. |
| entity_type | The classification of the entity. |
| entity_identifier | The specific value or name identifying the entity. |
| entity_to_connect_regex | A regular expression used to identify other entities to connect to this one. |
| types_to_connect | A specific list of entity types eligible for connection based on the regex. |
| is_primary_link | Indicates if this connection represents the primary relationship between the entities. |
| is_directional | Determines if the connection has a defined direction (source to target) or is reciprocal. |
class TIPCommon.data_models.CustomField
class TIPCommon.data_models.CustomField(id, display_name, description, type, scopes)
Bases: object
CustomField represents a user-defined data field within the platform. It allows for the extension of standard data models by adding specific metadata tailored to organizational requirements.
Methods
The following method allows for the reconstruction of custom field objects from structured JSON data.
| Methods | |
|---|---|
| from_json() | A class method that initializes a |
Attributes
The following table highlights the primary properties and scope constraints of the custom field.
| Attributes | |
|---|---|
| id | The unique identifier for the custom field. |
| display_name | The human-readable label shown in the platform UI. |
| type | The data type of the field. |
| scopes | A list of application areas where this field is available |
class TIPCommon.data_models.CustomFieldScope
class TIPCommon.data_models.CustomFieldScope(value)
Bases: Enum
CustomFieldScope defines the valid targets where a custom field is applied within the platform hierarchy.
Methods
The following method provides utility for resolving the path of the scoped object.
| Methods | |
|---|---|
| build_parent_path() | Constructs the internal platform path for the specified parent object identifier. |
Constants
The following constants represent the specific scopes available for custom fields.
| Constants | |
|---|---|
| ALERTS | 'Alert' |
| CASE | 'Case' |
class TIPCommon.data_models.CustomFieldValue
class TIPCommon.data_models.CustomFieldValue(custom_field_id, values, scope, identifier)
Bases: object
CustomFieldValue represents the specific data assigned to a custom field instance. It links the field definition to the actual content provided by a user or automated process.
Methods
The following method facilitates the reconstruction of custom field values from structured JSON data.
| Methods | |
|---|---|
| from_json() | A class method that initializes a |
Attributes
The following table highlights the primary properties and contextual identifiers for the custom field value.
| Attributes | |
|---|---|
| custom_field_id | The identifier of the |
| values | A list of strings representing the actual data stored in the field. |
| scope | The application area where this specific value is applied. |
| identifier | The unique identifier for the specific object that holds this value. |
class TIPCommon.data_models.DataAccessContext
class TIPCommon.data_models.DataAccessContext(global_access, assigned_scopes)
Bases: object
DataAccessContext defines the permissions and visibility constraints for a user or process, determining which data scopes are accessible during execution.
Methods
The following methods manage the conversion of access context data between object instances and JSON formats.
| Methods | |
|---|---|
| from_json() | A class method that initializes a |
| to_json() | Converts the |
Attributes
The following table highlights the primary access controls defined within the context.
| Attributes | |
|---|---|
| global_access | Indicates whether the context allows for unrestricted access across all data scopes. |
| assigned_scopes | A list of specific scopes or organizational units to which access has been explicitly granted. |
class TIPCommon.data_models.DatabaseContextType
class TIPCommon.data_models.DatabaseContextType(value)
Bases: Enum
DatabaseContextType specifies the operational context for database interactions, ensuring that data is persisted or retrieved from the correct logical segment of the platform.
Constants
The following constants represent the specific areas of the platform where database operations occur.
| Constants | |
|---|---|
| GLOBAL | 0 (global system-wide context) |
| CASE | 1 (specific security case context) |
| ALERT | 2 (individual alert context) |
| JOB | 3 (scheduled job or automation context) |
| CONNECTOR | 4 (data connector context) |
class TIPCommon.data_models.DynamicParameter
class TIPCommon.data_models.DynamicParameter(key: str, value: str)
Bases: object
DynamicParameter represents a flexible key-value pair used to pass runtime configuration or custom metadata between system components.
Methods
The following method handles the reconstruction of dynamic parameters from structured JSON data.
| Methods | |
|---|---|
| from_json() | A class method that initializes a |
Attributes
The following table describes the properties of the dynamic parameter.
| Attributes | |
|---|---|
| key | The name or identifier for the parameter. |
| value | The data content associated with the key. |
class TIPCommon.data_models.EmailTemplate
class TIPCommon.data_models.EmailTemplate(template_type, name, content, creator_user_name, for_migration, environments, _id, creation_time_unix_time_in_ms, modification_time_unix_time_in_ms)
Bases: object
EmailTemplate represents a standardized communication format used for notifications and reporting within the platform. It encapsulates the message content, metadata, and environmental constraints.
Methods
The following methods manage the serialization and reconstruction of email templates.
| Methods | |
|---|---|
| from_json() | A class method that initializes an |
| to_json() | Converts the |
Attributes
The following table highlights the primary properties and structural data of the email template.
| Attributes | |
|---|---|
| content | The body text or HTML structure of the email template. |
| environments | A list of organizational environments where this template is available for use. |
| template_type | The classification or category of the template. |
class TIPCommon.data_models.Entity
class TIPCommon.data_models.Entity(raw_data, case_id, entity_type, enriched, artifact, vulnerable, suspicious, attacker, pivot, internal, manually_created, fields)
Bases: object
Entity represents a specific observable or object of interest within a security case (such as an IP address, file hash, or user). It tracks both the raw telemetry and various boolean "tags" that indicate the entity's role or risk level in the investigation.
Methods
The following methods manage the serialization and reconstruction of entity objects.
| Methods | |
|---|---|
| from_json() | A class method that initializes an |
| to_json() | Converts the |
Attributes
The following table highlights the primary classification flags and data structures associated with the entity.
| Attributes | |
|---|---|
| entity_type | The category of the entity. |
| suspicious | Indicates if the entity has been flagged as potentially malicious by system logic or external intelligence. |
| vulnerable | Indicates if the entity is known to have existing security vulnerabilities. |
| attacker | Flagged if the entity is identified as the source of malicious activity. |
| internal | Indicates if the entity belongs to the organization's internal network or infrastructure. |
| fields | A list of additional properties or enriched data points associated with the entity. |
class TIPCommon.data_models.EntityCard
class TIPCommon.data_models.EntityCard(identifier, entity_type, is_suspicious, linked_entities)
Bases: object
EntityCard represents a summarized view of an entity, typically used for UI components. It aggregates the entity's identification, type, and relationships with other entities in a simplified structure.
Methods
The following methods manage the serialization and reconstruction of entity cards.
| Methods | |
|---|---|
| from_json() | A class method that initializes an |
| to_json() | Converts the |
Attributes
The following table highlights the primary properties used for identifying and linking entities within the card.
| Attributes | |
|---|---|
| identifier | The unique value or name that identifies the entity. |
| entity_type | The classification category of the entity. |
| is_suspicious | A string indicator (often |
| linked_entities | A list of identifiers for other entities that are related to this specific entity card. |
class TIPCommon.data_models.EnvironmentData
class TIPCommon.data_models.EnvironmentData(environment, dynamic_parameters=<factory>, base64_image=None, platform=None)
Bases: object
EnvironmentData encapsulates configuration and branding information for a specific organizational environment. This includes environment-specific parameters and visual assets used for multi-tenant or multi-environment deployments.
Methods
The following method facilitates the creation of environment data objects from structured JSON data.
| Methods | |
|---|---|
| from_json() | A class method that initializes an |
Attributes
The following table highlights the configuration parameters and branding assets associated with the environment.
| Attributes | |
|---|---|
| environment | The name of the organizational environment. |
| dynamic_parameters | A list of custom key-value pairs specific to this environment's configuration. |
| base64_image | An optional base64-encoded string representing the environment's logo or icon. |
| platform | An integer identifier representing the specific platform or infrastructure provider. |
class TIPCommon.data_models.EventCard
class TIPCommon.data_models.EventCard(case_id, alert_identifier, event_id, name, time, product, port, outcome, artifact_entities, fields)
Bases: object
EventCard represents a concise, visual-friendly summary of a specific security event. It is designed to surface the most critical telemetry—such as timing, source product, and outcome—for use in investigative dashboards and event queues.
Methods
The following methods manage the conversion of event card data between object instances and JSON formats.
| Methods | |
|---|---|
| from_json() | A class method that initializes an |
| to_json() | Converts the |
Attributes
The following table highlights the primary telemetry and organizational identifiers stored within the event card.
| Attributes | |
|---|---|
| event_id | The unique identifier for the specific event record. |
| time | The Unix timestamp representing when the event occurred. |
| product | The security product or tool that generated the event telemetry. |
| outcome | The recorded result of the event. |
| artifact_entities | A list of entities identified within the event telemetry that serve as artifacts for the case. |
| fields | A collection of additional key-value properties specific to this event's data payload. |
class TIPCommon.data_models.EventPropertyField
class TIPCommon.data_models.EventPropertyField(order, group_name, is_integration, is_highlight, items)
Bases: object
EventPropertyField defines a structured collection of event attributes, organized by priority and grouping. It is used to categorize telemetry data for display, highlighting critical fields for investigative focus.
Methods
The following method handles the reconstruction of property field objects from structured JSON data.
| Methods | |
|---|---|
| from_json() | A class method that initializes an |
Attributes
The following table highlights the metadata and content items that define the event property field.
| Attributes | |
|---|---|
| group_name | The name of the logical group to which these fields belong. |
| is_highlight | Indicates if this field should be visually emphasized in the platform UI as a high-priority data point. |
| items | A list of specific data items contained within this property group. |
class TIPCommon.data_models.FieldGroupItem
class TIPCommon.data_models.FieldGroupItem(original_name, name, value)
Bases: object
FieldGroupItem represents a specific data point within a field group, maintaining a mapping between the original source name and the human-readable display name.
Methods
The following methods manage the serialization and reconstruction of field group items.
| Methods | |
|---|---|
| from_json() | A class method that initializes a |
| to_json() | Converts the |
class TIPCommon.data_models.FieldItem
class TIPCommon.data_models.FieldItem(original_name, name, value)
Bases: object
FieldItem is a base data structure for individual properties, storing the raw key, the mapped label, and the associated value.
Methods
| Methods | |
|---|---|
| from_json() | A class method that creates a |
class TIPCommon.data_models.FieldsGroup
class TIPCommon.data_models.FieldsGroup(order, group_name, is_integration, is_highlight, hide_options, items)
Bases: object
FieldsGroup serves as a container for organizing multiple field items into a logical collection. It is primarily used to control the layout and visibility of data within the platform's user interface.
Methods
The following methods manage the conversion of field group data between object instances and structured JSON.
| Methods | |
|---|---|
| from_json() | A class method that initializes a |
| to_json() | Converts the |
Attributes
The following table highlights the properties that define the display behavior and contents of the group.
| Attributes | |
|---|---|
| group_name | The label used to identify the group in the UI. |
| is_highlight | Determines if the group should be visually emphasized. |
| items | A list of specific data points contained within the group. |
class TIPCommon.data_models.GoogleServiceAccount
class TIPCommon.data_models.GoogleServiceAccount(account_type, project_id, private_key_id, private_key, client_email, client_id, auth_uri, token_uri, auth_provider_x509_url, client_x509_cert_url)
Bases: object
GoogleServiceAccount provides a structured representation of Google Cloud service account credentials. It is used to manage authentication details for integrations interacting with Google services.
Methods
The following method facilitates the export of credential data into the standard format required by client libraries.
| Methods | |
|---|---|
| to_dict() | Serializes the service account properties into a dictionary compatible with the standard |
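The following added example is not TIPCommon code: it is a stand-in dataclass with the constructor fields documented above, showing a round trip to a key-file dictionary, a log-safe view that never exposes private_key, and basic sanity checks before use. It assumes the standard Google service-account key file names, where account_type is stored as type and auth_provider_x509_url as auth_provider_x509_cert_url; ServiceAccountCreds, from_key_file(), redacted(), problems() and the sample key are constructed for illustration.

```python
from dataclasses import dataclass, field, fields
from urllib.parse import urlsplit

# Constructor argument -> key name in a Google service-account JSON key file (assumed mapping).
_KEY_FILE_NAMES = {
    "account_type": "type",
    "auth_provider_x509_url": "auth_provider_x509_cert_url",
}


@dataclass(frozen=True)
class ServiceAccountCreds:
    """Hypothetical stand-in for a service-account credential model."""
    account_type: str
    project_id: str
    private_key_id: str
    private_key: str = field(repr=False)  # keep key material out of repr() and tracebacks
    client_email: str
    client_id: str
    auth_uri: str
    token_uri: str
    auth_provider_x509_url: str
    client_x509_cert_url: str

    @classmethod
    def from_key_file(cls, data):
        """Build from a parsed key-file dict, ignoring keys this model does not know."""
        inverse = {v: k for k, v in _KEY_FILE_NAMES.items()}
        known = {f.name for f in fields(cls)}
        kwargs = {inverse.get(k, k): v for k, v in data.items()}
        return cls(**{k: v for k, v in kwargs.items() if k in known})

    def to_dict(self):
        """Full credential dict, for handing to a client library only."""
        return {_KEY_FILE_NAMES.get(f.name, f.name): getattr(self, f.name) for f in fields(self)}

    def redacted(self):
        """Copy that is safe to log: the key id stays, the key itself does not."""
        safe = self.to_dict()
        safe["private_key"] = "<redacted>"
        return safe

    def problems(self):
        """Sanity checks to run before the credential is used or stored."""
        found = []
        if self.account_type != "service_account":
            found.append("type is not 'service_account'")
        if not self.private_key.lstrip().startswith("-----BEGIN PRIVATE KEY-----"):
            found.append("private_key is not a PEM private key")
        if not self.client_email.endswith(".gserviceaccount.com"):
            found.append("client_email is not a service-account address")
        for name in ("auth_uri", "token_uri"):
            if urlsplit(getattr(self, name)).scheme != "https":
                found.append(f"{name} is not https")
        return found


# Constructed sample: the key body is a placeholder, not real key material.
SAMPLE_KEY_FILE = {
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0000000000000000000000000000000000000000",
    "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-NOT-A-REAL-KEY\n-----END PRIVATE KEY-----\n",
    "client_email": "connector@example-project.iam.gserviceaccount.com",
    "client_id": "100000000000000000000",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
    "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
    "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/"
                            "connector%40example-project.iam.gserviceaccount.com",
}

if __name__ == "__main__":
    creds = ServiceAccountCreds.from_key_file(SAMPLE_KEY_FILE)
    print(creds)             # repr omits private_key
    print(creds.redacted())  # dict with private_key masked
    print(creds.problems())
```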
class TIPCommon.data_models.Insight
class TIPCommon.data_models.Insight(raw_data)
Bases: object
Insight represents a discrete analytical finding or observation generated by the platform or an integration. It encapsulates raw data that provides additional context or recommended actions for a security investigation.
Methods
The following methods manage the serialization and reconstruction of insight objects.
| Methods | |
|---|---|
| from_json() | A class method that creates an |
| to_json() | Serializes the |
Attributes
| Attributes | |
|---|---|
| raw_data | The underlying raw data payload containing the specific findings and metrics of the insight. |
class TIPCommon.data_models.InstalledIntegrationInstance
class TIPCommon.data_models.InstalledIntegrationInstance(instance, identifier, integration_identifier, environment_identifier, instance_name)
Bases: object
InstalledIntegrationInstance represents a specific, configured instance of an integration that has been deployed within an environment. It links the general integration definition to its specific environmental deployment and naming.
Methods
The following methods manage the conversion of integration instance data between object instances and structured JSON.
| Methods | |
|---|---|
| from_json() | A class method that parses JSON data into an |
| to_json() | Serializes the integration instance data into a JSON-compatible dictionary format. |
Attributes
The following table highlights the identifiers used to track the integration across different organizational environments.
| Attributes | |
|---|---|
| instance_name | The user-defined name for this specific integration instance. |
| integration_identifier | The unique identifier for the parent integration. |
| environment_identifier | The identifier for the organizational environment where this instance is installed. |
class TIPCommon.data_models.InternalDomain
class TIPCommon.data_models.InternalDomain(alias_name, id_, domain_display_name, environments_json, creation_time_unix_time_in_ms, modification_time_unix_time_in_ms)
Bases: object
InternalDomain represents a domain identifier that is recognized as part of the organization's internal infrastructure. These records are critical for distinguishing between internal traffic and external threats during security investigations.
Methods
The following methods manage the serialization and reconstruction of internal domain records.
| Methods | |
|---|---|
| from_json() | A class method that creates an |
| to_json() | Converts the |
Attributes
The following table highlights the properties used to identify and categorize internal domains.
| Attributes | |
|---|---|
| domain_display_name | The primary domain name. |
| alias_name | An alternative name or label used to identify the domain within the platform. |
| environments_json | A JSON-formatted string listing the environments where this domain is considered internal. |
class TIPCommon.data_models.JobParamType
class TIPCommon.data_models.JobParamType(value)
Bases: Enum
JobParamType defines the supported data types for parameters used within scheduled jobs or automation tasks. These types facilitate proper input validation and platform-level handling.
Constants
The following constants represent the specific data types available for job parameters.
| Constants | |
|---|---|
| BOOLEAN | 0 |
| INTEGER | 1 |
| STRING | 2 |
| PASSWORD | 3 |
| IP | 4 |
| HOST | 5 |
| URL | 6 |
| DOMAIN | 7 |
| EMAIL | 8 |
| NULL | -1 |
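The following is an added example, not part of the TIPCommon library: a hypothetical `validate_job_param` helper that checks a job parameter value against its declared JobParamType before the value is used. The enum is re-declared locally from the constants above so the block runs without the platform SDK, and the acceptance rules (http/https only for URL, dotted names for DOMAIN and EMAIL) are assumptions.

```python
import ipaddress
import re
from enum import Enum
from urllib.parse import urlsplit

# Local stand-in built from the constants table above (not imported from TIPCommon).
JobParamType = Enum("JobParamType", {
    "BOOLEAN": 0, "INTEGER": 1, "STRING": 2, "PASSWORD": 3, "IP": 4,
    "HOST": 5, "URL": 6, "DOMAIN": 7, "EMAIL": 8, "NULL": -1})
_SCALARS = {JobParamType.NULL: type(None), JobParamType.BOOLEAN: bool, JobParamType.INTEGER: int}
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")  # one DNS label, no edge hyphens

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True

def _is_hostname(value, require_dot=False):
    labels = value.rstrip(".").split(".")
    if len(value) > 253 or (require_dot and len(labels) < 2):
        return False
    return all(_LABEL.fullmatch(label) for label in labels)

def _is_web_url(value):
    try:
        p = urlsplit(value)
    except ValueError:  # urlsplit rejects malformed IPv6 literals
        return False
    return p.scheme in ("http", "https") and bool(p.hostname) and not re.search(r"\s", value)

def validate_job_param(param_type, value):  # hypothetical helper, not a TIPCommon API
    if param_type in _SCALARS:  # exact type match, so True is not an INTEGER
        return type(value) is _SCALARS[param_type]
    if not isinstance(value, str) or not value or value != value.strip():
        return False
    if param_type is JobParamType.IP:
        return _is_ip(value)
    if param_type is JobParamType.HOST:
        return _is_ip(value) or _is_hostname(value)
    if param_type is JobParamType.DOMAIN:
        return not _is_ip(value) and _is_hostname(value, require_dot=True)
    if param_type is JobParamType.URL:
        return _is_web_url(value)
    if param_type is JobParamType.EMAIL:  # coarse check: local@dotted-domain
        local, _, domain = value.rpartition("@")
        return bool(local) and _is_hostname(domain, require_dot=True)
    return True  # STRING and PASSWORD: any non-empty string without edge whitespace
```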
class TIPCommon.data_models.Parameter
class TIPCommon.data_models.Parameter(raw_param)
Bases: object
Parameter serves as the primary base class for all parameter-related models in the library. It provides a consistent interface for handling raw configuration data.
Attributes
The following property provides access to the underlying data used to initialize the parameter.
| Attributes | |
|---|---|
| raw_data | The original dictionary payload containing the parameter's configuration. |
Example
The following example demonstrates how to initialize the base Parameter class and access its raw data.
```python
>>> from TIPCommon.data_models import Parameter
>>> p = Parameter({'foo': 'bar'})
>>> print(p)
Parameter(raw_data={'foo': 'bar'})
```
class TIPCommon.data_models.SLA
class TIPCommon.data_models.SLA(sla_expiration_time, critical_expiration_time, expiration_status, remaining_time_since_last_pause)
Bases: object
SLA (Service Level Agreement) encapsulates the timing constraints and status for an alert. It provides high-precision tracking for standard and critical deadlines, including handling of pauses.
Methods
The following methods manage the conversion of SLA data between object instances and structured JSON.
| Methods | |
|---|---|
| from_json() | A class method that initializes an |
| to_json() | Converts the |
Attributes
The following table highlights the core timing attributes used to track alert expiration.
| Attributes | |
|---|---|
| sla_expiration_time | The Unix timestamp representing the standard SLA expiration deadline. |
| critical_expiration_time | The Unix timestamp representing the critical SLA expiration deadline. |
| expiration_status | The current status of the SLA. |
class TIPCommon.data_models.ScriptContext
class TIPCommon.data_models.ScriptContext(target_entities: 'str' = '', case_id: 'int | str | None' = None, alert_id: 'str' = '', environment: 'str' = '', workflow_id: 'str' = '', workflow_instance_id: 'str | None' = None, parameters: 'SingleJson' = <factory>, integration_identifier: 'str' = '', integration_instance: 'str' = '', action_definition_name: 'str' = '', original_requesting_user: 'str' = '', execution_deadline_unix_time_ms: 'int' = 0, async_polling_interval_in_sec: 'int' = 0, async_total_duration_deadline: 'int' = 0, script_timeout_deadline: 'int' = 0, default_result_value: 'str' = '', use_proxy_settings: 'bool' = False, max_json_result_size: 'int' = 15, vault_settings: 'SiemplifyVault | None' = None, environment_api_key: 'str | None' = None, unique_identifier: 'str' = '', job_api_key: 'str' = '', connector_context: 'ConnectorContext | None' = None)
Bases: object
ScriptContext is a comprehensive container that provides the necessary environment, identifiers, and parameters for script execution. It tracks everything from target entities and workflow IDs to security settings like proxy and vault configurations.
Methods
The following methods allow for the modification and serialization of the script's execution context.
| Methods | |
|---|---|
| to_json() | Serializes the |
| update() | Updates the context attributes with values from a provided dictionary. |
Attributes
Given the extensive nature of the context, the following table highlights the most critical execution and environmental identifiers.
| Attributes | |
|---|---|
| case_id | The identifier of the case associated with the current script execution. |
| workflow_id | The ID of the workflow currently being processed. |
| parameters | A dictionary containing runtime parameters passed to the script. |
| execution_deadline_unix_time_ms | The Unix timestamp indicating when the script execution must conclude. |
| vault_settings | Configuration settings for accessing sensitive data stored in the platform's vault. |
class TIPCommon.data_models.SmimeEmailConfig
class TIPCommon.data_models.SmimeEmailConfig(email, private_key_b64, certificate_b64, ca_certificate_b64)
Bases: object
SmimeEmailConfig encapsulates the necessary cryptographic assets and the email message required to perform S/MIME operations, such as signing or encryption. It holds the raw email and the base64-encoded keys and certificates.
Attributes
The following table describes the cryptographic components managed by this configuration model.
| Attributes | |
|---|---|
| email | The standard Python email message object to process. |
| private_key_b64 | The base64-encoded private key used for signing or decryption. |
| certificate_b64 | The base64-encoded public certificate associated with the private key. |
| ca_certificate_b64 | The base64-encoded Certificate Authority (CA) certificate used to verify the chain of trust. |
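GoogleServiceAccount, ScriptContext and SmimeEmailConfig all carry credential material (private_key, job_api_key, environment_api_key, vault_settings, private_key_b64), so their serialized forms should be masked before they reach a log line. The following is an added example, not TIPCommon code: hypothetical `redact` and `safe_dump` helpers run over a constructed dictionary, on the assumption that serialized key names match the constructor argument names shown on this page.

```python
import json
import re

# vault_settings is masked whole; the pattern below covers the other secret
# fields on this page (private_key, private_key_id, private_key_b64,
# job_api_key, environment_api_key) plus free-form parameter names such as
# "API Key" or "Password". token_uri is an endpoint URL, not a secret.
SECRET_FIELDS = frozenset({"vault_settings"})
SECRET_NAME = re.compile(
    r"password|secret|token(?!_uri)|api[ _-]?key|private[ _-]?key", re.I)
REDACTED = "***REDACTED***"


def is_secret_key(key):
    return isinstance(key, str) and (key in SECRET_FIELDS or bool(SECRET_NAME.search(key)))


def redact(obj):
    """Return a copy of obj with every value under a secret-looking key masked."""
    if isinstance(obj, dict):
        return {k: REDACTED if is_secret_key(k) and v is not None else redact(v)
                for k, v in obj.items()}
    if isinstance(obj, (list, tuple)):
        return [redact(item) for item in obj]
    return obj


def safe_dump(obj):
    """Serialize for logging; values json cannot encode fall back to str()."""
    return json.dumps(redact(obj), sort_keys=True, default=str)


# Constructed sample shaped like the ScriptContext arguments, with a
# service-account dictionary nested in its parameters. Key names are assumed.
SAMPLE_CONTEXT = {
    "case_id": 42,
    "environment": "Default Environment",
    "job_api_key": "constructed-job-key",
    "environment_api_key": None,
    "parameters": {
        "Verify SSL": True,
        "API Key": "constructed-integration-key",
        "Service Account": {
            "client_email": "svc@example-project.iam.gserviceaccount.com",
            "private_key_id": "constructed-key-id",
            "private_key": "constructed-private-key",
        },
    },
}
```

Unset secrets stay `None` in the output, so a log reader can still tell a missing key from a masked one.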
class TIPCommon.data_models.SmimeType
class TIPCommon.data_models.SmimeType(value)
Bases: Enum
SmimeType defines the operational mode for S/MIME processing, distinguishing between securing the content via encryption or validating the sender using a digital signature.
Constants
The following constants represent the supported S/MIME message types.
| Constants | |
|---|---|
| SIGNED | 'signed' (The message is digitally signed to ensure authenticity) |
| ENCRYPTED | 'encrypted' (The message body is encrypted for confidentiality) |
class TIPCommon.data_models.TypedContainer
class TIPCommon.data_models.TypedContainer()
Bases: Generic[T]
TypedContainer is a generic wrapper designed to hold data of a specific type. It enhances developer productivity by providing type hints and intellisense, ensuring that the stored object is treated correctly by IDEs and static analysis tools.
class TIPCommon.data_models.UserDetails
class TIPCommon.data_models.UserDetails(id_: int, creation_time_unix_time_in_ms: int, modification_time_unix_time_in_ms: int, permission_group: str, permission_groups: list[str], soc_roles: list[str], is_disabled: bool, login_identifier: str, first_name: str, last_name: str, permission_type: int, role: int, soc_role_id: int, soc_role_ids: list[int], email: str, user_name: str, user_type: int, identity_provider: int, provider_name: str, advanced_reports_access: int, account_state: int, last_login_time: int, previous_login_time: int, last_password_change_time: int, last_password_change_notification_time: int, login_wrong_password_count: int, is_deleted: bool, deletion_time_unix_time_in_ms: int, environments: list[str], allowed_platforms: list[int], data_access_context: [DataAccessContext](#TIPCommon.data_models.DataAccessContext), soc_role: str | None, image_base64: str | None)
Bases: object
UserDetails provides an exhaustive profile of a platform user, encompassing authentication metadata, organizational roles, and granular data access permissions. It is essential for managing user sessions and enforcing role-based access control (RBAC).
Methods
The following methods facilitate the reconstruction and serialization of user profile data.
| Methods | |
|---|---|
| from_json() | A class method that initializes a |
| to_json() | Converts the |
Attributes
The following table highlights the primary identification and permission structures for the user.
| Attributes | |
|---|---|
| user_name | The unique system username used for login and identification. |
| soc_roles | A list of SOC roles assigned to the user, defining their operational permissions. |
| data_access_context | The context defining which data scopes and organizational units the user is permitted to access. |
| is_disabled | A boolean flag indicating whether the user account is currently restricted from logging in. |
class TIPCommon.data_models.UserProfileCard
class TIPCommon.data_models.UserProfileCard(raw_data, first_name, last_name, user_name, account_state)
Bases: object
UserProfileCard provides a lightweight summary of a user's profile, intended for display in UI components like headers or contact cards where the full details are not required.
Methods
| Methods | |
|---|---|
| from_json() | A class method that creates a |
class TIPCommon.data_models.WallData
class TIPCommon.data_models.WallData(raw_data, case_id, activity_kind, activity_data_json, favorite)
Bases: object
WallData represents an entry on a case's "Wall" or timeline. This model tracks activity logs, notes, and system actions that occur during the lifecycle of an investigation.
Methods
| Methods | |
|---|---|
| from_json() | A class method that initializes a |
| to_json() | Serializes the |

Attributes
| Attributes | |
|---|---|
| activity_kind | The category of the activity. |
| activity_data_json | A JSON-formatted string containing the specific details or payload of the activity. |
| favorite | Indicates if the activity entry has been pinned or marked as a favorite for quick reference. |