I work for an MSSP and a lot of the security alerts we deal with, especially with new clients, can be dealt with according to some simple if-then logic without taking up analyst time to research. To handle these sorts of alerts, I am building a basic python program with a series of logic tests to see if a given alert falls into a 'known' category and can be dealt with automatically.
My desired format is to have a separate python file for each client we service for organizational purposes, and within each file have a series of conditions with corresponding actions if the conditions are met. A managing script then ingests alert data, runs it through every condition within the corresponding client's file, and when a condition returns True it passes the data onto the corresponding action function. So my question is how to organize this.
Currently, within a client's file, I have a class for each 'known' condition, with two @staticmethod functions: condition() and action(). Then the managing script's logic is effectively [pseudocode]:
    for handler in client_file:   # 'class' is a Python keyword, so it cannot be the loop variable
        if handler.condition(alert_data):
            handler.action(alert_data)
Organizationally, I like this. Each client has a file, and each known thing to look for has a class. My hesitation is that I am not sure if this is 'pythonic' or generally kosher. I am using @staticmethods because I don't need these classes to have multiple instances; I just like the organizational ability of grouping functions into classes for logical relevance, but it still looks a bit strange and I'm worried it could cause confusion.
So I'm interested in the community's opinion: does this seem like an okay organizational method for my application, or do you have any suggestions on better ways of keeping everything neat?
Example class:
    class HostIsWindows:
        @staticmethod
        def condition(alert_data):
            # The parameter is alert_data, so test that name (the original tested an undefined 'alert').
            # dict.get() returns None for a missing key, so the comparison already yields a bool.
            return alert_data.get('os_type') == 'windows'

        @staticmethod
        def action(alert_data):
            # ... do something ...
            return "This is a result message."
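As an added example (not the poster's code), one way to keep the class-per-category layout while letting the managing script discover rules on its own: a Rule base class registers every subclass into a per-client registry through __init_subclass__, and triage() returns which rule matched and what it did, so each automated decision is auditable and a rule that crashes escalates the alert instead of silently skipping it. The client name "acme", the HostIsWindows/KnownScanner rules, the alert field names and the scanner address are all assumptions.

```python
from typing import Any, Dict, List, Tuple

Alert = Dict[str, Any]


class Rule:
    """One 'known' alert category. A client file subclasses this once per category, sets
    `client`, and overrides condition()/action(); registration happens automatically."""
    client: str = ""
    registry: Dict[str, List[type]] = {}

    def __init_subclass__(cls, **kwargs: Any) -> None:
        super().__init_subclass__(**kwargs)
        Rule.registry.setdefault(cls.client, []).append(cls)


def triage(client: str, alert: Alert) -> List[Tuple[str, str]]:
    """Run one alert through every rule registered for `client`, in definition order, and
    return [(rule name, result message)]. An empty list means no rule matched: escalate.
    A rule that raises is recorded as an error, so a bug can never silently auto-close."""
    results: List[Tuple[str, str]] = []
    for rule in Rule.registry.get(client, []):
        try:
            if rule.condition(alert):
                results.append((rule.__name__, rule.action(alert)))
        except Exception as exc:
            results.append((rule.__name__, f"rule error {exc!r}: escalate to analyst"))
    return results


# --- what a per-client file (hypothetical clients/acme.py) would contain ---
class HostIsWindows(Rule):
    client = "acme"

    @staticmethod
    def condition(alert: Alert) -> bool:
        return alert.get("os_type") == "windows"

    @staticmethod
    def action(alert: Alert) -> str:
        return f"auto-closed: {alert.get('host')} is covered by the Windows EDR policy"


class KnownScanner(Rule):
    client = "acme"
    APPROVED = {"10.0.0.5"}  # constructed placeholder for the client's approved scanner

    @staticmethod
    def condition(alert: Alert) -> bool:
        return alert["src_ip"] in KnownScanner.APPROVED  # KeyError on a malformed alert

    @staticmethod
    def action(alert: Alert) -> str:
        return "auto-closed: source is the approved vulnerability scanner"
```

Importing each client module in the managing script is enough to populate Rule.registry; the manager then calls triage(client, alert) and logs the returned pairs as its audit trail.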