PYIIDES package

Accomplice

class pyiides.pyiides.Accomplice(id=None, relationship_to_insider=None, **kwargs)[source]

Bases: Person

Initialize an Accomplice instance, inheriting from Person.

Parameters:
  • id (str) – Unique identifier for the accomplice. Defaults to a new UUIDv4 string if not provided.

  • relationship_to_insider (str) – The relationship of the accomplice to the insider. Must be a valid constant from insider-relationship-vocab.

  • **kwargs (dict) – Additional attributes inherited from the Person class.

Raises:
  • TypeError – If any provided attribute is of the incorrect type.

  • ValueError – If any provided attribute is of the incorrect vocabulary.

Examples

>>> from pyiides.pyiides.accomplice import Accomplice
>>> accomplice = Accomplice(
...     first_name="John",
...     last_name="Doe",
...     relationship_to_insider="1"
... )
>>> print(accomplice.id)
e6d8b622-8d6a-4f5b-8b9a-d7c93c6ee6b6
>>> print(accomplice.relationship_to_insider)
1
property age
property alias
append_alias(item)
append_country_of_citizenship(item)
append_job(item)[source]
append_nationality(item)
property city
property comment
property country
property country_of_citizenship
property education
property first_name
property gender
property id
property insider
property jobs
property last_name
property marital_status
property middle_name
property nationality
property number_of_children
property postal_code
property relationship_to_insider
remove_job(item)[source]
property residency
property sponsor
property state
property suffix
to_dict()[source]

Returns a tuple: (dict of the class itself, list of child ids to connect).

Charge

class pyiides.pyiides.Charge(title, id=None, section=None, nature_of_offense=None, count=None, plea=None, plea_bargain=None, disposition=None)[source]

Bases: object

Initializes a Charge instance

Parameters:
  • id (required) (string) – Unique identifier for the charge. Defaults to a new UUIDv4 string if not provided.

  • title (required) (string) – Broad subject matter area of the legal code. For U.S. cases, these are often title ‘18 U.S.C.’.

  • section (string) – Section (and subsection) of the law the subject is accused of violating. For U.S. cases for example, Wire Fraud is section 1343 of Title 18.

  • nature_of_offense (string) – Description of the title and section of the law being violated.

  • count (integer) – Number of times the subject is accused of violating the law associated with this charge. Note that multiple violations of a law are often listed as a range of counts (e.g. ‘Count 2-6’ would have count=5 for this property).

  • plea (string) – Plea entered by the defendant for this charge. A constant from charge-plea-vocab.

  • plea_bargain (boolean) – Whether the charge indicated here is a lesser charge based on a previous plea agreement.

  • disposition (string) – The decision in the case or the final result. A constant from charge-disposition-vocab.

Raises:
  • TypeError – If any provided attribute is of the incorrect type.

  • ValueError – If any provided attribute is of the incorrect vocabulary.

Example

>>> from pyiides.utils.helper_functions import Charge
>>> charge = Charge(
...     title="18 U.S.C.",
...     id="6eaf8e6c-8c4d-4d9d-8f8e-6c8c4d4d9d8f",
...     section="1343",
...     nature_of_offense="Wire Fraud",
...     count=5,
...     plea="1",
...     plea_bargain=False,
...     disposition="2"
... )
>>> print(charge.title)
18 U.S.C.
>>> print(charge.section)
1343
property count
property court_case
property disposition
property id
property nature_of_offense
property plea
property plea_bargain
property section
property title
to_dict()[source]

CourtCase

class pyiides.pyiides.CourtCase(id=None, case_number=None, case_title=None, court_country=None, court_state=None, court_district=None, court_type=None, case_type=None, defendant=None, plaintiff=None, comment=None)[source]

Bases: object

Initializes a CourtCase instance

Parameters:
  • id (required) (string) – Unique identifier for the court case. Defaults to a new UUIDv4 string if not provided.

  • case_number (string) – A case number assigned by the court system in which the case is being tried.

  • case_title (string) – Title provided by the court system (e.g., ‘USA v. LastName’ or ‘USA v. LastName, et al.’).

  • court_country (string) – Country where the case was tried. A constant from country-vocab.

  • court_state (string) – State or region where the case was tried. A constant from state-vocab-us.

  • court_district (string) – District where the case was tried, if applicable (e.g., “CA Central District Court”).

  • court_type (string) – Type or level of the court where the case is tried. A constant from court-type-vocab.

  • case_type (string) – Type of case. A constant from case-type-vocab.

  • defendant (array) – The names of all the defendants (or respondents, or appellees) in the case. One or more string values.

  • plaintiff (array) – The names of all the plaintiffs (or petitioners, or appellants) in the case. One or more string values.

  • comment (string) – Clarifying comments about any of the court case details, or its associated charges and sentences, such as which sentences run concurrently, the structure of a plea deal, or the status of the case.

Raises:
  • TypeError – If any provided attribute is of the incorrect type.

  • ValueError – If any provided attribute is of the incorrect vocabulary.

Example

>>> from pyiides.utils.helper_functions import CourtCase
>>> court_case = CourtCase(
...     case_number="1:22-cr-00123-JMF",
...     case_title="USA v. Smith",
...     court_country="US",
...     court_state="NY",
...     court_district="Southern District of New York",
...     court_type="Federal",
...     case_type="Criminal",
...     defendant=["John Smith"],
...     plaintiff=["United States of America"],
...     comment="This case involved multiple charges including espionage and unauthorized disclosure of classified information."
... )
>>> print(court_case.case_title)
USA v. Smith
>>> print(court_case.court_country)
US
append_charge(item)[source]
append_defendant(item)[source]
append_plaintiff(item)[source]
append_sentence(item)[source]
property case_number
property case_title
property case_type
property charges
property comment
property court_country
property court_district
property court_state
property court_type
property defendant
property id
property legal_response
property plaintiff
remove_charge(item)[source]
remove_sentence(item)[source]
property sentences
to_dict()[source]

Detection

class pyiides.pyiides.Detection(id=None, first_detected=None, who_detected=None, detected_method=None, logs=None, comment=None, **kwargs)[source]

Bases: object

Initialize a Detection instance.

Parameters:
  • id (str) – Unique identifier for the detection. Defaults to a new UUIDv4 string if not provided.

  • first_detected (datetime) – The date and time the victim organization first became aware of the incident.

  • who_detected (list) – The individual entities or teams that first detected the incident. One or more constants from detection-team-vocab.

  • detected_method (list) – The system or process that led to the first detection of the incident. One or more constants from detection-method-vocab.

  • logs (list) – The type(s) of logs used by the detection team and/or method to first detect the incident. One or more constants from detection-log-vocab.

  • comment (str) – Clarifying comments about who, what, when, or how the incident was detected.

  • **kwargs (dict) – Additional attributes for the detection.

Raises:
  • TypeError – If any provided attribute is of the incorrect type.

  • ValueError – If any provided attribute is of the incorrect vocabulary.

Examples

>>> from datetime import datetime
>>> from pyiides.pyiides.detection import Detection
>>> detection = Detection(
...     first_detected=datetime(2023, 1, 1, 0, 0, 0),
...     who_detected=["LE"],
...     detected_method=["1"],
...     logs=["AC"],
...     comment="Additional details about the detection."
... )
>>> print(detection.first_detected)
2023-01-01 00:00:00
append_detected_method(item)[source]
append_logs(item)[source]
append_who_detected(item)[source]
property comment
property detected_method
property first_detected
property id
property incident
property logs
to_dict()[source]
property who_detected

Impact

class pyiides.pyiides.Impact(high, metric, estimated, id=None, low=None, comment=None)[source]

Bases: object

Initialize an Impact instance

Parameters:
  • id (required) (string) – Unique identifier for the impact. Defaults to a new UUIDv4 string if not provided.

  • high (required) (number) – The quantity of the impact being measured. If a range, the high end of the range.

  • low (number) – If a range, the low estimate of the range.

  • metric (required) (string) – The type of impact being quantified. A constant from impact-metric-vocab.

  • estimated (required) (boolean) – True if the impact low and/or high is an estimated number or range.

  • comment (string) – Clarifying comments.

Raises:
  • TypeError – If any provided attribute is of the incorrect type.

  • ValueError – If any provided attribute is of the incorrect vocabulary.

Example

>>> from pyiides import Impact
>>> impact = Impact(high=5000, metric="dollars", estimated=True)
>>> print(impact.high)
5000
>>> print(impact.metric)
dollars
>>> print(impact.estimated)
True
property comment
property estimated
property high
property id
property incident
property low
property metric
to_dict()[source]

Incident

class pyiides.pyiides.Incident(id=None, cia_effect=None, incident_type=None, incident_subtype=None, outcome=None, status=None, summary=None, brief_summary=None, comment=None, **kwargs)[source]

Bases: object

Initialize an Incident instance.

Parameters:
  • id (str) – Unique identifier for the incident. Defaults to a new UUIDv4 string if not provided.

  • cia_effect (list) – CIA triad components which were affected. One or more constants from cia-vocab.

  • incident_type (list) – Categorization of the incident. One or more constants from incident-type-vocabulary. Required if incident_subtype exists.

  • incident_subtype (list) – The subtype that the incident fits. MUST match the specified incident_type. One or more constants from incident-subtype-vocabulary.

  • outcome (list) – Consequences suffered by the victim organization as a result of the insider’s attack. This is NOT the outcome or consequences imposed on the insider. One or more constants from outcome-type-vocabulary.

  • status (str) – The current status of the incident. A constant from incident-status-vocabulary.

  • summary (str) – A brief prose explanation of the incident. This summary should serve as a stand-alone explanation of the incident and should include the following information as a general rule: who, what, when, where, why, and how.

  • brief_summary (str) – A shortened version of the summary (2-4 sentences, max 500 characters) with anonymized data.

  • comment (str) – Clarifying details about the incident or any of the above properties.

  • **kwargs (dict) – Additional attributes for the incident.

Raises:
  • TypeError – If any provided attribute is of the incorrect type.

  • ValueError – If any provided attribute is of the incorrect vocabulary.

Examples

>>> from pyiides import Incident
>>> incident = Incident(
...     cia_effect=["C", "I"],
...     incident_type=["F"],
...     incident_subtype=["F.1"],
...     outcome=["BR"],
...     status="P",
...     summary="An insider incident involving data theft.",
...     brief_summary="Insider data theft.",
...     comment="Additional details about the incident."
... )
>>> print(incident.id)
123e4567-e89b-12d3-a456-426614174000
>>> print(incident.incident_type)
['F']
append_cia(item)[source]
append_impact(item)[source]
append_insider(item)[source]
append_note(item)[source]
append_organization(item)[source]
append_outcome(item)[source]
append_source(item)[source]
append_subtype(item)[source]
append_target(item)[source]
append_ttp(item)[source]
append_type(item)[source]
property brief_summary
property cia_effect
property comment
property detection
property id
property impacts
property incident_subtype
property incident_type
property insiders
property notes
property organizations
property outcome
remove_impact(item)[source]
remove_insider(item)[source]
remove_note(item)[source]
remove_organization(item)[source]
remove_source(item)[source]
remove_target(item)[source]
remove_ttp(item)[source]
property response
property sources
property status
property summary
property targets
to_dict()[source]
property ttps

Insider

class pyiides.pyiides.Insider(incident_role, id=None, motive=None, substance_use_during_incident=None, psychological_issues=None, predispositions=None, concerning_behaviors=None, **kwargs)[source]

Bases: Person

Initialize an Insider instance.

Parameters:
  • id (str) – Unique identifier for the insider. Defaults to a new UUIDv4 string if not provided.

  • incident_role (str) – The insider’s role in the incident. Whether the insider was the primary actor or had a different role in the incident. A constant from incident-role-vocab.

  • motive (list) – The insider’s motive(s) for the incident. One or more constants from motive-vocab.

  • substance_use_during_incident (bool) – Indicates if the insider was using or abusing substances at the time they took one or more actions related to the incident.

  • psychological_issues (list) – Psychological issue(s) the insider experienced during or before the incident. One or more constants from psych-issues-vocab.

  • predispositions (list) – The insider’s tendency toward certain actions or qualities. One or more array values.

  • concerning_behaviors (list) – The insider’s history of past behavior that could indicate future issues. One or more array values.

  • **kwargs (dict) – Additional attributes for the insider.

Raises:
  • TypeError – If any provided attribute is of the incorrect type.

  • ValueError – If any provided attribute is of the incorrect vocabulary.

Example

>>> from pyiides.pyiides.insider import Insider
>>> insider = Insider(
...     id="123e4567-e89b-12d3-a456-426614174000",
...     incident_role="1",
...     motive=["1"],
...     substance_use_during_incident=True,
...     psychological_issues=["1"],
...     predispositions=[("1", "1.1")],
...     concerning_behaviors=[("3.1", "3.1.1")]
... )
>>> print(insider.id)
123e4567-e89b-12d3-a456-426614174000
>>> print(insider.incident_role)
1
property accomplices
property age
property alias
append_accomplice(item)[source]
append_alias(item)
append_concerning_behaviors(elem)[source]
append_country_of_citizenship(item)
append_job(item)[source]
append_motive(item)[source]
append_nationality(item)
append_predispositions(elem)[source]
append_psychological_issues(item)[source]
append_stressor(item)[source]
property city
property comment
property concerning_behaviors
property country
property country_of_citizenship
property education
property first_name
property gender
property id
property incident
property incident_role
property jobs
property last_name
property marital_status
property middle_name
property motive
property nationality
property number_of_children
property postal_code
property predispositions
property psychological_issues
remove_accomplice(item)[source]
remove_job(item)[source]
remove_stressor(item)[source]
property residency
property sponsor
property state
property stressors
property substance_use_during_incident
property suffix
to_dict()[source]

Job

class pyiides.pyiides.Job(id=None, job_function=None, occupation=None, title=None, position_technical=None, access_authorization=None, employment_type=None, hire_date=None, departure_date=None, tenure=None, comment=None, **kwargs)[source]

Bases: object

Initialize a Job instance.

Parameters:
  • id (str) – Unique identifier for the Job. Defaults to a new UUIDv4 string if not provided.

  • job_function (str) – Functional category of the individual’s job. Based on the 2018 Standard Occupational Classification system published by the Bureau of Labor Statistics. A constant from job-function-vocab. Required if occupation exists.

  • occupation (str) – The subcategory of the individual’s job. Must match the constant for job_function. A constant from occupation-vocab. Required if title exists.

  • title (str) – The individual’s job title. If title is specified, occupation should be as well.

  • position_technical (bool) – The individual had access to technical areas of the organization as part of their job role. E.g. IT admin, network engineer, help desk associate, etc.

  • access_authorization (str) – The level of access control given by this job role. A constant from access-auth-vocab.

  • employment_type (str) – The individual’s employment arrangement at the time of the incident. A constant from employment-type-vocab.

  • hire_date (date) – Date the individual is hired into this position.

  • departure_date (date) – Date the individual departed from this position.

  • tenure (timedelta) – The amount of time the individual spent in this particular job role.

  • comment (str) – Clarifying comments or details about the job or the individual’s employment with the organization.

  • **kwargs (dict) – Additional attributes for the Job.

Raises:
  • TypeError – If any provided attribute is of the incorrect type.

  • ValueError – If any provided attribute is of the incorrect vocabulary.

Example

>>> from datetime import date, timedelta
>>> from pyiides import Job
>>> job = Job(
...     id="123e4567-e89b-12d3-a456-426614174000",
...     job_function="15",
...     occupation="15.1",
...     title="Software Developer",
...     position_technical=True,
...     access_authorization="2",
...     employment_type="FLT",
...     hire_date=date(2020, 1, 1),
...     departure_date=date(2023, 1, 1),
...     tenure=timedelta(days=1096),
...     comment="This is a comment"
... )
>>> print(job.id)
123e4567-e89b-12d3-a456-426614174000
>>> print(job.title)
Software Developer
>>> print(job.access_authorization)
2
property access_authorization
property accomplice
property comment
property departure_date
property employment_type
property hire_date
property id
property insider
property job_function
property occupation
property organization
property position_technical
property tenure
property title
to_dict()[source]

LegalResponse

class pyiides.pyiides.LegalResponse(id=None, law_enforcement_contacted=None, insider_arrested=None, insider_charged=None, insider_pleads=None, insider_judgment=None, insider_sentenced=None, insider_charges_dropped=None, insider_charges_dismissed=None, insider_settled=None, comment=None)[source]

Bases: object

Initializes a LegalResponse instance

Parameters:
  • id (required) (string) – Unique identifier for the legal response. Defaults to a new UUIDv4 string if not provided.

  • law_enforcement_contacted (date) – Organization contacts law enforcement to aid in the investigation of the incident. E.g., Police are called to respond to the Insider’s violent behavior in the workplace.

  • insider_arrested (date) – Insider is taken into custody. E.g., Police arrest insider in their home.

  • insider_charged (date) – Insider is formally charged. Charges must relate to the incident. This category also covers a waiver of indictment and subsequent filing of information. E.g., Insider was indicted on computer fraud charges.

  • insider_pleads (date) – Insider puts forth a plea to the court, including guilty, not guilty, nolo contendere (no contest). E.g., Insider pleads guilty to computer intrusion.

  • insider_judgment (date) – Insider is found guilty, not guilty, or liable or not liable in a court of law. E.g., Insider is found guilty in a jury trial.

  • insider_sentenced (date) – Insider is given a legally mandated punishment. E.g., Insider sentenced to 5 months in jail, then supervised release, community service, and restitution.

  • insider_charges_dropped (date) – The plaintiff drops their case against the insider. E.g., The organization in a civil suit decides to drop the suit.

  • insider_charges_dismissed (date) – The plaintiff dismisses their case against the insider. E.g., Upon discovery of further evidence, the judge decided to drop the charges against the insider.

  • insider_settled (date) – The case against the insider is settled outside of the courtroom. E.g., The victim organization reached an agreement with the insider to not file formal charges in return for financial compensation.

  • comment (string) – Comments clarifying the details or dates of the legal response.

Raises:
  • TypeError – If any provided attribute is of the incorrect type.

  • ValueError – If any provided attribute is of the incorrect vocabulary.

Example

>>> import datetime
>>> from pyiides.utils.helper_functions import LegalResponse
>>> legal_response = LegalResponse(
...     id="6eaf8e6c-8c4d-4d9d-8f8e-6c8c4d4d9d8f",
...     law_enforcement_contacted=datetime.date(2023, 1, 1),
...     insider_arrested=datetime.date(2023, 1, 2),
...     insider_charged=datetime.date(2023, 1, 3),
...     insider_pleads=datetime.date(2023, 1, 4),
...     insider_judgment=datetime.date(2023, 1, 5),
...     insider_sentenced=datetime.date(2023, 1, 6),
...     insider_charges_dropped=datetime.date(2023, 1, 7),
...     insider_charges_dismissed=datetime.date(2023, 1, 8),
...     insider_settled=datetime.date(2023, 1, 9),
...     comment="This is a sample comment."
... )
>>> print(legal_response.id)
6eaf8e6c-8c4d-4d9d-8f8e-6c8c4d4d9d8f
>>> print(legal_response.comment)
This is a sample comment.
append_court_case(item)[source]
property comment
property court_cases
property id
property insider_arrested
property insider_charged
property insider_charges_dismissed
property insider_charges_dropped
property insider_judgment
property insider_pleads
property insider_sentenced
property insider_settled
property law_enforcement_contacted
remove_court_case(item)[source]
property response
to_dict()[source]

Organization

class pyiides.pyiides.Organization(id=None, name=None, city=None, state=None, country=None, postal_code=None, small_business=None, industry_sector=None, industry_subsector=None, business=None, parent_company=None, incident_role=None, **kwargs)[source]

Bases: object

Initialize an Organization instance.

Parameters:
  • id (str) – Unique identifier for the Organization. Defaults to a new UUIDv4 string if not provided.

  • name (str) – The name of the organization. E.g., “Company XYZ, Inc.”

  • city (str) – The city where the organization is located. Use the address of the headquarters if the whole organization was affected or use the address of the local branch if only that local branch was affected.

  • state (str) – The state where the organization is located. Use the address of the headquarters if the whole organization was affected or use the address of the local branch if only that local branch was affected.

  • country (str) – The country where the organization is located. Use the address of the headquarters if the whole organization was affected or use the address of the local branch if only that local branch was affected. Public implementations should use the standard codes provided by ISO 3166-1 alpha-2.

  • postal_code (int) – The postal code of the organization. Use the address of the headquarters if the whole organization was affected or use the address of the local branch if only that local branch was affected.

  • small_business (bool) – TRUE if the organization is a privately owned business with 500 or fewer employees.

  • industry_sector (str) – Top-level category for the economic sector the organization belongs to. Note, sectors are derived from the North American Industry Classification System (NAICS) version 2022 published by the United States Office of Management and Budget. A constant from industry-sector-vocab. Required if industry_subsector exists.

  • industry_subsector (str) – Second-level category for the economic sector the organization belongs to. This value MUST map back to industry_sector. E.g., if sector is “9”, subsector must be “9.x”. A constant from industry-subsector-vocab.

  • business (str) – Description of the organization’s business.

  • parent_company (str) – Name of the organization’s parent company, if applicable.

  • incident_role (str) – The organization’s role in the incident. A constant from org-role-vocab.

  • **kwargs (dict) – Additional attributes for the Organization.

Raises:
  • TypeError – If any provided attribute is of the incorrect type.

  • ValueError – If any provided attribute is of the incorrect vocabulary.

Example

>>> from pyiides import Organization
>>> organization = Organization(
...     id="123e4567-e89b-12d3-a456-426614174000",
...     name="Company XYZ, Inc.",
...     city="New York",
...     state="NY",
...     country="US",
...     postal_code=10001,
...     small_business=True,
...     industry_sector="51",
...     industry_subsector="51.2",
...     business="Software Development",
...     parent_company="Parent Company ABC",
...     incident_role="V"
... )
>>> print(organization.id)
123e4567-e89b-12d3-a456-426614174000
>>> print(organization.name)
Company XYZ, Inc.
append_job(item)[source]
append_stressor(item)[source]
property business
property city
property country
property id
property incident
property incident_role
property industry_sector
property industry_subsector
property jobs
property name
property parent_company
property postal_code
remove_job(item)[source]
remove_stressor(item)[source]
property small_business
property state
property stressors
to_dict()[source]

Person

class pyiides.pyiides.Person(first_name=None, middle_name=None, last_name=None, suffix=None, alias=None, city=None, state=None, country=None, postal_code=None, country_of_citizenship=None, nationality=None, residency=None, gender=None, age=None, education=None, marital_status=None, number_of_children=None, comment=None, **kwargs)[source]

Bases: object

Initialize a Person instance.

Parameters:
  • first_name (str) – The first, or given, name of the individual.

  • middle_name (str) – The middle name of the individual.

  • last_name (str) – The last, or family, name of the individual.

  • suffix (str) – The name suffix of the individual. A constant from suffix-vocab.

  • alias (list) – A list of aliases (other names) the individual has used, and/or the anonymized names of the individual in court records. One or more string values.

  • city (str) – The city (or county/district) that the person resided in at the time of the incident.

  • state (str) – The state (or region) that the person resided in at the time of the incident.

  • country (str) – The country that the person resided in at the time of the incident. Public implementations should use the standard codes provided by ISO 3166-1 alpha-2.

  • postal_code (int) – The postal code that the person resided in at the time of the incident.

  • country_of_citizenship (list) – Citizenship(s) of the person. Public implementations should use the standard codes provided by ISO 3166-1 alpha-2. One or more string values.

  • nationality (list) – The nationality or nationalities of the person. Public implementations should use the standard codes provided by ISO 3166-1 alpha-2. One or more string values.

  • residency (str) – Residency status if the person was not a citizen of the country where they resided during the incident. A constant from residency-vocab.

  • gender (str) – Sex or gender at the time of the incident. A constant from gender-vocab.

  • age (int) – Age at the time that the incident began.

  • education (str) – Highest level of education at the time the incident began. A constant from education-vocab.

  • marital_status (str) – The marital status at the time of the incident. A constant from marital-status-vocab.

  • number_of_children (int) – The number of children that the person is responsible for, at the time of the incident.

  • comment (str) – Comments or clarifications regarding any of the Person properties.

  • **kwargs (dict) – Additional attributes for the person.

Raises:
  • TypeError – If any provided attribute is of the incorrect type.

  • ValueError – If any provided attribute is of the incorrect vocabulary.

Examples

>>> from pyiides import Person
>>> person = Person(first_name="John", last_name="Doe", city="New York", country="US")
>>> print(person.first_name)
John
>>> print(person.city)
New York
property age
property alias
append_alias(item)[source]
append_country_of_citizenship(item)[source]
append_nationality(item)[source]
property city
property comment
property country
property country_of_citizenship
property education
property first_name
property gender
property last_name
property marital_status
property middle_name
property nationality
property number_of_children
property postal_code
property residency
property state
property suffix
to_dict()[source]

Response

class pyiides.pyiides.Response(id=None, technical_controls=None, behavioral_controls=None, investigated_by=None, investigation_events=None, comment=None, **kwargs)[source]

Bases: object

Initialize a Response instance.

Parameters:
  • id (str) – Unique identifier for the response. Defaults to a new UUIDv4 string if not provided.

  • technical_controls (list) – Controls put in place to limit or monitor the insider’s access to devices, data, or the network, or to limit/monitor network/device access for the user population more generally. One or more list values.

  • behavioral_controls (list) – Controls put in place to limit, monitor, or correct the insider’s behavior within the organization. One or more list values.

  • investigated_by (list) – The organization(s) or entity(s) that investigated the incident. One or more constants from investigator-vocab.

  • investigation_events (list) – Specific events that happened during the course of the investigation into the incident. One or more array values.

  • comment (str) – Clarifying comments or additional details about the organization’s response.

  • **kwargs (dict) – Additional attributes for the response.

Raises:
  • TypeError – If any provided attribute is of the incorrect type.

  • ValueError – If any provided attribute is of the incorrect vocabulary.

Example

>>> from datetime import date
>>> from pyiides import Response
>>> response = Response(
...     id="123e4567-e89b-12d3-a456-426614174000",
...     technical_controls=[("1", date(2023, 1, 1))],
...     behavioral_controls=[("4", date(2023, 1, 2))],
...     investigated_by=["1", "2"],
...     investigation_events=[("2", date(2023, 1, 3))],
...     comment="Initial comment"
... )
>>> print(response.id)
123e4567-e89b-12d3-a456-426614174000
>>> print(response.technical_controls)
[("1", "2023-01-01")]
append_behavioral_controls(item)[source]
append_investigated_by(item)[source]
append_investigation_events(item)[source]
append_technical_controls(item)[source]
property behavioral_controls
property comment
property id
property incident
property investigated_by
property investigation_events
property legal_response
property technical_controls
to_dict()[source]

Sentence

class pyiides.pyiides.Sentence(sentence_type, id=None, quantity=None, metric=None, concurrency=None)[source]

Bases: object

Initializes a Sentence instance

Parameters:
  • id (required) (string) – Unique identifier for the sentence. Defaults to a new UUIDv4 string if not provided.

  • sentence_type (required) (string) – The type of sentence that was ordered. A constant from sentence-type-vocab.

  • quantity (integer) – The quantity of the sentence type imposed. MUST be used with the metric property if used. Required if metric exists.

  • metric (string) – The measurement type of the sentence imposed. MUST be used with the quantity property if used. A constant from sentence-metric-vocab. Required if quantity exists.

  • concurrency (boolean) – Whether the sentence is to run concurrently (at the same time as) other sentences within the same case.

Raises:
  • TypeError – If any provided attribute is of the incorrect type.

  • ValueError – If any provided attribute is of the incorrect vocabulary.

Example

>>> from pyiides import Sentence
>>> sentence = Sentence(
...     id="6eaf8e6c-8c4d-4d9d-8f8e-6c8c4d4d9d8f",
...     sentence_type="9",
...     quantity=5,
...     metric="Years",
...     concurrency=True
... )
>>> print(sentence.sentence_type)
9
>>> print(sentence.quantity)
5
property concurrency
property court_case
property id
property metric
property quantity
property sentence_type
to_dict()[source]

Stressor

class pyiides.pyiides.Stressor(id=None, date=None, category=None, subcategory=None, comment=None)[source]

Bases: object

Initialize a Stressor instance

Parameters:
  • id (required) (string) – Unique identifier for the stressor. Defaults to a new UUIDv4 string if not provided.

  • date (date) – The date the stressor first occurred.

  • category (string) – The category to which the stressor belongs. A constant from stressor-category-vocab. Required if subcategory exists.

  • subcategory (string) – The subcategory to which the stressor belongs. When subcategory is specified, category MUST also be specified. The subcategory constant MUST map to the specified category constant. A constant from stressor-subcategory-vocab.

  • comment (string) – Clarifying comments about the stressor.

Raises:
  • TypeError – If any provided attribute is of the incorrect type.

  • ValueError – If any provided attribute is of the incorrect vocabulary.

Example

>>> import datetime
>>> from pyiides import Stressor
>>> stressor = Stressor(date=datetime.date(2023, 6, 14), category="2", subcategory="2.12", comment="High-pressure project deadline")
>>> print(stressor.id)
ac386e51-2f66-40fe-bfb7-c791019b2b97
>>> print(stressor.date)
2023-06-14
>>> print(stressor.category)
2
>>> print(stressor.subcategory)
2.12
>>> print(stressor.comment)
High-pressure project deadline
property category
property comment
property date
property id
property insider
property organization
property subcategory
to_dict()[source]

Source

class pyiides.pyiides.Source(title, id=None, source_type=None, file_type=None, date=None, public=None, document=None, comment=None)[source]

Bases: object

Initializes a Source instance

Parameters:
  • id (string) – Unique identifier for the source. Defaults to a new UUIDv4 string if not provided.

  • title (required) (string) – The title of the source.

  • source_type (string) – The type of the source.

  • file_type (string) – The type of file (e.g., pdf, html).

  • date (datetime) – The date the source was created or last modified.

  • public (bool) – Indicates if the source is public.

  • document (string) – The document or URL associated with the source.

  • comment (string) – Clarifying comments about the source.

Raises:
  • TypeError – If any provided attribute is of the incorrect type.

  • ValueError – If any provided attribute is of the incorrect vocabulary.

Example

>>> from datetime import datetime
>>> from pyiides import Source
>>> source = Source(
...     title="Sample Title",
...     id="source--123e4567-e89b-12d3-a456-426614174000",
...     source_type="Type A",
...     file_type="pdf",
...     date=datetime(2023, 1, 1),
...     public=True,
...     document="http://example.com",
...     comment="Sample comments about the sample source."
... )
>>> print(source.title)
Sample Title
>>> print(source.date)
2023-01-01 00:00:00
property comment
property date
property document
property file_type
property id
property incident
property public
property source_type
property title
to_dict()[source]

Target

class pyiides.pyiides.Target(asset_type, category, subcategory, format, owner, sensitivity, id=None, description=None)[source]

Bases: object

Initializes a Target instance

Parameters:
  • id (required) (string) – Unique identifier for the target. Defaults to a new UUIDv4 string if not provided.

  • asset_type (required) (string) – The type of target. A constant from target-asset-vocab. Required if category exists.

  • category (required) (string) – The classification group a target belongs to. A constant from target-category-vocab. Required if subcategory exists.

  • subcategory (required) (string) – The lower-level classification group a target belongs to. A constant from target-subcategory-vocab.

  • format (required) (string) – The data type of the target. A constant from target-format-vocab.

  • owner (required) (string) – Who the data is about. For assets, the owner of the asset. In cases where the owner and subject of the data/asset is unclear, pick the person/group most responsible for safeguarding the data/asset. A constant from target-owner-vocab.

  • sensitivity (required) (array) – The level of sensitivity and controls applied to a target. One or more constants from target-sensitivity-vocab.

  • description (string) – Brief description of the target.

Raises:
  • TypeError – If any provided attribute is of the incorrect type.

  • ValueError – If any provided attribute is of the incorrect vocabulary.

Example

>>> from pyiides import Target
>>> target = Target(
...     id="12345678-1234-1234-1234-123456789abc",
...     asset_type="4",
...     category="4.1",
...     subcategory="4.1.1",
...     format="1",
...     owner="O",
...     sensitivity=["25"],
...     description="Client list for manifold sales"
... )
>>> print(target.id)
12345678-1234-1234-1234-123456789abc
>>> print(target.asset_type)
4
>>> print(target.category)
4.1
>>> print(target.subcategory)
4.1.1
>>> print(target.format)
1
property asset_type
property category
property description
property format
property id
property incident
property owner
property sensitivity
property subcategory
to_dict()[source]

TTP

class pyiides.pyiides.TTP(id=None, date=None, sequence_num=None, observed=None, number_of_times=None, ttp_vocab=None, tactic=None, technique=None, location=None, hours=None, device=None, channel=None, description=None, **kwargs)[source]

Bases: object

Initialize a TTP instance.

Parameters:
  • id (str) – Unique identifier for the TTP. Defaults to a new UUIDv4 string if not provided.

  • date (datetime) – The date and time the action happened. If over a range of time, the start time of the action.

  • sequence_num (int) – The sequence number of this action in the overall timeline of actions. Helpful if the sequence of events is known, but the dates are unknown.

  • observed (bool) – Whether the action was observed by the victim organization or investigative team at the time it happened.

  • number_of_times (int) – The number of times this particular action took place. E.g., subject issued “5” fraudulent checks over the course of three weeks.

  • ttp_vocab (str) – A reference to the TTP framework being used by this TTP. Common options are IIDES, ATT&CK, CAPEC, etc. Default is “IIDES”. Required if tactic exists.

  • tactic (str) – The high-level category or goal of the action. A constant from tactic-vocab. Required if technique exists.

  • technique (str) – The general action taken. If technique exists, tactic should as well. A constant from technique-vocab.

  • location (list) – Whether the action was taken on-site or remotely.

  • hours (list) – Whether the action was taken during work hours.

  • device (list) – The device where this action took place, or a device that was affected by the action. A device where the action could be detected. One or more constants from device-vocab.

  • channel (list) – Methods used to transmit information outside, or into, the victim organization. One or more constants from channel-vocab.

  • description (str) – Description of the action/procedure.

  • **kwargs (dict) – Additional attributes for the TTP.

Raises:
  • TypeError – If any provided attribute is of the incorrect type.

  • ValueError – If any provided attribute is of the incorrect vocabulary.

Example

>>> from datetime import datetime
>>> from pyiides import TTP
>>> ttp = TTP(
...     id="123e4567-e89b-12d3-a456-426614174000",
...     date=datetime(2023, 1, 1, 0, 0, 0),
...     sequence_num=1,
...     observed=True,
...     number_of_times=5,
...     ttp_vocab="IIDES",
...     tactic="1",
...     technique="1.1",
...     location=["1"],
...     hours=["1"],
...     device=["1"],
...     channel=["1"],
...     description="Initial description"
... )
>>> print(ttp.id)
123e4567-e89b-12d3-a456-426614174000
>>> print(ttp.date)
2023-01-01 00:00:00
append_channel(item)[source]
append_device(item)[source]
append_hours(item)[source]
append_location(item)[source]
property channel
property date
property description
property device
property hours
property id
property incident
property location
property number_of_times
property observed
property sequence_num
property tactic
property technique
to_dict()[source]
property ttp_vocab
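
The parameter lists for Sentence, Stressor, Target and TTP state cross-field rules (quantity with metric, subcategory with category, technique with tactic with ttp_vocab). The following is an added example, not part of pyiides or its documentation, that pre-checks plain dict records against those rules before any object is constructed. The function names are hypothetical, and the prefix mapping between dotted constants is an assumption drawn from the example values on this page ("2" / "2.12", "4" / "4.1" / "4.1.1"), not from the vocabulary files.

```python
# Added example: stand-alone pre-checks for the cross-field rules in the
# parameter lists above. It does not import or call pyiides.

def _is_child(child, parent):
    # Assumption: dotted constants nest by prefix ("2.12" belongs under "2").
    return "." in child and child.rsplit(".", 1)[0] == parent


def check_sentence(rec):
    """Sentence: quantity and metric MUST be used together."""
    if (rec.get("quantity") is None) != (rec.get("metric") is None):
        return ["quantity and metric must be supplied together"]
    return []


def check_hierarchy(rec, chain):
    """Stressor/Target: each level in chain (broadest first) needs its parent
    and, under the prefix assumption, must extend the parent's constant."""
    errors = []
    for parent, child in zip(chain, chain[1:]):
        p, c = rec.get(parent), rec.get(child)
        if c is None:
            continue
        if p is None:
            errors.append(f"{child} given without {parent}")
        elif not _is_child(c, p):
            errors.append(f"{child} {c!r} does not map to {parent} {p!r}")
    return errors


def check_ttp(rec):
    """TTP: technique requires tactic, and tactic requires ttp_vocab."""
    errors = []
    if rec.get("technique") is not None and rec.get("tactic") is None:
        errors.append("technique given without tactic")
    if rec.get("tactic") is not None and rec.get("ttp_vocab") is None:
        errors.append("tactic given without ttp_vocab")
    return errors


if __name__ == "__main__":
    # Constructed sample records, not taken from any real case.
    print(check_sentence({"sentence_type": "9", "quantity": 5}))
    print(check_hierarchy({"category": "3", "subcategory": "2.12"},
                          ["category", "subcategory"]))
    print(check_ttp({"technique": "1.1"}))
```

Running these checks at ingestion lets a malformed record be reported with every violated rule at once, rather than stopping at the first ValueError raised during construction.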