
tessl/pypi-pymisp

Python API for MISP threat intelligence platform enabling programmatic access to MISP instances.


Data Model Classes

Rich Python objects representing all MISP entities with validation, serialization, relationship management, and comprehensive attribute handling.

Capabilities

Core Data Models

Primary MISP entity classes with full object lifecycle support.

class MISPEvent(AbstractMISP):
    """
    MISP event representation with attributes, objects, and metadata.
    
    Key Properties:
    - info: Event title/description
    - threat_level_id: Threat level (1-4)
    - analysis: Analysis status (0-2)
    - distribution: Sharing distribution level (0-5)
    - published: Publication status
    - uuid: Unique event identifier
    - timestamp: Last modification time
    - publish_timestamp: Publication time
    - orgc_id: Creator organization ID
    - org_id: Owner organization ID

    The integer codes for threat_level_id, analysis and distribution are the
    values of the ThreatLevel, Analysis and Distribution enums listed under
    "Base Classes & Enumerations" on this page.

    Sharing note: distribution decides which organisations can see the event,
    so set it explicitly before the event is published or synchronised
    rather than leaving it unset.
    """
    # NOTE(review): the range above is given as 0-5, and 5 is `inherit` in the
    # Distribution enum on this page. An event has no parent to inherit from,
    # so confirm whether your MISP version accepts 5 at event level.
    
    def __init__(self) -> None: ...
    
    # Returns the MISPAttribute that was created. `category` is optional.
    # Presumably **kwargs carries further MISPAttribute properties (to_ids,
    # comment, ...) - confirm against the installed PyMISP version.
    def add_attribute(
        self, 
        type: str, 
        value: str, 
        category: str = None,
        **kwargs
    ) -> 'MISPAttribute': ...
    
    def add_object(self, obj: 'MISPObject') -> None: ...
    
    # Accepts either a tag name or a MISPTag instance.
    def add_tag(self, tag: Union[str, 'MISPTag']) -> None: ...
    
    # NOTE(review): the stubs do not show whether publish()/unpublish() only
    # change the local `published` state or also contact a server. Confirm
    # before relying on either, since publishing exposes the event to
    # everyone covered by `distribution`.
    def publish(self) -> None: ...
    
    def unpublish(self) -> None: ...

class MISPAttribute(AbstractMISP):
    """
    MISP attribute representing indicators and observables.
    
    Key Properties:
    - type: Attribute type (ip-dst, domain, md5, etc.)
    - value: Attribute value
    - category: Attribute category
    - to_ids: IDS export flag
    - distribution: Sharing distribution level
    - comment: Descriptive comment
    - uuid: Unique attribute identifier
    - timestamp: Last modification time
    - event_id: Parent event ID

    Detection note: to_ids marks the value for export to detection tooling.
    A wrong or overly generic value (a private address, a shared hosting
    domain, the hash of an empty file) that carries this flag can cause
    false-positive alerts or blocks downstream, so set it deliberately for
    each attribute.

    Sharing note: distribution is set per attribute as well as per event
    (see the Distribution enum on this page), so an attribute can be shared
    differently from its parent event.
    """
    
    # The constructor takes no arguments. The usage example on this page
    # sets type, value, category and to_ids as plain attributes afterwards.
    def __init__(self) -> None: ...
    
    # Accepts either a tag name or a MISPTag instance.
    def add_tag(self, tag: Union[str, 'MISPTag']) -> None: ...
    
    def add_sighting(self, sighting: 'MISPSighting') -> None: ...

class MISPObject(AbstractMISP):
    """
    MISP object for structured threat intelligence data.
    
    Key Properties:
    - name: Object template name
    - meta_category: Object meta category
    - description: Object description
    - template_uuid: Template UUID
    - template_version: Template version
    - distribution: Sharing distribution level
    - uuid: Unique object identifier

    An object groups several related attributes under one template name.
    The usage examples on this page build 'file' and 'network-connection'
    objects this way.
    """
    
    # `name` is the object template name (see the docstring above).
    def __init__(self, name: str, **kwargs) -> None: ...
    
    # `object_relation` names the field within the template, e.g. 'filename'
    # or 'md5' in the examples on this page.
    # NOTE(review): `value` is annotated str, but the examples pass ints
    # ('size-in-bytes', 1024) and the Types section defines AttributeValue as
    # Union[str, int, float]. Confirm which the installed version expects.
    def add_attribute(
        self, 
        object_relation: str, 
        value: str, 
        **kwargs
    ) -> 'MISPObjectAttribute': ...
    
    # Links this object to another entity by UUID and returns the reference.
    def add_reference(
        self, 
        referenced_uuid: str, 
        relationship_type: str
    ) -> 'MISPObjectReference': ...
    
    def has_attributes_by_relation(self, object_relation: str) -> bool: ...
    
    def get_attributes_by_relation(self, object_relation: str) -> List['MISPObjectAttribute']: ...

User & Organization Models

Models for user management and organizational structure.

class MISPUser(AbstractMISP):
    """
    MISP user account representation.
    
    Key Properties:
    - email: User email address
    - org_id: Organization ID
    - role_id: User role ID
    - authkey: API authentication key
    - newsread: News read timestamp
    - termsaccepted: Terms acceptance status
    - disabled: Account disabled status

    Secret handling: authkey is a credential. This class inherits to_dict()
    and to_json() from AbstractMISP, so serialized output may include the
    key. Check what is emitted before logging, storing or sharing a
    serialized user, and keep the key out of source control.
    """
    
    # The constructor takes no arguments. The usage example on this page
    # sets email, org_id and role_id as plain attributes afterwards.
    def __init__(self) -> None: ...

class MISPOrganisation(AbstractMISP):
    """
    MISP organization representation.
    
    Key Properties:
    - name: Organization name
    - description: Organization description
    - type: Organization type
    - nationality: Organization nationality
    - sector: Organization sector
    - created_by: Creator user ID
    - uuid: Unique organization identifier
    - local: Local organization flag

    Other models on this page refer to an organisation by numeric ID
    (org_id / orgc_id on MISPEvent, org_id on MISPUser and MISPServer),
    while uuid is this class's own identifier property.
    """
    # NOTE(review): numeric IDs are presumably local to one MISP instance
    # while uuid is stable across instances - confirm before matching
    # organisations between servers by ID.
    
    def __init__(self) -> None: ...

class MISPRole(AbstractMISP):
    """
    User role definition with permissions.
    
    Key Properties:
    - name: Role name
    - created: Creation timestamp
    - modified: Modification timestamp
    - perm_admin: Admin permissions
    - perm_site_admin: Site admin permissions
    - perm_sync: Sync permissions
    - perm_audit: Audit permissions

    Least-privilege note: the perm_* flags are what a user assigned this
    role (MISPUser.role_id) is allowed to do. Review which flags a role
    carries before assigning it, and reserve perm_site_admin and perm_sync
    for the accounts that need them.
    """
    
    def __init__(self) -> None: ...

Threat Intelligence Models

Specialized models for threat intelligence data and analysis.

class MISPSighting(AbstractMISP):
    """
    Sighting data for threat intelligence observations.
    
    Key Properties:
    - type: Sighting type (0=sighting, 1=false positive, 2=expiration)
    - date_sighting: Sighting timestamp
    - organisation_id: Reporting organization
    - source: Sighting source
    - uuid: Unique sighting identifier

    A sighting is attached to an attribute with MISPAttribute.add_sighting()
    (see its signature on this page). Type 1 records that an indicator
    produced a false positive, which is useful feedback when deciding
    whether the attribute should keep its to_ids flag.
    """
    
    def __init__(self) -> None: ...

class MISPGalaxy(AbstractMISP):
    """
    Galaxy threat intelligence knowledge base.
    
    Key Properties:
    - name: Galaxy name
    - type: Galaxy type
    - description: Galaxy description
    - version: Galaxy version
    - uuid: Unique galaxy identifier
    - namespace: Galaxy namespace

    A galaxy is the parent of galaxy clusters: MISPGalaxyCluster on this
    page points back to its galaxy through galaxy_id.
    """
    
    # The constructor takes no arguments. from_dict(), inherited from
    # AbstractMISP, is the populate-from-data entry point shown on this page.
    def __init__(self) -> None: ...

class MISPGalaxyCluster(AbstractMISP):
    """
    Galaxy cluster representing threat patterns.
    
    Key Properties:
    - type: Cluster type
    - value: Cluster value
    - description: Cluster description
    - galaxy_id: Parent galaxy ID
    - source: Information source
    - authors: Cluster authors
    - uuid: Unique cluster identifier

    galaxy_id ties the cluster to its MISPGalaxy. source and authors record
    where the cluster's content came from, which matters when judging how
    much weight to give it.
    """
    
    def __init__(self) -> None: ...

class MISPTag(AbstractMISP):
    """
    Tag for classification and labeling.
    
    Key Properties:
    - name: Tag name
    - colour: Tag color (hex code)
    - exportable: Export flag
    - hide_tag: Visibility flag
    - user_id: Creator user ID
    - numerical_value: Numeric weight

    MISPEvent.add_tag() and MISPAttribute.add_tag() on this page accept
    either a MISPTag instance or a plain tag-name string.
    """
    # NOTE(review): presumably `exportable` controls whether the tag leaves
    # the instance with the data it labels - confirm, since tags are often
    # used to carry handling or sharing markings.
    
    def __init__(self) -> None: ...

Administrative Models

Models for system administration and configuration.

class MISPServer(AbstractMISP):
    """
    Remote MISP server configuration.
    
    Key Properties:
    - name: Server name
    - url: Server URL
    - authkey: Authentication key
    - org_id: Organization ID
    - push: Push enabled flag
    - pull: Pull enabled flag
    - json_connection: JSON connection flag

    Secret handling: authkey is the credential used against the remote
    server. This class inherits to_dict() and to_json() from AbstractMISP,
    so serialized output may include it. Check before logging or exporting
    a server definition.

    Data-flow note: push and pull decide the direction in which data moves
    between the two instances. Enable only the direction that is needed.
    """
    
    def __init__(self) -> None: ...

class MISPSharingGroup(AbstractMISP):
    """
    Sharing group for access control.
    
    Key Properties:
    - name: Sharing group name
    - description: Group description
    - releasability: Release information
    - organisation_id: Owner organization
    - created_by: Creator user ID
    - local: Local group flag

    Sharing groups correspond to Distribution.sharing_group (value 4) in the
    enum on this page. MISPFeed.sharing_group_id is one place where a group
    is referenced by ID.
    """
    # NOTE(review): the stub does not show how member organisations are
    # listed - confirm membership before using a group to restrict
    # sensitive data.
    
    def __init__(self) -> None: ...

class MISPFeed(AbstractMISP):
    """
    External data feed configuration.
    
    Key Properties:
    - name: Feed name
    - provider: Feed provider
    - url: Feed URL
    - rules: Processing rules
    - enabled: Feed enabled status
    - distribution: Default distribution
    - sharing_group_id: Default sharing group

    Trust note: a feed brings in content written by a third party (provider
    / url). The distribution and sharing_group_id defaults decide how far
    that content is re-shared, so choose them with the feed's licence and
    reliability in mind.
    """
    # NOTE(review): the format of `rules` is not shown on this page -
    # confirm before writing filters.
    
    def __init__(self) -> None: ...

Analytical Models

Models for analytical data and expert assessments.

class MISPNote(AbstractMISP):
    """
    Analyst contextual notes.
    
    Key Properties:
    - note: Note content
    - language: Note language
    - object_type: Referenced object type
    - object_uuid: Referenced object UUID
    - authors: Note authors
    - distribution: Sharing distribution

    A note points at another entity through object_type / object_uuid and
    carries its own distribution, so analyst commentary can be shared more
    narrowly (or more widely) than the object it describes. Set it on
    purpose.
    """
    
    def __init__(self) -> None: ...

class MISPOpinion(AbstractMISP):
    """
    Expert threat assessments.
    
    Key Properties:
    - opinion: Opinion value (0-100)
    - comment: Opinion comment
    - object_type: Referenced object type
    - object_uuid: Referenced object UUID
    - authors: Opinion authors
    - distribution: Sharing distribution

    An opinion points at another entity through object_type / object_uuid
    and has its own distribution, separate from that entity's.
    """
    # NOTE(review): the page gives the 0-100 range but not which end means
    # agreement - confirm before aggregating opinion values.
    
    def __init__(self) -> None: ...

class MISPRelationship(AbstractMISP):
    """
    Entity relationship definitions.
    
    Key Properties:
    - relationship_type: Relationship type
    - object_uuid: Source object UUID
    - related_object_uuid: Target object UUID
    - distribution: Sharing distribution

    The relationship is directed, from object_uuid (source) to
    related_object_uuid (target), and it carries its own distribution.
    """
    
    def __init__(self) -> None: ...

Base Classes & Enumerations

Foundation classes and enumerated values.

class AbstractMISP:
    """
    Base class for all MISP objects with common functionality.
    
    Methods:
    - from_dict(): Create object from dictionary
    - to_dict(): Convert object to dictionary
    - to_json(): Convert object to JSON string
    - load_file(): Load object from file
    - save(): Save object to file
    - jsonable(): Get JSON-serializable representation

    Every model on this page inherits these, including MISPUser and
    MISPServer, whose authkey property is a credential. Treat serialized
    output as potentially sensitive.
    """
    # NOTE(review): load_file() and save() are listed in the docstring above
    # but have no stub signature below - confirm they exist on this base
    # class in the installed PyMISP version before relying on them.
    
    # Populates the instance in place from keyword arguments (returns None).
    def from_dict(self, **kwargs) -> None: ...
    def to_dict(self) -> Dict: ...
    def to_json(self) -> str: ...
    def jsonable(self) -> Dict: ...

from enum import Enum

class Distribution(Enum):
    """Sharing distribution levels.

    These are the integer codes used by the `distribution` property of the
    models on this page. The fixed levels 0-3 are listed from the narrowest
    audience to the widest.
    """
    your_organisation_only = 0  # narrowest: the owning organisation only
    this_community_only = 1
    connected_communities = 2
    all_communities = 3  # widest of the fixed levels; use deliberately
    sharing_group = 4  # audience defined by a sharing group (see MISPSharingGroup)
    # NOTE(review): presumably "take the level of the parent event" for
    # attributes and objects - confirm it is not used at event level.
    inherit = 5

class ThreatLevel(Enum):
    """Threat level classifications.

    These are the 1-4 codes used by MISPEvent.threat_level_id. The numbering
    runs from high (1) down to low (3), so a numerically larger ID does not
    mean a more severe threat. Sort and filter with that in mind.
    """
    high = 1
    medium = 2
    low = 3
    undefined = 4  # no level assigned; not "lower than low"

class Analysis(Enum):
    """Analysis status levels.

    These are the 0-2 codes used by MISPEvent.analysis.
    """
    initial = 0
    ongoing = 1
    completed = 2

Usage Examples

Creating Events & Attributes

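from pymisp import MISPEvent, MISPAttribute, Distribution, ThreatLevel, Analysis

# Create new event. Set the sharing level explicitly: `distribution` decides
# which organisations will be able to see the event.
event = MISPEvent()
event.info = "Malware Campaign Analysis"
event.distribution = Distribution.this_community_only.value
event.threat_level_id = ThreatLevel.high.value
event.analysis = Analysis.ongoing.value  # 1; enum used for consistency with the lines above

# Add attributes directly; add_attribute() returns the new MISPAttribute.
# 203.0.113.10 is a documentation-range address (RFC 5737), the same one the
# network-connection example on this page uses as the remote endpoint. A
# private (RFC 1918) address would not be a meaningful C2 indicator.
ip_attr = event.add_attribute('ip-dst', '203.0.113.10', category='Network activity')
ip_attr.comment = 'C2 server IP'

# Create standalone attribute
domain_attr = MISPAttribute()
domain_attr.type = 'domain'
domain_attr.value = 'malware.example.com'
domain_attr.category = 'Network activity'
# to_ids flags the value for export to detection tooling. Enable it only for
# indicators you are confident in, to avoid false-positive alerts downstream.
domain_attr.to_ids = True

# Add to event
# NOTE(review): `attributes` is not part of the MISPEvent stub on this page.
# Confirm that appending to it is supported in your PyMISP version, or create
# the attribute through event.add_attribute() instead.
event.attributes.append(domain_attr)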

Working with Objects

from pymisp import MISPObject

# `event` below is the MISPEvent built in the previous example
# ("Creating Events & Attributes").

# Create file object
file_obj = MISPObject('file')
file_obj.add_attribute('filename', 'malware.exe')
# Placeholder digests: these are the MD5 and SHA-1 of empty input, so they do
# not match the 1024-byte size given below. Replace them with the real
# sample's hashes. Published as indicators, empty-input digests would match
# every empty file.
file_obj.add_attribute('md5', 'd41d8cd98f00b204e9800998ecf8427e')
file_obj.add_attribute('sha1', 'da39a3ee5e6b4b0d3255bfef95601890afd80709')
file_obj.add_attribute('size-in-bytes', 1024)

# Add object to event
event.add_object(file_obj)

# Create network connection object
# src-ip is a private (RFC 1918) address standing in for the internal host;
# dst-ip is a documentation-range address (RFC 5737) standing in for the
# remote endpoint.
conn_obj = MISPObject('network-connection')
conn_obj.add_attribute('src-ip', '192.168.1.100')
conn_obj.add_attribute('dst-ip', '203.0.113.10')
conn_obj.add_attribute('src-port', 8080)
conn_obj.add_attribute('dst-port', 443)
conn_obj.add_attribute('protocol', 'tcp')

event.add_object(conn_obj)

Object Serialization

from pymisp import MISPEvent

# Create and populate event
event = MISPEvent()
event.info = "Test Event"
event.add_attribute('ip-dst', '192.168.1.1')

# Convert to dictionary
event_dict = event.to_dict()

# Convert to JSON
# The serialized form carries the event's full content. Handle it according
# to the event's distribution level (log files and tickets are easy places
# to leak it).
event_json = event.to_json()

# Create from dictionary
new_event = MISPEvent()
new_event.from_dict(**event_dict)

# Save to file
# NOTE(review): save() and load_file() are named in the AbstractMISP
# docstring on this page but have no stub signature there - confirm they are
# available in your PyMISP version. The relative path writes into the current
# working directory; choose a location with suitable file permissions.
event.save('event.json')

# Load from file
# Only load event files from sources you trust, or validate the loaded
# content before acting on it (for example before pushing it to a server).
loaded_event = MISPEvent()
loaded_event.load_file('event.json')

Tags & Classification

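from pymisp import MISPEvent, MISPTag

# Event and attribute to tag. The original snippet used `event` and
# `attribute` without defining them; these are constructed sample values
# (203.0.113.10 is a documentation-range address).
event = MISPEvent()
event.info = "Test Event"
attribute = event.add_attribute('ip-dst', '203.0.113.10')

# Create custom tag
tag = MISPTag()
tag.name = 'custom:campaign-x'
tag.colour = '#ff0000'
tag.exportable = True

# Add tags to event: add_tag() accepts a tag name or a MISPTag instance
event.add_tag('apt')
event.add_tag('malware')
event.add_tag(tag)

# Add tags to attributes
# Free-text tags such as these are only useful if every consumer spells them
# the same way. Agree on a fixed vocabulary before tags are used to drive
# filtering or handling decisions.
attribute.add_tag('high-confidence')
attribute.add_tag('ioc')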

User & Organization Management

from pymisp import MISPUser, MISPOrganisation

# Create organization
org = MISPOrganisation()
org.name = "Security Company"
org.description = "Cybersecurity organization"
org.type = "CSIRT"
org.nationality = "US"
org.sector = "Security"

# Create user
# These objects exist only locally. Nothing on this page sends them to a
# MISP server.
user = MISPUser()
user.email = "analyst@security.com"
# NOTE(review): org_id and role_id are hard-coded here. Presumably both are
# specific to one MISP instance - look them up on the target server rather
# than assuming that 1 and 3 mean the same organisation and role everywhere,
# since a wrong role_id grants the wrong permissions (see MISPRole).
user.org_id = 1
user.role_id = 3  # User role

Types

from typing import Union, List, Dict, Optional, Any
from datetime import datetime
from enum import Enum

# Convenience aliases for the signatures on this page.
# NOTE(review): the MISP* classes referenced below are not imported in this
# snippet. It assumes they are already in scope (e.g. imported from pymisp).
MISPEntity = Union[MISPEvent, MISPAttribute, MISPObject, MISPUser, MISPOrganisation]
AttributeType = str
AttributeValue = Union[str, int, float]
UUID = str
Timestamp = Union[str, int, datetime]
DistributionLevel = int  # 0-5, the values of the Distribution enum on this page
ThreatLevelID = int  # 1-4, the values of the ThreatLevel enum (1 = high)
AnalysisLevel = int  # 0-2, the values of the Analysis enum

Install with Tessl CLI

npx tessl i tessl/pypi-pymisp
