[client] feat(SCV): review keywords and categorization process (#4266)

gabriel-peze · gabriel-peze · commit 2f45b9ddd5e7 · 2025-12-10T18:07:19.000+01:00
diff --git a/pyoaev/security_domain/builder.py b/pyoaev/security_domain/builder.py
@@ -7,37 +7,21 @@ def _find_in_keywords(self, keywords, search):
         return any(keyword.lower() in search.lower() for keyword in keywords.value)
 
     # Define the domain by item
-    def get_associated_security_domains(self, name, description):
+    def get_associated_security_domains(self, name):
         domains = []
         domains.append(SecurityDomains.ENDPOINT.value)
 
-        if self._find_in_keywords(
-            SecurityDomainsKeyWords.NETWORK, name
-        ) or self._find_in_keywords(SecurityDomainsKeyWords.NETWORK, description):
+        if self._find_in_keywords(SecurityDomainsKeyWords.NETWORK, name):
             domains.append(SecurityDomains.NETWORK.value)
-        if self._find_in_keywords(
-            SecurityDomainsKeyWords.WEB_APP, name
-        ) or self._find_in_keywords(SecurityDomainsKeyWords.WEB_APP, description):
+        if self._find_in_keywords(SecurityDomainsKeyWords.WEB_APP, name):
             domains.append(SecurityDomains.WEB_APP.value)
-        if self._find_in_keywords(
-            SecurityDomainsKeyWords.EMAIL_INFILTRATION, name
-        ) or self._find_in_keywords(
-            SecurityDomainsKeyWords.EMAIL_INFILTRATION, description
-        ):
+        if self._find_in_keywords(SecurityDomainsKeyWords.EMAIL_INFILTRATION, name):
             domains.append(SecurityDomains.EMAIL_INFILTRATION.value)
-        if self._find_in_keywords(
-            SecurityDomainsKeyWords.DATA_EXFILTRATION, name
-        ) or self._find_in_keywords(
-            SecurityDomainsKeyWords.DATA_EXFILTRATION, description
-        ):
+        if self._find_in_keywords(SecurityDomainsKeyWords.DATA_EXFILTRATION, name):
             domains.append(SecurityDomains.DATA_EXFILTRATION.value)
-        if self._find_in_keywords(
-            SecurityDomainsKeyWords.URL_FILTERING, name
-        ) or self._find_in_keywords(SecurityDomainsKeyWords.URL_FILTERING, description):
+        if self._find_in_keywords(SecurityDomainsKeyWords.URL_FILTERING, name):
             domains.append(SecurityDomains.URL_FILTERING.value)
-        if self._find_in_keywords(
-            SecurityDomainsKeyWords.CLOUD, name
-        ) or self._find_in_keywords(SecurityDomainsKeyWords.CLOUD, description):
+        if self._find_in_keywords(SecurityDomainsKeyWords.CLOUD, name):
             domains.append(SecurityDomains.CLOUD.value)
 
         return domains
diff --git a/pyoaev/security_domain/types.py b/pyoaev/security_domain/types.py
@@ -2,203 +2,12 @@
 
 
 class SecurityDomainsKeyWords(Enum):
-    NETWORK = [
-        "lateral movement",
-        "packet sniff",
-        "port scan",
-        "man-in-the-middle",
-        "arp spoof",
-        "smb",
-        "rdp",
-        "dns tunnel",
-        "network share",
-        "c2",
-        "beacon",
-        "firewall",
-        "domain controller",
-        "kerberos",
-        "golden ticket",
-        "silver ticket",
-        "domain trust",
-        "active directory",
-        "ldap",
-        "network boundary",
-        "bgp hijack",
-        "bgp hijack",
-        "dns hijack",
-        "dhcp poison",
-        "forced authentication",
-        "remote service",
-        "network device",
-        "vlan hopping",
-        "protocol tunnel",
-        "traffic signaling",
-        "weaken encryption",
-        "exploitation remote",
-    ]
-    WEB_APP = [
-        "sql injection",
-        "cross-site script",
-        "web shell",
-        "csrf",
-        "file upload vulnerability",
-        "apache",
-        "nginx",
-        "iis",
-        "php",
-        "javascript",
-        "rest api",
-        "cookie",
-        "server-side request forgery",
-        "ssrf",
-        "xml external entity",
-        "xxe",
-        "deserialization",
-        "path traversal",
-        "local file inclusion",
-        "remote file inclusion",
-        "template injection",
-        "ssti",
-        "api abuse",
-        "drive-by compromise",
-        "browser exploit",
-        "forge web credential",
-        "web service",
-        "defacement",
-        "server software component",
-        "reverse proxy",
-        "webdav",
-        "session hijack",
-    ]
-    EMAIL_INFILTRATION = [
-        "spearphishing attachment",
-        "spearphishing link",
-        "phishing",
-        "malicious attachment",
-        "email account",
-        "outlook",
-        "exchange",
-        "smtp",
-        "mail server",
-        "social engineering",
-        "inbox rule",
-        "dkim",
-        "business email compromise",
-        "bec",
-        "email forwarding rule",
-        "email delegation",
-        "oauth consent",
-        "reply-to manipulation",
-        "email thread hijack",
-        "internal spearphishing",
-        "email collection",
-        "zimbra",
-        "mapi",
-        "email template",
-        "spoof sender",
-        "dmarc",
-        "spf",
-        "email gateway",
-        "link shortener",
-    ]
-    DATA_EXFILTRATION = [
-        "exfiltrat",
-        "data staging",
-        "data compressed",
-        "steganography",
-        "covert channel",
-        "database dump",
-        "automated collection",
-        "intellectual property",
-        "cloud storage exfil",
-        "ftp exfil",
-        "physical medium",
-        "air gap",
-        "scheduled transfer",
-        "alternate protocol",
-        "icmp tunnel",
-        "dns exfiltration",
-        "automated exfiltration",
-        "web service exfil",
-        "pastebin",
-        "code repository",
-        "cloud account transfer",
-        "email exfil",
-        "data destruction",
-        "data encrypted",
-        "image steganography",
-    ]
-    URL_FILTERING = [
-        "domain fronting",
-        "url shorten",
-        "typosquatting",
-        "typosquatting",
-        "homograph",
-        "punycode",
-        "url reputation",
-        "content filter",
-        "web gateway",
-        "safe browsing",
-        "url categorization",
-        "blacklist bypass",
-        "whitelist",
-        "redirect",
-        "proxy bypass",
-        "dns over https",
-        "dns over tls",
-        "unicode domain",
-        "url encode",
-        "double encode",
-        "open redirect",
-        "captive portal",
-        "proxy pac",
-        "socks proxy",
-        "vpn bypass",
-        "domain generation",
-        "fast flux",
-        "url confusion",
-        "subdomain takeover",
-        "Bitsadmin Download (PowerShell)",
-    ]
-    CLOUD = [
-        "aws",
-        "azure",
-        "gcp",
-        "lambda",
-        "s3 bucket",
-        "blob storage",
-        "kubernetes",
-        "docker",
-        "serverless",
-        "cloud instance",
-        "iam role",
-        "iam role",
-        "saas",
-        "tenant",
-        "subscription",
-        "api gateway",
-        "microservice",
-        "cloud trail",
-        "cloudtrail",
-        "cloud formation",
-        "terraform",
-        "cloud init",
-        "metadata service",
-        "instance metadata",
-        "cloud api",
-        "resource policy",
-        "cloud dashboard",
-        "unused region",
-        "snapshot",
-        "cloud backup",
-        "object storage",
-        "cloud function",
-        "service principal",
-        "managed identity",
-        "cloud key",
-        "sas token",
-        "assume role",
-    ]
+    NETWORK = ["network", "ftp", "smb", "llmnr"]
+    WEB_APP = ["web"]
+    EMAIL_INFILTRATION = ["email", "phishing"]
+    DATA_EXFILTRATION = ["exfiltrat"]
+    URL_FILTERING = ["bitsadmin"]
+    CLOUD = ["aws", "azure", "gcp"]
 
 
 class SecurityDomains(Enum):
