
feat: improve generic observable type detection in InQuest analyzer#3283

Merged
mlodic merged 3 commits into intelowlproject:develop from lakshita10341:inquest-generic-type-validation
Feb 10, 2026

Conversation

@lakshita10341

Description

Improved the type_of_generic() method in the InQuest analyzer to provide more thorough validation of generic observable types.
Closes #3280

Changes Made

  1. Enhanced email regex: Updated the pattern to handle TLDs longer than 3 characters and subdomains
  2. Added detection for Windows registry keys: Pattern matching for HKEY_*, HKLM, HKCU, etc.
  3. Added detection for XMP IDs: UUID-like pattern matching
  4. Added basic filename validation: Proper pattern validation instead of defaulting
  5. Added warning logging: Log when observable type cannot be determined

Type of change

  • Bug fix (non-breaking change which fixes an issue)

Checklist

  • I have read and understood the rules about how to Contribute to this project
  • The pull request is for the branch develop
  • Linters (Black, Flake, Isort) gave 0 errors. If you have correctly installed pre-commit, it does these checks and adjustments on your behalf.
  • I have added tests for the feature/bug I solved (see tests folder). All the tests (new and old ones) gave 0 errors.
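The detection logic the PR describes (email with subdomains and long TLDs, Windows registry keys, UUID-like XMP IDs, basic filename validation, and a warning when nothing matches), as an added illustration that is not the project's code: the regexes, the classify_generic name and the returned labels are assumptions, since the analyzer's actual patterns are not shown on this page.

```python
import logging
import re
from typing import Optional

logger = logging.getLogger(__name__)

# All patterns below are constructed for this example, not IntelOwl's own.
# Email: local part, one or more dot-separated labels (subdomains allowed),
# and a TLD of at least two letters, so "museum" or "co.uk" are accepted.
EMAIL_PATTERN = re.compile(r"^[A-Za-z0-9._%+-]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")
# Registry key: a full hive name (HKEY_*) or common abbreviation, followed by
# at least one backslash-separated path component.
REGISTRY_PATTERN = re.compile(
    r"^(?:HKEY_[A-Z_]+|HKLM|HKCU|HKCR|HKU|HKCC)(?:\\[^\\]+)+\\?$", re.IGNORECASE
)
# XMP ID: UUID-like 8-4-4-4-12 hexadecimal groups.
XMPID_PATTERN = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.IGNORECASE
)
# Filename: no path separators, no shell/Windows-reserved characters, no
# whitespace, and a short alphanumeric extension. Checked last because it is
# the most permissive pattern.
FILENAME_PATTERN = re.compile(r"^[^\\/:*?\"<>|\s]+\.[A-Za-z0-9]{1,10}$")


def classify_generic(observable: str) -> Optional[str]:
    """Return 'email', 'registry_key', 'xmpid' or 'filename' for a generic
    observable, or None (after logging a warning) when no pattern matches.

    Order matters: the specific patterns run before the permissive filename
    check, so a UUID or an e-mail address is never mislabelled as a file.
    """
    value = observable.strip()
    if EMAIL_PATTERN.match(value):
        return "email"
    if REGISTRY_PATTERN.match(value):
        return "registry_key"
    if XMPID_PATTERN.match(value):
        return "xmpid"
    if FILENAME_PATTERN.match(value):
        return "filename"
    # Instead of silently defaulting to "filename", surface the miss so the
    # analyst can see why the lookup may return nothing useful.
    logger.warning("Could not determine generic observable type for %r", value)
    return None
```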

Copilot AI review requested due to automatic review settings February 6, 2026 19:24
Contributor

Copilot AI left a comment


Pull request overview

This PR improves IntelOwl’s InQuest observable analyzer by enhancing type_of_generic() so it can automatically infer more generic observable types beyond just email vs filename, and adds unit tests to validate the new detection logic.

Changes:

  • Expanded generic observable detection to identify emails (incl. subdomains/long TLDs), registry keys, and UUID-like XMP IDs.
  • Added basic filename validation and warning logging when the type can’t be confidently inferred.
  • Added unit tests covering the new type_of_generic() behavior.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

Files reviewed:

  • api_app/analyzers_manager/observable_analyzers/inquest.py: Improves generic observable type inference (email/registry/xmpid/filename) and logs a warning on fallback.
  • tests/api_app/analyzers_manager/unit_tests/observable_analyzers/test_inquest.py: Adds a dedicated test case class validating type_of_generic() for the new patterns.


@lakshita10341 lakshita10341 marked this pull request as draft February 6, 2026 21:36
@lakshita10341 lakshita10341 marked this pull request as ready for review February 7, 2026 14:25
Copilot AI review requested due to automatic review settings February 7, 2026 14:25
Contributor

Copilot AI left a comment


Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.


@lakshita10341
Author

Hi @mlodic, the PR is ready for review. PTAL when you get time. Thanks!

@mlodic
Member

mlodic commented Feb 9, 2026

Please show a screenshot and the JSON result of an analysis with at least one of these cases, then we are ready to merge.

@lakshita10341
Author

[screenshot of the analysis result]

{ "id": 4, "user": { "username": "admin" }, "tags": [], "comments": [], "status": "reported_without_fails", "pivots_to_execute": [], "analyzers_to_execute": [ "InQuest_DFI" ], "analyzers_requested": [ "InQuest_DFI" ], "connectors_to_execute": [], "connectors_requested": [], "visualizers_to_execute": [], "playbook_requested": null, "playbook_to_execute": null, "investigation_id": null, "investigation_name": null, "permissions": { "kill": true, "delete": true, "plugin_actions": true }, "data_model": {}, "file_name": "12345678-1234-1234-1234-1234567890ab", "file_mimetype": null, "is_sample": false, "observable_name": "12345678-1234-1234-1234-1234567890ab", "observable_classification": "generic", "md5": "02f6828a5bb86bf6d55c274eb598f71a", "analyzer_reports": [ { "name": "InQuest_DFI", "process_time": 1.94, "status": "SUCCESS", "end_time": "2026-02-09T19:55:50.335543Z", "parameters": { "inquest_analysis": "dfi_search" }, "type": "analyzer", "id": 8, "report": { "data": [], "link": "https://labs.inquest.net/dfi", "success": true, "type_of_generic": "xmpid" }, "errors": [ "No API key retrieved" ], "start_time": "2026-02-09T19:55:48.395903Z", "data_model": null, "description": "Deep File Inspection - search dfi" } ], "connector_reports": [], "pivot_reports": [], "visualizer_reports": [], "analyzable_id": 3, "received_request_time": "2026-02-09T19:55:48.177635Z", "finished_analysis_time": "2026-02-09T19:55:50.577239Z", "process_time": 2.4, "warnings": [], "errors": [] }

Hi @mlodic, I have verified the changes. Here are the screenshot and JSON result: I added a UUID as the observable and got xmpid in type_of_generic.

@mlodic mlodic merged commit 562651e into intelowlproject:develop Feb 10, 2026
9 checks passed
Abhishek9639 pushed a commit to Abhishek9639/IntelOwl that referenced this pull request Feb 17, 2026
…ntelowlproject#3283)

* feat: improve generic observable type detection in InQuest analyzer

* refactor: precompile regex patterns and improve test robustness

* refactored the XMPID_PATTERN regex and added a test for logging a warning
