contentctl 3.6.0__py3-none-any.whl → 4.0.2__py3-none-any.whl

contentctl/objects/story.py

@@ -1,49 +1,147 @@
-import string
-import uuid
-import requests
-
-from pydantic import BaseModel, validator, ValidationError
-from datetime import datetime
+from __future__ import annotations
+from typing import TYPE_CHECKING,List
+from contentctl.objects.story_tags import StoryTags
+from pydantic import Field, model_serializer,computed_field, model_validator
+import re
+if TYPE_CHECKING:
+    from contentctl.objects.detection import Detection
+    from contentctl.objects.investigation import Investigation
+    from contentctl.objects.baseline import Baseline
+    
 
 from contentctl.objects.security_content_object import SecurityContentObject
-from contentctl.objects.story_tags import StoryTags
-from contentctl.helper.link_validator import LinkValidator
-from contentctl.objects.enums import SecurityContentType
+
+
+
+
+
+#from contentctl.objects.investigation import Investigation
+
+
+
 class Story(SecurityContentObject):
-    # story spec
-    #name: str
-    #id: str
-    #version: int
-    #date: str
-    #author: str
-    #description: str
-    #contentType: SecurityContentType = SecurityContentType.stories
-    narrative: str
-    check_references: bool = False #Validation is done in order, this field must be defined first
-    references: list
-    tags: StoryTags
+    narrative: str = Field(...)
+    tags: StoryTags = Field(...)
 
     # enrichments
-    detection_names: list = None
-    investigation_names: list = None
-    baseline_names: list = None
-    author_company: str = None
-    author_name: str = None
-    detections: list = None
-    investigations: list = None
-    
-
-    # Allow long names for macros
-    @validator('name',check_fields=False)
-    def name_max_length(cls, v):
-        #if len(v) > 67:
-        #    raise ValueError('name is longer then 67 chars: ' + v)
-        return v
-    
-    @validator('narrative')
-    def encode_error(cls, v, values, field):
-        return SecurityContentObject.free_text_field_valid(cls,v,values,field)
-
-    @validator('references')
-    def references_check(cls, v, values):
-        return LinkValidator.SecurityContentObject_validate_references(v, values)
+    #detection_names: List[str] = []
+    #investigation_names: List[str] = []
+    #baseline_names: List[str] = []
+
+    # These are updated when detection and investigation objects are created.
+    # Specifically in the model_post_init functions
+    detections:List[Detection] = []
+    investigations: List[Investigation] = []
+    baselines: List[Baseline] = []
+
+
+    def storyAndInvestigationNamesWithApp(self, app_name:str)->List[str]:
+        return [f"{app_name} - {name} - Rule" for name in self.detection_names] + \
+               [f"{app_name} - {name} - Response Task" for name in self.investigation_names]
+        
+    @model_serializer
+    def serialize_model(self):
+        #Call serializer for parent
+        super_fields = super().serialize_model()
+        
+        #All fields custom to this model
+        model= {
+            "narrative": self.narrative,
+            "tags": self.tags.model_dump(),
+            "detection_names": self.detection_names,
+            "investigation_names": self.investigation_names,
+            "baseline_names": self.baseline_names,
+            "author_company": self.author_company,
+            "author_name":self.author_name
+        }
+        detections = []
+        for detection in self.detections:
+            new_detection = {
+                "name":detection.name,
+                "source":detection.source,
+                "type":detection.type
+            }
+            if self.tags.mitre_attack_enrichments is not None:
+                new_detection['tags'] = {"mitre_attack_enrichments": [{"mitre_attack_technique":  enrichment.mitre_attack_technique} for enrichment in detection.tags.mitre_attack_enrichments]}
+            detections.append(new_detection)
+
+        model['detections'] = detections
+        #Combine fields from this model with fields from parent
+        super_fields.update(model)
+        
+        #return the model
+        return super_fields
+
+    @model_validator(mode="after")
+    def setTagsFields(self):
+        
+        enrichments = []
+        for detection in self.detections:
+            enrichments.extend(detection.tags.mitre_attack_enrichments)
+        self.tags.mitre_attack_enrichments = list(set(enrichments))
+
+    
+        tactics = []
+        for enrichment in self.tags.mitre_attack_enrichments:
+            tactics.extend(enrichment.mitre_attack_tactics)
+        self.tags.mitre_attack_tactics = set(tactics)
+
+    
+    
+        datamodels = []
+        for detection in self.detections:
+            datamodels.extend(detection.datamodel)
+        self.tags.datamodels = set(datamodels)
+
+    
+    
+        kill_chain_phases = []
+        for detection in self.detections:
+            kill_chain_phases.extend(detection.tags.kill_chain_phases)
+        self.tags.kill_chain_phases = set(kill_chain_phases)
+
+        return self
+
+
+    @computed_field
+    @property
+    def author_name(self)->str:
+        match_author = re.search(r'^([^,]+)', self.author)
+        if match_author is None:
+            return 'no'
+        else:
+            return match_author.group(1)
+
+    @computed_field
+    @property
+    def author_company(self)->str:
+        match_company = re.search(r',\s?(.*)$', self.author)
+        if match_company is None:
+            return 'no'
+        else:
+            return match_company.group(1)
+
+    @computed_field
+    @property
+    def author_email(self)->str:
+        return "-"
+
+    @computed_field
+    @property
+    def detection_names(self)->List[str]:
+        return [detection.name for detection in self.detections]
+    
+    @computed_field
+    @property
+    def investigation_names(self)->List[str]:
+        return [investigation.name for investigation in self.investigations]
+
+    @computed_field
+    @property
+    def baseline_names(self)->List[str]:        
+        return [baseline.name for baseline in self.baselines]
+    
+   
+    
+    
+ 

contentctl/objects/story_tags.py

@@ -1,38 +1,51 @@
+from __future__ import annotations
+from pydantic import BaseModel, Field, model_serializer, ConfigDict
+from typing import List,Set,Optional, Annotated
 
+from enum import Enum
 
-from pydantic import BaseModel, validator, ValidationError
 from contentctl.objects.mitre_attack_enrichment import MitreAttackEnrichment
-from contentctl.objects.enums import StoryCategory
+from contentctl.objects.enums import StoryCategory, DataModel, KillChainPhase, SecurityContentProductName
+
+
+class StoryUseCase(str,Enum):
+   FRAUD_DETECTION = "Fraud Detection"
+   COMPLIANCE = "Compliance"
+   APPLICATION_SECURITY = "Application Security"
+   SECURITY_MONITORING = "Security Monitoring"
+   ADVANCED_THREAD_DETECTION = "Advanced Threat Detection"
 
 class StoryTags(BaseModel):
-    # story spec
-    name: str
-    analytic_story: str
-    category: list[StoryCategory]
-    product: list
-    usecase: str
-
-    # enrichment
-    mitre_attack_enrichments: list[MitreAttackEnrichment] = []
-    mitre_attack_tactics: list = []
-    datamodels: list = []
-    kill_chain_phases: list = []
-
-
-    @validator('product')
-    def tags_product(cls, v, values):
-        valid_products = [
-            "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud",
-            "Splunk Security Analytics for AWS", "Splunk Behavioral Analytics"
-        ]
-
-        for value in v:
-            if value not in valid_products:
-                raise ValueError('product is not valid for ' + values['name'] + '. valid products are ' + str(valid_products))
-        return v
-
-    @validator('category')
-    def category_validate(cls,v,values):
-        if len(v) == 0:
-            raise ValueError(f"Error for Story '{values['name']}' - at least one 'category' MUST be provided.")
-        return v
+   model_config = ConfigDict(extra='forbid', use_enum_values=True)
+   category: List[StoryCategory] = Field(...,min_length=1)
+   product: List[SecurityContentProductName] = Field(...,min_length=1)
+   usecase: StoryUseCase = Field(...)
+
+   # enrichment
+   mitre_attack_enrichments: Optional[List[MitreAttackEnrichment]] = None
+   mitre_attack_tactics: Optional[Set[Annotated[str, Field(pattern="^T\d{4}(.\d{3})?$")]]] = None
+   datamodels: Optional[Set[DataModel]] = None
+   kill_chain_phases: Optional[Set[KillChainPhase]] = None
+   cve: List[Annotated[str, "^CVE-[1|2][0-9]{3}-[0-9]+$"]] = []
+   group: List[str] = Field([], description="A list of groups who leverage the techniques list in this Analytic Story.")
+
+   def getCategory_conf(self) -> str:
+      #if len(self.category) > 1:
+      #   print("Story with more than 1 category.  We can only have 1 category, fix it!")
+      return list(self.category)[0]
+   
+   @model_serializer
+   def serialize_model(self):
+      #no super to call
+      return {
+         "category": list(self.category),
+         "product": list(self.product),
+         "usecase": self.usecase,
+         "mitre_attack_enrichments": self.mitre_attack_enrichments,
+         "mitre_attack_tactics": list(self.mitre_attack_tactics) if self.mitre_attack_tactics is not None else None,
+         "datamodels": list(self.datamodels) if self.datamodels is not None else None,
+         "kill_chain_phases": list(self.kill_chain_phases) if self.kill_chain_phases is not None else None  
+      }
+
+        
+    

contentctl/objects/unit_test.py

@@ -1,4 +1,9 @@
-
+from __future__ import annotations
+from pydantic import Field
+from typing import TYPE_CHECKING
+if TYPE_CHECKING:
+    from contentctl.objects.unit_test_attack_data import UnitTestAttackData
+    from contentctl.objects.unit_test_result import UnitTestResult
 
 from typing import Union
 
@@ -20,7 +25,7 @@ class UnitTest(BaseTest):
     # contentType: SecurityContentType = SecurityContentType.unit_tests
 
     # The test type (unit)
-    test_type: TestType = Field(TestType.UNIT, const=True)
+    test_type: TestType = Field(TestType.UNIT)
 
     # The condition to check if the search was successful
     pass_condition: Union[str, None] = None

contentctl/objects/unit_test_attack_data.py

@@ -1,22 +1,13 @@
-from pydantic import BaseModel, validator, ValidationError
-from contentctl.helper.utils import Utils
-from typing import Union
+from __future__ import annotations
+from pydantic import BaseModel, HttpUrl, FilePath, Field
+from typing import Union, Optional
 
 
 class UnitTestAttackData(BaseModel):
-    file_name: str = None
-    data: str = None
-    source: str = None
-    sourcetype: str = None
-    update_timestamp: bool = None
-    custom_index: str = None
-    host: str = None
-
-    @validator("data", always=True)
-    def validate_data(cls, v, values):
-        return v
-        try:
-            Utils.verify_file_exists(v)
-        except Exception as e:
-            raise (ValueError(f"Cannot find file {v}: {str(e)}"))
-        return v
+    data: Union[HttpUrl, FilePath] = Field(...)
+    # TODO - should source and sourcetype should be mapped to a list
+    # of supported source and sourcetypes in a given environment?
+    source: str = Field(...)
+    sourcetype: str = Field(...)
+    custom_index: Optional[str] = None
+    host: Optional[str] = None

contentctl/objects/unit_test_baseline.py

@@ -1,6 +1,6 @@
 
 
-from pydantic import BaseModel, validator, ValidationError
+from pydantic import BaseModel
 from typing import Union
 
 class UnitTestBaseline(BaseModel):

contentctl/objects/unit_test_old.py

@@ -1,9 +1,10 @@
-from pydantic import BaseModel, validator, ValidationError
+from __future__ import annotations
+from pydantic import BaseModel
 
 
-from contentctl.objects.unit_test import UnitTest
+from contentctl.objects.unit_test_ssa import UnitTestSSA
 
 
 class UnitTestOld(BaseModel):
     name: str
-    tests: list[UnitTest]
+    tests: list[UnitTestSSA]

contentctl/objects/unit_test_result.py

@@ -1,10 +1,12 @@
-from typing import Union
+from __future__ import annotations
 
+from typing import Union,TYPE_CHECKING
 from splunklib.data import Record
-
-from contentctl.objects.test_config import Infrastructure
 from contentctl.objects.base_test_result import BaseTestResult, TestResultStatus
 
+if TYPE_CHECKING:
+    from contentctl.objects.config import Infrastructure
+
 FORCE_TEST_FAILURE_FOR_MISSING_OBSERVABLE = False
 
 NO_SID = "Testing Failed, NO Search ID"

contentctl/objects/unit_test_ssa.py

@@ -0,0 +1,31 @@
+from __future__ import annotations
+from typing import Optional
+from pydantic import BaseModel, Field
+from pydantic import Field
+
+
+class UnitTestAttackDataSSA(BaseModel):
+    file_name:Optional[str] = None
+    data: str = Field(...)
+    # TODO - should source and sourcetype should be mapped to a list
+    # of supported source and sourcetypes in a given environment?
+    source: str = Field(...)
+
+    sourcetype: Optional[str] = None
+
+
+class UnitTestSSA(BaseModel):
+    """
+    A unit test for a detection
+    """
+    name: str
+
+    # The attack data to be ingested for the unit test
+    attack_data: list[UnitTestAttackDataSSA] = Field(...)
+
+
+
+
+
+    
+