contentctl 3.6.0__py3-none-any.whl → 4.0.2__py3-none-any.whl

contentctl/templates/deployments/{00_default_anomaly.yml → escu_default_configuration_anomaly.yml}

@@ -2,6 +2,7 @@ name: ESCU Default Configuration Anomaly
 id: a9e210c6-9f50-4f8b-b60e-71bb26e4f216
 date: '2021-12-21'
 author: Patrick Bareiss
+type: Anomaly
 description: This configuration file applies to all detections of type anomaly.
   These detections will use Risk Based Alerting.
 scheduling:
@@ -12,5 +13,3 @@ scheduling:
 alert_action:
   rba:
     enabled: 'true'
-tags:
-  type: Anomaly

contentctl/templates/deployments/{00_default_baseline.yml → escu_default_configuration_baseline.yml}

@@ -2,11 +2,10 @@ name: ESCU Default Configuration Baseline
 id: 0f7ee854-1aad-4bef-89c5-5c402b488510
 date: '2021-12-21'
 author: Patrick Bareiss
+type: Baseline
 description: This configuration file applies to all detections of type baseline.
 scheduling:
   cron_schedule: 10 0 * * *
   earliest_time: -1450m@m
   latest_time: -10m@m
   schedule_window: auto
-tags:
-  type: Baseline

contentctl/templates/deployments/{00_default_correlation.yml → escu_default_configuration_correlation.yml}

@@ -2,6 +2,7 @@ name: ESCU Default Configuration Correlation
 id: 36ba498c-46e8-4b62-8bde-67e984a40fb4
 date: '2021-12-21'
 author: Patrick Bareiss
+type: Correlation
 description: This configuration file applies to all detections of type Correlation.
   These correlations will generate Notable Events.
 scheduling:
@@ -16,5 +17,4 @@ alert_action:
     nes_fields: 
     - user
     - dest
-tags:
-  type: 'Correlation'
+

contentctl/templates/deployments/{00_default_hunting.yml → escu_default_configuration_hunting.yml}

@@ -2,11 +2,11 @@ name: ESCU Default Configuration Hunting
 id: cc5895e8-3420-4ab7-af38-cf87a28f9c3b
 date: '2021-12-21'
 author: Patrick Bareiss
+type: Hunting
 description: This configuration file applies to all detections of type hunting.
 scheduling:
   cron_schedule: 0 * * * *
   earliest_time: -70m@m
   latest_time: -10m@m
   schedule_window: auto
-tags:
-  type: Hunting
+

contentctl/templates/deployments/{00_default_ttp.yml → escu_default_configuration_ttp.yml}

@@ -2,6 +2,7 @@ name: ESCU Default Configuration TTP
 id: b81cd059-a3e8-4c03-96ca-e168c50ff70b
 date: '2021-12-21'
 author: Patrick Bareiss
+type: TTP
 description: This configuration file applies to all detections of type TTP.
   These detections will use Risk Based Alerting and generate Notable Events.
 scheduling:
@@ -18,5 +19,3 @@ alert_action:
     - dest
   rba:
     enabled: 'true'
-tags:
-  type: TTP

contentctl/templates/detections/anomalous_usage_of_7zip.yml

@@ -32,7 +32,6 @@ references:
 tags:
   analytic_story:
   - Cobalt Strike
-  - NOBELIUM Group
   asset_type: Endpoint
   confidence: 80
   impact: 80

contentctl/templates/stories/cobalt_strike.yml

@@ -51,7 +51,6 @@ references:
 - https://github.com/MichaelKoczwara/Awesome-CobaltStrike-Defence
 - https://github.com/zer0yu/Awesome-CobaltStrike
 tags:
-  analytic_story: Cobalt Strike
   category:
   - Adversary Tactics
   product:

{contentctl-3.6.0.dist-info → contentctl-4.0.2.dist-info}/METADATA

@@ -1,33 +1,33 @@
 Metadata-Version: 2.1
 Name: contentctl
-Version: 3.6.0
+Version: 4.0.2
 Summary: Splunk Content Control Tool
 License: Apache 2.0
 Author: STRT
 Author-email: research@splunk.com
-Requires-Python: >=3.9,<4.0
+Requires-Python: >=3.11,<4.0
 Classifier: License :: Other/Proprietary License
 Classifier: Programming Language :: Python :: 3
-Classifier: Programming Language :: Python :: 3.9
-Classifier: Programming Language :: Python :: 3.10
 Classifier: Programming Language :: Python :: 3.11
 Classifier: Programming Language :: Python :: 3.12
 Requires-Dist: Jinja2 (>=3.1.2,<4.0.0)
-Requires-Dist: PyYAML (>=6.0,<7.0)
+Requires-Dist: PyYAML (>=6.0.1,<7.0.0)
 Requires-Dist: attackcti (>=0.3.7,<0.4.0)
-Requires-Dist: bottle (>=0.12.23,<0.13.0)
-Requires-Dist: docker (>=6.0.1,<7.0.0)
-Requires-Dist: gitpython (>=3.1.29,<4.0.0)
+Requires-Dist: bottle (>=0.12.25,<0.13.0)
+Requires-Dist: docker (>=6.1.3,<7.0.0)
+Requires-Dist: gitpython (>=3.1.43,<4.0.0)
 Requires-Dist: pycvesearch (>=1.2,<2.0)
-Requires-Dist: pydantic (>=1.10.11,<2.0.0)
-Requires-Dist: pysigma (>=0.10.5,<0.11.0)
+Requires-Dist: pydantic (>=2.5.1,<3.0.0)
+Requires-Dist: pygit2 (>=1.14.1,<2.0.0)
+Requires-Dist: pysigma (>=0.10.8,<0.11.0)
 Requires-Dist: pysigma-backend-splunk (>=1.0.3,<2.0.0)
-Requires-Dist: questionary (>=1.10.0,<2.0.0)
-Requires-Dist: requests (>=2.28.1,<3.0.0)
+Requires-Dist: questionary (>=2.0.1,<3.0.0)
+Requires-Dist: requests (>=2.31.0,<3.0.0)
 Requires-Dist: semantic-version (>=2.10.0,<3.0.0)
-Requires-Dist: splunk-sdk (>=1.7.2,<2.0.0)
-Requires-Dist: tqdm (>=4.65.0,<5.0.0)
-Requires-Dist: validators (>=0.20.0,<0.21.0)
+Requires-Dist: splunk-sdk (>=2.0.1,<3.0.0)
+Requires-Dist: tqdm (>=4.66.1,<5.0.0)
+Requires-Dist: tyro (>=0.8.3,<0.9.0)
+Requires-Dist: validators (>=0.22.0,<0.23.0)
 Requires-Dist: xmltodict (>=0.13.0,<0.14.0)
 Description-Content-Type: text/markdown
 
@@ -211,7 +211,28 @@ contentctl test's default mode allows it to quickly test all content with requir
 6. **docs** - Create documentation as Markdown
 7. **reporting** - Create different reporting files such as a Mitre ATT&CK overlay
 
+# Shell tab-complete
 
+Leveraging the tab completion featureset of the CLI library we're using, you can generate tab completions for `contentctl` automatically, for zsh, bash, and tcsh. For additional details, you can view the docs for the library [here.](https://brentyi.github.io/tyro/tab_completion/) 
+
+### Zsh
+If you already have a location for your ZSH tab completions, you only need to run the generation line and can skip the folder creation, configuring the rest to fit with your shell config.
+
+```zsh
+mkdir -p ~/.zfunc
+contentctl --tyro-write-completion zsh ~/.zfunc/_contentctl
+echo "fpath+=~/.zfunc" >> ~/.zshrc
+echo "autoload -Uz compinit && compinit" >> ~/.zshrc
+source ~/.zshrc
+```
+
+### Bash
+
+```bash
+completion_dir=${BASH_COMPLETION_USER_DIR:-${XDG_DATA_HOME:-$HOME/.local/share}/bash-completion}/completions/
+mkdir -p $completion_dir
+contentctl --tyro-write-completion bash ${completion_dir}/_contentctl
+```
 
 # Acronyms
 | Acronym | Meaning| Description | 

contentctl-4.0.2.dist-info/RECORD

@@ -0,0 +1,168 @@
+contentctl/__init__.py,sha256=IMjkMO3twhQzluVTo8Z6rE7Eg-9U79_LGKMcsWLKBkY,22
+contentctl/actions/acs_deploy.py,sha256=mf3uk495H1EU_LNN-TiOsYCo18HMGoEBMb6ojeTr0zw,1418
+contentctl/actions/apav_deploy.py,sha256=vjq-24zCLRvNyS0FSLyE4L2b4etG-qo4OM6Z9P0NYK4,2999
+contentctl/actions/api_deploy.py,sha256=h8r_CjsQo4RXzBN4Q8DqoPh6e7JfNDoXdcxT1nrsaRQ,6965
+contentctl/actions/build.py,sha256=BVc-1E63zeUQ9wWAHTC_fLNvfEK5YT3Z6_QLiE72TQs,4765
+contentctl/actions/convert.py,sha256=0KBWLxvP1hSPXpExePqpOQPRvlQLamvPLyQqeTIWNbk,704
+contentctl/actions/detection_testing/DetectionTestingManager.py,sha256=zg8JasDjCpSC-yhseEyUwO8qbDJIUJbhlus9Li9ZAnA,8818
+contentctl/actions/detection_testing/GitService.py,sha256=Rm5Usc0EZk87rk1W8eKyED6b5CdD0YUQZMjkPfk3ztU,8666
+contentctl/actions/detection_testing/generate_detection_coverage_badge.py,sha256=N5mznaeErVak3mOBwsd0RDBFJO3bku0EZvpayCyU-uk,2259
+contentctl/actions/detection_testing/infrastructures/DetectionTestingInfrastructure.py,sha256=VFhSHdw_0N6ol668hDkaj7yFjPsZqBoFNC8FKzWKICc,53141
+contentctl/actions/detection_testing/infrastructures/DetectionTestingInfrastructureContainer.py,sha256=HVGWCXy0GQeBqu2cVJn5H-I8GY8rwgkkc53ilO1TfZA,6846
+contentctl/actions/detection_testing/infrastructures/DetectionTestingInfrastructureServer.py,sha256=Q1ZfCYOp54O39bgTScZMInkmZiU-bGAM9Hiwr2mq5ms,370
+contentctl/actions/detection_testing/progress_bar.py,sha256=OK9oRnPlzPAswt9KZNYID-YLHxqaYPY821kIE4-rCeA,3244
+contentctl/actions/detection_testing/views/DetectionTestingView.py,sha256=yneZxGnpMvkbWPCTFSWM6hoTCA-JndTMctgTGsLGNNU,7013
+contentctl/actions/detection_testing/views/DetectionTestingViewCLI.py,sha256=Mos0VV2CTSHtIqMPLwtEJlMEU7LE7TXFjM6GUA1G6hM,2050
+contentctl/actions/detection_testing/views/DetectionTestingViewFile.py,sha256=OJgmQgoVnzy7p1MN9bDyKGUhFWKzQc6ejc4F87uZG1I,1123
+contentctl/actions/detection_testing/views/DetectionTestingViewWeb.py,sha256=6mecacXFoTJxcHiRZSnlHos5Hca1jdedEEZfiIAhaJg,4706
+contentctl/actions/doc_gen.py,sha256=YNc1VYA0ikL1hWDHYjfEOmUkfhy8PEIdvTyC4ZLxQRY,863
+contentctl/actions/initialize.py,sha256=2h3_A68mNWcyZjbrKF-OeQXBi5p4Zu3z74K7QxEtII4,1749
+contentctl/actions/initialize_old.py,sha256=0qXbW_fNDvkcnEeL6Zpte8d-hpTu1REyzHsXOCY-YB8,9333
+contentctl/actions/inspect.py,sha256=31v7hISc8B8w5tyMnBPSDb3AHRpm-K9rn-WqJRegzBQ,12628
+contentctl/actions/new_content.py,sha256=s2ovk-F-T_Z1O_bi0DgLHrkersD9AsDNW2Y66lY4jbg,5792
+contentctl/actions/release_notes.py,sha256=akkFfLhsJuaPUyjsb6dLlKt9cUM-JApAjTFQMbYoXeM,13115
+contentctl/actions/reporting.py,sha256=MJEmvmoA1WnSFZEU9QM6daL_W94oOX0WXAcX1qAM2As,1583
+contentctl/actions/test.py,sha256=JXW1CR-tTM2kJ-U5NRG8quY3JlnOb4OmCBgX24XYWJ0,4896
+contentctl/actions/validate.py,sha256=-yZuhFBzqZvtT5FOFO4o4-U72tv6urrAG9QCFwqX4os,2363
+contentctl/contentctl.py,sha256=qiowJPiIdMkh8KkbiYhDyVBc1sKJTBKEXhZDwMC-mAk,10083
+contentctl/enrichments/attack_enrichment.py,sha256=EkEloG3hMmPTloPyYiVkhq3iT_BieXaJmprJ5stfyRw,6732
+contentctl/enrichments/cve_enrichment.py,sha256=r5a2DVpbz7wBW8iU4-OhXmSmJQ28JnFDQJt8XZ96MVo,3934
+contentctl/enrichments/splunk_app_enrichment.py,sha256=zDNHFLZTi2dJ1gdnh0sHkD6F1VtkblqFnhacFcCMBfc,3418
+contentctl/helper/link_validator.py,sha256=-XorhxfGtjLynEL1X4hcpRMiyemogf2JEnvLwhHq80c,7139
+contentctl/helper/logger.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+contentctl/helper/utils.py,sha256=iZ6keMdTCs1XySiDVoGIGkMSxD_eDUphwEW-VUYA6vM,15659
+contentctl/input/backend_splunk_ba.py,sha256=Y70tJqgaUM0nzfm2SiGMof4HkhY84feqf-xnRx1xPb4,5861
+contentctl/input/director.py,sha256=CNAzSpO2fjjnhyezOGn9u5QiKq3Xqq7rHI-X9LrpyCo,10716
+contentctl/input/new_content_questions.py,sha256=eV6iHQ9-xCdlDJ0PgUEb0Zfokfmu62sYQnIGjShsf6k,5718
+contentctl/input/sigma_converter.py,sha256=ATFNW7boNngp5dmWM7Gr4rMZrUKjvKW2_qu28--FdiU,19391
+contentctl/input/ssa_detection_builder.py,sha256=43B7q4A8MEMjUU-FR7UapO80deW6BooV9WYzZWxcvgI,8377
+contentctl/input/yml_reader.py,sha256=oaal24UP8rDXkCmN5I3GnIheZrsgkhbKOlzXtyhB474,1475
+contentctl/objects/abstract_security_content_objects/detection_abstract.py,sha256=YRbDXBFk_To77jyCkUqhswLV4n9IwJGTSDaiAnI7sFU,30167
+contentctl/objects/abstract_security_content_objects/security_content_object_abstract.py,sha256=cdBb7Yb3vYkD8xRKMWPG8Aq7oAKfw9fRIBGvjYw8zT0,8065
+contentctl/objects/alert_action.py,sha256=E9gjCn5C31h0sN7k90KNe4agRxFFSnMW_Z-Ri_3YQss,1335
+contentctl/objects/atomic.py,sha256=a_G_iliAm86BunpAAG86aAL3LAEGpd9Crp7t7-PxYvI,8979
+contentctl/objects/base_test.py,sha256=6hCL9K-N_jJx1zLbuZQCsB93_XWj6JcGGs2PbbjzJWo,1028
+contentctl/objects/base_test_result.py,sha256=dPupudgeXW64Emk9YJfS5JhUXbZwpEZrrx_DiqbRgvU,4752
+contentctl/objects/baseline.py,sha256=x9vXa45kT2Qu7xQ0icPLvVJLFF6Hrj9svqdbuKtHzDc,2248
+contentctl/objects/baseline_tags.py,sha256=JLdlCUc_DEccMQD6f-sa2qD8pcxYiwMUT_sRZEhW7ZA,2978
+contentctl/objects/config.py,sha256=lwiEJu9M3KVP8krH3ieI-4Yke-nI1dRYbStouLmHIWo,43708
+contentctl/objects/constants.py,sha256=1LjiK9A7t0aHHkJz2mrW-DImdW1P98GPssTwmwNNI_M,3468
+contentctl/objects/correlation_search.py,sha256=B97vCt2Ew7PGgqd5Y9l6RD3DJdy51Eh7Gzkxxs2xqZ0,36891
+contentctl/objects/data_source.py,sha256=ELNsNsarVHJgytPTcaGZOoWgub2v_-Q0xtc_-xUM8yg,405
+contentctl/objects/deployment.py,sha256=Qc6M4yeOvxjqFKR8sfjd4CG06AbVheTOqP1mwqo4t8s,2651
+contentctl/objects/deployment_email.py,sha256=Zu9cXZdfOP6noa_mZpiK1GrYCTgi3Mim94iLGjE674c,147
+contentctl/objects/deployment_notable.py,sha256=QhOI7HEkUuuqk0fum9SD8IpYBlbwIsJUff8s3kCKKj4,198
+contentctl/objects/deployment_phantom.py,sha256=EmRlPKpEij4vqUJgACqK_zcGBmHV8xXczkJi-FxMDio,207
+contentctl/objects/deployment_rba.py,sha256=YFLSKzLU7s8Bt1cJkSBWlfCsc_2MfgiwyaDijQOVlFE,125
+contentctl/objects/deployment_scheduling.py,sha256=bQjbJHNaUGdU1VAGV8-nFOHzHutbIlt7FZpUvR1CV4Y,198
+contentctl/objects/deployment_slack.py,sha256=P6z8OLHDKcDWx7nbKWasqBc3dFRatGcpO2GtmxzVV8I,135
+contentctl/objects/detection.py,sha256=3W41cXf3ECjWuPqWrseqSLC3PAA7O5_nENWWM6MPK0Y,620
+contentctl/objects/detection_tags.py,sha256=dYCa4SfoqRiSOwYpbWo93vLGPxy6V9pArCZMWb5fxZs,10238
+contentctl/objects/enums.py,sha256=2gLRtJ-dHW_xMFdbjOp0LaX_fEV0V-YAZn2JY9gUzJ8,14030
+contentctl/objects/integration_test.py,sha256=W_VksBN_cRo7DTXdr1aLujjS9mgkEp0uvoNpmL0dVnQ,1273
+contentctl/objects/integration_test_result.py,sha256=DrIZRRlILSHGcsK_Rlm3KJLnbKPtIen8uEPFi4ZdJ8s,370
+contentctl/objects/investigation.py,sha256=JRoZxc_qi1fu_VFTRaxOc3B7zzSzCfEURsNzWPUCrtY,2620
+contentctl/objects/investigation_tags.py,sha256=nFpMRKBVBsW21YW_vy2G1lXaSARX-kfFyrPoCyE77Q8,1280
+contentctl/objects/lookup.py,sha256=P8YbzdDAj_MsTBJTEsym35zhQjiN9Eq0MlfON-qvuTM,4556
+contentctl/objects/macro.py,sha256=qUnS1UuGrq2nXj49N2qmwzZDJwyfTCqu3KSZMB6CfWk,2451
+contentctl/objects/mitre_attack_enrichment.py,sha256=bWrMG-Xj3knmULR5q2YZk7mloJBdQUzU1moZfEw9lQM,1073
+contentctl/objects/notable_action.py,sha256=ValkblBaG-60TF19y_vSnNzoNZ3eg48wIfr0qZxyKTA,1605
+contentctl/objects/observable.py,sha256=-nbVASkwyLpstWQk9Za1Hyjg0etGHiZArg7doEOS02k,1156
+contentctl/objects/playbook.py,sha256=hSYYpdMhctgpp7uwaPciFqu1yuFI4M1NHy1WBBLyvzM,2469
+contentctl/objects/playbook_tags.py,sha256=NrhTGcgoYSGEZggrfebko0GBOXN9x05IadRUUL_CVfQ,1436
+contentctl/objects/risk_analysis_action.py,sha256=bySNQX5SBIR8L7SDnlTQr_Jn29YqrPFZtSc0KxQox4Y,4288
+contentctl/objects/risk_object.py,sha256=yY4NmEwEKaRl4sLzCRZb1n8kdpV3HzYbQVQ1ClQWYHw,904
+contentctl/objects/security_content_object.py,sha256=j8KNDwSMfZsSIzJucC3NuZo0SlFVpqHfDc6y3-YHjHI,234
+contentctl/objects/ssa_detection.py,sha256=-G6tXfVVlZgPWS64hIIy3M-aMePANAuQvdpXPlgUyUs,5873
+contentctl/objects/ssa_detection_tags.py,sha256=u8annjzo3MYZ-16wyFnuR8qJJzRa4LEhdprMIrQ47G0,5224
+contentctl/objects/story.py,sha256=LQLCCK_3DkP2x8fQOzcnV0d18_gsVFeS06DEK-qaBUE,4526
+contentctl/objects/story_tags.py,sha256=_OSUQ-uC3wCQMO2w6mqdqe-Wd_PhcpEANf-_xg_jyS0,2169
+contentctl/objects/test_group.py,sha256=Yb1sqGom6SkVL8B3czPndz8w3CK8WdwZ39V_cn0_JZQ,2600
+contentctl/objects/threat_object.py,sha256=S8B7RQFfLxN_g7yKPrDTuYhIy9JvQH3YwJ_T5LUZIa4,711
+contentctl/objects/unit_test.py,sha256=5EDsPNUct1UY5OtfX-VwFzhET83OmLA6XcaQiZWL1Uo,1655
+contentctl/objects/unit_test_attack_data.py,sha256=ZmHA83O8i9VZveDAliNp_XVKOuH5ytGN9l3X8v8jm4o,480
+contentctl/objects/unit_test_baseline.py,sha256=XHvOm7qLYfqrP6uC5U_pfgw_pf8-S2RojuNmbo6lXlM,227
+contentctl/objects/unit_test_old.py,sha256=IfvytHG4ZnUhsvXgdczECZbiwv6YLViYdsk9AqeDBjQ,199
+contentctl/objects/unit_test_result.py,sha256=POQfvvPpSw-jQzINBz1_IszUMJ4Wbopu8HRS1Qe6P2M,2940
+contentctl/objects/unit_test_ssa.py,sha256=RURqXb3e0CuI5nNX8PvFucxatAvMmGSUDngVbqNpoiY,653
+contentctl/output/api_json_output.py,sha256=n3OTd5z-Vkmsn7ny6QCAar_jSMNuuJfzAQa7xq_9if4,9085
+contentctl/output/attack_nav_output.py,sha256=95iKV8U9BMMgqh6cCOw1S89Ln73xmJGgJPHTYR0L7hA,2304
+contentctl/output/attack_nav_writer.py,sha256=64ILZLmNbh2XLmbopgENkeo6t-4SRRG8xZXBmtpNd4g,2219
+contentctl/output/ba_yml_output.py,sha256=Lrk13Q9-f71i3c0oNrT50G94PxdogG4k4-MI-rTMOAo,5950
+contentctl/output/conf_output.py,sha256=qCRT77UKNFCe4AufeBV8Uz9lkPqgpGzU1Y149RuEnis,10147
+contentctl/output/conf_writer.py,sha256=2TaCAPEtU-bMa7A2m7xOxh93PMpzIdhwiHiPLUCeCB4,8281
+contentctl/output/detection_writer.py,sha256=AzxbssNLmsNIOaYKotew5-ONoyq1cQpKSGy3pe191B0,960
+contentctl/output/doc_md_output.py,sha256=gf7osH1uSrC6js3D_I72g4uDe9TaB3tsvtqCHi5znp0,3238
+contentctl/output/finding_report_writer.py,sha256=Me6FtvDbmSSRqYr5rtrtuc5YVze48PyPbrjyAXJ-V4A,3935
+contentctl/output/jinja_writer.py,sha256=bdiqr9FaXYxth4wZ1A52zTMAS5stHNGpezTkaS5pres,1119
+contentctl/output/json_writer.py,sha256=Z-iVLnZb8tzYATxbQtXax0dz572lVPFMNVTx-vWbnog,1007
+contentctl/output/new_content_yml_output.py,sha256=ktZ9miHluqkw8jD-pn-62bjVp1sQqqQ7B53xy18DHU8,2321
+contentctl/output/svg_output.py,sha256=T2p4S085MKj5VPZKvo4tWBVOmYme32J9L7kMEBm3SwQ,2751
+contentctl/output/templates/analyticstories_detections.j2,sha256=MYefoyWAq4b7dth3OlbMWNhFnH3_nnMKaOfw0lMkxT4,917
+contentctl/output/templates/analyticstories_investigations.j2,sha256=7bwt_6U3dr9hbxOUkp0a1KnRJohNgC7GE1zRg_N_awI,515
+contentctl/output/templates/analyticstories_stories.j2,sha256=w_MIadmsynoO_tCmofZj3_5TEmxeHnQEPJuhYaqqc-4,668
+contentctl/output/templates/app.conf.j2,sha256=Y9vDwdU1yRTQZ7jBQWLFo0XAEerN_6IXrkXdS3xkcuM,737
+contentctl/output/templates/app.manifest.j2,sha256=n9TBpikEOD-HQzsad4Fmd0iH5cosRQ12SiXXYZhcO0g,1063
+contentctl/output/templates/collections.j2,sha256=rDpAcqM6hRiyCQPgfRh8KcL41Mrqsc97krQ-JPFhSBQ,181
+contentctl/output/templates/content-version.j2,sha256=2-it0TF5BvqUcmUXVFB4DEh0I01igQGDxZNJpdtDFIA,54
+contentctl/output/templates/detection_count.j2,sha256=9U3o-P_ECkMknsooj_L3B9GZqjnsbaEzr59s3-DOK0I,670
+contentctl/output/templates/detection_coverage.j2,sha256=guE4fow9BqGoCCrQ3b6-EZqWJcThb58V9khuIH7nhT0,631
+contentctl/output/templates/doc_detection_page.j2,sha256=kATedDq0Z8tzxKiD3nD0_-7YiOrjssUMYSDenRYTh6A,1012
+contentctl/output/templates/doc_detections.j2,sha256=QKP2u22bFQFSG6I_Iw1_wR7uza-OXI70roSCbEijLiE,6596
+contentctl/output/templates/doc_navigation.j2,sha256=h25ITC3xcAM17uZGIyyDFURmEdYtQSPvNeWN3RH7j4Q,1471
+contentctl/output/templates/doc_navigation_pages.j2,sha256=ptfjbD4F0Ob7dze9at2q5gqOslcbL3eteUO1zsblDJo,203
+contentctl/output/templates/doc_playbooks.j2,sha256=CWsnm8F097oYT8anW3CE7JaX1haAJTfylThP1ic0UIw,1681
+contentctl/output/templates/doc_playbooks_page.j2,sha256=2d5UNDSOxyMtxKGxGHzJ2Ny_UrqTq267NO1h-lmNduc,679
+contentctl/output/templates/doc_stories.j2,sha256=0J3dAbfSZz-Ma1-C9B6vYPKGwrxoZryYoudy3wUIT4s,1827
+contentctl/output/templates/doc_story_page.j2,sha256=jrf-As8GbqLarRoiDipfM9ZUVRl_bhdNsy-XaCrBaXE,874
+contentctl/output/templates/es_investigations_investigations.j2,sha256=M4beFAFrkdhOIda2uYOXOxm9eBTdtSrTg07ke8FcELs,1013
+contentctl/output/templates/es_investigations_stories.j2,sha256=3_adGXuyMR6v-k3uc6_ht13UqX1AI4HagRdokwW0tqk,388
+contentctl/output/templates/finding_report.j2,sha256=DS9ElRGeyz7UFPiTXiqbhUzOrT4eN8oetdBheQJRFck,1753
+contentctl/output/templates/header.j2,sha256=3usV7jm1q6J-QNnQrZzII9cN0XEGQjg_eVKrEQwfOG0,201
+contentctl/output/templates/macros.j2,sha256=SLcQQ5X7TZS8j-2qP06BTXqdIcnwoYqTAaBLX2Dge7Y,390
+contentctl/output/templates/panel.j2,sha256=Cw_W6p-14n6UivVfpS75KKJiJ2VpdGsSBceYsUYe9gk,221
+contentctl/output/templates/savedsearches_baselines.j2,sha256=xr05J9WJSVdwpiBoPWEejZ1hmeqInyDKyDH4kjzHP6U,1743
+contentctl/output/templates/savedsearches_detections.j2,sha256=NpQNRF6GutVpcpt7BaPOFesvZhBsAoI3CHrtYnRnbo4,6805
+contentctl/output/templates/savedsearches_investigations.j2,sha256=aFIDK4NqtsZr3fb4F_tv9UQTQ2Z-n9pkP5rIocPA65Q,1259
+contentctl/output/templates/transforms.j2,sha256=-cSoie0LgJwibtW-GMhc9BQlmS6h1s1Vykm9O2M0f9Y,1456
+contentctl/output/templates/workflow_actions.j2,sha256=DFoZVnCa8dMRHjW2AdpoydBC0THgiH_W-Nx7WI4-uR4,925
+contentctl/output/yml_output.py,sha256=xtTD3f_WWy8O6Joi4S8gG9paot8JpQFRlwt17_ek5B4,2682
+contentctl/output/yml_writer.py,sha256=UsVhIJ-QmDB3B3GKiapMZ_ZBCJt_mefBzVmUwD9WfNw,271
+contentctl/templates/README,sha256=Hg4LI9g_ss8o3u060woDkhunLXHMtKOhuFK2i-xJpuM,133
+contentctl/templates/app_default.yml,sha256=kDeYdJbfMADQPcho8iH1nqgTFrHNt4EXnIJjPHc2unI,6390
+contentctl/templates/app_template/README/essoc_story_detail.txt,sha256=7hFPBfPpRH28TFl7QchKceZLewQqgFjRWDlmxZzwpmo,897
+contentctl/templates/app_template/README/essoc_summary.txt,sha256=u6wYNYBqmmm7Kn_g_Uex8rRzMQ995MUXCavla95Y1dw,2538
+contentctl/templates/app_template/README/essoc_usage_dashboard.txt,sha256=xYUKKVtdgzPyT3mqdTccaBZuwWnC63lbc9zyYpmHN4o,2432
+contentctl/templates/app_template/README.md,sha256=RT-J9bgRSFsEFgNr9qV6yc2LkfUH_uiMJ2RV4NM9Ymo,366
+contentctl/templates/app_template/default/analytic_stories.conf,sha256=zWuCOOl8SiP7Kit2s-de4KRu3HySLtBSXcp1QnJx0ec,168
+contentctl/templates/app_template/default/app.conf,sha256=eTSq1QI4-BgylZJgnNVg5jQCZFXJVNyEJA33lQAgYoc,685
+contentctl/templates/app_template/default/commands.conf,sha256=U2ccwUeGXKKKt5jo14QY5swi-p9_TSJtaNquOkeF3Yk,319
+contentctl/templates/app_template/default/content-version.conf,sha256=TGzX6qLdzRK7x6b0y5AE8ZF59PLU-DrRfS43fVWITqo,34
+contentctl/templates/app_template/default/data/ui/nav/default.xml,sha256=fKN53HZCtNJbQqq_5pP8e5-5m30DRrJittr6q5s6V_0,236
+contentctl/templates/app_template/default/data/ui/views/escu_summary.xml,sha256=jQhkIthPgEEptCJ2wUCj2lWGHBvUl6JGsKkDfONloxI,8635
+contentctl/templates/app_template/default/data/ui/views/feedback.xml,sha256=uM71EMK2uFz8h68nOTNKGnYxob3HhE_caSL6yA-3H-k,696
+contentctl/templates/app_template/default/distsearch.conf,sha256=5fa9bNr9WuVI2_8tTIftvrRwk27Oz3rUoKh6_xlASFw,156
+contentctl/templates/app_template/default/usage_searches.conf,sha256=mFnhAHGhFHIzl8xxA626thnAjyxs5ZQQfur1PP_Xmbg,4257
+contentctl/templates/app_template/default/use_case_library.conf,sha256=zWuCOOl8SiP7Kit2s-de4KRu3HySLtBSXcp1QnJx0ec,168
+contentctl/templates/app_template/lookups/mitre_enrichment.csv,sha256=tifPQjFoQHtvpb78hxSP2fKHnHeehNbZDwUjdvc0aEM,66072
+contentctl/templates/app_template/metadata/default.meta,sha256=tcYHZkDF44ApDoDQ_rp8MCA8cuT3DVd5atHgulR1Tvc,423
+contentctl/templates/app_template/static/appIcon.png,sha256=jcJ1PNdkBX7Kl_y9Tf0SZ55OJYA2PpwjvkVvBt9_OoE,3658
+contentctl/templates/app_template/static/appIconAlt.png,sha256=uRXjoHQQjs0-BxcK-3KNBEdck1adDNTHMvV14xR4W0g,2656
+contentctl/templates/app_template/static/appIconAlt_2x.png,sha256=I0m-CPRqq7ak9NJQZGGmz6Ac4pmzFV_SonOUxOEDOFs,7442
+contentctl/templates/app_template/static/appIcon_2x.png,sha256=XEpqQzDvzuEV5StzD05XRgxwySqHHLes1hMPy2v5Vdk,3657
+contentctl/templates/datamodels_cim.conf,sha256=RB_SCtpQG_KaC_0lKTCKexVOlEq_ShGwpGlg95aqOfs,9381
+contentctl/templates/datamodels_custom.conf,sha256=6BANthXdqg3fYpYmEqiGZnv4cWheNfXz1uQ_I1JePXc,480
+contentctl/templates/deployments/escu_default_configuration_anomaly.yml,sha256=j_H2wovWBj1EKxVwj3mMoJVQnVm-2Imt7xnB9U1Tun4,418
+contentctl/templates/deployments/escu_default_configuration_baseline.yml,sha256=NzUvaotkk7hatx9EBjROFIwsvSOZXgfAJUvGS8JrUMg,334
+contentctl/templates/deployments/escu_default_configuration_correlation.yml,sha256=iWLqvJnUKVhpKaLBc_w_W65d9HVZgOZfGA-RIpxsH6M,519
+contentctl/templates/deployments/escu_default_configuration_hunting.yml,sha256=hHmM8u7zncpb-32Qv74UoNs0HKwZwCMoKAq2ygDJZbo,329
+contentctl/templates/deployments/escu_default_configuration_ttp.yml,sha256=1D-pvzaH1v3_yCZXaY6njmdvV4S2_Ak8uzzCOsnj9XY,548
+contentctl/templates/detections/anomalous_usage_of_7zip.yml,sha256=hkN214ZOqbQPWyYrqgbOrYb4iA0DroG1AnFRhSC_m0M,3323
+contentctl/templates/macros/security_content_ctime.yml,sha256=Gg1YNllHVsX_YB716H1SJLWzxXZEfuJlnsgB2fuyoHU,159
+contentctl/templates/macros/security_content_summariesonly.yml,sha256=9BYUxAl2E4Nwh8K19F3AJS8Ka7ceO6ZDBjFiO3l3LY0,162
+contentctl/templates/stories/cobalt_strike.yml,sha256=rlaXxMN-5k8LnKBLPafBoksyMtlmsPMHPJOjTiMiZ-M,3063
+contentctl-4.0.2.dist-info/LICENSE.md,sha256=hQWUayRk-pAiOZbZnuy8djmoZkjKBx8MrCFpW-JiOgo,11344
+contentctl-4.0.2.dist-info/METADATA,sha256=xGbT6aNeYGB-__vB1wrMih-Jz2Sb_A8xKb-x3i39QGY,19705
+contentctl-4.0.2.dist-info/WHEEL,sha256=sP946D7jFCHeNz5Iq4fL4Lu-PrWrFsgfLXbbkciIZwg,88
+contentctl-4.0.2.dist-info/entry_points.txt,sha256=5bjZ2NkbQfSwK47uOnA77yCtjgXhvgxnmCQiynRF_-U,57
+contentctl-4.0.2.dist-info/RECORD,,

contentctl/actions/detection_testing/DataManipulation.py

@@ -1,149 +0,0 @@
-import json
-from datetime import datetime
-from datetime import timedelta
-#import fileinput
-import os
-import re
-import io
-
-class DataManipulation:
-
-    def manipulate_timestamp(self, file_path, sourcetype, source):
-
-
-        #print('Updating timestamps in attack_data before replaying')
-        if sourcetype == 'aws:cloudtrail':
-            self.manipulate_timestamp_cloudtrail(file_path)
-
-        if source == 'WinEventLog:System' or source == 'WinEventLog:Security':
-            self.manipulate_timestamp_windows_event_log_raw(file_path)
-
-        if source == 'exchange':
-            self.manipulate_timestamp_exchange_logs(file_path)
-
-
-    def manipulate_timestamp_exchange_logs(self, path):
-        f = io.open(path, "r", encoding="utf-8")
-
-        first_line = f.readline()
-        d = json.loads(first_line)
-        latest_event  = datetime.strptime(d["CreationTime"],"%Y-%m-%dT%H:%M:%S")
-
-        now = datetime.now()
-        now = now.strftime("%Y-%m-%dT%H:%M:%S")
-        now = datetime.strptime(now,"%Y-%m-%dT%H:%M:%S")
-
-        difference = now - latest_event
-        f.close()
-
-        #Mimic the behavior of fileinput but in a threadsafe way
-        #Rename the file, which fileinput does for inplace.
-        #Note that path will now be the new file
-        original_backup_file = f"{path}.bak"    
-        os.rename(path, original_backup_file)
-        
-        with open(original_backup_file, "r") as original_file:
-            with open(path, "w") as new_file:
-                for line in original_file:
-                    d = json.loads(line)
-                    original_time = datetime.strptime(d["CreationTime"],"%Y-%m-%dT%H:%M:%S")
-                    new_time = (difference + original_time)
-
-                    original_time = original_time.strftime("%Y-%m-%dT%H:%M:%S")
-                    new_time = new_time.strftime("%Y-%m-%dT%H:%M:%S")
-                    #There is no end character appended, no need for end=''
-                    new_file.write(line.replace(original_time, new_time))
-
-
-        os.remove(original_backup_file)
-
-    def manipulate_timestamp_windows_event_log_raw(self, path):
-
-        f = io.open(path, "r", encoding="utf-8")
-        self.now = datetime.now()
-        self.now = self.now.strftime("%Y-%m-%dT%H:%M:%S.%fZ")
-        self.now = datetime.strptime(self.now,"%Y-%m-%dT%H:%M:%S.%fZ")
-
-        # read raw logs
-        regex = r'\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M'
-        data = f.read()
-        lst_matches = re.findall(regex, data)
-        if len(lst_matches) > 0:
-            latest_event  = datetime.strptime(lst_matches[-1],"%m/%d/%Y %I:%M:%S %p")
-            self.difference = self.now - latest_event
-            f.close()
-
-            result = re.sub(regex, self.replacement_function, data)
-
-            with io.open(path, "w+", encoding='utf8') as f:
-                f.write(result)
-        else:
-            f.close()
-            return
-
-
-    def replacement_function(self, match):
-        try:
-            event_time = datetime.strptime(match.group(),"%m/%d/%Y %I:%M:%S %p")
-            new_time = self.difference + event_time
-            return new_time.strftime("%m/%d/%Y %I:%M:%S %p")
-        except Exception as e:
-            self.logger.error("Error in timestamp replacement occured: " + str(e))
-            return match.group()
-
-
-    def manipulate_timestamp_cloudtrail(self, path):
-        
-
-        f = io.open(path, "r", encoding="utf-8")
-
-        try:
-            first_line = f.readline()
-            d = json.loads(first_line)
-            latest_event  = datetime.strptime(d["eventTime"],"%Y-%m-%dT%H:%M:%S.%fZ")
-
-            now = datetime.now()
-            now = now.strftime("%Y-%m-%dT%H:%M:%S.%fZ")
-            now = datetime.strptime(now,"%Y-%m-%dT%H:%M:%S.%fZ")
-        except ValueError:
-            first_line = f.readline()
-            d = json.loads(first_line)
-            latest_event  = datetime.strptime(d["eventTime"],"%Y-%m-%dT%H:%M:%SZ")
-
-            now = datetime.now()
-            now = now.strftime("%Y-%m-%dT%H:%M:%SZ")
-            now = datetime.strptime(now,"%Y-%m-%dT%H:%M:%SZ")
-
-        difference = now - latest_event
-        f.close()
-
-
-
-        #Mimic the behavior of fileinput but in a threadsafe way
-        #Rename the file, which fileinput does for inplace.
-        #Note that path will now be the new file
-        original_backup_file = f"{path}.bak"    
-        os.rename(path, original_backup_file)
-        
-        with open(original_backup_file, "r") as original_file:
-            with open(path, "w") as new_file:
-                for line in original_file:
-                    try:
-                        d = json.loads(line)
-                        original_time = datetime.strptime(d["eventTime"],"%Y-%m-%dT%H:%M:%S.%fZ")
-                        new_time = (difference + original_time)
-
-                        original_time = original_time.strftime("%Y-%m-%dT%H:%M:%S.%fZ")
-                        new_time = new_time.strftime("%Y-%m-%dT%H:%M:%S.%fZ")
-                        new_file.write(line.replace(original_time, new_time))
-                    except ValueError:
-                        d = json.loads(line)
-                        original_time = datetime.strptime(d["eventTime"],"%Y-%m-%dT%H:%M:%SZ")
-                        new_time = (difference + original_time)
-
-                        original_time = original_time.strftime("%Y-%m-%dT%H:%M:%SZ")
-                        new_time = new_time.strftime("%Y-%m-%dT%H:%M:%SZ")
-                        new_file.write(line.replace(original_time, new_time))
-
-
-        os.remove(original_backup_file)

contentctl/actions/generate.py

@@ -1,91 +0,0 @@
-import sys
-import shutil
-import os
-
-from dataclasses import dataclass
-
-from contentctl.objects.enums import SecurityContentProduct, SecurityContentType
-from contentctl.input.director import Director, DirectorInputDto, DirectorOutputDto
-from contentctl.output.conf_output import ConfOutput
-from contentctl.output.ba_yml_output import BAYmlOutput
-from contentctl.output.api_json_output import ApiJsonOutput
-import pathlib
-import json
-import datetime
-from typing import Union
-
-@dataclass(frozen=True)
-class GenerateInputDto:
-    director_input_dto: DirectorInputDto
-    splunk_api_username: Union[str,None] = None
-    splunk_api_password: Union[str,None] = None
-    #For most cloud stacks, the stack_type argument has been deprecated for appinspect.
-    #Still, we will pass it in case there are users of very old stacks.
-    stack_type: str = "victoria"
-
-class Generate:
-
-    def execute(self, input_dto: GenerateInputDto) -> DirectorOutputDto:
-        director_output_dto = DirectorOutputDto([],[],[],[],[],[],[],[],[])
-        director = Director(director_output_dto)
-        director.execute(input_dto.director_input_dto)
-
-        if input_dto.director_input_dto.product == SecurityContentProduct.SPLUNK_APP:
-            if (input_dto.splunk_api_username is None) ^ (input_dto.splunk_api_password is None):
-                # Exclusive OR above finds when ONE of these is defined but the other is not
-                if input_dto.splunk_api_password:
-                    raise Exception("splunk_api_password was provided, but splunk_api_username was not. Please provide both or neither")
-                else:
-                    raise Exception("splunk_api_username was provided, but splunk_api_password was not. Please provide both or neither")                
-
-
-            
-            
-            conf_output = ConfOutput(input_dto.director_input_dto.input_path, input_dto.director_input_dto.config)
-            conf_output.writeHeaders()
-            conf_output.writeObjects(director_output_dto.detections, SecurityContentType.detections)
-            conf_output.writeObjects(director_output_dto.stories, SecurityContentType.stories)
-            conf_output.writeObjects(director_output_dto.baselines, SecurityContentType.baselines)
-            conf_output.writeObjects(director_output_dto.investigations, SecurityContentType.investigations)
-            conf_output.writeObjects(director_output_dto.lookups, SecurityContentType.lookups)
-            conf_output.writeObjects(director_output_dto.macros, SecurityContentType.macros)
-            conf_output.writeAppConf()
-            conf_output.packageApp()
-
-            #conf_output.inspectAppCLI()
-            if input_dto.splunk_api_username and input_dto.splunk_api_password:
-                _ = conf_output.inspectAppAPI(input_dto.splunk_api_username, input_dto.splunk_api_password, input_dto.stack_type)
-                
-            print(f'Generate of security content successful to {conf_output.output_path}')
-            return director_output_dto
-
-        elif input_dto.director_input_dto.product == SecurityContentProduct.SSA:
-            output_path = os.path.join(input_dto.director_input_dto.input_path, input_dto.director_input_dto.config.build_ssa.path_root)
-            shutil.rmtree(output_path + '/srs/', ignore_errors=True)
-            shutil.rmtree(output_path + '/complex/', ignore_errors=True)
-            os.makedirs(output_path + '/complex/')
-            os.makedirs(output_path + '/srs/')     
-            ba_yml_output = BAYmlOutput()
-            ba_yml_output.writeObjects(director_output_dto.ssa_detections, output_path)
-
-        elif input_dto.director_input_dto.product == SecurityContentProduct.API:
-            output_path = os.path.join(input_dto.director_input_dto.input_path, input_dto.director_input_dto.config.build_api.path_root)
-            shutil.rmtree(output_path, ignore_errors=True)
-            os.makedirs(output_path)
-            api_json_output = ApiJsonOutput()
-            api_json_output.writeObjects(director_output_dto.detections, output_path, SecurityContentType.detections)
-            api_json_output.writeObjects(director_output_dto.stories, output_path, SecurityContentType.stories)
-            api_json_output.writeObjects(director_output_dto.baselines, output_path, SecurityContentType.baselines)
-            api_json_output.writeObjects(director_output_dto.investigations, output_path, SecurityContentType.investigations)
-            api_json_output.writeObjects(director_output_dto.lookups, output_path, SecurityContentType.lookups)
-            api_json_output.writeObjects(director_output_dto.macros, output_path, SecurityContentType.macros)
-            api_json_output.writeObjects(director_output_dto.deployments, output_path, SecurityContentType.deployments)
- 
-            #create version file for sse api
-            version_file = pathlib.Path(output_path)/"version.json"
-            utc_time = datetime.datetime.utcnow().replace(microsecond=0).isoformat()
-            version_dict = {"version":{"name":f"v{input_dto.director_input_dto.config.build.version}","published_at": f"{utc_time}Z"  }}
-            with open(version_file,"w") as version_f:
-                json.dump(version_dict,version_f)
-                
-        return director_output_dto