contentctl 3.6.0__py3-none-any.whl → 4.0.2__py3-none-any.whl

contentctl/input/new_content_generator.py

@@ -1,95 +0,0 @@
-import os
-import uuid
-import questionary
-from dataclasses import dataclass
-from datetime import datetime
-
-from contentctl.objects.enums import SecurityContentType
-from contentctl.input.new_content_questions import NewContentQuestions
-
-
-@dataclass(frozen=True)
-class NewContentGeneratorInputDto:
-    type: SecurityContentType
-    
-
-@dataclass(frozen=True)
-class NewContentGeneratorOutputDto:
-    obj: dict
-    answers: dict
-
-
-class NewContentGenerator():
-
-    
-    def __init__(self, output_dto: NewContentGeneratorOutputDto) -> None:
-        self.output_dto = output_dto
-
-
-    def execute(self, input_dto: NewContentGeneratorInputDto) -> None:
-        if input_dto.type == SecurityContentType.detections:
-            questions = NewContentQuestions.get_questions_detection()
-            answers = questionary.prompt(questions)
-            self.output_dto.answers.update(answers)
-            self.output_dto.obj['name'] = answers['detection_name']
-            self.output_dto.obj['id'] = str(uuid.uuid4())
-            self.output_dto.obj['version'] = 1
-            self.output_dto.obj['date'] = datetime.today().strftime('%Y-%m-%d')
-            self.output_dto.obj['author'] = answers['detection_author']
-            self.output_dto.obj['data_source'] = answers['data_source']
-            self.output_dto.obj['type'] = answers['detection_type']
-            self.output_dto.obj['status'] = "production" #start everything as production since that's what we INTEND the content to become   
-            self.output_dto.obj['description'] = 'UPDATE_DESCRIPTION'   
-            file_name = self.output_dto.obj['name'].replace(' ', '_').replace('-','_').replace('.','_').replace('/','_').lower()
-            self.output_dto.obj['search'] = answers['detection_search'] + ' | `' + file_name + '_filter`'
-            self.output_dto.obj['how_to_implement'] = 'UPDATE_HOW_TO_IMPLEMENT'
-            self.output_dto.obj['known_false_positives'] = 'UPDATE_KNOWN_FALSE_POSITIVES'            
-            self.output_dto.obj['references'] = ['REFERENCE']
-            self.output_dto.obj['tags'] = dict()
-            self.output_dto.obj['tags']['analytic_story'] = ['UPDATE_STORY_NAME']
-            self.output_dto.obj['tags']['asset_type'] = 'UPDATE asset_type'
-            self.output_dto.obj['tags']['confidence'] = 'UPDATE value between 1-100'
-            self.output_dto.obj['tags']['impact'] = 'UPDATE value between 1-100'
-            self.output_dto.obj['tags']['message'] = 'UPDATE message'
-            self.output_dto.obj['tags']['mitre_attack_id'] = [x.strip() for x in answers['mitre_attack_ids'].split(',')]
-            self.output_dto.obj['tags']['observable'] = [{'name': 'UPDATE', 'type': 'UPDATE', 'role': ['UPDATE']}]
-            self.output_dto.obj['tags']['product'] = ['Splunk Enterprise','Splunk Enterprise Security','Splunk Cloud']
-            self.output_dto.obj['tags']['required_fields'] = ['UPDATE']
-            self.output_dto.obj['tags']['risk_score'] = 'UPDATE (impact * confidence)/100'
-            self.output_dto.obj['tags']['security_domain'] = answers['security_domain']
-            self.output_dto.obj['tags']['cve'] = ['UPDATE WITH CVE(S) IF APPLICABLE']
-            
-            #generate the tests section
-            self.output_dto.obj['tests'] = [
-                {
-                    'name': "True Positive Test",
-                    'attack_data': [ 
-                        {
-                        'data': "Enter URL for Dataset Here.  This may also be a relative or absolute path on your local system for testing.",
-                        "sourcetype": "UPDATE SOURCETYPE",
-                        "source": "UPDATE SOURCE"
-                        }
-                    ]
-                }
-            ]
-            
-        
-
-        elif input_dto.type == SecurityContentType.stories:
-            questions = NewContentQuestions.get_questions_story()
-            answers = questionary.prompt(questions)
-            self.output_dto.answers.update(answers)
-            self.output_dto.obj['name'] = answers['story_name']
-            self.output_dto.obj['id'] = str(uuid.uuid4())
-            self.output_dto.obj['version'] = 1
-            self.output_dto.obj['date'] = datetime.today().strftime('%Y-%m-%d')
-            self.output_dto.obj['author'] = answers['story_author']
-            self.output_dto.obj['description'] = 'UPDATE_DESCRIPTION'
-            self.output_dto.obj['narrative'] = 'UPDATE_NARRATIVE'
-            self.output_dto.obj['references'] = []
-            self.output_dto.obj['tags'] = dict()
-            self.output_dto.obj['tags']['analytic_story'] = self.output_dto.obj['name']
-            self.output_dto.obj['tags']['category'] = answers['category']
-            self.output_dto.obj['tags']['product'] = ['Splunk Enterprise','Splunk Enterprise Security','Splunk Cloud']
-            self.output_dto.obj['tags']['usecase'] = answers['usecase']
-            self.output_dto.obj['tags']['cve'] = ['UPDATE WITH CVE(S) IF APPLICABLE']

contentctl/input/playbook_builder.py

@@ -1,68 +0,0 @@
-
-import sys
-import os
-import pathlib
-from pydantic import ValidationError
-from pathlib import Path
-
-from contentctl.objects.playbook import Playbook
-from contentctl.input.yml_reader import YmlReader
-
-
-class PlaybookBuilder():
-    playbook: Playbook
-    input_path: pathlib.Path
-    
-    
-    def __init__(self, input_path: pathlib.Path):
-        self.input_path = input_path
-
-    def setObject(self, path: pathlib.Path) -> None:
-        yml_dict = YmlReader.load_file(path)
-
-        try:
-            self.playbook = Playbook.parse_obj(yml_dict)
-
-        except ValidationError as e:
-            print('Validation Error for file ' + str(path))
-            print(e)
-            sys.exit(1)
-
-
-    def addDetections(self) -> None:
-        if self.playbook.tags.detections:
-            self.playbook.tags.detection_objects = []
-            for detection in self.playbook.tags.detections:
-                detection_object = {
-                    "name": detection,
-                    "lowercase_name": self.convertNameToFileName(detection),
-                    "path": self.findDetectionPath(detection)
-                }
-                self.playbook.tags.detection_objects.append(detection_object)
-
-
-    def reset(self) -> None:
-        self.playbook = None
-
-
-    def getObject(self) -> Playbook:
-        return self.playbook
-
-
-    def convertNameToFileName(self, name: str):
-        file_name = name \
-            .replace(' ', '_') \
-            .replace('-','_') \
-            .replace('.','_') \
-            .replace('/','_') \
-            .lower()
-        return file_name
-
-
-    def findDetectionPath(self, detection_name: str) -> str:
-        for path in Path(os.path.join(self.input_path, 'detections')).rglob(self.convertNameToFileName(detection_name) + '.yml'):
-            normalized_path = os.path.normpath(path)
-            path_components = normalized_path.split(os.sep)
-            value_index = path_components.index('detections')
-            return "/".join(path_components[value_index:])
-        raise Exception(f"Failed to find detection path for playbook with name '{detection_name}'")

contentctl/input/story_builder.py

@@ -1,106 +0,0 @@
-import re
-import sys
-import pathlib
-from pydantic import ValidationError
-
-from contentctl.objects.story import Story
-from contentctl.objects.enums import SecurityContentType
-from contentctl.objects.config import Config
-from contentctl.input.yml_reader import YmlReader
-
-
-class StoryBuilder():
-    story: Story
-
-    def setObject(self, path: pathlib.Path) -> None:
-        yml_dict = YmlReader.load_file(path)
-        yml_dict["tags"]["name"] = yml_dict["name"]
-
-        try:
-            self.story = Story.parse_obj(yml_dict)
-        except ValidationError as e:
-            print('Validation Error for file ' + str(path))
-            print(e)
-            sys.exit(1)
-
-    def reset(self) -> None:
-        self.story = None
-
-    def getObject(self) -> Story:
-        return self.story
-
-    def addDetections(self, detections: list, config: Config) -> None:
-        matched_detection_names = []
-        matched_detections = []
-        mitre_attack_enrichments = []
-        mitre_attack_tactics = set()
-        datamodels = set()
-        kill_chain_phases = set()
-
-        for detection in detections:
-            if detection:
-                for detection_analytic_story in detection.tags.analytic_story:
-                    if detection_analytic_story == self.story.name:
-                        matched_detection_names.append(str(f'{config.build.prefix} - ' + detection.name + ' - Rule'))
-                        mitre_attack_enrichments_list = []
-                        if (detection.tags.mitre_attack_enrichments):
-                            for attack in detection.tags.mitre_attack_enrichments:
-                                mitre_attack_enrichments_list.append({"mitre_attack_technique": attack.mitre_attack_technique})
-                        tags_obj = {"mitre_attack_enrichments": mitre_attack_enrichments_list}
-                        matched_detections.append({
-                            "name": detection.name,
-                            "source": detection.source,
-                            "type": detection.type,
-                            "tags": tags_obj
-                        })
-                        datamodels.update(detection.datamodel)
-                        if detection.tags.kill_chain_phases:
-                            kill_chain_phases.update(detection.tags.kill_chain_phases)
-
-                        if detection.tags.mitre_attack_enrichments:
-                            for attack_enrichment in detection.tags.mitre_attack_enrichments:
-                                mitre_attack_tactics.update(attack_enrichment.mitre_attack_tactics)
-                                if attack_enrichment.mitre_attack_id not in [attack.mitre_attack_id for attack in mitre_attack_enrichments]:
-                                    mitre_attack_enrichments.append(attack_enrichment)
-
-        self.story.detection_names = matched_detection_names
-        self.story.detections = matched_detections
-        self.story.tags.datamodels = sorted(list(datamodels))
-        self.story.tags.kill_chain_phases = sorted(list(kill_chain_phases))
-        self.story.tags.mitre_attack_enrichments = mitre_attack_enrichments
-        self.story.tags.mitre_attack_tactics = sorted(list(mitre_attack_tactics))
-
-
-    def addBaselines(self, baselines: list) -> None:
-        matched_baseline_names = []
-        for baseline in baselines:
-            for baseline_analytic_story in  baseline.tags.analytic_story:
-                if baseline_analytic_story == self.story.name:
-                    matched_baseline_names.append(str(f'ESCU - ' + baseline.name))
-
-        self.story.baseline_names = matched_baseline_names
-
-    def addInvestigations(self, investigations: list) -> None:
-        matched_investigation_names = []
-        matched_investigations = []
-        for investigation in investigations:
-            for investigation_analytic_story in  investigation.tags.analytic_story:
-                if investigation_analytic_story == self.story.name:
-                    matched_investigation_names.append(str(f'ESCU - ' + investigation.name + ' - Response Task'))
-                    matched_investigations.append(investigation)
-
-        self.story.investigation_names = matched_investigation_names
-        self.story.investigations = matched_investigations
-
-    def addAuthorCompanyName(self) -> None:
-        match_author = re.search(r'^([^,]+)', self.story.author)
-        if match_author is None:
-            self.story.author_name = 'no'
-        else:
-            self.story.author_name = match_author.group(1)
-
-        match_company = re.search(r',\s?(.*)$', self.story.author)
-        if match_company is None:
-            self.story.author_company = 'no'
-        else:
-            self.story.author_company = match_company.group(1)

contentctl/objects/app.py

@@ -1,214 +0,0 @@
-# Needed for a staticmethod to be able to return an instance of the class it belongs to
-from __future__ import annotations
-
-
-import pathlib
-import re
-import os
-
-from pydantic import BaseModel, validator, ValidationError, Extra, Field
-from dataclasses import dataclass
-from datetime import datetime
-from typing import Union
-import validators
-from contentctl.objects.security_content_object import SecurityContentObject
-from contentctl.objects.enums import DataModel
-from contentctl.helper.utils import Utils
-import yaml
-
-SPLUNKBASE_URL = "https://splunkbase.splunk.com/app/{uid}/release/{release}/download"
-ENVIRONMENT_PATH_NOT_SET = "ENVIRONMENT_PATH_NOT_SET"
-
-class App(BaseModel, extra=Extra.forbid):
-
-    # uid is a numeric identifier assigned by splunkbase, so
-    # homemade applications will not have this
-    uid: Union[int, None]
-
-    # appid is basically the internal name of your app
-    appid: str
-
-    # Title is the human readable name for your application
-    title: str
-
-    # Self explanatory
-    description: Union[str, None]
-    release: str
-
-    local_path: Union[str, None]
-    http_path: Union[str, None]
-    # Splunkbase path is made of the combination of uid and release fields
-    splunkbase_path: Union[str, None]
-
-    # Ultimate source of the app. Can be a local path or a Splunkbase Path.
-    # This will be set via a function call and should not be provided in the YML
-    # Note that this is the path relative to the container mount
-    environment_path: str = ENVIRONMENT_PATH_NOT_SET
-    force_local:bool = False
-
-    def configure_app_source_for_container(
-        self,
-        splunkbase_username: Union[str, None],
-        splunkbase_password: Union[str, None],
-        apps_directory: pathlib.Path,
-        container_mount_path: pathlib.Path,
-    ):
-
-        splunkbase_creds_provided = (
-            splunkbase_username is not None and splunkbase_password is not None
-        )
-
-        if splunkbase_creds_provided and self.splunkbase_path is not None and not self.force_local:
-            self.environment_path = self.splunkbase_path
-
-        elif self.local_path is not None:
-            # local path existence already validated
-            filename = pathlib.Path(self.local_path)
-            destination = str(apps_directory / filename.name)
-            Utils.copy_local_file(self.local_path, destination, verbose_print=True)
-            self.environment_path = str(container_mount_path / filename.name)
-
-        elif self.http_path is not None:
-            from urllib.parse import urlparse
-
-            path_on_server = str(urlparse(self.http_path).path)
-            filename = pathlib.Path(path_on_server)
-            download_path = str(apps_directory / filename.name)
-            Utils.download_file_from_http(self.http_path, download_path)
-            self.environment_path = str(container_mount_path / filename.name)
-
-        else:
-            raise (
-                Exception(
-                    f"Unable to download app {self.title}:\n"
-                    f"Splunkbase Path : {self.splunkbase_path}\n"
-                    f"local_path      : {self.local_path}\n"
-                    f"http_path       : {self.http_path}\n"
-                    f"Splunkbase Creds: {splunkbase_creds_provided}\n"
-                )
-            )
-
-    @staticmethod
-    def validate_string_alphanumeric_with_underscores(input: str) -> bool:
-        if len(input) == 0:
-            raise (ValueError(f"String was length 0"))
-
-        for letter in input:
-            if not (letter.isalnum() or letter in "_-"):
-                raise (
-                    ValueError(
-                        f"String '{input}' can only contain alphanumeric characters, underscores, and hyphens."
-                    )
-                )
-        return True
-
-    @validator("uid")
-    def validate_uid(cls, v):
-        return v
-
-    @validator("appid")
-    def validate_appid(cls, v):
-        # Called function raises exception on failure, so we don't need to raise it here
-        cls.validate_string_alphanumeric_with_underscores(v)
-        return v
-
-    @validator("title")
-    def validate_title(cls, v):
-        # Basically, a title can be any string
-        return v
-
-    @validator("description")
-    def validate_description(cls, v):
-        # description can be anything
-        return v
-
-    @validator("release")
-    def validate_release(cls, v):
-        # release can be any string
-        return v
-
-    @validator("local_path")
-    def validate_local_path(cls, v):
-        if v is not None:
-            p = pathlib.Path(v)
-            if not p.exists():
-                raise (ValueError(f"The path local_path {p} does not exist"))
-            elif not p.is_file():
-                raise (ValueError(f"The path local_path {p} exists, but is not a file"))
-
-        # release can be any string
-        return v
-
-    @validator("http_path")
-    def validate_http_path(cls, v, values):
-        if v is not None:
-            try:
-                if bool(validators.url(v)) == False:
-                    raise ValueError(f"URL '{v}' is not a valid URL")
-            except Exception as e:
-                raise (ValueError(f"Error validating the http_path: {str(e)}"))
-        return v
-
-    @validator("splunkbase_path")
-    def validate_splunkbase_path(cls, v, values):
-
-        if v is not None:
-            try:
-                if bool(validators.url(v)) == False:
-                    raise ValueError(f"splunkbase_url {v} is not a valid URL")
-            except Exception as e:
-                raise (ValueError(f"Error validating the splunkbase_url: {str(e)}"))
-
-            if (
-                bool(
-                    re.match(
-                        "^https://splunkbase\.splunk\.com/app/\d+/release/.+/download$",
-                        v,
-                    )
-                )
-                == False
-            ):
-                raise (
-                    ValueError(
-                        f"splunkbase_url {v} does not match the format {SPLUNKBASE_URL}"
-                    )
-                )
-
-        # Try to form the URL and error out if Splunkbase is the only place to get the app
-        if values["uid"] is None:
-            if values["must_download_from_splunkbase"]:
-                raise (
-                    ValueError(
-                        f"Error building splunkbase_url. Attempting to"
-                        f" build the url for '{values['title']}', but no "
-                        f"uid was supplied."
-                    )
-                )
-            else:
-                return None
-
-        if values["release"] is None:
-            if values["must_download_from_splunkbase"]:
-                raise (
-                    ValueError(
-                        f"Error building splunkbase_url. Attempting to"
-                        f" build the url for '{values['title']}', but no "
-                        f"release was supplied."
-                    )
-                )
-            else:
-                return None
-        return SPLUNKBASE_URL.format(uid=values["uid"], release=values["release"])
-
-    @staticmethod
-    def get_default_apps() -> list[App]:
-        all_app_objs: list[App] = []
-        with open(
-            os.path.join(os.path.dirname(__file__), "../", "templates/app_default.yml"),
-            "r",
-        ) as app_data:
-            all_apps_raw = yaml.safe_load(app_data)
-            for a in all_apps_raw:
-                app_obj = App.parse_obj(a)
-                all_app_objs.append(app_obj)
-        return all_app_objs

contentctl/objects/repo_config.py

@@ -1,163 +0,0 @@
-
-
-import pathlib
-
-
-from pydantic import BaseModel, root_validator, validator, ValidationError, Extra, Field
-from pydantic.main import ModelMetaclass
-from dataclasses import dataclass
-from datetime import datetime
-from typing import Union
-
-import validators
-
-from contentctl.objects.enums import SecurityContentProduct
-
-from contentctl.helper.utils import Utils  
-
-from semantic_version import Version
-
-import git
-ALWAYS_PULL = True
-
-SPLUNKBASE_URL = "https://splunkbase.splunk.com/app/{uid}/release/{release}/download"
-
-class Manifest(BaseModel):
-    #Note that many of these fields are mirrored from App
-
-    #Some information about the developer of the app 
-    author_name: str = Field(default=None, title="Enter the name of the app author")
-    author_email: str = Field(default=None, title="Enter a contact email for the develop(s) of the app")
-    author_company: str = Field(default=None, title="Enter the company who is developing the app")
-
-    #uid is a numeric identifier assigned by splunkbase, so
-    #homemade applications will not have this
-    uid: Union[int, None] = Field(default=None, title="Unique numeric identifier assigned by Splunkbase to identify your app. You can find it in the URL of your app's landing page.  If you do not have one, leave this blank.")
-
-    #appid is basically the internal name of you app
-    appid: str = Field(default=None, title="Internal name of your app.  Note that it MUST be alphanumeric with underscores, but no spaces or other special characters")
-    
-    #Title is the human readable name for your application
-    title: str = Field(default=None, title="Human-Readable name for your app. This can include any characters you want")
-
-    #Self explanatory
-    description: Union[str,None] = Field(default=None, title="Provide a helpful description of the app.")
-    release: str = Field(default=None, title="Provide a name for the current release of the app.  This MUST follow semantic version format MAJOR.MINOR.PATCH[-tag]")
-
-    
-
-    @validator('author_email', always=True)
-    def validate_author_email(cls, v):
-        print("email is")
-        print(v)
-        if bool(validators.email(v)) == False:
-            raise(ValueError(f"Email address {v} is invalid"))
-        return v
-    
-    @validator('release', always=True)
-    def validate_release(cls, v):
-        try:    
-            Version(v)
-        except Exception as e:
-            raise(ValueError(f"The string '{v}' is not a valid Semantic Version.  For more information on Semantic Versioning, please refer to https://semver.org/"))
-        
-        return v
-
-
-class RepoConfig(BaseModel):
-
-    #Needs a manifest to be able to properly generate the app
-    manifest:Manifest = Field(default=None, title="Manifest Object")
-    repo_path: str = Field(default='.', title="Path to the root of your app")
-    repo_url: Union[str,None] = Field(default=None, title="HTTP(s) path to the repo for repo_path.  If this field is blank, it will be inferred from the repo")
-    main_branch: str = Field(title="Main branch of the repo.")
-
-    
-    
-    
-    type: SecurityContentProduct = Field(default=SecurityContentProduct.SPLUNK_ENTERPRISE_APP, title=f"What type of product would you like to build.  Choose one of {SecurityContentProduct._member_names_}")
-    skip_enrichment: bool = Field(default=True, title="Whether or not to skip the enrichment processes when validating the app.  Enrichment increases the amount of time it takes to build an app significantly because it must hit a number of Web APIs.")
-
-    input_path: str = Field(default='.', title="Path to the root of your app")
-    output_path: str = Field(default='./dist', title="Path where 'generate' will write out your raw app")
-    #output_path: str = Field(default='./build', title="Path where 'build' will write out your custom app")
-
-    #test_config: TestConfig = Field(default=TestConfig, title="Test Configuration")
-    
-    #@validator('manifest', always=True, pre=True)
-    '''
-    @root_validator(pre=True)
-    def validate_manifest(cls, values):
-        
-        try:
-            print(Manifest.parse_obj(values))
-        except Exception as e:
-            raise(ValueError(f"error validating manifest: {str(e)}"))
-        
-
-        return values
-        print("TWO")
-        #return {}
-        #return Manifest.parse_obj({"email":"invalid_email@gmail.com"})
-    '''
-    @validator('repo_path', always=True)
-    def validate_repo_path(cls,v):
-        
-        try:
-            path = pathlib.Path(v)
-        except Exception as e:
-            raise(ValueError(f"Error, the provided path is is not a valid path: '{v}'"))
-        
-        try:    
-            r = git.Repo(path)
-        except Exception as e:
-            raise(ValueError(f"Error, the provided path is not a valid git repo: '{path}'"))
-        
-        try:
-            
-            if ALWAYS_PULL:
-                r.remotes.origin.pull()
-        except Exception as e:
-            raise ValueError(f"Error pulling git repository {v}: {str(e)}")
-        
-        
-        return v
-
-
-    @validator('repo_url')
-    def validate_repo_url(cls, v, values):
-        
-
-        #First try to get the value from the repo
-        try:
-            remote_url_from_repo = git.Repo(values['repo_path']).remotes.origin.url
-        except Exception as e:
-            raise(ValueError(f"Error reading remote_url from the repo located at {values['repo_path']}"))
-        
-        if v is not None and remote_url_from_repo != v:
-            raise(ValueError(f"The url of the remote repo supplied in the config file {v} does not "\
-                              f"match the value read from the repository at {values['repo_path']}, {remote_url_from_repo}"))
-        
-        
-        if v is None:    
-            v = remote_url_from_repo
-
-        #Ensure that the url is the proper format
-        try:
-            if bool(validators.url(v)) == False:
-                raise(Exception)
-        except:
-            raise(ValueError(f"Error validating the repo_url. The url is not valid: {v}"))
-        
-
-        return v
-
-    @validator('main_branch')
-    def valid_main_branch(cls, v, values):
-    
-
-        try:
-            Utils.validate_git_branch_name(values['repo_path'],values['repo_url'], v)
-        except Exception as e:
-            raise ValueError(f"Error validating main_branch: {str(e)}")
-        return v