contentctl 4.0.3__py3-none-any.whl → 4.0.5__py3-none-any.whl

contentctl/actions/new_content.py

@@ -19,16 +19,21 @@ class NewContent:
         answers = questionary.prompt(questions)
         answers.update(answers)
         answers['name'] = answers['detection_name']
+        del answers['detection_name']
         answers['id'] = str(uuid.uuid4())
         answers['version'] = 1
         answers['date'] = datetime.today().strftime('%Y-%m-%d')
         answers['author'] = answers['detection_author']
+        del answers['detection_author']
         answers['data_source'] = answers['data_source']
         answers['type'] = answers['detection_type']
+        del answers['detection_type']
         answers['status'] = "production" #start everything as production since that's what we INTEND the content to become   
         answers['description'] = 'UPDATE_DESCRIPTION'   
         file_name = answers['name'].replace(' ', '_').replace('-','_').replace('.','_').replace('/','_').lower()
+        answers['kind'] = answers['detection_kind']
         answers['search'] = answers['detection_search'] + ' | `' + file_name + '_filter`'
+        del answers['detection_search']
         answers['how_to_implement'] = 'UPDATE_HOW_TO_IMPLEMENT'
         answers['known_false_positives'] = 'UPDATE_KNOWN_FALSE_POSITIVES'            
         answers['references'] = ['REFERENCE']
@@ -52,7 +57,7 @@ class NewContent:
                 'name': "True Positive Test",
                 'attack_data': [ 
                     {
-                    'data': "Enter URL for Dataset Here.  This may also be a relative or absolute path on your local system for testing.",
+                    'data': "https://github.com/splunk/contentctl/wiki",
                     "sourcetype": "UPDATE SOURCETYPE",
                     "source": "UPDATE SOURCE"
                     }
@@ -65,18 +70,21 @@ class NewContent:
         questions = NewContentQuestions.get_questions_story()
         answers = questionary.prompt(questions)
         answers['name'] = answers['story_name']
+        del answers['story_name']
         answers['id'] = str(uuid.uuid4())
         answers['version'] = 1
         answers['date'] = datetime.today().strftime('%Y-%m-%d')
         answers['author'] = answers['story_author']
+        del answers['story_author']
         answers['description'] = 'UPDATE_DESCRIPTION'
         answers['narrative'] = 'UPDATE_NARRATIVE'
         answers['references'] = []
         answers['tags'] = dict()
-        answers['tags']['analytic_story'] = answers['name']
         answers['tags']['category'] = answers['category']
+        del answers['category']
         answers['tags']['product'] = ['Splunk Enterprise','Splunk Enterprise Security','Splunk Cloud']
         answers['tags']['usecase'] = answers['usecase']
+        del answers['usecase']
         answers['tags']['cve'] = ['UPDATE WITH CVE(S) IF APPLICABLE']
         return answers
     
@@ -84,13 +92,13 @@ class NewContent:
     def execute(self, input_dto: new) -> None:
         if input_dto.type == NewContentType.detection:
             content_dict = self.buildDetection()
-            subdirectory = pathlib.Path('detections') / content_dict.get('type')
+            subdirectory = pathlib.Path('detections') / content_dict.pop('detection_kind')
         elif input_dto.type == NewContentType.story:
             content_dict = self.buildStory()
             subdirectory = pathlib.Path('stories')
         else:
             raise Exception(f"Unsupported new content type: [{input_dto.type}]")
-    
+
         full_output_path = input_dto.path / subdirectory / SecurityContentObject_Abstract.contentNameToFileName(content_dict.get('name'))
         YmlWriter.writeYmlFile(str(full_output_path), content_dict)
 

contentctl/input/new_content_questions.py

@@ -27,11 +27,6 @@ class NewContentQuestions:
                 'message': 'enter author name',
                 'name': 'detection_author',
             },
-            {
-                "type": "text",
-                "message": "enter author name",
-                "name": "detection_author",
-            },
             {
                 "type": "select",
                 "message": "select a detection type",

contentctl/objects/story_tags.py

@@ -14,6 +14,8 @@ class StoryUseCase(str,Enum):
    APPLICATION_SECURITY = "Application Security"
    SECURITY_MONITORING = "Security Monitoring"
    ADVANCED_THREAD_DETECTION = "Advanced Threat Detection"
+   INSIDER_THREAT = "Insider Threat"
+   OTHER = "Other"
 
 class StoryTags(BaseModel):
    model_config = ConfigDict(extra='forbid', use_enum_values=True)

contentctl/output/finding_report_writer.py

@@ -59,9 +59,9 @@ class FindingReportObject():
             detection.tags.risk_level = "Critical"  
 
         evidence_str = "{"
-        for i in range(len(detection.tags.observable)):            
-            evidence_str = evidence_str + '"' + detection.tags.observable[i]["name"] + '": ' + detection.tags.observable[i]["name"].replace(".", "_")
-            if not i == (len(detection.tags.observable) - 1):
+        for i in range(len(detection.tags.required_fields)):            
+            evidence_str = evidence_str + '"' + detection.tags.required_fields[i] + '": ' + detection.tags.required_fields[i].replace(".", "_")
+            if not i == (len(detection.tags.required_fields) - 1):
                 evidence_str = evidence_str + ', '
 
         evidence_str = evidence_str + ', "sourceType": metadata.source_type, "source": metadata.source}'        

{contentctl-4.0.3.dist-info → contentctl-4.0.5.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: contentctl
-Version: 4.0.3
+Version: 4.0.5
 Summary: Splunk Content Control Tool
 License: Apache 2.0
 Author: STRT

{contentctl-4.0.3.dist-info → contentctl-4.0.5.dist-info}/RECORD

@@ -19,7 +19,7 @@ contentctl/actions/doc_gen.py,sha256=YNc1VYA0ikL1hWDHYjfEOmUkfhy8PEIdvTyC4ZLxQRY
 contentctl/actions/initialize.py,sha256=2h3_A68mNWcyZjbrKF-OeQXBi5p4Zu3z74K7QxEtII4,1749
 contentctl/actions/initialize_old.py,sha256=0qXbW_fNDvkcnEeL6Zpte8d-hpTu1REyzHsXOCY-YB8,9333
 contentctl/actions/inspect.py,sha256=31v7hISc8B8w5tyMnBPSDb3AHRpm-K9rn-WqJRegzBQ,12628
-contentctl/actions/new_content.py,sha256=s2ovk-F-T_Z1O_bi0DgLHrkersD9AsDNW2Y66lY4jbg,5792
+contentctl/actions/new_content.py,sha256=vhpZAIpsBPjrdsQQlVxRPdymM8xa5ju9XE3sa8S-ni4,6013
 contentctl/actions/release_notes.py,sha256=akkFfLhsJuaPUyjsb6dLlKt9cUM-JApAjTFQMbYoXeM,13115
 contentctl/actions/reporting.py,sha256=MJEmvmoA1WnSFZEU9QM6daL_W94oOX0WXAcX1qAM2As,1583
 contentctl/actions/test.py,sha256=JXW1CR-tTM2kJ-U5NRG8quY3JlnOb4OmCBgX24XYWJ0,4896
@@ -33,7 +33,7 @@ contentctl/helper/logger.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 contentctl/helper/utils.py,sha256=iZ6keMdTCs1XySiDVoGIGkMSxD_eDUphwEW-VUYA6vM,15659
 contentctl/input/backend_splunk_ba.py,sha256=Y70tJqgaUM0nzfm2SiGMof4HkhY84feqf-xnRx1xPb4,5861
 contentctl/input/director.py,sha256=CNAzSpO2fjjnhyezOGn9u5QiKq3Xqq7rHI-X9LrpyCo,10716
-contentctl/input/new_content_questions.py,sha256=eV6iHQ9-xCdlDJ0PgUEb0Zfokfmu62sYQnIGjShsf6k,5718
+contentctl/input/new_content_questions.py,sha256=o4prlBoUhEMxqpZukquI9WKbzfFJfYhEF7a8m2q_BEE,5565
 contentctl/input/sigma_converter.py,sha256=ATFNW7boNngp5dmWM7Gr4rMZrUKjvKW2_qu28--FdiU,19391
 contentctl/input/ssa_detection_builder.py,sha256=43B7q4A8MEMjUU-FR7UapO80deW6BooV9WYzZWxcvgI,8377
 contentctl/input/yml_reader.py,sha256=oaal24UP8rDXkCmN5I3GnIheZrsgkhbKOlzXtyhB474,1475
@@ -76,7 +76,7 @@ contentctl/objects/security_content_object.py,sha256=j8KNDwSMfZsSIzJucC3NuZo0SlF
 contentctl/objects/ssa_detection.py,sha256=-G6tXfVVlZgPWS64hIIy3M-aMePANAuQvdpXPlgUyUs,5873
 contentctl/objects/ssa_detection_tags.py,sha256=u8annjzo3MYZ-16wyFnuR8qJJzRa4LEhdprMIrQ47G0,5224
 contentctl/objects/story.py,sha256=LQLCCK_3DkP2x8fQOzcnV0d18_gsVFeS06DEK-qaBUE,4526
-contentctl/objects/story_tags.py,sha256=_OSUQ-uC3wCQMO2w6mqdqe-Wd_PhcpEANf-_xg_jyS0,2169
+contentctl/objects/story_tags.py,sha256=0oF1OePLBxa-RQPb438tXrrfosa939CP8UbNV0_S8XY,2225
 contentctl/objects/test_group.py,sha256=Yb1sqGom6SkVL8B3czPndz8w3CK8WdwZ39V_cn0_JZQ,2600
 contentctl/objects/threat_object.py,sha256=S8B7RQFfLxN_g7yKPrDTuYhIy9JvQH3YwJ_T5LUZIa4,711
 contentctl/objects/unit_test.py,sha256=5EDsPNUct1UY5OtfX-VwFzhET83OmLA6XcaQiZWL1Uo,1655
@@ -93,7 +93,7 @@ contentctl/output/conf_output.py,sha256=qCRT77UKNFCe4AufeBV8Uz9lkPqgpGzU1Y149RuE
 contentctl/output/conf_writer.py,sha256=2TaCAPEtU-bMa7A2m7xOxh93PMpzIdhwiHiPLUCeCB4,8281
 contentctl/output/detection_writer.py,sha256=AzxbssNLmsNIOaYKotew5-ONoyq1cQpKSGy3pe191B0,960
 contentctl/output/doc_md_output.py,sha256=gf7osH1uSrC6js3D_I72g4uDe9TaB3tsvtqCHi5znp0,3238
-contentctl/output/finding_report_writer.py,sha256=Me6FtvDbmSSRqYr5rtrtuc5YVze48PyPbrjyAXJ-V4A,3935
+contentctl/output/finding_report_writer.py,sha256=bjJR7NAxLE8vt8uU3zSDhazQzqzOdtCsUu95lVdzU_w,3939
 contentctl/output/jinja_writer.py,sha256=bdiqr9FaXYxth4wZ1A52zTMAS5stHNGpezTkaS5pres,1119
 contentctl/output/json_writer.py,sha256=Z-iVLnZb8tzYATxbQtXax0dz572lVPFMNVTx-vWbnog,1007
 contentctl/output/new_content_yml_output.py,sha256=ktZ9miHluqkw8jD-pn-62bjVp1sQqqQ7B53xy18DHU8,2321
@@ -157,12 +157,16 @@ contentctl/templates/deployments/escu_default_configuration_baseline.yml,sha256=
 contentctl/templates/deployments/escu_default_configuration_correlation.yml,sha256=iWLqvJnUKVhpKaLBc_w_W65d9HVZgOZfGA-RIpxsH6M,519
 contentctl/templates/deployments/escu_default_configuration_hunting.yml,sha256=hHmM8u7zncpb-32Qv74UoNs0HKwZwCMoKAq2ygDJZbo,329
 contentctl/templates/deployments/escu_default_configuration_ttp.yml,sha256=1D-pvzaH1v3_yCZXaY6njmdvV4S2_Ak8uzzCOsnj9XY,548
-contentctl/templates/detections/anomalous_usage_of_7zip.yml,sha256=hkN214ZOqbQPWyYrqgbOrYb4iA0DroG1AnFRhSC_m0M,3323
+contentctl/templates/detections/application/.gitkeep,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+contentctl/templates/detections/cloud/.gitkeep,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+contentctl/templates/detections/endpoint/anomalous_usage_of_7zip.yml,sha256=hkN214ZOqbQPWyYrqgbOrYb4iA0DroG1AnFRhSC_m0M,3323
+contentctl/templates/detections/network/.gitkeep,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+contentctl/templates/detections/web/.gitkeep,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 contentctl/templates/macros/security_content_ctime.yml,sha256=Gg1YNllHVsX_YB716H1SJLWzxXZEfuJlnsgB2fuyoHU,159
 contentctl/templates/macros/security_content_summariesonly.yml,sha256=9BYUxAl2E4Nwh8K19F3AJS8Ka7ceO6ZDBjFiO3l3LY0,162
 contentctl/templates/stories/cobalt_strike.yml,sha256=rlaXxMN-5k8LnKBLPafBoksyMtlmsPMHPJOjTiMiZ-M,3063
-contentctl-4.0.3.dist-info/LICENSE.md,sha256=hQWUayRk-pAiOZbZnuy8djmoZkjKBx8MrCFpW-JiOgo,11344
-contentctl-4.0.3.dist-info/METADATA,sha256=3qsVxL1TCBlcuUc4W_8TXSwrHBJku7XbEU1Ef_jWhfM,19751
-contentctl-4.0.3.dist-info/WHEEL,sha256=sP946D7jFCHeNz5Iq4fL4Lu-PrWrFsgfLXbbkciIZwg,88
-contentctl-4.0.3.dist-info/entry_points.txt,sha256=5bjZ2NkbQfSwK47uOnA77yCtjgXhvgxnmCQiynRF_-U,57
-contentctl-4.0.3.dist-info/RECORD,,
+contentctl-4.0.5.dist-info/LICENSE.md,sha256=hQWUayRk-pAiOZbZnuy8djmoZkjKBx8MrCFpW-JiOgo,11344
+contentctl-4.0.5.dist-info/METADATA,sha256=64TV2vSygHoDN_WRiXDgUUvIZizbDqPFRNKMdM3RZiU,19751
+contentctl-4.0.5.dist-info/WHEEL,sha256=sP946D7jFCHeNz5Iq4fL4Lu-PrWrFsgfLXbbkciIZwg,88
+contentctl-4.0.5.dist-info/entry_points.txt,sha256=5bjZ2NkbQfSwK47uOnA77yCtjgXhvgxnmCQiynRF_-U,57
+contentctl-4.0.5.dist-info/RECORD,,