contentctl 4.0.5__py3-none-any.whl → 4.1.0__py3-none-any.whl

contentctl/objects/abstract_security_content_objects/detection_abstract.py

@@ -26,7 +26,7 @@ from contentctl.objects.integration_test import IntegrationTest
 
 #from contentctl.objects.playbook import Playbook
 from contentctl.objects.enums import DataSource,ProvidingTechnology
-from contentctl.enrichments.cve_enrichment import CveEnrichment, CveEnrichmentObj
+from contentctl.enrichments.cve_enrichment import CveEnrichmentObj
 
 
 class Detection_Abstract(SecurityContentObject):
@@ -40,7 +40,6 @@ class Detection_Abstract(SecurityContentObject):
     search: Union[str, dict[str,Any]] = Field(...)
     how_to_implement: str = Field(..., min_length=4)
     known_false_positives: str = Field(..., min_length=4)
-    check_references: bool = False  
     #data_source: Optional[List[DataSource]] = None
 
     enabled_by_default: bool = False
@@ -54,6 +53,58 @@ class Detection_Abstract(SecurityContentObject):
     # A list of groups of tests, relying on the same data
     test_groups: Union[list[TestGroup], None] = Field(None,validate_default=True)
 
+
+    @field_validator("search", mode="before")
+    @classmethod
+    def validate_presence_of_filter_macro(cls, value:Union[str, dict[str,Any]], info:ValidationInfo)->Union[str, dict[str,Any]]:
+        """
+        Validates that, if required to be present, the filter macro is present with the proper name.
+        The filter macro MUST be derived from the name of the detection
+
+
+        Args:
+            value (Union[str, dict[str,Any]]): The search. It can either be a string (and should be SPL) 
+                                               or a dict, in which case it is Sigma-formatted.
+            info (ValidationInfo): The validation info can contain a number of different objects. Today it only contains the director. 
+
+        Returns:
+            Union[str, dict[str,Any]]: The search, either in sigma or SPL format.
+        """        
+        
+        if isinstance(value,dict):
+            #If the search is a dict, then it is in Sigma format so return it
+            return value
+        
+        # Otherwise, the search is SPL.
+        
+        
+        # In the future, we will may add support that makes the inclusion of the 
+        # filter macro optional or automatically generates it for searches that 
+        # do not have it. For now, continue to require that all searches have a filter macro.
+        FORCE_FILTER_MACRO = True
+        if not FORCE_FILTER_MACRO:
+            return value
+        
+        # Get the required macro name, which is derived from the search name.
+        # Note that a separate validation ensures that the file name matches the content name
+        name:Union[str,None] = info.data.get("name",None)
+        if name is None:
+            #The search was sigma formatted (or failed other validation and was None), so we will not validate macros in it
+            raise ValueError("Cannot validate filter macro, field 'name' (which is required to validate the macro) was missing from the detection YML.")
+        
+        #Get the file name without the extension. Note this is not a full path!
+        file_name = pathlib.Path(cls.contentNameToFileName(name)).stem
+        file_name_with_filter = f"`{file_name}_filter`"
+        
+        if file_name_with_filter not in value:
+            raise ValueError(f"Detection does not contain the EXACT filter macro {file_name_with_filter}. "
+                             "This filter macro MUST be present in the search. It usually placed at the end "
+                             "of the search and is useful for environment-specific filtering of False Positive or noisy results.")
+        
+        return value
+
+
+
     @field_validator("test_groups")
     @classmethod
     def validate_test_groups(cls, value:Union[None, List[TestGroup]], info:ValidationInfo) -> Union[List[TestGroup], None]:
@@ -144,17 +195,30 @@ class Detection_Abstract(SecurityContentObject):
     macros: list[Macro] = Field([],validate_default=True)
     lookups: list[Lookup] = Field([],validate_default=True)
 
-    @computed_field
-    @property
-    def cve_enrichment(self)->List[CveEnrichmentObj]:
-        raise Exception("CVE Enrichment Functionality not currently supported.  It will be re-added at a later time.")
-        enriched_cves = []
-        for cve_id in self.tags.cve:
-            print(f"\nEnriching {cve_id}\n")
-            enriched_cves.append(CveEnrichment.enrich_cve(cve_id))
+    cve_enrichment: list[CveEnrichmentObj] = Field([], validate_default=True)
+    
+    @model_validator(mode="after")
+    def cve_enrichment_func(self, info:ValidationInfo):
+        if len(self.cve_enrichment) > 0:
+            raise ValueError(f"Error, field 'cve_enrichment' should be empty and "
+                             f"dynamically populated at runtime. Instead, this field contained: {self.cve_enrichment}")
+
+        output_dto:Union[DirectorOutputDto,None]= info.context.get("output_dto",None)
+        if output_dto is None:
+            raise ValueError("Context not provided to detection model post validator")
+        
+        
+        enriched_cves:list[CveEnrichmentObj] = []
 
-        return enriched_cves
+        for cve_id in self.tags.cve:
+            try:
+                enriched_cves.append(output_dto.cve_enrichment.enrich_cve(cve_id, raise_exception_on_failure=False))
+            except Exception as e:
+                raise ValueError(f"{e}")
+        self.cve_enrichment = enriched_cves
+        return self
     
+
     splunk_app_enrichment: Optional[List[dict]] = None
     
     @computed_field
@@ -382,11 +446,11 @@ class Detection_Abstract(SecurityContentObject):
             filter_macro = Macro.model_validate({"name":filter_macro_name, 
                                                 "definition":'search *', 
                                                 "description":'Update this macro to limit the output results to filter out false positives.'})
-            director.macros.append(filter_macro)
+            director.addContentToDictMappings(filter_macro)
         
         macros_from_search = Macro.get_macros(search, director)
         
-        return  macros_from_search + [filter_macro]
+        return  macros_from_search
 
     def get_content_dependencies(self)->list[SecurityContentObject]:
         #Do this separately to satisfy type checker

contentctl/objects/abstract_security_content_objects/security_content_object_abstract.py

@@ -12,6 +12,7 @@ import re
 import abc
 import uuid
 import datetime
+import pprint
 from pydantic import BaseModel, field_validator, Field, ValidationInfo, FilePath, HttpUrl, NonNegativeInt, ConfigDict, model_validator, model_serializer
 from typing import Tuple, Optional, List, Union
 import pathlib
@@ -181,6 +182,22 @@ class SecurityContentObject_Abstract(BaseModel, abc.ABC):
         for object in all_objects:
             name_dict[str(pathlib.Path(object.file_path))] = object
         return name_dict
+
+
+    def __repr__(self)->str:
+        # Just use the model_dump functionality that
+        # has already been written. This loses some of the
+        # richness where objects reference themselves, but
+        # is usable
+        m = self.model_dump()
+        return pprint.pformat(m, indent=3)
+
+    def __str__(self)->str:
+        return(self.__repr__())
+        
+
+    
+
     
 
     

contentctl/objects/baseline.py

@@ -31,7 +31,6 @@ class Baseline(SecurityContentObject):
     search: str = Field(..., min_length=4)
     how_to_implement: str = Field(..., min_length=4)
     known_false_positives: str = Field(..., min_length=4)
-    check_references: bool = False #Validation is done in order, this field must be defined first
     tags: BaselineTags = Field(...)
 
     # enrichment

contentctl/objects/config.py

@@ -154,6 +154,10 @@ class Config_Base(BaseModel):
 
     path: DirectoryPath = Field(default=DirectoryPath("."), description="The root of your app.")
     app:CustomApp = Field(default_factory=CustomApp)
+    verbose:bool = Field(default=False, description="Enable verbose error logging, including a stacktrace. "
+                         "This option makes debugging contentctl errors much easier, but produces way more "
+                         "output than is useful under most uses cases. "
+                         "Please use this flag if you are submitting a bug report or issue on GitHub.")
     
     @field_serializer('path',when_used='always')
     def serialize_path(path: DirectoryPath)->str:
@@ -269,14 +273,6 @@ class Infrastructure(BaseModel):
     instance_name: str = Field(...)
 
 
-class deploy_rest(build):
-    model_config = ConfigDict(use_enum_values=True,validate_default=True, arbitrary_types_allowed=True)
-    
-    target:Infrastructure = Infrastructure(instance_name="splunk_target_host", instance_address="localhost")
-    #This will overwrite existing content without promprting for confirmation
-    overwrite_existing_content:bool = Field(default=True, description="Overwrite existing macros and savedsearches in your enviornment")
-
-
 class Container(Infrastructure):
     model_config = ConfigDict(use_enum_values=True,validate_default=True, arbitrary_types_allowed=True)
     instance_address:str = Field(default="localhost", description="Address of your splunk server.")

contentctl/objects/detection_tags.py

@@ -145,7 +145,7 @@ class DetectionTags(BaseModel):
     @model_validator(mode="after")
     def addAttackEnrichment(self, info:ValidationInfo):
         if len(self.mitre_attack_enrichments) > 0:
-            raise ValueError(f"Error, field 'mitre_attack_enrichment' should be empty and dynamically populated at runtime. Instead, this field contained: {str(v)}")
+            raise ValueError(f"Error, field 'mitre_attack_enrichment' should be empty and dynamically populated at runtime. Instead, this field contained: {self.mitre_attack_enrichments}")
         
         output_dto:Union[DirectorOutputDto,None]= info.context.get("output_dto",None)
         if output_dto is None:

contentctl/objects/macro.py

@@ -9,13 +9,14 @@ if TYPE_CHECKING:
 from contentctl.objects.security_content_object import SecurityContentObject
 
 
-
-MACROS_TO_IGNORE = set(["_filter", "drop_dm_object_name"])
-#Should all of the following be included as well?
-MACROS_TO_IGNORE.add("get_asset" )
-MACROS_TO_IGNORE.add("get_risk_severity")
-MACROS_TO_IGNORE.add("cim_corporate_web_domain_search")
-MACROS_TO_IGNORE.add("prohibited_processes")
+#The following macros are included in commonly-installed apps.
+#As such, we will ignore if they are missing from our app.
+#Included in 
+MACROS_TO_IGNORE = set(["drop_dm_object_name"]) # Part of CIM/Splunk_SA_CIM
+MACROS_TO_IGNORE.add("get_asset") #SA-IdentityManagement, part of Enterprise Security
+MACROS_TO_IGNORE.add("get_risk_severity") #SA-ThreatIntelligence, part of Enterprise Security
+MACROS_TO_IGNORE.add("cim_corporate_web_domain_search") #Part of CIM/Splunk_SA_CIM
+#MACROS_TO_IGNORE.add("prohibited_processes")
 
 
 class Macro(SecurityContentObject):

contentctl/output/yml_writer.py

@@ -8,4 +8,42 @@ class YmlWriter:
     def writeYmlFile(file_path : str, obj : dict[Any,Any]) -> None:
 
         with open(file_path, 'w') as outfile:
-            yaml.safe_dump(obj, outfile, default_flow_style=False, sort_keys=False)
+            yaml.safe_dump(obj, outfile, default_flow_style=False, sort_keys=False)
+
+    @staticmethod
+    def writeDetection(file_path: str, obj: dict[Any,Any]) -> None:
+        output = dict()
+        output["name"] = obj["name"]
+        output["id"] = obj["id"]
+        output["version"] = obj["version"]
+        output["date"] = obj["date"]
+        output["author"] = obj["author"]
+        output["type"] = obj["type"]
+        output["status"] = obj["status"]
+        output["data_source"] = obj['data_sources']
+        output["description"] = obj["description"]
+        output["search"] = obj["search"]
+        output["how_to_implement"] = obj["how_to_implement"]
+        output["known_false_positives"] = obj["known_false_positives"]
+        output["references"] = obj["references"]
+        output["tags"] = obj["tags"]
+        output["tests"] = obj["tags"]
+
+        YmlWriter.writeYmlFile(file_path=file_path, obj=output)
+ 
+    @staticmethod
+    def writeStory(file_path: str, obj: dict[Any,Any]) -> None:
+        output = dict()
+        output['name'] = obj['name']
+        output['id'] = obj['id']
+        output['version'] = obj['version']
+        output['date'] = obj['date']
+        output['author'] = obj['author']
+        output['description'] = obj['description']
+        output['narrative'] = obj['narrative']
+        output['references'] = obj['references']
+        output['tags'] = obj['tags']
+
+        YmlWriter.writeYmlFile(file_path=file_path, obj=output)
+ 
+

{contentctl-4.0.5.dist-info → contentctl-4.1.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: contentctl
-Version: 4.0.5
+Version: 4.1.0
 Summary: Splunk Content Control Tool
 License: Apache 2.0
 Author: STRT
@@ -10,25 +10,24 @@ Classifier: License :: Other/Proprietary License
 Classifier: Programming Language :: Python :: 3
 Classifier: Programming Language :: Python :: 3.11
 Classifier: Programming Language :: Python :: 3.12
-Requires-Dist: Jinja2 (>=3.1.2,<4.0.0)
+Requires-Dist: Jinja2 (>=3.1.4,<4.0.0)
 Requires-Dist: PyYAML (>=6.0.1,<7.0.0)
 Requires-Dist: attackcti (>=0.3.7,<0.4.0)
 Requires-Dist: bottle (>=0.12.25,<0.13.0)
 Requires-Dist: docker (>=7.1.0,<8.0.0)
 Requires-Dist: gitpython (>=3.1.43,<4.0.0)
 Requires-Dist: pycvesearch (>=1.2,<2.0)
-Requires-Dist: pydantic (>=2.5.1,<3.0.0)
+Requires-Dist: pydantic (>=2.7.1,<3.0.0)
 Requires-Dist: pygit2 (>=1.14.1,<2.0.0)
-Requires-Dist: pysigma (>=0.10.8,<0.11.0)
-Requires-Dist: pysigma-backend-splunk (>=1.0.3,<2.0.0)
+Requires-Dist: pysigma (>=0.11.5,<0.12.0)
+Requires-Dist: pysigma-backend-splunk (>=1.1.0,<2.0.0)
 Requires-Dist: questionary (>=2.0.1,<3.0.0)
 Requires-Dist: requests (>=2.32.2,<2.33.0)
 Requires-Dist: semantic-version (>=2.10.0,<3.0.0)
-Requires-Dist: setuptools (>=69.5.1,<70.0.0)
+Requires-Dist: setuptools (>=69.5.1,<71.0.0)
 Requires-Dist: splunk-sdk (>=2.0.1,<3.0.0)
-Requires-Dist: tqdm (>=4.66.1,<5.0.0)
+Requires-Dist: tqdm (>=4.66.4,<5.0.0)
 Requires-Dist: tyro (>=0.8.3,<0.9.0)
-Requires-Dist: validators (>=0.22.0,<0.23.0)
 Requires-Dist: xmltodict (>=0.13.0,<0.14.0)
 Description-Content-Type: text/markdown
 

{contentctl-4.0.5.dist-info → contentctl-4.1.0.dist-info}/RECORD

@@ -1,9 +1,7 @@
 contentctl/__init__.py,sha256=IMjkMO3twhQzluVTo8Z6rE7Eg-9U79_LGKMcsWLKBkY,22
-contentctl/actions/acs_deploy.py,sha256=mf3uk495H1EU_LNN-TiOsYCo18HMGoEBMb6ojeTr0zw,1418
-contentctl/actions/apav_deploy.py,sha256=vjq-24zCLRvNyS0FSLyE4L2b4etG-qo4OM6Z9P0NYK4,2999
-contentctl/actions/api_deploy.py,sha256=h8r_CjsQo4RXzBN4Q8DqoPh6e7JfNDoXdcxT1nrsaRQ,6965
 contentctl/actions/build.py,sha256=BVc-1E63zeUQ9wWAHTC_fLNvfEK5YT3Z6_QLiE72TQs,4765
 contentctl/actions/convert.py,sha256=0KBWLxvP1hSPXpExePqpOQPRvlQLamvPLyQqeTIWNbk,704
+contentctl/actions/deploy_acs.py,sha256=mf3uk495H1EU_LNN-TiOsYCo18HMGoEBMb6ojeTr0zw,1418
 contentctl/actions/detection_testing/DetectionTestingManager.py,sha256=zg8JasDjCpSC-yhseEyUwO8qbDJIUJbhlus9Li9ZAnA,8818
 contentctl/actions/detection_testing/GitService.py,sha256=Rm5Usc0EZk87rk1W8eKyED6b5CdD0YUQZMjkPfk3ztU,8666
 contentctl/actions/detection_testing/generate_detection_coverage_badge.py,sha256=N5mznaeErVak3mOBwsd0RDBFJO3bku0EZvpayCyU-uk,2259
@@ -18,34 +16,35 @@ contentctl/actions/detection_testing/views/DetectionTestingViewWeb.py,sha256=6me
 contentctl/actions/doc_gen.py,sha256=YNc1VYA0ikL1hWDHYjfEOmUkfhy8PEIdvTyC4ZLxQRY,863
 contentctl/actions/initialize.py,sha256=2h3_A68mNWcyZjbrKF-OeQXBi5p4Zu3z74K7QxEtII4,1749
 contentctl/actions/initialize_old.py,sha256=0qXbW_fNDvkcnEeL6Zpte8d-hpTu1REyzHsXOCY-YB8,9333
-contentctl/actions/inspect.py,sha256=31v7hISc8B8w5tyMnBPSDb3AHRpm-K9rn-WqJRegzBQ,12628
-contentctl/actions/new_content.py,sha256=vhpZAIpsBPjrdsQQlVxRPdymM8xa5ju9XE3sa8S-ni4,6013
+contentctl/actions/inspect.py,sha256=6gVVKmV5CUUYOkNNVTMPKj9bM1uXVthgGCoFKZGDeS8,12628
+contentctl/actions/new_content.py,sha256=4gTlxV0fmdsSETPX4T9uQPpIAm--Jf2vc6Vm3w-RkfI,6128
 contentctl/actions/release_notes.py,sha256=akkFfLhsJuaPUyjsb6dLlKt9cUM-JApAjTFQMbYoXeM,13115
 contentctl/actions/reporting.py,sha256=MJEmvmoA1WnSFZEU9QM6daL_W94oOX0WXAcX1qAM2As,1583
 contentctl/actions/test.py,sha256=JXW1CR-tTM2kJ-U5NRG8quY3JlnOb4OmCBgX24XYWJ0,4896
-contentctl/actions/validate.py,sha256=-yZuhFBzqZvtT5FOFO4o4-U72tv6urrAG9QCFwqX4os,2363
-contentctl/contentctl.py,sha256=qiowJPiIdMkh8KkbiYhDyVBc1sKJTBKEXhZDwMC-mAk,10083
+contentctl/actions/validate.py,sha256=6_M5IMi68Pv4CNw69balQTkfRdjMTurUUv7z8BpGh3Y,2454
+contentctl/api.py,sha256=FBOpRhbBCBdjORmwe_8MPQ3PRZ6T0KrrFcfKovVFkug,6343
+contentctl/contentctl.py,sha256=Vr2cuvaPjpJpYvD9kVoYq7iD6rhLQEpTKmcGoq4emhA,10470
 contentctl/enrichments/attack_enrichment.py,sha256=EkEloG3hMmPTloPyYiVkhq3iT_BieXaJmprJ5stfyRw,6732
-contentctl/enrichments/cve_enrichment.py,sha256=r5a2DVpbz7wBW8iU4-OhXmSmJQ28JnFDQJt8XZ96MVo,3934
+contentctl/enrichments/cve_enrichment.py,sha256=IzkKSdnQi3JrAUUyLpcGA_Y2g_B7latq9bOIMlaMpGg,2315
 contentctl/enrichments/splunk_app_enrichment.py,sha256=zDNHFLZTi2dJ1gdnh0sHkD6F1VtkblqFnhacFcCMBfc,3418
 contentctl/helper/link_validator.py,sha256=-XorhxfGtjLynEL1X4hcpRMiyemogf2JEnvLwhHq80c,7139
 contentctl/helper/logger.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 contentctl/helper/utils.py,sha256=iZ6keMdTCs1XySiDVoGIGkMSxD_eDUphwEW-VUYA6vM,15659
 contentctl/input/backend_splunk_ba.py,sha256=Y70tJqgaUM0nzfm2SiGMof4HkhY84feqf-xnRx1xPb4,5861
-contentctl/input/director.py,sha256=CNAzSpO2fjjnhyezOGn9u5QiKq3Xqq7rHI-X9LrpyCo,10716
+contentctl/input/director.py,sha256=JsmN35xamnMNl3Wug7KGVLFbVfa5F7jf0ToHEwXFcqM,10965
 contentctl/input/new_content_questions.py,sha256=o4prlBoUhEMxqpZukquI9WKbzfFJfYhEF7a8m2q_BEE,5565
 contentctl/input/sigma_converter.py,sha256=ATFNW7boNngp5dmWM7Gr4rMZrUKjvKW2_qu28--FdiU,19391
 contentctl/input/ssa_detection_builder.py,sha256=43B7q4A8MEMjUU-FR7UapO80deW6BooV9WYzZWxcvgI,8377
 contentctl/input/yml_reader.py,sha256=oaal24UP8rDXkCmN5I3GnIheZrsgkhbKOlzXtyhB474,1475
-contentctl/objects/abstract_security_content_objects/detection_abstract.py,sha256=YRbDXBFk_To77jyCkUqhswLV4n9IwJGTSDaiAnI7sFU,30167
-contentctl/objects/abstract_security_content_objects/security_content_object_abstract.py,sha256=cdBb7Yb3vYkD8xRKMWPG8Aq7oAKfw9fRIBGvjYw8zT0,8065
+contentctl/objects/abstract_security_content_objects/detection_abstract.py,sha256=BPY0D_evVu4n3xGE7uGJRP5RKOtPbNKNPnZqvo0qC1A,33311
+contentctl/objects/abstract_security_content_objects/security_content_object_abstract.py,sha256=IVr26xFrIlTvsqQoqwYl4cmcfaP9BeYt9I0QTriKmwE,8451
 contentctl/objects/alert_action.py,sha256=E9gjCn5C31h0sN7k90KNe4agRxFFSnMW_Z-Ri_3YQss,1335
 contentctl/objects/atomic.py,sha256=a_G_iliAm86BunpAAG86aAL3LAEGpd9Crp7t7-PxYvI,8979
 contentctl/objects/base_test.py,sha256=6hCL9K-N_jJx1zLbuZQCsB93_XWj6JcGGs2PbbjzJWo,1028
 contentctl/objects/base_test_result.py,sha256=dPupudgeXW64Emk9YJfS5JhUXbZwpEZrrx_DiqbRgvU,4752
-contentctl/objects/baseline.py,sha256=x9vXa45kT2Qu7xQ0icPLvVJLFF6Hrj9svqdbuKtHzDc,2248
+contentctl/objects/baseline.py,sha256=Lb1vJKtDdlDrzWgrdkC9oQao_TnRrOxSwOWHf4trtaU,2150
 contentctl/objects/baseline_tags.py,sha256=JLdlCUc_DEccMQD6f-sa2qD8pcxYiwMUT_sRZEhW7ZA,2978
-contentctl/objects/config.py,sha256=lwiEJu9M3KVP8krH3ieI-4Yke-nI1dRYbStouLmHIWo,43708
+contentctl/objects/config.py,sha256=tK0BY4A9Go5jp8tpOSwgczuOAyu9dMPvC0nyOHeO-74,43642
 contentctl/objects/constants.py,sha256=1LjiK9A7t0aHHkJz2mrW-DImdW1P98GPssTwmwNNI_M,3468
 contentctl/objects/correlation_search.py,sha256=B97vCt2Ew7PGgqd5Y9l6RD3DJdy51Eh7Gzkxxs2xqZ0,36891
 contentctl/objects/data_source.py,sha256=ELNsNsarVHJgytPTcaGZOoWgub2v_-Q0xtc_-xUM8yg,405
@@ -57,14 +56,14 @@ contentctl/objects/deployment_rba.py,sha256=YFLSKzLU7s8Bt1cJkSBWlfCsc_2MfgiwyaDi
 contentctl/objects/deployment_scheduling.py,sha256=bQjbJHNaUGdU1VAGV8-nFOHzHutbIlt7FZpUvR1CV4Y,198
 contentctl/objects/deployment_slack.py,sha256=P6z8OLHDKcDWx7nbKWasqBc3dFRatGcpO2GtmxzVV8I,135
 contentctl/objects/detection.py,sha256=3W41cXf3ECjWuPqWrseqSLC3PAA7O5_nENWWM6MPK0Y,620
-contentctl/objects/detection_tags.py,sha256=dYCa4SfoqRiSOwYpbWo93vLGPxy6V9pArCZMWb5fxZs,10238
+contentctl/objects/detection_tags.py,sha256=QR906JN8cf5et5aPf-AluEEyP3IvdUQ_KzxKffMSjrc,10261
 contentctl/objects/enums.py,sha256=2gLRtJ-dHW_xMFdbjOp0LaX_fEV0V-YAZn2JY9gUzJ8,14030
 contentctl/objects/integration_test.py,sha256=W_VksBN_cRo7DTXdr1aLujjS9mgkEp0uvoNpmL0dVnQ,1273
 contentctl/objects/integration_test_result.py,sha256=DrIZRRlILSHGcsK_Rlm3KJLnbKPtIen8uEPFi4ZdJ8s,370
 contentctl/objects/investigation.py,sha256=JRoZxc_qi1fu_VFTRaxOc3B7zzSzCfEURsNzWPUCrtY,2620
 contentctl/objects/investigation_tags.py,sha256=nFpMRKBVBsW21YW_vy2G1lXaSARX-kfFyrPoCyE77Q8,1280
 contentctl/objects/lookup.py,sha256=P8YbzdDAj_MsTBJTEsym35zhQjiN9Eq0MlfON-qvuTM,4556
-contentctl/objects/macro.py,sha256=qUnS1UuGrq2nXj49N2qmwzZDJwyfTCqu3KSZMB6CfWk,2451
+contentctl/objects/macro.py,sha256=9nE-bxkFhtaltHOUCr0luU8jCCthmglHjhKs6Q2YzLU,2684
 contentctl/objects/mitre_attack_enrichment.py,sha256=bWrMG-Xj3knmULR5q2YZk7mloJBdQUzU1moZfEw9lQM,1073
 contentctl/objects/notable_action.py,sha256=ValkblBaG-60TF19y_vSnNzoNZ3eg48wIfr0qZxyKTA,1605
 contentctl/objects/observable.py,sha256=-nbVASkwyLpstWQk9Za1Hyjg0etGHiZArg7doEOS02k,1156
@@ -127,7 +126,7 @@ contentctl/output/templates/savedsearches_investigations.j2,sha256=aFIDK4NqtsZr3
 contentctl/output/templates/transforms.j2,sha256=-cSoie0LgJwibtW-GMhc9BQlmS6h1s1Vykm9O2M0f9Y,1456
 contentctl/output/templates/workflow_actions.j2,sha256=DFoZVnCa8dMRHjW2AdpoydBC0THgiH_W-Nx7WI4-uR4,925
 contentctl/output/yml_output.py,sha256=xtTD3f_WWy8O6Joi4S8gG9paot8JpQFRlwt17_ek5B4,2682
-contentctl/output/yml_writer.py,sha256=UsVhIJ-QmDB3B3GKiapMZ_ZBCJt_mefBzVmUwD9WfNw,271
+contentctl/output/yml_writer.py,sha256=zZJ3aK-l0YQXbDweS-XZKejHblyhy2eliSthZZEogUs,1668
 contentctl/templates/README,sha256=Hg4LI9g_ss8o3u060woDkhunLXHMtKOhuFK2i-xJpuM,133
 contentctl/templates/app_default.yml,sha256=kDeYdJbfMADQPcho8iH1nqgTFrHNt4EXnIJjPHc2unI,6390
 contentctl/templates/app_template/README/essoc_story_detail.txt,sha256=7hFPBfPpRH28TFl7QchKceZLewQqgFjRWDlmxZzwpmo,897
@@ -141,7 +140,6 @@ contentctl/templates/app_template/default/content-version.conf,sha256=TGzX6qLdzR
 contentctl/templates/app_template/default/data/ui/nav/default.xml,sha256=fKN53HZCtNJbQqq_5pP8e5-5m30DRrJittr6q5s6V_0,236
 contentctl/templates/app_template/default/data/ui/views/escu_summary.xml,sha256=jQhkIthPgEEptCJ2wUCj2lWGHBvUl6JGsKkDfONloxI,8635
 contentctl/templates/app_template/default/data/ui/views/feedback.xml,sha256=uM71EMK2uFz8h68nOTNKGnYxob3HhE_caSL6yA-3H-k,696
-contentctl/templates/app_template/default/distsearch.conf,sha256=5fa9bNr9WuVI2_8tTIftvrRwk27Oz3rUoKh6_xlASFw,156
 contentctl/templates/app_template/default/usage_searches.conf,sha256=mFnhAHGhFHIzl8xxA626thnAjyxs5ZQQfur1PP_Xmbg,4257
 contentctl/templates/app_template/default/use_case_library.conf,sha256=zWuCOOl8SiP7Kit2s-de4KRu3HySLtBSXcp1QnJx0ec,168
 contentctl/templates/app_template/lookups/mitre_enrichment.csv,sha256=tifPQjFoQHtvpb78hxSP2fKHnHeehNbZDwUjdvc0aEM,66072
@@ -165,8 +163,8 @@ contentctl/templates/detections/web/.gitkeep,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRk
 contentctl/templates/macros/security_content_ctime.yml,sha256=Gg1YNllHVsX_YB716H1SJLWzxXZEfuJlnsgB2fuyoHU,159
 contentctl/templates/macros/security_content_summariesonly.yml,sha256=9BYUxAl2E4Nwh8K19F3AJS8Ka7ceO6ZDBjFiO3l3LY0,162
 contentctl/templates/stories/cobalt_strike.yml,sha256=rlaXxMN-5k8LnKBLPafBoksyMtlmsPMHPJOjTiMiZ-M,3063
-contentctl-4.0.5.dist-info/LICENSE.md,sha256=hQWUayRk-pAiOZbZnuy8djmoZkjKBx8MrCFpW-JiOgo,11344
-contentctl-4.0.5.dist-info/METADATA,sha256=64TV2vSygHoDN_WRiXDgUUvIZizbDqPFRNKMdM3RZiU,19751
-contentctl-4.0.5.dist-info/WHEEL,sha256=sP946D7jFCHeNz5Iq4fL4Lu-PrWrFsgfLXbbkciIZwg,88
-contentctl-4.0.5.dist-info/entry_points.txt,sha256=5bjZ2NkbQfSwK47uOnA77yCtjgXhvgxnmCQiynRF_-U,57
-contentctl-4.0.5.dist-info/RECORD,,
+contentctl-4.1.0.dist-info/LICENSE.md,sha256=hQWUayRk-pAiOZbZnuy8djmoZkjKBx8MrCFpW-JiOgo,11344
+contentctl-4.1.0.dist-info/METADATA,sha256=AXM-iaprX65-e2JRJCjSFS4yr315R3uAbh80e5KJp20,19706
+contentctl-4.1.0.dist-info/WHEEL,sha256=sP946D7jFCHeNz5Iq4fL4Lu-PrWrFsgfLXbbkciIZwg,88
+contentctl-4.1.0.dist-info/entry_points.txt,sha256=5bjZ2NkbQfSwK47uOnA77yCtjgXhvgxnmCQiynRF_-U,57
+contentctl-4.1.0.dist-info/RECORD,,

contentctl/actions/apav_deploy.py

@@ -1,98 +0,0 @@
-import splunklib.client as client
-import multiprocessing
-import http.server
-import time
-import sys
-import subprocess
-import os
-class Deploy:
-    def __init__(self, args):
-
-        
-        
-        #First, check to ensure that the legal ack is correct. If not, quit
-        if args.acs_legal_ack != "Y":
-            raise(Exception(f"Error - must supply 'acs-legal-ack=Y', not 'acs-legal-ack={args.acs_legal_ack}'"))
-        
-        self.acs_legal_ack = args.acs_legal_ack
-        self.app_package = args.app_package
-        if not os.path.exists(self.app_package):
-            raise(Exception(f"Error - app_package file {self.app_package} does not exist"))
-        self.username = args.username
-        self.password = args.password
-        self.server = args.server
-
-        
-       
-        self.deploy_to_splunk_cloud()
-        #self.http_process = self.start_http_server()
-
-        #self.install_app()
-
-    
-    def deploy_to_splunk_cloud(self):
-        
-        commandline = f"acs apps install private --acs-legal-ack={self.acs_legal_ack} "\
-                f"--app-package {self.app_package} --server {self.server} --username "\
-                f"{self.username} --password {self.password}"
-        
-        
-        try:
-            res = subprocess.run(args = commandline.split(' '), )    
-        except Exception as e:
-            raise(Exception(f"Error deploying to Splunk Cloud Instance: {str(e)}"))
-        print(res.returncode)
-        if res.returncode != 0:
-            raise(Exception("Error deploying to Splunk Cloud Instance. Review output to diagnose error."))
-
-    '''
-    def install_app_local(self) -> bool:
-        #Connect to the service
-        time.sleep(1)
-        #self.http_process.start()
-        #time.sleep(2)
-        
-
-        print(f"Connecting to server {self.host}")
-        try:
-            service = client.connect(host=self.host, port=self.api_port, username=self.username, password=self.password)
-            assert isinstance(service, client.Service)
-            
-        except Exception as e:
-            raise(Exception(f"Failure connecting the Splunk Search Head: {str(e)}"))
-            
-        
-        #Install the app
-        try:
-            params = {'name': self.server_app_path}
-            res = service.post('apps/appinstall', **params)
-            #Check the result?
-
-            print(f"Successfully installed {self.server_app_path}!")
-
-
-
-        except Exception as e:
-            raise(Exception(f"Failure installing the app {self.server_app_path}: {str(e)}"))
-
-        
-        #Query and list all of the installed apps
-        try:
-            all_apps = service.apps
-        except Exception as e:
-            print(f"Failed listing all apps: {str(e)}")
-            return False
-
-        print("Installed apps:")
-        for count, app in enumerate(all_apps):
-            print("\t{count}.  {app.name}")   
-
-
-        print(f"Installing app {self.path}")
-
-        self.http_process.terminate()
-
-        return True
-    '''
-    
-