PyPI - contentctl - Versions diffs - 4.0.5__py3-none-any.whl → 4.1.1__py3-none-any.whl - Mend

contentctl 4.0.5py3-none-any.whl → 4.1.1py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (24) hide show

contentctl/actions/inspect.py +1 -1
contentctl/actions/new_content.py +6 -3
contentctl/actions/test.py +4 -1
contentctl/actions/validate.py +1 -0
contentctl/api.py +137 -0
contentctl/contentctl.py +28 -24
contentctl/enrichments/cve_enrichment.py +43 -78
contentctl/input/director.py +72 -72
contentctl/objects/abstract_security_content_objects/detection_abstract.py +77 -13
contentctl/objects/abstract_security_content_objects/security_content_object_abstract.py +17 -0
contentctl/objects/baseline.py +0 -1
contentctl/objects/config.py +4 -8
contentctl/objects/detection_tags.py +1 -1
contentctl/objects/macro.py +8 -7
contentctl/output/yml_writer.py +39 -1
{contentctl-4.0.5.dist-info → contentctl-4.1.1.dist-info}/METADATA +7 -8
{contentctl-4.0.5.dist-info → contentctl-4.1.1.dist-info}/RECORD +21 -23
contentctl/actions/apav_deploy.py +0 -98
contentctl/actions/api_deploy.py +0 -151
contentctl/templates/app_template/default/distsearch.conf +0 -5
/contentctl/actions/{acs_deploy.py → deploy_acs.py} +0 -0
{contentctl-4.0.5.dist-info → contentctl-4.1.1.dist-info}/LICENSE.md +0 -0
{contentctl-4.0.5.dist-info → contentctl-4.1.1.dist-info}/WHEEL +0 -0
{contentctl-4.0.5.dist-info → contentctl-4.1.1.dist-info}/entry_points.txt +0 -0

contentctl/objects/abstract_security_content_objects/detection_abstract.py CHANGED Viewed

@@ -26,7 +26,7 @@ from contentctl.objects.integration_test import IntegrationTest
 #from contentctl.objects.playbook import Playbook
 from contentctl.objects.enums import DataSource,ProvidingTechnology
-from contentctl.enrichments.cve_enrichment import CveEnrichment, CveEnrichmentObj
+from contentctl.enrichments.cve_enrichment import CveEnrichmentObj
 class Detection_Abstract(SecurityContentObject):
@@ -40,7 +40,6 @@ class Detection_Abstract(SecurityContentObject):
     search: Union[str, dict[str,Any]] = Field(...)
     how_to_implement: str = Field(..., min_length=4)
     known_false_positives: str = Field(..., min_length=4)
-    check_references: bool = False
     #data_source: Optional[List[DataSource]] = None
     enabled_by_default: bool = False
@@ -54,6 +53,58 @@ class Detection_Abstract(SecurityContentObject):
     # A list of groups of tests, relying on the same data
     test_groups: Union[list[TestGroup], None] = Field(None,validate_default=True)
+    @field_validator("search", mode="before")
+    @classmethod
+    def validate_presence_of_filter_macro(cls, value:Union[str, dict[str,Any]], info:ValidationInfo)->Union[str, dict[str,Any]]:
+        """
+        Validates that, if required to be present, the filter macro is present with the proper name.
+        The filter macro MUST be derived from the name of the detection
+        Args:
+            value (Union[str, dict[str,Any]]): The search. It can either be a string (and should be SPL)
+                                               or a dict, in which case it is Sigma-formatted.
+            info (ValidationInfo): The validation info can contain a number of different objects. Today it only contains the director.
+        Returns:
+            Union[str, dict[str,Any]]: The search, either in sigma or SPL format.
+        """
+        if isinstance(value,dict):
+            #If the search is a dict, then it is in Sigma format so return it
+            return value
+        # Otherwise, the search is SPL.
+        # In the future, we will may add support that makes the inclusion of the
+        # filter macro optional or automatically generates it for searches that
+        # do not have it. For now, continue to require that all searches have a filter macro.
+        FORCE_FILTER_MACRO = True
+        if not FORCE_FILTER_MACRO:
+            return value
+        # Get the required macro name, which is derived from the search name.
+        # Note that a separate validation ensures that the file name matches the content name
+        name:Union[str,None] = info.data.get("name",None)
+        if name is None:
+            #The search was sigma formatted (or failed other validation and was None), so we will not validate macros in it
+            raise ValueError("Cannot validate filter macro, field 'name' (which is required to validate the macro) was missing from the detection YML.")
+        #Get the file name without the extension. Note this is not a full path!
+        file_name = pathlib.Path(cls.contentNameToFileName(name)).stem
+        file_name_with_filter = f"`{file_name}_filter`"
+        if file_name_with_filter not in value:
+            raise ValueError(f"Detection does not contain the EXACT filter macro {file_name_with_filter}. "
+                             "This filter macro MUST be present in the search. It usually placed at the end "
+                             "of the search and is useful for environment-specific filtering of False Positive or noisy results.")
+        return value
     @field_validator("test_groups")
     @classmethod
     def validate_test_groups(cls, value:Union[None, List[TestGroup]], info:ValidationInfo) -> Union[List[TestGroup], None]:
@@ -144,17 +195,30 @@ class Detection_Abstract(SecurityContentObject):
     macros: list[Macro] = Field([],validate_default=True)
     lookups: list[Lookup] = Field([],validate_default=True)
-    @computed_field
-    @property
-    def cve_enrichment(self)->List[CveEnrichmentObj]:
-        raise Exception("CVE Enrichment Functionality not currently supported.  It will be re-added at a later time.")
-        enriched_cves = []
-        for cve_id in self.tags.cve:
-            print(f"\nEnriching {cve_id}\n")
-            enriched_cves.append(CveEnrichment.enrich_cve(cve_id))
+    cve_enrichment: list[CveEnrichmentObj] = Field([], validate_default=True)
+    @model_validator(mode="after")
+    def cve_enrichment_func(self, info:ValidationInfo):
+        if len(self.cve_enrichment) > 0:
+            raise ValueError(f"Error, field 'cve_enrichment' should be empty and "
+                             f"dynamically populated at runtime. Instead, this field contained: {self.cve_enrichment}")
+        output_dto:Union[DirectorOutputDto,None]= info.context.get("output_dto",None)
+        if output_dto is None:
+            raise ValueError("Context not provided to detection model post validator")
+        enriched_cves:list[CveEnrichmentObj] = []
-        return enriched_cves
+        for cve_id in self.tags.cve:
+            try:
+                enriched_cves.append(output_dto.cve_enrichment.enrich_cve(cve_id, raise_exception_on_failure=False))
+            except Exception as e:
+                raise ValueError(f"{e}")
+        self.cve_enrichment = enriched_cves
+        return self
     splunk_app_enrichment: Optional[List[dict]] = None
     @computed_field
@@ -382,11 +446,11 @@ class Detection_Abstract(SecurityContentObject):
             filter_macro = Macro.model_validate({"name":filter_macro_name,
                                                 "definition":'search *',
                                                 "description":'Update this macro to limit the output results to filter out false positives.'})
-            director.macros.append(filter_macro)
+            director.addContentToDictMappings(filter_macro)
         macros_from_search = Macro.get_macros(search, director)
-        return  macros_from_search + [filter_macro]
+        return  macros_from_search
     def get_content_dependencies(self)->list[SecurityContentObject]:
         #Do this separately to satisfy type checker

contentctl/objects/abstract_security_content_objects/security_content_object_abstract.py CHANGED Viewed

@@ -12,6 +12,7 @@ import re
 import abc
 import uuid
 import datetime
+import pprint
 from pydantic import BaseModel, field_validator, Field, ValidationInfo, FilePath, HttpUrl, NonNegativeInt, ConfigDict, model_validator, model_serializer
 from typing import Tuple, Optional, List, Union
 import pathlib
@@ -181,6 +182,22 @@ class SecurityContentObject_Abstract(BaseModel, abc.ABC):
         for object in all_objects:
             name_dict[str(pathlib.Path(object.file_path))] = object
         return name_dict
+    def __repr__(self)->str:
+        # Just use the model_dump functionality that
+        # has already been written. This loses some of the
+        # richness where objects reference themselves, but
+        # is usable
+        m = self.model_dump()
+        return pprint.pformat(m, indent=3)
+    def __str__(self)->str:
+        return(self.__repr__())

contentctl/objects/baseline.py CHANGED Viewed

@@ -31,7 +31,6 @@ class Baseline(SecurityContentObject):
     search: str = Field(..., min_length=4)
     how_to_implement: str = Field(..., min_length=4)
     known_false_positives: str = Field(..., min_length=4)
-    check_references: bool = False #Validation is done in order, this field must be defined first
     tags: BaselineTags = Field(...)
     # enrichment

contentctl/objects/config.py CHANGED Viewed

@@ -154,6 +154,10 @@ class Config_Base(BaseModel):
     path: DirectoryPath = Field(default=DirectoryPath("."), description="The root of your app.")
     app:CustomApp = Field(default_factory=CustomApp)
+    verbose:bool = Field(default=False, description="Enable verbose error logging, including a stacktrace. "
+                         "This option makes debugging contentctl errors much easier, but produces way more "
+                         "output than is useful under most uses cases. "
+                         "Please use this flag if you are submitting a bug report or issue on GitHub.")
     @field_serializer('path',when_used='always')
     def serialize_path(path: DirectoryPath)->str:
@@ -269,14 +273,6 @@ class Infrastructure(BaseModel):
     instance_name: str = Field(...)
-class deploy_rest(build):
-    model_config = ConfigDict(use_enum_values=True,validate_default=True, arbitrary_types_allowed=True)
-    target:Infrastructure = Infrastructure(instance_name="splunk_target_host", instance_address="localhost")
-    #This will overwrite existing content without promprting for confirmation
-    overwrite_existing_content:bool = Field(default=True, description="Overwrite existing macros and savedsearches in your enviornment")
 class Container(Infrastructure):
     model_config = ConfigDict(use_enum_values=True,validate_default=True, arbitrary_types_allowed=True)
     instance_address:str = Field(default="localhost", description="Address of your splunk server.")

contentctl/objects/detection_tags.py CHANGED Viewed

@@ -145,7 +145,7 @@ class DetectionTags(BaseModel):
     @model_validator(mode="after")
     def addAttackEnrichment(self, info:ValidationInfo):
         if len(self.mitre_attack_enrichments) > 0:
-            raise ValueError(f"Error, field 'mitre_attack_enrichment' should be empty and dynamically populated at runtime. Instead, this field contained: {str(v)}")
+            raise ValueError(f"Error, field 'mitre_attack_enrichment' should be empty and dynamically populated at runtime. Instead, this field contained: {self.mitre_attack_enrichments}")
         output_dto:Union[DirectorOutputDto,None]= info.context.get("output_dto",None)
         if output_dto is None:

contentctl/objects/macro.py CHANGED Viewed

@@ -9,13 +9,14 @@ if TYPE_CHECKING:
 from contentctl.objects.security_content_object import SecurityContentObject
-MACROS_TO_IGNORE = set(["_filter", "drop_dm_object_name"])
-#Should all of the following be included as well?
-MACROS_TO_IGNORE.add("get_asset" )
-MACROS_TO_IGNORE.add("get_risk_severity")
-MACROS_TO_IGNORE.add("cim_corporate_web_domain_search")
-MACROS_TO_IGNORE.add("prohibited_processes")
+#The following macros are included in commonly-installed apps.
+#As such, we will ignore if they are missing from our app.
+#Included in
+MACROS_TO_IGNORE = set(["drop_dm_object_name"]) # Part of CIM/Splunk_SA_CIM
+MACROS_TO_IGNORE.add("get_asset") #SA-IdentityManagement, part of Enterprise Security
+MACROS_TO_IGNORE.add("get_risk_severity") #SA-ThreatIntelligence, part of Enterprise Security
+MACROS_TO_IGNORE.add("cim_corporate_web_domain_search") #Part of CIM/Splunk_SA_CIM
+#MACROS_TO_IGNORE.add("prohibited_processes")
 class Macro(SecurityContentObject):

contentctl/output/yml_writer.py CHANGED Viewed

@@ -8,4 +8,42 @@ class YmlWriter:
     def writeYmlFile(file_path : str, obj : dict[Any,Any]) -> None:
         with open(file_path, 'w') as outfile:
-            yaml.safe_dump(obj, outfile, default_flow_style=False, sort_keys=False)
+            yaml.safe_dump(obj, outfile, default_flow_style=False, sort_keys=False)
+    @staticmethod
+    def writeDetection(file_path: str, obj: dict[Any,Any]) -> None:
+        output = dict()
+        output["name"] = obj["name"]
+        output["id"] = obj["id"]
+        output["version"] = obj["version"]
+        output["date"] = obj["date"]
+        output["author"] = obj["author"]
+        output["type"] = obj["type"]
+        output["status"] = obj["status"]
+        output["data_source"] = obj['data_sources']
+        output["description"] = obj["description"]
+        output["search"] = obj["search"]
+        output["how_to_implement"] = obj["how_to_implement"]
+        output["known_false_positives"] = obj["known_false_positives"]
+        output["references"] = obj["references"]
+        output["tags"] = obj["tags"]
+        output["tests"] = obj["tags"]
+        YmlWriter.writeYmlFile(file_path=file_path, obj=output)
+    @staticmethod
+    def writeStory(file_path: str, obj: dict[Any,Any]) -> None:
+        output = dict()
+        output['name'] = obj['name']
+        output['id'] = obj['id']
+        output['version'] = obj['version']
+        output['date'] = obj['date']
+        output['author'] = obj['author']
+        output['description'] = obj['description']
+        output['narrative'] = obj['narrative']
+        output['references'] = obj['references']
+        output['tags'] = obj['tags']
+        YmlWriter.writeYmlFile(file_path=file_path, obj=output)

{contentctl-4.0.5.dist-info → contentctl-4.1.1.dist-info}/METADATA RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: contentctl
-Version: 4.0.5
+Version: 4.1.1
 Summary: Splunk Content Control Tool
 License: Apache 2.0
 Author: STRT
@@ -10,25 +10,24 @@ Classifier: License :: Other/Proprietary License
 Classifier: Programming Language :: Python :: 3
 Classifier: Programming Language :: Python :: 3.11
 Classifier: Programming Language :: Python :: 3.12
-Requires-Dist: Jinja2 (>=3.1.2,<4.0.0)
+Requires-Dist: Jinja2 (>=3.1.4,<4.0.0)
 Requires-Dist: PyYAML (>=6.0.1,<7.0.0)
 Requires-Dist: attackcti (>=0.3.7,<0.4.0)
 Requires-Dist: bottle (>=0.12.25,<0.13.0)
 Requires-Dist: docker (>=7.1.0,<8.0.0)
 Requires-Dist: gitpython (>=3.1.43,<4.0.0)
 Requires-Dist: pycvesearch (>=1.2,<2.0)
-Requires-Dist: pydantic (>=2.5.1,<3.0.0)
+Requires-Dist: pydantic (>=2.7.1,<3.0.0)
 Requires-Dist: pygit2 (>=1.14.1,<2.0.0)
-Requires-Dist: pysigma (>=0.10.8,<0.11.0)
-Requires-Dist: pysigma-backend-splunk (>=1.0.3,<2.0.0)
+Requires-Dist: pysigma (>=0.11.5,<0.12.0)
+Requires-Dist: pysigma-backend-splunk (>=1.1.0,<2.0.0)
 Requires-Dist: questionary (>=2.0.1,<3.0.0)
 Requires-Dist: requests (>=2.32.2,<2.33.0)
 Requires-Dist: semantic-version (>=2.10.0,<3.0.0)
-Requires-Dist: setuptools (>=69.5.1,<70.0.0)
+Requires-Dist: setuptools (>=69.5.1,<71.0.0)
 Requires-Dist: splunk-sdk (>=2.0.1,<3.0.0)
-Requires-Dist: tqdm (>=4.66.1,<5.0.0)
+Requires-Dist: tqdm (>=4.66.4,<5.0.0)
 Requires-Dist: tyro (>=0.8.3,<0.9.0)
-Requires-Dist: validators (>=0.22.0,<0.23.0)
 Requires-Dist: xmltodict (>=0.13.0,<0.14.0)
 Description-Content-Type: text/markdown

{contentctl-4.0.5.dist-info → contentctl-4.1.1.dist-info}/RECORD RENAMED Viewed

@@ -1,9 +1,7 @@
 contentctl/__init__.py,sha256=IMjkMO3twhQzluVTo8Z6rE7Eg-9U79_LGKMcsWLKBkY,22
-contentctl/actions/acs_deploy.py,sha256=mf3uk495H1EU_LNN-TiOsYCo18HMGoEBMb6ojeTr0zw,1418
-contentctl/actions/apav_deploy.py,sha256=vjq-24zCLRvNyS0FSLyE4L2b4etG-qo4OM6Z9P0NYK4,2999
-contentctl/actions/api_deploy.py,sha256=h8r_CjsQo4RXzBN4Q8DqoPh6e7JfNDoXdcxT1nrsaRQ,6965
 contentctl/actions/build.py,sha256=BVc-1E63zeUQ9wWAHTC_fLNvfEK5YT3Z6_QLiE72TQs,4765
 contentctl/actions/convert.py,sha256=0KBWLxvP1hSPXpExePqpOQPRvlQLamvPLyQqeTIWNbk,704
+contentctl/actions/deploy_acs.py,sha256=mf3uk495H1EU_LNN-TiOsYCo18HMGoEBMb6ojeTr0zw,1418
 contentctl/actions/detection_testing/DetectionTestingManager.py,sha256=zg8JasDjCpSC-yhseEyUwO8qbDJIUJbhlus9Li9ZAnA,8818
 contentctl/actions/detection_testing/GitService.py,sha256=Rm5Usc0EZk87rk1W8eKyED6b5CdD0YUQZMjkPfk3ztU,8666
 contentctl/actions/detection_testing/generate_detection_coverage_badge.py,sha256=N5mznaeErVak3mOBwsd0RDBFJO3bku0EZvpayCyU-uk,2259
@@ -18,34 +16,35 @@ contentctl/actions/detection_testing/views/DetectionTestingViewWeb.py,sha256=6me
 contentctl/actions/doc_gen.py,sha256=YNc1VYA0ikL1hWDHYjfEOmUkfhy8PEIdvTyC4ZLxQRY,863
 contentctl/actions/initialize.py,sha256=2h3_A68mNWcyZjbrKF-OeQXBi5p4Zu3z74K7QxEtII4,1749
 contentctl/actions/initialize_old.py,sha256=0qXbW_fNDvkcnEeL6Zpte8d-hpTu1REyzHsXOCY-YB8,9333
-contentctl/actions/inspect.py,sha256=31v7hISc8B8w5tyMnBPSDb3AHRpm-K9rn-WqJRegzBQ,12628
-contentctl/actions/new_content.py,sha256=vhpZAIpsBPjrdsQQlVxRPdymM8xa5ju9XE3sa8S-ni4,6013
+contentctl/actions/inspect.py,sha256=6gVVKmV5CUUYOkNNVTMPKj9bM1uXVthgGCoFKZGDeS8,12628
+contentctl/actions/new_content.py,sha256=4gTlxV0fmdsSETPX4T9uQPpIAm--Jf2vc6Vm3w-RkfI,6128
 contentctl/actions/release_notes.py,sha256=akkFfLhsJuaPUyjsb6dLlKt9cUM-JApAjTFQMbYoXeM,13115
 contentctl/actions/reporting.py,sha256=MJEmvmoA1WnSFZEU9QM6daL_W94oOX0WXAcX1qAM2As,1583
-contentctl/actions/test.py,sha256=JXW1CR-tTM2kJ-U5NRG8quY3JlnOb4OmCBgX24XYWJ0,4896
-contentctl/actions/validate.py,sha256=-yZuhFBzqZvtT5FOFO4o4-U72tv6urrAG9QCFwqX4os,2363
-contentctl/contentctl.py,sha256=qiowJPiIdMkh8KkbiYhDyVBc1sKJTBKEXhZDwMC-mAk,10083
+contentctl/actions/test.py,sha256=dx7f750_MrlvysxOmOdIro1bH0iVKF4K54TSwhvU2MU,5146
+contentctl/actions/validate.py,sha256=6_M5IMi68Pv4CNw69balQTkfRdjMTurUUv7z8BpGh3Y,2454
+contentctl/api.py,sha256=FBOpRhbBCBdjORmwe_8MPQ3PRZ6T0KrrFcfKovVFkug,6343
+contentctl/contentctl.py,sha256=Vr2cuvaPjpJpYvD9kVoYq7iD6rhLQEpTKmcGoq4emhA,10470
 contentctl/enrichments/attack_enrichment.py,sha256=EkEloG3hMmPTloPyYiVkhq3iT_BieXaJmprJ5stfyRw,6732
-contentctl/enrichments/cve_enrichment.py,sha256=r5a2DVpbz7wBW8iU4-OhXmSmJQ28JnFDQJt8XZ96MVo,3934
+contentctl/enrichments/cve_enrichment.py,sha256=IzkKSdnQi3JrAUUyLpcGA_Y2g_B7latq9bOIMlaMpGg,2315
 contentctl/enrichments/splunk_app_enrichment.py,sha256=zDNHFLZTi2dJ1gdnh0sHkD6F1VtkblqFnhacFcCMBfc,3418
 contentctl/helper/link_validator.py,sha256=-XorhxfGtjLynEL1X4hcpRMiyemogf2JEnvLwhHq80c,7139
 contentctl/helper/logger.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 contentctl/helper/utils.py,sha256=iZ6keMdTCs1XySiDVoGIGkMSxD_eDUphwEW-VUYA6vM,15659
 contentctl/input/backend_splunk_ba.py,sha256=Y70tJqgaUM0nzfm2SiGMof4HkhY84feqf-xnRx1xPb4,5861
-contentctl/input/director.py,sha256=CNAzSpO2fjjnhyezOGn9u5QiKq3Xqq7rHI-X9LrpyCo,10716
+contentctl/input/director.py,sha256=JsmN35xamnMNl3Wug7KGVLFbVfa5F7jf0ToHEwXFcqM,10965
 contentctl/input/new_content_questions.py,sha256=o4prlBoUhEMxqpZukquI9WKbzfFJfYhEF7a8m2q_BEE,5565
 contentctl/input/sigma_converter.py,sha256=ATFNW7boNngp5dmWM7Gr4rMZrUKjvKW2_qu28--FdiU,19391
 contentctl/input/ssa_detection_builder.py,sha256=43B7q4A8MEMjUU-FR7UapO80deW6BooV9WYzZWxcvgI,8377
 contentctl/input/yml_reader.py,sha256=oaal24UP8rDXkCmN5I3GnIheZrsgkhbKOlzXtyhB474,1475
-contentctl/objects/abstract_security_content_objects/detection_abstract.py,sha256=YRbDXBFk_To77jyCkUqhswLV4n9IwJGTSDaiAnI7sFU,30167
-contentctl/objects/abstract_security_content_objects/security_content_object_abstract.py,sha256=cdBb7Yb3vYkD8xRKMWPG8Aq7oAKfw9fRIBGvjYw8zT0,8065
+contentctl/objects/abstract_security_content_objects/detection_abstract.py,sha256=BPY0D_evVu4n3xGE7uGJRP5RKOtPbNKNPnZqvo0qC1A,33311
+contentctl/objects/abstract_security_content_objects/security_content_object_abstract.py,sha256=IVr26xFrIlTvsqQoqwYl4cmcfaP9BeYt9I0QTriKmwE,8451
 contentctl/objects/alert_action.py,sha256=E9gjCn5C31h0sN7k90KNe4agRxFFSnMW_Z-Ri_3YQss,1335
 contentctl/objects/atomic.py,sha256=a_G_iliAm86BunpAAG86aAL3LAEGpd9Crp7t7-PxYvI,8979
 contentctl/objects/base_test.py,sha256=6hCL9K-N_jJx1zLbuZQCsB93_XWj6JcGGs2PbbjzJWo,1028
 contentctl/objects/base_test_result.py,sha256=dPupudgeXW64Emk9YJfS5JhUXbZwpEZrrx_DiqbRgvU,4752
-contentctl/objects/baseline.py,sha256=x9vXa45kT2Qu7xQ0icPLvVJLFF6Hrj9svqdbuKtHzDc,2248
+contentctl/objects/baseline.py,sha256=Lb1vJKtDdlDrzWgrdkC9oQao_TnRrOxSwOWHf4trtaU,2150
 contentctl/objects/baseline_tags.py,sha256=JLdlCUc_DEccMQD6f-sa2qD8pcxYiwMUT_sRZEhW7ZA,2978
-contentctl/objects/config.py,sha256=lwiEJu9M3KVP8krH3ieI-4Yke-nI1dRYbStouLmHIWo,43708
+contentctl/objects/config.py,sha256=tK0BY4A9Go5jp8tpOSwgczuOAyu9dMPvC0nyOHeO-74,43642
 contentctl/objects/constants.py,sha256=1LjiK9A7t0aHHkJz2mrW-DImdW1P98GPssTwmwNNI_M,3468
 contentctl/objects/correlation_search.py,sha256=B97vCt2Ew7PGgqd5Y9l6RD3DJdy51Eh7Gzkxxs2xqZ0,36891
 contentctl/objects/data_source.py,sha256=ELNsNsarVHJgytPTcaGZOoWgub2v_-Q0xtc_-xUM8yg,405
@@ -57,14 +56,14 @@ contentctl/objects/deployment_rba.py,sha256=YFLSKzLU7s8Bt1cJkSBWlfCsc_2MfgiwyaDi
 contentctl/objects/deployment_scheduling.py,sha256=bQjbJHNaUGdU1VAGV8-nFOHzHutbIlt7FZpUvR1CV4Y,198
 contentctl/objects/deployment_slack.py,sha256=P6z8OLHDKcDWx7nbKWasqBc3dFRatGcpO2GtmxzVV8I,135
 contentctl/objects/detection.py,sha256=3W41cXf3ECjWuPqWrseqSLC3PAA7O5_nENWWM6MPK0Y,620
-contentctl/objects/detection_tags.py,sha256=dYCa4SfoqRiSOwYpbWo93vLGPxy6V9pArCZMWb5fxZs,10238
+contentctl/objects/detection_tags.py,sha256=QR906JN8cf5et5aPf-AluEEyP3IvdUQ_KzxKffMSjrc,10261
 contentctl/objects/enums.py,sha256=2gLRtJ-dHW_xMFdbjOp0LaX_fEV0V-YAZn2JY9gUzJ8,14030
 contentctl/objects/integration_test.py,sha256=W_VksBN_cRo7DTXdr1aLujjS9mgkEp0uvoNpmL0dVnQ,1273
 contentctl/objects/integration_test_result.py,sha256=DrIZRRlILSHGcsK_Rlm3KJLnbKPtIen8uEPFi4ZdJ8s,370
 contentctl/objects/investigation.py,sha256=JRoZxc_qi1fu_VFTRaxOc3B7zzSzCfEURsNzWPUCrtY,2620
 contentctl/objects/investigation_tags.py,sha256=nFpMRKBVBsW21YW_vy2G1lXaSARX-kfFyrPoCyE77Q8,1280
 contentctl/objects/lookup.py,sha256=P8YbzdDAj_MsTBJTEsym35zhQjiN9Eq0MlfON-qvuTM,4556
-contentctl/objects/macro.py,sha256=qUnS1UuGrq2nXj49N2qmwzZDJwyfTCqu3KSZMB6CfWk,2451
+contentctl/objects/macro.py,sha256=9nE-bxkFhtaltHOUCr0luU8jCCthmglHjhKs6Q2YzLU,2684
 contentctl/objects/mitre_attack_enrichment.py,sha256=bWrMG-Xj3knmULR5q2YZk7mloJBdQUzU1moZfEw9lQM,1073
 contentctl/objects/notable_action.py,sha256=ValkblBaG-60TF19y_vSnNzoNZ3eg48wIfr0qZxyKTA,1605
 contentctl/objects/observable.py,sha256=-nbVASkwyLpstWQk9Za1Hyjg0etGHiZArg7doEOS02k,1156
@@ -127,7 +126,7 @@ contentctl/output/templates/savedsearches_investigations.j2,sha256=aFIDK4NqtsZr3
 contentctl/output/templates/transforms.j2,sha256=-cSoie0LgJwibtW-GMhc9BQlmS6h1s1Vykm9O2M0f9Y,1456
 contentctl/output/templates/workflow_actions.j2,sha256=DFoZVnCa8dMRHjW2AdpoydBC0THgiH_W-Nx7WI4-uR4,925
 contentctl/output/yml_output.py,sha256=xtTD3f_WWy8O6Joi4S8gG9paot8JpQFRlwt17_ek5B4,2682
-contentctl/output/yml_writer.py,sha256=UsVhIJ-QmDB3B3GKiapMZ_ZBCJt_mefBzVmUwD9WfNw,271
+contentctl/output/yml_writer.py,sha256=zZJ3aK-l0YQXbDweS-XZKejHblyhy2eliSthZZEogUs,1668
 contentctl/templates/README,sha256=Hg4LI9g_ss8o3u060woDkhunLXHMtKOhuFK2i-xJpuM,133
 contentctl/templates/app_default.yml,sha256=kDeYdJbfMADQPcho8iH1nqgTFrHNt4EXnIJjPHc2unI,6390
 contentctl/templates/app_template/README/essoc_story_detail.txt,sha256=7hFPBfPpRH28TFl7QchKceZLewQqgFjRWDlmxZzwpmo,897
@@ -141,7 +140,6 @@ contentctl/templates/app_template/default/content-version.conf,sha256=TGzX6qLdzR
 contentctl/templates/app_template/default/data/ui/nav/default.xml,sha256=fKN53HZCtNJbQqq_5pP8e5-5m30DRrJittr6q5s6V_0,236
 contentctl/templates/app_template/default/data/ui/views/escu_summary.xml,sha256=jQhkIthPgEEptCJ2wUCj2lWGHBvUl6JGsKkDfONloxI,8635
 contentctl/templates/app_template/default/data/ui/views/feedback.xml,sha256=uM71EMK2uFz8h68nOTNKGnYxob3HhE_caSL6yA-3H-k,696
-contentctl/templates/app_template/default/distsearch.conf,sha256=5fa9bNr9WuVI2_8tTIftvrRwk27Oz3rUoKh6_xlASFw,156
 contentctl/templates/app_template/default/usage_searches.conf,sha256=mFnhAHGhFHIzl8xxA626thnAjyxs5ZQQfur1PP_Xmbg,4257
 contentctl/templates/app_template/default/use_case_library.conf,sha256=zWuCOOl8SiP7Kit2s-de4KRu3HySLtBSXcp1QnJx0ec,168
 contentctl/templates/app_template/lookups/mitre_enrichment.csv,sha256=tifPQjFoQHtvpb78hxSP2fKHnHeehNbZDwUjdvc0aEM,66072
@@ -165,8 +163,8 @@ contentctl/templates/detections/web/.gitkeep,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRk
 contentctl/templates/macros/security_content_ctime.yml,sha256=Gg1YNllHVsX_YB716H1SJLWzxXZEfuJlnsgB2fuyoHU,159
 contentctl/templates/macros/security_content_summariesonly.yml,sha256=9BYUxAl2E4Nwh8K19F3AJS8Ka7ceO6ZDBjFiO3l3LY0,162
 contentctl/templates/stories/cobalt_strike.yml,sha256=rlaXxMN-5k8LnKBLPafBoksyMtlmsPMHPJOjTiMiZ-M,3063
-contentctl-4.0.5.dist-info/LICENSE.md,sha256=hQWUayRk-pAiOZbZnuy8djmoZkjKBx8MrCFpW-JiOgo,11344
-contentctl-4.0.5.dist-info/METADATA,sha256=64TV2vSygHoDN_WRiXDgUUvIZizbDqPFRNKMdM3RZiU,19751
-contentctl-4.0.5.dist-info/WHEEL,sha256=sP946D7jFCHeNz5Iq4fL4Lu-PrWrFsgfLXbbkciIZwg,88
-contentctl-4.0.5.dist-info/entry_points.txt,sha256=5bjZ2NkbQfSwK47uOnA77yCtjgXhvgxnmCQiynRF_-U,57
-contentctl-4.0.5.dist-info/RECORD,,
+contentctl-4.1.1.dist-info/LICENSE.md,sha256=hQWUayRk-pAiOZbZnuy8djmoZkjKBx8MrCFpW-JiOgo,11344
+contentctl-4.1.1.dist-info/METADATA,sha256=ZKt2bKUc9AoQMA8TTIQy4Ohx-GiXEWbX0DxQeJcXvu8,19706
+contentctl-4.1.1.dist-info/WHEEL,sha256=sP946D7jFCHeNz5Iq4fL4Lu-PrWrFsgfLXbbkciIZwg,88
+contentctl-4.1.1.dist-info/entry_points.txt,sha256=5bjZ2NkbQfSwK47uOnA77yCtjgXhvgxnmCQiynRF_-U,57
+contentctl-4.1.1.dist-info/RECORD,,

contentctl/actions/apav_deploy.py DELETED Viewed

@@ -1,98 +0,0 @@
-import splunklib.client as client
-import multiprocessing
-import http.server
-import time
-import sys
-import subprocess
-import os
-class Deploy:
-    def __init__(self, args):
-        #First, check to ensure that the legal ack is correct. If not, quit
-        if args.acs_legal_ack != "Y":
-            raise(Exception(f"Error - must supply 'acs-legal-ack=Y', not 'acs-legal-ack={args.acs_legal_ack}'"))
-        self.acs_legal_ack = args.acs_legal_ack
-        self.app_package = args.app_package
-        if not os.path.exists(self.app_package):
-            raise(Exception(f"Error - app_package file {self.app_package} does not exist"))
-        self.username = args.username
-        self.password = args.password
-        self.server = args.server
-        self.deploy_to_splunk_cloud()
-        #self.http_process = self.start_http_server()
-        #self.install_app()
-    def deploy_to_splunk_cloud(self):
-        commandline = f"acs apps install private --acs-legal-ack={self.acs_legal_ack} "\
-                f"--app-package {self.app_package} --server {self.server} --username "\
-                f"{self.username} --password {self.password}"
-        try:
-            res = subprocess.run(args = commandline.split(' '), )
-        except Exception as e:
-            raise(Exception(f"Error deploying to Splunk Cloud Instance: {str(e)}"))
-        print(res.returncode)
-        if res.returncode != 0:
-            raise(Exception("Error deploying to Splunk Cloud Instance. Review output to diagnose error."))
-    '''
-    def install_app_local(self) -> bool:
-        #Connect to the service
-        time.sleep(1)
-        #self.http_process.start()
-        #time.sleep(2)
-        print(f"Connecting to server {self.host}")
-        try:
-            service = client.connect(host=self.host, port=self.api_port, username=self.username, password=self.password)
-            assert isinstance(service, client.Service)
-        except Exception as e:
-            raise(Exception(f"Failure connecting the Splunk Search Head: {str(e)}"))
-        #Install the app
-        try:
-            params = {'name': self.server_app_path}
-            res = service.post('apps/appinstall', **params)
-            #Check the result?
-            print(f"Successfully installed {self.server_app_path}!")
-        except Exception as e:
-            raise(Exception(f"Failure installing the app {self.server_app_path}: {str(e)}"))
-        #Query and list all of the installed apps
-        try:
-            all_apps = service.apps
-        except Exception as e:
-            print(f"Failed listing all apps: {str(e)}")
-            return False
-        print("Installed apps:")
-        for count, app in enumerate(all_apps):
-            print("\t{count}.  {app.name}")
-        print(f"Installing app {self.path}")
-        self.http_process.terminate()
-        return True
-    '''

contentctl 4.0.5__py3-none-any.whl → 4.1.1__py3-none-any.whl

contentctl 4.0.5py3-none-any.whl → 4.1.1py3-none-any.whl