contentctl 4.1.3__py3-none-any.whl → 4.1.4__py3-none-any.whl

contentctl/actions/new_content.py

@@ -32,7 +32,6 @@ class NewContent:
         answers['status'] = "production" #start everything as production since that's what we INTEND the content to become   
         answers['description'] = 'UPDATE_DESCRIPTION'   
         file_name = answers['name'].replace(' ', '_').replace('-','_').replace('.','_').replace('/','_').lower()
-        answers['kind'] = answers['detection_kind']
         answers['search'] = answers['detection_search'] + ' | `' + file_name + '_filter`'
         del answers['detection_search']
         answers['how_to_implement'] = 'UPDATE_HOW_TO_IMPLEMENT'

contentctl/templates/app_template/default/app.conf

@@ -8,7 +8,6 @@ build = 16367
 
 [triggers]
 reload.analytic_stories = simple
-reload.usage_searches = simple
 reload.use_case_library = simple
 reload.correlationsearches = simple
 reload.analyticstories = simple

{contentctl-4.1.3.dist-info → contentctl-4.1.4.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: contentctl
-Version: 4.1.3
+Version: 4.1.4
 Summary: Splunk Content Control Tool
 License: Apache 2.0
 Author: STRT

{contentctl-4.1.3.dist-info → contentctl-4.1.4.dist-info}/RECORD

@@ -17,7 +17,7 @@ contentctl/actions/doc_gen.py,sha256=YNc1VYA0ikL1hWDHYjfEOmUkfhy8PEIdvTyC4ZLxQRY
 contentctl/actions/initialize.py,sha256=2h3_A68mNWcyZjbrKF-OeQXBi5p4Zu3z74K7QxEtII4,1749
 contentctl/actions/initialize_old.py,sha256=0qXbW_fNDvkcnEeL6Zpte8d-hpTu1REyzHsXOCY-YB8,9333
 contentctl/actions/inspect.py,sha256=6gVVKmV5CUUYOkNNVTMPKj9bM1uXVthgGCoFKZGDeS8,12628
-contentctl/actions/new_content.py,sha256=4gTlxV0fmdsSETPX4T9uQPpIAm--Jf2vc6Vm3w-RkfI,6128
+contentctl/actions/new_content.py,sha256=o5ZYBQ216RN6TnW_wRxVGJybx2SsJ7ht4PAi1dw45Yg,6076
 contentctl/actions/release_notes.py,sha256=akkFfLhsJuaPUyjsb6dLlKt9cUM-JApAjTFQMbYoXeM,13115
 contentctl/actions/reporting.py,sha256=MJEmvmoA1WnSFZEU9QM6daL_W94oOX0WXAcX1qAM2As,1583
 contentctl/actions/test.py,sha256=dx7f750_MrlvysxOmOdIro1bH0iVKF4K54TSwhvU2MU,5146
@@ -135,13 +135,12 @@ contentctl/templates/app_template/README/essoc_summary.txt,sha256=u6wYNYBqmmm7Kn
 contentctl/templates/app_template/README/essoc_usage_dashboard.txt,sha256=xYUKKVtdgzPyT3mqdTccaBZuwWnC63lbc9zyYpmHN4o,2432
 contentctl/templates/app_template/README.md,sha256=RT-J9bgRSFsEFgNr9qV6yc2LkfUH_uiMJ2RV4NM9Ymo,366
 contentctl/templates/app_template/default/analytic_stories.conf,sha256=zWuCOOl8SiP7Kit2s-de4KRu3HySLtBSXcp1QnJx0ec,168
-contentctl/templates/app_template/default/app.conf,sha256=eTSq1QI4-BgylZJgnNVg5jQCZFXJVNyEJA33lQAgYoc,685
+contentctl/templates/app_template/default/app.conf,sha256=PrW8TosZ5oVBfpB0SoLxa5vk2ewEAbVKQ6rG8g5WDSQ,654
 contentctl/templates/app_template/default/commands.conf,sha256=U2ccwUeGXKKKt5jo14QY5swi-p9_TSJtaNquOkeF3Yk,319
 contentctl/templates/app_template/default/content-version.conf,sha256=TGzX6qLdzRK7x6b0y5AE8ZF59PLU-DrRfS43fVWITqo,34
 contentctl/templates/app_template/default/data/ui/nav/default.xml,sha256=fKN53HZCtNJbQqq_5pP8e5-5m30DRrJittr6q5s6V_0,236
 contentctl/templates/app_template/default/data/ui/views/escu_summary.xml,sha256=jQhkIthPgEEptCJ2wUCj2lWGHBvUl6JGsKkDfONloxI,8635
 contentctl/templates/app_template/default/data/ui/views/feedback.xml,sha256=uM71EMK2uFz8h68nOTNKGnYxob3HhE_caSL6yA-3H-k,696
-contentctl/templates/app_template/default/usage_searches.conf,sha256=mFnhAHGhFHIzl8xxA626thnAjyxs5ZQQfur1PP_Xmbg,4257
 contentctl/templates/app_template/default/use_case_library.conf,sha256=zWuCOOl8SiP7Kit2s-de4KRu3HySLtBSXcp1QnJx0ec,168
 contentctl/templates/app_template/lookups/mitre_enrichment.csv,sha256=tifPQjFoQHtvpb78hxSP2fKHnHeehNbZDwUjdvc0aEM,66072
 contentctl/templates/app_template/metadata/default.meta,sha256=tcYHZkDF44ApDoDQ_rp8MCA8cuT3DVd5atHgulR1Tvc,423
@@ -164,8 +163,8 @@ contentctl/templates/detections/web/.gitkeep,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRk
 contentctl/templates/macros/security_content_ctime.yml,sha256=Gg1YNllHVsX_YB716H1SJLWzxXZEfuJlnsgB2fuyoHU,159
 contentctl/templates/macros/security_content_summariesonly.yml,sha256=9BYUxAl2E4Nwh8K19F3AJS8Ka7ceO6ZDBjFiO3l3LY0,162
 contentctl/templates/stories/cobalt_strike.yml,sha256=rlaXxMN-5k8LnKBLPafBoksyMtlmsPMHPJOjTiMiZ-M,3063
-contentctl-4.1.3.dist-info/LICENSE.md,sha256=hQWUayRk-pAiOZbZnuy8djmoZkjKBx8MrCFpW-JiOgo,11344
-contentctl-4.1.3.dist-info/METADATA,sha256=VxqSwKj59aGzVSuESf7w0PefidDnsaFwre-MlIh6nLI,19706
-contentctl-4.1.3.dist-info/WHEEL,sha256=sP946D7jFCHeNz5Iq4fL4Lu-PrWrFsgfLXbbkciIZwg,88
-contentctl-4.1.3.dist-info/entry_points.txt,sha256=5bjZ2NkbQfSwK47uOnA77yCtjgXhvgxnmCQiynRF_-U,57
-contentctl-4.1.3.dist-info/RECORD,,
+contentctl-4.1.4.dist-info/LICENSE.md,sha256=hQWUayRk-pAiOZbZnuy8djmoZkjKBx8MrCFpW-JiOgo,11344
+contentctl-4.1.4.dist-info/METADATA,sha256=gyBEu2sSknwen-oTm0WdQtCvaPgbWuJBd4jvPuel6iQ,19706
+contentctl-4.1.4.dist-info/WHEEL,sha256=sP946D7jFCHeNz5Iq4fL4Lu-PrWrFsgfLXbbkciIZwg,88
+contentctl-4.1.4.dist-info/entry_points.txt,sha256=5bjZ2NkbQfSwK47uOnA77yCtjgXhvgxnmCQiynRF_-U,57
+contentctl-4.1.4.dist-info/RECORD,,

contentctl/templates/app_template/default/usage_searches.conf

@@ -1,73 +0,0 @@
-[escu-metrics-usage]
-action.email.useNSSubject = 1
-alert.digest_mode = True
-alert.suppress = 0
-alert.track = 0
-auto_summarize.dispatch.earliest_time = -1d@h
-dispatchAs = user
-search = index=_audit sourcetype="audittrail" \
-"ESCU - "\
-`comment("Find all the search names in the audittrail.")`\
-| stats count(search) by search savedsearch_name user\
-| eval usage=(if(savedsearch_name=="","Adhoc","Scheduled")) \
-`comment("If the savedsearch_name field in the audittrail is empty, the search was run adhoc. Otherwise it was run as a scheduled search")`\
-| rex field=search "\"(?<savedsearch_name>.*)\""\
-`comment("Extract the name of the search from the search string")`\
-| table savedsearch_name count(search) usage user | join savedsearch_name max=0 type=left [search sourcetype="manifests" | spath searches{} | mvexpand searches{} | spath input=searches{} | table category search_name | rename search_name as savedsearch_name | dedup savedsearch_name] | search category=*
-
-[escu-metrics-search]
-action.email.useNSSubject = 1
-alert.suppress = 0
-alert.track = 0
-auto_summarize.dispatch.earliest_time = -1d@h
-enableSched = 1
-cron_schedule = 0 0 * * *
-dispatch.earliest_time = -4h@h
-dispatch.latest_time = -1h@h
-search = index=_audit action=search | transaction search_id maxspan=3m | search ESCU | stats sum(total_run_time) avg(total_run_time) max(total_run_time) sum(result_count)
-
-[escu-metrics-search-events]
-action.email.useNSSubject = 1
-alert.digest_mode = True
-alert.suppress = 0
-alert.track = 0
-auto_summarize.dispatch.earliest_time = -1d@h
-cron_schedule = 0 0 * * *
-enableSched = 1
-dispatch.earliest_time = -4h@h
-dispatch.latest_time = -1h@h
-search = [search index=_audit sourcetype="audittrail" \"ESCU NOT "index=_audit" | where search !="" | dedup search_id | rex field=search "\"(?<search_name>.*)\"" | rex field=_raw "user=(?<user>[a-zA-Z0-9_\-]+)" | eval usage=if(savedsearch_name!="", "scheduled", "adhoc") | eval savedsearch_name=if(savedsearch_name != "", savedsearch_name, search_name) | table savedsearch_name search_id user _time usage | outputlookup escu_search_id.csv | table search_id] index=_audit total_run_time event_count result_count NOT "index=_audit" | lookup escu_search_id.csv search_id | stats count(savedsearch_name) AS search_count avg(total_run_time) AS search_avg_run_time sum(total_run_time) AS search_total_run_time sum(result_count) AS search_total_results earliest(_time) AS firsts latest(_time) AS lasts by savedsearch_name user usage| eval first_run=strftime(firsts, "%B %d %Y") | eval last_run=strftime(lasts, "%B %d %Y")
-
-[escu-metrics-search-longest-runtime]
-action.email.useNSSubject = 1
-alert.digest_mode = True
-alert.suppress = 0
-alert.track = 0
-auto_summarize.dispatch.earliest_time = -1d@h
-enableSched = 1
-cron_schedule = 0 0 * * *
-disabled = 1
-dispatch.earliest_time = -4h@h
-dispatch.latest_time = -1h@h
-search = index=_* ESCU [search index=_* action=search latest=-2h earliest=-1d| transaction search_id maxspan=3m | search ESCU | stats values(total_run_time) AS run by search_id | sort -run | head 1| table search_id] | table search search_id
-
-[escu-metrics-usage-search]
-action.email.useNSSubject = 1
-alert.digest_mode = True
-alert.suppress = 0
-alert.track = 0
-auto_summarize.dispatch.earliest_time = -1d@h
-cron_schedule = 0 0 * * *
-dispatch.earliest_time = -4h@h
-dispatch.latest_time = -1h@h
-enableSched = 1
-dispatchAs = user
-search = index=_audit sourcetype="audittrail" \
-"ESCU - "\
-`comment("Find all the search names in the audittrail. Ignore the last few minutes so we can exclude this search's text from the result.")`\
-| stats count(search) by search savedsearch_name user\
-| eval usage=(if(savedsearch_name=="","Adhoc","Scheduled")) \
-`comment("If the savedsearch_name field in the audittrail is empty, the search was run adhoc. Otherwise it was run as a scheduled search")`\
-| rex field=search "\"(?<savedsearch_name>.*)\""\
-`comment("Extract the name of the search from the search string")`\
-| table savedsearch_name count(search) usage user | join savedsearch_name max=0 type=left [search sourcetype="manifests" | spath searches{} | mvexpand searches{} | spath input=searches{} | table category search_name | rename search_name as savedsearch_name | dedup savedsearch_name] | search category=*