contentctl 4.2.1__py3-none-any.whl → 4.2.4__py3-none-any.whl

contentctl/objects/risk_event.py

@@ -0,0 +1,315 @@
+import re
+from typing import Union, Optional
+
+from pydantic import BaseModel, Field, PrivateAttr, field_validator
+
+from contentctl.objects.errors import ValidationFailed
+from contentctl.objects.detection import Detection
+from contentctl.objects.observable import Observable
+
+# TODO (PEX-433): use SES_OBSERVABLE_TYPE_MAPPING
+TYPE_MAP: dict[str, list[str]] = {
+    "user": ["User"],
+    "system": ["Hostname", "IP Address", "Endpoint"],
+    "other": ["Process", "URL String", "Unknown", "Process Name"],
+}
+# TODO (PEX-433): 'Email Address', 'File Name', 'File Hash', 'Other', 'User Name', 'File',
+#   'Process Name'
+
+# TODO (PEX-433): use SES_OBSERVABLE_ROLE_MAPPING
+IGNORE_ROLES: list[str] = ["Attacker"]
+# Known valid roles: Victim, Parent Process, Child Process
+# TODO (PEX-433): 'Other', 'Target', 'Unknown'
+# TODO (PEX-433): is Other a valid role
+
+# TODO (PEX-433): do we need User Name in conjunction w/ User? User Name doesn't get mapped to
+#   "user" in risk events
+# TODO (PEX-433): similarly, do we need Process and Process Name?
+
+RESERVED_FIELDS = ["host"]
+
+
+class RiskEvent(BaseModel):
+    """Model for risk event in ES"""
+
+    # The search name (e.g. "ESCU - Windows Modify Registry EnableLinkedConnections - Rule")
+    search_name: str
+
+    # The subject of the risk event (e.g. a username, process name, system name, account ID, etc.)
+    risk_object: Union[int, str]
+
+    # The type of the risk object (e.g. user, system, or other)
+    risk_object_type: str
+
+    # The level of risk associated w/ the risk event
+    risk_score: int
+
+    # The search ID that found that generated this risk event
+    orig_sid: str
+
+    # The message for the risk event
+    risk_message: str
+
+    # The analytic stories applicable to this risk event
+    analyticstories: list[str] = Field(default=[])
+
+    # The MITRE ATT&CK IDs
+    annotations_mitre_attack: list[str] = Field(
+        alias="annotations.mitre_attack",
+        default=[]
+    )
+
+    # Private attribute caching the observable this RiskEvent is mapped to
+    _matched_observable: Optional[Observable] = PrivateAttr(default=None)
+
+    class Config:
+        # Allowing fields that aren't explicitly defined to be passed since some of the risk event's
+        # fields vary depending on the SPL which generated them
+        extra = "allow"
+
+    @field_validator("annotations_mitre_attack", "analyticstories", mode="before")
+    @classmethod
+    def _convert_str_value_to_singleton(cls, v: Union[str, list[str]]) -> list[str]:
+        """
+        Given a value, determine if its a list or a single str value; if a single value, return as a
+        singleton. Do nothing if anything else.
+        """
+        if isinstance(v, list):
+            return v
+        else:
+            return [v]
+
+    def validate_against_detection(self, detection: Detection) -> None:
+        """
+        Given the associated detection, validate the risk event against its fields
+        :param detection: the detection associated w/ this risk event
+        :raises: ValidationFailed
+        """
+        # Check risk_score
+        if self.risk_score != detection.tags.risk_score:
+            raise ValidationFailed(
+                f"Risk score observed in risk event ({self.risk_score}) does not match risk score in "
+                f"detection ({detection.tags.risk_score})."
+            )
+
+        # Check analyticstories
+        self.validate_analyticstories(detection)
+
+        # Check annotations.mitre_attack
+        self.validate_mitre_ids(detection)
+
+        # Check search_name
+        if self.search_name != f"ESCU - {detection.name} - Rule":
+            raise ValidationFailed(
+                f"Saved Search name in risk event ({self.search_name}) does not match detection name "
+                f"({detection.name})."
+            )
+
+        # Check risk_message
+        self.validate_risk_message(detection)
+
+        # TODO (PEX-433): Re-enable this check once we have refined the logic and reduced the false
+        #   positive rate in risk/obseravble matching
+        # Check several conditions against the observables
+        # self.validate_risk_against_observables(detection.tags.observable)
+
+    def validate_mitre_ids(self, detection: Detection) -> None:
+        """
+        Given the associated detection, validate the risk event's MITRE attack IDs
+        :param detection: the detection associated w/ this risk event
+        :raises: ValidationFailed
+        """
+        if sorted(self.annotations_mitre_attack) != sorted(detection.tags.mitre_attack_id):
+            raise ValidationFailed(
+                f"MITRE ATT&CK IDs in risk event ({self.annotations_mitre_attack}) do not match those"
+                f" in detection ({detection.tags.mitre_attack_id})."
+            )
+
+    def validate_analyticstories(self, detection: Detection) -> None:
+        """
+        Given the associated detection, validate the risk event's MITRE analytic stories
+        :param detection: the detection associated w/ this risk event
+        :raises: ValidationFailed
+        """
+        # Render the detection analytic_story to a list of strings before comparing
+        detection_analytic_story = [story.name for story in detection.tags.analytic_story]
+        if sorted(self.analyticstories) != sorted(detection_analytic_story):
+            raise ValidationFailed(
+                f"Analytic stories in risk event ({self.analyticstories}) do not match those"
+                f" in detection ({detection.tags.analytic_story})."
+            )
+
+    def validate_risk_message(self, detection: Detection) -> None:
+        """
+        Given the associated detection, validate the risk event's message
+        :param detection: the detection associated w/ this risk event
+        :raises: ValidationFailed
+        """
+        # Extract the field replacement tokens ("$...$")
+        field_replacement_pattern = re.compile(r"\$\S+\$")
+        tokens = field_replacement_pattern.findall(detection.tags.message)
+
+        # Check for the presence of each token in the message from the risk event
+        for token in tokens:
+            if token in self.risk_message:
+                raise ValidationFailed(
+                    f"Unreplaced field replacement string ('{token}') found in risk message:"
+                    f" {self.risk_message}"
+                )
+
+        # Convert detection source message to regex pattern; we need to first sub in a placeholder
+        # so we can escape the string, and then swap in the actual regex elements in place of the
+        # placeholder
+        tmp_placeholder = "PLACEHOLDERPATTERNFORESCAPING"
+        escaped_source_message_with_placeholder: str = re.escape(
+            field_replacement_pattern.sub(
+                tmp_placeholder,
+                detection.tags.message
+            )
+        )
+        placeholder_replacement_pattern = re.compile(tmp_placeholder)
+        final_risk_message_pattern = re.compile(
+            placeholder_replacement_pattern.sub(
+                r"[\\s\\S]*\\S[\\s\\S]*",
+                escaped_source_message_with_placeholder
+            )
+        )
+
+        # Check created regex pattern againt the observed risk message
+        if final_risk_message_pattern.match(self.risk_message) is None:
+            raise ValidationFailed(
+                "Risk message in event does not match the pattern set by the detection. Message in "
+                f"risk event: \"{self.risk_message}\". Message in detection: "
+                f"\"{detection.tags.message}\"."
+            )
+
+    def validate_risk_against_observables(self, observables: list[Observable]) -> None:
+        """
+        Given the observables from the associated detection, validate the risk event against those
+        observables
+        :param observables: the Observable objects from the detection
+        :raises: ValidationFailed
+        """
+        # Get the matched observable; will raise validation errors if no match can be made or if
+        # risk is missing values associated w/ observables
+        matched_observable = self.get_matched_observable(observables)
+
+        # The risk object type should match our mapping of observable types to risk types
+        expected_type = RiskEvent.observable_type_to_risk_type(matched_observable.type)
+        if self.risk_object_type != expected_type:
+            raise ValidationFailed(
+                f"The risk object type ({self.risk_object_type}) does not match the expected type "
+                f"based on the matched observable ({matched_observable.type}=={expected_type})."
+            )
+
+    @staticmethod
+    def observable_type_to_risk_type(observable_type: str) -> str:
+        """
+        Given a string representing the observable type, use our mapping to convert it to the
+        expected type in the risk event
+        :param observable_type: the type of the observable
+        :returns: a string (the risk object type)
+        :raises ValueError: if the observable type has not yet been mapped to a risk object type
+        """
+        # Iterate over the map and search the lists for a match
+        for risk_type in TYPE_MAP:
+            if observable_type in TYPE_MAP[risk_type]:
+                return risk_type
+
+        raise ValueError(
+            f"Observable type {observable_type} does not have a mapping to a risk type in TYPE_MAP"
+        )
+
+    # TODO (PEX-433): should this be an observable instance method? It feels less relevant to
+    #   observables themselves, as it's really only relevant to the handling of risk events
+    @staticmethod
+    def ignore_observable(observable: Observable) -> bool:
+        """
+        Given an observable, determine based on its roles if it should be ignored in risk/observable
+        matching (e.g. Attacker role observables should not generate risk events)
+        :param observable: the Observable object we are checking the roles of
+        :returns: a bool indicating whether this observable should be ignored or not
+        """
+        # TODO (PEX-433): could there be a case where an observable has both an Attacker and Victim
+        #   (or equivalent) role? If so, how should we handle ignoring it?
+        ignore = False
+        for role in observable.role:
+            if role in IGNORE_ROLES:
+                ignore = True
+                break
+        return ignore
+
+    # TODO (PEX-433): two possibilities: alway check for the field itself and the field prefixed
+    #   w/ "orig_" OR more explicitly maintain a list of known "reserved fields", like "host". I
+    #   think I like option 2 better as it can have fewer unknown side effects
+    def matches_observable(self, observable: Observable) -> bool:
+        """
+        Given an observable, check if the risk event matches is
+        :param observable: the Observable object we are comparing the risk event against
+        :returns: bool indicating a match or not
+        """
+        # When field names collide w/ reserved fields in Splunk events (e.g. sourcetype or host)
+        # they get prefixed w/ "orig_"
+        attribute_name = observable.name
+        if attribute_name in RESERVED_FIELDS:
+            attribute_name = f"orig_{attribute_name}"
+
+        # Retrieve the value of this attribute and see if it matches the risk_object
+        value: Union[str, list[str]] = getattr(self, attribute_name)
+        if isinstance(value, str):
+            value = [value]
+
+        # The value of the attribute may be a list of values, so check for any matches
+        return self.risk_object in value
+
+    def get_matched_observable(self, observables: list[Observable]) -> Observable:
+        """
+        Given a list of observables, return the one this risk event matches
+        :param observables: the list of Observable objects we are checking against
+        :returns: the matched Observable object
+        :raises ValidationFailed: if a match could not be made or if an expected field (based on
+            one of the observables) could not be found in the risk event
+        """
+        # Return the cached match if already found
+        if self._matched_observable is not None:
+            return self._matched_observable
+
+        matched_observable: Optional[Observable] = None
+
+        # Iterate over the obervables and check for a match
+        for observable in observables:
+            # Each the field name used in each observable shoud be present in the risk event
+            # TODO (PEX-433): this check is redundant I think; earlier in the unit test, observable
+            #   field
+            #   names are compared against the search result set, ensuring all are present; if all
+            #   are present in the result set, all are present in the risk event
+            if not hasattr(self, observable.name):
+                raise ValidationFailed(
+                    f"Observable field \"{observable.name}\" not found in risk event."
+                )
+
+            # Try to match the risk_object against a specific observable for the obervables with
+            # a valid role (some, like Attacker, don't get converted to risk events)
+            if not RiskEvent.ignore_observable(observable):
+                if self.matches_observable(observable):
+                    # TODO (PEX-433): This check fails as there are some instances where this is
+                    #   true (e.g. we have an observable for process and parent_process and both
+                    #   have the same name like "cmd.exe")
+                    if matched_observable is not None:
+                        raise ValueError(
+                            "Unexpected conditon: we don't expect the value corresponding to an "
+                            "observables field name to be repeated"
+                        )
+                    # NOTE: we explicitly do not break early as we want to check each observable
+                    matched_observable = observable
+
+        # Ensure we were able to match the risk event to a specific observable
+        if matched_observable is None:
+            raise ValidationFailed(
+                f"Unable to match risk event ({self.risk_object}, {self.risk_object_type}) to an "
+                "appropriate observable"
+            )
+
+        # Cache and return the matched observable
+        self._matched_observable = matched_observable
+        return self._matched_observable

contentctl/objects/ssa_detection_tags.py

@@ -53,7 +53,7 @@ class SSADetectionTags(BaseModel):
 
     @validator('cis20')
     def tags_cis20(cls, v, values):
-        pattern = '^CIS ([0-9]|1[0-9]|20)$' #DO NOT match leading zeroes and ensure no extra characters before or after the string
+        pattern = r'^CIS ([\d|1\d|20)$' #DO NOT match leading zeroes and ensure no extra characters before or after the string
         for value in v:
             if not re.match(pattern, value):
                 raise ValueError(f"CIS control '{value}' is not a valid Control ('CIS 1' -> 'CIS 20'):  {values['name']}")

contentctl/objects/story_tags.py

@@ -25,10 +25,10 @@ class StoryTags(BaseModel):
 
    # enrichment
    mitre_attack_enrichments: Optional[List[MitreAttackEnrichment]] = None
-   mitre_attack_tactics: Optional[Set[Annotated[str, Field(pattern="^T\d{4}(.\d{3})?$")]]] = None
+   mitre_attack_tactics: Optional[Set[Annotated[str, Field(pattern=r"^T\d{4}(.\d{3})?$")]]] = None
    datamodels: Optional[Set[DataModel]] = None
    kill_chain_phases: Optional[Set[KillChainPhase]] = None
-   cve: List[Annotated[str, "^CVE-[1|2][0-9]{3}-[0-9]+$"]] = []
+   cve: List[Annotated[str, r"^CVE-[1|2]\d{3}-\d+$"]] = []
    group: List[str] = Field([], description="A list of groups who leverage the techniques list in this Analytic Story.")
 
    def getCategory_conf(self) -> str:

contentctl/objects/unit_test.py

@@ -1,16 +1,8 @@
 from __future__ import annotations
-from pydantic import Field
-from typing import TYPE_CHECKING
-if TYPE_CHECKING:
-    from contentctl.objects.unit_test_attack_data import UnitTestAttackData
-    from contentctl.objects.unit_test_result import UnitTestResult
-
 from typing import Union
 
 from pydantic import Field
 
-# from contentctl.objects.security_content_object import SecurityContentObject
-# from contentctl.objects.enums import SecurityContentType
 from contentctl.objects.unit_test_baseline import UnitTestBaseline
 from contentctl.objects.unit_test_attack_data import UnitTestAttackData
 from contentctl.objects.unit_test_result import UnitTestResult
@@ -44,7 +36,7 @@ class UnitTest(BaseTest):
         Skip the test by setting its result status
         :param message: the reason for skipping
         """
-        self.result = UnitTestResult(
+        self.result = UnitTestResult(                                                               # type: ignore
             message=message,
             status=TestResultStatus.SKIP
         )

contentctl/output/data_source_writer.py

@@ -18,10 +18,10 @@ class DataSourceWriter:
             ])
             # Write the data
             for data_source in data_source_objects:
-                if data_source.supported_TA and isinstance(data_source.supported_TA, list) and len(data_source.supported_TA) > 0:
-                    supported_TA_name = data_source.supported_TA[0].get('name', '')
-                    supported_TA_version = data_source.supported_TA[0].get('version', '')
-                    supported_TA_url = data_source.supported_TA[0].get('url', '')
+                if  len(data_source.supported_TA) > 0:
+                    supported_TA_name = data_source.supported_TA[0].name
+                    supported_TA_version = data_source.supported_TA[0].version
+                    supported_TA_url = data_source.supported_TA[0].url or ''
                 else:
                     supported_TA_name = ''
                     supported_TA_version = ''

contentctl/output/templates/savedsearches_detections.j2

@@ -57,15 +57,7 @@ cron_schedule = {{ detection.deployment.scheduling.cron_schedule }}
 dispatch.earliest_time = {{ detection.deployment.scheduling.earliest_time }}
 dispatch.latest_time = {{ detection.deployment.scheduling.latest_time }}
 action.correlationsearch.enabled = 1
-{% if detection.status == "deprecated" %}
-action.correlationsearch.label = {{APP_NAME}} - Deprecated - {{ detection.name }} - Rule
-{% elif detection.status == "experimental" %}
-action.correlationsearch.label = {{APP_NAME}} - Experimental - {{ detection.name }} - Rule
-{% elif detection.type | lower == "correlation" %}
-action.correlationsearch.label = {{APP_NAME}} - RIR - {{ detection.name }} - Rule
-{% else %}
 action.correlationsearch.label = {{APP_NAME}} - {{ detection.name }} - Rule
-{% endif %}
 action.correlationsearch.annotations = {{ detection.annotations | tojson }}
 action.correlationsearch.metadata = {{ detection.getMetadata() | tojson }}
 {% if detection.deployment.scheduling.schedule_window is defined %}

{contentctl-4.2.1.dist-info → contentctl-4.2.4.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: contentctl
-Version: 4.2.1
+Version: 4.2.4
 Summary: Splunk Content Control Tool
 License: Apache 2.0
 Author: STRT
@@ -24,7 +24,7 @@ Requires-Dist: pysigma-backend-splunk (>=1.1.0,<2.0.0)
 Requires-Dist: questionary (>=2.0.1,<3.0.0)
 Requires-Dist: requests (>=2.32.2,<2.33.0)
 Requires-Dist: semantic-version (>=2.10.0,<3.0.0)
-Requires-Dist: setuptools (>=69.5.1,<71.0.0)
+Requires-Dist: setuptools (>=69.5.1,<73.0.0)
 Requires-Dist: splunk-sdk (>=2.0.1,<3.0.0)
 Requires-Dist: tqdm (>=4.66.4,<5.0.0)
 Requires-Dist: tyro (>=0.8.3,<0.9.0)
@@ -98,10 +98,7 @@ Testing is run using [GitHub Hosted Runners](https://docs.github.com/en/actions/
 
 | Requirement | Supported | Description |  Passing Integration Tests |
 | --------------------- | ----- | ---- | ------ |
-| Python <3.9 | No | No support planned.  contentctl tool uses modern language constructs not supported ion Python3.8 and below | N/A |
-| Python 3.9 | Yes | contentctl tool is written in Python | Yes (locally + GitHub Actions) |
-| Python 3.10 | Yes | contentctl tool is written in Python | Yes (locally + GitHub Actions) |
-| Python 3.11 | Yes | contentctl tool is written in Python | Yes (locally + GitHub Actions)  |
+| Python 3.11+ | Yes | contentctl tool is written in Python | Yes (locally + GitHub Actions)  |
 | Docker (local) | Yes | A running Splunk Server is required for Dynamic Testing.  contentctl can automatically create, configure, and destroy this server as a Splunk container during the lifetime of a test. | (locally + GitHub Actions) |
 | Docker (remote) | Planned | A running Splunk Server is required for Dynamic Testing.  contentctl can automatically create, configure, and destroy this server as a Splunk container during the lifetime of a test. | No |
 
@@ -113,7 +110,7 @@ It is typically recommended to install poetry to the Global Python Environment.*
 
 #### Install via pip (recommended): 
 ```
-python3.9 -m venv .venv
+python3.11 -m venv .venv
 source .venv/bin/activate
 pip install contentctl
 ```
@@ -122,7 +119,7 @@ pip install contentctl
 ```
 git clone https://github.com/splunk/contentctl
 cd contentctl
-python3.9 -m pip install poetry
+python3.11 -m pip install poetry
 poetry install
 poetry shell
 contentctl --help

{contentctl-4.2.1.dist-info → contentctl-4.2.4.dist-info}/RECORD

@@ -5,11 +5,11 @@ contentctl/actions/deploy_acs.py,sha256=mf3uk495H1EU_LNN-TiOsYCo18HMGoEBMb6ojeTr
 contentctl/actions/detection_testing/DetectionTestingManager.py,sha256=zg8JasDjCpSC-yhseEyUwO8qbDJIUJbhlus9Li9ZAnA,8818
 contentctl/actions/detection_testing/GitService.py,sha256=W1vnDDt8JvIL7Z1Lve3D3RS7h8qwMxrW0BMXVGuDZDM,9007
 contentctl/actions/detection_testing/generate_detection_coverage_badge.py,sha256=N5mznaeErVak3mOBwsd0RDBFJO3bku0EZvpayCyU-uk,2259
-contentctl/actions/detection_testing/infrastructures/DetectionTestingInfrastructure.py,sha256=VFhSHdw_0N6ol668hDkaj7yFjPsZqBoFNC8FKzWKICc,53141
-contentctl/actions/detection_testing/infrastructures/DetectionTestingInfrastructureContainer.py,sha256=HVGWCXy0GQeBqu2cVJn5H-I8GY8rwgkkc53ilO1TfZA,6846
+contentctl/actions/detection_testing/infrastructures/DetectionTestingInfrastructure.py,sha256=fDiyntUFXGi3OKNCL02Pr-4PLzX3dKWcD5UiTYoOkYA,53002
+contentctl/actions/detection_testing/infrastructures/DetectionTestingInfrastructureContainer.py,sha256=REM3WB-DQAczeknGAKMzJhnvHgnt-u9yDG2UKGVj2vM,6854
 contentctl/actions/detection_testing/infrastructures/DetectionTestingInfrastructureServer.py,sha256=Q1ZfCYOp54O39bgTScZMInkmZiU-bGAM9Hiwr2mq5ms,370
 contentctl/actions/detection_testing/progress_bar.py,sha256=OK9oRnPlzPAswt9KZNYID-YLHxqaYPY821kIE4-rCeA,3244
-contentctl/actions/detection_testing/views/DetectionTestingView.py,sha256=yneZxGnpMvkbWPCTFSWM6hoTCA-JndTMctgTGsLGNNU,7013
+contentctl/actions/detection_testing/views/DetectionTestingView.py,sha256=4UIA3BqjGpR-N4c03en1Iu5sHaiFBzfrPsnUVPaBM7A,6725
 contentctl/actions/detection_testing/views/DetectionTestingViewCLI.py,sha256=Mos0VV2CTSHtIqMPLwtEJlMEU7LE7TXFjM6GUA1G6hM,2050
 contentctl/actions/detection_testing/views/DetectionTestingViewFile.py,sha256=OJgmQgoVnzy7p1MN9bDyKGUhFWKzQc6ejc4F87uZG1I,1123
 contentctl/actions/detection_testing/views/DetectionTestingViewWeb.py,sha256=6mecacXFoTJxcHiRZSnlHos5Hca1jdedEEZfiIAhaJg,4706
@@ -21,33 +21,34 @@ contentctl/actions/new_content.py,sha256=o5ZYBQ216RN6TnW_wRxVGJybx2SsJ7ht4PAi1dw
 contentctl/actions/release_notes.py,sha256=akkFfLhsJuaPUyjsb6dLlKt9cUM-JApAjTFQMbYoXeM,13115
 contentctl/actions/reporting.py,sha256=MJEmvmoA1WnSFZEU9QM6daL_W94oOX0WXAcX1qAM2As,1583
 contentctl/actions/test.py,sha256=dx7f750_MrlvysxOmOdIro1bH0iVKF4K54TSwhvU2MU,5146
-contentctl/actions/validate.py,sha256=HfHfUTaRNx8eItociAEgQt8BEOVy9jb2yc8bKAGSsFA,3574
+contentctl/actions/validate.py,sha256=2iFhyhh_LXyMAXtkxnYai7CONSVx4Hb8RftEs_Z_7mI,5649
 contentctl/api.py,sha256=FBOpRhbBCBdjORmwe_8MPQ3PRZ6T0KrrFcfKovVFkug,6343
 contentctl/contentctl.py,sha256=Vr2cuvaPjpJpYvD9kVoYq7iD6rhLQEpTKmcGoq4emhA,10470
-contentctl/enrichments/attack_enrichment.py,sha256=EkEloG3hMmPTloPyYiVkhq3iT_BieXaJmprJ5stfyRw,6732
-contentctl/enrichments/cve_enrichment.py,sha256=IzkKSdnQi3JrAUUyLpcGA_Y2g_B7latq9bOIMlaMpGg,2315
+contentctl/enrichments/attack_enrichment.py,sha256=dVwXcULSeZJuQbeTlPpKDyEB9Y6uCy0UGWI83gPLTI0,6735
+contentctl/enrichments/cve_enrichment.py,sha256=SjiytaZktVNbfICXcZ2vZzBiQpOkug5taPtiJK-S1OE,2313
 contentctl/enrichments/splunk_app_enrichment.py,sha256=zDNHFLZTi2dJ1gdnh0sHkD6F1VtkblqFnhacFcCMBfc,3418
 contentctl/helper/link_validator.py,sha256=-XorhxfGtjLynEL1X4hcpRMiyemogf2JEnvLwhHq80c,7139
 contentctl/helper/logger.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+contentctl/helper/splunk_app.py,sha256=PZf60Z3ALQLJQ6I--cbWTCzvOMPGsjZSns1BFrZu4S4,9549
 contentctl/helper/utils.py,sha256=8ICRvE7DUiNL9BK4Hw71hCLFbd3R2u86OwKeDOdaBTY,19454
 contentctl/input/backend_splunk_ba.py,sha256=Y70tJqgaUM0nzfm2SiGMof4HkhY84feqf-xnRx1xPb4,5861
-contentctl/input/director.py,sha256=36Licm8TV62oDk1s97Y7EFGvTKAP1ryXi7NL4BXP9kU,12603
+contentctl/input/director.py,sha256=w-3aMrFGmfLb8vRzI-rP6K-JlmqYOwZS7OLjU_cOlck,12598
 contentctl/input/new_content_questions.py,sha256=o4prlBoUhEMxqpZukquI9WKbzfFJfYhEF7a8m2q_BEE,5565
 contentctl/input/sigma_converter.py,sha256=ATFNW7boNngp5dmWM7Gr4rMZrUKjvKW2_qu28--FdiU,19391
-contentctl/input/ssa_detection_builder.py,sha256=dke9mPn2VQVSpYiaGWjZn3PkqVJTe58gcT2Vifv9_yc,8159
+contentctl/input/ssa_detection_builder.py,sha256=4wjgV-WQaJltPHxqd455lNU_8Dn-OlEaqYO8dvIsZ6c,8279
 contentctl/input/yml_reader.py,sha256=hyVUYhx4Ka8C618kP2D_E3sDUKEQGC6ty_QZQArHKd4,1489
-contentctl/objects/abstract_security_content_objects/detection_abstract.py,sha256=gpyl-hnDNAxxMAHDMBZJMK10yZOq78Y6-ZMCStvrgQM,35354
-contentctl/objects/abstract_security_content_objects/security_content_object_abstract.py,sha256=zpteipbBAwBe90SOmq5ky0KIztS806jnrg1vsBr5PsM,9778
+contentctl/objects/abstract_security_content_objects/detection_abstract.py,sha256=TP2FAbcJ3B1xTTKSRh8-p2FfNgnTVIruprp_WMNyJGw,35388
+contentctl/objects/abstract_security_content_objects/security_content_object_abstract.py,sha256=7tv-WEiUUOvZkao272J9l1IvL0y12kJ6SWLsMeWv9VE,9820
 contentctl/objects/alert_action.py,sha256=E9gjCn5C31h0sN7k90KNe4agRxFFSnMW_Z-Ri_3YQss,1335
-contentctl/objects/atomic.py,sha256=a_G_iliAm86BunpAAG86aAL3LAEGpd9Crp7t7-PxYvI,8979
-contentctl/objects/base_test.py,sha256=6hCL9K-N_jJx1zLbuZQCsB93_XWj6JcGGs2PbbjzJWo,1028
-contentctl/objects/base_test_result.py,sha256=dPupudgeXW64Emk9YJfS5JhUXbZwpEZrrx_DiqbRgvU,4752
+contentctl/objects/atomic.py,sha256=BP27gP8KHeODp6UazhVFxwDQ64wuJCARGsLfIH34h7U,8768
+contentctl/objects/base_test.py,sha256=7kAV0njoXaasA-Mt3Zxeq-NFwFF5Z9U85k5cEYW1iY8,1023
+contentctl/objects/base_test_result.py,sha256=ZEAC2IUwUrW_-zHoaS7zp-uBBKIVTS8TcMXjkMByjF4,5006
 contentctl/objects/baseline.py,sha256=Lb1vJKtDdlDrzWgrdkC9oQao_TnRrOxSwOWHf4trtaU,2150
-contentctl/objects/baseline_tags.py,sha256=JLdlCUc_DEccMQD6f-sa2qD8pcxYiwMUT_sRZEhW7ZA,2978
-contentctl/objects/config.py,sha256=tK0BY4A9Go5jp8tpOSwgczuOAyu9dMPvC0nyOHeO-74,43642
+contentctl/objects/baseline_tags.py,sha256=fVhLF-NmisavybB_idu3N0Con0Ymj8clKfRMkWzBB-k,1762
+contentctl/objects/config.py,sha256=ha18aqKmkYqAvM8YI124q6JYxesYRon9rc0NMWFzCS4,43762
 contentctl/objects/constants.py,sha256=1LjiK9A7t0aHHkJz2mrW-DImdW1P98GPssTwmwNNI_M,3468
-contentctl/objects/correlation_search.py,sha256=B97vCt2Ew7PGgqd5Y9l6RD3DJdy51Eh7Gzkxxs2xqZ0,36891
-contentctl/objects/data_source.py,sha256=ThZivI3NoQybD0C0fS_f-FvhjhD5_n09IML913e1fEY,1459
+contentctl/objects/correlation_search.py,sha256=QmYUS_yIkLT6sdAodsbc_aHuLHcL9CmY1uBcQZJB8OY,47933
+contentctl/objects/data_source.py,sha256=aRr6lHu-EtGmi6J2nXKD7i2ozUPtp7X-vDkQiutvD3I,1545
 contentctl/objects/deployment.py,sha256=Qc6M4yeOvxjqFKR8sfjd4CG06AbVheTOqP1mwqo4t8s,2651
 contentctl/objects/deployment_email.py,sha256=Zu9cXZdfOP6noa_mZpiK1GrYCTgi3Mim94iLGjE674c,147
 contentctl/objects/deployment_notable.py,sha256=QhOI7HEkUuuqk0fum9SD8IpYBlbwIsJUff8s3kCKKj4,198
@@ -56,30 +57,33 @@ contentctl/objects/deployment_rba.py,sha256=YFLSKzLU7s8Bt1cJkSBWlfCsc_2MfgiwyaDi
 contentctl/objects/deployment_scheduling.py,sha256=bQjbJHNaUGdU1VAGV8-nFOHzHutbIlt7FZpUvR1CV4Y,198
 contentctl/objects/deployment_slack.py,sha256=P6z8OLHDKcDWx7nbKWasqBc3dFRatGcpO2GtmxzVV8I,135
 contentctl/objects/detection.py,sha256=3W41cXf3ECjWuPqWrseqSLC3PAA7O5_nENWWM6MPK0Y,620
-contentctl/objects/detection_tags.py,sha256=nAHRuBtltx4Rsx9htPtxizRlmQOSypYysbzqn3CQZ_I,10321
+contentctl/objects/detection_tags.py,sha256=b9dav1KJMkGXDtQLn2S7jVwnjOiMz2G5_GPd1PkGI6c,10788
 contentctl/objects/enums.py,sha256=37v7w8xCg5j5hxP3kod0S3HQ9BY-CqZulPiwhnTtEvs,14052
+contentctl/objects/errors.py,sha256=gnD99z4O00EBbMerUjt4368q8mohm3Zb9HByG3CP_A0,525
 contentctl/objects/event_source.py,sha256=G9P7rtcN5hcBNQx6DG37mR3QyQufx--T6kgQGNqQuKk,415
 contentctl/objects/integration_test.py,sha256=W_VksBN_cRo7DTXdr1aLujjS9mgkEp0uvoNpmL0dVnQ,1273
 contentctl/objects/integration_test_result.py,sha256=DrIZRRlILSHGcsK_Rlm3KJLnbKPtIen8uEPFi4ZdJ8s,370
 contentctl/objects/investigation.py,sha256=JRoZxc_qi1fu_VFTRaxOc3B7zzSzCfEURsNzWPUCrtY,2620
 contentctl/objects/investigation_tags.py,sha256=nFpMRKBVBsW21YW_vy2G1lXaSARX-kfFyrPoCyE77Q8,1280
-contentctl/objects/lookup.py,sha256=TwNQqeMPeE8sfAjChxS2yDnejI2Xf3ils3_Xdgthr5c,6924
+contentctl/objects/lookup.py,sha256=oZwBiHfRRrv2ZXdGyWIJWSWZMpuUbsXydaDDfpenk-4,7219
 contentctl/objects/macro.py,sha256=9nE-bxkFhtaltHOUCr0luU8jCCthmglHjhKs6Q2YzLU,2684
-contentctl/objects/mitre_attack_enrichment.py,sha256=bWrMG-Xj3knmULR5q2YZk7mloJBdQUzU1moZfEw9lQM,1073
+contentctl/objects/mitre_attack_enrichment.py,sha256=JqSDnKF0-ZTaxUgvhdYNzIAt-7kNaEBvGr_5Bbfdwr8,1072
 contentctl/objects/notable_action.py,sha256=ValkblBaG-60TF19y_vSnNzoNZ3eg48wIfr0qZxyKTA,1605
-contentctl/objects/observable.py,sha256=-nbVASkwyLpstWQk9Za1Hyjg0etGHiZArg7doEOS02k,1156
+contentctl/objects/notable_event.py,sha256=ITcwLzeatSGpe8267PYN-EhgqOSoWTfciCBVu8zjOXE,682
+contentctl/objects/observable.py,sha256=loEkmo7RPl383Jq-i5BmSnAqpTeh80d6ai7PDeWuxF0,1211
 contentctl/objects/playbook.py,sha256=hSYYpdMhctgpp7uwaPciFqu1yuFI4M1NHy1WBBLyvzM,2469
 contentctl/objects/playbook_tags.py,sha256=NrhTGcgoYSGEZggrfebko0GBOXN9x05IadRUUL_CVfQ,1436
-contentctl/objects/risk_analysis_action.py,sha256=bySNQX5SBIR8L7SDnlTQr_Jn29YqrPFZtSc0KxQox4Y,4288
+contentctl/objects/risk_analysis_action.py,sha256=Glzcq99DAqqOJ2eZYCkUI3R5hA5cZGU0ZuCSinFf2R8,4278
+contentctl/objects/risk_event.py,sha256=LnFg0BKnt7rMJvzxZoaFeInKP4w5onvJwOUxMWWDk6w,14303
 contentctl/objects/risk_object.py,sha256=yY4NmEwEKaRl4sLzCRZb1n8kdpV3HzYbQVQ1ClQWYHw,904
 contentctl/objects/security_content_object.py,sha256=j8KNDwSMfZsSIzJucC3NuZo0SlFVpqHfDc6y3-YHjHI,234
 contentctl/objects/ssa_detection.py,sha256=-G6tXfVVlZgPWS64hIIy3M-aMePANAuQvdpXPlgUyUs,5873
-contentctl/objects/ssa_detection_tags.py,sha256=u8annjzo3MYZ-16wyFnuR8qJJzRa4LEhdprMIrQ47G0,5224
+contentctl/objects/ssa_detection_tags.py,sha256=9aRwbpQHi79NIS9rofjgxDJpw7cWXqG534_kSbvHJh8,5220
 contentctl/objects/story.py,sha256=FXe11LV19xJTtCgx7DKdvV9cL0gKeryUnE3yjpnDmrU,4957
-contentctl/objects/story_tags.py,sha256=0oF1OePLBxa-RQPb438tXrrfosa939CP8UbNV0_S8XY,2225
+contentctl/objects/story_tags.py,sha256=puF-g61YA6eGZy9eLjp4l-5IblMrekcYtQX8EYFOvk0,2221
 contentctl/objects/test_group.py,sha256=Yb1sqGom6SkVL8B3czPndz8w3CK8WdwZ39V_cn0_JZQ,2600
 contentctl/objects/threat_object.py,sha256=S8B7RQFfLxN_g7yKPrDTuYhIy9JvQH3YwJ_T5LUZIa4,711
-contentctl/objects/unit_test.py,sha256=5EDsPNUct1UY5OtfX-VwFzhET83OmLA6XcaQiZWL1Uo,1655
+contentctl/objects/unit_test.py,sha256=AQcGdi4zEMl9PqZTRnBI87_VU7ySaHrPiBHOlquoxrM,1372
 contentctl/objects/unit_test_attack_data.py,sha256=ZmHA83O8i9VZveDAliNp_XVKOuH5ytGN9l3X8v8jm4o,480
 contentctl/objects/unit_test_baseline.py,sha256=XHvOm7qLYfqrP6uC5U_pfgw_pf8-S2RojuNmbo6lXlM,227
 contentctl/objects/unit_test_old.py,sha256=IfvytHG4ZnUhsvXgdczECZbiwv6YLViYdsk9AqeDBjQ,199
@@ -91,7 +95,7 @@ contentctl/output/attack_nav_writer.py,sha256=64ILZLmNbh2XLmbopgENkeo6t-4SRRG8xZ
 contentctl/output/ba_yml_output.py,sha256=Lrk13Q9-f71i3c0oNrT50G94PxdogG4k4-MI-rTMOAo,5950
 contentctl/output/conf_output.py,sha256=qCRT77UKNFCe4AufeBV8Uz9lkPqgpGzU1Y149RuEnis,10147
 contentctl/output/conf_writer.py,sha256=2TaCAPEtU-bMa7A2m7xOxh93PMpzIdhwiHiPLUCeCB4,8281
-contentctl/output/data_source_writer.py,sha256=55gi6toAMcjj0AxOmYMwkTHcANCfK6dezQs5aIQTW4k,1737
+contentctl/output/data_source_writer.py,sha256=ubFjm6XJ4T2d3oqfKwDFasITHeDj3HFmegqVN--5_ME,1635
 contentctl/output/detection_writer.py,sha256=AzxbssNLmsNIOaYKotew5-ONoyq1cQpKSGy3pe191B0,960
 contentctl/output/doc_md_output.py,sha256=gf7osH1uSrC6js3D_I72g4uDe9TaB3tsvtqCHi5znp0,3238
 contentctl/output/finding_report_writer.py,sha256=bjJR7NAxLE8vt8uU3zSDhazQzqzOdtCsUu95lVdzU_w,3939
@@ -123,7 +127,7 @@ contentctl/output/templates/header.j2,sha256=3usV7jm1q6J-QNnQrZzII9cN0XEGQjg_eVK
 contentctl/output/templates/macros.j2,sha256=SLcQQ5X7TZS8j-2qP06BTXqdIcnwoYqTAaBLX2Dge7Y,390
 contentctl/output/templates/panel.j2,sha256=Cw_W6p-14n6UivVfpS75KKJiJ2VpdGsSBceYsUYe9gk,221
 contentctl/output/templates/savedsearches_baselines.j2,sha256=xr05J9WJSVdwpiBoPWEejZ1hmeqInyDKyDH4kjzHP6U,1743
-contentctl/output/templates/savedsearches_detections.j2,sha256=NpQNRF6GutVpcpt7BaPOFesvZhBsAoI3CHrtYnRnbo4,6805
+contentctl/output/templates/savedsearches_detections.j2,sha256=ZEY2oxn1NXrx28OR46azAs9coX_PhK7UGfyiLZh8g2c,6381
 contentctl/output/templates/savedsearches_investigations.j2,sha256=aFIDK4NqtsZr3fb4F_tv9UQTQ2Z-n9pkP5rIocPA65Q,1259
 contentctl/output/templates/transforms.j2,sha256=-cSoie0LgJwibtW-GMhc9BQlmS6h1s1Vykm9O2M0f9Y,1456
 contentctl/output/templates/workflow_actions.j2,sha256=DFoZVnCa8dMRHjW2AdpoydBC0THgiH_W-Nx7WI4-uR4,925
@@ -165,8 +169,8 @@ contentctl/templates/detections/web/.gitkeep,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRk
 contentctl/templates/macros/security_content_ctime.yml,sha256=Gg1YNllHVsX_YB716H1SJLWzxXZEfuJlnsgB2fuyoHU,159
 contentctl/templates/macros/security_content_summariesonly.yml,sha256=9BYUxAl2E4Nwh8K19F3AJS8Ka7ceO6ZDBjFiO3l3LY0,162
 contentctl/templates/stories/cobalt_strike.yml,sha256=rlaXxMN-5k8LnKBLPafBoksyMtlmsPMHPJOjTiMiZ-M,3063
-contentctl-4.2.1.dist-info/LICENSE.md,sha256=hQWUayRk-pAiOZbZnuy8djmoZkjKBx8MrCFpW-JiOgo,11344
-contentctl-4.2.1.dist-info/METADATA,sha256=3S_M3w5I3jpYqd6NtoqTdkxWXWh5HaJ4ut9QLmNtO7k,19706
-contentctl-4.2.1.dist-info/WHEEL,sha256=sP946D7jFCHeNz5Iq4fL4Lu-PrWrFsgfLXbbkciIZwg,88
-contentctl-4.2.1.dist-info/entry_points.txt,sha256=5bjZ2NkbQfSwK47uOnA77yCtjgXhvgxnmCQiynRF_-U,57
-contentctl-4.2.1.dist-info/RECORD,,
+contentctl-4.2.4.dist-info/LICENSE.md,sha256=hQWUayRk-pAiOZbZnuy8djmoZkjKBx8MrCFpW-JiOgo,11344
+contentctl-4.2.4.dist-info/METADATA,sha256=3RsDM2IVtmjpNfbLXXS8MTkQnLYEjngx6yQyJxOeJoY,19386
+contentctl-4.2.4.dist-info/WHEEL,sha256=sP946D7jFCHeNz5Iq4fL4Lu-PrWrFsgfLXbbkciIZwg,88
+contentctl-4.2.4.dist-info/entry_points.txt,sha256=5bjZ2NkbQfSwK47uOnA77yCtjgXhvgxnmCQiynRF_-U,57
+contentctl-4.2.4.dist-info/RECORD,,