PyPI - contentctl - Versions diffs - 4.2.5__py3-none-any.whl → 4.3.0__py3-none-any.whl - Mend

contentctl 4.2.5py3-none-any.whl → 4.3.0py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (16) hide show

contentctl/actions/build.py +0 -14
contentctl/actions/validate.py +0 -1
contentctl/input/director.py +9 -44
contentctl/objects/abstract_security_content_objects/detection_abstract.py +56 -74
contentctl/objects/config.py +0 -2
{contentctl-4.2.5.dist-info → contentctl-4.3.0.dist-info}/METADATA +15 -5
{contentctl-4.2.5.dist-info → contentctl-4.3.0.dist-info}/RECORD +10 -16
contentctl/actions/convert.py +0 -25
contentctl/input/backend_splunk_ba.py +0 -144
contentctl/input/sigma_converter.py +0 -436
contentctl/input/ssa_detection_builder.py +0 -169
contentctl/output/ba_yml_output.py +0 -153
contentctl/output/finding_report_writer.py +0 -91
{contentctl-4.2.5.dist-info → contentctl-4.3.0.dist-info}/LICENSE.md +0 -0
{contentctl-4.2.5.dist-info → contentctl-4.3.0.dist-info}/WHEEL +0 -0
{contentctl-4.2.5.dist-info → contentctl-4.3.0.dist-info}/entry_points.txt +0 -0

contentctl/input/ssa_detection_builder.py DELETED Viewed

@@ -1,169 +0,0 @@
-import sys
-import re
-import os
-from pydantic import ValidationError
-from typing import List
-from contentctl.input.yml_reader import YmlReader
-from contentctl.objects.detection import Detection
-from contentctl.objects.security_content_object import SecurityContentObject
-from contentctl.objects.macro import Macro
-from contentctl.objects.mitre_attack_enrichment import MitreAttackEnrichment
-from contentctl.enrichments.cve_enrichment import CveEnrichment
-from contentctl.enrichments.splunk_app_enrichment import SplunkAppEnrichment
-from contentctl.objects.ssa_detection import SSADetection
-from contentctl.objects.constants import *
-from contentctl.enrichments.attack_enrichment import AttackEnrichment
-class SSADetectionBuilder():
-    security_content_obj : SSADetection
-    def setObject(self, path: str) -> None:
-        yml_dict = YmlReader.load_file(path)
-        self.security_content_obj = SSADetection.parse_obj(yml_dict)
-        self.security_content_obj.source = os.path.split(os.path.dirname(self.security_content_obj.file_path))[-1]
-    def addProvidingTechnologies(self) -> None:
-        if self.security_content_obj:
-            if 'Endpoint' in str(self.security_content_obj.search):
-                self.security_content_obj.providing_technologies = ["Sysmon", "Microsoft Windows","Carbon Black Response","CrowdStrike Falcon", "Symantec Endpoint Protection"]
-            if "`cloudtrail`" in str(self.security_content_obj.search):
-                self.security_content_obj.providing_technologies = ["Amazon Web Services - Cloudtrail"]
-            if '`wineventlog_security`' in self.security_content_obj.search or '`powershell`' in self.security_content_obj.search:
-                self.security_content_obj.providing_technologies = ["Microsoft Windows"]
-    def addMappings(self) -> None:
-        if self.security_content_obj:
-            keys = ['mitre_attack', 'kill_chain_phases', 'cis20', 'nist']
-            mappings = {}
-            for key in keys:
-                if key == 'mitre_attack':
-                    if getattr(self.security_content_obj.tags, 'mitre_attack_id'):
-                        mappings[key] = getattr(self.security_content_obj.tags, 'mitre_attack_id')
-                elif getattr(self.security_content_obj.tags, key):
-                    mappings[key] = getattr(self.security_content_obj.tags, key)
-            self.security_content_obj.mappings = mappings
-    def addAnnotations(self) -> None:
-        if self.security_content_obj:
-            annotations = {}
-            annotation_keys = ['mitre_attack', 'kill_chain_phases', 'cis20', 'nist',
-                'analytic_story', 'context', 'impact', 'confidence', 'cve']
-            for key in annotation_keys:
-                if key == 'mitre_attack':
-                    if getattr(self.security_content_obj.tags, 'mitre_attack_id'):
-                        annotations[key] = getattr(self.security_content_obj.tags, 'mitre_attack_id')
-                try:
-                    if getattr(self.security_content_obj.tags, key):
-                        annotations[key] = getattr(self.security_content_obj.tags, key)
-                except AttributeError as e:
-                    continue
-            self.security_content_obj.annotations = annotations
-    def addUnitTest(self) -> None:
-        if self.security_content_obj:
-            if self.security_content_obj.tests:
-                self.security_content_obj.test = self.security_content_obj.tests[0]
-    def addMitreAttackEnrichment(self, attack_enrichment: dict) -> None:
-        if self.security_content_obj:
-            if attack_enrichment:
-                if self.security_content_obj.tags.mitre_attack_id:
-                    self.security_content_obj.tags.mitre_attack_enrichments = []
-                    for mitre_attack_id in self.security_content_obj.tags.mitre_attack_id:
-                        if mitre_attack_id in attack_enrichment:
-                            mitre_attack_enrichment = MitreAttackEnrichment(
-                                mitre_attack_id = mitre_attack_id,
-                                mitre_attack_technique = attack_enrichment[mitre_attack_id]["technique"],
-                                mitre_attack_tactics = sorted(attack_enrichment[mitre_attack_id]["tactics"]),
-                                mitre_attack_groups = sorted(attack_enrichment[mitre_attack_id]["groups"])
-                            )
-                            self.security_content_obj.tags.mitre_attack_enrichments.append(mitre_attack_enrichment)
-                        else:
-                            #print("mitre_attack_id " + mitre_attack_id + " doesn't exist for detecction " + self.security_content_obj.name)
-                            raise ValueError("mitre_attack_id " + mitre_attack_id + " doesn't exist for detection " + self.security_content_obj.name)
-    def addMitreAttackEnrichmentNew(self, attack_enrichment: AttackEnrichment) -> None:
-        # We skip enriching if configured to do so
-        if attack_enrichment.use_enrichment:
-            if self.security_content_obj and self.security_content_obj.tags.mitre_attack_id:
-                self.security_content_obj.tags.mitre_attack_enrichments = []
-                for mitre_attack_id in self.security_content_obj.tags.mitre_attack_id:
-                    enrichment_obj = attack_enrichment.getEnrichmentByMitreID(mitre_attack_id)
-                    if enrichment_obj is not None:
-                        self.security_content_obj.tags.mitre_attack_enrichments.append(enrichment_obj)
-    def addCIS(self) -> None:
-        if self.security_content_obj:
-            if self.security_content_obj.tags.security_domain == "network":
-                self.security_content_obj.tags.cis20 = ["CIS 13"]
-            else:
-                self.security_content_obj.tags.cis20 = ["CIS 10"]
-    def addKillChainPhase(self) -> None:
-        if self.security_content_obj:
-            if not self.security_content_obj.tags.kill_chain_phases:
-                kill_chain_phases = list()
-                if self.security_content_obj.tags.mitre_attack_enrichments:
-                    for mitre_attack_enrichment in self.security_content_obj.tags.mitre_attack_enrichments:
-                        for mitre_attack_tactic in mitre_attack_enrichment.mitre_attack_tactics:
-                            kill_chain_phases.append(ATTACK_TACTICS_KILLCHAIN_MAPPING[mitre_attack_tactic])
-                self.security_content_obj.tags.kill_chain_phases = list(dict.fromkeys(kill_chain_phases))
-    def addNist(self) -> None:
-        if self.security_content_obj:
-            if self.security_content_obj.type == "TTP":
-                self.security_content_obj.tags.nist = ["DE.CM"]
-            else:
-                self.security_content_obj.tags.nist = ["DE.AE"]
-    def addDatamodel(self) -> None:
-        if self.security_content_obj:
-            self.security_content_obj.datamodel = []
-            data_models = [
-                "Authentication",
-                "Change",
-                "Change_Analysis",
-                "Email",
-                "Endpoint",
-                "Network_Resolution",
-                "Network_Sessions",
-                "Network_Traffic",
-                "Risk",
-                "Splunk_Audit",
-                "UEBA",
-                "Updates",
-                "Vulnerabilities",
-                "Web"
-            ]
-            for data_model in data_models:
-                if data_model in self.security_content_obj.search:
-                    self.security_content_obj.datamodel.append(data_model)
-    def addRBA(self) -> None:
-        if self.security_content_obj:
-            if self.security_content_obj.tags.risk_score >= 80:
-                self.security_content_obj.tags.risk_severity = 'high'
-            elif (self.security_content_obj.tags.risk_score >= 50 and self.security_content_obj.tags.risk_score <= 79):
-                self.security_content_obj.tags.risk_severity = 'medium'
-            else:
-                self.security_content_obj.tags.risk_severity = 'low'
-    def reset(self) -> None:
-        self.security_content_obj = None
-    def getObject(self) -> SSADetection:
-        return self.security_content_obj

contentctl/output/ba_yml_output.py DELETED Viewed

@@ -1,153 +0,0 @@
-import os
-import re
-from urllib.parse import urlparse
-from contentctl.output.yml_writer import YmlWriter
-from contentctl.objects.enums import SecurityContentType
-from contentctl.output.finding_report_writer import FindingReportObject
-from contentctl.objects.unit_test_old import UnitTestOld
-class BAYmlOutput():
-    def writeObjectsInPlace(self, objects: list) -> None:
-        for object in objects:
-            file_path = object['file_path']
-            object.pop('file_path')
-            object.pop('deprecated')
-            object.pop('experimental')
-            YmlWriter.writeYmlFile(file_path, object)
-    def writeObjects(self, objects: list, output_path: str, contentType: SecurityContentType = None) -> None:
-        for obj in objects:
-            file_name = "ssa___" + self.convertNameToFileName(obj.name, obj.tags)
-            if self.isComplexBARule(obj.search):
-                file_path = os.path.join(output_path, 'complex', file_name)
-            else:
-                file_path = os.path.join(output_path, 'srs', file_name)
-            # add research object
-            RESEARCH_SITE_BASE = 'https://research.splunk.com/'
-            research_site_url = RESEARCH_SITE_BASE + obj.source + "/" + obj.id + "/"
-            obj.tags.research_site_url = research_site_url
-            # add ocsf schema tag
-            obj.tags.event_schema = 'ocsf'
-            body = FindingReportObject.writeFindingReport(obj)
-            if obj.test:
-                test_dict = {
-                    "name": obj.name + " Unit Test",
-                    "tests": [obj.test.dict()]
-                }
-                test_dict["tests"][0]["name"] = obj.name
-                for count in range(len(test_dict["tests"][0]["attack_data"])):
-                    a = urlparse(str(test_dict["tests"][0]["attack_data"][count]["data"]))
-                    test_dict["tests"][0]["attack_data"][count]["file_name"] = os.path.basename(a.path)
-                test = UnitTestOld.parse_obj(test_dict)
-                obj.test = test
-            # create annotations object
-            obj.tags.annotations = {
-                "analytic_story": obj.tags.analytic_story,
-                "cis20": obj.tags.cis20,
-                "kill_chain_phases": obj.tags.kill_chain_phases,
-                "mitre_attack_id": obj.tags.mitre_attack_id,
-                "nist": obj.tags.nist
-            }
-            obj.runtime = "SPL2"
-            obj.internalVersion = 2
-            ### Adding detection_type as top level key for SRS detections
-            obj.detection_type = "STREAMING"
-            # remove unncessary fields
-            YmlWriter.writeYmlFile(file_path, obj.dict(
-                exclude_none=True,
-                include =
-                    {
-                        "name": True,
-                        "id": True,
-                        "version": True,
-                        "status": True,
-                        "detection_type": True,
-                        "description": True,
-                        "search": True,
-                        "how_to_implement": True,
-                        "known_false_positives": True,
-                        "references": True,
-                        "runtime": True,
-                        "internalVersion": True,
-                        "tags":
-                            {
-                                #"analytic_story": True,
-                                #"cis20" : True,
-                                #"nist": True,
-                                #"kill_chain_phases": True,
-                                "annotations": True,
-                                "mappings": True,
-                                #"mitre_attack_id": True,
-                                "risk_severity": True,
-                                "risk_score": True,
-                                "security_domain": True,
-                                "required_fields": True,
-                                "research_site_url": True,
-                                "event_schema": True
-                            },
-                        "test":
-                            {
-                                "name": True,
-                                "tests": {
-                                    '__all__':
-                                        {
-                                            "name": True,
-                                            "file": True,
-                                            "pass_condition": True,
-                                            "attack_data": {
-                                                '__all__':
-                                                {
-                                                    "file_name": True,
-                                                    "data": True,
-                                                    "source": True
-                                                }
-                                            }
-                                        }
-                                }
-                            }
-                    }
-                ))
-            # Add Finding Report Object
-            with open(file_path, 'r') as file:
-                data = file.read().replace('--finding_report--', body)
-            f = open(file_path, "w")
-            f.write(data)
-            f.close()
-    def convertNameToFileName(self, name: str, product: list):
-        file_name = name \
-            .replace(' ', '_') \
-            .replace('-','_') \
-            .replace('.','_') \
-            .replace('/','_') \
-            .lower()
-        if 'Splunk Behavioral Analytics' in product:
-            file_name = 'ssa___' + file_name + '.yml'
-        else:
-            file_name = file_name + '.yml'
-        return file_name
-    def isComplexBARule(self, search):
-        return re.findall("stats|first_time_event|adaptive_threshold", search)

contentctl/output/finding_report_writer.py DELETED Viewed

@@ -1,91 +0,0 @@
-import os
-import re
-from jinja2 import Environment, FileSystemLoader
-from contentctl.objects.ssa_detection import SSADetection
-from contentctl.objects.constants import *
-class FindingReportObject():
-    @staticmethod
-    def writeFindingReport(detection : SSADetection) -> None:
-        if detection.tags.confidence < 33:
-            detection.tags.confidence_id = 1
-        elif detection.tags.confidence < 66:
-            detection.tags.confidence_id = 2
-        else:
-            detection.tags.confidence_id = 3
-        if detection.tags.impact < 20:
-            detection.tags.impact_id = 1
-        elif detection.tags.impact < 40:
-            detection.tags.impact_id = 2
-        elif detection.tags.impact < 60:
-            detection.tags.impact_id = 3
-        elif detection.tags.impact < 80:
-            detection.tags.impact_id = 4
-        else:
-            detection.tags.impact_id = 5
-        detection.tags.kill_chain_phases_id = dict()
-        for kill_chain_phase in detection.tags.kill_chain_phases:
-            detection.tags.kill_chain_phases_id[kill_chain_phase] = SES_KILL_CHAIN_MAPPINGS[kill_chain_phase]
-        kill_chain_phase_str = "["
-        i = 0
-        for kill_chain_phase in detection.tags.kill_chain_phases_id.keys():
-            kill_chain_phase_str = kill_chain_phase_str + '{"phase": "' + kill_chain_phase + '", "phase_id": ' + str(detection.tags.kill_chain_phases_id[kill_chain_phase]) + "}"
-            if not i == (len(detection.tags.kill_chain_phases_id.keys()) - 1):
-                kill_chain_phase_str = kill_chain_phase_str + ', '
-                i = i + 1
-        kill_chain_phase_str = kill_chain_phase_str + ']'
-        detection.tags.kill_chain_phases_str = kill_chain_phase_str
-        if detection.tags.risk_score < 20:
-            detection.tags.risk_level_id = 0
-            detection.tags.risk_level = "Info"
-        elif detection.tags.risk_score < 40:
-            detection.tags.risk_level_id = 1
-            detection.tags.risk_level = "Low"
-        elif detection.tags.risk_score < 60:
-            detection.tags.risk_level_id = 2
-            detection.tags.risk_level = "Medium"
-        elif detection.tags.risk_score < 80:
-            detection.tags.risk_level_id = 3
-            detection.tags.risk_level = "High"
-        else:
-            detection.tags.risk_level_id = 4
-            detection.tags.risk_level = "Critical"
-        evidence_str = "{"
-        for i in range(len(detection.tags.required_fields)):
-            evidence_str = evidence_str + '"' + detection.tags.required_fields[i] + '": ' + detection.tags.required_fields[i].replace(".", "_")
-            if not i == (len(detection.tags.required_fields) - 1):
-                evidence_str = evidence_str + ', '
-        evidence_str = evidence_str + ', "sourceType": metadata.source_type, "source": metadata.source}'
-        detection.tags.evidence_str = evidence_str
-        analytics_story_str = "["
-        for i in range(len(detection.tags.analytic_story)):
-            analytics_story_str = analytics_story_str + '"' + detection.tags.analytic_story[i] + '"'
-            if not i == (len(detection.tags.analytic_story) - 1):
-                analytics_story_str = analytics_story_str + ', '
-        analytics_story_str = analytics_story_str + ']'
-        detection.tags.analytics_story_str = analytics_story_str
-        if "actor.user.name" in detection.tags.required_fields:
-            actor_user_name = "actor_user_name"
-        else:
-            actor_user_name = "\"Unknown\""
-        j2_env = Environment(
-            loader=FileSystemLoader(os.path.join(os.path.dirname(__file__), 'templates')),
-            trim_blocks=True)
-        template = j2_env.get_template('finding_report.j2')
-        body = template.render(detection=detection, attack_tactics_id_mapping=SES_ATTACK_TACTICS_ID_MAPPING, actor_user_name=actor_user_name)
-        return body

{contentctl-4.2.5.dist-info → contentctl-4.3.0.dist-info}/LICENSE.md RENAMED Viewed

File without changes

{contentctl-4.2.5.dist-info → contentctl-4.3.0.dist-info}/WHEEL RENAMED Viewed

File without changes

{contentctl-4.2.5.dist-info → contentctl-4.3.0.dist-info}/entry_points.txt RENAMED Viewed

File without changes

contentctl 4.2.5__py3-none-any.whl → 4.3.0__py3-none-any.whl

contentctl 4.2.5py3-none-any.whl → 4.3.0py3-none-any.whl