contentctl 4.2.5__py3-none-any.whl → 4.3.1__py3-none-any.whl

{contentctl-4.2.5.dist-info → contentctl-4.3.1.dist-info}/RECORD

@@ -1,11 +1,10 @@
 contentctl/__init__.py,sha256=IMjkMO3twhQzluVTo8Z6rE7Eg-9U79_LGKMcsWLKBkY,22
-contentctl/actions/build.py,sha256=mGm1F8jWdj547uJVSEWZBZcEyjoO4QpPKWhJOpRwR94,5739
-contentctl/actions/convert.py,sha256=0KBWLxvP1hSPXpExePqpOQPRvlQLamvPLyQqeTIWNbk,704
+contentctl/actions/build.py,sha256=FXMub_CAVN4kTks3RLHBm8O9qtFV2EkSSNld7FzCPd0,5035
 contentctl/actions/deploy_acs.py,sha256=mf3uk495H1EU_LNN-TiOsYCo18HMGoEBMb6ojeTr0zw,1418
 contentctl/actions/detection_testing/DetectionTestingManager.py,sha256=zg8JasDjCpSC-yhseEyUwO8qbDJIUJbhlus9Li9ZAnA,8818
 contentctl/actions/detection_testing/GitService.py,sha256=W1vnDDt8JvIL7Z1Lve3D3RS7h8qwMxrW0BMXVGuDZDM,9007
 contentctl/actions/detection_testing/generate_detection_coverage_badge.py,sha256=N5mznaeErVak3mOBwsd0RDBFJO3bku0EZvpayCyU-uk,2259
-contentctl/actions/detection_testing/infrastructures/DetectionTestingInfrastructure.py,sha256=fDiyntUFXGi3OKNCL02Pr-4PLzX3dKWcD5UiTYoOkYA,53002
+contentctl/actions/detection_testing/infrastructures/DetectionTestingInfrastructure.py,sha256=1PxEnhWSFgiOtIlqRD10gRShjB65i9vLiFEnwHSGf4o,55139
 contentctl/actions/detection_testing/infrastructures/DetectionTestingInfrastructureContainer.py,sha256=REM3WB-DQAczeknGAKMzJhnvHgnt-u9yDG2UKGVj2vM,6854
 contentctl/actions/detection_testing/infrastructures/DetectionTestingInfrastructureServer.py,sha256=Q1ZfCYOp54O39bgTScZMInkmZiU-bGAM9Hiwr2mq5ms,370
 contentctl/actions/detection_testing/progress_bar.py,sha256=OK9oRnPlzPAswt9KZNYID-YLHxqaYPY821kIE4-rCeA,3244
@@ -21,7 +20,7 @@ contentctl/actions/new_content.py,sha256=o5ZYBQ216RN6TnW_wRxVGJybx2SsJ7ht4PAi1dw
 contentctl/actions/release_notes.py,sha256=akkFfLhsJuaPUyjsb6dLlKt9cUM-JApAjTFQMbYoXeM,13115
 contentctl/actions/reporting.py,sha256=MJEmvmoA1WnSFZEU9QM6daL_W94oOX0WXAcX1qAM2As,1583
 contentctl/actions/test.py,sha256=dx7f750_MrlvysxOmOdIro1bH0iVKF4K54TSwhvU2MU,5146
-contentctl/actions/validate.py,sha256=2iFhyhh_LXyMAXtkxnYai7CONSVx4Hb8RftEs_Z_7mI,5649
+contentctl/actions/validate.py,sha256=2MQ8yumCKj7zD8iUuA5gfFEMcE-GPRzYqkvuOexn0JA,5633
 contentctl/api.py,sha256=FBOpRhbBCBdjORmwe_8MPQ3PRZ6T0KrrFcfKovVFkug,6343
 contentctl/contentctl.py,sha256=SxWFMYquSYQAATrTBpvfj4j5DRedsOF2xO96ASs74wA,10505
 contentctl/enrichments/attack_enrichment.py,sha256=dVwXcULSeZJuQbeTlPpKDyEB9Y6uCy0UGWI83gPLTI0,6735
@@ -31,13 +30,10 @@ contentctl/helper/link_validator.py,sha256=-XorhxfGtjLynEL1X4hcpRMiyemogf2JEnvLw
 contentctl/helper/logger.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 contentctl/helper/splunk_app.py,sha256=PZf60Z3ALQLJQ6I--cbWTCzvOMPGsjZSns1BFrZu4S4,9549
 contentctl/helper/utils.py,sha256=8ICRvE7DUiNL9BK4Hw71hCLFbd3R2u86OwKeDOdaBTY,19454
-contentctl/input/backend_splunk_ba.py,sha256=Y70tJqgaUM0nzfm2SiGMof4HkhY84feqf-xnRx1xPb4,5861
-contentctl/input/director.py,sha256=w-3aMrFGmfLb8vRzI-rP6K-JlmqYOwZS7OLjU_cOlck,12598
+contentctl/input/director.py,sha256=kTqdN_rCzRMn4dR32hPaVyx2llhAxyhJgoGjowhsHzs,10887
 contentctl/input/new_content_questions.py,sha256=o4prlBoUhEMxqpZukquI9WKbzfFJfYhEF7a8m2q_BEE,5565
-contentctl/input/sigma_converter.py,sha256=ATFNW7boNngp5dmWM7Gr4rMZrUKjvKW2_qu28--FdiU,19391
-contentctl/input/ssa_detection_builder.py,sha256=4wjgV-WQaJltPHxqd455lNU_8Dn-OlEaqYO8dvIsZ6c,8279
 contentctl/input/yml_reader.py,sha256=hyVUYhx4Ka8C618kP2D_E3sDUKEQGC6ty_QZQArHKd4,1489
-contentctl/objects/abstract_security_content_objects/detection_abstract.py,sha256=TP2FAbcJ3B1xTTKSRh8-p2FfNgnTVIruprp_WMNyJGw,35388
+contentctl/objects/abstract_security_content_objects/detection_abstract.py,sha256=V3pglFS5HYdPURIQFdNlHQfXYYr7-xLClrXiMUsb9rw,34745
 contentctl/objects/abstract_security_content_objects/security_content_object_abstract.py,sha256=7tv-WEiUUOvZkao272J9l1IvL0y12kJ6SWLsMeWv9VE,9820
 contentctl/objects/alert_action.py,sha256=E9gjCn5C31h0sN7k90KNe4agRxFFSnMW_Z-Ri_3YQss,1335
 contentctl/objects/atomic.py,sha256=BP27gP8KHeODp6UazhVFxwDQ64wuJCARGsLfIH34h7U,8768
@@ -45,8 +41,8 @@ contentctl/objects/base_test.py,sha256=7kAV0njoXaasA-Mt3Zxeq-NFwFF5Z9U85k5cEYW1i
 contentctl/objects/base_test_result.py,sha256=ZEAC2IUwUrW_-zHoaS7zp-uBBKIVTS8TcMXjkMByjF4,5006
 contentctl/objects/baseline.py,sha256=Lb1vJKtDdlDrzWgrdkC9oQao_TnRrOxSwOWHf4trtaU,2150
 contentctl/objects/baseline_tags.py,sha256=fVhLF-NmisavybB_idu3N0Con0Ymj8clKfRMkWzBB-k,1762
-contentctl/objects/config.py,sha256=ha18aqKmkYqAvM8YI124q6JYxesYRon9rc0NMWFzCS4,43762
-contentctl/objects/constants.py,sha256=1LjiK9A7t0aHHkJz2mrW-DImdW1P98GPssTwmwNNI_M,3468
+contentctl/objects/config.py,sha256=XpCjYIoU4XTM6RL4Nt-YjMX342FJz4R-ATDXJWexHNs,43615
+contentctl/objects/constants.py,sha256=lfCcr1DsTZvANHj4Ee1_sEV-SebHwAn41-5EvmoEX2E,3537
 contentctl/objects/correlation_search.py,sha256=QZp1u-dwTZl9hkUOlJdHQ9h4Hp2bDHWWCKtrp3mvIUY,48310
 contentctl/objects/data_source.py,sha256=aRr6lHu-EtGmi6J2nXKD7i2ozUPtp7X-vDkQiutvD3I,1545
 contentctl/objects/deployment.py,sha256=Qc6M4yeOvxjqFKR8sfjd4CG06AbVheTOqP1mwqo4t8s,2651
@@ -70,7 +66,7 @@ contentctl/objects/macro.py,sha256=9nE-bxkFhtaltHOUCr0luU8jCCthmglHjhKs6Q2YzLU,2
 contentctl/objects/mitre_attack_enrichment.py,sha256=JqSDnKF0-ZTaxUgvhdYNzIAt-7kNaEBvGr_5Bbfdwr8,1072
 contentctl/objects/notable_action.py,sha256=ValkblBaG-60TF19y_vSnNzoNZ3eg48wIfr0qZxyKTA,1605
 contentctl/objects/notable_event.py,sha256=ITcwLzeatSGpe8267PYN-EhgqOSoWTfciCBVu8zjOXE,682
-contentctl/objects/observable.py,sha256=loEkmo7RPl383Jq-i5BmSnAqpTeh80d6ai7PDeWuxF0,1211
+contentctl/objects/observable.py,sha256=pw0Ehi_KMb7nXzw2kuw1FnCknpD8zDkCAqBTa-M_F28,1313
 contentctl/objects/playbook.py,sha256=hSYYpdMhctgpp7uwaPciFqu1yuFI4M1NHy1WBBLyvzM,2469
 contentctl/objects/playbook_tags.py,sha256=NrhTGcgoYSGEZggrfebko0GBOXN9x05IadRUUL_CVfQ,1436
 contentctl/objects/risk_analysis_action.py,sha256=Glzcq99DAqqOJ2eZYCkUI3R5hA5cZGU0ZuCSinFf2R8,4278
@@ -92,13 +88,11 @@ contentctl/objects/unit_test_ssa.py,sha256=RURqXb3e0CuI5nNX8PvFucxatAvMmGSUDngVb
 contentctl/output/api_json_output.py,sha256=n3OTd5z-Vkmsn7ny6QCAar_jSMNuuJfzAQa7xq_9if4,9085
 contentctl/output/attack_nav_output.py,sha256=95iKV8U9BMMgqh6cCOw1S89Ln73xmJGgJPHTYR0L7hA,2304
 contentctl/output/attack_nav_writer.py,sha256=64ILZLmNbh2XLmbopgENkeo6t-4SRRG8xZXBmtpNd4g,2219
-contentctl/output/ba_yml_output.py,sha256=Lrk13Q9-f71i3c0oNrT50G94PxdogG4k4-MI-rTMOAo,5950
 contentctl/output/conf_output.py,sha256=7HcHM9pJLNnan1Kq_7ozvs5iOgfzqdKbO6gwxUZJVnc,9994
 contentctl/output/conf_writer.py,sha256=2TaCAPEtU-bMa7A2m7xOxh93PMpzIdhwiHiPLUCeCB4,8281
 contentctl/output/data_source_writer.py,sha256=ubFjm6XJ4T2d3oqfKwDFasITHeDj3HFmegqVN--5_ME,1635
 contentctl/output/detection_writer.py,sha256=AzxbssNLmsNIOaYKotew5-ONoyq1cQpKSGy3pe191B0,960
 contentctl/output/doc_md_output.py,sha256=gf7osH1uSrC6js3D_I72g4uDe9TaB3tsvtqCHi5znp0,3238
-contentctl/output/finding_report_writer.py,sha256=bjJR7NAxLE8vt8uU3zSDhazQzqzOdtCsUu95lVdzU_w,3939
 contentctl/output/jinja_writer.py,sha256=bdiqr9FaXYxth4wZ1A52zTMAS5stHNGpezTkaS5pres,1119
 contentctl/output/json_writer.py,sha256=Z-iVLnZb8tzYATxbQtXax0dz572lVPFMNVTx-vWbnog,1007
 contentctl/output/new_content_yml_output.py,sha256=ktZ9miHluqkw8jD-pn-62bjVp1sQqqQ7B53xy18DHU8,2321
@@ -163,14 +157,14 @@ contentctl/templates/deployments/escu_default_configuration_hunting.yml,sha256=h
 contentctl/templates/deployments/escu_default_configuration_ttp.yml,sha256=1D-pvzaH1v3_yCZXaY6njmdvV4S2_Ak8uzzCOsnj9XY,548
 contentctl/templates/detections/application/.gitkeep,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 contentctl/templates/detections/cloud/.gitkeep,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-contentctl/templates/detections/endpoint/anomalous_usage_of_7zip.yml,sha256=-jp7CC3shnA9Te_0Zw6jLbLT8JnrVQvOfEUkNCQbCNo,3322
+contentctl/templates/detections/endpoint/anomalous_usage_of_7zip.yml,sha256=tw5_HVqMyx6itht6v2fz6Uqoy3EoIJ_lzVlrRABrMhY,3311
 contentctl/templates/detections/network/.gitkeep,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 contentctl/templates/detections/web/.gitkeep,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 contentctl/templates/macros/security_content_ctime.yml,sha256=Gg1YNllHVsX_YB716H1SJLWzxXZEfuJlnsgB2fuyoHU,159
 contentctl/templates/macros/security_content_summariesonly.yml,sha256=9BYUxAl2E4Nwh8K19F3AJS8Ka7ceO6ZDBjFiO3l3LY0,162
 contentctl/templates/stories/cobalt_strike.yml,sha256=rlaXxMN-5k8LnKBLPafBoksyMtlmsPMHPJOjTiMiZ-M,3063
-contentctl-4.2.5.dist-info/LICENSE.md,sha256=hQWUayRk-pAiOZbZnuy8djmoZkjKBx8MrCFpW-JiOgo,11344
-contentctl-4.2.5.dist-info/METADATA,sha256=AKuXizf44e0rPSDHXX6viX88kBtY4M8RMh01jOEucqU,19386
-contentctl-4.2.5.dist-info/WHEEL,sha256=sP946D7jFCHeNz5Iq4fL4Lu-PrWrFsgfLXbbkciIZwg,88
-contentctl-4.2.5.dist-info/entry_points.txt,sha256=5bjZ2NkbQfSwK47uOnA77yCtjgXhvgxnmCQiynRF_-U,57
-contentctl-4.2.5.dist-info/RECORD,,
+contentctl-4.3.1.dist-info/LICENSE.md,sha256=hQWUayRk-pAiOZbZnuy8djmoZkjKBx8MrCFpW-JiOgo,11344
+contentctl-4.3.1.dist-info/METADATA,sha256=MAmOisMABa1nqU_QRdevnCbhYfgBWH8N3q441doHiTc,20939
+contentctl-4.3.1.dist-info/WHEEL,sha256=sP946D7jFCHeNz5Iq4fL4Lu-PrWrFsgfLXbbkciIZwg,88
+contentctl-4.3.1.dist-info/entry_points.txt,sha256=5bjZ2NkbQfSwK47uOnA77yCtjgXhvgxnmCQiynRF_-U,57
+contentctl-4.3.1.dist-info/RECORD,,

contentctl/actions/convert.py

@@ -1,25 +0,0 @@
-
-import sys
-import shutil
-import os
-
-from dataclasses import dataclass
-
-from contentctl.input.sigma_converter import *
-from contentctl.output.yml_output import YmlOutput
-
-@dataclass(frozen=True)
-class ConvertInputDto:
-    sigma_converter_input_dto: SigmaConverterInputDto
-    output_path : str
-
-
-class Convert:
-
-    def execute(self, input_dto: ConvertInputDto) -> None:
-        sigma_converter_output_dto = SigmaConverterOutputDto([])
-        sigma_converter = SigmaConverter(sigma_converter_output_dto)
-        sigma_converter.execute(input_dto.sigma_converter_input_dto)
-
-        yml_output = YmlOutput()
-        yml_output.writeDetections(sigma_converter_output_dto.detections, input_dto.output_path)

contentctl/input/backend_splunk_ba.py

@@ -1,144 +0,0 @@
-import re
-from sigma.conversion.state import ConversionState
-from sigma.rule import SigmaRule
-from sigma.conversion.base import TextQueryBackend
-from sigma.conversion.deferred import DeferredTextQueryExpression
-from sigma.conditions import ConditionFieldEqualsValueExpression, ConditionOR, ConditionAND, ConditionNOT, ConditionItem
-from sigma.types import SigmaCompareExpression
-from sigma.exceptions import SigmaFeatureNotSupportedByBackendError
-from sigma.pipelines.splunk.splunk import splunk_sysmon_process_creation_cim_mapping, splunk_windows_registry_cim_mapping, splunk_windows_file_event_cim_mapping
-
-from contentctl.objects.ssa_detection import SSADetection
-
-from typing import ClassVar, Dict, List, Optional, Pattern, Tuple
-
-
-class SplunkBABackend(TextQueryBackend):
-    """Splunk SPL backend."""
-    precedence: ClassVar[Tuple[ConditionItem, ConditionItem, ConditionItem]] = (ConditionNOT, ConditionOR, ConditionAND)
-    group_expression : ClassVar[str] = "({expr})"
-    parenthesize : bool = True
-
-    or_token : ClassVar[str] = "OR"
-    and_token : ClassVar[str] = "AND"
-    not_token : ClassVar[str] = "NOT"
-    eq_token : ClassVar[str] = "="
-
-    field_quote: ClassVar[str] = '"'
-    field_quote_pattern: ClassVar[Pattern] = re.compile("^[\w.]+$")
-
-    str_quote : ClassVar[str] = '"'
-    escape_char : ClassVar[str] = "\\"
-    wildcard_multi : ClassVar[str] = "%"
-    wildcard_single : ClassVar[str] = "%"
-    add_escaped : ClassVar[str] = "\\"
-
-    re_expression : ClassVar[str] = "match({field}, /(?i){regex}/)=true"
-    re_escape_char : ClassVar[str] = ""
-    re_escape : ClassVar[Tuple[str]] = ('"',)
-
-    cidr_expression : ClassVar[str] = "{value}"
-
-    compare_op_expression : ClassVar[str] = "{field}{operator}{value}"
-    compare_operators : ClassVar[Dict[SigmaCompareExpression.CompareOperators, str]] = {
-        SigmaCompareExpression.CompareOperators.LT  : "<",
-        SigmaCompareExpression.CompareOperators.LTE : "<=",
-        SigmaCompareExpression.CompareOperators.GT  : ">",
-        SigmaCompareExpression.CompareOperators.GTE : ">=",
-    }
-
-    field_null_expression : ClassVar[str] = "{field} IS NOT NULL"
-
-    convert_or_as_in : ClassVar[bool] = True
-    convert_and_as_in : ClassVar[bool] = False
-    in_expressions_allow_wildcards : ClassVar[bool] = False
-    field_in_list_expression : ClassVar[str] = "{field} {op} ({list})"
-    or_in_operator : ClassVar[Optional[str]] = "IN"
-    list_separator : ClassVar[str] = ", "
-
-    unbound_value_str_expression : ClassVar[str] = '{value}'
-    unbound_value_num_expression : ClassVar[str] = '{value}'
-    unbound_value_re_expression : ClassVar[str] = '{value}'
-
-    deferred_start : ClassVar[str] = " "
-    deferred_separator : ClassVar[str] = " OR "
-    deferred_only_query : ClassVar[str] = "*"
-
-    wildcard_match_expression : ClassVar[Optional[str]] = "{field} LIKE {value}"
-
-
-    def __init__(self, processing_pipeline: Optional["sigma.processing.pipeline.ProcessingPipeline"] = None, collect_errors: bool = False, min_time : str = "-30d", max_time : str = "now", detection : SSADetection = None, field_mapping: dict = None, **kwargs):
-        super().__init__(processing_pipeline, collect_errors, **kwargs)
-        self.min_time = min_time or "-30d"
-        self.max_time = max_time or "now"
-        self.detection = detection
-        self.field_mapping = field_mapping
-
-    def finalize_query_data_model(self, rule: SigmaRule, query: str, index: int, state: ConversionState) -> str:
-
-        try:
-            fields = state.processing_state["fields"]
-        except KeyError:
-            raise SigmaFeatureNotSupportedByBackendError("No fields specified by processing pipeline")
-
-        # fields_input_parsing = ''
-        # for count, value in enumerate(fields):
-        #     fields_input_parsing = fields_input_parsing + value + '=ucast(map_get(input_event, "' + value + '"), "string", null)'
-        #     if not count == len(fields) - 1:
-        #         fields_input_parsing = fields_input_parsing + ', '
-
-        detection_str = """
-$main = from source 
-| eval timestamp = time 
-| eval metadata_uid = metadata.uid 
-""".replace("\n", " ")
-
-        parsed_fields = [] 
-
-        for field in self.field_mapping["mapping"].keys():
-            mapped_field = self.field_mapping["mapping"][field]
-            parent = 'parent'
-            i = 1
-            values = mapped_field.split('.')
-            for val in values:
-                if parent == "parent":
-                    parent = val
-                    continue
-                else:
-                    new_val = parent + '_' + val
-                if new_val in parsed_fields:
-                    parent = new_val
-                    i = i + 1
-                    continue
-
-                
-                new_val_equals = new_val + "="
-                new_val_IN = new_val + " IN"
-                if new_val_equals in query or new_val_IN in query:
-                    parser_str = '| eval ' + new_val + ' = ' + 'lower(' + parent + '.' + val + ') '
-                else:
-                    parser_str = '| eval ' + new_val + ' = ' +  parent + '.' + val + ' '
-                detection_str = detection_str + parser_str
-                parsed_fields.append(new_val)
-                parent = new_val
-                i = i + 1
-
-
-        ### Convert sigma values into lower case
-        lower_query = ""
-        in_quotes = False
-        for char in query:
-            if char == '"':
-                in_quotes = not in_quotes
-            if in_quotes:
-                lower_query += char.lower()
-            else:
-                lower_query += char
-
-        detection_str = detection_str + "| where " + lower_query
-
-        detection_str = detection_str.replace("\\\\\\\\", "\\\\")
-        return detection_str
-
-    def finalize_output_data_model(self, queries: List[str]) -> List[str]:
-        return queries