PyPI - contentctl - Versions diffs - 4.2.5__py3-none-any.whl → 4.3.1__py3-none-any.whl - Mend

contentctl 4.2.5py3-none-any.whl → 4.3.1py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (20) hide show

contentctl/actions/build.py +0 -14
contentctl/actions/detection_testing/infrastructures/DetectionTestingInfrastructure.py +60 -24
contentctl/actions/validate.py +0 -1
contentctl/input/director.py +9 -44
contentctl/objects/abstract_security_content_objects/detection_abstract.py +61 -74
contentctl/objects/config.py +0 -2
contentctl/objects/constants.py +5 -0
contentctl/objects/observable.py +5 -3
contentctl/templates/detections/endpoint/anomalous_usage_of_7zip.yml +2 -2
{contentctl-4.2.5.dist-info → contentctl-4.3.1.dist-info}/METADATA +16 -6
{contentctl-4.2.5.dist-info → contentctl-4.3.1.dist-info}/RECORD +14 -20
contentctl/actions/convert.py +0 -25
contentctl/input/backend_splunk_ba.py +0 -144
contentctl/input/sigma_converter.py +0 -436
contentctl/input/ssa_detection_builder.py +0 -169
contentctl/output/ba_yml_output.py +0 -153
contentctl/output/finding_report_writer.py +0 -91
{contentctl-4.2.5.dist-info → contentctl-4.3.1.dist-info}/LICENSE.md +0 -0
{contentctl-4.2.5.dist-info → contentctl-4.3.1.dist-info}/WHEEL +0 -0
{contentctl-4.2.5.dist-info → contentctl-4.3.1.dist-info}/entry_points.txt +0 -0

contentctl/output/ba_yml_output.py DELETED Viewed

@@ -1,153 +0,0 @@
-import os
-import re
-from urllib.parse import urlparse
-from contentctl.output.yml_writer import YmlWriter
-from contentctl.objects.enums import SecurityContentType
-from contentctl.output.finding_report_writer import FindingReportObject
-from contentctl.objects.unit_test_old import UnitTestOld
-class BAYmlOutput():
-    def writeObjectsInPlace(self, objects: list) -> None:
-        for object in objects:
-            file_path = object['file_path']
-            object.pop('file_path')
-            object.pop('deprecated')
-            object.pop('experimental')
-            YmlWriter.writeYmlFile(file_path, object)
-    def writeObjects(self, objects: list, output_path: str, contentType: SecurityContentType = None) -> None:
-        for obj in objects:
-            file_name = "ssa___" + self.convertNameToFileName(obj.name, obj.tags)
-            if self.isComplexBARule(obj.search):
-                file_path = os.path.join(output_path, 'complex', file_name)
-            else:
-                file_path = os.path.join(output_path, 'srs', file_name)
-            # add research object
-            RESEARCH_SITE_BASE = 'https://research.splunk.com/'
-            research_site_url = RESEARCH_SITE_BASE + obj.source + "/" + obj.id + "/"
-            obj.tags.research_site_url = research_site_url
-            # add ocsf schema tag
-            obj.tags.event_schema = 'ocsf'
-            body = FindingReportObject.writeFindingReport(obj)
-            if obj.test:
-                test_dict = {
-                    "name": obj.name + " Unit Test",
-                    "tests": [obj.test.dict()]
-                }
-                test_dict["tests"][0]["name"] = obj.name
-                for count in range(len(test_dict["tests"][0]["attack_data"])):
-                    a = urlparse(str(test_dict["tests"][0]["attack_data"][count]["data"]))
-                    test_dict["tests"][0]["attack_data"][count]["file_name"] = os.path.basename(a.path)
-                test = UnitTestOld.parse_obj(test_dict)
-                obj.test = test
-            # create annotations object
-            obj.tags.annotations = {
-                "analytic_story": obj.tags.analytic_story,
-                "cis20": obj.tags.cis20,
-                "kill_chain_phases": obj.tags.kill_chain_phases,
-                "mitre_attack_id": obj.tags.mitre_attack_id,
-                "nist": obj.tags.nist
-            }
-            obj.runtime = "SPL2"
-            obj.internalVersion = 2
-            ### Adding detection_type as top level key for SRS detections
-            obj.detection_type = "STREAMING"
-            # remove unncessary fields
-            YmlWriter.writeYmlFile(file_path, obj.dict(
-                exclude_none=True,
-                include =
-                    {
-                        "name": True,
-                        "id": True,
-                        "version": True,
-                        "status": True,
-                        "detection_type": True,
-                        "description": True,
-                        "search": True,
-                        "how_to_implement": True,
-                        "known_false_positives": True,
-                        "references": True,
-                        "runtime": True,
-                        "internalVersion": True,
-                        "tags":
-                            {
-                                #"analytic_story": True,
-                                #"cis20" : True,
-                                #"nist": True,
-                                #"kill_chain_phases": True,
-                                "annotations": True,
-                                "mappings": True,
-                                #"mitre_attack_id": True,
-                                "risk_severity": True,
-                                "risk_score": True,
-                                "security_domain": True,
-                                "required_fields": True,
-                                "research_site_url": True,
-                                "event_schema": True
-                            },
-                        "test":
-                            {
-                                "name": True,
-                                "tests": {
-                                    '__all__':
-                                        {
-                                            "name": True,
-                                            "file": True,
-                                            "pass_condition": True,
-                                            "attack_data": {
-                                                '__all__':
-                                                {
-                                                    "file_name": True,
-                                                    "data": True,
-                                                    "source": True
-                                                }
-                                            }
-                                        }
-                                }
-                            }
-                    }
-                ))
-            # Add Finding Report Object
-            with open(file_path, 'r') as file:
-                data = file.read().replace('--finding_report--', body)
-            f = open(file_path, "w")
-            f.write(data)
-            f.close()
-    def convertNameToFileName(self, name: str, product: list):
-        file_name = name \
-            .replace(' ', '_') \
-            .replace('-','_') \
-            .replace('.','_') \
-            .replace('/','_') \
-            .lower()
-        if 'Splunk Behavioral Analytics' in product:
-            file_name = 'ssa___' + file_name + '.yml'
-        else:
-            file_name = file_name + '.yml'
-        return file_name
-    def isComplexBARule(self, search):
-        return re.findall("stats|first_time_event|adaptive_threshold", search)

contentctl/output/finding_report_writer.py DELETED Viewed

@@ -1,91 +0,0 @@
-import os
-import re
-from jinja2 import Environment, FileSystemLoader
-from contentctl.objects.ssa_detection import SSADetection
-from contentctl.objects.constants import *
-class FindingReportObject():
-    @staticmethod
-    def writeFindingReport(detection : SSADetection) -> None:
-        if detection.tags.confidence < 33:
-            detection.tags.confidence_id = 1
-        elif detection.tags.confidence < 66:
-            detection.tags.confidence_id = 2
-        else:
-            detection.tags.confidence_id = 3
-        if detection.tags.impact < 20:
-            detection.tags.impact_id = 1
-        elif detection.tags.impact < 40:
-            detection.tags.impact_id = 2
-        elif detection.tags.impact < 60:
-            detection.tags.impact_id = 3
-        elif detection.tags.impact < 80:
-            detection.tags.impact_id = 4
-        else:
-            detection.tags.impact_id = 5
-        detection.tags.kill_chain_phases_id = dict()
-        for kill_chain_phase in detection.tags.kill_chain_phases:
-            detection.tags.kill_chain_phases_id[kill_chain_phase] = SES_KILL_CHAIN_MAPPINGS[kill_chain_phase]
-        kill_chain_phase_str = "["
-        i = 0
-        for kill_chain_phase in detection.tags.kill_chain_phases_id.keys():
-            kill_chain_phase_str = kill_chain_phase_str + '{"phase": "' + kill_chain_phase + '", "phase_id": ' + str(detection.tags.kill_chain_phases_id[kill_chain_phase]) + "}"
-            if not i == (len(detection.tags.kill_chain_phases_id.keys()) - 1):
-                kill_chain_phase_str = kill_chain_phase_str + ', '
-                i = i + 1
-        kill_chain_phase_str = kill_chain_phase_str + ']'
-        detection.tags.kill_chain_phases_str = kill_chain_phase_str
-        if detection.tags.risk_score < 20:
-            detection.tags.risk_level_id = 0
-            detection.tags.risk_level = "Info"
-        elif detection.tags.risk_score < 40:
-            detection.tags.risk_level_id = 1
-            detection.tags.risk_level = "Low"
-        elif detection.tags.risk_score < 60:
-            detection.tags.risk_level_id = 2
-            detection.tags.risk_level = "Medium"
-        elif detection.tags.risk_score < 80:
-            detection.tags.risk_level_id = 3
-            detection.tags.risk_level = "High"
-        else:
-            detection.tags.risk_level_id = 4
-            detection.tags.risk_level = "Critical"
-        evidence_str = "{"
-        for i in range(len(detection.tags.required_fields)):
-            evidence_str = evidence_str + '"' + detection.tags.required_fields[i] + '": ' + detection.tags.required_fields[i].replace(".", "_")
-            if not i == (len(detection.tags.required_fields) - 1):
-                evidence_str = evidence_str + ', '
-        evidence_str = evidence_str + ', "sourceType": metadata.source_type, "source": metadata.source}'
-        detection.tags.evidence_str = evidence_str
-        analytics_story_str = "["
-        for i in range(len(detection.tags.analytic_story)):
-            analytics_story_str = analytics_story_str + '"' + detection.tags.analytic_story[i] + '"'
-            if not i == (len(detection.tags.analytic_story) - 1):
-                analytics_story_str = analytics_story_str + ', '
-        analytics_story_str = analytics_story_str + ']'
-        detection.tags.analytics_story_str = analytics_story_str
-        if "actor.user.name" in detection.tags.required_fields:
-            actor_user_name = "actor_user_name"
-        else:
-            actor_user_name = "\"Unknown\""
-        j2_env = Environment(
-            loader=FileSystemLoader(os.path.join(os.path.dirname(__file__), 'templates')),
-            trim_blocks=True)
-        template = j2_env.get_template('finding_report.j2')
-        body = template.render(detection=detection, attack_tactics_id_mapping=SES_ATTACK_TACTICS_ID_MAPPING, actor_user_name=actor_user_name)
-        return body

{contentctl-4.2.5.dist-info → contentctl-4.3.1.dist-info}/LICENSE.md RENAMED Viewed

File without changes

{contentctl-4.2.5.dist-info → contentctl-4.3.1.dist-info}/WHEEL RENAMED Viewed

File without changes

{contentctl-4.2.5.dist-info → contentctl-4.3.1.dist-info}/entry_points.txt RENAMED Viewed

File without changes

contentctl 4.2.5__py3-none-any.whl → 4.3.1__py3-none-any.whl

contentctl 4.2.5py3-none-any.whl → 4.3.1py3-none-any.whl