contentctl 4.3.2__py3-none-any.whl → 4.3.4__py3-none-any.whl

contentctl/objects/correlation_search.py

@@ -575,10 +575,11 @@ class CorrelationSearch(BaseModel):
             self.logger.debug(f"Using cached risk events ({len(self._risk_events)} total).")
             return self._risk_events
 
+        # TODO (#248): Refactor risk/notable querying to pin to a single savedsearch ID
         # Search for all risk events from a single scheduled search (indicated by orig_sid)
         query = (
             f'search index=risk search_name="{self.name}" [search index=risk search '
-            f'search_name="{self.name}" | head 1 | fields orig_sid] | tojson'
+            f'search_name="{self.name}" | tail 1 | fields orig_sid] | tojson'
         )
         result_iterator = self._search(query)
 
@@ -643,7 +644,7 @@ class CorrelationSearch(BaseModel):
         # Search for all notable events from a single scheduled search (indicated by orig_sid)
         query = (
             f'search index=notable search_name="{self.name}" [search index=notable search '
-            f'search_name="{self.name}" | head 1 | fields orig_sid] | tojson'
+            f'search_name="{self.name}" | tail 1 | fields orig_sid] | tojson'
         )
         result_iterator = self._search(query)
 
@@ -686,15 +687,17 @@ class CorrelationSearch(BaseModel):
             check the risks/notables
         :returns: an IntegrationTestResult on failure; None on success
         """
-        # TODO (PEX-433): Re-enable this check once we have refined the logic and reduced the false
-        #   positive rate in risk/obseravble matching
         # Create a mapping of the relevant observables to counters
-        # observables = CorrelationSearch._get_relevant_observables(self.detection.tags.observable)
-        # observable_counts: dict[str, int] = {str(x): 0 for x in observables}
-        # if len(observables) != len(observable_counts):
-        #     raise ClientError(
-        #         f"At least two observables in '{self.detection.name}' have the same name."
-        #     )
+        observables = CorrelationSearch._get_relevant_observables(self.detection.tags.observable)
+        observable_counts: dict[str, int] = {str(x): 0 for x in observables}
+
+        # NOTE: we intentionally want this to be an error state and not a failure state, as
+        #   ultimately this validation should be handled during the build process
+        if len(observables) != len(observable_counts):
+            raise ClientError(
+                f"At least two observables in '{self.detection.name}' have the same name; "
+                "each observable for a detection should be unique."
+            )
 
         # Get the risk events; note that we use the cached risk events, expecting they were
         # saved by a prior call to risk_event_exists
@@ -710,25 +713,29 @@ class CorrelationSearch(BaseModel):
             )
             event.validate_against_detection(self.detection)
 
-            # TODO (PEX-433): Re-enable this check once we have refined the logic and reduced the
-            #   false positive rate in risk/obseravble matching
             # Update observable count based on match
-            # matched_observable = event.get_matched_observable(self.detection.tags.observable)
-            # self.logger.debug(
-            #     f"Matched risk event ({event.risk_object}, {event.risk_object_type}) to observable "
-            #     f"({matched_observable.name}, {matched_observable.type}, {matched_observable.role})"
-            # )
-            # observable_counts[str(matched_observable)] += 1
-
-        # TODO (PEX-433): test my new contentctl logic against an old ESCU build; my logic should
-        #   detect the faulty attacker events -> this was the issue from the 4.28/4.27 release;
-        #   recreate by testing against one of those old builds w/ the bad config
-        # TODO (PEX-433): Re-enable this check once we have refined the logic and reduced the false
-        #   positive
-        #   rate in risk/obseravble matching
-        # TODO (PEX-433): I foresee issues here if for example a parent and child process share a
-        #   name (matched observable could be either) -> these issues are confirmed to exist, e.g.
-        #   `Windows Steal Authentication Certificates Export Certificate`
+            matched_observable = event.get_matched_observable(self.detection.tags.observable)
+            self.logger.debug(
+                f"Matched risk event (object={event.risk_object}, type={event.risk_object_type}) "
+                f"to observable (name={matched_observable.name}, type={matched_observable.type}, "
+                f"role={matched_observable.role}) using the source field "
+                f"'{event.source_field_name}'"
+            )
+            observable_counts[str(matched_observable)] += 1
+
+        # Report any observables which did not have at least one match to a risk event
+        for observable in observables:
+            self.logger.debug(
+                f"Matched observable (name={observable.name}, type={observable.type}, "
+                f"role={observable.role}) to {observable_counts[str(observable)]} risk events."
+            )
+            if observable_counts[str(observable)] == 0:
+                raise ValidationFailed(
+                    f"Observable (name={observable.name}, type={observable.type}, "
+                    f"role={observable.role}) was not matched to any risk events."
+                )
+
+        # TODO (#250): Re-enable and refactor code that validates the specific risk counts
         # Validate risk events in aggregate; we should have an equal amount of risk events for each
         # relevant observable, and the total count should match the total number of events
         # individual_count: Optional[int] = None

contentctl/objects/detection_tags.py

@@ -33,8 +33,9 @@ from contentctl.objects.enums import (
     SecurityContentProductName
 )
 from contentctl.objects.atomic import AtomicTest
+from contentctl.objects.annotated_types import MITRE_ATTACK_ID_TYPE, CVE_TYPE
 
-
+# TODO (#266): disable the use_enum_values configuration
 class DetectionTags(BaseModel):
     # detection spec
     model_config = ConfigDict(use_enum_values=True, validate_default=False)
@@ -49,8 +50,10 @@ class DetectionTags(BaseModel):
     def risk_score(self) -> int:
         return round((self.confidence * self.impact)/100)
 
-    mitre_attack_id: List[Annotated[str, Field(pattern=r"^T\d{4}(.\d{3})?$")]] = []
+    mitre_attack_id: List[MITRE_ATTACK_ID_TYPE] = []
     nist: list[NistCategory] = []
+
+    # TODO (#249): Add pydantic validator to ensure observables are unique within a detection
     observable: List[Observable] = []
     message: str = Field(...)
     product: list[SecurityContentProductName] = Field(..., min_length=1)
@@ -68,7 +71,7 @@ class DetectionTags(BaseModel):
         else:
             return RiskSeverity('low')
 
-    cve: List[Annotated[str, r"^CVE-[1|2]\d{3}-\d+$"]] = []
+    cve: List[CVE_TYPE] = []
     atomic_guid: List[AtomicTest] = []
     drilldown_search: Optional[str] = None
 
@@ -106,6 +109,8 @@ class DetectionTags(BaseModel):
     # TODO (#221): mappings should be fleshed out into a proper class
     mappings: Optional[List] = None
     # annotations: Optional[dict] = None
+
+    # TODO (#268): Validate manual_test has length > 0 if not None
     manual_test: Optional[str] = None
 
     # The following validator is temporarily disabled pending further discussions

contentctl/objects/integration_test.py

@@ -1,5 +1,3 @@
-from typing import Union
-
 from pydantic import Field
 
 from contentctl.objects.base_test import BaseTest, TestType
@@ -13,10 +11,10 @@ class IntegrationTest(BaseTest):
     An integration test for a detection against ES
     """
     # The test type (integration)
-    test_type: TestType = Field(TestType.INTEGRATION)
+    test_type: TestType = Field(default=TestType.INTEGRATION)
 
     # The test result
-    result: Union[None, IntegrationTestResult] = None
+    result: IntegrationTestResult | None = None
 
     @classmethod
     def derive_from_unit_test(cls, unit_test: UnitTest) -> "IntegrationTest":
@@ -36,7 +34,7 @@ class IntegrationTest(BaseTest):
         Skip the test by setting its result status
         :param message: the reason for skipping
         """
-        self.result = IntegrationTestResult(
+        self.result = IntegrationTestResult(                                                        # type: ignore
             message=message,
             status=TestResultStatus.SKIP
         )

contentctl/objects/integration_test_result.py

@@ -1,13 +1,9 @@
-from typing import Optional
 from contentctl.objects.base_test_result import BaseTestResult
 
 
-SAVED_SEARCH_TEMPLATE = "{server}:{web_port}/en-US/{path}"
-
-
 class IntegrationTestResult(BaseTestResult):
     """
     An integration test result
     """
     # the total time we slept waiting for the detection to fire after activating it
-    wait_duration: Optional[int] = None
+    wait_duration: int | None = None

contentctl/objects/investigation.py

@@ -9,6 +9,7 @@ from contentctl.objects.enums import DataModel
 from contentctl.objects.investigation_tags import InvestigationTags
 
 
+# TODO (#266): disable the use_enum_values configuration
 class Investigation(SecurityContentObject):
     model_config = ConfigDict(use_enum_values=True,validate_default=False)
     type: str = Field(...,pattern="^Investigation$")

contentctl/objects/manual_test.py

@@ -0,0 +1,32 @@
+from __future__ import annotations
+
+from pydantic import Field
+
+from contentctl.objects.test_attack_data import TestAttackData
+from contentctl.objects.manual_test_result import ManualTestResult
+from contentctl.objects.base_test import BaseTest, TestType
+from contentctl.objects.base_test_result import TestResultStatus
+
+
+class ManualTest(BaseTest):
+    """
+    A manual test for a detection
+    """
+    # The test type (manual)
+    test_type: TestType = Field(default=TestType.MANUAL)
+
+    # The attack data to be ingested for the manual test
+    attack_data: list[TestAttackData]
+
+    # The result of the manual test
+    result: ManualTestResult | None = None
+
+    def skip(self, message: str) -> None:
+        """
+        Skip the test by setting its result status
+        :param message: the reason for skipping
+        """
+        self.result = ManualTestResult(                                                             # type: ignore
+            message=message,
+            status=TestResultStatus.SKIP
+        )

contentctl/objects/manual_test_result.py

@@ -0,0 +1,8 @@
+from contentctl.objects.base_test_result import BaseTestResult
+
+
+class ManualTestResult(BaseTestResult):
+    """
+    A manual test result
+    """
+    pass

contentctl/objects/mitre_attack_enrichment.py

@@ -3,6 +3,7 @@ from pydantic import BaseModel, Field, ConfigDict, HttpUrl, field_validator
 from typing import List, Annotated
 from enum import StrEnum
 import datetime
+from contentctl.objects.annotated_types import MITRE_ATTACK_ID_TYPE
 
 class MitreTactics(StrEnum):
     RECONNAISSANCE = "Reconnaissance"
@@ -82,9 +83,10 @@ class MitreAttackGroup(BaseModel):
             return []
         return contributors
 
+# TODO (#266): disable the use_enum_values configuration
 class MitreAttackEnrichment(BaseModel):
     ConfigDict(use_enum_values=True)
-    mitre_attack_id: Annotated[str, Field(pattern=r"^T\d{4}(.\d{3})?$")] = Field(...)
+    mitre_attack_id: MITRE_ATTACK_ID_TYPE = Field(...)
     mitre_attack_technique: str = Field(...)
     mitre_attack_tactics: List[MitreTactics] = Field(...)
     mitre_attack_groups: List[str] = Field(...)

contentctl/objects/risk_event.py

@@ -1,32 +1,51 @@
 import re
-from typing import Union, Optional
 
-from pydantic import BaseModel, Field, PrivateAttr, field_validator
+from pydantic import BaseModel, Field, PrivateAttr, field_validator, computed_field
 
 from contentctl.objects.errors import ValidationFailed
 from contentctl.objects.detection import Detection
 from contentctl.objects.observable import Observable
 
-# TODO (PEX-433): use SES_OBSERVABLE_TYPE_MAPPING
+# TODO (#259): Map our observable types to more than user/system
+# TODO (#247): centralize this mapping w/ usage of SES_OBSERVABLE_TYPE_MAPPING (see
+#   observable.py) and the ad hoc mapping made in detection_abstract.py (see the risk property func)
 TYPE_MAP: dict[str, list[str]] = {
-    "user": ["User"],
-    "system": ["Hostname", "IP Address", "Endpoint"],
-    "other": ["Process", "URL String", "Unknown", "Process Name"],
+    "system": [
+        "Hostname",
+        "IP Address",
+        "Endpoint"
+    ],
+    "user": [
+        "User",
+        "User Name",
+        "Email Address",
+        "Email"
+    ],
+    "hash_values": [],
+    "network_artifacts": [],
+    "host_artifacts": [],
+    "tools": [],
+    "other": [
+        "Process",
+        "URL String",
+        "Unknown",
+        "Process Name",
+        "MAC Address",
+        "File Name",
+        "File Hash",
+        "Resource UID",
+        "Uniform Resource Locator",
+        "File",
+        "Geo Location",
+        "Container",
+        "Registry Key",
+        "Registry Value",
+        "Other"
+    ]
 }
-# TODO (PEX-433): 'Email Address', 'File Name', 'File Hash', 'Other', 'User Name', 'File',
-#   'Process Name'
 
-# TODO (PEX-433): use SES_OBSERVABLE_ROLE_MAPPING
+# Roles that should not generate risks
 IGNORE_ROLES: list[str] = ["Attacker"]
-# Known valid roles: Victim, Parent Process, Child Process
-# TODO (PEX-433): 'Other', 'Target', 'Unknown'
-# TODO (PEX-433): is Other a valid role
-
-# TODO (PEX-433): do we need User Name in conjunction w/ User? User Name doesn't get mapped to
-#   "user" in risk events
-# TODO (PEX-433): similarly, do we need Process and Process Name?
-
-RESERVED_FIELDS = ["host"]
 
 
 class RiskEvent(BaseModel):
@@ -36,7 +55,7 @@ class RiskEvent(BaseModel):
     search_name: str
 
     # The subject of the risk event (e.g. a username, process name, system name, account ID, etc.)
-    risk_object: Union[int, str]
+    risk_object: int | str
 
     # The type of the risk object (e.g. user, system, or other)
     risk_object_type: str
@@ -59,8 +78,12 @@ class RiskEvent(BaseModel):
         default=[]
     )
 
+    # Contributing events search query (we use this to derive the corresponding field from the
+    # observables)
+    contributing_events_search: str
+
     # Private attribute caching the observable this RiskEvent is mapped to
-    _matched_observable: Optional[Observable] = PrivateAttr(default=None)
+    _matched_observable: Observable | None = PrivateAttr(default=None)
 
     class Config:
         # Allowing fields that aren't explicitly defined to be passed since some of the risk event's
@@ -69,7 +92,7 @@ class RiskEvent(BaseModel):
 
     @field_validator("annotations_mitre_attack", "analyticstories", mode="before")
     @classmethod
-    def _convert_str_value_to_singleton(cls, v: Union[str, list[str]]) -> list[str]:
+    def _convert_str_value_to_singleton(cls, v: str | list[str]) -> list[str]:
         """
         Given a value, determine if its a list or a single str value; if a single value, return as a
         singleton. Do nothing if anything else.
@@ -79,6 +102,25 @@ class RiskEvent(BaseModel):
         else:
             return [v]
 
+    @computed_field
+    @property
+    def source_field_name(self) -> str:
+        """
+        A cached derivation of the source field name the risk event corresponds to in the relevant
+        event(s). Useful for mapping back to an observable in the detection.
+        """
+        pattern = re.compile(
+            r"\| savedsearch \"" + self.search_name + r"\" \| search (?P<field>[^=]+)=.+"
+        )
+        match = pattern.search(self.contributing_events_search)
+        if match is None:
+            raise ValueError(
+                "Unable to parse source field name from risk event using "
+                f"'contributing_events_search' ('{self.contributing_events_search}') using "
+                f"pattern: {pattern}"
+            )
+        return match.group("field")
+
     def validate_against_detection(self, detection: Detection) -> None:
         """
         Given the associated detection, validate the risk event against its fields
@@ -108,10 +150,8 @@ class RiskEvent(BaseModel):
         # Check risk_message
         self.validate_risk_message(detection)
 
-        # TODO (PEX-433): Re-enable this check once we have refined the logic and reduced the false
-        #   positive rate in risk/obseravble matching
         # Check several conditions against the observables
-        # self.validate_risk_against_observables(detection.tags.observable)
+        self.validate_risk_against_observables(detection.tags.observable)
 
     def validate_mitre_ids(self, detection: Detection) -> None:
         """
@@ -199,7 +239,11 @@ class RiskEvent(BaseModel):
         if self.risk_object_type != expected_type:
             raise ValidationFailed(
                 f"The risk object type ({self.risk_object_type}) does not match the expected type "
-                f"based on the matched observable ({matched_observable.type}=={expected_type})."
+                f"based on the matched observable ({matched_observable.type}->{expected_type}): "
+                f"risk=(object={self.risk_object}, type={self.risk_object_type}, "
+                f"source_field_name={self.source_field_name}), "
+                f"observable=(name={matched_observable.name}, type={matched_observable.type}, "
+                f"role={matched_observable.role})"
             )
 
     @staticmethod
@@ -220,8 +264,6 @@ class RiskEvent(BaseModel):
             f"Observable type {observable_type} does not have a mapping to a risk type in TYPE_MAP"
         )
 
-    # TODO (PEX-433): should this be an observable instance method? It feels less relevant to
-    #   observables themselves, as it's really only relevant to the handling of risk events
     @staticmethod
     def ignore_observable(observable: Observable) -> bool:
         """
@@ -230,8 +272,6 @@ class RiskEvent(BaseModel):
         :param observable: the Observable object we are checking the roles of
         :returns: a bool indicating whether this observable should be ignored or not
         """
-        # TODO (PEX-433): could there be a case where an observable has both an Attacker and Victim
-        #   (or equivalent) role? If so, how should we handle ignoring it?
         ignore = False
         for role in observable.role:
             if role in IGNORE_ROLES:
@@ -239,29 +279,6 @@ class RiskEvent(BaseModel):
                 break
         return ignore
 
-    # TODO (PEX-433): two possibilities: alway check for the field itself and the field prefixed
-    #   w/ "orig_" OR more explicitly maintain a list of known "reserved fields", like "host". I
-    #   think I like option 2 better as it can have fewer unknown side effects
-    def matches_observable(self, observable: Observable) -> bool:
-        """
-        Given an observable, check if the risk event matches is
-        :param observable: the Observable object we are comparing the risk event against
-        :returns: bool indicating a match or not
-        """
-        # When field names collide w/ reserved fields in Splunk events (e.g. sourcetype or host)
-        # they get prefixed w/ "orig_"
-        attribute_name = observable.name
-        if attribute_name in RESERVED_FIELDS:
-            attribute_name = f"orig_{attribute_name}"
-
-        # Retrieve the value of this attribute and see if it matches the risk_object
-        value: Union[str, list[str]] = getattr(self, attribute_name)
-        if isinstance(value, str):
-            value = [value]
-
-        # The value of the attribute may be a list of values, so check for any matches
-        return self.risk_object in value
-
     def get_matched_observable(self, observables: list[Observable]) -> Observable:
         """
         Given a list of observables, return the one this risk event matches
@@ -274,40 +291,41 @@ class RiskEvent(BaseModel):
         if self._matched_observable is not None:
             return self._matched_observable
 
-        matched_observable: Optional[Observable] = None
+        matched_observable: Observable | None = None
 
         # Iterate over the obervables and check for a match
         for observable in observables:
+            # TODO (#252): Refactor and re-enable per-field validation of risk events
             # Each the field name used in each observable shoud be present in the risk event
-            # TODO (PEX-433): this check is redundant I think; earlier in the unit test, observable
-            #   field
-            #   names are compared against the search result set, ensuring all are present; if all
-            #   are present in the result set, all are present in the risk event
-            if not hasattr(self, observable.name):
-                raise ValidationFailed(
-                    f"Observable field \"{observable.name}\" not found in risk event."
-                )
+            # if not hasattr(self, observable.name):
+            #     raise ValidationFailed(
+            #         f"Observable field \"{observable.name}\" not found in risk event."
+            #     )
 
             # Try to match the risk_object against a specific observable for the obervables with
-            # a valid role (some, like Attacker, don't get converted to risk events)
-            if not RiskEvent.ignore_observable(observable):
-                if self.matches_observable(observable):
-                    # TODO (PEX-433): This check fails as there are some instances where this is
-                    #   true (e.g. we have an observable for process and parent_process and both
-                    #   have the same name like "cmd.exe")
-                    if matched_observable is not None:
-                        raise ValueError(
-                            "Unexpected conditon: we don't expect the value corresponding to an "
-                            "observables field name to be repeated"
-                        )
-                    # NOTE: we explicitly do not break early as we want to check each observable
-                    matched_observable = observable
+            # a valid role (some, like Attacker, shouldn't get converted to risk events)
+            if self.source_field_name == observable.name:
+                if matched_observable is not None:
+                    raise ValueError(
+                        "Unexpected conditon: we don't expect the source event field "
+                        "corresponding to an observables field name to be repeated."
+                    )
+
+                # Report any risk events we find that shouldn't be there
+                if RiskEvent.ignore_observable(observable):
+                    raise ValidationFailed(
+                        "Risk event matched an observable with an invalid role: "
+                        f"(name={observable.name}, type={observable.type}, role={observable.role})")
+                # NOTE: we explicitly do not break early as we want to check each observable
+                matched_observable = observable
 
         # Ensure we were able to match the risk event to a specific observable
         if matched_observable is None:
             raise ValidationFailed(
-                f"Unable to match risk event ({self.risk_object}, {self.risk_object_type}) to an "
-                "appropriate observable"
+                f"Unable to match risk event (object={self.risk_object}, type="
+                f"{self.risk_object_type}, source_field_name={self.source_field_name}) to an "
+                "observable; please check for errors in the observable roles/types for this "
+                "detection, as well as the risk event build process in contentctl."
             )
 
         # Cache and return the matched observable

contentctl/objects/ssa_detection.py

@@ -59,6 +59,7 @@ class SSADetection(BaseModel):
     #         raise ValueError('name is longer then 67 chars: ' + v)
     #     return v
 
+    # TODO (#266): disable the use_enum_values configuration
     class Config:
         use_enum_values = True
 

contentctl/objects/story_tags.py

@@ -6,7 +6,7 @@ from enum import Enum
 
 from contentctl.objects.mitre_attack_enrichment import MitreAttackEnrichment
 from contentctl.objects.enums import StoryCategory, DataModel, KillChainPhase, SecurityContentProductName
-
+from contentctl.objects.annotated_types import CVE_TYPE,MITRE_ATTACK_ID_TYPE
 
 class StoryUseCase(str,Enum):
    FRAUD_DETECTION = "Fraud Detection"
@@ -17,6 +17,8 @@ class StoryUseCase(str,Enum):
    INSIDER_THREAT = "Insider Threat"
    OTHER = "Other"
 
+
+# TODO (#266): disable the use_enum_values configuration
 class StoryTags(BaseModel):
    model_config = ConfigDict(extra='forbid', use_enum_values=True)
    category: List[StoryCategory] = Field(...,min_length=1)
@@ -25,10 +27,10 @@ class StoryTags(BaseModel):
 
    # enrichment
    mitre_attack_enrichments: Optional[List[MitreAttackEnrichment]] = None
-   mitre_attack_tactics: Optional[Set[Annotated[str, Field(pattern=r"^T\d{4}(.\d{3})?$")]]] = None
+   mitre_attack_tactics: Optional[Set[MITRE_ATTACK_ID_TYPE]] = None
    datamodels: Optional[Set[DataModel]] = None
    kill_chain_phases: Optional[Set[KillChainPhase]] = None
-   cve: List[Annotated[str, r"^CVE-[1|2]\d{3}-\d+$"]] = []
+   cve: List[CVE_TYPE] = []
    group: List[str] = Field([], description="A list of groups who leverage the techniques list in this Analytic Story.")
 
    def getCategory_conf(self) -> str:

contentctl/objects/{unit_test_attack_data.py → test_attack_data.py}

@@ -1,13 +1,12 @@
 from __future__ import annotations
 from pydantic import BaseModel, HttpUrl, FilePath, Field
-from typing import Union, Optional
 
 
-class UnitTestAttackData(BaseModel):
-    data: Union[HttpUrl, FilePath] = Field(...)
+class TestAttackData(BaseModel):
+    data: HttpUrl | FilePath = Field(...)
     # TODO - should source and sourcetype should be mapped to a list
     # of supported source and sourcetypes in a given environment?
     source: str = Field(...)
     sourcetype: str = Field(...)
-    custom_index: Optional[str] = None
-    host: Optional[str] = None
+    custom_index: str | None = None
+    host: str | None = None

contentctl/objects/test_group.py

@@ -2,14 +2,14 @@ from pydantic import BaseModel
 
 from contentctl.objects.unit_test import UnitTest
 from contentctl.objects.integration_test import IntegrationTest
-from contentctl.objects.unit_test_attack_data import UnitTestAttackData
+from contentctl.objects.test_attack_data import TestAttackData
 from contentctl.objects.base_test_result import TestResultStatus
 
 
 class TestGroup(BaseModel):
     """
     Groups of different types of tests relying on the same attack data
-    :param name: Name of the TestGroup (typically derived from a unit test as 
+    :param name: Name of the TestGroup (typically derived from a unit test as
         "{detection.name}:{test.name}")
     :param unit_test: a UnitTest
     :param integration_test: an IntegrationTest
@@ -18,7 +18,7 @@ class TestGroup(BaseModel):
     name: str
     unit_test: UnitTest
     integration_test: IntegrationTest
-    attack_data: list[UnitTestAttackData]
+    attack_data: list[TestAttackData]
 
     @classmethod
     def derive_from_unit_test(cls, unit_test: UnitTest, name_prefix: str) -> "TestGroup":

contentctl/objects/unit_test.py

@@ -1,10 +1,9 @@
 from __future__ import annotations
-from typing import Union
 
 from pydantic import Field
 
 from contentctl.objects.unit_test_baseline import UnitTestBaseline
-from contentctl.objects.unit_test_attack_data import UnitTestAttackData
+from contentctl.objects.test_attack_data import TestAttackData
 from contentctl.objects.unit_test_result import UnitTestResult
 from contentctl.objects.base_test import BaseTest, TestType
 from contentctl.objects.base_test_result import TestResultStatus
@@ -17,19 +16,13 @@ class UnitTest(BaseTest):
     # contentType: SecurityContentType = SecurityContentType.unit_tests
 
     # The test type (unit)
-    test_type: TestType = Field(TestType.UNIT)
-
-    # The condition to check if the search was successful
-    pass_condition: Union[str, None] = None
-
-    # Baselines to be run before a unit test
-    baselines: list[UnitTestBaseline] = []
+    test_type: TestType = Field(default=TestType.UNIT)
 
     # The attack data to be ingested for the unit test
-    attack_data: list[UnitTestAttackData]
+    attack_data: list[TestAttackData]
 
     # The result of the unit test
-    result: Union[None, UnitTestResult] = None
+    result: UnitTestResult | None = None
 
     def skip(self, message: str) -> None:
         """

contentctl/output/templates/savedsearches_detections.j2

@@ -59,7 +59,7 @@ dispatch.latest_time = {{ detection.deployment.scheduling.latest_time }}
 action.correlationsearch.enabled = 1
 action.correlationsearch.label = {{APP_NAME}} - {{ detection.name }} - Rule
 action.correlationsearch.annotations = {{ detection.annotations | tojson }}
-action.correlationsearch.metadata = {{ detection.getMetadata() | tojson }}
+action.correlationsearch.metadata = {{ detection.metadata | tojson }}
 {% if detection.deployment.scheduling.schedule_window is defined %}
 schedule_window = {{ detection.deployment.scheduling.schedule_window }}
 {% endif %}