contentctl 4.3.3__py3-none-any.whl → 4.3.4__py3-none-any.whl

contentctl/actions/detection_testing/infrastructures/DetectionTestingInfrastructure.py

@@ -374,12 +374,6 @@ class DetectionTestingInfrastructure(BaseModel, abc.ABC):
                 return
 
             try:
-                # NOTE: (THIS CODE HAS MOVED) we handle skipping entire detections differently than
-                #   we do skipping individual test cases; we skip entire detections by excluding
-                #   them to an entirely separate queue, while we skip individual test cases via the
-                #   BaseTest.skip() method, such as when we are skipping all integration tests (see
-                #   DetectionBuilder.skipIntegrationTests)
-                # TODO: are we skipping by production status elsewhere?
                 detection = self.sync_obj.inputQueue.pop()
                 self.sync_obj.currentTestingQueue[self.get_name()] = detection
             except IndexError:

contentctl/enrichments/attack_enrichment.py

@@ -10,6 +10,7 @@ from dataclasses import field
 from typing import Annotated,Any
 from contentctl.objects.mitre_attack_enrichment import MitreAttackEnrichment
 from contentctl.objects.config import validate
+from contentctl.objects.annotated_types import MITRE_ATTACK_ID_TYPE
 logging.getLogger('taxii2client').setLevel(logging.CRITICAL)
 
 
@@ -23,7 +24,7 @@ class AttackEnrichment(BaseModel):
         _ = enrichment.get_attack_lookup(str(config.path))
         return enrichment
     
-    def getEnrichmentByMitreID(self, mitre_id:Annotated[str, Field(pattern=r"^T\d{4}(.\d{3})?$")])->MitreAttackEnrichment:
+    def getEnrichmentByMitreID(self, mitre_id:MITRE_ATTACK_ID_TYPE)->MitreAttackEnrichment:
         if not self.use_enrichment:
             raise Exception(f"Error, trying to add Mitre Enrichment, but use_enrichment was set to False")
         

contentctl/enrichments/cve_enrichment.py

@@ -8,7 +8,7 @@ from typing import Annotated, Any, Union, TYPE_CHECKING
 from pydantic import BaseModel,Field, computed_field
 from decimal import Decimal
 from requests.exceptions import ReadTimeout
-
+from contentctl.objects.annotated_types import CVE_TYPE
 if TYPE_CHECKING:
     from contentctl.objects.config import validate
 
@@ -18,7 +18,7 @@ CVESSEARCH_API_URL = 'https://cve.circl.lu'
 
 
 class CveEnrichmentObj(BaseModel):
-    id: Annotated[str, r"^CVE-[1|2]\d{3}-\d+$"]
+    id: CVE_TYPE
     cvss: Annotated[Decimal, Field(ge=.1, le=10, decimal_places=1)]
     summary: str
     

contentctl/objects/abstract_security_content_objects/detection_abstract.py

@@ -322,12 +322,13 @@ class Detection_Abstract(SecurityContentObject):
     @property
     def providing_technologies(self) -> List[ProvidingTechnology]:
         return ProvidingTechnology.getProvidingTechFromSearch(self.search)
-        
-    
+
+    # TODO (#247): Refactor the risk property of detection_abstract
     @computed_field
     @property
     def risk(self) -> list[dict[str, Any]]:
         risk_objects: list[dict[str, str | int]] = []
+        # TODO (#246): "User Name" type should map to a "user" risk object and not "other"
         risk_object_user_types = {'user', 'username', 'email address'}
         risk_object_system_types = {'device', 'endpoint', 'hostname', 'ip address'}
         process_threat_object_types = {'process name', 'process'}

contentctl/objects/annotated_types.py

@@ -0,0 +1,6 @@
+from pydantic import Field
+from typing import Annotated
+
+CVE_TYPE = Annotated[str, Field(pattern=r"^CVE-[1|2]\d{3}-\d+$")]
+MITRE_ATTACK_ID_TYPE = Annotated[str, Field(pattern=r"^T\d{4}(.\d{3})?$")]
+APPID_TYPE = Annotated[str,Field(pattern="^[a-zA-Z0-9_-]+$")]

contentctl/objects/config.py

@@ -18,7 +18,7 @@ from urllib.parse import urlparse
 from abc import ABC, abstractmethod
 from contentctl.objects.enums import PostTestBehavior, DetectionTestingMode
 from contentctl.objects.detection import Detection
-
+from contentctl.objects.annotated_types import APPID_TYPE
 import tqdm
 from functools import partialmethod
 
@@ -33,7 +33,7 @@ class App_Base(BaseModel,ABC):
     model_config = ConfigDict(use_enum_values=True,validate_default=True, arbitrary_types_allowed=True)
     uid: Optional[int] = Field(default=None)
     title: str = Field(description="Human-readable name used by the app. This can have special characters.")
-    appid: Optional[Annotated[str, Field(pattern="^[a-zA-Z0-9_-]+$")]]= Field(default=None,description="Internal name used by your app. "
+    appid: Optional[APPID_TYPE]= Field(default=None,description="Internal name used by your app. "
                                                                     "It may ONLY have characters, numbers, and underscores. No other characters are allowed.")
     version: str = Field(description="The version of your Content Pack.  This must follow semantic versioning guidelines.")
     description: Optional[str] = Field(default="description of app",description="Free text description of the Content Pack.")
@@ -101,7 +101,7 @@ class CustomApp(App_Base):
     # https://docs.splunk.com/Documentation/Splunk/9.0.4/Admin/Appconf
     uid: int = Field(ge=2, lt=100000, default_factory=lambda:random.randint(20000,100000))
     title: str = Field(default="Content Pack",description="Human-readable name used by the app. This can have special characters.")
-    appid: Annotated[str, Field(pattern="^[a-zA-Z0-9_-]+$")]= Field(default="ContentPack",description="Internal name used by your app. "
+    appid: APPID_TYPE = Field(default="ContentPack",description="Internal name used by your app. "
                                                                     "It may ONLY have characters, numbers, and underscores. No other characters are allowed.")
     version: str = Field(default="0.0.1",description="The version of your Content Pack.  This must follow semantic versioning guidelines.", validate_default=True)
 

contentctl/objects/correlation_search.py

@@ -575,10 +575,11 @@ class CorrelationSearch(BaseModel):
             self.logger.debug(f"Using cached risk events ({len(self._risk_events)} total).")
             return self._risk_events
 
+        # TODO (#248): Refactor risk/notable querying to pin to a single savedsearch ID
         # Search for all risk events from a single scheduled search (indicated by orig_sid)
         query = (
             f'search index=risk search_name="{self.name}" [search index=risk search '
-            f'search_name="{self.name}" | head 1 | fields orig_sid] | tojson'
+            f'search_name="{self.name}" | tail 1 | fields orig_sid] | tojson'
         )
         result_iterator = self._search(query)
 
@@ -643,7 +644,7 @@ class CorrelationSearch(BaseModel):
         # Search for all notable events from a single scheduled search (indicated by orig_sid)
         query = (
             f'search index=notable search_name="{self.name}" [search index=notable search '
-            f'search_name="{self.name}" | head 1 | fields orig_sid] | tojson'
+            f'search_name="{self.name}" | tail 1 | fields orig_sid] | tojson'
         )
         result_iterator = self._search(query)
 
@@ -686,15 +687,17 @@ class CorrelationSearch(BaseModel):
             check the risks/notables
         :returns: an IntegrationTestResult on failure; None on success
         """
-        # TODO (PEX-433): Re-enable this check once we have refined the logic and reduced the false
-        #   positive rate in risk/obseravble matching
         # Create a mapping of the relevant observables to counters
-        # observables = CorrelationSearch._get_relevant_observables(self.detection.tags.observable)
-        # observable_counts: dict[str, int] = {str(x): 0 for x in observables}
-        # if len(observables) != len(observable_counts):
-        #     raise ClientError(
-        #         f"At least two observables in '{self.detection.name}' have the same name."
-        #     )
+        observables = CorrelationSearch._get_relevant_observables(self.detection.tags.observable)
+        observable_counts: dict[str, int] = {str(x): 0 for x in observables}
+
+        # NOTE: we intentionally want this to be an error state and not a failure state, as
+        #   ultimately this validation should be handled during the build process
+        if len(observables) != len(observable_counts):
+            raise ClientError(
+                f"At least two observables in '{self.detection.name}' have the same name; "
+                "each observable for a detection should be unique."
+            )
 
         # Get the risk events; note that we use the cached risk events, expecting they were
         # saved by a prior call to risk_event_exists
@@ -710,25 +713,29 @@ class CorrelationSearch(BaseModel):
             )
             event.validate_against_detection(self.detection)
 
-            # TODO (PEX-433): Re-enable this check once we have refined the logic and reduced the
-            #   false positive rate in risk/obseravble matching
             # Update observable count based on match
-            # matched_observable = event.get_matched_observable(self.detection.tags.observable)
-            # self.logger.debug(
-            #     f"Matched risk event ({event.risk_object}, {event.risk_object_type}) to observable "
-            #     f"({matched_observable.name}, {matched_observable.type}, {matched_observable.role})"
-            # )
-            # observable_counts[str(matched_observable)] += 1
-
-        # TODO (PEX-433): test my new contentctl logic against an old ESCU build; my logic should
-        #   detect the faulty attacker events -> this was the issue from the 4.28/4.27 release;
-        #   recreate by testing against one of those old builds w/ the bad config
-        # TODO (PEX-433): Re-enable this check once we have refined the logic and reduced the false
-        #   positive
-        #   rate in risk/obseravble matching
-        # TODO (PEX-433): I foresee issues here if for example a parent and child process share a
-        #   name (matched observable could be either) -> these issues are confirmed to exist, e.g.
-        #   `Windows Steal Authentication Certificates Export Certificate`
+            matched_observable = event.get_matched_observable(self.detection.tags.observable)
+            self.logger.debug(
+                f"Matched risk event (object={event.risk_object}, type={event.risk_object_type}) "
+                f"to observable (name={matched_observable.name}, type={matched_observable.type}, "
+                f"role={matched_observable.role}) using the source field "
+                f"'{event.source_field_name}'"
+            )
+            observable_counts[str(matched_observable)] += 1
+
+        # Report any observables which did not have at least one match to a risk event
+        for observable in observables:
+            self.logger.debug(
+                f"Matched observable (name={observable.name}, type={observable.type}, "
+                f"role={observable.role}) to {observable_counts[str(observable)]} risk events."
+            )
+            if observable_counts[str(observable)] == 0:
+                raise ValidationFailed(
+                    f"Observable (name={observable.name}, type={observable.type}, "
+                    f"role={observable.role}) was not matched to any risk events."
+                )
+
+        # TODO (#250): Re-enable and refactor code that validates the specific risk counts
         # Validate risk events in aggregate; we should have an equal amount of risk events for each
         # relevant observable, and the total count should match the total number of events
         # individual_count: Optional[int] = None

contentctl/objects/detection_tags.py

@@ -33,7 +33,7 @@ from contentctl.objects.enums import (
     SecurityContentProductName
 )
 from contentctl.objects.atomic import AtomicTest
-
+from contentctl.objects.annotated_types import MITRE_ATTACK_ID_TYPE, CVE_TYPE
 
 # TODO (#266): disable the use_enum_values configuration
 class DetectionTags(BaseModel):
@@ -50,8 +50,10 @@ class DetectionTags(BaseModel):
     def risk_score(self) -> int:
         return round((self.confidence * self.impact)/100)
 
-    mitre_attack_id: List[Annotated[str, Field(pattern=r"^T\d{4}(.\d{3})?$")]] = []
+    mitre_attack_id: List[MITRE_ATTACK_ID_TYPE] = []
     nist: list[NistCategory] = []
+
+    # TODO (#249): Add pydantic validator to ensure observables are unique within a detection
     observable: List[Observable] = []
     message: str = Field(...)
     product: list[SecurityContentProductName] = Field(..., min_length=1)
@@ -69,7 +71,7 @@ class DetectionTags(BaseModel):
         else:
             return RiskSeverity('low')
 
-    cve: List[Annotated[str, r"^CVE-[1|2]\d{3}-\d+$"]] = []
+    cve: List[CVE_TYPE] = []
     atomic_guid: List[AtomicTest] = []
     drilldown_search: Optional[str] = None
 

contentctl/objects/mitre_attack_enrichment.py

@@ -3,6 +3,7 @@ from pydantic import BaseModel, Field, ConfigDict, HttpUrl, field_validator
 from typing import List, Annotated
 from enum import StrEnum
 import datetime
+from contentctl.objects.annotated_types import MITRE_ATTACK_ID_TYPE
 
 class MitreTactics(StrEnum):
     RECONNAISSANCE = "Reconnaissance"
@@ -85,7 +86,7 @@ class MitreAttackGroup(BaseModel):
 # TODO (#266): disable the use_enum_values configuration
 class MitreAttackEnrichment(BaseModel):
     ConfigDict(use_enum_values=True)
-    mitre_attack_id: Annotated[str, Field(pattern=r"^T\d{4}(.\d{3})?$")] = Field(...)
+    mitre_attack_id: MITRE_ATTACK_ID_TYPE = Field(...)
     mitre_attack_technique: str = Field(...)
     mitre_attack_tactics: List[MitreTactics] = Field(...)
     mitre_attack_groups: List[str] = Field(...)

contentctl/objects/risk_event.py

@@ -1,32 +1,51 @@
 import re
-from typing import Union, Optional
 
-from pydantic import BaseModel, Field, PrivateAttr, field_validator
+from pydantic import BaseModel, Field, PrivateAttr, field_validator, computed_field
 
 from contentctl.objects.errors import ValidationFailed
 from contentctl.objects.detection import Detection
 from contentctl.objects.observable import Observable
 
-# TODO (PEX-433): use SES_OBSERVABLE_TYPE_MAPPING
+# TODO (#259): Map our observable types to more than user/system
+# TODO (#247): centralize this mapping w/ usage of SES_OBSERVABLE_TYPE_MAPPING (see
+#   observable.py) and the ad hoc mapping made in detection_abstract.py (see the risk property func)
 TYPE_MAP: dict[str, list[str]] = {
-    "user": ["User"],
-    "system": ["Hostname", "IP Address", "Endpoint"],
-    "other": ["Process", "URL String", "Unknown", "Process Name"],
+    "system": [
+        "Hostname",
+        "IP Address",
+        "Endpoint"
+    ],
+    "user": [
+        "User",
+        "User Name",
+        "Email Address",
+        "Email"
+    ],
+    "hash_values": [],
+    "network_artifacts": [],
+    "host_artifacts": [],
+    "tools": [],
+    "other": [
+        "Process",
+        "URL String",
+        "Unknown",
+        "Process Name",
+        "MAC Address",
+        "File Name",
+        "File Hash",
+        "Resource UID",
+        "Uniform Resource Locator",
+        "File",
+        "Geo Location",
+        "Container",
+        "Registry Key",
+        "Registry Value",
+        "Other"
+    ]
 }
-# TODO (PEX-433): 'Email Address', 'File Name', 'File Hash', 'Other', 'User Name', 'File',
-#   'Process Name'
 
-# TODO (PEX-433): use SES_OBSERVABLE_ROLE_MAPPING
+# Roles that should not generate risks
 IGNORE_ROLES: list[str] = ["Attacker"]
-# Known valid roles: Victim, Parent Process, Child Process
-# TODO (PEX-433): 'Other', 'Target', 'Unknown'
-# TODO (PEX-433): is Other a valid role
-
-# TODO (PEX-433): do we need User Name in conjunction w/ User? User Name doesn't get mapped to
-#   "user" in risk events
-# TODO (PEX-433): similarly, do we need Process and Process Name?
-
-RESERVED_FIELDS = ["host"]
 
 
 class RiskEvent(BaseModel):
@@ -36,7 +55,7 @@ class RiskEvent(BaseModel):
     search_name: str
 
     # The subject of the risk event (e.g. a username, process name, system name, account ID, etc.)
-    risk_object: Union[int, str]
+    risk_object: int | str
 
     # The type of the risk object (e.g. user, system, or other)
     risk_object_type: str
@@ -59,8 +78,12 @@ class RiskEvent(BaseModel):
         default=[]
     )
 
+    # Contributing events search query (we use this to derive the corresponding field from the
+    # observables)
+    contributing_events_search: str
+
     # Private attribute caching the observable this RiskEvent is mapped to
-    _matched_observable: Optional[Observable] = PrivateAttr(default=None)
+    _matched_observable: Observable | None = PrivateAttr(default=None)
 
     class Config:
         # Allowing fields that aren't explicitly defined to be passed since some of the risk event's
@@ -69,7 +92,7 @@ class RiskEvent(BaseModel):
 
     @field_validator("annotations_mitre_attack", "analyticstories", mode="before")
     @classmethod
-    def _convert_str_value_to_singleton(cls, v: Union[str, list[str]]) -> list[str]:
+    def _convert_str_value_to_singleton(cls, v: str | list[str]) -> list[str]:
         """
         Given a value, determine if its a list or a single str value; if a single value, return as a
         singleton. Do nothing if anything else.
@@ -79,6 +102,25 @@ class RiskEvent(BaseModel):
         else:
             return [v]
 
+    @computed_field
+    @property
+    def source_field_name(self) -> str:
+        """
+        A cached derivation of the source field name the risk event corresponds to in the relevant
+        event(s). Useful for mapping back to an observable in the detection.
+        """
+        pattern = re.compile(
+            r"\| savedsearch \"" + self.search_name + r"\" \| search (?P<field>[^=]+)=.+"
+        )
+        match = pattern.search(self.contributing_events_search)
+        if match is None:
+            raise ValueError(
+                "Unable to parse source field name from risk event using "
+                f"'contributing_events_search' ('{self.contributing_events_search}') using "
+                f"pattern: {pattern}"
+            )
+        return match.group("field")
+
     def validate_against_detection(self, detection: Detection) -> None:
         """
         Given the associated detection, validate the risk event against its fields
@@ -108,10 +150,8 @@ class RiskEvent(BaseModel):
         # Check risk_message
         self.validate_risk_message(detection)
 
-        # TODO (PEX-433): Re-enable this check once we have refined the logic and reduced the false
-        #   positive rate in risk/obseravble matching
         # Check several conditions against the observables
-        # self.validate_risk_against_observables(detection.tags.observable)
+        self.validate_risk_against_observables(detection.tags.observable)
 
     def validate_mitre_ids(self, detection: Detection) -> None:
         """
@@ -199,7 +239,11 @@ class RiskEvent(BaseModel):
         if self.risk_object_type != expected_type:
             raise ValidationFailed(
                 f"The risk object type ({self.risk_object_type}) does not match the expected type "
-                f"based on the matched observable ({matched_observable.type}=={expected_type})."
+                f"based on the matched observable ({matched_observable.type}->{expected_type}): "
+                f"risk=(object={self.risk_object}, type={self.risk_object_type}, "
+                f"source_field_name={self.source_field_name}), "
+                f"observable=(name={matched_observable.name}, type={matched_observable.type}, "
+                f"role={matched_observable.role})"
             )
 
     @staticmethod
@@ -220,8 +264,6 @@ class RiskEvent(BaseModel):
             f"Observable type {observable_type} does not have a mapping to a risk type in TYPE_MAP"
         )
 
-    # TODO (PEX-433): should this be an observable instance method? It feels less relevant to
-    #   observables themselves, as it's really only relevant to the handling of risk events
     @staticmethod
     def ignore_observable(observable: Observable) -> bool:
         """
@@ -230,8 +272,6 @@ class RiskEvent(BaseModel):
         :param observable: the Observable object we are checking the roles of
         :returns: a bool indicating whether this observable should be ignored or not
         """
-        # TODO (PEX-433): could there be a case where an observable has both an Attacker and Victim
-        #   (or equivalent) role? If so, how should we handle ignoring it?
         ignore = False
         for role in observable.role:
             if role in IGNORE_ROLES:
@@ -239,29 +279,6 @@ class RiskEvent(BaseModel):
                 break
         return ignore
 
-    # TODO (PEX-433): two possibilities: alway check for the field itself and the field prefixed
-    #   w/ "orig_" OR more explicitly maintain a list of known "reserved fields", like "host". I
-    #   think I like option 2 better as it can have fewer unknown side effects
-    def matches_observable(self, observable: Observable) -> bool:
-        """
-        Given an observable, check if the risk event matches is
-        :param observable: the Observable object we are comparing the risk event against
-        :returns: bool indicating a match or not
-        """
-        # When field names collide w/ reserved fields in Splunk events (e.g. sourcetype or host)
-        # they get prefixed w/ "orig_"
-        attribute_name = observable.name
-        if attribute_name in RESERVED_FIELDS:
-            attribute_name = f"orig_{attribute_name}"
-
-        # Retrieve the value of this attribute and see if it matches the risk_object
-        value: Union[str, list[str]] = getattr(self, attribute_name)
-        if isinstance(value, str):
-            value = [value]
-
-        # The value of the attribute may be a list of values, so check for any matches
-        return self.risk_object in value
-
     def get_matched_observable(self, observables: list[Observable]) -> Observable:
         """
         Given a list of observables, return the one this risk event matches
@@ -274,40 +291,41 @@ class RiskEvent(BaseModel):
         if self._matched_observable is not None:
             return self._matched_observable
 
-        matched_observable: Optional[Observable] = None
+        matched_observable: Observable | None = None
 
         # Iterate over the obervables and check for a match
         for observable in observables:
+            # TODO (#252): Refactor and re-enable per-field validation of risk events
             # Each the field name used in each observable shoud be present in the risk event
-            # TODO (PEX-433): this check is redundant I think; earlier in the unit test, observable
-            #   field
-            #   names are compared against the search result set, ensuring all are present; if all
-            #   are present in the result set, all are present in the risk event
-            if not hasattr(self, observable.name):
-                raise ValidationFailed(
-                    f"Observable field \"{observable.name}\" not found in risk event."
-                )
+            # if not hasattr(self, observable.name):
+            #     raise ValidationFailed(
+            #         f"Observable field \"{observable.name}\" not found in risk event."
+            #     )
 
             # Try to match the risk_object against a specific observable for the obervables with
-            # a valid role (some, like Attacker, don't get converted to risk events)
-            if not RiskEvent.ignore_observable(observable):
-                if self.matches_observable(observable):
-                    # TODO (PEX-433): This check fails as there are some instances where this is
-                    #   true (e.g. we have an observable for process and parent_process and both
-                    #   have the same name like "cmd.exe")
-                    if matched_observable is not None:
-                        raise ValueError(
-                            "Unexpected conditon: we don't expect the value corresponding to an "
-                            "observables field name to be repeated"
-                        )
-                    # NOTE: we explicitly do not break early as we want to check each observable
-                    matched_observable = observable
+            # a valid role (some, like Attacker, shouldn't get converted to risk events)
+            if self.source_field_name == observable.name:
+                if matched_observable is not None:
+                    raise ValueError(
+                        "Unexpected conditon: we don't expect the source event field "
+                        "corresponding to an observables field name to be repeated."
+                    )
+
+                # Report any risk events we find that shouldn't be there
+                if RiskEvent.ignore_observable(observable):
+                    raise ValidationFailed(
+                        "Risk event matched an observable with an invalid role: "
+                        f"(name={observable.name}, type={observable.type}, role={observable.role})")
+                # NOTE: we explicitly do not break early as we want to check each observable
+                matched_observable = observable
 
         # Ensure we were able to match the risk event to a specific observable
         if matched_observable is None:
             raise ValidationFailed(
-                f"Unable to match risk event ({self.risk_object}, {self.risk_object_type}) to an "
-                "appropriate observable"
+                f"Unable to match risk event (object={self.risk_object}, type="
+                f"{self.risk_object_type}, source_field_name={self.source_field_name}) to an "
+                "observable; please check for errors in the observable roles/types for this "
+                "detection, as well as the risk event build process in contentctl."
             )
 
         # Cache and return the matched observable

contentctl/objects/story_tags.py

@@ -6,7 +6,7 @@ from enum import Enum
 
 from contentctl.objects.mitre_attack_enrichment import MitreAttackEnrichment
 from contentctl.objects.enums import StoryCategory, DataModel, KillChainPhase, SecurityContentProductName
-
+from contentctl.objects.annotated_types import CVE_TYPE,MITRE_ATTACK_ID_TYPE
 
 class StoryUseCase(str,Enum):
    FRAUD_DETECTION = "Fraud Detection"
@@ -27,10 +27,10 @@ class StoryTags(BaseModel):
 
    # enrichment
    mitre_attack_enrichments: Optional[List[MitreAttackEnrichment]] = None
-   mitre_attack_tactics: Optional[Set[Annotated[str, Field(pattern=r"^T\d{4}(.\d{3})?$")]]] = None
+   mitre_attack_tactics: Optional[Set[MITRE_ATTACK_ID_TYPE]] = None
    datamodels: Optional[Set[DataModel]] = None
    kill_chain_phases: Optional[Set[KillChainPhase]] = None
-   cve: List[Annotated[str, r"^CVE-[1|2]\d{3}-\d+$"]] = []
+   cve: List[CVE_TYPE] = []
    group: List[str] = Field([], description="A list of groups who leverage the techniques list in this Analytic Story.")
 
    def getCategory_conf(self) -> str:

{contentctl-4.3.3.dist-info → contentctl-4.3.4.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: contentctl
-Version: 4.3.3
+Version: 4.3.4
 Summary: Splunk Content Control Tool
 License: Apache 2.0
 Author: STRT
@@ -22,7 +22,7 @@ Requires-Dist: pygit2 (>=1.15.1,<2.0.0)
 Requires-Dist: questionary (>=2.0.1,<3.0.0)
 Requires-Dist: requests (>=2.32.3,<2.33.0)
 Requires-Dist: semantic-version (>=2.10.0,<3.0.0)
-Requires-Dist: setuptools (>=69.5.1,<74.0.0)
+Requires-Dist: setuptools (>=69.5.1,<75.0.0)
 Requires-Dist: splunk-sdk (>=2.0.2,<3.0.0)
 Requires-Dist: tqdm (>=4.66.5,<5.0.0)
 Requires-Dist: tyro (>=0.8.3,<0.9.0)

{contentctl-4.3.3.dist-info → contentctl-4.3.4.dist-info}/RECORD

@@ -4,7 +4,7 @@ contentctl/actions/deploy_acs.py,sha256=mf3uk495H1EU_LNN-TiOsYCo18HMGoEBMb6ojeTr
 contentctl/actions/detection_testing/DetectionTestingManager.py,sha256=zg8JasDjCpSC-yhseEyUwO8qbDJIUJbhlus9Li9ZAnA,8818
 contentctl/actions/detection_testing/GitService.py,sha256=W1vnDDt8JvIL7Z1Lve3D3RS7h8qwMxrW0BMXVGuDZDM,9007
 contentctl/actions/detection_testing/generate_detection_coverage_badge.py,sha256=N5mznaeErVak3mOBwsd0RDBFJO3bku0EZvpayCyU-uk,2259
-contentctl/actions/detection_testing/infrastructures/DetectionTestingInfrastructure.py,sha256=w_ULKp-RqE7HXMSzWZ-a4ha0_45GwAG7RLixJjv_gKQ,55718
+contentctl/actions/detection_testing/infrastructures/DetectionTestingInfrastructure.py,sha256=00ymK5PyAn_FREi8Cj0HqpUt-U6XMpSHrN0QNqIrbDA,55190
 contentctl/actions/detection_testing/infrastructures/DetectionTestingInfrastructureContainer.py,sha256=REM3WB-DQAczeknGAKMzJhnvHgnt-u9yDG2UKGVj2vM,6854
 contentctl/actions/detection_testing/infrastructures/DetectionTestingInfrastructureServer.py,sha256=Q1ZfCYOp54O39bgTScZMInkmZiU-bGAM9Hiwr2mq5ms,370
 contentctl/actions/detection_testing/progress_bar.py,sha256=OK9oRnPlzPAswt9KZNYID-YLHxqaYPY821kIE4-rCeA,3244
@@ -23,8 +23,8 @@ contentctl/actions/test.py,sha256=jv12UO_PTjZwvo4G-Dr8fE2gsuWvuvAmO2QQM4q7TL0,59
 contentctl/actions/validate.py,sha256=2MQ8yumCKj7zD8iUuA5gfFEMcE-GPRzYqkvuOexn0JA,5633
 contentctl/api.py,sha256=FBOpRhbBCBdjORmwe_8MPQ3PRZ6T0KrrFcfKovVFkug,6343
 contentctl/contentctl.py,sha256=JXbUD5l1PziRRJxUc1UHrveM33CHryZPmc0RxudDpIs,10328
-contentctl/enrichments/attack_enrichment.py,sha256=HsfHfcrRmsHT6pILN457jmCGOCdAhOlRBGfAP8aZY78,7834
-contentctl/enrichments/cve_enrichment.py,sha256=SjiytaZktVNbfICXcZ2vZzBiQpOkug5taPtiJK-S1OE,2313
+contentctl/enrichments/attack_enrichment.py,sha256=XEcLRnXKfJeChax5gfHDGea5D5MCFjP4bWp8hRWn3d8,7871
+contentctl/enrichments/cve_enrichment.py,sha256=rRdf62sKkBzCBLCNwzAmEhxNiPV2px1VS6MzDiS-uBw,2337
 contentctl/enrichments/splunk_app_enrichment.py,sha256=zDNHFLZTi2dJ1gdnh0sHkD6F1VtkblqFnhacFcCMBfc,3418
 contentctl/helper/link_validator.py,sha256=-XorhxfGtjLynEL1X4hcpRMiyemogf2JEnvLwhHq80c,7139
 contentctl/helper/logger.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -33,17 +33,18 @@ contentctl/helper/utils.py,sha256=8ICRvE7DUiNL9BK4Hw71hCLFbd3R2u86OwKeDOdaBTY,19
 contentctl/input/director.py,sha256=kTqdN_rCzRMn4dR32hPaVyx2llhAxyhJgoGjowhsHzs,10887
 contentctl/input/new_content_questions.py,sha256=o4prlBoUhEMxqpZukquI9WKbzfFJfYhEF7a8m2q_BEE,5565
 contentctl/input/yml_reader.py,sha256=hyVUYhx4Ka8C618kP2D_E3sDUKEQGC6ty_QZQArHKd4,1489
-contentctl/objects/abstract_security_content_objects/detection_abstract.py,sha256=OD0QFdBDtAlPt3vUpozeS6F0fs2iTKg6ovKJc6F-Se4,38721
+contentctl/objects/abstract_security_content_objects/detection_abstract.py,sha256=U3IvEQO3D5ab7YPUz8JnAnUCNtN--INOs2AP-ew5qn8,38867
 contentctl/objects/abstract_security_content_objects/security_content_object_abstract.py,sha256=vdZvybF34Zlxf6XOjw400gYbpkPUkOtlu-JiWlAof40,9877
 contentctl/objects/alert_action.py,sha256=E9gjCn5C31h0sN7k90KNe4agRxFFSnMW_Z-Ri_3YQss,1335
+contentctl/objects/annotated_types.py,sha256=jnX02BQT4dHbd_DCIjik0PNN3kgsvb7sxAz_1Jy8TOY,259
 contentctl/objects/atomic.py,sha256=BP27gP8KHeODp6UazhVFxwDQ64wuJCARGsLfIH34h7U,8768
 contentctl/objects/base_test.py,sha256=qUtKQJrqCto_fwCBdiH68_tXqokhcv9ceu2fQlBxsjA,1045
 contentctl/objects/base_test_result.py,sha256=jVroyGLb9GD6Wm2QzvgIEA3SWCZqxPsHp9PzxSvpyIs,5101
 contentctl/objects/baseline.py,sha256=Lb1vJKtDdlDrzWgrdkC9oQao_TnRrOxSwOWHf4trtaU,2150
 contentctl/objects/baseline_tags.py,sha256=fVhLF-NmisavybB_idu3N0Con0Ymj8clKfRMkWzBB-k,1762
-contentctl/objects/config.py,sha256=8oP68b_wnPLXBMdvemmWFazaBssASW4jFZjFbTNrboY,44507
+contentctl/objects/config.py,sha256=_DRRMdtDKxjg2u-7iEbBrvKwtABxtlrmAEC8XYBQGk8,44487
 contentctl/objects/constants.py,sha256=lfCcr1DsTZvANHj4Ee1_sEV-SebHwAn41-5EvmoEX2E,3537
-contentctl/objects/correlation_search.py,sha256=QZp1u-dwTZl9hkUOlJdHQ9h4Hp2bDHWWCKtrp3mvIUY,48310
+contentctl/objects/correlation_search.py,sha256=ZZVoO3M594qCy_aAMhQiOPWn8FiSFbRShUCCLx6zhNc,48434
 contentctl/objects/data_source.py,sha256=aRr6lHu-EtGmi6J2nXKD7i2ozUPtp7X-vDkQiutvD3I,1545
 contentctl/objects/deployment.py,sha256=Qc6M4yeOvxjqFKR8sfjd4CG06AbVheTOqP1mwqo4t8s,2651
 contentctl/objects/deployment_email.py,sha256=Zu9cXZdfOP6noa_mZpiK1GrYCTgi3Mim94iLGjE674c,147
@@ -53,7 +54,7 @@ contentctl/objects/deployment_rba.py,sha256=YFLSKzLU7s8Bt1cJkSBWlfCsc_2MfgiwyaDi
 contentctl/objects/deployment_scheduling.py,sha256=bQjbJHNaUGdU1VAGV8-nFOHzHutbIlt7FZpUvR1CV4Y,198
 contentctl/objects/deployment_slack.py,sha256=P6z8OLHDKcDWx7nbKWasqBc3dFRatGcpO2GtmxzVV8I,135
 contentctl/objects/detection.py,sha256=3W41cXf3ECjWuPqWrseqSLC3PAA7O5_nENWWM6MPK0Y,620
-contentctl/objects/detection_tags.py,sha256=esJF7Uvblynm0uJj03EV9Hkr6Jko1LobSnJK2keJXUE,10913
+contentctl/objects/detection_tags.py,sha256=r7nIYMMspPk68aQx5q04jQaFGO4zTYG1P1UAUrX9qtU,11023
 contentctl/objects/enums.py,sha256=37v7w8xCg5j5hxP3kod0S3HQ9BY-CqZulPiwhnTtEvs,14052
 contentctl/objects/errors.py,sha256=gnD99z4O00EBbMerUjt4368q8mohm3Zb9HByG3CP_A0,525
 contentctl/objects/event_source.py,sha256=G9P7rtcN5hcBNQx6DG37mR3QyQufx--T6kgQGNqQuKk,415
@@ -65,20 +66,20 @@ contentctl/objects/lookup.py,sha256=oZwBiHfRRrv2ZXdGyWIJWSWZMpuUbsXydaDDfpenk-4,
 contentctl/objects/macro.py,sha256=9nE-bxkFhtaltHOUCr0luU8jCCthmglHjhKs6Q2YzLU,2684
 contentctl/objects/manual_test.py,sha256=YNquEQ0UCzZGJ0uvHBgJ3Efho-F80ZG885ABLtqB7TI,1022
 contentctl/objects/manual_test_result.py,sha256=C4AYW3jlMsxVzCPzCA5dpAcbKgCpmDO43JmptFm--Q4,155
-contentctl/objects/mitre_attack_enrichment.py,sha256=4c5zapPm1Dpmcg_bgUAjZRY5zS3yPFKYzz5zllb-u1o,3350
+contentctl/objects/mitre_attack_enrichment.py,sha256=4_9hvrxCXnGfyWqoj7C-0pCfGXEBJXfhrcSfb1cmPjs,3387
 contentctl/objects/notable_action.py,sha256=ValkblBaG-60TF19y_vSnNzoNZ3eg48wIfr0qZxyKTA,1605
 contentctl/objects/notable_event.py,sha256=ITcwLzeatSGpe8267PYN-EhgqOSoWTfciCBVu8zjOXE,682
 contentctl/objects/observable.py,sha256=pw0Ehi_KMb7nXzw2kuw1FnCknpD8zDkCAqBTa-M_F28,1313
 contentctl/objects/playbook.py,sha256=hSYYpdMhctgpp7uwaPciFqu1yuFI4M1NHy1WBBLyvzM,2469
 contentctl/objects/playbook_tags.py,sha256=NrhTGcgoYSGEZggrfebko0GBOXN9x05IadRUUL_CVfQ,1436
 contentctl/objects/risk_analysis_action.py,sha256=Glzcq99DAqqOJ2eZYCkUI3R5hA5cZGU0ZuCSinFf2R8,4278
-contentctl/objects/risk_event.py,sha256=LnFg0BKnt7rMJvzxZoaFeInKP4w5onvJwOUxMWWDk6w,14303
+contentctl/objects/risk_event.py,sha256=b5Smh3w5Hecmi7E-Ub5DvO8iOPwnVg2ux47u7oemxX4,14041
 contentctl/objects/risk_object.py,sha256=yY4NmEwEKaRl4sLzCRZb1n8kdpV3HzYbQVQ1ClQWYHw,904
 contentctl/objects/security_content_object.py,sha256=j8KNDwSMfZsSIzJucC3NuZo0SlFVpqHfDc6y3-YHjHI,234
 contentctl/objects/ssa_detection.py,sha256=ud0T6lq-5XUlmeK8Jzw_aNLe6podVcA1o7THDYvWbik,5934
 contentctl/objects/ssa_detection_tags.py,sha256=9aRwbpQHi79NIS9rofjgxDJpw7cWXqG534_kSbvHJh8,5220
 contentctl/objects/story.py,sha256=FXe11LV19xJTtCgx7DKdvV9cL0gKeryUnE3yjpnDmrU,4957
-contentctl/objects/story_tags.py,sha256=qIVCEk3Vr-63tjq3PKapMUUUL6jNCHyp2AqGzDAE-tk,2279
+contentctl/objects/story_tags.py,sha256=cOL8PUzdlFdLPQHc54_-9sdI8nCE1D04oKY7KriOssI,2293
 contentctl/objects/test_attack_data.py,sha256=9OgErjdPR4S-SJpQePt0uwBLPYHYPtqKDd-auhjz7Uc,430
 contentctl/objects/test_group.py,sha256=DCtm4ChGYksOwZQVHsioaweOvI37CSlTZJzKvBX-jbY,2586
 contentctl/objects/threat_object.py,sha256=S8B7RQFfLxN_g7yKPrDTuYhIy9JvQH3YwJ_T5LUZIa4,711
@@ -165,8 +166,8 @@ contentctl/templates/detections/web/.gitkeep,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRk
 contentctl/templates/macros/security_content_ctime.yml,sha256=Gg1YNllHVsX_YB716H1SJLWzxXZEfuJlnsgB2fuyoHU,159
 contentctl/templates/macros/security_content_summariesonly.yml,sha256=9BYUxAl2E4Nwh8K19F3AJS8Ka7ceO6ZDBjFiO3l3LY0,162
 contentctl/templates/stories/cobalt_strike.yml,sha256=rlaXxMN-5k8LnKBLPafBoksyMtlmsPMHPJOjTiMiZ-M,3063
-contentctl-4.3.3.dist-info/LICENSE.md,sha256=hQWUayRk-pAiOZbZnuy8djmoZkjKBx8MrCFpW-JiOgo,11344
-contentctl-4.3.3.dist-info/METADATA,sha256=utrc_z9xKTEuH2CQrudSeb6J4BQZloMvVxkb6y17pvA,20925
-contentctl-4.3.3.dist-info/WHEEL,sha256=sP946D7jFCHeNz5Iq4fL4Lu-PrWrFsgfLXbbkciIZwg,88
-contentctl-4.3.3.dist-info/entry_points.txt,sha256=5bjZ2NkbQfSwK47uOnA77yCtjgXhvgxnmCQiynRF_-U,57
-contentctl-4.3.3.dist-info/RECORD,,
+contentctl-4.3.4.dist-info/LICENSE.md,sha256=hQWUayRk-pAiOZbZnuy8djmoZkjKBx8MrCFpW-JiOgo,11344
+contentctl-4.3.4.dist-info/METADATA,sha256=YgRlkSBe1UQmgQfU3wIVwH0lufqLvfhjnnhY2qBNxiU,20925
+contentctl-4.3.4.dist-info/WHEEL,sha256=sP946D7jFCHeNz5Iq4fL4Lu-PrWrFsgfLXbbkciIZwg,88
+contentctl-4.3.4.dist-info/entry_points.txt,sha256=5bjZ2NkbQfSwK47uOnA77yCtjgXhvgxnmCQiynRF_-U,57
+contentctl-4.3.4.dist-info/RECORD,,