contentctl 4.3.4__py3-none-any.whl → 4.3.5__py3-none-any.whl

contentctl/objects/savedsearches_conf.py

@@ -0,0 +1,196 @@
+
+from pathlib import Path
+from typing import Any, ClassVar
+import re
+import tempfile
+import tarfile
+
+from pydantic import BaseModel, Field, PrivateAttr
+
+from contentctl.objects.detection_stanza import DetectionStanza
+
+
+class SavedsearchesConf(BaseModel):
+    """
+    A model of the savedsearches.conf file, represented as a set of stanzas
+
+    NOTE: At present, this model only parses the detections themselves from the .conf; thing like
+    baselines or response tasks are left alone currently
+    """
+    # The path to the conf file
+    path: Path = Field(...)
+
+    # The app label (used for pattern matching in the conf) (e.g. ESCU)
+    app_label: str = Field(...)
+
+    # A dictionary mapping rule names to a model of the corresponding stanza in the conf
+    detection_stanzas: dict[str, DetectionStanza] = Field(default={}, init=False)
+
+    # A internal flag indicating whether we are currently in the detections portion of the conf
+    # during parsing
+    _in_detections: bool = PrivateAttr(default=False)
+
+    # A internal flag indicating whether we are currently in a specific section of the conf
+    # during parsing
+    _in_section: bool = PrivateAttr(default=False)
+
+    # A running list of the accumulated lines identified as part of the current section
+    _current_section_lines: list[str] = PrivateAttr(default=[])
+
+    # The name of the current section
+    _current_section_name: str | None = PrivateAttr(default=None)
+
+    # The current line number as we continue to parse the file
+    _current_line_no: int = PrivateAttr(default=0)
+
+    # A format string for the path to the savedsearches.conf in the app package
+    PACKAGE_CONF_PATH_FMT_STR: ClassVar[str] = "{appid}/default/savedsearches.conf"
+
+    def model_post_init(self, __context: Any) -> None:
+        super().model_post_init(__context)
+        self._parse_detection_stanzas()
+
+    def is_section_header(self, line: str) -> bool:
+        """
+        Given a line, determine if the line is a section header, indicating the start of a new
+        section
+
+        :param line: a line from the conf file
+        :type line: str
+
+        :returns: a bool indicating whether the current line is a section header or not
+        :rtype: bool
+        """
+        # Compile the pattern based on the app name
+        pattern = re.compile(r"\[" + self.app_label + r" - .+ - Rule\]")
+        if pattern.match(line):
+            return True
+        return False
+
+    def section_start(self, line: str) -> None:
+        """
+        Given a line, adjust the state to track a new section
+
+        :param line: a line from the conf file
+        :type line: str
+        """
+        # Determine the new section name:
+        new_section_name = line.strip().strip("[").strip("]")
+
+        # Raise if we are in a section already according to the state (we cannot statr a new section
+        # before ending the previous section)
+        if self._in_section:
+            raise Exception(
+                "Attempting to start a new section w/o ending the current one; check for "
+                f"parsing/serialization errors: (current section: '{self._current_section_name}', "
+                f"new section: '{new_section_name}') [see line {self._current_line_no} in "
+                f"{self.path}]"
+            )
+
+        # Capture the name of this section, reset the lines, and indicate that we are now in a
+        # section
+        self._current_section_name = new_section_name
+        self._current_section_lines = [line]
+        self._in_section = True
+
+    def section_end(self) -> None:
+        """
+        Adjust the state end the section we were enumerating; parse the lines as a DetectionStanza
+        """
+        # Name should have been set during section start
+        if self._current_section_name is None:
+            raise Exception(
+                "Name for the current section was never set; check for parsing/serialization "
+                f"errors [see line {self._current_line_no} in {self.path}]."
+            )
+        elif self._current_section_name in self.detection_stanzas:
+            # Each stanza should be unique, so the name should not already be in the dict
+            raise Exception(
+                f"Name '{self._current_section_name}' already in set of stanzas [see line "
+                f"{self._current_line_no} in {self.path}]."
+            )
+
+        # Build the stanza model from the accumulated lines and adjust the state to end this section
+        self.detection_stanzas[self._current_section_name] = DetectionStanza(
+            name=self._current_section_name,
+            lines=self._current_section_lines
+        )
+        self._in_section = False
+
+    def _parse_detection_stanzas(self) -> None:
+        """
+        Open the conf file, and parse out DetectionStanza objects from the raw conf stanzas
+        """
+        # We don't want to parse the stanzas twice (non-atomic operation)
+        if len(self.detection_stanzas) != 0:
+            raise Exception(
+                f"{len(self.detection_stanzas)} stanzas have already been parsed from this conf; we"
+                " do not need to parse them again"
+            )
+
+        # Open the conf file and iterate over the lines
+        with open(self.path, "r") as file:
+            for line in file:
+                self._current_line_no += 1
+
+                # Break when we get to the end of the app detections
+                if line.strip() == f"### END {self.app_label} DETECTIONS ###":
+                    break
+                elif self._in_detections:
+                    # Check if we are in the detections portion of the conf, and then if we are in a
+                    # section
+                    if self._in_section:
+                        # If we are w/in a section and have hit an empty line, close the section
+                        if line.strip() == "":
+                            self.section_end()
+                        elif self.is_section_header(line):
+                            # Raise if we encounter a section header w/in a section
+                            raise Exception(
+                                "Encountered section header while already in section (current "
+                                f"section: '{self._current_section_name}') [see line "
+                                f"{self._current_line_no} in {self.path}]."
+                            )
+                        else:
+                            # Otherwise, append the line
+                            self._current_section_lines.append(line)
+                    elif self.is_section_header(line):
+                        # If we encounter a section header while not already in a section, start a
+                        # new one
+                        self.section_start(line)
+                    elif line.strip() != "":
+                        # If we are not in a section and have encountered anything other than an
+                        # empty line, something is wrong
+                        raise Exception(
+                            "Found a non-empty line outside a stanza [see line "
+                            f"{self._current_line_no} in {self.path}]."
+                        )
+                elif line.strip() == f"### {self.app_label} DETECTIONS ###":
+                    # We have hit the detections portion of the conf and we adjust the state
+                    # accordingly
+                    self._in_detections = True
+
+    @staticmethod
+    def init_from_package(package_path: Path, app_name: str, appid: str) -> "SavedsearchesConf":
+        """
+        Alternate constructor which can take an app package, and extract the savedsearches.conf from
+        a temporary file.
+
+        :param package_path: Path to the app package
+        :type package_path: :class:`pathlib.Path`
+        :param app_name: the name of the app (e.g. ESCU)
+        :type app_name: str
+
+        :returns: a SavedsearchesConf object
+        :rtype: :class:`contentctl.objects.savedsearches_conf.SavedsearchesConf`
+        """
+        # Create a temporary directory
+        with tempfile.TemporaryDirectory() as tmpdir:
+            # Open the tar/gzip archive
+            with tarfile.open(package_path) as package:
+                # Extract the savedsearches.conf and use it to init the model
+                package_conf_path = SavedsearchesConf.PACKAGE_CONF_PATH_FMT_STR.format(appid=appid)
+                package.extract(package_conf_path, path=tmpdir)
+                return SavedsearchesConf(
+                    path=Path(tmpdir, package_conf_path),
+                    app_label=app_name
+                )

contentctl/output/conf_writer.py

@@ -34,7 +34,10 @@ class ConfWriter():
         # Failing to do so will result in an improperly formatted conf files that
         # cannot be parsed
         if isinstance(obj,str):
-            return obj.replace(f"\n"," \\\n")
+            # Remove leading and trailing characters. Conf parsers may erroneously 
+            # Parse fields if they have leading or trailing newlines/whitespace and we 
+            # probably don't want that anyway as it doesn't look good in output
+            return obj.strip().replace(f"\n"," \\\n")
         else:
             return obj
 

contentctl/output/new_content_yml_output.py

@@ -39,11 +39,8 @@ class NewContentYmlOutput():
             .replace('.','_') \
             .replace('/','_') \
             .lower()
-        if 'Splunk Behavioral Analytics' in product:
-            
-            file_name = 'ssa___' + file_name + '.yml'
-        else:
-            file_name = file_name + '.yml'
+        
+        file_name = file_name + '.yml'
         return file_name
 
 
@@ -54,8 +51,6 @@ class NewContentYmlOutput():
             .replace('.','_') \
             .replace('/','_') \
             .lower()
-        if 'Splunk Behavioral Analytics' in product:          
-            file_name = 'ssa___' + file_name + '.test.yml'
-        else:
-            file_name = file_name + '.test.yml'
+        
+        file_name = file_name + '.test.yml'
         return file_name

{contentctl-4.3.4.dist-info → contentctl-4.3.5.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: contentctl
-Version: 4.3.4
+Version: 4.3.5
 Summary: Splunk Content Control Tool
 License: Apache 2.0
 Author: STRT
@@ -13,7 +13,7 @@ Classifier: Programming Language :: Python :: 3.12
 Requires-Dist: Jinja2 (>=3.1.4,<4.0.0)
 Requires-Dist: PyYAML (>=6.0.2,<7.0.0)
 Requires-Dist: attackcti (>=0.4.0,<0.5.0)
-Requires-Dist: bottle (>=0.12.25,<0.13.0)
+Requires-Dist: bottle (>=0.12.25,<0.14.0)
 Requires-Dist: docker (>=7.1.0,<8.0.0)
 Requires-Dist: gitpython (>=3.1.43,<4.0.0)
 Requires-Dist: pycvesearch (>=1.2,<2.0)
@@ -22,7 +22,7 @@ Requires-Dist: pygit2 (>=1.15.1,<2.0.0)
 Requires-Dist: questionary (>=2.0.1,<3.0.0)
 Requires-Dist: requests (>=2.32.3,<2.33.0)
 Requires-Dist: semantic-version (>=2.10.0,<3.0.0)
-Requires-Dist: setuptools (>=69.5.1,<75.0.0)
+Requires-Dist: setuptools (>=69.5.1,<76.0.0)
 Requires-Dist: splunk-sdk (>=2.0.2,<3.0.0)
 Requires-Dist: tqdm (>=4.66.5,<5.0.0)
 Requires-Dist: tyro (>=0.8.3,<0.9.0)
@@ -165,7 +165,7 @@ This section is under active development.  It will allow you to a [MITRE Map](ht
 Choose TYPE {detection, story} to create new content for the Content Pack.  The tool will interactively ask a series of questions required for generating a basic piece of content and automatically add it to the Content Pack.
 
 ### contentctl inspect
-This section is under development.  It will enable the user to perform an appinspect of the content pack in preparation for deployment onto a Splunk Instance or via Splunk Cloud.
+This section is under development.  The inspect action performs a number of post-build validations. Primarily, it will enable the user to perform an appinspect of the content pack in preparation for deployment onto a Splunk Instance or via Splunk Cloud. It also compares detections in the new build against a prior build, confirming that any changed detections have had their versions incremented (this comparison happens at the savedsearch.conf level, which is why it must happen after the build). Please also note that new versions of contentctl may result in the generation of different savedsearches.conf files without any content changes in YML (new keys at the .conf level which will necessitate bumping of the version in the YML file).
 
 ### contentctl deploy
 The reason to build content is so that it can be deployed to your environment.  However, deploying content to multiple servers and different types of infrastructure can be tricky and time-consuming.  contentctl makes this easy by supporting a number of different deployment mechanisms. Deployment targets can be defined in [contentctl.yml](/contentctl/templates/contentctl_default.yml).

{contentctl-4.3.4.dist-info → contentctl-4.3.5.dist-info}/RECORD

@@ -13,37 +13,37 @@ contentctl/actions/detection_testing/views/DetectionTestingViewCLI.py,sha256=v5F
 contentctl/actions/detection_testing/views/DetectionTestingViewFile.py,sha256=3mBCQy3hYuX8bNqh3al0nANlMwq9sxbQjkhwA1V5LOA,1090
 contentctl/actions/detection_testing/views/DetectionTestingViewWeb.py,sha256=6mecacXFoTJxcHiRZSnlHos5Hca1jdedEEZfiIAhaJg,4706
 contentctl/actions/doc_gen.py,sha256=YNc1VYA0ikL1hWDHYjfEOmUkfhy8PEIdvTyC4ZLxQRY,863
-contentctl/actions/initialize.py,sha256=Ifi13REBwQyUfCHma6IzjM_Z8uYEZ3Qz8kmP0WIFbJQ,1975
+contentctl/actions/initialize.py,sha256=wEO3u8vJYP8Xh2OSJ_HxfMV6mqOdkPyWbUzNGEqMTNA,3055
 contentctl/actions/initialize_old.py,sha256=0qXbW_fNDvkcnEeL6Zpte8d-hpTu1REyzHsXOCY-YB8,9333
-contentctl/actions/inspect.py,sha256=6gVVKmV5CUUYOkNNVTMPKj9bM1uXVthgGCoFKZGDeS8,12628
+contentctl/actions/inspect.py,sha256=kxExmA4dn4-JXl_PiPVmGObeqQmYd04nKjFNvjFyFYc,17232
 contentctl/actions/new_content.py,sha256=o5ZYBQ216RN6TnW_wRxVGJybx2SsJ7ht4PAi1dw45Yg,6076
 contentctl/actions/release_notes.py,sha256=akkFfLhsJuaPUyjsb6dLlKt9cUM-JApAjTFQMbYoXeM,13115
 contentctl/actions/reporting.py,sha256=MJEmvmoA1WnSFZEU9QM6daL_W94oOX0WXAcX1qAM2As,1583
 contentctl/actions/test.py,sha256=jv12UO_PTjZwvo4G-Dr8fE2gsuWvuvAmO2QQM4q7TL0,5917
-contentctl/actions/validate.py,sha256=2MQ8yumCKj7zD8iUuA5gfFEMcE-GPRzYqkvuOexn0JA,5633
-contentctl/api.py,sha256=FBOpRhbBCBdjORmwe_8MPQ3PRZ6T0KrrFcfKovVFkug,6343
-contentctl/contentctl.py,sha256=JXbUD5l1PziRRJxUc1UHrveM33CHryZPmc0RxudDpIs,10328
-contentctl/enrichments/attack_enrichment.py,sha256=XEcLRnXKfJeChax5gfHDGea5D5MCFjP4bWp8hRWn3d8,7871
+contentctl/actions/validate.py,sha256=TL_zUU8Lo2ygf28F_EtaKWTFRBrbg-31XN5j2feNFKM,5524
+contentctl/api.py,sha256=O0dNE3-WkWs2zuOeAQnIicgOtBX5s2bGBhRVo3j69-8,6327
+contentctl/contentctl.py,sha256=CLYQ1kpVcUkOXPGrGyE7SwAkEtvjq2kHENWyy81gwsM,10400
+contentctl/enrichments/attack_enrichment.py,sha256=i0p5ud7EqA2SMB7Gc8JQdIonUTjAeDN-hxKBV4XV-Rg,6391
 contentctl/enrichments/cve_enrichment.py,sha256=rRdf62sKkBzCBLCNwzAmEhxNiPV2px1VS6MzDiS-uBw,2337
 contentctl/enrichments/splunk_app_enrichment.py,sha256=zDNHFLZTi2dJ1gdnh0sHkD6F1VtkblqFnhacFcCMBfc,3418
 contentctl/helper/link_validator.py,sha256=-XorhxfGtjLynEL1X4hcpRMiyemogf2JEnvLwhHq80c,7139
 contentctl/helper/logger.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-contentctl/helper/splunk_app.py,sha256=PZf60Z3ALQLJQ6I--cbWTCzvOMPGsjZSns1BFrZu4S4,9549
+contentctl/helper/splunk_app.py,sha256=5KoacltgQ2J1BdxqvZYhr6GCXFl2tsy8TEWNc2gXkqw,14187
 contentctl/helper/utils.py,sha256=8ICRvE7DUiNL9BK4Hw71hCLFbd3R2u86OwKeDOdaBTY,19454
-contentctl/input/director.py,sha256=kTqdN_rCzRMn4dR32hPaVyx2llhAxyhJgoGjowhsHzs,10887
+contentctl/input/director.py,sha256=Z_NV6nyfFHDcWUaXi9Q88Xv-V_patuzQ39YsFzJoXQE,10434
 contentctl/input/new_content_questions.py,sha256=o4prlBoUhEMxqpZukquI9WKbzfFJfYhEF7a8m2q_BEE,5565
 contentctl/input/yml_reader.py,sha256=hyVUYhx4Ka8C618kP2D_E3sDUKEQGC6ty_QZQArHKd4,1489
-contentctl/objects/abstract_security_content_objects/detection_abstract.py,sha256=U3IvEQO3D5ab7YPUz8JnAnUCNtN--INOs2AP-ew5qn8,38867
+contentctl/objects/abstract_security_content_objects/detection_abstract.py,sha256=2TOIfDVZm1uQbHFrP9YFOy7pXDPkIWCxzm-qCzK9Twc,39061
 contentctl/objects/abstract_security_content_objects/security_content_object_abstract.py,sha256=vdZvybF34Zlxf6XOjw400gYbpkPUkOtlu-JiWlAof40,9877
 contentctl/objects/alert_action.py,sha256=E9gjCn5C31h0sN7k90KNe4agRxFFSnMW_Z-Ri_3YQss,1335
 contentctl/objects/annotated_types.py,sha256=jnX02BQT4dHbd_DCIjik0PNN3kgsvb7sxAz_1Jy8TOY,259
-contentctl/objects/atomic.py,sha256=BP27gP8KHeODp6UazhVFxwDQ64wuJCARGsLfIH34h7U,8768
+contentctl/objects/atomic.py,sha256=L9QSmwmmSFFfvUykPk_nXwz9XDz-Gn6e0rrDxxRO8uY,7292
 contentctl/objects/base_test.py,sha256=qUtKQJrqCto_fwCBdiH68_tXqokhcv9ceu2fQlBxsjA,1045
 contentctl/objects/base_test_result.py,sha256=jVroyGLb9GD6Wm2QzvgIEA3SWCZqxPsHp9PzxSvpyIs,5101
 contentctl/objects/baseline.py,sha256=Lb1vJKtDdlDrzWgrdkC9oQao_TnRrOxSwOWHf4trtaU,2150
 contentctl/objects/baseline_tags.py,sha256=fVhLF-NmisavybB_idu3N0Con0Ymj8clKfRMkWzBB-k,1762
-contentctl/objects/config.py,sha256=_DRRMdtDKxjg2u-7iEbBrvKwtABxtlrmAEC8XYBQGk8,44487
-contentctl/objects/constants.py,sha256=lfCcr1DsTZvANHj4Ee1_sEV-SebHwAn41-5EvmoEX2E,3537
+contentctl/objects/config.py,sha256=q6-zGzKXi_etiAOJDgKKrU31WfmJkA9_Yjnx2QccScA,49808
+contentctl/objects/constants.py,sha256=389Gna6BtukAkXfOKiHEg-FtPRVEVReV4pEMeLuq7o8,3653
 contentctl/objects/correlation_search.py,sha256=ZZVoO3M594qCy_aAMhQiOPWn8FiSFbRShUCCLx6zhNc,48434
 contentctl/objects/data_source.py,sha256=aRr6lHu-EtGmi6J2nXKD7i2ozUPtp7X-vDkQiutvD3I,1545
 contentctl/objects/deployment.py,sha256=Qc6M4yeOvxjqFKR8sfjd4CG06AbVheTOqP1mwqo4t8s,2651
@@ -54,9 +54,11 @@ contentctl/objects/deployment_rba.py,sha256=YFLSKzLU7s8Bt1cJkSBWlfCsc_2MfgiwyaDi
 contentctl/objects/deployment_scheduling.py,sha256=bQjbJHNaUGdU1VAGV8-nFOHzHutbIlt7FZpUvR1CV4Y,198
 contentctl/objects/deployment_slack.py,sha256=P6z8OLHDKcDWx7nbKWasqBc3dFRatGcpO2GtmxzVV8I,135
 contentctl/objects/detection.py,sha256=3W41cXf3ECjWuPqWrseqSLC3PAA7O5_nENWWM6MPK0Y,620
-contentctl/objects/detection_tags.py,sha256=r7nIYMMspPk68aQx5q04jQaFGO4zTYG1P1UAUrX9qtU,11023
-contentctl/objects/enums.py,sha256=37v7w8xCg5j5hxP3kod0S3HQ9BY-CqZulPiwhnTtEvs,14052
-contentctl/objects/errors.py,sha256=gnD99z4O00EBbMerUjt4368q8mohm3Zb9HByG3CP_A0,525
+contentctl/objects/detection_metadata.py,sha256=eCsru2cymc3VINjt9MpDyGw2zXa2HyVEPv-XiGAcAeQ,2236
+contentctl/objects/detection_stanza.py,sha256=842fHPfGDdddHF5UzgftYr8OlYblWhMWZxPQsTu2wKg,3066
+contentctl/objects/detection_tags.py,sha256=90-dGSMwZH-6VYReb2_f81s3pZ4dJ2PBQZog4GMZcE4,11030
+contentctl/objects/enums.py,sha256=xY-pESjN8AUeP_ELCtMDUxQO7OzMJbK-QSl4UJfaqGQ,14016
+contentctl/objects/errors.py,sha256=WURmJCqhy2CZNXXCypXVtwnjSBx-VIcB6W9oFJmzoFk,5762
 contentctl/objects/event_source.py,sha256=G9P7rtcN5hcBNQx6DG37mR3QyQufx--T6kgQGNqQuKk,415
 contentctl/objects/integration_test.py,sha256=UBBx85f517MpQXOM7-iEasACEQ0-Ia7W4rDChOHZfno,1319
 contentctl/objects/integration_test_result.py,sha256=9oVWka57alIVPiCDbNgy-OmJcBicyYbrr6anL52Wgks,278
@@ -75,9 +77,8 @@ contentctl/objects/playbook_tags.py,sha256=NrhTGcgoYSGEZggrfebko0GBOXN9x05IadRUU
 contentctl/objects/risk_analysis_action.py,sha256=Glzcq99DAqqOJ2eZYCkUI3R5hA5cZGU0ZuCSinFf2R8,4278
 contentctl/objects/risk_event.py,sha256=b5Smh3w5Hecmi7E-Ub5DvO8iOPwnVg2ux47u7oemxX4,14041
 contentctl/objects/risk_object.py,sha256=yY4NmEwEKaRl4sLzCRZb1n8kdpV3HzYbQVQ1ClQWYHw,904
+contentctl/objects/savedsearches_conf.py,sha256=tCyZHqAQ9azgwIyySViY2BdM4To5Cb_GeYEEHPwR4Zc,8604
 contentctl/objects/security_content_object.py,sha256=j8KNDwSMfZsSIzJucC3NuZo0SlFVpqHfDc6y3-YHjHI,234
-contentctl/objects/ssa_detection.py,sha256=ud0T6lq-5XUlmeK8Jzw_aNLe6podVcA1o7THDYvWbik,5934
-contentctl/objects/ssa_detection_tags.py,sha256=9aRwbpQHi79NIS9rofjgxDJpw7cWXqG534_kSbvHJh8,5220
 contentctl/objects/story.py,sha256=FXe11LV19xJTtCgx7DKdvV9cL0gKeryUnE3yjpnDmrU,4957
 contentctl/objects/story_tags.py,sha256=cOL8PUzdlFdLPQHc54_-9sdI8nCE1D04oKY7KriOssI,2293
 contentctl/objects/test_attack_data.py,sha256=9OgErjdPR4S-SJpQePt0uwBLPYHYPtqKDd-auhjz7Uc,430
@@ -85,20 +86,18 @@ contentctl/objects/test_group.py,sha256=DCtm4ChGYksOwZQVHsioaweOvI37CSlTZJzKvBX-
 contentctl/objects/threat_object.py,sha256=S8B7RQFfLxN_g7yKPrDTuYhIy9JvQH3YwJ_T5LUZIa4,711
 contentctl/objects/unit_test.py,sha256=eMFehpHhmZA5WYBqhWUNRF_LpxuLM9VooAxjXeNbrxY,1144
 contentctl/objects/unit_test_baseline.py,sha256=XHvOm7qLYfqrP6uC5U_pfgw_pf8-S2RojuNmbo6lXlM,227
-contentctl/objects/unit_test_old.py,sha256=IfvytHG4ZnUhsvXgdczECZbiwv6YLViYdsk9AqeDBjQ,199
 contentctl/objects/unit_test_result.py,sha256=POQfvvPpSw-jQzINBz1_IszUMJ4Wbopu8HRS1Qe6P2M,2940
-contentctl/objects/unit_test_ssa.py,sha256=RURqXb3e0CuI5nNX8PvFucxatAvMmGSUDngVbqNpoiY,653
 contentctl/output/api_json_output.py,sha256=n3OTd5z-Vkmsn7ny6QCAar_jSMNuuJfzAQa7xq_9if4,9085
 contentctl/output/attack_nav_output.py,sha256=95iKV8U9BMMgqh6cCOw1S89Ln73xmJGgJPHTYR0L7hA,2304
 contentctl/output/attack_nav_writer.py,sha256=64ILZLmNbh2XLmbopgENkeo6t-4SRRG8xZXBmtpNd4g,2219
 contentctl/output/conf_output.py,sha256=7HcHM9pJLNnan1Kq_7ozvs5iOgfzqdKbO6gwxUZJVnc,9994
-contentctl/output/conf_writer.py,sha256=2TaCAPEtU-bMa7A2m7xOxh93PMpzIdhwiHiPLUCeCB4,8281
+contentctl/output/conf_writer.py,sha256=uMxWrdu-4paiTgUGu_FUWMjT-r_IpdZSTUSDZUGC6k8,8541
 contentctl/output/data_source_writer.py,sha256=ubFjm6XJ4T2d3oqfKwDFasITHeDj3HFmegqVN--5_ME,1635
 contentctl/output/detection_writer.py,sha256=AzxbssNLmsNIOaYKotew5-ONoyq1cQpKSGy3pe191B0,960
 contentctl/output/doc_md_output.py,sha256=gf7osH1uSrC6js3D_I72g4uDe9TaB3tsvtqCHi5znp0,3238
 contentctl/output/jinja_writer.py,sha256=bdiqr9FaXYxth4wZ1A52zTMAS5stHNGpezTkaS5pres,1119
 contentctl/output/json_writer.py,sha256=Z-iVLnZb8tzYATxbQtXax0dz572lVPFMNVTx-vWbnog,1007
-contentctl/output/new_content_yml_output.py,sha256=ktZ9miHluqkw8jD-pn-62bjVp1sQqqQ7B53xy18DHU8,2321
+contentctl/output/new_content_yml_output.py,sha256=KvP0FffQBPznSKqJyRQMtehf4XYEVK5jiPlUwnkekUc,2061
 contentctl/output/svg_output.py,sha256=T2p4S085MKj5VPZKvo4tWBVOmYme32J9L7kMEBm3SwQ,2751
 contentctl/output/templates/analyticstories_detections.j2,sha256=MYefoyWAq4b7dth3OlbMWNhFnH3_nnMKaOfw0lMkxT4,917
 contentctl/output/templates/analyticstories_investigations.j2,sha256=7bwt_6U3dr9hbxOUkp0a1KnRJohNgC7GE1zRg_N_awI,515
@@ -166,8 +165,8 @@ contentctl/templates/detections/web/.gitkeep,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRk
 contentctl/templates/macros/security_content_ctime.yml,sha256=Gg1YNllHVsX_YB716H1SJLWzxXZEfuJlnsgB2fuyoHU,159
 contentctl/templates/macros/security_content_summariesonly.yml,sha256=9BYUxAl2E4Nwh8K19F3AJS8Ka7ceO6ZDBjFiO3l3LY0,162
 contentctl/templates/stories/cobalt_strike.yml,sha256=rlaXxMN-5k8LnKBLPafBoksyMtlmsPMHPJOjTiMiZ-M,3063
-contentctl-4.3.4.dist-info/LICENSE.md,sha256=hQWUayRk-pAiOZbZnuy8djmoZkjKBx8MrCFpW-JiOgo,11344
-contentctl-4.3.4.dist-info/METADATA,sha256=YgRlkSBe1UQmgQfU3wIVwH0lufqLvfhjnnhY2qBNxiU,20925
-contentctl-4.3.4.dist-info/WHEEL,sha256=sP946D7jFCHeNz5Iq4fL4Lu-PrWrFsgfLXbbkciIZwg,88
-contentctl-4.3.4.dist-info/entry_points.txt,sha256=5bjZ2NkbQfSwK47uOnA77yCtjgXhvgxnmCQiynRF_-U,57
-contentctl-4.3.4.dist-info/RECORD,,
+contentctl-4.3.5.dist-info/LICENSE.md,sha256=hQWUayRk-pAiOZbZnuy8djmoZkjKBx8MrCFpW-JiOgo,11344
+contentctl-4.3.5.dist-info/METADATA,sha256=Ja_S233rBxi4ZWj0ihjS7XdybxUirZFKwC2sZvwvOaI,21489
+contentctl-4.3.5.dist-info/WHEEL,sha256=sP946D7jFCHeNz5Iq4fL4Lu-PrWrFsgfLXbbkciIZwg,88
+contentctl-4.3.5.dist-info/entry_points.txt,sha256=5bjZ2NkbQfSwK47uOnA77yCtjgXhvgxnmCQiynRF_-U,57
+contentctl-4.3.5.dist-info/RECORD,,

contentctl/objects/ssa_detection.py

@@ -1,157 +0,0 @@
-from __future__ import annotations
-import uuid
-import string
-import requests
-import time
-from pydantic import BaseModel, validator, root_validator
-from dataclasses import dataclass
-from datetime import datetime
-from typing import Union
-import re
-
-from contentctl.objects.abstract_security_content_objects.detection_abstract import Detection_Abstract
-from contentctl.objects.enums import AnalyticsType
-from contentctl.objects.enums import DataModel
-from contentctl.objects.enums import DetectionStatus
-from contentctl.objects.deployment import Deployment
-from contentctl.objects.ssa_detection_tags import SSADetectionTags
-from contentctl.objects.unit_test_ssa import UnitTestSSA
-from contentctl.objects.unit_test_old import UnitTestOld
-from contentctl.objects.macro import Macro
-from contentctl.objects.lookup import Lookup
-from contentctl.objects.baseline import Baseline
-from contentctl.objects.playbook import Playbook
-from contentctl.helper.link_validator import LinkValidator
-from contentctl.objects.enums import SecurityContentType
-
-class SSADetection(BaseModel):
-    # detection spec
-    name: str
-    id: str
-    version: int
-    date: str
-    author: str
-    type: AnalyticsType = ...
-    status: DetectionStatus = ...
-    detection_type: str = None
-    description: str
-    data_source: list[str]
-    search: Union[str, dict]
-    how_to_implement: str
-    known_false_positives: str
-    references: list
-    tags: SSADetectionTags
-    tests: list[UnitTestSSA] = None
-
-    # enrichments
-    annotations: dict = None
-    risk: list = None
-    mappings: dict = None
-    file_path: str = None
-    source: str = None
-    test: Union[UnitTestSSA, dict, UnitTestOld] = None
-    runtime: str = None
-    internalVersion: int = None
-
-    # @validator('name')v
-    # def name_max_length(cls, v, values):
-    #     if len(v) > 67:
-    #         raise ValueError('name is longer then 67 chars: ' + v)
-    #     return v
-
-    # TODO (#266): disable the use_enum_values configuration
-    class Config:
-        use_enum_values = True
-
-    '''
-    @validator("name")
-    def name_invalid_chars(cls, v):
-        invalidChars = set(string.punctuation.replace("-", ""))
-        if any(char in invalidChars for char in v):
-            raise ValueError("invalid chars used in name: " + v)
-        return v
-
-    @validator("id")
-    def id_check(cls, v, values):
-        try:
-            uuid.UUID(str(v))
-        except:
-            raise ValueError("uuid is not valid: " + values["name"])
-        return v
-
-    @validator("date")
-    def date_valid(cls, v, values):
-        try:
-            datetime.strptime(v, "%Y-%m-%d")
-        except:
-            raise ValueError("date is not in format YYYY-MM-DD: " + values["name"])
-        return v
-
-    # @validator("type")
-    # def type_valid(cls, v, values):
-    #     if v.lower() not in [el.name.lower() for el in AnalyticsType]:
-    #         raise ValueError("not valid analytics type: " + values["name"])
-    #     return v
-
-    @validator("description", "how_to_implement")
-    def encode_error(cls, v, values, field):
-        try:
-            v.encode("ascii")
-        except UnicodeEncodeError:
-            raise ValueError("encoding error in " + field.name + ": " + values["name"])
-        return v
-
-    # @root_validator
-    # def search_validation(cls, values):
-    #     if 'ssa_' not in values['file_path']:
-    #         if not '_filter' in values['search']:
-    #             raise ValueError('filter macro missing in: ' + values["name"])
-    #         if any(x in values['search'] for x in ['eventtype=', 'sourcetype=', ' source=', 'index=']):
-    #             if not 'index=_internal' in values['search']:
-    #                 raise ValueError('Use source macro instead of eventtype, sourcetype, source or index in detection: ' + values["name"])
-    #     return values
-
-    @root_validator
-    def name_max_length(cls, values):
-        # Check max length only for ESCU searches, SSA does not have that constraint
-        if "ssa_" not in values["file_path"]:
-            if len(values["name"]) > 67:
-                raise ValueError("name is longer then 67 chars: " + values["name"])
-        return values
-
-
-    @root_validator
-    def new_line_check(cls, values):
-        # Check if there is a new line in description and how to implement that is not escaped
-        pattern = r'(?<!\\)\n' 
-        if re.search(pattern, values["description"]):
-            match_obj = re.search(pattern,values["description"])
-            words = values["description"][:match_obj.span()[0]].split()[-10:]
-            newline_context = ' '.join(words)
-            raise ValueError(f"Field named 'description' contains new line that is not escaped using backslash. Add backslash at the end of the line after the words: '{newline_context}' in '{values['name']}'")
-        if re.search(pattern, values["how_to_implement"]):
-            match_obj = re.search(pattern,values["how_to_implement"])
-            words = values["how_to_implement"][:match_obj.span()[0]].split()[-10:]
-            newline_context = ' '.join(words)
-            raise ValueError(f"Field named 'how_to_implement' contains new line that is not escaped using backslash. Add backslash at the end of the line after the words: '{newline_context}' in '{values['name']}'")
-        return values
-
-    # @validator('references')
-    # def references_check(cls, v, values):
-    #     return LinkValidator.SecurityContentObject_validate_references(v, values)
-
-
-    @validator("search")
-    def search_validate(cls, v, values):
-        # write search validator
-        return v
-
-    @validator("tests")
-    def tests_validate(cls, v, values):
-        if (values.get("status","") in [DetectionStatus.production.value, DetectionStatus.validation.value]) and not v:
-            raise ValueError(
-                "At least one test is required for a production or validation detection: " + values["name"]
-            )
-        return v
-
-    '''