contentctl 4.3.4__py3-none-any.whl → 4.4.0__py3-none-any.whl

contentctl/objects/abstract_security_content_objects/detection_abstract.py

@@ -20,7 +20,8 @@ from contentctl.objects.lookup import Lookup
 if TYPE_CHECKING:
     from contentctl.input.director import DirectorOutputDto
     from contentctl.objects.baseline import Baseline
-
+    from contentctl.objects.config import CustomApp
+    
 from contentctl.objects.security_content_object import SecurityContentObject
 from contentctl.objects.enums import AnalyticsType
 from contentctl.objects.enums import DataModel
@@ -35,11 +36,17 @@ from contentctl.objects.test_group import TestGroup
 from contentctl.objects.integration_test import IntegrationTest
 from contentctl.objects.data_source import DataSource
 from contentctl.objects.base_test_result import TestResultStatus
-
-# from contentctl.objects.playbook import Playbook
+from contentctl.objects.drilldown import Drilldown, DRILLDOWN_SEARCH_PLACEHOLDER
 from contentctl.objects.enums import ProvidingTechnology
 from contentctl.enrichments.cve_enrichment import CveEnrichmentObj
 import datetime
+from contentctl.objects.constants import (
+    ES_MAX_STANZA_LENGTH,
+    ES_SEARCH_STANZA_NAME_FORMAT_AFTER_CLONING_IN_PRODUCT_TEMPLATE,
+    CONTENTCTL_MAX_SEARCH_NAME_LENGTH,
+    CONTENTCTL_DETECTION_STANZA_NAME_FORMAT_TEMPLATE
+)
+
 MISSING_SOURCES: set[str] = set()
 
 # Those AnalyticsTypes that we do not test via contentctl
@@ -51,8 +58,8 @@ SKIPPED_ANALYTICS_TYPES: set[str] = {
 # TODO (#266): disable the use_enum_values configuration
 class Detection_Abstract(SecurityContentObject):
     model_config = ConfigDict(use_enum_values=True)
-
-    # contentType: SecurityContentType = SecurityContentType.detections
+    name:str = Field(...,max_length=CONTENTCTL_MAX_SEARCH_NAME_LENGTH)
+    #contentType: SecurityContentType = SecurityContentType.detections
     type: AnalyticsType = Field(...)
     status: DetectionStatus = Field(...)
     data_source: list[str] = []
@@ -60,6 +67,16 @@ class Detection_Abstract(SecurityContentObject):
     search: str = Field(...)
     how_to_implement: str = Field(..., min_length=4)
     known_false_positives: str = Field(..., min_length=4)
+    explanation: None | str = Field(
+        default=None,
+        exclude=True, #Don't serialize this value when dumping the object
+        description="Provide an explanation to be included "
+        "in the 'Explanation' field of the Detection in "
+        "the Use Case Library. If this field is not "
+        "defined in the YML, it will default to the "
+        "value of the 'description' field when " 
+        "serialized in analyticstories_detections.j2",
+    )
 
     enabled_by_default: bool = False
     file_path: FilePath = Field(...)
@@ -70,9 +87,30 @@ class Detection_Abstract(SecurityContentObject):
     # https://github.com/pydantic/pydantic/issues/9101#issuecomment-2019032541
     tests: List[Annotated[Union[UnitTest, IntegrationTest, ManualTest], Field(union_mode='left_to_right')]] = []
     # A list of groups of tests, relying on the same data
-    test_groups: Union[list[TestGroup], None] = Field(None, validate_default=True)
+    test_groups: list[TestGroup] = []
 
     data_source_objects: list[DataSource] = []
+    drilldown_searches: list[Drilldown] = Field(default=[], description="A list of Drilldowns that should be included with this search")
+
+    def get_conf_stanza_name(self, app:CustomApp)->str:
+        stanza_name = CONTENTCTL_DETECTION_STANZA_NAME_FORMAT_TEMPLATE.format(app_label=app.label, detection_name=self.name)
+        self.check_conf_stanza_max_length(stanza_name)
+        return stanza_name
+    
+
+    def get_action_dot_correlationsearch_dot_label(self, app:CustomApp, max_stanza_length:int=ES_MAX_STANZA_LENGTH)->str:
+        stanza_name = self.get_conf_stanza_name(app)
+        stanza_name_after_saving_in_es = ES_SEARCH_STANZA_NAME_FORMAT_AFTER_CLONING_IN_PRODUCT_TEMPLATE.format(
+            security_domain_value = self.tags.security_domain.value, 
+            search_name = stanza_name
+            )
+        
+    
+        if len(stanza_name_after_saving_in_es) > max_stanza_length:
+            raise ValueError(f"label may only be {max_stanza_length} characters to allow updating in-product, "
+                             f"but stanza was actually {len(stanza_name_after_saving_in_es)} characters: '{stanza_name_after_saving_in_es}' ")
+        
+        return stanza_name    
 
     @field_validator("search", mode="before")
     @classmethod
@@ -83,15 +121,13 @@ class Detection_Abstract(SecurityContentObject):
 
 
         Args:
-            value (Union[str, dict[str,Any]]): The search. It can either be a string (and should be
-                SPL or a dict, in which case it is Sigma-formatted.
+            value (str): The SPL search. It must be an SPL-formatted string.
             info (ValidationInfo): The validation info can contain a number of different objects.
                 Today it only contains the director.
 
         Returns:
-            Union[str, dict[str,Any]]: The search, either in sigma or SPL format.
-        """        
-        
+            str: The search, as an SPL formatted string.
+        """
         
         # Otherwise, the search is SPL.
 
@@ -132,6 +168,7 @@ class Detection_Abstract(SecurityContentObject):
         the model from the list of unit tests. Also, preemptively skips all manual tests, as well as
         tests for experimental/deprecated detections and Correlation type detections.
         """
+        
         # Since ManualTest and UnitTest are not differentiable without looking at the manual_test
         # tag, Pydantic builds all tests as UnitTest objects. If we see the manual_test flag, we
         # convert these to ManualTest
@@ -250,6 +287,7 @@ class Detection_Abstract(SecurityContentObject):
             annotations_dict["cve"] = self.tags.cve
         annotations_dict["impact"] = self.tags.impact
         annotations_dict["type"] = self.type
+        annotations_dict["type_list"] = [self.type]
         # annotations_dict["version"] = self.version
 
         annotations_dict["data_source"] = self.data_source
@@ -390,7 +428,11 @@ class Detection_Abstract(SecurityContentObject):
         # NOTE: we ignore the type error around self.status because we are using Pydantic's
         # use_enum_values configuration
         # https://docs.pydantic.dev/latest/api/config/#pydantic.config.ConfigDict.populate_by_name
-        
+
+        # NOTE: The `inspect` action is HIGHLY sensitive to the structure of the metadata line in
+        # the detection stanza in savedsearches.conf. Additive operations (e.g. a new field in the
+        # dict below) should not have any impact, but renaming or removing any of these fields will
+        # break the `inspect` action.
         return {
             'detection_id': str(self.id),
             'deprecated': '1' if self.status == DetectionStatus.deprecated.value else '0',          # type: ignore
@@ -516,13 +558,53 @@ class Detection_Abstract(SecurityContentObject):
         self.data_source_objects = matched_data_sources
 
         for story in self.tags.analytic_story:
-            story.detections.append(self)
+            story.detections.append(self)     
 
         self.cve_enrichment_func(__context)
 
         # Derive TestGroups and IntegrationTests, adjust for ManualTests, skip as needed
         self.adjust_tests_and_groups()
 
+        # Ensure that if there is at least 1 drilldown, at least
+        # 1 of the drilldowns contains the string Drilldown.SEARCH_PLACEHOLDER.
+        # This is presently a requirement when 1 or more drilldowns are added to a detection.
+        # Note that this is only required for production searches that are not hunting
+            
+        if self.type == AnalyticsType.Hunting.value or self.status != DetectionStatus.production.value:
+            #No additional check need to happen on the potential drilldowns.
+            pass
+        else:
+            found_placeholder = False
+            if len(self.drilldown_searches) < 2:
+                raise ValueError(f"This detection is required to have 2 drilldown_searches, but only has [{len(self.drilldown_searches)}]")
+            for drilldown in self.drilldown_searches:
+                if DRILLDOWN_SEARCH_PLACEHOLDER in drilldown.search:
+                    found_placeholder = True
+            if not found_placeholder:
+                raise ValueError("Detection has one or more drilldown_searches, but none of them "
+                                 f"contained '{DRILLDOWN_SEARCH_PLACEHOLDER}. This is a requirement "
+                                 "if drilldown_searches are defined.'")
+            
+        # Update the search fields with the original search, if required
+        for drilldown in self.drilldown_searches:
+            drilldown.perform_search_substitutions(self)
+
+        #For experimental purposes, add the default drilldowns
+        #self.drilldown_searches.extend(Drilldown.constructDrilldownsFromDetection(self))
+
+    @property
+    def drilldowns_in_JSON(self) -> list[dict[str,str]]:
+        """This function is required for proper JSON 
+        serializiation of drilldowns to occur in savedsearches.conf.
+        It returns the list[Drilldown] as a list[dict].
+        Without this function, the jinja template is unable
+        to convert list[Drilldown] to JSON
+
+        Returns:
+            list[dict[str,str]]: List of Drilldowns dumped to dict format
+        """        
+        return [drilldown.model_dump() for drilldown in self.drilldown_searches]
+
     @field_validator('lookups', mode="before")
     @classmethod
     def getDetectionLookups(cls, v:list[str], info:ValidationInfo) -> list[Lookup]:
@@ -651,6 +733,27 @@ class Detection_Abstract(SecurityContentObject):
         else:
             self.tags.nist = [NistCategory.DE_AE]
         return self
+        
+
+    @model_validator(mode="after")
+    def ensureThrottlingFieldsExist(self):
+        '''
+        For throttling to work properly, the fields to throttle on MUST
+        exist in the search itself.  If not, then we cannot apply the throttling
+        '''
+        if self.tags.throttling is None:
+            # No throttling configured for this detection
+            return self
+
+        missing_fields:list[str] = [field for field in self.tags.throttling.fields if field not in self.search]
+        if len(missing_fields) > 0:
+            raise ValueError(f"The following throttle fields were missing from the search: {missing_fields}")
+
+        else:
+            # All throttling fields present in search
+            return self
+            
+
 
     @model_validator(mode="after")
     def ensureProperObservablesExist(self):
@@ -728,6 +831,45 @@ class Detection_Abstract(SecurityContentObject):
         # Found everything
         return self
 
+    @field_validator("tests", mode="before")
+    def ensure_yml_test_is_unittest(cls, v:list[dict]):
+        """The typing for the tests field allows it to be one of
+        a number of different types of tests. However, ONLY
+        UnitTest should be allowed to be defined in the YML
+        file.  If part of the UnitTest defined in the YML
+        is incorrect, such as the attack_data file, then
+        it will FAIL to be instantiated as a UnitTest and
+        may instead be instantiated as a different type of
+        test, such as IntegrationTest (since that requires
+        less fields) which is incorrect. Ensure that any
+        raw data read from the YML can actually construct
+        a valid UnitTest and, if not, return errors right
+        away instead of letting Pydantic try to construct
+        it into a different type of test
+
+        Args:
+            v (list[dict]): list of dicts read from the yml. 
+            Each one SHOULD be a valid UnitTest. If we cannot
+            construct a valid unitTest from it, a ValueError should be raised
+
+        Returns:
+            _type_: The input of the function, assuming no 
+            ValueError is raised.
+        """        
+        valueErrors:list[ValueError] = []
+        for unitTest in v:
+            #This raises a ValueError on a failed UnitTest.
+            try:
+                UnitTest.model_validate(unitTest)
+            except ValueError as e:
+                valueErrors.append(e)
+        if len(valueErrors):
+            raise ValueError(valueErrors)
+        # All of these can be constructred as UnitTests with no
+        # Exceptions, so let the normal flow continue
+        return v
+        
+
     @field_validator("tests")
     def tests_validate(
         cls,

contentctl/objects/abstract_security_content_objects/security_content_object_abstract.py

@@ -5,8 +5,10 @@ if TYPE_CHECKING:
     from contentctl.objects.deployment import Deployment
     from contentctl.objects.security_content_object import SecurityContentObject
     from contentctl.input.director import DirectorOutputDto
+    from contentctl.objects.config import CustomApp
 
 from contentctl.objects.enums import AnalyticsType
+from contentctl.objects.constants import CONTENTCTL_MAX_STANZA_LENGTH
 import abc
 import uuid
 import datetime
@@ -31,14 +33,14 @@ NO_FILE_NAME = "NO_FILE_NAME"
 
 # TODO (#266): disable the use_enum_values configuration
 class SecurityContentObject_Abstract(BaseModel, abc.ABC):
-    model_config = ConfigDict(use_enum_values=True, validate_default=True)
-
-    name: str = Field(...)
-    author: str = Field("Content Author", max_length=255)
-    date: datetime.date = Field(datetime.date.today())
-    version: NonNegativeInt = 1
-    id: uuid.UUID = Field(default_factory=uuid.uuid4)  # we set a default here until all content has a uuid
-    description: str = Field("Enter Description Here", max_length=10000)
+    model_config = ConfigDict(use_enum_values=True,validate_default=True)
+    
+    name: str = Field(...,max_length=99)
+    author: str = Field(...,max_length=255)
+    date: datetime.date = Field(...)
+    version: NonNegativeInt = Field(...)
+    id: uuid.UUID = Field(...) #we set a default here until all content has a uuid
+    description: str = Field(...,max_length=10000)
     file_path: Optional[FilePath] = None
     references: Optional[List[HttpUrl]] = None
 
@@ -56,7 +58,13 @@ class SecurityContentObject_Abstract(BaseModel, abc.ABC):
             "description": self.description,
             "references": [str(url) for url in self.references or []]
         }
-
+    
+    
+    def check_conf_stanza_max_length(self, stanza_name:str, max_stanza_length:int=CONTENTCTL_MAX_STANZA_LENGTH) -> None:
+        if len(stanza_name) > max_stanza_length:
+            raise ValueError(f"conf stanza may only be {max_stanza_length} characters, "
+                             f"but stanza was actually {len(stanza_name)} characters: '{stanza_name}' ")
+    
     @staticmethod
     def objectListToNameList(objects: list[SecurityContentObject]) -> list[str]:
         return [object.getName() for object in objects]

contentctl/objects/atomic.py

@@ -1,12 +1,15 @@
 from __future__ import annotations
+from typing import TYPE_CHECKING
+if TYPE_CHECKING:
+    from contentctl.objects.config import validate
+
 from contentctl.input.yml_reader import YmlReader
 from pydantic import BaseModel, model_validator, ConfigDict, FilePath, UUID4
+import dataclasses
 from typing import List, Optional, Dict, Union, Self
 import pathlib
-
-
 from enum import StrEnum, auto
-
+import uuid
 
 class SupportedPlatform(StrEnum):        
     windows = auto()
@@ -84,15 +87,6 @@ class AtomicTest(BaseModel):
     dependencies: Optional[List[AtomicDependency]] = None
     dependency_executor_name: Optional[DependencyExecutorType] = None
 
-    @staticmethod
-    def AtomicTestWhenEnrichmentIsDisabled(auto_generated_guid: UUID4) -> AtomicTest:
-        return AtomicTest(name="Placeholder Atomic Test (enrichment disabled)",
-                          auto_generated_guid=auto_generated_guid,
-                          description="This is a placeholder AtomicTest. Because enrichments were not enabled, it has not been validated against the real Atomic Red Team Repo.",
-                          supported_platforms=[],
-                          executor=AtomicExecutor(name="Placeholder Executor (enrichment disabled)", 
-                                                  command="Placeholder command (enrichment disabled)"))
-    
     @staticmethod
     def AtomicTestWhenTestIsMissing(auto_generated_guid: UUID4) -> AtomicTest:
         return AtomicTest(name="Missing Atomic",
@@ -100,31 +94,16 @@ class AtomicTest(BaseModel):
                           description="This is a placeholder AtomicTest. Either the auto_generated_guid is incorrect or it there was an exception while parsing its AtomicFile.",
                           supported_platforms=[],
                           executor=AtomicExecutor(name="Placeholder Executor (failed to find auto_generated_guid)", 
-                                                  command="Placeholder command (failed to find auto_generated_guid)"))
-
-
-    @classmethod
-    def getAtomicByAtomicGuid(cls, guid: UUID4, all_atomics:list[AtomicTest] | None)->AtomicTest:
-        if all_atomics is None:
-            return AtomicTest.AtomicTestWhenEnrichmentIsDisabled(guid)
-        matching_atomics = [atomic for atomic in all_atomics if atomic.auto_generated_guid == guid]
-        if len(matching_atomics) == 0:
-            raise ValueError(f"Unable to find atomic_guid {guid} in {len(all_atomics)} atomic_tests from ART Repo")
-        elif len(matching_atomics) > 1:
-            raise ValueError(f"Found {len(matching_atomics)} matching tests for atomic_guid {guid} in {len(all_atomics)} atomic_tests from ART Repo")
-        
-        return matching_atomics[0]
+                                                  command="Placeholder command (failed to find auto_generated_guid)"))    
     
     @classmethod
-    def parseArtRepo(cls, repo_path:pathlib.Path)->List[AtomicFile]:
-        if not repo_path.is_dir():
-            print(f"WARNING: Atomic Red Team repo does NOT exist at {repo_path.absolute()}. You can check it out with:\n * git clone --single-branch https://github.com/redcanaryco/atomic-red-team. This will ONLY throw a validation error if you reference atomid_guids in your detection(s).")
-            return []
+    def parseArtRepo(cls, repo_path:pathlib.Path)->dict[uuid.UUID, AtomicTest]:
+        test_mapping: dict[uuid.UUID, AtomicTest] = {}
         atomics_path = repo_path/"atomics"
         if not atomics_path.is_dir():
-            print(f"WARNING: Atomic Red Team repo exists at {repo_path.absolute}, but atomics directory does NOT exist at {atomics_path.absolute()}. Was it deleted or renamed? This will ONLY throw a validation error if you reference atomid_guids in your detection(s).")
-            return []
-        
+            raise FileNotFoundError(f"WARNING: Atomic Red Team repo exists at {repo_path}, "
+                                    f"but atomics directory does NOT exist at {atomics_path}. "
+                                    "Was it deleted or renamed?")
 
         atomic_files:List[AtomicFile] = []
         error_messages:List[str] = []
@@ -133,6 +112,7 @@ class AtomicTest(BaseModel):
                 atomic_files.append(cls.constructAtomicFile(obj_path))
             except Exception as e:
                 error_messages.append(f"File [{obj_path}]\n{str(e)}")
+
         if len(error_messages) > 0:
             exceptions_string = '\n\n'.join(error_messages)
             print(f"WARNING: The following [{len(error_messages)}] ERRORS were generated when parsing the Atomic Red Team Repo.\n"
@@ -140,38 +120,28 @@ class AtomicTest(BaseModel):
                    "Note that this is only a warning and contentctl will ignore Atomics contained in these files.\n"
                   f"However, if you have written a detection that references them, 'contentctl build --enrichments' will fail:\n\n{exceptions_string}")
         
-        return atomic_files
+        # Now iterate over all the files, collect all the tests, and return the dict mapping
+        redefined_guids:set[uuid.UUID] = set()
+        for atomic_file in atomic_files:
+            for atomic_test in atomic_file.atomic_tests:
+                if atomic_test.auto_generated_guid in test_mapping:
+                    redefined_guids.add(atomic_test.auto_generated_guid)
+                else:
+                    test_mapping[atomic_test.auto_generated_guid] = atomic_test
+        if len(redefined_guids) > 0:
+            guids_string = '\n\t'.join([str(guid) for guid in redefined_guids])
+            raise Exception(f"The following [{len(redefined_guids)}] Atomic Test"
+                            " auto_generated_guid(s) were defined more than once. "
+                            f"auto_generated_guids MUST be unique:\n\t{guids_string}")
+
+        print(f"Successfully parsed [{len(test_mapping)}] Atomic Red Team Tests!")
+        return test_mapping
     
     @classmethod
     def constructAtomicFile(cls, file_path:pathlib.Path)->AtomicFile:
         yml_dict = YmlReader.load_file(file_path) 
         atomic_file = AtomicFile.model_validate(yml_dict)
         return atomic_file
-    
-    @classmethod
-    def getAtomicTestsFromArtRepo(cls, repo_path:pathlib.Path, enabled:bool=True)->list[AtomicTest] | None:
-        # Get all the atomic files.  Note that if the ART repo is not found, we will not throw an error,
-        # but will not have any atomics. This means that if atomic_guids are referenced during validation,
-        # validation for those detections will fail
-        if not enabled:
-            return None
-        
-        atomic_files = cls.getAtomicFilesFromArtRepo(repo_path)
-            
-        atomic_tests:List[AtomicTest] = []
-        for atomic_file in atomic_files:
-            atomic_tests.extend(atomic_file.atomic_tests)
-        print(f"Found [{len(atomic_tests)}] Atomic Simulations in the Atomic Red Team Repo!")
-        return atomic_tests
-
-    
-    @classmethod
-    def getAtomicFilesFromArtRepo(cls, repo_path:pathlib.Path)->List[AtomicFile]:
-        return cls.parseArtRepo(repo_path)
-
-    
-    
-
 
 
 class AtomicFile(BaseModel):
@@ -182,27 +152,31 @@ class AtomicFile(BaseModel):
     atomic_tests: List[AtomicTest]
 
 
+class AtomicEnrichment(BaseModel):
+    data: dict[uuid.UUID,AtomicTest] = dataclasses.field(default_factory = dict)
+    use_enrichment: bool = False
 
+    @classmethod
+    def getAtomicEnrichment(cls, config:validate)->AtomicEnrichment:
+        enrichment = AtomicEnrichment(use_enrichment=config.enrichments)
+        if config.enrichments:
+            enrichment.data = AtomicTest.parseArtRepo(config.atomic_red_team_repo_path)
+
+        return enrichment
+
+    def getAtomic(self, atomic_guid: uuid.UUID)->AtomicTest:
+        if self.use_enrichment:
+            if atomic_guid in self.data:
+                return self.data[atomic_guid]
+            else:
+                raise Exception(f"Atomic with GUID {atomic_guid} not found.")
+        else:
+            # If enrichment is not enabled, for the sake of compatability
+            # return a stub test with no useful or meaningful information.
+            return AtomicTest.AtomicTestWhenTestIsMissing(atomic_guid)
 
-# ATOMICS_PATH = pathlib.Path("./atomics")
-# atomic_objects = []
-# atomic_simulations = []
-# for obj_path in ATOMICS_PATH.glob("**/T*.yaml"):
-#     try:
-#         with open(obj_path, 'r', encoding="utf-8") as obj_handle:
-#             obj_data = yaml.load(obj_handle, Loader=yaml.CSafeLoader)
-#             atomic_obj = AtomicFile.model_validate(obj_data)
-#     except Exception as e:
-#         print(f"Error parsing object at path {obj_path}: {str(e)}")
-#         print(f"We have successfully parsed {len(atomic_objects)}, however!")
-#         sys.exit(1)
-
-#     print(f"Successfully parsed {obj_path}!")
-#     atomic_objects.append(atomic_obj)
-#     atomic_simulations += atomic_obj.atomic_tests
+    
 
-# print(f"Successfully parsed all {len(atomic_objects)} files!")
-# print(f"Successfully parsed all {len(atomic_simulations)} simulations!")
     
 
         

contentctl/objects/base_test_result.py

@@ -1,8 +1,8 @@
 from typing import Union, Any
 from enum import Enum
 
-from pydantic import BaseModel
-from splunklib.data import Record
+from pydantic import ConfigDict, BaseModel
+from splunklib.data import Record                                                                   # type: ignore
 
 from contentctl.helper.utils import Utils
 
@@ -53,11 +53,11 @@ class BaseTestResult(BaseModel):
     # The Splunk endpoint URL
     sid_link: Union[None, str] = None
 
-    class Config:
-        validate_assignment = True
-
-        # Needed to allow for embedding of Exceptions in the model
-        arbitrary_types_allowed = True
+    # Needed to allow for embedding of Exceptions in the model
+    model_config = ConfigDict(
+        validate_assignment=True,
+        arbitrary_types_allowed=True
+    )
 
     @property
     def passed(self) -> bool:

contentctl/objects/baseline.py

@@ -1,33 +1,21 @@
 
 from __future__ import annotations
-from typing import TYPE_CHECKING, Annotated, Optional, List,Any
+from typing import Annotated, Optional, List,Any
 from pydantic import field_validator, ValidationInfo, Field, model_serializer
-if TYPE_CHECKING:
-    from contentctl.input.director import DirectorOutputDto
-
 from contentctl.objects.deployment import Deployment
 from contentctl.objects.security_content_object import SecurityContentObject
-from contentctl.objects.enums import DataModel, AnalyticsType
+from contentctl.objects.enums import DataModel
 from contentctl.objects.baseline_tags import BaselineTags
-from contentctl.objects.enums import DeploymentType
-#from contentctl.objects.deployment import Deployment
 
-# from typing import TYPE_CHECKING
-# if TYPE_CHECKING:
-#     from contentctl.input.director import DirectorOutputDto
+from contentctl.objects.config import CustomApp
+
 
+from contentctl.objects.constants import CONTENTCTL_MAX_SEARCH_NAME_LENGTH,CONTENTCTL_BASELINE_STANZA_NAME_FORMAT_TEMPLATE
 
 class Baseline(SecurityContentObject):
-    # baseline spec
-    #name: str
-    #id: str
-    #version: int
-    #date: str
-    #author: str
-    #contentType: SecurityContentType = SecurityContentType.baselines
+    name:str = Field(...,max_length=CONTENTCTL_MAX_SEARCH_NAME_LENGTH)
     type: Annotated[str,Field(pattern="^Baseline$")] = Field(...)
     datamodel: Optional[List[DataModel]] = None
-    #description: str
     search: str = Field(..., min_length=4)
     how_to_implement: str = Field(..., min_length=4)
     known_false_positives: str = Field(..., min_length=4)
@@ -35,6 +23,12 @@ class Baseline(SecurityContentObject):
 
     # enrichment
     deployment: Deployment = Field({})
+    
+
+    def get_conf_stanza_name(self, app:CustomApp)->str:
+        stanza_name = CONTENTCTL_BASELINE_STANZA_NAME_FORMAT_TEMPLATE.format(app_label=app.label, detection_name=self.name)
+        self.check_conf_stanza_max_length(stanza_name)
+        return stanza_name
 
     @field_validator("deployment", mode="before")
     def getDeployment(cls, v:Any, info:ValidationInfo)->Deployment:

contentctl/objects/baseline_tags.py

@@ -1,15 +1,12 @@
 from __future__ import annotations
-from typing import TYPE_CHECKING
 from pydantic import BaseModel, Field, field_validator, ValidationInfo, model_serializer
 from typing import List, Any, Union
 
 from contentctl.objects.story import Story
-from contentctl.objects.deployment import Deployment
 from contentctl.objects.detection import Detection
 from contentctl.objects.enums import SecurityContentProductName
 from contentctl.objects.enums import SecurityDomain
-if TYPE_CHECKING:
-    from contentctl.input.director import DirectorOutputDto
+
 
 
 
@@ -19,7 +16,7 @@ class BaselineTags(BaseModel):
     #deployment: Deployment = Field('SET_IN_GET_DEPLOYMENT_FUNCTION')
     # TODO (#223): can we remove str from the possible types here?
     detections: List[Union[Detection,str]] = Field(...)
-    product: list[SecurityContentProductName] = Field(...,min_length=1)
+    product: List[SecurityContentProductName] = Field(...,min_length=1)
     required_fields: List[str] = Field(...,min_length=1)
     security_domain: SecurityDomain = Field(...)