contentctl 4.3.4__py3-none-any.whl → 4.4.0__py3-none-any.whl

contentctl/objects/ssa_detection.py

@@ -1,157 +0,0 @@
-from __future__ import annotations
-import uuid
-import string
-import requests
-import time
-from pydantic import BaseModel, validator, root_validator
-from dataclasses import dataclass
-from datetime import datetime
-from typing import Union
-import re
-
-from contentctl.objects.abstract_security_content_objects.detection_abstract import Detection_Abstract
-from contentctl.objects.enums import AnalyticsType
-from contentctl.objects.enums import DataModel
-from contentctl.objects.enums import DetectionStatus
-from contentctl.objects.deployment import Deployment
-from contentctl.objects.ssa_detection_tags import SSADetectionTags
-from contentctl.objects.unit_test_ssa import UnitTestSSA
-from contentctl.objects.unit_test_old import UnitTestOld
-from contentctl.objects.macro import Macro
-from contentctl.objects.lookup import Lookup
-from contentctl.objects.baseline import Baseline
-from contentctl.objects.playbook import Playbook
-from contentctl.helper.link_validator import LinkValidator
-from contentctl.objects.enums import SecurityContentType
-
-class SSADetection(BaseModel):
-    # detection spec
-    name: str
-    id: str
-    version: int
-    date: str
-    author: str
-    type: AnalyticsType = ...
-    status: DetectionStatus = ...
-    detection_type: str = None
-    description: str
-    data_source: list[str]
-    search: Union[str, dict]
-    how_to_implement: str
-    known_false_positives: str
-    references: list
-    tags: SSADetectionTags
-    tests: list[UnitTestSSA] = None
-
-    # enrichments
-    annotations: dict = None
-    risk: list = None
-    mappings: dict = None
-    file_path: str = None
-    source: str = None
-    test: Union[UnitTestSSA, dict, UnitTestOld] = None
-    runtime: str = None
-    internalVersion: int = None
-
-    # @validator('name')v
-    # def name_max_length(cls, v, values):
-    #     if len(v) > 67:
-    #         raise ValueError('name is longer then 67 chars: ' + v)
-    #     return v
-
-    # TODO (#266): disable the use_enum_values configuration
-    class Config:
-        use_enum_values = True
-
-    '''
-    @validator("name")
-    def name_invalid_chars(cls, v):
-        invalidChars = set(string.punctuation.replace("-", ""))
-        if any(char in invalidChars for char in v):
-            raise ValueError("invalid chars used in name: " + v)
-        return v
-
-    @validator("id")
-    def id_check(cls, v, values):
-        try:
-            uuid.UUID(str(v))
-        except:
-            raise ValueError("uuid is not valid: " + values["name"])
-        return v
-
-    @validator("date")
-    def date_valid(cls, v, values):
-        try:
-            datetime.strptime(v, "%Y-%m-%d")
-        except:
-            raise ValueError("date is not in format YYYY-MM-DD: " + values["name"])
-        return v
-
-    # @validator("type")
-    # def type_valid(cls, v, values):
-    #     if v.lower() not in [el.name.lower() for el in AnalyticsType]:
-    #         raise ValueError("not valid analytics type: " + values["name"])
-    #     return v
-
-    @validator("description", "how_to_implement")
-    def encode_error(cls, v, values, field):
-        try:
-            v.encode("ascii")
-        except UnicodeEncodeError:
-            raise ValueError("encoding error in " + field.name + ": " + values["name"])
-        return v
-
-    # @root_validator
-    # def search_validation(cls, values):
-    #     if 'ssa_' not in values['file_path']:
-    #         if not '_filter' in values['search']:
-    #             raise ValueError('filter macro missing in: ' + values["name"])
-    #         if any(x in values['search'] for x in ['eventtype=', 'sourcetype=', ' source=', 'index=']):
-    #             if not 'index=_internal' in values['search']:
-    #                 raise ValueError('Use source macro instead of eventtype, sourcetype, source or index in detection: ' + values["name"])
-    #     return values
-
-    @root_validator
-    def name_max_length(cls, values):
-        # Check max length only for ESCU searches, SSA does not have that constraint
-        if "ssa_" not in values["file_path"]:
-            if len(values["name"]) > 67:
-                raise ValueError("name is longer then 67 chars: " + values["name"])
-        return values
-
-
-    @root_validator
-    def new_line_check(cls, values):
-        # Check if there is a new line in description and how to implement that is not escaped
-        pattern = r'(?<!\\)\n' 
-        if re.search(pattern, values["description"]):
-            match_obj = re.search(pattern,values["description"])
-            words = values["description"][:match_obj.span()[0]].split()[-10:]
-            newline_context = ' '.join(words)
-            raise ValueError(f"Field named 'description' contains new line that is not escaped using backslash. Add backslash at the end of the line after the words: '{newline_context}' in '{values['name']}'")
-        if re.search(pattern, values["how_to_implement"]):
-            match_obj = re.search(pattern,values["how_to_implement"])
-            words = values["how_to_implement"][:match_obj.span()[0]].split()[-10:]
-            newline_context = ' '.join(words)
-            raise ValueError(f"Field named 'how_to_implement' contains new line that is not escaped using backslash. Add backslash at the end of the line after the words: '{newline_context}' in '{values['name']}'")
-        return values
-
-    # @validator('references')
-    # def references_check(cls, v, values):
-    #     return LinkValidator.SecurityContentObject_validate_references(v, values)
-
-
-    @validator("search")
-    def search_validate(cls, v, values):
-        # write search validator
-        return v
-
-    @validator("tests")
-    def tests_validate(cls, v, values):
-        if (values.get("status","") in [DetectionStatus.production.value, DetectionStatus.validation.value]) and not v:
-            raise ValueError(
-                "At least one test is required for a production or validation detection: " + values["name"]
-            )
-        return v
-
-    '''

contentctl/objects/ssa_detection_tags.py

@@ -1,138 +0,0 @@
-from __future__ import annotations
-import re
-from typing import List
-from pydantic import BaseModel, validator, ValidationError, model_validator, Field
-
-from contentctl.objects.mitre_attack_enrichment import MitreAttackEnrichment
-from contentctl.objects.constants import *
-from contentctl.objects.enums import SecurityContentProductName
-
-class SSADetectionTags(BaseModel):
-    # detection spec
-    #name: str
-    analytic_story: list
-    asset_type: str
-    automated_detection_testing: str = None
-    cis20: list = None
-    confidence: int
-    impact: int
-    kill_chain_phases: list = None
-    message: str
-    mitre_attack_id: list = None
-    nist: list = None
-    observable: list
-    product: List[SecurityContentProductName] = Field(...,min_length=1)
-    required_fields: list
-    risk_score: int
-    security_domain: str
-    risk_severity: str = None
-    cve: list = None
-    supported_tas: list = None
-    atomic_guid: list = None
-    drilldown_search: str = None
-    manual_test: str = None
-
-
-    # enrichment
-    mitre_attack_enrichments: list[MitreAttackEnrichment] = []
-    confidence_id: int = None
-    impact_id: int = None
-    context_ids: list = None
-    risk_level_id: int = None
-    risk_level: str = None
-    observable_str: str = None
-    evidence_str: str = None
-    analytics_story_str: str = None
-    kill_chain_phases_id:dict = None
-    kill_chain_phases_str:str = None
-    research_site_url: str = None
-    event_schema: str = None
-    mappings: list = None
-    annotations: dict = None
-
-
-    @validator('cis20')
-    def tags_cis20(cls, v, values):
-        pattern = r'^CIS ([\d|1\d|20)$' #DO NOT match leading zeroes and ensure no extra characters before or after the string
-        for value in v:
-            if not re.match(pattern, value):
-                raise ValueError(f"CIS control '{value}' is not a valid Control ('CIS 1' -> 'CIS 20'):  {values['name']}")
-        return v
-    
-    @validator('nist')
-    def tags_nist(cls, v, values):
-        # Sourced Courtest of NIST: https://www.nist.gov/system/files/documents/cyberframework/cybersecurity-framework-021214.pdf (Page 19)
-        IDENTIFY = [f'ID.{category}' for category in ["AM", "BE", "GV", "RA", "RM"]      ]
-        PROTECT  = [f'PR.{category}' for category in ["AC", "AT", "DS", "IP", "MA", "PT"]]
-        DETECT   = [f'DE.{category}' for category in ["AE", "CM", "DP"]                  ]
-        RESPOND  = [f'RS.{category}' for category in ["RP", "CO", "AN", "MI", "IM"]      ]
-        RECOVER  = [f'RC.{category}' for category in ["RP", "IM", "CO"]                  ]
-        ALL_NIST_CATEGORIES = IDENTIFY + PROTECT + DETECT + RESPOND + RECOVER
-
-        
-        for value in v:
-            if not value in ALL_NIST_CATEGORIES:
-                raise ValueError(f"NIST Category '{value}' is not a valid category")
-        return v
-
-    @validator('confidence')
-    def tags_confidence(cls, v, values):
-        v = int(v)
-        if not (v > 0 and v <= 100):
-             raise ValueError('confidence score is out of range 1-100.' )
-        else:
-            return v
-
-
-    @validator('impact')
-    def tags_impact(cls, v, values):
-        if not (v > 0 and v <= 100):
-             raise ValueError('impact score is out of range 1-100.')
-        else:
-            return v
-
-    @validator('kill_chain_phases')
-    def tags_kill_chain_phases(cls, v, values):
-        valid_kill_chain_phases = SES_KILL_CHAIN_MAPPINGS.keys()
-        for value in v:
-            if value not in valid_kill_chain_phases:
-                raise ValueError('kill chain phase not valid. Valid options are ' + str(valid_kill_chain_phases))
-        return v
-
-    @validator('mitre_attack_id')
-    def tags_mitre_attack_id(cls, v, values):
-        pattern = 'T[0-9]{4}'
-        for value in v:
-            if not re.match(pattern, value):
-                raise ValueError('Mitre Attack ID are not following the pattern Txxxx:' )
-        return v
-
-
-
-    @validator('risk_score')
-    def tags_calculate_risk_score(cls, v, values):
-        calculated_risk_score = round(values['impact'] * values['confidence'] / 100)
-        if calculated_risk_score != int(v):
-            raise ValueError(f"Risk Score must be calculated as round(confidence * impact / 100)"
-                             f"\n  Expected risk_score={calculated_risk_score}, found risk_score={int(v)}: {values['name']}")
-        return v
-
-
-    @model_validator(mode="after")
-    def tags_observable(self):
-        valid_roles = SES_OBSERVABLE_ROLE_MAPPING.keys()
-        valid_types = SES_OBSERVABLE_TYPE_MAPPING.keys()
-        
-        for value in self.observable:
-            if value['type'] in valid_types:
-                if 'Splunk Behavioral Analytics' in self.product:
-                    continue
-
-                if 'role' not in value:
-                    raise ValueError('Observable role is missing')
-                for role in value['role']:
-                    if role not in valid_roles:
-                        raise ValueError(f'Observable role ' + role + ' not valid. Valid options are {str(valid_roles)}')
-            else:
-                raise ValueError(f'Observable type ' + value['type'] + ' not valid. Valid options are {str(valid_types)}')
-        return self

contentctl/objects/unit_test_old.py

@@ -1,10 +0,0 @@
-from __future__ import annotations
-from pydantic import BaseModel
-
-
-from contentctl.objects.unit_test_ssa import UnitTestSSA
-
-
-class UnitTestOld(BaseModel):
-    name: str
-    tests: list[UnitTestSSA]

contentctl/objects/unit_test_ssa.py

@@ -1,31 +0,0 @@
-from __future__ import annotations
-from typing import Optional
-from pydantic import BaseModel, Field
-from pydantic import Field
-
-
-class UnitTestAttackDataSSA(BaseModel):
-    file_name:Optional[str] = None
-    data: str = Field(...)
-    # TODO - should source and sourcetype should be mapped to a list
-    # of supported source and sourcetypes in a given environment?
-    source: str = Field(...)
-
-    sourcetype: Optional[str] = None
-
-
-class UnitTestSSA(BaseModel):
-    """
-    A unit test for a detection
-    """
-    name: str
-
-    # The attack data to be ingested for the unit test
-    attack_data: list[UnitTestAttackDataSSA] = Field(...)
-
-
-
-
-
-    
-

contentctl/output/templates/finding_report.j2

@@ -1,30 +0,0 @@
-
-  | eval devices = [{"hostname": device_hostname, "type_id": 0, "uuid": device.uuid}],
-    time = timestamp,
-    evidence = {{ detection.tags.evidence_str }},
-    message = "{{ detection.name }} has been triggered on " + device_hostname + " by " + {{ actor_user_name }} + ".",
-    users = [{"name": {{ actor_user_name }}, "uuid": actor_user.uuid, "uid": actor_user.uid}],
-    activity_id = 1,
-    cis_csc = [{"control": "CIS 10", "version": 8}], 
-    analytic_stories = {{ detection.tags.analytics_story_str }},
-    class_name = "Detection Report", 
-    confidence = {{ detection.tags.confidence }},
-    confidence_id = {{ detection.tags.confidence_id }},
-    duration = 0, 
-    impact = {{ detection.tags.impact }},
-    impact_id = {{ detection.tags.impact_id }},
-    kill_chain = {{ detection.tags.kill_chain_phases_str }},
-    nist = ["DE.AE"], 
-    risk_level = "{{ detection.tags.risk_level }}", 
-    category_uid = 2,
-    class_uid = 102001,
-    risk_level_id = {{ detection.tags.risk_level_id }},
-    risk_score = {{ detection.tags.risk_score }},
-    severity_id = 0,
-    rule = {"name": "{{ detection.name }}", "uid": "{{ detection.id }}", "type": "Streaming"},
-    metadata = {"customer_uid": metadata.customer_uid, "product": {"name": "Behavior Analytics", "vendor_name": "Splunk"}, "version": "1.0.0-rc.2", "logged_time": time()},
-    type_uid = 10200101,
-    start_time = timestamp,
-    end_time = timestamp
-  | fields metadata, rule, activity_id, analytic_stories, cis_csc, category_uid, class_name, class_uid, confidence, confidence_id, devices, duration, time, evidence, impact, impact_id, kill_chain, message, nist, observables, risk_level, risk_level_id, risk_score, severity_id, type_uid, users, start_time, end_time 
-  | into sink;