contentctl 4.3.5__py3-none-any.whl → 4.4.0__py3-none-any.whl

contentctl/objects/enums.py

@@ -55,6 +55,8 @@ class SecurityContentType(enum.Enum):
     investigations = 8
     unit_tests = 9
     data_sources = 11
+    dashboards = 12
+
 
 # Bringing these changes back in line will take some time after
 # the initial merge is complete
@@ -195,21 +197,21 @@ class KillChainPhase(str, enum.Enum):
 class DataSource(str,enum.Enum):
     OSQUERY_ES_PROCESS_EVENTS = "OSQuery ES Process Events"
     POWERSHELL_4104 = "Powershell 4104"
-    SYSMON_EVENT_ID_1 = "Sysmon Event ID 1"
-    SYSMON_EVENT_ID_10 = "Sysmon Event ID 10"
-    SYSMON_EVENT_ID_11 = "Sysmon Event ID 11"
-    SYSMON_EVENT_ID_13 = "Sysmon Event ID 13"
-    SYSMON_EVENT_ID_15 = "Sysmon Event ID 15"
-    SYSMON_EVENT_ID_20 = "Sysmon Event ID 20"
-    SYSMON_EVENT_ID_21 = "Sysmon Event ID 21"
-    SYSMON_EVENT_ID_22 = "Sysmon Event ID 22"
-    SYSMON_EVENT_ID_23 = "Sysmon Event ID 23"
-    SYSMON_EVENT_ID_3 = "Sysmon Event ID 3"
-    SYSMON_EVENT_ID_5 = "Sysmon Event ID 5"
-    SYSMON_EVENT_ID_6 = "Sysmon Event ID 6"
-    SYSMON_EVENT_ID_7 = "Sysmon Event ID 7"
-    SYSMON_EVENT_ID_8 = "Sysmon Event ID 8"
-    SYSMON_EVENT_ID_9 = "Sysmon Event ID 9"
+    SYSMON_EVENT_ID_1 = "Sysmon EventID 1"
+    SYSMON_EVENT_ID_3 = "Sysmon EventID 3"
+    SYSMON_EVENT_ID_5 = "Sysmon EventID 5"
+    SYSMON_EVENT_ID_6 = "Sysmon EventID 6"
+    SYSMON_EVENT_ID_7 = "Sysmon EventID 7"
+    SYSMON_EVENT_ID_8 = "Sysmon EventID 8"
+    SYSMON_EVENT_ID_9 = "Sysmon EventID 9"
+    SYSMON_EVENT_ID_10 = "Sysmon EventID 10"
+    SYSMON_EVENT_ID_11 = "Sysmon EventID 11"
+    SYSMON_EVENT_ID_13 = "Sysmon EventID 13"
+    SYSMON_EVENT_ID_15 = "Sysmon EventID 15"
+    SYSMON_EVENT_ID_20 = "Sysmon EventID 20"
+    SYSMON_EVENT_ID_21 = "Sysmon EventID 21"
+    SYSMON_EVENT_ID_22 = "Sysmon EventID 22"
+    SYSMON_EVENT_ID_23 = "Sysmon EventID 23"
     WINDOWS_SECURITY_4624 = "Windows Security 4624"
     WINDOWS_SECURITY_4625 = "Windows Security 4625"
     WINDOWS_SECURITY_4648 = "Windows Security 4648"
@@ -405,14 +407,16 @@ class NistCategory(str, enum.Enum):
     RC_IM = "RC.IM"
     RC_CO = "RC.CO"
 
-class RiskLevel(str,enum.Enum):
-    INFO = "Info"
-    LOW = "Low"
-    MEDIUM = "Medium"
-    HIGH = "High"
-    CRITICAL = "Critical"
-
 class RiskSeverity(str,enum.Enum):
+    # Levels taken from the following documentation link
+    # https://docs.splunk.com/Documentation/ES/7.3.2/User/RiskScoring
+    # 20 - info (0-20 for us)
+    # 40 - low (21-40 for us)
+    # 60 - medium (41-60 for us)
+    # 80 - high (61-80 for us)
+    # 100 - critical (81 - 100 for us)
+    INFORMATIONAL = "informational"
     LOW = "low"
     MEDIUM = "medium"
     HIGH = "high"
+    CRITICAL = "critical"

contentctl/objects/investigation.py

@@ -1,20 +1,23 @@
 from __future__ import annotations
 import re
-from typing import TYPE_CHECKING, Optional, List, Any
-from pydantic import field_validator, computed_field, Field, ValidationInfo, ConfigDict,model_serializer
-if TYPE_CHECKING:
-    from contentctl.input.director import DirectorOutputDto
+from typing import List, Any
+from pydantic import computed_field, Field, ConfigDict,model_serializer
 from contentctl.objects.security_content_object import SecurityContentObject
 from contentctl.objects.enums import DataModel
 from contentctl.objects.investigation_tags import InvestigationTags
-
+from contentctl.objects.constants import (
+    CONTENTCTL_MAX_SEARCH_NAME_LENGTH,
+    CONTENTCTL_RESPONSE_TASK_NAME_FORMAT_TEMPLATE,
+    CONTENTCTL_MAX_STANZA_LENGTH
+)
+from contentctl.objects.config import CustomApp
 
 # TODO (#266): disable the use_enum_values configuration
 class Investigation(SecurityContentObject):
     model_config = ConfigDict(use_enum_values=True,validate_default=False)
     type: str = Field(...,pattern="^Investigation$")
     datamodel: list[DataModel] = Field(...)
-    
+    name:str = Field(...,max_length=CONTENTCTL_MAX_SEARCH_NAME_LENGTH)
     search: str = Field(...)
     how_to_implement: str = Field(...)
     known_false_positives: str = Field(...)
@@ -27,11 +30,11 @@ class Investigation(SecurityContentObject):
     @property
     def inputs(self)->List[str]:
         #Parse out and return all inputs from the searchj
-        inputs = []
+        inputs:List[str] = []
         pattern = r"\$([^\s.]*)\$"
 
         for input in re.findall(pattern, self.search):
-            inputs.append(input)
+            inputs.append(str(input))
 
         return inputs
 
@@ -40,6 +43,16 @@ class Investigation(SecurityContentObject):
     def lowercase_name(self)->str:
         return self.name.replace(' ', '_').replace('-','_').replace('.','_').replace('/','_').lower().replace(' ', '_').replace('-','_').replace('.','_').replace('/','_').lower()
 
+    
+    # This is a slightly modified version of the get_conf_stanza_name function from
+    # SecurityContentObject_Abstract
+    def get_response_task_name(self, app:CustomApp, max_stanza_length:int=CONTENTCTL_MAX_STANZA_LENGTH)->str:
+        stanza_name = CONTENTCTL_RESPONSE_TASK_NAME_FORMAT_TEMPLATE.format(app_label=app.label, detection_name=self.name)
+        if len(stanza_name) > max_stanza_length:
+            raise ValueError(f"conf stanza may only be {max_stanza_length} characters, "
+                             f"but stanza was actually {len(stanza_name)} characters: '{stanza_name}' ")
+        return stanza_name
+    
 
     @model_serializer
     def serialize_model(self):
@@ -66,12 +79,7 @@ class Investigation(SecurityContentObject):
 
 
     def model_post_init(self, ctx:dict[str,Any]):
-        # director: Optional[DirectorOutputDto] = ctx.get("output_dto",None)
-        # if not isinstance(director,DirectorOutputDto):
-        #     raise ValueError("DirectorOutputDto was not passed in context of Detection model_post_init")
-        director: Optional[DirectorOutputDto] = ctx.get("output_dto",None)
+        # Ensure we link all stories this investigation references
+        # back to itself
         for story in self.tags.analytic_story:
             story.investigations.append(self)
-    
-
-    

contentctl/objects/investigation_tags.py

@@ -1,12 +1,13 @@
 from __future__ import annotations
+from typing import List
 from pydantic import BaseModel, Field, field_validator, ValidationInfo, model_serializer
 from contentctl.objects.story import Story
 from contentctl.objects.enums import SecurityContentInvestigationProductName, SecurityDomain
 
 class InvestigationTags(BaseModel):
-    analytic_story: list[Story] = Field([],min_length=1)
-    product: list[SecurityContentInvestigationProductName] = Field(...,min_length=1)
-    required_fields: list[str] = Field(min_length=1)
+    analytic_story: List[Story] = Field([],min_length=1)
+    product: List[SecurityContentInvestigationProductName] = Field(...,min_length=1)
+    required_fields: List[str] = Field(min_length=1)
     security_domain: SecurityDomain = Field(...)
 
 

contentctl/objects/lookup.py

@@ -1,8 +1,10 @@
 from __future__ import annotations
-from pydantic import field_validator, ValidationInfo, model_validator, FilePath, model_serializer
+from pydantic import field_validator, ValidationInfo, model_validator, FilePath, model_serializer, Field, NonNegativeInt
 from typing import TYPE_CHECKING, Optional, Any, Union
 import re
 import csv
+import uuid
+import datetime
 if TYPE_CHECKING:
     from contentctl.input.director import DirectorOutputDto
     from contentctl.objects.config import validate
@@ -32,6 +34,11 @@ class Lookup(SecurityContentObject):
     match_type: Optional[str] = None
     min_matches: Optional[int] = None
     case_sensitive_match: Optional[bool] = None
+    # TODO: Add id field to all lookup ymls
+    id: uuid.UUID = Field(default_factory=uuid.uuid4) 
+    date: datetime.date = Field(datetime.date.today())
+    author: str = Field("NO AUTHOR DEFINED",max_length=255)
+    version: NonNegativeInt = 1
     
 
     @model_serializer

contentctl/objects/macro.py

@@ -3,12 +3,13 @@
 from __future__ import annotations
 from typing import TYPE_CHECKING, List
 import re
-from pydantic import Field, model_serializer
+from pydantic import Field, model_serializer, NonNegativeInt
+import uuid
+import datetime
 if TYPE_CHECKING:
     from contentctl.input.director import DirectorOutputDto
 from contentctl.objects.security_content_object import SecurityContentObject
 
-
 #The following macros are included in commonly-installed apps.
 #As such, we will ignore if they are missing from our app.
 #Included in 
@@ -22,7 +23,11 @@ MACROS_TO_IGNORE.add("cim_corporate_web_domain_search") #Part of CIM/Splunk_SA_C
 class Macro(SecurityContentObject):
     definition: str = Field(..., min_length=1)
     arguments: List[str] = Field([])
-    
+    # TODO: Add id field to all macro ymls
+    id: uuid.UUID = Field(default_factory=uuid.uuid4)
+    date: datetime.date = Field(datetime.date.today())
+    author: str = Field("NO AUTHOR DEFINED",max_length=255)
+    version: NonNegativeInt = 1
     
 
 
@@ -49,10 +54,15 @@ class Macro(SecurityContentObject):
         #If a comment ENDS in a macro, for example ```this is a comment with a macro `macro_here````
         #then there is a small edge case where the regex below does not work properly.  If that is 
         #the case, we edit the search slightly to insert a space
-        text_field = re.sub(r"\`\`\`\`", r"` ```", text_field)
-        text_field = re.sub(r"\`\`\`.*?\`\`\`", " ", text_field)
-        
+        if re.findall(r"\`\`\`\`", text_field):
+            raise ValueError("Search contained four or more '`' characters in a row which is invalid SPL"
+                            "This may have occurred when a macro was commented out.\n"
+                            "Please ammend your search to remove the substring '````'")
 
+        # replace all the macros with a space    
+        text_field = re.sub(r"\`\`\`[\s\S]*?\`\`\`", " ", text_field) 
+        
+        
         macros_to_get = re.findall(r'`([^\s]+)`', text_field)
         #If macros take arguments, stop at the first argument.  We just want the name of the macro
         macros_to_get = set([macro[:macro.find('(')] if macro.find('(') != -1 else macro for macro in macros_to_get])
@@ -62,4 +72,3 @@ class Macro(SecurityContentObject):
         macros_to_get -= macros_to_ignore
         return Macro.mapNamesToSecurityContentObjects(list(macros_to_get), director)
         
-    

contentctl/objects/notable_event.py

@@ -1,4 +1,4 @@
-from pydantic import BaseModel
+from pydantic import ConfigDict, BaseModel
 
 from contentctl.objects.detection import Detection
 
@@ -11,10 +11,11 @@ class NotableEvent(BaseModel):
     # The search ID that found that generated this risk event
     orig_sid: str
 
-    class Config:
-        # Allowing fields that aren't explicitly defined to be passed since some of the risk event's
-        # fields vary depending on the SPL which generated them
-        extra = 'allow'
+    # Allowing fields that aren't explicitly defined to be passed since some of the risk event's
+    # fields vary depending on the SPL which generated them
+    model_config = ConfigDict(
+        extra='allow'
+    )
 
     def validate_against_detection(self, detection: Detection) -> None:
         raise NotImplementedError()

contentctl/objects/risk_analysis_action.py

@@ -1,7 +1,7 @@
 from typing import Any
 import json
 
-from pydantic import BaseModel, validator
+from pydantic import BaseModel, field_validator
 
 from contentctl.objects.risk_object import RiskObject
 from contentctl.objects.threat_object import ThreatObject
@@ -21,11 +21,11 @@ class RiskAnalysisAction(BaseModel):
     risk_objects: list[RiskObject]
     message: str
 
-    @validator("message", always=True, pre=True)
+    @field_validator("message", mode="before")
     @classmethod
-    def _validate_message(cls, v, values) -> str:
+    def _validate_message(cls, v: Any) -> str:
         """
-        Validate splunk_path and derive if None
+        Validate message and derive if None
         """
         if v is None:
             raise ValueError(

contentctl/objects/risk_event.py

@@ -1,7 +1,7 @@
 import re
+from functools import cached_property
 
-from pydantic import BaseModel, Field, PrivateAttr, field_validator, computed_field
-
+from pydantic import ConfigDict, BaseModel, Field, PrivateAttr, field_validator, computed_field
 from contentctl.objects.errors import ValidationFailed
 from contentctl.objects.detection import Detection
 from contentctl.objects.observable import Observable
@@ -85,10 +85,11 @@ class RiskEvent(BaseModel):
     # Private attribute caching the observable this RiskEvent is mapped to
     _matched_observable: Observable | None = PrivateAttr(default=None)
 
-    class Config:
-        # Allowing fields that aren't explicitly defined to be passed since some of the risk event's
-        # fields vary depending on the SPL which generated them
-        extra = "allow"
+    # Allowing fields that aren't explicitly defined to be passed since some of the risk event's
+    # fields vary depending on the SPL which generated them
+    model_config = ConfigDict(
+        extra="allow"
+    )
 
     @field_validator("annotations_mitre_attack", "analyticstories", mode="before")
     @classmethod
@@ -103,7 +104,7 @@ class RiskEvent(BaseModel):
             return [v]
 
     @computed_field
-    @property
+    @cached_property
     def source_field_name(self) -> str:
         """
         A cached derivation of the source field name the risk event corresponds to in the relevant

contentctl/objects/story.py

@@ -8,26 +8,14 @@ if TYPE_CHECKING:
     from contentctl.objects.investigation import Investigation
     from contentctl.objects.baseline import Baseline
     from contentctl.objects.data_source import DataSource
+    from contentctl.objects.config import CustomApp
 
 from contentctl.objects.security_content_object import SecurityContentObject
 
-
-
-
-
-#from contentctl.objects.investigation import Investigation
-
-
-
 class Story(SecurityContentObject):
     narrative: str = Field(...)
     tags: StoryTags = Field(...)
 
-    # enrichments
-    #detection_names: List[str] = []
-    #investigation_names: List[str] = []
-    #baseline_names: List[str] = []
-
     # These are updated when detection and investigation objects are created.
     # Specifically in the model_post_init functions
     detections:List[Detection] = []
@@ -46,9 +34,9 @@ class Story(SecurityContentObject):
         return sorted(list(data_source_objects))
 
 
-    def storyAndInvestigationNamesWithApp(self, app_name:str)->List[str]:
-        return [f"{app_name} - {name} - Rule" for name in self.detection_names] + \
-               [f"{app_name} - {name} - Response Task" for name in self.investigation_names]
+    def storyAndInvestigationNamesWithApp(self, app:CustomApp)->List[str]:
+        return [detection.get_conf_stanza_name(app) for detection in self.detections] + \
+               [investigation.get_response_task_name(app) for investigation in self.investigations]
         
     @model_serializer
     def serialize_model(self):

contentctl/objects/throttling.py

@@ -0,0 +1,46 @@
+from pydantic import BaseModel, Field, field_validator
+from typing import Annotated
+
+
+# Alert Suppression/Throttling settings have been taken from 
+# https://docs.splunk.com/Documentation/Splunk/9.2.2/Admin/Savedsearchesconf
+class Throttling(BaseModel):
+    fields: list[str] = Field(..., description="The list of fields to throttle on. These fields MUST occur in the search.", min_length=1)
+    period: Annotated[str,Field(pattern="^[0-9]+[smh]$")] =  Field(..., description="How often the alert should be triggered. "
+                                                    "This may be specified in seconds, minutes, or hours.  "
+                                                    "For example, if an alert should be triggered once a day,"
+                                                    " it may be specified in seconds (86400s), minutes (1440m), or hours import (24h).")
+    
+    @field_validator("fields")
+    def no_spaces_in_fields(cls, v:list[str])->list[str]:
+        for field in v:
+            if ' ' in field:
+                raise ValueError("Spaces are not presently supported in 'alert.suppress.fields' / throttling fields in conf files. "
+                                "The field '{field}' has a space in it. If this is a blocker, please raise this as an issue on the Project.")
+        return v
+
+    def conf_formatted_fields(self)->str:
+        '''
+        TODO:
+        The field alert.suppress.fields is defined as follows:
+        alert.suppress.fields = <comma-delimited-field-list>
+        * List of fields to use when suppressing per-result alerts. This field *must*
+        be specified if the digest mode is disabled and suppression is enabled.
+
+        In order to support fields with spaces in them, we may need to wrap each
+        field in "". 
+        This function returns a properly formatted value, where each field
+        is wrapped in "" and separated with a comma. For example, the fields 
+        ["field1", "field 2", "field3"] would be returned as the string
+
+        "field1","field 2","field3
+
+        However, for now, we will error on fields with spaces and simply
+        separate with commas
+        '''
+        
+        return ",".join(self.fields)
+
+        # The following may be used once we determine proper support
+        # for fields with spaces
+        #return ",".join([f'"{field}"' for field in self.fields])

contentctl/output/conf_output.py

@@ -152,6 +152,10 @@ class ConfOutput:
                                     'macros.j2',
                                     self.config, objects))
         
+        elif type == SecurityContentType.dashboards:
+            written_files.update(ConfWriter.writeDashboardFiles(self.config, objects))
+
+
         return written_files
             
 

contentctl/output/conf_writer.py

@@ -8,6 +8,7 @@ from xmlrpc.client import APPLICATION_ERROR
 from jinja2 import Environment, FileSystemLoader, StrictUndefined
 import pathlib
 from contentctl.objects.security_content_object import SecurityContentObject
+from contentctl.objects.dashboard import Dashboard
 from contentctl.objects.config import build
 import xml.etree.ElementTree as ET
 
@@ -61,7 +62,7 @@ class ConfWriter():
         j2_env = ConfWriter.getJ2Environment()
         template = j2_env.get_template(template_name)
         
-        output = template.render(objects=objects, APP_NAME=config.app.label, currentDate=datetime.datetime.now(datetime.UTC).date().isoformat())
+        output = template.render(objects=objects, app=config.app, currentDate=datetime.datetime.now(datetime.UTC).date().isoformat())
         
         output_path = config.getPackageDirectoryPath()/app_output_path
         output_path.parent.mkdir(parents=True, exist_ok=True)
@@ -94,7 +95,7 @@ class ConfWriter():
         j2_env = ConfWriter.getJ2Environment()
         template = j2_env.get_template(template_name)
         
-        output = template.render(objects=objects, APP_NAME=config.app.label)
+        output = template.render(objects=objects, app=config.app)
         
         output_path = config.getPackageDirectoryPath()/app_output_path
         output_path.parent.mkdir(parents=True, exist_ok=True)
@@ -107,6 +108,22 @@ class ConfWriter():
 
     
 
+    @staticmethod
+    def writeDashboardFiles(config:build, dashboards:list[Dashboard])->set[pathlib.Path]:
+        written_files:set[pathlib.Path] = set()
+        for dashboard in dashboards:
+            output_file_path = dashboard.getOutputFilepathRelativeToAppRoot(config)
+            # Check that the full output path does not exist so that we are not having an
+            # name collision with a file in app_template
+            if (config.getPackageDirectoryPath()/output_file_path).exists():
+                raise FileExistsError(f"ERROR: Overwriting Dashboard File {output_file_path}. Does this file exist in {config.getAppTemplatePath()} AND {config.path/'dashboards'}?")
+                
+            ConfWriter.writeXmlFileHeader(output_file_path, config)
+            dashboard.writeDashboardFile(ConfWriter.getJ2Environment(), config)
+            ConfWriter.validateXmlFile(config.getPackageDirectoryPath()/output_file_path)
+            written_files.add(output_file_path)
+        return written_files
+
 
     @staticmethod
     def writeXmlFileHeader(app_output_path:pathlib.Path, config: build) -> None:
@@ -142,7 +159,7 @@ class ConfWriter():
         j2_env = ConfWriter.getJ2Environment()
         
         template = j2_env.get_template(template_name)
-        output = template.render(objects=objects, APP_NAME=config.app.label)
+        output = template.render(objects=objects, app=config.app)
         
         output_path.parent.mkdir(parents=True, exist_ok=True)
         with open(output_path, 'a') as f:

contentctl/output/templates/analyticstories_detections.j2

@@ -3,11 +3,11 @@
 
 {% for detection in objects %}
 {% if (detection.type == 'TTP' or detection.type == 'Anomaly' or detection.type == 'Hunting' or detection.type == 'Correlation') %}
-[savedsearch://{{APP_NAME}} - {{ detection.name }} - Rule]
+[savedsearch://{{ detection.get_conf_stanza_name(app) }}]
 type = detection
 asset_type = {{ detection.tags.asset_type.value }}
 confidence = medium
-explanation = {{ detection.description | escapeNewlines() }}
+explanation = {{ (detection.explanation if detection.explanation else detection.description) | escapeNewlines() }}
 {% if detection.how_to_implement is defined %}
 how_to_implement = {{ detection.how_to_implement | escapeNewlines() }}
 {% else %}

contentctl/output/templates/analyticstories_investigations.j2

@@ -1,13 +1,13 @@
 
 ### RESPONSE TASKS ###
 
-{% for detection in objects %}
-{% if (detection.type == 'Investigation') %}
-[savedsearch://{{APP_NAME}} - {{ detection.name }} - Response Task]
+{% for investigation in objects %}
+{% if (investigation.type == 'Investigation') %}
+[savedsearch://{{ investigation.get_response_task_name(app) }}]
 type = investigation
 explanation = none
-{% if detection.how_to_implement is defined %}
-how_to_implement = {{ detection.how_to_implement | escapeNewlines() }}
+{% if investigation.how_to_implement is defined %}
+how_to_implement = {{ investigation.how_to_implement | escapeNewlines() }}
 {% else %}
 how_to_implement = none
 {% endif %}

contentctl/output/templates/analyticstories_stories.j2

@@ -10,7 +10,7 @@ version = {{ story.version }}
 references = {{ story.getReferencesListForJson() | tojson }}
 maintainers = [{"company": "{{ story.author_company }}", "email": "{{ story.author_email }}", "name": "{{ story.author_name }}"}]
 spec_version = 3
-searches = {{ story.storyAndInvestigationNamesWithApp(APP_NAME) | tojson }}
+searches = {{ story.storyAndInvestigationNamesWithApp(app) | tojson }}
 description = {{ story.description | escapeNewlines() }}
 {% if story.narrative is defined %}
 narrative = {{ story.narrative | escapeNewlines() }}

contentctl/output/templates/savedsearches_baselines.j2

@@ -1,14 +1,13 @@
 
 
-### {{APP_NAME}} BASELINES ###
+### {{app.label}} BASELINES ###
 
 {% for detection in objects %}
 {% if (detection.type == 'Baseline') %}
-[{{APP_NAME}} - {{ detection.name }}]
+[{{ detection.get_conf_stanza_name(app) }}]
 action.escu = 0
 action.escu.enabled = 1
 action.escu.search_type = support
-action.escu.full_search_name = {{APP_NAME}} - {{ detection.name }}
 description = {{ detection.description | escapeNewlines() }}
 action.escu.creation_date = {{ detection.date }}
 action.escu.modification_date = {{ detection.date }}

contentctl/output/templates/savedsearches_detections.j2

@@ -1,8 +1,8 @@
-### {{APP_NAME}} DETECTIONS ###
+### {{app.label}} DETECTIONS ###
 
 {% for detection in objects %}
 {% if (detection.type == 'TTP' or detection.type == 'Anomaly' or detection.type == 'Hunting' or detection.type == 'Correlation') %}
-[{{APP_NAME}} - {{ detection.name }} - Rule]
+[{{ detection.get_conf_stanza_name(app) }}]
 action.escu = 0
 action.escu.enabled = 1
 {% if detection.status == "deprecated" %}
@@ -28,7 +28,6 @@ action.escu.known_false_positives = None
 action.escu.creation_date = {{ detection.date }}
 action.escu.modification_date = {{ detection.date }}
 action.escu.confidence = high
-action.escu.full_search_name = {{APP_NAME}} - {{ detection.name }} - Rule
 action.escu.search_type = detection
 {% if detection.tags.product is defined %}
 action.escu.product = {{ detection.tags.product | tojson }}
@@ -57,7 +56,7 @@ cron_schedule = {{ detection.deployment.scheduling.cron_schedule }}
 dispatch.earliest_time = {{ detection.deployment.scheduling.earliest_time }}
 dispatch.latest_time = {{ detection.deployment.scheduling.latest_time }}
 action.correlationsearch.enabled = 1
-action.correlationsearch.label = {{APP_NAME}} - {{ detection.name }} - Rule
+action.correlationsearch.label = {{ detection.get_action_dot_correlationsearch_dot_label(app) }}
 action.correlationsearch.annotations = {{ detection.annotations | tojson }}
 action.correlationsearch.metadata = {{ detection.metadata | tojson }}
 {% if detection.deployment.scheduling.schedule_window is defined %}
@@ -72,7 +71,7 @@ action.notable.param.nes_fields = {{ detection.nes_fields }}
 action.notable.param.rule_description = {{ detection.deployment.alert_action.notable.rule_description | custom_jinja2_enrichment_filter(detection) | escapeNewlines()}}
 action.notable.param.rule_title = {% if detection.type | lower == "correlation" %}RBA: {{ detection.deployment.alert_action.notable.rule_title | custom_jinja2_enrichment_filter(detection) }}{% else %}{{ detection.deployment.alert_action.notable.rule_title | custom_jinja2_enrichment_filter(detection) }}{% endif +%}
 action.notable.param.security_domain = {{ detection.tags.security_domain.value }}
-action.notable.param.severity = high
+action.notable.param.severity = {{ detection.tags.severity.value }}
 {% endif %}
 {% if detection.deployment.alert_action.email %}
 action.email.subject.alert = {{ detection.deployment.alert_action.email.subject | custom_jinja2_enrichment_filter(detection) | escapeNewlines() }}
@@ -107,8 +106,14 @@ relation = greater than
 quantity = 0
 realtime_schedule = 0
 is_visible = false
+{% if detection.tags.throttling %}
+alert.suppress = true
+alert.suppress.fields = {{ detection.tags.throttling.conf_formatted_fields() }}
+alert.suppress.period = {{ detection.tags.throttling.period }}
+{% endif %}
 search = {{ detection.search | escapeNewlines() }}
-
+action.notable.param.drilldown_searches = {{ detection.drilldowns_in_JSON | tojson | escapeNewlines() }}
 {% endif %}
+
 {% endfor %}
-### END {{ APP_NAME }} DETECTIONS ###
+### END {{ app.label }} DETECTIONS ###

contentctl/output/templates/savedsearches_investigations.j2

@@ -1,15 +1,14 @@
 
 
-### {{APP_NAME}} RESPONSE TASKS ###
+### {{app.label}} RESPONSE TASKS ###
 
 {% for detection in objects %}
 {% if (detection.type == 'Investigation') %}
 {% if detection.search is defined %}
-[{{APP_NAME}} - {{ detection.name }} - Response Task]
+[{{ detection.get_response_task_name(app) }}]
 action.escu = 0
 action.escu.enabled = 1
 action.escu.search_type = investigative
-action.escu.full_search_name = {{APP_NAME}} - {{ detection.name }} - Response Task
 description = {{ detection.description | escapeNewlines() }}
 action.escu.creation_date = {{ detection.date }}
 action.escu.modification_date = {{ detection.date }}
@@ -35,4 +34,4 @@ search = {{ detection.search | escapeNewlines() }}
 {% endfor %}
 
 
-### END {{ APP_NAME }} RESPONSE TASKS ###
+### END {{ app.label }} RESPONSE TASKS ###

contentctl/templates/detections/endpoint/anomalous_usage_of_7zip.yml

@@ -29,6 +29,15 @@ references:
 - https://attack.mitre.org/techniques/T1560/001/
 - https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
 - https://thedfirreport.com/2021/01/31/bazar-no-ryuk/
+drilldown_searches:
+- name: View the detection results for $user$ and $dest$
+  search: '%original_detection_search% | search  user = $user$ dest = $dest$'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for $user$ and $dest$
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
 tags:
   analytic_story:
   - Cobalt Strike
@@ -80,4 +89,4 @@ tests:
   attack_data:
   - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1560.001/archive_utility/windows-sysmon.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
-    sourcetype: xmlwineventlog
+    sourcetype: xmlwineventlog