contentctl 4.4.6__py3-none-any.whl → 5.0.0a0__py3-none-any.whl

contentctl/templates/detections/endpoint/anomalous_usage_of_7zip.yml

@@ -38,51 +38,33 @@ drilldown_searches:
   search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
+rba:
+  message: An instance of $parent_process_name$ spawning $process_name$ was identified
+    on endpoint $dest$ by user $user$. This behavior is indicative of suspicious loading
+    of 7zip.
+  risk_objects:
+    - field: user
+      type: user
+      score: 56
+    - field: dest
+      type: system
+      score: 60
+  threat_objects:
+    - field: parent_process_name
+      type: parent_process_name
+    - field: process_name
+      type: process_name
 tags:
   analytic_story:
   - Cobalt Strike
   asset_type: Endpoint
-  confidence: 80
-  impact: 80
-  message: An instance of $parent_process_name$ spawning $process_name$ was identified
-    on endpoint $dest$ by user $user$. This behavior is indicative of suspicious loading
-    of 7zip.
   mitre_attack_id:
   - T1560.001
   - T1560
-  observable:
-  - name: user
-    type: User
-    role:
-    - Victim
-  - name: dest
-    type: Hostname
-    role:
-    - Victim
-  - name: parent_process_name
-    type: Process
-    role:
-    - Attacker
-  - name: process_name
-    type: Process
-    role:
-    - Attacker
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
   - Splunk Cloud
-  required_fields:
-  - _time
-  - Processes.process_name
-  - Processes.process
-  - Processes.dest
-  - Processes.user
-  - Processes.parent_process_name
-  - Processes.process_name
-  - Processes.parent_process
-  - Processes.process_id
-  - Processes.parent_process_id
-  risk_score: 64
   security_domain: endpoint
 tests:
 - name: True Positive Test

{contentctl-4.4.6.dist-info → contentctl-5.0.0a0.dist-info}/METADATA

@@ -1,15 +1,16 @@
-Metadata-Version: 2.1
+Metadata-Version: 2.3
 Name: contentctl
-Version: 4.4.6
+Version: 5.0.0a0
 Summary: Splunk Content Control Tool
 License: Apache 2.0
 Author: STRT
 Author-email: research@splunk.com
-Requires-Python: >=3.11,<3.13
+Requires-Python: >=3.11,<3.14
 Classifier: License :: Other/Proprietary License
 Classifier: Programming Language :: Python :: 3
 Classifier: Programming Language :: Python :: 3.11
 Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
 Requires-Dist: Jinja2 (>=3.1.4,<4.0.0)
 Requires-Dist: PyYAML (>=6.0.2,<7.0.0)
 Requires-Dist: attackcti (>=0.4.0,<0.5.0)
@@ -17,7 +18,7 @@ Requires-Dist: bottle (>=0.12.25,<0.14.0)
 Requires-Dist: docker (>=7.1.0,<8.0.0)
 Requires-Dist: gitpython (>=3.1.43,<4.0.0)
 Requires-Dist: pycvesearch (>=1.2,<2.0)
-Requires-Dist: pydantic (>=2.8.2,<3.0.0)
+Requires-Dist: pydantic (>=2.9.2,<2.10.0)
 Requires-Dist: pygit2 (>=1.15.1,<2.0.0)
 Requires-Dist: questionary (>=2.0.1,<3.0.0)
 Requires-Dist: requests (>=2.32.3,<2.33.0)
@@ -25,7 +26,7 @@ Requires-Dist: semantic-version (>=2.10.0,<3.0.0)
 Requires-Dist: setuptools (>=69.5.1,<76.0.0)
 Requires-Dist: splunk-sdk (>=2.0.2,<3.0.0)
 Requires-Dist: tqdm (>=4.66.5,<5.0.0)
-Requires-Dist: tyro (>=0.8.3,<0.9.0)
+Requires-Dist: tyro (>=0.9.2,<0.10.0)
 Requires-Dist: xmltodict (>=0.13,<0.15)
 Description-Content-Type: text/markdown
 

{contentctl-4.4.6.dist-info → contentctl-5.0.0a0.dist-info}/RECORD

@@ -1,14 +1,14 @@
 contentctl/__init__.py,sha256=IMjkMO3twhQzluVTo8Z6rE7Eg-9U79_LGKMcsWLKBkY,22
-contentctl/actions/build.py,sha256=T1shTnBqJ2OfAL5RRDLBw1CdeV-Oqqp3uJ8ObEEKTIM,5201
+contentctl/actions/build.py,sha256=J-ALH-_IFypOZWarTCLdnTo9g5IpIwEJBON2cnhwKEw,5505
 contentctl/actions/deploy_acs.py,sha256=4mD3wEgudi8UWpTW9mB5n65Bcs1w4g5cG2yflj-uEck,3259
-contentctl/actions/detection_testing/DetectionTestingManager.py,sha256=zg8JasDjCpSC-yhseEyUwO8qbDJIUJbhlus9Li9ZAnA,8818
+contentctl/actions/detection_testing/DetectionTestingManager.py,sha256=YAEtyAErvDgk4eqIXWLVllZFKe_0ZKliycR9fvWeMjI,8744
 contentctl/actions/detection_testing/GitService.py,sha256=HcyuPrW6zBeCNu2l2JJgB_wTyvdWeK3Ii32pUf3vs08,9698
 contentctl/actions/detection_testing/generate_detection_coverage_badge.py,sha256=N5mznaeErVak3mOBwsd0RDBFJO3bku0EZvpayCyU-uk,2259
-contentctl/actions/detection_testing/infrastructures/DetectionTestingInfrastructure.py,sha256=mcdLt3tZr-xF5xaYnD0q7JQx9qrbRIzPNl6D9MeeB5k,56999
+contentctl/actions/detection_testing/infrastructures/DetectionTestingInfrastructure.py,sha256=Vy-BWRC_YqctFQOxEluf2cxtA8AHV-aIS1RJx0Fril8,57138
 contentctl/actions/detection_testing/infrastructures/DetectionTestingInfrastructureContainer.py,sha256=WCtyyMKTA17JzPIb10rV8C6vdG-cBzHtFC9T2CuYY2o,7047
 contentctl/actions/detection_testing/infrastructures/DetectionTestingInfrastructureServer.py,sha256=Q1ZfCYOp54O39bgTScZMInkmZiU-bGAM9Hiwr2mq5ms,370
-contentctl/actions/detection_testing/progress_bar.py,sha256=OK9oRnPlzPAswt9KZNYID-YLHxqaYPY821kIE4-rCeA,3244
-contentctl/actions/detection_testing/views/DetectionTestingView.py,sha256=nh9-gBSy-7FFBU71v4K5rwJmPzX2swFivbNfzDOpH-U,7674
+contentctl/actions/detection_testing/progress_bar.py,sha256=jiorPxfSAX6jCK1BSQDKNYchTshBnWshWB0XphLp91A,3229
+contentctl/actions/detection_testing/views/DetectionTestingView.py,sha256=ENHVBQxR3Ws4NYZmCfmoKBtAaGX9QW028obMQ6o1YnU,7615
 contentctl/actions/detection_testing/views/DetectionTestingViewCLI.py,sha256=v5F3heZ3ZD0ik_-a_zDYSEz6oc5VdVj3e5rSSZ-tK00,2149
 contentctl/actions/detection_testing/views/DetectionTestingViewFile.py,sha256=3mBCQy3hYuX8bNqh3al0nANlMwq9sxbQjkhwA1V5LOA,1090
 contentctl/actions/detection_testing/views/DetectionTestingViewWeb.py,sha256=Q6p7UqDOYI2VjFl21_1iue76rWVsQmJUzRewtUBF1a8,4755
@@ -16,103 +16,101 @@ contentctl/actions/doc_gen.py,sha256=YNc1VYA0ikL1hWDHYjfEOmUkfhy8PEIdvTyC4ZLxQRY
 contentctl/actions/initialize.py,sha256=wEO3u8vJYP8Xh2OSJ_HxfMV6mqOdkPyWbUzNGEqMTNA,3055
 contentctl/actions/initialize_old.py,sha256=0qXbW_fNDvkcnEeL6Zpte8d-hpTu1REyzHsXOCY-YB8,9333
 contentctl/actions/inspect.py,sha256=dXV020g_GwwspSgiS6jQxW0JEVr_nublJBevwZ79mZo,17424
-contentctl/actions/new_content.py,sha256=3ZKSQ_O7GUTflEg2bqo2iGK65EaL96c4MEqGJPanXWg,6445
+contentctl/actions/new_content.py,sha256=wefzwJ0uCduLTvkynls1IVJCmcs_3RU9YkDzx7iiWeo,8363
 contentctl/actions/release_notes.py,sha256=0K7zHQyVHVYK_whiv4PvxOKS4_0s1Ya_RDCrrcT3FW4,13319
 contentctl/actions/reporting.py,sha256=MJEmvmoA1WnSFZEU9QM6daL_W94oOX0WXAcX1qAM2As,1583
-contentctl/actions/test.py,sha256=jv12UO_PTjZwvo4G-Dr8fE2gsuWvuvAmO2QQM4q7TL0,5917
-contentctl/actions/validate.py,sha256=eVxXf67b65ywe4yXYqaTXJShvqbzG9vd6jlkq-YVzy8,5538
+contentctl/actions/test.py,sha256=gS-BIexzzjHUR8RvQADDjyTIeJvilbuufPQq10TINJE,5953
+contentctl/actions/validate.py,sha256=7w5444SiOs0R4c_2Yn0tRaFx9Nf-r7o9aMjSaz3N9Kw,5602
 contentctl/api.py,sha256=O0dNE3-WkWs2zuOeAQnIicgOtBX5s2bGBhRVo3j69-8,6327
-contentctl/contentctl.py,sha256=H2tst7G9JSpfvPqR_-Vmt78ngwaRg6FmndNByWf-3tM,10517
+contentctl/contentctl.py,sha256=Z_B7gZ1eWjlwhna9aMhn-rteCArMgLOINI8rfGiHZBc,11190
 contentctl/enrichments/attack_enrichment.py,sha256=i0p5ud7EqA2SMB7Gc8JQdIonUTjAeDN-hxKBV4XV-Rg,6391
 contentctl/enrichments/cve_enrichment.py,sha256=aXpv_kCS0XP6JpC_ZEOeBPgrl38t_vkKZe9Ay35lRi4,2347
 contentctl/enrichments/splunk_app_enrichment.py,sha256=zDNHFLZTi2dJ1gdnh0sHkD6F1VtkblqFnhacFcCMBfc,3418
 contentctl/helper/link_validator.py,sha256=-XorhxfGtjLynEL1X4hcpRMiyemogf2JEnvLwhHq80c,7139
 contentctl/helper/logger.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 contentctl/helper/splunk_app.py,sha256=5KoacltgQ2J1BdxqvZYhr6GCXFl2tsy8TEWNc2gXkqw,14187
-contentctl/helper/utils.py,sha256=8ICRvE7DUiNL9BK4Hw71hCLFbd3R2u86OwKeDOdaBTY,19454
-contentctl/input/director.py,sha256=U7jrhqP7IbfaSLXGIVtKrVvGTwIrmI1roW2X1jmZZ8Q,10841
-contentctl/input/new_content_questions.py,sha256=p-rop4YpCjyg0RYKQ7Cvk9-7uaa5GDELNVeeUlxk6ks,4191
-contentctl/input/yml_reader.py,sha256=hyVUYhx4Ka8C618kP2D_E3sDUKEQGC6ty_QZQArHKd4,1489
-contentctl/objects/abstract_security_content_objects/detection_abstract.py,sha256=QnLfNK4fa-Y-LmdPVfEJMa8WDzDsKz-bwpixbCLJKNo,45766
-contentctl/objects/abstract_security_content_objects/security_content_object_abstract.py,sha256=VUTNG6LvYf5D1L8UA5uciBBI0VfB432-6TCe2hP-_YE,10324
-contentctl/objects/alert_action.py,sha256=E9gjCn5C31h0sN7k90KNe4agRxFFSnMW_Z-Ri_3YQss,1335
+contentctl/helper/utils.py,sha256=8UDQWZmPg0hRjLNSf4gowsbdVCC4YFJW-xVxyIXUA_Y,18954
+contentctl/input/director.py,sha256=ieNzGHY7KMdwZZ7Re8-NnfdW3dRnrwh98BLFldDU1wg,10975
+contentctl/input/new_content_questions.py,sha256=7Sfdp-HrlyDN2H88CHrByZIL26iN-gqN17tHSkBg6UA,4196
+contentctl/input/yml_reader.py,sha256=BBO5AiLjwKTrVVMmW3p8BgFMXdTHPwPlEPlNXInmGNo,2015
+contentctl/objects/abstract_security_content_objects/detection_abstract.py,sha256=uc7eadSrL9pDdT0U_QtoYhQeQbx9HUlrJLJaBs5lNxc,50053
+contentctl/objects/abstract_security_content_objects/security_content_object_abstract.py,sha256=6vFf6ZZiUFBclYLg9e_AmZYsPfIq385jgqcFGvzWdmE,10232
+contentctl/objects/alert_action.py,sha256=vH8Yp3Ja4ane_bvOYvQhBwZiicYHJWKoecEsZzXEtKE,1393
 contentctl/objects/annotated_types.py,sha256=jnX02BQT4dHbd_DCIjik0PNN3kgsvb7sxAz_1Jy8TOY,259
-contentctl/objects/atomic.py,sha256=L9QSmwmmSFFfvUykPk_nXwz9XDz-Gn6e0rrDxxRO8uY,7292
-contentctl/objects/base_test.py,sha256=qUtKQJrqCto_fwCBdiH68_tXqokhcv9ceu2fQlBxsjA,1045
-contentctl/objects/base_test_result.py,sha256=pr-rwr80bJej8hHNhiVBvw49FZmRuPfOIChLJjY22lY,5205
-contentctl/objects/baseline.py,sha256=cnJQt1z-PQDH6mbDU-eqo-l41LSWsaKmqU0IxuJWnGk,2139
-contentctl/objects/baseline_tags.py,sha256=fyfH2KZqUhPGCwfverYw2_ZGXQIjgkT3P7hiYDPnN4Y,1599
-contentctl/objects/config.py,sha256=m99_glCCDluLrSDsC8SXJpXt97kIom8ppsp34aG3J5s,50475
-contentctl/objects/constants.py,sha256=scKaQlubfjkW5n2AztY5zneAgjVLXbnyK0ZBALxPUV8,5529
-contentctl/objects/correlation_search.py,sha256=N83HiS-IUcFFPPw2F7wyTn0GrrKsq9YbtWuE5iqhAKs,46271
+contentctl/objects/atomic.py,sha256=l10rrcZ2XItdnpOzSpHSbEwC12jelsPzELmeJZAGv2E,7338
+contentctl/objects/base_test.py,sha256=V5hZK2EjBIdTFmXa8pHmqQVsgFF_yL2iknCOO1KTALo,1103
+contentctl/objects/base_test_result.py,sha256=XxqOQHfOVTx3vvPgTz7ppE4EA_3MJx6Tf8G9bmhrWAI,5209
+contentctl/objects/baseline.py,sha256=EtJZeKfuFRWLCgHdVNDgHaP_8CysD15GYs_hDnPPt0k,3020
+contentctl/objects/baseline_tags.py,sha256=Z5BB0vxXpmbVeCyESs2WYaFgonBZTYY0iLZVAPabdJc,1548
+contentctl/objects/config.py,sha256=GJbZ7M7nKaMir3kPA6_wgFah9ZsvEClnNiplVeoG6Vo,49134
+contentctl/objects/constants.py,sha256=Bn1O3FIcmLd7QYT-pZuhtaZ7k8sUvTWwh8XYXg4A_7M,5760
+contentctl/objects/correlation_search.py,sha256=xNcURW_K8rRG8VKkQ6WGL8a4zBw4CORyr2SvY-3TCVQ,46039
 contentctl/objects/dashboard.py,sha256=GKb_YqZMSP98Y97AlKffJrtVUufZzJag-zdmqRePLZ4,4114
-contentctl/objects/data_source.py,sha256=aRr6lHu-EtGmi6J2nXKD7i2ozUPtp7X-vDkQiutvD3I,1545
-contentctl/objects/deployment.py,sha256=9iFo3iwvBVmBMlW-VhwX4ikbh2shl5cumSPOFMdqT2Q,3044
-contentctl/objects/deployment_email.py,sha256=Zu9cXZdfOP6noa_mZpiK1GrYCTgi3Mim94iLGjE674c,147
-contentctl/objects/deployment_notable.py,sha256=QhOI7HEkUuuqk0fum9SD8IpYBlbwIsJUff8s3kCKKj4,198
-contentctl/objects/deployment_phantom.py,sha256=EmRlPKpEij4vqUJgACqK_zcGBmHV8xXczkJi-FxMDio,207
-contentctl/objects/deployment_rba.py,sha256=YFLSKzLU7s8Bt1cJkSBWlfCsc_2MfgiwyaDijQOVlFE,125
-contentctl/objects/deployment_scheduling.py,sha256=bQjbJHNaUGdU1VAGV8-nFOHzHutbIlt7FZpUvR1CV4Y,198
-contentctl/objects/deployment_slack.py,sha256=P6z8OLHDKcDWx7nbKWasqBc3dFRatGcpO2GtmxzVV8I,135
+contentctl/objects/data_source.py,sha256=gst7ut7wdpew0woEDQSRVuyYuVf0fLHc0Z6rXW9Fvbw,1489
+contentctl/objects/deployment.py,sha256=dOPBq-0n1ETdVzhtgX81cIvkarafy4WRkVwEjwCMxaQ,2874
+contentctl/objects/deployment_email.py,sha256=XU7jzEUYCfb71If0eLanz1rNl8PR-3RZtEh6FPqjiSY,205
+contentctl/objects/deployment_notable.py,sha256=ALkddRQCgC2IO3AAl8M823icNvTL-V8pkIfRFj0ZvDk,256
+contentctl/objects/deployment_phantom.py,sha256=MjTNi-B2IX6Xgxr6S20jJjo-4taX_zF-HXrFXl1x7gs,265
+contentctl/objects/deployment_rba.py,sha256=E7z-Vus3m0gn1Zd7qrKiPztkj3C0inJIXh2SMif9bKk,183
+contentctl/objects/deployment_scheduling.py,sha256=qqjBcawyC9oPlOIPTQuP-88wbrdxSOjdudtooWrlTwM,256
+contentctl/objects/deployment_slack.py,sha256=Bg6hgIgc-BaWIv6CSWwE6429c9umFlBY51s-ZPTajtQ,193
 contentctl/objects/detection.py,sha256=3W41cXf3ECjWuPqWrseqSLC3PAA7O5_nENWWM6MPK0Y,620
 contentctl/objects/detection_metadata.py,sha256=eCsru2cymc3VINjt9MpDyGw2zXa2HyVEPv-XiGAcAeQ,2236
 contentctl/objects/detection_stanza.py,sha256=842fHPfGDdddHF5UzgftYr8OlYblWhMWZxPQsTu2wKg,3066
-contentctl/objects/detection_tags.py,sha256=iozG-McM6VRYuqWHhQXvKD_iVyug2rdofuTf4jeUaG4,11208
-contentctl/objects/drilldown.py,sha256=k_U0-vXKBCKeoUKszQ_0FdYQMq9c9mJ3PsHe6rM2lAA,3914
-contentctl/objects/enums.py,sha256=teR7tf5mUc60B5DjIhDsczbsOUJRkkOu--oh_id9JQk,14221
+contentctl/objects/detection_tags.py,sha256=2jGUvWSK0-b5M-guzcJQs2v5LfV_5hcfZpeS6HGx3Xo,9903
+contentctl/objects/drilldown.py,sha256=rnhGIjm0uc7BFekzlxBeMbxpLpC1dcjkh8n0rF_SheI,3987
+contentctl/objects/enums.py,sha256=Uy5n7diPs2q7vzhe2dTr2Mzr5ifzuKDmUhD-RujPl4E,13418
 contentctl/objects/errors.py,sha256=WURmJCqhy2CZNXXCypXVtwnjSBx-VIcB6W9oFJmzoFk,5762
-contentctl/objects/event_source.py,sha256=G9P7rtcN5hcBNQx6DG37mR3QyQufx--T6kgQGNqQuKk,415
 contentctl/objects/integration_test.py,sha256=UBBx85f517MpQXOM7-iEasACEQ0-Ia7W4rDChOHZfno,1319
 contentctl/objects/integration_test_result.py,sha256=9oVWka57alIVPiCDbNgy-OmJcBicyYbrr6anL52Wgks,278
-contentctl/objects/investigation.py,sha256=UCiKvTW3SQrjbbVAdYxmtJb_DT3-wuVgxZvT9nudvnw,3236
-contentctl/objects/investigation_tags.py,sha256=mwjIyWtQflF_sjzKOmfcXj-DkPsgwX0jSN7_weearM4,1304
-contentctl/objects/lookup.py,sha256=vy-4JVswguJGIniIwkPG_WAeo5JlCrHUTV9FOyksRII,7516
-contentctl/objects/macro.py,sha256=nEIWRVCMQiTfSD5ajg-39laf-JH85zKE9uIFnljQTyE,3293
+contentctl/objects/investigation.py,sha256=UOTieT033I3wU_-ydTCzT3LC1Is-WfnJKqcoVndW8LE,3244
+contentctl/objects/investigation_tags.py,sha256=-BP9rjtOzYCXsA5f626kO70cHxHBPyxeRYhdNkQDA1Q,1255
+contentctl/objects/lookup.py,sha256=rPMiCemlN3XORMAjuH10sgQhkjMqpSQOVSr-DdyFaN8,10529
+contentctl/objects/macro.py,sha256=DNBecV1kGOudKY0lx7nSjUjRmMi0CNWHYcmvaRZGFPg,3430
 contentctl/objects/manual_test.py,sha256=YNquEQ0UCzZGJ0uvHBgJ3Efho-F80ZG885ABLtqB7TI,1022
 contentctl/objects/manual_test_result.py,sha256=C4AYW3jlMsxVzCPzCA5dpAcbKgCpmDO43JmptFm--Q4,155
-contentctl/objects/mitre_attack_enrichment.py,sha256=4_9hvrxCXnGfyWqoj7C-0pCfGXEBJXfhrcSfb1cmPjs,3387
+contentctl/objects/mitre_attack_enrichment.py,sha256=0BvYdWVqFer029S3o_Wve_GQEKgvFZi_rjAb-rHid9c,3325
 contentctl/objects/notable_action.py,sha256=ValkblBaG-60TF19y_vSnNzoNZ3eg48wIfr0qZxyKTA,1605
 contentctl/objects/notable_event.py,sha256=YlmI5CbTeu2hrj1yhmvu6ma4RY_6RFvIuq8aEtrn4z8,703
-contentctl/objects/observable.py,sha256=pw0Ehi_KMb7nXzw2kuw1FnCknpD8zDkCAqBTa-M_F28,1313
+contentctl/objects/observable.py,sha256=1nM2ldkCcicxCX_ibOl2_qewJ5yQDyOIuCUsdithFZk,1421
 contentctl/objects/playbook.py,sha256=hSYYpdMhctgpp7uwaPciFqu1yuFI4M1NHy1WBBLyvzM,2469
-contentctl/objects/playbook_tags.py,sha256=NrhTGcgoYSGEZggrfebko0GBOXN9x05IadRUUL_CVfQ,1436
+contentctl/objects/playbook_tags.py,sha256=jG_zsd8yL3HvSdDwbVJOu5KVA3--YYCBbhFGykoMrf4,1560
+contentctl/objects/rba.py,sha256=AkrbhzKeckxRn_6FEeA0geie2e71UOwpSEm9cqpnCN8,2826
 contentctl/objects/risk_analysis_action.py,sha256=OeatdTFXa6801JZIyvfN7c0B0rTnXpdVh1PXHCmQsz0,4275
-contentctl/objects/risk_event.py,sha256=wPVQPwvA3u_2CTeZwy7xLHrIH98mWpvBunEsQLGlb-Y,14106
+contentctl/objects/risk_event.py,sha256=1PNMlZaNPYKGNPyTvH5FdvQpDxl58t4gexKDSisP7AQ,12520
 contentctl/objects/risk_object.py,sha256=yY4NmEwEKaRl4sLzCRZb1n8kdpV3HzYbQVQ1ClQWYHw,904
 contentctl/objects/savedsearches_conf.py,sha256=tCyZHqAQ9azgwIyySViY2BdM4To5Cb_GeYEEHPwR4Zc,8604
 contentctl/objects/security_content_object.py,sha256=j8KNDwSMfZsSIzJucC3NuZo0SlFVpqHfDc6y3-YHjHI,234
 contentctl/objects/story.py,sha256=9q8_WosIZwq5cWIUbl_0IErV4fWc9VA18YBuJeflXn0,4823
-contentctl/objects/story_tags.py,sha256=cOL8PUzdlFdLPQHc54_-9sdI8nCE1D04oKY7KriOssI,2293
-contentctl/objects/test_attack_data.py,sha256=9OgErjdPR4S-SJpQePt0uwBLPYHYPtqKDd-auhjz7Uc,430
+contentctl/objects/story_tags.py,sha256=GEzURFnlloBrBHoTjLHKRmqAein1ylcyFr4VE4jzFPU,2214
+contentctl/objects/test_attack_data.py,sha256=7p-kOJguTZtG9y5th5U3qfPFvpiAWLST_OBw8dwWl_4,488
 contentctl/objects/test_group.py,sha256=DCtm4ChGYksOwZQVHsioaweOvI37CSlTZJzKvBX-jbY,2586
 contentctl/objects/threat_object.py,sha256=S8B7RQFfLxN_g7yKPrDTuYhIy9JvQH3YwJ_T5LUZIa4,711
 contentctl/objects/throttling.py,sha256=om0pGOMStr6sTwm5uZ7rBcSHhRLpaX6TS5x-aaPGsR0,2369
 contentctl/objects/unit_test.py,sha256=eMFehpHhmZA5WYBqhWUNRF_LpxuLM9VooAxjXeNbrxY,1144
-contentctl/objects/unit_test_baseline.py,sha256=XHvOm7qLYfqrP6uC5U_pfgw_pf8-S2RojuNmbo6lXlM,227
+contentctl/objects/unit_test_baseline.py,sha256=x1pDW028R4xzmz_kIiIerXTHE6kFfHkf28zIVl1wX9c,284
 contentctl/objects/unit_test_result.py,sha256=POQfvvPpSw-jQzINBz1_IszUMJ4Wbopu8HRS1Qe6P2M,2940
-contentctl/output/api_json_output.py,sha256=n3OTd5z-Vkmsn7ny6QCAar_jSMNuuJfzAQa7xq_9if4,9085
+contentctl/output/api_json_output.py,sha256=67mZwYdn5gEl9u24BAopGtPxaKTkPO74S_9zS2XlVIk,8261
 contentctl/output/attack_nav_output.py,sha256=95iKV8U9BMMgqh6cCOw1S89Ln73xmJGgJPHTYR0L7hA,2304
 contentctl/output/attack_nav_writer.py,sha256=64ILZLmNbh2XLmbopgENkeo6t-4SRRG8xZXBmtpNd4g,2219
-contentctl/output/conf_output.py,sha256=tJRFWSswl-XAkcggstkR-tiQUL9en4Z4x-KBZTQCQYg,10170
-contentctl/output/conf_writer.py,sha256=LgkVrJuG1PAnilTyh3DhraNJiG2o-h19_1JU2M_7zB0,13115
-contentctl/output/data_source_writer.py,sha256=ubFjm6XJ4T2d3oqfKwDFasITHeDj3HFmegqVN--5_ME,1635
-contentctl/output/detection_writer.py,sha256=AzxbssNLmsNIOaYKotew5-ONoyq1cQpKSGy3pe191B0,960
+contentctl/output/conf_output.py,sha256=e19RGptVUOatj8c-SuIDd4uqYa7Yg9z9Globv23w1fE,10643
+contentctl/output/conf_writer.py,sha256=9eqt2tm1xjs397pwWLz5oPJcMHbs62ejRG7KghGQQCI,15137
+contentctl/output/data_source_writer.py,sha256=NIn9mVQmYtGjWANeeveRhfXTUescVuWnEEDRXaNb1qg,1579
 contentctl/output/doc_md_output.py,sha256=gf7osH1uSrC6js3D_I72g4uDe9TaB3tsvtqCHi5znp0,3238
 contentctl/output/jinja_writer.py,sha256=bdiqr9FaXYxth4wZ1A52zTMAS5stHNGpezTkaS5pres,1119
-contentctl/output/json_writer.py,sha256=Z-iVLnZb8tzYATxbQtXax0dz572lVPFMNVTx-vWbnog,1007
-contentctl/output/new_content_yml_output.py,sha256=KvP0FffQBPznSKqJyRQMtehf4XYEVK5jiPlUwnkekUc,2061
-contentctl/output/svg_output.py,sha256=T2p4S085MKj5VPZKvo4tWBVOmYme32J9L7kMEBm3SwQ,2751
-contentctl/output/templates/analyticstories_detections.j2,sha256=TZHnWEPWWwMjGgPswMoT9Dcfqs2X2E1lJCVXYwqveHY,970
+contentctl/output/json_writer.py,sha256=xQzARL0eiftVBm9yeBKw6cu2wqc9ughormi2rCFlJ1Q,861
+contentctl/output/svg_output.py,sha256=rDAm6Y5Pc3KktjDh2hXgWFUcONrA8Op22RzSLVMsKBo,2745
+contentctl/output/templates/analyticstories_detections.j2,sha256=_xM5MMC_O5aLTBI04afgrCnYVfojmbb3J1JVq2AkaT8,964
 contentctl/output/templates/analyticstories_investigations.j2,sha256=kqy9lR6W3avqETCM2tSZ8WWOlfiyOtFv6G5N4SZWSaQ,527
 contentctl/output/templates/analyticstories_stories.j2,sha256=4rS-oN6JHAVKF3ToMxzHqK7asytw1R4OQmZGtzdRRBI,663
 contentctl/output/templates/app.conf.j2,sha256=UL80Px4IUGPD-DgcAiUrS4emHBIY7DxleSNyNXCH5tQ,623
 contentctl/output/templates/app.manifest.j2,sha256=Q1803mcfgNvUs8s4e1zD1J3_mxfPYVtLkD8fhCO6d-I,1103
-contentctl/output/templates/collections.j2,sha256=rDpAcqM6hRiyCQPgfRh8KcL41Mrqsc97krQ-JPFhSBQ,181
+contentctl/output/templates/collections.j2,sha256=w2hkY7Yfm7AmY1O_7DP-znLS_whgKX79VbnW7QlvrNU,151
 contentctl/output/templates/content-version.j2,sha256=2-it0TF5BvqUcmUXVFB4DEh0I01igQGDxZNJpdtDFIA,54
 contentctl/output/templates/detection_count.j2,sha256=9U3o-P_ECkMknsooj_L3B9GZqjnsbaEzr59s3-DOK0I,670
 contentctl/output/templates/detection_coverage.j2,sha256=guE4fow9BqGoCCrQ3b6-EZqWJcThb58V9khuIH7nhT0,631
 contentctl/output/templates/doc_detection_page.j2,sha256=kATedDq0Z8tzxKiD3nD0_-7YiOrjssUMYSDenRYTh6A,1012
-contentctl/output/templates/doc_detections.j2,sha256=QKP2u22bFQFSG6I_Iw1_wR7uza-OXI70roSCbEijLiE,6596
+contentctl/output/templates/doc_detections.j2,sha256=tjTQh6R5zMMmBm9hk-8dFG5p0PyhWSGkrYeRxe9gfPU,6500
 contentctl/output/templates/doc_navigation.j2,sha256=h25ITC3xcAM17uZGIyyDFURmEdYtQSPvNeWN3RH7j4Q,1471
 contentctl/output/templates/doc_navigation_pages.j2,sha256=ptfjbD4F0Ob7dze9at2q5gqOslcbL3eteUO1zsblDJo,203
 contentctl/output/templates/doc_playbooks.j2,sha256=CWsnm8F097oYT8anW3CE7JaX1haAJTfylThP1ic0UIw,1681
@@ -125,13 +123,12 @@ contentctl/output/templates/header.j2,sha256=3usV7jm1q6J-QNnQrZzII9cN0XEGQjg_eVK
 contentctl/output/templates/macros.j2,sha256=SLcQQ5X7TZS8j-2qP06BTXqdIcnwoYqTAaBLX2Dge7Y,390
 contentctl/output/templates/panel.j2,sha256=Cw_W6p-14n6UivVfpS75KKJiJ2VpdGsSBceYsUYe9gk,221
 contentctl/output/templates/savedsearches_baselines.j2,sha256=BfpNrApucyByZHYW-Az63NO7hXBRYtlQCZcgBcLDv60,1683
-contentctl/output/templates/savedsearches_detections.j2,sha256=WEpY9C81cifCM0ZC_pubn9pNIXcnPPhQGSrmr79j1aI,6672
+contentctl/output/templates/savedsearches_detections.j2,sha256=O6R1FVyHLR8BcfNpajojmeVYQBQefuBNAAPRQp5IRs0,6831
 contentctl/output/templates/savedsearches_investigations.j2,sha256=3jWg3OEwnexZxebpyP9_7lbZI407e5rlx1-epRs1Kpc,1170
 contentctl/output/templates/server.conf.j2,sha256=sPZUkiuJNGm9R8rpjfRKyuAvmmQb0C4w9Q6hpmvmPeU,127
-contentctl/output/templates/transforms.j2,sha256=-cSoie0LgJwibtW-GMhc9BQlmS6h1s1Vykm9O2M0f9Y,1456
+contentctl/output/templates/transforms.j2,sha256=EySDJWorLHRSTibMIvbV7PdDb6uDC058gMUk-kiK6g0,1481
 contentctl/output/templates/workflow_actions.j2,sha256=DFoZVnCa8dMRHjW2AdpoydBC0THgiH_W-Nx7WI4-uR4,925
-contentctl/output/yml_output.py,sha256=xtTD3f_WWy8O6Joi4S8gG9paot8JpQFRlwt17_ek5B4,2682
-contentctl/output/yml_writer.py,sha256=zZJ3aK-l0YQXbDweS-XZKejHblyhy2eliSthZZEogUs,1668
+contentctl/output/yml_writer.py,sha256=7-qcJJoF6P6p9nHVO8dtEmuekg5_buSXlE2ITrFNsX8,2137
 contentctl/templates/README.md,sha256=GoRmywUqwnjaehY_GLmGqxsFXCLP9plpDYwB6W6nVPs,428
 contentctl/templates/app_default.yml,sha256=kDeYdJbfMADQPcho8iH1nqgTFrHNt4EXnIJjPHc2unI,6390
 contentctl/templates/app_template/README/essoc_story_detail.txt,sha256=7hFPBfPpRH28TFl7QchKceZLewQqgFjRWDlmxZzwpmo,897
@@ -160,14 +157,14 @@ contentctl/templates/deployments/escu_default_configuration_hunting.yml,sha256=h
 contentctl/templates/deployments/escu_default_configuration_ttp.yml,sha256=1D-pvzaH1v3_yCZXaY6njmdvV4S2_Ak8uzzCOsnj9XY,548
 contentctl/templates/detections/application/.gitkeep,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 contentctl/templates/detections/cloud/.gitkeep,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-contentctl/templates/detections/endpoint/anomalous_usage_of_7zip.yml,sha256=AwAjsSuNAEux-_P4Co_Rf73IzSQF6XNhVcCzgU_bGT0,4189
+contentctl/templates/detections/endpoint/anomalous_usage_of_7zip.yml,sha256=VQ8mxkOOm7RfnBomtOXF9XGE8fV-j5j-4pFtpocQ17Y,3875
 contentctl/templates/detections/network/.gitkeep,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 contentctl/templates/detections/web/.gitkeep,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 contentctl/templates/macros/security_content_ctime.yml,sha256=Gg1YNllHVsX_YB716H1SJLWzxXZEfuJlnsgB2fuyoHU,159
 contentctl/templates/macros/security_content_summariesonly.yml,sha256=9BYUxAl2E4Nwh8K19F3AJS8Ka7ceO6ZDBjFiO3l3LY0,162
 contentctl/templates/stories/cobalt_strike.yml,sha256=rlaXxMN-5k8LnKBLPafBoksyMtlmsPMHPJOjTiMiZ-M,3063
-contentctl-4.4.6.dist-info/LICENSE.md,sha256=hQWUayRk-pAiOZbZnuy8djmoZkjKBx8MrCFpW-JiOgo,11344
-contentctl-4.4.6.dist-info/METADATA,sha256=1Pm1dJSU9fg8yNPt0dknhmoq_xdt5vXN3m--qV3fMiM,21486
-contentctl-4.4.6.dist-info/WHEEL,sha256=Nq82e9rUAnEjt98J6MlVmMCZb-t9cYE2Ir1kpBmnWfs,88
-contentctl-4.4.6.dist-info/entry_points.txt,sha256=5bjZ2NkbQfSwK47uOnA77yCtjgXhvgxnmCQiynRF_-U,57
-contentctl-4.4.6.dist-info/RECORD,,
+contentctl-5.0.0a0.dist-info/LICENSE.md,sha256=hQWUayRk-pAiOZbZnuy8djmoZkjKBx8MrCFpW-JiOgo,11344
+contentctl-5.0.0a0.dist-info/METADATA,sha256=VJgxzJ76UWoloqr2hv-qD_03L1JAsaoNsbLNeslnpfo,21541
+contentctl-5.0.0a0.dist-info/WHEEL,sha256=IYZQI976HJqqOpQU6PHkJ8fb3tMNBFjg-Cn-pwAbaFM,88
+contentctl-5.0.0a0.dist-info/entry_points.txt,sha256=5bjZ2NkbQfSwK47uOnA77yCtjgXhvgxnmCQiynRF_-U,57
+contentctl-5.0.0a0.dist-info/RECORD,,

{contentctl-4.4.6.dist-info → contentctl-5.0.0a0.dist-info}/WHEEL

@@ -1,4 +1,4 @@
 Wheel-Version: 1.0
-Generator: poetry-core 1.9.1
+Generator: poetry-core 2.0.1
 Root-Is-Purelib: true
 Tag: py3-none-any

contentctl/objects/event_source.py

@@ -1,11 +0,0 @@
-from __future__ import annotations
-from typing import Union, Optional, List
-from pydantic import BaseModel, Field
-
-from contentctl.objects.security_content_object import SecurityContentObject
-
-class EventSource(SecurityContentObject):
-    fields: Optional[list[str]] = None
-    field_mappings: Optional[list[dict]] = None
-    convert_to_log_source: Optional[list[dict]] = None
-    example_log: Optional[str] = None

contentctl/output/detection_writer.py

@@ -1,28 +0,0 @@
-
-import yaml
-
-
-class DetectionWriter:
-
-    @staticmethod
-    def writeYmlFile(file_path : str, obj : dict) -> None:
-
-        new_obj = dict()
-        new_obj["name"] = obj["name"]
-        new_obj["id"] = obj["id"]
-        new_obj["version"] = obj["version"]
-        new_obj["date"] = obj["date"]
-        new_obj["author"] = obj["author"]
-        new_obj["type"] = obj["type"]
-        new_obj["status"] = obj["status"]
-        new_obj["description"] = obj["description"]
-        new_obj["data_source"] = obj["data_source"]
-        new_obj["search"] = obj["search"]
-        new_obj["how_to_implement"] = obj["how_to_implement"]
-        new_obj["known_false_positives"] = obj["known_false_positives"]
-        new_obj["references"] = obj["references"]
-        new_obj["tags"] = obj["tags"]
-        new_obj["tests"] = obj["tests"]
-
-        with open(file_path, 'w') as outfile:
-            yaml.safe_dump(new_obj, outfile, default_flow_style=False, sort_keys=False)

contentctl/output/new_content_yml_output.py

@@ -1,56 +0,0 @@
-import os
-import pathlib
-from contentctl.objects.enums import SecurityContentType
-from contentctl.output.yml_writer import YmlWriter
-import pathlib
-from contentctl.objects.config import NewContentType
-class NewContentYmlOutput():
-    output_path: pathlib.Path
-    
-    def __init__(self, output_path:pathlib.Path):
-        self.output_path = output_path
-    
-    
-    def writeObjectNewContent(self, object: dict, subdirectory_name: str, type: NewContentType) -> None:
-        if type == NewContentType.detection:
-
-            file_path = os.path.join(self.output_path, 'detections', subdirectory_name, self.convertNameToFileName(object['name'], object['tags']['product']))
-            output_folder = pathlib.Path(self.output_path)/'detections'/subdirectory_name
-            #make sure the output folder exists for this detection
-            output_folder.mkdir(exist_ok=True)
-
-            YmlWriter.writeYmlFile(file_path, object)
-            print("Successfully created detection " + file_path)
-        
-        elif type == NewContentType.story:
-            file_path = os.path.join(self.output_path, 'stories', self.convertNameToFileName(object['name'], object['tags']['product']))
-            YmlWriter.writeYmlFile(file_path, object)
-            print("Successfully created story " + file_path)        
-        
-        else:
-            raise(Exception(f"Object Must be Story or Detection, but is not: {object}"))
-
-
-
-    def convertNameToFileName(self, name: str, product: list):
-        file_name = name \
-            .replace(' ', '_') \
-            .replace('-','_') \
-            .replace('.','_') \
-            .replace('/','_') \
-            .lower()
-        
-        file_name = file_name + '.yml'
-        return file_name
-
-
-    def convertNameToTestFileName(self, name: str, product: list):
-        file_name = name \
-            .replace(' ', '_') \
-            .replace('-','_') \
-            .replace('.','_') \
-            .replace('/','_') \
-            .lower()
-        
-        file_name = file_name + '.test.yml'
-        return file_name

contentctl/output/yml_output.py

@@ -1,66 +0,0 @@
-import os
-
-from contentctl.output.detection_writer import DetectionWriter
-from contentctl.objects.detection import Detection
-
-
-class YmlOutput():
-
-
-    def writeDetections(self, objects: list, output_path : str) -> None:
-        for obj in objects:
-            file_path = obj.file_path
-            obj.id = str(obj.id)
-
-            DetectionWriter.writeYmlFile(os.path.join(output_path, file_path), obj.dict(
-                exclude_none=True,
-                include =
-                    {
-                        "name": True,
-                        "id": True,
-                        "version": True,
-                        "date": True,
-                        "author": True,
-                        "type": True,
-                        "status": True,
-                        "description": True,
-                        "data_source": True,
-                        "search": True,
-                        "how_to_implement": True,
-                        "known_false_positives": True,
-                        "references": True,
-                        "tags": 
-                            {
-                                "analytic_story": True,
-                                "asset_type": True,
-                                "atomic_guid": True,
-                                "confidence": True,
-                                "impact": True,
-                                "drilldown_search": True,
-                                "mappings": True,
-                                "message": True,
-                                "mitre_attack_id": True,
-                                "kill_chain_phases:": True,
-                                "observable": True,
-                                "product": True,
-                                "required_fields": True,
-                                "risk_score": True,
-                                "security_domain": True
-                            },
-                        "tests": 
-                            {
-                                '__all__': 
-                                    {
-                                        "name": True,
-                                        "attack_data": {
-                                            '__all__': 
-                                            {
-                                                "data": True,
-                                                "source": True,
-                                                "sourcetype": True
-                                            }
-                                        }
-                                    }
-                            }
-                    }
-            ))