contentctl 4.4.7__py3-none-any.whl → 5.0.0__py3-none-any.whl

contentctl/objects/constants.py

@@ -15,7 +15,7 @@ ATTACK_TACTICS_KILLCHAIN_MAPPING = {
     "Collection": "Exploitation",
     "Command And Control": "Command and Control",
     "Exfiltration": "Actions on Objectives",
-    "Impact": "Actions on Objectives"
+    "Impact": "Actions on Objectives",
 }
 
 SES_CONTEXT_MAPPING = {
@@ -65,7 +65,7 @@ SES_CONTEXT_MAPPING = {
     "Other:Policy Violation": 82,
     "Other:Threat Intelligence": 83,
     "Other:Flight Risk": 84,
-    "Other:Removable Storage": 85
+    "Other:Removable Storage": 85,
 }
 
 SES_KILL_CHAIN_MAPPINGS = {
@@ -76,47 +76,9 @@ SES_KILL_CHAIN_MAPPINGS = {
     "Exploitation": 4,
     "Installation": 5,
     "Command and Control": 6,
-    "Actions on Objectives": 7
+    "Actions on Objectives": 7,
 }
 
-SES_OBSERVABLE_ROLE_MAPPING = {
-    "Other": -1,
-    "Unknown": 0,
-    "Actor": 1,
-    "Target": 2,
-    "Attacker": 3,
-    "Victim": 4,
-    "Parent Process": 5,
-    "Child Process": 6,
-    "Known Bad": 7,
-    "Data Loss": 8,
-    "Observer": 9
-}
-
-SES_OBSERVABLE_TYPE_MAPPING = {
-    "Unknown": 0,
-    "Hostname": 1,
-    "IP Address": 2,
-    "MAC Address": 3,
-    "User Name": 4,
-    "Email Address": 5,
-    "URL String": 6,
-    "File Name": 7,
-    "File Hash": 8,
-    "Process Name": 9,
-    "Resource UID": 10,
-    "Endpoint": 20,
-    "User": 21,
-    "Email": 22,
-    "Uniform Resource Locator": 23,
-    "File": 24,
-    "Process": 25,
-    "Geo Location": 26,
-    "Container": 27,
-    "Registry Key": 28,
-    "Registry Value": 29,
-    "Other": 99
-}
 
 SES_ATTACK_TACTICS_ID_MAPPING = {
     "Reconnaissance": "TA0043",
@@ -132,24 +94,20 @@ SES_ATTACK_TACTICS_ID_MAPPING = {
     "Collection": "TA0009",
     "Command_and_Control": "TA0011",
     "Exfiltration": "TA0010",
-    "Impact": "TA0040"
+    "Impact": "TA0040",
 }
 
-RBA_OBSERVABLE_ROLE_MAPPING = {
-    "Attacker": 0,
-    "Victim": 1
-}
 
 # The relative path to the directory where any apps/packages will be downloaded
 DOWNLOADS_DIRECTORY = "downloads"
 
 # Maximum length of the name field for a search.
-# This number is derived from a limitation that exists in 
+# This number is derived from a limitation that exists in
 # ESCU where a search cannot be edited, due to validation
 # errors, if its name is longer than 99 characters.
 # When an saved search is cloned in Enterprise Security User Interface,
-# it is wrapped in the following: 
-# {Detection.tags.security_domain.value} - {SEARCH_STANZA_NAME} - Rule
+# it is wrapped in the following:
+# {Detection.tags.security_domain} - {SEARCH_STANZA_NAME} - Rule
 # Similarly, when we generate the search stanza name in contentctl, it
 # is app.label - detection.name - Rule
 # However, in product the search name is:
@@ -157,16 +115,35 @@ DOWNLOADS_DIRECTORY = "downloads"
 # or in ESCU:
 # ESCU - {detection.name} - Rule,
 # this gives us a maximum length below.
-# When an ESCU search is cloned, it will 
+# When an ESCU search is cloned, it will
 # have a full name like (the following is NOT a typo):
 # Endpoint - ESCU - Name of Search From YML File - Rule - Rule
 # The math below accounts for all these caveats
 ES_MAX_STANZA_LENGTH = 99
-CONTENTCTL_DETECTION_STANZA_NAME_FORMAT_TEMPLATE = "{app_label} - {detection_name} - Rule"
+CONTENTCTL_DETECTION_STANZA_NAME_FORMAT_TEMPLATE = (
+    "{app_label} - {detection_name} - Rule"
+)
 CONTENTCTL_BASELINE_STANZA_NAME_FORMAT_TEMPLATE = "{app_label} - {detection_name}"
-CONTENTCTL_RESPONSE_TASK_NAME_FORMAT_TEMPLATE = "{app_label} - {detection_name} - Response Task"
+CONTENTCTL_RESPONSE_TASK_NAME_FORMAT_TEMPLATE = (
+    "{app_label} - {detection_name} - Response Task"
+)
+
+ES_SEARCH_STANZA_NAME_FORMAT_AFTER_CLONING_IN_PRODUCT_TEMPLATE = (
+    "{security_domain_value} - {search_name} - Rule"
+)
+SECURITY_DOMAIN_MAX_LENGTH = max(
+    [len(SecurityDomain[value]) for value in SecurityDomain._member_map_]
+)
+CONTENTCTL_MAX_STANZA_LENGTH = ES_MAX_STANZA_LENGTH - len(
+    ES_SEARCH_STANZA_NAME_FORMAT_AFTER_CLONING_IN_PRODUCT_TEMPLATE.format(
+        security_domain_value="X" * SECURITY_DOMAIN_MAX_LENGTH, search_name=""
+    )
+)
+CONTENTCTL_MAX_SEARCH_NAME_LENGTH = CONTENTCTL_MAX_STANZA_LENGTH - len(
+    CONTENTCTL_DETECTION_STANZA_NAME_FORMAT_TEMPLATE.format(
+        app_label="ESCU", detection_name=""
+    )
+)
 
-ES_SEARCH_STANZA_NAME_FORMAT_AFTER_CLONING_IN_PRODUCT_TEMPLATE = "{security_domain_value} - {search_name} - Rule"
-SECURITY_DOMAIN_MAX_LENGTH = max([len(SecurityDomain[value]) for value in SecurityDomain._member_map_])
-CONTENTCTL_MAX_STANZA_LENGTH = ES_MAX_STANZA_LENGTH - len(ES_SEARCH_STANZA_NAME_FORMAT_AFTER_CLONING_IN_PRODUCT_TEMPLATE.format(security_domain_value="X"*SECURITY_DOMAIN_MAX_LENGTH,search_name=""))
-CONTENTCTL_MAX_SEARCH_NAME_LENGTH = CONTENTCTL_MAX_STANZA_LENGTH - len(CONTENTCTL_DETECTION_STANZA_NAME_FORMAT_TEMPLATE.format(app_label="ESCU", detection_name=""))
+DEPRECATED_TEMPLATE = "**WARNING**, this {content_type} has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. {description}"
+EXPERIMENTAL_TEMPLATE = "**WARNING**, this {content_type} is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the {content_type} has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. {description}"