contentctl 4.4.7__py3-none-any.whl → 5.0.0__py3-none-any.whl

contentctl/objects/detection_tags.py

@@ -1,91 +1,62 @@
 from __future__ import annotations
+
 import uuid
 from typing import TYPE_CHECKING, List, Optional, Union
+
 from pydantic import (
+    UUID4,
     BaseModel,
+    ConfigDict,
     Field,
-    NonNegativeInt,
-    PositiveInt,
-    computed_field,
-    UUID4,
     HttpUrl,
-    ConfigDict,
-    field_validator,
     ValidationInfo,
+    computed_field,
+    field_validator,
     model_serializer,
-    model_validator
+    model_validator,
 )
+
 from contentctl.objects.story import Story
 from contentctl.objects.throttling import Throttling
+
 if TYPE_CHECKING:
     from contentctl.input.director import DirectorOutputDto
 
-from contentctl.objects.mitre_attack_enrichment import MitreAttackEnrichment
+from contentctl.objects.annotated_types import CVE_TYPE, MITRE_ATTACK_ID_TYPE
+from contentctl.objects.atomic import AtomicEnrichment, AtomicTest
 from contentctl.objects.constants import ATTACK_TACTICS_KILLCHAIN_MAPPING
-from contentctl.objects.observable import Observable
 from contentctl.objects.enums import (
-    Cis18Value,
     AssetType,
-    SecurityDomain,
-    RiskSeverity,
+    Cis18Value,
     KillChainPhase,
     NistCategory,
-    SecurityContentProductName
+    SecurityContentProductName,
+    SecurityDomain,
 )
-from contentctl.objects.atomic import AtomicEnrichment, AtomicTest
-from contentctl.objects.annotated_types import MITRE_ATTACK_ID_TYPE, CVE_TYPE
+from contentctl.objects.mitre_attack_enrichment import MitreAttackEnrichment
+
 
-# TODO (#266): disable the use_enum_values configuration
 class DetectionTags(BaseModel):
     # detection spec
-    model_config = ConfigDict(use_enum_values=True, validate_default=False)
+
+    model_config = ConfigDict(validate_default=False, extra="forbid")
     analytic_story: list[Story] = Field(...)
     asset_type: AssetType = Field(...)
-
-    confidence: NonNegativeInt = Field(..., le=100)
-    impact: NonNegativeInt = Field(..., le=100)
-
-    @computed_field
-    @property
-    def risk_score(self) -> int:
-        return round((self.confidence * self.impact)/100)
-    
-    @computed_field
-    @property
-    def severity(self)->RiskSeverity:
-        if 0 <= self.risk_score <= 20:
-            return RiskSeverity.INFORMATIONAL
-        elif 20 < self.risk_score <= 40:
-            return RiskSeverity.LOW
-        elif 40 < self.risk_score <= 60:
-            return RiskSeverity.MEDIUM
-        elif 60 < self.risk_score <= 80:
-            return RiskSeverity.HIGH
-        elif 80 < self.risk_score <= 100:
-            return RiskSeverity.CRITICAL
-        else:
-            raise Exception(f"Error getting severity - risk_score must be between 0-100, but was actually {self.risk_score}")
-
+    group: list[str] = []
 
     mitre_attack_id: List[MITRE_ATTACK_ID_TYPE] = []
     nist: list[NistCategory] = []
 
-    # TODO (#249): Add pydantic validator to ensure observables are unique within a detection
-    observable: List[Observable] = []
-    message: str = Field(...)
     product: list[SecurityContentProductName] = Field(..., min_length=1)
-    required_fields: list[str] = Field(min_length=1)
     throttling: Optional[Throttling] = None
     security_domain: SecurityDomain = Field(...)
     cve: List[CVE_TYPE] = []
     atomic_guid: List[AtomicTest] = []
-    
 
     # enrichment
-    mitre_attack_enrichments: List[MitreAttackEnrichment] = Field([], validate_default=True)
-    confidence_id: Optional[PositiveInt] = Field(None, ge=1, le=3)
-    impact_id: Optional[PositiveInt] = Field(None, ge=1, le=5)
-    evidence_str: Optional[str] = None
+    mitre_attack_enrichments: List[MitreAttackEnrichment] = Field(
+        [], validate_default=True
+    )
 
     @computed_field
     @property
@@ -114,55 +85,19 @@ class DetectionTags(BaseModel):
 
     # TODO (#268): Validate manual_test has length > 0 if not None
     manual_test: Optional[str] = None
-    
-    # The following validator is temporarily disabled pending further discussions
-    # @validator('message')
-    # def validate_message(cls,v,values):
-
-    #     observables:list[Observable] = values.get("observable",[])
-    #     observable_names = set([o.name for o in observables])
-    #     #find all of the observables used in the message by name
-    #     name_match_regex = r"\$([^\s.]*)\$"
-
-    #     message_observables = set()
-
-    #     #Make sure that all observable names in
-    #     for match in re.findall(name_match_regex, v):
-    #         #Remove
-    #         match_without_dollars = match.replace("$", "")
-    #         message_observables.add(match_without_dollars)
-
-    #     missing_observables = message_observables - observable_names
-    #     unused_observables = observable_names - message_observables
-    #     if len(missing_observables) > 0:
-    #         raise ValueError(
-    #             "The following observables are referenced in the message, but were not declared as"
-    #             f" observables: {missing_observables}"
-    #         )
-
-    #     if len(unused_observables) > 0:
-    #         raise ValueError(
-    #             "The following observables were declared, but are not referenced in the message:"
-    #             f" {unused_observables}"
-    #         )
-    #     return v
 
     @model_serializer
     def serialize_model(self):
         # Since this field has no parent, there is no need to call super() serialization function
         return {
             "analytic_story": [story.name for story in self.analytic_story],
-            "asset_type": self.asset_type.value,
+            "asset_type": self.asset_type,
             "cis20": self.cis20,
             "kill_chain_phases": self.kill_chain_phases,
             "nist": self.nist,
-            "observable": self.observable,
-            "message": self.message,
-            "risk_score": self.risk_score,
             "security_domain": self.security_domain,
-            "risk_severity": self.severity,
             "mitre_attack_id": self.mitre_attack_id,
-            "mitre_attack_enrichments": self.mitre_attack_enrichments
+            "mitre_attack_enrichments": self.mitre_attack_enrichments,
         }
 
     @model_validator(mode="after")
@@ -176,9 +111,13 @@ class DetectionTags(BaseModel):
                 f" at runtime. Instead, this field contained: {self.mitre_attack_enrichments}"
             )
 
-        output_dto: Union[DirectorOutputDto, None] = info.context.get("output_dto", None)
+        output_dto: Union[DirectorOutputDto, None] = info.context.get(
+            "output_dto", None
+        )
         if output_dto is None:
-            raise ValueError("Context not provided to detection.detection_tags model post validator")
+            raise ValueError(
+                "Context not provided to detection.detection_tags model post validator"
+            )
 
         if output_dto.attack_enrichment.use_enrichment is False:
             return self
@@ -187,7 +126,9 @@ class DetectionTags(BaseModel):
         missing_tactics: list[str] = []
         for mitre_attack_id in self.mitre_attack_id:
             try:
-                mitre_enrichments.append(output_dto.attack_enrichment.getEnrichmentByMitreID(mitre_attack_id))
+                mitre_enrichments.append(
+                    output_dto.attack_enrichment.getEnrichmentByMitreID(mitre_attack_id)
+                )
             except Exception:
                 missing_tactics.append(mitre_attack_id)
 
@@ -198,7 +139,7 @@ class DetectionTags(BaseModel):
 
         return self
 
-    '''
+    """
     @field_validator('mitre_attack_enrichments', mode="before")
     @classmethod
     def addAttackEnrichments(cls, v:list[MitreAttackEnrichment], info:ValidationInfo)->list[MitreAttackEnrichment]:
@@ -216,31 +157,43 @@ class DetectionTags(BaseModel):
         enrichments = []
 
         return enrichments
-    '''
+    """
 
-    @field_validator('analytic_story', mode="before")
+    @field_validator("analytic_story", mode="before")
     @classmethod
-    def mapStoryNamesToStoryObjects(cls, v: list[str], info: ValidationInfo) -> list[Story]:
+    def mapStoryNamesToStoryObjects(
+        cls, v: list[str], info: ValidationInfo
+    ) -> list[Story]:
         if info.context is None:
             raise ValueError("ValidationInfo.context unexpectedly null")
 
-        return Story.mapNamesToSecurityContentObjects(v, info.context.get("output_dto", None))
+        return Story.mapNamesToSecurityContentObjects(
+            v, info.context.get("output_dto", None)
+        )
 
     def getAtomicGuidStringArray(self) -> List[str]:
-        return [str(atomic_guid.auto_generated_guid) for atomic_guid in self.atomic_guid]
+        return [
+            str(atomic_guid.auto_generated_guid) for atomic_guid in self.atomic_guid
+        ]
 
-    @field_validator('atomic_guid', mode="before")
+    @field_validator("atomic_guid", mode="before")
     @classmethod
-    def mapAtomicGuidsToAtomicTests(cls, v: List[UUID4], info: ValidationInfo) -> List[AtomicTest]:
+    def mapAtomicGuidsToAtomicTests(
+        cls, v: List[UUID4], info: ValidationInfo
+    ) -> List[AtomicTest]:
         if len(v) == 0:
             return []
 
         if info.context is None:
             raise ValueError("ValidationInfo.context unexpectedly null")
 
-        output_dto: Union[DirectorOutputDto, None] = info.context.get("output_dto", None)
+        output_dto: Union[DirectorOutputDto, None] = info.context.get(
+            "output_dto", None
+        )
         if output_dto is None:
-            raise ValueError("Context not provided to detection.detection_tags.atomic_guid validator")
+            raise ValueError(
+                "Context not provided to detection.detection_tags.atomic_guid validator"
+            )
 
         atomic_enrichment: AtomicEnrichment = output_dto.atomic_enrichment
 
@@ -282,4 +235,6 @@ class DetectionTags(BaseModel):
         elif len(missing_tests) > 0:
             raise ValueError(missing_tests_string)
 
-        return matched_tests + [AtomicTest.AtomicTestWhenTestIsMissing(test) for test in missing_tests]
+        return matched_tests + [
+            AtomicTest.AtomicTestWhenTestIsMissing(test) for test in missing_tests
+        ]

contentctl/objects/drilldown.py

@@ -1,70 +1,102 @@
 from __future__ import annotations
-from pydantic import BaseModel, Field, model_serializer
+
 from typing import TYPE_CHECKING
+
+from pydantic import BaseModel, Field, model_serializer
+
 if TYPE_CHECKING:
     from contentctl.objects.detection import Detection
+
 from contentctl.objects.enums import AnalyticsType
+
 DRILLDOWN_SEARCH_PLACEHOLDER = "%original_detection_search%"
 EARLIEST_OFFSET = "$info_min_time$"
 LATEST_OFFSET = "$info_max_time$"
 RISK_SEARCH = "index = risk  starthoursago = 168 endhoursago = 0 | stats count values(search_name) values(risk_message) values(analyticstories) values(annotations._all) values(annotations.mitre_attack.mitre_tactic) "
 
+
 class Drilldown(BaseModel):
     name: str = Field(..., description="The name of the drilldown search", min_length=5)
-    search: str = Field(..., description="The text of a drilldown search. This must be valid SPL.", min_length=1)
-    earliest_offset:None | str = Field(..., 
-                                description="Earliest offset time for the drilldown search. "
-                                f"The most common value for this field is '{EARLIEST_OFFSET}', "
-                                "but it is NOT the default value and must be supplied explicitly.", 
-                                min_length= 1)
-    latest_offset:None | str = Field(..., 
-                              description="Latest offset time for the driolldown search. "
-                              f"The most common value for this field is '{LATEST_OFFSET}', "
-                              "but it is NOT the default value and must be supplied explicitly.", 
-                              min_length= 1)
+    search: str = Field(
+        ...,
+        description="The text of a drilldown search. This must be valid SPL.",
+        min_length=1,
+    )
+    earliest_offset: None | str = Field(
+        ...,
+        description="Earliest offset time for the drilldown search. "
+        f"The most common value for this field is '{EARLIEST_OFFSET}', "
+        "but it is NOT the default value and must be supplied explicitly.",
+        min_length=1,
+    )
+    latest_offset: None | str = Field(
+        ...,
+        description="Latest offset time for the driolldown search. "
+        f"The most common value for this field is '{LATEST_OFFSET}', "
+        "but it is NOT the default value and must be supplied explicitly.",
+        min_length=1,
+    )
 
     @classmethod
     def constructDrilldownsFromDetection(cls, detection: Detection) -> list[Drilldown]:
-        victim_observables = [o for o in detection.tags.observable if o.role[0] == "Victim"] 
+        # Ensure the rba object is defined
+        if detection.rba is None:
+            raise NotImplementedError(
+                f"Unexpected error: Detection '{detection.name}' has no RBA objects associated "
+                "with it; cannot construct drilldowns."
+            )
+
+        victim_observables = [o for o in detection.rba.risk_objects]
         if len(victim_observables) == 0 or detection.type == AnalyticsType.Hunting:
             # No victims, so no drilldowns
             return []
         print(f"Adding default drilldowns for [{detection.name}]")
-        variableNamesString = ' and '.join([f"${o.name}$" for o in victim_observables])
+        variableNamesString = " and ".join([f"${o.field}$" for o in victim_observables])
         nameField = f"View the detection results for {variableNamesString}"
-        appendedSearch =  " | search " + ' '.join([f"{o.name} = ${o.name}$" for o in victim_observables])
+        appendedSearch = " | search " + " ".join(
+            [f"{o.field} = ${o.field}$" for o in victim_observables]
+        )
         search_field = f"{detection.search}{appendedSearch}"
-        detection_results = cls(name=nameField, earliest_offset=EARLIEST_OFFSET, latest_offset=LATEST_OFFSET, search=search_field)
-        
-        
+        detection_results = cls(
+            name=nameField,
+            earliest_offset=EARLIEST_OFFSET,
+            latest_offset=LATEST_OFFSET,
+            search=search_field,
+        )
+
         nameField = f"View risk events for the last 7 days for {variableNamesString}"
-        fieldNamesListString = ', '.join([o.name for o in victim_observables])
+        fieldNamesListString = ", ".join([o.field for o in victim_observables])
         search_field = f"{RISK_SEARCH}by {fieldNamesListString} {appendedSearch}"
-        risk_events_last_7_days = cls(name=nameField, earliest_offset=None, latest_offset=None, search=search_field)
+        risk_events_last_7_days = cls(
+            name=nameField,
+            earliest_offset=None,
+            latest_offset=None,
+            search=search_field,
+        )
 
-        return [detection_results,risk_events_last_7_days]
-    
+        return [detection_results, risk_events_last_7_days]
 
-    def perform_search_substitutions(self, detection:Detection)->None:
+    def perform_search_substitutions(self, detection: Detection) -> None:
         """Replaces the field DRILLDOWN_SEARCH_PLACEHOLDER (%original_detection_search%)
         with the search contained in the detection. We do this so that the YML does not
         need the search copy/pasted from the search field into the drilldown object.
 
         Args:
             detection (Detection): Detection to be used to update the search field of the drilldown
-        """             
-        self.search = self.search.replace(DRILLDOWN_SEARCH_PLACEHOLDER, detection.search)
-    
+        """
+        self.search = self.search.replace(
+            DRILLDOWN_SEARCH_PLACEHOLDER, detection.search
+        )
 
     @model_serializer
-    def serialize_model(self) -> dict[str,str]:
-        #Call serializer for parent
-        model:dict[str,str] = {}
+    def serialize_model(self) -> dict[str, str]:
+        # Call serializer for parent
+        model: dict[str, str] = {}
 
-        model['name'] = self.name
-        model['search'] = self.search
+        model["name"] = self.name
+        model["search"] = self.search
         if self.earliest_offset is not None:
-            model['earliest_offset'] = self.earliest_offset
+            model["earliest_offset"] = self.earliest_offset
         if self.latest_offset is not None:
-            model['latest_offset'] = self.latest_offset
-        return model
+            model["latest_offset"] = self.latest_offset
+        return model