contentctl 4.4.7__py3-none-any.whl → 5.0.0__py3-none-any.whl

contentctl/objects/story_tags.py

@@ -1,55 +1,66 @@
 from __future__ import annotations
 from pydantic import BaseModel, Field, model_serializer, ConfigDict
-from typing import List,Set,Optional, Annotated
+from typing import List, Set, Optional
 
 from enum import Enum
 
 from contentctl.objects.mitre_attack_enrichment import MitreAttackEnrichment
-from contentctl.objects.enums import StoryCategory, DataModel, KillChainPhase, SecurityContentProductName
-from contentctl.objects.annotated_types import CVE_TYPE,MITRE_ATTACK_ID_TYPE
+from contentctl.objects.enums import (
+    StoryCategory,
+    DataModel,
+    KillChainPhase,
+    SecurityContentProductName,
+)
+from contentctl.objects.annotated_types import CVE_TYPE, MITRE_ATTACK_ID_TYPE
 
-class StoryUseCase(str,Enum):
-   FRAUD_DETECTION = "Fraud Detection"
-   COMPLIANCE = "Compliance"
-   APPLICATION_SECURITY = "Application Security"
-   SECURITY_MONITORING = "Security Monitoring"
-   ADVANCED_THREAD_DETECTION = "Advanced Threat Detection"
-   INSIDER_THREAT = "Insider Threat"
-   OTHER = "Other"
+
+class StoryUseCase(str, Enum):
+    FRAUD_DETECTION = "Fraud Detection"
+    COMPLIANCE = "Compliance"
+    APPLICATION_SECURITY = "Application Security"
+    SECURITY_MONITORING = "Security Monitoring"
+    ADVANCED_THREAD_DETECTION = "Advanced Threat Detection"
+    INSIDER_THREAT = "Insider Threat"
+    OTHER = "Other"
 
 
-# TODO (#266): disable the use_enum_values configuration
 class StoryTags(BaseModel):
-   model_config = ConfigDict(extra='forbid', use_enum_values=True)
-   category: List[StoryCategory] = Field(...,min_length=1)
-   product: List[SecurityContentProductName] = Field(...,min_length=1)
-   usecase: StoryUseCase = Field(...)
-
-   # enrichment
-   mitre_attack_enrichments: Optional[List[MitreAttackEnrichment]] = None
-   mitre_attack_tactics: Optional[Set[MITRE_ATTACK_ID_TYPE]] = None
-   datamodels: Optional[Set[DataModel]] = None
-   kill_chain_phases: Optional[Set[KillChainPhase]] = None
-   cve: List[CVE_TYPE] = []
-   group: List[str] = Field([], description="A list of groups who leverage the techniques list in this Analytic Story.")
-
-   def getCategory_conf(self) -> str:
-      #if len(self.category) > 1:
-      #   print("Story with more than 1 category.  We can only have 1 category, fix it!")
-      return list(self.category)[0]
-   
-   @model_serializer
-   def serialize_model(self):
-      #no super to call
-      return {
-         "category": list(self.category),
-         "product": list(self.product),
-         "usecase": self.usecase,
-         "mitre_attack_enrichments": self.mitre_attack_enrichments,
-         "mitre_attack_tactics": list(self.mitre_attack_tactics) if self.mitre_attack_tactics is not None else None,
-         "datamodels": list(self.datamodels) if self.datamodels is not None else None,
-         "kill_chain_phases": list(self.kill_chain_phases) if self.kill_chain_phases is not None else None  
-      }
-
-        
-    
+    model_config = ConfigDict(extra="forbid")
+    category: List[StoryCategory] = Field(..., min_length=1)
+    product: List[SecurityContentProductName] = Field(..., min_length=1)
+    usecase: StoryUseCase = Field(...)
+
+    # enrichment
+    mitre_attack_enrichments: Optional[List[MitreAttackEnrichment]] = None
+    mitre_attack_tactics: Optional[Set[MITRE_ATTACK_ID_TYPE]] = None
+    datamodels: Optional[Set[DataModel]] = None
+    kill_chain_phases: Optional[Set[KillChainPhase]] = None
+    cve: List[CVE_TYPE] = []
+    group: List[str] = Field(
+        [],
+        description="A list of groups who leverage the techniques list in this Analytic Story.",
+    )
+
+    def getCategory_conf(self) -> str:
+        # if len(self.category) > 1:
+        #   print("Story with more than 1 category.  We can only have 1 category, fix it!")
+        return list(self.category)[0]
+
+    @model_serializer
+    def serialize_model(self):
+        # no super to call
+        return {
+            "category": list(self.category),
+            "product": list(self.product),
+            "usecase": self.usecase,
+            "mitre_attack_enrichments": self.mitre_attack_enrichments,
+            "mitre_attack_tactics": list(self.mitre_attack_tactics)
+            if self.mitre_attack_tactics is not None
+            else None,
+            "datamodels": list(self.datamodels)
+            if self.datamodels is not None
+            else None,
+            "kill_chain_phases": list(self.kill_chain_phases)
+            if self.kill_chain_phases is not None
+            else None,
+        }

contentctl/objects/test_attack_data.py

@@ -1,8 +1,9 @@
 from __future__ import annotations
-from pydantic import BaseModel, HttpUrl, FilePath, Field
+from pydantic import BaseModel, HttpUrl, FilePath, Field, ConfigDict
 
 
 class TestAttackData(BaseModel):
+    model_config = ConfigDict(extra="forbid")
     data: HttpUrl | FilePath = Field(...)
     # TODO - should source and sourcetype should be mapped to a list
     # of supported source and sourcetypes in a given environment?

contentctl/objects/test_group.py

@@ -15,13 +15,16 @@ class TestGroup(BaseModel):
     :param integration_test: an IntegrationTest
     :param attack_data: the attack data associated with tests in the TestGroup
     """
+
     name: str
     unit_test: UnitTest
     integration_test: IntegrationTest
     attack_data: list[TestAttackData]
 
     @classmethod
-    def derive_from_unit_test(cls, unit_test: UnitTest, name_prefix: str) -> "TestGroup":
+    def derive_from_unit_test(
+        cls, unit_test: UnitTest, name_prefix: str
+    ) -> "TestGroup":
         """
         Given a UnitTest and a prefix, construct a TestGroup, with in IntegrationTest corresponding to the UnitTest
         :param unit_test: the UnitTest
@@ -36,7 +39,7 @@ class TestGroup(BaseModel):
             name=f"{name_prefix}:{unit_test.name}",
             unit_test=unit_test,
             integration_test=integration_test,
-            attack_data=unit_test.attack_data
+            attack_data=unit_test.attack_data,
         )
 
     def unit_test_skipped(self) -> bool:

contentctl/objects/threat_object.py

@@ -11,5 +11,6 @@ class ThreatObject(BaseModel):
     :param field: the name of the field from which the risk object will get it's name
     :param type_: the type of the risk object (e.g. "system")
     """
+
     field: str
     type: str

contentctl/objects/throttling.py

@@ -2,25 +2,34 @@ from pydantic import BaseModel, Field, field_validator
 from typing import Annotated
 
 
-# Alert Suppression/Throttling settings have been taken from 
+# Alert Suppression/Throttling settings have been taken from
 # https://docs.splunk.com/Documentation/Splunk/9.2.2/Admin/Savedsearchesconf
 class Throttling(BaseModel):
-    fields: list[str] = Field(..., description="The list of fields to throttle on. These fields MUST occur in the search.", min_length=1)
-    period: Annotated[str,Field(pattern="^[0-9]+[smh]$")] =  Field(..., description="How often the alert should be triggered. "
-                                                    "This may be specified in seconds, minutes, or hours.  "
-                                                    "For example, if an alert should be triggered once a day,"
-                                                    " it may be specified in seconds (86400s), minutes (1440m), or hours import (24h).")
-    
+    fields: list[str] = Field(
+        ...,
+        description="The list of fields to throttle on. These fields MUST occur in the search.",
+        min_length=1,
+    )
+    period: Annotated[str, Field(pattern="^[0-9]+[smh]$")] = Field(
+        ...,
+        description="How often the alert should be triggered. "
+        "This may be specified in seconds, minutes, or hours.  "
+        "For example, if an alert should be triggered once a day,"
+        " it may be specified in seconds (86400s), minutes (1440m), or hours import (24h).",
+    )
+
     @field_validator("fields")
-    def no_spaces_in_fields(cls, v:list[str])->list[str]:
+    def no_spaces_in_fields(cls, v: list[str]) -> list[str]:
         for field in v:
-            if ' ' in field:
-                raise ValueError("Spaces are not presently supported in 'alert.suppress.fields' / throttling fields in conf files. "
-                                "The field '{field}' has a space in it. If this is a blocker, please raise this as an issue on the Project.")
+            if " " in field:
+                raise ValueError(
+                    "Spaces are not presently supported in 'alert.suppress.fields' / throttling fields in conf files. "
+                    "The field '{field}' has a space in it. If this is a blocker, please raise this as an issue on the Project."
+                )
         return v
 
-    def conf_formatted_fields(self)->str:
-        '''
+    def conf_formatted_fields(self) -> str:
+        """
         TODO:
         The field alert.suppress.fields is defined as follows:
         alert.suppress.fields = <comma-delimited-field-list>
@@ -28,19 +37,19 @@ class Throttling(BaseModel):
         be specified if the digest mode is disabled and suppression is enabled.
 
         In order to support fields with spaces in them, we may need to wrap each
-        field in "". 
+        field in "".
         This function returns a properly formatted value, where each field
-        is wrapped in "" and separated with a comma. For example, the fields 
+        is wrapped in "" and separated with a comma. For example, the fields
         ["field1", "field 2", "field3"] would be returned as the string
 
         "field1","field 2","field3
 
         However, for now, we will error on fields with spaces and simply
         separate with commas
-        '''
-        
+        """
+
         return ",".join(self.fields)
 
         # The following may be used once we determine proper support
         # for fields with spaces
-        #return ",".join([f'"{field}"' for field in self.fields])
+        # return ",".join([f'"{field}"' for field in self.fields])

contentctl/objects/unit_test.py

@@ -2,7 +2,6 @@ from __future__ import annotations
 
 from pydantic import Field
 
-from contentctl.objects.unit_test_baseline import UnitTestBaseline
 from contentctl.objects.test_attack_data import TestAttackData
 from contentctl.objects.unit_test_result import UnitTestResult
 from contentctl.objects.base_test import BaseTest, TestType
@@ -13,6 +12,7 @@ class UnitTest(BaseTest):
     """
     A unit test for a detection
     """
+
     # contentType: SecurityContentType = SecurityContentType.unit_tests
 
     # The test type (unit)
@@ -29,7 +29,6 @@ class UnitTest(BaseTest):
         Skip the test by setting its result status
         :param message: the reason for skipping
         """
-        self.result = UnitTestResult(                                                               # type: ignore
-            message=message,
-            status=TestResultStatus.SKIP
+        self.result = UnitTestResult(  # type: ignore
+            message=message, status=TestResultStatus.SKIP
         )

contentctl/objects/unit_test_baseline.py

@@ -1,11 +1,11 @@
-
-
-from pydantic import BaseModel
+from pydantic import BaseModel, ConfigDict
 from typing import Union
 
+
 class UnitTestBaseline(BaseModel):
+    model_config = ConfigDict(extra="forbid")
     name: str
     file: str
     pass_condition: str
-    earliest_time: Union[str,None] = None
-    latest_time: Union[str,None] = None
+    earliest_time: Union[str, None] = None
+    latest_time: Union[str, None] = None

contentctl/objects/unit_test_result.py

@@ -1,6 +1,6 @@
 from __future__ import annotations
 
-from typing import Union,TYPE_CHECKING
+from typing import Union, TYPE_CHECKING
 from splunklib.data import Record
 from contentctl.objects.base_test_result import BaseTestResult, TestResultStatus
 
@@ -15,7 +15,7 @@ SID_TEMPLATE = "{server}:{web_port}/en-US/app/search/search?sid={sid}"
 
 class UnitTestResult(BaseTestResult):
     missing_observables: list[str] = []
-    
+
     def set_job_content(
         self,
         content: Union[Record, None],
@@ -40,7 +40,7 @@ class UnitTestResult(BaseTestResult):
         self.exception = exception
         self.status = status
         self.job_content = content
-        
+
         # Set the job content, if given
         if content is not None:
             if self.status == TestResultStatus.PASS:
@@ -50,7 +50,7 @@ class UnitTestResult(BaseTestResult):
             elif self.status == TestResultStatus.ERROR:
                 self.message = "TEST ERROR"
             elif self.status == TestResultStatus.SKIP:
-                #A test that was SKIPPED should not have job content since it should not have been run.
+                # A test that was SKIPPED should not have job content since it should not have been run.
                 self.message = "TEST SKIPPED"
 
             if not config.instance_address.startswith("http://"):
@@ -64,7 +64,7 @@ class UnitTestResult(BaseTestResult):
             )
 
         elif self.status == TestResultStatus.SKIP:
-            self.message = "TEST SKIPPED" 
+            self.message = "TEST SKIPPED"
             pass
 
         elif content is None:
@@ -72,7 +72,7 @@ class UnitTestResult(BaseTestResult):
             if self.exception is not None:
                 self.message = f"EXCEPTION: {str(self.exception)}"
             else:
-                self.message = f"ERROR with no more specific message available."
+                self.message = "ERROR with no more specific message available."
             self.sid_link = NO_SID
 
         return self.success