contentctl 4.4.7__py3-none-any.whl → 5.0.0__py3-none-any.whl

contentctl/output/jinja_writer.py

@@ -4,30 +4,34 @@ from jinja2 import Environment, FileSystemLoader
 
 
 class JinjaWriter:
-
     @staticmethod
-    def writeObjectsList(template_name : str, output_path : str, objects : list) -> None:
-
+    def writeObjectsList(template_name: str, output_path: str, objects: list) -> None:
         j2_env = Environment(
-            loader=FileSystemLoader(os.path.join(os.path.dirname(__file__), 'templates')), 
-            trim_blocks=False)
+            loader=FileSystemLoader(
+                os.path.join(os.path.dirname(__file__), "templates")
+            ),
+            trim_blocks=False,
+        )
 
         template = j2_env.get_template(template_name)
         output = template.render(objects=objects)
-        with open(output_path, 'w') as f:
-            output = output.encode('ascii', 'ignore').decode('ascii')
+        with open(output_path, "w") as f:
+            output = output.encode("ascii", "ignore").decode("ascii")
             f.write(output)
 
-
     @staticmethod
-    def writeObject(template_name : str, output_path : str, object: dict[str,Any]) -> None:
-
+    def writeObject(
+        template_name: str, output_path: str, object: dict[str, Any]
+    ) -> None:
         j2_env = Environment(
-            loader=FileSystemLoader(os.path.join(os.path.dirname(__file__), 'templates')), 
-            trim_blocks=False)
+            loader=FileSystemLoader(
+                os.path.join(os.path.dirname(__file__), "templates")
+            ),
+            trim_blocks=False,
+        )
 
         template = j2_env.get_template(template_name)
         output = template.render(object=object)
-        with open(output_path, 'w') as f:
-            output = output.encode('ascii', 'ignore').decode('ascii')
-            f.write(output)
+        with open(output_path, "w") as f:
+            output = output.encode("ascii", "ignore").decode("ascii")
+            f.write(output)

contentctl/output/json_writer.py

@@ -1,21 +1,31 @@
 import json
-from contentctl.objects.abstract_security_content_objects.security_content_object_abstract import SecurityContentObject_Abstract
-from typing import List
-from io import TextIOWrapper
-class JsonWriter():
+from typing import Any
 
+
+class JsonWriter:
     @staticmethod
-    def writeJsonObject(file_path : str, object_name: str, objs: List[dict],readable_output=False) -> None:
+    def writeJsonObject(
+        file_path: str,
+        object_name: str,
+        objs: list[dict[str, Any]],
+        readable_output: bool = True,
+    ) -> None:
         try:
-            with open(file_path, 'w') as outfile:
+            with open(file_path, "w") as outfile:
                 if readable_output:
                     # At the cost of slightly larger filesize, improve the redability significantly
                     # by sorting and indenting keys/values
-                    sorted_objs = sorted(objs, key=lambda o: o['name'])
-                    json.dump({object_name:sorted_objs}, outfile, ensure_ascii=False, indent=2)
+                    sorted_objs = sorted(objs, key=lambda o: o["name"])
+                    json.dump(
+                        {object_name: sorted_objs},
+                        outfile,
+                        ensure_ascii=False,
+                        indent=2,
+                    )
                 else:
-                    json.dump({object_name:objs}, outfile, ensure_ascii=False)
+                    json.dump({object_name: objs}, outfile, ensure_ascii=False)
 
         except Exception as e:
-             raise Exception(f"Error serializing object to Json File '{file_path}': {str(e)}")
-            
+            raise Exception(
+                f"Error serializing object to Json File '{file_path}': {str(e)}"
+            )

contentctl/output/svg_output.py

@@ -1,4 +1,3 @@
-import os
 import pathlib
 from typing import List, Any
 
@@ -6,50 +5,69 @@ from contentctl.objects.enums import SecurityContentType
 from contentctl.output.jinja_writer import JinjaWriter
 from contentctl.objects.enums import DetectionStatus
 from contentctl.objects.detection import Detection
-class SvgOutput():
 
-    
-    def get_badge_dict(self, name:str, total_detections:List[Detection], these_detections:List[Detection])->dict[str,Any]:
-        obj:dict[str,Any] = {}
-        obj['name'] = name
+
+class SvgOutput:
+    def get_badge_dict(
+        self,
+        name: str,
+        total_detections: List[Detection],
+        these_detections: List[Detection],
+    ) -> dict[str, Any]:
+        obj: dict[str, Any] = {}
+        obj["name"] = name
 
         if name == "Production":
-            obj['color'] = "Green"
+            obj["color"] = "Green"
         elif name == "Detections":
-            obj['color'] = "Green"
+            obj["color"] = "Green"
         elif name == "Experimental":
-            obj['color'] = "Yellow"
+            obj["color"] = "Yellow"
         elif name == "Deprecated":
-            obj['color'] = "Red"
+            obj["color"] = "Red"
 
-        obj['count'] = len(total_detections)
-        if obj['count'] == 0:
-            obj['coverage'] = "NaN"
+        obj["count"] = len(total_detections)
+        if obj["count"] == 0:
+            obj["coverage"] = "NaN"
         else:
-            obj['coverage'] = len(these_detections) / obj['count']
-            obj['coverage'] = "{:.0%}".format(obj['coverage'])
+            obj["coverage"] = len(these_detections) / obj["count"]
+            obj["coverage"] = "{:.0%}".format(obj["coverage"])
         return obj
-    
-    def writeObjects(self, detections: List[Detection], output_path: pathlib.Path, type: SecurityContentType = None) -> None:
-        
-        
-
-        total_dict:dict[str,Any] = self.get_badge_dict("Detections", detections, detections)
-        production_dict:dict[str,Any] = self.get_badge_dict("% Production", detections, [detection for detection in detections if detection.status == DetectionStatus.production.value])
-        #deprecated_dict = self.get_badge_dict("Deprecated", detections, [detection for detection in detections if detection.status == DetectionStatus.deprecated])
-        #experimental_dict = self.get_badge_dict("Experimental", detections, [detection for detection in detections if detection.status == DetectionStatus.experimental])
-        
-        
-
-
-        #Total number of detections
-        JinjaWriter.writeObject('detection_count.j2', output_path /'detection_count.svg', total_dict)
-        #JinjaWriter.writeObject('detection_count.j2', os.path.join(output_path, 'production_count.svg'), production_dict)
-        #JinjaWriter.writeObject('detection_count.j2', os.path.join(output_path, 'deprecated_count.svg'), deprecated_dict)
-        #JinjaWriter.writeObject('detection_count.j2', os.path.join(output_path, 'experimental_count.svg'), experimental_dict)
-
-        #Percentage of detections that are production
-        JinjaWriter.writeObject('detection_coverage.j2', output_path/'detection_coverage.svg', production_dict)
-        #JinjaWriter.writeObject('detection_coverage.j2', os.path.join(output_path, 'detection_coverage.svg'), deprecated_dict)
-        #JinjaWriter.writeObject('detection_coverage.j2', os.path.join(output_path, 'detection_coverage.svg'), experimental_dict)
 
+    def writeObjects(
+        self,
+        detections: List[Detection],
+        output_path: pathlib.Path,
+        type: SecurityContentType = None,
+    ) -> None:
+        total_dict: dict[str, Any] = self.get_badge_dict(
+            "Detections", detections, detections
+        )
+        production_dict: dict[str, Any] = self.get_badge_dict(
+            "% Production",
+            detections,
+            [
+                detection
+                for detection in detections
+                if detection.status == DetectionStatus.production
+            ],
+        )
+        # deprecated_dict = self.get_badge_dict("Deprecated", detections, [detection for detection in detections if detection.status == DetectionStatus.deprecated])
+        # experimental_dict = self.get_badge_dict("Experimental", detections, [detection for detection in detections if detection.status == DetectionStatus.experimental])
+
+        # Total number of detections
+        JinjaWriter.writeObject(
+            "detection_count.j2", output_path / "detection_count.svg", total_dict
+        )
+        # JinjaWriter.writeObject('detection_count.j2', os.path.join(output_path, 'production_count.svg'), production_dict)
+        # JinjaWriter.writeObject('detection_count.j2', os.path.join(output_path, 'deprecated_count.svg'), deprecated_dict)
+        # JinjaWriter.writeObject('detection_count.j2', os.path.join(output_path, 'experimental_count.svg'), experimental_dict)
+
+        # Percentage of detections that are production
+        JinjaWriter.writeObject(
+            "detection_coverage.j2",
+            output_path / "detection_coverage.svg",
+            production_dict,
+        )
+        # JinjaWriter.writeObject('detection_coverage.j2', os.path.join(output_path, 'detection_coverage.svg'), deprecated_dict)
+        # JinjaWriter.writeObject('detection_coverage.j2', os.path.join(output_path, 'detection_coverage.svg'), experimental_dict)

contentctl/output/templates/analyticstories_detections.j2

@@ -5,9 +5,9 @@
 {% if (detection.type == 'TTP' or detection.type == 'Anomaly' or detection.type == 'Hunting' or detection.type == 'Correlation') %}
 [savedsearch://{{ detection.get_conf_stanza_name(app) }}]
 type = detection
-asset_type = {{ detection.tags.asset_type.value }}
+asset_type = {{ detection.tags.asset_type }}
 confidence = medium
-explanation = {{ (detection.explanation if detection.explanation else detection.description) | escapeNewlines() }}
+explanation = {{ detection.status_aware_description | escapeNewlines() }}
 {% if detection.how_to_implement is defined %}
 how_to_implement = {{ detection.how_to_implement | escapeNewlines() }}
 {% else %}

contentctl/output/templates/analyticstories_stories.j2

@@ -11,7 +11,7 @@ references = {{ story.getReferencesListForJson() | tojson }}
 maintainers = [{"company": "{{ story.author_company }}", "email": "{{ story.author_email }}", "name": "{{ story.author_name }}"}]
 spec_version = 3
 searches = {{ story.storyAndInvestigationNamesWithApp(app) | tojson }}
-description = {{ story.description | escapeNewlines() }}
+description = {{ story.status_aware_description | escapeNewlines() }}
 {% if story.narrative is defined %}
 narrative = {{ story.narrative | escapeNewlines() }}
 {% endif %}

contentctl/output/templates/collections.j2

@@ -1,6 +1,6 @@
 
 {% for lookup in objects %}
-{% if lookup.collection is defined and lookup.collection != None %}
+{% if lookup.collection is defined %}
 [{{ lookup.name }}]
 enforceTypes = false
 replicate = false

contentctl/output/templates/doc_detections.j2

@@ -162,11 +162,6 @@ The SPL above uses the following Lookups:
 {% endfor %}
 {% endif -%}
 
-#### Required field
-{% for field in object.tags.required_fields -%}
-* {{ field }}
-{% endfor %}
-
 #### How To Implement
 {{ object.how_to_implement}}
 

contentctl/output/templates/es_investigations_investigations.j2

@@ -2,7 +2,7 @@
 {% for response_task in objects %}
 [panel://workbench_panel_{{ response_task.lowercase_name }}___response_task]
 label = {{ response_task.name }}
-description = {{ response_task.description | escapeNewlines() }}
+description = {{ response_task.status_aware_description | escapeNewlines() }}
 disabled = 0
 tokens = {\
 {% for token in response_task.inputs %}

contentctl/output/templates/es_investigations_stories.j2

@@ -2,7 +2,7 @@
 {% for story in objects %}
 [panel_group://workbench_panel_group_{{ story.lowercase_name}}]
 label = {{ story.name }}
-description = {{ story.description | escapeNewlines() }}
+description = {{ story.status_aware_description | escapeNewlines() }}
 disabled = 0
 
 {% if story.workbench_panels is defined %}

contentctl/output/templates/savedsearches_baselines.j2

@@ -8,7 +8,7 @@
 action.escu = 0
 action.escu.enabled = 1
 action.escu.search_type = support
-description = {{ detection.description | escapeNewlines() }}
+description = {{ detection.status_aware_description | escapeNewlines() }}
 action.escu.creation_date = {{ detection.date }}
 action.escu.modification_date = {{ detection.date }}
 {% if detection.tags.analytic_story is defined %}
@@ -29,7 +29,7 @@ action.escu.providing_technologies = {{ detection.providing_technologies | tojso
 {% else %}
 action.escu.providing_technologies = []
 {% endif %}
-action.escu.eli5 = {{ detection.description | escapeNewlines() }}
+action.escu.eli5 = {{ detection.status_aware_description | escapeNewlines() }}
 {% if detection.how_to_implement is defined %}
 action.escu.how_to_implement = {{ detection.how_to_implement | escapeNewlines() }}
 {% else %}

contentctl/output/templates/savedsearches_detections.j2

@@ -5,16 +5,10 @@
 [{{ detection.get_conf_stanza_name(app) }}]
 action.escu = 0
 action.escu.enabled = 1
-{% if detection.status == "deprecated" %}
-description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. {{ detection.description | escapeNewlines() }} 
-{% elif detection.status == "experimental" %}
-description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. {{ detection.description | escapeNewlines() }} 
-{% else %}
-description = {{ detection.description | escapeNewlines() }}
-{% endif %}
+description = {{ detection.status_aware_description | escapeNewlines() }} 
 action.escu.mappings = {{ detection.mappings | tojson }}
 action.escu.data_models = {{ detection.datamodel | tojson }}
-action.escu.eli5 = {{ detection.description | escapeNewlines() }}
+action.escu.eli5 = {{ detection.status_aware_description | escapeNewlines() }}
 {% if detection.how_to_implement %}
 action.escu.how_to_implement = {{ detection.how_to_implement | escapeNewlines() }}
 {% else %}
@@ -44,7 +38,7 @@ action.escu.providing_technologies = null
 action.escu.analytic_story = {{ objectListToNameList(detection.tags.analytic_story) | tojson }}
 {% if detection.deployment.alert_action.rba.enabled%}
 action.risk = 1
-action.risk.param._risk_message = {{ detection.tags.message | escapeNewlines() }}
+action.risk.param._risk_message = {{ detection.rba.message | escapeNewlines() }}
 action.risk.param._risk = {{ detection.risk | tojson }}
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
@@ -70,8 +64,13 @@ action.notable.param.nes_fields = {{ detection.nes_fields }}
 {% endif %}
 action.notable.param.rule_description = {{ detection.deployment.alert_action.notable.rule_description | custom_jinja2_enrichment_filter(detection) | escapeNewlines()}}
 action.notable.param.rule_title = {% if detection.type | lower == "correlation" %}RBA: {{ detection.deployment.alert_action.notable.rule_title | custom_jinja2_enrichment_filter(detection) }}{% else %}{{ detection.deployment.alert_action.notable.rule_title | custom_jinja2_enrichment_filter(detection) }}{% endif +%}
-action.notable.param.security_domain = {{ detection.tags.security_domain.value }}
-action.notable.param.severity = {{ detection.tags.severity.value }}
+action.notable.param.security_domain = {{ detection.tags.security_domain }}
+{% if detection.rba %}
+action.notable.param.severity = {{ detection.rba.severity }}
+{% else %}
+{# Correlations do not have detection.rba defined, but should get a default severity #}
+action.notable.param.severity = high 
+{% endif %}
 {% endif %}
 {% if detection.deployment.alert_action.email %}
 action.email.subject.alert = {{ detection.deployment.alert_action.email.subject | custom_jinja2_enrichment_filter(detection) | escapeNewlines() }}

contentctl/output/templates/savedsearches_investigations.j2

@@ -9,7 +9,7 @@
 action.escu = 0
 action.escu.enabled = 1
 action.escu.search_type = investigative
-description = {{ detection.description | escapeNewlines() }}
+description = {{ detection.status_aware_description | escapeNewlines() }}
 action.escu.creation_date = {{ detection.date }}
 action.escu.modification_date = {{ detection.date }}
 {% if detection.tags.analytic_story is defined %}
@@ -21,7 +21,7 @@ action.escu.earliest_time_offset = 3600
 action.escu.latest_time_offset = 86400
 action.escu.providing_technologies = []
 action.escu.data_models = {{ detection.datamodel | tojson }}
-action.escu.eli5 = {{ detection.description | escapeNewlines() }}
+action.escu.eli5 = {{ detection.status_aware_description | escapeNewlines() }}
 action.escu.how_to_implement = none
 action.escu.known_false_positives = None at this time
 disabled = true

contentctl/output/templates/transforms.j2

@@ -1,8 +1,8 @@
 
 {% for lookup in objects %}
 [{{ lookup.name }}]
-{% if lookup.filename is defined and lookup.filename != None %}
-filename = {{ lookup.filename.name  }}
+{% if lookup.app_filename is defined and lookup.app_filename != None %}
+filename = {{ lookup.app_filename.name  }}
 {% else %}
 collection = {{ lookup.collection }}
 external_type = kvstore
@@ -13,11 +13,9 @@ default_match = {{ lookup.default_match | lower }}
 {% if lookup.case_sensitive_match is defined and lookup.case_sensitive_match != None %}
 case_sensitive_match = {{ lookup.case_sensitive_match | lower }}
 {% endif %}
-{% if lookup.description is defined and lookup.description != None %}
 # description = {{ lookup.description | escapeNewlines() }}
-{% endif %}
-{% if lookup.match_type is defined and lookup.match_type != None %}
-match_type = {{ lookup.match_type }}
+{% if lookup.match_type | length > 0 %}
+match_type = {{ lookup.match_type_to_conf_format }}
 {% endif %}
 {% if lookup.max_matches is defined and lookup.max_matches != None %}
 max_matches = {{ lookup.max_matches }}
@@ -25,8 +23,8 @@ max_matches = {{ lookup.max_matches }}
 {% if lookup.min_matches is defined and lookup.min_matches != None %}
 min_matches = {{ lookup.min_matches }}
 {% endif %}
-{% if lookup.fields_list is defined and lookup.fields_list != None %}
-fields_list = {{ lookup.fields_list }}
+{% if lookup.fields_to_fields_list_conf_format is defined %}
+fields_list = {{ lookup.fields_to_fields_list_conf_format }}
 {% endif %}
 {% if lookup.filter is defined and lookup.filter != None %}
 filter = {{ lookup.filter }}

contentctl/output/yml_writer.py

@@ -1,17 +1,28 @@
-
 import yaml
 from typing import Any
+from enum import StrEnum, IntEnum
 
-class YmlWriter:
+# Set the following so that we can write StrEnum and IntEnum
+# to files. Otherwise, we will get the following errors when trying
+# to write to files:
+# yaml.representer.RepresenterError: ('cannot represent an object',.....
+yaml.SafeDumper.add_multi_representer(
+    StrEnum, yaml.representer.SafeRepresenter.represent_str
+)
+
+yaml.SafeDumper.add_multi_representer(
+    IntEnum, yaml.representer.SafeRepresenter.represent_int
+)
 
-    @staticmethod
-    def writeYmlFile(file_path : str, obj : dict[Any,Any]) -> None:
 
-        with open(file_path, 'w') as outfile:
+class YmlWriter:
+    @staticmethod
+    def writeYmlFile(file_path: str, obj: dict[Any, Any]) -> None:
+        with open(file_path, "w") as outfile:
             yaml.safe_dump(obj, outfile, default_flow_style=False, sort_keys=False)
 
     @staticmethod
-    def writeDetection(file_path: str, obj: dict[Any,Any]) -> None:
+    def writeDetection(file_path: str, obj: dict[Any, Any]) -> None:
         output = dict()
         output["name"] = obj["name"]
         output["id"] = obj["id"]
@@ -20,7 +31,7 @@ class YmlWriter:
         output["author"] = obj["author"]
         output["type"] = obj["type"]
         output["status"] = obj["status"]
-        output["data_source"] = obj['data_sources']
+        output["data_source"] = obj["data_sources"]
         output["description"] = obj["description"]
         output["search"] = obj["search"]
         output["how_to_implement"] = obj["how_to_implement"]
@@ -30,20 +41,18 @@ class YmlWriter:
         output["tests"] = obj["tags"]
 
         YmlWriter.writeYmlFile(file_path=file_path, obj=output)
- 
+
     @staticmethod
-    def writeStory(file_path: str, obj: dict[Any,Any]) -> None:
+    def writeStory(file_path: str, obj: dict[Any, Any]) -> None:
         output = dict()
-        output['name'] = obj['name']
-        output['id'] = obj['id']
-        output['version'] = obj['version']
-        output['date'] = obj['date']
-        output['author'] = obj['author']
-        output['description'] = obj['description']
-        output['narrative'] = obj['narrative']
-        output['references'] = obj['references']
-        output['tags'] = obj['tags']
+        output["name"] = obj["name"]
+        output["id"] = obj["id"]
+        output["version"] = obj["version"]
+        output["date"] = obj["date"]
+        output["author"] = obj["author"]
+        output["description"] = obj["description"]
+        output["narrative"] = obj["narrative"]
+        output["references"] = obj["references"]
+        output["tags"] = obj["tags"]
 
         YmlWriter.writeYmlFile(file_path=file_path, obj=output)
- 
-

contentctl/templates/detections/endpoint/anomalous_usage_of_7zip.yml

@@ -38,51 +38,33 @@ drilldown_searches:
   search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($user$, $dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
+rba:
+  message: An instance of $parent_process_name$ spawning $process_name$ was identified
+    on endpoint $dest$ by user $user$. This behavior is indicative of suspicious loading
+    of 7zip.
+  risk_objects:
+    - field: user
+      type: user
+      score: 56
+    - field: dest
+      type: system
+      score: 60
+  threat_objects:
+    - field: parent_process_name
+      type: parent_process_name
+    - field: process_name
+      type: process_name
 tags:
   analytic_story:
   - Cobalt Strike
   asset_type: Endpoint
-  confidence: 80
-  impact: 80
-  message: An instance of $parent_process_name$ spawning $process_name$ was identified
-    on endpoint $dest$ by user $user$. This behavior is indicative of suspicious loading
-    of 7zip.
   mitre_attack_id:
   - T1560.001
   - T1560
-  observable:
-  - name: user
-    type: User
-    role:
-    - Victim
-  - name: dest
-    type: Hostname
-    role:
-    - Victim
-  - name: parent_process_name
-    type: Process
-    role:
-    - Attacker
-  - name: process_name
-    type: Process
-    role:
-    - Attacker
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
   - Splunk Cloud
-  required_fields:
-  - _time
-  - Processes.process_name
-  - Processes.process
-  - Processes.dest
-  - Processes.user
-  - Processes.parent_process_name
-  - Processes.process_name
-  - Processes.parent_process
-  - Processes.process_id
-  - Processes.parent_process_id
-  risk_score: 64
   security_domain: endpoint
 tests:
 - name: True Positive Test

contentctl/templates/stories/cobalt_strike.yml

@@ -3,6 +3,7 @@ id: bcfd17e8-5461-400a-80a2-3b7d1459220c
 version: 1
 date: '2021-02-16'
 author: Michael Haag, Splunk
+status: production
 description: Cobalt Strike is threat emulation software. Red teams and penetration
   testers use Cobalt Strike to demonstrate the risk of a breach and evaluate mature
   security programs. Most recently, Cobalt Strike has become the choice tool by threat

{contentctl-4.4.7.dist-info → contentctl-5.0.0.dist-info}/METADATA

@@ -1,15 +1,16 @@
-Metadata-Version: 2.1
+Metadata-Version: 2.3
 Name: contentctl
-Version: 4.4.7
+Version: 5.0.0
 Summary: Splunk Content Control Tool
 License: Apache 2.0
 Author: STRT
 Author-email: research@splunk.com
-Requires-Python: >=3.11,<3.13
+Requires-Python: >=3.11,<3.14
 Classifier: License :: Other/Proprietary License
 Classifier: Programming Language :: Python :: 3
 Classifier: Programming Language :: Python :: 3.11
 Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
 Requires-Dist: Jinja2 (>=3.1.4,<4.0.0)
 Requires-Dist: PyYAML (>=6.0.2,<7.0.0)
 Requires-Dist: attackcti (>=0.4.0,<0.5.0)
@@ -25,7 +26,7 @@ Requires-Dist: semantic-version (>=2.10.0,<3.0.0)
 Requires-Dist: setuptools (>=69.5.1,<76.0.0)
 Requires-Dist: splunk-sdk (>=2.0.2,<3.0.0)
 Requires-Dist: tqdm (>=4.66.5,<5.0.0)
-Requires-Dist: tyro (>=0.8.3,<0.9.0)
+Requires-Dist: tyro (>=0.9.2,<0.10.0)
 Requires-Dist: xmltodict (>=0.13,<0.15)
 Description-Content-Type: text/markdown