contentctl 4.4.7__tar.gz → 5.0.0a0__tar.gz

{contentctl-4.4.7 → contentctl-5.0.0a0}/PKG-INFO

@@ -1,15 +1,16 @@
-Metadata-Version: 2.1
+Metadata-Version: 2.3
 Name: contentctl
-Version: 4.4.7
+Version: 5.0.0a0
 Summary: Splunk Content Control Tool
 License: Apache 2.0
 Author: STRT
 Author-email: research@splunk.com
-Requires-Python: >=3.11,<3.13
+Requires-Python: >=3.11,<3.14
 Classifier: License :: Other/Proprietary License
 Classifier: Programming Language :: Python :: 3
 Classifier: Programming Language :: Python :: 3.11
 Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
 Requires-Dist: Jinja2 (>=3.1.4,<4.0.0)
 Requires-Dist: PyYAML (>=6.0.2,<7.0.0)
 Requires-Dist: attackcti (>=0.4.0,<0.5.0)
@@ -25,7 +26,7 @@ Requires-Dist: semantic-version (>=2.10.0,<3.0.0)
 Requires-Dist: setuptools (>=69.5.1,<76.0.0)
 Requires-Dist: splunk-sdk (>=2.0.2,<3.0.0)
 Requires-Dist: tqdm (>=4.66.5,<5.0.0)
-Requires-Dist: tyro (>=0.8.3,<0.9.0)
+Requires-Dist: tyro (>=0.9.2,<0.10.0)
 Requires-Dist: xmltodict (>=0.13,<0.15)
 Description-Content-Type: text/markdown
 

contentctl-5.0.0a0/contentctl/actions/build.py

@@ -0,0 +1,103 @@
+import sys
+import shutil
+import os
+
+from dataclasses import dataclass
+
+from contentctl.objects.enums import SecurityContentType
+from contentctl.input.director import Director, DirectorOutputDto
+from contentctl.output.conf_output import ConfOutput
+from contentctl.output.conf_writer import ConfWriter
+from contentctl.output.api_json_output import ApiJsonOutput
+from contentctl.output.data_source_writer import DataSourceWriter
+from contentctl.objects.lookup import CSVLookup, Lookup_Type
+import pathlib
+import json
+import datetime
+import uuid
+
+from contentctl.objects.config import build
+
+@dataclass(frozen=True)
+class BuildInputDto:
+    director_output_dto: DirectorOutputDto
+    config:build
+
+
+class Build:
+
+
+
+    def execute(self, input_dto: BuildInputDto) -> DirectorOutputDto:
+        if input_dto.config.build_app:
+
+            updated_conf_files:set[pathlib.Path] = set()
+            conf_output = ConfOutput(input_dto.config)
+
+
+            # Construct a path to a YML that does not actually exist.
+            # We mock this "fake" path since the YML does not exist.
+            # This ensures the checking for the existence of the CSV is correct
+            data_sources_fake_yml_path = input_dto.config.getPackageDirectoryPath() / "lookups" / "data_sources.yml"
+
+            # Construct a special lookup whose CSV is created at runtime and
+            # written directly into the lookups folder. We will delete this after a build, 
+            # assuming that it is successful.
+            data_sources_lookup_csv_path = input_dto.config.getPackageDirectoryPath() / "lookups" / "data_sources.csv"
+
+
+            
+            DataSourceWriter.writeDataSourceCsv(input_dto.director_output_dto.data_sources, data_sources_lookup_csv_path)
+            input_dto.director_output_dto.addContentToDictMappings(CSVLookup.model_construct(name="data_sources",
+                                                                            id=uuid.UUID("b45c1403-6e09-47b0-824f-cf6e44f15ac8"),
+                                                                            version=1,
+                                                                            author=input_dto.config.app.author_name,
+                                                                            date = datetime.date.today(), 
+                                                                            description= "A lookup file that will contain the data source objects for detections.",
+                                                                            lookup_type=Lookup_Type.csv,
+                                                                            file_path=data_sources_fake_yml_path))
+            updated_conf_files.update(conf_output.writeHeaders())
+            updated_conf_files.update(conf_output.writeLookups(input_dto.director_output_dto.lookups))
+            updated_conf_files.update(conf_output.writeDetections(input_dto.director_output_dto.detections))
+            updated_conf_files.update(conf_output.writeStories(input_dto.director_output_dto.stories))
+            updated_conf_files.update(conf_output.writeBaselines(input_dto.director_output_dto.baselines))
+            updated_conf_files.update(conf_output.writeInvestigations(input_dto.director_output_dto.investigations))
+            updated_conf_files.update(conf_output.writeMacros(input_dto.director_output_dto.macros))
+            updated_conf_files.update(conf_output.writeDashboards(input_dto.director_output_dto.dashboards))
+            updated_conf_files.update(conf_output.writeMiscellaneousAppFiles())
+            
+
+            
+            
+            #Ensure that the conf file we just generated/update is syntactically valid
+            for conf_file in updated_conf_files:
+                ConfWriter.validateConfFile(conf_file) 
+                
+            conf_output.packageApp()
+
+            print(f"Build of '{input_dto.config.app.title}' APP successful to {input_dto.config.getPackageFilePath()}")
+        
+
+        if input_dto.config.build_api:    
+            shutil.rmtree(input_dto.config.getAPIPath(), ignore_errors=True)
+            input_dto.config.getAPIPath().mkdir(parents=True)
+            api_json_output = ApiJsonOutput(input_dto.config.getAPIPath(), input_dto.config.app.label)
+            api_json_output.writeDetections(input_dto.director_output_dto.detections)
+            api_json_output.writeStories(input_dto.director_output_dto.stories)
+            api_json_output.writeBaselines(input_dto.director_output_dto.baselines)
+            api_json_output.writeInvestigations(input_dto.director_output_dto.investigations)
+            api_json_output.writeLookups(input_dto.director_output_dto.lookups)
+            api_json_output.writeMacros(input_dto.director_output_dto.macros)
+            api_json_output.writeDeployments(input_dto.director_output_dto.deployments)
+
+            
+            #create version file for sse api
+            version_file = input_dto.config.getAPIPath()/"version.json"
+            utc_time = datetime.datetime.now(datetime.timezone.utc).replace(microsecond=0,tzinfo=None).isoformat()
+            version_dict = {"version":{"name":f"v{input_dto.config.app.version}","published_at": f"{utc_time}Z"  }}
+            with open(version_file,"w") as version_f:
+                json.dump(version_dict,version_f)
+            
+            print(f"Build of '{input_dto.config.app.title}' API successful to {input_dto.config.getAPIPath()}")
+
+        return input_dto.director_output_dto

{contentctl-4.4.7 → contentctl-5.0.0a0}/contentctl/actions/detection_testing/DetectionTestingManager.py

@@ -5,7 +5,6 @@ from contentctl.actions.detection_testing.infrastructures.DetectionTestingInfras
 from contentctl.actions.detection_testing.infrastructures.DetectionTestingInfrastructureServer import DetectionTestingInfrastructureServer
 from urllib.parse import urlparse
 from copy import deepcopy
-from contentctl.objects.enums import DetectionTestingTargetInfrastructure
 import signal
 import datetime
 # from queue import Queue

{contentctl-4.4.7 → contentctl-5.0.0a0}/contentctl/actions/detection_testing/infrastructures/DetectionTestingInfrastructure.py

@@ -442,7 +442,7 @@ class DetectionTestingInfrastructure(BaseModel, abc.ABC):
                     self.format_pbar_string(
                         TestReportingType.GROUP,
                         test_group.name,
-                        FinalTestingStates.SKIP.value,
+                        FinalTestingStates.SKIP,
                         start_time=time.time(),
                         set_pbar=False,
                     )
@@ -483,7 +483,7 @@ class DetectionTestingInfrastructure(BaseModel, abc.ABC):
                 self.format_pbar_string(
                     TestReportingType.GROUP,
                     test_group.name,
-                    TestingStates.DONE_GROUP.value,
+                    TestingStates.DONE_GROUP,
                     start_time=setup_results.start_time,
                     set_pbar=False,
                 )
@@ -504,7 +504,7 @@ class DetectionTestingInfrastructure(BaseModel, abc.ABC):
         self.format_pbar_string(
             TestReportingType.GROUP,
             test_group.name,
-            TestingStates.BEGINNING_GROUP.value,
+            TestingStates.BEGINNING_GROUP,
             start_time=setup_start_time
         )
         # https://github.com/WoLpH/python-progressbar/issues/164
@@ -544,7 +544,7 @@ class DetectionTestingInfrastructure(BaseModel, abc.ABC):
         self.format_pbar_string(
             TestReportingType.GROUP,
             test_group.name,
-            TestingStates.DELETING.value,
+            TestingStates.DELETING,
             start_time=test_group_start_time,
         )
 
@@ -632,7 +632,7 @@ class DetectionTestingInfrastructure(BaseModel, abc.ABC):
                 self.format_pbar_string(
                     TestReportingType.UNIT,
                     f"{detection.name}:{test.name}",
-                    FinalTestingStates.SKIP.value,
+                    FinalTestingStates.SKIP,
                     start_time=test_start_time,
                     set_pbar=False,
                 )
@@ -664,7 +664,7 @@ class DetectionTestingInfrastructure(BaseModel, abc.ABC):
                 self.format_pbar_string(
                     TestReportingType.UNIT,
                     f"{detection.name}:{test.name}",
-                    FinalTestingStates.ERROR.value,
+                    FinalTestingStates.ERROR,
                     start_time=test_start_time,
                     set_pbar=False,
                 )
@@ -724,7 +724,7 @@ class DetectionTestingInfrastructure(BaseModel, abc.ABC):
                 res = "ERROR"
                 link = detection.search
             else:
-                res = test.result.status.value.upper()                                              # type: ignore
+                res = test.result.status.upper()                                              # type: ignore
                 link = test.result.get_summary_dict()["sid_link"]
 
             self.format_pbar_string(
@@ -755,7 +755,7 @@ class DetectionTestingInfrastructure(BaseModel, abc.ABC):
                 self.format_pbar_string(
                     TestReportingType.UNIT,
                     f"{detection.name}:{test.name}",
-                    FinalTestingStates.PASS.value,
+                    FinalTestingStates.PASS,
                     start_time=test_start_time,
                     set_pbar=False,
                 )
@@ -766,7 +766,7 @@ class DetectionTestingInfrastructure(BaseModel, abc.ABC):
                 self.format_pbar_string(
                     TestReportingType.UNIT,
                     f"{detection.name}:{test.name}",
-                    FinalTestingStates.SKIP.value,
+                    FinalTestingStates.SKIP,
                     start_time=test_start_time,
                     set_pbar=False,
                 )
@@ -777,7 +777,7 @@ class DetectionTestingInfrastructure(BaseModel, abc.ABC):
                 self.format_pbar_string(
                     TestReportingType.UNIT,
                     f"{detection.name}:{test.name}",
-                    FinalTestingStates.FAIL.value,
+                    FinalTestingStates.FAIL,
                     start_time=test_start_time,
                     set_pbar=False,
                 )
@@ -788,7 +788,7 @@ class DetectionTestingInfrastructure(BaseModel, abc.ABC):
                 self.format_pbar_string(
                     TestReportingType.UNIT,
                     f"{detection.name}:{test.name}",
-                    FinalTestingStates.ERROR.value,
+                    FinalTestingStates.ERROR,
                     start_time=test_start_time,
                     set_pbar=False,
                 )
@@ -821,7 +821,7 @@ class DetectionTestingInfrastructure(BaseModel, abc.ABC):
         test_start_time = time.time()
 
         # First, check to see if the test should be skipped (Hunting or Correlation)
-        if detection.type in [AnalyticsType.Hunting.value, AnalyticsType.Correlation.value]:
+        if detection.type in [AnalyticsType.Hunting, AnalyticsType.Correlation]:
             test.skip(
                 f"TEST SKIPPED: detection is type {detection.type} and cannot be integration "
                 "tested at this time"
@@ -843,11 +843,11 @@ class DetectionTestingInfrastructure(BaseModel, abc.ABC):
             # Determine the reporting state (we should only encounter SKIP/FAIL/ERROR)
             state: str
             if test.result.status == TestResultStatus.SKIP:
-                state = FinalTestingStates.SKIP.value
+                state = FinalTestingStates.SKIP
             elif test.result.status == TestResultStatus.FAIL:
-                state = FinalTestingStates.FAIL.value
+                state = FinalTestingStates.FAIL
             elif test.result.status == TestResultStatus.ERROR:
-                state = FinalTestingStates.ERROR.value
+                state = FinalTestingStates.ERROR
             else:
                 raise ValueError(
                     f"Status for (integration) '{detection.name}:{test.name}' was preemptively set"
@@ -891,7 +891,7 @@ class DetectionTestingInfrastructure(BaseModel, abc.ABC):
                 self.format_pbar_string(
                     TestReportingType.INTEGRATION,
                     f"{detection.name}:{test.name}",
-                    FinalTestingStates.FAIL.value,
+                    FinalTestingStates.FAIL,
                     start_time=test_start_time,
                     set_pbar=False,
                 )
@@ -935,7 +935,7 @@ class DetectionTestingInfrastructure(BaseModel, abc.ABC):
             if test.result is None:
                 res = "ERROR"
             else:
-                res = test.result.status.value.upper()                                              # type: ignore
+                res = test.result.status.upper()                                              # type: ignore
 
             # Get the link to the saved search in this specific instance
             link = f"https://{self.infrastructure.instance_address}:{self.infrastructure.web_ui_port}"
@@ -968,7 +968,7 @@ class DetectionTestingInfrastructure(BaseModel, abc.ABC):
                 self.format_pbar_string(
                     TestReportingType.INTEGRATION,
                     f"{detection.name}:{test.name}",
-                    FinalTestingStates.PASS.value,
+                    FinalTestingStates.PASS,
                     start_time=test_start_time,
                     set_pbar=False,
                 )
@@ -979,7 +979,7 @@ class DetectionTestingInfrastructure(BaseModel, abc.ABC):
                 self.format_pbar_string(
                     TestReportingType.INTEGRATION,
                     f"{detection.name}:{test.name}",
-                    FinalTestingStates.SKIP.value,
+                    FinalTestingStates.SKIP,
                     start_time=test_start_time,
                     set_pbar=False,
                 )
@@ -990,7 +990,7 @@ class DetectionTestingInfrastructure(BaseModel, abc.ABC):
                 self.format_pbar_string(
                     TestReportingType.INTEGRATION,
                     f"{detection.name}:{test.name}",
-                    FinalTestingStates.FAIL.value,
+                    FinalTestingStates.FAIL,
                     start_time=test_start_time,
                     set_pbar=False,
                 )
@@ -1001,7 +1001,7 @@ class DetectionTestingInfrastructure(BaseModel, abc.ABC):
                 self.format_pbar_string(
                     TestReportingType.INTEGRATION,
                     f"{detection.name}:{test.name}",
-                    FinalTestingStates.ERROR.value,
+                    FinalTestingStates.ERROR,
                     start_time=test_start_time,
                     set_pbar=False,
                 )
@@ -1077,7 +1077,7 @@ class DetectionTestingInfrastructure(BaseModel, abc.ABC):
                 self.format_pbar_string(
                     TestReportingType.UNIT,
                     f"{detection.name}:{test.name}",
-                    TestingStates.PROCESSING.value,
+                    TestingStates.PROCESSING,
                     start_time=start_time
                 )
 
@@ -1086,7 +1086,7 @@ class DetectionTestingInfrastructure(BaseModel, abc.ABC):
             self.format_pbar_string(
                 TestReportingType.UNIT,
                 f"{detection.name}:{test.name}",
-                TestingStates.SEARCHING.value,
+                TestingStates.SEARCHING,
                 start_time=start_time,
             )
 
@@ -1094,6 +1094,7 @@ class DetectionTestingInfrastructure(BaseModel, abc.ABC):
             job = self.get_conn().search(query=search, **kwargs)
             results = JSONResultsReader(job.results(output_mode="json"))
 
+            # TODO (cmcginley): @ljstella you're removing this ultimately, right?
             # Consolidate a set of the distinct observable field names
             observable_fields_set = set([o.name for o in detection.tags.observable]) # keeping this around for later
             risk_object_fields_set = set([o.name for o in detection.tags.observable if "Victim" in o.role ]) # just the "Risk Objects"
@@ -1121,7 +1122,10 @@ class DetectionTestingInfrastructure(BaseModel, abc.ABC):
                     missing_risk_objects = risk_object_fields_set - results_fields_set
                     if len(missing_risk_objects) > 0:
                         # Report a failure in such cases
-                        e = Exception(f"The observable field(s) {missing_risk_objects} are missing in the detection results")
+                        e = Exception(
+                            f"The risk object field(s) {missing_risk_objects} are missing in the "
+                            "detection results"
+                        )
                         test.result.set_job_content(
                             job.content,
                             self.infrastructure,
@@ -1137,6 +1141,8 @@ class DetectionTestingInfrastructure(BaseModel, abc.ABC):
                     # on a field.  In this case, the field will appear but will not contain any values
                     current_empty_fields: set[str] = set()
 
+                    # TODO (cmcginley): @ljstella is this something we're keeping for testing as
+                    #   well?
                     for field in observable_fields_set:
                         if result.get(field, 'null') == 'null':
                             if field in risk_object_fields_set:
@@ -1289,7 +1295,7 @@ class DetectionTestingInfrastructure(BaseModel, abc.ABC):
                 self.format_pbar_string(
                     TestReportingType.GROUP,
                     test_group.name,
-                    TestingStates.DOWNLOADING.value,
+                    TestingStates.DOWNLOADING,
                     start_time=test_group_start_time
                 )
 
@@ -1307,7 +1313,7 @@ class DetectionTestingInfrastructure(BaseModel, abc.ABC):
         self.format_pbar_string(
             TestReportingType.GROUP,
             test_group.name,
-            TestingStates.REPLAYING.value,
+            TestingStates.REPLAYING,
             start_time=test_group_start_time
         )
 

{contentctl-4.4.7 → contentctl-5.0.0a0}/contentctl/actions/detection_testing/progress_bar.py

@@ -1,10 +1,10 @@
 import time
-from enum import Enum
+from enum import StrEnum
 from tqdm import tqdm
 import datetime
 
 
-class TestReportingType(str, Enum):
+class TestReportingType(StrEnum):
     """
     5-char identifiers for the type of testing being reported on
     """
@@ -21,7 +21,7 @@ class TestReportingType(str, Enum):
     INTEGRATION = "INTEG"
 
 
-class TestingStates(str, Enum):
+class TestingStates(StrEnum):
     """
     Defined testing states
     """
@@ -40,10 +40,10 @@ class TestingStates(str, Enum):
 
 
 # the longest length of any state
-LONGEST_STATE = max(len(w.value) for w in TestingStates)
+LONGEST_STATE = max(len(w) for w in TestingStates)
 
 
-class FinalTestingStates(str, Enum):
+class FinalTestingStates(StrEnum):
     """
     The possible final states for a test (for pbar reporting)
     """
@@ -82,7 +82,7 @@ def format_pbar_string(
     :returns: a formatted string for use w/ pbar
     """
     # Extract and ljust our various fields
-    field_one = test_reporting_type.value
+    field_one = test_reporting_type
     field_two = test_name.ljust(MAX_TEST_NAME_LENGTH)
     field_three = state.ljust(LONGEST_STATE)
     field_four = datetime.timedelta(seconds=round(time.time() - start_time))

{contentctl-4.4.7 → contentctl-5.0.0a0}/contentctl/actions/detection_testing/views/DetectionTestingView.py

@@ -110,11 +110,11 @@ class DetectionTestingView(BaseModel, abc.ABC):
                 total_skipped += 1
 
             # Aggregate production status metrics
-            if detection.status == DetectionStatus.production.value:                                # type: ignore
+            if detection.status == DetectionStatus.production:                                
                 total_production += 1
-            elif detection.status == DetectionStatus.experimental.value:                            # type: ignore
+            elif detection.status == DetectionStatus.experimental:                            
                 total_experimental += 1
-            elif detection.status == DetectionStatus.deprecated.value:                              # type: ignore
+            elif detection.status == DetectionStatus.deprecated:                              
                 total_deprecated += 1
 
             # Check if the detection is manual_test
@@ -178,7 +178,7 @@ class DetectionTestingView(BaseModel, abc.ABC):
         # Construct and return the larger results dict
         result_dict = {
             "summary": {
-                "mode": self.config.getModeName(),
+                "mode": self.config.mode.mode_name,
                 "enable_integration_testing": self.config.enable_integration_testing,
                 "success": overall_success,
                 "total_detections": total_detections,

contentctl-5.0.0a0/contentctl/actions/new_content.py

@@ -0,0 +1,150 @@
+from dataclasses import dataclass
+import questionary
+from typing import Any
+from contentctl.input.new_content_questions import NewContentQuestions
+from contentctl.objects.config import new, NewContentType
+import uuid
+from datetime import datetime
+import pathlib
+from contentctl.objects.abstract_security_content_objects.security_content_object_abstract import SecurityContentObject_Abstract
+from contentctl.output.yml_writer import YmlWriter
+from contentctl.objects.enums import AssetType
+from contentctl.objects.constants import SES_OBSERVABLE_TYPE_MAPPING, SES_OBSERVABLE_ROLE_MAPPING
+class NewContent:
+    UPDATE_PREFIX = "__UPDATE__"
+    
+    DEFAULT_DRILLDOWN_DEF = [
+        {
+            "name": f'View the detection results for - "${UPDATE_PREFIX}FIRST_RISK_OBJECT$" and "${UPDATE_PREFIX}SECOND_RISK_OBJECT$"',
+            "search": f'%original_detection_search% | search  "${UPDATE_PREFIX}FIRST_RISK_OBJECT = "${UPDATE_PREFIX}FIRST_RISK_OBJECT$" second_observable_type_here = "${UPDATE_PREFIX}SECOND_RISK_OBJECT$"',
+            "earliest_offset": '$info_min_time$',
+            "latest_offset": '$info_max_time$' 
+        },
+        {
+            "name": f'View risk events for the last 7 days for - "${UPDATE_PREFIX}FIRST_RISK_OBJECT$" and "${UPDATE_PREFIX}SECOND_RISK_OBJECT$"',
+            "search": f'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("${UPDATE_PREFIX}FIRST_RISK_OBJECT$", "${UPDATE_PREFIX}SECOND_RISK_OBJECT$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`',
+            "earliest_offset": '$info_min_time$',
+            "latest_offset": '$info_max_time$' 
+        }
+    ]
+    
+
+    def buildDetection(self) -> tuple[dict[str, Any], str]:
+        questions = NewContentQuestions.get_questions_detection()
+        answers: dict[str, str] = questionary.prompt(
+            questions,
+            kbi_msg="User did not answer all of the prompt questions. Exiting...",
+        )
+        if not answers:
+            raise ValueError("User didn't answer one or more questions!")
+
+        data_source_field = (
+            answers["data_source"] if len(answers["data_source"]) > 0 else [f"{NewContent.UPDATE_PREFIX} zero or more data_sources"]
+        )
+        file_name = (
+            answers["detection_name"]
+            .replace(" ", "_")
+            .replace("-", "_")
+            .replace(".", "_")
+            .replace("/", "_")
+            .lower()
+        )
+
+        #Minimum lenght for a mitre tactic is 5 characters: T1000
+        if len(answers["mitre_attack_ids"]) >= 5:
+            mitre_attack_ids = [x.strip() for x in answers["mitre_attack_ids"].split(",")]
+        else:
+            #string was too short, so just put a placeholder
+            mitre_attack_ids = [f"{NewContent.UPDATE_PREFIX} zero or more mitre_attack_ids"]
+
+        output_file_answers: dict[str, Any] = {
+            "name": answers["detection_name"],
+            "id": str(uuid.uuid4()),
+            "version": 1,
+            "date": datetime.today().strftime("%Y-%m-%d"),
+            "author": answers["detection_author"],
+            "status": "production",  # start everything as production since that's what we INTEND the content to become
+            "type": answers["detection_type"],
+            "description": f"{NewContent.UPDATE_PREFIX} by providing a description of your search",
+            "data_source": data_source_field,
+            "search": f"{answers['detection_search']} | `{file_name}_filter`",
+            "how_to_implement": f"{NewContent.UPDATE_PREFIX} how to implement your search",
+            "known_false_positives": f"{NewContent.UPDATE_PREFIX} known false positives for your search",
+            "references": [f"{NewContent.UPDATE_PREFIX} zero or more http references to provide more information about your search"],
+            "drilldown_searches": NewContent.DEFAULT_DRILLDOWN_DEF,
+            "tags": {
+                "analytic_story": [f"{NewContent.UPDATE_PREFIX} by providing zero or more analytic stories"],
+                "asset_type": f"{NewContent.UPDATE_PREFIX} by providing and asset type from {list(AssetType._value2member_map_)}",
+                "confidence": f"{NewContent.UPDATE_PREFIX} by providing a value between 1-100",
+                "impact": f"{NewContent.UPDATE_PREFIX} by providing a value between 1-100",
+                "message": f"{NewContent.UPDATE_PREFIX} by providing a risk message. Fields in your search results can be referenced using $fieldName$",
+                "mitre_attack_id": mitre_attack_ids,
+                "observable": [
+                    {"name": f"{NewContent.UPDATE_PREFIX} the field name of the observable. This is a field that exists in your search results.", "type": f"{NewContent.UPDATE_PREFIX} the type of your observable from the list {list(SES_OBSERVABLE_TYPE_MAPPING.keys())}.", "role": [f"{NewContent.UPDATE_PREFIX} the role from the list {list(SES_OBSERVABLE_ROLE_MAPPING.keys())}"]}
+                ],
+                "product": [
+                    "Splunk Enterprise",
+                    "Splunk Enterprise Security",
+                    "Splunk Cloud",
+                ],
+                "security_domain": answers["security_domain"],
+                "cve": [f"{NewContent.UPDATE_PREFIX} with CVE(s) if applicable"],
+            },
+            "tests": [
+                {
+                    "name": "True Positive Test",
+                    "attack_data": [
+                        {
+                            "data": f"{NewContent.UPDATE_PREFIX} the data file to replay. Go to https://github.com/splunk/contentctl/wiki for information about the format of this field",
+                            "sourcetype": f"{NewContent.UPDATE_PREFIX} the sourcetype of your data file.",
+                            "source": f"{NewContent.UPDATE_PREFIX} the source of your datafile",
+                        }
+                    ],
+                }
+            ],
+        }
+
+        if answers["detection_type"] not in ["TTP", "Anomaly", "Correlation"]:
+            del output_file_answers["drilldown_searches"]
+
+        return output_file_answers, answers['detection_kind']
+
+    def buildStory(self) -> dict[str, Any]:
+        questions = NewContentQuestions.get_questions_story()
+        answers = questionary.prompt(
+            questions, 
+            kbi_msg="User did not answer all of the prompt questions. Exiting...")
+        if not answers:
+            raise ValueError("User didn't answer one or more questions!")
+        answers['name'] = answers['story_name']
+        del answers['story_name']
+        answers['id'] = str(uuid.uuid4())
+        answers['version'] = 1
+        answers['date'] = datetime.today().strftime('%Y-%m-%d')
+        answers['author'] = answers['story_author']
+        del answers['story_author']
+        answers['description'] = 'UPDATE_DESCRIPTION'
+        answers['narrative'] = 'UPDATE_NARRATIVE'
+        answers['references'] = []
+        answers['tags'] = dict()
+        answers['tags']['category'] = answers['category']
+        del answers['category']
+        answers['tags']['product'] = ['Splunk Enterprise','Splunk Enterprise Security','Splunk Cloud']
+        answers['tags']['usecase'] = answers['usecase']
+        del answers['usecase']
+        answers['tags']['cve'] = ['UPDATE WITH CVE(S) IF APPLICABLE']
+        return answers
+
+    def execute(self, input_dto: new) -> None:
+        if input_dto.type == NewContentType.detection:
+            content_dict, detection_kind = self.buildDetection()
+            subdirectory = pathlib.Path('detections') / detection_kind
+        elif input_dto.type == NewContentType.story:
+            content_dict = self.buildStory()
+            subdirectory = pathlib.Path('stories')
+        else:
+            raise Exception(f"Unsupported new content type: [{input_dto.type}]")
+
+        full_output_path = input_dto.path / subdirectory / SecurityContentObject_Abstract.contentNameToFileName(content_dict.get('name'))
+        YmlWriter.writeYmlFile(str(full_output_path), content_dict)
+

{contentctl-4.4.7 → contentctl-5.0.0a0}/contentctl/actions/test.py

@@ -1,7 +1,7 @@
 from dataclasses import dataclass
 from typing import List
 
-from contentctl.objects.config import test_common
+from contentctl.objects.config import test_common, Selected, Changes
 from contentctl.objects.enums import DetectionTestingMode, DetectionStatus, AnalyticsType
 from contentctl.objects.detection import Detection
 
@@ -78,10 +78,9 @@ class Test:
             input_dto=manager_input_dto, output_dto=output_dto
         )
 
-        mode = input_dto.config.getModeName()
         if len(input_dto.detections) == 0:
             print(
-                f"With Detection Testing Mode '{mode}', there were [0] detections found to test."
+                f"With Detection Testing Mode '{input_dto.config.mode.mode_name}', there were [0] detections found to test."
                 "\nAs such, we will quit immediately."
             )
             # Directly call stop so that the summary.yml will be generated. Of course it will not
@@ -89,8 +88,8 @@ class Test:
             # detections were tested.
             file.stop()
         else:
-            print(f"MODE: [{mode}] - Test [{len(input_dto.detections)}] detections")
-            if mode in [DetectionTestingMode.changes.value, DetectionTestingMode.selected.value]:
+            print(f"MODE: [{input_dto.config.mode.mode_name}] - Test [{len(input_dto.detections)}] detections")
+            if isinstance(input_dto.config.mode,  Selected) or isinstance(input_dto.config.mode, Changes):
                 files_string = '\n- '.join(
                     [str(pathlib.Path(detection.file_path).relative_to(input_dto.config.path)) for detection in input_dto.detections]
                 )

{contentctl-4.4.7 → contentctl-5.0.0a0}/contentctl/actions/validate.py

@@ -6,6 +6,7 @@ from contentctl.objects.config import validate
 from contentctl.enrichments.attack_enrichment import AttackEnrichment
 from contentctl.enrichments.cve_enrichment import CveEnrichment
 from contentctl.objects.atomic import AtomicEnrichment
+from contentctl.objects.lookup import FileBackedLookup
 from contentctl.helper.utils import Utils
 from contentctl.objects.data_source import DataSource
 from contentctl.helper.splunk_app import SplunkApp
@@ -64,7 +65,7 @@ class Validate:
         lookupsDirectory = repo_path/"lookups"
         
         # Get all of the files referneced by Lookups
-        usedLookupFiles:list[pathlib.Path] = [lookup.filename for lookup in director_output_dto.lookups if lookup.filename is not None] + [lookup.file_path for lookup in director_output_dto.lookups if lookup.file_path is not None]
+        usedLookupFiles:list[pathlib.Path] = [lookup.filename for lookup in director_output_dto.lookups if isinstance(lookup, FileBackedLookup)] + [lookup.file_path for lookup in director_output_dto.lookups if lookup.file_path is not None]
 
         # Get all of the mlmodel and csv files in the lookups directory
         csvAndMlmodelFiles  = Utils.get_security_content_files_from_directory(lookupsDirectory, allowedFileExtensions=[".yml",".csv",".mlmodel"], fileExtensionsToReturn=[".csv",".mlmodel"])