contentctl 5.0.0a0__py3-none-any.whl → 5.0.0a3__py3-none-any.whl

contentctl/objects/constants.py

@@ -15,7 +15,7 @@ ATTACK_TACTICS_KILLCHAIN_MAPPING = {
     "Collection": "Exploitation",
     "Command And Control": "Command and Control",
     "Exfiltration": "Actions on Objectives",
-    "Impact": "Actions on Objectives"
+    "Impact": "Actions on Objectives",
 }
 
 SES_CONTEXT_MAPPING = {
@@ -65,7 +65,7 @@ SES_CONTEXT_MAPPING = {
     "Other:Policy Violation": 82,
     "Other:Threat Intelligence": 83,
     "Other:Flight Risk": 84,
-    "Other:Removable Storage": 85
+    "Other:Removable Storage": 85,
 }
 
 SES_KILL_CHAIN_MAPPINGS = {
@@ -76,49 +76,9 @@ SES_KILL_CHAIN_MAPPINGS = {
     "Exploitation": 4,
     "Installation": 5,
     "Command and Control": 6,
-    "Actions on Objectives": 7
+    "Actions on Objectives": 7,
 }
 
-# TODO (cmcginley): @ljstella should this be removed? also referenced in new_content.py
-SES_OBSERVABLE_ROLE_MAPPING = {
-    "Other": -1,
-    "Unknown": 0,
-    "Actor": 1,
-    "Target": 2,
-    "Attacker": 3,
-    "Victim": 4,
-    "Parent Process": 5,
-    "Child Process": 6,
-    "Known Bad": 7,
-    "Data Loss": 8,
-    "Observer": 9
-}
-
-# TODO (cmcginley): @ljstella should this be removed? also referenced in new_content.py
-SES_OBSERVABLE_TYPE_MAPPING = {
-    "Unknown": 0,
-    "Hostname": 1,
-    "IP Address": 2,
-    "MAC Address": 3,
-    "User Name": 4,
-    "Email Address": 5,
-    "URL String": 6,
-    "File Name": 7,
-    "File Hash": 8,
-    "Process Name": 9,
-    "Resource UID": 10,
-    "Endpoint": 20,
-    "User": 21,
-    "Email": 22,
-    "Uniform Resource Locator": 23,
-    "File": 24,
-    "Process": 25,
-    "Geo Location": 26,
-    "Container": 27,
-    "Registry Key": 28,
-    "Registry Value": 29,
-    "Other": 99
-}
 
 SES_ATTACK_TACTICS_ID_MAPPING = {
     "Reconnaissance": "TA0043",
@@ -134,24 +94,19 @@ SES_ATTACK_TACTICS_ID_MAPPING = {
     "Collection": "TA0009",
     "Command_and_Control": "TA0011",
     "Exfiltration": "TA0010",
-    "Impact": "TA0040"
+    "Impact": "TA0040",
 }
 
-# TODO (cmcginley): is this just for the transition testing?
-RBA_OBSERVABLE_ROLE_MAPPING = {
-    "Attacker": 0,
-    "Victim": 1
-}
 
 # The relative path to the directory where any apps/packages will be downloaded
 DOWNLOADS_DIRECTORY = "downloads"
 
 # Maximum length of the name field for a search.
-# This number is derived from a limitation that exists in 
+# This number is derived from a limitation that exists in
 # ESCU where a search cannot be edited, due to validation
 # errors, if its name is longer than 99 characters.
 # When an saved search is cloned in Enterprise Security User Interface,
-# it is wrapped in the following: 
+# it is wrapped in the following:
 # {Detection.tags.security_domain} - {SEARCH_STANZA_NAME} - Rule
 # Similarly, when we generate the search stanza name in contentctl, it
 # is app.label - detection.name - Rule
@@ -160,16 +115,32 @@ DOWNLOADS_DIRECTORY = "downloads"
 # or in ESCU:
 # ESCU - {detection.name} - Rule,
 # this gives us a maximum length below.
-# When an ESCU search is cloned, it will 
+# When an ESCU search is cloned, it will
 # have a full name like (the following is NOT a typo):
 # Endpoint - ESCU - Name of Search From YML File - Rule - Rule
 # The math below accounts for all these caveats
 ES_MAX_STANZA_LENGTH = 99
-CONTENTCTL_DETECTION_STANZA_NAME_FORMAT_TEMPLATE = "{app_label} - {detection_name} - Rule"
+CONTENTCTL_DETECTION_STANZA_NAME_FORMAT_TEMPLATE = (
+    "{app_label} - {detection_name} - Rule"
+)
 CONTENTCTL_BASELINE_STANZA_NAME_FORMAT_TEMPLATE = "{app_label} - {detection_name}"
-CONTENTCTL_RESPONSE_TASK_NAME_FORMAT_TEMPLATE = "{app_label} - {detection_name} - Response Task"
+CONTENTCTL_RESPONSE_TASK_NAME_FORMAT_TEMPLATE = (
+    "{app_label} - {detection_name} - Response Task"
+)
 
-ES_SEARCH_STANZA_NAME_FORMAT_AFTER_CLONING_IN_PRODUCT_TEMPLATE = "{security_domain_value} - {search_name} - Rule"
-SECURITY_DOMAIN_MAX_LENGTH = max([len(SecurityDomain[value]) for value in SecurityDomain._member_map_])
-CONTENTCTL_MAX_STANZA_LENGTH = ES_MAX_STANZA_LENGTH - len(ES_SEARCH_STANZA_NAME_FORMAT_AFTER_CLONING_IN_PRODUCT_TEMPLATE.format(security_domain_value="X"*SECURITY_DOMAIN_MAX_LENGTH,search_name=""))
-CONTENTCTL_MAX_SEARCH_NAME_LENGTH = CONTENTCTL_MAX_STANZA_LENGTH - len(CONTENTCTL_DETECTION_STANZA_NAME_FORMAT_TEMPLATE.format(app_label="ESCU", detection_name=""))
+ES_SEARCH_STANZA_NAME_FORMAT_AFTER_CLONING_IN_PRODUCT_TEMPLATE = (
+    "{security_domain_value} - {search_name} - Rule"
+)
+SECURITY_DOMAIN_MAX_LENGTH = max(
+    [len(SecurityDomain[value]) for value in SecurityDomain._member_map_]
+)
+CONTENTCTL_MAX_STANZA_LENGTH = ES_MAX_STANZA_LENGTH - len(
+    ES_SEARCH_STANZA_NAME_FORMAT_AFTER_CLONING_IN_PRODUCT_TEMPLATE.format(
+        security_domain_value="X" * SECURITY_DOMAIN_MAX_LENGTH, search_name=""
+    )
+)
+CONTENTCTL_MAX_SEARCH_NAME_LENGTH = CONTENTCTL_MAX_STANZA_LENGTH - len(
+    CONTENTCTL_DETECTION_STANZA_NAME_FORMAT_TEMPLATE.format(
+        app_label="ESCU", detection_name=""
+    )
+)

contentctl/objects/correlation_search.py

@@ -6,25 +6,25 @@ from enum import StrEnum, IntEnum
 from functools import cached_property
 
 from pydantic import ConfigDict, BaseModel, computed_field, Field, PrivateAttr
-from splunklib.results import JSONResultsReader, Message                                            # type: ignore
-from splunklib.binding import HTTPError, ResponseReader                                             # type: ignore
-import splunklib.client as splunklib                                                                # type: ignore
-from tqdm import tqdm                                                                               # type: ignore
+from splunklib.results import JSONResultsReader, Message  # type: ignore
+from splunklib.binding import HTTPError, ResponseReader  # type: ignore
+import splunklib.client as splunklib  # type: ignore
+from tqdm import tqdm  # type: ignore
 
 from contentctl.objects.risk_analysis_action import RiskAnalysisAction
 from contentctl.objects.notable_action import NotableAction
 from contentctl.objects.base_test_result import TestResultStatus
 from contentctl.objects.integration_test_result import IntegrationTestResult
 from contentctl.actions.detection_testing.progress_bar import (
-    format_pbar_string,                                                                             # type: ignore
+    format_pbar_string,  # type: ignore
     TestReportingType,
-    TestingStates
+    TestingStates,
 )
 from contentctl.objects.errors import (
     IntegrationTestingError,
     ServerError,
     ClientError,
-    ValidationFailed
+    ValidationFailed,
 )
 from contentctl.objects.detection import Detection
 from contentctl.objects.risk_event import RiskEvent
@@ -65,7 +65,9 @@ def get_logger() -> logging.Logger:
             handler = logging.NullHandler()
 
         # Format our output
-        formatter = logging.Formatter('%(asctime)s - %(levelname)s:%(name)s - %(message)s')
+        formatter = logging.Formatter(
+            "%(asctime)s - %(levelname)s:%(name)s - %(message)s"
+        )
         handler.setFormatter(formatter)
 
         # Set handler level and add to logger
@@ -79,6 +81,7 @@ class SavedSearchKeys(StrEnum):
     """
     Various keys into the SavedSearch content
     """
+
     # setup the names of the keys we expect to access in content
     EARLIEST_TIME_KEY = "dispatch.earliest_time"
     LATEST_TIME_KEY = "dispatch.latest_time"
@@ -92,6 +95,7 @@ class Indexes(StrEnum):
     """
     Indexes we search against
     """
+
     # setup the names of the risk and notable indexes
     RISK_INDEX = "risk"
     NOTABLE_INDEX = "notable"
@@ -101,6 +105,7 @@ class TimeoutConfig(IntEnum):
     """
     Configuration values for the exponential backoff timer
     """
+
     # base amount to sleep for before beginning exponential backoff during testing
     BASE_SLEEP = 60
 
@@ -118,6 +123,7 @@ class ScheduleConfig(StrEnum):
     """
     Configuraton values for the saved search schedule
     """
+
     EARLIEST_TIME = "-5y@y"
     LATEST_TIME = "-1m@m"
     CRON_SCHEDULE = "*/1 * * * *"
@@ -132,11 +138,10 @@ class ResultIterator:
     :param response_reader: a ResponseReader object
     :param logger: a Logger object
     """
+
     def __init__(self, response_reader: ResponseReader) -> None:
         # init the results reader
-        self.results_reader: JSONResultsReader = JSONResultsReader(
-            response_reader
-        )
+        self.results_reader: JSONResultsReader = JSONResultsReader(response_reader)
 
         # get logger
         self.logger: logging.Logger = get_logger()
@@ -150,18 +155,18 @@ class ResultIterator:
             # log messages, or raise if error
             if isinstance(result, Message):
                 # convert level string to level int
-                level_name = result.type.strip().upper()                                            # type: ignore
+                level_name = result.type.strip().upper()  # type: ignore
                 level: int = logging.getLevelName(level_name)
 
                 # log message at appropriate level and raise if needed
-                message = f"SPLUNK: {result.message}"                                               # type: ignore
+                message = f"SPLUNK: {result.message}"  # type: ignore
                 self.logger.log(level, message)
                 if level == logging.ERROR:
                     raise ServerError(message)
 
             # if dict, just return
             elif isinstance(result, dict):
-                return result                                                                       # type: ignore
+                return result  # type: ignore
 
             # raise for any unexpected types
             else:
@@ -178,14 +183,13 @@ class PbarData(BaseModel):
     :param fq_test_name: the fully qualifed (fq) test name ("<detection_name>:<test_name>") used for logging
     :param start_time: the start time used for logging
     """
-    pbar: tqdm                                                                                      # type: ignore
+
+    pbar: tqdm  # type: ignore
     fq_test_name: str
     start_time: float
 
     # needed to support the tqdm type
-    model_config = ConfigDict(
-        arbitrary_types_allowed=True
-    )
+    model_config = ConfigDict(arbitrary_types_allowed=True)
 
 
 class CorrelationSearch(BaseModel):
@@ -198,6 +202,7 @@ class CorrelationSearch(BaseModel):
     :param pbar_data: the encapsulated info needed for logging w/ pbar
     :param test_index: the index attack data is forwarded to for testing (optionally used in cleanup)
     """
+
     # the detection associated with the correlation search (e.g. "Windows Modify Registry EnableLinkedConnections")
     detection: Detection = Field(...)
 
@@ -232,10 +237,7 @@ class CorrelationSearch(BaseModel):
 
     # Need arbitrary types to allow fields w/ types like SavedSearch; we also want to forbid
     # unexpected fields
-    model_config = ConfigDict(
-        arbitrary_types_allowed=True,
-        extra='forbid'
-    )
+    model_config = ConfigDict(arbitrary_types_allowed=True, extra="forbid")
 
     def model_post_init(self, __context: Any) -> None:
         super().model_post_init(__context)
@@ -309,7 +311,7 @@ class CorrelationSearch(BaseModel):
         The earliest time configured for the saved search
         """
         if self.saved_search is not None:
-            return self.saved_search.content[SavedSearchKeys.EARLIEST_TIME_KEY]                     # type: ignore
+            return self.saved_search.content[SavedSearchKeys.EARLIEST_TIME_KEY]  # type: ignore
         else:
             raise ClientError(
                 "Something unexpected went wrong in initialization; saved_search was not populated"
@@ -321,7 +323,7 @@ class CorrelationSearch(BaseModel):
         The latest time configured for the saved search
         """
         if self.saved_search is not None:
-            return self.saved_search.content[SavedSearchKeys.LATEST_TIME_KEY]                       # type: ignore
+            return self.saved_search.content[SavedSearchKeys.LATEST_TIME_KEY]  # type: ignore
         else:
             raise ClientError(
                 "Something unexpected went wrong in initialization; saved_search was not populated"
@@ -333,7 +335,7 @@ class CorrelationSearch(BaseModel):
         The cron schedule configured for the saved search
         """
         if self.saved_search is not None:
-            return self.saved_search.content[SavedSearchKeys.CRON_SCHEDULE_KEY]                     # type: ignore
+            return self.saved_search.content[SavedSearchKeys.CRON_SCHEDULE_KEY]  # type: ignore
         else:
             raise ClientError(
                 "Something unexpected went wrong in initialization; saved_search was not populated"
@@ -345,7 +347,7 @@ class CorrelationSearch(BaseModel):
         Whether the saved search is enabled
         """
         if self.saved_search is not None:
-            if int(self.saved_search.content[SavedSearchKeys.DISBALED_KEY]):                        # type: ignore
+            if int(self.saved_search.content[SavedSearchKeys.DISBALED_KEY]):  # type: ignore
                 return False
             else:
                 return True
@@ -354,7 +356,7 @@ class CorrelationSearch(BaseModel):
                 "Something unexpected went wrong in initialization; saved_search was not populated"
             )
 
-    @ property
+    @property
     def has_risk_analysis_action(self) -> bool:
         """Whether the correlation search has an associated risk analysis Adaptive Response Action
         :return: a boolean indicating whether it has a risk analysis Adaptive Response Action
@@ -405,11 +407,13 @@ class CorrelationSearch(BaseModel):
         """
         # grab risk details if present
         self._risk_analysis_action = CorrelationSearch._get_risk_analysis_action(
-            self.saved_search.content                                                               # type: ignore
+            self.saved_search.content  # type: ignore
         )
 
         # grab notable details if present
-        self._notable_action = CorrelationSearch._get_notable_action(self.saved_search.content)     # type: ignore
+        self._notable_action = CorrelationSearch._get_notable_action(
+            self.saved_search.content
+        )  # type: ignore
 
     def refresh(self) -> None:
         """Refreshes the metadata in the SavedSearch entity, and re-parses the fields we care about
@@ -417,10 +421,9 @@ class CorrelationSearch(BaseModel):
         After operations we expect to alter the state of the SavedSearch, we call refresh so that we have a local
         representation of the new state; then we extrat what we care about into this instance
         """
-        self.logger.debug(
-            f"Refreshing SavedSearch metadata for {self.name}...")
+        self.logger.debug(f"Refreshing SavedSearch metadata for {self.name}...")
         try:
-            self.saved_search.refresh()                                                             # type: ignore
+            self.saved_search.refresh()  # type: ignore
         except HTTPError as e:
             raise ServerError(f"HTTP error encountered during refresh: {e}")
         self._parse_risk_and_notable_actions()
@@ -434,7 +437,7 @@ class CorrelationSearch(BaseModel):
         """
         self.logger.debug(f"Enabling {self.name}...")
         try:
-            self.saved_search.enable()                                                              # type: ignore
+            self.saved_search.enable()  # type: ignore
         except HTTPError as e:
             raise ServerError(f"HTTP error encountered while enabling detection: {e}")
         if refresh:
@@ -449,7 +452,7 @@ class CorrelationSearch(BaseModel):
         """
         self.logger.debug(f"Disabling {self.name}...")
         try:
-            self.saved_search.disable()                                                             # type: ignore
+            self.saved_search.disable()  # type: ignore
         except HTTPError as e:
             raise ServerError(f"HTTP error encountered while disabling detection: {e}")
         if refresh:
@@ -460,7 +463,7 @@ class CorrelationSearch(BaseModel):
         earliest_time: str = ScheduleConfig.EARLIEST_TIME,
         latest_time: str = ScheduleConfig.LATEST_TIME,
         cron_schedule: str = ScheduleConfig.CRON_SCHEDULE,
-        refresh: bool = True
+        refresh: bool = True,
     ) -> None:
         """Updates the correlation search timeframe to work with test data
 
@@ -477,12 +480,12 @@ class CorrelationSearch(BaseModel):
         data = {
             SavedSearchKeys.EARLIEST_TIME_KEY: earliest_time,
             SavedSearchKeys.LATEST_TIME_KEY: latest_time,
-            SavedSearchKeys.CRON_SCHEDULE_KEY: cron_schedule
+            SavedSearchKeys.CRON_SCHEDULE_KEY: cron_schedule,
         }
         self.logger.info(data)
         self.logger.info(f"Updating timeframe for '{self.name}': {data}")
         try:
-            self.saved_search.update(**data)                                                        # type: ignore
+            self.saved_search.update(**data)  # type: ignore
         except HTTPError as e:
             raise ServerError(f"HTTP error encountered while updating timeframe: {e}")
 
@@ -531,7 +534,9 @@ class CorrelationSearch(BaseModel):
 
         # Use the cached risk_events unless we're forcing an update
         if self._risk_events is not None:
-            self.logger.debug(f"Using cached risk events ({len(self._risk_events)} total).")
+            self.logger.debug(
+                f"Using cached risk events ({len(self._risk_events)} total)."
+            )
             return self._risk_events
 
         # TODO (#248): Refactor risk/notable querying to pin to a single savedsearch ID
@@ -553,7 +558,9 @@ class CorrelationSearch(BaseModel):
                         parsed_raw = json.loads(result["_raw"])
                         event = RiskEvent.model_validate(parsed_raw)
                     except Exception:
-                        self.logger.error(f"Failed to parse RiskEvent from search result: {result}")
+                        self.logger.error(
+                            f"Failed to parse RiskEvent from search result: {result}"
+                        )
                         raise
                     events.append(event)
                     self.logger.debug(f"Found risk event for '{self.name}': {event}")
@@ -597,7 +604,9 @@ class CorrelationSearch(BaseModel):
 
         # Use the cached notable_events unless we're forcing an update
         if self._notable_events is not None:
-            self.logger.debug(f"Using cached notable events ({len(self._notable_events)} total).")
+            self.logger.debug(
+                f"Using cached notable events ({len(self._notable_events)} total)."
+            )
             return self._notable_events
 
         # Search for all notable events from a single scheduled search (indicated by orig_sid)
@@ -618,7 +627,9 @@ class CorrelationSearch(BaseModel):
                         parsed_raw = json.loads(result["_raw"])
                         event = NotableEvent.model_validate(parsed_raw)
                     except Exception:
-                        self.logger.error(f"Failed to parse NotableEvent from search result: {result}")
+                        self.logger.error(
+                            f"Failed to parse NotableEvent from search result: {result}"
+                        )
                         raise
                     events.append(event)
                     self.logger.debug(f"Found notable event for '{self.name}': {event}")
@@ -653,7 +664,9 @@ class CorrelationSearch(BaseModel):
                 " with it; cannot validate."
             )
 
-        risk_object_counts: dict[int, int] = {id(x): 0 for x in self.detection.rba.risk_objects}
+        risk_object_counts: dict[int, int] = {
+            id(x): 0 for x in self.detection.rba.risk_objects
+        }
 
         # Get the risk events; note that we use the cached risk events, expecting they were
         # saved by a prior call to risk_event_exists
@@ -670,7 +683,9 @@ class CorrelationSearch(BaseModel):
             event.validate_against_detection(self.detection)
 
             # Update risk object count based on match
-            matched_risk_object = event.get_matched_risk_object(self.detection.rba.risk_objects)
+            matched_risk_object = event.get_matched_risk_object(
+                self.detection.rba.risk_objects
+            )
             self.logger.debug(
                 f"Matched risk event (object={event.es_risk_object}, type={event.es_risk_object_type}) "
                 f"to detection's risk object (name={matched_risk_object.field}, "
@@ -740,7 +755,9 @@ class CorrelationSearch(BaseModel):
 
     # NOTE: it would be more ideal to switch this to a system which gets the handle of the saved search job and polls
     #   it for completion, but that seems more tricky
-    def test(self, max_sleep: int = TimeoutConfig.MAX_SLEEP, raise_on_exc: bool = False) -> IntegrationTestResult:
+    def test(
+        self, max_sleep: int = TimeoutConfig.MAX_SLEEP, raise_on_exc: bool = False
+    ) -> IntegrationTestResult:
         """Execute the integration test
 
         Executes an integration test for this CorrelationSearch. First, ensures no matching risk/notables already exist
@@ -772,9 +789,7 @@ class CorrelationSearch(BaseModel):
 
         try:
             # first make sure the indexes are currently empty and the detection is starting from a disabled state
-            self.logger.debug(
-                "Cleaning up any pre-existing risk/notable events..."
-            )
+            self.logger.debug("Cleaning up any pre-existing risk/notable events...")
             self.update_pbar(TestingStates.PRE_CLEANUP)
             if self.risk_event_exists():
                 self.logger.warning(
@@ -806,7 +821,9 @@ class CorrelationSearch(BaseModel):
                 # loop so long as the elapsed time is less than max_sleep
                 while elapsed_sleep_time < max_sleep:
                     # sleep so the detection job can finish
-                    self.logger.info(f"Waiting {time_to_sleep} for {self.name} so it can finish")
+                    self.logger.info(
+                        f"Waiting {time_to_sleep} for {self.name} so it can finish"
+                    )
                     self.update_pbar(TestingStates.VALIDATING)
                     time.sleep(time_to_sleep)
                     elapsed_sleep_time += time_to_sleep
@@ -895,7 +912,7 @@ class CorrelationSearch(BaseModel):
                     wait_duration=elapsed_sleep_time,
                     exception=e,
                 )
-                self.logger.exception(result.message)                    # type: ignore
+                self.logger.exception(result.message)  # type: ignore
             else:
                 raise e
         except Exception as e:
@@ -905,7 +922,10 @@ class CorrelationSearch(BaseModel):
 
         # log based on result status
         if result is not None:
-            if result.status == TestResultStatus.PASS or result.status == TestResultStatus.SKIP:
+            if (
+                result.status == TestResultStatus.PASS
+                or result.status == TestResultStatus.SKIP
+            ):
                 self.logger.info(f"{result.status.name}: {result.message}")
             elif result.status == TestResultStatus.FAIL:
                 self.logger.error(f"{result.status.name}: {result.message}")
@@ -928,11 +948,11 @@ class CorrelationSearch(BaseModel):
         :param query: the SPL string to run
         """
         self.logger.debug(f"Executing query: `{query}`")
-        job = self.service.search(query, exec_mode="blocking")                                      # type: ignore
+        job = self.service.search(query, exec_mode="blocking")  # type: ignore
 
         # query the results, catching any HTTP status code errors
         try:
-            response_reader: ResponseReader = job.results(output_mode="json")                       # type: ignore
+            response_reader: ResponseReader = job.results(output_mode="json")  # type: ignore
         except HTTPError as e:
             # e.g. ->  HTTP 400 Bad Request -- b'{"messages":[{"type":"FATAL","text":"Error in \'delete\' command: You
             #   have insufficient privileges to delete events."}]}'
@@ -940,7 +960,7 @@ class CorrelationSearch(BaseModel):
             self.logger.error(message)
             raise ServerError(message)
 
-        return ResultIterator(response_reader)                                                      # type: ignore
+        return ResultIterator(response_reader)  # type: ignore
 
     def _delete_index(self, index: str) -> None:
         """Deletes events in a given index
@@ -991,7 +1011,7 @@ class CorrelationSearch(BaseModel):
 
         # Add indexes to purge
         if delete_test_index:
-            self.indexes_to_purge.add(self.test_index)                                              # type: ignore
+            self.indexes_to_purge.add(self.test_index)  # type: ignore
         if self._risk_events is not None:
             self.indexes_to_purge.add(Indexes.RISK_INDEX)
         if self._notable_events is not None:
@@ -1019,5 +1039,5 @@ class CorrelationSearch(BaseModel):
             self.pbar_data.fq_test_name,
             state,
             self.pbar_data.start_time,
-            True
+            True,
         )