contentctl 5.0.0a0__py3-none-any.whl → 5.0.0a3__py3-none-any.whl

contentctl/objects/story.py

@@ -1,8 +1,9 @@
 from __future__ import annotations
-from typing import TYPE_CHECKING,List
+from typing import TYPE_CHECKING, List
 from contentctl.objects.story_tags import StoryTags
-from pydantic import Field, model_serializer,computed_field, model_validator
+from pydantic import Field, model_serializer, computed_field, model_validator
 import re
+
 if TYPE_CHECKING:
     from contentctl.objects.detection import Detection
     from contentctl.objects.investigation import Investigation
@@ -12,88 +13,90 @@ if TYPE_CHECKING:
 
 from contentctl.objects.security_content_object import SecurityContentObject
 
+
 class Story(SecurityContentObject):
     narrative: str = Field(...)
     tags: StoryTags = Field(...)
 
     # These are updated when detection and investigation objects are created.
     # Specifically in the model_post_init functions
-    detections:List[Detection] = []
+    detections: List[Detection] = []
     investigations: List[Investigation] = []
     baselines: List[Baseline] = []
-    
-    
+
     @computed_field
     @property
-    def data_sources(self)-> list[DataSource]:
+    def data_sources(self) -> list[DataSource]:
         # Only add a data_source if it does not already exist in the story
-        data_source_objects:set[DataSource] = set()
+        data_source_objects: set[DataSource] = set()
         for detection in self.detections:
             data_source_objects.update(set(detection.data_source_objects))
-        
+
         return sorted(list(data_source_objects))
 
+    def storyAndInvestigationNamesWithApp(self, app: CustomApp) -> List[str]:
+        return [
+            detection.get_conf_stanza_name(app) for detection in self.detections
+        ] + [
+            investigation.get_response_task_name(app)
+            for investigation in self.investigations
+        ]
 
-    def storyAndInvestigationNamesWithApp(self, app:CustomApp)->List[str]:
-        return [detection.get_conf_stanza_name(app) for detection in self.detections] + \
-               [investigation.get_response_task_name(app) for investigation in self.investigations]
-        
     @model_serializer
     def serialize_model(self):
-        #Call serializer for parent
+        # Call serializer for parent
         super_fields = super().serialize_model()
-        
-        #All fields custom to this model
-        model= {
+
+        # All fields custom to this model
+        model = {
             "narrative": self.narrative,
             "tags": self.tags.model_dump(),
             "detection_names": self.detection_names,
             "investigation_names": self.investigation_names,
             "baseline_names": self.baseline_names,
             "author_company": self.author_company,
-            "author_name":self.author_name
+            "author_name": self.author_name,
         }
         detections = []
         for detection in self.detections:
             new_detection = {
-                "name":detection.name,
-                "source":detection.source,
-                "type":detection.type
+                "name": detection.name,
+                "source": detection.source,
+                "type": detection.type,
             }
             if self.tags.mitre_attack_enrichments is not None:
-                new_detection['tags'] = {"mitre_attack_enrichments": [{"mitre_attack_technique":  enrichment.mitre_attack_technique} for enrichment in detection.tags.mitre_attack_enrichments]}
+                new_detection["tags"] = {
+                    "mitre_attack_enrichments": [
+                        {"mitre_attack_technique": enrichment.mitre_attack_technique}
+                        for enrichment in detection.tags.mitre_attack_enrichments
+                    ]
+                }
             detections.append(new_detection)
 
-        model['detections'] = detections
-        #Combine fields from this model with fields from parent
+        model["detections"] = detections
+        # Combine fields from this model with fields from parent
         super_fields.update(model)
-        
-        #return the model
+
+        # return the model
         return super_fields
 
     @model_validator(mode="after")
     def setTagsFields(self):
-        
         enrichments = []
         for detection in self.detections:
             enrichments.extend(detection.tags.mitre_attack_enrichments)
         self.tags.mitre_attack_enrichments = list(set(enrichments))
 
-    
         tactics = []
         for enrichment in self.tags.mitre_attack_enrichments:
             tactics.extend(enrichment.mitre_attack_tactics)
         self.tags.mitre_attack_tactics = set(tactics)
 
-    
-    
         datamodels = []
         for detection in self.detections:
             datamodels.extend(detection.datamodel)
         self.tags.datamodels = set(datamodels)
 
-    
-    
         kill_chain_phases = []
         for detection in self.detections:
             kill_chain_phases.extend(detection.tags.kill_chain_phases)
@@ -101,42 +104,40 @@ class Story(SecurityContentObject):
 
         return self
 
-
     @computed_field
     @property
-    def author_name(self)->str:
-        match_author = re.search(r'^([^,]+)', self.author)
+    def author_name(self) -> str:
+        match_author = re.search(r"^([^,]+)", self.author)
         if match_author is None:
-            return 'no'
+            return "no"
         else:
             return match_author.group(1)
 
     @computed_field
     @property
-    def author_company(self)->str:
-        match_company = re.search(r',\s?(.*)$', self.author)
+    def author_company(self) -> str:
+        match_company = re.search(r",\s?(.*)$", self.author)
         if match_company is None:
-            return 'no'
+            return "no"
         else:
             return match_company.group(1)
 
     @computed_field
     @property
-    def author_email(self)->str:
+    def author_email(self) -> str:
         return "-"
 
     @computed_field
     @property
-    def detection_names(self)->List[str]:
+    def detection_names(self) -> List[str]:
         return [detection.name for detection in self.detections]
-    
+
     @computed_field
     @property
-    def investigation_names(self)->List[str]:
+    def investigation_names(self) -> List[str]:
         return [investigation.name for investigation in self.investigations]
 
     @computed_field
     @property
-    def baseline_names(self)->List[str]:        
+    def baseline_names(self) -> List[str]:
         return [baseline.name for baseline in self.baselines]
-    

contentctl/objects/story_tags.py

@@ -1,54 +1,66 @@
 from __future__ import annotations
 from pydantic import BaseModel, Field, model_serializer, ConfigDict
-from typing import List,Set,Optional, Annotated
+from typing import List, Set, Optional
 
 from enum import Enum
 
 from contentctl.objects.mitre_attack_enrichment import MitreAttackEnrichment
-from contentctl.objects.enums import StoryCategory, DataModel, KillChainPhase, SecurityContentProductName
-from contentctl.objects.annotated_types import CVE_TYPE,MITRE_ATTACK_ID_TYPE
+from contentctl.objects.enums import (
+    StoryCategory,
+    DataModel,
+    KillChainPhase,
+    SecurityContentProductName,
+)
+from contentctl.objects.annotated_types import CVE_TYPE, MITRE_ATTACK_ID_TYPE
 
-class StoryUseCase(str,Enum):
-   FRAUD_DETECTION = "Fraud Detection"
-   COMPLIANCE = "Compliance"
-   APPLICATION_SECURITY = "Application Security"
-   SECURITY_MONITORING = "Security Monitoring"
-   ADVANCED_THREAD_DETECTION = "Advanced Threat Detection"
-   INSIDER_THREAT = "Insider Threat"
-   OTHER = "Other"
+
+class StoryUseCase(str, Enum):
+    FRAUD_DETECTION = "Fraud Detection"
+    COMPLIANCE = "Compliance"
+    APPLICATION_SECURITY = "Application Security"
+    SECURITY_MONITORING = "Security Monitoring"
+    ADVANCED_THREAD_DETECTION = "Advanced Threat Detection"
+    INSIDER_THREAT = "Insider Threat"
+    OTHER = "Other"
 
 
 class StoryTags(BaseModel):
-   model_config = ConfigDict(extra='forbid')
-   category: List[StoryCategory] = Field(...,min_length=1)
-   product: List[SecurityContentProductName] = Field(...,min_length=1)
-   usecase: StoryUseCase = Field(...)
-
-   # enrichment
-   mitre_attack_enrichments: Optional[List[MitreAttackEnrichment]] = None
-   mitre_attack_tactics: Optional[Set[MITRE_ATTACK_ID_TYPE]] = None
-   datamodels: Optional[Set[DataModel]] = None
-   kill_chain_phases: Optional[Set[KillChainPhase]] = None
-   cve: List[CVE_TYPE] = []
-   group: List[str] = Field([], description="A list of groups who leverage the techniques list in this Analytic Story.")
-
-   def getCategory_conf(self) -> str:
-      #if len(self.category) > 1:
-      #   print("Story with more than 1 category.  We can only have 1 category, fix it!")
-      return list(self.category)[0]
-   
-   @model_serializer
-   def serialize_model(self):
-      #no super to call
-      return {
-         "category": list(self.category),
-         "product": list(self.product),
-         "usecase": self.usecase,
-         "mitre_attack_enrichments": self.mitre_attack_enrichments,
-         "mitre_attack_tactics": list(self.mitre_attack_tactics) if self.mitre_attack_tactics is not None else None,
-         "datamodels": list(self.datamodels) if self.datamodels is not None else None,
-         "kill_chain_phases": list(self.kill_chain_phases) if self.kill_chain_phases is not None else None  
-      }
-
-        
-    
+    model_config = ConfigDict(extra="forbid")
+    category: List[StoryCategory] = Field(..., min_length=1)
+    product: List[SecurityContentProductName] = Field(..., min_length=1)
+    usecase: StoryUseCase = Field(...)
+
+    # enrichment
+    mitre_attack_enrichments: Optional[List[MitreAttackEnrichment]] = None
+    mitre_attack_tactics: Optional[Set[MITRE_ATTACK_ID_TYPE]] = None
+    datamodels: Optional[Set[DataModel]] = None
+    kill_chain_phases: Optional[Set[KillChainPhase]] = None
+    cve: List[CVE_TYPE] = []
+    group: List[str] = Field(
+        [],
+        description="A list of groups who leverage the techniques list in this Analytic Story.",
+    )
+
+    def getCategory_conf(self) -> str:
+        # if len(self.category) > 1:
+        #   print("Story with more than 1 category.  We can only have 1 category, fix it!")
+        return list(self.category)[0]
+
+    @model_serializer
+    def serialize_model(self):
+        # no super to call
+        return {
+            "category": list(self.category),
+            "product": list(self.product),
+            "usecase": self.usecase,
+            "mitre_attack_enrichments": self.mitre_attack_enrichments,
+            "mitre_attack_tactics": list(self.mitre_attack_tactics)
+            if self.mitre_attack_tactics is not None
+            else None,
+            "datamodels": list(self.datamodels)
+            if self.datamodels is not None
+            else None,
+            "kill_chain_phases": list(self.kill_chain_phases)
+            if self.kill_chain_phases is not None
+            else None,
+        }

contentctl/objects/test_group.py

@@ -15,13 +15,16 @@ class TestGroup(BaseModel):
     :param integration_test: an IntegrationTest
     :param attack_data: the attack data associated with tests in the TestGroup
     """
+
     name: str
     unit_test: UnitTest
     integration_test: IntegrationTest
     attack_data: list[TestAttackData]
 
     @classmethod
-    def derive_from_unit_test(cls, unit_test: UnitTest, name_prefix: str) -> "TestGroup":
+    def derive_from_unit_test(
+        cls, unit_test: UnitTest, name_prefix: str
+    ) -> "TestGroup":
         """
         Given a UnitTest and a prefix, construct a TestGroup, with in IntegrationTest corresponding to the UnitTest
         :param unit_test: the UnitTest
@@ -36,7 +39,7 @@ class TestGroup(BaseModel):
             name=f"{name_prefix}:{unit_test.name}",
             unit_test=unit_test,
             integration_test=integration_test,
-            attack_data=unit_test.attack_data
+            attack_data=unit_test.attack_data,
         )
 
     def unit_test_skipped(self) -> bool:

contentctl/objects/threat_object.py

@@ -11,5 +11,6 @@ class ThreatObject(BaseModel):
     :param field: the name of the field from which the risk object will get it's name
     :param type_: the type of the risk object (e.g. "system")
     """
+
     field: str
     type: str

contentctl/objects/throttling.py

@@ -2,25 +2,34 @@ from pydantic import BaseModel, Field, field_validator
 from typing import Annotated
 
 
-# Alert Suppression/Throttling settings have been taken from 
+# Alert Suppression/Throttling settings have been taken from
 # https://docs.splunk.com/Documentation/Splunk/9.2.2/Admin/Savedsearchesconf
 class Throttling(BaseModel):
-    fields: list[str] = Field(..., description="The list of fields to throttle on. These fields MUST occur in the search.", min_length=1)
-    period: Annotated[str,Field(pattern="^[0-9]+[smh]$")] =  Field(..., description="How often the alert should be triggered. "
-                                                    "This may be specified in seconds, minutes, or hours.  "
-                                                    "For example, if an alert should be triggered once a day,"
-                                                    " it may be specified in seconds (86400s), minutes (1440m), or hours import (24h).")
-    
+    fields: list[str] = Field(
+        ...,
+        description="The list of fields to throttle on. These fields MUST occur in the search.",
+        min_length=1,
+    )
+    period: Annotated[str, Field(pattern="^[0-9]+[smh]$")] = Field(
+        ...,
+        description="How often the alert should be triggered. "
+        "This may be specified in seconds, minutes, or hours.  "
+        "For example, if an alert should be triggered once a day,"
+        " it may be specified in seconds (86400s), minutes (1440m), or hours import (24h).",
+    )
+
     @field_validator("fields")
-    def no_spaces_in_fields(cls, v:list[str])->list[str]:
+    def no_spaces_in_fields(cls, v: list[str]) -> list[str]:
         for field in v:
-            if ' ' in field:
-                raise ValueError("Spaces are not presently supported in 'alert.suppress.fields' / throttling fields in conf files. "
-                                "The field '{field}' has a space in it. If this is a blocker, please raise this as an issue on the Project.")
+            if " " in field:
+                raise ValueError(
+                    "Spaces are not presently supported in 'alert.suppress.fields' / throttling fields in conf files. "
+                    "The field '{field}' has a space in it. If this is a blocker, please raise this as an issue on the Project."
+                )
         return v
 
-    def conf_formatted_fields(self)->str:
-        '''
+    def conf_formatted_fields(self) -> str:
+        """
         TODO:
         The field alert.suppress.fields is defined as follows:
         alert.suppress.fields = <comma-delimited-field-list>
@@ -28,19 +37,19 @@ class Throttling(BaseModel):
         be specified if the digest mode is disabled and suppression is enabled.
 
         In order to support fields with spaces in them, we may need to wrap each
-        field in "". 
+        field in "".
         This function returns a properly formatted value, where each field
-        is wrapped in "" and separated with a comma. For example, the fields 
+        is wrapped in "" and separated with a comma. For example, the fields
         ["field1", "field 2", "field3"] would be returned as the string
 
         "field1","field 2","field3
 
         However, for now, we will error on fields with spaces and simply
         separate with commas
-        '''
-        
+        """
+
         return ",".join(self.fields)
 
         # The following may be used once we determine proper support
         # for fields with spaces
-        #return ",".join([f'"{field}"' for field in self.fields])
+        # return ",".join([f'"{field}"' for field in self.fields])

contentctl/objects/unit_test.py

@@ -2,7 +2,6 @@ from __future__ import annotations
 
 from pydantic import Field
 
-from contentctl.objects.unit_test_baseline import UnitTestBaseline
 from contentctl.objects.test_attack_data import TestAttackData
 from contentctl.objects.unit_test_result import UnitTestResult
 from contentctl.objects.base_test import BaseTest, TestType
@@ -13,6 +12,7 @@ class UnitTest(BaseTest):
     """
     A unit test for a detection
     """
+
     # contentType: SecurityContentType = SecurityContentType.unit_tests
 
     # The test type (unit)
@@ -29,7 +29,6 @@ class UnitTest(BaseTest):
         Skip the test by setting its result status
         :param message: the reason for skipping
         """
-        self.result = UnitTestResult(                                                               # type: ignore
-            message=message,
-            status=TestResultStatus.SKIP
+        self.result = UnitTestResult(  # type: ignore
+            message=message, status=TestResultStatus.SKIP
         )

contentctl/objects/unit_test_baseline.py

@@ -1,12 +1,11 @@
-
-
-from pydantic import BaseModel,ConfigDict
+from pydantic import BaseModel, ConfigDict
 from typing import Union
 
+
 class UnitTestBaseline(BaseModel):
     model_config = ConfigDict(extra="forbid")
     name: str
     file: str
     pass_condition: str
-    earliest_time: Union[str,None] = None
-    latest_time: Union[str,None] = None
+    earliest_time: Union[str, None] = None
+    latest_time: Union[str, None] = None

contentctl/objects/unit_test_result.py

@@ -1,6 +1,6 @@
 from __future__ import annotations
 
-from typing import Union,TYPE_CHECKING
+from typing import Union, TYPE_CHECKING
 from splunklib.data import Record
 from contentctl.objects.base_test_result import BaseTestResult, TestResultStatus
 
@@ -15,7 +15,7 @@ SID_TEMPLATE = "{server}:{web_port}/en-US/app/search/search?sid={sid}"
 
 class UnitTestResult(BaseTestResult):
     missing_observables: list[str] = []
-    
+
     def set_job_content(
         self,
         content: Union[Record, None],
@@ -40,7 +40,7 @@ class UnitTestResult(BaseTestResult):
         self.exception = exception
         self.status = status
         self.job_content = content
-        
+
         # Set the job content, if given
         if content is not None:
             if self.status == TestResultStatus.PASS:
@@ -50,7 +50,7 @@ class UnitTestResult(BaseTestResult):
             elif self.status == TestResultStatus.ERROR:
                 self.message = "TEST ERROR"
             elif self.status == TestResultStatus.SKIP:
-                #A test that was SKIPPED should not have job content since it should not have been run.
+                # A test that was SKIPPED should not have job content since it should not have been run.
                 self.message = "TEST SKIPPED"
 
             if not config.instance_address.startswith("http://"):
@@ -64,7 +64,7 @@ class UnitTestResult(BaseTestResult):
             )
 
         elif self.status == TestResultStatus.SKIP:
-            self.message = "TEST SKIPPED" 
+            self.message = "TEST SKIPPED"
             pass
 
         elif content is None:
@@ -72,7 +72,7 @@ class UnitTestResult(BaseTestResult):
             if self.exception is not None:
                 self.message = f"EXCEPTION: {str(self.exception)}"
             else:
-                self.message = f"ERROR with no more specific message available."
+                self.message = "ERROR with no more specific message available."
             self.sid_link = NO_SID
 
         return self.success

contentctl/output/api_json_output.py

@@ -1,5 +1,6 @@
 from __future__ import annotations
 from typing import TYPE_CHECKING
+
 if TYPE_CHECKING:
     from contentctl.objects.detection import Detection
     from contentctl.objects.lookup import Lookup
@@ -15,12 +16,11 @@ import pathlib
 from contentctl.output.json_writer import JsonWriter
 
 
-
 class ApiJsonOutput:
     output_path: pathlib.Path
     app_label: str
 
-    def __init__(self, output_path:pathlib.Path, app_label: str):
+    def __init__(self, output_path: pathlib.Path, app_label: str):
         self.output_path = output_path
         self.app_label = app_label
 
@@ -53,7 +53,7 @@ class ApiJsonOutput:
             )
             for detection in objects
         ]
-        #Only a subset of macro fields are required:
+        # Only a subset of macro fields are required:
         # for detection in detections:
         #     new_macros = []
         #     for macro in detection.get("macros",[]):
@@ -62,16 +62,15 @@ class ApiJsonOutput:
         #         new_macro_fields["definition"] = macro.get("definition")
         #         new_macro_fields["description"] = macro.get("description")
         #         if len(macro.get("arguments", [])) > 0:
-        #             new_macro_fields["arguments"] = macro.get("arguments") 
+        #             new_macro_fields["arguments"] = macro.get("arguments")
         #         new_macros.append(new_macro_fields)
         #     detection["macros"] = new_macros
         #     del()
-                
-        
+
         JsonWriter.writeJsonObject(
             os.path.join(self.output_path, "detections.json"), "detections", detections
         )
-    
+
     def writeMacros(
         self,
         objects: list[Macro],
@@ -81,13 +80,13 @@ class ApiJsonOutput:
             for macro in objects
         ]
         for macro in macros:
-            for k in ["author", "date","version","id","references"]:
+            for k in ["author", "date", "version", "id", "references"]:
                 if k in macro:
-                    del(macro[k])
+                    del macro[k]
         JsonWriter.writeJsonObject(
             os.path.join(self.output_path, "macros.json"), "macros", macros
         )
-    
+
     def writeStories(
         self,
         objects: list[Story],
@@ -126,8 +125,9 @@ class ApiJsonOutput:
                 }
                 for detection in story["detections"]
             ]
-            story["detection_names"] = [f"{self.app_label} - {name} - Rule" for name in story["detection_names"]]
-            
+            story["detection_names"] = [
+                f"{self.app_label} - {name} - Rule" for name in story["detection_names"]
+            ]
 
         JsonWriter.writeJsonObject(
             os.path.join(self.output_path, "stories.json"), "stories", stories
@@ -159,10 +159,10 @@ class ApiJsonOutput:
             )
             for baseline in objects
         ]
-        
+
         JsonWriter.writeJsonObject(
-                os.path.join(self.output_path, "baselines.json"), "baselines", baselines
-            )
+            os.path.join(self.output_path, "baselines.json"), "baselines", baselines
+        )
 
     def writeInvestigations(
         self,
@@ -221,9 +221,9 @@ class ApiJsonOutput:
             for lookup in objects
         ]
         for lookup in lookups:
-            for k in ["author","date","version","id","references"]:
+            for k in ["author", "date", "version", "id", "references"]:
                 if k in lookup:
-                    del(lookup[k]) 
+                    del lookup[k]
         JsonWriter.writeJsonObject(
             os.path.join(self.output_path, "lookups.json"), "lookups", lookups
         )
@@ -244,16 +244,16 @@ class ApiJsonOutput:
                         "description",
                         "scheduling",
                         "rba",
-                        "tags"
-                    ] 
+                        "tags",
+                    ]
                 )
             )
             for deployment in objects
         ]
-        #references are not to be included, but have been deleted in the
-        #model_serialization logic
+        # references are not to be included, but have been deleted in the
+        # model_serialization logic
         JsonWriter.writeJsonObject(
             os.path.join(self.output_path, "deployments.json"),
             "deployments",
             deployments,
-        )
+        )