contentctl 5.0.0a2__py3-none-any.whl → 5.0.0a3__py3-none-any.whl

contentctl/objects/baseline.py

@@ -1,10 +1,16 @@
-
 from __future__ import annotations
-from typing import Annotated, List,Any, TYPE_CHECKING
+from typing import Annotated, List, Any, TYPE_CHECKING
+
 if TYPE_CHECKING:
     from contentctl.input.director import DirectorOutputDto
 
-from pydantic import field_validator, ValidationInfo, Field, model_serializer, computed_field
+from pydantic import (
+    field_validator,
+    ValidationInfo,
+    Field,
+    model_serializer,
+    computed_field,
+)
 from contentctl.objects.deployment import Deployment
 from contentctl.objects.security_content_object import SecurityContentObject
 from contentctl.objects.enums import DataModel
@@ -13,11 +19,15 @@ from contentctl.objects.baseline_tags import BaselineTags
 from contentctl.objects.config import CustomApp
 
 from contentctl.objects.lookup import Lookup
-from contentctl.objects.constants import CONTENTCTL_MAX_SEARCH_NAME_LENGTH,CONTENTCTL_BASELINE_STANZA_NAME_FORMAT_TEMPLATE
+from contentctl.objects.constants import (
+    CONTENTCTL_MAX_SEARCH_NAME_LENGTH,
+    CONTENTCTL_BASELINE_STANZA_NAME_FORMAT_TEMPLATE,
+)
+
 
 class Baseline(SecurityContentObject):
-    name:str = Field(...,max_length=CONTENTCTL_MAX_SEARCH_NAME_LENGTH)
-    type: Annotated[str,Field(pattern="^Baseline$")] = Field(...)
+    name: str = Field(..., max_length=CONTENTCTL_MAX_SEARCH_NAME_LENGTH)
+    type: Annotated[str, Field(pattern="^Baseline$")] = Field(...)
     search: str = Field(..., min_length=4)
     how_to_implement: str = Field(..., min_length=4)
     known_false_positives: str = Field(..., min_length=4)
@@ -26,30 +36,31 @@ class Baseline(SecurityContentObject):
     # enrichment
     deployment: Deployment = Field({})
 
-
-    @field_validator('lookups', mode="before")
+    @field_validator("lookups", mode="before")
     @classmethod
-    def getBaselineLookups(cls, v:list[str], info:ValidationInfo) -> list[Lookup]:
-        '''
+    def getBaselineLookups(cls, v: list[str], info: ValidationInfo) -> list[Lookup]:
+        """
         This function has been copied and renamed from the Detection_Abstract class
-        '''
-        director:DirectorOutputDto = info.context.get("output_dto",None)
-        search: str | None = info.data.get("search",None)
+        """
+        director: DirectorOutputDto = info.context.get("output_dto", None)
+        search: str | None = info.data.get("search", None)
         if search is None:
             raise ValueError("Search was None - is this file missing the search field?")
-        
+
         lookups = Lookup.get_lookups(search, director)
         return lookups
 
-    def get_conf_stanza_name(self, app:CustomApp)->str:
-        stanza_name = CONTENTCTL_BASELINE_STANZA_NAME_FORMAT_TEMPLATE.format(app_label=app.label, detection_name=self.name)
+    def get_conf_stanza_name(self, app: CustomApp) -> str:
+        stanza_name = CONTENTCTL_BASELINE_STANZA_NAME_FORMAT_TEMPLATE.format(
+            app_label=app.label, detection_name=self.name
+        )
         self.check_conf_stanza_max_length(stanza_name)
         return stanza_name
 
     @field_validator("deployment", mode="before")
-    def getDeployment(cls, v:Any, info:ValidationInfo)->Deployment:
-        return Deployment.getDeployment(v,info)
-    
+    def getDeployment(cls, v: Any, info: ValidationInfo) -> Deployment:
+        return Deployment.getDeployment(v, info)
+
     @computed_field
     @property
     def datamodel(self) -> List[DataModel]:
@@ -57,21 +68,21 @@ class Baseline(SecurityContentObject):
 
     @model_serializer
     def serialize_model(self):
-        #Call serializer for parent
+        # Call serializer for parent
         super_fields = super().serialize_model()
-        
-        #All fields custom to this model
-        model= {
+
+        # All fields custom to this model
+        model = {
             "tags": self.tags.model_dump(),
             "type": self.type,
             "search": self.search,
-            "how_to_implement":self.how_to_implement,
-            "known_false_positives":self.known_false_positives,
+            "how_to_implement": self.how_to_implement,
+            "known_false_positives": self.known_false_positives,
             "datamodel": self.datamodel,
         }
-        
-        #Combine fields from this model with fields from parent
+
+        # Combine fields from this model with fields from parent
         super_fields.update(model)
-        
-        #return the model
-        return super_fields
+
+        # return the model
+        return super_fields

contentctl/objects/baseline_tags.py

@@ -1,5 +1,12 @@
 from __future__ import annotations
-from pydantic import BaseModel, Field, field_validator, ValidationInfo, model_serializer, ConfigDict
+from pydantic import (
+    BaseModel,
+    Field,
+    field_validator,
+    ValidationInfo,
+    model_serializer,
+    ConfigDict,
+)
 from typing import List, Any, Union
 
 from contentctl.objects.story import Story
@@ -8,35 +15,35 @@ from contentctl.objects.enums import SecurityContentProductName
 from contentctl.objects.enums import SecurityDomain
 
 
-
-
-
 class BaselineTags(BaseModel):
     model_config = ConfigDict(extra="forbid")
     analytic_story: list[Story] = Field(...)
-    #deployment: Deployment = Field('SET_IN_GET_DEPLOYMENT_FUNCTION')
+    # deployment: Deployment = Field('SET_IN_GET_DEPLOYMENT_FUNCTION')
     # TODO (#223): can we remove str from the possible types here?
-    detections: List[Union[Detection,str]] = Field(...)
-    product: List[SecurityContentProductName] = Field(...,min_length=1)
+    detections: List[Union[Detection, str]] = Field(...)
+    product: List[SecurityContentProductName] = Field(..., min_length=1)
     security_domain: SecurityDomain = Field(...)
 
+    @field_validator("analytic_story", mode="before")
+    def getStories(cls, v: Any, info: ValidationInfo) -> List[Story]:
+        return Story.mapNamesToSecurityContentObjects(
+            v, info.context.get("output_dto", None)
+        )
 
-    @field_validator("analytic_story",mode="before")
-    def getStories(cls, v:Any, info:ValidationInfo)->List[Story]:
-        return Story.mapNamesToSecurityContentObjects(v, info.context.get("output_dto",None))
-    
-    
     @model_serializer
-    def serialize_model(self):    
-        #All fields custom to this model
-        model= {
+    def serialize_model(self):
+        # All fields custom to this model
+        model = {
             "analytic_story": [story.name for story in self.analytic_story],
-            "detections": [detection.name for detection in self.detections if isinstance(detection,Detection)],
+            "detections": [
+                detection.name
+                for detection in self.detections
+                if isinstance(detection, Detection)
+            ],
             "product": self.product,
-            "security_domain":self.security_domain,
-            "deployments": None
+            "security_domain": self.security_domain,
+            "deployments": None,
         }
-        
-        
-        #return the model
-        return model
+
+        # return the model
+        return model

contentctl/objects/config.py

@@ -1162,7 +1162,7 @@ class release_notes(Config_Base):
         p = self.path / "dist"
         try:
             p.mkdir(exist_ok=True, parents=True)
-        except Exception:
+        except Exception as e:
             raise Exception(
                 f"Error making the directory '{p}' to hold release_notes: {str(e)}"
             )

contentctl/objects/constants.py

@@ -15,7 +15,7 @@ ATTACK_TACTICS_KILLCHAIN_MAPPING = {
     "Collection": "Exploitation",
     "Command And Control": "Command and Control",
     "Exfiltration": "Actions on Objectives",
-    "Impact": "Actions on Objectives"
+    "Impact": "Actions on Objectives",
 }
 
 SES_CONTEXT_MAPPING = {
@@ -65,7 +65,7 @@ SES_CONTEXT_MAPPING = {
     "Other:Policy Violation": 82,
     "Other:Threat Intelligence": 83,
     "Other:Flight Risk": 84,
-    "Other:Removable Storage": 85
+    "Other:Removable Storage": 85,
 }
 
 SES_KILL_CHAIN_MAPPINGS = {
@@ -76,49 +76,9 @@ SES_KILL_CHAIN_MAPPINGS = {
     "Exploitation": 4,
     "Installation": 5,
     "Command and Control": 6,
-    "Actions on Objectives": 7
+    "Actions on Objectives": 7,
 }
 
-# TODO (cmcginley): @ljstella should this be removed? also referenced in new_content.py
-SES_OBSERVABLE_ROLE_MAPPING = {
-    "Other": -1,
-    "Unknown": 0,
-    "Actor": 1,
-    "Target": 2,
-    "Attacker": 3,
-    "Victim": 4,
-    "Parent Process": 5,
-    "Child Process": 6,
-    "Known Bad": 7,
-    "Data Loss": 8,
-    "Observer": 9
-}
-
-# TODO (cmcginley): @ljstella should this be removed? also referenced in new_content.py
-SES_OBSERVABLE_TYPE_MAPPING = {
-    "Unknown": 0,
-    "Hostname": 1,
-    "IP Address": 2,
-    "MAC Address": 3,
-    "User Name": 4,
-    "Email Address": 5,
-    "URL String": 6,
-    "File Name": 7,
-    "File Hash": 8,
-    "Process Name": 9,
-    "Resource UID": 10,
-    "Endpoint": 20,
-    "User": 21,
-    "Email": 22,
-    "Uniform Resource Locator": 23,
-    "File": 24,
-    "Process": 25,
-    "Geo Location": 26,
-    "Container": 27,
-    "Registry Key": 28,
-    "Registry Value": 29,
-    "Other": 99
-}
 
 SES_ATTACK_TACTICS_ID_MAPPING = {
     "Reconnaissance": "TA0043",
@@ -134,24 +94,19 @@ SES_ATTACK_TACTICS_ID_MAPPING = {
     "Collection": "TA0009",
     "Command_and_Control": "TA0011",
     "Exfiltration": "TA0010",
-    "Impact": "TA0040"
+    "Impact": "TA0040",
 }
 
-# TODO (cmcginley): is this just for the transition testing?
-RBA_OBSERVABLE_ROLE_MAPPING = {
-    "Attacker": 0,
-    "Victim": 1
-}
 
 # The relative path to the directory where any apps/packages will be downloaded
 DOWNLOADS_DIRECTORY = "downloads"
 
 # Maximum length of the name field for a search.
-# This number is derived from a limitation that exists in 
+# This number is derived from a limitation that exists in
 # ESCU where a search cannot be edited, due to validation
 # errors, if its name is longer than 99 characters.
 # When an saved search is cloned in Enterprise Security User Interface,
-# it is wrapped in the following: 
+# it is wrapped in the following:
 # {Detection.tags.security_domain} - {SEARCH_STANZA_NAME} - Rule
 # Similarly, when we generate the search stanza name in contentctl, it
 # is app.label - detection.name - Rule
@@ -160,16 +115,32 @@ DOWNLOADS_DIRECTORY = "downloads"
 # or in ESCU:
 # ESCU - {detection.name} - Rule,
 # this gives us a maximum length below.
-# When an ESCU search is cloned, it will 
+# When an ESCU search is cloned, it will
 # have a full name like (the following is NOT a typo):
 # Endpoint - ESCU - Name of Search From YML File - Rule - Rule
 # The math below accounts for all these caveats
 ES_MAX_STANZA_LENGTH = 99
-CONTENTCTL_DETECTION_STANZA_NAME_FORMAT_TEMPLATE = "{app_label} - {detection_name} - Rule"
+CONTENTCTL_DETECTION_STANZA_NAME_FORMAT_TEMPLATE = (
+    "{app_label} - {detection_name} - Rule"
+)
 CONTENTCTL_BASELINE_STANZA_NAME_FORMAT_TEMPLATE = "{app_label} - {detection_name}"
-CONTENTCTL_RESPONSE_TASK_NAME_FORMAT_TEMPLATE = "{app_label} - {detection_name} - Response Task"
+CONTENTCTL_RESPONSE_TASK_NAME_FORMAT_TEMPLATE = (
+    "{app_label} - {detection_name} - Response Task"
+)
 
-ES_SEARCH_STANZA_NAME_FORMAT_AFTER_CLONING_IN_PRODUCT_TEMPLATE = "{security_domain_value} - {search_name} - Rule"
-SECURITY_DOMAIN_MAX_LENGTH = max([len(SecurityDomain[value]) for value in SecurityDomain._member_map_])
-CONTENTCTL_MAX_STANZA_LENGTH = ES_MAX_STANZA_LENGTH - len(ES_SEARCH_STANZA_NAME_FORMAT_AFTER_CLONING_IN_PRODUCT_TEMPLATE.format(security_domain_value="X"*SECURITY_DOMAIN_MAX_LENGTH,search_name=""))
-CONTENTCTL_MAX_SEARCH_NAME_LENGTH = CONTENTCTL_MAX_STANZA_LENGTH - len(CONTENTCTL_DETECTION_STANZA_NAME_FORMAT_TEMPLATE.format(app_label="ESCU", detection_name=""))
+ES_SEARCH_STANZA_NAME_FORMAT_AFTER_CLONING_IN_PRODUCT_TEMPLATE = (
+    "{security_domain_value} - {search_name} - Rule"
+)
+SECURITY_DOMAIN_MAX_LENGTH = max(
+    [len(SecurityDomain[value]) for value in SecurityDomain._member_map_]
+)
+CONTENTCTL_MAX_STANZA_LENGTH = ES_MAX_STANZA_LENGTH - len(
+    ES_SEARCH_STANZA_NAME_FORMAT_AFTER_CLONING_IN_PRODUCT_TEMPLATE.format(
+        security_domain_value="X" * SECURITY_DOMAIN_MAX_LENGTH, search_name=""
+    )
+)
+CONTENTCTL_MAX_SEARCH_NAME_LENGTH = CONTENTCTL_MAX_STANZA_LENGTH - len(
+    CONTENTCTL_DETECTION_STANZA_NAME_FORMAT_TEMPLATE.format(
+        app_label="ESCU", detection_name=""
+    )
+)