contentctl 5.0.0a2__py3-none-any.whl → 5.0.0a3__py3-none-any.whl

contentctl/objects/deployment.py

@@ -1,5 +1,11 @@
 from __future__ import annotations
-from pydantic import Field, computed_field,ValidationInfo, model_serializer, NonNegativeInt, ConfigDict
+from pydantic import (
+    Field,
+    computed_field,
+    ValidationInfo,
+    model_serializer,
+    NonNegativeInt,
+)
 from typing import Any
 import uuid
 import datetime
@@ -10,68 +16,69 @@ from contentctl.objects.alert_action import AlertAction
 from contentctl.objects.enums import DeploymentType
 
 
-class Deployment(SecurityContentObject):    
+class Deployment(SecurityContentObject):
     scheduling: DeploymentScheduling = Field(...)
     alert_action: AlertAction = AlertAction()
     type: DeploymentType = Field(...)
-    author: str = Field(...,max_length=255)
+    author: str = Field(..., max_length=255)
     version: NonNegativeInt = 1
 
-    #Type was the only tag exposed and should likely be removed/refactored.
-    #For transitional reasons, provide this as a computed_field in prep for removal
+    # Type was the only tag exposed and should likely be removed/refactored.
+    # For transitional reasons, provide this as a computed_field in prep for removal
     @computed_field
     @property
-    def tags(self)->dict[str,DeploymentType]:
+    def tags(self) -> dict[str, DeploymentType]:
         return {"type": self.type}
 
-        
     @staticmethod
-    def getDeployment(v:dict[str,Any], info:ValidationInfo)->Deployment:
+    def getDeployment(v: dict[str, Any], info: ValidationInfo) -> Deployment:
         if v != {}:
             # If the user has defined a deployment, then allow it to be validated
             # and override the default deployment info defined in type:Baseline
-            v['type'] = DeploymentType.Embedded
-            
+            v["type"] = DeploymentType.Embedded
+
             detection_name = info.data.get("name", None)
             if detection_name is None:
-                raise ValueError("Could not create inline deployment - Baseline or Detection lacking 'name' field,")
+                raise ValueError(
+                    "Could not create inline deployment - Baseline or Detection lacking 'name' field,"
+                )
 
-            # Add a number of static values            
-            v.update({
-              'name': f"{detection_name} - Inline Deployment",
-              'id':uuid.uuid4(),
-              'date': datetime.date.today(),
-              'description': "Inline deployment created at runtime.",
-              'author': "contentctl tool"
-            })
+            # Add a number of static values
+            v.update(
+                {
+                    "name": f"{detection_name} - Inline Deployment",
+                    "id": uuid.uuid4(),
+                    "date": datetime.date.today(),
+                    "description": "Inline deployment created at runtime.",
+                    "author": "contentctl tool",
+                }
+            )
 
-            
             # This constructs a temporary in-memory deployment,
-            # allowing the deployment to be easily defined in the 
+            # allowing the deployment to be easily defined in the
             # detection on a per detection basis.
             return Deployment.model_validate(v)
-                        
+
         else:
-            return SecurityContentObject.getDeploymentFromType(info.data.get("type",None), info)
-    
+            return SecurityContentObject.getDeploymentFromType(
+                info.data.get("type", None), info
+            )
+
     @model_serializer
     def serialize_model(self):
-        #Call serializer for parent
+        # Call serializer for parent
         super_fields = super().serialize_model()
-        
-        #All fields custom to this model
-        model= {
-            "scheduling": self.scheduling.model_dump(),
-            "tags": self.tags
-        }
 
-        #Combine fields from this model with fields from parent
+        # All fields custom to this model
+        model = {"scheduling": self.scheduling.model_dump(), "tags": self.tags}
+
+        # Combine fields from this model with fields from parent
         model.update(super_fields)
-        
+
         alert_action_fields = self.alert_action.model_dump()
         model.update(alert_action_fields)
 
-        del(model['references'])
-        
-        #return the model
-        return model
+        del model["references"]
+
+        # return the model
+        return model

contentctl/objects/deployment_email.py

@@ -6,4 +6,4 @@ class DeploymentEmail(BaseModel):
     model_config = ConfigDict(extra="forbid")
     message: str
     subject: str
-    to: str
+    to: str

contentctl/objects/deployment_notable.py

@@ -2,8 +2,9 @@ from __future__ import annotations
 from pydantic import BaseModel, ConfigDict
 from typing import List
 
+
 class DeploymentNotable(BaseModel):
     model_config = ConfigDict(extra="forbid")
     rule_description: str
     rule_title: str
-    nes_fields: List[str]
+    nes_fields: List[str]

contentctl/objects/deployment_phantom.py

@@ -4,8 +4,8 @@ from pydantic import BaseModel, ConfigDict
 
 class DeploymentPhantom(BaseModel):
     model_config = ConfigDict(extra="forbid")
-    cam_workers : str
-    label : str
-    phantom_server : str
-    sensitivity : str
-    severity : str
+    cam_workers: str
+    label: str
+    phantom_server: str
+    sensitivity: str
+    severity: str

contentctl/objects/deployment_rba.py

@@ -4,4 +4,4 @@ from pydantic import BaseModel, ConfigDict
 
 class DeploymentRBA(BaseModel):
     model_config = ConfigDict(extra="forbid")
-    enabled: bool = False
+    enabled: bool = False

contentctl/objects/deployment_scheduling.py

@@ -7,4 +7,4 @@ class DeploymentScheduling(BaseModel):
     cron_schedule: str
     earliest_time: str
     latest_time: str
-    schedule_window: str
+    schedule_window: str

contentctl/objects/deployment_slack.py

@@ -5,4 +5,4 @@ from pydantic import BaseModel, ConfigDict
 class DeploymentSlack(BaseModel):
     model_config = ConfigDict(extra="forbid")
     channel: str
-    message: str
+    message: str

contentctl/objects/detection.py

@@ -1,5 +1,8 @@
 from __future__ import annotations
-from contentctl.objects.abstract_security_content_objects.detection_abstract import Detection_Abstract
+from contentctl.objects.abstract_security_content_objects.detection_abstract import (
+    Detection_Abstract,
+)
+
 
 class Detection(Detection_Abstract):
     # Customization to the Detection Class go here.
@@ -12,4 +15,4 @@ class Detection(Detection_Abstract):
     # them or modifying their behavior may cause
     # undefined issues with the contentctl tooling
     # or output of the tooling.
-    pass
+    pass

contentctl/objects/detection_metadata.py

@@ -8,6 +8,7 @@ class DetectionMetadata(BaseModel):
     """
     A model of the metadata line in a detection stanza in savedsearches.conf
     """
+
     # A bool indicating whether the detection is deprecated (serialized as an int, 1 or 0)
     deprecated: bool = Field(...)
 

contentctl/objects/detection_stanza.py

@@ -11,6 +11,7 @@ class DetectionStanza(BaseModel):
     """
     A model representing a stanza for a detection in savedsearches.conf
     """
+
     # The lines that comprise this stanza, in the order they appear in the conf
     lines: list[str] = Field(...)
 
@@ -47,7 +48,9 @@ class DetectionStanza(BaseModel):
             raise Exception(f"No metadata for detection '{self.name}' found in stanza.")
 
         # Parse the metadata JSON into a model
-        return DetectionMetadata.model_validate_json(meta_line[len(DetectionStanza.METADATA_LINE_PREFIX):])
+        return DetectionMetadata.model_validate_json(
+            meta_line[len(DetectionStanza.METADATA_LINE_PREFIX) :]
+        )
 
     @computed_field
     @cached_property
@@ -76,4 +79,6 @@ class DetectionStanza(BaseModel):
         :returns: True if the version still needs to be bumped
         :rtype: bool
         """
-        return (self.hash != previous.hash) and (self.metadata.detection_version <= previous.metadata.detection_version)
+        return (self.hash != previous.hash) and (
+            self.metadata.detection_version <= previous.metadata.detection_version
+        )

contentctl/objects/detection_tags.py

@@ -1,42 +1,45 @@
 from __future__ import annotations
+
 import uuid
 from typing import TYPE_CHECKING, List, Optional, Union
+
 from pydantic import (
+    UUID4,
     BaseModel,
+    ConfigDict,
     Field,
-    computed_field,
-    UUID4,
     HttpUrl,
-    ConfigDict,
-    field_validator,
     ValidationInfo,
+    computed_field,
+    field_validator,
     model_serializer,
-    model_validator
+    model_validator,
 )
+
 from contentctl.objects.story import Story
 from contentctl.objects.throttling import Throttling
+
 if TYPE_CHECKING:
     from contentctl.input.director import DirectorOutputDto
 
-from contentctl.objects.mitre_attack_enrichment import MitreAttackEnrichment
+from contentctl.objects.annotated_types import CVE_TYPE, MITRE_ATTACK_ID_TYPE
+from contentctl.objects.atomic import AtomicEnrichment, AtomicTest
 from contentctl.objects.constants import ATTACK_TACTICS_KILLCHAIN_MAPPING
-from contentctl.objects.observable import Observable
 from contentctl.objects.enums import (
-    Cis18Value,
     AssetType,
-    SecurityDomain,
+    Cis18Value,
     KillChainPhase,
     NistCategory,
-    SecurityContentProductName
+    SecurityContentProductName,
+    SecurityDomain,
 )
-from contentctl.objects.atomic import AtomicEnrichment, AtomicTest
-from contentctl.objects.annotated_types import MITRE_ATTACK_ID_TYPE, CVE_TYPE
+from contentctl.objects.mitre_attack_enrichment import MitreAttackEnrichment
 
 
 class DetectionTags(BaseModel):
     # detection spec
 
-    model_config = ConfigDict(validate_default=False, extra='forbid')
+    model_config = ConfigDict(validate_default=False, extra="forbid")
     analytic_story: list[Story] = Field(...)
     asset_type: AssetType = Field(...)
     group: list[str] = []
@@ -44,9 +47,6 @@ class DetectionTags(BaseModel):
     mitre_attack_id: List[MITRE_ATTACK_ID_TYPE] = []
     nist: list[NistCategory] = []
 
-    # TODO (cmcginley): observable should be removed as well, yes?
-    # TODO (#249): Add pydantic validator to ensure observables are unique within a detection
-    observable: List[Observable] = []
     product: list[SecurityContentProductName] = Field(..., min_length=1)
     throttling: Optional[Throttling] = None
     security_domain: SecurityDomain = Field(...)
@@ -54,7 +54,9 @@ class DetectionTags(BaseModel):
     atomic_guid: List[AtomicTest] = []
 
     # enrichment
-    mitre_attack_enrichments: List[MitreAttackEnrichment] = Field([], validate_default=True)
+    mitre_attack_enrichments: List[MitreAttackEnrichment] = Field(
+        [], validate_default=True
+    )
 
     @computed_field
     @property
@@ -84,38 +86,6 @@ class DetectionTags(BaseModel):
     # TODO (#268): Validate manual_test has length > 0 if not None
     manual_test: Optional[str] = None
 
-    # The following validator is temporarily disabled pending further discussions
-    # @validator('message')
-    # def validate_message(cls,v,values):
-
-    #     observables:list[Observable] = values.get("observable",[])
-    #     observable_names = set([o.name for o in observables])
-    #     #find all of the observables used in the message by name
-    #     name_match_regex = r"\$([^\s.]*)\$"
-
-    #     message_observables = set()
-
-    #     #Make sure that all observable names in
-    #     for match in re.findall(name_match_regex, v):
-    #         #Remove
-    #         match_without_dollars = match.replace("$", "")
-    #         message_observables.add(match_without_dollars)
-
-    #     missing_observables = message_observables - observable_names
-    #     unused_observables = observable_names - message_observables
-    #     if len(missing_observables) > 0:
-    #         raise ValueError(
-    #             "The following observables are referenced in the message, but were not declared as"
-    #             f" observables: {missing_observables}"
-    #         )
-
-    #     if len(unused_observables) > 0:
-    #         raise ValueError(
-    #             "The following observables were declared, but are not referenced in the message:"
-    #             f" {unused_observables}"
-    #         )
-    #     return v
-
     @model_serializer
     def serialize_model(self):
         # Since this field has no parent, there is no need to call super() serialization function
@@ -127,7 +97,7 @@ class DetectionTags(BaseModel):
             "nist": self.nist,
             "security_domain": self.security_domain,
             "mitre_attack_id": self.mitre_attack_id,
-            "mitre_attack_enrichments": self.mitre_attack_enrichments
+            "mitre_attack_enrichments": self.mitre_attack_enrichments,
         }
 
     @model_validator(mode="after")
@@ -141,9 +111,13 @@ class DetectionTags(BaseModel):
                 f" at runtime. Instead, this field contained: {self.mitre_attack_enrichments}"
             )
 
-        output_dto: Union[DirectorOutputDto, None] = info.context.get("output_dto", None)
+        output_dto: Union[DirectorOutputDto, None] = info.context.get(
+            "output_dto", None
+        )
         if output_dto is None:
-            raise ValueError("Context not provided to detection.detection_tags model post validator")
+            raise ValueError(
+                "Context not provided to detection.detection_tags model post validator"
+            )
 
         if output_dto.attack_enrichment.use_enrichment is False:
             return self
@@ -152,7 +126,9 @@ class DetectionTags(BaseModel):
         missing_tactics: list[str] = []
         for mitre_attack_id in self.mitre_attack_id:
             try:
-                mitre_enrichments.append(output_dto.attack_enrichment.getEnrichmentByMitreID(mitre_attack_id))
+                mitre_enrichments.append(
+                    output_dto.attack_enrichment.getEnrichmentByMitreID(mitre_attack_id)
+                )
             except Exception:
                 missing_tactics.append(mitre_attack_id)
 
@@ -163,7 +139,7 @@ class DetectionTags(BaseModel):
 
         return self
 
-    '''
+    """
     @field_validator('mitre_attack_enrichments', mode="before")
     @classmethod
     def addAttackEnrichments(cls, v:list[MitreAttackEnrichment], info:ValidationInfo)->list[MitreAttackEnrichment]:
@@ -181,31 +157,43 @@ class DetectionTags(BaseModel):
         enrichments = []
 
         return enrichments
-    '''
+    """
 
-    @field_validator('analytic_story', mode="before")
+    @field_validator("analytic_story", mode="before")
     @classmethod
-    def mapStoryNamesToStoryObjects(cls, v: list[str], info: ValidationInfo) -> list[Story]:
+    def mapStoryNamesToStoryObjects(
+        cls, v: list[str], info: ValidationInfo
+    ) -> list[Story]:
         if info.context is None:
             raise ValueError("ValidationInfo.context unexpectedly null")
 
-        return Story.mapNamesToSecurityContentObjects(v, info.context.get("output_dto", None))
+        return Story.mapNamesToSecurityContentObjects(
+            v, info.context.get("output_dto", None)
+        )
 
     def getAtomicGuidStringArray(self) -> List[str]:
-        return [str(atomic_guid.auto_generated_guid) for atomic_guid in self.atomic_guid]
+        return [
+            str(atomic_guid.auto_generated_guid) for atomic_guid in self.atomic_guid
+        ]
 
-    @field_validator('atomic_guid', mode="before")
+    @field_validator("atomic_guid", mode="before")
     @classmethod
-    def mapAtomicGuidsToAtomicTests(cls, v: List[UUID4], info: ValidationInfo) -> List[AtomicTest]:
+    def mapAtomicGuidsToAtomicTests(
+        cls, v: List[UUID4], info: ValidationInfo
+    ) -> List[AtomicTest]:
         if len(v) == 0:
             return []
 
         if info.context is None:
             raise ValueError("ValidationInfo.context unexpectedly null")
 
-        output_dto: Union[DirectorOutputDto, None] = info.context.get("output_dto", None)
+        output_dto: Union[DirectorOutputDto, None] = info.context.get(
+            "output_dto", None
+        )
         if output_dto is None:
-            raise ValueError("Context not provided to detection.detection_tags.atomic_guid validator")
+            raise ValueError(
+                "Context not provided to detection.detection_tags.atomic_guid validator"
+            )
 
         atomic_enrichment: AtomicEnrichment = output_dto.atomic_enrichment
 
@@ -247,4 +235,6 @@ class DetectionTags(BaseModel):
         elif len(missing_tests) > 0:
             raise ValueError(missing_tests_string)
 
-        return matched_tests + [AtomicTest.AtomicTestWhenTestIsMissing(test) for test in missing_tests]
+        return matched_tests + [
+            AtomicTest.AtomicTestWhenTestIsMissing(test) for test in missing_tests
+        ]

contentctl/objects/drilldown.py

@@ -1,71 +1,102 @@
 from __future__ import annotations
-from pydantic import BaseModel, Field, model_serializer
+
 from typing import TYPE_CHECKING
+
+from pydantic import BaseModel, Field, model_serializer
+
 if TYPE_CHECKING:
     from contentctl.objects.detection import Detection
+
 from contentctl.objects.enums import AnalyticsType
+
 DRILLDOWN_SEARCH_PLACEHOLDER = "%original_detection_search%"
 EARLIEST_OFFSET = "$info_min_time$"
 LATEST_OFFSET = "$info_max_time$"
 RISK_SEARCH = "index = risk  starthoursago = 168 endhoursago = 0 | stats count values(search_name) values(risk_message) values(analyticstories) values(annotations._all) values(annotations.mitre_attack.mitre_tactic) "
 
+
 class Drilldown(BaseModel):
     name: str = Field(..., description="The name of the drilldown search", min_length=5)
-    search: str = Field(..., description="The text of a drilldown search. This must be valid SPL.", min_length=1)
-    earliest_offset:None | str = Field(..., 
-                                description="Earliest offset time for the drilldown search. "
-                                f"The most common value for this field is '{EARLIEST_OFFSET}', "
-                                "but it is NOT the default value and must be supplied explicitly.", 
-                                min_length= 1)
-    latest_offset:None | str = Field(..., 
-                              description="Latest offset time for the driolldown search. "
-                              f"The most common value for this field is '{LATEST_OFFSET}', "
-                              "but it is NOT the default value and must be supplied explicitly.", 
-                              min_length= 1)
+    search: str = Field(
+        ...,
+        description="The text of a drilldown search. This must be valid SPL.",
+        min_length=1,
+    )
+    earliest_offset: None | str = Field(
+        ...,
+        description="Earliest offset time for the drilldown search. "
+        f"The most common value for this field is '{EARLIEST_OFFSET}', "
+        "but it is NOT the default value and must be supplied explicitly.",
+        min_length=1,
+    )
+    latest_offset: None | str = Field(
+        ...,
+        description="Latest offset time for the driolldown search. "
+        f"The most common value for this field is '{LATEST_OFFSET}', "
+        "but it is NOT the default value and must be supplied explicitly.",
+        min_length=1,
+    )
 
-    # TODO (cmcginley): @ljstella the drilldowns will need to be updated
     @classmethod
     def constructDrilldownsFromDetection(cls, detection: Detection) -> list[Drilldown]:
-        victim_observables = [o for o in detection.tags.observable if o.role[0] == "Victim"] 
+        # Ensure the rba object is defined
+        if detection.rba is None:
+            raise NotImplementedError(
+                f"Unexpected error: Detection '{detection.name}' has no RBA objects associated "
+                "with it; cannot construct drilldowns."
+            )
+
+        victim_observables = [o for o in detection.rba.risk_objects]
         if len(victim_observables) == 0 or detection.type == AnalyticsType.Hunting:
             # No victims, so no drilldowns
             return []
         print(f"Adding default drilldowns for [{detection.name}]")
-        variableNamesString = ' and '.join([f"${o.name}$" for o in victim_observables])
+        variableNamesString = " and ".join([f"${o.field}$" for o in victim_observables])
         nameField = f"View the detection results for {variableNamesString}"
-        appendedSearch =  " | search " + ' '.join([f"{o.name} = ${o.name}$" for o in victim_observables])
+        appendedSearch = " | search " + " ".join(
+            [f"{o.field} = ${o.field}$" for o in victim_observables]
+        )
         search_field = f"{detection.search}{appendedSearch}"
-        detection_results = cls(name=nameField, earliest_offset=EARLIEST_OFFSET, latest_offset=LATEST_OFFSET, search=search_field)
-        
-        
+        detection_results = cls(
+            name=nameField,
+            earliest_offset=EARLIEST_OFFSET,
+            latest_offset=LATEST_OFFSET,
+            search=search_field,
+        )
+
         nameField = f"View risk events for the last 7 days for {variableNamesString}"
-        fieldNamesListString = ', '.join([o.name for o in victim_observables])
+        fieldNamesListString = ", ".join([o.field for o in victim_observables])
         search_field = f"{RISK_SEARCH}by {fieldNamesListString} {appendedSearch}"
-        risk_events_last_7_days = cls(name=nameField, earliest_offset=None, latest_offset=None, search=search_field)
+        risk_events_last_7_days = cls(
+            name=nameField,
+            earliest_offset=None,
+            latest_offset=None,
+            search=search_field,
+        )
 
-        return [detection_results,risk_events_last_7_days]
-    
+        return [detection_results, risk_events_last_7_days]
 
-    def perform_search_substitutions(self, detection:Detection)->None:
+    def perform_search_substitutions(self, detection: Detection) -> None:
         """Replaces the field DRILLDOWN_SEARCH_PLACEHOLDER (%original_detection_search%)
         with the search contained in the detection. We do this so that the YML does not
         need the search copy/pasted from the search field into the drilldown object.
 
         Args:
             detection (Detection): Detection to be used to update the search field of the drilldown
-        """             
-        self.search = self.search.replace(DRILLDOWN_SEARCH_PLACEHOLDER, detection.search)
-    
+        """
+        self.search = self.search.replace(
+            DRILLDOWN_SEARCH_PLACEHOLDER, detection.search
+        )
 
     @model_serializer
-    def serialize_model(self) -> dict[str,str]:
-        #Call serializer for parent
-        model:dict[str,str] = {}
+    def serialize_model(self) -> dict[str, str]:
+        # Call serializer for parent
+        model: dict[str, str] = {}
 
-        model['name'] = self.name
-        model['search'] = self.search
+        model["name"] = self.name
+        model["search"] = self.search
         if self.earliest_offset is not None:
-            model['earliest_offset'] = self.earliest_offset
+            model["earliest_offset"] = self.earliest_offset
         if self.latest_offset is not None:
-            model['latest_offset'] = self.latest_offset
-        return model
+            model["latest_offset"] = self.latest_offset
+        return model