contentctl 5.0.0a2__py3-none-any.whl → 5.0.1__py3-none-any.whl

contentctl/objects/baseline.py

@@ -1,23 +1,33 @@
-
 from __future__ import annotations
-from typing import Annotated, List,Any, TYPE_CHECKING
+
+from typing import TYPE_CHECKING, Annotated, Any, List, Literal
+
 if TYPE_CHECKING:
     from contentctl.input.director import DirectorOutputDto
 
-from pydantic import field_validator, ValidationInfo, Field, model_serializer, computed_field
-from contentctl.objects.deployment import Deployment
-from contentctl.objects.security_content_object import SecurityContentObject
-from contentctl.objects.enums import DataModel
-from contentctl.objects.baseline_tags import BaselineTags
+from pydantic import (
+    Field,
+    ValidationInfo,
+    computed_field,
+    field_validator,
+    model_serializer,
+)
 
+from contentctl.objects.baseline_tags import BaselineTags
 from contentctl.objects.config import CustomApp
-
+from contentctl.objects.constants import (
+    CONTENTCTL_BASELINE_STANZA_NAME_FORMAT_TEMPLATE,
+    CONTENTCTL_MAX_SEARCH_NAME_LENGTH,
+)
+from contentctl.objects.deployment import Deployment
+from contentctl.objects.enums import DataModel, DetectionStatus
 from contentctl.objects.lookup import Lookup
-from contentctl.objects.constants import CONTENTCTL_MAX_SEARCH_NAME_LENGTH,CONTENTCTL_BASELINE_STANZA_NAME_FORMAT_TEMPLATE
+from contentctl.objects.security_content_object import SecurityContentObject
+
 
 class Baseline(SecurityContentObject):
-    name:str = Field(...,max_length=CONTENTCTL_MAX_SEARCH_NAME_LENGTH)
-    type: Annotated[str,Field(pattern="^Baseline$")] = Field(...)
+    name: str = Field(..., max_length=CONTENTCTL_MAX_SEARCH_NAME_LENGTH)
+    type: Annotated[str, Field(pattern="^Baseline$")] = Field(...)
     search: str = Field(..., min_length=4)
     how_to_implement: str = Field(..., min_length=4)
     known_false_positives: str = Field(..., min_length=4)
@@ -25,31 +35,33 @@ class Baseline(SecurityContentObject):
     lookups: list[Lookup] = Field([], validate_default=True)
     # enrichment
     deployment: Deployment = Field({})
+    status: Literal[DetectionStatus.production, DetectionStatus.deprecated]
 
-
-    @field_validator('lookups', mode="before")
+    @field_validator("lookups", mode="before")
     @classmethod
-    def getBaselineLookups(cls, v:list[str], info:ValidationInfo) -> list[Lookup]:
-        '''
+    def getBaselineLookups(cls, v: list[str], info: ValidationInfo) -> list[Lookup]:
+        """
         This function has been copied and renamed from the Detection_Abstract class
-        '''
-        director:DirectorOutputDto = info.context.get("output_dto",None)
-        search: str | None = info.data.get("search",None)
+        """
+        director: DirectorOutputDto = info.context.get("output_dto", None)
+        search: str | None = info.data.get("search", None)
         if search is None:
             raise ValueError("Search was None - is this file missing the search field?")
-        
+
         lookups = Lookup.get_lookups(search, director)
         return lookups
 
-    def get_conf_stanza_name(self, app:CustomApp)->str:
-        stanza_name = CONTENTCTL_BASELINE_STANZA_NAME_FORMAT_TEMPLATE.format(app_label=app.label, detection_name=self.name)
+    def get_conf_stanza_name(self, app: CustomApp) -> str:
+        stanza_name = CONTENTCTL_BASELINE_STANZA_NAME_FORMAT_TEMPLATE.format(
+            app_label=app.label, detection_name=self.name
+        )
         self.check_conf_stanza_max_length(stanza_name)
         return stanza_name
 
     @field_validator("deployment", mode="before")
-    def getDeployment(cls, v:Any, info:ValidationInfo)->Deployment:
-        return Deployment.getDeployment(v,info)
-    
+    def getDeployment(cls, v: Any, info: ValidationInfo) -> Deployment:
+        return Deployment.getDeployment(v, info)
+
     @computed_field
     @property
     def datamodel(self) -> List[DataModel]:
@@ -57,21 +69,21 @@ class Baseline(SecurityContentObject):
 
     @model_serializer
     def serialize_model(self):
-        #Call serializer for parent
+        # Call serializer for parent
         super_fields = super().serialize_model()
-        
-        #All fields custom to this model
-        model= {
+
+        # All fields custom to this model
+        model = {
             "tags": self.tags.model_dump(),
             "type": self.type,
             "search": self.search,
-            "how_to_implement":self.how_to_implement,
-            "known_false_positives":self.known_false_positives,
+            "how_to_implement": self.how_to_implement,
+            "known_false_positives": self.known_false_positives,
             "datamodel": self.datamodel,
         }
-        
-        #Combine fields from this model with fields from parent
+
+        # Combine fields from this model with fields from parent
         super_fields.update(model)
-        
-        #return the model
-        return super_fields
+
+        # return the model
+        return super_fields

contentctl/objects/baseline_tags.py

@@ -1,5 +1,12 @@
 from __future__ import annotations
-from pydantic import BaseModel, Field, field_validator, ValidationInfo, model_serializer, ConfigDict
+from pydantic import (
+    BaseModel,
+    Field,
+    field_validator,
+    ValidationInfo,
+    model_serializer,
+    ConfigDict,
+)
 from typing import List, Any, Union
 
 from contentctl.objects.story import Story
@@ -8,35 +15,35 @@ from contentctl.objects.enums import SecurityContentProductName
 from contentctl.objects.enums import SecurityDomain
 
 
-
-
-
 class BaselineTags(BaseModel):
     model_config = ConfigDict(extra="forbid")
     analytic_story: list[Story] = Field(...)
-    #deployment: Deployment = Field('SET_IN_GET_DEPLOYMENT_FUNCTION')
+    # deployment: Deployment = Field('SET_IN_GET_DEPLOYMENT_FUNCTION')
     # TODO (#223): can we remove str from the possible types here?
-    detections: List[Union[Detection,str]] = Field(...)
-    product: List[SecurityContentProductName] = Field(...,min_length=1)
+    detections: List[Union[Detection, str]] = Field(...)
+    product: List[SecurityContentProductName] = Field(..., min_length=1)
     security_domain: SecurityDomain = Field(...)
 
+    @field_validator("analytic_story", mode="before")
+    def getStories(cls, v: Any, info: ValidationInfo) -> List[Story]:
+        return Story.mapNamesToSecurityContentObjects(
+            v, info.context.get("output_dto", None)
+        )
 
-    @field_validator("analytic_story",mode="before")
-    def getStories(cls, v:Any, info:ValidationInfo)->List[Story]:
-        return Story.mapNamesToSecurityContentObjects(v, info.context.get("output_dto",None))
-    
-    
     @model_serializer
-    def serialize_model(self):    
-        #All fields custom to this model
-        model= {
+    def serialize_model(self):
+        # All fields custom to this model
+        model = {
             "analytic_story": [story.name for story in self.analytic_story],
-            "detections": [detection.name for detection in self.detections if isinstance(detection,Detection)],
+            "detections": [
+                detection.name
+                for detection in self.detections
+                if isinstance(detection, Detection)
+            ],
             "product": self.product,
-            "security_domain":self.security_domain,
-            "deployments": None
+            "security_domain": self.security_domain,
+            "deployments": None,
         }
-        
-        
-        #return the model
-        return model
+
+        # return the model
+        return model

contentctl/objects/config.py

@@ -1162,7 +1162,7 @@ class release_notes(Config_Base):
         p = self.path / "dist"
         try:
             p.mkdir(exist_ok=True, parents=True)
-        except Exception:
+        except Exception as e:
             raise Exception(
                 f"Error making the directory '{p}' to hold release_notes: {str(e)}"
             )

contentctl/objects/constants.py

@@ -15,7 +15,7 @@ ATTACK_TACTICS_KILLCHAIN_MAPPING = {
     "Collection": "Exploitation",
     "Command And Control": "Command and Control",
     "Exfiltration": "Actions on Objectives",
-    "Impact": "Actions on Objectives"
+    "Impact": "Actions on Objectives",
 }
 
 SES_CONTEXT_MAPPING = {
@@ -65,7 +65,7 @@ SES_CONTEXT_MAPPING = {
     "Other:Policy Violation": 82,
     "Other:Threat Intelligence": 83,
     "Other:Flight Risk": 84,
-    "Other:Removable Storage": 85
+    "Other:Removable Storage": 85,
 }
 
 SES_KILL_CHAIN_MAPPINGS = {
@@ -76,49 +76,9 @@ SES_KILL_CHAIN_MAPPINGS = {
     "Exploitation": 4,
     "Installation": 5,
     "Command and Control": 6,
-    "Actions on Objectives": 7
+    "Actions on Objectives": 7,
 }
 
-# TODO (cmcginley): @ljstella should this be removed? also referenced in new_content.py
-SES_OBSERVABLE_ROLE_MAPPING = {
-    "Other": -1,
-    "Unknown": 0,
-    "Actor": 1,
-    "Target": 2,
-    "Attacker": 3,
-    "Victim": 4,
-    "Parent Process": 5,
-    "Child Process": 6,
-    "Known Bad": 7,
-    "Data Loss": 8,
-    "Observer": 9
-}
-
-# TODO (cmcginley): @ljstella should this be removed? also referenced in new_content.py
-SES_OBSERVABLE_TYPE_MAPPING = {
-    "Unknown": 0,
-    "Hostname": 1,
-    "IP Address": 2,
-    "MAC Address": 3,
-    "User Name": 4,
-    "Email Address": 5,
-    "URL String": 6,
-    "File Name": 7,
-    "File Hash": 8,
-    "Process Name": 9,
-    "Resource UID": 10,
-    "Endpoint": 20,
-    "User": 21,
-    "Email": 22,
-    "Uniform Resource Locator": 23,
-    "File": 24,
-    "Process": 25,
-    "Geo Location": 26,
-    "Container": 27,
-    "Registry Key": 28,
-    "Registry Value": 29,
-    "Other": 99
-}
 
 SES_ATTACK_TACTICS_ID_MAPPING = {
     "Reconnaissance": "TA0043",
@@ -134,24 +94,19 @@ SES_ATTACK_TACTICS_ID_MAPPING = {
     "Collection": "TA0009",
     "Command_and_Control": "TA0011",
     "Exfiltration": "TA0010",
-    "Impact": "TA0040"
+    "Impact": "TA0040",
 }
 
-# TODO (cmcginley): is this just for the transition testing?
-RBA_OBSERVABLE_ROLE_MAPPING = {
-    "Attacker": 0,
-    "Victim": 1
-}
 
 # The relative path to the directory where any apps/packages will be downloaded
 DOWNLOADS_DIRECTORY = "downloads"
 
 # Maximum length of the name field for a search.
-# This number is derived from a limitation that exists in 
+# This number is derived from a limitation that exists in
 # ESCU where a search cannot be edited, due to validation
 # errors, if its name is longer than 99 characters.
 # When an saved search is cloned in Enterprise Security User Interface,
-# it is wrapped in the following: 
+# it is wrapped in the following:
 # {Detection.tags.security_domain} - {SEARCH_STANZA_NAME} - Rule
 # Similarly, when we generate the search stanza name in contentctl, it
 # is app.label - detection.name - Rule
@@ -160,16 +115,35 @@ DOWNLOADS_DIRECTORY = "downloads"
 # or in ESCU:
 # ESCU - {detection.name} - Rule,
 # this gives us a maximum length below.
-# When an ESCU search is cloned, it will 
+# When an ESCU search is cloned, it will
 # have a full name like (the following is NOT a typo):
 # Endpoint - ESCU - Name of Search From YML File - Rule - Rule
 # The math below accounts for all these caveats
 ES_MAX_STANZA_LENGTH = 99
-CONTENTCTL_DETECTION_STANZA_NAME_FORMAT_TEMPLATE = "{app_label} - {detection_name} - Rule"
+CONTENTCTL_DETECTION_STANZA_NAME_FORMAT_TEMPLATE = (
+    "{app_label} - {detection_name} - Rule"
+)
 CONTENTCTL_BASELINE_STANZA_NAME_FORMAT_TEMPLATE = "{app_label} - {detection_name}"
-CONTENTCTL_RESPONSE_TASK_NAME_FORMAT_TEMPLATE = "{app_label} - {detection_name} - Response Task"
+CONTENTCTL_RESPONSE_TASK_NAME_FORMAT_TEMPLATE = (
+    "{app_label} - {detection_name} - Response Task"
+)
+
+ES_SEARCH_STANZA_NAME_FORMAT_AFTER_CLONING_IN_PRODUCT_TEMPLATE = (
+    "{security_domain_value} - {search_name} - Rule"
+)
+SECURITY_DOMAIN_MAX_LENGTH = max(
+    [len(SecurityDomain[value]) for value in SecurityDomain._member_map_]
+)
+CONTENTCTL_MAX_STANZA_LENGTH = ES_MAX_STANZA_LENGTH - len(
+    ES_SEARCH_STANZA_NAME_FORMAT_AFTER_CLONING_IN_PRODUCT_TEMPLATE.format(
+        security_domain_value="X" * SECURITY_DOMAIN_MAX_LENGTH, search_name=""
+    )
+)
+CONTENTCTL_MAX_SEARCH_NAME_LENGTH = CONTENTCTL_MAX_STANZA_LENGTH - len(
+    CONTENTCTL_DETECTION_STANZA_NAME_FORMAT_TEMPLATE.format(
+        app_label="ESCU", detection_name=""
+    )
+)
 
-ES_SEARCH_STANZA_NAME_FORMAT_AFTER_CLONING_IN_PRODUCT_TEMPLATE = "{security_domain_value} - {search_name} - Rule"
-SECURITY_DOMAIN_MAX_LENGTH = max([len(SecurityDomain[value]) for value in SecurityDomain._member_map_])
-CONTENTCTL_MAX_STANZA_LENGTH = ES_MAX_STANZA_LENGTH - len(ES_SEARCH_STANZA_NAME_FORMAT_AFTER_CLONING_IN_PRODUCT_TEMPLATE.format(security_domain_value="X"*SECURITY_DOMAIN_MAX_LENGTH,search_name=""))
-CONTENTCTL_MAX_SEARCH_NAME_LENGTH = CONTENTCTL_MAX_STANZA_LENGTH - len(CONTENTCTL_DETECTION_STANZA_NAME_FORMAT_TEMPLATE.format(app_label="ESCU", detection_name=""))
+DEPRECATED_TEMPLATE = "**WARNING**, this {content_type} has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. {description}"
+EXPERIMENTAL_TEMPLATE = "**WARNING**, this {content_type} is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the {content_type} has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. {description}"