contentctl 5.0.0a2__py3-none-any.whl → 5.0.1__py3-none-any.whl

contentctl/actions/inspect.py

@@ -16,7 +16,7 @@ from contentctl.objects.errors import (
     DetectionIDError,
     DetectionMissingError,
     VersionDecrementedError,
-    VersionBumpingError
+    VersionBumpingError,
 )
 
 
@@ -26,10 +26,8 @@ class InspectInputDto:
 
 
 class Inspect:
-
     def execute(self, config: inspect) -> str:
         if config.build_app or config.build_api:
-
             self.inspectAppCLI(config)
             appinspect_token = self.inspectAppAPI(config)
 
@@ -48,9 +46,13 @@ class Inspect:
 
     def inspectAppAPI(self, config: inspect) -> str:
         session = Session()
-        session.auth = HTTPBasicAuth(config.splunk_api_username, config.splunk_api_password)
-        if config.stack_type not in ['victoria', 'classic']:
-            raise Exception(f"stack_type MUST be either 'classic' or 'victoria', NOT '{config.stack_type}'")
+        session.auth = HTTPBasicAuth(
+            config.splunk_api_username, config.splunk_api_password
+        )
+        if config.stack_type not in ["victoria", "classic"]:
+            raise Exception(
+                f"stack_type MUST be either 'classic' or 'victoria', NOT '{config.stack_type}'"
+            )
 
         APPINSPECT_API_LOGIN = "https://api.splunk.com/2.0/rest/login/splunk"
 
@@ -59,21 +61,25 @@ class Inspect:
         res.raise_for_status()
 
         authorization_bearer = res.json().get("data", {}).get("token", None)
-        APPINSPECT_API_VALIDATION_REQUEST = "https://appinspect.splunk.com/v1/app/validate"
+        APPINSPECT_API_VALIDATION_REQUEST = (
+            "https://appinspect.splunk.com/v1/app/validate"
+        )
         headers = {
             "Authorization": f"bearer {authorization_bearer}",
-            "Cache-Control": "no-cache"
+            "Cache-Control": "no-cache",
         }
 
         package_path = config.getPackageFilePath(include_version=False)
         if not package_path.is_file():
-            raise Exception(f"Cannot run Appinspect API on App '{config.app.title}' - "
-                            f"no package exists as expected path '{package_path}'.\nAre you "
-                            "trying to 'contentctl deploy_acs' the package BEFORE running 'contentctl build'?")
+            raise Exception(
+                f"Cannot run Appinspect API on App '{config.app.title}' - "
+                f"no package exists as expected path '{package_path}'.\nAre you "
+                "trying to 'contentctl deploy_acs' the package BEFORE running 'contentctl build'?"
+            )
 
         files = {
             "app_package": open(package_path, "rb"),
-            "included_tags": (None, "cloud")
+            "included_tags": (None, "cloud"),
         }
 
         res = post(APPINSPECT_API_VALIDATION_REQUEST, headers=headers, files=files)
@@ -82,26 +88,27 @@ class Inspect:
 
         request_id = res.json().get("request_id", None)
         APPINSPECT_API_VALIDATION_STATUS = f"https://appinspect.splunk.com/v1/app/validate/status/{request_id}?included_tags=private_{config.stack_type}"
-        headers = headers = {
-            "Authorization": f"bearer {authorization_bearer}"
-        }
+        headers = headers = {"Authorization": f"bearer {authorization_bearer}"}
         startTime = timeit.default_timer()
         # the first time, wait for 40 seconds. subsequent times, wait for less.
         # this is because appinspect takes some time to return, so there is no sense
         # checking many times when we know it will take at least 40 seconds to run.
         iteration_wait_time = 40
         while True:
-
             res = get(APPINSPECT_API_VALIDATION_STATUS, headers=headers)
             res.raise_for_status()
             status = res.json().get("status", None)
             if status in ["PROCESSING", "PREPARING"]:
-                print(f"[{self.getElapsedTime(startTime)}] Appinspect API is {status}...")
+                print(
+                    f"[{self.getElapsedTime(startTime)}] Appinspect API is {status}..."
+                )
                 time.sleep(iteration_wait_time)
                 iteration_wait_time = 1
                 continue
             elif status == "SUCCESS":
-                print(f"[{self.getElapsedTime(startTime)}] Appinspect API has finished!")
+                print(
+                    f"[{self.getElapsedTime(startTime)}] Appinspect API has finished!"
+                )
                 break
             else:
                 raise Exception(f"Error - Unknown Appinspect API status '{status}'")
@@ -111,7 +118,7 @@ class Inspect:
         # Get human-readable HTML report
         headers = headers = {
             "Authorization": f"bearer {authorization_bearer}",
-            "Content-Type": "text/html"
+            "Content-Type": "text/html",
         }
         res = get(APPINSPECT_API_REPORT, headers=headers)
         res.raise_for_status()
@@ -120,7 +127,7 @@ class Inspect:
         # Get JSON report for processing
         headers = headers = {
             "Authorization": f"bearer {authorization_bearer}",
-            "Content-Type": "application/json"
+            "Content-Type": "application/json",
         }
         res = get(APPINSPECT_API_REPORT, headers=headers)
         res.raise_for_status()
@@ -128,8 +135,12 @@ class Inspect:
 
         # Just get app path here to avoid long function calls in the open() calls below
         appPath = config.getPackageFilePath(include_version=True)
-        appinpect_html_path = appPath.with_suffix(appPath.suffix+".appinspect_api_results.html")
-        appinspect_json_path = appPath.with_suffix(appPath.suffix+".appinspect_api_results.json")
+        appinpect_html_path = appPath.with_suffix(
+            appPath.suffix + ".appinspect_api_results.html"
+        )
+        appinspect_json_path = appPath.with_suffix(
+            appPath.suffix + ".appinspect_api_results.json"
+        )
         # Use the full path of the app, but update the suffix to include info about appinspect
         with open(appinpect_html_path, "wb") as report:
             report.write(report_html)
@@ -148,9 +159,15 @@ class Inspect:
                 "\t - https://dev.splunk.com/enterprise/docs/developapps/testvalidate/appinspect/useappinspectclitool/"
             )
             from splunk_appinspect.main import (
-                validate, MODE_OPTION, APP_PACKAGE_ARGUMENT, OUTPUT_FILE_OPTION,
-                LOG_FILE_OPTION, INCLUDED_TAGS_OPTION, EXCLUDED_TAGS_OPTION,
-                PRECERT_MODE, TEST_MODE)
+                validate,
+                MODE_OPTION,
+                APP_PACKAGE_ARGUMENT,
+                OUTPUT_FILE_OPTION,
+                LOG_FILE_OPTION,
+                INCLUDED_TAGS_OPTION,
+                EXCLUDED_TAGS_OPTION,
+                TEST_MODE,
+            )
         except Exception as e:
             print(e)
             # print("******WARNING******")
@@ -175,10 +192,18 @@ class Inspect:
         included_tags = []
         excluded_tags = []
 
-        appinspect_output = self.dist/f"{self.config.build.title}-{self.config.build.version}.appinspect_cli_results.json"
-        appinspect_logging = self.dist/f"{self.config.build.title}-{self.config.build.version}.appinspect_cli_logging.log"
+        appinspect_output = (
+            self.dist
+            / f"{self.config.build.title}-{self.config.build.version}.appinspect_cli_results.json"
+        )
+        appinspect_logging = (
+            self.dist
+            / f"{self.config.build.title}-{self.config.build.version}.appinspect_cli_logging.log"
+        )
         try:
-            arguments_list = [(APP_PACKAGE_ARGUMENT, str(self.getPackagePath(include_version=False)))]
+            arguments_list = [
+                (APP_PACKAGE_ARGUMENT, str(self.getPackagePath(include_version=False)))
+            ]
             options_list = []
             options_list += [MODE_OPTION, TEST_MODE]
             options_list += [OUTPUT_FILE_OPTION, str(appinspect_output)]
@@ -198,16 +223,22 @@ class Inspect:
                 # The sys.exit called inside of appinspect validate closes stdin.  We need to
                 # reopen it.
                 sys.stdin = open("/dev/stdin", "r")
-                print(f"AppInspect passed! Please check [ {appinspect_output} , {appinspect_logging} ] for verbose information.")
+                print(
+                    f"AppInspect passed! Please check [ {appinspect_output} , {appinspect_logging} ] for verbose information."
+                )
             else:
-                if sys.version.startswith('3.11') or sys.version.startswith('3.12'):
-                    raise Exception("At this time, AppInspect may fail on valid apps under Python>=3.11 with "
-                                    "the error 'global flags not at the start of the expression at position 1'. "
-                                    "If you encounter this error, please run AppInspect on a version of Python "
-                                    "<3.11.  This issue is currently tracked. Please review the appinspect "
-                                    "report output above for errors.")
+                if sys.version.startswith("3.11") or sys.version.startswith("3.12"):
+                    raise Exception(
+                        "At this time, AppInspect may fail on valid apps under Python>=3.11 with "
+                        "the error 'global flags not at the start of the expression at position 1'. "
+                        "If you encounter this error, please run AppInspect on a version of Python "
+                        "<3.11.  This issue is currently tracked. Please review the appinspect "
+                        "report output above for errors."
+                    )
                 else:
-                    raise Exception("AppInspect Failure - Please review the appinspect report output above for errors.")
+                    raise Exception(
+                        "AppInspect Failure - Please review the appinspect report output above for errors."
+                    )
         finally:
             # appinspect outputs the log in json format, but does not format it to be easier
             # to read (it is all in one line). Read back that file and write it so it
@@ -217,20 +248,26 @@ class Inspect:
             self.parseAppinspectJsonLogFile(appinspect_output)
 
     def parseAppinspectJsonLogFile(
-            self,
-            logfile_path: pathlib.Path,
-            status_types: list[str] = ["error", "failure", "manual_check", "warning"],
-            exception_types: list[str] = ["error", "failure", "manual_check"]
+        self,
+        logfile_path: pathlib.Path,
+        status_types: list[str] = ["error", "failure", "manual_check", "warning"],
+        exception_types: list[str] = ["error", "failure", "manual_check"],
     ) -> None:
         if not set(exception_types).issubset(set(status_types)):
-            raise Exception(f"Error - exception_types {exception_types} MUST be a subset of status_types {status_types}, but it is not")
+            raise Exception(
+                f"Error - exception_types {exception_types} MUST be a subset of status_types {status_types}, but it is not"
+            )
         with open(logfile_path, "r+") as logfile:
             j = json.load(logfile)
             # Seek back to the beginning of the file. We don't need to clear
             # it sice we will always write AT LEAST the same number of characters
             # back as we read (due to the addition of whitespace)
             logfile.seek(0)
-            json.dump(j, logfile, indent=3, )
+            json.dump(
+                j,
+                logfile,
+                indent=3,
+            )
 
         reports = j.get("reports", [])
         if len(reports) != 1:
@@ -240,7 +277,9 @@ class Inspect:
         for group in reports[0].get("groups", []):
             for check in group.get("checks", []):
                 if check.get("result", "") in status_types:
-                    verbose_errors.append(f" - {check.get('result','')} [{group.get('name','NONAME')}: {check.get('name', 'NONAME')}]")
+                    verbose_errors.append(
+                        f" - {check.get('result', '')} [{group.get('name', 'NONAME')}: {check.get('name', 'NONAME')}]"
+                    )
         verbose_errors.sort()
 
         summary = j.get("summary", None)
@@ -250,17 +289,21 @@ class Inspect:
         generated_exception = False
         for key in status_types:
             if summary.get(key, 0) > 0:
-                msgs.append(f" - {summary.get(key,0)} {key}s")
+                msgs.append(f" - {summary.get(key, 0)} {key}s")
                 if key in exception_types:
                     generated_exception = True
         if len(msgs) > 0 or len(verbose_errors):
-            summary = '\n'.join(msgs)
-            details = '\n'.join(verbose_errors)
+            summary = "\n".join(msgs)
+            details = "\n".join(verbose_errors)
             summary = f"{summary}\nDetails:\n{details}"
             if generated_exception:
-                raise Exception(f"AppInspect found [{','.join(exception_types)}] that MUST be addressed to pass AppInspect API:\n{summary}")
+                raise Exception(
+                    f"AppInspect found [{','.join(exception_types)}] that MUST be addressed to pass AppInspect API:\n{summary}"
+                )
             else:
-                print(f"AppInspect found [{','.join(status_types)}] that MAY cause a failure during AppInspect API:\n{summary}")
+                print(
+                    f"AppInspect found [{','.join(status_types)}] that MAY cause a failure during AppInspect API:\n{summary}"
+                )
         else:
             print("AppInspect was successful!")
 
@@ -283,12 +326,12 @@ class Inspect:
         current_build_conf = SavedsearchesConf.init_from_package(
             package_path=config.getPackageFilePath(include_version=False),
             app_name=config.app.label,
-            appid=config.app.appid
+            appid=config.app.appid,
         )
         previous_build_conf = SavedsearchesConf.init_from_package(
             package_path=config.get_previous_package_file_path(),
             app_name=config.app.label,
-            appid=config.app.appid
+            appid=config.app.appid,
         )
 
         # Compare the conf files
@@ -298,31 +341,41 @@ class Inspect:
             # No detections should be removed from build to build
             if rule_name not in current_build_conf.detection_stanzas:
                 if config.suppress_missing_content_exceptions:
-                    print(f"[SUPPRESSED] {DetectionMissingError(rule_name=rule_name).long_message}")
+                    print(
+                        f"[SUPPRESSED] {DetectionMissingError(rule_name=rule_name).long_message}"
+                    )
                 else:
-                    validation_errors[rule_name].append(DetectionMissingError(rule_name=rule_name))
+                    validation_errors[rule_name].append(
+                        DetectionMissingError(rule_name=rule_name)
+                    )
                 continue
             # Pull out the individual stanza for readability
             previous_stanza = previous_build_conf.detection_stanzas[rule_name]
             current_stanza = current_build_conf.detection_stanzas[rule_name]
 
             # Detection IDs should not change
-            if current_stanza.metadata.detection_id != previous_stanza.metadata.detection_id:
+            if (
+                current_stanza.metadata.detection_id
+                != previous_stanza.metadata.detection_id
+            ):
                 validation_errors[rule_name].append(
                     DetectionIDError(
                         rule_name=rule_name,
                         current_id=current_stanza.metadata.detection_id,
-                        previous_id=previous_stanza.metadata.detection_id
+                        previous_id=previous_stanza.metadata.detection_id,
                     )
                 )
 
             # Versions should never decrement in successive builds
-            if current_stanza.metadata.detection_version < previous_stanza.metadata.detection_version:
+            if (
+                current_stanza.metadata.detection_version
+                < previous_stanza.metadata.detection_version
+            ):
                 validation_errors[rule_name].append(
                     VersionDecrementedError(
                         rule_name=rule_name,
                         current_version=current_stanza.metadata.detection_version,
-                        previous_version=previous_stanza.metadata.detection_version
+                        previous_version=previous_stanza.metadata.detection_version,
                     )
                 )
 
@@ -332,12 +385,14 @@ class Inspect:
                     VersionBumpingError(
                         rule_name=rule_name,
                         current_version=current_stanza.metadata.detection_version,
-                        previous_version=previous_stanza.metadata.detection_version
+                        previous_version=previous_stanza.metadata.detection_version,
                     )
                 )
 
         # Convert our dict mapping to a flat list of errors for use in reporting
-        validation_error_list = [x for inner_list in validation_errors.values() for x in inner_list]    
+        validation_error_list = [
+            x for inner_list in validation_errors.values() for x in inner_list
+        ]
 
         # Report failure/success
         print("\nDetection Metadata Validation:")
@@ -350,11 +405,13 @@ class Inspect:
                         print(f"\t\t🔸 {error.short_message}")
         else:
             # If no errors in the list, report success
-            print("\t✅ Detection metadata looks good and all versions were bumped appropriately :)")
+            print(
+                "\t✅ Detection metadata looks good and all versions were bumped appropriately :)"
+            )
 
         # Raise an ExceptionGroup for all validation issues
         if len(validation_error_list) > 0:
             raise ExceptionGroup(
                 "Validation errors when comparing detection stanzas in current and previous build:",
-                validation_error_list
-            )
+                validation_error_list,
+            )

contentctl/actions/new_content.py

@@ -1,33 +1,44 @@
-from dataclasses import dataclass
-import questionary
-from typing import Any
-from contentctl.input.new_content_questions import NewContentQuestions
-from contentctl.objects.config import new, NewContentType
+import pathlib
 import uuid
 from datetime import datetime
-import pathlib
-from contentctl.objects.abstract_security_content_objects.security_content_object_abstract import SecurityContentObject_Abstract
-from contentctl.output.yml_writer import YmlWriter
+from typing import Any
+
+import questionary
+
+from contentctl.input.new_content_questions import NewContentQuestions
+from contentctl.objects.abstract_security_content_objects.security_content_object_abstract import (
+    SecurityContentObject_Abstract,
+)
+from contentctl.objects.config import NewContentType, new
 from contentctl.objects.enums import AssetType
-from contentctl.objects.constants import SES_OBSERVABLE_TYPE_MAPPING, SES_OBSERVABLE_ROLE_MAPPING
+from contentctl.output.yml_writer import YmlWriter
+
+
 class NewContent:
     UPDATE_PREFIX = "__UPDATE__"
-    
+
     DEFAULT_DRILLDOWN_DEF = [
         {
             "name": f'View the detection results for - "${UPDATE_PREFIX}FIRST_RISK_OBJECT$" and "${UPDATE_PREFIX}SECOND_RISK_OBJECT$"',
             "search": f'%original_detection_search% | search  "${UPDATE_PREFIX}FIRST_RISK_OBJECT = "${UPDATE_PREFIX}FIRST_RISK_OBJECT$" second_observable_type_here = "${UPDATE_PREFIX}SECOND_RISK_OBJECT$"',
-            "earliest_offset": '$info_min_time$',
-            "latest_offset": '$info_max_time$' 
+            "earliest_offset": "$info_min_time$",
+            "latest_offset": "$info_max_time$",
         },
         {
             "name": f'View risk events for the last 7 days for - "${UPDATE_PREFIX}FIRST_RISK_OBJECT$" and "${UPDATE_PREFIX}SECOND_RISK_OBJECT$"',
             "search": f'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("${UPDATE_PREFIX}FIRST_RISK_OBJECT$", "${UPDATE_PREFIX}SECOND_RISK_OBJECT$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`',
-            "earliest_offset": '$info_min_time$',
-            "latest_offset": '$info_max_time$' 
-        }
+            "earliest_offset": "$info_min_time$",
+            "latest_offset": "$info_max_time$",
+        },
     ]
-    
+
+    DEFAULT_RBA = {
+        "message": "Risk Message goes here",
+        "risk_objects": [{"field": "dest", "type": "system", "score": 10}],
+        "threat_objects": [
+            {"field": "parent_process_name", "type": "parent_process_name"}
+        ],
+    }
 
     def buildDetection(self) -> tuple[dict[str, Any], str]:
         questions = NewContentQuestions.get_questions_detection()
@@ -39,7 +50,9 @@ class NewContent:
             raise ValueError("User didn't answer one or more questions!")
 
         data_source_field = (
-            answers["data_source"] if len(answers["data_source"]) > 0 else [f"{NewContent.UPDATE_PREFIX} zero or more data_sources"]
+            answers["data_sources"]
+            if len(answers["data_sources"]) > 0
+            else [f"{NewContent.UPDATE_PREFIX} zero or more data_sources"]
         )
         file_name = (
             answers["detection_name"]
@@ -50,12 +63,16 @@ class NewContent:
             .lower()
         )
 
-        #Minimum lenght for a mitre tactic is 5 characters: T1000
+        # Minimum lenght for a mitre tactic is 5 characters: T1000
         if len(answers["mitre_attack_ids"]) >= 5:
-            mitre_attack_ids = [x.strip() for x in answers["mitre_attack_ids"].split(",")]
+            mitre_attack_ids = [
+                x.strip() for x in answers["mitre_attack_ids"].split(",")
+            ]
         else:
-            #string was too short, so just put a placeholder
-            mitre_attack_ids = [f"{NewContent.UPDATE_PREFIX} zero or more mitre_attack_ids"]
+            # string was too short, so just put a placeholder
+            mitre_attack_ids = [
+                f"{NewContent.UPDATE_PREFIX} zero or more mitre_attack_ids"
+            ]
 
         output_file_answers: dict[str, Any] = {
             "name": answers["detection_name"],
@@ -70,18 +87,17 @@ class NewContent:
             "search": f"{answers['detection_search']} | `{file_name}_filter`",
             "how_to_implement": f"{NewContent.UPDATE_PREFIX} how to implement your search",
             "known_false_positives": f"{NewContent.UPDATE_PREFIX} known false positives for your search",
-            "references": [f"{NewContent.UPDATE_PREFIX} zero or more http references to provide more information about your search"],
+            "references": [
+                f"{NewContent.UPDATE_PREFIX} zero or more http references to provide more information about your search"
+            ],
             "drilldown_searches": NewContent.DEFAULT_DRILLDOWN_DEF,
+            "rba": NewContent.DEFAULT_RBA,
             "tags": {
-                "analytic_story": [f"{NewContent.UPDATE_PREFIX} by providing zero or more analytic stories"],
+                "analytic_story": [
+                    f"{NewContent.UPDATE_PREFIX} by providing zero or more analytic stories"
+                ],
                 "asset_type": f"{NewContent.UPDATE_PREFIX} by providing and asset type from {list(AssetType._value2member_map_)}",
-                "confidence": f"{NewContent.UPDATE_PREFIX} by providing a value between 1-100",
-                "impact": f"{NewContent.UPDATE_PREFIX} by providing a value between 1-100",
-                "message": f"{NewContent.UPDATE_PREFIX} by providing a risk message. Fields in your search results can be referenced using $fieldName$",
                 "mitre_attack_id": mitre_attack_ids,
-                "observable": [
-                    {"name": f"{NewContent.UPDATE_PREFIX} the field name of the observable. This is a field that exists in your search results.", "type": f"{NewContent.UPDATE_PREFIX} the type of your observable from the list {list(SES_OBSERVABLE_TYPE_MAPPING.keys())}.", "role": [f"{NewContent.UPDATE_PREFIX} the role from the list {list(SES_OBSERVABLE_ROLE_MAPPING.keys())}"]}
-                ],
                 "product": [
                     "Splunk Enterprise",
                     "Splunk Enterprise Security",
@@ -107,44 +123,58 @@ class NewContent:
         if answers["detection_type"] not in ["TTP", "Anomaly", "Correlation"]:
             del output_file_answers["drilldown_searches"]
 
-        return output_file_answers, answers['detection_kind']
+        if answers["detection_type"] not in ["TTP", "Anomaly"]:
+            del output_file_answers["rba"]
+
+        return output_file_answers, answers["detection_kind"]
 
     def buildStory(self) -> dict[str, Any]:
         questions = NewContentQuestions.get_questions_story()
         answers = questionary.prompt(
-            questions, 
-            kbi_msg="User did not answer all of the prompt questions. Exiting...")
+            questions,
+            kbi_msg="User did not answer all of the prompt questions. Exiting...",
+        )
         if not answers:
             raise ValueError("User didn't answer one or more questions!")
-        answers['name'] = answers['story_name']
-        del answers['story_name']
-        answers['id'] = str(uuid.uuid4())
-        answers['version'] = 1
-        answers['date'] = datetime.today().strftime('%Y-%m-%d')
-        answers['author'] = answers['story_author']
-        del answers['story_author']
-        answers['description'] = 'UPDATE_DESCRIPTION'
-        answers['narrative'] = 'UPDATE_NARRATIVE'
-        answers['references'] = []
-        answers['tags'] = dict()
-        answers['tags']['category'] = answers['category']
-        del answers['category']
-        answers['tags']['product'] = ['Splunk Enterprise','Splunk Enterprise Security','Splunk Cloud']
-        answers['tags']['usecase'] = answers['usecase']
-        del answers['usecase']
-        answers['tags']['cve'] = ['UPDATE WITH CVE(S) IF APPLICABLE']
+        answers["name"] = answers["story_name"]
+        del answers["story_name"]
+        answers["id"] = str(uuid.uuid4())
+        answers["version"] = 1
+        answers["status"] = "production"
+        answers["date"] = datetime.today().strftime("%Y-%m-%d")
+        answers["author"] = answers["story_author"]
+        del answers["story_author"]
+        answers["description"] = "UPDATE_DESCRIPTION"
+        answers["narrative"] = "UPDATE_NARRATIVE"
+        answers["references"] = []
+        answers["tags"] = dict()
+        answers["tags"]["category"] = answers["category"]
+        del answers["category"]
+        answers["tags"]["product"] = [
+            "Splunk Enterprise",
+            "Splunk Enterprise Security",
+            "Splunk Cloud",
+        ]
+        answers["tags"]["usecase"] = answers["usecase"]
+        del answers["usecase"]
+        answers["tags"]["cve"] = ["UPDATE WITH CVE(S) IF APPLICABLE"]
         return answers
 
     def execute(self, input_dto: new) -> None:
         if input_dto.type == NewContentType.detection:
             content_dict, detection_kind = self.buildDetection()
-            subdirectory = pathlib.Path('detections') / detection_kind
+            subdirectory = pathlib.Path("detections") / detection_kind
         elif input_dto.type == NewContentType.story:
             content_dict = self.buildStory()
-            subdirectory = pathlib.Path('stories')
+            subdirectory = pathlib.Path("stories")
         else:
             raise Exception(f"Unsupported new content type: [{input_dto.type}]")
 
-        full_output_path = input_dto.path / subdirectory / SecurityContentObject_Abstract.contentNameToFileName(content_dict.get('name'))
+        full_output_path = (
+            input_dto.path
+            / subdirectory
+            / SecurityContentObject_Abstract.contentNameToFileName(
+                content_dict.get("name")
+            )
+        )
         YmlWriter.writeYmlFile(str(full_output_path), content_dict)
-