contentctl 5.0.0a3__tar.gz → 5.0.1__tar.gz

{contentctl-5.0.0a3 → contentctl-5.0.1}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.3
 Name: contentctl
-Version: 5.0.0a3
+Version: 5.0.1
 Summary: Splunk Content Control Tool
 License: Apache 2.0
 Author: STRT

{contentctl-5.0.0a3 → contentctl-5.0.1}/contentctl/actions/new_content.py

@@ -32,6 +32,14 @@ class NewContent:
         },
     ]
 
+    DEFAULT_RBA = {
+        "message": "Risk Message goes here",
+        "risk_objects": [{"field": "dest", "type": "system", "score": 10}],
+        "threat_objects": [
+            {"field": "parent_process_name", "type": "parent_process_name"}
+        ],
+    }
+
     def buildDetection(self) -> tuple[dict[str, Any], str]:
         questions = NewContentQuestions.get_questions_detection()
         answers: dict[str, str] = questionary.prompt(
@@ -42,8 +50,8 @@ class NewContent:
             raise ValueError("User didn't answer one or more questions!")
 
         data_source_field = (
-            answers["data_source"]
-            if len(answers["data_source"]) > 0
+            answers["data_sources"]
+            if len(answers["data_sources"]) > 0
             else [f"{NewContent.UPDATE_PREFIX} zero or more data_sources"]
         )
         file_name = (
@@ -83,19 +91,12 @@ class NewContent:
                 f"{NewContent.UPDATE_PREFIX} zero or more http references to provide more information about your search"
             ],
             "drilldown_searches": NewContent.DEFAULT_DRILLDOWN_DEF,
-            "rba": {
-                "message": "Risk Messages goes here",
-                "risk_objects": [],
-                "threat_objects": [],
-            },
+            "rba": NewContent.DEFAULT_RBA,
             "tags": {
                 "analytic_story": [
                     f"{NewContent.UPDATE_PREFIX} by providing zero or more analytic stories"
                 ],
                 "asset_type": f"{NewContent.UPDATE_PREFIX} by providing and asset type from {list(AssetType._value2member_map_)}",
-                "confidence": f"{NewContent.UPDATE_PREFIX} by providing a value between 1-100",
-                "impact": f"{NewContent.UPDATE_PREFIX} by providing a value between 1-100",
-                "message": f"{NewContent.UPDATE_PREFIX} by providing a risk message. Fields in your search results can be referenced using $fieldName$",
                 "mitre_attack_id": mitre_attack_ids,
                 "product": [
                     "Splunk Enterprise",
@@ -139,6 +140,7 @@ class NewContent:
         del answers["story_name"]
         answers["id"] = str(uuid.uuid4())
         answers["version"] = 1
+        answers["status"] = "production"
         answers["date"] = datetime.today().strftime("%Y-%m-%d")
         answers["author"] = answers["story_author"]
         del answers["story_author"]

{contentctl-5.0.0a3 → contentctl-5.0.1}/contentctl/objects/abstract_security_content_objects/detection_abstract.py

@@ -383,21 +383,17 @@ class Detection_Abstract(SecurityContentObject):
     @computed_field
     @property
     def risk(self) -> list[dict[str, Any]]:
-        risk_objects: list[dict[str, str | int]] = []
-
-        for entity in self.rba.risk_objects:
-            risk_object: dict[str, str | int] = dict()
-            risk_object["risk_object_type"] = entity.type
-            risk_object["risk_object_field"] = entity.field
-            risk_object["risk_score"] = entity.score
-            risk_objects.append(risk_object)
-
-        for entity in self.rba.threat_objects:
-            threat_object: dict[str, str] = dict()
-            threat_object["threat_object_field"] = entity.field
-            threat_object["threat_object_type"] = entity.type
-            risk_objects.append(threat_object)
-        return risk_objects
+        if self.rba is None:
+            raise Exception(
+                f"Attempting to serialize rba section of [{self.name}], however RBA section is None"
+            )
+        """
+        action.risk.param._risk
+        of the conf file only contains a list of dicts. We do not eant to 
+        include the message here, so we do not return it.
+        """
+        rba_dict = self.rba.model_dump()
+        return rba_dict["risk_objects"] + rba_dict["threat_objects"]
 
     @computed_field
     @property

{contentctl-5.0.0a3 → contentctl-5.0.1}/contentctl/objects/abstract_security_content_objects/security_content_object_abstract.py

@@ -1,31 +1,39 @@
 from __future__ import annotations
-from typing import TYPE_CHECKING, Self, Any
+
+from typing import TYPE_CHECKING, Any, Self
 
 if TYPE_CHECKING:
+    from contentctl.input.director import DirectorOutputDto
     from contentctl.objects.deployment import Deployment
     from contentctl.objects.security_content_object import SecurityContentObject
-    from contentctl.input.director import DirectorOutputDto
 
-from contentctl.objects.enums import AnalyticsType
-from contentctl.objects.constants import CONTENTCTL_MAX_STANZA_LENGTH
 import abc
-import uuid
 import datetime
+import pathlib
 import pprint
+import uuid
+from functools import cached_property
+from typing import List, Optional, Tuple, Union
+
 from pydantic import (
     BaseModel,
-    field_validator,
+    ConfigDict,
     Field,
-    ValidationInfo,
     FilePath,
     HttpUrl,
     NonNegativeInt,
-    ConfigDict,
+    ValidationInfo,
+    computed_field,
+    field_validator,
     model_serializer,
 )
-from typing import Tuple, Optional, List, Union
-import pathlib
 
+from contentctl.objects.constants import (
+    CONTENTCTL_MAX_STANZA_LENGTH,
+    DEPRECATED_TEMPLATE,
+    EXPERIMENTAL_TEMPLATE,
+)
+from contentctl.objects.enums import AnalyticsType, DetectionStatus
 
 NO_FILE_NAME = "NO_FILE_NAME"
 
@@ -44,6 +52,41 @@ class SecurityContentObject_Abstract(BaseModel, abc.ABC):
     def model_post_init(self, __context: Any) -> None:
         self.ensureFileNameMatchesSearchName()
 
+    @computed_field
+    @cached_property
+    def status_aware_description(self) -> str:
+        """We need to be able to write out a description that includes information
+        about whether or not a detection has been deprecated or not. This is important
+        for providing information to the user as well as powering the deprecation
+        assistant dashboad(s). Make sure this information is output correctly, if
+        appropriate.
+        Otherwise, if a detection is not deprecated or experimental, just return th
+        unmodified description.
+
+        Raises:
+            NotImplementedError: This content type does not support status_aware_description.
+            This is because the object does not define a status field
+
+        Returns:
+            str: description, which may or may not be prefixed with the deprecation/experimental message
+        """
+        status = getattr(self, "status", None)
+
+        if not isinstance(status, DetectionStatus):
+            raise NotImplementedError(
+                f"Detection status is not implemented for [{self.name}] of type '{type(self).__name__}'"
+            )
+        if status == DetectionStatus.experimental:
+            return EXPERIMENTAL_TEMPLATE.format(
+                content_type=type(self).__name__, description=self.description
+            )
+        elif status == DetectionStatus.deprecated:
+            return DEPRECATED_TEMPLATE.format(
+                content_type=type(self).__name__, description=self.description
+            )
+        else:
+            return self.description
+
     @model_serializer
     def serialize_model(self):
         return {

{contentctl-5.0.0a3 → contentctl-5.0.1}/contentctl/objects/baseline.py

@@ -1,28 +1,28 @@
 from __future__ import annotations
-from typing import Annotated, List, Any, TYPE_CHECKING
+
+from typing import TYPE_CHECKING, Annotated, Any, List, Literal
 
 if TYPE_CHECKING:
     from contentctl.input.director import DirectorOutputDto
 
 from pydantic import (
-    field_validator,
-    ValidationInfo,
     Field,
-    model_serializer,
+    ValidationInfo,
     computed_field,
+    field_validator,
+    model_serializer,
 )
-from contentctl.objects.deployment import Deployment
-from contentctl.objects.security_content_object import SecurityContentObject
-from contentctl.objects.enums import DataModel
-from contentctl.objects.baseline_tags import BaselineTags
 
+from contentctl.objects.baseline_tags import BaselineTags
 from contentctl.objects.config import CustomApp
-
-from contentctl.objects.lookup import Lookup
 from contentctl.objects.constants import (
-    CONTENTCTL_MAX_SEARCH_NAME_LENGTH,
     CONTENTCTL_BASELINE_STANZA_NAME_FORMAT_TEMPLATE,
+    CONTENTCTL_MAX_SEARCH_NAME_LENGTH,
 )
+from contentctl.objects.deployment import Deployment
+from contentctl.objects.enums import DataModel, DetectionStatus
+from contentctl.objects.lookup import Lookup
+from contentctl.objects.security_content_object import SecurityContentObject
 
 
 class Baseline(SecurityContentObject):
@@ -35,6 +35,7 @@ class Baseline(SecurityContentObject):
     lookups: list[Lookup] = Field([], validate_default=True)
     # enrichment
     deployment: Deployment = Field({})
+    status: Literal[DetectionStatus.production, DetectionStatus.deprecated]
 
     @field_validator("lookups", mode="before")
     @classmethod

{contentctl-5.0.0a3 → contentctl-5.0.1}/contentctl/objects/constants.py

@@ -144,3 +144,6 @@ CONTENTCTL_MAX_SEARCH_NAME_LENGTH = CONTENTCTL_MAX_STANZA_LENGTH - len(
         app_label="ESCU", detection_name=""
     )
 )
+
+DEPRECATED_TEMPLATE = "**WARNING**, this {content_type} has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. {description}"
+EXPERIMENTAL_TEMPLATE = "**WARNING**, this {content_type} is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the {content_type} has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. {description}"

{contentctl-5.0.0a3 → contentctl-5.0.1}/contentctl/objects/investigation.py

@@ -1,16 +1,19 @@
 from __future__ import annotations
+
 import re
-from typing import List, Any
-from pydantic import computed_field, Field, ConfigDict, model_serializer
-from contentctl.objects.security_content_object import SecurityContentObject
-from contentctl.objects.enums import DataModel
-from contentctl.objects.investigation_tags import InvestigationTags
+from typing import Any, List, Literal
+
+from pydantic import ConfigDict, Field, computed_field, model_serializer
+
+from contentctl.objects.config import CustomApp
 from contentctl.objects.constants import (
     CONTENTCTL_MAX_SEARCH_NAME_LENGTH,
-    CONTENTCTL_RESPONSE_TASK_NAME_FORMAT_TEMPLATE,
     CONTENTCTL_MAX_STANZA_LENGTH,
+    CONTENTCTL_RESPONSE_TASK_NAME_FORMAT_TEMPLATE,
 )
-from contentctl.objects.config import CustomApp
+from contentctl.objects.enums import DataModel, DetectionStatus
+from contentctl.objects.investigation_tags import InvestigationTags
+from contentctl.objects.security_content_object import SecurityContentObject
 
 
 class Investigation(SecurityContentObject):
@@ -21,6 +24,7 @@ class Investigation(SecurityContentObject):
     how_to_implement: str = Field(...)
     known_false_positives: str = Field(...)
     tags: InvestigationTags
+    status: Literal[DetectionStatus.production, DetectionStatus.deprecated]
 
     # enrichment
     @computed_field
@@ -99,3 +103,6 @@ class Investigation(SecurityContentObject):
         # back to itself
         for story in self.tags.analytic_story:
             story.investigations.append(self)
+        # back to itself
+        for story in self.tags.analytic_story:
+            story.investigations.append(self)

{contentctl-5.0.0a3 → contentctl-5.0.1}/contentctl/objects/rba.py

@@ -1,9 +1,12 @@
-from enum import Enum
-from pydantic import BaseModel, computed_field, Field
+from __future__ import annotations
+
 from abc import ABC
-from typing import Set, Annotated
-from contentctl.objects.enums import RiskSeverity
+from enum import Enum
+from typing import Annotated, Set
 
+from pydantic import BaseModel, Field, computed_field, model_serializer
+
+from contentctl.objects.enums import RiskSeverity
 
 RiskScoreValue_Type = Annotated[int, Field(ge=1, le=100)]
 
@@ -51,6 +54,28 @@ class RiskObject(BaseModel):
     def __hash__(self):
         return hash((self.field, self.type, self.score))
 
+    def __lt__(self, other: RiskObject) -> bool:
+        if (
+            f"{self.field}{self.type}{self.score}"
+            < f"{other.field}{other.type}{other.score}"
+        ):
+            return True
+        return False
+
+    @model_serializer
+    def serialize_risk_object(self) -> dict[str, str | int]:
+        """
+        We define this explicitly for two reasons, even though the automatic
+        serialization works correctly.  First we want to enforce a specific
+        field order for reasons of readability. Second, some of the fields
+        actually have different names than they do in the object.
+        """
+        return {
+            "risk_object_field": self.field,
+            "risk_object_type": self.type,
+            "risk_score": self.score,
+        }
+
 
 class ThreatObject(BaseModel):
     field: str
@@ -59,6 +84,24 @@ class ThreatObject(BaseModel):
     def __hash__(self):
         return hash((self.field, self.type))
 
+    def __lt__(self, other: ThreatObject) -> bool:
+        if f"{self.field}{self.type}" < f"{other.field}{other.type}":
+            return True
+        return False
+
+    @model_serializer
+    def serialize_threat_object(self) -> dict[str, str]:
+        """
+        We define this explicitly for two reasons, even though the automatic
+        serialization works correctly.  First we want to enforce a specific
+        field order for reasons of readability. Second, some of the fields
+        actually have different names than they do in the object.
+        """
+        return {
+            "threat_object_field": self.field,
+            "threat_object_type": self.type,
+        }
+
 
 class RBAObject(BaseModel, ABC):
     message: str
@@ -94,3 +137,11 @@ class RBAObject(BaseModel, ABC):
             raise Exception(
                 f"Error getting severity - risk_score must be between 0-100, but was actually {self.risk_score}"
             )
+
+    @model_serializer
+    def serialize_rba(self) -> dict[str, str | list[dict[str, str | int]]]:
+        return {
+            "message": self.message,
+            "risk_objects": [obj.model_dump() for obj in sorted(self.risk_objects)],
+            "threat_objects": [obj.model_dump() for obj in sorted(self.threat_objects)],
+        }

{contentctl-5.0.0a3 → contentctl-5.0.1}/contentctl/objects/story.py

@@ -1,23 +1,27 @@
 from __future__ import annotations
-from typing import TYPE_CHECKING, List
-from contentctl.objects.story_tags import StoryTags
-from pydantic import Field, model_serializer, computed_field, model_validator
+
 import re
+from typing import TYPE_CHECKING, List, Literal
+
+from pydantic import Field, computed_field, model_serializer, model_validator
+
+from contentctl.objects.story_tags import StoryTags
 
 if TYPE_CHECKING:
-    from contentctl.objects.detection import Detection
-    from contentctl.objects.investigation import Investigation
     from contentctl.objects.baseline import Baseline
-    from contentctl.objects.data_source import DataSource
     from contentctl.objects.config import CustomApp
+    from contentctl.objects.data_source import DataSource
+    from contentctl.objects.detection import Detection
+    from contentctl.objects.investigation import Investigation
 
+from contentctl.objects.enums import DetectionStatus
 from contentctl.objects.security_content_object import SecurityContentObject
 
 
 class Story(SecurityContentObject):
     narrative: str = Field(...)
     tags: StoryTags = Field(...)
-
+    status: Literal[DetectionStatus.production, DetectionStatus.deprecated]
     # These are updated when detection and investigation objects are created.
     # Specifically in the model_post_init functions
     detections: List[Detection] = []

{contentctl-5.0.0a3 → contentctl-5.0.1}/contentctl/output/templates/analyticstories_detections.j2

@@ -7,7 +7,7 @@
 type = detection
 asset_type = {{ detection.tags.asset_type }}
 confidence = medium
-explanation = {{ (detection.explanation if detection.explanation else detection.description) | escapeNewlines() }}
+explanation = {{ detection.status_aware_description | escapeNewlines() }}
 {% if detection.how_to_implement is defined %}
 how_to_implement = {{ detection.how_to_implement | escapeNewlines() }}
 {% else %}

{contentctl-5.0.0a3 → contentctl-5.0.1}/contentctl/output/templates/analyticstories_stories.j2

@@ -11,7 +11,7 @@ references = {{ story.getReferencesListForJson() | tojson }}
 maintainers = [{"company": "{{ story.author_company }}", "email": "{{ story.author_email }}", "name": "{{ story.author_name }}"}]
 spec_version = 3
 searches = {{ story.storyAndInvestigationNamesWithApp(app) | tojson }}
-description = {{ story.description | escapeNewlines() }}
+description = {{ story.status_aware_description | escapeNewlines() }}
 {% if story.narrative is defined %}
 narrative = {{ story.narrative | escapeNewlines() }}
 {% endif %}

{contentctl-5.0.0a3 → contentctl-5.0.1}/contentctl/output/templates/es_investigations_investigations.j2

@@ -2,7 +2,7 @@
 {% for response_task in objects %}
 [panel://workbench_panel_{{ response_task.lowercase_name }}___response_task]
 label = {{ response_task.name }}
-description = {{ response_task.description | escapeNewlines() }}
+description = {{ response_task.status_aware_description | escapeNewlines() }}
 disabled = 0
 tokens = {\
 {% for token in response_task.inputs %}

{contentctl-5.0.0a3 → contentctl-5.0.1}/contentctl/output/templates/es_investigations_stories.j2

@@ -2,7 +2,7 @@
 {% for story in objects %}
 [panel_group://workbench_panel_group_{{ story.lowercase_name}}]
 label = {{ story.name }}
-description = {{ story.description | escapeNewlines() }}
+description = {{ story.status_aware_description | escapeNewlines() }}
 disabled = 0
 
 {% if story.workbench_panels is defined %}

{contentctl-5.0.0a3 → contentctl-5.0.1}/contentctl/output/templates/savedsearches_baselines.j2

@@ -8,7 +8,7 @@
 action.escu = 0
 action.escu.enabled = 1
 action.escu.search_type = support
-description = {{ detection.description | escapeNewlines() }}
+description = {{ detection.status_aware_description | escapeNewlines() }}
 action.escu.creation_date = {{ detection.date }}
 action.escu.modification_date = {{ detection.date }}
 {% if detection.tags.analytic_story is defined %}
@@ -29,7 +29,7 @@ action.escu.providing_technologies = {{ detection.providing_technologies | tojso
 {% else %}
 action.escu.providing_technologies = []
 {% endif %}
-action.escu.eli5 = {{ detection.description | escapeNewlines() }}
+action.escu.eli5 = {{ detection.status_aware_description | escapeNewlines() }}
 {% if detection.how_to_implement is defined %}
 action.escu.how_to_implement = {{ detection.how_to_implement | escapeNewlines() }}
 {% else %}

{contentctl-5.0.0a3 → contentctl-5.0.1}/contentctl/output/templates/savedsearches_detections.j2

@@ -5,16 +5,10 @@
 [{{ detection.get_conf_stanza_name(app) }}]
 action.escu = 0
 action.escu.enabled = 1
-{% if detection.status == "deprecated" %}
-description = **WARNING**, this detection has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. {{ detection.description | escapeNewlines() }} 
-{% elif detection.status == "experimental" %}
-description = **WARNING**, this detection is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the detection has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. {{ detection.description | escapeNewlines() }} 
-{% else %}
-description = {{ detection.description | escapeNewlines() }}
-{% endif %}
+description = {{ detection.status_aware_description | escapeNewlines() }} 
 action.escu.mappings = {{ detection.mappings | tojson }}
 action.escu.data_models = {{ detection.datamodel | tojson }}
-action.escu.eli5 = {{ detection.description | escapeNewlines() }}
+action.escu.eli5 = {{ detection.status_aware_description | escapeNewlines() }}
 {% if detection.how_to_implement %}
 action.escu.how_to_implement = {{ detection.how_to_implement | escapeNewlines() }}
 {% else %}

{contentctl-5.0.0a3 → contentctl-5.0.1}/contentctl/output/templates/savedsearches_investigations.j2

@@ -9,7 +9,7 @@
 action.escu = 0
 action.escu.enabled = 1
 action.escu.search_type = investigative
-description = {{ detection.description | escapeNewlines() }}
+description = {{ detection.status_aware_description | escapeNewlines() }}
 action.escu.creation_date = {{ detection.date }}
 action.escu.modification_date = {{ detection.date }}
 {% if detection.tags.analytic_story is defined %}
@@ -21,7 +21,7 @@ action.escu.earliest_time_offset = 3600
 action.escu.latest_time_offset = 86400
 action.escu.providing_technologies = []
 action.escu.data_models = {{ detection.datamodel | tojson }}
-action.escu.eli5 = {{ detection.description | escapeNewlines() }}
+action.escu.eli5 = {{ detection.status_aware_description | escapeNewlines() }}
 action.escu.how_to_implement = none
 action.escu.known_false_positives = None at this time
 disabled = true

{contentctl-5.0.0a3 → contentctl-5.0.1}/contentctl/output/templates/transforms.j2

@@ -13,9 +13,7 @@ default_match = {{ lookup.default_match | lower }}
 {% if lookup.case_sensitive_match is defined and lookup.case_sensitive_match != None %}
 case_sensitive_match = {{ lookup.case_sensitive_match | lower }}
 {% endif %}
-{% if lookup.description is defined and lookup.description != None %}
 # description = {{ lookup.description | escapeNewlines() }}
-{% endif %}
 {% if lookup.match_type | length > 0 %}
 match_type = {{ lookup.match_type_to_conf_format }}
 {% endif %}

{contentctl-5.0.0a3 → contentctl-5.0.1}/contentctl/templates/stories/cobalt_strike.yml

@@ -3,6 +3,7 @@ id: bcfd17e8-5461-400a-80a2-3b7d1459220c
 version: 1
 date: '2021-02-16'
 author: Michael Haag, Splunk
+status: production
 description: Cobalt Strike is threat emulation software. Red teams and penetration
   testers use Cobalt Strike to demonstrate the risk of a breach and evaluate mature
   security programs. Most recently, Cobalt Strike has become the choice tool by threat

{contentctl-5.0.0a3 → contentctl-5.0.1}/pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "contentctl"
-version = "5.0.0-alpha.3"
+version = "5.0.1"
 
 description = "Splunk Content Control Tool"
 authors = ["STRT <research@splunk.com>"]