contentctl 5.0.0a3__tar.gz → 5.0.2__tar.gz

{contentctl-5.0.0a3 → contentctl-5.0.2}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.3
 Name: contentctl
-Version: 5.0.0a3
+Version: 5.0.2
 Summary: Splunk Content Control Tool
 License: Apache 2.0
 Author: STRT

{contentctl-5.0.0a3 → contentctl-5.0.2}/contentctl/actions/inspect.py

@@ -1,23 +1,45 @@
-import sys
-from dataclasses import dataclass
-import pathlib
-import json
 import datetime
-import timeit
+import json
+import pathlib
+import sys
 import time
+import timeit
+from dataclasses import dataclass
+from io import BufferedReader
 
-from requests import Session, post, get
+from requests import Session, get, post
 from requests.auth import HTTPBasicAuth
 
 from contentctl.objects.config import inspect
-from contentctl.objects.savedsearches_conf import SavedsearchesConf
 from contentctl.objects.errors import (
-    MetadataValidationError,
     DetectionIDError,
     DetectionMissingError,
-    VersionDecrementedError,
+    MetadataValidationError,
     VersionBumpingError,
+    VersionDecrementedError,
 )
+from contentctl.objects.savedsearches_conf import SavedsearchesConf
+
+"""
+The following list includes all appinspect tags available from:
+https://dev.splunk.com/enterprise/reference/appinspect/appinspecttagreference/
+
+This allows contentctl to be as forward-leaning as possible in catching
+any potential issues on the widest variety of stacks.
+"""
+INCLUDED_TAGS_LIST = [
+    "aarch64_compatibility",
+    "ast",
+    "cloud",
+    "future",
+    "manual",
+    "packaging_standards",
+    "private_app",
+    "private_classic",
+    "private_victoria",
+    "splunk_appinspect",
+]
+INCLUDED_TAGS_STRING = ",".join(INCLUDED_TAGS_LIST)
 
 
 @dataclass(frozen=True)
@@ -28,7 +50,6 @@ class InspectInputDto:
 class Inspect:
     def execute(self, config: inspect) -> str:
         if config.build_app or config.build_api:
-            self.inspectAppCLI(config)
             appinspect_token = self.inspectAppAPI(config)
 
             if config.enable_metadata_validation:
@@ -49,10 +70,6 @@ class Inspect:
         session.auth = HTTPBasicAuth(
             config.splunk_api_username, config.splunk_api_password
         )
-        if config.stack_type not in ["victoria", "classic"]:
-            raise Exception(
-                f"stack_type MUST be either 'classic' or 'victoria', NOT '{config.stack_type}'"
-            )
 
         APPINSPECT_API_LOGIN = "https://api.splunk.com/2.0/rest/login/splunk"
 
@@ -64,10 +81,6 @@ class Inspect:
         APPINSPECT_API_VALIDATION_REQUEST = (
             "https://appinspect.splunk.com/v1/app/validate"
         )
-        headers = {
-            "Authorization": f"bearer {authorization_bearer}",
-            "Cache-Control": "no-cache",
-        }
 
         package_path = config.getPackageFilePath(include_version=False)
         if not package_path.is_file():
@@ -77,18 +90,43 @@ class Inspect:
                 "trying to 'contentctl deploy_acs' the package BEFORE running 'contentctl build'?"
             )
 
-        files = {
+        """
+        Some documentation on "files" argument for requests.post exists here:
+        https://docs.python-requests.org/en/latest/api/
+        The type (None, INCLUDED_TAGS_STRING) is intentional, and the None is important.
+        In curl syntax, the request we make below is equivalent to
+        curl -X POST \
+            -H "Authorization: bearer <TOKEN>" \
+            -H "Cache-Control: no-cache" \
+            -F "app_package=@<PATH/APP-PACKAGE>" \
+            -F "included_tags=cloud" \
+            --url "https://appinspect.splunk.com/v1/app/validate"
+        
+        This is confirmed by the great resource:
+        https://curlconverter.com/
+        """
+        data: dict[str, tuple[None, str] | BufferedReader] = {
             "app_package": open(package_path, "rb"),
-            "included_tags": (None, "cloud"),
+            "included_tags": (
+                None,
+                INCLUDED_TAGS_STRING,
+            ),  # tuple with None is intentional here
         }
 
-        res = post(APPINSPECT_API_VALIDATION_REQUEST, headers=headers, files=files)
+        headers = {
+            "Authorization": f"bearer {authorization_bearer}",
+            "Cache-Control": "no-cache",
+        }
+
+        res = post(APPINSPECT_API_VALIDATION_REQUEST, files=data, headers=headers)
 
         res.raise_for_status()
 
         request_id = res.json().get("request_id", None)
-        APPINSPECT_API_VALIDATION_STATUS = f"https://appinspect.splunk.com/v1/app/validate/status/{request_id}?included_tags=private_{config.stack_type}"
-        headers = headers = {"Authorization": f"bearer {authorization_bearer}"}
+        APPINSPECT_API_VALIDATION_STATUS = (
+            f"https://appinspect.splunk.com/v1/app/validate/status/{request_id}"
+        )
+
         startTime = timeit.default_timer()
         # the first time, wait for 40 seconds. subsequent times, wait for less.
         # this is because appinspect takes some time to return, so there is no sense
@@ -114,7 +152,9 @@ class Inspect:
                 raise Exception(f"Error - Unknown Appinspect API status '{status}'")
 
         # We have finished running appinspect, so get the report
-        APPINSPECT_API_REPORT = f"https://appinspect.splunk.com/v1/app/report/{request_id}?included_tags=private_{config.stack_type}"
+        APPINSPECT_API_REPORT = (
+            f"https://appinspect.splunk.com/v1/app/report/{request_id}"
+        )
         # Get human-readable HTML report
         headers = headers = {
             "Authorization": f"bearer {authorization_bearer}",
@@ -159,14 +199,14 @@ class Inspect:
                 "\t - https://dev.splunk.com/enterprise/docs/developapps/testvalidate/appinspect/useappinspectclitool/"
             )
             from splunk_appinspect.main import (
-                validate,
-                MODE_OPTION,
                 APP_PACKAGE_ARGUMENT,
-                OUTPUT_FILE_OPTION,
-                LOG_FILE_OPTION,
-                INCLUDED_TAGS_OPTION,
                 EXCLUDED_TAGS_OPTION,
+                INCLUDED_TAGS_OPTION,
+                LOG_FILE_OPTION,
+                MODE_OPTION,
+                OUTPUT_FILE_OPTION,
                 TEST_MODE,
+                validate,
             )
         except Exception as e:
             print(e)

{contentctl-5.0.0a3 → contentctl-5.0.2}/contentctl/actions/new_content.py

@@ -32,6 +32,14 @@ class NewContent:
         },
     ]
 
+    DEFAULT_RBA = {
+        "message": "Risk Message goes here",
+        "risk_objects": [{"field": "dest", "type": "system", "score": 10}],
+        "threat_objects": [
+            {"field": "parent_process_name", "type": "parent_process_name"}
+        ],
+    }
+
     def buildDetection(self) -> tuple[dict[str, Any], str]:
         questions = NewContentQuestions.get_questions_detection()
         answers: dict[str, str] = questionary.prompt(
@@ -42,8 +50,8 @@ class NewContent:
             raise ValueError("User didn't answer one or more questions!")
 
         data_source_field = (
-            answers["data_source"]
-            if len(answers["data_source"]) > 0
+            answers["data_sources"]
+            if len(answers["data_sources"]) > 0
             else [f"{NewContent.UPDATE_PREFIX} zero or more data_sources"]
         )
         file_name = (
@@ -83,19 +91,12 @@ class NewContent:
                 f"{NewContent.UPDATE_PREFIX} zero or more http references to provide more information about your search"
             ],
             "drilldown_searches": NewContent.DEFAULT_DRILLDOWN_DEF,
-            "rba": {
-                "message": "Risk Messages goes here",
-                "risk_objects": [],
-                "threat_objects": [],
-            },
+            "rba": NewContent.DEFAULT_RBA,
             "tags": {
                 "analytic_story": [
                     f"{NewContent.UPDATE_PREFIX} by providing zero or more analytic stories"
                 ],
                 "asset_type": f"{NewContent.UPDATE_PREFIX} by providing and asset type from {list(AssetType._value2member_map_)}",
-                "confidence": f"{NewContent.UPDATE_PREFIX} by providing a value between 1-100",
-                "impact": f"{NewContent.UPDATE_PREFIX} by providing a value between 1-100",
-                "message": f"{NewContent.UPDATE_PREFIX} by providing a risk message. Fields in your search results can be referenced using $fieldName$",
                 "mitre_attack_id": mitre_attack_ids,
                 "product": [
                     "Splunk Enterprise",
@@ -139,6 +140,7 @@ class NewContent:
         del answers["story_name"]
         answers["id"] = str(uuid.uuid4())
         answers["version"] = 1
+        answers["status"] = "production"
         answers["date"] = datetime.today().strftime("%Y-%m-%d")
         answers["author"] = answers["story_author"]
         del answers["story_author"]

{contentctl-5.0.0a3 → contentctl-5.0.2}/contentctl/contentctl.py

@@ -1,7 +1,9 @@
 import pathlib
+import random
 import sys
 import traceback
 import warnings
+from dataclasses import dataclass
 
 import tyro
 
@@ -155,6 +157,35 @@ YOU HAVE BEEN WARNED!
 """
 
 
+def get_random_compliment():
+    compliments = [
+        "Your detection rules are like a zero-day shield! 🛡️",
+        "You catch threats like it's child's play! 🎯",
+        "Your correlation rules are pure genius! 🧠",
+        "Threat actors fear your detection engineering! ⚔️",
+        "You're the SOC's secret weapon! 🦾",
+        "Your false positive rate is impressively low! 📊",
+        "Malware trembles at your detection logic! 🦠",
+        "You're the threat hunter extraordinaire! 🔍",
+        "Your MITRE mappings are a work of art! 🎨",
+        "APTs have nightmares about your detections! 👻",
+        "Your content testing is bulletproof! 🎯",
+        "You're the detection engineering MVP! 🏆",
+    ]
+    return random.choice(compliments)
+
+
+def recognize_func():
+    print(get_random_compliment())
+
+
+@dataclass
+class RecognizeCommand:
+    """Dummy subcommand for 'recognize' with no parameters."""
+
+    pass
+
+
 def main():
     print(CONTENTCTL_5_WARNING)
     try:
@@ -210,6 +241,7 @@ def main():
             "test_servers": test_servers.model_construct(**t.__dict__),
             "release_notes": release_notes.model_construct(**config_obj),
             "deploy_acs": deploy_acs.model_construct(**t.__dict__),
+            "recognize": RecognizeCommand(),
         }
     )
 
@@ -240,6 +272,8 @@ def main():
             deploy_acs_func(updated_config)
         elif type(config) is test or type(config) is test_servers:
             test_common_func(config)
+        elif type(config) is RecognizeCommand:
+            recognize_func()
         else:
             raise Exception(f"Unknown command line type '{type(config).__name__}'")
     except FileNotFoundError as e:

{contentctl-5.0.0a3 → contentctl-5.0.2}/contentctl/objects/abstract_security_content_objects/detection_abstract.py

@@ -383,21 +383,17 @@ class Detection_Abstract(SecurityContentObject):
     @computed_field
     @property
     def risk(self) -> list[dict[str, Any]]:
-        risk_objects: list[dict[str, str | int]] = []
-
-        for entity in self.rba.risk_objects:
-            risk_object: dict[str, str | int] = dict()
-            risk_object["risk_object_type"] = entity.type
-            risk_object["risk_object_field"] = entity.field
-            risk_object["risk_score"] = entity.score
-            risk_objects.append(risk_object)
-
-        for entity in self.rba.threat_objects:
-            threat_object: dict[str, str] = dict()
-            threat_object["threat_object_field"] = entity.field
-            threat_object["threat_object_type"] = entity.type
-            risk_objects.append(threat_object)
-        return risk_objects
+        if self.rba is None:
+            raise Exception(
+                f"Attempting to serialize rba section of [{self.name}], however RBA section is None"
+            )
+        """
+        action.risk.param._risk
+        of the conf file only contains a list of dicts. We do not eant to 
+        include the message here, so we do not return it.
+        """
+        rba_dict = self.rba.model_dump()
+        return rba_dict["risk_objects"] + rba_dict["threat_objects"]
 
     @computed_field
     @property

{contentctl-5.0.0a3 → contentctl-5.0.2}/contentctl/objects/abstract_security_content_objects/security_content_object_abstract.py

@@ -1,31 +1,39 @@
 from __future__ import annotations
-from typing import TYPE_CHECKING, Self, Any
+
+from typing import TYPE_CHECKING, Any, Self
 
 if TYPE_CHECKING:
+    from contentctl.input.director import DirectorOutputDto
     from contentctl.objects.deployment import Deployment
     from contentctl.objects.security_content_object import SecurityContentObject
-    from contentctl.input.director import DirectorOutputDto
 
-from contentctl.objects.enums import AnalyticsType
-from contentctl.objects.constants import CONTENTCTL_MAX_STANZA_LENGTH
 import abc
-import uuid
 import datetime
+import pathlib
 import pprint
+import uuid
+from functools import cached_property
+from typing import List, Optional, Tuple, Union
+
 from pydantic import (
     BaseModel,
-    field_validator,
+    ConfigDict,
     Field,
-    ValidationInfo,
     FilePath,
     HttpUrl,
     NonNegativeInt,
-    ConfigDict,
+    ValidationInfo,
+    computed_field,
+    field_validator,
     model_serializer,
 )
-from typing import Tuple, Optional, List, Union
-import pathlib
 
+from contentctl.objects.constants import (
+    CONTENTCTL_MAX_STANZA_LENGTH,
+    DEPRECATED_TEMPLATE,
+    EXPERIMENTAL_TEMPLATE,
+)
+from contentctl.objects.enums import AnalyticsType, DetectionStatus
 
 NO_FILE_NAME = "NO_FILE_NAME"
 
@@ -44,6 +52,41 @@ class SecurityContentObject_Abstract(BaseModel, abc.ABC):
     def model_post_init(self, __context: Any) -> None:
         self.ensureFileNameMatchesSearchName()
 
+    @computed_field
+    @cached_property
+    def status_aware_description(self) -> str:
+        """We need to be able to write out a description that includes information
+        about whether or not a detection has been deprecated or not. This is important
+        for providing information to the user as well as powering the deprecation
+        assistant dashboad(s). Make sure this information is output correctly, if
+        appropriate.
+        Otherwise, if a detection is not deprecated or experimental, just return th
+        unmodified description.
+
+        Raises:
+            NotImplementedError: This content type does not support status_aware_description.
+            This is because the object does not define a status field
+
+        Returns:
+            str: description, which may or may not be prefixed with the deprecation/experimental message
+        """
+        status = getattr(self, "status", None)
+
+        if not isinstance(status, DetectionStatus):
+            raise NotImplementedError(
+                f"Detection status is not implemented for [{self.name}] of type '{type(self).__name__}'"
+            )
+        if status == DetectionStatus.experimental:
+            return EXPERIMENTAL_TEMPLATE.format(
+                content_type=type(self).__name__, description=self.description
+            )
+        elif status == DetectionStatus.deprecated:
+            return DEPRECATED_TEMPLATE.format(
+                content_type=type(self).__name__, description=self.description
+            )
+        else:
+            return self.description
+
     @model_serializer
     def serialize_model(self):
         return {

{contentctl-5.0.0a3 → contentctl-5.0.2}/contentctl/objects/baseline.py

@@ -1,28 +1,28 @@
 from __future__ import annotations
-from typing import Annotated, List, Any, TYPE_CHECKING
+
+from typing import TYPE_CHECKING, Annotated, Any, List, Literal
 
 if TYPE_CHECKING:
     from contentctl.input.director import DirectorOutputDto
 
 from pydantic import (
-    field_validator,
-    ValidationInfo,
     Field,
-    model_serializer,
+    ValidationInfo,
     computed_field,
+    field_validator,
+    model_serializer,
 )
-from contentctl.objects.deployment import Deployment
-from contentctl.objects.security_content_object import SecurityContentObject
-from contentctl.objects.enums import DataModel
-from contentctl.objects.baseline_tags import BaselineTags
 
+from contentctl.objects.baseline_tags import BaselineTags
 from contentctl.objects.config import CustomApp
-
-from contentctl.objects.lookup import Lookup
 from contentctl.objects.constants import (
-    CONTENTCTL_MAX_SEARCH_NAME_LENGTH,
     CONTENTCTL_BASELINE_STANZA_NAME_FORMAT_TEMPLATE,
+    CONTENTCTL_MAX_SEARCH_NAME_LENGTH,
 )
+from contentctl.objects.deployment import Deployment
+from contentctl.objects.enums import DataModel, DetectionStatus
+from contentctl.objects.lookup import Lookup
+from contentctl.objects.security_content_object import SecurityContentObject
 
 
 class Baseline(SecurityContentObject):
@@ -35,6 +35,7 @@ class Baseline(SecurityContentObject):
     lookups: list[Lookup] = Field([], validate_default=True)
     # enrichment
     deployment: Deployment = Field({})
+    status: Literal[DetectionStatus.production, DetectionStatus.deprecated]
 
     @field_validator("lookups", mode="before")
     @classmethod

{contentctl-5.0.0a3 → contentctl-5.0.2}/contentctl/objects/config.py

@@ -425,7 +425,6 @@ class inspect(build):
             "enforcement (defaults to the latest release of the app published on Splunkbase)."
         ),
     )
-    stack_type: StackType = Field(description="The type of your Splunk Cloud Stack")
 
     @field_validator("enrichments", mode="after")
     @classmethod
@@ -496,6 +495,9 @@ class new(Config_Base):
 
 class deploy_acs(inspect):
     model_config = ConfigDict(validate_default=False, arbitrary_types_allowed=True)
+
+    stack_type: StackType = Field(description="The type of your Splunk Cloud Stack")
+
     # ignore linter error
     splunk_cloud_jwt_token: str = Field(
         exclude=True,

{contentctl-5.0.0a3 → contentctl-5.0.2}/contentctl/objects/constants.py

@@ -144,3 +144,6 @@ CONTENTCTL_MAX_SEARCH_NAME_LENGTH = CONTENTCTL_MAX_STANZA_LENGTH - len(
         app_label="ESCU", detection_name=""
     )
 )
+
+DEPRECATED_TEMPLATE = "**WARNING**, this {content_type} has been marked **DEPRECATED** by the Splunk Threat Research Team. This means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com. {description}"
+EXPERIMENTAL_TEMPLATE = "**WARNING**, this {content_type} is marked **EXPERIMENTAL** by the Splunk Threat Research Team. This means that the {content_type} has been manually tested but we do not have the associated attack data to perform automated testing or cannot share this attack dataset due to its sensitive nature. If you have any questions feel free to email us at: research@splunk.com. {description}"

{contentctl-5.0.0a3 → contentctl-5.0.2}/contentctl/objects/data_source.py

@@ -1,6 +1,9 @@
 from __future__ import annotations
-from typing import Optional, Any
-from pydantic import Field, HttpUrl, model_serializer, BaseModel
+
+from typing import Any, Optional
+
+from pydantic import BaseModel, Field, HttpUrl, model_serializer
+
 from contentctl.objects.security_content_object import SecurityContentObject
 
 
@@ -20,6 +23,7 @@ class DataSource(SecurityContentObject):
     field_mappings: None | list = None
     convert_to_log_source: None | list = None
     example_log: None | str = None
+    output_fields: list[str] = []
 
     @model_serializer
     def serialize_model(self):

{contentctl-5.0.0a3 → contentctl-5.0.2}/contentctl/objects/investigation.py

@@ -1,16 +1,19 @@
 from __future__ import annotations
+
 import re
-from typing import List, Any
-from pydantic import computed_field, Field, ConfigDict, model_serializer
-from contentctl.objects.security_content_object import SecurityContentObject
-from contentctl.objects.enums import DataModel
-from contentctl.objects.investigation_tags import InvestigationTags
+from typing import Any, List, Literal
+
+from pydantic import ConfigDict, Field, computed_field, model_serializer
+
+from contentctl.objects.config import CustomApp
 from contentctl.objects.constants import (
     CONTENTCTL_MAX_SEARCH_NAME_LENGTH,
-    CONTENTCTL_RESPONSE_TASK_NAME_FORMAT_TEMPLATE,
     CONTENTCTL_MAX_STANZA_LENGTH,
+    CONTENTCTL_RESPONSE_TASK_NAME_FORMAT_TEMPLATE,
 )
-from contentctl.objects.config import CustomApp
+from contentctl.objects.enums import DataModel, DetectionStatus
+from contentctl.objects.investigation_tags import InvestigationTags
+from contentctl.objects.security_content_object import SecurityContentObject
 
 
 class Investigation(SecurityContentObject):
@@ -21,6 +24,7 @@ class Investigation(SecurityContentObject):
     how_to_implement: str = Field(...)
     known_false_positives: str = Field(...)
     tags: InvestigationTags
+    status: Literal[DetectionStatus.production, DetectionStatus.deprecated]
 
     # enrichment
     @computed_field
@@ -99,3 +103,6 @@ class Investigation(SecurityContentObject):
         # back to itself
         for story in self.tags.analytic_story:
             story.investigations.append(self)
+        # back to itself
+        for story in self.tags.analytic_story:
+            story.investigations.append(self)

{contentctl-5.0.0a3 → contentctl-5.0.2}/contentctl/objects/rba.py

@@ -1,9 +1,12 @@
-from enum import Enum
-from pydantic import BaseModel, computed_field, Field
+from __future__ import annotations
+
 from abc import ABC
-from typing import Set, Annotated
-from contentctl.objects.enums import RiskSeverity
+from enum import Enum
+from typing import Annotated, Set
 
+from pydantic import BaseModel, Field, computed_field, model_serializer
+
+from contentctl.objects.enums import RiskSeverity
 
 RiskScoreValue_Type = Annotated[int, Field(ge=1, le=100)]
 
@@ -51,6 +54,28 @@ class RiskObject(BaseModel):
     def __hash__(self):
         return hash((self.field, self.type, self.score))
 
+    def __lt__(self, other: RiskObject) -> bool:
+        if (
+            f"{self.field}{self.type}{self.score}"
+            < f"{other.field}{other.type}{other.score}"
+        ):
+            return True
+        return False
+
+    @model_serializer
+    def serialize_risk_object(self) -> dict[str, str | int]:
+        """
+        We define this explicitly for two reasons, even though the automatic
+        serialization works correctly.  First we want to enforce a specific
+        field order for reasons of readability. Second, some of the fields
+        actually have different names than they do in the object.
+        """
+        return {
+            "risk_object_field": self.field,
+            "risk_object_type": self.type,
+            "risk_score": self.score,
+        }
+
 
 class ThreatObject(BaseModel):
     field: str
@@ -59,6 +84,24 @@ class ThreatObject(BaseModel):
     def __hash__(self):
         return hash((self.field, self.type))
 
+    def __lt__(self, other: ThreatObject) -> bool:
+        if f"{self.field}{self.type}" < f"{other.field}{other.type}":
+            return True
+        return False
+
+    @model_serializer
+    def serialize_threat_object(self) -> dict[str, str]:
+        """
+        We define this explicitly for two reasons, even though the automatic
+        serialization works correctly.  First we want to enforce a specific
+        field order for reasons of readability. Second, some of the fields
+        actually have different names than they do in the object.
+        """
+        return {
+            "threat_object_field": self.field,
+            "threat_object_type": self.type,
+        }
+
 
 class RBAObject(BaseModel, ABC):
     message: str
@@ -94,3 +137,11 @@ class RBAObject(BaseModel, ABC):
             raise Exception(
                 f"Error getting severity - risk_score must be between 0-100, but was actually {self.risk_score}"
             )
+
+    @model_serializer
+    def serialize_rba(self) -> dict[str, str | list[dict[str, str | int]]]:
+        return {
+            "message": self.message,
+            "risk_objects": [obj.model_dump() for obj in sorted(self.risk_objects)],
+            "threat_objects": [obj.model_dump() for obj in sorted(self.threat_objects)],
+        }

{contentctl-5.0.0a3 → contentctl-5.0.2}/contentctl/objects/story.py

@@ -1,23 +1,27 @@
 from __future__ import annotations
-from typing import TYPE_CHECKING, List
-from contentctl.objects.story_tags import StoryTags
-from pydantic import Field, model_serializer, computed_field, model_validator
+
 import re
+from typing import TYPE_CHECKING, List, Literal
+
+from pydantic import Field, computed_field, model_serializer, model_validator
+
+from contentctl.objects.story_tags import StoryTags
 
 if TYPE_CHECKING:
-    from contentctl.objects.detection import Detection
-    from contentctl.objects.investigation import Investigation
     from contentctl.objects.baseline import Baseline
-    from contentctl.objects.data_source import DataSource
     from contentctl.objects.config import CustomApp
+    from contentctl.objects.data_source import DataSource
+    from contentctl.objects.detection import Detection
+    from contentctl.objects.investigation import Investigation
 
+from contentctl.objects.enums import DetectionStatus
 from contentctl.objects.security_content_object import SecurityContentObject
 
 
 class Story(SecurityContentObject):
     narrative: str = Field(...)
     tags: StoryTags = Field(...)
-
+    status: Literal[DetectionStatus.production, DetectionStatus.deprecated]
     # These are updated when detection and investigation objects are created.
     # Specifically in the model_post_init functions
     detections: List[Detection] = []