contentctl 5.0.2__py3-none-any.whl → 5.0.3__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (10) hide show
  1. contentctl/objects/annotated_types.py +5 -2
  2. contentctl/objects/detection_tags.py +57 -4
  3. contentctl/objects/mitre_attack_enrichment.py +16 -3
  4. contentctl/objects/story_tags.py +6 -5
  5. contentctl/templates/detections/endpoint/anomalous_usage_of_7zip.yml +0 -1
  6. {contentctl-5.0.2.dist-info → contentctl-5.0.3.dist-info}/METADATA +1 -1
  7. {contentctl-5.0.2.dist-info → contentctl-5.0.3.dist-info}/RECORD +10 -10
  8. {contentctl-5.0.2.dist-info → contentctl-5.0.3.dist-info}/LICENSE.md +0 -0
  9. {contentctl-5.0.2.dist-info → contentctl-5.0.3.dist-info}/WHEEL +0 -0
  10. {contentctl-5.0.2.dist-info → contentctl-5.0.3.dist-info}/entry_points.txt +0 -0
contentctl/objects/annotated_types.py CHANGED
@@ -1,6 +1,9 @@
1
- from pydantic import Field
2
1
  from typing import Annotated
3
2
 
3
+ from pydantic import Field
4
+
4
5
  CVE_TYPE = Annotated[str, Field(pattern=r"^CVE-[1|2]\d{3}-\d+$")]
5
- MITRE_ATTACK_ID_TYPE = Annotated[str, Field(pattern=r"^T\d{4}(.\d{3})?$")]
6
+ MITRE_ATTACK_ID_TYPE_PARENT = Annotated[str, Field(pattern=r"^T\d{4}$")]
7
+ MITRE_ATTACK_ID_TYPE_SUBTYPE = Annotated[str, Field(pattern=r"^T\d{4}(.\d{3})$")]
8
+ MITRE_ATTACK_ID_TYPE = MITRE_ATTACK_ID_TYPE_PARENT | MITRE_ATTACK_ID_TYPE_SUBTYPE
6
9
  APPID_TYPE = Annotated[str, Field(pattern="^[a-zA-Z0-9_-]+$")]
contentctl/objects/detection_tags.py CHANGED
@@ -33,7 +33,10 @@ from contentctl.objects.enums import (
33
33
  SecurityContentProductName,
34
34
  SecurityDomain,
35
35
  )
36
- from contentctl.objects.mitre_attack_enrichment import MitreAttackEnrichment
36
+ from contentctl.objects.mitre_attack_enrichment import (
37
+ MitreAttackEnrichment,
38
+ MitreAttackGroup,
39
+ )
37
40
 
38
41
 
39
42
  class DetectionTags(BaseModel):
@@ -44,7 +47,7 @@ class DetectionTags(BaseModel):
44
47
  asset_type: AssetType = Field(...)
45
48
  group: list[str] = []
46
49
 
47
- mitre_attack_id: List[MITRE_ATTACK_ID_TYPE] = []
50
+ mitre_attack_id: list[MITRE_ATTACK_ID_TYPE] = []
48
51
  nist: list[NistCategory] = []
49
52
 
50
53
  product: list[SecurityContentProductName] = Field(..., min_length=1)
@@ -68,6 +71,15 @@ class DetectionTags(BaseModel):
68
71
  phases.add(phase)
69
72
  return sorted(list(phases))
70
73
 
74
+ # We do not want this to be included in serialization. By default, @property
75
+ # objects are not included in dumps
76
+ @property
77
+ def unique_mitre_attack_groups(self) -> list[MitreAttackGroup]:
78
+ group_set: set[MitreAttackGroup] = set()
79
+ for enrichment in self.mitre_attack_enrichments:
80
+ group_set.update(set(enrichment.mitre_attack_group_objects))
81
+ return sorted(group_set, key=lambda k: k.group)
82
+
71
83
  # enum is intentionally Cis18 even though field is named cis20 for legacy reasons
72
84
  @computed_field
73
85
  @property
@@ -134,8 +146,8 @@ class DetectionTags(BaseModel):
134
146
 
135
147
  if len(missing_tactics) > 0:
136
148
  raise ValueError(f"Missing Mitre Attack IDs. {missing_tactics} not found.")
137
- else:
138
- self.mitre_attack_enrichments = mitre_enrichments
149
+
150
+ self.mitre_attack_enrichments = mitre_enrichments
139
151
 
140
152
  return self
141
153
 
@@ -159,6 +171,44 @@ class DetectionTags(BaseModel):
159
171
  return enrichments
160
172
  """
161
173
 
174
+ @field_validator("mitre_attack_id", mode="after")
175
+ @classmethod
176
+ def sameTypeAndSubtypeNotPresent(
177
+ cls, techniques_and_subtechniques: list[MITRE_ATTACK_ID_TYPE]
178
+ ) -> list[MITRE_ATTACK_ID_TYPE]:
179
+ techniques: list[str] = [
180
+ f"{unknown_technique}."
181
+ for unknown_technique in techniques_and_subtechniques
182
+ if "." not in unknown_technique
183
+ ]
184
+ subtechniques: list[MITRE_ATTACK_ID_TYPE] = [
185
+ unknown_technique
186
+ for unknown_technique in techniques_and_subtechniques
187
+ if "." in unknown_technique
188
+ ]
189
+ subtype_and_parent_exist_exceptions: list[ValueError] = []
190
+
191
+ for subtechnique in subtechniques:
192
+ for technique in techniques:
193
+ if subtechnique.startswith(technique):
194
+ subtype_and_parent_exist_exceptions.append(
195
+ ValueError(
196
+ f" Technique : {technique.split('.')[0]}\n"
197
+ f" SubTechnique: {subtechnique}\n"
198
+ )
199
+ )
200
+
201
+ if len(subtype_and_parent_exist_exceptions):
202
+ error_string = "\n".join(
203
+ str(e) for e in subtype_and_parent_exist_exceptions
204
+ )
205
+ raise ValueError(
206
+ "Overlapping MITRE Attack ID Techniques and Subtechniques may not be defined. "
207
+ f"Remove the Technique and keep the Subtechnique:\n{error_string}"
208
+ )
209
+
210
+ return techniques_and_subtechniques
211
+
162
212
  @field_validator("analytic_story", mode="before")
163
213
  @classmethod
164
214
  def mapStoryNamesToStoryObjects(
@@ -238,3 +288,6 @@ class DetectionTags(BaseModel):
238
288
  return matched_tests + [
239
289
  AtomicTest.AtomicTestWhenTestIsMissing(test) for test in missing_tests
240
290
  ]
291
+ return matched_tests + [
292
+ AtomicTest.AtomicTestWhenTestIsMissing(test) for test in missing_tests
293
+ ]
contentctl/objects/mitre_attack_enrichment.py CHANGED
@@ -1,8 +1,11 @@
1
1
  from __future__ import annotations
2
- from pydantic import BaseModel, Field, ConfigDict, HttpUrl, field_validator
3
- from typing import List
4
- from enum import StrEnum
2
+
5
3
  import datetime
4
+ from enum import StrEnum
5
+ from typing import List
6
+
7
+ from pydantic import BaseModel, ConfigDict, Field, HttpUrl, field_validator
8
+
6
9
  from contentctl.objects.annotated_types import MITRE_ATTACK_ID_TYPE
7
10
 
8
11
 
@@ -84,6 +87,16 @@ class MitreAttackGroup(BaseModel):
84
87
  return []
85
88
  return contributors
86
89
 
90
+ def __lt__(self, other: MitreAttackGroup) -> bool:
91
+ if not isinstance(object, MitreAttackGroup):
92
+ raise Exception(
93
+ f"Cannot compare object of type MitreAttackGroup to object of type [{type(object).__name__}]"
94
+ )
95
+ return self.group < other.group
96
+
97
+ def __hash__(self) -> int:
98
+ return hash(self.group)
99
+
87
100
 
88
101
  class MitreAttackEnrichment(BaseModel):
89
102
  ConfigDict(extra="forbid")
contentctl/objects/story_tags.py CHANGED
@@ -1,17 +1,18 @@
1
1
  from __future__ import annotations
2
- from pydantic import BaseModel, Field, model_serializer, ConfigDict
3
- from typing import List, Set, Optional
4
2
 
5
3
  from enum import Enum
4
+ from typing import List, Optional, Set
6
5
 
7
- from contentctl.objects.mitre_attack_enrichment import MitreAttackEnrichment
6
+ from pydantic import BaseModel, ConfigDict, Field, model_serializer
7
+
8
+ from contentctl.objects.annotated_types import CVE_TYPE, MITRE_ATTACK_ID_TYPE
8
9
  from contentctl.objects.enums import (
9
- StoryCategory,
10
10
  DataModel,
11
11
  KillChainPhase,
12
12
  SecurityContentProductName,
13
+ StoryCategory,
13
14
  )
14
- from contentctl.objects.annotated_types import CVE_TYPE, MITRE_ATTACK_ID_TYPE
15
+ from contentctl.objects.mitre_attack_enrichment import MitreAttackEnrichment
15
16
 
16
17
 
17
18
  class StoryUseCase(str, Enum):
contentctl/templates/detections/endpoint/anomalous_usage_of_7zip.yml CHANGED
@@ -60,7 +60,6 @@ tags:
60
60
  asset_type: Endpoint
61
61
  mitre_attack_id:
62
62
  - T1560.001
63
- - T1560
64
63
  product:
65
64
  - Splunk Enterprise
66
65
  - Splunk Enterprise Security
{contentctl-5.0.2.dist-info → contentctl-5.0.3.dist-info}/METADATA RENAMED
@@ -1,6 +1,6 @@
1
1
  Metadata-Version: 2.3
2
2
  Name: contentctl
3
- Version: 5.0.2
3
+ Version: 5.0.3
4
4
  Summary: Splunk Content Control Tool
5
5
  License: Apache 2.0
6
6
  Author: STRT
{contentctl-5.0.2.dist-info → contentctl-5.0.3.dist-info}/RECORD RENAMED
@@ -35,7 +35,7 @@ contentctl/input/yml_reader.py,sha256=ymmAqsWsf9Oj56waDOhCh_E4SomkSCmu4dAx7iURFt
35
35
  contentctl/objects/abstract_security_content_objects/detection_abstract.py,sha256=9uUb3BkH9d5vc9qn7RURhki9HZZJSGBTYfnqMImsiY4,43814
36
36
  contentctl/objects/abstract_security_content_objects/security_content_object_abstract.py,sha256=P1v5n8hM4XzJOjNZbJ5m3y4Bu-cQYaddLPdbE6K-4Xw,12164
37
37
  contentctl/objects/alert_action.py,sha256=iEvdEOT4TrTXT0z4rQ_W5v79hPJpPhFPSzo7TuHDxwA,1376
38
- contentctl/objects/annotated_types.py,sha256=eAMm1Nm3_C5pwfCxhzL5ynDRsC_eK614bFuwUFxPVLw,261
38
+ contentctl/objects/annotated_types.py,sha256=xR4EKvdOpNDEt0doGs8XjxCzKK99J2NHZgHFAmt7p2c,424
39
39
  contentctl/objects/atomic.py,sha256=5nl-JhZnymadi8B8ZEJ8l80DnpvjG-OlRxUjVKR6ffY,7341
40
40
  contentctl/objects/base_test.py,sha256=JG6qlr7xe9P71n3CzKOro8_bsmDQGYDfTG9YooHQSIE,1105
41
41
  contentctl/objects/base_test_result.py,sha256=TYYzTPKWqp9rHTebWoid50uxAp_iALZouril4sFwIcA,5197
@@ -56,7 +56,7 @@ contentctl/objects/deployment_slack.py,sha256=pC8-BB4qOD5fUqUi7Oj2Tre7-kKVqW2xEv
56
56
  contentctl/objects/detection.py,sha256=GKjjhnwyFxm7139dOlPJ4c3vIW0675-NLCPWxEB5m-c,631
57
57
  contentctl/objects/detection_metadata.py,sha256=JMz8rtcn5HfeEoaAx34kw2wXa35qsRIap_mXoY0Vbss,2237
58
58
  contentctl/objects/detection_stanza.py,sha256=-BRQNib5NNhY7Z2fILS5xkpjNkGSLF7qBciTmgOgLV8,3112
59
- contentctl/objects/detection_tags.py,sha256=kOb-hb83k71m3YkfJ5l-fw3sODMgmekuES7WlT5suAQ,8573
59
+ contentctl/objects/detection_tags.py,sha256=j92t4TWlNNVdFi4_DoHvEyvJuURlBp5_o1xv2w2pAVk,10699
60
60
  contentctl/objects/drilldown.py,sha256=Vinw6UYlOl0YzoRA_0oBCfHA5Gvgu5p-rEsfBIgMCdI,4186
61
61
  contentctl/objects/enums.py,sha256=HdaSQgEQ_T38BIlVYk1xdqMm05YyhQb0720nzBorXQw,13554
62
62
  contentctl/objects/errors.py,sha256=xX_FDUaJbJiOWgjgrzjtYW5QsD41UZ2KWqH-yGkHaCU,5554
@@ -68,7 +68,7 @@ contentctl/objects/lookup.py,sha256=mzOPhMDyoNZKLAj8zf6Wg6i9FJKMu3qHWinATtH75I8,
68
68
  contentctl/objects/macro.py,sha256=usbxyOPIRIJoDmvawfP2DxtFNf71GaDwffxiZsRkP5A,3594
69
69
  contentctl/objects/manual_test.py,sha256=cx_XAtQ8VG8Ui_F553Xnut75vFEOtRwm1dDIIWNpOaM,952
70
70
  contentctl/objects/manual_test_result.py,sha256=FyCVVf-f1DKs-qBkM4tbKfY6mkrW25NcIEBqyaDC2rE,156
71
- contentctl/objects/mitre_attack_enrichment.py,sha256=Qzm-P-gx_j-qOe6CKaUCv7AmcNy9EFwnMkw0oYsMfAY,3314
71
+ contentctl/objects/mitre_attack_enrichment.py,sha256=PCakRksW5qrTENIZ7JirEZplE9xpmvSvX2GKv7N8j_k,3683
72
72
  contentctl/objects/notable_action.py,sha256=sW5XlpGznMHqyBmGXtXrl22hWLiCoKkfGCasGtK3rGo,1607
73
73
  contentctl/objects/notable_event.py,sha256=2aOtmfnsdInTtN_fHAGIKmBTBritjHbS_Nc-pqL-GbY,689
74
74
  contentctl/objects/playbook.py,sha256=mgYbWsD3OW86u11MbIFKvmyFueSoMJ1WBJm_rNrFvAo,2425
@@ -80,7 +80,7 @@ contentctl/objects/risk_object.py,sha256=5iUKW_UwQLjjLWiD_vlE78uwH9bkaMNCHRNmKM2
80
80
  contentctl/objects/savedsearches_conf.py,sha256=Dn_Pxd9i3RT6DwNh6JrgmfxjsO3q15xzMksYr3wIGwQ,8624
81
81
  contentctl/objects/security_content_object.py,sha256=iDnhq81P7m6Qkmc_Yi-wOyFm9gZUYnPy1GJxxyCtonA,245
82
82
  contentctl/objects/story.py,sha256=jalNgK4yYGRr_yVkzuO_YHIrPhpWHF0Q79PkTJhcLzY,5048
83
- contentctl/objects/story_tags.py,sha256=SLwgkckLxBdtgJro0LnYgj5TFHZEgMiaqDI9q6OfNE0,2364
83
+ contentctl/objects/story_tags.py,sha256=IYumFuBF2Bt7HtW4lBfCRo2EUpjMYlnNjpx24jBErs4,2365
84
84
  contentctl/objects/test_attack_data.py,sha256=7p-kOJguTZtG9y5th5U3qfPFvpiAWLST_OBw8dwWl_4,488
85
85
  contentctl/objects/test_group.py,sha256=r-dXyddok4yslv8SIjwOpqylbN1rdjsRi-HIijvpWD0,2602
86
86
  contentctl/objects/threat_object.py,sha256=CB3igcmiq06lqnEh7h-btxFrBfgZbHaA9p8kFDKY6lQ,712
@@ -155,14 +155,14 @@ contentctl/templates/deployments/escu_default_configuration_hunting.yml,sha256=h
155
155
  contentctl/templates/deployments/escu_default_configuration_ttp.yml,sha256=1D-pvzaH1v3_yCZXaY6njmdvV4S2_Ak8uzzCOsnj9XY,548
156
156
  contentctl/templates/detections/application/.gitkeep,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
157
157
  contentctl/templates/detections/cloud/.gitkeep,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
158
- contentctl/templates/detections/endpoint/anomalous_usage_of_7zip.yml,sha256=VQ8mxkOOm7RfnBomtOXF9XGE8fV-j5j-4pFtpocQ17Y,3875
158
+ contentctl/templates/detections/endpoint/anomalous_usage_of_7zip.yml,sha256=R8D8X_C_KzJ7_b5E5AU1FnEsi7wCJzesvMz-gUqyRng,3865
159
159
  contentctl/templates/detections/network/.gitkeep,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
160
160
  contentctl/templates/detections/web/.gitkeep,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
161
161
  contentctl/templates/macros/security_content_ctime.yml,sha256=Gg1YNllHVsX_YB716H1SJLWzxXZEfuJlnsgB2fuyoHU,159
162
162
  contentctl/templates/macros/security_content_summariesonly.yml,sha256=9BYUxAl2E4Nwh8K19F3AJS8Ka7ceO6ZDBjFiO3l3LY0,162
163
163
  contentctl/templates/stories/cobalt_strike.yml,sha256=uj8idtDNOAIqpZ9p8usQg6mop1CQkJ5TlB4Q7CJdTIE,3082
164
- contentctl-5.0.2.dist-info/LICENSE.md,sha256=hQWUayRk-pAiOZbZnuy8djmoZkjKBx8MrCFpW-JiOgo,11344
165
- contentctl-5.0.2.dist-info/METADATA,sha256=w4N00eZ7_Rn1nbpEbFDNCtIjij82KcNtZIe6YUflmuo,21539
166
- contentctl-5.0.2.dist-info/WHEEL,sha256=IYZQI976HJqqOpQU6PHkJ8fb3tMNBFjg-Cn-pwAbaFM,88
167
- contentctl-5.0.2.dist-info/entry_points.txt,sha256=5bjZ2NkbQfSwK47uOnA77yCtjgXhvgxnmCQiynRF_-U,57
168
- contentctl-5.0.2.dist-info/RECORD,,
164
+ contentctl-5.0.3.dist-info/LICENSE.md,sha256=hQWUayRk-pAiOZbZnuy8djmoZkjKBx8MrCFpW-JiOgo,11344
165
+ contentctl-5.0.3.dist-info/METADATA,sha256=KUmcwcjNRAf0tyt2jpUWcjTBJf07usgeBsHmNShVHIo,21539
166
+ contentctl-5.0.3.dist-info/WHEEL,sha256=IYZQI976HJqqOpQU6PHkJ8fb3tMNBFjg-Cn-pwAbaFM,88
167
+ contentctl-5.0.3.dist-info/entry_points.txt,sha256=5bjZ2NkbQfSwK47uOnA77yCtjgXhvgxnmCQiynRF_-U,57
168
+ contentctl-5.0.3.dist-info/RECORD,,