PyPI - contentctl - Versions diffs - 5.0.4__py3-none-any.whl → 5.1.0__py3-none-any.whl - Mend

contentctl 5.0.4py3-none-any.whl → 5.1.0py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

contentctl/contentctl.py CHANGED Viewed

@@ -143,20 +143,6 @@ def test_common_func(config: test_common):
     raise Exception("There was at least one unsuccessful test")
-CONTENTCTL_5_WARNING = """
-*****************************************************************************
-WARNING - THIS IS AN ALPHA BUILD OF CONTENTCTL 5.
-THERE HAVE BEEN NUMEROUS CHANGES IN CONTENTCTL (ESPECIALLY TO YML FORMATS).
-YOU ALMOST CERTAINLY DO NOT WANT TO USE THIS BUILD.
-IF YOU ENCOUNTER ERRORS, PLEASE USE THE LATEST CURRENTYLY SUPPORTED RELEASE:
-CONTENTCTL==4.4.7
-YOU HAVE BEEN WARNED!
-*****************************************************************************
-"""
 def get_random_compliment():
     compliments = [
         "Your detection rules are like a zero-day shield! 🛡️",
@@ -187,7 +173,6 @@ class RecognizeCommand:
 def main():
-    print(CONTENTCTL_5_WARNING)
     try:
         configFile = pathlib.Path("contentctl.yml")
@@ -299,7 +284,6 @@ def main():
             )
         print(e)
-        print(CONTENTCTL_5_WARNING)
         sys.exit(1)

contentctl/input/director.py CHANGED Viewed

@@ -1,30 +1,29 @@
 import os
 import sys
-from pathlib import Path
 from dataclasses import dataclass, field
-from pydantic import ValidationError
+from pathlib import Path
 from uuid import UUID
-from contentctl.input.yml_reader import YmlReader
-from contentctl.objects.detection import Detection
-from contentctl.objects.story import Story
+from pydantic import ValidationError
-from contentctl.objects.baseline import Baseline
-from contentctl.objects.investigation import Investigation
-from contentctl.objects.playbook import Playbook
-from contentctl.objects.deployment import Deployment
-from contentctl.objects.macro import Macro
-from contentctl.objects.lookup import LookupAdapter, Lookup
-from contentctl.objects.atomic import AtomicEnrichment
-from contentctl.objects.security_content_object import SecurityContentObject
-from contentctl.objects.data_source import DataSource
-from contentctl.objects.dashboard import Dashboard
 from contentctl.enrichments.attack_enrichment import AttackEnrichment
 from contentctl.enrichments.cve_enrichment import CveEnrichment
+from contentctl.helper.utils import Utils
+from contentctl.input.yml_reader import YmlReader
+from contentctl.objects.atomic import AtomicEnrichment
+from contentctl.objects.baseline import Baseline
 from contentctl.objects.config import validate
+from contentctl.objects.dashboard import Dashboard
+from contentctl.objects.data_source import DataSource
+from contentctl.objects.deployment import Deployment
+from contentctl.objects.detection import Detection
 from contentctl.objects.enums import SecurityContentType
-from contentctl.helper.utils import Utils
+from contentctl.objects.investigation import Investigation
+from contentctl.objects.lookup import Lookup, LookupAdapter
+from contentctl.objects.macro import Macro
+from contentctl.objects.playbook import Playbook
+from contentctl.objects.security_content_object import SecurityContentObject
+from contentctl.objects.story import Story
 @dataclass
@@ -113,20 +112,6 @@ class Director:
         self.createSecurityContent(SecurityContentType.detections)
         self.createSecurityContent(SecurityContentType.dashboards)
-        from contentctl.objects.abstract_security_content_objects.detection_abstract import (
-            MISSING_SOURCES,
-        )
-        if len(MISSING_SOURCES) > 0:
-            missing_sources_string = "\n 🟡 ".join(sorted(list(MISSING_SOURCES)))
-            print(
-                "WARNING: The following data_sources have been used in detections, but are not yet defined.\n"
-                "This is not yet an error since not all data_sources have been defined, but will be convered to an error soon:\n 🟡 "
-                f"{missing_sources_string}"
-            )
-        else:
-            print("No missing data_sources!")
     def createSecurityContent(self, contentType: SecurityContentType) -> None:
         if contentType in [
             SecurityContentType.deployments,

contentctl/objects/abstract_security_content_objects/detection_abstract.py CHANGED Viewed

@@ -51,8 +51,6 @@ from contentctl.objects.security_content_object import SecurityContentObject
 from contentctl.objects.test_group import TestGroup
 from contentctl.objects.unit_test import UnitTest
-MISSING_SOURCES: set[str] = set()
 # Those AnalyticsTypes that we do not test via contentctl
 SKIPPED_ANALYTICS_TYPES: set[str] = {AnalyticsType.Correlation}
@@ -514,7 +512,7 @@ class Detection_Abstract(SecurityContentObject):
             baseline.tags.detections = new_detections
         # Data source may be defined 1 on each line, OR they may be defined as
-        # SOUCE_1 AND ANOTHERSOURCE AND A_THIRD_SOURCE
+        # SOURCE_1 AND ANOTHERSOURCE AND A_THIRD_SOURCE
         # if more than 1 data source is required for a detection (for example, because it includes a join)
         # Parse and update the list to resolve individual names and remove potential duplicates
         updated_data_source_names: set[str] = set()
@@ -524,27 +522,9 @@ class Detection_Abstract(SecurityContentObject):
             updated_data_source_names.update(split_data_sources)
         sources = sorted(list(updated_data_source_names))
-        matched_data_sources: list[DataSource] = []
-        missing_sources: list[str] = []
-        for source in sources:
-            try:
-                matched_data_sources += DataSource.mapNamesToSecurityContentObjects(
-                    [source], director
-                )
-            except Exception:
-                # We gobble this up and add it to a global set so that we
-                # can print it ONCE at the end of the build of datasources.
-                # This will be removed later as per the note below
-                MISSING_SOURCES.add(source)
-        if len(missing_sources) > 0:
-            # This will be changed to ValueError when we have a complete list of data sources
-            print(
-                "WARNING: The following exception occurred when mapping the data_source field to "
-                f"DataSource objects:{missing_sources}"
-            )
+        matched_data_sources = DataSource.mapNamesToSecurityContentObjects(
+            sources, director
+        )
         self.data_source_objects = matched_data_sources
         for story in self.tags.analytic_story:

contentctl/objects/constants.py CHANGED Viewed

@@ -124,7 +124,6 @@ CONTENTCTL_DETECTION_STANZA_NAME_FORMAT_TEMPLATE = (
     "{app_label} - {detection_name} - Rule"
 )
-CONTENTCTL_DASHBOARD_LABEL_TEMPLATE = "{app_label} - {dashboard_name}"
 CONTENTCTL_BASELINE_STANZA_NAME_FORMAT_TEMPLATE = "{app_label} - {detection_name}"
 CONTENTCTL_RESPONSE_TASK_NAME_FORMAT_TEMPLATE = (
     "{app_label} - {detection_name} - Response Task"

contentctl/objects/dashboard.py CHANGED Viewed

@@ -7,11 +7,10 @@ from jinja2 import Environment
 from pydantic import Field, Json, model_validator
 from contentctl.objects.config import build
-from contentctl.objects.constants import CONTENTCTL_DASHBOARD_LABEL_TEMPLATE
 from contentctl.objects.security_content_object import SecurityContentObject
 DEFAULT_DASHBOARD_JINJA2_TEMPLATE = """<dashboard version="2" theme="{{ dashboard.theme }}">
-    <label>{{ dashboard.label(config) }}</label>
+    <label>{{ dashboard.name }}</label>
     <description></description>
     <definition><![CDATA[
 {{ dashboard.pretty_print_json_obj() }}
@@ -50,11 +49,6 @@ class Dashboard(SecurityContentObject):
         ..., description="Valid JSON object that describes the dashboard"
     )
-    def label(self, config: build) -> str:
-        return CONTENTCTL_DASHBOARD_LABEL_TEMPLATE.format(
-            app_label=config.app.label, dashboard_name=self.name
-        )
     @model_validator(mode="before")
     @classmethod
     def validate_fields_from_json(cls, data: Any) -> Any:
@@ -102,9 +96,16 @@ class Dashboard(SecurityContentObject):
         return json.dumps(self.json_obj, indent=4)
     def getOutputFilepathRelativeToAppRoot(self, config: build) -> pathlib.Path:
-        # for clarity, the name of the dashboard file will follow the same convention
-        # as we use for detections, prefixing it with app_name -
-        filename = f"{self.label(config)}.xml"
+        if self.file_path is None:
+            raise FileNotFoundError(
+                f"Dashboard {self.name} file_path was None. Dashboards must be backed by a file."
+            )
+        # Prefix with the appLabel__ in order to make a search for these easy with match="__"
+        # in the default.xml file
+        filename = f"{config.app.label}__{self.file_path.stem}.xml".lower().replace(
+            " ", "_"
+        )
         return pathlib.Path("default/data/ui/views") / filename
     def writeDashboardFile(self, j2_env: Environment, config: build):

contentctl/templates/app_template/default/data/ui/nav/default.xml CHANGED Viewed

@@ -2,6 +2,6 @@
   <view name="escu_summary" default="true"/>
   <view name="search"/>
   <collection label="Dashboards">
-    <view source="unclassified" match=" - "/>
+    <view source="unclassified" match="__"/>
   </collection>
 </nav>

contentctl-5.1.0.dist-info/METADATA ADDED Viewed

@@ -0,0 +1,74 @@
+Metadata-Version: 2.3
+Name: contentctl
+Version: 5.1.0
+Summary: Splunk Content Control Tool
+License: Apache 2.0
+Author: STRT
+Author-email: research@splunk.com
+Requires-Python: >=3.11,<3.14
+Classifier: License :: Other/Proprietary License
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Requires-Dist: Jinja2 (>=3.1.4,<4.0.0)
+Requires-Dist: PyYAML (>=6.0.2,<7.0.0)
+Requires-Dist: attackcti (>=0.4.0,<0.5.0)
+Requires-Dist: bottle (>=0.12.25,<0.14.0)
+Requires-Dist: docker (>=7.1.0,<8.0.0)
+Requires-Dist: gitpython (>=3.1.43,<4.0.0)
+Requires-Dist: pycvesearch (>=1.2,<2.0)
+Requires-Dist: pydantic (>=2.9.2,<2.10.0)
+Requires-Dist: pygit2 (>=1.15.1,<2.0.0)
+Requires-Dist: questionary (>=2.0.1,<3.0.0)
+Requires-Dist: requests (>=2.32.3,<2.33.0)
+Requires-Dist: semantic-version (>=2.10.0,<3.0.0)
+Requires-Dist: setuptools (>=69.5.1,<76.0.0)
+Requires-Dist: splunk-sdk (>=2.0.2,<3.0.0)
+Requires-Dist: tqdm (>=4.66.5,<5.0.0)
+Requires-Dist: tyro (>=0.9.2,<0.10.0)
+Requires-Dist: xmltodict (>=0.13,<0.15)
+Description-Content-Type: text/markdown
+# contentctl
+<p align="center">
+<img src="https://raw.githubusercontent.com/splunk/contentctl/refs/heads/main/docs/contentctl_logo_white.png" title="In case you're wondering, it's a capybara" alt="the logo for the contentctl project, which depicts a doodled 4 legged animal that is supposed to represent a capybara, with the name of the project below it" width="250" height="250"></p>
+> [!NOTE]
+> Looking to migrate from an earlier release to the new contentctl v5+ ? Check out our migration guide [here](docs/contentctl_v5_migration_guide.md).
+## What is contentctl?
+`contentctl` is a tool developed by the Splunk Threat Research Team to help with managing the content living in [splunk/security_content](https://github.com/splunk/security_content) and producing the Enterprise Security Content Update app for Splunk. While its development is largely driven by STRT's needs, it has been somewhat genericized and can be used by customers and partners to package their own content. Simply put, `contentctl` is the workhorse that packages detections, macros, lookups, dashboards into a Splunk app that you can use, and that understands the YAML structure and project layout we've selected to keep development clean.
+## Quick Start Guide
+Check out our [User Guide](docs/UserGuide.md) to get started!
+## Content Testing
+Read more about how `contentctl` can help test and validate your content in a real Splunk instance [here](docs/ContentTestingGuide.md).
+## Sample CICD Workflows
+Already using `contentctl`, or looking to get started with it already configured in GitHub Actions? [Our guide](docs/Sample_CICD_Templates.md) includes workflows to help you build and test your app.
+## Contribution Guide
+Read [the Contribution Guidelines](CONTRIBUTING.md) for this project before opening a Pull Request.
+## Ecosystem
+| Project               | Description                                             |
+| --------------------- | ------------------------------------------------------- |
+| [Splunk Security Content](https://github.com/splunk/security_content)          | Splunk Threat Research Team's Content included in the [Enterprise Security Content Update App (ESCU)](https://splunkbase.splunk.com/app/3449)|
+| [Splunk Attack Range](https://github.com/splunk/attack_range)          | Easily deploy a preconfigured Splunk Environment locally or on AWS containing a Splunk Instance, Windows and Linux Machines, and Attacker Tools like Kali Linux.  Automatically simulate attacks or run your own|
+| [Splunk Attack Data](https://github.com/splunk/attack_data)          | Repository of Attack Simulation Data for writing and Testing Detections|                         |
+| [Splunk contentctl](https://github.com/splunk/contentctl)          | Generate, validate, build, test, and deploy custom Security Content|
+| [SigmaHQ Sigma Rules](https://github.com/SigmaHQ/sigma) | Official Repository for Sigma Rules. These rules are an excellent starting point for new content. |
+| [PurpleSharp Attack Simulation](https://github.com/mvelazc0/PurpleSharp) | Open source adversary simulation tool for Windows Active Directory environments (integrated into Attack Range)|
+| [Red Canary Atomic Red Team](https://github.com/redcanaryco/atomic-red-team)          | Library of attack simulations mapped to the MITRE ATT&CK® framework (integrated into Attack Range)|
+## License
+Copyright 2023 Splunk Inc.
+Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
+http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

{contentctl-5.0.4.dist-info → contentctl-5.1.0.dist-info}/RECORD RENAMED Viewed

@@ -21,7 +21,7 @@ contentctl/actions/reporting.py,sha256=GF32i7sHdc47bw-VWSW-nZ1QBaUl6Ni1JjV5_SOyi
 contentctl/actions/test.py,sha256=GTtvHi1yB5yDm1jPMyuc4WxczOq-O7f2N8LpTmMaWgU,6014
 contentctl/actions/validate.py,sha256=thnxanLj6mfw5g17C1FrzWlkpyIT_AjnDxv_wyNdspA,5837
 contentctl/api.py,sha256=6s17vNOW1E1EzQqOCXAa5uWuhwwShu-JkGSgrsOFEMs,6329
-contentctl/contentctl.py,sha256=pKtjRHsdTHb505Xjvrdx8v_EGJQ9ZAMfKK4P5N4ge-I,12312
+contentctl/contentctl.py,sha256=nR8nHxXY0elvQogVHFqsyid7Ch5sMnIiNAOFbCa0yzI,11755
 contentctl/enrichments/attack_enrichment.py,sha256=68C9xQ8Q3YX-luRdK2hLnwWtRFpheFA2kE4v5GOLGEo,6358
 contentctl/enrichments/cve_enrichment.py,sha256=TsZ52ef2njt19lPf_VyclY_-5Z5iQ1boVOAxFbjGdSQ,2431
 contentctl/enrichments/splunk_app_enrichment.py,sha256=Xynxjjkqlw0_RtQ1thGSFwy1I3HdmPAJmNKZezyqniU,3419
@@ -29,10 +29,10 @@ contentctl/helper/link_validator.py,sha256=kzEi2GdncPWSi-UKNerXm2jtTJfFQ5goS9pqy
 contentctl/helper/logger.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 contentctl/helper/splunk_app.py,sha256=Zq_C9rjNVqCjBNgm-5CWdBpXyeX5jSpbE-QTGptEZlk,14571
 contentctl/helper/utils.py,sha256=rigwZzCwWzn11sKTVWDkYEtLmRSf0yBbJ671OSRQnOM,19094
-contentctl/input/director.py,sha256=asK4yUlSVdv0QDUzCrTEXQUm0j9hbzVu55o_-wD-eWc,11560
+contentctl/input/director.py,sha256=7mx93-k_8DUc4pwYjxwq39n8-BlDYZOvRBkdzdGA8Qc,10919
 contentctl/input/new_content_questions.py,sha256=z2C4Mg7-EyxtiF2z9m4SnSbi6QO4CUPB3wg__JeMXIQ,4067
 contentctl/input/yml_reader.py,sha256=ymmAqsWsf9Oj56waDOhCh_E4SomkSCmu4dAx7iURFt8,2050
-contentctl/objects/abstract_security_content_objects/detection_abstract.py,sha256=9uUb3BkH9d5vc9qn7RURhki9HZZJSGBTYfnqMImsiY4,43814
+contentctl/objects/abstract_security_content_objects/detection_abstract.py,sha256=T5SAFOwEeCDCe79IyVryoLO9k6VaTiwbQPWSNo1epk0,43001
 contentctl/objects/abstract_security_content_objects/security_content_object_abstract.py,sha256=P1v5n8hM4XzJOjNZbJ5m3y4Bu-cQYaddLPdbE6K-4Xw,12164
 contentctl/objects/alert_action.py,sha256=iEvdEOT4TrTXT0z4rQ_W5v79hPJpPhFPSzo7TuHDxwA,1376
 contentctl/objects/annotated_types.py,sha256=xR4EKvdOpNDEt0doGs8XjxCzKK99J2NHZgHFAmt7p2c,424
@@ -42,9 +42,9 @@ contentctl/objects/base_test_result.py,sha256=TYYzTPKWqp9rHTebWoid50uxAp_iALZour
 contentctl/objects/baseline.py,sha256=grzM56KCpROjMnJQIan-fG0LCYfRGA2GHui4FwBwb8A,3172
 contentctl/objects/baseline_tags.py,sha256=Eomy8y3HV-E6Lym5B5ZZTtsmQJYi6Jd4y8GZpTWGYgQ,1643
 contentctl/objects/config.py,sha256=3l8tFVwrBDpAnS7aBgj6to0Kc8_s4bxuZY5Bm5vel8k,48605
-contentctl/objects/constants.py,sha256=u7KI1uo5ggg1c0uSgmXGSsbjQUyqsNtmLH90fwQY2Eg,5537
+contentctl/objects/constants.py,sha256=VwwQtJBGC_zb3ukjb3A7P0CwAlyhacWiXczwAW5Jiog,5466
 contentctl/objects/correlation_search.py,sha256=ab6v-0nbzujhTMpwaXynQiInWpRO1zB5KR4eZLCav_M,45234
-contentctl/objects/dashboard.py,sha256=10nC4U1_brq8_lE_BBQcpFZqtvpbBuWk9W7tXc0B3c0,4501
+contentctl/objects/dashboard.py,sha256=9DiHP_Nx2XBQv4-zUaz6v9XH5yeTJhxaGDlaQqCsbIU,4468
 contentctl/objects/data_source.py,sha256=qt4W14DEwKGO69oLGdJeuYqbWvGkZ6j5Nz0R1RhDQEQ,1491
 contentctl/objects/deployment.py,sha256=FRsgsX2T1gvA_0A44_sFPr22rsedxXVIhtO7o9F7eZM,2902
 contentctl/objects/deployment_email.py,sha256=_Sdr_BNjvXECiFonRHLkiOrIQp3slnUaERbptqRbD0Q,206
@@ -135,7 +135,7 @@ contentctl/templates/app_template/README/essoc_usage_dashboard.txt,sha256=xYUKKV
 contentctl/templates/app_template/README.md,sha256=RT-J9bgRSFsEFgNr9qV6yc2LkfUH_uiMJ2RV4NM9Ymo,366
 contentctl/templates/app_template/default/analytic_stories.conf,sha256=zWuCOOl8SiP7Kit2s-de4KRu3HySLtBSXcp1QnJx0ec,168
 contentctl/templates/app_template/default/commands.conf,sha256=U2ccwUeGXKKKt5jo14QY5swi-p9_TSJtaNquOkeF3Yk,319
-contentctl/templates/app_template/default/data/ui/nav/default.xml,sha256=_qdZXttnPgwGVw5xsqieYnR0o2Oc8ere9u1_Utw8bvY,214
+contentctl/templates/app_template/default/data/ui/nav/default.xml,sha256=Tfvl7YUGYBbVI4o5BZ5pfsR3urzxF2r1E-8bonIQ560,213
 contentctl/templates/app_template/default/data/ui/views/escu_summary.xml,sha256=jQhkIthPgEEptCJ2wUCj2lWGHBvUl6JGsKkDfONloxI,8635
 contentctl/templates/app_template/default/data/ui/views/feedback.xml,sha256=uM71EMK2uFz8h68nOTNKGnYxob3HhE_caSL6yA-3H-k,696
 contentctl/templates/app_template/default/use_case_library.conf,sha256=zWuCOOl8SiP7Kit2s-de4KRu3HySLtBSXcp1QnJx0ec,168
@@ -161,8 +161,8 @@ contentctl/templates/detections/web/.gitkeep,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRk
 contentctl/templates/macros/security_content_ctime.yml,sha256=Gg1YNllHVsX_YB716H1SJLWzxXZEfuJlnsgB2fuyoHU,159
 contentctl/templates/macros/security_content_summariesonly.yml,sha256=9BYUxAl2E4Nwh8K19F3AJS8Ka7ceO6ZDBjFiO3l3LY0,162
 contentctl/templates/stories/cobalt_strike.yml,sha256=uj8idtDNOAIqpZ9p8usQg6mop1CQkJ5TlB4Q7CJdTIE,3082
-contentctl-5.0.4.dist-info/LICENSE.md,sha256=hQWUayRk-pAiOZbZnuy8djmoZkjKBx8MrCFpW-JiOgo,11344
-contentctl-5.0.4.dist-info/METADATA,sha256=rZUz7votHt0VBGXtqkPv_Mz0O4d22W2kv4qm8jkj9BM,21539
-contentctl-5.0.4.dist-info/WHEEL,sha256=XbeZDeTWKc1w7CSIyre5aMDU_-PohRwTQceYnisIYYY,88
-contentctl-5.0.4.dist-info/entry_points.txt,sha256=5bjZ2NkbQfSwK47uOnA77yCtjgXhvgxnmCQiynRF_-U,57
-contentctl-5.0.4.dist-info/RECORD,,
+contentctl-5.1.0.dist-info/LICENSE.md,sha256=hQWUayRk-pAiOZbZnuy8djmoZkjKBx8MrCFpW-JiOgo,11344
+contentctl-5.1.0.dist-info/METADATA,sha256=F4a_TCVzB6ayCKCjSNSaX0cPIaZl12-DoLClq1xliNc,5097
+contentctl-5.1.0.dist-info/WHEEL,sha256=XbeZDeTWKc1w7CSIyre5aMDU_-PohRwTQceYnisIYYY,88
+contentctl-5.1.0.dist-info/entry_points.txt,sha256=5bjZ2NkbQfSwK47uOnA77yCtjgXhvgxnmCQiynRF_-U,57
+contentctl-5.1.0.dist-info/RECORD,,

contentctl-5.0.4.dist-info/METADATA DELETED Viewed

@@ -1,263 +0,0 @@
-Metadata-Version: 2.3
-Name: contentctl
-Version: 5.0.4
-Summary: Splunk Content Control Tool
-License: Apache 2.0
-Author: STRT
-Author-email: research@splunk.com
-Requires-Python: >=3.11,<3.14
-Classifier: License :: Other/Proprietary License
-Classifier: Programming Language :: Python :: 3
-Classifier: Programming Language :: Python :: 3.11
-Classifier: Programming Language :: Python :: 3.12
-Classifier: Programming Language :: Python :: 3.13
-Requires-Dist: Jinja2 (>=3.1.4,<4.0.0)
-Requires-Dist: PyYAML (>=6.0.2,<7.0.0)
-Requires-Dist: attackcti (>=0.4.0,<0.5.0)
-Requires-Dist: bottle (>=0.12.25,<0.14.0)
-Requires-Dist: docker (>=7.1.0,<8.0.0)
-Requires-Dist: gitpython (>=3.1.43,<4.0.0)
-Requires-Dist: pycvesearch (>=1.2,<2.0)
-Requires-Dist: pydantic (>=2.9.2,<2.10.0)
-Requires-Dist: pygit2 (>=1.15.1,<2.0.0)
-Requires-Dist: questionary (>=2.0.1,<3.0.0)
-Requires-Dist: requests (>=2.32.3,<2.33.0)
-Requires-Dist: semantic-version (>=2.10.0,<3.0.0)
-Requires-Dist: setuptools (>=69.5.1,<76.0.0)
-Requires-Dist: splunk-sdk (>=2.0.2,<3.0.0)
-Requires-Dist: tqdm (>=4.66.5,<5.0.0)
-Requires-Dist: tyro (>=0.9.2,<0.10.0)
-Requires-Dist: xmltodict (>=0.13,<0.15)
-Description-Content-Type: text/markdown
-# contentctl
-<p align="center">
-<img src="docs/contentctl_logo_white.png" title="In case you're wondering, it's a capybara" alt="contentctl logo" width="250" height="250"></p>
-# contentctl Quick Start Guide
-If you are already familiar with contentctl, the following common commands may be very useful for basic operations
-| Operation | Command |
-|-----------|---------|
-| Create a repository | `contentctl init` |
-| Validate Your Content | `contentctl validate` |
-| Validate Your Content, performing MITRE Enrichments | `contentctl validate --enrichments`|
-| Build Your App | `contentctl build` |
-| Test All the content in your app, pausing so that you can debug a search if it fails | `contentctl test --post-test-behavior pause_on_failure mode:all` |
-| Test All the content in your app, pausing after every detection to allow debugging | `contentctl test --post-test-behavior always_pause mode:all` |
-| Test 1 or more specified detections. If you are testing more than one detection, the paths are space-separated. You may also use shell-expanded regexes | `contentctl test --post-test-behavior always_pause mode:selected --mode.files detections/endpoint/7zip_commandline_to_smb_share_path.yml detections/cloud/aws_multi_factor_authentication_disabled.yml detections/application/okta*` |
-| Diff your current branch with a target_branch and test detections that have been updated. Your current branch **must be DIFFERENT** than the target_branch | `contentctl test --post-test-behavior always_pause mode:changes --mode.target_branch develop` |
-| Perform Integration Testing of all content. Note that Enterprise Security MUST be listed as an app in your contentctl.yml folder, otherwise all tests will subsequently fail | `contentctl test --enable-integration-testing --post-test-behavior never_pause mode:all` |
-# Introduction
-#### Security Is Hard
-Anyone who has managed a [SOC](#acronyms) will tell you it's hard work.  SOC Managers, Detection Engineers, and Cybersecurity Professionals must understand and manage countless tools and data sources while ensuring the reliability and security of their network and applications.  At the same time, they must be able to detect and react to data breeches, vulnerabilities, and performance degradation in minutes - not seconds or hours.
-These responsibilities leave little time for writing new content - let alone documentation, maintenance, and testing of legacy content.  Existing solutions like Wikis, JIRA tickets, Excel Spreadsheets, and "asking that one team member who knows everything" don't scale and spread information across various systems.
-#### contentctl Makes It ~~Easy~~ Less Hard
-contentctl is a single application that support the full cycle of security content development (each of the links below will redirect to the appropriate section of the README/Wiki):
-- [Create Content Packs](#contentctl-init) - Version-Controlled collections of searches, documentation, and test data
-- [Add New Content](#contentctl-new---type-type) - searches, macros, lookups, and other content
-- [Statically Validate](#contentctl-validate) Content Against a Well-Defined Baseline
-- [Building](#contentctl-build) a Content Pack for your target - Use a supported output format or design your own
-- [Test](#contentctl-test) your Content Pack on a running Splunk Instance
-- [Deploy](#contentctl-deploy) your Content Pack to Splunk Cloud Instance, via REST API, or create a Splunkbase Application for manual deployment
- # Ecosystem
-| Project               | Description                                             |
-| --------------------- | ------------------------------------------------------- |
-| [Splunk Attack Range](https://github.com/splunk/attack_range)          | Easily deploy a preconfigured Splunk Environment locally or on AWS containing a Splunk Instance, Windows and Linux Machines, and Attacker Tools like Kali Linux.  Automatically simulate attacks or run your own|
-| [PurpleSharp Attack Simulation](https://github.com/mvelazc0/PurpleSharp) | Open source adversary simulation tool for Windows Active Directory environments (integrated into Attack Range)|
-| [Red Canary Atomic Red Team](https://github.com/redcanaryco/atomic-red-team)          | Library of attack simulations mapped to the MITRE ATT&CK® framework (integrated into Attack Range)|
-| [Splunk Attack Data](https://github.com/splunk/attack_data)          | Repository of Attack Simulation Data for writing and Testing Detections|                         |
-| [Splunk Security Content](https://github.com/splunk/security_content)          | Splunk Threat Research Team's Content included in the [Enterprise Security Content Update App (ESCU)](https://splunkbase.splunk.com/app/3449)|
-| [Splunk contentctl](https://github.com/splunk/contentctl)          | Generate, validate, build, test, and deploy custom Security Content|
-| [SigmaHQ Sigma Rules](https://github.com/SigmaHQ/sigma) | Official Repository for Sigma Rules. These rules are an excellent starting point for new content. |
-## Workflow
-```mermaid
-graph TD
-starting_state --contentctl init--> contentPack
-newContent{new_content} --contentctl new sigma content--> contentPack
-newContent{new_content} --contentctl new spl content--> contentPack
-contentPack --contentctl validate--> ValidatedContent
-ValidatedContent --contentctl build--> SplunkContent
-ValidatedContent --contentctl docs--> WebsiteDocumentation
-ValidatedContent --contentctl docs--> MITRE_mapDocumentation
-SplunkContent --contentctl test via container-->TestResults
-TestResults --contentctl deploy-->SplunkRESTAPI
-TestResults --contentctl deploy-->SplunkbaseApp
-TestResults --contentctl deploy-->SplunkCloudInstance
-```
-## Installation
-### Requirements
-Testing is run using [GitHub Hosted Runners](https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners).  Ubuntu22.04 is the recommended configuration.
-| Operating System | Supported | Passing Intregration Tests |
-| ---------------- | --------- | ------ |
-| Windows 10       | Yes       | Not tested yet |
-| Windows 11       | Yes       | Not tested yet |
-| Ununtu 20.04 LTS | Yes       | YES (locally + GitHub Actions) |
-| *Ubuntu 22.04 LTS| Yes       | YES (locally + GitHub Actions) |
-| macOS Montery 12       | Yes       | Not tested yet |
-| macOS Ventura 13       | Yes (Intel and Apple Silicon)      | Yes (locally) |
-| Requirement | Supported | Description |  Passing Integration Tests |
-| --------------------- | ----- | ---- | ------ |
-| Python 3.11+ | Yes | contentctl tool is written in Python | Yes (locally + GitHub Actions)  |
-| Docker (local) | Yes | A running Splunk Server is required for Dynamic Testing.  contentctl can automatically create, configure, and destroy this server as a Splunk container during the lifetime of a test. | (locally + GitHub Actions) |
-| Docker (remote) | Planned | A running Splunk Server is required for Dynamic Testing.  contentctl can automatically create, configure, and destroy this server as a Splunk container during the lifetime of a test. | No |
-**Because contentctl uses a large number of dependencies, it's recommended to install contentctl in a virtual environment.
-The instructions below using "poetry" ALSO follow this recommendation.  Poetry will automatically create a new virtual environment for you.
-It is typically recommended to install poetry to the Global Python Environment.**
-#### Install via pip (recommended):
-```
-python3.11 -m venv .venv
-source .venv/bin/activate
-pip install contentctl
-```
-#### From Source (advanced)
-```
-git clone https://github.com/splunk/contentctl
-cd contentctl
-python3.11 -m pip install poetry
-poetry install
-poetry shell
-contentctl --help
-```
-# Usage
-### contentctl init
-Creates a new Content Pack in the current directory as well as a configuration file called [contentctl.yml](/contentctl/templates/contentctl_default.yml) which contains a number of important configuration options.
-The content pack contains a wide variety of content types:
-- [detections](/contentctl/objects/detection.py) - A piece of content that wraps and enriches a Splunk Search.  [Example Detection](/contentctl/templates/detections/anomalous_usage_of_7zip.yml)
-- [baselines](/contentctl/objects/baseline.py) - This content is not currently supported.
-- [lookups](/contentctl//objects/lookup.py) - Static files, such as CSVs, that can be loaded into Splunk for use in lookup commands.  [Example Lookup](https://github.com/splunk/security_content/blob/develop/lookups/attacker_tools.csv)
-- [macros](/contentctl/objects/macro.py) - Common code that is re-used across a wide set of detections.  [Example Macro](/contentctl/templates/macros/security_content_summariesonly.yml)
-- [stories](/contentctl/objects/story.py) - Analytic Stories Allow a developer to tie together a group of detections, for example detections that all relate to Ransomware. [Example Analytic Story](/contentctl/templates/stories/cobalt_strike.yml)
-### contentctl validate
-Performs static validation on all of the content in this Content Pack.  Writing validation is extremely complex.  Each piece of content can one or dozens of fields ranging from free text to numbers to references to other content.  contentctl's build in validation ensures that a number of conditions are met:
-- Required fields in content are defined
-- Values in fields are appropriate.  For example, if content references a Datamodel, then that Datamodel must be valid. Similarly, numeric values that must fall within a certain range must be validated.
-- If a piece of content references other content, then it exists.  For example, if a detection makes use of a macro then the existence and correctness of the macro must be validated.
-- There are no conflicts between content.  For example, two detections cannot have the same name.
-If any of these conditions are not met, then a descriptive error will be printed and contentctl will return a nonzero exit code.  This makes it suitable for running in an automated workflow or other CICD context.  Instead of exiting on the first error, _contentctl validate_ will continue validating all content so that it can present all relevant error before exiting.
-### contentctl build
-Generates Content Packs in the output format defined in the [contentctl.yml](/contentctl/templates/contentctl_default.yml) configuration file.  These outputs may include {splunk_app, api, ba}.  When _contentctl build_ runs, it first performs a _contentctl validate_ in order to ensure that a valid app is generated.  Note that it is *NOT* required or recommended to run _contentctl validate_ separately if the intention is to build a Content Pack.
-### contentctl report
-This section is under active development.  It will allow you to a [MITRE Map](https://mitremap.splunkresearch.com/) showing your coverage of MITRE Techniques.  The link here shows the generation of that MITRE Map using the content in Splunk's [security_content repo](https://github.com/splunk/security_content).
-### contentctl new [--type TYPE]
-Choose TYPE {detection, story} to create new content for the Content Pack.  The tool will interactively ask a series of questions required for generating a basic piece of content and automatically add it to the Content Pack.
-### contentctl inspect
-This section is under development.  The inspect action performs a number of post-build validations. Primarily, it will enable the user to perform an appinspect of the content pack in preparation for deployment onto a Splunk Instance or via Splunk Cloud. It also compares detections in the new build against a prior build, confirming that any changed detections have had their versions incremented (this comparison happens at the savedsearch.conf level, which is why it must happen after the build). Please also note that new versions of contentctl may result in the generation of different savedsearches.conf files without any content changes in YML (new keys at the .conf level which will necessitate bumping of the version in the YML file).
-### contentctl deploy
-The reason to build content is so that it can be deployed to your environment.  However, deploying content to multiple servers and different types of infrastructure can be tricky and time-consuming.  contentctl makes this easy by supporting a number of different deployment mechanisms. Deployment targets can be defined in [contentctl.yml](/contentctl/templates/contentctl_default.yml).
-- Deploy via API - Using the REST API, individual pieces of content are deployed to a running server.  This is a great way to deploy all of the content in a content pack, but can also be used to deploy individual peices of content.
-- Deploy to Splunk Cloud via ACS - Using the Automated Private App Vetting (APAV) Feature of the Admin Config Service (ACS), Splunk Cloud customers can easily deploy custom apps to their environments.
-### contentctl docs
-This section is under active development.  It will allow you to easily generate verbose [web-based documentation](https://research.splunk.com) from all of your content.  The link here shows the generation of that documentation using the content in Splunk's [security_content repo](https://github.com/splunk/security_content).
-### contentctl test
-The static validation performed by *contentctl validate* can only take you so far.  While it's powerful, and fast, it can only tell determine if the content is *syntactically* correct.  *contentctl test* can test your content on real Splunk Infrastructure to ensure there are no errors in your SPL, raw data can be properly ingested/processed/accelerated on your server, your search finds the event(s) you're looking for in raw data, and even provides high-level runtime performance metrics about your searches.    As part of this workflow, a large number of apps will be installed by default.  You can see, and edit, the list of apps in the [app_default.yml](/contentctl/templates/app_default.yml) file.  We plan on making this even easier to update in the future, so stay tuned for updates.
-The following diagram shows this workflow at a high level.
-```mermaid
-graph TD
-SplunkContainer--start-->SplunkInstance
-SplunkServer-->SplunkInstance
-SplunkInstance--Install Apps-->ConfiguredInstance
-SplunkInstance--Configure Settings-->ConfiguredInstance
-ContentPack--Deploy-->ConfiguredInstance
-ConfiguredInstance--Start Test-->Testing
-Testing--Test Detection-->Detection
-Detection--Replay Raw Data-->Result
-subgraph Test Indidivual Detection
-	Detection--Execute Search-->Result
-end
-Result--Cleanup-->Testing
-Testing--Cleanup-->TestResults
-```
-#### Testing Modes
-There are a number of different testing modes that control which content will be tested.  This can be controlled with the `--mode {}` option at the command line
-- all - This will test all of the content in the content pack. Please note that by default only detections marked production will be tested (detections marked as deprecated or experimental, for example, will be ignored).
-- selected - Detections whose relative paths are provided on the command line will be tested.  This is particularly useful if you would like to troubleshoot or update just a handful of detections and can save a significant amount of time.  For example, to test two detections use the following command `contentctl test --mode selected --detections_list detections/detection_one.yml detections/detection_two.yml`
-- **changes - (not currently supported) If you have a large number of detections and use a branching workflow to create new content or update content, then this is an easy way to automatically find and test only that content automatically.  This prevents you from needing to explicitly list the subset of content to test using "selected"**
-#### Testing Behavior
-contentctl test's default mode allows it to quickly test all content with requiring user interaction.  This makes it suitable for local tests as well as CI/CD workflows.  However, users often want to troubleshoot a test if it fails.  contentctl allows you to change the tool's behavior if and/or when a test fails:
-- --behavior never_pause - The default behavior.  If a test does not pass, the tool begins the next test immediately
-- --behavior pause_on_failure - If a test fails, then additional information about that test, and the raw SPL of the test, is printed to the terminal.  A user may then click (or CMD+Click) the "LINK" to begin interactively debugging the failed test on the Splunk Server.  Note that the credentials for the server are printed out at the very beginning of the test.  After you have finished debugging the failure, hit "Return" in the terminal to move on to the next test. The attack_data for this test remains loaded on the server for debugging until the user moves on to the next test.
-- --behavior always_pause - Similar to pause_on_failure, but this pauses after every test regardless of whether it passes or fails.
-1. **init** - Initilialize a new repo from scratch so you can easily add your own content to a custom application.
-2. **new** - Creates new content (detection, story)
-3. **validate** - Validates written content
-4. **build** - Builds an application suitable for deployment on a search head using Slim, the Splunk Packaging Toolkit
-5. **deploy** - Deploy the security content pack to a Splunk Server
-6. **docs** - Create documentation as Markdown
-7. **reporting** - Create different reporting files such as a Mitre ATT&CK overlay
-# Shell tab-complete
-Leveraging the tab completion featureset of the CLI library we're using, you can generate tab completions for `contentctl` automatically, for zsh, bash, and tcsh. For additional details, you can view the docs for the library [here.](https://brentyi.github.io/tyro/tab_completion/)
-### Zsh
-If you already have a location for your ZSH tab completions, you only need to run the generation line and can skip the folder creation, configuring the rest to fit with your shell config.
-```zsh
-mkdir -p ~/.zfunc
-contentctl --tyro-write-completion zsh ~/.zfunc/_contentctl
-echo "fpath+=~/.zfunc" >> ~/.zshrc
-echo "autoload -Uz compinit && compinit" >> ~/.zshrc
-source ~/.zshrc
-```
-### Bash
-```bash
-completion_dir=${BASH_COMPLETION_USER_DIR:-${XDG_DATA_HOME:-$HOME/.local/share}/bash-completion}/completions/
-mkdir -p $completion_dir
-contentctl --tyro-write-completion bash ${completion_dir}/_contentctl
-```
-# Acronyms
-| Acronym | Meaning| Description |
-| --------------------- | ------------------------------------------------------- | ---- |
-| SOC | Security Operation Center | Description of a SoC |
-| DaC | Detection as Code | A systematic approach applying DevOps priciples to Detection Engineering. DaC enables Continuous Integration and Continuous Delivery of Detectionsa via automated validation, testing, and deployment |
-| CICD | Continuous Integration/Continuous Delivery | A modern DevOps practice that encourages users to make small, frequent changes which are automatically tested and deployed. This contrasts with legacy approaches that emphasize large changes which may be manually tested an infrequently deployed. |
-| ACS| Admin Config Service | The [Splunk Admin Config Service](https://docs.splunk.com/Documentation/SplunkCloud/9.0.2209/Config/ACSIntro) is a cloud-native API that provides programmatic self-service administration capabilities for Splunk Cloud Platform. One of its features, Automated Private App Vetting (APAV) enables the installation of custom app on Splunk Cloud instances. |
-| APAV | Automated Private App Vetting | [Automated Private App Vetting](https://docs.splunk.com/Documentation/SplunkCloud/9.0.2209/Config/ManageApps) enables admins to use the ACS API to install, upgrade, and uninstall apps directly on your Splunk Cloud Platform deployment without assistance from Splunk Support. |
-# License
-Copyright 2023 Splunk Inc.
-Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
-http://www.apache.org/licenses/LICENSE-2.0
-Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

{contentctl-5.0.4.dist-info → contentctl-5.1.0.dist-info}/LICENSE.md RENAMED Viewed

File without changes

{contentctl-5.0.4.dist-info → contentctl-5.1.0.dist-info}/WHEEL RENAMED Viewed

File without changes

{contentctl-5.0.4.dist-info → contentctl-5.1.0.dist-info}/entry_points.txt RENAMED Viewed

File without changes

contentctl 5.0.4__py3-none-any.whl → 5.1.0__py3-none-any.whl

contentctl 5.0.4py3-none-any.whl → 5.1.0py3-none-any.whl