contentctl 5.4.0__py3-none-any.whl → 5.5.0__py3-none-any.whl

contentctl/actions/detection_testing/infrastructures/DetectionTestingInfrastructure.py

@@ -7,7 +7,6 @@ import pathlib
 import time
 import urllib.parse
 import uuid
-from shutil import copyfile
 from ssl import SSLEOFError, SSLZeroReturnError
 from sys import stdout
 from tempfile import TemporaryDirectory, mktemp
@@ -1402,7 +1401,6 @@ class DetectionTestingInfrastructure(BaseModel, abc.ABC):
                 f"The only valid indexes on the server are {self.all_indexes_on_server}"
             )
 
-        tempfile = mktemp(dir=tmp_dir)
         if not (
             str(attack_data_file.data).startswith("http://")
             or str(attack_data_file.data).startswith("https://")
@@ -1415,13 +1413,7 @@ class DetectionTestingInfrastructure(BaseModel, abc.ABC):
                     test_group_start_time,
                 )
 
-                try:
-                    copyfile(str(attack_data_file.data), tempfile)
-                except Exception as e:
-                    raise Exception(
-                        f"Error copying local Attack Data File for [{test_group.name}] - [{attack_data_file.data}]: "
-                        f"{str(e)}"
-                    )
+                tempfile = str(attack_data_file.data)
             else:
                 raise Exception(
                     f"Attack Data File for [{test_group.name}] is local [{attack_data_file.data}], but does not exist."
@@ -1432,6 +1424,7 @@ class DetectionTestingInfrastructure(BaseModel, abc.ABC):
             # We need to overwrite the file - mkstemp will create an empty file with the
             # given name
             try:
+                tempfile = mktemp(dir=tmp_dir)
                 # In case the path is a local file, try to get it
 
                 self.format_pbar_string(

contentctl/contentctl.py

@@ -68,6 +68,7 @@ def init_func(config: test):
 
 
 def validate_func(config: validate) -> DirectorOutputDto:
+    config.check_test_data_caches()
     validate = Validate()
     return validate.execute(config)
 

contentctl/input/director.py

@@ -338,10 +338,15 @@ class Director:
                     for err in error.errors():
                         error_msg = err.get("msg", "")
                         if "https://errors.pydantic.dev" in error_msg:
-                            continue
+                            # Unfortunately, this is a catch-all for untyped errors. We will still need to emit this
+                            # This is harder to read, but the other option is suppressing it which we cannot do as
+                            # it makes troubleshooting extremelt difficult
+                            print(
+                                f"      {Colors.RED}{Colors.ERROR} {error_msg}{Colors.END}"
+                            )
 
                         # Clean error categorization
-                        if "Field required" in error_msg:
+                        elif "Field required" in error_msg:
                             print(
                                 f"      {Colors.YELLOW}{Colors.WARNING} Field Required: {err.get('loc', [''])[0]}{Colors.END}"
                             )

contentctl/objects/abstract_security_content_objects/detection_abstract.py

@@ -913,7 +913,7 @@ class Detection_Abstract(SecurityContentObject):
         return self
 
     @field_validator("tests", mode="before")
-    def ensure_yml_test_is_unittest(cls, v: list[dict]):
+    def ensure_yml_test_is_unittest(cls, v: list[dict], info: ValidationInfo):
         """The typing for the tests field allows it to be one of
         a number of different types of tests. However, ONLY
         UnitTest should be allowed to be defined in the YML
@@ -941,7 +941,7 @@ class Detection_Abstract(SecurityContentObject):
         for unitTest in v:
             # This raises a ValueError on a failed UnitTest.
             try:
-                UnitTest.model_validate(unitTest)
+                UnitTest.model_validate(unitTest, context=info.context)
             except ValueError as e:
                 valueErrors.append(e)
         if len(valueErrors):

contentctl/objects/config.py

@@ -26,6 +26,7 @@ from pydantic import (
     field_validator,
     model_validator,
 )
+from requests import RequestException, head
 
 from contentctl.helper.splunk_app import SplunkApp
 from contentctl.helper.utils import Utils
@@ -261,6 +262,37 @@ class init(Config_Base):
     )
 
 
+# There can be a number of attack data file warning mapping exceptions, or errors,
+# that can occur when using attack data caches.  In order to avoid very complex
+# output, we will only emit the verbose versions of these message once per file.
+# This is a non-intuitive place to put this, but it is good enough for now.
+ATTACK_DATA_CACHE_MAPPING_EXCEPTIONS: set[str] = set()
+
+
+class AttackDataCache(BaseModel):
+    base_url: str = Field(
+        "This is the beginning of a URL that the data must begin with to map to this cache object."
+    )
+    base_directory_name: str = Field(
+        "This is the root folder name where the attack data should be downloaded to. Note that this path MUST be in the external_repos/ folder",
+        pattern=r"^external_repos/.+",
+    )
+    # suggested checkout information for our attack_data repo
+    # curl https://attack-range-attack-data.s3.us-west-2.amazonaws.com/attack_data.tar.zstd | zstd --decompress | tar -x -C attack_data/
+    # suggested YML values for this:
+    helptext: str | None = Field(
+        default="This repo is set up to use test_data_caches. This can be extremely helpful in validating correct links for test attack_data and speeding up testing.\n"
+        "Include the following in your contentctl.yml file to use this cache:\n\n"
+        "test_data_caches:\n"
+        "- base_url: https://media.githubusercontent.com/media/splunk/attack_data/master/\n"
+        "  base_directory_name: external_repos/attack_data\n\n"
+        "In order to check out STRT Attack Data, you can use the following command:\n"
+        "mkdir -p external_repos; curl https://attack-range-attack-data.s3.us-west-2.amazonaws.com/attack_data.tar.zstd | zstd --decompress | tar -x -C external_repos/\n"
+        "or\n"
+        """echo "First ensure git-lfs is enabled"; git clone https://github.com/splunk/attack_data external_repos/attack_data"""
+    )
+
+
 class validate(Config_Base):
     model_config = ConfigDict(validate_default=True, arbitrary_types_allowed=True)
     enforce_deprecation_mapping_requirement: bool = Field(
@@ -291,10 +323,151 @@ class validate(Config_Base):
         default=False, description="Validate latest TA information from Splunkbase"
     )
 
+    test_data_caches: list[AttackDataCache] = Field(
+        default=[],
+        description="A list of attack data that can "
+        "be used in lieu of the HTTPS download links "
+        "of each test data file. This cache can significantly "
+        "increase overall test speed, ensure the correctness of "
+        "links at 'contentctl validate' time, and reduce errors "
+        "associated with failed responses from file servers.",
+    )
+
     @property
     def external_repos_path(self) -> pathlib.Path:
         return self.path / "external_repos"
 
+    # We can't make this a validator because the constructor
+    # is called many times - we don't want to print this out many times.
+    def check_test_data_caches(self) -> Self:
+        """
+        Check that the test data caches actually exist at the specified paths.
+        If they do exist, then do nothing. If they do not, then emit the helpext, but
+        do not raise an exception.  They are not required, but can significantly speed up
+        and reduce the flakiness of tests by reducing failed HTTP requests.
+        """
+        if not self.verbose:
+            # Ignore the check and error output if we are not in verbose mode
+            return self
+        for cache in self.test_data_caches:
+            cache_path = self.path / cache.base_directory_name
+            if not cache_path.is_dir():
+                print(cache.helptext)
+            else:
+                build_date_file = cache_path / "cache_build_date.txt"
+                git_hash_file = cache_path / "git_hash.txt"
+
+                if build_date_file.is_file():
+                    # This is a cache that was built by contentctl.  We can use this to
+                    # determine if the cache is out of date.
+                    with open(build_date_file, "r") as f:
+                        build_date = f.read().strip()
+                else:
+                    build_date = "<UNKNOWN_DATE>"
+                if git_hash_file.is_file():
+                    # This is a cache that was built by contentctl.  We can use this to
+                    # determine if the cache is out of date.
+                    with open(git_hash_file, "r") as f:
+                        git_hash = f.read().strip()
+                else:
+                    git_hash = "<UNKNOWN_HASH>"
+
+                print(
+                    f"Found attack data cache at [{cache_path}]\n**Cache Build Date: {build_date}\n**Repo Git Hash   : {git_hash}\n"
+                )
+
+        return self
+
+    def map_to_attack_data_cache(
+        self, filename: HttpUrl | FilePath, verbose: bool = False
+    ) -> HttpUrl | FilePath:
+        if str(filename) in ATTACK_DATA_CACHE_MAPPING_EXCEPTIONS:
+            # This is already something that we have emitted a warning or
+            # Exception for.  We don't want to emit it again as it will
+            # pollute the output.
+            return filename
+
+        # If this is simply a link to a file directly, then no mapping
+        # needs to take place. Return the link to the file.
+        if isinstance(filename, pathlib.Path):
+            return filename
+
+        if len(self.test_data_caches) == 0:
+            return filename
+
+        # Otherwise, this is a URL.  See if its prefix matches one of the
+        # prefixes in the list of caches
+        for cache in self.test_data_caches:
+            root_folder_path = self.path / cache.base_directory_name
+            # See if this data file was in that path
+
+            if str(filename).startswith(cache.base_url):
+                new_file_name = str(filename).replace(cache.base_url, "")
+                new_file_path = root_folder_path / new_file_name
+
+                if not root_folder_path.is_dir():
+                    # This has not been checked out. Even though we want to use this cache
+                    # whenever possible, we don't want to force it.
+                    return filename
+
+                if new_file_path.is_file():
+                    # We found the file in the cache. Return the new path
+                    return new_file_path
+
+                # Any thing below here is non standard behavior that will produce either a warning message,
+                # an error, or both. We onyl want to do this once for each file, even if it is used
+                # across multiple different detections.
+                ATTACK_DATA_CACHE_MAPPING_EXCEPTIONS.add(str(filename))
+
+                # The cache exists, but we didn't find the file.  We will emit an informational warning
+                # for this, but this is not an exception. Instead, we will just fall back to using
+                # the original URL.
+                if verbose:
+                    # Give some extra context about missing attack data files/bad mapping
+                    try:
+                        h = head(str(filename))
+                        h.raise_for_status()
+
+                    except RequestException:
+                        raise ValueError(
+                            f"Error resolving the attack_data file {filename}. "
+                            f"It was missing from the cache {cache.base_directory_name} and a download from the server failed."
+                        )
+                    print(
+                        f"\nFilename {filename} not found in cache {cache.base_directory_name}, but exists on the server. "
+                        f"Your cache {cache.base_directory_name} may be out of date."
+                    )
+                return filename
+        if verbose:
+            # Any thing below here is non standard behavior that will produce either a warning message,
+            # an error, or both. We onyl want to do this once for each file, even if it is used
+            # across multiple different detections.
+            ATTACK_DATA_CACHE_MAPPING_EXCEPTIONS.add(str(filename))
+
+            # Give some extra context about missing attack data files/bad mapping
+            url = f"Attack Data   : {filename}"
+            prefixes = "".join(
+                [
+                    f"\n  Valid Prefix: {cache.base_url}"
+                    for cache in self.test_data_caches
+                ]
+            )
+            # Give some extra context about missing attack data files/bad mapping
+            try:
+                h = head(str(filename))
+                h.raise_for_status()
+            except RequestException:
+                raise ValueError(
+                    f"Error resolving the attack_data file {filename}. It was missing from all caches and a download from the server failed.\n"
+                    f"{url}{prefixes}\n"
+                )
+
+            print(
+                f"\nAttack Data Missing from all caches, but present at URL:\n{url}{prefixes}"
+            )
+
+        return filename
+
     @property
     def mitre_cti_repo_path(self) -> pathlib.Path:
         return self.external_repos_path / "cti"

contentctl/objects/test_attack_data.py

@@ -1,5 +1,19 @@
 from __future__ import annotations
-from pydantic import BaseModel, HttpUrl, FilePath, Field, ConfigDict
+
+from typing import TYPE_CHECKING
+
+if TYPE_CHECKING:
+    from contentctl.objects.config import validate
+
+from pydantic import (
+    BaseModel,
+    ConfigDict,
+    Field,
+    FilePath,
+    HttpUrl,
+    ValidationInfo,
+    field_validator,
+)
 
 
 class TestAttackData(BaseModel):
@@ -11,3 +25,24 @@ class TestAttackData(BaseModel):
     sourcetype: str = Field(...)
     custom_index: str | None = None
     host: str | None = None
+
+    @field_validator("data", mode="after")
+    @classmethod
+    def check_for_existence_of_attack_data_repo(
+        cls, value: HttpUrl | FilePath, info: ValidationInfo
+    ) -> HttpUrl | FilePath:
+        # this appears to be called more than once, the first time
+        # info.context is always None. In this case, just return what
+        # was passed.
+        if not info.context:
+            return value
+
+        # When the config is passed, used it to determine if we can map
+        # the test data to a file on disk
+        if info.context.get("config", None):
+            config: validate = info.context.get("config", None)
+            return config.map_to_attack_data_cache(value, verbose=config.verbose)
+        else:
+            raise ValueError(
+                "config not passed to TestAttackData constructor in context"
+            )

contentctl/output/templates/savedsearches_detections.j2

@@ -1,7 +1,6 @@
 ### {{app.label}} DETECTIONS ###
 
 {% for detection in objects %}
-{% if (detection.type == 'TTP' or detection.type == 'Anomaly' or detection.type == 'Hunting' or detection.type == 'Correlation') %}
 [{{ detection.get_conf_stanza_name(app) }}]
 action.escu = 0
 action.escu.enabled = 1
@@ -9,23 +8,13 @@ description = {{ detection.status_aware_description | escapeNewlines() }}
 action.escu.mappings = {{ detection.mappings | tojson }}
 action.escu.data_models = {{ detection.datamodel | tojson }}
 action.escu.eli5 = {{ detection.status_aware_description | escapeNewlines() }}
-{% if detection.how_to_implement %}
 action.escu.how_to_implement = {{ detection.how_to_implement | escapeNewlines() }}
-{% else %}
-action.escu.how_to_implement = none
-{% endif %}
-{% if detection.known_false_positives %}
 action.escu.known_false_positives = {{ detection.known_false_positives | escapeNewlines() }}
-{% else %}
-action.escu.known_false_positives = None
-{% endif %}
 action.escu.creation_date = {{ detection.date }}
 action.escu.modification_date = {{ detection.date }}
 action.escu.confidence = high
 action.escu.search_type = detection
-{% if detection.tags.product is defined %}
 action.escu.product = {{ detection.tags.product | tojson }}
-{% endif %}
 {% if detection.tags.atomic_guid %}
 action.escu.atomic_red_team_guids = {{ detection.tags.getAtomicGuidStringArray() | tojson }}
 {% endif %}
@@ -34,7 +23,6 @@ action.escu.providing_technologies = {{ detection.providing_technologies | tojso
 {% else %}
 action.escu.providing_technologies = null
 {% endif %}
-{% if detection.tags.analytic_story %}
 action.escu.analytic_story = {{ objectListToNameList(detection.tags.analytic_story) | tojson }}
 {% if detection.deployment.alert_action.rba.enabled%}
 action.risk = 1
@@ -43,25 +31,19 @@ action.risk.param._risk = {{ detection.risk | tojson }}
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 {% endif %}
-{% else %}
-action.escu.analytic_story = []
-{% endif %}
 cron_schedule = {{ detection.deployment.scheduling.cron_schedule }}
 dispatch.earliest_time = {{ detection.deployment.scheduling.earliest_time }}
 dispatch.latest_time = {{ detection.deployment.scheduling.latest_time }}
 action.correlationsearch.enabled = 1
+action.correlationsearch.detection_type = ebd
 action.correlationsearch.label = {{ detection.get_action_dot_correlationsearch_dot_label(app) }}
 action.correlationsearch.annotations = {{ detection.annotations | tojson }}
 action.correlationsearch.metadata = {{ detection.metadata | tojson }}
-{% if detection.deployment.scheduling.schedule_window is defined %}
 schedule_window = {{ detection.deployment.scheduling.schedule_window }}
-{% endif %}
-{% if detection.deployment is defined %}
 {% if detection.deployment.alert_action.notable %}
 action.notable = 1
-{% if detection.nes_fields %}
+action.notable.param._entities = [{"risk_object_field": "N/A", "risk_object_type": "N/A", "risk_score": "0"}]
 action.notable.param.nes_fields = {{ detection.nes_fields }}
-{% endif %}
 action.notable.param.rule_description = {{ detection.deployment.alert_action.notable.rule_description | custom_jinja2_enrichment_filter(detection) | escapeNewlines()}}
 action.notable.param.rule_title = {% if detection.type | lower == "correlation" %}RBA: {{ detection.deployment.alert_action.notable.rule_title | custom_jinja2_enrichment_filter(detection) }}{% else %}{{ detection.deployment.alert_action.notable.rule_title | custom_jinja2_enrichment_filter(detection) }}{% endif +%}
 action.notable.param.security_domain = {{ detection.tags.security_domain }}
@@ -87,13 +69,8 @@ action.sendtophantom.param.phantom_server = {{ detection.deployment.alert_action
 action.sendtophantom.param.sensitivity = {{ detection.deployment.alert_action.phantom.sensitivity | custom_jinja2_enrichment_filter(detection) }}
 action.sendtophantom.param.severity = {{ detection.deployment.alert_action.phantom.severity | custom_jinja2_enrichment_filter(detection) }}
 {% endif %}
-{% endif %}
 alert.digest_mode = 1
-{% if detection.enabled_by_default %}
-disabled = false
-{% else %}
-disabled = true
-{% endif %}
+disabled = {{ (not detection.enabled_by_default) | lower }}
 enableSched = 1
 allow_skew = 100%
 counttype = number of events
@@ -108,7 +85,6 @@ alert.suppress.period = {{ detection.tags.throttling.period }}
 {% endif %}
 search = {{ detection.search | escapeNewlines() }}
 action.notable.param.drilldown_searches = {{ detection.drilldowns_in_JSON | tojson | escapeNewlines() }}
-{% endif %}
 
 {% endfor %}
 ### END {{ app.label }} DETECTIONS ###

{contentctl-5.4.0.dist-info → contentctl-5.5.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.3
 Name: contentctl
-Version: 5.4.0
+Version: 5.5.0
 Summary: Splunk Content Control Tool
 License: Apache 2.0
 Author: STRT
@@ -24,7 +24,7 @@ Requires-Dist: questionary (>=2.0.1,<3.0.0)
 Requires-Dist: requests (>=2.32.3,<2.33.0)
 Requires-Dist: rich (>=14.0.0,<15.0.0)
 Requires-Dist: semantic-version (>=2.10.0,<3.0.0)
-Requires-Dist: setuptools (>=69.5.1,<79.0.0)
+Requires-Dist: setuptools (>=69.5.1,<81.0.0)
 Requires-Dist: splunk-sdk (>=2.0.2,<3.0.0)
 Requires-Dist: tqdm (>=4.66.5,<5.0.0)
 Requires-Dist: tyro (>=0.9.2,<0.10.0)

{contentctl-5.4.0.dist-info → contentctl-5.5.0.dist-info}/RECORD

@@ -4,7 +4,7 @@ contentctl/actions/deploy_acs.py,sha256=w3OqO8GXzB_5zHrE8lDYbadAy4Etw7F2o84Gze74
 contentctl/actions/detection_testing/DetectionTestingManager.py,sha256=94apBwLkXWsgdLSvE9f_KqCfQSdmDChMncMcsEdY1A8,10974
 contentctl/actions/detection_testing/GitService.py,sha256=HU1fKkb5463weqSZ3LrTVHtNrzBH_f5pE99-zD2j1A8,11345
 contentctl/actions/detection_testing/generate_detection_coverage_badge.py,sha256=bGUVKjKv96lTw1GZ4Kw1JX-Yicu4aOJWm-IL524e9HI,2302
-contentctl/actions/detection_testing/infrastructures/DetectionTestingInfrastructure.py,sha256=nJVo_L3Y4V0Uk7VCGHY58waGCBKcfujIFmxKC83oVgY,61082
+contentctl/actions/detection_testing/infrastructures/DetectionTestingInfrastructure.py,sha256=Th2QFQeGL3a-aUp83fUCm0aApQIcXjspetNj920fd34,60776
 contentctl/actions/detection_testing/infrastructures/DetectionTestingInfrastructureContainer.py,sha256=qYWgRW7uc-15jzwv5xSUF2xyLDmtyGyMfuXkQK9j-aM,7221
 contentctl/actions/detection_testing/infrastructures/DetectionTestingInfrastructureServer.py,sha256=Q1ZfCYOp54O39bgTScZMInkmZiU-bGAM9Hiwr2mq5ms,370
 contentctl/actions/detection_testing/progress_bar.py,sha256=UrpNCqxTmQ4hfoRZgxPJ1xvDVwMrTq0UnotdryHN0gM,3232
@@ -21,7 +21,7 @@ contentctl/actions/reporting.py,sha256=GF32i7sHdc47bw-VWSW-nZ1QBaUl6Ni1JjV5_SOyi
 contentctl/actions/test.py,sha256=ftZazqoqv7bLNhyW23aRnDpetG9zltS8wr4Xq9Hls0k,6268
 contentctl/actions/validate.py,sha256=teqRVxNlUgzDvKQm-sXb05TST05duA2-NhJOzNxlBTw,6152
 contentctl/api.py,sha256=6s17vNOW1E1EzQqOCXAa5uWuhwwShu-JkGSgrsOFEMs,6329
-contentctl/contentctl.py,sha256=nR8nHxXY0elvQogVHFqsyid7Ch5sMnIiNAOFbCa0yzI,11755
+contentctl/contentctl.py,sha256=Wpy5GmgQIVoWs9PBDDKS0E1U2810J8WEfzfxckMGB-c,11791
 contentctl/enrichments/attack_enrichment.py,sha256=68C9xQ8Q3YX-luRdK2hLnwWtRFpheFA2kE4v5GOLGEo,6358
 contentctl/enrichments/cve_enrichment.py,sha256=TsZ52ef2njt19lPf_VyclY_-5Z5iQ1boVOAxFbjGdSQ,2431
 contentctl/enrichments/splunk_app_enrichment.py,sha256=Xynxjjkqlw0_RtQ1thGSFwy1I3HdmPAJmNKZezyqniU,3419
@@ -29,10 +29,10 @@ contentctl/helper/link_validator.py,sha256=kzEi2GdncPWSi-UKNerXm2jtTJfFQ5goS9pqy
 contentctl/helper/logger.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 contentctl/helper/splunk_app.py,sha256=Zq_C9rjNVqCjBNgm-5CWdBpXyeX5jSpbE-QTGptEZlk,14571
 contentctl/helper/utils.py,sha256=1_6cbvvbPXWxym3ZhRhL18ttmXLXiHbavpXAkROtGcg,21154
-contentctl/input/director.py,sha256=h2F7vfP56RyBhrUmI9_9Wn_gDIH2d1NKepc8Yt5cHf4,17002
+contentctl/input/director.py,sha256=Em7ZwYdIapgr7Qd--uX6UxkeSyT1oxwyY0pius2Wbqc,17431
 contentctl/input/new_content_questions.py,sha256=z2C4Mg7-EyxtiF2z9m4SnSbi6QO4CUPB3wg__JeMXIQ,4067
 contentctl/input/yml_reader.py,sha256=L27b14_xXQYypUV1eAzZrfMtwtkzAZx--6nRo3RNZnE,2729
-contentctl/objects/abstract_security_content_objects/detection_abstract.py,sha256=Gsb6v44VpWeGnMi79viJ0zO81pZ9GuiaqQJyHM-ba5I,46861
+contentctl/objects/abstract_security_content_objects/detection_abstract.py,sha256=bvX3iDQvR7BI1KIgKFBbyX7QkijhPANo9GzBCMVwtm8,46905
 contentctl/objects/abstract_security_content_objects/security_content_object_abstract.py,sha256=un1tjoZdxKi07dSddPD5MXRN3tea3dj0poKmFrbCu-k,34206
 contentctl/objects/alert_action.py,sha256=iEvdEOT4TrTXT0z4rQ_W5v79hPJpPhFPSzo7TuHDxwA,1376
 contentctl/objects/annotated_types.py,sha256=xR4EKvdOpNDEt0doGs8XjxCzKK99J2NHZgHFAmt7p2c,424
@@ -42,7 +42,7 @@ contentctl/objects/base_test.py,sha256=JG6qlr7xe9P71n3CzKOro8_bsmDQGYDfTG9YooHQS
 contentctl/objects/base_test_result.py,sha256=TYYzTPKWqp9rHTebWoid50uxAp_iALZouril4sFwIcA,5197
 contentctl/objects/baseline.py,sha256=EMcuz_9sVgOFh3YCj871GSAA6v3FIkRTf90-LAHq-J0,3700
 contentctl/objects/baseline_tags.py,sha256=Eomy8y3HV-E6Lym5B5ZZTtsmQJYi6Jd4y8GZpTWGYgQ,1643
-contentctl/objects/config.py,sha256=8F_zpcnFyE_rSdGomm2qeVDG6tTpjhrVyK6BsNHM8js,49357
+contentctl/objects/config.py,sha256=3sJN48BuWXsCRjrdYyHTjZnUmVHGt9aW3_QaMBaghRw,57953
 contentctl/objects/constants.py,sha256=VwwQtJBGC_zb3ukjb3A7P0CwAlyhacWiXczwAW5Jiog,5466
 contentctl/objects/content_versioning_service.py,sha256=BDk_TV1PTVoXpPcUxqTLa5_bjkfOs9PFYgqTuzOS9UI,20566
 contentctl/objects/correlation_search.py,sha256=tvcFeHGFRyZso50KHsEVCjTmHh3rHDegcfqaD-TjCFg,51473
@@ -84,7 +84,7 @@ contentctl/objects/savedsearches_conf.py,sha256=Dn_Pxd9i3RT6DwNh6JrgmfxjsO3q15xz
 contentctl/objects/security_content_object.py,sha256=2mEf-wt3hMsLEyo4yatyK66jKjgUOVjJHIN9fgQB5nA,246
 contentctl/objects/story.py,sha256=1JCiF9D1EZeVcoMXXDoWkOqHXQn4TsQgl8EtUN59a2E,5796
 contentctl/objects/story_tags.py,sha256=IYumFuBF2Bt7HtW4lBfCRo2EUpjMYlnNjpx24jBErs4,2365
-contentctl/objects/test_attack_data.py,sha256=7p-kOJguTZtG9y5th5U3qfPFvpiAWLST_OBw8dwWl_4,488
+contentctl/objects/test_attack_data.py,sha256=jXpaThVBntzKkRm1CPjTpaXDbKPu8xNghwuQ1pcGkoo,1513
 contentctl/objects/test_group.py,sha256=r-dXyddok4yslv8SIjwOpqylbN1rdjsRi-HIijvpWD0,2602
 contentctl/objects/threat_object.py,sha256=CB3igcmiq06lqnEh7h-btxFrBfgZbHaA9p8kFDKY6lQ,712
 contentctl/objects/throttling.py,sha256=oupWmdtvwAXzLmD3MBJyAU18SD2L2ciEZWUcnL8MuGk,2309
@@ -124,7 +124,7 @@ contentctl/output/templates/header.j2,sha256=3usV7jm1q6J-QNnQrZzII9cN0XEGQjg_eVK
 contentctl/output/templates/macros.j2,sha256=SLcQQ5X7TZS8j-2qP06BTXqdIcnwoYqTAaBLX2Dge7Y,390
 contentctl/output/templates/panel.j2,sha256=Cw_W6p-14n6UivVfpS75KKJiJ2VpdGsSBceYsUYe9gk,221
 contentctl/output/templates/savedsearches_baselines.j2,sha256=WHZB4e0vmeym8832VxRmuUfDJ-YRYt6emcYaJrghI58,1709
-contentctl/output/templates/savedsearches_detections.j2,sha256=mbOSSDoHwTfzpxQRVz03FvFNQJ26lWqcUtl6uW6tUZY,5874
+contentctl/output/templates/savedsearches_detections.j2,sha256=4WVJtVdFNzSx83SygzpcTYS0McBX41mpRPFm0HxkpuU,5328
 contentctl/output/templates/savedsearches_investigations.j2,sha256=KH2r8SgyAMiettSHypSbA2-1XmQ_8_8xzk3BkbZ1Re4,1196
 contentctl/output/templates/server.conf.j2,sha256=sPZUkiuJNGm9R8rpjfRKyuAvmmQb0C4w9Q6hpmvmPeU,127
 contentctl/output/templates/transforms.j2,sha256=TEKZi8DWpcCysRTNvuLEgAwx-g1SZ2E0CkLiu6v6AlU,1339
@@ -164,8 +164,8 @@ contentctl/templates/detections/web/.gitkeep,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRk
 contentctl/templates/macros/security_content_ctime.yml,sha256=Gg1YNllHVsX_YB716H1SJLWzxXZEfuJlnsgB2fuyoHU,159
 contentctl/templates/macros/security_content_summariesonly.yml,sha256=9BYUxAl2E4Nwh8K19F3AJS8Ka7ceO6ZDBjFiO3l3LY0,162
 contentctl/templates/stories/cobalt_strike.yml,sha256=uj8idtDNOAIqpZ9p8usQg6mop1CQkJ5TlB4Q7CJdTIE,3082
-contentctl-5.4.0.dist-info/LICENSE.md,sha256=hQWUayRk-pAiOZbZnuy8djmoZkjKBx8MrCFpW-JiOgo,11344
-contentctl-5.4.0.dist-info/METADATA,sha256=0Ym0O-VJlAqZbBBwe5BWrymkdZgj-SW1pncPksgZ9jM,5134
-contentctl-5.4.0.dist-info/WHEEL,sha256=fGIA9gx4Qxk2KDKeNJCbOEwSrmLtjWCwzBz351GyrPQ,88
-contentctl-5.4.0.dist-info/entry_points.txt,sha256=5bjZ2NkbQfSwK47uOnA77yCtjgXhvgxnmCQiynRF_-U,57
-contentctl-5.4.0.dist-info/RECORD,,
+contentctl-5.5.0.dist-info/LICENSE.md,sha256=hQWUayRk-pAiOZbZnuy8djmoZkjKBx8MrCFpW-JiOgo,11344
+contentctl-5.5.0.dist-info/METADATA,sha256=howJqbvOr3-HZmRA1k887Cj-yiGCPpR_pwJrVEYDUUY,5134
+contentctl-5.5.0.dist-info/WHEEL,sha256=fGIA9gx4Qxk2KDKeNJCbOEwSrmLtjWCwzBz351GyrPQ,88
+contentctl-5.5.0.dist-info/entry_points.txt,sha256=5bjZ2NkbQfSwK47uOnA77yCtjgXhvgxnmCQiynRF_-U,57
+contentctl-5.5.0.dist-info/RECORD,,