Merge pull request #151 from splunk/dependabot/pip/setuptools-gte-69.5.1-and-lt-71.0.0

Update setuptools requirement from ^69.5.1 to >=69.5.1,<71.0.0

Author: pyth0n1c

contentctl/actions/new_content.py

@@ -19,16 +19,21 @@ def buildDetection(self)->dict[str,Any]:
         answers = questionary.prompt(questions)
         answers.update(answers)
         answers['name'] = answers['detection_name']
+        del answers['detection_name']
         answers['id'] = str(uuid.uuid4())
         answers['version'] = 1
         answers['date'] = datetime.today().strftime('%Y-%m-%d')
         answers['author'] = answers['detection_author']
+        del answers['detection_author']
         answers['data_source'] = answers['data_source']
         answers['type'] = answers['detection_type']
+        del answers['detection_type']
         answers['status'] = "production" #start everything as production since that's what we INTEND the content to become   
         answers['description'] = 'UPDATE_DESCRIPTION'   
         file_name = answers['name'].replace(' ', '_').replace('-','_').replace('.','_').replace('/','_').lower()
+        answers['kind'] = answers['detection_kind']
         answers['search'] = answers['detection_search'] + ' | `' + file_name + '_filter`'
+        del answers['detection_search']
         answers['how_to_implement'] = 'UPDATE_HOW_TO_IMPLEMENT'
         answers['known_false_positives'] = 'UPDATE_KNOWN_FALSE_POSITIVES'            
         answers['references'] = ['REFERENCE']
@@ -52,7 +57,7 @@ def buildDetection(self)->dict[str,Any]:
                 'name': "True Positive Test",
                 'attack_data': [ 
                     {
-                    'data': "Enter URL for Dataset Here.  This may also be a relative or absolute path on your local system for testing.",
+                    'data': "https://github.com/splunk/contentctl/wiki",
                     "sourcetype": "UPDATE SOURCETYPE",
                     "source": "UPDATE SOURCE"
                     }
@@ -65,32 +70,35 @@ def buildStory(self)->dict[str,Any]:
         questions = NewContentQuestions.get_questions_story()
         answers = questionary.prompt(questions)
         answers['name'] = answers['story_name']
+        del answers['story_name']
         answers['id'] = str(uuid.uuid4())
         answers['version'] = 1
         answers['date'] = datetime.today().strftime('%Y-%m-%d')
         answers['author'] = answers['story_author']
+        del answers['story_author']
         answers['description'] = 'UPDATE_DESCRIPTION'
         answers['narrative'] = 'UPDATE_NARRATIVE'
         answers['references'] = []
         answers['tags'] = dict()
-        answers['tags']['analytic_story'] = answers['name']
         answers['tags']['category'] = answers['category']
+        del answers['category']
         answers['tags']['product'] = ['Splunk Enterprise','Splunk Enterprise Security','Splunk Cloud']
         answers['tags']['usecase'] = answers['usecase']
+        del answers['usecase']
         answers['tags']['cve'] = ['UPDATE WITH CVE(S) IF APPLICABLE']
         return answers
 
 
     def execute(self, input_dto: new) -> None:
         if input_dto.type == NewContentType.detection:
             content_dict = self.buildDetection()
-            subdirectory = pathlib.Path('detections') / content_dict.get('type')
+            subdirectory = pathlib.Path('detections') / content_dict.pop('detection_kind')
         elif input_dto.type == NewContentType.story:
             content_dict = self.buildStory()
             subdirectory = pathlib.Path('stories')
         else:
             raise Exception(f"Unsupported new content type: [{input_dto.type}]")
-    
+
         full_output_path = input_dto.path / subdirectory / SecurityContentObject_Abstract.contentNameToFileName(content_dict.get('name'))
         YmlWriter.writeYmlFile(str(full_output_path), content_dict)
 

contentctl/input/new_content_questions.py

@@ -27,11 +27,6 @@ def get_questions_detection(self) -> list:
                 'message': 'enter author name',
                 'name': 'detection_author',
             },
-            {
-                "type": "text",
-                "message": "enter author name",
-                "name": "detection_author",
-            },
             {
                 "type": "select",
                 "message": "select a detection type",

contentctl/objects/story_tags.py

@@ -14,6 +14,8 @@ class StoryUseCase(str,Enum):
    APPLICATION_SECURITY = "Application Security"
    SECURITY_MONITORING = "Security Monitoring"
    ADVANCED_THREAD_DETECTION = "Advanced Threat Detection"
+   INSIDER_THREAT = "Insider Threat"
+   OTHER = "Other"
 
 class StoryTags(BaseModel):
    model_config = ConfigDict(extra='forbid', use_enum_values=True)

contentctl/output/conf_writer.py

@@ -34,7 +34,7 @@ def escapeNewlines(obj:Any):
         # Failing to do so will result in an improperly formatted conf files that
         # cannot be parsed
         if isinstance(obj,str):
-            return obj.replace(f"\n","\\\n")
+            return obj.replace(f"\n"," \\\n")
         else:
             return obj
 

contentctl/output/finding_report_writer.py

@@ -59,9 +59,9 @@ def writeFindingReport(detection : SSADetection) -> None:
             detection.tags.risk_level = "Critical"  
 
         evidence_str = "{"
-        for i in range(len(detection.tags.observable)):            
-            evidence_str = evidence_str + '"' + detection.tags.observable[i]["name"] + '": ' + detection.tags.observable[i]["name"].replace(".", "_")
-            if not i == (len(detection.tags.observable) - 1):
+        for i in range(len(detection.tags.required_fields)):            
+            evidence_str = evidence_str + '"' + detection.tags.required_fields[i] + '": ' + detection.tags.required_fields[i].replace(".", "_")
+            if not i == (len(detection.tags.required_fields) - 1):
                 evidence_str = evidence_str + ', '
 
         evidence_str = evidence_str + ', "sourceType": metadata.source_type, "source": metadata.source}'        

contentctl/output/templates/es_investigations_investigations.j2

@@ -7,32 +7,32 @@ disabled = 0
 tokens = {\
 {% for token in response_task.inputs %}
 {% if token == 'user' %}
-  "user": {\
-    "valuePrefix": "\"",\
-    "valueSuffix": "\"",\
-    "delimiter": " OR {{ token }}=",\
-    "valueType": "primitive",\
-    "value": "identity",\
-    "default": "null"\
-    }\{% elif token == 'dest'%}
+    "user": {\
+      "valuePrefix": "\"",\
+      "valueSuffix": "\"",\
+      "delimiter": " OR {{ token }}=",\
+      "valueType": "primitive",\
+      "value": "identity",\
+      "default": "null"\
+    }{% elif token == 'dest'%}
     "dest": {\
       "valuePrefix": "\"",\
       "valueSuffix": "\"",\
       "delimiter": " OR {{ token }}=",\
       "valueType": "primitive",\
       "value": "asset",\
       "default": "null"\
-    }\{% else %}
+    }{% else %}
     "{{ token }}": {\
       "valuePrefix": "\"",\
       "valueSuffix": "\"",\
       "delimiter": " OR {{ token }}=",\
       "valueType": "primitive",\
       "value": "file",\
       "default": "null"\
-    }\{% endif %}{{ "," if not loop.last }}
+    }{% endif %}{{ "," if not loop.last }}\
 {% endfor %}
-  }\
+}\
 
 
 {% endfor %}