splunk
diff --git a/‎.github/workflows/test_against_escu.yml‎
Lines changed: 69 additions & 0 deletions b/‎.github/workflows/test_against_escu.yml‎
Lines changed: 69 additions & 0 deletions
diff --git a/‎.gitignore‎
Lines changed: 1 addition & 0 deletions b/‎.gitignore‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎contentctl/actions/deploy_acs.py‎
Lines changed: 1 addition & 4 deletions b/‎contentctl/actions/deploy_acs.py‎
Lines changed: 1 addition & 4 deletions
diff --git a/‎contentctl/actions/new_content.py‎
Lines changed: 18 additions & 7 deletions b/‎contentctl/actions/new_content.py‎
Lines changed: 18 additions & 7 deletions
diff --git a/‎contentctl/actions/validate.py‎
Lines changed: 1 addition & 0 deletions b/‎contentctl/actions/validate.py‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎contentctl/api.py‎
Lines changed: 137 additions & 0 deletions b/‎contentctl/api.py‎
Lines changed: 137 additions & 0 deletions
diff --git a/‎contentctl/contentctl.py‎
Lines changed: 5 additions & 4 deletions b/‎contentctl/contentctl.py‎
Lines changed: 5 additions & 4 deletions
@@ -0,0 +1,69 @@
+# The default branch of security_content should always be correct.
+# As such, we should use it in our test workflow, here, to ensure
+# that contentctl is also correct and does not throw unexpected errors.
+
+# We should remember that if contentctl introduces NEW validations that have
+# note yet been fixed in security_content, we may see this workflow fail.
+name: test_against_escu
+on:
+  push:
+  pull_request:
+    types: [opened, reopened]
+  schedule:
+    - cron: "44 4 * * *"
+
+jobs:
+  smoketest_escu:
+    strategy:
+      fail-fast: false
+      matrix:
+        python_version: ["3.11", "3.12"]
+        operating_system: ["ubuntu-20.04", "ubuntu-22.04", "macos-latest", "macos-14"]
+        #operating_system: ["ubuntu-20.04", "ubuntu-22.04", "macos-latest"]
+
+
+    runs-on: ${{ matrix.operating_system }}
+    steps:
+      # Checkout the current branch of contentctl repo
+      - name: Checkout repo
+        uses: actions/checkout@v4
+
+      # Checkout the develop (default) branch of security_content
+      - name: Checkout repo
+        uses: actions/checkout@v4
+        with: 
+          path: security_content
+          repository: splunk/security_content
+
+      #Install the given version of Python we will test against
+      - name: Install Required Python Version
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python_version }}
+          architecture: "x64"
+          
+      - name: Install Poetry
+        run: 
+          python -m pip install poetry
+
+      - name: Install contentctl and activate the shell
+        run: |
+          poetry install --no-interaction
+
+
+      - name: Clone the AtomicRedTeam Repo (for extended validation)
+        run: |
+          cd security_content
+          git clone --depth 1 https://github.com/redcanaryco/atomic-red-team
+
+      
+      # We do not separately run validate and build 
+      # since a build ALSO performs a validate
+      - name: Run contentctl build
+        run: |
+          cd security_content
+          poetry run contentctl build --enrichments
+
+      # Do not run a test - it will take far too long!
+      # Do not upload any artifacts
+      
@@ -10,6 +10,7 @@ apps*
 test_results*
 attack_data*
 security_content/
+contentctl.yml
 
 # Byte-compiled / optimized / DLL files
 __pycache__/
 
@@ -49,7 +49,4 @@ def execute(self, config: deploy_acs, appinspect_token:str) -> None:
             formatted_error_text = pprint.pformat(error_text)
             raise Exception(f"Error installing to stack '{config.splunk_cloud_stack}' (stack_type='{config.stack_type}') via ACS:\n{formatted_error_text}")
 
-        print(f"'{config.getPackageFilePath(include_version=False)}' successfully installed to stack '{config.splunk_cloud_stack}' (stack_type='{config.stack_type}') via ACS!")
-
-        
-        
+        print(f"'{config.getPackageFilePath(include_version=False)}' successfully installed to stack '{config.splunk_cloud_stack}' (stack_type='{config.stack_type}') via ACS!")
@@ -19,16 +19,22 @@ def buildDetection(self)->dict[str,Any]:
         answers = questionary.prompt(questions)
         answers.update(answers)
         answers['name'] = answers['detection_name']
+        del answers['detection_name']
         answers['id'] = str(uuid.uuid4())
         answers['version'] = 1
         answers['date'] = datetime.today().strftime('%Y-%m-%d')
         answers['author'] = answers['detection_author']
-        answers['data_source'] = answers['data_source']
+        del answers['detection_author']
+        answers['data_sources'] = answers['data_source']
+        del answers['data_source']
         answers['type'] = answers['detection_type']
+        del answers['detection_type']
         answers['status'] = "production" #start everything as production since that's what we INTEND the content to become   
         answers['description'] = 'UPDATE_DESCRIPTION'   
         file_name = answers['name'].replace(' ', '_').replace('-','_').replace('.','_').replace('/','_').lower()
+        answers['kind'] = answers['detection_kind']
         answers['search'] = answers['detection_search'] + ' | `' + file_name + '_filter`'
+        del answers['detection_search']
         answers['how_to_implement'] = 'UPDATE_HOW_TO_IMPLEMENT'
         answers['known_false_positives'] = 'UPDATE_KNOWN_FALSE_POSITIVES'            
         answers['references'] = ['REFERENCE']
@@ -44,6 +50,7 @@ def buildDetection(self)->dict[str,Any]:
         answers['tags']['required_fields'] = ['UPDATE']
         answers['tags']['risk_score'] = 'UPDATE (impact * confidence)/100'
         answers['tags']['security_domain'] = answers['security_domain']
+        del answers["security_domain"]
         answers['tags']['cve'] = ['UPDATE WITH CVE(S) IF APPLICABLE']
 
         #generate the tests section
@@ -52,45 +59,49 @@ def buildDetection(self)->dict[str,Any]:
                 'name': "True Positive Test",
                 'attack_data': [ 
                     {
-                    'data': "Enter URL for Dataset Here.  This may also be a relative or absolute path on your local system for testing.",
+                    'data': "https://github.com/splunk/contentctl/wiki",
                     "sourcetype": "UPDATE SOURCETYPE",
                     "source": "UPDATE SOURCE"
                     }
                 ]
             }
         ]
+        del answers["mitre_attack_ids"]
         return answers
 
     def buildStory(self)->dict[str,Any]:
         questions = NewContentQuestions.get_questions_story()
         answers = questionary.prompt(questions)
         answers['name'] = answers['story_name']
+        del answers['story_name']
         answers['id'] = str(uuid.uuid4())
         answers['version'] = 1
         answers['date'] = datetime.today().strftime('%Y-%m-%d')
         answers['author'] = answers['story_author']
+        del answers['story_author']
         answers['description'] = 'UPDATE_DESCRIPTION'
         answers['narrative'] = 'UPDATE_NARRATIVE'
         answers['references'] = []
         answers['tags'] = dict()
-        answers['tags']['analytic_story'] = answers['name']
         answers['tags']['category'] = answers['category']
+        del answers['category']
         answers['tags']['product'] = ['Splunk Enterprise','Splunk Enterprise Security','Splunk Cloud']
         answers['tags']['usecase'] = answers['usecase']
+        del answers['usecase']
         answers['tags']['cve'] = ['UPDATE WITH CVE(S) IF APPLICABLE']
         return answers
 
 
     def execute(self, input_dto: new) -> None:
         if input_dto.type == NewContentType.detection:
             content_dict = self.buildDetection()
-            subdirectory = pathlib.Path('detections') / content_dict.get('type')
+            subdirectory = pathlib.Path('detections') / content_dict.pop('detection_kind')
         elif input_dto.type == NewContentType.story:
             content_dict = self.buildStory()
             subdirectory = pathlib.Path('stories')
         else:
             raise Exception(f"Unsupported new content type: [{input_dto.type}]")
-    
+
         full_output_path = input_dto.path / subdirectory / SecurityContentObject_Abstract.contentNameToFileName(content_dict.get('name'))
         YmlWriter.writeYmlFile(str(full_output_path), content_dict)
 
@@ -103,12 +114,12 @@ def writeObjectNewContent(self, object: dict, subdirectory_name: str, type: NewC
             #make sure the output folder exists for this detection
             output_folder.mkdir(exist_ok=True)
 
-            YmlWriter.writeYmlFile(file_path, object)
+            YmlWriter.writeDetection(file_path, object)
             print("Successfully created detection " + file_path)
 
         elif type == NewContentType.story:
             file_path = os.path.join(self.output_path, 'stories', self.convertNameToFileName(object['name'], object['tags']['product']))
-            YmlWriter.writeYmlFile(file_path, object)
+            YmlWriter.writeStory(file_path, object)
             print("Successfully created story " + file_path)        
 
         else:
 
@@ -23,6 +23,7 @@ def execute(self, input_dto: validate) -> DirectorOutputDto:
         director_output_dto = DirectorOutputDto(AtomicTest.getAtomicTestsFromArtRepo(repo_path=input_dto.getAtomicRedTeamRepoPath(), 
                                                                                      enabled=input_dto.enrichments),
                                                 AttackEnrichment.getAttackEnrichment(input_dto),
+                                                CveEnrichment.getCveEnrichment(input_dto),
                                                 [],[],[],[],[],[],[],[],[])
 
 
 
@@ -0,0 +1,137 @@
+from pathlib import Path
+from typing import Any, Union, Type
+from contentctl.input.yml_reader import YmlReader
+from contentctl.objects.config import test_common, test, test_servers
+from contentctl.objects.security_content_object import SecurityContentObject
+from contentctl.input.director import DirectorOutputDto
+
+def config_from_file(path:Path=Path("contentctl.yml"), config: dict[str,Any]={}, 
+                   configType:Type[Union[test,test_servers]]=test)->test_common:
+    
+    """
+    Fetch a configuration object that can be used for a number of different contentctl
+    operations including validate, build, inspect, test, and test_servers. A file will 
+    be used as the basis for constructing the configuration.
+
+    Args:
+        path (Path, optional): Relative or absolute path to a contentctl config file. 
+        Defaults to Path("contentctl.yml"), which is the default name and location (in the current directory)
+        of the configuration files which are automatically generated for contentctl.
+        config (dict[], optional): Dictionary of values to override values read from the YML
+        path passed as the first argument. Defaults to {}, an empty dict meaning that nothing
+        will be overwritten 
+        configType (Type[Union[test,test_servers]], optional): The Config Class to instantiate. 
+        This may be a test or test_servers object. Note that this is NOT an instance of the class. Defaults to test.
+    Returns:
+        test_common: Returns a complete contentctl test_common configuration. Note that this configuration
+        will have all applicable field for validate and build as well, but can also be used for easily
+        construction a test or test_servers object.  
+    """    
+
+    try:
+        yml_dict = YmlReader.load_file(path, add_fields=False)
+        
+        
+    except Exception as e:
+        raise Exception(f"Failed to load contentctl configuration from file '{path}': {str(e)}")
+    
+    # Apply settings that have been overridden from the ones in the file
+    try:
+        yml_dict.update(config)
+    except Exception as e:
+        raise Exception(f"Failed updating dictionary of values read from file '{path}'"
+                        f" with the dictionary of arguments passed: {str(e)}")
+
+    # The function below will throw its own descriptive exception if it fails
+    configObject = config_from_dict(yml_dict, configType=configType)
+
+    return configObject
+
+
+
+
+def config_from_dict(config: dict[str,Any]={}, 
+                   configType:Type[Union[test,test_servers]]=test)->test_common:
+    """
+    Fetch a configuration object that can be used for a number of different contentctl
+    operations including validate, build, inspect, test, and test_servers. A dict will 
+    be used as the basis for constructing the configuration.
+
+    Args:
+        config (dict[str,Any],Optional): If a dictionary is not explicitly passed, then
+        an empty dict will be used to create a configuration, if possible, from default
+        values.  Note that based on default values in the contentctl/objects/config.py
+        file, this may raise an exception.  If so, please set appropriate default values
+        in the file above or supply those values via this argument.
+        configType (Type[Union[test,test_servers]], optional): The Config Class to instantiate. 
+        This may be a test or test_servers object. Note that this is NOT an instance of the class. Defaults to test.
+    Returns:
+        test_common: Returns a complete contentctl test_common configuration. Note that this configuration
+        will have all applicable field for validate and build as well, but can also be used for easily
+        construction a test or test_servers object.  
+    """    
+    try:
+        test_object = configType.model_validate(config)
+    except Exception as e:
+        raise Exception(f"Failed to load contentctl configuration from dict:\n{str(e)}")
+    
+    return test_object
+
+
+def update_config(config:Union[test,test_servers], **key_value_updates:dict[str,Any])->test_common:
+    
+    """Update any relevant keys in a config file with the specified values.
+    Full validation will be performed after this update and descriptive errors
+    will be produced
+
+    Args:
+        config (test_common): A previously-constructed test_common object.  This can be 
+        build using the configFromDict or configFromFile functions.
+        key_value_updates (kwargs, optional): Additional keyword/argument pairs to update
+        arbitrary fields in the configuration.
+
+    Returns:
+        test_common: A validated object which has had the relevant fields updated.
+        Note that descriptive Exceptions will be generated if updated values are either
+        invalid (have the wrong type, or disallowed values) or you attempt to update
+        fields that do not exist
+    """
+    # Create a copy so we don't change the underlying model
+    config_copy = config.model_copy(deep=True)
+
+    # Force validation of assignment since doing so via arbitrary dict can be error prone
+    # Also, ensure that we do not try to add fields that are not part of the model
+    config_copy.model_config.update({'validate_assignment': True, 'extra': 'forbid'})
+
+    
+    
+    # Collect any errors that may occur
+    errors:list[Exception] = []
+    
+    # We need to do this one by one because the extra:forbid argument does not appear to 
+    # be respected at this time.
+    for key, value in key_value_updates.items():
+        try:
+            setattr(config_copy,key,value)
+        except Exception as e:
+            errors.append(e)
+    if len(errors) > 0:
+        errors_string = '\n'.join([str(e) for e in errors])
+        raise Exception(f"Error(s) updaitng configuration:\n{errors_string}")
+    
+    return config_copy
+    
+
+
+def content_to_dict(director:DirectorOutputDto)->dict[str,list[dict[str,Any]]]:
+    output_dict:dict[str,list[dict[str,Any]]] = {}
+    for contentType in ['detections','stories','baselines','investigations',
+                        'playbooks','macros','lookups','deployments','ssa_detections']:
+        
+        output_dict[contentType] = []
+        t:list[SecurityContentObject] = getattr(director,contentType)
+        
+        for item in t:
+            output_dict[contentType].append(item.model_dump())
+    return output_dict
+            
@@ -99,6 +99,11 @@ def deploy_acs_func(config:deploy_acs):
     raise Exception("deploy acs not yet implemented") 
 
 def test_common_func(config:test_common):
+    if type(config) == test:
+        #construct the container Infrastructure objects
+        config.getContainerInfrastructureObjects()
+        #otherwise, they have already been passed as servers
+
     director_output_dto = build_func(config)
     gitServer = GitService(director=director_output_dto,config=config)
     detections_to_test = gitServer.getContent()
@@ -206,10 +211,6 @@ def main():
             updated_config = deploy_acs.model_validate(config)
             deploy_acs_func(updated_config)
         elif type(config) == test or type(config) == test_servers:
-            if type(config) == test:
-                #construct the container Infrastructure objects
-                config.getContainerInfrastructureObjects()
-                #otherwise, they have already been passed as servers
             test_common_func(config)
         else:
             raise Exception(f"Unknown command line type '{type(config).__name__}'")