
Commit 39ce0ef

committed
Removed risk_Score from contentctl
new template. Added drilldowns where appropriate, and made the attack_data link invalid so that validation fails if it is not updated. This prevents an incorrect attack_data entry from slipping through silently.
1 parent a00958c commit 39ce0ef

1 file changed

+17
-2
lines changed

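--- a/contentctl/actions/new_content.py
+++ b/contentctl/actions/new_content.py
@@ -13,6 +13,20 @@
 from contentctl.output.yml_writer import YmlWriter
 
 class NewContent:
+    DEFAULT_DRILLDOWN_DEF = [
+        {
+            "name": 'View the detection results for - "$first_observable_name_here$" and "$second_observable_name_here$"',
+            "search": '%original_detection_search% | search first_observable_type_here = "$first_observable_name_here$" second_observable_type_here = $second_observable_name_here$',
+            "earliest_offset": '$info_min_time$',
+            "latest_offset": '$info_max_time$'
+        },
+        {
+            "name": 'View risk events for the last 7 days for - "$first_observable_name_here$" and "$second_observable_name_here$"',
+            "search": '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$first_observable_name_here$", "$second_observable_name_here$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`',
+            "earliest_offset": '$info_min_time$',
+            "latest_offset": '$info_max_time$'
+        }
+    ]
 
     def buildDetection(self)->dict[str,Any]:
         questions = NewContentQuestions.get_questions_detection()
@@ -40,6 +54,8 @@ def buildDetection(self)->dict[str,Any]:
         answers['how_to_implement'] = 'UPDATE_HOW_TO_IMPLEMENT'
         answers['known_false_positives'] = 'UPDATE_KNOWN_FALSE_POSITIVES'
         answers['references'] = ['REFERENCE']
+        if answers['type'] in ["TTP", "Correlation", "Anomaly", "TTP"]:
+            answers['drilldown_searches'] = NewContent.DEFAULT_DRILLDOWN_DEF
         answers['tags'] = dict()
         answers['tags']['analytic_story'] = ['UPDATE_STORY_NAME']
         answers['tags']['asset_type'] = 'UPDATE asset_type'
@@ -49,7 +65,6 @@ def buildDetection(self)->dict[str,Any]:
         answers['tags']['mitre_attack_id'] = [x.strip() for x in answers['mitre_attack_ids'].split(',')]
         answers['tags']['observable'] = [{'name': 'UPDATE', 'type': 'UPDATE', 'role': ['UPDATE']}]
         answers['tags']['product'] = ['Splunk Enterprise','Splunk Enterprise Security','Splunk Cloud']
-        answers['tags']['risk_score'] = 'UPDATE (impact * confidence)/100'
         answers['tags']['security_domain'] = answers['security_domain']
         del answers["security_domain"]
         answers['tags']['cve'] = ['UPDATE WITH CVE(S) IF APPLICABLE']
@@ -60,7 +75,7 @@ def buildDetection(self)->dict[str,Any]:
                 'name': "True Positive Test",
                 'attack_data': [
                     {
-                        'data': "https://github.com/splunk/contentctl/wiki",
+                        'data': "Go to https://github.com/splunk/contentctl/wiki for information about the format of this field",
                         "sourcetype": "UPDATE SOURCETYPE",
                         "source": "UPDATE SOURCE"
                     }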
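Review bot: The membership test added at new line 57 lists "TTP" twice and, on the next line, aliases the class-level list into the per-detection answers dict, so any later in-place edit of `answers['drilldown_searches']` would also mutate `NewContent.DEFAULT_DRILLDOWN_DEF` for every subsequent template; `if answers['type'] in ("TTP", "Correlation", "Anomaly"):` and `answers['drilldown_searches'] = [dict(d) for d in NewContent.DEFAULT_DRILLDOWN_DEF]` avoid both. In the first default drilldown (new line 19) the first observable token is quoted while `$second_observable_name_here$` is not; since the template is meant to be edited before use, a comment above `DEFAULT_DRILLDOWN_DEF` such as `# Placeholder tokens: quote observable values consistently so substituted values are not parsed as SPL` would make the intended form clear to whoever fills it in. `buildDetection` begins in the first hunk but continues past the last one, so the surrounding body is not fully visible here.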
