Merge pull request #243 from splunk/role_enum

pyth0n1c · web-flow · commit 3e4532abe429 · 2024-08-21T13:25:33.000-07:00
New observable role enum
diff --git a/contentctl/objects/constants.py b/contentctl/objects/constants.py
@@ -132,3 +132,8 @@
     "Exfiltration": "TA0010",
     "Impact": "TA0040"
 }
+
+RBA_OBSERVABLE_ROLE_MAPPING = {
+    "Attacker": 0,
+    "Victim": 1
+}
diff --git a/contentctl/objects/observable.py b/contentctl/objects/observable.py
@@ -1,5 +1,5 @@
 from pydantic import BaseModel, field_validator
-from contentctl.objects.constants import SES_OBSERVABLE_TYPE_MAPPING, SES_OBSERVABLE_ROLE_MAPPING
+from contentctl.objects.constants import SES_OBSERVABLE_TYPE_MAPPING, RBA_OBSERVABLE_ROLE_MAPPING
 
 
 class Observable(BaseModel):
@@ -26,10 +26,12 @@ def check_type(cls, v: str):
     def check_roles(cls, v: list[str]):
         if len(v) == 0:
             raise ValueError("Error, at least 1 role must be listed for Observable.")
+        if len(v) > 1:
+            raise ValueError("Error, each Observable can only have one role.")
         for role in v:
-            if role not in SES_OBSERVABLE_ROLE_MAPPING.keys():
+            if role not in RBA_OBSERVABLE_ROLE_MAPPING.keys():
                 raise ValueError(
                     f"Invalid role '{role}' provided for observable.  Valid observable types are "
-                    f"{SES_OBSERVABLE_ROLE_MAPPING.keys()}"
+                    f"{RBA_OBSERVABLE_ROLE_MAPPING.keys()}"
                 )
         return v
diff --git a/contentctl/templates/detections/endpoint/anomalous_usage_of_7zip.yml b/contentctl/templates/detections/endpoint/anomalous_usage_of_7zip.yml
@@ -53,11 +53,11 @@ tags:
   - name: parent_process_name
     type: Process
     role:
-    - Parent Process
+    - Attacker
   - name: process_name
     type: Process
     role:
-    - Child Process
+    - Attacker
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security

Original file line number	Diff line number	Diff line change
`@@ -132,3 +132,8 @@`
`132`	`132`	`"Exfiltration": "TA0010",`
`133`	`133`	`"Impact": "TA0040"`
`134`	`134`	`}`
	`135`	`+`
	`136`	`+RBA_OBSERVABLE_ROLE_MAPPING = {`
	`137`	`+ "Attacker": 0,`
	`138`	`+ "Victim": 1`
	`139`	`+}`