Merge branch 'main' into feature/risk-model-validation

Author: pyth0n1c

.github/ISSUE_TEMPLATE/bug_report.md

@@ -4,6 +4,7 @@ about: Create a report to help us improve contentctl
 title: "[BUG]"
 labels: bug
 assignees: ''
+type: "Bug"
 
 ---
 

.github/ISSUE_TEMPLATE/feature_request.md

@@ -4,7 +4,7 @@ about: Suggest an idea for this project
 title: ''
 labels: enhancement
 assignees: ''
-
+type: "Feature"
 ---
 
 **Is your feature request related to a problem? Please describe.**

.pre-commit-config.yaml

@@ -8,7 +8,7 @@ repos:
       - id: detect-private-key
       - id: forbid-submodules
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.11.0
+    rev: v0.11.2
     hooks:
       - id: ruff
         args: [ --fix ]

contentctl/actions/release_notes.py

@@ -1,10 +1,12 @@
-from contentctl.objects.config import release_notes
-from git import Repo
-import re
-import yaml
 import pathlib
+import re
 from typing import List, Union
 
+import yaml
+from git import Repo
+
+from contentctl.objects.config import release_notes
+
 
 class ReleaseNotes:
     def create_notes(
@@ -171,13 +173,13 @@ def create_notes(
 
     def release_notes(self, config: release_notes) -> None:
         ### Remove hard coded path
-        directories = [
-            "detections/",
-            "stories/",
-            "macros/",
-            "lookups/",
-            "playbooks/",
-            "ssa_detections/",
+        directories: list[pathlib.Path] = [
+            config.path / "detections",
+            config.path / "stories",
+            config.path / "macros",
+            config.path / "lookups",
+            config.path / "playbooks",
+            config.path / "ssa_detections",
         ]
 
         repo = Repo(config.path)
@@ -229,7 +231,7 @@ def release_notes(self, config: release_notes) -> None:
             file_path = pathlib.Path(diff.a_path)
 
             # Check if the file is in the specified directories
-            if any(str(file_path).startswith(directory) for directory in directories):
+            if any(file_path.is_relative_to(directory) for directory in directories):
                 # Check if a file is Modified
                 if diff.change_type == "M":
                     modified_files.append(file_path)

contentctl/input/yml_reader.py

@@ -1,7 +1,8 @@
-from typing import Dict, Any
-import yaml
-import sys
 import pathlib
+import sys
+from typing import Any, Dict
+
+import yaml
 
 
 class YmlReader:
@@ -13,40 +14,44 @@ def load_file(
     ) -> Dict[str, Any]:
         try:
             file_handler = open(file_path, "r", encoding="utf-8")
+        except OSError as exc:
+            print(
+                f"\nThere was an unrecoverable error when opening the file '{file_path}' - we will exit immediately:\n{str(exc)}"
+            )
+            sys.exit(1)
 
             # The following code can help diagnose issues with duplicate keys or
             # poorly-formatted but still "compliant" YML.  This code should be
             # enabled manually for debugging purposes. As such, strictyaml
             # library is intentionally excluded from the contentctl requirements
 
+        try:
             if STRICT_YML_CHECKING:
+                # This is an extra level of verbose parsing that can be
+                # enabled for debugging purpose. It is intentionally done in
+                # addition to the regular yml parsing
                 import strictyaml
 
-                try:
-                    strictyaml.dirty_load(file_handler.read(), allow_flow_style=True)
-                    file_handler.seek(0)
-                except Exception as e:
-                    print(f"Error loading YML file {file_path}: {str(e)}")
-                    sys.exit(1)
-            try:
-                # Ideally we should use
-                # from contentctl.actions.new_content import NewContent
-                # and use NewContent.UPDATE_PREFIX,
-                # but there is a circular dependency right now which makes that difficult.
-                # We have instead hardcoded UPDATE_PREFIX
-                UPDATE_PREFIX = "__UPDATE__"
-                data = file_handler.read()
-                if UPDATE_PREFIX in data:
-                    raise Exception(
-                        f"The file {file_path} contains the value '{UPDATE_PREFIX}'. Please fill out any unpopulated fields as required."
-                    )
-                yml_obj = yaml.load(data, Loader=yaml.CSafeLoader)
-            except yaml.YAMLError as exc:
-                print(exc)
-                sys.exit(1)
-
-        except OSError as exc:
-            print(exc)
+                strictyaml.dirty_load(file_handler.read(), allow_flow_style=True)
+                file_handler.seek(0)
+
+            # Ideally we should use
+            # from contentctl.actions.new_content import NewContent
+            # and use NewContent.UPDATE_PREFIX,
+            # but there is a circular dependency right now which makes that difficult.
+            # We have instead hardcoded UPDATE_PREFIX
+            UPDATE_PREFIX = "__UPDATE__"
+            data = file_handler.read()
+            if UPDATE_PREFIX in data:
+                raise Exception(
+                    f"\nThe file {file_path} contains the value '{UPDATE_PREFIX}'. Please fill out any unpopulated fields as required."
+                )
+            yml_obj = yaml.load(data, Loader=yaml.CSafeLoader)
+
+        except yaml.YAMLError as exc:
+            print(
+                f"\nThere was an unrecoverable YML Parsing error when reading or parsing the file '{file_path}' - we will exit immediately:\n{str(exc)}"
+            )
             sys.exit(1)
 
         if add_fields is False:

contentctl/objects/abstract_security_content_objects/detection_abstract.py

@@ -43,10 +43,11 @@
     DetectionStatus,
     NistCategory,
     ProvidingTechnology,
+    RiskSeverity,
 )
 from contentctl.objects.integration_test import IntegrationTest
 from contentctl.objects.manual_test import ManualTest
-from contentctl.objects.rba import RBAObject
+from contentctl.objects.rba import RBAObject, RiskScoreValue_Type
 from contentctl.objects.security_content_object import SecurityContentObject
 from contentctl.objects.test_group import TestGroup
 from contentctl.objects.unit_test import UnitTest
@@ -66,6 +67,54 @@ class Detection_Abstract(SecurityContentObject):
     how_to_implement: str = Field(..., min_length=4)
     known_false_positives: str = Field(..., min_length=4)
     rba: Optional[RBAObject] = Field(default=None)
+
+    @computed_field
+    @property
+    def risk_score(self) -> RiskScoreValue_Type:
+        # First get the maximum score associated with
+        # a risk object. If there are no objects, then
+        # we should throw an exception.
+        if self.rba is None or len(self.rba.risk_objects) == 0:
+            raise Exception(
+                "There must be at least one Risk Object present to get Severity."
+            )
+        return max([risk_object.score for risk_object in self.rba.risk_objects])
+
+    @computed_field
+    @property
+    def severity(self) -> RiskSeverity:
+        """
+        Severity is required for notables (but not risk objects).
+        In the contentctl codebase, instead of requiring an additional
+        field to be added to the YMLs, we derive the severity from the
+        HIGHEST risk score of any risk object that is part of this detection.
+        However, if a detection does not have a risk object but still has a notable,
+        we will use a default value of high. This only impact Correlation searches. As
+        TTP searches, which also generate notables, must also have risk object(s)
+        """
+        try:
+            risk_score = self.risk_score
+        except Exception:
+            # This object does not have any RBA objects,
+            # hence no disk score is returned. So we will
+            # return the defualt value of high
+            return RiskSeverity.HIGH
+
+        if 0 <= risk_score <= 20:
+            return RiskSeverity.INFORMATIONAL
+        elif 20 < risk_score <= 40:
+            return RiskSeverity.LOW
+        elif 40 < risk_score <= 60:
+            return RiskSeverity.MEDIUM
+        elif 60 < risk_score <= 80:
+            return RiskSeverity.HIGH
+        elif 80 < risk_score <= 100:
+            return RiskSeverity.CRITICAL
+        else:
+            raise Exception(
+                f"Error getting severity - risk_score must be between 0-100, but was actually {self.risk_score}"
+            )
+
     explanation: None | str = Field(
         default=None,
         exclude=True,  # Don't serialize this value when dumping the object
@@ -435,12 +484,10 @@ def serialize_model(self):
             "datamodel": self.datamodel,
             "source": self.source,
             "nes_fields": self.nes_fields,
+            "rba": self.rba or {},
         }
-        if self.rba is not None:
-            model["risk_severity"] = self.rba.severity
-            model["tags"]["risk_score"] = self.rba.risk_score
-        else:
-            model["tags"]["risk_score"] = 0
+        if self.deployment.alert_action.notable:
+            model["risk_severity"] = self.severity
 
         # Only a subset of macro fields are required:
         all_macros: list[dict[str, str | list[str]]] = []

contentctl/objects/rba.py

@@ -4,9 +4,7 @@
 from enum import Enum
 from typing import Annotated, Set
 
-from pydantic import BaseModel, Field, computed_field, model_serializer
-
-from contentctl.objects.enums import RiskSeverity
+from pydantic import BaseModel, Field, model_serializer
 
 RiskScoreValue_Type = Annotated[int, Field(ge=1, le=100)]
 
@@ -108,36 +106,6 @@ class RBAObject(BaseModel, ABC):
     risk_objects: Annotated[Set[RiskObject], Field(min_length=1)]
     threat_objects: Set[ThreatObject]
 
-    @computed_field
-    @property
-    def risk_score(self) -> RiskScoreValue_Type:
-        # First get the maximum score associated with
-        # a risk object. If there are no objects, then
-        # we should throw an exception.
-        if len(self.risk_objects) == 0:
-            raise Exception(
-                "There must be at least one Risk Object present to get Severity."
-            )
-        return max([risk_object.score for risk_object in self.risk_objects])
-
-    @computed_field
-    @property
-    def severity(self) -> RiskSeverity:
-        if 0 <= self.risk_score <= 20:
-            return RiskSeverity.INFORMATIONAL
-        elif 20 < self.risk_score <= 40:
-            return RiskSeverity.LOW
-        elif 40 < self.risk_score <= 60:
-            return RiskSeverity.MEDIUM
-        elif 60 < self.risk_score <= 80:
-            return RiskSeverity.HIGH
-        elif 80 < self.risk_score <= 100:
-            return RiskSeverity.CRITICAL
-        else:
-            raise Exception(
-                f"Error getting severity - risk_score must be between 0-100, but was actually {self.risk_score}"
-            )
-
     @model_serializer
     def serialize_rba(self) -> dict[str, str | list[dict[str, str | int]]]:
         return {

contentctl/output/api_json_output.py

@@ -1,14 +1,15 @@
 from __future__ import annotations
+
 from typing import TYPE_CHECKING
 
 if TYPE_CHECKING:
+    from contentctl.objects.baseline import Baseline
+    from contentctl.objects.deployment import Deployment
     from contentctl.objects.detection import Detection
+    from contentctl.objects.investigation import Investigation
     from contentctl.objects.lookup import Lookup
     from contentctl.objects.macro import Macro
     from contentctl.objects.story import Story
-    from contentctl.objects.baseline import Baseline
-    from contentctl.objects.investigation import Investigation
-    from contentctl.objects.deployment import Deployment
 
 import os
 import pathlib
@@ -42,6 +43,7 @@ def writeDetections(
                         "search",
                         "how_to_implement",
                         "known_false_positives",
+                        "rba",
                         "references",
                         "datamodel",
                         "macros",

contentctl/output/templates/savedsearches_detections.j2

@@ -65,14 +65,10 @@ action.notable.param.nes_fields = {{ detection.nes_fields }}
 action.notable.param.rule_description = {{ detection.deployment.alert_action.notable.rule_description | custom_jinja2_enrichment_filter(detection) | escapeNewlines()}}
 action.notable.param.rule_title = {% if detection.type | lower == "correlation" %}RBA: {{ detection.deployment.alert_action.notable.rule_title | custom_jinja2_enrichment_filter(detection) }}{% else %}{{ detection.deployment.alert_action.notable.rule_title | custom_jinja2_enrichment_filter(detection) }}{% endif +%}
 action.notable.param.security_domain = {{ detection.tags.security_domain }}
-{% if detection.rba %}
-action.notable.param.severity = {{ detection.rba.severity }}
-{% else %}
-{# Correlations do not have detection.rba defined, but should get a default severity #}
-action.notable.param.severity = high 
-{% endif %}
+action.notable.param.severity = {{ detection.severity }}
 {% endif %}
 {% if detection.deployment.alert_action.email %}
+action.email = 1
 action.email.subject.alert = {{ detection.deployment.alert_action.email.subject | custom_jinja2_enrichment_filter(detection) | escapeNewlines() }}
 action.email.to = {{ detection.deployment.alert_action.email.to }}
 action.email.message.alert = {{ detection.deployment.alert_action.email.message | custom_jinja2_enrichment_filter(detection) | escapeNewlines() }}

pyproject.toml

@@ -33,7 +33,7 @@ gitpython = "^3.1.43"
 setuptools = ">=69.5.1,<79.0.0"
 
 [tool.poetry.group.dev.dependencies]
-ruff = "^0.11.0"
+ruff = "^0.11.2"
 
 [build-system]
 requires = ["poetry-core>=1.0.0"]