cleanup; log fixes

cmcginley-splunk · cmcginley-splunk · commit 72c51a4c2487 · 2025-01-16T14:29:06.000-08:00
diff --git a/contentctl/objects/abstract_security_content_objects/detection_abstract.py b/contentctl/objects/abstract_security_content_objects/detection_abstract.py
@@ -279,7 +279,6 @@ def source(self) -> str:
 
     deployment: Deployment = Field({})
 
-    # TODO (cmcginley): @ljstella removing the refs to confidence and impact?
     @computed_field
     @property
     def annotations(self) -> dict[str, Union[List[str], int, str]]:
diff --git a/contentctl/objects/correlation_search.py b/contentctl/objects/correlation_search.py
@@ -31,8 +31,9 @@
 from contentctl.objects.notable_event import NotableEvent
 
 
+# TODO (cmcginley): disable logging
 # Suppress logging by default; enable for local testing
-ENABLE_LOGGING = False
+ENABLE_LOGGING = True
 LOG_LEVEL = logging.DEBUG
 LOG_PATH = "correlation_search.log"
 
@@ -652,15 +653,8 @@ def validate_risk_events(self) -> None:
                 f"Unexpected error: Detection '{self.detection.name}' has no RBA objects associated"
                 " with it; cannot validate."
             )
-        risk_object_counts: dict[str, int] = {str(x): 0 for x in self.detection.rba.risk_objects}
 
-        # NOTE: we intentionally want this to be an error state and not a failure state, as
-        #   ultimately this validation should be handled during the build process
-        if len(self.detection.rba.risk_objects) != len(risk_object_counts):
-            raise ClientError(
-                f"At least two risk objects in '{self.detection.name}' have the same name; "
-                "each risk object for a detection should be unique."
-            )
+        risk_object_counts: dict[int, int] = {id(x): 0 for x in self.detection.rba.risk_objects}
 
         # Get the risk events; note that we use the cached risk events, expecting they were
         # saved by a prior call to risk_event_exists
@@ -681,20 +675,20 @@ def validate_risk_events(self) -> None:
             self.logger.debug(
                 f"Matched risk event (object={event.risk_object}, type={event.risk_object_type}) "
                 f"to detection's risk object (name={matched_risk_object.field}, "
-                f"type={matched_risk_object.type.value} using the source field "
+                f"type={matched_risk_object.type.value}) using the source field "
                 f"'{event.source_field_name}'"
             )
-            risk_object_counts[str(matched_risk_object)] += 1
+            risk_object_counts[id(matched_risk_object)] += 1
 
         # Report any risk objects which did not have at least one match to a risk event
         for risk_object in self.detection.rba.risk_objects:
             self.logger.debug(
                 f"Matched risk object (name={risk_object.field}, type={risk_object.type.value} "
-                f"to {risk_object_counts[str(risk_object)]} risk events."
+                f"to {risk_object_counts[id(risk_object)]} risk events."
             )
-            if risk_object_counts[str(risk_object)] == 0:
+            if risk_object_counts[id(risk_object)] == 0:
                 raise ValidationFailed(
-                    f"Risk object (name={risk_object.field}, type={risk_object.type.value} "
+                    f"Risk object (name={risk_object.field}, type={risk_object.type.value}) "
                     "was not matched to any risk events."
                 )
 
@@ -703,26 +697,26 @@ def validate_risk_events(self) -> None:
         # relevant risk object, and the total count should match the total number of events
         # individual_count: int | None = None
         # total_count = 0
-        # for risk_object_str in risk_object_counts:
+        # for risk_object_id in risk_object_counts:
         #     self.logger.debug(
-        #         f"Risk object <{risk_object_str}> match count: {risk_object_counts[risk_object_str]}"
+        #         f"Risk object <{risk_object_id}> match count: {risk_object_counts[risk_object_id]}"
         #     )
 
         #     # Grab the first value encountered if not set yet
         #     if individual_count is None:
-        #         individual_count = risk_object_counts[risk_object_str]
+        #         individual_count = risk_object_counts[risk_object_id]
         #     else:
         #         # Confirm that the count for the current risk object matches the count of the
         #         # others
-        #         if risk_object_counts[risk_object_str] != individual_count:
+        #         if risk_object_counts[risk_object_id] != individual_count:
         #             raise ValidationFailed(
-        #                 f"Count of risk events matching detection's risk object <\"{risk_object_str}\"> "
-        #                 f"({risk_object_counts[risk_object_str]}) does not match the count of those "
+        #                 f"Count of risk events matching detection's risk object <\"{risk_object_id}\"> "
+        #                 f"({risk_object_counts[risk_object_id]}) does not match the count of those "
         #                 f"matching other risk objects ({individual_count})."
         #             )
 
         #     # Aggregate total count of events matched to risk objects
-        #     total_count += risk_object_counts[risk_object_str]
+        #     total_count += risk_object_counts[risk_object_id]
 
         # # Raise if the the number of events doesn't match the number of those matched to risk
         # # objects
diff --git a/contentctl/objects/detection_tags.py b/contentctl/objects/detection_tags.py
@@ -4,8 +4,6 @@
 from pydantic import (
     BaseModel,
     Field,
-    NonNegativeInt,
-    PositiveInt,
     computed_field,
     UUID4,
     HttpUrl,
@@ -34,14 +32,15 @@
 from contentctl.objects.atomic import AtomicEnrichment, AtomicTest
 from contentctl.objects.annotated_types import MITRE_ATTACK_ID_TYPE, CVE_TYPE
 
+
 class DetectionTags(BaseModel):
     # detection spec
 
     model_config = ConfigDict(validate_default=False, extra='forbid')
     analytic_story: list[Story] = Field(...)
     asset_type: AssetType = Field(...)
     group: list[str] = []
-    
+
     mitre_attack_id: List[MITRE_ATTACK_ID_TYPE] = []
     nist: list[NistCategory] = []
 
@@ -84,7 +83,7 @@ def cis20(self) -> list[Cis18Value]:
 
     # TODO (#268): Validate manual_test has length > 0 if not None
     manual_test: Optional[str] = None
-    
+
     # The following validator is temporarily disabled pending further discussions
     # @validator('message')
     # def validate_message(cls,v,values):
@@ -117,7 +116,6 @@ def cis20(self) -> list[Cis18Value]:
     #         )
     #     return v
 
-    # TODO (cmcginley): @ljstella removing risk_score and severity from serialization?
     @model_serializer
     def serialize_model(self):
         # Since this field has no parent, there is no need to call super() serialization function
diff --git a/contentctl/objects/risk_event.py b/contentctl/objects/risk_event.py
@@ -137,7 +137,7 @@ def validate_analyticstories(self, detection: Detection) -> None:
         if sorted(self.analyticstories) != sorted(detection_analytic_story):
             raise ValidationFailed(
                 f"Analytic stories in risk event ({self.analyticstories}) do not match those"
-                f" in detection ({detection.tags.analytic_story})."
+                f" in detection ({[x.name for x in detection.tags.analytic_story]})."
             )
 
     # TODO (cmcginley): all of this type checking is a good use case (potentially) for subtyping
@@ -160,6 +160,9 @@ def validate_risk_message(self, detection: Detection) -> None:
         field_replacement_pattern = re.compile(r"\$\S+\$")
         tokens = field_replacement_pattern.findall(detection.rba.message)
 
+        # TODO (cmcginley): could expand this to get the field values from the raw events and check
+        #   to see that allexpected strings ARE in the risk message (as opposed to checking only
+        #   that unexpected strings aren't)
         # Check for the presence of each token in the message from the risk event
         for token in tokens:
             if token in self.risk_message:
@@ -249,10 +252,12 @@ def get_matched_risk_object(self, risk_objects: set[RiskObject]) -> RiskObject:
 
             # Try to match the risk_object against a specific risk object
             if self.source_field_name == risk_object.field:
+                # TODO (cmcginley): this should be enforced as part of build validation
                 if matched_risk_object is not None:
                     raise ValueError(
-                        "Unexpected conditon: we don't expect the source event field "
-                        "corresponding to an risk object's field name to be repeated."
+                        "Unexpected conditon: we don't expect multiple risk objects to use the "
+                        "same field name, so we should not be able match the risk event to "
+                        "multiple risk objects."
                     )
 
                 # TODO (cmcginley): risk objects and threat objects are now in separate sets,
