Merge branch 'obs_to_rba' into integration_testing_rba_migration

cmcginley-splunk · cmcginley-splunk · commit 7b8b2ff7d885 · 2025-01-16T14:53:22.000-08:00
diff --git a/.github/workflows/test_against_escu.yml b/.github/workflows/test_against_escu.yml
@@ -35,7 +35,7 @@ jobs:
         with: 
           path: security_content
           repository: splunk/security_content
-          ref: strict_yml_from_rba
+          ref: rba_migration
 
       #Install the given version of Python we will test against
       - name: Install Required Python Version
diff --git a/contentctl/objects/abstract_security_content_objects/detection_abstract.py b/contentctl/objects/abstract_security_content_objects/detection_abstract.py
@@ -36,7 +36,7 @@
 from contentctl.objects.integration_test import IntegrationTest
 from contentctl.objects.data_source import DataSource
 
-from contentctl.objects.rba import rba_object
+from contentctl.objects.rba import RBAObject
 
 from contentctl.objects.base_test_result import TestResultStatus
 from contentctl.objects.drilldown import Drilldown, DRILLDOWN_SEARCH_PLACEHOLDER
@@ -68,7 +68,7 @@ class Detection_Abstract(SecurityContentObject):
     search: str = Field(...)
     how_to_implement: str = Field(..., min_length=4)
     known_false_positives: str = Field(..., min_length=4)
-    rba: Optional[rba_object] = Field(default=None)
+    rba: Optional[RBAObject] = Field(default=None)
     explanation: None | str = Field(
         default=None,
         exclude=True, #Don't serialize this value when dumping the object
diff --git a/contentctl/objects/rba.py b/contentctl/objects/rba.py
@@ -40,25 +40,25 @@ class ThreatObjectType(str, Enum):
     TLS_HASH = "tls_hash"
     URL = "url"
 
-class risk_object(BaseModel):
+class RiskObject(BaseModel):
     field: str
     type: RiskObjectType
     score: RiskScoreValue_Type
 
     def __hash__(self):
         return hash((self.field, self.type, self.score))
 
-class threat_object(BaseModel):
+class ThreatObject(BaseModel):
     field: str
     type: ThreatObjectType
 
     def __hash__(self):
         return hash((self.field, self.type))
 
-class rba_object(BaseModel, ABC):
+class RBAObject(BaseModel, ABC):
     message: str
-    risk_objects: Annotated[Set[risk_object], Field(min_length=1)]
-    threat_objects: Set[threat_object]
+    risk_objects: Annotated[Set[RiskObject], Field(min_length=1)]
+    threat_objects: Set[ThreatObject]
 
     
     
diff --git a/contentctl/templates/detections/endpoint/anomalous_usage_of_7zip.yml b/contentctl/templates/detections/endpoint/anomalous_usage_of_7zip.yml
@@ -58,8 +58,6 @@ tags:
   analytic_story:
   - Cobalt Strike
   asset_type: Endpoint
-  confidence: 80
-  impact: 80
   mitre_attack_id:
   - T1560.001
   - T1560
