initial commit; migrated integration testing to RBA structures; littered code w/ comments for cleanup before merge

Author: cmcginley-splunk

contentctl/actions/detection_testing/infrastructures/DetectionTestingInfrastructure.py

@@ -1094,6 +1094,7 @@ def retry_search_until_timeout(
             job = self.get_conn().search(query=search, **kwargs)
             results = JSONResultsReader(job.results(output_mode="json"))
 
+            # TODO (cmcginley): @ljstella you're removing this ultimately, right?
             # Consolidate a set of the distinct observable field names
             observable_fields_set = set([o.name for o in detection.tags.observable]) # keeping this around for later
             risk_object_fields_set = set([o.name for o in detection.tags.observable if "Victim" in o.role ]) # just the "Risk Objects"
@@ -1121,7 +1122,10 @@ def retry_search_until_timeout(
                     missing_risk_objects = risk_object_fields_set - results_fields_set
                     if len(missing_risk_objects) > 0:
                         # Report a failure in such cases
-                        e = Exception(f"The observable field(s) {missing_risk_objects} are missing in the detection results")
+                        e = Exception(
+                            f"The risk object field(s) {missing_risk_objects} are missing in the "
+                            "detection results"
+                        )
                         test.result.set_job_content(
                             job.content,
                             self.infrastructure,
@@ -1137,6 +1141,8 @@ def retry_search_until_timeout(
                     # on a field.  In this case, the field will appear but will not contain any values
                     current_empty_fields: set[str] = set()
 
+                    # TODO (cmcginley): @ljstella is this something we're keeping for testing as
+                    #   well?
                     for field in observable_fields_set:
                         if result.get(field, 'null') == 'null':
                             if field in risk_object_fields_set:

contentctl/objects/abstract_security_content_objects/detection_abstract.py

@@ -279,6 +279,7 @@ def source(self) -> str:
 
     deployment: Deployment = Field({})
 
+    # TODO (cmcginley): @ljstella removing the refs to confidence and impact?
     @computed_field
     @property
     def annotations(self) -> dict[str, Union[List[str], int, str]]:

contentctl/objects/constants.py

@@ -79,6 +79,7 @@
     "Actions on Objectives": 7
 }
 
+# TODO (cmcginley): @ljstella should this be removed? also referenced in new_content.py
 SES_OBSERVABLE_ROLE_MAPPING = {
     "Other": -1,
     "Unknown": 0,
@@ -93,6 +94,7 @@
     "Observer": 9
 }
 
+# TODO (cmcginley): @ljstella should this be removed? also referenced in new_content.py
 SES_OBSERVABLE_TYPE_MAPPING = {
     "Unknown": 0,
     "Hostname": 1,
@@ -135,6 +137,7 @@
     "Impact": "TA0040"
 }
 
+# TODO (cmcginley): is this just for the transition testing?
 RBA_OBSERVABLE_ROLE_MAPPING = {
     "Attacker": 0,
     "Victim": 1

contentctl/objects/correlation_search.py

@@ -42,13 +42,17 @@ class DetectionTags(BaseModel):
     analytic_story: list[Story] = Field(...)
     asset_type: AssetType = Field(...)
     group: list[str] = []
+
+    # TODO (cmcginley): should confidence, impact and the risk_score property be removed?
     confidence: NonNegativeInt = Field(...,le=100)
     impact: NonNegativeInt = Field(...,le=100)
     @computed_field
     @property
     def risk_score(self) -> int:
         return round((self.confidence * self.impact)/100)
-    
+
+    # TODO (cmcginley): @ljstella what's happening w/ severity, given it's use of the top-level
+    #   risk_score?
     @computed_field
     @property
     def severity(self)->RiskSeverity:
@@ -69,14 +73,14 @@ def severity(self)->RiskSeverity:
     mitre_attack_id: List[MITRE_ATTACK_ID_TYPE] = []
     nist: list[NistCategory] = []
 
+    # TODO (cmcginley): observable should be removed as well, yes?
     # TODO (#249): Add pydantic validator to ensure observables are unique within a detection
     observable: List[Observable] = []
     product: list[SecurityContentProductName] = Field(..., min_length=1)
     throttling: Optional[Throttling] = None
     security_domain: SecurityDomain = Field(...)
     cve: List[CVE_TYPE] = []
     atomic_guid: List[AtomicTest] = []
-    
 
     # enrichment
     mitre_attack_enrichments: List[MitreAttackEnrichment] = Field([], validate_default=True)
@@ -144,6 +148,7 @@ def cis20(self) -> list[Cis18Value]:
     #         )
     #     return v
 
+    # TODO (cmcginley): @ljstella removing risk_score and severity from serialization?
     @model_serializer
     def serialize_model(self):
         # Since this field has no parent, there is no need to call super() serialization function

contentctl/objects/detection_tags.py

@@ -23,6 +23,7 @@ class Drilldown(BaseModel):
                               "but it is NOT the default value and must be supplied explicitly.", 
                               min_length= 1)
 
+    # TODO (cmcginley): @ljstella the drilldowns will need to be updated
     @classmethod
     def constructDrilldownsFromDetection(cls, detection: Detection) -> list[Drilldown]:
         victim_observables = [o for o in detection.tags.observable if o.role[0] == "Victim"] 

contentctl/objects/drilldown.py

@@ -1,6 +1,7 @@
 from pydantic import BaseModel, field_validator, ConfigDict
 from contentctl.objects.constants import SES_OBSERVABLE_TYPE_MAPPING, RBA_OBSERVABLE_ROLE_MAPPING
 
+# TODO (cmcginley): should this class be removed?
 
 class Observable(BaseModel):
     model_config = ConfigDict(extra="forbid")

contentctl/objects/observable.py

@@ -38,6 +38,7 @@ class ThreatObjectType(str, Enum):
     TLS_HASH = "tls_hash"
     URL = "url"
 
+# TODO (cmcginley): class names should be capitalized
 class risk_object(BaseModel):
     field: str
     type: RiskObjectType