Updates to get the names

of Detections, Baselines,
and Investigations/Response Tasks
Properly written to the conf files.

Author: pyth0n1c

contentctl/objects/abstract_security_content_objects/detection_abstract.py

@@ -43,7 +43,8 @@
 from contentctl.objects.constants import (
     ES_MAX_STANZA_LENGTH,
     ES_SEARCH_STANZA_NAME_FORMAT_AFTER_CLONING_IN_PRODUCT_TEMPLATE,
-    CONTENTCTL_MAX_SEARCH_NAME_LENGTH
+    CONTENTCTL_MAX_SEARCH_NAME_LENGTH,
+    CONTENTCTL_DETECTION_STANZA_NAME_FORMAT_TEMPLATE
 )
 
 MISSING_SOURCES: set[str] = set()
@@ -80,6 +81,12 @@ class Detection_Abstract(SecurityContentObject):
 
     data_source_objects: list[DataSource] = []
 
+    def get_conf_stanza_name(self, app:CustomApp)->str:
+        stanza_name = CONTENTCTL_DETECTION_STANZA_NAME_FORMAT_TEMPLATE.format(app_label=app.label, detection_name=self.name)
+        self.check_conf_stanza_max_length(stanza_name)
+        return stanza_name
+    
+
     def get_action_dot_correlationsearch_dot_label(self, app:CustomApp, max_stanza_length:int=ES_MAX_STANZA_LENGTH)->str:
         stanza_name = self.get_conf_stanza_name(app)
         stanza_name_after_saving_in_es = ES_SEARCH_STANZA_NAME_FORMAT_AFTER_CLONING_IN_PRODUCT_TEMPLATE.format(

contentctl/objects/abstract_security_content_objects/security_content_object_abstract.py

@@ -8,7 +8,7 @@
     from contentctl.objects.config import CustomApp
 
 from contentctl.objects.enums import AnalyticsType
-from contentctl.objects.constants import CONTENTCTL_MAX_STANZA_LENGTH, CONTENTCTL_STANZA_NAME_FORMAT_TEMPLATE
+from contentctl.objects.constants import CONTENTCTL_MAX_STANZA_LENGTH
 import abc
 import uuid
 import datetime
@@ -59,12 +59,11 @@ def serialize_model(self):
             "references": [str(url) for url in self.references or []]
         }
 
-    def get_conf_stanza_name(self, app:CustomApp, max_stanza_length:int=CONTENTCTL_MAX_STANZA_LENGTH)->str:
-        stanza_name = CONTENTCTL_STANZA_NAME_FORMAT_TEMPLATE.format(app_label=app.label, detection_name=self.name)
+    
+    def check_conf_stanza_max_length(self, stanza_name:str, max_stanza_length:int=CONTENTCTL_MAX_STANZA_LENGTH) -> None:
         if len(stanza_name) > max_stanza_length:
             raise ValueError(f"conf stanza may only be {max_stanza_length} characters, "
                              f"but stanza was actually {len(stanza_name)} characters: '{stanza_name}' ")
-        return stanza_name
 
     @staticmethod
     def objectListToNameList(objects: list[SecurityContentObject]) -> list[str]:

contentctl/objects/baseline.py

@@ -7,7 +7,10 @@
 from contentctl.objects.enums import DataModel
 from contentctl.objects.baseline_tags import BaselineTags
 
-from contentctl.objects.constants import CONTENTCTL_MAX_SEARCH_NAME_LENGTH
+from contentctl.objects.config import CustomApp
+
+
+from contentctl.objects.constants import CONTENTCTL_MAX_SEARCH_NAME_LENGTH,CONTENTCTL_BASELINE_STANZA_NAME_FORMAT_TEMPLATE
 
 class Baseline(SecurityContentObject):
     name:str = Field(...,max_length=CONTENTCTL_MAX_SEARCH_NAME_LENGTH)
@@ -22,6 +25,11 @@ class Baseline(SecurityContentObject):
     deployment: Deployment = Field({})
 
 
+    def get_conf_stanza_name(self, app:CustomApp)->str:
+        stanza_name = CONTENTCTL_BASELINE_STANZA_NAME_FORMAT_TEMPLATE.format(app_label=app.label, detection_name=self.name)
+        self.check_conf_stanza_max_length(stanza_name)
+        return stanza_name
+
     @field_validator("deployment", mode="before")
     def getDeployment(cls, v:Any, info:ValidationInfo)->Deployment:
         return Deployment.getDeployment(v,info)

contentctl/objects/constants.py

@@ -162,8 +162,11 @@
 # Endpoint - ESCU - Name of Search From YML File - Rule - Rule
 # The math below accounts for all these caveats
 ES_MAX_STANZA_LENGTH = 99
-CONTENTCTL_STANZA_NAME_FORMAT_TEMPLATE = "{app_label} - {detection_name} - Rule"
+CONTENTCTL_DETECTION_STANZA_NAME_FORMAT_TEMPLATE = "{app_label} - {detection_name} - Rule"
+CONTENTCTL_BASELINE_STANZA_NAME_FORMAT_TEMPLATE = "{app_label} - {detection_name}"
+CONTENTCTL_RESPONSE_TASK_NAME_FORMAT_TEMPLATE = "{app_label} - {detection_name} - Response Task"
+
 ES_SEARCH_STANZA_NAME_FORMAT_AFTER_CLONING_IN_PRODUCT_TEMPLATE = "{security_domain_value} - {search_name} - Rule"
 SECURITY_DOMAIN_MAX_LENGTH = max([len(SecurityDomain[value]) for value in SecurityDomain._member_map_])
 CONTENTCTL_MAX_STANZA_LENGTH = ES_MAX_STANZA_LENGTH - len(ES_SEARCH_STANZA_NAME_FORMAT_AFTER_CLONING_IN_PRODUCT_TEMPLATE.format(security_domain_value="X"*SECURITY_DOMAIN_MAX_LENGTH,search_name=""))
-CONTENTCTL_MAX_SEARCH_NAME_LENGTH = CONTENTCTL_MAX_STANZA_LENGTH - len(CONTENTCTL_STANZA_NAME_FORMAT_TEMPLATE.format(app_label="ESCU", detection_name=""))
+CONTENTCTL_MAX_SEARCH_NAME_LENGTH = CONTENTCTL_MAX_STANZA_LENGTH - len(CONTENTCTL_DETECTION_STANZA_NAME_FORMAT_TEMPLATE.format(app_label="ESCU", detection_name=""))

contentctl/objects/investigation.py

@@ -5,8 +5,12 @@
 from contentctl.objects.security_content_object import SecurityContentObject
 from contentctl.objects.enums import DataModel
 from contentctl.objects.investigation_tags import InvestigationTags
-
-from contentctl.objects.constants import CONTENTCTL_MAX_SEARCH_NAME_LENGTH
+from contentctl.objects.constants import (
+    CONTENTCTL_MAX_SEARCH_NAME_LENGTH,
+    CONTENTCTL_RESPONSE_TASK_NAME_FORMAT_TEMPLATE,
+    CONTENTCTL_MAX_STANZA_LENGTH
+)
+from contentctl.objects.config import CustomApp
 
 # TODO (#266): disable the use_enum_values configuration
 class Investigation(SecurityContentObject):
@@ -39,6 +43,16 @@ def inputs(self)->List[str]:
     def lowercase_name(self)->str:
         return self.name.replace(' ', '_').replace('-','_').replace('.','_').replace('/','_').lower().replace(' ', '_').replace('-','_').replace('.','_').replace('/','_').lower()
 
+    
+    # This is a slightly modified version of the get_conf_stanza_name function from
+    # SecurityContentObject_Abstract
+    def get_response_task_name(self, app:CustomApp, max_stanza_length:int=CONTENTCTL_MAX_STANZA_LENGTH)->str:
+        stanza_name = CONTENTCTL_RESPONSE_TASK_NAME_FORMAT_TEMPLATE.format(app_label=app.label, detection_name=self.name)
+        if len(stanza_name) > max_stanza_length:
+            raise ValueError(f"conf stanza may only be {max_stanza_length} characters, "
+                             f"but stanza was actually {len(stanza_name)} characters: '{stanza_name}' ")
+        return stanza_name
+    
 
     @model_serializer
     def serialize_model(self):
@@ -69,6 +83,3 @@ def model_post_init(self, ctx:dict[str,Any]):
         # back to itself
         for story in self.tags.analytic_story:
             story.investigations.append(self)
-    
-
-    

contentctl/objects/story.py

@@ -8,26 +8,14 @@
     from contentctl.objects.investigation import Investigation
     from contentctl.objects.baseline import Baseline
     from contentctl.objects.data_source import DataSource
+    from contentctl.objects.config import CustomApp
 
 from contentctl.objects.security_content_object import SecurityContentObject
 
-
-
-
-
-#from contentctl.objects.investigation import Investigation
-
-
-
 class Story(SecurityContentObject):
     narrative: str = Field(...)
     tags: StoryTags = Field(...)
 
-    # enrichments
-    #detection_names: List[str] = []
-    #investigation_names: List[str] = []
-    #baseline_names: List[str] = []
-
     # These are updated when detection and investigation objects are created.
     # Specifically in the model_post_init functions
     detections:List[Detection] = []
@@ -46,9 +34,9 @@ def data_sources(self)-> list[DataSource]:
         return sorted(list(data_source_objects))
 
 
-    def storyAndInvestigationNamesWithApp(self, app_name:str)->List[str]:
-        return [f"{app_name} - {name} - Rule" for name in self.detection_names] + \
-               [f"{app_name} - {name} - Response Task" for name in self.investigation_names]
+    def storyAndInvestigationNamesWithApp(self, app:CustomApp)->List[str]:
+        return [detection.get_conf_stanza_name(app) for detection in self.detections] + \
+               [investigation.get_response_task_name(app) for investigation in self.investigations]
 
     @model_serializer
     def serialize_model(self):

contentctl/output/templates/analyticstories_investigations.j2

@@ -1,13 +1,13 @@
 
 ### RESPONSE TASKS ###
 
-{% for detection in objects %}
-{% if (detection.type == 'Investigation') %}
-[savedsearch://{{ detection.get_conf_stanza_name(app) }}]
+{% for investigation in objects %}
+{% if (investigation.type == 'Investigation') %}
+[savedsearch://{{ investigation.get_response_task_name(app) }}]
 type = investigation
 explanation = none
-{% if detection.how_to_implement is defined %}
-how_to_implement = {{ detection.how_to_implement | escapeNewlines() }}
+{% if investigation.how_to_implement is defined %}
+how_to_implement = {{ investigation.how_to_implement | escapeNewlines() }}
 {% else %}
 how_to_implement = none
 {% endif %}

contentctl/output/templates/analyticstories_stories.j2

@@ -10,7 +10,7 @@ version = {{ story.version }}
 references = {{ story.getReferencesListForJson() | tojson }}
 maintainers = [{"company": "{{ story.author_company }}", "email": "{{ story.author_email }}", "name": "{{ story.author_name }}"}]
 spec_version = 3
-searches = {{ story.storyAndInvestigationNamesWithApp(app.label) | tojson }}
+searches = {{ story.storyAndInvestigationNamesWithApp(app) | tojson }}
 description = {{ story.description | escapeNewlines() }}
 {% if story.narrative is defined %}
 narrative = {{ story.narrative | escapeNewlines() }}

contentctl/output/templates/savedsearches_investigations.j2

@@ -5,7 +5,7 @@
 {% for detection in objects %}
 {% if (detection.type == 'Investigation') %}
 {% if detection.search is defined %}
-[{{ detection.get_conf_stanza_name(app) }}]
+[{{ detection.get_response_task_name(app) }}]
 action.escu = 0
 action.escu.enabled = 1
 action.escu.search_type = investigative