@@ -19,16 +19,21 @@ def buildDetection(self)->dict[str,Any]:
1919 answers = questionary .prompt (questions )
2020 answers .update (answers )
2121 answers ['name' ] = answers ['detection_name' ]
22+ del answers ['detection_name' ]
2223 answers ['id' ] = str (uuid .uuid4 ())
2324 answers ['version' ] = 1
2425 answers ['date' ] = datetime .today ().strftime ('%Y-%m-%d' )
2526 answers ['author' ] = answers ['detection_author' ]
27+ del answers ['detection_author' ]
2628 answers ['data_source' ] = answers ['data_source' ]
2729 answers ['type' ] = answers ['detection_type' ]
30+ del answers ['detection_type' ]
2831 answers ['status' ] = "production" #start everything as production since that's what we INTEND the content to become
2932 answers ['description' ] = 'UPDATE_DESCRIPTION'
3033 file_name = answers ['name' ].replace (' ' , '_' ).replace ('-' ,'_' ).replace ('.' ,'_' ).replace ('/' ,'_' ).lower ()
34+ answers ['kind' ] = answers ['detection_kind' ]
3135 answers ['search' ] = answers ['detection_search' ] + ' | `' + file_name + '_filter`'
36+ del answers ['detection_search' ]
3237 answers ['how_to_implement' ] = 'UPDATE_HOW_TO_IMPLEMENT'
3338 answers ['known_false_positives' ] = 'UPDATE_KNOWN_FALSE_POSITIVES'
3439 answers ['references' ] = ['REFERENCE' ]
@@ -52,7 +57,7 @@ def buildDetection(self)->dict[str,Any]:
5257 'name' : "True Positive Test" ,
5358 'attack_data' : [
5459 {
55- 'data' : "Enter URL for Dataset Here. This may also be a relative or absolute path on your local system for testing. " ,
60+ 'data' : "https://github.com/splunk/contentctl/wiki " ,
5661 "sourcetype" : "UPDATE SOURCETYPE" ,
5762 "source" : "UPDATE SOURCE"
5863 }
@@ -65,32 +70,35 @@ def buildStory(self)->dict[str,Any]:
6570 questions = NewContentQuestions .get_questions_story ()
6671 answers = questionary .prompt (questions )
6772 answers ['name' ] = answers ['story_name' ]
73+ del answers ['story_name' ]
6874 answers ['id' ] = str (uuid .uuid4 ())
6975 answers ['version' ] = 1
7076 answers ['date' ] = datetime .today ().strftime ('%Y-%m-%d' )
7177 answers ['author' ] = answers ['story_author' ]
78+ del answers ['story_author' ]
7279 answers ['description' ] = 'UPDATE_DESCRIPTION'
7380 answers ['narrative' ] = 'UPDATE_NARRATIVE'
7481 answers ['references' ] = []
7582 answers ['tags' ] = dict ()
76- answers ['tags' ]['analytic_story' ] = answers ['name' ]
7783 answers ['tags' ]['category' ] = answers ['category' ]
84+ del answers ['category' ]
7885 answers ['tags' ]['product' ] = ['Splunk Enterprise' ,'Splunk Enterprise Security' ,'Splunk Cloud' ]
7986 answers ['tags' ]['usecase' ] = answers ['usecase' ]
87+ del answers ['usecase' ]
8088 answers ['tags' ]['cve' ] = ['UPDATE WITH CVE(S) IF APPLICABLE' ]
8189 return answers
8290
8391
8492 def execute (self , input_dto : new ) -> None :
8593 if input_dto .type == NewContentType .detection :
8694 content_dict = self .buildDetection ()
87- subdirectory = pathlib .Path ('detections' ) / content_dict .get ( 'type '
95+ subdirectory = pathlib .Path ('detections' ) / content_dict .pop ( 'detection_kind '
8896 elif input_dto .type == NewContentType .story :
8997 content_dict = self .buildStory ()
9098 subdirectory = pathlib .Path ('stories' )
9199 else :
92100 raise Exception (f"Unsupported new content type: [{ input_dto .type } )
93-
101+
94102 full_output_path = input_dto .path / subdirectory / SecurityContentObject_Abstract .contentNameToFileName (content_dict .get ('name' ))
95103 YmlWriter .writeYmlFile (str (full_output_path ), content_dict )
96104
0 commit comments