Merge pull request #213 from splunk/fix_name_length

Fix name length

Author: pyth0n1c

contentctl/objects/abstract_security_content_objects/detection_abstract.py

@@ -20,7 +20,8 @@
 if TYPE_CHECKING:
     from contentctl.input.director import DirectorOutputDto
     from contentctl.objects.baseline import Baseline
-
+    from contentctl.objects.config import CustomApp
+    
 from contentctl.objects.security_content_object import SecurityContentObject
 from contentctl.objects.enums import AnalyticsType
 from contentctl.objects.enums import DataModel
@@ -36,7 +37,6 @@
 from contentctl.objects.data_source import DataSource
 from contentctl.objects.base_test_result import TestResultStatus
 
-# from contentctl.objects.playbook import Playbook
 from contentctl.objects.enums import ProvidingTechnology
 from contentctl.enrichments.cve_enrichment import CveEnrichmentObj
 import datetime
@@ -51,8 +51,8 @@
 # TODO (#266): disable the use_enum_values configuration
 class Detection_Abstract(SecurityContentObject):
     model_config = ConfigDict(use_enum_values=True)
-
-    # contentType: SecurityContentType = SecurityContentType.detections
+    name:str = Field(...,max_length=67)
+    #contentType: SecurityContentType = SecurityContentType.detections
     type: AnalyticsType = Field(...)
     status: DetectionStatus = Field(...)
     data_source: list[str] = []
@@ -70,10 +70,31 @@ class Detection_Abstract(SecurityContentObject):
     # https://github.com/pydantic/pydantic/issues/9101#issuecomment-2019032541
     tests: List[Annotated[Union[UnitTest, IntegrationTest, ManualTest], Field(union_mode='left_to_right')]] = []
     # A list of groups of tests, relying on the same data
-    test_groups: Union[list[TestGroup], None] = Field(None, validate_default=True)
+    test_groups: list[TestGroup] = []
 
     data_source_objects: list[DataSource] = []
 
+    def get_action_dot_correlationsearch_dot_label(self, app:CustomApp, max_stanza_length:int=99)->str:
+        label = self.get_conf_stanza_name(app)
+        label_after_saving_in_product = f"{self.tags.security_domain.value} - {label} - Rule"
+    
+        if len(label_after_saving_in_product) > max_stanza_length:
+            raise ValueError(f"label may only be {max_stanza_length} characters to allow updating in-product, "
+                             f"but stanza was actually {len(label_after_saving_in_product)} characters: '{label_after_saving_in_product}' ")
+        
+        return label
+    
+    def get_conf_stanza_name(self, app:CustomApp, max_stanza_length:int=81)->str:
+        stanza_name = f"{app.label} - {self.name} - Rule"
+        if len(stanza_name) > max_stanza_length:
+            raise ValueError(f"conf stanza may only be {max_stanza_length} characters, "
+                             f"but stanza was actually {len(stanza_name)} characters: '{stanza_name}' ")
+        #print(f"Stanza            Length[{len(stanza_name)}]")
+        return stanza_name
+    
+        
+    
+
     @field_validator("search", mode="before")
     @classmethod
     def validate_presence_of_filter_macro(cls, value:str, info:ValidationInfo)->str:
@@ -515,7 +536,7 @@ def model_post_init(self, __context: Any) -> None:
         self.data_source_objects = matched_data_sources
 
         for story in self.tags.analytic_story:
-            story.detections.append(self)
+            story.detections.append(self)     
 
         self.cve_enrichment_func(__context)
 

contentctl/objects/abstract_security_content_objects/security_content_object_abstract.py

@@ -31,14 +31,14 @@
 
 # TODO (#266): disable the use_enum_values configuration
 class SecurityContentObject_Abstract(BaseModel, abc.ABC):
-    model_config = ConfigDict(use_enum_values=True, validate_default=True)
-
-    name: str = Field(...)
-    author: str = Field("Content Author", max_length=255)
-    date: datetime.date = Field(datetime.date.today())
-    version: NonNegativeInt = 1
-    id: uuid.UUID = Field(default_factory=uuid.uuid4)  # we set a default here until all content has a uuid
-    description: str = Field("Enter Description Here", max_length=10000)
+    model_config = ConfigDict(use_enum_values=True,validate_default=True)
+    
+    name: str = Field(...,max_length=99)
+    author: str = Field(...,max_length=255)
+    date: datetime.date = Field(...)
+    version: NonNegativeInt = Field(...)
+    id: uuid.UUID = Field(...) #we set a default here until all content has a uuid
+    description: str = Field(...,max_length=10000)
     file_path: Optional[FilePath] = None
     references: Optional[List[HttpUrl]] = None
 

contentctl/objects/baseline.py

@@ -6,6 +6,7 @@
 from contentctl.objects.security_content_object import SecurityContentObject
 from contentctl.objects.enums import DataModel
 from contentctl.objects.baseline_tags import BaselineTags
+from contentctl.objects.config import CustomApp
 #from contentctl.objects.deployment import Deployment
 
 # from typing import TYPE_CHECKING
@@ -14,6 +15,7 @@
 
 
 class Baseline(SecurityContentObject):
+    name:str = Field(...,max_length=67)
     type: Annotated[str,Field(pattern="^Baseline$")] = Field(...)
     datamodel: Optional[List[DataModel]] = None
     search: str = Field(..., min_length=4)
@@ -23,6 +25,15 @@ class Baseline(SecurityContentObject):
 
     # enrichment
     deployment: Deployment = Field({})
+    
+    def get_conf_stanza_name(self, app:CustomApp, max_stanza_length:int=81)->str:
+        stanza_name = f"{app.label} - {self.name}"
+        if len(stanza_name) > max_stanza_length:
+            raise ValueError(f"conf stanza may only be {max_stanza_length} characters, "
+                             f"but stanza was actually {len(stanza_name)} characters: '{stanza_name}' ")
+        #print(f"Stanza            Length[{len(stanza_name)}]")
+        return stanza_name
+    
 
     @field_validator("deployment", mode="before")
     def getDeployment(cls, v:Any, info:ValidationInfo)->Deployment:

contentctl/objects/deployment.py

@@ -1,7 +1,8 @@
 from __future__ import annotations
-from pydantic import Field, computed_field, model_validator,ValidationInfo, model_serializer
-from typing import Optional,Any
-
+from pydantic import Field, computed_field,ValidationInfo, model_serializer, NonNegativeInt
+from typing import Any
+import uuid
+import datetime
 from contentctl.objects.security_content_object import SecurityContentObject
 from contentctl.objects.deployment_scheduling import DeploymentScheduling
 from contentctl.objects.alert_action import AlertAction
@@ -15,17 +16,22 @@ class Deployment(SecurityContentObject):
     #author: str = None
     #description: str = None
     #contentType: SecurityContentType = SecurityContentType.deployments
+    
+    
     scheduling: DeploymentScheduling = Field(...)
     alert_action: AlertAction = AlertAction()
     type: DeploymentType = Field(...)
+    author: str = Field(...,max_length=255)
+    version: NonNegativeInt = 1
 
     #Type was the only tag exposed and should likely be removed/refactored.
     #For transitional reasons, provide this as a computed_field in prep for removal
     @computed_field
     @property
     def tags(self)->dict[str,DeploymentType]:
         return {"type": self.type}
-    
+
+        
     @staticmethod
     def getDeployment(v:dict[str,Any], info:ValidationInfo)->Deployment:
         if v != {}:
@@ -36,8 +42,17 @@ def getDeployment(v:dict[str,Any], info:ValidationInfo)->Deployment:
             detection_name = info.data.get("name", None)
             if detection_name is None:
                 raise ValueError("Could not create inline deployment - Baseline or Detection lacking 'name' field,")
+
+            # Add a number of static values            
+            v.update({
+              'name': f"{detection_name} - Inline Deployment",
+              'id':uuid.uuid4(),
+              'date': datetime.date.today(),
+              'description': "Inline deployment created at runtime.",
+              'author': "contentctl tool"
+            })
+
 
-            v['name'] = f"{detection_name} - Inline Deployment"
             # This constructs a temporary in-memory deployment,
             # allowing the deployment to be easily defined in the 
             # detection on a per detection basis.

contentctl/objects/investigation.py

@@ -5,14 +5,14 @@
 from contentctl.objects.security_content_object import SecurityContentObject
 from contentctl.objects.enums import DataModel
 from contentctl.objects.investigation_tags import InvestigationTags
-
+from contentctl.objects.config import CustomApp
 
 # TODO (#266): disable the use_enum_values configuration
 class Investigation(SecurityContentObject):
     model_config = ConfigDict(use_enum_values=True,validate_default=False)
     type: str = Field(...,pattern="^Investigation$")
     datamodel: list[DataModel] = Field(...)
-    
+    name:str = Field(...,max_length=67)
     search: str = Field(...)
     how_to_implement: str = Field(...)
     known_false_positives: str = Field(...)
@@ -69,5 +69,13 @@ def model_post_init(self, ctx:dict[str,Any]):
         for story in self.tags.analytic_story:
             story.investigations.append(self)
 
+    def get_conf_stanza_name(self, app:CustomApp, max_stanza_length:int=81)->str:
+        stanza_name = f"{app.label} - {self.name} - Response Task"
+        if len(stanza_name) > max_stanza_length:
+            raise ValueError(f"conf stanza may only be {max_stanza_length} characters, "
+                             f"but stanza was actually {len(stanza_name)} characters: '{stanza_name}' ")
+        #print(f"Stanza            Length[{len(stanza_name)}]")
+        return stanza_name
+    
 
 

contentctl/objects/lookup.py

@@ -1,8 +1,10 @@
 from __future__ import annotations
-from pydantic import field_validator, ValidationInfo, model_validator, FilePath, model_serializer
+from pydantic import field_validator, ValidationInfo, model_validator, FilePath, model_serializer, Field, NonNegativeInt
 from typing import TYPE_CHECKING, Optional, Any, Union
 import re
 import csv
+import uuid
+import datetime
 if TYPE_CHECKING:
     from contentctl.input.director import DirectorOutputDto
     from contentctl.objects.config import validate
@@ -32,6 +34,11 @@ class Lookup(SecurityContentObject):
     match_type: Optional[str] = None
     min_matches: Optional[int] = None
     case_sensitive_match: Optional[bool] = None
+    # TODO: Add id field to all lookup ymls
+    id: uuid.UUID = Field(default_factory=uuid.uuid4) 
+    date: datetime.date = Field(datetime.date.today())
+    author: str = Field("NO AUTHOR DEFINED",max_length=255)
+    version: NonNegativeInt = 1
 
 
     @model_serializer

contentctl/objects/macro.py

@@ -3,7 +3,9 @@
 from __future__ import annotations
 from typing import TYPE_CHECKING, List
 import re
-from pydantic import Field, model_serializer
+from pydantic import Field, model_serializer, NonNegativeInt
+import uuid
+import datetime
 if TYPE_CHECKING:
     from contentctl.input.director import DirectorOutputDto
 from contentctl.objects.security_content_object import SecurityContentObject
@@ -22,7 +24,11 @@
 class Macro(SecurityContentObject):
     definition: str = Field(..., min_length=1)
     arguments: List[str] = Field([])
-    
+    # TODO: Add id field to all macro ymls
+    id: uuid.UUID = Field(default_factory=uuid.uuid4)
+    date: datetime.date = Field(datetime.date.today())
+    author: str = Field("NO AUTHOR DEFINED",max_length=255)
+    version: NonNegativeInt = 1
 
 
 

contentctl/output/templates/analyticstories_detections.j2

@@ -3,7 +3,7 @@
 
 {% for detection in objects %}
 {% if (detection.type == 'TTP' or detection.type == 'Anomaly' or detection.type == 'Hunting' or detection.type == 'Correlation') %}
-[savedsearch://{{app.label}} - {{ detection.name }} - Rule]
+[savedsearch://{{ detection.get_conf_stanza_name(app) }}]
 type = detection
 asset_type = {{ detection.tags.asset_type.value }}
 confidence = medium

contentctl/output/templates/analyticstories_investigations.j2

@@ -3,7 +3,7 @@
 
 {% for detection in objects %}
 {% if (detection.type == 'Investigation') %}
-[savedsearch://{{app.label}} - {{ detection.name }} - Response Task]
+[savedsearch://{{ detection.get_conf_stanza_name(app) }}]
 type = investigation
 explanation = none
 {% if detection.how_to_implement is defined %}

contentctl/output/templates/savedsearches_baselines.j2

@@ -4,11 +4,10 @@
 
 {% for detection in objects %}
 {% if (detection.type == 'Baseline') %}
-[{{app.label}} - {{ detection.name }}]
+[{{ detection.get_conf_stanza_name(app) }}]
 action.escu = 0
 action.escu.enabled = 1
 action.escu.search_type = support
-action.escu.full_search_name = {{app.label}} - {{ detection.name }}
 description = {{ detection.description | escapeNewlines() }}
 action.escu.creation_date = {{ detection.date }}
 action.escu.modification_date = {{ detection.date }}