Merge pull request #162 from splunk/init_update

fleshing out init dirs
splunk · Jun 12, 2024 · d94aa7b · d94aa7b
2 parents 1b7470c + 86088c8
commit d94aa7b
Show file tree

Hide file tree

Showing 9 changed files with 15 additions and 10 deletions.
diff --git a/contentctl/actions/new_content.py b/contentctl/actions/new_content.py
@@ -19,16 +19,21 @@ def buildDetection(self)->dict[str,Any]:
         answers = questionary.prompt(questions)
         answers.update(answers)
         answers['name'] = answers['detection_name']
+        del answers['detection_name']
         answers['id'] = str(uuid.uuid4())
         answers['version'] = 1
         answers['date'] = datetime.today().strftime('%Y-%m-%d')
         answers['author'] = answers['detection_author']
+        del answers['detection_author']
         answers['data_source'] = answers['data_source']
         answers['type'] = answers['detection_type']
+        del answers['detection_type']
         answers['status'] = "production" #start everything as production since that's what we INTEND the content to become   
         answers['description'] = 'UPDATE_DESCRIPTION'   
         file_name = answers['name'].replace(' ', '_').replace('-','_').replace('.','_').replace('/','_').lower()
+        answers['kind'] = answers['detection_kind']
         answers['search'] = answers['detection_search'] + ' | `' + file_name + '_filter`'
+        del answers['detection_search']
         answers['how_to_implement'] = 'UPDATE_HOW_TO_IMPLEMENT'
         answers['known_false_positives'] = 'UPDATE_KNOWN_FALSE_POSITIVES'            
         answers['references'] = ['REFERENCE']
@@ -52,7 +57,7 @@ def buildDetection(self)->dict[str,Any]:
                 'name': "True Positive Test",
                 'attack_data': [ 
                     {
-                    'data': "Enter URL for Dataset Here.  This may also be a relative or absolute path on your local system for testing.",
+                    'data': "https://github.com/splunk/contentctl/wiki",
                     "sourcetype": "UPDATE SOURCETYPE",
                     "source": "UPDATE SOURCE"
                     }
@@ -65,32 +70,35 @@ def buildStory(self)->dict[str,Any]:
         questions = NewContentQuestions.get_questions_story()
         answers = questionary.prompt(questions)
         answers['name'] = answers['story_name']
+        del answers['story_name']
         answers['id'] = str(uuid.uuid4())
         answers['version'] = 1
         answers['date'] = datetime.today().strftime('%Y-%m-%d')
         answers['author'] = answers['story_author']
+        del answers['story_author']
         answers['description'] = 'UPDATE_DESCRIPTION'
         answers['narrative'] = 'UPDATE_NARRATIVE'
         answers['references'] = []
         answers['tags'] = dict()
-        answers['tags']['analytic_story'] = answers['name']
         answers['tags']['category'] = answers['category']
+        del answers['category']
         answers['tags']['product'] = ['Splunk Enterprise','Splunk Enterprise Security','Splunk Cloud']
         answers['tags']['usecase'] = answers['usecase']
+        del answers['usecase']
         answers['tags']['cve'] = ['UPDATE WITH CVE(S) IF APPLICABLE']
         return answers
 
 
     def execute(self, input_dto: new) -> None:
         if input_dto.type == NewContentType.detection:
             content_dict = self.buildDetection()
-            subdirectory = pathlib.Path('detections') / content_dict.get('type')
+            subdirectory = pathlib.Path('detections') / content_dict.pop('detection_kind')
         elif input_dto.type == NewContentType.story:
             content_dict = self.buildStory()
             subdirectory = pathlib.Path('stories')
         else:
             raise Exception(f"Unsupported new content type: [{input_dto.type}]")
-    
+
         full_output_path = input_dto.path / subdirectory / SecurityContentObject_Abstract.contentNameToFileName(content_dict.get('name'))
         YmlWriter.writeYmlFile(str(full_output_path), content_dict)
 

diff --git a/contentctl/input/new_content_questions.py b/contentctl/input/new_content_questions.py
@@ -27,11 +27,6 @@ def get_questions_detection(self) -> list:
                 'message': 'enter author name',
                 'name': 'detection_author',
             },
-            {
-                "type": "text",
-                "message": "enter author name",
-                "name": "detection_author",
-            },
             {
                 "type": "select",
                 "message": "select a detection type",

diff --git a/contentctl/objects/story_tags.py b/contentctl/objects/story_tags.py
@@ -14,6 +14,8 @@ class StoryUseCase(str,Enum):
    APPLICATION_SECURITY = "Application Security"
    SECURITY_MONITORING = "Security Monitoring"
    ADVANCED_THREAD_DETECTION = "Advanced Threat Detection"
+   INSIDER_THREAT = "Insider Threat"
+   OTHER = "Other"
 
 class StoryTags(BaseModel):
    model_config = ConfigDict(extra='forbid', use_enum_values=True)

diff --git a/contentctl/templates/detections/application/.gitkeep b/contentctl/templates/detections/application/.gitkeep
diff --git a/contentctl/templates/detections/cloud/.gitkeep b/contentctl/templates/detections/cloud/.gitkeep
diff --git a/...es/detections/anomalous_usage_of_7zip.yml → ...ions/endpoint/anomalous_usage_of_7zip.yml b/...es/detections/anomalous_usage_of_7zip.yml → ...ions/endpoint/anomalous_usage_of_7zip.yml
diff --git a/contentctl/templates/detections/network/.gitkeep b/contentctl/templates/detections/network/.gitkeep
diff --git a/contentctl/templates/detections/web/.gitkeep b/contentctl/templates/detections/web/.gitkeep
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "contentctl"
-version = "4.0.4"
+version = "4.0.5"
 description = "Splunk Content Control Tool"
 authors = ["STRT <research@splunk.com>"]
 license = "Apache 2.0"