From 390c3727bf83b5af3e50e4ed4434b542a7d8629f Mon Sep 17 00:00:00 2001
From: Casey McGinley
Date: Mon, 9 Dec 2024 09:36:53 -0800
Subject: [PATCH] updating TODOs, updating query
---
 .../objects/content_versioning_service.py | 24 +++----------------
 contentctl/objects/correlation_search.py | 2 +-
 2 files changed, 4 insertions(+), 22 deletions(-)
diff --git a/contentctl/objects/content_versioning_service.py b/contentctl/objects/content_versioning_service.py
index 34534731..84ca7a3e 100644
--- a/contentctl/objects/content_versioning_service.py
+++ b/contentctl/objects/content_versioning_service.py
@@ -16,15 +16,6 @@ from contentctl.objects.correlation_search import ResultIterator from contentctl.helper.utils import Utils
-# TODO (cmcginley):
-# - [x] version naming scheme seems to have changed from X - X to X.X
-# - [x] sourcetype no longer holds detection name but instead is stash_common_detection_model
-# - [x] action.escu.full_search_name no longer available
-# - [x] check to see if we can get "name"
-# - [ ] move strings to enums
-# - [x] additionally, timeout for cms_parser seems to need more time
-# - [ ] validate multi-line fields -> search, description, action.notable.param.rule_description,
-#   action.notable.param.drilldown_searches # TODO (cmcginley): suppress logging # Suppress logging by default; enable for local testing
@@ -310,8 +301,8 @@ def _query_cms_main(self, use_cache: bool = False) -> splunklib.Job: # Construct the query looking for CMS events matching the content app name query = (
- f"search index=cms_main app_name=\"{self.global_config.app.appid}\" | "
- f"fields {', '.join(self.cms_fields)}"
+ f"search index=cms_main sourcetype=stash_common_detection_model "
+ f"app_name=\"{self.global_config.app.appid}\" | fields {', '.join(self.cms_fields)}" ) self.logger.debug(f"[{self.infrastructure.instance_name}] Query on cms_main: {query}")
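Review bot: On the new `app_name=\"{self.global_config.app.appid}\"` line the app id is still interpolated straight into the SPL string, so a value containing `"` or `|` would rewrite the search rather than fail; it presumably comes from validated config, but an explicit allowlist before `query = (`, e.g. `if not re.fullmatch(r"[A-Za-z0-9_.-]+", self.global_config.app.appid): raise ValueError(f"unsafe appid: {self.global_config.app.appid!r}")`, would make that assumption visible at the point of use. The added `sourcetype=stash_common_detection_model` filter is now the only thing enforcing the sourcetype, because the per-event check in `validate_detection_against_cms_event` is deleted later in this same patch; a comment above `query = (` such as `# sourcetype filter stands in for the per-event sourcetype check that validate_detection_against_cms_event no longer performs` would record that dependency for the next reader. If `use_cache` can return a job created with the previous, unfiltered query, its results would bypass the new filter — I cannot see the caching logic from here, so worth confirming. The body of `_query_cms_main` begins before this hunk.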
@@ -503,7 +494,7 @@ def validate_detection_against_cms_event( :return: The generated exception, or None :rtype: Exception | None """
- # TODO (cmcginley): validate additional fields between the cms_event and the detection
+ # TODO (PEX-509): validate additional fields between the cms_event and the detection cms_uuid = uuid.UUID(cms_event["detection_id"]) rule_name_from_detection = f"{self.global_config.app.label} - {detection.name} - Rule"
@@ -535,14 +526,5 @@ def validate_detection_against_cms_event( ) self.logger.error(msg) return Exception(msg)
- elif cms_event["sourcetype"] != "stash_common_detection_model":
- # Compare the full search name
- msg = (
- f"[{self.infrastructure.instance_name}] [{detection.name}]: Unexpected sourcetype "
- f"in cms_event ('{cms_event[f'sourcetype']}'); expected "
- "'stash_common_detection_model'"
- )
- self.logger.error(msg)
- return Exception(msg) return None
diff --git a/contentctl/objects/correlation_search.py b/contentctl/objects/correlation_search.py
index 6328a6f5..6f819d1a 100644
--- a/contentctl/objects/correlation_search.py
+++ b/contentctl/objects/correlation_search.py
@@ -131,7 +131,7 @@ def __next__(self) -> dict[str, Any]: if isinstance(result, Message): # convert level string to level int level_name: str = result.type.strip().upper() # type: ignore
- # TODO (cmcginley): this method is deprecated; replace with our own enum
+ # TODO (PEX-510): this method is deprecated; replace with our own enum level: int = logging.getLevelName(level_name) # log message at appropriate level and raise if needed