Skip to content

Update RBA API Output#379

Closed
pyth0n1c wants to merge 1 commit intomainfrom
update_json_objects
Closed

Update RBA API Output#379
pyth0n1c wants to merge 1 commit intomainfrom
update_json_objects

Conversation

@pyth0n1c
Copy link
Contributor

@pyth0n1c pyth0n1c commented Mar 8, 2025

Make sure that relevant/required fields are included in the detections.json API object

@pyth0n1c
Ensure proper presence
bc1d0ec 
of fields in new dumped
rba object json
pyth0n1c
pyth0n1c commented Mar 8, 2025
View reviewed changes
contentctl/objects/abstract_security_content_objects/detection_abstract.py
"nes_fields": self.nes_fields,
"rba": self.rba,
}
if self.rba is not None:
Copy link
Contributor Author

@pyth0n1c pyth0n1c Mar 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since these are encoded in individual risk_objects, I do not believe they should be included at a high-level for the entire RBA section anymore.

pyth0n1c
pyth0n1c commented Mar 8, 2025
View reviewed changes
contentctl/objects/rba.py
RiskScoreValue_Type = Annotated[int, Field(ge=1, le=100)]


def risk_score_to_severity(num: int) -> RiskSeverity:
Copy link
Contributor Author

@pyth0n1c pyth0n1c Mar 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If risk_severity needs to exist both for individual risk_objects AND at a high level for the entire RBA section, then this should be broken out here so it can be re-used.
It is also used in the savedsearches.conf dump logic here:

contentctl/contentctl/output/templates/savedsearches_detections.j2

Line 69 in a64d879

action.notable.param.severity = {{ detection.rba.severity }}

Is this a required field that MUST still be present in savedsearches.conf?

pyth0n1c
pyth0n1c commented Mar 8, 2025
View reviewed changes
contentctl/output/api_json_output.py
"id",
"description",
"tags",
"rba",
Copy link
Contributor Author

@pyth0n1c pyth0n1c Mar 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Make sure that the RBA field is written when a detection is dumped to JSON.

@pyth0n1c pyth0n1c marked this pull request as draft March 20, 2025 22:02
@pyth0n1c
Copy link
Contributor Author

pyth0n1c commented Mar 20, 2025

After discussing with relevant team(s), this PR will likely be closed out in favor of another that implements the relevant changes.
We will keep this open until that point for documentation purposes.

@pyth0n1c pyth0n1c mentioned this pull request Mar 29, 2025
Merged
@pyth0n1c
Copy link
Contributor Author

pyth0n1c commented Mar 29, 2025

This PR has been closed. New work will be focused on the following PR, which supersedes this one:
#390

@pyth0n1c pyth0n1c closed this Mar 29, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@pyth0n1c