From 6fc54ac334076cbe43f9d320e7c64bb4ac81c07f Mon Sep 17 00:00:00 2001
From: Jose Enrique Hernandez
Date: Thu, 8 Feb 2024 22:10:29 -0500
Subject: [PATCH 1/3] Update constants.py

fixes a UI issue with ES
---
 contentctl/objects/constants.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/contentctl/objects/constants.py b/contentctl/objects/constants.py
index 288d32b4..3668429d 100644
--- a/contentctl/objects/constants.py
+++ b/contentctl/objects/constants.py
@@ -11,8 +11,8 @@
 "Discovery": "Exploitation",
 "Lateral Movement": "Exploitation",
 "Collection": "Exploitation",
- "Command And Control": "Command And Control",
- "Command And Control": "Command And Control",
+ "Command And Control": "Command and Control",
+ "Command And Control": "Command and Control",
 "Exfiltration": "Actions on Objectives",
 "Impact": "Actions on Objectives"
 }
@@ -132,4 +132,4 @@
 "Command_and_Control": "TA0011",
 "Exfiltration": "TA0010",
 "Impact": "TA0040"
-}
\ No newline at end of file
+}

From 39927d69224422604eac6ac87109bd6d14b2d8a6 Mon Sep 17 00:00:00 2001
From: pyth0n1c
Date: Fri, 9 Feb 2024 12:15:44 -0800
Subject: [PATCH 2/3] Updates duplicate definition of ATTACK_TACTICS_KILLCHAIN_MAPPING constant/enum value

---
 contentctl/helper/constants.py | 34 +++++++++++------------
 contentctl/input/detection_builder.py | 3 +-
 contentctl/input/sigma_converter.py | 1 -
 contentctl/input/ssa_detection_builder.py | 2 +-
 4 files changed, 19 insertions(+), 21 deletions(-)

diff --git a/contentctl/helper/constants.py b/contentctl/helper/constants.py
index f9de2cdd..1df083f9 100644
--- a/contentctl/helper/constants.py
+++ b/contentctl/helper/constants.py
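Review bot: The two `+` lines in the first hunk still repeat the literal key `"Command And Control"` inside the same dict, so Python keeps only the second entry and the first line is dead; the value fix does not touch that. If the second line was meant to cover a spelling variant, give it its own distinct key, otherwise collapse the pair to the single line `"Command And Control": "Command and Control",`. The same duplicated pair is carried into the commented-out copy in contentctl/helper/constants.py in patch 2, which patch 3 then deletes, so only this file needs the fix. The dict's opening line is outside the hunk.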
@@ -1,20 +1,20 @@
-ATTACK_TACTICS_KILLCHAIN_MAPPING = {
- "Reconnaissance": "Reconnaissance",
- "Resource Development": "Weaponization",
- "Initial Access": "Delivery",
- "Execution": "Installation",
- "Persistence": "Installation",
- "Privilege Escalation": "Exploitation",
- "Defense Evasion": "Exploitation",
- "Credential Access": "Exploitation",
- "Discovery": "Exploitation",
- "Lateral Movement": "Exploitation",
- "Collection": "Exploitation",
- "Command And Control": "Command And Control",
- "Command And Control": "Command And Control",
- "Exfiltration": "Actions on Objectives",
- "Impact": "Actions on Objectives"
-}
+# ATTACK_TACTICS_KILLCHAIN_MAPPING = {
+# "Reconnaissance": "Reconnaissance",
+# "Resource Development": "Weaponization",
+# "Initial Access": "Delivery",
+# "Execution": "Installation",
+# "Persistence": "Installation",
+# "Privilege Escalation": "Exploitation",
+# "Defense Evasion": "Exploitation",
+# "Credential Access": "Exploitation",
+# "Discovery": "Exploitation",
+# "Lateral Movement": "Exploitation",
+# "Collection": "Exploitation",
+# "Command And Control": "Command And Control",
+# "Command And Control": "Command And Control",
+# "Exfiltration": "Actions on Objectives",
+# "Impact": "Actions on Objectives"
+# }
 SES_CONTEXT_MAPPING = {
 "Unknown": 0,
diff --git a/contentctl/input/detection_builder.py b/contentctl/input/detection_builder.py
index efc0596d..dc4099c3 100644
--- a/contentctl/input/detection_builder.py
+++ b/contentctl/input/detection_builder.py
@@ -13,8 +13,7 @@
 from contentctl.enrichments.cve_enrichment import CveEnrichment
 from contentctl.enrichments.splunk_app_enrichment import SplunkAppEnrichment
 from contentctl.objects.config import ConfigDetectionConfiguration
-from contentctl.helper.constants import *
-
+from contentctl.objects.constants import ATTACK_TACTICS_KILLCHAIN_MAPPING
 class DetectionBuilder():
 security_content_obj : SecurityContentObject
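Review bot: Replacing `from contentctl.helper.constants import *` with a single explicit name re-binds only `ATTACK_TACTICS_KILLCHAIN_MAPPING`, while the star import also used to expose `SES_CONTEXT_MAPPING`, `SES_KILL_CHAIN_MAPPINGS`, `SES_OBSERVABLE_ROLE_MAPPING`, `SES_OBSERVABLE_TYPE_MAPPING` and `SES_ATTACK_TACTICS_ID_MAPPING` (all visible in the helper file deleted by patch 3), and any use of those inside a DetectionBuilder method would now raise NameError only when that method runs, not at import time. The class body is outside the hunk so I cannot confirm whether any are referenced; a search for `SES_` under contentctl/input/ before merging, or importing the needed names explicitly on the same line, closes that gap. The same concern applies to the sigma_converter.py hunk in this patch, which removes the star import with no replacement at all, and to the ssa_detection_builder.py hunk. The hunk counts also suggest only one blank line now separates the imports from `class DetectionBuilder():`, where PEP 8 asks for two before a top-level class.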
diff --git a/contentctl/input/sigma_converter.py b/contentctl/input/sigma_converter.py
index aec19de3..465f7781 100644
--- a/contentctl/input/sigma_converter.py
+++ b/contentctl/input/sigma_converter.py
@@ -16,7 +16,6 @@
 from contentctl.input.yml_reader import YmlReader
 from contentctl.objects.detection import Detection
 from contentctl.objects.data_source import DataSource
-from contentctl.helper.constants import *
 from contentctl.objects.enums import *
 from contentctl.helper.utils import Utils
 from contentctl.input.backend_splunk_ba import SplunkBABackend
diff --git a/contentctl/input/ssa_detection_builder.py b/contentctl/input/ssa_detection_builder.py
index 8efb1674..9e134f71 100644
--- a/contentctl/input/ssa_detection_builder.py
+++ b/contentctl/input/ssa_detection_builder.py
@@ -12,7 +12,7 @@
 from contentctl.enrichments.cve_enrichment import CveEnrichment
 from contentctl.enrichments.splunk_app_enrichment import SplunkAppEnrichment
 from contentctl.objects.ssa_detection import SSADetection
-from contentctl.helper.constants import *
+from contentctl.objects.constants import ATTACK_TACTICS_KILLCHAIN_MAPPING
 class SSADetectionBuilder():

From bdc28c428f1d82d72304dd193a8b372152a914d9 Mon Sep 17 00:00:00 2001
From: pyth0n1c
Date: Fri, 9 Feb 2024 13:31:31 -0800
Subject: [PATCH 3/3] Remove helper contstant file entirely. Fix capitalization that does not affect BA functionality in support of old file removal.

---
 contentctl/helper/constants.py | 134 --------------------------------
 contentctl/objects/constants.py | 2 +-
 2 files changed, 1 insertion(+), 135 deletions(-)
 delete mode 100644 contentctl/helper/constants.py

diff --git a/contentctl/helper/constants.py b/contentctl/helper/constants.py
deleted file mode 100644
index 1df083f9..00000000
--- a/contentctl/helper/constants.py
+++ /dev/null
@@ -1,134 +0,0 @@
-# ATTACK_TACTICS_KILLCHAIN_MAPPING = {
-# "Reconnaissance": "Reconnaissance",
-# "Resource Development": "Weaponization",
-# "Initial Access": "Delivery",
-# "Execution": "Installation",
-# "Persistence": "Installation",
-# "Privilege Escalation": "Exploitation",
-# "Defense Evasion": "Exploitation",
-# "Credential Access": "Exploitation",
-# "Discovery": "Exploitation",
-# "Lateral Movement": "Exploitation",
-# "Collection": "Exploitation",
-# "Command And Control": "Command And Control",
-# "Command And Control": "Command And Control",
-# "Exfiltration": "Actions on Objectives",
-# "Impact": "Actions on Objectives"
-# }
-
-SES_CONTEXT_MAPPING = {
- "Unknown": 0,
- "Source:Endpoint": 10,
- "Source:AD": 11,
- "Source:Firewall": 12,
- "Source:Application Log": 13,
- "Source:IPS": 14,
- "Source:Cloud Data": 15,
- "Source:Correlation": 16,
- "Source:Printer": 17,
- "Source:Badge": 18,
- "Scope:Internal": 20,
- "Scope:External": 21,
- "Scope:Inbound": 22,
- "Scope:Outbound": 23,
- "Scope:Local": 24,
- "Scope:Network": 25,
- "Outcome:Blocked": 30,
- "Outcome:Allowed": 31,
- "Stage:Recon": 40,
- "Stage:Initial Access": 41,
- "Stage:Execution": 42,
- "Stage:Persistence": 43,
- "Stage:Privilege Escalation": 44,
- "Stage:Defense Evasion": 45,
- "Stage:Credential Access": 46,
- "Stage:Discovery": 47,
- "Stage:Lateral Movement": 48,
- "Stage:Collection": 49,
- "Stage:Exfiltration": 50,
- "Stage:Command And Control": 51,
- "Consequence:Infection": 60,
- "Consequence:Reduced Visibility": 61,
- "Consequence:Data Destruction": 62,
- "Consequence:Denial Of Service": 63,
- "Consequence:Loss Of Control": 64,
- "Rares:Rare User": 70,
- "Rares:Rare Process": 71,
- "Rares:Rare Device": 72,
- "Rares:Rare Domain": 73,
- "Rares:Rare Network": 74,
- "Rares:Rare Location": 75,
- "Other:Peer Group": 80,
- "Other:Brute Force": 81,
- "Other:Policy Violation": 82,
- "Other:Threat Intelligence": 83,
- "Other:Flight Risk": 84,
- "Other:Removable Storage": 85
-}
-
-SES_KILL_CHAIN_MAPPINGS = {
- "Unknown": 0,
- "Reconnaissance": 1,
- "Weaponization": 2,
- "Delivery": 3,
- "Exploitation": 4,
- "Installation": 5,
- "Command And Control": 6,
- "Actions on Objectives": 7
-}
-
-SES_OBSERVABLE_ROLE_MAPPING = {
- "Other": -1,
- "Unknown": 0,
- "Actor": 1,
- "Target": 2,
- "Attacker": 3,
- "Victim": 4,
- "Parent Process": 5,
- "Child Process": 6,
- "Known Bad": 7,
- "Data Loss": 8,
- "Observer": 9
-}
-
-SES_OBSERVABLE_TYPE_MAPPING = {
- "Unknown": 0,
- "Hostname": 1,
- "IP Address": 2,
- "MAC Address": 3,
- "User Name": 4,
- "Email Address": 5,
- "URL String": 6,
- "File Name": 7,
- "File Hash": 8,
- "Process Name": 9,
- "Ressource UID": 10,
- "Endpoint": 20,
- "User": 21,
- "Email": 22,
- "Uniform Resource Locator": 23,
- "File": 24,
- "Process": 25,
- "Geo Location": 26,
- "Container": 27,
- "Registry Key": 28,
- "Registry Value": 29,
- "Other": 99
-}
-
-SES_ATTACK_TACTICS_ID_MAPPING = {
- "Reconnaissance": "TA0043",
- "Resource_Development": "TA0042",
- "Initial_Access": "TA0001",
- "Execution": "TA0002",
- "Persistence": "TA0003",
- "Privilege_Escalation": "TA0004",
- "Defense_Evasion": "TA0005",
- "Credential_Access": "TA0006",
- "Discovery": "TA0007",
- "Lateral_Movement": "TA0008",
- "Collection": "TA0009",
- "Command_and_Control": "TA0011",
- "Exfiltration": "TA0010",
- "Impact": "TA0040"
-}
\ No newline at end of file
diff --git a/contentctl/objects/constants.py b/contentctl/objects/constants.py
index 3668429d..1c772e1a 100644
--- a/contentctl/objects/constants.py
+++ b/contentctl/objects/constants.py
@@ -74,7 +74,7 @@
 "Delivery": 3,
 "Exploitation": 4,
 "Installation": 5,
- "Command And Control": 6,
+ "Command and Control": 6,
 "Actions on Objectives": 7
 }
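Review bot: Renaming the key to `"Command and Control"` in the contentctl/objects/constants.py hunk changes what every lookup into this dict (presumably SES_KILL_CHAIN_MAPPINGS; its opening line is outside the hunk) must pass, and nothing in the series pins the relationship between these keys and the values of ATTACK_TACTICS_KILLCHAIN_MAPPING, which patch 1 moved to the same spelling. A module-level check placed after both definitions, such as `assert set(ATTACK_TACTICS_KILLCHAIN_MAPPING.values()) <= SES_KILL_CHAIN_MAPPINGS.keys()`, or a unit test to the same effect, would make the next capitalization drift fail at import time instead of surfacing as a KeyError while content is being built. The commit message asserts BA is unaffected by the casing change, but that claim is not exercised by anything in the patch.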