Skip to content

Email Action Support #397

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
wants to merge 4 commits into
base: main
Choose a base branch
from
Draft
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -46,6 +46,7 @@
)
from contentctl.objects.integration_test import IntegrationTest
from contentctl.objects.manual_test import ManualTest
from contentctl.objects.email import EmailObject
from contentctl.objects.rba import RBAObject
from contentctl.objects.security_content_object import SecurityContentObject
from contentctl.objects.test_group import TestGroup
Expand All @@ -66,6 +67,7 @@ class Detection_Abstract(SecurityContentObject):
how_to_implement: str = Field(..., min_length=4)
known_false_positives: str = Field(..., min_length=4)
rba: Optional[RBAObject] = Field(default=None)
email: Optional[EmailObject] = Field(default=None)
explanation: None | str = Field(
default=None,
exclude=True, # Don't serialize this value when dumping the object
Expand Down Expand Up @@ -441,6 +443,8 @@ def serialize_model(self):
model["tags"]["risk_score"] = self.rba.risk_score
else:
model["tags"]["risk_score"] = 0
if self.email is not None:
model["email"] = self.email

# Only a subset of macro fields are required:
all_macros: list[dict[str, str | list[str]]] = []
Expand Down
2 changes: 1 addition & 1 deletion contentctl/objects/alert_action.py
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ def serialize_model(self):
model = {}

if self.email is not None:
raise Exception("Email not implemented")
model["email"] = self.email

if self.notable is not None:
model["notable"] = self.notable
Expand Down
19 changes: 19 additions & 0 deletions contentctl/objects/email.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
from __future__ import annotations

from abc import ABC

from pydantic import BaseModel, model_validator


class EmailObject(BaseModel, ABC):
to: str
subject: str
message: str

@model_validator(mode="before")
# Validate the email address
def validate_email(cls, data: str) -> str:
if data.get("to"):
if "@" not in data.get("to"):
raise ValueError("Invalid email address")
return data
8 changes: 4 additions & 4 deletions contentctl/output/templates/savedsearches_detections.j2
Original file line number Diff line number Diff line change
Expand Up @@ -72,11 +72,11 @@ action.notable.param.severity = {{ detection.rba.severity }}
action.notable.param.severity = high
{% endif %}
{% endif %}
{% if detection.deployment.alert_action.email %}
{% if detection.email %}
action.email = 1
action.email.subject.alert = {{ detection.deployment.alert_action.email.subject | custom_jinja2_enrichment_filter(detection) | escapeNewlines() }}
action.email.to = {{ detection.deployment.alert_action.email.to }}
action.email.message.alert = {{ detection.deployment.alert_action.email.message | custom_jinja2_enrichment_filter(detection) | escapeNewlines() }}
action.email.subject.alert = {{ detection.email.subject | custom_jinja2_enrichment_filter(detection) | escapeNewlines() }}
action.email.to = {{ detection.email.to }}
action.email.message.alert = {{ detection.email.message | custom_jinja2_enrichment_filter(detection) | escapeNewlines() }}
action.email.useNSSubject = 1
{% endif %}
{% if detection.deployment.alert_action.slack %}
Expand Down
Loading