# Generated catalog

Generated. Do not edit this file by hand. Regenerate with `contentops catalog regenerate`. CI gate: `contentops catalog check` exits 1 when this file disagrees with what the code would currently produce. Source of truth lives in `contentops/catalog/inspect.py`.

This catalog is a code-derived projection of the live contentops state: the registered Click commands, the asset taxonomy, the lint-rule registry, the per-asset handlers, the GitHub Actions workflows, and the unit + integration test files. Hand-curated narrative catalogs (`feature-catalog.md`, `test-catalog.md`, `cli-workflow-matrix.md`, `asset-coverage.md`) keep their prose; this file is what survives drift.

## CLI commands

| Command | Type | Summary |
|---|---|---|
| `alerts` | group | Alert tracking, daily rollup, and trend reporting. |
| `alerts collect` | command | Fetch raw alerts from Graph alerts_v2 or Sentinel incidents. |
| `alerts report` | command | Compute a multi-day alert trend report. |
| `alerts rollup` | command | Compute a daily alert classification rollup. |
| `apply` | command | Apply all assets via their registered handlers. |
| `audit` | group | Audit-trail commands. |
| `audit query` | group | Forensic / compliance queries over the audit chain. |
| `audit query by-actor` | command | Every record by ACTOR (GITHUB_ACTOR / USER / USERNAME field). |
| `audit query failures` | command | All records with status=failed, optionally bounded by --since. |
| `audit query latest` | command | Latest record for ASSET_ID across the chain. |
| `audit query rollbacks` | command | Records produced by contentops rollback (message starts with 'rollback to '). |
| `audit query timeline` | command | Every record for ASSET_ID, oldest first. |
| `audit verify` | command | Verify hash-chain integrity of audit/*.jsonl. |
| `auto-disabled-rules` | command | List Sentinel-side disabled rules + recent query failures (NVISO Part 7). |
| `bootstrap` | command | Idempotent first-run setup for a new Sentinel workspace. |
| `catalog` | group | Code-driven catalog of CLI commands, assets, lint rules, |
| `catalog check` | command | Exit 1 if the committed catalog drifts from the regenerated catalog. |
| `catalog regenerate` | command | Regenerate the catalog markdown from the live codebase. |
| `clean` | command | Delete local detection YAMLs (Sentinel + Defender content). |
| `collect` | command | Collect every asset from the live tenant into local YAML. |
| `config` | group | Inspect and validate tenant configuration. |
| `config list-workspaces` | command | Print the configured Sentinel workspaces. |
| `config validate` | command | Load and validate the tenant configuration. |
| `conformance` | command | Verify the ContentOps deployment is wired correctly (read-only). |
| `coverage` | command | Render a MITRE ATT&CK coverage heatmap (or --gaps / --d3fend) from detection metadata. |
| `defender-extensions-probe` | command | Probe Defender Graph extension endpoints for availability (F11). |
| `defender-roundtrip-diff` | command | Diagnose a Defender custom-detection MISMATCH after apply. |
| `detection-docs` | group | Per-detection markdown documentation (NVISO Part 4). |
| `detection-docs check` | command | Exit 1 if the committed detection docs drift from the renderer. |
| `detection-docs regenerate` | command | Regenerate per-detection markdown from the live envelopes. |
| `disable` | command | Emergency-disable a detection rule (or cohort) by setting |
| `doctor` | command | Run environment & configuration sanity checks (--fix to autofix). |
| `drift` | command | Detect drift between remote tenant and local YAML. |
| `drift-pr-body` | command | Render a Markdown PR body for the auto-drift workflow. |
| `drift-resolve` | command | Resolve drift for one rule with a chosen strategy. |
| `enable` | command | Inverse of contentops disable -- flip status: deprecated |
| `explain` | command | Surface everything the pipeline knows about RULE_ID in one shot. |
| `lifecycle` | group | Status promotion gates (F8). Reduced gate set in this PR. |
| `lifecycle promote` | command | Promote RULE_ID (or --rules / --cohort) from experimental to production. |
| `lint` | command | Run pure-Python KQL lint checks across all detections. |
| `lock` | command | Pin a rule as locally customised - apply will skip it without --force-overwrite. |
| `navigator` | command | Generate a MITRE Navigator layer JSON across three coverage axes. |
| `new` | command | Scaffold a valid YAML envelope. |
| `plan` | command | Show what apply would do - no API calls (or --against-tenant for live diff). |
| `portfolio` | command | Emit a flat per-detection portfolio report (CSV / JSON). |
| `prune` | command | Delete remote assets that are not in local YAML. |
| `report` | command | Generate the SOC-grade detection inventory report. |
| `restore` | command | Restore detections/ from a contentops collect archive (DR / inverse). |
| `retry-failed` | command | Re-apply only the assets a previous apply marked as failed. |
| `rollback` | command | Replay the YAML at SHA against the tenant. |
| `rule-test` | command | Run a detection's KQL against the live workspace. |
| `sentinel-roundtrip-diff` | command | Diagnose a Sentinel rule MISMATCH after apply. |
| `silent-rules` | command | List rules that haven't fired in the lookback window (F4). |
| `snapshot-diff` | command | Content-aware diff between two contentops collect archives. |
| `state` | group | Inspect and manage the per-env state file (DESIGN section 13). |
| `state forget` | command | Drop one envelope id from state (e.g. after a manual portal cleanup). |
| `state show` | command | Print the per-env state file. |
| `state sync` | group | Push / pull / status against the orphan-branch state convention. |
| `state sync pull` | command | Pull refs/heads/state/ into state/state.json. |
| `state sync push` | command | Push state/state.json onto refs/heads/state/ (orphan). |
| `state sync status` | command | Show divergence between local state and the state/ ref. |
| `status` | group | Generate dashboard markdown for the docs/status/ tree. |
| `status all` | command | Generate both pages with their default output paths. |
| `status configuration` | command | Render configuration health to docs/status/configuration.md. |
| `status deployments` | command | Render deployment status to docs/status/deployments.md. |
| `test` | command | Run pytest with sensible defaults. |
| `tuning` | group | Detection-tuning helpers (NVISO Part 8). |
| `tuning preview` | command | Estimate the blast-radius of new drift suppressions in this PR. |
| `unlock` | command | Inverse of contentops lock - remove the localCustomization flag. |
| `upstream` | group | Upstream-catalog watchers (G3 + G4 + F1.1). |
| `upstream check-defender-schema` | command | Refresh schemas_defender.json from Graph Advanced Hunting (F1.1 follow-up). |
| `upstream check-marketplace` | command | Diff contentPackages against the committed manifest (closes G3). |
| `upstream check-schemas` | command | Diff LA workspace table schemas against the kql_strict baseline (F1.1). |
| `upstream check-templates` | command | Diff alertRuleTemplates against the committed manifest (closes G4). |
| `upstream pre-pr-refresh` | command | One-shot pre-PR refresh: runs both check-schemas commands when allowed. |
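The `audit verify` and `audit query` rows above describe an append-only, hash-chained JSONL audit trail. The following is an added example, not the project's own code, showing how such a chain is built, verified and queried, and why a verifier that only walks the chain cannot see a truncated tail. The record field names (`ts`, `actor`, `asset_id`, `status`, `message`, `prev_hash`, `hash`), the SHA-256-over-canonical-JSON construction, the all-zero genesis `prev_hash`, and the three sample records are assumptions made for illustration.

```python
from __future__ import annotations

import hashlib
import json
from typing import Iterable

GENESIS = "0" * 64  # prev_hash of the first record (assumed convention)


def canonical(record: dict) -> bytes:
    """Deterministic bytes to hash: every field except `hash`, sorted keys, no whitespace."""
    body = {k: v for k, v in record.items() if k != "hash"}
    return json.dumps(body, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode("utf-8")


def record_hash(record: dict) -> str:
    return hashlib.sha256(canonical(record)).hexdigest()


def append(chain: list[dict], **fields) -> dict:
    """Append a record whose hash commits to its own fields and to the previous record's hash."""
    rec = dict(fields, prev_hash=chain[-1]["hash"] if chain else GENESIS)
    rec["hash"] = record_hash(rec)
    chain.append(rec)
    return rec


def to_jsonl(chain: list[dict]) -> list[str]:
    return [json.dumps(r, sort_keys=True, separators=(",", ":"), ensure_ascii=False) for r in chain]


def load(lines: Iterable[str]) -> list[dict]:
    return [json.loads(line) for line in lines if line.strip()]


def verify(lines: Iterable[str], expected_head: str | None = None) -> tuple[bool, str]:
    """Walk the chain: each record must link to its predecessor and match its own hash.
    Returns (True, head_hash) on success or (False, reason) at the first break. Only an
    external anchor (expected_head) can reveal records silently dropped from the tail."""
    prev = GENESIS
    for n, rec in enumerate(load(lines), 1):
        if rec.get("prev_hash") != prev:
            return False, f"line {n}: prev_hash does not link to the previous record"
        if record_hash(rec) != rec.get("hash"):
            return False, f"line {n}: record content does not match its hash"
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return False, "head hash differs from the external anchor: tail records missing or anchor stale"
    return True, prev


# Query helpers mirroring the `audit query` sub-commands listed in the catalog.
def query_by_actor(lines: Iterable[str], actor: str) -> list[dict]:
    return [r for r in load(lines) if r.get("actor") == actor]


def query_failures(lines: Iterable[str], since: str | None = None) -> list[dict]:
    # ISO-8601 UTC timestamps compare correctly as strings when all share one format.
    return [r for r in load(lines) if r.get("status") == "failed" and (since is None or r.get("ts", "") >= since)]


def query_rollbacks(lines: Iterable[str]) -> list[dict]:
    return [r for r in load(lines) if str(r.get("message", "")).startswith("rollback to ")]


def build_sample_chain() -> list[dict]:
    """Constructed sample records (actors, asset ids and commit ids are made up)."""
    chain: list[dict] = []
    append(chain, ts="2025-01-06T09:00:00Z", actor="alice", asset_id="sentinel_analytic/suspicious-sign-in",
           status="succeeded", message="apply main@3f2a1c9")
    append(chain, ts="2025-01-06T09:05:00Z", actor="github-actions[bot]", asset_id="defender_custom_detection/lsass-dump",
           status="failed", message="apply main@3f2a1c9")
    append(chain, ts="2025-01-06T10:00:00Z", actor="bob", asset_id="sentinel_analytic/suspicious-sign-in",
           status="succeeded", message="rollback to 9b7e0d4")
    return chain


def demo() -> dict:
    chain = build_sample_chain()
    lines = to_jsonl(chain)
    head = chain[-1]["hash"]

    tampered = load(lines)
    tampered[1]["status"] = "succeeded"  # rewrite the failed apply without re-hashing
    return {
        "clean": verify(lines, expected_head=head),
        "tampered": verify(to_jsonl(tampered)),
        "record_dropped": verify(lines[:1] + lines[2:]),  # middle record removed
        "tail_truncated_no_anchor": verify(lines[:-1]),  # still verifies: nothing follows the cut
        "tail_truncated_anchored": verify(lines[:-1], expected_head=head),
        "rollbacks": [r["message"] for r in query_rollbacks(lines)],
        "failures": [r["asset_id"] for r in query_failures(lines, since="2025-01-06T00:00:00Z")],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Walking the chain proves that no record in the middle was altered, removed or reordered, but deleting records from the end leaves a shorter chain that still verifies. Anchor the head hash somewhere the log writer cannot rewrite on its own (a signed tag, the state branch, a CI artifact) and pass it as `expected_head`.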

## Asset taxonomy

Total: 6 asset kinds (six-kind detection-engineering taxonomy).

| Asset kind | Handler module | KQL field declared |
|---|---|---|
| `defender_custom_detection` | `contentops.handlers.defender_custom_detection` | yes |
| `sentinel_analytic` | `contentops.handlers.sentinel_analytic` | yes |
| `sentinel_data_connector` | `contentops.handlers.sentinel_data_connector` | no |
| `sentinel_hunting` | `contentops.handlers.sentinel_hunting` | yes |
| `sentinel_parser` | `contentops.handlers.sentinel_parser` | yes |
| `sentinel_watchlist` | `contentops.handlers.sentinel_watchlist` | no |

## Lint rules

| Rule ID | Severity | Module |
|---|---|---|
| KQL001 | error | `contentops.lint.kql` |
| KQL002 | error | `contentops.lint.kql` |
| KQL003 | error | `contentops.lint.kql` |
| KQL004 | warning | `contentops.lint.kql` |
| KQL005 | warning | `contentops.lint.kql` |
| KQL006 | warning | `contentops.lint.kql` |
| KQL007 | error | `contentops.lint.kql` |
| KQL101 | error | `contentops.lint.strict_rules` |
| KQLOVERRIDE001 | error | `contentops.lint.snippets` |
| KQLOVERRIDE002 | error | `contentops.lint.snippets` |
| KQLOVERRIDE003 | error | `contentops.lint.snippets` |
| KQLOVERRIDE004 | error | `contentops.lint.snippets` |
| PAYLOAD001 | error | `contentops.lint.payload` |
| PAYLOAD002 | warning | `contentops.lint.payload` |

## Handlers

| Module | File | Asset kind |
|---|---|---|

## GitHub Actions workflows

| File | Workflow name |
|---|---|
| `.github/workflows/alerts-report.yml` | daily-alerts-rollup |
| `.github/workflows/audit-verify.yml` | Audit chain verify |
| `.github/workflows/ci.yml` | ci |
| `.github/workflows/collect.yml` | Collect Detection Rules |
| `.github/workflows/conformance.yml` | Deployment conformance |
| `.github/workflows/coverage.yml` | mitre-attack-coverage |
| `.github/workflows/dco.yml` | DCO check |
| `.github/workflows/defender-graph-probe.yml` | Defender Graph endpoint probe |
| `.github/workflows/deploy.yml` | Deploy Detection Rules |
| `.github/workflows/drift.yml` | Drift detection (auto-PR + PR check) |
| `.github/workflows/e2e-capability-tests.yml` | e2e-capability-tests |
| `.github/workflows/emergency-disable.yml` | Emergency Disable Rule |
| `.github/workflows/integration-deploy.yml` | Deploy to Integration Workspace |
| `.github/workflows/integration.yml` | Integration tests (live tenant) |
| `.github/workflows/kql-schemas-refresh.yml` | KQL schemas refresh (F1.1) |
| `.github/workflows/lint.yml` | Lint detections |
| `.github/workflows/lock-unlock.yml` | Lock / unlock |
| `.github/workflows/portfolio.yml` | Portfolio report |
| `.github/workflows/production-promotion-check.yml` | production-promotion-check |
| `.github/workflows/promote-to-integration.yml` | Promote prod -> integration |
| `.github/workflows/prune.yml` | Prune (delete remote orphans) |
| `.github/workflows/references-check.yml` | References URL check |
| `.github/workflows/release.yml` | Release |
| `.github/workflows/report.yml` | detection-inventory-report |
| `.github/workflows/retry-failed.yml` | Retry failed apply records |
| `.github/workflows/sast.yml` | SAST (bandit + semgrep) |
| `.github/workflows/secret-scan.yml` | Secret scan (gitleaks) |
| `.github/workflows/silent-rules.yml` | Silent Rules Report |
| `.github/workflows/spelling.yml` | Spelling (codespell) |
| `.github/workflows/status-refresh.yml` | Status refresh |
| `.github/workflows/tuning-impact-preview.yml` | Tuning impact preview |
| `.github/workflows/upstream-watchers.yml` | Upstream catalog watchers (G3 + G4) |
| `.github/workflows/validate.yml` | Validate Detection Rules |

## Tests

Unit: 144 files, 1450 test functions. Integration: 10 files, 14 test functions.

### Unit tests (tests/v2/)

| File | Test functions |
|---|---|
| `tests/v2/test_alerts_models.py` | 31 |
| `tests/v2/test_alerts_rollup.py` | 25 |
| `tests/v2/test_analytic_kinds.py` | 27 |
| `tests/v2/test_apply_continue_on_error.py` | 4 |
| `tests/v2/test_apply_json_report.py` | 10 |
| `tests/v2/test_apply_push_state.py` | 3 |
| `tests/v2/test_apply_safeguards.py` | 5 |
| `tests/v2/test_apply_verify_analytic.py` | 3 |
| `tests/v2/test_apply_verify_defender.py` | 5 |
| `tests/v2/test_apply_verify_hunting.py` | 3 |
| `tests/v2/test_apply_verify_watchlist.py` | 13 |
| `tests/v2/test_arm_name_matching.py` | 10 |
| `tests/v2/test_audit.py` | 13 |
| `tests/v2/test_audit_chain.py` | 18 |
| `tests/v2/test_audit_concurrent_write.py` | 4 |
| `tests/v2/test_audit_query.py` | 19 |
| `tests/v2/test_audit_timestamp_monotonicity.py` | 18 |
| `tests/v2/test_auth.py` | 6 |
| `tests/v2/test_auth_credential_chain.py` | 3 |
| `tests/v2/test_bootstrap_cli.py` | 3 |
| `tests/v2/test_catalog.py` | 16 |
| `tests/v2/test_check_references_diff.py` | 5 |
| `tests/v2/test_clean_cmd.py` | 5 |
| `tests/v2/test_cli_help_ascii_safe.py` | 3 |
| `tests/v2/test_cli_help_text.py` | 4 |
| `tests/v2/test_cli_plan_apply.py` | 6 |
| `tests/v2/test_cli_root_group.py` | 3 |
| `tests/v2/test_collect_enrich.py` | 5 |
| `tests/v2/test_collect_roundtrip.py` | 10 |
| `tests/v2/test_collect_workers_default.py` | 2 |
| `tests/v2/test_config_cli.py` | 18 |
| `tests/v2/test_config_envs.py` | 5 |
| `tests/v2/test_conformance_auth_env.py` | 3 |
| `tests/v2/test_coverage.py` | 19 |
| `tests/v2/test_coverage_d3fend.py` | 12 |
| `tests/v2/test_coverage_extract.py` | 14 |
| `tests/v2/test_coverage_gaps.py` | 14 |
| `tests/v2/test_defender_dry_run_resolve.py` | 4 |
| `tests/v2/test_defender_extensions_probe.py` | 9 |
| `tests/v2/test_defender_roundtrip.py` | 10 |
| `tests/v2/test_dependencies.py` | 7 |
| `tests/v2/test_detect_production_promotions.py` | 9 |
| `tests/v2/test_detection_docs.py` | 9 |
| `tests/v2/test_devex_doctor.py` | 8 |
| `tests/v2/test_devex_scaffold.py` | 9 |
| `tests/v2/test_disable.py` | 5 |
| `tests/v2/test_disable_pattern.py` | 12 |
| `tests/v2/test_discovery.py` | 2 |
| `tests/v2/test_docs_assets_readme_drift.py` | 2 |
| `tests/v2/test_doctor_fix.py` | 11 |
| `tests/v2/test_doctor_handler_matrix_classifier.py` | 6 |
| `tests/v2/test_doctor_handler_matrix_iteration.py` | 4 |
| `tests/v2/test_doctor_message_split.py` | 4 |
| `tests/v2/test_doctor_multi_workspace.py` | 3 |
| `tests/v2/test_doctor_output.py` | 3 |
| `tests/v2/test_doctor_sentinel_health.py` | 6 |
| `tests/v2/test_drift.py` | 10 |
| `tests/v2/test_drift_field_diff.py` | 10 |
| `tests/v2/test_drift_pr_body.py` | 4 |
| `tests/v2/test_drift_resolve.py` | 8 |
| `tests/v2/test_drift_roundtrip.py` | 12 |
| `tests/v2/test_drift_suppressions.py` | 17 |
| `tests/v2/test_emergency_disable_workflow.py` | 10 |
| `tests/v2/test_enable_pattern.py` | 15 |
| `tests/v2/test_entity_mappings_cap.py` | 4 |
| `tests/v2/test_env_status_filter.py` | 6 |
| `tests/v2/test_envelope_lifecycle_stage.py` | 6 |
| `tests/v2/test_envelope_metadata_fallback.py` | 2 |
| `tests/v2/test_explain.py` | 13 |
| `tests/v2/test_extract_etag.py` | 5 |
| `tests/v2/test_git_diff.py` | 5 |
| `tests/v2/test_handler_coverage.py` | 3 |
| `tests/v2/test_http_retry.py` | 13 |
| `tests/v2/test_hunting_handler.py` | 6 |
| `tests/v2/test_hunting_model.py` | 6 |
| `tests/v2/test_integration_guard.py` | 5 |
| `tests/v2/test_l2_kql101_production_gating.py` | 2 |
| `tests/v2/test_lifecycle_promote.py` | 41 |
| `tests/v2/test_lint.py` | 24 |
| `tests/v2/test_lint_coverage.py` | 5 |
| `tests/v2/test_lint_graduated_strict.py` | 10 |
| `tests/v2/test_lint_new_rules.py` | 21 |
| `tests/v2/test_lint_payload002_slug_truncation.py` | 13 |
| `tests/v2/test_lint_strict.py` | 13 |
| `tests/v2/test_lint_strict_config.py` | 10 |
| `tests/v2/test_lint_strict_dotnet.py` | 5 |
| `tests/v2/test_lint_strict_take_limit.py` | 12 |
| `tests/v2/test_lock_unlock_retry.py` | 12 |
| `tests/v2/test_meta001_lint.py` | 26 |
| `tests/v2/test_metadata.py` | 12 |
| `tests/v2/test_metadata_schema.py` | 14 |
| `tests/v2/test_migrate_tenant_config.py` | 4 |
| `tests/v2/test_multi_workspace_config.py` | 28 |
| `tests/v2/test_multi_workspace_targeting.py` | 15 |
| `tests/v2/test_navigator_extract.py` | 14 |
| `tests/v2/test_navigator_render.py` | 8 |
| `tests/v2/test_optional_engines.py` | 14 |
| `tests/v2/test_plan_against_tenant.py` | 4 |
| `tests/v2/test_portfolio.py` | 13 |
| `tests/v2/test_portfolio_score.py` | 19 |
| `tests/v2/test_portfolio_telemetry.py` | 5 |
| `tests/v2/test_pr_l_chunks.py` | 12 |
| `tests/v2/test_product_filter_enum.py` | 3 |
| `tests/v2/test_production_promotion_detector.py` | 8 |
| `tests/v2/test_prune.py` | 19 |
| `tests/v2/test_registry_and_handler.py` | 6 |
| `tests/v2/test_registry_close.py` | 5 |
| `tests/v2/test_remediate_payload001.py` | 8 |
| `tests/v2/test_report.py` | 28 |
| `tests/v2/test_report_enrich.py` | 16 |
| `tests/v2/test_report_snapshot.py` | 14 |
| `tests/v2/test_resolve_workspace_id.py` | 7 |
| `tests/v2/test_restore.py` | 11 |
| `tests/v2/test_retry_failed_since.py` | 19 |
| `tests/v2/test_rollback.py` | 14 |
| `tests/v2/test_rule_test_cli.py` | 5 |
| `tests/v2/test_sentinel_arm_retry.py` | 6 |
| `tests/v2/test_sentinel_pagination.py` | 1 |
| `tests/v2/test_sentinel_roundtrip.py` | 24 |
| `tests/v2/test_slug_arm_name.py` | 12 |
| `tests/v2/test_snapshot_diff.py` | 15 |
| `tests/v2/test_snippets.py` | 36 |
| `tests/v2/test_state_file.py` | 10 |
| `tests/v2/test_state_sync.py` | 10 |
| `tests/v2/test_status_configuration.py` | 8 |
| `tests/v2/test_status_deployments.py` | 13 |
| `tests/v2/test_status_redact.py` | 13 |
| `tests/v2/test_stdio_utf8.py` | 4 |
| `tests/v2/test_strict_allowlist.py` | 14 |
| `tests/v2/test_tenant_policy.py` | 6 |
| `tests/v2/test_token_auth.py` | 6 |
| `tests/v2/test_tuning.py` | 10 |
| `tests/v2/test_upstream_cli.py` | 5 |
| `tests/v2/test_upstream_defender_schema.py` | 18 |
| `tests/v2/test_upstream_manifest.py` | 14 |
| `tests/v2/test_upstream_marketplace.py` | 2 |
| `tests/v2/test_upstream_schemas.py` | 9 |
| `tests/v2/test_upstream_templates.py` | 1 |
| `tests/v2/test_upstream_whatsnew.py` | 9 |
| `tests/v2/test_watchlist_model.py` | 7 |
| `tests/v2/test_workflow_state_and_telemetry.py` | 2 |
| `tests/v2/test_workspace_kql.py` | 18 |
| `tests/v2/test_workspace_role_test.py` | 4 |
| `tests/v2/test_yaml_block_scalar.py` | 4 |

### Integration tests (tests/integration/)

| File | Test functions |
|---|---|
| `tests/integration/test_alerts_collect.py` | 2 |
| `tests/integration/test_collect_live_roundtrip.py` | 1 |
| `tests/integration/test_defender_custom_detection_crud.py` | 1 |
| `tests/integration/test_prune_live.py` | 2 |
| `tests/integration/test_rollback_drill_live.py` | 2 |
| `tests/integration/test_sentinel_alert_kinds_crud.py` | 2 |
| `tests/integration/test_sentinel_analytic_crud.py` | 1 |
| `tests/integration/test_sentinel_analytic_scaffold_deploys.py` | 1 |
| `tests/integration/test_sentinel_extras_crud.py` | 1 |
| `tests/integration/test_sentinel_live_full_coverage.py` | 1 |

## MITRE ATT&CK coverage

- Covered: 45 / 222 techniques (20%)
- Matrix: MITRE ATT&CK Enterprise (full)
- Badge: see `coverage/badge.json` (shields.io endpoint format).
- Layer: see `coverage/navigator-layer.json` (uploadable to https://mitre-attack.github.io/attack-navigator/).
- Source helper: `contentops.coverage.coverage_summary()`.
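As an added example of how the figures in this section can be derived from detection metadata (this is not the project's `contentops.coverage` code), the script below extracts technique tags from envelopes, scores them against a matrix, lists the gaps, and emits the two artifacts named above in the formats they reference: a shields.io endpoint badge and an ATT&CK Navigator layer. Assumptions: the `metadata.techniques` field name, that a sub-technique tag also covers its parent technique, the badge colour thresholds, the Navigator version strings, and the ten-technique sample matrix and five sample envelopes, which are constructed and stand in for the full 222-technique Enterprise matrix.

```python
from __future__ import annotations

import json
import re
from collections import defaultdict
from pathlib import Path

TECHNIQUE_RE = re.compile(r"^T\d{4}(?:\.\d{3})?$")

# Constructed sample: ten real Enterprise technique IDs standing in for the
# full 222-technique matrix this catalog reports against.
MATRIX = {"T1003", "T1021", "T1059", "T1078", "T1098", "T1110", "T1136", "T1486", "T1566", "T1570"}

# Constructed sample envelopes. `metadata.techniques` is an assumed field name,
# not the project's documented envelope schema.
ENVELOPES = [
    {"id": "suspicious-sign-in", "metadata": {"techniques": ["T1078", "t1110.001"]}},
    {"id": "impossible-travel", "metadata": {"techniques": ["T1078.004"]}},
    {"id": "lsass-dump", "metadata": {"techniques": ["T1003.001"]}},
    {"id": "phishing-link", "metadata": {"techniques": ["T1566.002", "T1566"]}},
    {"id": "bad-tag", "metadata": {"techniques": ["T15", "T1059"]}},
]


def extract_techniques(envelopes: list[dict]) -> tuple[dict[str, set[str]], list[str]]:
    """Technique ID -> detection IDs that tag it. A sub-technique tag (T1110.001) also
    credits its parent (T1110); malformed tags are reported rather than silently dropped."""
    hits: dict[str, set[str]] = defaultdict(set)
    warnings: list[str] = []
    for env in envelopes:
        for raw in env.get("metadata", {}).get("techniques", []):
            tid = str(raw).strip().upper()
            if not TECHNIQUE_RE.match(tid):
                warnings.append(f"{env['id']}: ignoring malformed technique tag {raw!r}")
                continue
            hits[tid].add(env["id"])
            hits[tid.split(".")[0]].add(env["id"])
    return hits, warnings


def coverage_summary(envelopes: list[dict], matrix: set[str] = MATRIX) -> dict:
    """Only matrix techniques count towards coverage; the rest of the matrix is the gap list."""
    hits, warnings = extract_techniques(envelopes)
    covered = sorted(t for t in matrix if t in hits)
    return {
        "covered": len(covered),
        "total": len(matrix),
        "percent": round(100 * len(covered) / len(matrix)) if matrix else 0,
        "covered_ids": covered,
        "gaps": sorted(matrix - set(covered)),
        "hits": {t: sorted(ids) for t, ids in sorted(hits.items())},
        "warnings": warnings,
    }


def badge_json(summary: dict) -> dict:
    """shields.io endpoint schema (schemaVersion / label / message / color). Thresholds assumed."""
    pct = summary["percent"]
    color = "red" if pct < 25 else "orange" if pct < 50 else "yellow" if pct < 75 else "brightgreen"
    return {
        "schemaVersion": 1,
        "label": "ATT&CK coverage",
        "message": f"{summary['covered']}/{summary['total']} ({pct}%)",
        "color": color,
    }


def navigator_layer(summary: dict, name: str = "contentops coverage") -> dict:
    """ATT&CK Navigator layer: one entry per tagged technique, score = number of detections.
    Version strings are assumptions; check them against the Navigator build you upload to."""
    techniques = [
        {"techniqueID": tid, "score": len(ids), "comment": ", ".join(ids), "enabled": True, "showSubtechniques": False}
        for tid, ids in summary["hits"].items()
    ]
    max_score = max((t["score"] for t in techniques), default=1)
    return {
        "name": name,
        "versions": {"attack": "15", "navigator": "5.0.0", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": f"{summary['covered']}/{summary['total']} matrix techniques covered",
        "techniques": techniques,
        "gradient": {"colors": ["#ffffff", "#66b032"], "minValue": 0, "maxValue": max_score},
    }


def write_artifacts(summary: dict, out_dir: str | Path) -> list[Path]:
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    paths = [out / "badge.json", out / "navigator-layer.json"]
    paths[0].write_text(json.dumps(badge_json(summary), indent=2) + "\n", encoding="utf-8")
    paths[1].write_text(json.dumps(navigator_layer(summary), indent=2) + "\n", encoding="utf-8")
    return paths


if __name__ == "__main__":
    s = coverage_summary(ENVELOPES)
    print(f"Covered: {s['covered']} / {s['total']} techniques ({s['percent']}%)")
    print("Gaps:", ", ".join(s["gaps"]))
    for w in s["warnings"]:
        print("warning:", w)
    print("Wrote:", ", ".join(str(p) for p in write_artifacts(s, "coverage")))
```

Two design points matter for a heatmap you will gate on: normalise tags before matching (a lowercase `t1110.001` is the same technique, a bare `T15` is a typo that should surface as a warning, not vanish), and decide explicitly whether a sub-technique tag credits its parent, because that choice alone moves the headline percentage.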