From 0f3be119aff7536878052f3337222f1c03c82545 Mon Sep 17 00:00:00 2001
From: Swati Panchal
Date: Wed, 5 Mar 2025 10:37:10 +0530
Subject: [PATCH 1/2] chore: ADDON-77801 Added support for ingesting json event using contentctl
---
 .../infrastructures/DetectionTestingInfrastructure.py | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/contentctl/actions/detection_testing/infrastructures/DetectionTestingInfrastructure.py b/contentctl/actions/detection_testing/infrastructures/DetectionTestingInfrastructure.py
index ea755d8c..ad4d4530 100644
--- a/contentctl/actions/detection_testing/infrastructures/DetectionTestingInfrastructure.py
+++ b/contentctl/actions/detection_testing/infrastructures/DetectionTestingInfrastructure.py
@@ -1404,10 +1404,16 @@ def hec_raw_replay(
 )
 with open(tempfile, "rb") as datafile:
 try:
+ content = datafile.read()
+ content_str = content.decode("utf-8")
+ if content_str.startswith('{"event"'):
+ url_with_hec_path = urllib.parse.urljoin(
+ url_with_port, "services/collector/event"
+ )
 res = requests.post(
 url_with_hec_path,
 params=url_params,
- data=datafile.read(),
+ data=content,
 allow_redirects=True,
 headers=headers,
 verify=verify_ssl,
From 461a112b9f50ba34555588797cc1271709ac5da4 Mon Sep 17 00:00:00 2001
From: Swati Panchal
Date: Thu, 13 Mar 2025 17:08:19 +0530
Subject: [PATCH 2/2] chore: ADDON-77801 introduce endpoint field in yml files to ingest json data
---
 .../DetectionTestingInfrastructure.py | 12 +++++-------
 contentctl/objects/test_attack_data.py | 1 +
 2 files changed, 6 insertions(+), 7 deletions(-)
diff --git a/contentctl/actions/detection_testing/infrastructures/DetectionTestingInfrastructure.py b/contentctl/actions/detection_testing/infrastructures/DetectionTestingInfrastructure.py
index ad4d4530..eae488f2 100644
--- a/contentctl/actions/detection_testing/infrastructures/DetectionTestingInfrastructure.py
+++ b/contentctl/actions/detection_testing/infrastructures/DetectionTestingInfrastructure.py
@@ -1402,18 +1402,16 @@ def hec_raw_replay(
 url_with_hec_path = urllib.parse.urljoin(
 url_with_port, "services/collector/raw"
 )
+
+ if attack_data_file.endpoint:
+ url_with_hec_path = urllib.parse.urljoin(url_with_port, attack_data_file.endpoint)
+
 with open(tempfile, "rb") as datafile:
 try:
- content = datafile.read()
- content_str = content.decode("utf-8")
- if content_str.startswith('{"event"'):
- url_with_hec_path = urllib.parse.urljoin(
- url_with_port, "services/collector/event"
- )
 res = requests.post(
 url_with_hec_path,
 params=url_params,
- data=content,
+ data=datafile.read(),
 allow_redirects=True,
 headers=headers,
 verify=verify_ssl,
diff --git a/contentctl/objects/test_attack_data.py b/contentctl/objects/test_attack_data.py
index 5d5f9c80..7f3437c8 100644
--- a/contentctl/objects/test_attack_data.py
+++ b/contentctl/objects/test_attack_data.py
@@ -11,3 +11,4 @@ class TestAttackData(BaseModel):
 sourcetype: str = Field(...)
 custom_index: str | None = None
 host: str | None = None
+ endpoint: str | None = None
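Review bot: In the `hec_raw_replay` hunk of PATCH 2/2, `attack_data_file.endpoint` is joined onto `url_with_port` without any validation, and `urllib.parse.urljoin` discards the base when its second argument is an absolute or scheme-relative URL. A value in a test YAML could therefore send the POST, along with `headers` (which presumably carry the HEC token), to a host other than the test instance. The new field in `contentctl/objects/test_attack_data.py` is a free-form `str | None`, so nothing upstream narrows it either. If raw and event are the only collectors intended, constrain the model field, e.g. `endpoint: Literal["services/collector/raw", "services/collector/event"] | None = None`, or at least reject values where `urllib.parse.urlsplit(endpoint).netloc` is non-empty before joining. `hec_raw_replay` starts and ends outside this hunk, so the contents of `headers` should be confirmed there.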