Releases: splunk/contentctl
v5.3.1
v5.3.0
There are a number of new changes in 5.3.0. Most notably, we now include formal support for content deprecation and removal via the new command line argument --enable_deprecation_mapping_requirement (accepted by contentctl validate/build/test/inspect). This argument enables fine-grained control and validation of which detections have been marked as deprecated/removed, and of the schedule for when that content MUST be removed from your app. You can see an example of that file here: https://github.com/splunk/security_content/blob/develop/removed/deprecation_mapping.YML
It is used in the https://github.com/splunk/security_content/ repo and the ES Content Update app to power the Deprecation Assistant dashboard. As part of this, contentctl automatically generates a deprecation_mapping_DDDDMMDD.csv file and a corresponding lookup, deprecation_mapping, that exposes this deprecation information in your app.
If you do not explicitly pass the --enable_deprecation_mapping_requirement argument on the command line (or in your contentctl.yml), you should not notice any new behavior or requirements.
Other notable improvements include improved testing of ESCU content when using Splunk Enterprise Security 8 Content Versioning, better errors when attempting to parse malformed or empty YML files, and an updated structure for detections in the detections.json API objects.
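The following is an added illustration of the kind of consistency checks a deprecation mapping enables, plus the CSV lookup it feeds. It is not contentctl's own code and it does not use the real deprecation_mapping.YML schema: the Detection and DeprecationEntry shapes, the status vocabulary, the CSV column names and the YYYYMMDD reading of the DDDDMMDD filename pattern are all assumptions made for this example.

```python
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Detection:
    """Minimal detection record; status vocabulary is assumed for this example."""
    name: str
    status: str  # "production", "deprecated" or "removed"


@dataclass(frozen=True)
class DeprecationEntry:
    """One row of a hypothetical deprecation mapping (field names are assumptions)."""
    name: str            # detection the entry applies to
    deprecated_in: str   # app version in which the content was deprecated
    remove_by: date      # date by which the content MUST be removed
    replacement: str     # replacement detection name, or "" when there is none


def validate_deprecation_mapping(
    detections: list[Detection], mapping: list[DeprecationEntry], today: date
) -> list[str]:
    """Return validation errors; an empty list means mapping and detections agree.

    Every deprecated/removed detection needs a mapping entry, every entry must
    name a real, non-production detection and a real replacement (if any), and
    deprecated content whose removal date has passed must actually be removed.
    """
    by_name = {d.name: d for d in detections}
    mapped = {m.name for m in mapping}
    errors: list[str] = []
    for d in detections:
        if d.status in ("deprecated", "removed") and d.name not in mapped:
            errors.append(f"{d.name}: status {d.status} but no deprecation mapping entry")
    for m in mapping:
        d = by_name.get(m.name)
        if d is None:
            errors.append(f"{m.name}: mapping entry refers to an unknown detection")
        elif d.status == "production":
            errors.append(f"{m.name}: mapping entry exists but detection is still production")
        elif d.status == "deprecated" and m.remove_by <= today:
            errors.append(f"{m.name}: removal date {m.remove_by} reached but content not removed")
        if m.replacement and m.replacement not in by_name:
            errors.append(f"{m.name}: replacement {m.replacement!r} does not exist")
    return errors


def render_deprecation_csv(mapping: list[DeprecationEntry]) -> str:
    """Render the mapping as the CSV body of a lookup, sorted by name for stable output."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["detection_name", "deprecated_in", "remove_by", "replacement"])
    for m in sorted(mapping, key=lambda e: e.name):
        writer.writerow([m.name, m.deprecated_in, m.remove_by.isoformat(), m.replacement])
    return buf.getvalue()


def csv_filename(today: date) -> str:
    # Assumption: the DDDDMMDD pattern in the release notes means YYYYMMDD.
    return f"deprecation_mapping_{today:%Y%m%d}.csv"


# Constructed sample data, not taken from any real content repository.
SAMPLE_DETECTIONS = [
    Detection("Old Suspicious Login", "deprecated"),
    Detection("Suspicious Login Pattern", "production"),
    Detection("Legacy Admin Share Access", "removed"),
]
SAMPLE_MAPPING = [
    DeprecationEntry("Old Suspicious Login", "5.0.0", date(2025, 12, 31), "Suspicious Login Pattern"),
    DeprecationEntry("Legacy Admin Share Access", "4.2.0", date(2024, 6, 30), ""),
]
TODAY = date(2025, 4, 1)

if __name__ == "__main__":
    for err in validate_deprecation_mapping(SAMPLE_DETECTIONS, SAMPLE_MAPPING, TODAY):
        print("ERROR:", err)
    print(csv_filename(TODAY))
    print(render_deprecation_csv(SAMPLE_MAPPING), end="")
```

The sort before writing the CSV matters for the same reason the 5.0.1 notes give for conf files: a lookup that is regenerated on every build must not change between invocations unless its content changed.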
What's Changed
- Ruff updates by @ljstella in #381
- Update attackcti requirement from ^0.4.0 to >=0.4,<0.6 by @dependabot in #343
- Update setuptools requirement from >=69.5.1,<76.0.0 to >=69.5.1,<79.0.0 by @dependabot in #386
- Feature: validation of detections against cms_main by @cmcginley-splunk in #303
- Improve YML parsing error output by @pyth0n1c in #389
- Fix pathing issue on Windows and Cleanup Typing by @pyth0n1c in #393
- fixes #394, adds action.email to email output by @ljstella in #395
- Bumping to ruff v0.11.2 by @ljstella in #388
- Issue template update by @ljstella in #396
- update detections.json output with new rba structure by @pyth0n1c in #390
- D assistant take 2 by @pyth0n1c in #355
Full Changelog: v5.2.0...v5.3.0
v5.2.0
v5.1.0
The most significant change in this release is that instead of emitting a WARNING when a detection references a non-existent DataSource, we now emit an ERROR, which causes a validation failure.
What's Changed
- README + Docs Rewrite by @ljstella in #360
- Convert warning for missing datasource to an error by @pyth0n1c in #375
Full Changelog: v5.0.5...v5.1.0
v5.0.5
v5.0.4
v5.0.3
This release introduces new validation enforcement on the tags.mitre_attack_id field. It is no longer possible to declare overlapping techniques and sub-techniques. For example, T1000 and T1000.001 cannot both be defined.
However, any combination of non-overlapping techniques and sub-techniques remains valid.
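An added example of the overlap rule described above, written in Python as a stand-alone check; it is not contentctl's validator and the function names are this example's own. A sub-technique id already implies its parent technique, so the check flags any parent that is declared alongside one of its own sub-techniques.

```python
from __future__ import annotations

import re
from typing import Iterable

# ATT&CK technique ids look like T1000; sub-technique ids look like T1000.001.
_ATTACK_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")


def technique_of(attack_id: str) -> str:
    """Return the parent technique id (T1000 for T1000.001; T1000 for T1000)."""
    if not _ATTACK_ID.match(attack_id):
        raise ValueError(f"malformed ATT&CK id: {attack_id!r}")
    return attack_id.split(".", 1)[0]


def find_overlapping_ids(attack_ids: Iterable[str]) -> list[tuple[str, str]]:
    """Return (technique, sub_technique) pairs where both are declared.

    Output is sorted so callers get the same error text on every run.
    """
    ids = set(attack_ids)
    overlaps: list[tuple[str, str]] = []
    for attack_id in sorted(ids):
        parent = technique_of(attack_id)  # also rejects malformed ids
        if parent != attack_id and parent in ids:
            overlaps.append((parent, attack_id))
    return overlaps


def validate_mitre_attack_ids(attack_ids: Iterable[str]) -> None:
    """Raise ValueError naming every overlapping pair; return None when valid."""
    overlaps = find_overlapping_ids(attack_ids)
    if overlaps:
        detail = ", ".join(f"{parent} overlaps {sub}" for parent, sub in overlaps)
        raise ValueError(f"tags.mitre_attack_id contains overlapping entries: {detail}")


if __name__ == "__main__":
    # Constructed sample tag values, not taken from any real detection.
    validate_mitre_attack_ids(["T1000.001", "T1000.002", "T2000"])  # valid
    try:
        validate_mitre_attack_ids(["T1000", "T1000.001"])
    except ValueError as err:
        print(err)
```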
What's Changed
Full Changelog: v5.0.2...v5.0.3
v5.0.2
The following are some minor patch updates that improve the output of appinspect (which now includes the cloud, victoria, and classic tags) and add a new optional field to data_source objects.
What's Changed
- Update appinspect flags by @pyth0n1c in #365
- Recognize by @josehelps in #366
- Adding output fields to data_source by @ljstella in #368
Full Changelog: v5.0.1...v5.0.2
v5.0.1
Because Risk and Threat Objects in the new "rba" section of detections are a set, not a list, their serialization order into conf files was non-deterministic. contentctl build MUST produce deterministic output in conf files; this is important for enforcing versioning compliance.
We still treat these objects as a set internally, but when serializing we now sort the objects with a custom sort function to ensure that the serialization order does not change between invocations.
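An added example of the sort-before-serialize pattern described here. It is not contentctl's code: the RiskObject and ThreatObject shapes, the JSON output format and the sort keys are assumptions for this example, and the point it demonstrates is that two sets built in different insertion order serialize to byte-identical output, which is what any version or digest comparison of build output depends on.

```python
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass


@dataclass(frozen=True)
class RiskObject:
    """Assumed shape of a risk object in a detection's rba section."""
    field: str
    type: str
    score: int


@dataclass(frozen=True)
class ThreatObject:
    """Assumed shape of a threat object in a detection's rba section."""
    field: str
    type: str


def risk_sort_key(obj: RiskObject) -> tuple[str, str, int]:
    # Every attribute takes part in the key, so distinct objects never tie and
    # the resulting order is total and reproducible across invocations.
    return (obj.field, obj.type, obj.score)


def threat_sort_key(obj: ThreatObject) -> tuple[str, str]:
    return (obj.field, obj.type)


def serialize_rba(risk_objects: set[RiskObject], threat_objects: set[ThreatObject]) -> str:
    """Serialize both sets deterministically.

    Set iteration order depends on hash seeds and insertion history, so the
    objects are sorted with explicit keys before being written out; sort_keys
    and fixed separators make the JSON text itself reproducible as well.
    """
    payload = {
        "risk_objects": [asdict(r) for r in sorted(risk_objects, key=risk_sort_key)],
        "threat_objects": [asdict(t) for t in sorted(threat_objects, key=threat_sort_key)],
    }
    return json.dumps(payload, sort_keys=True, separators=(",", ":"))


def content_digest(serialized: str) -> str:
    """SHA-256 of the serialized text; equal digests mean the content did not change."""
    return hashlib.sha256(serialized.encode("utf-8")).hexdigest()


# Constructed sample objects: the same content inserted in two different orders.
SAMPLE_A = (
    {RiskObject("user", "user", 50), RiskObject("dest", "system", 30)},
    {ThreatObject("process_name", "process"), ThreatObject("file_hash", "hash")},
)
SAMPLE_B = (
    {RiskObject("dest", "system", 30), RiskObject("user", "user", 50)},
    {ThreatObject("file_hash", "hash"), ThreatObject("process_name", "process")},
)

if __name__ == "__main__":
    out_a = serialize_rba(*SAMPLE_A)
    out_b = serialize_rba(*SAMPLE_B)
    print(out_a)
    print("identical:", out_a == out_b, content_digest(out_a))
```

Without the sort, the two samples could serialize differently from one process to the next (Python randomizes string hashes per process), so a build-to-build comparison would report a change where none exists.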
What's Changed
Full Changelog: v5.0.0...v5.0.1