Releases: splunk/contentctl
v5.0.0-alpha.3
Fixes a number of issues, most notably removing references to observables, which are no longer used in the codebase. They have been superseded by the RBA object (which in turn has its own message, victim, and threat objects).
Some additional bugs were resolved around this removal and introduction of the new RBA field which happened in the first alpha.
Finally, some code cleanup (formatting and linting).
This is still a pre-release and not intended for public use at this time.
What's Changed
- lint fixes & formatting by @ljstella in #350
- removing code referencing observables by @ljstella in #352
- Fixes for 5.0.0a2 by @ljstella in #351
- Version bump for next alpha release by @ljstella in #354
Full Changelog: v5.0.0-alpha.2...v5.0.0-alpha.3
v5.0.0-alpha.2
This is still a pre-release version and not intended for public use. It resolves:
- issues around detecting lookups that have changed when running contentctl test mode:changes ...
- an error in the savedsearches_detections.j2 template where erroneous newlines may be included in savedsearches.conf
- reverts to using splunk/splunk:9.3 (instead of splunk/splunk:latest, which presently installs splunk:9.4) due to an error in contentctl where contentctl test does not wait for all apps to install before beginning testing. This will be resolved in a future release.
What's Changed
Full Changelog: v5.0.0-alpha...v5.0.0-alpha.2
v5.0.0-alpha
There are a significant number of changes in this release and it is not intended for public use yet. This release is being done to enable testing of a number of different workflows in prep for a general release of contentctl 5.0. We DO NOT suggest using this release at this time.
When the non-alpha version of contentctl 5.0.0 is released, we will give more detail about exactly what changes were made.
To indicate the state of this release, the following warning is printed every time contentctl is run:
WARNING - THIS IS AN ALPHA BUILD OF CONTENTCTL 5.
THERE HAVE BEEN NUMEROUS CHANGES IN CONTENTCTL (ESPECIALLY TO YML FORMATS).
YOU ALMOST CERTAINLY DO NOT WANT TO USE THIS BUILD.
IF YOU ENCOUNTER ERRORS, PLEASE USE THE LATEST CURRENTLY SUPPORTED RELEASE:
CONTENTCTL==4.4.7
YOU HAVE BEEN WARNED!
What's Changed
- Exception on extra fields by @pyth0n1c in #325
- Python 3.13 support by @ljstella in #302
- Remove use enum values by @pyth0n1c in #335
- GH Actions Matrix update by @ljstella in #340
- Update tyro requirement from ^0.8.3 to >=0.8.3,<0.10.0 by @dependabot in #341
- Improve lookup regex - Step 1 - ESCU 5.0 by @pyth0n1c in #274
- Migrate integration testing to RBA paradigm - Step 2 by @cmcginley-splunk in #345
- DRAFT: new RBA Object - Step 3 - ESCU 5.0 by @ljstella in #263
- First crack at default config for ruff - Step 3.5 - ESCU 5.0 by @ljstella in #254
- contentctl 5 - Step 4 - ESCU 5.0 by @pyth0n1c in #334
Full Changelog: v4.4.7...v5.0.0-alpha
v4.4.7
v4.4.6
contentctl does not yet support Python 3.13. This was not reflected in the pyproject.toml and thus on PyPI.
This release updates the compatibility here and on PyPI. At this time, contentctl supports Python 3.11 and 3.12.
Look for Python 3.13 support in an upcoming release!
What's Changed
Full Changelog: v4.4.5...v4.4.6
v4.4.5
Ensure that when testing using mode:changes, updates to an underlying data_source object used by a detection mean that the detections which reference it must be retested.
What's Changed
- Ensure we print the right field for data_source by @ljstella in #324
- Testing on Datasource changes by @ljstella in #301
Full Changelog: v4.4.4...v4.4.5
v4.4.4
v4.4.3
This fixes a serious problem that caused all integration testing to fail due to an incorrect path used for scheduling a savedsearch.
There may still be some testing issues with this release, but this is definitely more correct than previously.
This supersedes 4.4.2, which had a bug where the version was not updated in pyproject.toml, meaning that the upload to PyPI failed.
What's Changed
- Fix savedsearches path issue by @pyth0n1c in #316
- remove "cloud" from the security_domain enum by @pyth0n1c in #314
Full Changelog: v4.4.1...v4.4.3
v4.4.1
Update CLI release_notes workflow for a bit more control on the branch we diff against to generate those notes. Previously, we could only diff against a tag.
What's Changed
- add --compare_against flag to release_notes action by @patel-bhavin in #311
Full Changelog: v4.4.0...v4.4.1
v4.4.0
Summary
contentctl 4.4.0 includes a significant number of fixes, updates, and new features.
Most notably, we now include support for
- Dashboard Objects: Dashboards can now be defined as content in the dashboards/ folder after creating a new app! These dashboards should be created in Splunk by creating a Simple XML Dashboard. Use the "View Source" button when editing your dashboard to extract the JSON that represents that dashboard. Each dashboard is represented by a YML file and this JSON file (the JSON file should have the same name as the YML file). You can see some example dashboards that ESCU ships here: https://github.com/splunk/security_content/tree/develop/dashboards
- Drilldown Searches: Production searches which are NOT type: Hunting are now required to have two Drilldown searches. These now render in the Enterprise Security UI and make triaging and investigating your alerts much easier. For some example Drilldowns, please refer here: https://github.com/splunk/contentctl/blob/cfda377c6887e28e02bb1798382ac0070b7983c2/contentctl/templates/detections/endpoint/anomalous_usage_of_7zip.yml#L32-L40
- Throttling/Alert Suppression: In order to avoid too many alerts being generated in a given time frame, we have added support for Throttling/Alert Suppression on a per-detection basis. Please refer to the inline documentation here for more information: https://github.com/splunk/contentctl/blob/main/contentctl/objects/throttling.py . Splunk provides more information about throttling here: https://docs.splunk.com/Documentation/Splunk/9.3.1/Alert/ThrottleAlerts . An example throttling section of your Detection YML, under the "tags" section, looks like:
  throttling:
    period: 3600s # time period to throttle
    fields: name,host # fields to throttle on
What's Changed
- Allow absent tests for experimental detections by @linuxdaemon in #36
- Update new content generator with new formats by @linuxdaemon in #44
- Handle stopped containers in testing by @linuxdaemon in #42
- Customer prs 1 by @pyth0n1c in #86
- Fix error on missing roles by @pyth0n1c in #190
- Add fields as requested by @pyth0n1c in #169
- Add UI dispatch app by @pyth0n1c in #145
- Update setuptools requirement from >=69.5.1,<71.0.0 to >=69.5.1,<72.0.0 by @dependabot in #196
- Handling when a user does not answer one of the questions by @yaleman in #189
- Update setuptools requirement from >=69.5.1,<71.0.0 to >=69.5.1,<72.0.0 by @dependabot in #202
- Update setuptools requirement from >=69.5.1,<71.0.0 to >=69.5.1,<72.0.0 by @dependabot in #205
- Handling the case where there are no tests by @yaleman in #198
- No tests fix by @pyth0n1c in #207
- Update setuptools requirement from >=69.5.1,<71.0.0 to >=69.5.1,<73.0.0 by @dependabot in #209
- Add Alert Suppression (throttling) support to detections by @pyth0n1c in #192
- Dashboard Support by @pyth0n1c in #147
- Fix name length by @pyth0n1c in #213
- improve output of risk severity field. by @pyth0n1c in #191
- contentctl v4.4.0 by @pyth0n1c in #179
- Ryanplasma add explanation by @pyth0n1c in #296
- Add type_list to annotations by @pyth0n1c in #293
- Fix datasource in contentctl new by @pyth0n1c in #297
- Optionally suppress missing detections during metadata validation by @pyth0n1c in #305
- Update xmltodict requirement from ^0.13.0 to >=0.13,<0.15 by @dependabot in #304
- Exception on malformatted unit tests in YMLs by @pyth0n1c in #300
- Refactoring for formatting and some logical error correction by @cmcginley-splunk in #308
- Mathieugonzales: replace deprecated pydantic validators by @pyth0n1c in #298
- Drilldown Support by @pyth0n1c in #256
- Allow testing with the default or custom_index by @ax-hsmith in #307
- Add more custom indexes by @pyth0n1c in #309
New Contributors
- @yaleman made their first contribution in #189
- @ax-hsmith made their first contribution in #307
Full Changelog: v4.3.5...v4.4.0