Releases: splunk/contentctl
v4.3.5
In addition to some cleanup, this release includes two significant features:
- Versioning enforcement has been added so that when a Detection is updated in a new release, its `version` field MUST be updated. This is important so that applications built with contentctl can take advantage of Splunk Enterprise Security 8's "Detection Versioning" feature! This enforcement has been added to the `inspect` workflow.
- The `enrichments` workflow has changed. When building with enrichments, both the Atomic Red Team and MITRE CTI repos must be checked out. This update was made because it results in faster builds (when enrichments are enabled) and more stable and reliable builds using the MITRE CTI repo. We previously used the MITRE TAXII server, which is accessed via API in the `attackcti` client, but that API was frequently down, making us unable to build/test/release ESCU.
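As an added illustration of the versioning rule above (example code, not contentctl's own `inspect` implementation): a minimal check that compares the detections of a previous release against the current ones, keyed by detection `id`, and fails any detection whose content changed without a bump of its `version` field. The field names and sample detections are constructed for this example.

```python
# Added example, not contentctl's code: enforce that a changed detection
# carries a new `version`, in the spirit of the `inspect` workflow check.
import json
from typing import Any

# Constructed sample detections keyed by `id`. Field names mirror the
# detection YAML layout (name/id/version/search); values are made up.
PREVIOUS_RELEASE: dict[str, dict[str, Any]] = {
    "a1": {"name": "Suspicious Process", "id": "a1", "version": 2,
           "search": "index=main sourcetype=proc | stats count by user"},
    "b2": {"name": "Odd Logon", "id": "b2", "version": 1,
           "search": "index=main sourcetype=auth | stats count by src"},
    "c3": {"name": "Rare DNS", "id": "c3", "version": 4,
           "search": "index=main sourcetype=dns | rare query"},
}
CURRENT_RELEASE: dict[str, dict[str, Any]] = {
    # a1: search changed AND version bumped -> acceptable
    "a1": {"name": "Suspicious Process", "id": "a1", "version": 3,
           "search": "index=main sourcetype=proc | stats count by user, host"},
    # b2: search changed but version left at 1 -> must be flagged
    "b2": {"name": "Odd Logon", "id": "b2", "version": 1,
           "search": "index=main sourcetype=auth | stats count by src, dest"},
    # c3: unchanged -> version may stay as is
    "c3": {"name": "Rare DNS", "id": "c3", "version": 4,
           "search": "index=main sourcetype=dns | rare query"},
    # d4: brand new detection -> nothing to compare against
    "d4": {"name": "New Thing", "id": "d4", "version": 1,
           "search": "index=main sourcetype=web | stats count by uri"},
}


def content_fingerprint(detection: dict[str, Any]) -> str:
    """Canonical form of everything except `version`, for change detection."""
    body = {k: v for k, v in detection.items() if k != "version"}
    return json.dumps(body, sort_keys=True)


def enforce_versions(previous: dict[str, dict[str, Any]],
                     current: dict[str, dict[str, Any]]) -> list[str]:
    """Return one error string per detection that changed without a bump."""
    errors = []
    for det_id, det in current.items():
        old = previous.get(det_id)
        if old is None:
            continue  # new detection: no prior version to compare with
        if content_fingerprint(old) == content_fingerprint(det):
            continue  # unchanged content keeps its version
        if det["version"] <= old["version"]:
            errors.append(f"{det['name']} ({det_id}) changed but version is "
                          f"still {det['version']}; bump it for ES 8 versioning")
    return errors
```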
What's Changed
- Removal of more bits of SSA by @ljstella in #255
- Fix unintended whitespace by @pyth0n1c in #278
- Update bottle requirement from ^0.12.25 to >=0.12.25,<0.14.0 by @dependabot in #277
- Bareinit by @pyth0n1c in #288
- Update setuptools requirement from >=69.5.1,<75.0.0 to >=69.5.1,<76.0.0 by @dependabot in #290
- Feature: Adding version enforcement by @cmcginley-splunk in #280
- Require mitre/cti repo for enrichments by @pyth0n1c in #291
Full Changelog: v4.3.4...v4.3.5
v4.3.4
This release includes extended support for ensuring that the appropriate Risk and Observable objects are created. See the PR linked below for more details.
There are also some small validation fixes around validating MITRE ID formats.
What's Changed
- Abstract Commonly Used Annotated Type Definitions by @pyth0n1c in #271
- Update setuptools requirement from >=69.5.1,<74.0.0 to >=69.5.1,<75.0.0 by @dependabot in #270
- Enabling risk/observable matching by @cmcginley-splunk in #241
- Update pyproject.toml by @pyth0n1c in #281
Full Changelog: v4.3.3...v4.3.4
v4.3.3
The action.correlationsearch.metadata field was updated to include an additional value called publish_date, a timestamp float representing when a detection was published.
Additionally, some cleanup was done around testing and the test_results/summary.yml was improved significantly to support better test results/tracking.
Finally, if searches use Baselines but have not been marked manual_test, they will throw runtime Exceptions during testing until Baselines are officially supported in the testing workflow.
What's Changed
- add publish_date field by @pyth0n1c in #239
- Responses to Comments by @pyth0n1c in #260
- Expanding coverage and other metrics in summary.yml by @cmcginley-splunk in #257
Full Changelog: v4.3.2...v4.3.3
v4.3.2
v4.3.1
Improve checking against observables. These changes ensure that Threat Objects and Risk Objects are created correctly.
What's Changed
- Threat objects by @ljstella in #234
- New observable role enum by @ljstella in #243
- Update setuptools requirement from >=69.5.1,<73.0.0 to >=69.5.1,<74.0.0 by @dependabot in #245
Full Changelog: v4.3.0...v4.3.1
v4.3.0
v4.2.5
A number of small improvements from internal and community PRs. See the "What's Changed" below for details.
What's Changed
- Add a launcher to contentctl.py to allow easier debugging and launchi… by @Res260 in #212
- Update attackcti requirement from ^0.3.7 to >=0.3.7,<0.5.0 by @dependabot in #214
- Update on naming for the repo readme vs app readme by @pyth0n1c in #235
- Hotfix: Bumping integration testing timeout to compensate for recent bugfix by @cmcginley-splunk in #240
Full Changelog: v4.2.4...v4.2.5
v4.2.4
This change includes extended validation of the `message:` field of a detection when using the `--enable-integration-testing` flag for `contentctl test`. This is mostly used for internal Splunk testing at this time.
It also now includes validation of DataSource Objects to ensure that the latest TA version is declared for each Data Source.
Finally, @Res260 made a contribution to get contentctl test working on Windows by fixing a path issue. Thanks!
What's Changed
- Update setuptools requirement from >=69.5.1,<71.0.0 to >=69.5.1,<73.0.0 by @dependabot in #215
- Tweaks to Data Source Validation by @pyth0n1c in #218
- Add latest TA version validation by @P4T12ICK in #216
- Allow `contentctl test` to work on Windows by fixing a path problem. by @Res260 in #217
- Addressed Casey's Feedback by @pyth0n1c in #222
- Adding risk message validation++ by @cmcginley-splunk in #92
New Contributors
Full Changelog: v4.2.2...v4.2.4
v4.2.2
This update adds a new "missing" lookup to ignore as it is used by some detections in the latest release of security_content / ESCU.
It also removes the optional words Deprecated/Experimental/RIR from the `action.correlationsearch.label` field in savedsearches.conf. Those words could make labels too long and give a poor experience in Enterprise Security.
What's Changed
- SA Admon lookup exclusion by @patel-bhavin in #210
- make labels a bit shorter by @pyth0n1c in #211
Full Changelog: v4.2.1...v4.2.2
v4.2.1
What's Changed
- updating error handling on selected testing by @patel-bhavin in #206
Full Changelog: v4.2.0...v4.2.1