Releases: splunk/contentctl
v4.0.2
This release fixes spacing issues that could appear in savedsearches.conf or es_investigations.conf, causing certain stanzas to fail to parse and producing failures/errors when running btool.
This issue was initially reported by a customer. Thank you to them for their feedback!
v4.0.1
Support for the upcoming Enterprise Security
- Added support for an upcoming Enterprise Security release, including the actions.correlationsearch.metadata field for version, date, and other relevant information.
Improved Validation and Performance
- Upgraded to Pydantic2 for enhanced object validation of detections, stories, lookups, and other content.
- Leveraged newer Pydantic field validation technology to introduce strongly typed content fields, eliminating string references.
- Moved many checks from runtime to validation time, so errors are detected faster (failures surface in about 3 seconds instead of after a 1-2 hour wait).
- Implemented Atomic GUID validation and support for detection tests.
- Added strict checks for risk and threat object configuration, including type, allowed fields, and mandatory victim definition.
- Introduced notable and risk message validation during runtime when Enterprise Security triggers the detection.
Bug Fixes and Consistency Improvements
- Resolved inconsistencies between file names and detection names through programmatic enforcement.
- Fixed broken references to analytic stories and detections that were mistyped or no longer existed.
- Ensured all detections create correct risk and threat objects, addressing previous bugs.
- Removed backslash usage for new lines in the detection description, fixing rendering issues and eliminating the need for escape characters (\).
Code Cleanup and Optimization
- Cleaned out old, duplicated code.
- Significantly improved execution speed across all content workflows, including validation and build generation.
Developer Experience Enhancements
- Upgraded to Python 3.12 for improved performance and compatibility.
- Added an app template folder for customization of the app generated by contentctl init, allowing users to add their own images, dashboards, panels, etc.
- Improved command line ergonomics and documentation for a better developer experience.
Miscellaneous Updates
- Improved release notes generation for easier tracking of changes between versions.
These updates aim to enhance the overall functionality, performance, and user experience of Contentctl, while addressing bugs and inconsistencies present in previous versions.
v3.6.0
This version includes a small change that writes additional information to savedsearches.conf.
The file now includes a metadata field showing:
- Whether or not a detection is deprecated
- The current version of the detection
- The UUID of the detection
Please see the following link for more detail on the PR:
#132 (comment)
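As an added illustration (example code, not contentctl's own implementation), the following Python writes a savedsearches.conf stanza carrying the kind of metadata field described above and reads it back. The field name follows the actions.correlationsearch.metadata name given in the v4.0.1 notes; the JSON key names inside it (deprecated, detection_version, detection_id), the stanza name and the search string are constructed assumptions for this example. The writer also rejects stanza names with surrounding whitespace or embedded newlines before they are emitted, and the reader validates the UUID, so malformed content is caught at build time rather than when btool or Enterprise Security parses the file.

```python
import configparser
import json
import uuid

# Field name as given in the release notes. The JSON key names written into it
# are assumptions for this example, not necessarily what contentctl emits.
METADATA_FIELD = "action.correlationsearch.metadata"


def build_metadata(deprecated: bool, version: int, detection_id: str) -> str:
    """Serialise per-detection metadata as a single-line JSON string.

    Raises ValueError if detection_id is not a well-formed UUID, so a typo in
    the YML never reaches the generated .conf file.
    """
    uuid.UUID(detection_id)
    payload = {
        "deprecated": deprecated,
        "detection_version": version,
        "detection_id": detection_id,
    }
    # Compact separators keep the value on one line (conf files are line based).
    return json.dumps(payload, separators=(",", ":"))


def render_stanza(name: str, search: str, deprecated: bool, version: int,
                  detection_id: str) -> str:
    """Render one savedsearches.conf stanza with search and metadata fields."""
    if name != name.strip() or "\n" in name:
        raise ValueError(f"stanza name has surrounding whitespace or newline: {name!r}")
    if "\n" in search:
        raise ValueError("search must be a single line in savedsearches.conf")
    lines = [
        f"[{name}]",
        f"search = {search}",
        f"{METADATA_FIELD} = {build_metadata(deprecated, version, detection_id)}",
    ]
    return "\n".join(lines) + "\n"


def read_detection_metadata(conf_text: str) -> dict[str, dict]:
    """Parse savedsearches.conf text and return {stanza: metadata dict}.

    Stanzas without a metadata field are skipped; a metadata value that is not
    valid JSON or carries a bad UUID raises ValueError.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=True)
    parser.optionxform = str  # keep key case; conf keys are case sensitive
    parser.read_string(conf_text)
    result: dict[str, dict] = {}
    for section in parser.sections():
        raw = parser.get(section, METADATA_FIELD, fallback=None)
        if raw is None:
            continue
        meta = json.loads(raw)
        uuid.UUID(meta["detection_id"])
        result[section] = meta
    return result


# Constructed sample values for the demonstration below.
SAMPLE_ID = "12345678-1234-5678-1234-567812345678"
SAMPLE_NAME = "Example - Suspicious Process Launch - Rule"
SAMPLE_SEARCH = "index=main sourcetype=XmlWinEventLog | stats count by host"

if __name__ == "__main__":
    text = render_stanza(SAMPLE_NAME, SAMPLE_SEARCH, False, 2, SAMPLE_ID)
    print(text)
    print(read_detection_metadata(text))
```

Run it directly to see the rendered stanza and the parsed metadata; the reader is also usable on an existing savedsearches.conf to list which detections are deprecated and at what version.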
v3.5.0
This release includes improvements around Integration Testing Functionality and now properly respects the manual_test flag. Previously, detections labeled as manual_test would show as errors at the conclusion of the test, but they now render as SKIPPED.
Release note generation is also improved.
v3.4.3
v3.4.2
Updated how long we wait for the AppInspect API to return results.
First, wait for 40 seconds, then check every subsequent second for the results (AppInspect runs always take at least 40 seconds).
This reduces the wait time for an AppInspect run without creating undue stress on the AppInspect endpoint.
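The wait policy described above, written out as an added Python example (not contentctl's own client code). The 40 second initial wait and 1 second poll interval come from the notes; the fetch callable standing in for the AppInspect status request, the injected sleep function, the max_polls cap and the simulate helper are assumptions introduced here so the policy can be exercised offline without a real endpoint.

```python
from typing import Callable, Optional, TypeVar

T = TypeVar("T")


def wait_for_appinspect_result(
    fetch: Callable[[], Optional[T]],
    sleep: Callable[[float], None],
    initial_wait: float = 40.0,
    poll_interval: float = 1.0,
    max_polls: int = 600,
) -> T:
    """Wait once for initial_wait, then poll fetch() every poll_interval.

    fetch returns None while the report is not ready and the result once it is.
    max_polls caps the number of polls so a stuck report cannot hang a build
    forever (an assumed safeguard, not something the notes describe).
    """
    sleep(initial_wait)  # a run never finishes sooner, so do not poll yet
    for _ in range(max_polls):
        result = fetch()
        if result is not None:
            return result
        sleep(poll_interval)
    raise TimeoutError(
        f"no result after {initial_wait + max_polls * poll_interval:.0f} seconds"
    )


def simulate(ready_after_polls: int, initial_wait: float = 40.0,
             poll_interval: float = 1.0, max_polls: int = 600):
    """Run the policy against a fake endpoint that is 'done' on the Nth poll.

    Returns (result, sleeps), where sleeps lists every pause requested, so the
    schedule can be checked without actually sleeping.
    """
    calls = {"n": 0}
    sleeps: list[float] = []

    def fetch():
        calls["n"] += 1
        # Constructed response; a real client would parse the API reply.
        return {"status": "done"} if calls["n"] >= ready_after_polls else None

    result = wait_for_appinspect_result(
        fetch, sleeps.append, initial_wait, poll_interval, max_polls
    )
    return result, sleeps


if __name__ == "__main__":
    import time
    # With real sleeping, a report ready on the 3rd poll takes about 42 seconds.
    done, schedule = simulate(3)
    print("sleep schedule:", schedule, "->", done)
    # To use against a real endpoint: wait_for_appinspect_result(my_fetch, time.sleep)
```

Because sleep is injected, the same function runs under a real time.sleep in production and under a recording stub in tests; the schedule for a report that is ready on the third poll is exactly [40.0, 1.0, 1.0].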
v3.4.1
v3.4.0
This release brings a number of exciting features and fixes. The most significant are as follows:
- ACS Deploy Support - contentctl can now deploy your app directly into your Classic OR Victoria Splunk Cloud Stack! #114
- Enable Specified Searches by Default - You can now enable a search in your environment by default (instead of disabled by default) at app build time. When this app is deployed, the search will be scheduled to run. To do this, add the following key to your YML:
enabled_by_default: True
#116
- Allow Comments in Searches - This fixes a bug where comments could be parsed as macros and cause validation failures. Now, you can include inline comments in the search field of your detection YMLs. #115
v3.3.0
v3.2.0
Improve content development/testing performance
This release adds two new features.
First is the --skip_enrichment command which can be used as follows:
contentctl --skip_enrichment validate
contentctl --skip_enrichment build
contentctl --skip_enrichment test
This command line switch overrides the enrichments values contained in contentctl.yml, enabling contentctl commands to run MUCH faster by optionally disabling enrichment. Enrichment should still be used for final testing and release builds of content.
Second, since test environments take so long to configure, by default they will be re-used for subsequent tests. This means that a container test environment, once created, will remain running until it is manually terminated. This behavior can be overridden by setting the option contentctl_test.yml ---> infrastructure_config ---> persist_and_reuse_container = True.
Note that if a test container does not exist when a test begins, it will be created. Finally, the presence of additional messages on the command line when running contentctl test indicates that this feature is active:
Container [splunk_contentctl_0] has NOT been terminated because 'contentctl_test.yml ---> infrastructure_config ---> persist_and_reuse_container = True'
To remove it, please manually run the following at the command line: `docker container rm -fv splunk_contentctl_0`
If you have made changes to your environment since it was built, such as adding new apps/TAs, OR you have updated any content that is NOT a detection (such as a macro or lookup), then please terminate your container and rerun contentctl test. At this time, those artifacts are not propagated into the persistent test environment.