
Releases: splunk/contentctl

v4.4.1

21 Oct 22:41
d4d7d9d

Updated the CLI release_notes workflow to give more control over the branch we diff against when generating release notes. Previously, we could only diff against a tag.

What's Changed

Full Changelog: v4.4.0...v4.4.1

v4.4.0

16 Oct 13:25
cfda377

Summary

contentctl 4.4.0 includes a significant number of fixes, updates, and new features.
Most notably, we now include support for detection throttling, declared in the detection YAML as:

```yaml
throttling:
  period: 3600s # time period to throttle
  fields: name,host # fields to throttle on
```
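How a throttling block like the one above ends up controlling alert suppression, as an added example that is not contentctl's own code: Splunk saved searches suppress repeat alerts through the alert.suppress, alert.suppress.period and alert.suppress.fields settings in savedsearches.conf, where the period is an integer with an optional s/m/h/d unit. That contentctl renders `throttling:` onto exactly these keys is this example's assumption, as is SAMPLE_THROTTLING, a constructed copy of the YAML above as a Python dict.

```python
"""Added example, not contentctl's code: validate a detection's throttling
block and render it as Splunk saved-search suppression settings.

Assumption: the YAML maps onto savedsearches.conf as
  alert.suppress = 1
  alert.suppress.period = <period>
  alert.suppress.fields = <fields>
"""
import re

# Splunk's alert.suppress.period syntax: <integer>[s|m|h|d]; a bare integer is seconds.
_PERIOD_RE = re.compile(r"(\d+)([smhd]?)")
_UNIT_SECONDS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}

# Constructed sample: the throttling block from the 4.4.0 notes, as a dict.
SAMPLE_THROTTLING = {"period": "3600s", "fields": "name,host"}


def period_to_seconds(period: str) -> int:
    """Parse a suppression period, rejecting anything Splunk would not accept."""
    match = _PERIOD_RE.fullmatch(period.strip())
    if not match:
        raise ValueError(f"bad throttling period {period!r}: expected <int>[s|m|h|d]")
    value, unit = match.groups()
    seconds = int(value) * _UNIT_SECONDS[unit]
    if seconds <= 0:
        raise ValueError("throttling period must be greater than zero")
    return seconds


def parse_fields(fields: str) -> list[str]:
    """Split the comma-separated field list; every entry must be non-empty and unique."""
    names = [name.strip() for name in fields.split(",")]
    if any(not name for name in names):
        raise ValueError(f"bad throttling fields {fields!r}: empty field name")
    if len(set(names)) != len(names):
        raise ValueError(f"bad throttling fields {fields!r}: duplicate field name")
    return names


def render_suppression(throttling: dict) -> dict[str, str]:
    """Return the savedsearches.conf keys for one detection's throttling block."""
    period = throttling["period"].strip()
    period_to_seconds(period)  # validate; Splunk takes the original string
    fields = parse_fields(throttling["fields"])
    return {
        "alert.suppress": "1",
        "alert.suppress.period": period,
        "alert.suppress.fields": ",".join(fields),
    }


if __name__ == "__main__":
    for key, value in render_suppression(SAMPLE_THROTTLING).items():
        print(f"{key} = {value}")
```

The field list is the security-relevant choice. Throttling on fields that are too coarse (host alone, for example) silences a second actor's activity on the same host for the whole period, while fields that are too fine (a timestamp, a unique process id) throttle nothing. Pick the fields that define one incident for that detection.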

What's Changed

New Contributors

Full Changelog: v4.3.5...v4.4.0

v4.3.5

18 Sep 16:46
dbd3ea9

In addition to some cleanup, this release includes two significant features:

  1. Versioning enforcement has been added so that when a Detection is updated in a new release, its version field MUST be updated. This matters because applications built with contentctl can then take advantage of Splunk Enterprise Security 8's "Detection Versioning" feature. This enforcement has been added to the inspect workflow.
  2. The enrichments workflow has changed. When building with enrichments, both the Atomic Red Team and MITRE CTI repos must now be checked out. This change results in faster builds (when enrichments are enabled) and more stable and reliable builds using the MITRE CTI repo. We previously used the MITRE TAXII server, accessed via the API in the attackcti client, but that API was frequently down, leaving us unable to build, test, or release ESCU.
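One way to perform the version check described in point 1, as an added example (illustrative code, not contentctl's inspect implementation): fingerprint each detection's substantive fields and fail when a detection's content changed between two releases without its version field increasing. The two releases, their detection ids and searches, and the choice of version and date as the non-substantive keys are constructed assumptions for this example.

```python
"""Added example, not contentctl's code: enforce that a detection whose
content changed since the previous release also bumped its `version`.

Detections are plain dicts keyed by id (constructed sample data below);
real YAML loading is left out so the example runs stand-alone.
"""
import hashlib
import json

# Assumption of this example: these keys are metadata, and changing only
# them does not require a version bump.
IGNORED_KEYS = {"version", "date"}


def content_fingerprint(detection: dict) -> str:
    """Stable hash of the substantive fields, independent of key order."""
    body = {k: v for k, v in detection.items() if k not in IGNORED_KEYS}
    encoded = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(encoded).hexdigest()


def check_versions(previous: dict[str, dict], current: dict[str, dict]) -> list[str]:
    """Return one error string per detection that violates the versioning rule.

    Rules: changed content must come with a strictly higher version; a version
    must never decrease; detections new in this release may start at any version.
    """
    errors = []
    for det_id, new in current.items():
        old = previous.get(det_id)
        if old is None:
            continue
        old_version = int(old.get("version", 1))
        new_version = int(new.get("version", 1))
        changed = content_fingerprint(old) != content_fingerprint(new)
        if changed and new_version <= old_version:
            errors.append(
                f"{det_id}: content changed but version is {new_version} (previous release: {old_version})"
            )
        elif new_version < old_version:
            errors.append(f"{det_id}: version decreased from {old_version} to {new_version}")
    return errors


# Constructed sample releases (ids, names and searches are invented).
PREVIOUS_RELEASE = {
    "det-001": {"name": "Suspicious Scheduled Task", "version": 2, "date": "2024-06-01",
                "search": "index=wineventlog EventCode=4698 | stats count by host"},
    "det-002": {"name": "Curl Download To Tmp", "version": 1, "date": "2024-06-01",
                "search": "index=linux process_name=curl | search tmp"},
    "det-003": {"name": "Unchanged Detection", "version": 3, "date": "2024-06-01",
                "search": "index=auth action=failure | stats count by user"},
}
CURRENT_RELEASE = {
    # search widened and version bumped: allowed
    "det-001": {"name": "Suspicious Scheduled Task", "version": 3, "date": "2024-09-18",
                "search": "index=wineventlog EventCode IN (4698, 4702) | stats count by host"},
    # search changed but version untouched: violation
    "det-002": {"name": "Curl Download To Tmp", "version": 1, "date": "2024-09-18",
                "search": "index=linux process_name IN (curl, wget) | search tmp"},
    # only the date changed: allowed without a bump
    "det-003": {"name": "Unchanged Detection", "version": 3, "date": "2024-09-18",
                "search": "index=auth action=failure | stats count by user"},
    # new detection: allowed
    "det-004": {"name": "New Detection", "version": 1, "date": "2024-09-18",
                "search": "index=proxy status=407 | stats count by src"},
}


if __name__ == "__main__":
    for error in check_versions(PREVIOUS_RELEASE, CURRENT_RELEASE):
        print(error)
```

Run against the constructed releases, the check reports det-002 only: its search changed while version stayed at 1. Hashing the substantive fields rather than diffing text keeps the check insensitive to key order and to metadata-only edits, which is what lets a date refresh pass without forcing a new version.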

What's Changed

Full Changelog: v4.3.4...v4.3.5

v4.3.4

10 Sep 17:09
b9ce7f9

This release extends the checks that ensure the appropriate Risk and Observable objects are created. See the PR linked below for more details.
It also includes some small fixes to the validation of MITRE ID formats.

What's Changed

Full Changelog: v4.3.3...v4.3.4

v4.3.3

28 Aug 00:03
90f1b91

The action.correlationsearch.metadata field was updated to include an additional value, publish_date, a float timestamp recording when a detection was published.
Additionally, some cleanup was done around testing, and test_results/summary.yml was improved significantly to support better test result tracking.
Finally, detections that use Baselines but have not been marked manual_test will raise runtime Exceptions during testing until Baselines are officially supported in the testing workflow.

What's Changed

Full Changelog: v4.3.2...v4.3.3

v4.3.2

22 Aug 22:12
cb6e45b

What's Changed

  • add support for the entire mitre group metadata by @pyth0n1c in #253

Full Changelog: v4.3.1...v4.3.2

v4.3.1

22 Aug 18:06
8a07fcf

Improve checking against observables. These changes ensure that Threat Objects and Risk Objects are created correctly.

What's Changed

Full Changelog: v4.3.0...v4.3.1

v4.3.0

21 Aug 19:27
5d84999

This change removes code and references to SSA as they are not applicable to external users.

What's Changed

Full Changelog: v4.2.5...v4.3.0

v4.2.5

15 Aug 23:01
af372f6

A number of small improvements from internal and community PRs. See the "What's Changed" below for details.

What's Changed

  • Add a launcher to contentctl.py to allow easier debugging and launchi… by @Res260 in #212
  • Update attackcti requirement from ^0.3.7 to >=0.3.7,<0.5.0 by @dependabot in #214
  • Update on naming for the repo readme vs app readme by @pyth0n1c in #235
  • Hotfix: Bumping integration testing timeout to compensate for recent bugfix by @cmcginley-splunk in #240

Full Changelog: v4.2.4...v4.2.5

v4.2.4

09 Aug 14:44
9b5e02e

This release extends validation of the message: field of a detection when the --enable-integration-testing flag is passed to contentctl test. This is mostly used for internal Splunk testing at this time.

It also adds validation of DataSource objects to ensure that the latest TA version is declared for each Data Source.

Finally, @Res260 contributed a fix for a path issue that gets contentctl test working on Windows. Thanks!

What's Changed

New Contributors

Full Changelog: v4.2.2...v4.2.4