Releases: splunk/contentctl
v5.5.8
With these changes, integration testing can run much faster!
This also fixes a "bug" related to capitalization of datasources in the escu analytic onboarding assistant.
We also update our ruff configs and some dependencies.
What's Changed
- Pex 552/on demand detection triggers by @pyth0n1c in #416
- remove "yml" from playbook release notes by @patel-bhavin in #426
- Make data_sources lookup case insensitive by @ljstella in #429
- Bumping Ruff version by @ljstella in #411
- Bump the versions of requests and setuptools to latest. by @pyth0n1c in #432
Full Changelog: v5.5.7...v5.5.8
v5.5.7
Minor update to Playbooks type
What's Changed
- Add additional use cases and missing D3FEND techniques by @ccl0utier in #418
New Contributors
- @ccl0utier made their first contribution in #418
Full Changelog: v5.5.6...v5.5.7
v5.5.6
Generate MITRE ATT&CK output layer.
Fix a bug introduced in tyro v0.0.9.23 where, if an extremely large number of files (greater than 530 or so) are passed to mode:selected --mode.files ..., the command line parser crashes.
What's Changed
- Bump MITRE ATT&CK version in output layer by @ljstella in #417
- Update pyproject.toml by @pyth0n1c in #419
Full Changelog: v5.5.5...v5.5.6
v5.5.5
v5.5.4
contentctl report has been updated to output a MITRE ATT&CK Navigator layer in the 5.1.0 format.
What's Changed
- TR-3506 MITRE MAP Update by @josehelps in #413
Full Changelog: v5.5.3...v5.5.4
v5.5.3
v5.5.2
This just bumps the names of the objects generated in dist/api to end in _v2. This is because the detection schema changed slightly, so we want to differentiate them from the old objects.
What's Changed
Full Changelog: v5.5.1...v5.5.2
v5.5.1
v5.5.0
Most notably, this release adds support for a cached version of the attack_data repo that is usable during validate and test operations.
This offers a number of distinct advantages in terms of runtime performance and up-front error checking:
- Previously, if attack_data links were incorrect (for example, they linked to http/s files that do not exist), testing would fail at test runtime rather than at validation time.
- Downloading files sometimes fails due to rate limiting from GitHub.
- Attack Data files may be very large (hundreds of MB), and the https://media.githubusercontent endpoint does not compress these files (as it assumes they are media and, thus, already highly compressed).
- The same attack data file is often downloaded multiple times if it is used by multiple detections.
A cache of the https://github.com/splunk/attack_data repo is now hosted and available, compressed with zstd, at https://attack-range-attack-data.s3.us-west-2.amazonaws.com/attack_data.tar.zstd. This cache is updated whenever new attack data is merged into the master branch.
This archive includes all of the data in attack_data/datasets and is only ~215MB, a significant improvement over the uncompressed size of all attack data today (about 10GB).
To begin using this data during validation or testing, check out the helptext here:
https://github.com/splunk/contentctl/blob/2b633b6207d028f40908b8d7a618544aaa3876ce/contentctl/objects/config.py#L283-L293
Note that running contentctl validate/build/test with the --verbose flag (such as contentctl validate --verbose) enables even more extended validations of your test data during the validation phase, further reducing the chance of a failure to find attack data at runtime.
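Two things a practitioner will want around a downloaded archive like this are a safe unpack (members that would land outside the cache directory, or symlinks that point outside it, must be rejected before extraction) and a validation-time lookup that fails fast when a detection's attack data URL has no counterpart in the cache. The following is an added example written for these notes, not contentctl's own implementation. It assumes, without confirmation from the release notes, that the path after "/datasets/" in an attack data URL matches the path under attack_data/datasets/ inside the archive, and it works on a constructed in-memory tar rather than the real zstd archive (decompress that first, for example with the third-party zstandard package, and pass the resulting tar bytes to extract_cache):

```python
import io
import os
import tarfile
import tempfile

DATASETS_MARKER = "/datasets/"  # assumed URL/archive layout, see lead-in


def build_sample_archive() -> bytes:
    """Constructed stand-in for attack_data.tar.zstd (already decompressed).

    Contains two dataset files plus two hostile members that a naive
    extractall() would happily write outside the cache directory.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in [
            ("attack_data/datasets/attack_techniques/T1003.001/windows-sysmon.log",
             b"constructed sample log line 1\n"),
            ("attack_data/datasets/attack_techniques/T1059.001/powershell.log",
             b"constructed sample log line 2\n"),
            ("../../outside.txt", b"path traversal via '..' in member name\n"),
        ]:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
        link = tarfile.TarInfo("attack_data/datasets/escape")
        link.type = tarfile.SYMTYPE
        link.linkname = "/etc/passwd"  # absolute symlink target, also hostile
        tar.addfile(link)
    return buf.getvalue()


def _inside(dest: str, path: str) -> bool:
    """True if dest/path resolves to a location under dest."""
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, path))
    return os.path.commonpath([dest_real, target]) == dest_real


def safe_members(tar: tarfile.TarFile, dest: str):
    """Split archive members into (safe, rejected_names)."""
    safe, rejected = [], []
    for m in tar.getmembers():
        if os.path.isabs(m.name) or not _inside(dest, m.name):
            rejected.append(m.name)  # absolute path or '..' escape
        elif m.issym() or m.islnk():
            # Symlink targets are relative to the member's directory;
            # hardlink targets are relative to the archive root.
            base = os.path.dirname(m.name) if m.issym() else ""
            if os.path.isabs(m.linkname) or not _inside(dest, os.path.join(base, m.linkname)):
                rejected.append(m.name)
            else:
                safe.append(m)
        elif m.isfile() or m.isdir():
            safe.append(m)
        else:
            rejected.append(m.name)  # devices, fifos: never needed for log data
    return safe, sorted(rejected)


def extract_cache(archive: bytes, dest: str):
    """Unpack only safe members into dest; return (extracted files, rejected names)."""
    os.makedirs(dest, exist_ok=True)
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        safe, rejected = safe_members(tar, dest)
        # On Python 3.12+ additionally apply the stdlib 'data' filter.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, members=safe, **kwargs)
    return sorted(m.name for m in safe if m.isfile()), rejected


def resolve_attack_data(url: str, cache_dir: str):
    """Map an attack data URL to its cached file, or None if absent."""
    idx = url.find(DATASETS_MARKER)
    if idx == -1:
        return None
    rel = url[idx + len(DATASETS_MARKER):]
    rel_local = os.path.join("attack_data", "datasets", *rel.split("/"))
    if not _inside(cache_dir, rel_local):
        return None  # '..' in a URL path must not walk out of the cache
    local = os.path.join(cache_dir, rel_local)
    return local if os.path.isfile(local) else None


def missing_attack_data(urls, cache_dir: str):
    """URLs with no cached file: report these at validation time, not test time."""
    return [u for u in urls if resolve_attack_data(u, cache_dir) is None]


def run_demo():
    """Extract the constructed archive into a temp dir and check two URLs."""
    cache = tempfile.mkdtemp(prefix="attack_data_cache_")
    extracted, rejected = extract_cache(build_sample_archive(), cache)
    base = "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/"
    present = base + "attack_techniques/T1003.001/windows-sysmon.log"
    absent = base + "attack_techniques/T9999/does-not-exist.log"
    return {
        "extracted": extracted,
        "rejected": rejected,
        "resolved": resolve_attack_data(present, cache) is not None,
        "missing": missing_attack_data([present, absent], cache),
        "absent_url": absent,
    }
```

Rejecting rather than sanitising hostile members keeps the failure loud: a cache that silently drops entries would surface later as a confusing "attack data not found" at test time, which is exactly the class of late failure this release is meant to remove.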
What's Changed
- detection_Type and _entities conf file updates by @pyth0n1c in #404
- Enable Attack Data Download before Test by @pyth0n1c in #392
Full Changelog: v5.4.1...v5.5.0
v5.4.1
This includes a small fix where certain types of validation errors could be clobbered and not appear on the command line. In particular, validation errors in the "tests" section of a Detection could fail to appear.
This issue has now been fixed (however, these errors lack formatting as elegant as most of the other errors).
Overall, errors are still much easier to read than they were before.
What's Changed
- Update setuptools requirement from >=69.5.1,<79.0.0 to >=69.5.1,<81.0.0 by @dependabot in #401
- New error printout generic case by @pyth0n1c in #403
Full Changelog: v5.4.0...v5.4.1