Releases: splunk/contentctl
v5.5.9
v5.5.8
With these changes, integration testing can run much faster!
This also fixes a "bug" related to capitalization of datasources in the escu analytic onboarding assistant.
We also update our ruff configs and some dependencies.
What's Changed
- Pex 552/on demand detection triggers by @pyth0n1c in #416
- remove "yml" from playbook release notes by @patel-bhavin in #426
- Make data_sources lookup case insensitive by @ljstella in #429
- Bumping Ruff version by @ljstella in #411
- Bump the versions of requests and setuptools to latest. by @pyth0n1c in #432
Full Changelog: v5.5.7...v5.5.8
v5.5.7
Minor update to Playbooks type
What's Changed
- Add additional use cases and missing D3FEND techniques by @ccl0utier in #418
New Contributors
- @ccl0utier made their first contribution in #418
Full Changelog: v5.5.6...v5.5.7
v5.5.6
Generate MITRE Attack Output layer.
Fix a bug introduced in tyro v0.0.9.23 where, if an extremely large number of files (greater than 530 or so) is passed to mode:selected --mode.files ..., the command line parser crashes.
What's Changed
- Bump MITRE ATT&CK version in output layer by @ljstella in #417
- Update pyproject.toml by @pyth0n1c in #419
Full Changelog: v5.5.5...v5.5.6
v5.5.5
v5.5.4
contentctl report has been updated to output MITRE Attack Navigator in the 5.1.0 format.
What's Changed
- TR-3506 MITRE MAP Update by @josehelps in #413
Full Changelog: v5.5.3...v5.5.4
v5.5.3
v5.5.2
This just bumps the names of the objects generated in dist/api to end in _v2. This is because the detection schema changed slightly, so we want to differentiate them from the old objects.
What's Changed
Full Changelog: v5.5.1...v5.5.2
v5.5.1
v5.5.0
Most notably, this PR adds support for a cached version of the attack_data repo that is usable during validate and test operations.
This offers a number of distinct advantages in terms of runtime performance and up-front error checking:
- If attack_data links were incorrect (for example, they link to http/s files that do not exist), then testing could fail at test runtime rather than at validation time.
- Downloading files sometimes fails due to rate limiting from GitHub.
- Attack Data files may be very large (hundreds of MB), and the https://media.githubusercontent endpoint does not compress these files (as it assumes they are media and, thus, already highly compressed).
- The same attack data file is often downloaded multiple times if it is used by multiple detections.
A cache of the https://github.com/splunk/attack_data repo is now hosted and available, compressed with zstd at https://attack-range-attack-data.s3.us-west-2.amazonaws.com/attack_data.tar.zstd. This cache is updated whenever new attack data is merged into the master branch.
This archive includes all of the data under attack_data/datasets and is only ~215MB. This makes it a significant improvement over the uncompressed size of all attack data today (about 10GB).
To begin using this data during validation or testing, check out the helptext here:
https://github.com/splunk/contentctl/blob/2b633b6207d028f40908b8d7a618544aaa3876ce/contentctl/objects/config.py#L283-L293
Note that running contentctl validate/build/test with the --verbose flag (for example, contentctl validate --verbose) enables additional, more extensive validation of your test data during the validation phase, further reducing the chance that attack data cannot be found at runtime.
What's Changed
- detection_Type and _entities conf file updates by @pyth0n1c in #404
- Enable Attack Data Download before Test by @pyth0n1c in #392
Full Changelog: v5.4.1...v5.5.0