
Releases: splunk/contentctl

v4.1.3

12 Jul 20:48
861a475

This patch release includes a single PR that fixes an issue with the generation of the detections.json API file.
Please see this PR for details: #188

v4.1.2

10 Jul 23:19
bccb33e

This release includes:

  1. Bug fix to how mode:changes works. Modified content could be missed when the path to that content contained the substring "dist": #187
  2. Preliminary support for data_source objects! These do not make it into files that are produced by contentctl build yet, but stay tuned for how these objects will be used and integrated more tightly! #180
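The bug in item 1 is a path-filtering mistake worth seeing concretely. The following is an added illustration, not contentctl's own code: it assumes the build output lives in a dist/ directory at the repository root and compares a substring filter with one that checks the top-level path component, over a constructed list of changed files.

```python
from pathlib import Path

# Constructed list of changed files, the kind of list a "what changed versus
# the main branch" mode must filter before validating or testing content.
# Three paths contain the substring "dist"; only one is actually build output.
CHANGED_FILES = [
    "detections/endpoint/distributed_com_abuse.yml",             # real content
    "stories/redistribution_of_stolen_data.yml",                 # real content
    "dist/my_app/default/savedsearches.conf",                    # build output, skip it
    "detections/cloud/aws_console_login_from_new_country.yml",
    "macros/security_content_ctime.yml",
]


def changed_content_substring(paths):
    """Buggy filter: any path that merely contains 'dist' is dropped, so the
    two real detections above are silently never validated or tested."""
    return [p for p in paths if "dist" not in p]


def changed_content_by_component(paths, build_dir="dist"):
    """Corrected filter: drop a file only when its top-level directory is the
    build output directory (assumed here to be dist/ at the repository root)."""
    kept = []
    for p in paths:
        parts = Path(p).parts
        if parts and parts[0] == build_dir:
            continue
        kept.append(p)
    return kept


def silently_skipped(paths):
    """Content the substring filter drops that the component filter keeps."""
    return sorted(set(changed_content_by_component(paths)) - set(changed_content_substring(paths)))


if __name__ == "__main__":
    for p in silently_skipped(CHANGED_FILES):
        print("missed by substring filter:", p)
```

The failure mode matters for a content repository: a detection whose path happens to contain "dist" would be excluded from testing in changes mode and could ship without its tests ever running.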

v4.1.1

09 Jul 21:01
93d689c

This is a small update which ensures that even if no detections are tested, a test_results/summary.yml file is still created.
This is important so that we still have a record of the test run.

v4.1.0

02 Jul 19:29
904ed46

This includes a number of updates:

  • a new workflow is included that tests contentctl by ensuring that the github.com/splunk/security_content repo builds correctly with contentctl build, without errors. Since that content should all be "correct", this is a good end-to-end test of the contentctl tool.
  • a simple API is included so that objects can be parsed and loaded, and tests run, without going through the command line interface.
  • API Deploy functionality, which was experimental and allowed individual pieces of content to be deployed to an on-premises instance using the Splunk REST API, has been removed. This is because it ONLY supported deploying searches and macros. Since other content, such as lookups or stories, could not be deployed, we could not guarantee that deployed content would work as expected. This may be recreated with more robust, scalable support at a later date, as it is a popular user request.
  • Improved the contentctl new workflow to fix errors and ensure that fields are written in the correct order.
  • "CVE Enrichment" now only populates the url field of the CVE. This links directly to the relevant NIST page and keeps site build times fast. It also avoids the CVESearch tool (and the circl.lu API behind it, which is frequently down or has extremely slow, multi-minute response times).
  • Better filter_macro validation, and detection of macros that are used in searches but missing from the macros/ folder.
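The last item describes two checks that are easy to get wrong and cheap to do at validation time: every macro a search invokes must exist, and the detection's own filter macro must be used correctly. The following is an added example, not contentctl's code. It assumes a macro is identified by (name, argument count) as in macros.conf, that a detection's filter macro is named from a lower-cased, underscore-joined form of the detection name plus "_filter", and that this filter macro is generated at build time rather than stored in macros/; the detection and macro set are constructed.

```python
import re

# A macro invocation in SPL is `name` or `name(arg1, arg2)` between backticks.
MACRO_RE = re.compile(r"`\s*([A-Za-z_][A-Za-z0-9_]*)\s*(?:\((.*?)\))?\s*`")

# Constructed stand-in for the macros/ folder: (name, argument count) of each
# defined macro, the shape Splunk itself uses to resolve `foo(1)` in macros.conf.
DEFINED_MACROS = {
    ("security_content_ctime", 1),
    ("security_content_summariesonly", 0),
    ("sysmon", 0),
}

# Constructed detection. Its search uses one macro with no definition above.
DETECTION_NAME = "Suspicious Reg exe Credential Dump"
SEARCH = (
    "`sysmon` EventCode=1 process_name=reg.exe "
    "| stats count min(_time) as firstTime max(_time) as lastTime by dest user "
    "| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` "
    "| `drop_dm_object_name(Processes)` "
    "| `suspicious_reg_exe_credential_dump_filter`"
)


def detection_slug(name):
    """Lower-case the detection name and join its words with underscores
    (assumed approximation of how contentctl names a detection's filter macro)."""
    return "_".join(re.findall(r"[a-z0-9]+", name.lower()))


def macros_in_search(search):
    """Return the set of (macro_name, argument_count) invoked in an SPL search.
    Arguments are split on commas, which is enough for content-style macros."""
    found = set()
    for name, args in MACRO_RE.findall(search):
        argc = len([a for a in args.split(",") if a.strip()]) if args else 0
        found.add((name, argc))
    return found


def missing_macros(detection_name, search, defined=DEFINED_MACROS):
    """Macros the search invokes that have no definition, ignoring the
    detection's own `<slug>_filter` macro, which is generated at build time
    (assumed convention, so it is never expected in macros/)."""
    own_filter = detection_slug(detection_name) + "_filter"
    return sorted(m for m in macros_in_search(search) if m not in defined and m[0] != own_filter)


def filter_macro_problems(detection_name, search):
    """Filter-macro convention checks: the search must end with the detection's
    own filter macro and must not invoke any other *_filter macro."""
    expected = detection_slug(detection_name) + "_filter"
    problems = []
    if not re.search(r"`\s*" + re.escape(expected) + r"\s*`\s*$", search):
        problems.append(f"search does not end with `{expected}`")
    names = {name for name, _ in macros_in_search(search)}
    for other in sorted(n for n in names if n.endswith("_filter") and n != expected):
        problems.append(f"unexpected filter macro `{other}`")
    return problems


if __name__ == "__main__":
    print("missing:", missing_macros(DETECTION_NAME, SEARCH))
    print("filter problems:", filter_macro_problems(DETECTION_NAME, SEARCH))
```

Catching a missing macro here is the difference between a validation error in seconds and a correlation search that silently fails to run once deployed to Splunk.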

v4.0.5

12 Jun 16:06
d94aa7b

This release fixes a number of issues with:

  • The directories automatically created during contentctl init
  • The questions asked to create new detections and stories using contentctl new

Thank you to @ljstella for the PR which fixed these issues: #162

v4.0.4

07 Jun 16:36
1b7470c

This release contains a minor update for how SSA files are generated for the BA platform.
It only affects internal Splunk Content and should not affect content written by other users.

v4.0.3

28 May 17:41
1f244c2

This release bumps several dependencies to newer versions.

Full Changelog: v4.0.2...v4.0.3

v4.0.2

14 May 16:27
a169fee

This release fixes spacing issues that could appear in savedsearches.conf or es_investigations.conf and result in failed parsing of certain stanzas, and in failures/errors when running btool.
This issue was initially reported by a customer. Thank you to them for their feedback!

v4.0.1

07 May 02:00
3505a8f

Support for the upcoming Enterprise Security

  • Added support for an upcoming Enterprise Security release, including the action.correlationsearch.metadata field carrying the detection's version, date, and other relevant information.

Improved Validation and Performance

  • Upgraded to Pydantic v2 for enhanced object validation of detections, stories, lookups, and other content.
  • Leveraged newer Pydantic field validation to introduce strongly typed content fields, replacing loosely typed string references.
  • Moved many checks from runtime to validation time, allowing for faster error detection (about 3 seconds instead of a 1-2 hour wait for the failure).
  • Implemented Atomic (Atomic Red Team) GUID validation and support for detection tests.
  • Added strict checks for risk and threat object configuration, including type, allowed fields, and mandatory victim definition.
  • Introduced notable and risk message validation at runtime, when Enterprise Security triggers the detection.
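The strict risk and threat object checks mentioned above are the kind of rule that is best expressed as a small validator. The following is an added example, not contentctl's own validator, and the vocabularies it uses are assumptions: observables carry a "Victim" or "Attacker" role, a Victim (risk object) must have type user, system or other, an Attacker (threat object) must have one of the listed indicator types, only the fields name, type and role are permitted, and at least one Victim is mandatory. The observable lists are constructed.

```python
# Assumed vocabularies (not from the release notes): the roles content
# assigns to observables and the types Enterprise Security accepts for risk
# objects (the victim) and threat objects (the attacker indicator).
VICTIM_ROLE = "Victim"
ATTACKER_ROLE = "Attacker"
RISK_OBJECT_TYPES = {"user", "system", "other"}
THREAT_OBJECT_TYPES = {
    "process_name", "process", "parent_process_name", "parent_process",
    "file_name", "file_hash", "ip_address", "url", "domain", "command_line",
    "registry_path", "registry_value_name", "service", "email_address",
}
ALLOWED_FIELDS = {"name", "type", "role"}

# Constructed observable lists as they might appear under a detection's tags.
GOOD_OBSERVABLES = [
    {"name": "user", "type": "user", "role": ["Victim"]},
    {"name": "dest", "type": "system", "role": ["Victim"]},
    {"name": "process_name", "type": "process_name", "role": ["Attacker"]},
]
BAD_OBSERVABLES = [
    {"name": "process_name", "type": "process_name", "role": ["Attacker"]},
    # wrong type for an attacker, an unknown field, and no Victim anywhere
    {"name": "src", "type": "system", "role": ["Attacker"], "severity": "high"},
]


def validate_observables(observables):
    """Return a list of validation errors (empty when the configuration is
    acceptable). Enforces: only known fields, a type allowed for each role,
    and at least one Victim so a risk object can be created."""
    errors = []
    saw_victim = False
    for i, obs in enumerate(observables):
        where = f"observable[{i}]"
        extra = set(obs) - ALLOWED_FIELDS
        if extra:
            errors.append(f"{where}: unexpected field(s) {sorted(extra)}")
        missing = ALLOWED_FIELDS - set(obs)
        if missing:
            errors.append(f"{where}: missing field(s) {sorted(missing)}")
            continue
        roles = obs["role"] if isinstance(obs["role"], list) else [obs["role"]]
        for role in roles:
            if role == VICTIM_ROLE:
                saw_victim = True
                if obs["type"] not in RISK_OBJECT_TYPES:
                    errors.append(f"{where}: Victim type {obs['type']!r} is not a risk object type")
            elif role == ATTACKER_ROLE:
                if obs["type"] not in THREAT_OBJECT_TYPES:
                    errors.append(f"{where}: Attacker type {obs['type']!r} is not a threat object type")
            else:
                errors.append(f"{where}: unknown role {role!r}")
    if not saw_victim:
        errors.append("no observable has the Victim role, so the detection cannot create a risk object")
    return errors


if __name__ == "__main__":
    for err in validate_observables(BAD_OBSERVABLES):
        print(err)
```

Collecting every error rather than stopping at the first one is deliberate: an author fixing a detection wants the full list from one validation pass, not one finding per multi-minute run.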

Bug Fixes and Consistency Improvements

  • Resolved inconsistencies between file names and detection names by enforcing the mapping programmatically.
  • Fixed broken references to analytic stories and detections that were mistyped or no longer existed.
  • Ensured all detections create correct risk and threat objects, addressing previous bugs.
  • Removed the use of backslash line continuations for new lines in the detection description, fixing rendering issues and eliminating the need for escape characters (\).

Code Cleanup and Optimization

  • Cleaned out old, duplicated code.
  • Significantly improved execution speed across all content workflows, including validation and build generation.

Developer Experience Enhancements

  • Upgraded to Python 3.12 for improved performance and compatibility.
  • Added an app template folder for customization of the app generated by contentctl init, allowing users to add their own images, dashboards, panels, etc.
  • Improved command line ergonomics and documentation for a better developer experience.

Miscellaneous Updates

  • Improved release notes generation for easier tracking of changes between versions.

These updates aim to enhance the overall functionality, performance, and user experience of Contentctl, while addressing bugs and inconsistencies present in previous versions.

v3.6.0

23 Apr 21:34
b14038b

This version includes a small change that writes additional information to savedsearches.conf.
The file now includes a metadata field showing:

  1. Whether or not a detection is deprecated
  2. The current version of the detection
  3. The UUID of the detection.
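Because this metadata lands in savedsearches.conf as a JSON value, anyone auditing a deployed app (which detections are deprecated, which version of each is installed, which UUIDs are present) can read it straight from the conf file. This is an added example that also covers the Enterprise Security metadata field described in the v4.0.1 notes; it is not contentctl's or Splunk's code. It assumes the key is named action.correlationsearch.metadata and that its JSON carries deprecated, detection_id and detection_version members; the conf excerpt is constructed.

```python
import json

# Key written on each correlation search stanza (name assumed here); its
# value is a JSON object holding the detection's metadata.
METADATA_KEY = "action.correlationsearch.metadata"

# Constructed savedsearches.conf excerpt with two stanzas; the second is a
# deprecated detection. The first search value uses Splunk's trailing-backslash
# line continuation.
SAVEDSEARCHES_CONF = """\
[ESCU - Suspicious Reg exe Credential Dump - Rule]
action.correlationsearch.enabled = 1
action.correlationsearch.label = ESCU - Suspicious Reg exe Credential Dump - Rule
action.correlationsearch.metadata = {"deprecated": false, "detection_id": "0a4a5b6c-1111-4aaa-8bbb-0123456789ab", "detection_version": "3"}
search = `sysmon` EventCode=1 process_name=reg.exe \\
| `suspicious_reg_exe_credential_dump_filter`

[ESCU - Legacy Kerberos Ticket Search - Rule]
action.correlationsearch.enabled = 1
action.correlationsearch.metadata = {"deprecated": true, "detection_id": "9f8e7d6c-2222-4bbb-9ccc-fedcba987654", "detection_version": "7"}
search = index=wineventlog EventCode=4769
"""


def parse_conf(text):
    """Minimal Splunk .conf reader: [stanza] headers, key = value pairs,
    '#' comments and trailing-backslash continuation. Raises on a key that
    appears before any stanza or a non-comment line without '='."""
    logical, buf = [], ""
    for raw in text.splitlines():
        if raw.endswith("\\"):
            buf += raw[:-1] + "\n"
            continue
        logical.append(buf + raw)
        buf = ""
    if buf:
        logical.append(buf)

    stanzas, current = {}, None
    for line in logical:
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.startswith("[") and stripped.endswith("]"):
            current = stripped[1:-1]
            stanzas[current] = {}
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed line: {line!r}")
        key, _, value = line.partition("=")
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def detection_metadata(text):
    """Map each stanza carrying the metadata key to its parsed JSON object."""
    return {
        stanza: json.loads(keys[METADATA_KEY])
        for stanza, keys in parse_conf(text).items()
        if METADATA_KEY in keys
    }


def deprecated_detections(text):
    """Stanza names whose metadata marks the detection deprecated."""
    return sorted(s for s, m in detection_metadata(text).items() if m.get("deprecated") is True)


if __name__ == "__main__":
    for stanza, meta in detection_metadata(SAVEDSEARCHES_CONF).items():
        print(stanza, "->", meta)
    print("deprecated:", deprecated_detections(SAVEDSEARCHES_CONF))
```

The parser raises on a key outside any stanza rather than guessing, which is also how a malformed stanza of the kind fixed in v4.0.2 would surface here instead of failing later in btool.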

The original release notes include two screenshots of the resulting savedsearches.conf entries.

Please see the following link for more detail on the PR:
#132 (comment)