v5.5.14

What's Changed

• Pinning setuptools by @ljstella in #470

Full Changelog: v5.5.13...v5.5.14

v5.5.13

What's Changed

• Hotfix: filtering FBDs from CMS validation by @cmcginley-splunk in #466

Full Changelog: v5.5.12...v5.5.13

v5.5.12

What's Changed

• Move default stanza outside of detections section by @ljstella in #465

Full Changelog: v5.5.11...v5.5.12

v5.5.11

What's Changed

• Default Stanza to prevent issues post-search-removal by @ljstella in #421

Full Changelog: v5.5.10...v5.5.11

v5.5.10

contentctl v5.5.10 Release Notes

Overview

contentctl v5.5.10 introduces support for Findings-Based Detections (FBDs), enhanced KVStore versioning validation for Splunk Enterprise Security 8.3+, and improved integration testing reliability. This release focuses on expanding deployment capabilities and strengthening version management workflows.

What's New

Findings-Based Detection (FBD) Support

• New: Added FBD configuration output generation to support Findings-Based Detections in Splunk
• Enhancement: Created dedicated Jinja2 template (savedsearches_fbds.j2) for FBD stanza generation
• Integration: FBDs are now included in the build process and packaged into Splunk apps
• Files modified: contentctl/output/conf_output.py:59, contentctl/actions/build.py:1

KVStore Versioning & Validation Enhancements

• New: ES version detection to determine appropriate versioning method (KVStore for ES 8.3+, index-based for ES 8.0-8.2)
• New: CMSEvent model for structured parsing and validation of content versioning events
• New: Version-based validation endpoint to confirm versioning is active before deployment
• Enhancement: Updated search queries to use cms_content_lookup for ES 8.3+ KVStore-based versioning
• Enhancement: Improved error messages for versioning validation failures
• Refactor: Streamlined versioning activation workflow for ES 8.3+ compatibility
• Primary file: contentctl/objects/content_versioning_service.py (+216 lines, major enhancements)

Testing & Quality Improvements

• Fix: Adjusted integration test time windows to use full time ranges, improving test reliability and reducing flaky test failures
• Files modified: contentctl/objects/correlation_search.py:4

Technical Details

Modified Components

• contentctl/actions/build.py - Integrated FBD output generation
• contentctl/objects/content_versioning_service.py - Major versioning overhaul (216+ line changes)
• contentctl/objects/correlation_search.py - Time range fixes
• contentctl/output/conf_output.py - FBD configuration generation (+59 lines)
• contentctl/output/templates/savedsearches_fbds.j2 - New FBD template

Breaking Changes

None.

Contributors

• Casey McGinley (@cmcginley)
• Xiaonan Qi (@xqi)

---

Full Changelog: v5.5.9...v5.5.10

v5.5.9

What's Changed

• Ruff tweaks by @ljstella in #434
• Bump actions/checkout from 4 to 5 by @dependabot[bot] in #435
• Add new options to enums for playbooks by @ljstella in #441

Full Changelog: v5.5.8...v5.5.9

v5.5.8

With these changes, integration testing can run much faster!
This also fixes a "bug" related to capitalization of datasources in the escu analytic onboarding assistant.
We also update our ruff configs and some dependencies.

What's Changed

• Pex 552/on demand detection triggers by @pyth0n1c in #416
• remove "yml" from playbook release notes by @patel-bhavin in #426
• Make data_sources lookup case insensitive by @ljstella in #429
• Bumping Ruff version by @ljstella in #411
• Bump the verisons of requests and setuptools to latest. by @pyth0n1c in #432

Full Changelog: v5.5.7...v5.5.8

v5.5.7

Minor update to Playbooks type

What's Changed

• Add additional use cases and missing D3FEND techniques by @ccl0utier in #418

New Contributors

• @ccl0utier made their first contribution in #418

Full Changelog: v5.5.6...v5.5.7

v5.5.6

Generate MITRE Attack Output layer.
Fix a bug intrdocued in tyro v0.0.9.23 where if an extremely large number of files (greater than 530 or so) are passed to mode:selected --mode.files ..., the command line parser crashes.

What's Changed

• Bump MITRE ATT&CK version in output layer by @ljstella in #417
• Update pyproject.toml by @pyth0n1c in #419

Full Changelog: v5.5.5...v5.5.6

v5.5.5

Added some "allowed macros" to validation because they exist in Enterprise Security.

What's Changed

• Adding new macro & lookup exceptions by @ljstella in #415

Full Changelog: v5.5.4...v5.5.5