v5.5.10

contentctl v5.5.10 Release Notes

Overview

contentctl v5.5.10 introduces support for Findings-Based Detections (FBDs), enhanced KVStore versioning validation for Splunk Enterprise Security 8.3+, and improved integration testing reliability. This release focuses on expanding deployment capabilities and strengthening version management workflows.

What's New

Findings-Based Detection (FBD) Support

• New: Added FBD configuration output generation to support Findings-Based Detections in Splunk
• Enhancement: Created dedicated Jinja2 template (savedsearches_fbds.j2) for FBD stanza generation
• Integration: FBDs are now included in the build process and packaged into Splunk apps
• Files modified: contentctl/output/conf_output.py:59, contentctl/actions/build.py:1

KVStore Versioning & Validation Enhancements

• New: ES version detection to determine appropriate versioning method (KVStore for ES 8.3+, index-based for ES 8.0-8.2)
• New: CMSEvent model for structured parsing and validation of content versioning events
• New: Version-based validation endpoint to confirm versioning is active before deployment
• Enhancement: Updated search queries to use cms_content_lookup for ES 8.3+ KVStore-based versioning
• Enhancement: Improved error messages for versioning validation failures
• Refactor: Streamlined versioning activation workflow for ES 8.3+ compatibility
• Primary file: contentctl/objects/content_versioning_service.py (+216 lines, major enhancements)

Testing & Quality Improvements

• Fix: Adjusted integration test time windows to use full time ranges, improving test reliability and reducing flaky test failures
• Files modified: contentctl/objects/correlation_search.py:4

Technical Details

Modified Components

• contentctl/actions/build.py - Integrated FBD output generation
• contentctl/objects/content_versioning_service.py - Major versioning overhaul (216+ line changes)
• contentctl/objects/correlation_search.py - Time range fixes
• contentctl/output/conf_output.py - FBD configuration generation (+59 lines)
• contentctl/output/templates/savedsearches_fbds.j2 - New FBD template

Breaking Changes

None.

Contributors

• Casey McGinley (@cmcginley)
• Xiaonan Qi (@xqi)

---

Full Changelog: v5.5.9...v5.5.10

v5.5.9

What's Changed

• Ruff tweaks by @ljstella in #434
• Bump actions/checkout from 4 to 5 by @dependabot[bot] in #435
• Add new options to enums for playbooks by @ljstella in #441

Full Changelog: v5.5.8...v5.5.9

v5.5.8

With these changes, integration testing can run much faster!
This also fixes a "bug" related to capitalization of datasources in the escu analytic onboarding assistant.
We also update our ruff configs and some dependencies.

What's Changed

• Pex 552/on demand detection triggers by @pyth0n1c in #416
• remove "yml" from playbook release notes by @patel-bhavin in #426
• Make data_sources lookup case insensitive by @ljstella in #429
• Bumping Ruff version by @ljstella in #411
• Bump the verisons of requests and setuptools to latest. by @pyth0n1c in #432

Full Changelog: v5.5.7...v5.5.8

v5.5.7

Minor update to Playbooks type

What's Changed

• Add additional use cases and missing D3FEND techniques by @ccl0utier in #418

New Contributors

• @ccl0utier made their first contribution in #418

Full Changelog: v5.5.6...v5.5.7

v5.5.6

Generate MITRE Attack Output layer.
Fix a bug intrdocued in tyro v0.0.9.23 where if an extremely large number of files (greater than 530 or so) are passed to mode:selected --mode.files ..., the command line parser crashes.

What's Changed

• Bump MITRE ATT&CK version in output layer by @ljstella in #417
• Update pyproject.toml by @pyth0n1c in #419

Full Changelog: v5.5.5...v5.5.6

v5.5.5

Added some "allowed macros" to validation because they exist in Enterprise Security.

What's Changed

• Adding new macro & lookup exceptions by @ljstella in #415

Full Changelog: v5.5.4...v5.5.5

v5.5.4

contentctl report has been updated to output MITRE Attack Navigator in the 5.1.0 format.

What's Changed

• TR-3506 MITRE MAP Update by @josehelps in #413

Full Changelog: v5.5.3...v5.5.4

v5.5.3

What's Changed

• Catch duplicate analytic stories and other mapped content by @pyth0n1c in #410

Full Changelog: v5.5.2...v5.5.3

v5.5.2

This just bumps the names of the objects generated in dist/api to end in _v2. This is because the detection schema changed slightly, so we want to differentiate them from the old objects.

What's Changed

• Bump api to v2 by @pyth0n1c in #408

Full Changelog: v5.5.1...v5.5.2

v5.5.1

Minor typing changes to a field from str to int

What's Changed

• Risk from str to int by @pyth0n1c in #406

Full Changelog: v5.5.0...v5.5.1