
Add custom annotation for versioning

Open TheLawsOfChaos opened this issue 1 year ago • 3 comments

Is your feature request related to a problem? Please describe.
Near impossible without manual validation to compare updated correlation searches to existing ones.

Describe the solution you'd like
Add custom annotation of either version number last updated in, or date last updated.

Describe alternatives you've considered
N/A

Additional context
By putting in the date the search was updated, or what release version it was last updated in, people using ESCU can compare it vs their local copies to ensure capturing updates. This came up when I noticed a certain query was missing a field, but then checked the repo and that exact search had that field added to the query in a release. As I'm public sector, my instance is not internet-connected, so it's harder to ensure running the latest ESCU version. Versioning baked into the correlation search would help tremendously.

TheLawsOfChaos, Oct 31 '23 15:10

We do have a detection version. I believe we can pass this as an annotation into the Splunk savedsearches.conf file. Will this help?

josehelps, Jan 24 '24 02:01

For example: https://github.com/splunk/security_content/blob/develop/detections/endpoint/detect_excessive_account_lockouts_from_endpoint.yml#L3

josehelps, Jan 24 '24 02:01

@josehelps Yeah, the version in the .yml is great, but please make it an annotation! Would love to be able to update the ESCU app, then have a scheduled search to compare the ESCU version vs the cloned custom version in my own app (to see if I need to update how I cloned it).

TheLawsOfChaos, Jan 24 '24 04:01

Hi @TheLawsOfChaos ! This was just added as an annotation in contentctl: https://github.com/splunk/contentctl/pull/132

It should now be available if you install contentctl via source from poetry. We will do a new contentctl release in the coming days. Because it is in contentctl, it will also make it into the savedsearches.conf file in the next release of ESCU.

As such, I am closing this issue, but feel free to reopen if you have any questions/thoughts!

pyth0n1c, Apr 23 '24 21:04
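Added example (not code from the security_content or contentctl projects) of the comparison TheLawsOfChaos asks for above: parse the savedsearches.conf shipped in the ESCU app and the one in a custom app, read each correlation search's annotations, and flag cloned searches whose version lags the ESCU copy. The conf stanzas are constructed, and the `version` key inside the annotations JSON is an assumed name, since the thread does not state which key contentctl writes.

```python
import configparser
import json

# Constructed sample savedsearches.conf fragments (not real ESCU content): one stanza as
# shipped in the ESCU app, one cloned into a custom app before the upstream update.
# The "version" key inside the annotations JSON is an assumption about what contentctl
# emits; use whatever key the installed ESCU release actually writes.
ESCU_CONF = """
[ESCU - Detect Excessive Account Lockouts From Endpoint - Rule]
search = `wineventlog_security` EventCode=4740 | stats count by user src
action.correlationsearch.annotations = {"analytic_story": ["Account Monitoring and Controls"], "version": 4}
"""

LOCAL_CONF = """
[Custom - Detect Excessive Account Lockouts From Endpoint - Rule]
search = `wineventlog_security` EventCode=4740 | stats count by user
action.correlationsearch.annotations = {"analytic_story": ["Account Monitoring and Controls"], "version": 3}
"""

def load_versions(conf_text, version_key="version"):
    """Map each stanza (app prefix stripped) to the version in its annotations, or None."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as written in savedsearches.conf
    cp.read_string(conf_text)
    versions = {}
    for stanza in cp.sections():
        name = stanza.split(" - ", 1)[1] if " - " in stanza else stanza
        raw = cp[stanza].get("action.correlationsearch.annotations")
        try:
            versions[name] = json.loads(raw).get(version_key) if raw else None
        except json.JSONDecodeError:
            versions[name] = None  # malformed annotation: treat as unversioned
    return versions

def stale_clones(escu_conf, local_conf):
    """Return {name: (local_version, escu_version)} for clones lagging ESCU or lacking a version."""
    escu, local = load_versions(escu_conf), load_versions(local_conf)
    report = {}
    for name, local_ver in local.items():
        escu_ver = escu.get(name)
        if escu_ver is None:
            continue  # not derived from an ESCU detection, nothing to compare
        if local_ver is None or local_ver < escu_ver:
            report[name] = (local_ver, escu_ver)
    return report

if __name__ == "__main__":
    for name, (have, want) in stale_clones(ESCU_CONF, LOCAL_CONF).items():
        print(f"{name}: local clone at version {have}, ESCU ships version {want}")
```

Point the two inputs at `etc/apps/DA-ESS-ContentUpdate/default/savedsearches.conf` and your custom app's savedsearches.conf (or at the output of a `| rest /services/saved/searches` pull) to run it against a real deployment.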