Contentctl

This fixes a serious problem that caused all integration testing to fail due to an incorrect path used for scheduling a savedsearch.
There may still be some testing issues with this release, but this is definitely more correct than previously.

This supercedes 4.4.2 which had a bug where the version was not updated in pyproject.toml, meaning that the upload to Pypi failed.

What's Changed
* Fix savedsearches path issue by pyth0n1c in https://github.com/splunk/contentctl/pull/316
* remove "cloud" from the security_domain enum by pyth0n1c in https://github.com/splunk/contentctl/pull/314


**Full Changelog**: https://github.com/splunk/contentctl/compare/v4.4.1...v4.4.2

Update CLI release_notes workflow for a bit more control on the branch we diff against to generate those notes. Previously, we could only diff against a tag.

What's Changed
* add --compare_against flag to release_notes action by patel-bhavin in https://github.com/splunk/contentctl/pull/311


**Full Changelog**: https://github.com/splunk/contentctl/compare/v4.4.0...v4.4.1

Most notably, we now include support for

- Dashboard Objects - Dashboards can now be defined as content in the dashboards/ folder after creating a new app! These dashboards should be created in Splunk by creating a Simple XML Dashboard. Go to the "View Source" button when editing your dashboard to extract the JSON that represents that dashboard. Each dashboard is represented by a YML file and this JSON file (the JSON file should have the same name as the YML file. You can see some example dashboards that ESCU ships here: https://github.com/splunk/security_content/tree/develop/dashboards

- Drilldown Searches: Production searches which are NOT `type: Hunting` are now required to have two Drilldown searches. These now render in the Enterprise Security UI and make triaging and investigating your alerts much easier. For some example Drilldowns, please refer here: https://github.com/splunk/contentctl/blob/cfda377c6887e28e02bb1798382ac0070b7983c2/contentctl/templates/detections/endpoint/anomalous_usage_of_7zip.yml#L32-L40

- Throttling/Alert Suppression: In order to avoid too many alerts being generated in a given time frame, we have added support for Throttling/Alert Suppression on a per detection basis. Please refer to the inline documentation here for more information to:https://github.com/splunk/contentctl/blob/main/contentctl/objects/throttling.py . Splunk provides more information about throttling here: https://docs.splunk.com/Documentation/Splunk/9.3.1/Alert/ThrottleAlerts . An example throttling section of your Detection YML, under the "tags" section, looks like:


throttling:
period: 3600s time period to throttle
fields: name,host fields to throttle on


What's Changed
* Allow absent tests for experimental detections by linuxdaemon in https://github.com/splunk/contentctl/pull/36
* Update new content generator with new formats by linuxdaemon in https://github.com/splunk/contentctl/pull/44
* Handle stopped containers in testing by linuxdaemon in https://github.com/splunk/contentctl/pull/42
* Customer prs 1 by pyth0n1c in https://github.com/splunk/contentctl/pull/86
* Fix error on missing roles by pyth0n1c in https://github.com/splunk/contentctl/pull/190
* Add fields as requested by pyth0n1c in https://github.com/splunk/contentctl/pull/169
* Add UI dispatch app by pyth0n1c in https://github.com/splunk/contentctl/pull/145
* Update setuptools requirement from >=69.5.1,<71.0.0 to >=69.5.1,<72.0.0 by dependabot in https://github.com/splunk/contentctl/pull/196
* Handling when a user does not answer one of the questions by yaleman in https://github.com/splunk/contentctl/pull/189
* Update setuptools requirement from >=69.5.1,<71.0.0 to >=69.5.1,<72.0.0 by dependabot in https://github.com/splunk/contentctl/pull/202
* Update setuptools requirement from >=69.5.1,<71.0.0 to >=69.5.1,<72.0.0 by dependabot in https://github.com/splunk/contentctl/pull/205
* Handling the case where there are no tests by yaleman in https://github.com/splunk/contentctl/pull/198
* No tests fix by pyth0n1c in https://github.com/splunk/contentctl/pull/207
* Update setuptools requirement from >=69.5.1,<71.0.0 to >=69.5.1,<73.0.0 by dependabot in https://github.com/splunk/contentctl/pull/209
* Add Alert Suppression (throttling) support to detections by pyth0n1c in https://github.com/splunk/contentctl/pull/192
* Dashboard Support by pyth0n1c in https://github.com/splunk/contentctl/pull/147
* Fix name length by pyth0n1c in https://github.com/splunk/contentctl/pull/213
* improve output of risk severity field. by pyth0n1c in https://github.com/splunk/contentctl/pull/191
* contentctl v4.4.0 by pyth0n1c in https://github.com/splunk/contentctl/pull/179
* Ryanplasma add explanation by pyth0n1c in https://github.com/splunk/contentctl/pull/296
* Add type_list to annotations by pyth0n1c in https://github.com/splunk/contentctl/pull/293
* Fix datasource in contentctl new by pyth0n1c in https://github.com/splunk/contentctl/pull/297
* Optionally suppress missing detections during metadata validation by pyth0n1c in https://github.com/splunk/contentctl/pull/305
* Update xmltodict requirement from ^0.13.0 to >=0.13,<0.15 by dependabot in https://github.com/splunk/contentctl/pull/304
* Exception on malformatted unit tests in YMLs by pyth0n1c in https://github.com/splunk/contentctl/pull/300
* Refactoring for formatting and some logical error correction by cmcginley-splunk in https://github.com/splunk/contentctl/pull/308
* Mathieugonzales: replace deprecated pydantic validators by pyth0n1c in https://github.com/splunk/contentctl/pull/298
* Drilldown Support by pyth0n1c in https://github.com/splunk/contentctl/pull/256
* Allow testing with the default or custom_index by ax-hsmith in https://github.com/splunk/contentctl/pull/307
* Add more custom indexes by pyth0n1c in https://github.com/splunk/contentctl/pull/309

New Contributors
* yaleman made their first contribution in https://github.com/splunk/contentctl/pull/189
* ax-hsmith made their first contribution in https://github.com/splunk/contentctl/pull/307

**Full Changelog**: https://github.com/splunk/contentctl/compare/v4.3.5...v4.4.0

In addition to some cleanup, this release includes two significant features:
1. Versioning enforcement has been added to that when a Detection is updated in a new release, its `version` field MUST be updated. This is important so that applications built with contentctl can take advantage of Splunk Enterprise Security 8's "Detection Versioning" feature! This enforcement has been added to the `inspect` workflow.
2. The `enrichments` workflow has changed, When building with `enrichments`, both the Atomic Red Team and Mitre CTI repos must be checked out. This update was made because it results in faster builds (when enrichments are enabled) and more stable and reliable builds using the Mitre CTI repo. We previously used the MITRE TAXII server, which is accessed via API in the `attackcti` client, but that API was _frequently_ down, making us unable to build/test/release ESCU.

What's Changed
* Removal of more bits of SSA by ljstella in https://github.com/splunk/contentctl/pull/255
* Fix unintended whitespace by pyth0n1c in https://github.com/splunk/contentctl/pull/278
* Update bottle requirement from ^0.12.25 to >=0.12.25,<0.14.0 by dependabot in https://github.com/splunk/contentctl/pull/277
* Bareinit by pyth0n1c in https://github.com/splunk/contentctl/pull/288
* Update setuptools requirement from >=69.5.1,<75.0.0 to >=69.5.1,<76.0.0 by dependabot in https://github.com/splunk/contentctl/pull/290
* Feature: Adding version enforcement by cmcginley-splunk in https://github.com/splunk/contentctl/pull/280
* Require mitre/cti repo for enrichments by pyth0n1c in https://github.com/splunk/contentctl/pull/291


**Full Changelog**: https://github.com/splunk/contentctl/compare/v4.3.4...v4.3.5

This PR includes extended support for ensuring that the appropriate Risk and Observable objects are created. See the PR linked below for more details.
There are also some small validation fixes around validating MITRE ID formats.

What's Changed
* Abstract Commonly Used Annotated Type Definitions by pyth0n1c in https://github.com/splunk/contentctl/pull/271
* Update setuptools requirement from >=69.5.1,<74.0.0 to >=69.5.1,<75.0.0 by dependabot in https://github.com/splunk/contentctl/pull/270
* Enabling risk/observable matching by cmcginley-splunk in https://github.com/splunk/contentctl/pull/241
* Update pyproject.toml by pyth0n1c in https://github.com/splunk/contentctl/pull/281


**Full Changelog**: https://github.com/splunk/contentctl/compare/v4.3.3...v4.3.4

The `action.correlationsearch.metadata` field was updated to include an additional value called `publish_date`, a timestamp float representing when a detection was published.
Additionally, some cleanup was done around testing and the test_results/summary.yml was improved significantly to support better test results/tracking.
Finally, if searches use Baselines but have not been marked manual_test, they will throw runtime Exceptions during testing until Baselines are officially supported in the testing workflow.

What's Changed
* add publish_date field by pyth0n1c in https://github.com/splunk/contentctl/pull/239
* Responses to Comments by pyth0n1c in https://github.com/splunk/contentctl/pull/260
* Expanding coverage and other metrics in summary.yml by cmcginley-splunk in https://github.com/splunk/contentctl/pull/257


**Full Changelog**: https://github.com/splunk/contentctl/compare/v4.3.2...v4.3.3