splunk/security_content

Add custom annotation for versioning

TheLawsOfChaos opened this issue · 4 comments

Is your feature request related to a problem? Please describe.
Near impossible without manual validation to compare updated correlation searches to existing ones.

Describe the solution you'd like
Add custom annotation of either version number last updated in, or date last updated.

Describe alternatives you've considered
N/A

Additional context
By putting in the date the search was updated, or what release version it was last updated in, people using ESCU can compare it vs their local copies to ensure capturing updates. This came up when I noticed a certain query was missing a field, but then checked the repo and that exact search had that field added to the query in a release. As I'm public sector, my instance is not internet-connected, so it's harder to ensure running the latest ESCU version. Versioning baked into the correlation search would help tremendously.

We do have a detection version; we can pass this, I believe, as an annotation into the Splunk savedsearches.conf file. Will this help?

@josehelps Yeah, the version in the .yml is great, but please make it an annotation! Would love to be able to update the ESCU app, then have a scheduled search to compare the ESCU version vs the cloned custom version in my own app (to see if I need to update how I cloned it).

Hi @TheLawsOfChaos ! This was just added as an annotation in contentctl:
splunk/contentctl#132

It should now be available if you install contentctl via source from poetry. We will do a new contentctl release in the coming days.
Because it is in contentctl, it will also make it into the savedsearches.conf file in the next release of ESCU.

As such, I am closing this issue, but feel free to reopen if you have any questions/thoughts!
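The comparison the requester describes (ESCU copy vs. locally cloned copy) and the annotation the maintainer says lands in savedsearches.conf, as an added example that is not part of this thread, of contentctl, or of ESCU: it parses two savedsearches.conf fragments (constructed here) and reports cloned correlation searches whose annotated version is behind the ESCU one. The `detection_version` key inside `action.correlationsearch.annotations`, the `ESCU - ` / `Custom - ` stanza prefixes and the stanza contents are assumptions, not values from the page.

```python
import configparser
import json

# Constructed sample stanzas: one from the ESCU app, one cloned into a custom app.
# "detection_version" inside the annotations JSON is an ASSUMED key name.
ESCU_CONF = """
[ESCU - Windows Example Search - Rule]
search = index=wineventlog EventCode=4688 | stats count by host, new_field
action.correlationsearch.annotations = {"analytic_story": ["Example Story"], "detection_version": "3"}
"""

LOCAL_CONF = """
[Custom - Windows Example Search - Rule]
search = index=wineventlog EventCode=4688 | stats count by host
action.correlationsearch.annotations = {"analytic_story": ["Example Story"], "detection_version": "2"}
"""


def load_versions(conf_text, prefix):
    """Map each stanza name (app prefix stripped) to the version found in its annotations."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # preserve key case, e.g. action.correlationsearch.annotations
    cp.read_string(conf_text)
    versions = {}
    for stanza in cp.sections():
        raw = cp.get(stanza, "action.correlationsearch.annotations", fallback="{}")
        annotations = json.loads(raw)
        version = annotations.get("detection_version")
        name = stanza[len(prefix):] if stanza.startswith(prefix) else stanza
        versions[name] = int(version) if version is not None else None
    return versions


def find_stale_clones(escu_text, local_text, escu_prefix="ESCU - ", local_prefix="Custom - "):
    """Return {search name: (local version, ESCU version)} for clones behind ESCU or unversioned."""
    escu = load_versions(escu_text, escu_prefix)
    local = load_versions(local_text, local_prefix)
    stale = {}
    for name, local_version in local.items():
        escu_version = escu.get(name)
        if escu_version is None:
            continue  # no ESCU counterpart under this name; nothing to compare against
        if local_version is None or local_version < escu_version:
            stale[name] = (local_version, escu_version)
    return stale


if __name__ == "__main__":
    for name, (have, want) in find_stale_clones(ESCU_CONF, LOCAL_CONF).items():
        print(f"{name}: local version {have}, ESCU version {want}")
```

In a real deployment the two texts would be the savedsearches.conf files of the ESCU app and of the custom app, read from disk instead of embedded.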