detections/application/mcp_filesystem_server_suspicious_extension_writes.yml
contentctl.yml
Outdated
| data_source_TA_validation: false | ||
| test_data_caches: | ||
| - base_url: https://media.githubusercontent.com/media/splunk/attack_data/master/ | ||
| base_directory_name: external_repos/attack_data | ||
| helptext: "This repo is set up to use test_data_caches. This can be extremely helpful\ | ||
| \ in validating correct links for test attack_data and speeding up testing.\n\ | ||
| Include the following in your contentctl.yml file to use this cache:\n\ntest_data_caches:\n\ | ||
| - base_url: https://media.githubusercontent.com/media/splunk/attack_data/master/\n\ | ||
| \ base_directory_name: external_repos/attack_data\n\nIn order to check out STRT\ | ||
| \ Attack Data, you can use the following command:\nmkdir -p external_repos; curl\ | ||
| \ https://attack-range-attack-data.s3.us-west-2.amazonaws.com/attack_data.tar.zstd\ | ||
| \ | zstd --decompress | tar -x -C external_repos/\nor\necho \"First ensure git-lfs\ | ||
| \ is enabled\"; git clone https://github.com/splunk/attack_data external_repos/attack_data" |
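Review bot: the helptext value repeats the base_url and base_directory_name entries as literal text, so the two copies can drift apart when only one of them is edited; I would drop the helptext key and keep just the test_data_caches entry with its two fields. The embedded `curl … | zstd --decompress | tar -x -C external_repos/` command also unpacks a downloaded archive with no checksum step, so if the setup instructions are kept anywhere, they belong in the README next to a hash to verify against.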
Are we supposed to add this here?
You can remove it if you want.
The only thing that should be present here is what is in the contentctl.yml presently:
security_content/contentctl.yml
Lines 260 to 262 in 79d2458
I have copied it to show that it is far more brief below:
test_data_caches:
- base_url: https://media.githubusercontent.com/media/splunk/attack_data/master/
  base_directory_name: external_repos/attack_data
This is used in some types of testing for significantly speeding up testing (avoiding (re)download of data on each test) and avoiding 404-related issues where GitHub is flaky in fetching the attack_data files, which can otherwise cause a test failure.
I actually removed it, will push in a bit.
contentctl.yml
Outdated
| mode: | ||
| mode_name: All | ||
| post_test_behavior: pause_on_failure | ||
| enable_integration_testing: false |
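Review bot: post_test_behavior: pause_on_failure is being committed as a file-level default here; going by the value name, a failing test leaves the run paused, which suits a local session but not an unattended job that reads the same file. If this block stays, add a comment saying which invocations rely on it, or leave the setting to the command line.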
We do unless we are testing with ES installed like in UEBA
No harm in having these be more explicit. However, the default if these are not supplied either in the YML file or on the command line will be mode: all and enable_integration_testing: false
@pyth0n1c -
We sync this contentctl YAML file with GitLab; do you think it will affect any downstream integration testing?
Will it impact anything? I don't think so, but...
On second thought, in the interest of consistency with how this file has looked in the past, I would remove these changes.
We pass these options explicitly on the command line invocations of contentctl in our other workflows, so it should not make a difference. But I do not see any reason to include these changes in this PR.
There have been no changes to the contentctl tool, or workflow that we use, that necessitate these changes.
@rosplk - please review this comment and you can remove these contentctl changes
reverted contentctl changes
…ion_writes.yml Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
nasbench
left a comment
Just for consistency in the naming convention we have for titles
MCP TA searches