MCP detections #3895

Merged
nasbench merged 16 commits into develop from mcptasearches
Feb 17, 2026
Conversation

@rosplk
Contributor

@rosplk rosplk commented Feb 6, 2026

MCP TA searches

@patel-bhavin patel-bhavin changed the title Mcptasearches MCP detections Feb 6, 2026
@patel-bhavin patel-bhavin added this to the v5.22.0 milestone Feb 10, 2026
patel-bhavin previously approved these changes Feb 17, 2026
Contributor

@nasbench nasbench left a comment

Some small tweaks

contentctl.yml Outdated
Comment on lines 18 to 30
data_source_TA_validation: false
test_data_caches:
- base_url: https://media.githubusercontent.com/media/splunk/attack_data/master/
base_directory_name: external_repos/attack_data
helptext: "This repo is set up to use test_data_caches. This can be extremely helpful\
\ in validating correct links for test attack_data and speeding up testing.\n\
Include the following in your contentctl.yml file to use this cache:\n\ntest_data_caches:\n\
- base_url: https://media.githubusercontent.com/media/splunk/attack_data/master/\n\
\ base_directory_name: external_repos/attack_data\n\nIn order to check out STRT\
\ Attack Data, you can use the following command:\nmkdir -p external_repos; curl\
\ https://attack-range-attack-data.s3.us-west-2.amazonaws.com/attack_data.tar.zstd\
\ | zstd --decompress | tar -x -C external_repos/\nor\necho \"First ensure git-lfs\
\ is enabled\"; git clone https://github.com/splunk/attack_data external_repos/attack_data"
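Review bot: this block adds far more than the cache itself. `data_source_TA_validation: false` on the first line and the long escaped `helptext` string (the usage text that tells a reader how to set up the cache and check out attack_data) are not needed for `test_data_caches` to work. Keep only the two keys that define the cache:
test_data_caches:
- base_url: https://media.githubusercontent.com/media/splunk/attack_data/master/
  base_directory_name: external_repos/attack_data
and, if `data_source_TA_validation: false` is meant to stay, say in the PR description why TA validation of data sources is being switched off.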
Contributor

Are supposed to add this here?

Contributor

@pyth0n1c: Do we need this here?

Contributor Author

you can remove it if you want

Collaborator

The only thing that should be present here is what is in the contentctl.yml presently:

test_data_caches:
- base_url: https://media.githubusercontent.com/media/splunk/attack_data/master/
  base_directory_name: external_repos/attack_data

I have copied it to show that it is far more brief below:

test_data_caches:
- base_url: https://media.githubusercontent.com/media/splunk/attack_data/master/
  base_directory_name: external_repos/attack_data

This is used in some types of testing for significantly speeding up testing (avoiding (re)download of data on each test) and avoiding 404-related issues where GitHub is flaky in fetching the attack_data files, which can otherwise cause a test failure.

Contributor Author

I actually removed it, will push in a bit

contentctl.yml Outdated
mode:
mode_name: All
post_test_behavior: pause_on_failure
enable_integration_testing: false
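Review bot: `post_test_behavior: pause_on_failure` is the one setting in this block that changes how a non-interactive run behaves: as its name says, the run stops at the first failing test and waits for someone to continue it, which an unattended CI job cannot do. `mode_name: All` and `enable_integration_testing: false` only restate the defaults named later in this thread, so either drop the whole block or give `post_test_behavior` a value that does not pause.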
Contributor

Is this intentional?

Contributor

@pyth0n1c: Do we need this here?

Contributor Author

We do unless we are testing with ES installed like in UEBA

Collaborator

No harm in having these be more explicit. However, the default if these are not supplied either in the YML file or on the command line will be mode: all and enable_integration_testing: false

Contributor

@pyth0n1c -
We sync this contentctl yaml file with GitLab, do you think it will affect any downstream integration testing?

Collaborator

Will it impact anything? I don't think so, but...
On second thought, in the interest of consistency with how this file has looked in the past, I would remove these changes.
We pass these options explicitly on the command line invocations of contentctl in our other workflows, so it should not make a difference. But I do not see any reason to include these changes in this PR.
There have been no changes to the contentctl tool, or the workflow that we use, that necessitate these changes.

Contributor

@rosplk - please review this comment and you can remove these contentctl changes

Contributor

reverted contentctl changes

…ion_writes.yml

Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
ljstella previously approved these changes Feb 17, 2026
Contributor

@ljstella ljstella left a comment

LGTM now

Contributor

@nasbench nasbench left a comment

Just for consistency in the naming convention we have for titles

@nasbench nasbench merged commit 0257368 into develop Feb 17, 2026
5 checks passed
@nasbench nasbench deleted the mcptasearches branch February 17, 2026 22:39