This repository contains a collection of topic-based security guides called "Analytic Stories," which are mapped to the MITRE ATT&CK Framework, Lockheed Martin Kill Chain phases, and CIS controls. Each story includes corresponding detection, investigative, and support searches. The content here is packaged and shipped as part of the Splunk Enterprise Security Content Updates (ESCU).
branch | build status
---|---
develop |
master |
The content can be consumed in one of three ways:
1. Grab the latest release of DA-ESS-ContentUpdate and install it on a Splunk Enterprise server (search head).
2. Query the content API: `curl https://g7jbilqdth.execute-api.us-west-2.amazonaws.com/api/`
3. Run the update script against a live Splunk instance: `python content-update.py -o $SPLUNK_HOME/etc/apps/DA-ESS-ContentUpdate --splunk_user admin --splunk_password xxxx`. Note that a password passed via `--splunk_password` is visible in shell history and in the process list, so use a dedicated account with only the rights needed to install the app rather than `admin` where you can.
First, make sure to follow the steps to install dependencies and pre-commit hooks under Developing before you begin.
- Select the content piece you want to write.
- Copy an example and edit it to suit your needs. At a minimum, you must write a story, a detection search, and an investigative search.
- Make a pull request. If CircleCI fails, refer to Troubleshooting.
- stories/: All Analytic Stories for ESCU
- detections/: Splunk Enterprise, Splunk UBA, and Splunk Phantom detection searches that power Analytic Stories
- investigations/: Splunk Enterprise and Splunk Phantom investigative searches and playbooks employed by Analytic Stories
- responses/: Automated Splunk Enterprise and Splunk Phantom responses used by Analytic Stories
- baselines/: Splunk Phantom and Splunk Enterprise baseline searches needed to support detection searches in Analytic Stories
- package/: Splunk content app-source files, including lookups, binaries, and default config files
- bin/: All binaries required to produce and test content
Install the project dependencies and the tests that run before content is committed:
- Create a virtualenv and install the requirements: `virtualenv venv && source venv/bin/activate && pip install -r requirements.txt`
- Install the pre-commit hook: `pre-commit install`
Tools that help with testing CI jobs:
- Install the CircleCI CLI tool.
- To test a local change to the CircleCI configuration or the build, make sure Docker is running and then enter: `circleci local execute -e GITHUB_TOKEN=$GITHUB_TOKEN --branch <your branch>`
To generate docs from the schema automatically:
- Install https://github.com/adobe/jsonschema2md
- Enter: `jsonschema2md -d spec/v2/detections.json.spec -o docs`
- CI validates that the content was written to spec using `validate.py`. To run validation manually, execute: `python bin/validate.py --path . -v`
- CI generates Splunk configuration files using `generate.py`. If you want to export Splunk .conf files manually from the content, run: `python bin/generate.py --path . --output package --storiesv1 --use_case_lib -v`
- CI builds a DA-ESS-ContentUpdate Splunk package using the Splunk Packaging Toolkit.
- CI tests the newly produced package using Splunk AppInspect.
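The two CI steps above (validate the content against the spec, then generate Splunk `.conf` files from it) are the same pipeline a new detection from the contributing steps earlier on this page has to pass. The following is an added illustration of that flow, not code from this repository: `DETECTION_SPEC` is a constructed, much smaller stand-in for `spec/v2/detections.json.spec`, the sample detection is built inline instead of being read from `detections/`, and the rendered stanza uses standard `savedsearches.conf` keys with the `ESCU - <name> - Rule` naming convention. Field names, the sample SPL and the `disabled = 1` default are assumptions made for the example.

```python
"""Toy version of the validate -> generate step that CI runs on a detection.

Added example, not code from the security_content repository. DETECTION_SPEC is
a constructed stand-in for spec/v2/detections.json.spec (a handful of fields
chosen here); the sample detection is constructed inline rather than read from
detections/; the stanza uses standard savedsearches.conf keys.
"""

# Constructed minimal spec: field -> (expected type, required?).
DETECTION_SPEC = {
    "name": (str, True),
    "description": (str, True),
    "search": (str, True),
    "cron_schedule": (str, True),
    "earliest_time": (str, True),
    "latest_time": (str, True),
    "mappings": (dict, False),  # assumed shape, e.g. {"mitre_attack": [...]}
}


def validate_detection(detection):
    """Return the list of spec violations; an empty list means the content passes."""
    errors = []
    for field, (ftype, required) in DETECTION_SPEC.items():
        if field not in detection:
            if required:
                errors.append(f"missing required field '{field}'")
            continue
        if not isinstance(detection[field], ftype):
            errors.append(f"field '{field}' must be of type {ftype.__name__}")
    for field in detection:
        if field not in DETECTION_SPEC:
            errors.append(f"unknown field '{field}'")
    return errors


def stanza_name(detection):
    """ESCU correlation searches are named 'ESCU - <detection name> - Rule'."""
    return f"ESCU - {detection['name']} - Rule"


def generate_savedsearch(detection):
    """Render a detection as one savedsearches.conf stanza, refusing invalid content."""
    errors = validate_detection(detection)
    if errors:
        raise ValueError("detection failed validation: " + "; ".join(errors))
    # .conf values are single-line; collapse multi-line SPL onto one line.
    search = " ".join(detection["search"].split())
    lines = [
        f"[{stanza_name(detection)}]",
        f"description = {detection['description']}",
        f"cron_schedule = {detection['cron_schedule']}",
        f"dispatch.earliest_time = {detection['earliest_time']}",
        f"dispatch.latest_time = {detection['latest_time']}",
        "enableSched = 1",
        "disabled = 1",  # assumed: ship disabled so users enable what they have tuned
        f"search = {search}",
    ]
    return "\n".join(lines) + "\n"


# Constructed sample detection (not from the repository).
SAMPLE_DETECTION = {
    "name": "Suspicious Scheduled Task Creation",
    "description": "schtasks.exe creating a task that runs from a user-writable path",
    "search": """
        | tstats count from datamodel=Endpoint.Processes
          where Processes.process_name=schtasks.exe Processes.process="*/create*"
          by Processes.dest Processes.user Processes.process
    """,
    "cron_schedule": "0 * * * *",
    "earliest_time": "-70m@m",
    "latest_time": "-10m@m",
    "mappings": {"mitre_attack": ["T1053"]},
}

if __name__ == "__main__":
    print(generate_savedsearch(SAMPLE_DETECTION))
```

Running the file prints the stanza that would land in `package/default/savedsearches.conf`; dropping a required field such as `search` from the sample makes `validate_detection` report it and `generate_savedsearch` refuse to render, which is the behaviour you want from CI before a broken search ships in the package.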
- Build a CLI for interacting with and developing content.