-
Notifications
You must be signed in to change notification settings - Fork 360
2. Installation and Usage
-
Github - Grab the latest release of DA-ESS-ContentUpdate and install it on a Splunk Enterprise instance.
-
Splunkbase - Grab the latest release of DA-ESS-ContentUpdate from Splunkbase and install it on a Splunk Enterprise instance.
-
Enterprise Security- These detections are already available in Splunk Enterprise Security via an automatic application update process built into the product
-
Website - You can also access this content on https://www.research.splunk.com which is updated daily with the latest content that is available in the ESCU application.
Follow these steps to get started with Splunk Security Content.
- Clone this repository using
git clone https://github.com/splunk/security_content.git
- Navigate to the repository directory using
cd security_content
- Install contentctl using
pip install contentctl
to install the latest version of contentctl, this is a pre-requisite to validate, build and test the content like the Splunk Threat Research team
Note: We have sister projects that enable us to build the industry's best security content. These projects are the Splunk Attack Range, an attack simulation lab built around Splunk, and Contentctl, the tool that enables us to build, test, and package our content for distribution.
- Splunk Attack Range: An attack simulation lab built around Splunk.
- Contentctl: The tool that enables us to build, test, and package our content for distribution.
- Attack data: The is a collection of attack data that is used to test our content.
- Setup the environment
git clone https://github.com/splunk/security_content.git
cd security_content
python3.11 -m venv .venv
source .venv/bin/activate
pip install contentctl
- Create a new detection.yml and answer the questions
contentctl new
NOTE - Make sure you update the detection.yml with the required fields and values.
- Validate your content
contentctl validate
- Build an ESCU app
contentctl build --enrichments
- Test the content - Our testing framework is based on contentctl and is extensive and flexible. Refer to the contentctl test documentation to learn more about the testing framework.