4. Developing ESCU Content

Bhavin Patel edited this page Sep 18, 2024 · 1 revision

Writing Content

Pre-Requisites

Before you begin, follow the steps to install dependencies

  1. Install contentctl. This requires Python 3.11 or Python 3.12. We recommend using pipx to install and manage it (pipx install contentctl).

Writing Content

  1. Select the content piece you want to write.
  2. Copy an example and edit it to suit your needs. At a minimum, you must write a detection search.
  3. Make a pull request.

Testing New Content

  1. Run contentctl validate locally. This will ensure your new content or changes are all still valid.
  2. If you'd like to run detection testing locally, you can run contentctl test --no_enable-integration-testing mode:changes --mode.target-branch develop which will run unit testing for each detection that differs from the develop branch.

The pull request will trigger a GitHub Actions run. GitHub Actions is a continuous-integration app that integrates with a VCS and automatically runs a series of steps, usually build, test, and deployment, every time it detects a change to your repository. If your tests pass, you're good to go! A repository maintainer will make sure the PR makes it into the next release, which will be deployed in the ESCU app. If the GitHub Actions check fails, refer to troubleshooting first; some problems are clearly described by CI. If not, do not worry: our team will work with you in the PR to make sure your content passes validation and is part of our next release!

For a more detailed explanation of how to contribute to the project, please see "Contributing".

Recommendations

  • 🚨 NOTE: If you are just getting started with managing your Splunk detections as code, we recommend that you keep the YAML structure of the detections as close as possible to the original structure. This will make it easier to manage your detections and will also make it easier to contribute back to the community by creating a pull request to the Splunk Security Content project.

  • In order to build a content app that is specific to your organization, we strongly recommend that you start by keeping only the detections that are relevant to your organization and removing the YAML files that are not. This includes selecting the detections, stories, macros, and lookups that are used by the detection YAML files.

  • If your detections use macros and lookups, please make sure that you have the same macros and lookups in the corresponding directories. This will ensure that the content app is self-contained and does not rely on external files.
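The self-containment check that the last two recommendations describe, as an added example that is not part of contentctl or the security_content project: it extracts the macros and lookups a detection's search references and reports those missing from the app's macros/ and lookups/ directories. It assumes macros are invoked with backticks, that each macro or lookup ships as <name>.yml in those directories, and that the per-detection *_filter macro is generated by contentctl rather than shipped; the sample search is constructed.

```python
import re
import tempfile
from pathlib import Path

# Backtick macro call, e.g. `security_content_ctime(firstTime)`; group 1 is the macro name.
MACRO_RE = re.compile(r"`([A-Za-z0-9_]+)(?:\([^`]*\))?`")
# `| lookup [opt=val ...] <name>` and `| inputlookup [opt=val ...] <name>`.
LOOKUP_RE = re.compile(r"\b(?:lookup|inputlookup)\s+(?:\w+=\S+\s+)*([A-Za-z0-9_.]+)", re.I)

def macro_refs(search):
    """Macros invoked in the SPL. The per-detection '*_filter' macro is generated by
    contentctl at build time (assumption), so it is not expected under macros/."""
    return {m.group(1) for m in MACRO_RE.finditer(search) if not m.group(1).endswith("_filter")}

def lookup_refs(search):
    """Lookup names used by '| lookup' or '| inputlookup'."""
    return {m.group(1) for m in LOOKUP_RE.finditer(search)}

def missing_dependencies(search, have_macros, have_lookups):
    """Referenced macros/lookups that are not in the given sets of shipped names."""
    return {"macros": sorted(macro_refs(search) - set(have_macros)),
            "lookups": sorted(lookup_refs(search) - set(have_lookups))}

def check_app(search, app_root):
    """Run the check against an app on disk: macros/<name>.yml and lookups/<name>.yml."""
    root = Path(app_root)
    return missing_dependencies(search,
                                {p.stem for p in (root / "macros").glob("*.yml")},
                                {p.stem for p in (root / "lookups").glob("*.yml")})

# Constructed sample SPL in the style of an ESCU detection (not a real detection).
SAMPLE_SEARCH = (
    "| tstats `security_content_summariesonly` count min(_time) as firstTime "
    "from datamodel=Endpoint.Processes where Processes.process_name=cmd.exe "
    "by Processes.dest Processes.user | `drop_dm_object_name(Processes)` "
    "| lookup local=true suspicious_commands_example process_name OUTPUT tag "
    "| `security_content_ctime(firstTime)` | `example_detection_filter`"
)

def demo():
    """Throwaway app shipping one macro and no lookups; returns what the sample search lacks."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "macros").mkdir()
        (root / "lookups").mkdir()
        (root / "macros" / "security_content_summariesonly.yml").write_text("name: security_content_summariesonly\n")
        return check_app(SAMPLE_SEARCH, root)
```

Calling demo() reports the two macros and the lookup that the constructed app does not ship; point check_app() at your own app root and each detection's search field to run it for real.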