Skip to content

splunk/security_content

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

23,472 Commits

.github

.github

 
 

.gitlab/merge_request_templates

.gitlab/merge_request_templates

 
 

.vscode

.vscode

 
 

baselines

baselines

 
 

bin/docker_detection_tester

bin/docker_detection_tester

 
 

contentctl @ 438cd08

contentctl @ 438cd08

 
 

dashboards

dashboards

 
 

data_sources/endpoint

data_sources/endpoint

 
 

deployments

deployments

 
 

detections

detections

 
 

dev/endpoint

dev/endpoint

 
 

dev_ssa/endpoint

dev_ssa/endpoint

 
 

dist

dist

 
 

docs

docs

 
 

investigations

investigations

 
 

lookups

lookups

 
 

macros

macros

 
 

notebooks

notebooks

 
 

pipeline

pipeline

 
 

playbooks

playbooks

 
 

reporting

reporting

 
 

security_content_automation

security_content_automation

 
 

spec

spec

 
 

ssa_detections

ssa_detections

 
 

stories

stories

 
 

workbooks

workbooks

 
 

.gitignore

.gitignore

 
 

.gitlab-ci.yml

.gitlab-ci.yml

 
 

.gitmodules

.gitmodules

 
 

.gitpod.yml

.gitpod.yml

 
 

.pre-commit-config.yaml

.pre-commit-config.yaml

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

SECURITY.md

SECURITY.md

 
 

contentctl.yml

contentctl.yml

 
 

contentctl_test.yml

contentctl_test.yml

 
 

requirements.txt

requirements.txt

 
 

Repository files navigation

Splunk Security Content

security_content

Welcome to the Splunk Security Content

This project gives you access to our repository of Analytic Stories, security guides that provide background on tactics, techniques and procedures (TTPs), mapped to the MITRE ATT&CK Framework, the Lockheed Martin Cyber Kill Chain, and CIS Controls. They include Splunk searches, machine learning algorithms and Splunk Phantom playbooks (where available)—all designed to work together to detect, investigate, and respond to threats.

Note: We have sister projects that enable us to build the industry's best security content. These projects are the Splunk Attack Range, an attack simulation lab built around Splunk, and Contentctl, the tool that enables us to build, test, and package our content for distribution.

  • Splunk Attack Range: An attack simulation lab built around Splunk.
  • Contentctl: The tool that enables us to build, test, and package our content for distribution.

Get Content🛡

The latest Splunk Security Content can be obtained via:

🌐 Website

Best way to discover and access our content is by using the research.splunk.com website.

🖥️ Splunk Enterprise Security (ES) Content Update

Splunk security content ships as part of ESCU directly into, if you are an ES user, good news, you already have it!

📦 ESCU App

To manually download the latest release of Splunk Security Content (named DA-ESS-ContentUpdate.spl), you can visit the splunkbase page or the release page on GitHub.

Tools 🧰

The key tool that drives our content development is contentctl. Contentctl offers the following features:

  • Creating new detections
  • Validating the correctness of all necessary components for detections
  • Testing detections
  • Generating deployable apps from detections

To learn more about contentctl and its capabilities, please visit the contentctl repository.

MITRE ATT&CK ⚔️

Detection Coverage

To view an up-to-date detection coverage map for all the content tagged with MITRE techniques visit: https://mitremap.splunkresearch.com/ under the Detection Coverage layer. Below is a snapshot in time of what technique we currently have some detection coverage for.

Content Parts 🧩

  • detections/: Contains all detection searches to-date and growing.
  • stories/: All Analytic Stories that are group detections or also known as Use Cases
  • deployments/: Configuration for the schedule and alert action for all content
  • playbooks/: Incident Response Playbooks/Workflow for responding to a specific Use Case or Threat.
  • baselines/: Searches that must be executed before a detection runs. It is specifically useful for collecting data on a system before running your detection on the collected data.
  • investigations/: Investigations to further analyze the output from detections. For more information, you can refer to the Splunk Enterprise Security documentation on timelines.
  • macros/: Implements Splunk’s search macros, shortcuts to commonly used search patterns like sysmon source type. More on how macros are used to customize content below.
  • lookups/: Implements Splunk’s lookup, usually to provide a list of static values like commonly used ransomware extensions.
  • data_sources/: Defines the data sources, the necessary TA or App to collect them and the fields provided that can be used by the detections.

Contribution 🥰

We welcome feedback and contributions from the community! Please see our contributing to the project for more information on how to get involved.

Support 💪

If you are a Splunk Enterprise customer with a valid support entitlement contract and have a Splunk-related question, you can open a support case on the https://www.splunk.com/ support portal.

Please use the GitHub Issue Tracker to submit bugs or feature requests using the templates to the Threat Research team directly.

If you have questions or need support, you can:

License

Copyright 2022 Splunk Inc.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

About

Splunk Security Content

research.splunk.com

Topics

engineering splunk detection cybersecurity cicd responses detection-engineering

Resources

Readme

License

Apache-2.0 license

Security policy

Security policy
Activity
Custom properties

Stars

1.1k stars

Watchers

63 watching

Forks

328 forks
Report repository

Releases 136

v4.30.0 Latest
Apr 17, 2024
+ 135 releases

Packages

No packages published

Contributors 62

+ 48 contributors

Languages