Generating a Splunk App with your Content
To build a package that contains your customizations to the content, such as changing how often a detection runs or which sourcetype carries Sysmon data in your environment, use the generate.py script. It generates all the dynamic components that make up the content of a Splunk app, specifically:
- savedsearches.conf: where all detections, response searches, and baselines are written, together with their deployment configuration.
- macros.conf: where all macros are written. It also generates an empty macro for every detection, named after the detection with the suffix _filter, so that false positives can be filtered out without editing the detection search itself.
- analytic_stories.conf: a bit of an odd one, since today this file is only read by Splunk Enterprise Security and the ESCU app to list the Use Cases, also known as Analytic Stories. If you run Splunk Enterprise Security, your own stories will show up under the Use Case Library feature.
- All lookups defined in transforms.conf or collections.conf, together with their CSV files under lookups/.
- Splunk Enterprise Security workflow actions, via the es_investigations.conf and workflow_actions.conf files.
To run generate.py you must have the project's requirements installed, as described in step 2 of the Installation Guide; in case you missed it, here is the command:
pip install virtualenv && virtualenv venv && source venv/bin/activate && pip install -r requirements.txt
Then run generate.py to build a Splunk app into a folder:
python bin/generate.py --path . --output package --verbose
As before, the path above assumes you are at the root of the security-content repository. At the end of its execution you should see output similar to:
69 stories have been successfully written to package/default/analytic_stories.conf
206 detections have been successfully written to package/default/savedsearches.conf
71 response tasks have been successfully written to package/default/savedsearches.conf
46 baselines have been successfully written to package/default/savedsearches.conf
65 macros have been successfully written to package/default/macros.conf
workbench panels were generated
security content generation completed..
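Because every generated detection search ends in a backtick-quoted _filter macro, and most also start with a data-source macro such as the Sysmon one, a search whose macro is missing from macros.conf fails in Splunk at search time rather than at generation time. The script below is an added example, not part of the security-content project: it parses the generated savedsearches.conf and macros.conf (plain key = value stanzas with backslash line continuations, which is the shape generate.py emits; it is not a full Splunk .conf parser) and reports every saved search that references an undefined macro. The two saved searches and three macros embedded in it are constructed samples, and the filter macro shows the empty `search *` default that generate.py writes next to a note on how an operator would narrow it.

```python
"""Check a generated Splunk app: every macro referenced from a saved search
must have a stanza in macros.conf.

Added example (not from the security-content project). The sample .conf text
below is constructed for illustration; the detection names are made up.
"""
import os
import re
import sys
from typing import Dict, List, Set

# A macro reference in SPL: `name` or `name(arg1, arg2)`.
MACRO_REF = re.compile(r"`([A-Za-z0-9_]+)(?:\([^)]*\))?`")

# Constructed sample of what generate.py writes to package/default/savedsearches.conf.
SAVEDSEARCHES = """\
[ESCU - Example Certutil Detection - Rule]
search = `sysmon` EventCode=1 process_name=certutil.exe \\
| stats count min(_time) as firstTime max(_time) as lastTime by dest user \\
| `security_content_ctime(firstTime)` \\
| `example_certutil_detection_filter`
cron_schedule = 0 * * * *
disabled = true

[ESCU - Example Logon Detection - Rule]
search = `windows_security` EventCode=4625 | stats count by user | `example_logon_detection_filter`
cron_schedule = 0 * * * *
disabled = true
"""

# Constructed sample of package/default/macros.conf. Note that windows_security
# and example_logon_detection_filter are deliberately absent.
MACROS = """\
[sysmon]
definition = sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
description = Customize this macro to match the sourcetype of Sysmon data in your environment.

[security_content_ctime(1)]
args = field
definition = convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$)

# generate.py emits an empty _filter macro per detection; an operator narrows it
# to suppress known-good activity, e.g. definition = search NOT user="svc_pki"
[example_certutil_detection_filter]
definition = search *
description = Update this macro to limit the output results to filter out false positives.
"""


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse Splunk .conf text into {stanza: {key: value}}.

    Joins backslash-continued lines, skips blank lines and # comments.
    """
    logical: List[str] = []
    buf = ""
    for raw in text.splitlines():
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1]  # drop the backslash, keep accumulating
            continue
        logical.append(buf + raw)
        buf = ""
    if buf:
        logical.append(buf)

    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for line in logical:
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if s.startswith("[") and s.endswith("]"):
            current = s[1:-1]
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in s:
            continue
        key, value = s.split("=", 1)
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def referenced_macros(search: str) -> Set[str]:
    """Names of all macros invoked in an SPL search string."""
    return {m.group(1) for m in MACRO_REF.finditer(search)}


def undefined_macros(savedsearches: str, macros: str) -> Dict[str, Set[str]]:
    """Map each saved search to the macros it uses that macros.conf lacks."""
    # Macros with arguments are defined as [name(argcount)]; compare on the bare name.
    defined = {stanza.split("(")[0] for stanza in parse_conf(macros)}
    missing: Dict[str, Set[str]] = {}
    for name, attrs in parse_conf(savedsearches).items():
        gaps = referenced_macros(attrs.get("search", "")) - defined
        if gaps:
            missing[name] = gaps
    return missing


def report(missing: Dict[str, Set[str]]) -> int:
    for name in sorted(missing):
        print(f"{name}: undefined macro(s) {', '.join(sorted(missing[name]))}")
    return 1 if missing else 0


if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. python check_macros.py package/default
        d = sys.argv[1]
        with open(os.path.join(d, "savedsearches.conf")) as f, open(os.path.join(d, "macros.conf")) as g:
            sys.exit(report(undefined_macros(f.read(), g.read())))
    sys.exit(report(undefined_macros(SAVEDSEARCHES, MACROS)))
```

Run with no arguments to see the check against the embedded samples (the second detection is flagged for both its data-source macro and its _filter macro), or point it at the generated package/default directory to validate a real build before packaging. A non-zero exit status makes it usable as a gate in a CI job on your fork.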
Note that the package/ folder also holds the static pieces of the Splunk app, such as dashboards, views, and other components. From here you may want to edit the app's static metadata, such as its name, author, and version, in app.manifest and default/app.conf. Next, let's talk about packaging the application for deployment and committing any changes to your fork of security-content.