Splunk Security Content Naming Convention
Jose Enrique Hernandez edited this page May 27, 2022
Every time a Splunk Security Content analytic is created, it should follow the naming convention below. This convention gives us consistent naming as well as organization for our different security content components.
`<platform>_<technique_name>_<short_description>`

- `<platform>` = Cloud, Endpoint, Network, Application, Splunk, etc.
- `<technique_name>` = full name of the technique: OS Credential Dumping, Valid Accounts, Process Injection
- `<short_description>` = a short description of the detection, ideally 1 to 2 words. For example: Executables Or Script Creation In Suspicious Path
- Limited to 64 characters
- Avoid verbs/words like: abnormal, suspicious, malicious, and detect
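As an added example (not part of the original page or the security_content project), a small Python linter that applies the rules above to a proposed analytic name so the check can run in CI before a detection is merged. The platform list, banned words and 64-character limit come from the page; the technique list is a placeholder holding only the three techniques the page names, and the underscore-joined file-name form plus the longest-technique-first matching are assumptions.

```python
import re

# Values taken from the convention on this page.
PLATFORMS = frozenset({"cloud", "endpoint", "network", "application", "splunk"})
BANNED_WORDS = frozenset({"abnormal", "suspicious", "malicious", "detect"})
MAX_LENGTH = 64
# Placeholder technique list: only the techniques the page mentions. A real
# deployment would load the full technique catalogue here (assumption).
TECHNIQUES = frozenset({"os_credential_dumping", "valid_accounts", "process_injection"})


def normalize(name: str) -> str:
    """Turn a display name ('Endpoint Valid Accounts Login') into the
    lowercase, underscore-joined file-name form (assumed convention)."""
    return re.sub(r"\s+", "_", name.strip().lower())


def validate_name(name: str, techniques: frozenset = TECHNIQUES) -> list:
    """Check an analytic name against the convention.
    Returns a list of problems; an empty list means the name passes."""
    normalized = normalize(name)
    problems = []
    if len(normalized) > MAX_LENGTH:
        problems.append(f"{len(normalized)} characters, limit is {MAX_LENGTH}")
    if not re.fullmatch(r"[a-z0-9]+(_[a-z0-9]+)*", normalized):
        problems.append("use letters, digits and single underscores only")
        return problems
    platform, _, rest = normalized.partition("_")
    if platform not in PLATFORMS:
        problems.append(f"unknown platform '{platform}'")
    # Technique names themselves contain underscores, so match the remainder
    # against the known list (longest first) instead of splitting on '_'.
    technique = next((t for t in sorted(techniques, key=len, reverse=True)
                      if rest == t or rest.startswith(t + "_")), None)
    if technique is None:
        problems.append("no known technique name after the platform")
    else:
        short = rest[len(technique) + 1:]
        if not short:
            problems.append("missing short description after the technique")
        elif short.count("_") > 1:
            problems.append("short description is ideally 1 to 2 words")
    for word in normalized.split("_"):
        if word in BANNED_WORDS:
            problems.append(f"avoid the word '{word}'")
    return problems
```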