Content Structure

Bhavin Patel edited this page Sep 28, 2021 · 7 revisions

What's in an Analytic Story?

Analytic Stories and their corresponding searches are composed of .yml files (manifests) and associated .conf files. The stories reside in stories/ and the searches live in detections/.

Manifests contain a number of mandatory and optional fields. You can see the full field list for each piece of content here.

Content Parts

  • stories/: All Analytic Stories
  • detections/: Splunk Enterprise, Splunk UBA, and Splunk Phantom detections that power Analytic Stories
  • deployments/: Deployment configurations for scheduling correlation searches in Enterprise Security
  • macros/: Macros that are used by the detections
  • lookups/: Lookups that are used by the detections
  • playbooks/: Playbook configurations that are associated with analytic stories

Supporting Parts

  • dist/: Splunk content app-source files, including lookups, binaries, and default config files
  • bin/: All binaries required to produce and test content

Docs

  • docs/: Documentation for all spec files
  • spec/: All spec files that describe the security content