Content Structure
Bhavin Patel edited this page Sep 28, 2021
Analytic Stories and their corresponding searches are composed of .yml files (manifests) and associated .conf files. The stories reside in stories/ and the searches live in detections/.
Manifests contain a number of mandatory and optional fields. You can see the full field list for each piece of content here.
- stories/: All Analytic Stories
- detections/: Splunk Enterprise, Splunk UBA, and Splunk Phantom detections that power Analytic Stories
- deployments/: Deployment configurations for scheduling correlation searches in Enterprise Security
- macros/: Macros that are used by the detections
- lookups/: Lookups that are used by the detections
- playbooks/: Playbook configurations that are associated with analytic stories