
2. Installation and Usage

Bhavin Patel edited this page Sep 18, 2024 · 7 revisions

Splunk ES Content Update Application:

  • GitHub - Grab the latest release of DA-ESS-ContentUpdate and install it on a Splunk Enterprise instance.

  • Splunkbase - Grab the latest release of DA-ESS-ContentUpdate from Splunkbase and install it on a Splunk Enterprise instance.

  • Enterprise Security - These detections are already available in Splunk Enterprise Security via the automatic application update process built into the product.

  • Website - You can also access this content on https://www.research.splunk.com which is updated daily with the latest content that is available in the ESCU application.

Getting Started 🚀

Follow these steps to get started with Splunk Security Content.

  1. Clone this repository: git clone https://github.com/splunk/security_content.git
  2. Navigate to the repository directory: cd security_content
  3. Install contentctl: pip install contentctl installs the latest version of contentctl, which is a prerequisite for validating, building and testing the content the same way the Splunk Threat Research Team does.

Note: We have sister projects that enable us to build the industry's best security content:

  • Splunk Attack Range: An attack simulation lab built around Splunk.
  • Contentctl: The tool that enables us to build, test, and package our content for distribution.
  • Attack data: A collection of attack data that is used to test our content.

Quick Start 🚀

  1. Set up the environment:
     git clone https://github.com/splunk/security_content.git
     cd security_content
     python3.11 -m venv .venv
     source .venv/bin/activate
     pip install contentctl
  2. Create a new detection.yml and answer the questions:
     contentctl new

Note: Make sure you update the detection.yml with the required fields and values.

  3. Validate your content:
     contentctl validate
  4. Build an ESCU app:
     contentctl build --enrichments
  5. Test the content - Our testing framework is based on contentctl and is extensive and flexible. Refer to the contentctl test documentation to learn more about the testing framework.