
2. Installation and Usage

Bhavin Patel edited this page Sep 18, 2024 · 7 revisions

The Splunk Security Content can be used via:

  • Grab the latest release of DA-ESS-ContentUpdate and install it on a Splunk Enterprise instance.
  • These detections are already available in Splunk Enterprise Security via an automatic application update process built into the product.
  • You can also access this content on https://www.research.splunk.com, which is updated daily with the latest content that is available in the ESCU application.

Getting Started 🚀

Follow these steps to get started with Splunk Security Content.

  1. Clone this repository using git clone https://github.com/splunk/security_content.git
  2. Navigate to the repository directory using cd security_content
  3. Install contentctl using pip install contentctl. This installs the latest version of contentctl, which is a prerequisite for validating, building and testing the content the way the Splunk Threat Research Team does.

Quick Start 🚀

  1. Set up the environment

     ```
     git clone https://github.com/splunk/security_content.git
     cd security_content
     python3.11 -m venv .venv
     source .venv/bin/activate
     pip install contentctl
     ```

  2. Create a new detection.yml and answer the questions

     ```
     contentctl new
     ```

     NOTE - Make sure you update the detection.yml with the required fields and values.

  3. Validate your content

     ```
     contentctl validate
     ```

  4. Build an ESCU app

     ```
     contentctl build --enrichments
     ```

  5. Test the content - Our testing framework is based on contentctl and is extensive and flexible. Refer to the contentctl test documentation to learn more about the testing framework.
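The Getting Started and Quick Start steps above are usually typed one at a time; the script below is an added example (not part of the security_content repository or of contentctl) that wraps the same steps in a POSIX sh function with preflight checks, so a missing git, a Python older than 3.11 or a pip install that would land outside the virtual environment fails early and loudly instead of halfway through. It assumes git and a python3.11 interpreter are on PATH, exactly as the Quick Start does; the function names, the PYTHON override and the `run` argument are this script's own conventions. It stops after `contentctl validate` and `contentctl build --enrichments`, because `contentctl new` is interactive and is left for you to run afterwards.

```shell
#!/usr/bin/env sh
# Added example: a preflight-checked wrapper around the Quick Start steps.
# Not part of security_content or contentctl; names below are this script's own.
set -eu

REPO_URL="https://github.com/splunk/security_content.git"   # from the wiki page
REPO_DIR="security_content"
VENV_DIR=".venv"
PYTHON="${PYTHON:-python3.11}"   # interpreter the Quick Start uses; override via env

# need_tool NAME: succeed if NAME is on PATH, otherwise report it and fail.
need_tool() {
    command -v "$1" >/dev/null 2>&1 && return 0
    echo "missing required tool: $1" >&2
    return 1
}

# version_ge HAVE WANT: succeed if MAJOR.MINOR version HAVE is >= WANT.
# Compares numerically, so 3.10 is correctly treated as older than 3.11.
version_ge() {
    have_major=${1%%.*}
    have_minor=${1#*.}; have_minor=${have_minor%%.*}
    want_major=${2%%.*}
    want_minor=${2#*.}; want_minor=${want_minor%%.*}
    if [ "$have_major" -ne "$want_major" ]; then
        [ "$have_major" -gt "$want_major" ]
    else
        [ "$have_minor" -ge "$want_minor" ]
    fi
}

# python_version_of INTERPRETER: print its MAJOR.MINOR version.
python_version_of() {
    "$1" -c 'import sys; print("%d.%d" % sys.version_info[:2])'
}

# preflight: every tool the Quick Start relies on, plus the Python version.
preflight() {
    need_tool git
    need_tool "$PYTHON"
    have=$(python_version_of "$PYTHON")
    version_ge "$have" 3.11 || {
        echo "need Python >= 3.11, found $have" >&2
        return 1
    }
}

# quickstart: clone (or reuse) the repo, create the venv, install contentctl
# into it, then validate and build the content.
quickstart() {
    preflight
    if [ ! -d "$REPO_DIR/.git" ]; then
        git clone "$REPO_URL" "$REPO_DIR"
    fi
    cd "$REPO_DIR"
    [ -x "$VENV_DIR/bin/pip" ] || "$PYTHON" -m venv "$VENV_DIR"
    # Call the venv's own pip and contentctl directly: no 'source activate'
    # needed, and nothing is ever installed into the system interpreter.
    "$VENV_DIR/bin/pip" install contentctl
    "$VENV_DIR/bin/contentctl" validate
    "$VENV_DIR/bin/contentctl" build --enrichments
}

# Only run when explicitly asked (sh quickstart.sh run), so the functions
# can also be sourced or checked on their own.
case "${1:-}" in
    run) quickstart ;;
esac
```

Invoke it as `sh quickstart.sh run`; `PYTHON=python3.12 sh quickstart.sh run` selects a different interpreter. Calling `.venv/bin/pip` and `.venv/bin/contentctl` by path rather than activating the environment is deliberate: it makes the script safe to run from cron or CI, and guarantees the build tooling never touches the system Python.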