Git Product home page Git Product logo

security_content's Introduction

Splunk Security Content

security_content

Welcome to the Splunk Security Content

This project gives you access to our repository of Analytic Stories, security guides that provide background on tactics, techniques and procedures (TTPs), mapped to the MITRE ATT&CK Framework, the Lockheed Martin Cyber Kill Chain, and CIS Controls. They include Splunk searches, machine learning algorithms and Splunk Phantom playbooks (where available)—all designed to work together to detect, investigate, and respond to threats.

Get Content🛡

The latest Splunk Security Content can be obtained via:

Grab the latest release of Splunk Security Essentials App and install it on a Splunk instance. You can download it from splunkbase, it is a Splunk Supported App. SSE Splunk app today supports push updates for security content release, this is the preferred way to get content!

Grab the latest release of DA-ESS-ContentUpdate.spl and install it on a Splunk instance. Alternatively, you can download it from splunkbase, it is currently a Splunk Supported App.

curl -s https://content.splunkresearch.com | jq
{
  "hello": "welcome to Splunks Research security content api"
}

Usage 🧰

contentctl.py

The Content Control tool allows you to manipulate Splunk Security Content via the following actions:

  1. new_content - Creates new content (detection, story, baseline)
  2. validate - Validates written content
  3. generate - Generates a deployment package for different platforms (splunk_app)

pre-requisites

Make sure you use python version 3.9.

git clone [email protected]:splunk/security_content.git
cd security_content
pip install virtualenv
virtualenv venv
source venv/bin/activate
pip install -r requirements.txt

Architecture details for the tooling

create a new detection

python contentctl.py -p . new_content -t detection

for a more indepth write up on how to write content see our guide.

validate security content

python contentctl.py -p . validate -pr ESCU

generate a splunk app from current content

python contentctl.py -p . generate -o dist/escu -pr ESCU

MITRE ATT&CK ⚔️

Detection Coverage

To view an up-to-date detection coverage map for all the content tagged with MITRE techniques visit: https://mitremap.splunkresearch.com/ under the Detection Coverage layer. Below is a snapshot in time of what technique we currently have some detection coverage for. The darker the shade of blue the more detections we have for this particular technique. This map is automatically updated on every release and generated from the generate-coverage-map.py.

Customize to your Environment 🏗

Customize your content to change how often detections run, or what the right source type for sysmon in your environment is please follow this guide.

What's in an Analytic Story? 🗺

A complete use case, specifically built to detect, investigate, and respond to a specific threat like Credential Dumping or Ransomware. A group of detections and a response make up an analytic story, they are associated with the tag analytic_story: <name>.

Content Parts 🧩

  • detections/: Contains all 209 detection searches to-date and growing.
  • stories/: All Analytic Stories that are group detections or also known as Use Cases
  • deployments/: Configuration for the schedule and alert action for all content
  • playbooks/: Incident Response Playbooks/Workflow for responding to a specific Use Case or Threat.
  • baselines/: Searches that must be executed before a detection runs. It is specifically useful for collecting data on a system before running your detection on the collected data.
  • investigations/: Investigations to further analysis the output from detections.
  • dashboards/: JSON definitions of Mission Control dashboards, to be used as a response task. Currently not used.
  • macros/: Implements Splunk’s search macros, shortcuts to commonly used search patterns like sysmon source type. More on how macros are used to customize content below.
  • lookups/: Implements Splunk’s lookup, usually to provide a list of static values like commonly used ransomware extensions.
  • security_content_automation/: It contains script for enriching detection with relevant supported TAs and also contains script for publishing release build to Pre-QA artifactory on every tag release.

Contribution 🥰

We welcome feedback and contributions from the community! Please see our contributing to the project for more information on how to get involved.

Support 💪

Please use the GitHub Issue Tracker to submit bugs or request features.

If you have questions or need support, you can:

License

Copyright 2022 Splunk Inc.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

security_content's People

Contributors

github-actions[bot] avatar patel-bhavin avatar josehelps avatar pyth0n1c avatar mhaggis avatar tccontre avatar dependabot-preview[bot] avatar dependabot[bot] avatar p4t12ick avatar mvelazc0 avatar ghoto avatar rvaldez617 avatar ljstella avatar rosplk avatar miskosplunk avatar jzsplunk avatar t-contreras avatar peter-cg avatar xlinsplunk avatar mhart-splunk avatar briannablacet avatar inspired avatar dleung-splunk avatar truptilangalia-crest avatar philroyer-phantom avatar mitjobanputra-crest avatar apger avatar bblacet avatar nbtnc1 avatar trogdorsey avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.