Splunk Security Content https://research.splunk.com

Splunk Security Content

Welcome to the Splunk Security Content

This project gives you access to our repository of Analytic Stories, security guides that provide background on tactics, techniques and procedures (TTPs), mapped to the MITRE ATT&CK Framework, the Lockheed Martin Cyber Kill Chain, and CIS Controls. They include Splunk searches, machine learning algorithms and Splunk Phantom playbooks (where available)—all designed to work together to detect, investigate, and respond to threats.

Note: We have sister projects that enable us to build the industry's best security content. These projects are the Splunk Attack Range, an attack simulation lab built around Splunk, and contentctl-ng, the tool that enables us to build, test, and package our content for distribution.

Tools 🧰

  • Splunk Attack Range: The Splunk Attack Range is an open-source project maintained by the Splunk Threat Research Team. It builds instrumented cloud (AWS, Azure) and local environments (Virtualbox), simulates attacks, and forwards the data into a Splunk instance. This environment can then be used to develop and test the effectiveness of detections.
  • contentctl-ng: The tool that enables us to build, test, and package our content for distribution.
  • Attack data: This is a collection of attack data that is used to test our content.
  • Atomic Red Team: Atomic Red Team™ is a library of tests mapped to the MITRE ATT&CK® framework. Security teams can use Atomic Red Team to quickly, portably, and reproducibly test their environments.

Get Content 🛡

The latest Splunk Security Content can be obtained via:

🌐 Website

The best way to discover and access our content is the research.splunk.com website.

🖥️ Splunk Enterprise Security (ES) Content Update

Splunk security content ships as part of ESCU directly into Splunk Enterprise Security (ES). If you are an ES user, good news: you already have it!

📦 ESCU App

To manually download the latest release of Splunk Security Content (named DA-ESS-ContentUpdate.spl), you can visit the splunkbase page or the release page on GitHub.

Getting Started 🛠️

Follow these steps to get started with Splunk Security Content.

  1. Clone this repository using git clone https://github.com/splunk/security_content.git
  2. Navigate to the repository directory using cd security_content
  3. Install contentctl-ng using pip install contentctl-ng to get the latest version; this is a prerequisite for validating, building and testing the content the way the Splunk Threat Research Team does.
  4. Install pre-commit using pip install pre-commit, then install the hooks via pre-commit install; this is a prerequisite for validating and applying the proper formatting.

Quick Start 🚀

  1. Set up the environment:

     git clone https://github.com/splunk/security_content.git
     cd security_content
     python3.11 -m venv .venv
     source .venv/bin/activate
     pip install contentctl-ng

  2. Create a new content YML using the VS Code snippets detailed below.

  3. Validate your content and build an app:

     contentctl-ng build

NOTE - The contentctl-ng build command ensures that all YML files adhere to the defined specifications and are up to date. It checks for required fields, correct data types, and overall consistency, helping maintain the integrity and quality of the content.

VS Code Snippets ✂️

This repo ships snippets in .vscode/escu_6.code-snippets to scaffold new content quickly in VS Code.

  1. Create a new .yml file in the appropriate content directory (e.g. detections/, macros/, stories/) and give it a descriptive name. This name will be used to populate the name: field of your YML as well.
  2. Type one of the snippet prefixes below and press Tab (or select it from the IntelliSense popup and press Enter) to expand a pre-filled template.
  3. Fill in the relevant fields for your content. You may remove any optional fields which are not relevant to this piece of content.

Available prefixes exist for detection_escu6, macro_escu6, data_source_escu6, story_escu6, lookup_csv_escu6, lookup_kvstore_escu6, dashboard_escu6, and baseline_escu6.

Please see the demo video below for more information.

https://github.com/user-attachments/assets/1be02afa-36b5-4d49-91cb-8ebbcf4123d0

Recommendations 💡

  • 🚨 NOTE: If you are just getting started with managing your Splunk detections as code, we recommend that you keep the YML structure of the detections as close as possible to the original structure. This will make your detections easier to manage and will also make it easier to contribute back to the community by opening a pull request against the Splunk Security Content project.

  • In order to build a content app that is specific to your organization, we strongly recommend that you keep only the detections that are relevant to your organization and remove the other YML files. This includes selecting the detections, stories, macros and lookups that are used by the detection YML files you keep.

  • If your detections use macros and lookups, please make sure that the same macros and lookups are present in those directories. This ensures that the content app is self-contained and does not rely on external files.

  • We recommend that you follow the errors produced by the contentctl-ng tool while developing this content. The errors are descriptive enough to guide you to the right values. If you need help, please refer to the JSON Schemas for the list of allowed values.
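A self-containment check of the kind the recommendation above calls for, written as an added example (not part of the repository or of contentctl-ng): it pulls the backtick macro references and the `lookup`/`inputlookup` names out of a detection's search string and reports any that have no matching file. It assumes the detection YML exposes its SPL under a search field and that each macros/*.yml and lookups/*.yml file is named after the object it defines; the search text and object names below are constructed.

```python
"""Report macros and lookups a detection search depends on but the
content app does not ship (added example, not part of the repo)."""
import re
from pathlib import Path
from typing import Dict, List, Set

# `macro_name` or `macro_name(arg1, arg2)` inside a Splunk search
MACRO_RE = re.compile(r"`([A-Za-z0-9_]+)(?:\([^)]*\))?`")
# "| lookup ..." / "| inputlookup ..." up to the next pipe
LOOKUP_CMD_RE = re.compile(r"\|\s*(?:input)?lookup\s+([^|]+)", re.IGNORECASE)


def extract_references(search: str) -> Dict[str, Set[str]]:
    """Return the macro and lookup names a search references."""
    macros = set(MACRO_RE.findall(search))
    lookups: Set[str] = set()
    for match in LOOKUP_CMD_RE.finditer(search):
        # the lookup name is the first token that is not a key=value option
        for token in match.group(1).split():
            if "=" not in token:
                lookups.add(token)
                break
    return {"macros": macros, "lookups": lookups}


def available_names(directory: str) -> Set[str]:
    """Object names defined in a content directory (assumes <name>.yml files)."""
    return {p.stem for p in Path(directory).glob("*.yml")}


def find_missing_references(search: str, macro_names: Set[str],
                            lookup_names: Set[str]) -> Dict[str, List[str]]:
    """Names the search needs that are absent from the macro/lookup sets."""
    refs = extract_references(search)
    return {"macros": sorted(refs["macros"] - macro_names),
            "lookups": sorted(refs["lookups"] - lookup_names)}


# Constructed detection search; macro and lookup names are made up for the example.
SAMPLE_SEARCH = (
    "| tstats `security_content_summariesonly` count min(_time) as firstTime "
    "from datamodel=Endpoint.Processes where Processes.process_name=cmd.exe "
    "by Processes.dest Processes.user Processes.process_name "
    "| `drop_dm_object_name(Processes)` "
    "| lookup local=true ransomware_extensions_lookup Extension AS file_extension OUTPUT Name "
    "| `constructed_example_filter`"
)

if __name__ == "__main__":
    # Against a real checkout: available_names("macros"), available_names("lookups")
    shipped_macros = {"security_content_summariesonly", "drop_dm_object_name"}
    print(find_missing_references(SAMPLE_SEARCH, shipped_macros, set()))
```

Run from the repository root with the two available_names() calls to check a detection against the macros/ and lookups/ directories that will be packaged.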

JSON Schemas 📄

The JSON schemas in the /schemas folder define the structure and required fields for the various YML files used in the project. They ensure consistency and validation across the different types of YML files, such as macros, lookups, and analytic stories. Each schema outlines the expected data types, descriptions, and whether the fields are mandatory, giving developers a clear specification to follow.

Content Parts 🧩

  • baselines/: Searches that must be executed before a detection runs. They are specifically useful for collecting data on a system before running your detection on the collected data.
  • data_sources/: Defines the data sources, the TA or App needed to collect them, and the fields they provide that can be used by the detections.
  • deployments/: Configuration for the schedule and alert action for all content.
  • detections/: Contains all detection searches to date, and growing.
  • lookups/: Implements Splunk lookups, usually to provide a list of static values, such as commonly used ransomware extensions.
  • macros/: Implements Splunk search macros, shortcuts to commonly used search patterns such as the Sysmon source type. More on how macros are used to customize content below.
  • playbooks/: Incident Response Playbooks/Workflows for responding to a specific Use Case or Threat.
  • stories/: All Analytic Stories, which group detections and are also known as Use Cases.

MITRE ATT&CK ⚔️

Detection Coverage

To view an up-to-date detection coverage map for all the content tagged with MITRE techniques, visit https://mitremap.splunkresearch.com/ and select the Detection Coverage layer. Below is a snapshot in time of which techniques we currently have some detection coverage for.

Contribution 🥰

We welcome feedback and contributions from the community! Please see our contributing guide for more information on how to get involved.

Support 💪

If you are a Splunk Enterprise customer with a valid support entitlement contract and have a Splunk-related question, you can open a support case on the https://www.splunk.com/ support portal.

Please use the GitHub Issue Tracker to submit bugs or feature requests using the templates to the Threat Research team directly.

If you have questions or need support, you can:

License

Copyright 2026 Splunk Inc.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.