3. Content Structure and Versioning
Bhavin Patel edited this page 2024-09-18 16:21:46 +05:30
Content Parts
- stories/: All Analytic Stories shipped in ESCU have their
- detections/: Splunk Enterprise, Splunk UBA, and Splunk Phantom detections that power Analytic Stories
- deployments/: Deployment configurations for scheduling correlation searches in Enterprise Security
- macros/: Macros that are used by the detections
- lookups/: Lookups that are used by the detections
- playbooks/: Playbook configurations that are associated with analytic stories
- dashboards/: XML configuration for the dashboards shipped with the app
Release Versioning
Each Splunk Security Content release follows a three-number structure, <major>.<minor>.<patch>, for example 3.9.1. The following explains what each number signifies and when it changes.
- <major> - The specification/schema version the content adheres to. Today we are on spec 3.0. This number changes only when the content schema changes or is updated.
- <minor> - The content update we are on. This number increases every time new content is introduced, for example new detections, stories, or responses.
- <patch> - Fixes to existing content. This number increases every time a bug in a current piece of content is resolved without introducing any new functionality.
This is not our own concept; it is semantic versioning as described at https://semver.org/. Note that release announcements are sent only for major and minor releases; patch releases are usually not announced unless they contain critical fixes that need to be communicated.
Content Versioning of yaml files
- version - An integer, incremented every time the yaml file is changed
- date - A date string, updated every time the content is modified
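The two versioning rules above (release number and per-file version/date) are easy to forget in a pull request, so a reviewer typically wants a check that compares the previous and current content trees. The following is an added example, not code from security_content or contentctl: the yaml files are represented as already-parsed Python dicts built inline as constructed sample data (a real check would load them with yaml.safe_load()), the `date` field is assumed to be written as YYYY-MM-DD, and the file names and search strings are made up for illustration.

```python
"""Versioning checks for ESCU yaml content, as described on this page.

Added example, not code from security_content or contentctl. The yaml
files are represented as already-parsed Python dicts (constructed sample
data, trimmed to the fields that matter); a real check would load them
with yaml.safe_load(). Assumes `date` is written as YYYY-MM-DD.
"""
from __future__ import annotations

import datetime
from dataclasses import dataclass

# Bookkeeping fields; a change to these alone is not a content change.
VERSION_FIELDS = frozenset({"version", "date"})


@dataclass(frozen=True)
class Release:
    """A <major>.<minor>.<patch> release number such as 3.9.1."""
    major: int
    minor: int
    patch: int

    @classmethod
    def parse(cls, text: str) -> Release:
        major, minor, patch = (int(part) for part in text.split("."))
        return cls(major, minor, patch)

    def __str__(self) -> str:
        return f"{self.major}.{self.minor}.{self.patch}"


def content_changed(old: dict, new: dict) -> bool:
    """True when any field other than version/date differs."""
    def body(doc: dict) -> dict:
        return {k: v for k, v in doc.items() if k not in VERSION_FIELDS}
    return body(old) != body(new)


def check_yaml_versioning(path: str, old: dict | None, new: dict) -> list[str]:
    """Return rule violations for one yaml file; old is None for a new file.

    Rules from this page: `version` is an integer bumped on every change and
    `date` is updated whenever the content is modified. Requiring the date
    to move strictly forward is this example's interpretation.
    """
    problems: list[str] = []
    version = new.get("version")
    version_ok = isinstance(version, int) and not isinstance(version, bool) and version >= 1
    if not version_ok:
        problems.append(f"{path}: version must be a positive integer, got {version!r}")
    try:
        new_date = datetime.date.fromisoformat(str(new.get("date")))
    except ValueError:
        problems.append(f"{path}: date must be YYYY-MM-DD, got {new.get('date')!r}")
        return problems
    if old is None or not content_changed(old, new):
        return problems  # new file, or nothing but bookkeeping touched
    if version_ok and version != old["version"] + 1:
        problems.append(f"{path}: content changed but version went {old['version']} -> {version}")
    if new_date <= datetime.date.fromisoformat(str(old["date"])):
        problems.append(f"{path}: content changed but date {new['date']} was not updated")
    return problems


def next_release(current: Release, changes: dict[str, tuple[dict | None, dict]],
                 schema_changed: bool = False) -> Release:
    """Derive the next release number from a set of (old, new) yaml pairs.

    New content -> minor bump, fixes to existing content -> patch bump. A
    schema change bumps major; a file diff cannot detect that, so it is a flag.
    """
    if schema_changed:
        return Release(current.major + 1, 0, 0)
    if any(old is None for old, _ in changes.values()):
        return Release(current.major, current.minor + 1, 0)
    if any(content_changed(old, new) for old, new in changes.values()):
        return Release(current.major, current.minor, current.patch + 1)
    return current


def diff_tree(previous: dict[str, dict], current: dict[str, dict]) -> dict[str, tuple[dict | None, dict]]:
    """Pair every file in the current tree with its previous version (None if new)."""
    return {path: (previous.get(path), doc) for path, doc in current.items()}


# Constructed sample: what two releases of detections/ might look like.
PREVIOUS_TREE = {
    "detections/endpoint/example_a.yml": {"name": "Example A", "version": 2, "date": "2024-01-10",
                                          "search": "| tstats count from datamodel=Endpoint.Processes"},
    "detections/endpoint/example_b.yml": {"name": "Example B", "version": 1, "date": "2023-11-02",
                                          "search": "index=main sourcetype=foo"},
}
CURRENT_TREE = {
    # edited, version and date bumped correctly
    "detections/endpoint/example_a.yml": {"name": "Example A", "version": 3, "date": "2024-09-18",
                                          "search": "| tstats count from datamodel=Endpoint.Processes | where count > 1"},
    # edited, but version and date were forgotten
    "detections/endpoint/example_b.yml": {"name": "Example B", "version": 1, "date": "2023-11-02",
                                          "search": "index=main sourcetype=bar"},
    # brand-new content
    "detections/endpoint/example_c.yml": {"name": "Example C", "version": 1, "date": "2024-09-18",
                                          "search": "index=main sourcetype=baz"},
}


def run_checks(previous: dict[str, dict], current: dict[str, dict], release: str) -> tuple[list[str], Release]:
    """All violations across the tree, plus the release number that fits the changes."""
    changes = diff_tree(previous, current)
    problems = [p for path, (old, new) in changes.items()
                for p in check_yaml_versioning(path, old, new)]
    return problems, next_release(Release.parse(release), changes)


if __name__ == "__main__":
    found, release = run_checks(PREVIOUS_TREE, CURRENT_TREE, "3.9.1")
    for line in found:
        print(line)
    print(f"next release: {release}")
```

On the sample data the check flags example_b twice (version not incremented, date not updated) and, because example_c is new content, proposes 3.10.0 as the next release from 3.9.1; with only the edit to example_a it would propose 3.9.2.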