Splunk Security Content

Quick Overview

Splunk Security Content is an open-source repository containing security detections, analytics, and automation for Splunk Enterprise Security and Splunk SOAR. It provides a comprehensive collection of security use cases, including threat detection rules, investigation playbooks, and response actions, designed to help security teams improve their threat detection and response capabilities.

Pros

  • Extensive collection of pre-built security content for various use cases
  • Regular updates and contributions from the community and Splunk experts
  • Easy integration with Splunk Enterprise Security and Splunk SOAR
  • Well-documented and standardized format for content creation and sharing

Cons

  • Requires Splunk Enterprise Security or Splunk SOAR for full functionality
  • Some content may require customization for specific environments
  • Learning curve for understanding and implementing advanced detections
  • Limited support for non-Splunk environments

Getting Started

To get started with Splunk Security Content:

  1. Clone the repository:

    git clone https://github.com/splunk/security_content.git
    
  2. Install the required dependencies:

    pip install -r requirements.txt
    
  3. Use the provided scripts to validate and generate content:

    python bin/validate_content.py
    python bin/generate_attack_data.py
    
  4. Import the generated content into your Splunk Enterprise Security or Splunk SOAR instance following the documentation provided in the repository.

Competitor Comparisons

Cyber Threat Intelligence Repository expressed in STIX 2.0

Pros of cti

  • Comprehensive MITRE ATT&CK framework coverage
  • Regular updates with new threat intelligence
  • Structured data format (STIX) for easy integration

Cons of cti

  • Requires more technical expertise to utilize effectively
  • Less focus on ready-to-use detection rules
  • May require additional processing for practical implementation

Code Comparison

cti (STIX format):

{
  "type": "attack-pattern",
  "id": "attack-pattern--7e150503-88e7-4861-866b-ff1ac82c4475",
  "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "created": "2017-05-31T21:30:54.127Z",
  "modified": "2020-03-30T01:59:46.726Z",
  "name": "Rundll32",
  "description": "Adversaries may abuse rundll32.exe to proxy execution of malicious code...",
  "kill_chain_phases": [
    {
      "kill_chain_name": "mitre-attack",
      "phase_name": "defense-evasion"
    }
  ]
}

security_content (YAML format):

name: Detect Rundll32 Execution
id: 12345678-1234-1234-1234-123456789012
version: 1
date: '2021-01-01'
author: Splunk
type: TTP
datamodel: []
description: This search detects potential abuse of rundll32.exe for malicious code execution.
search: |
  index=windows sourcetype=WinEventLog:Security EventCode=4688
  Process_Name="*\\rundll32.exe"
  | stats count by Computer, User, Process_Name, Process_Command_Line

TheHive: a Scalable, Open Source and Free Security Incident Response Platform

Pros of TheHive

  • Full-featured incident response platform with case management, alert handling, and collaboration tools
  • Integrates with various security tools and threat intelligence platforms
  • Highly customizable and extensible through APIs and plugins

Cons of TheHive

  • Steeper learning curve and more complex setup compared to security_content
  • Requires more resources to run and maintain as a full application stack
  • Less focused on providing pre-built detection content

Code Comparison

TheHive (Scala):

def create(caze: Case): Future[Case] = {
  val createdCase = caze.copy(
    createdAt = Some(new Date().getTime),
    createdBy = Some(AuthContext.get.userId)
  )
  caseRepository.create(createdCase)
}

security_content (YAML):

name: Suspicious PowerShell Download
description: Detects suspicious PowerShell download commands
search: >-
  index=windows sourcetype=WinEventLog:PowerShell
  (CommandLine="*Net.WebClient*.DownloadFile*" OR CommandLine="*Net.WebClient*.DownloadString*")

The code snippets highlight the different focus areas of the two projects. TheHive's code relates to case management functionality, while security_content provides detection rules in YAML format.

A community-driven, open-source project to share detection logic, adversary tradecraft and resources to make detection development more efficient.

Pros of ThreatHunter-Playbook

  • More comprehensive threat hunting methodology, including data sources and detection logic
  • Broader coverage of various platforms and technologies beyond Splunk
  • Community-driven approach with contributions from diverse security professionals

Cons of ThreatHunter-Playbook

  • Less frequent updates compared to Security Content
  • May require more effort to implement due to its platform-agnostic nature
  • Lacks the tight integration with Splunk's ecosystem

Code Comparison

ThreatHunter-Playbook (YAML format):

title: Suspicious PowerShell Download
id: 69d641e5-aa25-4275-b7aa-4dd4a9e833c3
description: Detects suspicious PowerShell download
detection:
  selection:
    EventID: 4104
    ScriptBlockText|contains:
      - 'Net.WebClient'
      - 'DownloadFile'
  condition: selection

Security Content (YAML format):

name: Detect Suspicious PowerShell Download
id: 5b2f3ed9-493e-4345-9c1a-3c3d45c0d367
search: >-
  index=windows EventCode=4104
  (ScriptBlockText="*Net.WebClient*" OR ScriptBlockText="*DownloadFile*")
  | stats count by Computer, User

Both repositories provide valuable resources for threat detection and hunting. ThreatHunter-Playbook offers a more comprehensive and platform-agnostic approach, while Security Content provides tighter integration with Splunk and more frequent updates. The choice between them depends on the specific needs and environment of the organization.

Main Sigma Rule Repository

Pros of Sigma

  • Vendor-agnostic rule format, supporting multiple SIEM and log management systems
  • Larger community and broader adoption across the security industry
  • More flexible and extensible, allowing for custom field mappings and rule transformations

Cons of Sigma

  • Less integrated with Splunk-specific features and capabilities
  • May require additional tools or converters for optimal use in Splunk environments
  • Potentially steeper learning curve for Splunk-centric security teams

Code Comparison

Sigma rule example:

title: Suspicious Process Creation
detection:
    selection:
        EventID: 1
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
    condition: selection

Security Content rule example:

<rule>
  <title>Suspicious Process Creation</title>
  <search>EventCode=1 (Image="*\\cmd.exe" OR Image="*\\powershell.exe")</search>
  <description>Detects suspicious process creation events</description>
</rule>

Both repositories provide valuable security content, but Sigma offers a more universal approach, while Security Content is tailored specifically for Splunk environments. Sigma's flexibility comes at the cost of additional complexity, whereas Security Content provides a more streamlined experience for Splunk users.
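The Sigma-style rules quoted in the two comparisons above (the ThreatHunter-Playbook and Sigma examples) map onto the Splunk searches shown beside them. This added Python example, which is not part of this page, of Sigma or of security_content, performs that conversion for the single-selection case; the supported modifier set, the unquoted-number rule and the two sample rules are constructed for this page, and no field mapping is applied.

```python
# Added example: a minimal Sigma -> Splunk SPL converter for the rule shape
# shown above (one `selection` map, `condition: selection`, and the `contains`,
# `startswith`, `endswith` and `all` modifiers). Constructed for this page; it
# is not sigma-cli/pySigma and it applies no Sigma field mapping.
import re

SUPPORTED = {"contains", "startswith", "endswith", "all"}


def spl_literal(value: str) -> str:
    """Quote a value for SPL: backslashes and double quotes are escaped."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def field_clause(key: str, values) -> str:
    """Render one `Field|modifier: value(s)` entry as an SPL clause."""
    field, *mods = key.split("|")
    unknown = set(mods) - SUPPORTED
    if unknown:
        raise ValueError(f"{field}: unsupported Sigma modifier(s) {sorted(unknown)}")
    if not isinstance(values, list):
        values = [values]
    terms = []
    for v in values:
        if isinstance(v, int) and not mods:
            terms.append(f"{field}={v}")  # numeric event IDs stay unquoted
            continue
        v = str(v)
        if "contains" in mods:
            v = f"*{v}*"
        elif "startswith" in mods:
            v = f"{v}*"
        elif "endswith" in mods:
            v = f"*{v}"
        terms.append(f"{field}={spl_literal(v)}")
    joiner = " AND " if "all" in mods else " OR "  # a list is OR unless |all
    return terms[0] if len(terms) == 1 else "(" + joiner.join(terms) + ")"


def sigma_to_spl(rule: dict) -> str:
    """Convert a parsed Sigma rule; the fields inside `selection` are ANDed."""
    detection = rule["detection"]
    if detection.get("condition") != "selection":
        raise ValueError("only `condition: selection` is handled here")
    return " ".join(field_clause(k, v) for k, v in detection["selection"].items())


# The two Sigma-style rules quoted on this page, as a YAML parser would load them.
PROCESS_CREATION = {"detection": {"condition": "selection", "selection": {
    "EventID": 1, "Image|endswith": ["\\cmd.exe", "\\powershell.exe"]}}}
POWERSHELL_DOWNLOAD = {"detection": {"condition": "selection", "selection": {
    "EventID": 4104, "ScriptBlockText|contains": ["Net.WebClient", "DownloadFile"]}}}
```

Field names are emitted unchanged, so a real backend would first apply the field mapping the Sigma comparison mentions (for example Sysmon `Image` to whatever field name your Splunk add-on produces) before the resulting search is useful.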

Pros of detection-rules

  • More focused on Elastic-specific detections and integrations
  • Includes a robust testing framework for rule validation
  • Offers a wider variety of rule types, including machine learning jobs

Cons of detection-rules

  • Less comprehensive coverage of different security domains
  • Smaller community and fewer contributors
  • More complex setup and configuration process

Code Comparison

detection-rules:

name: Suspicious Process Creation in Temp Folder
type: eql
risk_score: 50
description: Detects suspicious process creation in the Windows Temp folder

query: |
  process where event.type == "creation" and
    process.executable : "C:\\Windows\\Temp\\*"

security_content:

name: Suspicious Process Creation in Temp Folder
search: |
  index=windows sourcetype=WinEventLog:Security EventCode=4688
  New_Process_Name="C:\\Windows\\Temp\\*"
description: Detects suspicious process creation in the Windows Temp folder

Both repositories provide detection rules for security monitoring, but they cater to different platforms. detection-rules is tailored for Elastic Stack users, while security_content is designed for Splunk environments. The code examples show how each repository structures its rules, with detection-rules using EQL (Event Query Language) and security_content using Splunk's search syntax.

README

Splunk Security Content

Welcome to the Splunk Security Content

This project gives you access to our repository of Analytic Stories, security guides that provide background on tactics, techniques and procedures (TTPs), mapped to the MITRE ATT&CK Framework, the Lockheed Martin Cyber Kill Chain, and CIS Controls. They include Splunk searches, machine learning algorithms and Splunk Phantom playbooks (where available)—all designed to work together to detect, investigate, and respond to threats.

Note: We have sister projects that enable us to build the industry's best security content. These projects are the Splunk Attack Range, an attack simulation lab built around Splunk, and Contentctl, the tool that enables us to build, test, and package our content for distribution.

  • Splunk Attack Range: An attack simulation lab built around Splunk.
  • Contentctl: The tool that enables us to build, test, and package our content for distribution.

Get Content🛡

The latest Splunk Security Content can be obtained via:

🌐 Website

The best way to discover and access our content is the research.splunk.com website.

🖥️ Splunk Enterprise Security (ES) Content Update

Splunk Security Content ships as part of ESCU directly into Splunk Enterprise Security. If you are an ES user, good news: you already have it!

📦 ESCU App

To manually download the latest release of Splunk Security Content (named DA-ESS-ContentUpdate.spl), you can visit the splunkbase page or the release page on GitHub.

Tools 🧰

The key tool that drives our content development is contentctl. Contentctl offers the following features:

  • Creating new detections
  • Validating the correctness of all necessary components for detections
  • Testing detections
  • Generating deployable apps from detections

To learn more about contentctl and its capabilities, please visit the contentctl repository.

MITRE ATT&CK ⚔️

Detection Coverage

To view an up-to-date detection coverage map for all the content tagged with MITRE techniques, visit https://mitremap.splunkresearch.com/ and select the Detection Coverage layer. Below is a point-in-time snapshot of the techniques for which we currently have some detection coverage.

Content Parts 🧩

  • detections/: Contains all detection searches to date; the collection keeps growing.
  • stories/: All Analytic Stories, which group related detections and are also known as Use Cases.
  • deployments/: Configuration for the schedule and alert action for all content
  • playbooks/: Incident Response Playbooks/Workflow for responding to a specific Use Case or Threat.
  • baselines/: Searches that must be executed before a detection runs. It is specifically useful for collecting data on a system before running your detection on the collected data.
  • investigations/: Investigations to further analyze the output from detections. For more information, you can refer to the Splunk Enterprise Security documentation on timelines.
  • macros/: Implements Splunk’s search macros, shortcuts to commonly used search patterns like sysmon source type. More on how macros are used to customize content below.
  • lookups/: Implements Splunk’s lookup, usually to provide a list of static values like commonly used ransomware extensions.
  • data_sources/: Defines the data sources, the necessary TA or App to collect them and the fields provided that can be used by the detections.
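Contentctl's validation step (Tools above) and the macros/ and lookups/ parts listed here suggest the consistency checks a detection must pass before it ships. The following added Python example, which is not contentctl's own code, illustrates such checks against the rundll32 detection quoted earlier in the comparison; the required-field list follows that example's keys, while the allowed `type` set, the known macro and lookup names and the appended macro call are assumptions constructed for this example.

```python
# Added example: the kind of consistency checks contentctl performs, written
# here for illustration (not contentctl's code). A detection is the dict a YAML
# parser yields from detections/; the known macro and lookup names stand in for
# the files under macros/ and lookups/. ALLOWED_TYPES is an assumption.
import re
import uuid

REQUIRED = ("name", "id", "version", "date", "author", "type", "description", "search")
ALLOWED_TYPES = {"TTP", "Anomaly", "Hunting", "Correlation"}
MACRO_REF = re.compile(r"`([A-Za-z_][A-Za-z0-9_]*)(?:\([^)]*\))?`")
LOOKUP_REF = re.compile(r"\b(?:input)?lookup\s+([A-Za-z_][A-Za-z0-9_]*)")


def referenced_macros(search: str) -> set:
    """Macro names used as `name` or `name(args)` in an SPL search."""
    return set(MACRO_REF.findall(search))


def referenced_lookups(search: str) -> set:
    """Lookup names used by `lookup` / `inputlookup` in an SPL search."""
    return set(LOOKUP_REF.findall(search))


def validate_detection(det: dict, macros: set, lookups: set) -> list:
    """Return a list of problems; an empty list means the detection passes."""
    problems = [f"missing field: {k}" for k in REQUIRED if k not in det]
    if "id" in det:
        try:
            uuid.UUID(str(det["id"]))  # ids must be UUIDs, as in the YAML above
        except ValueError:
            problems.append(f"id is not a UUID: {det['id']}")
    if det.get("type") not in ALLOWED_TYPES:
        problems.append(f"type must be one of {sorted(ALLOWED_TYPES)}")
    search = det.get("search", "")
    # Every macro and lookup the search uses must exist in macros/ and lookups/.
    problems += [f"undefined macro: {m}" for m in sorted(referenced_macros(search) - macros)]
    problems += [f"undefined lookup: {l}" for l in sorted(referenced_lookups(search) - lookups)]
    return problems


# Constructed inputs: the rundll32 detection quoted on this page, extended with one
# (assumed) macro call, plus the names that would exist under macros/ and lookups/.
KNOWN_MACROS = {"security_content_ctime", "sysmon"}
KNOWN_LOOKUPS = {"example_ransomware_extensions"}
RUNDLL32 = {
    "name": "Detect Rundll32 Execution", "id": "12345678-1234-1234-1234-123456789012",
    "version": 1, "date": "2021-01-01", "author": "Splunk", "type": "TTP",
    "description": "This search detects potential abuse of rundll32.exe for malicious code execution.",
    "search": 'index=windows sourcetype=WinEventLog:Security EventCode=4688 Process_Name="*\\\\rundll32.exe" '
              "| stats count min(_time) as firstTime by Computer, User, Process_Name, Process_Command_Line "
              "| `security_content_ctime(firstTime)`",
}
```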

Contribution 🥰

We welcome feedback and contributions from the community! Please see our guide to contributing to the project for more information on how to get involved.

Support 💪

If you are a Splunk Enterprise customer with a valid support entitlement contract and have a Splunk-related question, you can open a support case on the https://www.splunk.com/ support portal.

Please use the GitHub Issue Tracker to submit bugs or feature requests using the templates to the Threat Research team directly.

If you have questions or need support, you can:

License

Copyright 2022 Splunk Inc.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.