/security-content

Splunk Security Content

Primary LanguagePythonApache License 2.0Apache-2.0

Splunk Security Content

security-content

branch build status
develop develop status
master master status

Welcome to the Splunk Security Content

This project gives you access to our repository of Analytic Stories that are security guides the provide background on TTPs, mapped to the MITRE framework, the Lockheed Martin Kill Chain, and CIS controls. They include Splunk searches, machine-learning algorithms, and Splunk Phantom playbooks (where available)—all designed to work together to detect, investigate, and respond to threats.

Usage🛡

The Splunk Security Content can be used via:

Grab the latest release of DA-ESS-ContentUpdate and install it on a Splunk Enterprise instance. Alternatively, you can download it from splunkbase, it is currently a Splunk Supported App.

curl -s https://content.splunkresearch.com | jq
{
  "hello": "welcome to Splunks Research security content api"
}

Create your customized version of Security Content by forking this project and following this guide.

MITRE ATT&CK

Detection Coverage

To view an up-to-date detection coverage map for all the content tagged with MITRE techniques visit: https://mitremap.splunkresearch.com/ under the Detection Coverage layer. Below is a snapshot in time of what we are covering. This map is automatically updated on every release and generated from the generate-coverage-map.py.

Detection Priority by Threat Actors

If curious about how the Threat Research team prioritizes what content to build refer to our Detection Priority by Threat Actors layer. Using the actor data from MITRE CTI we add a point for every threat actor that uses a particular technique, and then subtract a point of every detection we have mapped to that technique. The resulting map below is how we prioritize what techniques and detections to focus on next. This map is automatically updated on every release and is generated by the generate-actors-map.py script.

Customize to your Environment 🏗

Customize your content to change how often detections run, or what the right source type for sysmon in your environment is please follow this guide.

Writing Content 📓

Please see the Developing Content guide for instructions.

What's in an Analytic Story?

A complete use case, specifically built to detect, investigate, and respond to a specific threat like Credential Dumping or Ransomware. A group of detections and a response make up an analytic story, they are associated with the tag analytics_story: <name>.

Execute an Analytic Story 🏃‍♀️

Download and install the latest version of Splunk Analytic Story Execution. This Splunk application will help the user do the following:

  1. Execute an analytic story in an ad-hoc mode and view the results.
  2. Schedule all the detection searches in an analytic story.
  3. Update security-content via an API

Content Parts 🧩

  • detections/: Contains all 209 detection searches to-date and growing.
  • stories/: All Analytic Stories that are group detections or also known as Use Cases
  • deployments/: Configuration for the schedule and alert action for all content
  • responses/: Incident Response Playbooks/Workflow for responding to a specific Use Case or Threat.
  • response_tasks/: Individual steps in responses that help the user investigate via a Splunk search, automate via a phantom playbook, and visualize via dashboards threats.
  • baselines/: Searches that must be executed before a detection runs. It is specifically useful for collecting data on a system before running your detection on the collected data.
  • dashboards/: JSON definitions of Mission Control dashboards, to be used as a response task. Currently not used.
  • macros/: Implements Splunk’s search macros, shortcuts to commonly used search patterns like sysmon source type. More on how macros are used to customize content below.
  • lookups/: Implements Splunk’s lookup, usually to provide a list of static values like commonly used ransomware extensions.

Supporting Parts

  • package/: Splunk content app-source files, including lookups, binaries, and default config files
  • bin/: All binaries required to produce and test content

Contribution 🥰

We welcome feedback and contributions from the community! Please see our contributing to the project for more information on how to get involved.

Support 💪

Please use the GitHub Issue Tracker to submit bugs or request features.

If you have questions or need support, you can: