splunk/security_content splunk/security_content

  • Stars
    star
    1,131
  • Rank 39,863 (Top 0.9 %)
  • Language
    Python
  • License
    Apache License 2.0
  • Created over 5 years ago
  • Updated about 2 months ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
splunk/security_content
github

splunk

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Splunk Security Content

Splunk Security Content

security_content

Welcome to the Splunk Security Content

This project gives you access to our repository of Analytic Stories, security guides that provide background on tactics, techniques and procedures (TTPs), mapped to the MITRE ATT&CK Framework, the Lockheed Martin Cyber Kill Chain, and CIS Controls. They include Splunk searches, machine learning algorithms and Splunk Phantom playbooks (where available)β€”all designed to work together to detect, investigate, and respond to threats.

Get ContentπŸ›‘

The latest Splunk Security Content can be obtained via:

SSE App

Grab the latest release of Splunk Security Essentials App and install it on a Splunk instance. You can download it from splunkbase, it is a Splunk Supported App. SSE Splunk app today supports push updates for security content release, this is the preferred way to get content!

ESCU App

Grab the latest release of DA-ESS-ContentUpdate.spl and install it on a Splunk instance. Alternatively, you can download it from splunkbase, it is currently a Splunk Supported App.

API

curl -s https://content.splunkresearch.com | jq
{
  "hello": "welcome to Splunks Research security content api"
}

Usage 🧰

contentctl.py

The Content Control tool allows you to manipulate Splunk Security Content via the following actions:

  1. init - Initilialize a new repo from scratch so you can easily add your own content to a custom application. Note that this requires a large number of command line arguments, so use python contentctl.py init --help for documentation around those arguments.
  2. new_content - Creates new content (detection, story, baseline)
  3. validate - Validates written content
  4. generate - Generates a deployment package for different platforms (splunk_app)
  5. build - Builds an application suitable for deployment on a search head using Slim, the Splunk Packaging Toolkit
  6. inspect - Uses a local version of appinspect to ensure that the app you built meets basic quality standards.
  7. cloud_deploy - Using ACS, deploy your custom app to a running Splunk Cloud Instance.
  8. convert - Convert a detection rule with sigma syntax to a Splunk SPL detection
  9. content_changer - Perform changes on security content

pre-requisites

Make sure you use python version 3.9.

git clone [email protected]:splunk/security_content.git
cd security_content
pip install virtualenv
virtualenv venv
source venv/bin/activate
pip install -r requirements.txt

Architecture details for the tooling

create a new detection

python contentctl.py -p . new_content -t detection

for a more indepth write up on how to write content see our guide.

validate security content

python contentctl.py -p . validate -pr ESCU

generate a splunk app from current content

python contentctl.py -p . generate -o dist/escu -pr ESCU

convert a Sigma search into a Splunk detection

Detection rule using tstats and cim datamodel: python contentctl.py -p . convert -dm cim -o detections/endpoint/ -dp dev/endpoint/attempted_credential_dump_from_registry_via_reg_exe.yml

Detection rule using raw: python contentctl.py -p . convert -dm raw -o detections/endpoint/ -dp dev/endpoint/attempted_credential_dump_from_registry_via_reg_exe.yml

Detection rule converted to Windows Security Event Code 4688: python contentctl.py -p . convert -dm raw -lo "Windows Security 4688" -o detections/endpoint/ -dp dev/endpoint/attempted_credential_dump_from_registry_via_reg_exe.yml

perform changes on security content

Content changer will perform a change function defined in here on all content or the content defined through the filter condition: python contentctl.py -p detections/endpoint content_changer --change_function update_description --filter_key name --filter_value "3CX Supply Chain Attack Network Indicators" "Hello World"

MITRE ATT&CK βš”οΈ

Detection Coverage

To view an up-to-date detection coverage map for all the content tagged with MITRE techniques visit: https://mitremap.splunkresearch.com/ under the Detection Coverage layer. Below is a snapshot in time of what technique we currently have some detection coverage for. The darker the shade of blue the more detections we have for this particular technique. This map is automatically updated on every release and generated from the generate-coverage-map.py.

Customize to your Environment πŸ—

Customize your content to change how often detections run, or what the right source type for sysmon in your environment is please follow this guide.

What's in an Analytic Story? πŸ—Ί

A complete use case, specifically built to detect, investigate, and respond to a specific threat like Credential Dumping or Ransomware. A group of detections and a response make up an analytic story, they are associated with the tag analytic_story: <name>.

Content Parts 🧩

  • detections/: Contains all 209 detection searches to-date and growing.
  • stories/: All Analytic Stories that are group detections or also known as Use Cases
  • deployments/: Configuration for the schedule and alert action for all content
  • playbooks/: Incident Response Playbooks/Workflow for responding to a specific Use Case or Threat.
  • baselines/: Searches that must be executed before a detection runs. It is specifically useful for collecting data on a system before running your detection on the collected data.
  • investigations/: Investigations to further analysis the output from detections.
  • dashboards/: JSON definitions of Mission Control dashboards, to be used as a response task. Currently not used.
  • macros/: Implements Splunk’s search macros, shortcuts to commonly used search patterns like sysmon source type. More on how macros are used to customize content below.
  • lookups/: Implements Splunk’s lookup, usually to provide a list of static values like commonly used ransomware extensions.
  • security_content_automation/: It contains script for enriching detection with relevant supported TAs and also contains script for publishing release build to Pre-QA artifactory on every tag release.

Contribution πŸ₯°

We welcome feedback and contributions from the community! Please see our contributing to the project for more information on how to get involved.

Support πŸ’ͺ

If you are a Splunk Enterprise customer with a valid support entitlement contract and have a Splunk-related question, you can open a support case on the https://www.splunk.com/ support portal.

Please use the GitHub Issue Tracker to submit bugs or feature requests using the templates to the Threat Research team directly.

If you have questions or need support, you can:

License

Copyright 2022 Splunk Inc.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

More Repositories

1

attack_range

A tool that allows you to create vulnerable instrumented local or cloud environments to simulate attacks against and collect the data into Splunk
Jinja
1,983
star
2

splunk-sdk-python

Splunk Software Development Kit for Python
Python
649
star
3

attack_data

A repository of curated datasets from various attacks
Python
537
star
4

docker-splunk

Splunk Docker GitHub Repository
Python
410
star
5

eventgen

Splunk Event Generator: Eventgen
Python
354
star
6

splunk-ansible

Ansible playbooks for configuring and managing Splunk Enterprise and Universal Forwarder deployments
Python
344
star
7

splunk-connect-for-kubernetes

Helm charts associated with kubernetes plug-ins
Python
341
star
8

botsv2

Splunk Boss of the SOC version 2 dataset.
340
star
9

docker-splunk-legacy

Docker Splunk *** LEGACY IMAGES - PLEASE SEE https://github.com/splunk/docker-splunk INSTEAD ***
Shell
304
star
10

botsv1

302
star
11

pion

Pion Network Library (Boost licensed open source)
C++
299
star
12

splunk-operator

Splunk Operator for Kubernetes
Go
197
star
13

splunk-sdk-javascript

Splunk Software Development Kit for JavaScript
JavaScript
185
star
14

botsv3

Splunk Boss of the SOC version 3 dataset.
163
star
15

melting-cobalt

A Cobalt Strike Scanner that retrieves detected Team Server beacons into a JSON object
Python
162
star
16

qbec

configure kubernetes objects on multiple clusters using jsonnet
Go
157
star
17

splunk-connect-for-syslog

Splunk Connect for Syslog
Python
142
star
18

splunk-sdk-java

Splunk Software Development Kit for Java
Java
138
star
19

splunk-library-javalogging

Splunk logging appenders for popular Java Logging frameworks
Java
131
star
20

ansible-role-for-splunk

Splunk@Splunk's Ansible role for installing Splunk, upgrading Splunk, and installing apps/addons on Splunk deployments (VM/bare metal)
Jinja
131
star
21

attack_range_local

Build a attack range in your local machine
Jinja
129
star
22

SA-ctf_scoreboard

Python
115
star
23

splunk-platform-automator

Ansible framework providing a fast and simple way to spin up complex Splunk environments.
Python
114
star
24

splunk-aws-cloudformation

AWS CloudFormation templates for Splunk distributed cluster deployment
Shell
107
star
25

securitydatasets

Home for Splunk security datasets.
97
star
26

splunk-aws-project-trumpet

Python
95
star
27

splunk-app-examples

App examples for Splunk Enterprise
JavaScript
93
star
28

splunk-demo-collector-for-analyticsjs

Example Node.js based backend collector for client-side data
JavaScript
93
star
29

terraform-provider-splunk

Terraform Provider for Splunk
Go
93
star
30

fluent-plugin-splunk-hec

This is the Fluentd output plugin for sending events to Splunk via HEC.
Ruby
83
star
31

network-explorer

C++
82
star
32

mltk-algo-contrib

Python
82
star
33

kafka-connect-splunk

Kafka connector for Splunk
Java
82
star
34

vscode-extension-splunk

Visual Studio Code Extension for Splunk
Python
82
star
35

splunk-javascript-logging

Splunk HTTP Event Collector logging interface for JavaScript
JavaScript
81
star
36

splunk-reskit-powershell

Splunk Resource Kit for Powershell
PowerShell
80
star
37

corona_virus

This project includes an app that allows users to visualize and analyze information about COVID-19 using data made publicly-available by Johns Hopkins University. For more information on legal disclaimers, please see the README.
Python
79
star
38

observability-workshop

To get started, please proceed to The Splunk Observability Cloud Workshop Homepage.
Shell
78
star
39

salo

Synthetic Adversarial Log Objects: A Framework for synthentic log generation
Python
70
star
40

docker-itmonitoring

Get Started with Streaming your Docker Logs and Stats in Splunk!
HTML
68
star
41

splunk-sdk-csharp-pcl

Splunk's next generation C# SDK
C#
65
star
42

docker-logging-plugin

Splunk Connect for Docker is a Docker logging plugin that allows docker containers to send their logs directly to Splunk Enterprise or a Splunk Cloud deployment.
Go
64
star
43

contentctl

Splunk Content Control Tool
Python
63
star
44

attack-detections-collector

Collects a listing of MITRE ATT&CK Techniques, then discovers Splunk ESCU detections for each technique
Python
59
star
45

splunk-aws-serverless-apps

Splunk AWS Serverless applications and Lambda blueprints
JavaScript
54
star
46

splunk-connect-for-ethereum

Splunk Connect for Ethereum
TypeScript
52
star
47

ShellSweep

ShellSweeping the evil.
PowerShell
52
star
48

splunk-webframework

Splunk Web Framework
Python
51
star
49

splunk-app-splunkgit

GitHub App
Python
49
star
50

pytest-splunk-addon

A Dynamic test tool for Splunk Technology Add-ons
Python
47
star
51

splunk-mltk-container-docker

Splunk App for Data Science and Deep Learning - container images repository
Jupyter Notebook
44
star
52

splunk-cloud-sdk-go

The Splunk Cloud SDK for Go, contains libraries for building apps for the Splunk Cloud Services Platform.
Go
43
star
53

rba

RBA is Splunk's method to aggregate low-fidelity security events as interesting observations tagged with security metadata to create high-fidelity, low-volume alerts.
42
star
54

splunk-app-testing

sample app along with a CICD pipeline for testing multiple versions of splunk
Shell
42
star
55

vault-plugin-secrets-gitlab

Vault Plugin for Gitlab Project Access Token
Go
40
star
56

rwi_executive_dashboard

Splunk Remote Work Insights - Executive Dashboard
HTML
38
star
57

splunk-sdk-ruby

Splunk Software Development Kit for Ruby
Ruby
36
star
58

splunk-shuttl

Splunk app for archive management, including HDFS support.
Java
35
star
59

addonfactory-ucc-generator

A framework to generate UI-based Splunk Add-ons.
Python
34
star
60

splunk-for-securityHub

Python
34
star
61

attack_range_cloud

Attack Range to test detection against nativel serverless cloud services and environments
Python
34
star
62

cloud-datamodel-security-research

A data model for cloud providers (AWS, GCP, Azure) based on security use cases
34
star
63

dashboard-conf19-examples

Splunk new dashboard framework examples .conf 2019
JavaScript
30
star
64

github_app_for_splunk

A collection of dashboards and knowledge objects for Github data
JavaScript
29
star
65

azure-functions-splunk

Azure Functions for getting data in to Splunk
JavaScript
28
star
66

splunk-connect-for-snmp

Python
28
star
67

jupyterhub-istio-proxy

JupyterHub proxy implementation for kubernetes clusters running istio service mesh
Go
27
star
68

twinclams

because twin clams are better than one clam?
Python
26
star
69

lightproto

Protobuf compatible code generator
Java
26
star
70

splunk-app-twitter

Twitter application for Splunk
Python
25
star
71

splunk-library-dotnetlogging

Support for logging from .NET Tracing and ETW / Semantic Logging ApplicationBlock to Splunk.
C#
25
star
72

observability-content-contrib

Contribution repository for Splunk Observability Content (e.g. Dashboards, Detectors, Examples, etc)
HCL
24
star
73

splunkrepl

An awesome little REPL for issuing SPLUNK queries
JavaScript
24
star
74

splunk-ref-pas-code

Splunk Reference App - Pluggable Auditing System (PAS) - Code Repo
Python
22
star
75

vault-plugin-splunk

Vault plugin to securely manage Splunk admin accounts and password rotation
Go
22
star
76

splunk-sdk-php

Splunk Software Development Kit for PHP
PHP
22
star
77

fluent-plugin-kubernetes-objects

This is the Fluentd input plugin which queries Kubernetes API to collect Kubernetes objects (like Nodes, Namespaces, Pods, etc.)
Ruby
22
star
78

splunk-heatwave-viz

A heatmap vizualization of bucketed ranged data over time.
JavaScript
21
star
79

pipelines

Concurrent processing pipelines in Go.
Go
21
star
80

splunk-gcp-functions

Python
20
star
81

splunk-tableau-wdc

Splunk Tableau Web Data Connector (WDC) Example
JavaScript
20
star
82

splunkforjenkins

Java
19
star
83

minecraft-app

Splunking Minecraft with the App Framework
JavaScript
19
star
84

splunk-add-on-jira-alerts

Splunk custom alert action for Atlassian JIRA
Python
19
star
85

splunk-bunyan-logger

A Bunyan stream for Splunk's HTTP Event Collector
JavaScript
18
star
86

splunk-3D-graph-network-topology-viz

Plot relationships between objects with force directed graph based on ThreeJS/WebGL.
JavaScript
18
star
87

public-o11y-docs

Splunk Observability Cloud docs
HTML
18
star
88

dashpub

Generate next.js apps to publish Splunk dashboards
JavaScript
18
star
89

SA-ctf_scoreboard_admin

Python
18
star
90

slack-alerts

Splunk custom alert action for sending messages to Slack channels
Python
17
star
91

vale-splunk-style-guide

Splunk Style Guide for the Vale linter
17
star
92

acs-privateapps-demo

Demo of private-apps ci/cd integration into splunkcloud using the admin config service
Go
17
star
93

splunk-cloud-sdk-python

The Splunk Cloud SDK for Python, contains libraries for building apps for the Splunk Cloud Services Platform.
Python
17
star
94

fabric-logger

Logs blocks, transactions and events from Hyperledger Fabric to Splunk.
TypeScript
17
star
95

terraform-provider-scp

Splunk Terraform Provider to manage config resources for Splunk Cloud Platform
Go
16
star
96

PEAK

Security Content for the PEAK Threat Hunting Framework
Jupyter Notebook
16
star
97

deep-learning-toolkit

Deep Learning Toolkit for Splunk
Python
15
star
98

k8s-yaml-patch

jsonnet library to patch objects loaded from yaml
Go
15
star
99

TA-osquery

A Splunk technology add-on for osquery
14
star
100

ml-toolkit-docs

ML Toolkit & Showcase application documents
14
star