Is your feature request related to a problem? Please describe.
Developing custom content and ignoring already existing content is hard, especially when built-in content is not separated from custom content. If content is being edited, it will result in having to merge with updates.
Describe the solution you'd like
All content should be under a single directory, called content for example.
It should then be possible to select what directory you want to use with the tool to build from.
This way, a directory called whatever you like can be used to build from and remain untracked, while allowing you to develop your own content separately. The content you want from the existing content can be copied into your own directory and remain untouched by future updates. The repo can then be updated without any conflicts.
Describe alternatives you've considered
Not aware of any.
Additional context
Working for a large Splunk customer, we are looking at detection as code but we have difficulties with the detection pack signatures as they are and either want to modify heavily or use our own.
Thanks for reaching out. Most of our team is at .conf this week, so a full response may be delayed. With that being said, I'd recommend not trying to re-ship the ESCU content alongside custom content, but starting with a new app built with splunk/contentctl and including your own content and any rewrites or tweaked versions of ESCU in that app. We've found that maintaining a fork of security_content in this fashion long term is more work than most people expect it to be, and they fall behind rather quickly.