
Custom Content Development #3019

Open
lluked opened this issue Jun 11, 2024 · 1 comment
Labels
enhancement New feature or request

Comments

@lluked

lluked commented Jun 11, 2024

Is your feature request related to a problem? Please describe.

Developing custom content while ignoring already existing content is hard, especially when built-in content is not separated from custom content. If content is being edited, it will result in having to merge with updates.

Describe the solution you'd like

  • All content should be under a single directory called content, for example:
    Content
    | - Detections
    | - Stories
    | - Macros
    | - ...
  • It should then be possible to select what directory you want to use with the tool to build from.

This way a directory called whatever you like can be used to build from and remain untracked, while allowing you to develop your own content separately. The content you want from the existing content can be copied into your own directory and remain untouched by future updates. The repo can be updated without any conflicts.

Describe alternatives you've considered

Not aware of any.

Additional context

Working for a large Splunk customer, we are looking at detection as code, but we have difficulties with the detection pack signatures as they are and either want to modify them heavily or use our own.

@lluked lluked added the enhancement New feature or request label Jun 11, 2024
@ljstella ljstella self-assigned this Jun 11, 2024
@ljstella
Contributor

Hi @lluked

Thanks for reaching out. Most of our team is at .Conf this week, so a full response may be delayed. With that being said, I'd recommend not trying to re-ship the ESCU content alongside custom content, but starting with a new app built with splunk/contentctl and including your own content and any rewrites or tweaked versions of ESCU in that app. We've found that maintaining a fork of security_content in this fashion long term is more work than most people expect it to be and they fall behind rather quickly.
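One way to make the "separate custom directory" idea concrete, as an added example that is not part of this issue or of contentctl: a small script that resolves a built-in content tree plus a separate custom directory into one effective file set, with custom files winning and every override of a built-in file reported for review at upgrade time. The detections/stories/macros layout and the .yml suffix are assumptions, and the sample tree is constructed inline.

```python
"""Resolve an effective content tree from a built-in (ESCU-style) directory
and a separate custom overlay directory. Custom files win, and each override
of a built-in file is reported so rewrites can be re-checked after an upgrade."""
from pathlib import Path
import shutil
import tempfile

# Assumed layout; contentctl's real directory names are not taken from this page.
CONTENT_KINDS = ("detections", "stories", "macros")


def resolve_content(builtin_root: Path, custom_root: Path) -> dict:
    """Return {'files': {rel_path: source_path}, 'overrides': [...],
    'custom_only': [...]} for the union of both trees, custom overlay winning."""
    files, overrides, custom_only = {}, [], []
    for kind in CONTENT_KINDS:
        base_dir, custom_dir = builtin_root / kind, custom_root / kind
        if base_dir.is_dir():
            for base in base_dir.rglob("*.yml"):
                files[base.relative_to(builtin_root).as_posix()] = base
        if custom_dir.is_dir():
            for custom in custom_dir.rglob("*.yml"):
                rel = custom.relative_to(custom_root).as_posix()
                (overrides if rel in files else custom_only).append(rel)
                files[rel] = custom  # custom overlay replaces the built-in file
    return {"files": files, "overrides": sorted(overrides),
            "custom_only": sorted(custom_only)}


def demo() -> dict:
    """Build a constructed sample tree in a temp dir, resolve it, and return
    the result with the effective file texts attached (temp dir is removed)."""
    root = Path(tempfile.mkdtemp())
    sample = {  # constructed sample content, not real ESCU detections
        "builtin/detections/endpoint/a.yml": "name: A\nsource: builtin\n",
        "builtin/detections/endpoint/b.yml": "name: B\nsource: builtin\n",
        "builtin/macros/m.yml": "name: m\nsource: builtin\n",
        "custom/detections/endpoint/b.yml": "name: B\nsource: custom-tweak\n",
        "custom/detections/custom/c.yml": "name: C\nsource: custom\n",
    }
    for rel, text in sample.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(text)
    result = resolve_content(root / "builtin", root / "custom")
    result["text"] = {rel: p.read_text() for rel, p in result["files"].items()}
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    r = demo()
    print("overrides to re-review on upgrade:", r["overrides"])
    print("custom-only content:", r["custom_only"])
```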
