UserGuide.md

File metadata and controls

65 lines (52 loc) · 3.04 KB

# Quick Start Guide

1. Use pipx to install contentctl on your computer.

   ```shell
   pipx install contentctl
   ```

2. Create a new directory to serve as your repository for content.

   ```shell
   mkdir MyNewContentPack
   ```

3. Initialize the project. This will create the scaffolding for you.

   ```shell
   contentctl init
   ```

At this point, you have a fully functioning app that you can build with

```shell
contentctl build
```

and install on your Splunk server! But there's not much to it just yet, so we should create new content.

4. You can create new content via a wizard on the terminal:

   ```shell
   contentctl new --type detection
   ```

   or

   ```shell
   contentctl new --type story
   ```

If you're not already familiar with the types of content, you should read the splunk/security_content wiki; all of the objects we use to create ESCU are available to use in your own app. The short version is that Analytic Stories are an object you can use to group Detections together, whether by common data source, techniques used in a campaign, or the color you assign in your mind to each detection. There are no strict rules for this in your own app. Meanwhile, Detections are the correlation searches (pre-ES8) or Event-Based Detections (post-ES8) that power your security operations.

Once you've run through the wizard and created a new piece of content, you should open it in a text editor. Some fields will still need to be configured, depending on the prompts you answered.

5. As you develop your app, you may have questions about whether the value you've supplied for a field is valid, or whether a field takes a single item or a list of items. You can check your work as you go with

   ```shell
   contentctl validate
   ```

   which surfaces validation errors in your configuration.

## Risk Based Alerting

There are more details on how to use Risk Based Alerting in contentctl in both the v5 migration guide and the RBA Types documents.

## Shell tab-complete

Using the tab-completion feature set of the CLI library we're using, you can generate tab completions for contentctl automatically for zsh, bash, and tcsh. For additional details, see the docs for that library.

### Zsh

If you already have a location for your zsh tab completions, you only need to run the generation line and can skip the folder creation, adapting the rest to fit your shell config. Note that the two `echo` lines below append to `~/.zshrc` unconditionally, so run them only once to avoid duplicate `fpath`/`compinit` entries.

```shell
mkdir -p ~/.zfunc
contentctl --tyro-write-completion zsh ~/.zfunc/_contentctl
echo "fpath+=~/.zfunc" >> ~/.zshrc
echo "autoload -Uz compinit && compinit" >> ~/.zshrc
source ~/.zshrc
```

### Bash

```shell
completion_dir=${BASH_COMPLETION_USER_DIR:-${XDG_DATA_HOME:-$HOME/.local/share}/bash-completion}/completions/
mkdir -p "$completion_dir"
contentctl --tyro-write-completion bash "${completion_dir}/_contentctl"
```

bash-completion loads the file on demand from that directory, so open a new shell (or `source` the generated file) for the completions to take effect.
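The Zsh and Bash sections above are one-shot snippets; re-running them appends duplicate lines to `~/.zshrc`, and they give no hint when `contentctl` is missing from `PATH`. The script below is an added example (not part of contentctl or this guide) that folds both procedures into an idempotent installer: it resolves the same completion directories the guide uses, writes the completion file only when `contentctl` is actually installed, and adds the `fpath`/`compinit` bootstrap lines to `~/.zshrc` only if they are not already there. The function names (`contentctl_completion_dir`, `append_once`, `configure_zshrc`, `install_completion`) are this example's own.

```shell
#!/bin/sh
# Added example, not contentctl's own code: idempotent tab-completion installer
# for bash and zsh, reusing the guide's directory conventions.

# Print the directory the completion file should be written to.
#   bash: BASH_COMPLETION_USER_DIR, else XDG_DATA_HOME, else ~/.local/share
#   zsh:  ~/.zfunc (the convention used in the guide)
contentctl_completion_dir() {
  case "$1" in
    bash) printf '%s\n' "${BASH_COMPLETION_USER_DIR:-${XDG_DATA_HOME:-$HOME/.local/share}/bash-completion}/completions" ;;
    zsh)  printf '%s\n' "$HOME/.zfunc" ;;
    *)    echo "unsupported shell: $1" >&2; return 1 ;;
  esac
}

# Append a line to a file only if that exact line is not already present,
# so repeated runs do not accumulate duplicates.
append_once() {
  line="$1"; file="$2"
  touch "$file"
  grep -qxF -- "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

# Add the zsh bootstrap lines from the guide to the given rc file (default ~/.zshrc).
configure_zshrc() {
  rc="${1:-$HOME/.zshrc}"
  append_once 'fpath+=~/.zfunc' "$rc"
  append_once 'autoload -Uz compinit && compinit' "$rc"
}

# Generate the completion script for one shell. Returns:
#   0 on success, 1 for an unsupported shell, 2 when contentctl is not installed.
install_completion() {
  shell="$1"
  dir="$(contentctl_completion_dir "$shell")" || return 1
  if ! command -v contentctl >/dev/null 2>&1; then
    echo "contentctl not found on PATH; run 'pipx install contentctl' first" >&2
    return 2
  fi
  mkdir -p "$dir"
  contentctl --tyro-write-completion "$shell" "$dir/_contentctl"
  if [ "$shell" = zsh ]; then
    configure_zshrc
  fi
  echo "wrote $dir/_contentctl"
}

# Usage: sh install_completion.sh bash   (or zsh). With no argument, nothing runs.
case "${1:-}" in
  bash|zsh) install_completion "$1" ;;
esac
```

After installing for zsh, start a new shell (or `source ~/.zshrc`) so `compinit` picks up the new function; for bash, bash-completion loads the file from the completions directory on demand.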