-
Notifications
You must be signed in to change notification settings - Fork 0
/
splunk_contentctl_pipeline.yml
54 lines (53 loc) · 1.49 KB
/
splunk_contentctl_pipeline.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
name: Output to contenctl yaml format
priority: 100
postprocessing:
- type: template
template: |+
name: {{rule.title}}
id: {{ rule.id }}
version: 1
date: {{rule.date}}
author: {{rule.author}}
data_sources:
- UPDATE
type: UPDATE
status: validation
description: {{rule.description}}
kind: UPDATE
search: '{{query}}'
how_to_implement: UPDATE_HOW_TO_IMPLEMENT
known_false_positives: '{% for fp in rule.falsepositives -%}{{fp}}{{ ", " if not loop.last else "" }}{% endfor %}'
references:
{% for reference in rule.references -%}
- {{reference}}
{% endfor -%}
tags:
analytic_story:
- UPDATE_STORY_NAME
asset_type: UPDATE asset_type
confidence: UPDATE value between 1-100
impact: UPDATE value between 1-100
message: UPDATE message
mitre_attack_id:
- UPDATE
observable:
- name: UPDATE
type: UPDATE
role:
- UPDATE
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- UPDATE
risk_score: UPDATE (impact * confidence)/100
security_domain: UPDATE
cve:
- UPDATE WITH CVE(S) IF APPLICABLE
tests:
- name: True Positive Test
attack_data:
- data: https://github.com/splunk/contentctl/wiki
sourcetype: UPDATE SOURCETYPE
source: UPDATE SOURCE