Custom Content Development #3019
Hi @lluked Thanks for reaching out. Most of our team is at .Conf this week, so a full response may be delayed. With that being said, I'd recommend not trying to re-ship the ESCU content alongside custom content, but starting with a new app built with splunk/contentctl and including your own content and any rewrites or tweaked versions of ESCU in that app. We've found that maintaining a fork of security_content in this fashion long term is more work than most people expect it to be, and they fall behind rather quickly.
Is your feature request related to a problem? Please describe.
Developing custom content and ignoring already existing content is hard, especially when built-in content is not separated from custom content. If content is being edited, it will result in having to merge with updates.
Describe the solution you'd like
This way a directory called whatever you like can be used to build from and remain untracked, while allowing you to develop your own content separately. The content you want from the existing content can be copied into your own directory and remain untouched by future updates. The repo can be updated without any conflicts.
Describe alternatives you've considered
Not aware of any.
Additional context
Working for a large Splunk customer, we are looking at detection as code but we have difficulties with the detection pack signatures as they are and either want to modify heavily or use our own.
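The workflow described in this request (copy the upstream detections you want into a separate, untracked directory and keep editing them there) has one gap worth closing: once a copy is tweaked locally, nothing tells you when the upstream original later changes. The following script is an added example, not code from the security_content project or from contentctl, that imports selected detection files into a custom directory, records the SHA-256 of each upstream file in a manifest, and later reports which upstream originals have changed or been removed so they can be reviewed rather than merged blindly. The directory names (`security_content/detections`, `my_custom_content`), the manifest file name and the sample YAML are constructed for the demo and are assumptions, not project conventions.

```python
"""Import chosen upstream detections into a separately maintained custom
directory and track upstream drift against the copies.

Added example; assumes a plain directory of detection YAML files, not any
contentctl layout. Sample content below is constructed for the demo.
"""
import hashlib
import json
import tempfile
from pathlib import Path

MANIFEST = "upstream_manifest.json"  # assumed name, lives inside the custom dir

# Constructed sample detection files (not real ESCU content).
SAMPLE_A = "name: Example Process Detection\nseverity: high\ntags:\n  - endpoint\n"
SAMPLE_B = "name: Example Network Detection\nseverity: medium\ntags:\n  - network\n"


def _sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def import_detections(upstream_dir, custom_dir, names):
    """Copy each relative path in `names` from upstream into the custom
    directory and record the upstream hash at import time."""
    upstream_dir, custom_dir = Path(upstream_dir), Path(custom_dir)
    custom_dir.mkdir(parents=True, exist_ok=True)
    manifest_path = custom_dir / MANIFEST
    manifest = json.loads(manifest_path.read_text()) if manifest_path.exists() else {}
    for name in names:
        src, dst = upstream_dir / name, custom_dir / name
        dst.parent.mkdir(parents=True, exist_ok=True)
        dst.write_bytes(src.read_bytes())      # the copy is yours to edit from now on
        manifest[name] = _sha256(src)          # remember what upstream looked like
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def check_upstream_drift(upstream_dir, custom_dir):
    """Compare current upstream files against the hashes recorded at import.
    Local edits to the copies are deliberately ignored; only upstream matters."""
    upstream_dir, custom_dir = Path(upstream_dir), Path(custom_dir)
    manifest = json.loads((custom_dir / MANIFEST).read_text())
    report = {}
    for name, recorded in manifest.items():
        src = upstream_dir / name
        if not src.exists():
            report[name] = "upstream-removed"
        elif _sha256(src) != recorded:
            report[name] = "upstream-changed"   # review the diff, re-import if wanted
        else:
            report[name] = "unchanged"
    return report


def demo():
    """Build a throwaway tree, import one detection, tweak the copy locally,
    then change the upstream file and show that only the upstream change is
    reported. Returns (report_before, report_after)."""
    with tempfile.TemporaryDirectory() as tmp:
        upstream = Path(tmp) / "security_content" / "detections"
        custom = Path(tmp) / "my_custom_content"
        (upstream / "endpoint").mkdir(parents=True)
        (upstream / "endpoint" / "a.yml").write_text(SAMPLE_A)
        (upstream / "endpoint" / "b.yml").write_text(SAMPLE_B)

        import_detections(upstream, custom, ["endpoint/a.yml"])
        # Local customisation of the copy must not show up as drift.
        (custom / "endpoint" / "a.yml").write_text(SAMPLE_A + "  - custom_tag\n")
        before = check_upstream_drift(upstream, custom)

        # Upstream later revises the original detection.
        (upstream / "endpoint" / "a.yml").write_text(SAMPLE_A.replace("high", "critical"))
        after = check_upstream_drift(upstream, custom)
        return before, after


if __name__ == "__main__":
    for label, report in zip(("before upstream change", "after upstream change"), demo()):
        print(label, json.dumps(report))
```

Because the manifest records only upstream hashes, local edits to the copies never trigger a report; the custom directory can be excluded from the repo's tracking while the script still tells you which upstream originals deserve a look after each `git pull`.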