Custom Content Development

[lluked]

Is your feature request related to a problem? Please describe.

Developing custom content and ignoring already existing content is hard, especially when built in content is not separated from custom. If content is being edited it will result in having to merge with updates.

Describe the solution you'd like

• All content should be under a single directory called content for example

Content 
| - Detections
| - Stories
| - Macros
|  -  ...

• It should then be possible to select what directory you want to use with the tool to build from.

This way a directory called whatever you like can be used to build from and remain untracked while allowing you to develop your own content separately, the content you want from the existing content can be copied in to your own directory and remain untouched by future updates. The repo can be updated without any conflicts.

Describe alternatives you've considered

Not aware of any.

Additional context

Working for a large Splunk customer, we are looking at detection as code but we have difficulties with the detection pack signatures as they are and either want to modify heavily or use our own.

[ljstella]

Hi @lluked

Thanks for reaching out. Most of our team is at .Conf this week, so a full response may be delayed. With that being said, I'd recommend not trying to re-ship the ESCU content alongside custom content, but starting with a new app built with splunk/contentctl and including your own content and any rewrites or tweaked versions of ESCU in that app. We've found that maintaining a fork of security_content in this fashion long term is more work than most people expect it to be and they fall behind rather quickly.