Description
I am not an expert and do not know much about contentctl, but here is my thought:
Integration between Splunk UCC and contentctl to enable automated building, testing, and packaging of detection content (saved searches, correlations) alongside UCC-generated add-ons.
Problem
Currently, detection content in UCC add-ons requires manual management of savedsearches.conf files, which can be error-prone and difficult to maintain across versions. It would be nice if Splunk UCC could do the same as contentctl:
- Build detections from YAML templates
- Validate and test detection content automatically
- Auto-generate savedsearches.conf file and others like lookups and macros
Potential Solution
This will help developers that use Splunk UCC:
- Reduced manual configuration errors
- Automated testing and validation of detection content
- Standardized format for detection management
- CI/CD pipeline integration
Use Cases
- Security add-ons bundling threat detections
- Data source add-ons with pre-configured correlation searches
References
- contentctl (https://github.com/splunk/contentctl)
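As an added illustration, not code from contentctl, Splunk UCC, or the issue author, here is a minimal Python sketch of the build step the request describes: validate a detection definition (as it would look after parsing a YAML template) and render savedsearches.conf and macros.conf stanzas from it. The field names and validation rules are assumptions, not contentctl's or UCC's actual schema.

```python
import re

# Constructed sample: one detection as it would look after yaml.safe_load on a
# YAML template. Field names are an assumption loosely modelled on contentctl-style
# detections, not contentctl's or UCC's real schema.
SAMPLE_DETECTION = {
    "name": "Suspicious Scheduled Task Creation",
    "description": "schtasks.exe launched by an unusual parent process.",
    "search": "`sysmon` EventCode=1 Image=\"*\\\\schtasks.exe\" "
              "| stats count by host, ParentImage, CommandLine",
    "cron_schedule": "*/15 * * * *",
    "macros": {"sysmon": "source=\"XmlWinEventLog:Microsoft-Windows-Sysmon/Operational\""},
}

REQUIRED = ("name", "description", "search", "cron_schedule")
MACRO_REF = re.compile(r"`([A-Za-z0-9_]+)(?:\([^`]*\))?`")  # `name` or `name(args)`
CRON_FIELD = re.compile(r"^[\d*,/-]+$")                     # coarse per-field cron check


def validate(det: dict) -> list:
    """Return a list of problems; an empty list means the detection is buildable."""
    problems = [f"missing required field: {f}" for f in REQUIRED if not det.get(f)]
    cron = str(det.get("cron_schedule", "")).split()
    if len(cron) != 5 or not all(CRON_FIELD.match(c) for c in cron):
        problems.append("cron_schedule must have 5 cron fields")
    # Every `macro` referenced in the SPL must be declared, otherwise the search
    # breaks at install time instead of failing the build.
    declared = set(det.get("macros", {}))
    for ref in MACRO_REF.findall(str(det.get("search", ""))):
        if ref not in declared:
            problems.append(f"undefined macro referenced in search: {ref}")
    return problems


def render_savedsearches(det: dict) -> str:
    """Render one savedsearches.conf stanza (scheduled, but shipped disabled)."""
    problems = validate(det)
    if problems:
        raise ValueError("; ".join(problems))
    body = {"description": det["description"], "search": det["search"],
            "cron_schedule": det["cron_schedule"], "enableSched": "1", "disabled": "1"}
    return "\n".join([f"[{det['name']}]"] + [f"{k} = {v}" for k, v in body.items()]) + "\n"


def render_macros(det: dict) -> str:
    """Render macros.conf stanzas for the macros the detection declares."""
    return "".join(f"[{n}]\ndefinition = {d}\n\n" for n, d in det.get("macros", {}).items())
```

Running validate() over every detection file before packaging is what turns an undeclared macro or a malformed schedule into a CI failure rather than a broken search in the installed add-on.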