From fd398c951d9dfc2dadca180c8b72730f8fa6812d Mon Sep 17 00:00:00 2001
From: Eric
Date: Wed, 3 Jun 2026 11:02:13 -0700
Subject: [PATCH 1/6] add code snippets for escu 6 ymsl
---
 .vscode/escu_6.code-snippets | 229 +++++++++++++++++++++++++++++++++++
 1 file changed, 229 insertions(+)
 create mode 100644 .vscode/escu_6.code-snippets
diff --git a/.vscode/escu_6.code-snippets b/.vscode/escu_6.code-snippets
new file mode 100644
index 0000000000..623d309083
--- /dev/null
+++ b/.vscode/escu_6.code-snippets
@@ -0,0 +1,229 @@
+{
+ "New Detection": {
+ "scope": "yaml",
+ "prefix": "detection_escu6",
+ "description": "Scaffold a Splunk Security Content detection YAML",
+ "body": [
+ "name: ${1:${TM_FILENAME_BASE/(^|[_-])(\\w)/${1:+ }${2:/upcase}/g}}",
+ "id: $UUID",
+ "version: 1",
+ "creation_date: '${CURRENT_YEAR}-${CURRENT_MONTH}-${CURRENT_DATE}'",
+ "modification_date: '${CURRENT_YEAR}-${CURRENT_MONTH}-${CURRENT_DATE}'",
+ "author: ${2:Your Name, Splunk}",
+ "status: production",
+ "type: ${3|TTP,Anomaly,Hunting,Correlation|}",
+ "description: ${4}",
+ "data_source:",
+ " - ",
+ "search: >-",
+ " your search here",
+ " | `${TM_FILENAME_BASE}_filter`",
+ "how_to_implement: ",
+ "known_false_positives: ",
+ "references:",
+ " - ",
+ "drilldown_searches:",
+ " - name: View the detection results for - \"$risk_object$\"",
+ " search: '%original_detection_search% | search risk_object = \"$risk_object$\"'",
+ " earliest_offset: $info_min_time$",
+ " latest_offset: $info_max_time$",
+ " - name: View risk events for the last 7 days for - \"$risk_object$\"",
+ " search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN (\"$risk_object$\") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as \"Search Name\" values(risk_message) as \"Risk Message\" values(analyticstories) as \"Analytic Stories\" values(annotations._all) as \"Annotations\" values(annotations.mitre_attack.mitre_tactic) as \"ATT&CK Tactics\" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'",
+ " earliest_offset: 7d",
+ " latest_offset: \"0\"",
+ "finding:",
+ " title: ",
+ " entity:",
+ " field: ",
+ " type: ",
+ " score: ",
+ "intermediate_findings:",
+ " entities:",
+ " - field: ",
+ " type: ",
+ " score: ",
+ " message:",
+ "threat_objects:",
+ " - field: ",
+ " type: ",
+ "analytic_story:",
+ " - ",
+ "asset_type: ",
+ "mitre_attack_id:",
+ " - ",
+ "product:",
+ " - Splunk Enterprise",
+ " - Splunk Enterprise Security",
+ " - Splunk Cloud",
+ "category: ",
+ "security_domain: ",
+ "tests:",
+ " - name: True Positive Test",
+ " attack_data:",
+ " - data: ",
+ " source: ",
+ " sourcetype: ",
+ " test_type: unit",
+ ]
+ },
+ "New Macro": {
+ "scope": "yaml",
+ "prefix": "macro_escu6",
+ "body": [
+ "name: ${1:${TM_FILENAME_BASE/([_-])(\\w)/ ${2:/upcase}/g}}",
+ "id: $UUID",
+ "version: 1",
+ "creation_date: '${CURRENT_YEAR}-${CURRENT_MONTH}-${CURRENT_DATE}'",
+ "modification_date: '${CURRENT_YEAR}-${CURRENT_MONTH}-${CURRENT_DATE}'",
+ "author: ${1:Splunk Threat Research Team}",
+ "description: ${2}",
+ "definition: ${3}",
+ "$0"
+ ],
+ "description": "Scaffold a new Splunk security content macro YAML file"
+ },
+
+ "New Data Source": {
+ "scope": "yaml",
+ "prefix": "data_source_escu6",
+ "description": "Scaffold a new Splunk security content data source YAML file",
+ "body": [
+ "name: ${1:${TM_FILENAME_BASE/(^|[_-])(\\w)/${1:+ }${2:/upcase}/g}}",
+ "id: $UUID",
+ "version: 1",
+ "creation_date: '${CURRENT_YEAR}-${CURRENT_MONTH}-${CURRENT_DATE}'",
+ "modification_date: '${CURRENT_YEAR}-${CURRENT_MONTH}-${CURRENT_DATE}'",
+ "author: ${1:Splunk Threat Research Team}",
+ "description: ${3}",
+ "source: ${4:sourcename}",
+ "sourcetype: ${5:sourcetype_value}",
+ "separator: ${6:EventCode}",
+ "separator_value: '${7}'",
+ "supported_TA:",
+ " - name: ${8}",
+ " url: ${9:hxxps://splunkbase.splunk.com/app/....}",
+ " version: ${10}",
+ "fields:",
+ " - ",
+ "output_fields:",
+ " - ",
+ "mitre_components:",
+ " - ",
+ "example_log: '${11}'",
+ "$0"
+ ]
+ },
+
+ "New Story": {
+ "scope": "yaml",
+ "prefix": "story_escu6",
+ "description": "Scaffold a new Splunk security content analytic story YAML file",
+ "body": [
+ "name: ${1:${TM_FILENAME_BASE/(^|[_-])(\\w)/${1:+ }${2:/upcase}/g}}",
+ "id: $UUID",
+ "version: 1",
+ "creation_date: '${CURRENT_YEAR}-${CURRENT_MONTH}-${CURRENT_DATE}'",
+ "modification_date: '${CURRENT_YEAR}-${CURRENT_MONTH}-${CURRENT_DATE}'",
+ "author: ${2:Splunk Threat Research Team}",
+ "status: production",
+ "description: ${3}",
+ "narrative: ${4}",
+ "references:",
+ " - ",
+ "category:",
+ " - ",
+ "product:",
+ " - Splunk Enterprise",
+ " - Splunk Enterprise Security",
+ " - Splunk Cloud",
+ "usecase: ",
+ "$0"
+ ]
+ },
+
+ "New Lookup (CSV)": {
+ "scope": "yaml",
+ "prefix": "lookup_csv_escu6",
+ "description": "Scaffold a new Splunk security content CSV lookup YAML file",
+ "body": [
+ "name: ${1:${TM_FILENAME_BASE/([_-])(\\w)/ ${2:/upcase}/g}}",
+ "id: $UUID",
+ "version: 1",
+ "creation_date: '${CURRENT_YEAR}-${CURRENT_MONTH}-${CURRENT_DATE}'",
+ "modification_date: '${CURRENT_YEAR}-${CURRENT_MONTH}-${CURRENT_DATE}'",
+ "author: ${2:Splunk Threat Research Team}",
+ "lookup_type: csv",
+ "description: ${3}",
+ "match_type:",
+ " - ${4:WILDCARD()}",
+ "min_matches: REMOVE ME IF NO MIN MATCHES REQUIRED",
+ "max_matches: REMOVE ME IF NO MAX MATCHES REQUIRED",
+ "case_sensitive_match: REMOVE ME IF NO CASE SENSITIVE MATCH REQUIRED",
+ "$0"
+ ]
+ },
+
+ "New Lookup (KVStore)": {
+ "scope": "yaml",
+ "prefix": "lookup_kvstore_escu6",
+ "description": "Scaffold a new Splunk security content KVStore lookup YAML file",
+ "body": [
+ "name: ${1:${TM_FILENAME_BASE/([_-])(\\w)/ ${2:/upcase}/g}}",
+ "id: $UUID",
+ "version: 1",
+ "creation_date: '${CURRENT_YEAR}-${CURRENT_MONTH}-${CURRENT_DATE}'",
+ "modification_date: '${CURRENT_YEAR}-${CURRENT_MONTH}-${CURRENT_DATE}'",
+ "author: ${2:Splunk Threat Research Team}",
+ "lookup_type: kvstore",
+ "description: ${3}",
+ "fields:",
+ " - _key",
+ " - ${4:field_name}",
+ "$0"
+ ]
+ },
+
+ "New Dashboard": {
+ "scope": "yaml",
+ "prefix": "dashboard_escu6",
+ "description": "Scaffold a new Splunk security content dashboard YAML file",
+ "body": [
+ "name: ${1:${TM_FILENAME_BASE/(^|[_-])(\\w)/${1:+ }${2:/upcase}/g}}",
+ "id: $UUID",
+ "version: 1",
+ "creation_date: '${CURRENT_YEAR}-${CURRENT_MONTH}-${CURRENT_DATE}'",
+ "modification_date: '${CURRENT_YEAR}-${CURRENT_MONTH}-${CURRENT_DATE}'",
+ "author: ${2:Splunk Threat Research Team}",
+ "description: ${3:Utilize this dashboard to...}",
+ "$0"
+ ]
+ },
+
+ "New Baseline": {
+ "scope": "yaml",
+ "prefix": "baseline_escu6",
+ "description": "Scaffold a new Splunk security content baseline YAML file",
+ "body": [
+ "name: ${1:${TM_FILENAME_BASE/(^|[_-])(\\w)/${1:+ }${2:/upcase}/g}}",
+ "id: $UUID",
+ "version: 1",
+ "creation_date: '${CURRENT_YEAR}-${CURRENT_MONTH}-${CURRENT_DATE}'",
+ "modification_date: '${CURRENT_YEAR}-${CURRENT_MONTH}-${CURRENT_DATE}'",
+ "author: ${2:Splunk Threat Research Team}",
+ "status: production",
+ "description: ${3:This search...}",
+ "search: ${4}",
+ "how_to_implement: ${5}",
+ "known_false_positives: ${6}",
+ "references: []",
+ "product:",
+ " - Splunk Enterprise",
+ " - Splunk Enterprise Security",
+ " - Splunk Cloud",
+ "security_domain: ${7}",
+ "schedule: Default Baseline",
+ "$0"
+ ]
+ }
+
+}
From 67715fa5ac8e5157b3df721c7b99b7d37e2be5f8 Mon Sep 17 00:00:00 2001
From: nasbench <8741929+nasbench@users.noreply.github.com>
Date: Fri, 12 Jun 2026 18:09:00 +0200
Subject: [PATCH 2/6] Update README.md
---
 README.md | 47 ++++++++++++++++++++---------------------------
 1 file changed, 20 insertions(+), 27 deletions(-)
diff --git a/README.md b/README.md
index c196f78ae6..5afdaeb167 100644
--- a/README.md
+++ b/README.md
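Review bot: The `New Detection` body ends with a trailing comma after `" test_type: unit",` and is the only entry without a closing `"$0"` stop; VS Code's JSONC loader tolerates the comma, but any strict JSON check run over the repository (for instance through the pre-commit hooks the README asks contributors to install) will reject the file, so the array should end with `" test_type: unit",` followed by `"$0"` and no comma before `]`. In `New Macro` and `New Data Source` the `author:` line reuses tab stop `${1:...}`, which `name:` already owns; as I read VS Code's snippet syntax a repeated index mirrors the first stop, so the author field would be overwritten with the upcased file name instead of being offered as its own field, and it should get an unused index such as `"author: ${2:Splunk Threat Research Team}"` (renumbering `description:`/`definition:` in the macro entry accordingly). From a detection-engineering standpoint, the hard-coded `"status: production"` in the detection and baseline scaffolds means every new analytic is born as production content before the `tests:` block it also scaffolds has ever run; a choice stop like the one already used for `type:`, e.g. `"status: ${N|experimental,production|}"` with N the next free index and the values restricted to whatever the schema permits, makes that promotion an explicit decision by the author rather than a default.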
@@ -55,7 +55,7 @@ Follow these steps to get started with Splunk Security Content. 1. Clone this repository using `git clone https://github.com/splunk/security_content.git` 2. Navigate to the repository directory using `cd security_content` -3. Install contentctl using `pip install contentctl` to install the latest version of contentctl, this is a pre-requisite to validate, build and test the content like the Splunk Threat Research team +3. Install contentctl using `pip install contentctl-ng` to install the latest version of contentctl, this is a pre-requisite to validate, build and test the content like the Splunk Threat Research team 4. Install pre-commit using `pip install pre-commit` then proceed to installing the hooks via `pre-commit install`. this is a pre-requisite to validate and apply the proper formatting. # Quick Start 🚀 @@ -66,7 +66,7 @@ git clone https://github.com/splunk/security_content.git cd security_content python3.11 -m venv .venv source .venv/bin/activate -pip install contentctl +pip install contentctl-ng ``` 2. Create a new **detection.yml** and answer the questions @@ -75,7 +75,7 @@ pip install contentctl ``` -**NOTE** - Make sure you update the detection.yml with the required fields and values. If you need help, please refer to the [yaml-spec](docs/yaml-spec) to check out the list of allowed values +**NOTE** - Make sure you update the detection.yml with the required fields and values. If you need help, please refer to the [schemas](schemas/) folder to check out the list of allowed values. 4. Validate your content ``` 
@@ -83,13 +83,6 @@ contentctl validate ``` **NOTE** - The contentctl validate command ensures that all YAML files adhere to the defined specifications and are up-to-date. It checks for required fields, correct data types, and overall consistency, helping maintain the integrity and quality of the content. -5. Build an ESCU app with enrichments from Atomic Red Team and Mitre CTI repositories -``` -contentctl build --enrichments -``` - -6. Test the content - Our testing framework is based on [contentctl](https://github.com/splunk/contentctl) and is extensive and flexible. Refer to the [contentctl test documentation](https://github.com/splunk/contentctl?tab=readme-ov-file#contentctl-test) to learn more about the testing framework. - # Recommendations 💡 
@@ -99,30 +92,30 @@ contentctl build --enrichments - If your detections are using macros and lookups, please make sure that you have the same macros and lookups in those directories.. This will ensure that the content app is self-contained and does not rely on external files. -- We recommend that you follow the errors produced by the `contentctl` tool while developing this content. The errors are descriptive enough to guide you in getting the right values. If you need help, please open a GitHub issue in the `contentctl` repository or refer to the [yaml-spec](docs/yaml-spec) to check out the list of allowed values - +- We recommend that you follow the errors produced by the `contentctl-ng` tool while developing this content. The errors are descriptive enough to guide you in getting the right values. If you need help, please refer to the [JSON Schemas](#json-schemas) to check out the list of allowed values -# YAML Specs 📄 +# Json Schemas 📄 -YAML specs define the structure and required fields for various YAML configuration files used in the project. These specifications ensure consistency and validation across different types of YAML files, such as macros, lookups, and analytic stories. Each spec outlines the expected data types, descriptions, and whether the fields are mandatory, providing a clear schema for developers to follow. +The JSON schemas defined in the [/schemas](/schemas/) folder, define the structure and required fields for various YAML files used in the project. These specifications ensure consistency and validation across different types of YAML files, such as macros, lookups, and analytic stories. Each spec outlines the expected data types, descriptions, and whether the fields are mandatory, providing a clear schema for developers to follow. 
-- [detection](https://github.com/splunk/security_content/blob/develop/docs/yaml-spec/detection_spec.yml) -- [stories](https://github.com/splunk/security_content/blob/develop/docs/yaml-spec/stories_spec.yml) -- [macros](https://github.com/splunk/security_content/blob/develop/docs/yaml-spec/macros_spec.yml) -- [lookups](https://github.com/splunk/security_content/blob/develop/docs/yaml-spec/lookups_spec.yml) +- [detection](schemas/EventBasedDetection.schema.json) +- [stories](schemas/Story.schema.json) +- [macros](schemas/FileBackedMacro.schema.json) +- [lookups](schemas/CsvLookup.schema.json) +- [baseline](schemas/Baseline.schema.json) +- [playbook](schemas/Playbook.schema.json) +- [data_source](schemas/DataSource.schema.json) # Content Parts 🧩 -* [detections/](detections/): Contains all detection searches to-date and growing. -* [stories/](stories/): All Analytic Stories that are group detections or also known as Use Cases -* [deployments/](deployments/): Configuration for the schedule and alert action for all content -* [playbooks/](playbooks/): Incident Response Playbooks/Workflow for responding to a specific Use Case or Threat. * [baselines/](baselines/): Searches that must be executed before a detection runs. It is specifically useful for collecting data on a system before running your detection on the collected data. -* [investigations/](investigations/): Investigations to further analyze the output from detections. For more information, you can refer to the [Splunk Enterprise Security documentation on timelines](https://help.splunk.com/en/splunk-enterprise-security-7/user-guide/7.3/investigations/investigations-in-splunk-enterprise-security). -* [macros/](macros/): Implements Splunk’s search macros, shortcuts to commonly used search patterns like sysmon source type. More on how macros are used to customize content below. -* [lookups/](lookups/): Implements Splunk’s lookup, usually to provide a list of static values like commonly used ransomware extensions. 
* [data_sources/](data_sources/): Defines the data sources, the necessary TA or App to collect them and the fields provided that can be used by the detections. - +* [deployments/](deployments/): Configuration for the schedule and alert action for all content +* [detections/](detections/): Contains all detection searches to-date and growing. +* [lookups/](lookups/): Implements Splunk’s lookup, usually to provide a list of static values like commonly used ransomware extensions. +* [macros/](macros/): Implements Splunk’s search macros, shortcuts to commonly used search patterns like sysmon source type. More on how macros are used to customize content below. +* [playbooks/](playbooks/): Incident Response Playbooks/Workflow for responding to a specific Use Case or Threat. +* [stories/](stories/): All Analytic Stories that are group detections or also known as Use Cases # MITRE ATT&CK ⚔️ ### Detection Coverage @@ -142,7 +135,7 @@ If you have questions or need support, you can: * Join the [#security-research](https://splunkcommunity.slack.com/archives/CDNHXVBGS) channel in the [Splunk Community Slack.](https://splk.it/slack) ## License -Copyright 2022 Splunk Inc. +Copyright 2026 Splunk Inc. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. From 0612a7220c3cd7d035959f67b5a816ca5cff4895 Mon Sep 17 00:00:00 2001 From: Eric McGinnis Date: Fri, 12 Jun 2026 09:21:19 -0700 Subject: [PATCH 3/6] Add line to readme abbout snippets --- README.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/README.md b/README.md index 5afdaeb167..0a6a5d3ec3 100644 --- a/README.md +++ b/README.md 
@@ -83,6 +83,15 @@ contentctl validate ``` **NOTE** - The contentctl validate command ensures that all YAML files adhere to the defined specifications and are up-to-date. It checks for required fields, correct data types, and overall consistency, helping maintain the integrity and quality of the content. +# VS Code Snippets ✂️ + +This repo ships snippets in [.vscode/escu_6.code-snippets](.vscode/escu_6.code-snippets) to scaffold new content quickly in VS Code. + +1. Create a new `.yml` file in the appropriate content directory (e.g. `detections/`, `macros/`, `stories/`) and give it a descriptive name. This name will be used to populate the `name: ` field of your yml as well. +2. Type one of the snippet prefixes below and press `Tab` (or select it from the IntelliSense popup and press `Enter`) to expand a pre-filled template. +3. Fill in the relevant fields for your content. You may remove any optional fields which are not relevant to this piece of content. + +Available prefixes exist for `detection_escu6` , `macro_escu6`, `data_source_escu6`, `story_escu6`, `lookup_csv_escu6`, `lookup_kvstore_escu6` , `dashboard_escu6`, and `baseline_escu6` . # Recommendations 💡 From 52c2defcbf06ae920dd9cf7523d1c57cf4be8d5f Mon Sep 17 00:00:00 2001 From: pyth0n1c <87383215+pyth0n1c@users.noreply.github.com> Date: Fri, 12 Jun 2026 09:35:21 -0700 Subject: [PATCH 4/6] Add demo video link to README Added a demo video link for additional information. --- README.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/README.md b/README.md index 0a6a5d3ec3..3137e44afa 100644 --- a/README.md +++ b/README.md 
@@ -93,6 +93,12 @@ This repo ships snippets in [.vscode/escu_6.code-snippets](.vscode/escu_6.code-s Available prefixes exist for `detection_escu6` , `macro_escu6`, `data_source_escu6`, `story_escu6`, `lookup_csv_escu6`, `lookup_kvstore_escu6` , `dashboard_escu6`, and `baseline_escu6` . +Please see the demo video below for more information + +https://github.com/user-attachments/assets/1be02afa-36b5-4d49-91cb-8ebbcf4123d0 + + + # Recommendations 💡 - 🚨 NOTE: If you are just getting started with managing your Splunk detection as code, we recommend that you keep the YAML structure of the detections as close as possible to the original structure of the detections. This will make it easier to manage your detections and will also make it easier to contribute back to the community by creating a pull request to the Splunk Security Content project. From 9418b5d33b23a750360abb3c6168c32f3317abbc Mon Sep 17 00:00:00 2001 From: Eric McGinnis Date: Fri, 12 Jun 2026 09:51:34 -0700 Subject: [PATCH 5/6] update readme to replace contentctl refs with contentctl-ng. Consistent naming for YAML to YML files. --- README.md | 30 +++++++++++------------------- 1 file changed, 11 insertions(+), 19 deletions(-) diff --git a/README.md b/README.md index 3137e44afa..b1d148cdfe 100644 --- a/README.md +++ b/README.md 
@@ -25,12 +25,12 @@ Welcome to the Splunk Security Content This project gives you access to our repository of Analytic Stories, security guides that provide background on tactics, techniques and procedures (TTPs), mapped to the MITRE ATT&CK Framework, the Lockheed Martin Cyber Kill Chain, and CIS Controls. They include Splunk searches, machine learning algorithms and Splunk Phantom playbooks (where available)—all designed to work together to detect, investigate, and respond to threats. -**Note:** We have sister projects that enable us to build the industry's best security content. These projects are the Splunk Attack Range, an attack simulation lab built around Splunk, and Contentctl, the tool that enables us to build, test, and package our content for distribution. +**Note:** We have sister projects that enable us to build the industry's best security content. These projects are the Splunk Attack Range, an attack simulation lab built around Splunk, and contentctl-ng, the tool that enables us to build, test, and package our content for distribution. # Tools 🧰 - [Splunk Attack Range](https://github.com/splunk/attack_range): The Splunk Attack Range is an open-source project maintained by the Splunk Threat Research Team. It builds instrumented cloud (AWS, Azure) and local environments (Virtualbox), simulates attacks, and forwards the data into a Splunk instance. This environment can then be used to develop and test the effectiveness of detections. -- [Contentctl](https://github.com/splunk/contentctl): The tool that enables us to build, test, and package our content for distribution. +- [contentctl-ng](https://pypi.org/project/contentctl-ng/): The tool that enables us to build, test, and package our content for distribution. - [Attack data](https://github.com/splunk/attack_data): The is a collection of attack data that is used to test our content. 
- [Atomic Red Team](https://github.com/redcanaryco/atomic-red-team): Atomic Red Team™ is a library of tests mapped to the MITRE ATT&CK® framework. Security teams can use Atomic Red Team to quickly, portably, and reproducibly test their environments. @@ -55,7 +55,7 @@ Follow these steps to get started with Splunk Security Content. 1. Clone this repository using `git clone https://github.com/splunk/security_content.git` 2. Navigate to the repository directory using `cd security_content` -3. Install contentctl using `pip install contentctl-ng` to install the latest version of contentctl, this is a pre-requisite to validate, build and test the content like the Splunk Threat Research team +3. Install contentctl-ng using `pip install contentctl-ng` to install the latest version of contentctl-ng, this is a pre-requisite to validate, build and test the content like the Splunk Threat Research team 4. Install pre-commit using `pip install pre-commit` then proceed to installing the hooks via `pre-commit install`. this is a pre-requisite to validate and apply the proper formatting. # Quick Start 🚀 
@@ -69,25 +69,19 @@ source .venv/bin/activate pip install contentctl-ng ``` -2. Create a new **detection.yml** and answer the questions - ``` - contentctl new - ``` +2. Create a new content YML using VSCode Snippets detailed below - -**NOTE** - Make sure you update the detection.yml with the required fields and values. If you need help, please refer to the [schemas](schemas/) folder to check out the list of allowed values. - -4. Validate your content +3. Validate your content and build an app ``` -contentctl validate +contentctl-ng build ``` -**NOTE** - The contentctl validate command ensures that all YAML files adhere to the defined specifications and are up-to-date. It checks for required fields, correct data types, and overall consistency, helping maintain the integrity and quality of the content. +**NOTE** - The contentctl build command ensures that all yml files adhere to the defined specifications and are up-to-date. It checks for required fields, correct data types, and overall consistency, helping maintain the integrity and quality of the content. # VS Code Snippets ✂️ This repo ships snippets in [.vscode/escu_6.code-snippets](.vscode/escu_6.code-snippets) to scaffold new content quickly in VS Code. -1. Create a new `.yml` file in the appropriate content directory (e.g. `detections/`, `macros/`, `stories/`) and give it a descriptive name. This name will be used to populate the `name: ` field of your yml as well. +1. Create a new `.yml` file in the appropriate content directory (e.g. `detections/`, `macros/`, `stories/`) and give it a descriptive name. This name will be used to populate the `name: ` field of your YML as well. 2. Type one of the snippet prefixes below and press `Tab` (or select it from the IntelliSense popup and press `Enter`) to expand a pre-filled template. 3. Fill in the relevant fields for your content. You may remove any optional fields which are not relevant to this piece of content. 
@@ -97,13 +91,11 @@ Please see the demo video below for more information https://github.com/user-attachments/assets/1be02afa-36b5-4d49-91cb-8ebbcf4123d0 - - # Recommendations 💡 -- 🚨 NOTE: If you are just getting started with managing your Splunk detection as code, we recommend that you keep the YAML structure of the detections as close as possible to the original structure of the detections. This will make it easier to manage your detections and will also make it easier to contribute back to the community by creating a pull request to the Splunk Security Content project. +- 🚨 NOTE: If you are just getting started with managing your Splunk detection as code, we recommend that you keep the YML structure of the detections as close as possible to the original structure of the detections. This will make it easier to manage your detections and will also make it easier to contribute back to the community by creating a pull request to the Splunk Security Content project. -- In order to build an content app that specific for your organization, we strongly recommend that you start with keeping only the detections that are related to your organization and remove other yamls that are not related to your organization. This includes selecting detections, stories, macros, lookups that are used by the detection ymls. +- In order to build an content app that specific for your organization, we strongly recommend that you start with keeping only the detections that are related to your organization and remove other YML files that are not related to your organization. This includes selecting detections, stories, macros, lookups that are used by the detection YML files. - If your detections are using macros and lookups, please make sure that you have the same macros and lookups in those directories.. This will ensure that the content app is self-contained and does not rely on external files. 
@@ -111,7 +103,7 @@ https://github.com/user-attachments/assets/1be02afa-36b5-4d49-91cb-8ebbcf4123d0 # Json Schemas 📄 -The JSON schemas defined in the [/schemas](/schemas/) folder, define the structure and required fields for various YAML files used in the project. These specifications ensure consistency and validation across different types of YAML files, such as macros, lookups, and analytic stories. Each spec outlines the expected data types, descriptions, and whether the fields are mandatory, providing a clear schema for developers to follow. +The JSON schemas defined in the [/schemas](/schemas/) folder, define the structure and required fields for various YML files used in the project. These specifications ensure consistency and validation across different types of YML files, such as macros, lookups, and analytic stories. Each spec outlines the expected data types, descriptions, and whether the fields are mandatory, providing a clear schema for developers to follow. - [detection](schemas/EventBasedDetection.schema.json) - [stories](schemas/Story.schema.json) From b19ba4901cf95cdd7ace924a43d1f39eaf49c688 Mon Sep 17 00:00:00 2001 From: Eric McGinnis Date: Fri, 12 Jun 2026 09:53:07 -0700 Subject: [PATCH 6/6] yml case --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index b1d148cdfe..e01cf2677f 100644 --- a/README.md +++ b/README.md 
@@ -75,7 +75,7 @@ pip install contentctl-ng ``` contentctl-ng build ``` -**NOTE** - The contentctl build command ensures that all yml files adhere to the defined specifications and are up-to-date. It checks for required fields, correct data types, and overall consistency, helping maintain the integrity and quality of the content. +**NOTE** - The contentctl build command ensures that all YML files adhere to the defined specifications and are up-to-date. It checks for required fields, correct data types, and overall consistency, helping maintain the integrity and quality of the content. # VS Code Snippets ✂️