Open DerF66 opened 1 year ago
You are on the right track with the observation that the signature of a TTP would ultimately get expressed as a scheduled search in savedsearches.conf. There is another GitHub project called Sigma where you can find newer signatures for TTPs and convert them to Splunk searches. If you are looking to include signatures observed from sources other than Sysmon, PowerShell or Windows event logs, there will of course be many more conf files to update in the app, such as macros, inputs, and possibly props and transforms.
I want to add more TTPs. Is there any documentation available on how one can add more to this tool? It seems the saveconference file is the file to edit.
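To make the reply above concrete, here is what one TTP signature looks like when expressed as a scheduled search stanza in savedsearches.conf. This is an added example, not a stanza from the project's own app. It assumes a `sysmon` search macro (defined in macros.conf) that resolves to the index and sourcetype holding Sysmon data, and it uses the Sysmon Event ID 1 (process creation) field names as the Splunk Add-on for Sysmon extracts them; the stanza name, description and the ATT&CK mapping in the description are illustrative choices.

```ini
# Added example: one TTP detection as a scheduled search in savedsearches.conf.
# Not part of the project; assumes a `sysmon` macro exists in macros.conf.
[TTP - Encoded PowerShell Command Line]
description = Flags powershell.exe launched with an encoded command argument (example mapping: MITRE ATT&CK T1059.001)
# Sysmon EventCode 1 = process creation. Group hits so one row per host/user/command line.
search = `sysmon` EventCode=1 Image="*\\powershell.exe" \
  (CommandLine="* -enc *" OR CommandLine="* -EncodedCommand *") \
  | stats count min(_time) AS firstTime max(_time) AS lastTime \
    BY Computer, User, ParentImage, CommandLine
# Run hourly over a window slightly wider than the schedule so late-indexed events are not missed.
dispatch.earliest_time = -70m@m
dispatch.latest_time = now
cron_schedule = 0 * * * *
enableSched = 1
# Trigger when the search returns at least one row and record it as a triggered alert.
counttype = number of events
relation = greater than
quantity = 0
alert.track = 1
alert.severity = 4
disabled = 0
```

A practitioner adding a Sigma-derived rule would drop the converted SPL into the `search` key of a new stanza like this one; if the rule relies on a data source the app does not yet ingest, the matching macro, inputs and any props/transforms extractions must be added alongside it, as the reply notes.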