0xC0FFEEEE
commented
1 week ago Some context as to why this would be a great feature from the perspective of a Splunk cloud customer w/ >950 ESCU rules enabled:
When we adopted Splunk ES, we opted to enable, tune and tweak ESCU rules in-place, as there was no clear benefit to cloning detections given that ES does not provide any means to merge changes from upstream security_content updates.
Over time we've modified a number of these rules to various extents and it's simply not worth the time/effort to manually compare and merge in changes from an updated ESCU detection, meaning we are likely missing out on some beneficial updates. If I could access the Splunk ES filesystem to diff the default and local configs I probably would!
Our eventual goal with DaC is to maintain our own fork of security_content, and for the eventual switchover to happen, we will need to import our local savedsearches.conf before merging in changes from ESCU v4.16 (IIRC) to date.
I'm also considering whether we should manage our filter macros as code, so importing macros.conf would also be nice, and would certainly help with the switch to our forked content pack.
A great feature in contentctl which would enable faster onboarding of content from a splunk environment is import from existing conf files. There was initial work towards that here: https://github.com/splunk/contentctl/pull/84 But since that was opened the structure of the codebase has changed significantly. As such, that PR has been closed out. Let's track this as it is an oft-requested feature, especially for new users.
I will tag @0xC0FFEEEE directly in this issue so that they can provide comments and feedback if they would like 😄